Tag Archives: Exposure Management

Vendor-Agnostic Security: The Key To Smarter Risk Management

Post Syndicated from Michael Chroney original https://blog.rapid7.com/2025/05/13/vendor-agnostic-security-the-key-to-smarter-risk-management/

Security teams are investing in more tools than ever – but visibility into real risk is still elusive. Why? Because too many tools are locked inside closed ecosystems that don’t share data or context.

A vendor-agnostic security strategy changes that. It gives you the flexibility to integrate best-in-class tools, eliminate blind spots, and build a stronger, more agile cybersecurity program. It’s also a core enabler of modern frameworks like continuous threat exposure management (CTEM).

In this post, we’ll explore how a vendor-agnostic approach, powered by exposure assessment platforms (EAPs), helps you manage risk smarter – by unifying your attack surface and helping your team focus on what matters most.

The risks of vendor lock-in in cybersecurity

Security teams rely on a mix of tools from different vendors. According to the 2023 Gartner® Technology Adoption Roadmap for Large Enterprises Survey, “cybersecurity leaders indicated that on average their organizations had 43 tools in their cybersecurity product portfolios, and 5% of the leaders indicated their organizations had over 100 tools”. When those tools don’t speak the same language, you’re left with siloed data and a fragmented security strategy. That’s how blind spots are born – and how critical vulnerabilities slip through the cracks.

On top of that, being locked into a single vendor makes it costly and complicated to switch solutions, often forcing organizations to stick with suboptimal tools. Instead of driving innovation, you have limited options that lead to unnecessary spending on add-ons that may not fully meet your needs.

How a vendor-agnostic approach powers CTEM

CTEM is designed to be proactive, contextual, and continuous. It’s about knowing what exposures exist, which ones to prioritize, and how to remediate them – before attackers take advantage. To get the most out of CTEM, your security framework needs to be as flexible as the threats you’re defending against.

That means looking beyond a single vendor’s lens. A vendor-agnostic approach helps you:

  • Ingest data from anywhere across endpoints, cloud, identities, networks, threat intel, and more.
  • Correlate and prioritize with context – so your team can focus on what’s urgent and actionable.
  • Act faster across teams with remediation workflows that plug into existing tools and processes.

Unlocking CTEM with exposure assessment platforms

This is where EAPs make a real difference. These platforms unify and enrich data from across your hybrid environment, continuously identifying and prioritizing exposures – like vulnerabilities and misconfigurations – across a wide range of asset types. This gives security teams the context they need to act with clarity and confidence.

With a vendor-agnostic EAP, security teams can:

  • Continuously discover exposures across hybrid environments
  • Prioritize based on actual risk, not just raw severity scores
  • Correlate findings across sources to surface exploitable attack paths
  • Enable confident, fast decisions using context like business criticality and threat intel

It’s a centralized command center for everything that puts your organization at risk – and helps provide insight into what you can do about it.

Real-world example: Why risk context matters

Let’s say your team spots a misconfiguration in a firewall. On its own, that might trigger a red flag. But without deeper context, it’s hard to know if it’s actually a risk – or just noise.

Now imagine you can instantly cross-reference that misconfiguration with endpoint telemetry. If those endpoints aren’t exposed or already have compensating controls in place, you can safely deprioritize the issue. But if it opens the door to vulnerable assets? You’ve got the clarity (and urgency) to act.

That level of insight is only possible with a centralized, vendor-agnostic platform that brings together telemetry from across your environment. It filters out the noise and empowers your team to make informed, high-impact decisions.
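As an added illustration of the correlation walked through above (example code, not Rapid7's own or Exposure Command's logic), the rule below decides a firewall misconfiguration's priority from the endpoints it actually exposes, their open vulnerabilities, compensating controls, business criticality and threat-intel flags; the field names, weights, thresholds and sample hosts are all assumptions.

```python
"""Contextual prioritization of a firewall misconfiguration finding.

Added example, not Rapid7 code. The data model, weights and thresholds are
assumptions made for illustration; CVE ids are obvious placeholders."""
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    host: str
    reachable_via_rule: bool                       # does the misconfigured rule expose this host?
    open_vulns: list = field(default_factory=list)             # open vulnerability ids (placeholders)
    compensating_controls: list = field(default_factory=list)  # e.g. "edr", "host_fw"
    business_criticality: str = "low"              # "low" | "medium" | "high"


@dataclass
class Misconfig:
    finding_id: str
    description: str
    raw_severity: str      # what the scanner reports on its own, without context


# Assumed weights: how much a truly exposed host of each criticality counts.
CRIT_WEIGHT = {"low": 1, "medium": 2, "high": 3}


def prioritize(finding, endpoints, actively_exploited=frozenset()):
    """Return (priority, reasons) for the finding.

    priority is "deprioritize" (noise), "medium" or "urgent". A host only raises
    the priority when the rule reaches it, it has an open vulnerability, and no
    compensating control covers it; an actively exploited vulnerability bumps
    the level one step further.
    """
    reasons, worst = [], 0
    for e in endpoints:
        if not e.reachable_via_rule:
            continue                                   # the rule never reaches this host
        if not e.open_vulns:
            reasons.append(f"{e.host}: reachable but nothing exploitable")
            continue
        if e.compensating_controls:
            reasons.append(f"{e.host}: vulnerable but covered by "
                           f"{', '.join(e.compensating_controls)}")
            continue
        hot = sorted(set(e.open_vulns) & set(actively_exploited))
        level = CRIT_WEIGHT[e.business_criticality] + (1 if hot else 0)
        worst = max(worst, level)
        note = f"{e.host}: exposes {len(e.open_vulns)} open vuln(s)"
        if hot:
            note += f", actively exploited: {', '.join(hot)}"
        reasons.append(note)
    if worst == 0:
        return "deprioritize", reasons or [
            f"{finding.finding_id}: no endpoint is reachable through the rule "
            f"(scanner severity was {finding.raw_severity})"]
    if worst >= 3:        # high-criticality host, or medium host with exploited vuln
        return "urgent", reasons
    return "medium", reasons


if __name__ == "__main__":
    rule = Misconfig("FW-0001", "permit any -> dmz/24 on all ports (constructed)", "high")
    fleet = [  # constructed endpoint telemetry
        Endpoint("db-01", True, ["CVE-PLACEHOLDER-1"], [], "high"),
        Endpoint("web-02", True, ["CVE-PLACEHOLDER-2"], ["edr", "host_fw"], "medium"),
        Endpoint("jump-03", False, ["CVE-PLACEHOLDER-3"], [], "high"),
    ]
    level, why = prioritize(rule, fleet, actively_exploited={"CVE-PLACEHOLDER-1"})
    print(level)
    for r in why:
        print(" -", r)
```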

Key takeaways

Strengthen your organization’s overall security posture by adopting a vendor-agnostic strategy that helps your team:

  • Break free from vendor lock-in for more flexibility and control
  • Unify security tools to drive a more effective CTEM program
  • Enhance decision-making with EAPs
  • Extract more value from the tools and telemetry you already have

Build a future-ready cybersecurity strategy

Rapid7’s Exposure Command embraces a vendor-agnostic approach to provide a unified, transparent view of your security landscape. It aggregates telemetry and risk signals from across your existing tools – endpoint, cloud, identity, vulnerability management, and more – so you can:

  • Uncover blind spots hidden in fragmented vendor ecosystems
  • Correlate and contextualize risk with a unified, real-time view
  • Streamline decisions and accelerate remediation with automated workflows and prioritization

By moving to a vendor-agnostic approach with Rapid7, you’re not just reducing risk — you’re building a security program that’s resilient, scalable, and built for what’s next.


[1] Gartner, Infrastructure Security Primer for 2025, John Watts, Franz Hinner, 29 January 2025 (For Gartner subscribers only)

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Exploring an Untethered, Unified Approach to CTEM

Post Syndicated from Joel Alcon original https://blog.rapid7.com/2025/05/07/exploring-an-untethered-unified-approach-to-ctem/

We live in a world where traditional Vulnerability Management (VM) has become infosec’s version of ‘whack-a-mole’—an attempt to tackle risks that constantly shift, multiply, and morph. As organizations push workloads to the cloud, offer customers digital experiences, or as they build AI-enabled applications across their business, the attack surface expands exponentially. For decades, security teams have relied on traditional network and endpoint-based scanners to discover and patch CVEs, but the reality is attackers don’t think in terms of “CVEs”—they think in attack paths.

The most successful hackers increase the blast radius and impact of their attacks by connecting key dots across your organization:

  • Weak access controls to high-privilege users.
  • Misconfigurations to mission-critical assets.
  • Known exploits to number of impacted systems.

To tame this complicated, quickly-evolving threat landscape, security teams are moving from ticking boxes for vulnerabilities patched, to understanding, contextualizing, and preempting real-world threats before they become breaches. The strategic shift has fueled the rise of Risk-Based Vulnerability Management (RBVM) and Continuous Threat Exposure Management (CTEM).

However, many organizations implement these approaches through an array of point security solutions – vulnerability scanners, endpoint detection software, penetration testing – and feed this data into one or more aggregation tools (usually SIEMs). This fragmented approach has inadvertently paved the way for tool sprawl, operational silos, and security blind spots. In this blog, I’ll explore why RBVM and CTEM have become essential security strategies, common mistakes that organizations make in implementation, and why these shortcomings have fueled the demand for unified exposure management.

RBVM helps teams prioritize remediation based on exploitability, criticality, and threat intelligence, rather than relying solely on CVE severity scores. RBVM solutions typically ingest data from vulnerability scanners, external threat feeds, endpoint detection systems, and other security tools. Security analysts then correlate key findings against SIEM tools to determine which vulnerabilities are actively being exploited in their environment.

The key benefit? This approach reduces alert noise because it filters out low-risk vulnerabilities, enabling security teams to focus remediation efforts on the most critical threats.

However, RBVM approaches come with significant drawbacks:

  • RBVM tools are not designed to perform scans or produce threat intel themselves.
  • Teams must integrate RBVM solutions into their existing security stack (SIEM, SOAR, EDR, cloud security tools) – a process that’s often complex, time-consuming, and costly.
  • Most critically, if there are assets that the RBVM services have no visibility into, they will not produce risk scores for them, creating an incomplete picture of your attack surface and an inaccurate representation of true business threats.

The evolution to CTEM

To continuously assess and validate exposures across the entire attack surface, organizations are turning to CTEM as a proactive strategy for mitigating ongoing risk. With real-time, continuous visibility into the attack surface and attack paths, security teams can prioritize remediation efforts based on the risks that impact business-critical systems. Despite the benefits of this more advanced approach, implementing CTEM with fragmented security tools creates significant challenges:

Misleading view of the attack surface.

Your security stack may have top-tier vulnerability scanners, EDR solutions, and CSPM tools, but if these tools aren’t talking to each other, you end up with an incomplete view of the attack paths that hackers would take. Leading CTEM approaches are underpinned by platforms that go beyond CVEs by incorporating misconfigurations, cloud entitlements, shadow IT, lateral movement risks, and application security gaps to provide a comprehensive view of the attack surface.

Lacking business context and impact analysis for prioritization.

Security teams have to sort through alerts, false positives, and vulnerability scan results that often lack business context. Without a unified platform connecting vulnerability findings with risk scores and business impact, teams will struggle to accurately prioritize risk, leaving them spending valuable time remediating issues that do not actually impact business-critical systems. Organizations need to look across the entire attack surface, including internal and external-facing attack vectors, as well as telemetry signals like weak identity and access controls.

Silos hinder incident response.

Vulnerability dashboards and reports do not depict how an adversary would exploit a vulnerability. Organizations need an in-depth view of the attack path to understand, for example, how misconfigurations can result in disruptive domain compromise in the event of a breach. This insight helps security teams identify interconnected systems and organizational peers (e.g., application owners, cloud architects, developers, engineers, etc.) that they will need to coordinate with in case there is a breach.

The driving force for a unified exposure management platform

According to the 2023 Gartner® Technology Adoption Roadmap for Large Enterprises Survey, “cybersecurity leaders indicated that on average their organizations had 43 tools in their cybersecurity product portfolios, and 5% of the leaders indicated their organizations had over 100 tools.” We believe that managing that many tools can be overwhelming, especially because security teams often operate their tools in silos. The ensuing sprawl creates blind spots that attackers can easily exploit. Instead of juggling multiple disconnected tools, forward-thinking organizations are embracing a unified approach to exposure management with comprehensive platforms that deliver:

  • Vulnerability management
  • CASM
  • EASM
  • Cloud security
  • Identity security
  • Threat intelligence

Because many high-profile breaches start with compromised credentials or excessive privileges, the ideal exposure management platform maps critical assets against users with weak authentication protocols.

Security teams can no longer rely on a scan-and-patch approach; they need to stay ahead of attackers by continuously identifying, validating, and mitigating risks across the entire attack surface. If your security tools aren’t fully integrated, attackers will exploit what’s left exposed. CISOs, security architects, and SOC leaders are tackling this challenge by moving beyond traditional VM and adopting a unified exposure management strategy with Rapid7’s Exposure Command Platform.

Connecting the dots with Exposure Command

Unlike traditional standalone VM, CASM, EASM, SIEM, or EDR tools that rely on proprietary agents, Exposure Command from Rapid7 brings it all together into one platform. With an inside-out and outside-in view of your risks, combined with trusted threat intelligence and a vendor-agnostic approach to vulnerability aggregation, security teams gain a complete, end-to-end view of their attack surface.

Rapid7’s all-in-one Exposure Command platform goes even further by automatically mapping users, authentication protocols, and the criticality of the systems they can access. Armed with deep visibility into vulnerabilities and their impact to the business, organizations can leverage Rapid7’s Remediation Hub to address the risks that have the largest impact on their overall risk posture.

The paradigm has shifted – it’s no longer about chasing vulnerability patches, but about taking command and reducing risk across the business.

Ready to see the difference a unified approach can make? Check out the Rapid7 Exposure Command product trial to learn more about our platform and dive deeper into our unified, modern approach to managing risk and remediating security threats.

Gartner, Infrastructure Security Primer for 2025, John Watts, Franz Hinner, 29 January 2025 (For Gartner subscribers only)

From Noise to Action: Introducing Intelligence Hub

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/04/23/from-noise-to-action-introducing-intelligence-hub/

Co-authored by Raj Samani (Chief Scientist) & Craig Adams (Chief Product Officer)

In traditional conflicts, intelligence is both integral and beneficial to decision-making at every level. Unfortunately, in cybersecurity, the impact of threat intelligence as an asset for organizations—and in particular their security operations team—has been less significant.  

Why has this been the case? While threat intelligence should be intrinsic to the detection and response process, the reality is that security teams are overwhelmed with far too much noise to efficiently gather what they need from it. Not responding in a timely fashion ultimately means that by the time any response can be mustered, it will be too late. This is particularly the case given threat actors’ dwell times have in some instances decreased to a matter of hours.

The threat landscape is not static—defenders need a continuous view of what is occurring, right now.

We are delighted to announce the availability of Intelligence Hub, an evolution in threat intelligence delivery that is designed to provide meaningful context and actionable insights integrated with the Rapid7 Command Platform.

High-fidelity data: curated intelligence

Intelligence is not a commodity. Simply gathering every feed is why many organizations are overwhelmed and unable to respond in a timely manner to disrupt the kill chain before attackers move to the final stage. Consider many of the recent significant breaches; invariably, alerts are missed and data is exfiltrated. With this in mind, the focus of Rapid7 Labs has been to increase the fidelity of data, leveraging our own approach to curated intelligence.

Data that can be trusted

The objective of curated intelligence is to extract the low-prevalence indicators and verify the malicious nature of the artifact, thus enabling a timely response while reducing the risk of false positives. Introducing high-fidelity data also provides the opportunity to automate the response. Such an approach goes beyond the analyst and considers what an appropriate response should be.

The curated intelligence within Intelligence Hub is derived from ingestion sources that are unique to Rapid7, such as our honeypot data and proprietary research, as well as insights from our open source and research communities. These include Metasploit, AttackerKB, and other global communities that make our reach into understanding the threatscape both broader and deeper. Expertly crafted machine learning (ML) models combined with manual verification from our Rapid7 Labs team create additional layers of validation.

Figure: What matters to me? Understand prevalence quickly with the campaigns that are targeting your business sector or geography as efficiently as possible.

Decay modeling maintains relevance

Even curated intelligence can quickly get very stale. If we consider an IP address used within a given campaign, this artifact will soon cease to be relevant since threat actors will migrate once it has been identified as known bad. For this reason, Intelligence Hub shows the decay score, which will reduce over time as the artifact migrates from known bad to unknown (or another state).
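An added example of the decay idea, written for this page and not Intelligence Hub's actual model: an indicator's confidence halves every assumed half-life for its type, the artifact moves from known bad to suspicious to unknown as the score crosses assumed thresholds, and a fresh confirmed sighting resets the clock. Indicator types, half-lives, thresholds and sample values are all assumptions.

```python
"""Time-based decay scoring for threat-intelligence indicators.

Added example, not Rapid7 code. Half-lives, thresholds and the sample
indicators are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import math

NOW = datetime(2025, 4, 23, tzinfo=timezone.utc)   # constructed "current time" for the demo


@dataclass
class Indicator:
    value: str
    kind: str                 # assumed types: "ipv4", "domain", "sha256"
    last_verified: datetime   # when the artifact was last confirmed malicious
    confidence: float = 1.0   # 1.0 = verified known bad at last_verified


# Assumed half-lives in hours. Attacker infrastructure (IPs) is abandoned soon
# after it is flagged; a domain lasts longer; a file hash stays meaningful for years.
HALF_LIFE_HOURS = {"ipv4": 72.0, "domain": 240.0, "sha256": 24.0 * 365.0}

# Assumed score thresholds for the known bad -> suspicious -> unknown transition.
KNOWN_BAD_THRESHOLD = 0.6
SUSPICIOUS_THRESHOLD = 0.2


def make_indicator(value, kind, hours_ago, confidence=1.0):
    """Build an indicator last verified `hours_ago` hours before NOW."""
    return Indicator(value, kind, NOW - timedelta(hours=hours_ago), confidence)


def decay_score(ind, now=NOW):
    """Exponential decay: the score halves every HALF_LIFE_HOURS[kind]."""
    age_h = max(0.0, (now - ind.last_verified).total_seconds() / 3600.0)
    half_life = HALF_LIFE_HOURS.get(ind.kind, 72.0)   # unknown types decay like IPs
    return ind.confidence * math.pow(0.5, age_h / half_life)


def state(score):
    """Map a decayed score onto the artifact's current relevance."""
    if score >= KNOWN_BAD_THRESHOLD:
        return "known_bad"
    if score >= SUSPICIOUS_THRESHOLD:
        return "suspicious"
    return "unknown"


def reverify(ind, seen_at):
    """A fresh confirmed sighting (e.g. a honeypot hit) resets the clock."""
    return Indicator(ind.value, ind.kind, seen_at, 1.0)


def triage(indicators, now=NOW):
    """(value, kind, score, state) per indicator, most relevant first."""
    rows = [(i.value, i.kind, round(decay_score(i, now), 3), state(decay_score(i, now)))
            for i in indicators]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    nine_days = 9 * 24
    sample = [  # constructed indicators: documentation-range IP, example domain, dummy hash
        make_indicator("198.51.100.7", "ipv4", nine_days),
        make_indicator("c2.example.net", "domain", nine_days),
        make_indicator("a" * 64, "sha256", nine_days),
    ]
    for row in triage(sample):
        print(row)
```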

Figure: A view of campaign activities being conducted by the Mustang Panda APT group (correct at the time of writing). Intelligence Hub covers all major threat activities from organized crime and APT groups.

Contextualized information

Intelligence Hub’s higher fidelity data remains continuously updated, allowing us to move away from the problem of traditional Threat Intelligence Platforms (TIPs) that have provided the firehose of false positives and noisy alerts. The opportunity is to now use prevalence to allocate resources to only the areas which are necessary. In other words, if a threat campaign is targeting a specific sector and/or geography and exploiting specific vulnerabilities, then surely these will require remediation first. In addition, if the campaign is being carried out by a ransomware group whose dwell time continues to drop, then almost certainly prioritizing remediation should include automation.

Automation does, of course, demand high-fidelity data, which is why curated intelligence remains the foundation of the solution.

Actionable insights

What all of this means is the security teams can get true, actionable insights — understanding what indicators within their environment are confirmed as malicious, as well as the threat actors’ motivations. Utilizing these insights to take the appropriate action to mitigate the threat in a timely fashion now becomes a reality with Intelligence Hub.

Figure: Learn more about the active threat groups conducting operations in the world today.

Intelligence is great, but what does this mean for your organization?

Above all else, the integration of Intelligence Hub with the Rapid7 Command Platform provides the ability to go beyond the analyst and deliver true security outcomes. Firstly, with our next-gen SIEM, Rapid7 InsightIDR, the security analyst can prioritize triaging security alerts that demand attention. For example, if there are reliable indicators regarding the possibility of a ransomware group inside the environment, this clearly demands prioritization with the intention of disrupting the kill chain before the final stage payload is delivered. Such an approach reinforces why context matters, and perhaps controversially, why attribution becomes operationally relevant.

Figure: Migrate away from the dependency on manual tools to integrate intelligence into operations and surface the alerts that truly matter.

Threat-informed remediation: beyond the security analyst

The role of Intelligence Hub therefore goes beyond the security analyst, and supports integration with the remediation actions of any organization. An upcoming integration with Remediation Hub will give security analysts the added insight to justify security updates being rolled out outside of the normal change control cycle. An example of this could be CVE-2024-55591, an authentication bypass in Fortinet firewalls, which was exploited as a zero-day in January 2025 and reported to be used by ransomware groups on March 18, 2025. This attack warrants immediate remediation in order to mitigate the potential of being exploited. This answers the question many security practitioners are often asked: Are we vulnerable? And, with the investigation option within Intelligence Hub, the opportunity exists to answer the question: Have we been compromised?

With actionable (and relevant) intelligence being incorporated into the allocation of resources for remediation, Intelligence Hub provides the critical data necessary for effective security operations.

Figure: Intelligence Hub is the integrated threat intelligence solution that delivers proactive context and prioritization, rapidly accelerating time to remediation.

The evolution of threat intelligence

In summary, Intelligence Hub represents a significant leap forward in threat intelligence delivery. By providing curated, high-fidelity data with relevant context and actionable insights, it empowers security teams to move beyond the noise of traditional threat intelligence solutions. The integration with the Rapid7 Command Platform and Remediation Hub further offers threat-informed remediation, allowing organizations to prioritize and automate responses effectively. Ultimately, Intelligence Hub is designed to help organizations achieve true security outcomes by focusing on what truly matters and disrupting the kill chain quicker, and with greater confidence. Learn more about Intelligence Hub here.

What’s New in Rapid7 Products & Services: Q1 2025 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2025/04/01/whats-new-in-rapid7-products-services-q1-2025-in-review/

At Rapid7, we started off the year focused on delivering new features and advancements across our products and services to bring you the context needed to prioritize exposures, visualize your attack surface, and accelerate incident response. Read on for Q1 2025 release highlights across the Command Platform, from Exposure Command to Managed Threat Complete.

Eliminate blind spots with Exposure Management

Discover and protect sensitive data across hybrid environments

Keeping sensitive data secure across hybrid and multi-cloud environments isn’t easy—especially without clear visibility. Data gets misplaced, duplicated, or left exposed, making risk assessment and compliance difficult. Sensitive Data Discovery, our latest feature delivering clarity and control to your security data, can help.

Available as part of Exposure Command and InsightCloudSec, Sensitive Data Discovery gives security teams real-time visibility into sensitive data, such as PII, financial data or customer records, across multi-cloud environments, helping identify exposures, prioritize risks, and take action faster.

With automated scanning and classification, you can pinpoint who has access to sensitive data, continuously monitor for exposures, and strengthen compliance while streamlining incident response. Learn more about Sensitive Data Discovery here.

Figure: Sensitive Data Discovery in InsightCloudSec

Intelligent vulnerability prioritization with AI-driven CVSS Scoring

In February 2024, the National Vulnerability Database (NVD) stopped providing CVSS scores for all CVEs, creating a gap in risk assessment as vulnerabilities go unscored. To bridge this gap, we’ve introduced AI-Generated Risk Scoring in Exposure Command, which uses machine learning to supplement missing CVSS scores and ensure an immediate, accurate risk rating for all CVEs without manual analysis.

This AI/ML scoring ensures all vulnerabilities are properly assessed, helping you prioritize remediation efforts efficiently and strengthen your overall security posture with the right context and insights. Discover more about AI-driven CVSS Scoring here.

Figure: CVSS Risk Scoring in InsightVM

Prioritize risk and accelerate remediation of critical exposures

To effectively prioritize remediation efforts and reduce cyber risk, you need clear contextual information about your assets and vulnerabilities. Without this, you risk misclassifying the severity of vulnerabilities and wasting effort on low-priority issues while high-risk threats remain unaddressed.

Our newly expanded Surface Command and Remediation Hub integration embeds this necessary context about assets and vulnerabilities directly within the asset inventory and detail pages of Surface Command, providing:

  • Faster mean-time-to-remediate (MTTR) by bringing prioritized remediation guidance directly to the Surface Command pages your team is already working in.
  • Deeper asset context at the time of remediation, including insights from third-party security and ITOps tooling.
  • Improved collaboration by providing security teams and stakeholders with enriched context for quicker decision-making.

Learn more about how this integration can empower your team to act with confidence, ensuring that remediation efforts are focused on the vulnerabilities that matter most here.

MDR: A clear line of sight

New detection and response dashboard

Teams need a holistic view of threats, SOC activity, and response performance to have confidence in their program and communicate efficacy to leadership and stakeholders. Available for Managed Detection and Response customers, our new customizable Detection & Response Dashboard provides an executive-ready snapshot of your MDR program, offering real-time, easy-to-communicate insights into:

  • Threat prioritization & alert trends: Analyze the volume of alerts by severity and identify the most common alert types to understand the highest-risk threats.
  • Incident response efficiency: Threat pipeline visualization tracks how alerts progress to investigations and incidents, while mean time to begin investigating highlights response speed.
  • Investigation & resolution metrics: Insights into closed alerts and investigations by priority and disposition help teams assess the effectiveness of their threat response and remediation efforts.

Figure: Detection and Response Dashboard in Rapid7 MDR

Learn more about the dashboard in our blog.

Transparency in AI-driven security: AI Alert Triage decisioning

Artificial intelligence (AI) has transformed security operations, enabling faster detection and response. However, black-box AI decision-making can lead to uncertainty—why was an alert escalated or dismissed?

With Rapid7’s AI Alert Triage Transparency, MDR customers gain full visibility into the reasoning behind AI-driven security actions, such as what factors influenced alert prioritization. You’ll also benefit from Rapid7’s AI triage’s 99.89% accuracy, reducing noise and giving you more time to focus on investigating real threats. Learn more about what this means for your organization here.

Figure: AI-Powered Auto Triage in Rapid7 MDR

The latest intelligence from Rapid7 Labs

Emergent threat response: Real-time guidance for critical threats

Rapid7’s Emergent Threat Response (ETR) program from Rapid7 Labs delivers fast, expert analysis and first-rate security content for the highest-priority security threats to help both Rapid7 customers and the greater security community understand their exposure and act quickly to defend their networks against rising threats.

In Q1 2025, Rapid7’s ETR team provided expert analysis, InsightVM content, and mitigation guidance for a variety of notable vulnerabilities, including several that came under active attack. Q1 CVEs of note include:

Follow along here to see the latest emergent threat guidance from our team.

Technical assessments of CVEs in AttackerKB

This past quarter Rapid7 researchers also published additional vulnerability assessments in AttackerKB (Rapid7’s community platform for vulnerability research and threat data) to help customers and the community understand and prioritize notable CVEs:

Coordinated vulnerability disclosure

In February 2025, Rapid7 researchers discovered a novel vulnerability in PostgreSQL (now assigned CVE-2025-1094) while researching BeyondTrust CVE-2024-12356, which was exploited as a zero-day flaw in a high-profile attack on the U.S. Treasury Department.

In every scenario Rapid7 researchers tested, a successful exploit for BeyondTrust CVE-2024-12356 had to include exploitation of PostgreSQL CVE-2025-1094 in order to achieve remote code execution. See Rapid7’s full analysis of CVE-2024-12356 here and our disclosure of PostgreSQL CVE-2025-1094 here.

Stay tuned for more!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in product and service investments at Rapid7.

Rapid7 and IDC ASM Spotlight Paper Blog Jan 25

Post Syndicated from Ed Montgomery original https://blog.rapid7.com/2025/03/20/rapid7-and-idc-asm-spotlight-paper-blog-jan-25/

Rapid7 recently collaborated with IDC on their comprehensive Attack Surface Management Spotlight guide. These Spotlight publications deliver expert analyst perspectives on critical business and technology challenges, emerging industry trends, and innovative solutions. We’re pleased to share IDC analyst Michelle Abraham’s insights on cyber risk exposure management and the imperative for organizations to implement proactive security strategies.

IDC’s trend forecast

“Managing exposures with proactive cybersecurity tools and platforms should be a mindset for the entire organisation, from the C-suite to the back office.”

IDC agrees that it is no longer realistic to conduct asset management on spreadsheets due to the increasing complexity of cloud, SaaS and Generative AI technologies used by many organizations. IT teams have an added complexity brought about by hybrid and remote working. This expansion signifies that CAASM and ASM should be part of a wider exposure management system to cover cloud security, application security and vulnerability management.

IDC key takeaways

  • Foundational visibility: Establishing comprehensive awareness of all assets, whether on-premises or in cloud environments.
  • Contextual intelligence: Integrating business context and threat intelligence to accurately assess risk levels and prioritize response strategies.
  • Cross-functional utilization: Extending security data beyond the security team to support additional organizational use cases.

Understanding Key Exposure Management Concepts

Check out this blog, which covers the definitions of ASM, CAASM and EASM.

“You can’t protect what you can’t see.” – Aaron Herndon, Principal Security Consultant, Rapid7

The benefits of holistic exposure management

Organizations that adopt a holistic approach to exposure management gain the ability to aggregate, deduplicate, and analyze data from diverse IT and business tools, resulting in a more comprehensive understanding of their security posture.

According to IDC, the most valuable ASM use cases include:

  1. Identifying which assets do not have vulnerability management software installed.
  2. Finding assets without endpoint protection solutions.
  3. Identifying users with admin access who do not have multi-factor authentication (MFA) enabled.
  4. Proactively identifying users with a high phishing susceptibility score, who are likely to open and click on phishing emails.


Business context is critical. The correct ASM tool will provide insight on the relative importance and criticality of each asset.

Which assets are exposed to the internet, and do they hold sensitive data? Sharing asset management data is extremely helpful for IT and security teams, ensuring everyone is operating from a “single source of truth”.
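The IDC use cases listed above and the business-context point just made both come down to the same mechanic: pull asset records out of several tools, reconcile them into one deduplicated inventory, and then ask the inventory which assets are missing a control and how much that gap matters. The following Python is an added illustration of that reconciliation, not code from Rapid7, IDC or any product; the three tool exports (a CMDB, a vulnerability-scanner agent list, an endpoint-protection agent list), the identity-provider user list, the hostnames and the data classifications are all constructed sample data, and the priority rules are an assumption made for the example.

```python
from typing import Dict, List, Tuple

# Data classes the example treats as sensitive (assumption for this illustration).
SENSITIVE_CLASSES = {"PCI", "PII", "PHI"}
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}


def normalize_host(name: str) -> str:
    """Canonical asset key: lower-case, whitespace stripped, domain suffix removed.
    This is what lets 'WEB02.corp.example' and 'web02' collapse into one record."""
    return name.strip().lower().split(".")[0]


# Constructed exports from three hypothetical tools and one identity provider (not real data).
CMDB = [
    {"host": "web01.corp.example", "owner": "ecommerce", "internet_exposed": True, "data_class": "PCI"},
    {"host": "WEB02.corp.example", "owner": "ecommerce", "internet_exposed": True, "data_class": "PCI"},
    {"host": "db01.corp.example", "owner": "ecommerce", "internet_exposed": False, "data_class": "PCI"},
    {"host": "build01", "owner": "platform", "internet_exposed": False, "data_class": "internal"},
]
VULN_SCANNER_AGENTS = ["web01", "web02", "db01"]  # hosts whose VM agent is checking in
EDR_AGENTS = ["web01", "DB01.corp.example", "build01", "legacy-ftp.dmz.example"]  # hosts with endpoint protection
IDP_USERS = [
    {"user": "alice", "roles": ["admin"], "mfa": True},
    {"user": "bob", "roles": ["admin", "dev"], "mfa": False},
    {"user": "carol", "roles": ["dev"], "mfa": False},
]


def _record(inv: Dict[str, dict], key: str) -> dict:
    """Return the inventory record for a key, creating a blank one on first sight."""
    return inv.setdefault(key, {"sources": set(), "vm_agent": False, "edr_agent": False,
                                "internet_exposed": False, "data_class": "unknown"})


def build_inventory(cmdb: List[dict], vm_agents: List[str], edr_agents: List[str]) -> Dict[str, dict]:
    """Merge the per-tool views into one deduplicated record per asset."""
    inv: Dict[str, dict] = {}
    for rec in cmdb:
        r = _record(inv, normalize_host(rec["host"]))
        r.update(owner=rec["owner"], internet_exposed=rec["internet_exposed"], data_class=rec["data_class"])
        r["sources"].add("cmdb")
    for host in vm_agents:
        r = _record(inv, normalize_host(host))
        r["vm_agent"] = True
        r["sources"].add("vm")
    for host in edr_agents:
        r = _record(inv, normalize_host(host))
        r["edr_agent"] = True
        r["sources"].add("edr")
    return inv


def assets_missing_vm(inv: Dict[str, dict]) -> List[str]:
    return sorted(k for k, r in inv.items() if not r["vm_agent"])


def assets_missing_edr(inv: Dict[str, dict]) -> List[str]:
    return sorted(k for k, r in inv.items() if not r["edr_agent"])


def unknown_to_cmdb(inv: Dict[str, dict]) -> List[str]:
    """Assets some tool sees but the system of record does not: the 'unknown asset' case."""
    return sorted(k for k, r in inv.items() if "cmdb" not in r["sources"])


def admins_without_mfa(users: List[dict]) -> List[str]:
    return sorted(u["user"] for u in users if "admin" in u["roles"] and not u["mfa"])


def exposed_sensitive_assets(inv: Dict[str, dict]) -> List[str]:
    """Internet-facing assets that hold sensitive data: the business-context question."""
    return sorted(k for k, r in inv.items()
                  if r["internet_exposed"] and r["data_class"] in SENSITIVE_CLASSES)


def _priority(r: dict) -> str:
    """Assumed ranking: exposed and sensitive is high; exposed, sensitive, or unmanaged is medium."""
    exposed, sensitive = r["internet_exposed"], r["data_class"] in SENSITIVE_CLASSES
    if exposed and sensitive:
        return "high"
    if exposed or sensitive or "cmdb" not in r["sources"]:
        return "medium"
    return "low"


def prioritized_gaps(inv: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Every control gap as (priority, asset, gap), most important first."""
    gaps = []
    for key, r in inv.items():
        if not r["vm_agent"]:
            gaps.append((_priority(r), key, "no vulnerability management agent"))
        if not r["edr_agent"]:
            gaps.append((_priority(r), key, "no endpoint protection"))
    return sorted(gaps, key=lambda g: (PRIORITY_RANK[g[0]], g[1], g[2]))


if __name__ == "__main__":
    inventory = build_inventory(CMDB, VULN_SCANNER_AGENTS, EDR_AGENTS)
    for gap in prioritized_gaps(inventory):
        print(gap)
    print("admins without MFA:", admins_without_mfa(IDP_USERS))
    print("unknown to CMDB:", unknown_to_cmdb(inventory))
```

With the constructed data, the internet-exposed PCI host that lacks endpoint protection ranks above the internal build server that lacks a scanner agent, and the host only the EDR tool knows about surfaces as an unmanaged asset. The hostname normalization is the deduplication step the text refers to; in practice a real reconciliation would key on several identifiers (MAC, cloud instance ID, agent ID) rather than hostname alone.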

The benefits of CAASM and ASM extend beyond the security team; in fact, other job functions will reap rewards from highly contextualized asset data, including IT, finance and compliance. Security is a team sport.
We have developed several self-guided product tours highlighting key use cases identified by IDC above, for Surface Command and Exposure Command which you can check out at your leisure.

“Using CAASM and ASM is all about reducing risk.” – Michelle Abraham, IDC

IDC’s review of Surface Command and Exposure Command

“Surface Command reconciles data about assets, threats, vulnerabilities, and controls to determine the true attack surface.”

IDC provides context around our Surface Command product that was released in August 2024, following the acquisition of Noetic Cyber.

Rapid7 delivers unparalleled attack surface visibility through the Command Platform, empowering security teams to identify, prioritize, and remediate risk across hybrid environments. Surface Command is the only solution available that combines native external and internal scanning into a single unified view of your attack surface, enriched with telemetry from third-party security and ITOps tools via more than 130 out-of-the-box connectors.

The power behind Surface Command is its graph database, which maps the relationships between assets, identities and their potential exposures to present business risk in context.

Exposure Command builds on this foundational attack surface visibility, layering on adversary-aware risk prioritization and integrated remediation workflows that make it easy for security teams to anticipate where attackers are going to target, pinpoint their most pressing exposures and act swiftly and collaboratively to address issues before they can be exploited.

Elevate your security posture with proactive exposure management

As highlighted by IDC analyst Michelle Abraham in this comprehensive Spotlight report, organizations that implement robust exposure management strategies gain significant advantages:

  • Reduced attack surface: Identify and remediate vulnerabilities before they can be exploited
  • Enhanced visibility: Maintain complete awareness of your entire digital footprint
  • Improved resource allocation: Focus security efforts where they’ll have the greatest impact
  • Cross-functional value: Leverage security data across IT, compliance, and business operations

Rapid7’s Command Platform delivers the comprehensive visibility and actionable intelligence needed to effectively manage your organization’s attack surface. By combining external and internal scanning with powerful contextual analysis, our solutions enable security teams to stay ahead of sophisticated threat actors in today’s complex technological environments.

Ready to transform your approach to exposure management?

Download the complete IDC Spotlight report to discover how proactive security strategies can protect your critical assets and strengthen your overall security posture.

Rapid7 Fills Gaps in the CVE Assessment Process with AI-Generated Vulnerability Scoring in Exposure Command

Post Syndicated from Rapid7 original https://blog.rapid7.com/2025/02/19/rapid7-fills-gaps-in-the-cve-assessment-process-with-ai-generated-vulnerability-scoring-in-exposure-command/


The National Vulnerability Database (NVD) announced in February 2024 that it would no longer provide common vulnerability scoring system (CVSS) scores for all CVEs. Due to resource constraints and an inability to keep up with the volume of newly-disclosed vulnerabilities, NVD shifted its focus to processing vulnerabilities more efficiently by relying on vendor-provided and third-party scores rather than scoring each CVE independently.

Many organizations rely on NVD’s CVSS scores as a consistent, centralized guide to measuring the potential risk of vulnerabilities. This is especially useful for teams that don’t have the resources to conduct their own in-depth vulnerability analysis given the pace at which new CVEs are cropping up.

To address this widening gap in vulnerability scoring, and to ensure our customers are making informed decisions with the most accurate understanding of their current risk posture, we’re excited to announce the release of AI-Generated Risk Scoring in Exposure Command. By integrating an advanced machine learning model, Exposure Command supplements existing CVSS scores with AI-Generated Risk Scores for CVEs where NVD does not provide them, ensuring every vulnerability receives an accurate score.

The need to evolve from traditional vulnerability management practices to continuous threat and Exposure Management

Moving beyond simple risk scoring methodologies is critical for modern vulnerability management teams to stay ahead of advanced threats. For many organizations, this means adopting a Risk-Based Vulnerability Management (RBVM) approach.

Put simply, this means incorporating not just a deep and accurate understanding of how risky a given CVE is in a vacuum, but also layering on additional context related to reachability and exploitability, asset criticality, and a real-world understanding of what threat actors are actively targeting in the wild, and how all these inputs relate to the organization’s specific environment.

AI-Generated CVSS scoring in Exposure Command feeds directly into our broader Active Risk scoring methodology. More importantly, it enables Rapid7 to produce predictive CVSS scores by analyzing vulnerability information and comparing it with previous expert vulnerability analysis.

The model generates each CVSS vector component individually; once these are combined into a score, 76% of the generated scores fall in the correct severity classification. Combined with Rapid7’s Active Risk calculator, this rises to 87% of scores returning the correct classification. The remaining scores are never more than one classification out.

This insight feeds directly into, and improves the overall accuracy of, our Active Risk scoring models, and ensures severity scores are assigned and delivered to security teams faster than humanly possible, making your entire security program more resilient to external change.

By leveraging AI/ML to generate predictive risk scores, security teams benefit from:

  • Enhanced accuracy: Our expertly designed model trained on historical NVD data accurately provides CVSS scores.
  • Predictive scoring: Get immediate insight into the severity of newly-disclosed CVEs that are left unscored, without the need for manual aggregation and analysis.
  • Improved security posture: With every CVE assigned an accurate severity score, organizations have the context they need to prioritize remediation effectively and, in turn, strengthen their security posture.

This release represents a major step forward in our mission to provide industry-leading cybersecurity solutions. We expect these enhancements will significantly improve your ability to assess and manage vulnerabilities, giving you the confidence to stay ahead of potential threats. For more detailed information and implementation guidelines, please refer to the release notes. If you’d like to learn more about the Rapid7 AI Engine and how we’re leveraging AI across the platform, download the eBook today!

The Vulnerability Vortex: Escaping the Whirlpool of Ineffective Security

Post Syndicated from Christian Jacobsen original https://blog.rapid7.com/2025/01/24/the-vulnerability-vortex-escaping-the-whirlpool-of-ineffective-security/

Drowning in data: The modern security dilemma


In today’s interconnected digital landscape, organizations find themselves caught in a relentless torrent of security alerts and vulnerability notifications. As cyber threats evolve at breakneck speed, security teams struggle to keep their heads above water, desperately trying to prioritize and address an overwhelming flood of potential risks. This data overflow, ironically intended to bolster defenses, often leaves companies more vulnerable than ever.

The root of the problem: How we got here

The journey to this precarious position began with good intentions. As the internet grew and cybercrime flourished, the need for robust security measures became painfully apparent. Developing vulnerability management practices and creating standardized tracking systems like Common Vulnerabilities and Exposures (CVEs) and the Common Vulnerability Scoring System (CVSS) aimed to bring order to the chaos.

These tools provided a common language for discussing and prioritizing security risks. CVEs offered unique identifiers for specific vulnerabilities, while CVSS scores attempted to quantify the severity of these threats. In theory, this standardization should have streamlined the process of identifying and addressing the most critical security issues.

However, as the digital ecosystem expanded exponentially, so did the number of potential vulnerabilities. The growth of internet-connected devices, cloud services, and complex software ecosystems created a vast attack surface ripe for exploitation. Coupled with increasingly sophisticated cyber criminals and state-sponsored threat actors, the vulnerability landscape became a rapidly shifting minefield.

Drowning in false positives: The alert overflow crisis

The result of this explosive growth in potential threats is what security professionals now term “alert overflow.” Vulnerability scanners, intrusion detection systems, and other security tools generate constant alerts with many false positives. These incorrect or irrelevant warnings significantly drain resources as analysts must investigate each one, often finding nothing of consequence.

This flood of false positives leads to a dangerous phenomenon known as “alert fatigue.” As security teams become accustomed to the constant barrage of warnings, their ability to distinguish genuine threats from noise diminishes. This desensitization can result in slower response times to real vulnerabilities, potentially exposing critical systems for longer periods.

The limitations of traditional approaches

While vulnerability management has undoubtedly matured over the years, traditional approaches are increasingly falling short in the face of modern challenges. The sheer volume and complexity of today’s digital environments make it nearly impossible for organizations to maintain comprehensive visibility across their entire attack surface.

Moreover, the static nature of many vulnerability assessment tools fails to account for the dynamic reality of modern networks. Cloud environments, containers, and ephemeral instances can appear and disappear in moments, creating blind spots in traditional scanning methodologies.

Another significant limitation is the overreliance on CVSS scores for prioritization. While these scores provide a standardized severity measure, they often lack crucial context about an organization’s specific environment and risk tolerance. This can lead to misallocated resources, with teams focusing on high-scoring vulnerabilities that may pose little real-world risk to their particular systems.

Shifting gears: The move towards exposure management

Recognizing the shortcomings of traditional vulnerability management, forward-thinking organizations are embracing a more holistic approach known as exposure management. This paradigm shift acknowledges that not all vulnerabilities pose an equal threat and that context is crucial for effective risk mitigation.

Exposure management takes into account factors beyond mere technical vulnerabilities. It considers an organization’s unique attack surface, the potential impact of a successful exploit, and the likelihood of a vulnerability being targeted by threat actors. This more nuanced approach allows security teams to focus their limited resources on the most critical issues that pose genuine risks to their specific environment.

Continuous Threat Exposure Management (CTEM): A framework for the future

The concept of Continuous Threat Exposure Management (CTEM) is at the forefront of this evolution. CTEM represents a strategic, cyclical approach to identifying, assessing, and mitigating potential security exposures across an organization’s digital footprint.

The CTEM framework consists of five key phases:

  1. Scoping and discovery: Continuously map and update the organization’s attack surface, including known and unknown assets.
  2. Validation and prioritization: Assess discovered vulnerabilities in the context of the organization’s specific environment and risk tolerance.
  3. Mobilization: Coordinate efforts across teams to address the most critical exposures.
  4. Remediation: Implement fixes, patches, or mitigations to reduce identified risks.
  5. Verification: Confirm that remediation efforts have been successful and reassess the overall security posture.

This cyclic process ensures security efforts align with the organization’s ever-changing digital landscape and evolving threat environment.

Building the right team: Human expertise in the age of automation

While technology is crucial in modern security practices, the human element remains irreplaceable. Implementing a successful CTEM program requires a diverse team with various skills and perspectives.

Key roles in a CTEM team might include:

  • Security analysts: Skilled in threat intelligence and vulnerability assessment
  • Network specialists: Experts in understanding complex infrastructure
  • Cloud security professionals: Versed in securing dynamic, distributed environments
  • Risk management experts: Adept at translating technical findings into business impact
  • Data scientists: Capable of deriving actionable insights from vast amounts of security data

By combining automated tools with human expertise, organizations can achieve a more nuanced and effective approach to managing their security exposures.

Conclusion: Embracing a proactive future

The shift from traditional vulnerability management to exposure management and CTEM represents a necessary evolution in increasingly complex and dynamic threat landscapes. By adopting these more contextual and proactive approaches, organizations can break free from the vulnerability vortex plaguing security teams.

Exposure management allows for a more strategic allocation of resources, focusing on the most critical risks rather than chasing an endless stream of potential vulnerabilities. The CTEM framework provides a structured-yet-flexible approach to continuously assessing and improving an organization’s security posture.

As we progress, the key to successful cybersecurity will lie in embracing these more holistic methodologies. By combining advanced technologies with human expertise and a deep understanding of their unique risk profiles, organizations can navigate the turbulent waters of the digital age with greater confidence and resilience.
