Rapid7 is investing heavily in the reporting and dashboard capabilities of InsightVM. In 2021 alone, we launched the ability to filter dashboards via single query, a new report creation wizard powered by our query builder, several use-case-driven dashboard templates, and most recently, the ability to distribute reports via email. This allows users to easily and quickly distribute reports to users who may not have access to InsightVM.
For example, let’s say Theresa is tasked with giving her manager a copy of our Patch Tuesday dashboard as a PDF at the end of every month. Previously, she had to go to the Reports Management page in InsightVM, download the PDF, create an email, and send this to her manager — who does not have an InsightVM account.
Now, she can either create this report via the query builder or edit the existing report, then check the checkbox labeled “Permit users who do not have access to console” under the “Shared with” section, and enter her manager’s email address. InsightVM will automatically send a link to an encrypted and password-protected PDF of the report and another email that contains the password.
This additional security feature was included because of the increased threat surrounding proprietary information. For example, say Theresa creates an Assets report that is delivered every Friday to a colleague, and that colleague accidentally forwards the email with the PDF link to an unattended party. While the recipient could download the PDF, they’re blocked from viewing the contents because they don’t have the password.
This is an example of our evolution to more powerful features in the SaaS version of InsightVM, and our intention here is to reduce the burden of reporting to various stakeholders so that they can get back to what they do best: securing their environments.
We are excited to bring this functionality to our users. Please read our help documents for more information.
Have you ever tried to figure out why a vulnerability or policy scan isn’t showing you the results you expect, even though you’ve provided credentials? If so, you’ll be pleased to hear that the November 3rd release of Nexpose and InsightVM (version 6.6.111) will introduce a new check category designed to help troubleshoot issues with credentialed scanning: Scan Diagnostics.
No more combing through scan logs to get answers! These checks will be disabled by default, but you can configure them to run by adjusting your scan templates. When enabled, Scan Diagnostics checks will report a “vulnerable” result against assets when the Scan Engine is supplied with credentials but unable to gather local information.
The challenge of finding the right fix
For complete and accurate coverage, the InsightVM Scan Engine requires local access to systems being scanned. Most Microsoft checks are based on values found in the Windows Registry. Checks for Linux distributions typically require access to the package manager, which is important for vulnerability correlation (cutting down on noise due to backported fixes).
This means that for many types of scans, you need to tell the engine how it should authenticate by configuring credentials. When things go smoothly, the engine will collect all the data it needs for vulnerability or policy assessments. But when results aren’t as expected, it can be challenging to understand what went wrong.
The way the Security Console currently indicates authentication status results is rather coarse-grained. Credential Success means it’s all good, but a Credential Failure (or the puzzling “Partial Credential Success”) can often leave a VM analyst scratching their head about how to fix things.
Bringing greater visibility to your scanning environment
Our new Scan Diagnostics checks provide more detailed visibility into where things fell apart. Because the results are written as vulnerability checks, you’ll be able to use a lot of familiar product functionality to work with them. They can be enabled or disabled via scan templates, and you can report on them like any other category. We’ll also be providing solution information to make it easier to resolve issues, and you can look at the proof the scanner provides to get additional context.
Another advantage of using check results for Scan Diagnostics is that they are built atop the expert system at the core of the scanner. This helps Scan Diagnostics target the most precise cause of an error and provide guidance accordingly. No more going through a laundry list of checkboxes to make sure your sites and assets are configured correctly.
Here is the initial set of Scan Diagnostics we’ll be releasing:
Error when connecting to DCOM Ports (required for WMI)
rapid7-diagnostics-wmi-permission-error
Permission error when connecting to the WMI Service
rapid7-diagnostics-wmi-read-access-errors
Access errors encountered in attempts to read over WMI
rapid7-diagnostics-wmi-unknown-error
Unknown error occurred trying to connect to the WMI Service
rapid7-diagnostics-winrm-authentication-error
Authentication error when connecting to the WMI Service
rapid7-diagnostics-winrm-listener-error
The WinRM listener on the target appears to be blocking the scan engine from connecting
rapid7-diagnostics-winrm-unknown-error
Unknown error occurred trying to connect to the WinRM Service
rapid7-diagnostics-winrm-unencrypted
The WinRM service is operating over an unencrypted protocol, potentially leaking valuable data
Note that these “vulnerabilities” carry the lowest possible severity and will not increase your risk score. However, they may increase overall vulnerability counts, so we’re leaving them turned off by default for now. If you do scan with them, you can adjust the scope of generated reports to exclude these results if you don’t want them to get passed through to remediation teams.
The existing status shown in the Authentication column of Scan Results and Node pages will remain the same for the time being, so that it is available regardless of whether this new Scan Diagnostics check type is enabled and won’t adjust anything on the corresponding dashboard card.
We’d love to hear any feedback on this new feature! Please reach out to your Customer Success Manager to let them know how it’s working out in your scans.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Password-based credentials are a ubiquitous part of our online lives, but they are prone to vulnerabilities. Combatting those vulnerabilities has been a major hurdle for security professionals, and it’s come at major cost for businesses. We are reinventing the credentialing process for our Network Scan Engine with the release of the Scan Assistant — a safer way to scan assets that limits the inherent drawbacks of credentials.
Passwords as a means of securing computer systems have been around for 60 years. Scholars believe MIT’s Compatible Time-Sharing System was the first to implement a password to allow different users to log in. Since then, passwords have become ubiquitous. Every operating system, website, and WiFi connection utilizes passwords as a means of restricting access.
Unfortunately, this has also proven to be fertile ground for attackers who wish to gain unauthorized access to data and computer systems. Due in part to the popularity — and potential weaknesses — of passwords, businesses have spent enormous amounts of time and money in building robust security programs in order to protect their intellectual property.
As a part of any good security program, companies regularly scan their networks to identify where they are vulnerable. One of the most uncomfortable nuances of network scans is that in order to fully assess a set of targets, the scanner must be able to authenticate to those targets. Providing the necessary credentials to the network scan engine comes with a number of challenges. These include:
Increased security risk: Storing credentials within an application immediately makes that application a potential vector for attack. If the application is compromised or misconfigured, an attacker could gain access to a comprehensive list of credentials, giving them the ability to compromise a customer’s network.
Credential management: Storing credentials within an application introduces additional operational challenges with managing those credentials. Anytime a credential changes on a target or set of targets, that credential will have to be updated within the application. This results in administrators having to manage the same set of credentials within multiple systems, which can be burdensome and error-prone. Using a centralized credential vault can help mitigate this challenge, but not all organizations are in a position to deploy such a service for every target within their environment.
Insufficient permissions: In order for a network scanner to accurately assess and report on the risk for a set of targets, the scanner needs to be capable of collecting sufficient information. Thus, the credentials supplied need to have a broad range of permissions associated with them — ideally, root or administrator-level — so the network scanner can perform a full collection of data. In practice, many organizations are either unaware of this requirement or hesitant to do so. This can result in collecting incomplete information, leading to reports that don’t fully convey the targets’ vulnerabilities.
Introducing the Scan Assistant
The Engineering team here at Rapid7 has spent a significant amount of time discussing, researching, and brainstorms solutions to the challenges with providing credentials for the purpose of performing network scans. The team decided that the ideal solution for our customers was to eliminate the need for credentials altogether. This led to the development of the Scan Assistant.
The Scan Assistant is a lightweight service that can be installed on each target you’re scanning. It’s designed to work specifically with the InsightVM and Nexpose Network Scan Engine so it can scan targets without the need to provide credentials. When the Network Scan Engine scans a target containing the Scan Assistant, it collects all the necessary information required to fully assess that target.
The Scan Assistant supports both vulnerability and policy scans performed by the Network Scan Engine. Providing coverage for both types of scans was a key requirement for the team. As a result, customers can quickly identify vulnerabilities and validate policies within their network without the operational burden of managing credentials or permissions. Customers will continue to get the exact same insights into their network while simultaneously reducing the risk of managing credentials within the product.
How it works
The Network Scan Engine and the Scan Assistant communicate over an encrypted channel by using a TLSv1.2 certificate. When the Scan Engine scans a target, there are specific pieces of information that it needs to collect from that target. The Scan Assistant has been designed to only provide the specific data that the Scan Engine needs in order to fully assess the target.
This implies that the Scan Assistant does not provide a means for arbitrarily accessing the filesystem. Furthermore, all commands sent from the Scan Engine to the Scan Assistant are signed, ensuring that only the Scan Engine with the correct signing key is capable of requesting data from a Scan Assistant.
Why it’s better than a credential
Administrative credentials provide the Scan Engine with more access than it needs and put you at risk if those credentials are compromised. The Scan Assistant provides the Scan Engine with only the access it needs, reducing risk.
Root credentials give the Scan Engine unrestricted access to run commands over OpenSSH, which can also introduce risk. It can be a challenge to restrict commands using sudo or similar tools. To solve this problem, the Scan Assistant requires commands to be signed by Rapid7. This reduces risk and transparently limits what the Scan Assistant is allowed to run.
Why it’s secure (in more technical terms)
The Scan Assistant is built on the transport layer security (TLS) protocol and only enables algorithms specified in the Commercial National Security Algorithm Suite (CNSA) by the National Security Agency (NSA). This includes support for Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-521 curve to establish trust with the Scan Engine, and 256-bit Advanced Encryption Standard (AES) to achieve data secrecy between the Scan Engine and Scan Assistant.
The Network Scan Engine and the Scan Assistant use TLSv1.2 with two-way certificate authentication (client-side authentication). However, the server does not verify the client. Each time the Scan Assistant starts, it generates a new certificate. This makes it impossible to track an asset by tracking the scan assistant certificate used on the HTTPS listener. That means there’s no way for the scan engine to verify the certificate from the scan assistant. So in effect, the mechanism is a reverse one-way authentication.
Insight Agent vs. Scan Assistant
At first glance, it may seem that the Insight Agent and the Scan Assistant serve the same purpose. They are both small, background services that get deployed across a fleet of targets for the purpose of vulnerability and policy assessment. However, this is where their similarity ends. The Insight Agent and the Scan Assistant are fundamentally different in terms of the use cases they satisfy.
The Insight Agent is appropriate for assets that have internet connectivity and are capable of periodically publishing data to the platform. For these types of assets, such as laptops and workstations, the Insight Agent is the preferred technology.
The Scan Assistant is intended for assets and environments for which internet connectivity is either unavailable or heavily restricted. This may include assets such as Domain Controllers or database servers. Any device that is effectively air-gapped from the outside world would not be able to use the Insight Agent. These devices must be scanned using the Network Scan Engine in order to assess them for vulnerabilities. In this scenario, the Scan Assistant can help improve the performance of those scans without having to store credentials within the product.
Ultimately, you can deploy both the Insight Agent and the Scan Assistant to different parts of your network in order to provide a fast, secure, and comprehensive vulnerability assessment.
Feature
Insight Agent
Scan Assistant
Collection Type
Active – collects data periodically and publishes to the platform
Passive – only collects data when requested by a scan engine
Data Collected
Collects all data necessary in order to perform an assessment
Only collects the data requested by the scan engine
Platform connected?
Yes
No
Idle footprint
When not collecting data, periodically beacons health status to the platform
Contains an HTTPS listener waiting for incoming connections, otherwise does not perform any activity
Breakdown of the differences between the Insight Agent and the Scan Assistant
Performance improvement analysis
Preliminary performance analysis has shown promising improvements when performing scans with the Scan Assistant installed. Vulnerability scans have completed faster, and the total scan time has been more consistent than scans that rely on retrieving data via SMB or WMI.
Furthermore, scan times for policy-based scans have shown significant improvement, particularly against servers with a large number of users and groups (such as Domain Controllers). The following chart compares scan times for policy-based scans performed against different types of servers. The team plans to continue to collect and analyze the performance of the Scan Assistant and will share this analysis in a future article.
Scan duration comparison between the Scan Assistant and SMB.It’s important to note that the timescale is logarithmic, so for most cases, the Scan Assistant provides orders of magnitude better performance than the SMB protocol.
What’s next
Here are some of the major items we plan to work on next.
Add support for additional operating systems, including Linux, Unix, and macOS
Support the ability to perform DISA-based policy scans
Update the Security Console to support managing certificates on the scan engines
If you have any suggestions for features you would like to see, please speak with your Customer Success Manager.
Downloading the Scan Assistant
The Scan Assistant is currently in early access and is only available for Windows operating systems. If you are interested in the Scan Assistant and would like to deploy it in your environment, reach out to your Customer Success Manager to request access.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
In today’s post, we’re giving a rundown of new features and functionality launched in Q3 2021 for InsightVM and the Insight Platform. We hope you can begin to leverage these changes to drive success across your organization.
Apple Silicon support on the Insight Agent
We’re excited to announce that the Insight Agent now natively supports Apple Silicon chips!
Apple announced the first generation Apple Silicon chip — the M1 processor — in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.
The new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our Apple Silicon Agent Support blog post.
Asset and Vulnerability Details reports
This new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the Export to PDF button on the Vulnerability Details page, and you’ll have a PDF ready to share!
This is particularly useful if you’re attempting to collaborate while remediating a specific vulnerability. We’ll use a hypothetical security engineer named Jane to illustrate this.
Jane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.
Moreover, while undertaking this effort, another team member — Bill — finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization’s patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.
Snyk integration for reporting vulnerabilities
Container Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.
Emergent threat coverage recap
Q3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7’s VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, CVE-2021-34527, dubbed “PrintNightmare” presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the ProxyShell exploit chain put on-premises instances of Microsoft Exchange Server at risk for remote code execution. More recently, widespread attacks took advantage of CVE-2021-26084, a critical flaw in Confluence Server & Confluence Data Center, to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.
As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in vulnerability management at Rapid7.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
The world is changing rapidly. We hear that phrase a lot. Throughout Q2 though, it really is true. Vaccines have been rolling out, to varying success depending on the part of the world, but there is optimism.
As Rapid7 offices begin to open up to our hard-working team members around the globe, we want to infuse some of that optimism into the latest and greatest new features and updates now available to InsightVM customers. The back half of the year will no doubt bring new threats (will ransomware attacks keep going bigger?), so let’s dive into what’s new so you can prepare and prosper.
Honorable mention
In our Q1 recap, we covered 2 releases that can each have significant positive impact on your operations, so they bear repeating here.
Kubernetes integration
Now available in InsightVM, you can now navigate directly to the new Kubernetes tab to initiate the Kubernetes monitor in DockerHub. Then, deploy it to your clusters to see data in Container VRM within InsightVM. You can also see monitor health and connection details via the Data Collection Management page.
Scoped Executive Summary Report
The Executive Summary Report in InsightVM has expanded its functionality so users can filter the report for at-a-glance views of priority items. Shape the report to access key metrics and communicate progress to desired goals and outcomes.
Dashboards, consoles, and panels, oh my!
The new releases and updates for the second quarter of 2021 were aimed at quick-look features that bolster our goal of providing customers with evolving ease-of-use functionalities and products that increasingly focus on at-a-glance convenience.
What’s new: Dialing up dashboard performance
Featuring new cards as well as new ways to filter cards, these features solve 3 distinct issues:
Gaining insights into Microsoft’s vulnerability patch cycle
Rapid7’s Patch Tuesday dashboard template now provides an easy way to stay up to date on information associated with deployment of new Microsoft patches and cycles. Why search around for news or insights when you can get them in the one-stop-shop where your team already receives updates and kicks off remediation efforts on the latest vulnerabilities?
Featuring new cards detailing the assets affected as well as trends, assessments, and biggest risks, you can now learn about and prioritize remediation efforts on all Microsoft vulnerabilities within this expanded InsightVM dashboard.
Hunting down fine-grained vulnerability-and-remediation details
New card #1: New vs remediated vulnerability comparison over time
Displays trends in remediated vulnerability findings for date ranges you specify.
New card #2: Average days to remediate by severity
Compares the average number of days needed to remediate a specific vulnerability against all vulnerabilities remediated for a week you specify.
New card #3: Number of unique vulnerabilities
Expandable table shows the number of all unique vulnerabilities in the Rapid7 database for which InsightVM has checks as well as the number of all unique vulnerabilities in the user’s environment.
New card #4: Asset type
Bar chart displays device type for assets in the scope you filter. Each bar shows the quantity of a group of os.type, sorted from left to right.
Filtering every card in a dashboard to focus the view on a group of assets or issues
If this were about finding the best way to navigate your way past a big city, we would say this new feature is the loop that takes you around the traffic vs taking the surface streets that often put you in the traffic.
You can now quickly filter all of your cards by applying a single query to your dashboard. Gone are the days of manually filtering each and every card just to focus your view on a group of assets or vulnerabilities. Long story short: You save more time by quickly filtering to your desired view.
What’s improved: Shortcuts to what you need
To continue the traffic analogy, getting somewhere faster than you’re used to is always a great thing. The latest InsightVM improvements help you do just that by addressing 3 issues:
Manually loading custom vulnerability checks
Now you can simply deploy a check, load it into the Security Console, then the console does the rest. Just load the check, start the scan, and the console will automatically push that check to whichever Scan Engine(s) you specify.
More context needed
Peek. Panel. Proof. What that actually means is InsightVM now offers at-a-glance context about a specific vulnerability via a “peek panel.” When a user clicks on an affected asset from the vulnerability details page, the panel opens to the right and displays the proof details.
Gaining results visibility
Teams assessing container image builds in their CI/CD pipeline can now see results in the InsightVM Container Security feature Builds tab.
We hope you have a successful quarter and a great season, wherever your business takes you. Until next time…
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
On March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC) released details on an active state-sponsored threat campaign exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group “assessed to be state-sponsored and operating out of China.”
Rapid7 detection and response teams have also observed increased threat activity against Microsoft Exchange Server since Feb. 27, 2021, and can confirm ongoing mass exploitation of vulnerable Exchange instances. Microsoft Exchange customers should apply the latest updates on an emergency basis and take immediate steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. Rapid7 has a comprehensive list of IOCs available here.
The actively exploited zero-day vulnerabilities disclosed in the MSTIC announcement as part of the HAFNIUM-attributed threat campaign are:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Also included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless:
Microsoft has released out-of-band patches for all seven vulnerabilities as of March 2, 2021. Security updates are available for the following specific versions of Exchange:
Exchange Server 2010 (for Service Pack 3—this is a Defense in Depth update)
Exchange Server 2013 (CU 23)
Exchange Server 2016 (CU 19, CU 18)
Exchange Server 2019 (CU 8, CU 7)
Exchange Online is not affected.
For Rapid7 customers
InsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks. Customers will need to perform a console restart after consuming the content update in order to scan for these vulnerabilities.
InsightIDR will generate an alert if suspicious activity is detected in your environment. The Insight Agent must be installed on Exchange Servers to detect the attacker behaviors observed as part of this attack. If you have not already done so, install the Insight Agent on your Exchange Servers.
Building security into your overall vulnerability risk management (VRM) strategy is a must-do in the age of the all-important web app. Between security and IT-Ops teams, there are a number of steps in the VRM process, including asset identification, enumeration, prioritization, and remediation. How does application security fit in?
Co-sponsored by Forrester, a recent Rapid7 webcast expounds upon the topics discussed in this blog post. The distinguished subject-matter experts and presenters also dive deep into the nitty gritty of what it takes to get a better night’s sleep by creating a VRM strategy that extends to the application layer. Watch the webcast here, and read on for our recap below!
Web applications and APIs are assets, too
Applications are one of the most common ways attackers are getting in. In a recent survey, Forrester found that 31% of firms suffered a breach as a result of an external attack, with applications serving as one of the most common attack vectors. Along with all other assets in a VRM program, web apps must be prioritized as assets that need to be covered.
Knowing this, security leaders have started to think harder about application security. But just because it’s a top priority, does that mean it’s the company’s? Bringing stakeholders into the process early is key, because getting that application layer covered affects the entire organization. The more buy-in and support from everyone who has a stake in getting secure products to customers, the more value everyone gets from a comprehensive VRM investment.
Building security in
Buy-in comes from building in. Static Application Security Testing (SAST) is a process that can find flaws early in the life cycle of applications, providing guidance to dev teams so they can find and fix issues early in the process. Adopting SAST in the development phase means making it easier for developers to remediate as they’re coding.
Further, Software Composition Analysis (SCA) tools can help analyze the open-source libraries and third-party components that go into creating a large portion of today’s applications. A modern VRM program also needs to consider these components as assets to cover. Building these processes and tools into the Software Development Lifecycle (SDLC) will help dev teams experience fewer security flaws, get real-time education, and eventually find the ability to scale quickly.
However, as development approaches change, more and more organizations are struggling to identify and secure the sheer number of APIs built into their applications. Security teams might understandably be rushing to keep up with:
Identifying and cataloging APIs and endpoints
Assuring and managing API user identities
Meeting regulatory and compliance requirements
How can security pros start thinking about baking those processes in earlier?
Understanding API security
There is no single tool for API security. A holistic approach includes identifying what sorts of APIs are out there, assessing them for organizational fit, and scanning and testing them for vulnerabilities. It also includes managing them throughout deployment and production. Does the traffic match how you expect the API to behave?
Looking at API security from the client to the backend is also key. Not only does your existing application tooling need to be inclusive of API behavior, but additional tooling may be of great insight when looking at API-specific issues like managing authentication and authorization. Remember, new development methodologies will requite new security patterns.
Zoom out: What are you looking to accomplish?
When it comes to rethinking or building a sound VRM strategy, performing foundational work up front will help get organizational buy-in faster. It’ll take time to inventory everything that’s sitting at the edge, from web applications to APIs to third-party vendors. Recognizing that a significant shift will take time and being transparent about this with stakeholders can only help streamline the process. So, why invest the time?
As more people than ever before shift to a work-from-home environment, organizations may not feel as safe as they once did having corporate information residing on endpoints scattered around the city and, indeed, the world. Following along naturally to this issue is increased questioning and anxiety from cyber-insurers and auditors, particularly as it concerns things like an organization’s supply chain and partners. Much like the recent SolarWinds incident, an attack on one organization can quickly escalate into a threat against its partners.
If you’re part of an organization beginning to engage more with your existing supply chain or validations, it’s important to remember that you are also part of their chain. So, it can be a reciprocal nature of checks and scrutiny as more partners come online. In this entire ecosystem, a good rule of thumb is to remember that exploitation has a real cost—whether the attacker’s intent is simply to disseminate sensitive data or there’s a ransom scenario afoot. Defining security frameworks and testing them against overall goals can help translate processes down into each project as well as speed up validation with a potential partner.
Extend, extend, extend
When it comes to rethinking or building a sound VRM strategy, extending that foundational security work to your web applications at the edge is a modern best practice that can yield many benefits—whether it’s protecting against someone probing for their own nefarious purposes or looking to sell that information down the line. It can also start to create an ingrained culture of taking proactive and protective steps to secure applications and the tools on which they’re built.
A growing remote-work culture demands a graduation in the approach to security. It’s time to test, monitor, secure, and extend to the application layer.
A modern methodology for vulnerability management (VM) is vital for organizations looking to minimize attack surfaces by prioritizing potential threats. This includes identifying, evaluating, treating, and reporting on security risks across key systems and the software that runs on them. An example of this full-stack approach includes broader coverage of on-premises and virtual environments, inclusive of web-application testing, and leveraging best-in-class practices and tools.
A good place to start is establishing an asset management solution. Gaining a full understanding of the vulnerabilities associated with each asset across the network is key to informing stakeholders, prioritizing vulnerabilities, and remediating issues. Due to the persisting COVID-19 pandemic, these assets are increasingly part of a growing remote workforce continuously expanding every organization’s attack surface. As assets are no longer regularly connecting to corporate networks, traditional vulnerability scans aren’t possible.
This has paved the way for agents to plug that particular vulnerability. For instance, Rapid7’s Insight Agent is lightweight data-collection software you can install on any cloud-based asset. Let’s take a more in-depth look at modern vulnerability risk management (VRM) and what to look for in a holistic solution.
The need for speed
The COVID-19 pandemic has accelerated the evolution of security and protections for an unplanned, exponential growth in the global remote workforce. This means a faster digital transformation for every industry and organization. It means a faster pace of spinning up and scaling new apps. And it means quickening cloud adoption as IT teams scramble for accessible and reliable places to host mission-critical services. So how do we go about securing every layer in this new era of VRM?
Prioritizing vulnerabilities is more important than ever. Limited time and an ever-changing threat landscape make it unrealistic for teams to try and fix everything. Scrambling to do so could mean critical threats escaping through the cracks.
Developing strong partnerships has new meaning because, most likely, those partnerships will be virtual for the foreseeable future. Thus extra attention must be paid to maintaining them so there are more reliable eyes monitoring for vulnerabilities and ready to jump into action if a threat arises.
Incorporating a full-stack approach means testing traditional and cloud infrastructure, and extends to the applications those environments host. Teams must move carefully, but also expediently when leveraging scan engines and agents to remotely monitor servers.
With the acceleration of seemingly all security processes, it’s also important to remember to take stock of what’s working and what’s not. No matter how many fancy features, a solution is only worth the investment if it meets your organization’s unique needs and drives eventual ROI.
About that application layer
Gaining real-time understanding of an attack on your web apps provides actionable intelligence for quick remediation while providing an opportunity for a team teaching moment for the next time it happens. InsightAppSec and tCell from Rapid7 is a test-monitor-prevent solution that focuses on neutralizing vulnerabilities at the application layer.
With guided remediation into web app flaws, you can begin building a road map for making more secure applications. You’ll start by scanning your applications in as few as five minutes so you can get visibility into the weaknesses that exist in your applications. From there, you’ll be able to view severity and remediation guidance, and share with key stakeholders to allow you to collaborate faster and scale easier. Scan on- and off-premises apps with InsightAppSec’s powerful cloud engines, accessing all of your internal and external scan configurations from a central console.
The ability to monitor more apps in more environments will be key for the future of your business, and is an extra layer of protection for vulnerabilities you can’t remediate in time. Finding solutions that include functionality to help your remediation stakeholders understand the context of the associated vulnerabilities (Attack Replay, granular remediation guidance, etc.) will allow you to partner more effectively.
An increased reliance on direct-to-cloud app deployment is a natural evolution. Benefits like higher baseline security, automated hardening, and increased flexibility are attractive. But all of that demands more time and more vigilance.
But what about the infrastructure? (People and machines)
Consider this: It’s not just about remediation, it’s also how you navigate the red tape. Grasping a more complete picture of how vulnerabilities translate to business risk is key not only for communicating those risks to higher-ups, but also maintaining and growing things like team headcount. After all, you have to have people to solve the problems. InsightVM, Rapid7’s vulnerability management solution, can help you understand and prioritize risk, with clarity.
Assume everything along your attack surface is being targeted by threat actors. These days, the reports of malicious events are coming more frequently. But covering local, remote, cloud, containerized, and virtual infrastructure is possible with InsightVM. It’s not a guaranteed catch-all solution, but it does provide the shared view and common language that can bring together traditionally siloed teams. It also paves the way for collaboration and accountability between those teams, making it easier for remediators to drive impact, celebrate progress, and improve ROI.
With more fully supported integrations than any other VM vendor as well as the ability to automate virtually any aspect of vulnerability scanning with RESTful API, it’s now possible to get a near-complete story of the security of your infrastructure and how it affects business.
A fortified foundation
Together, InsightVM and InsightAppSec can be complementary solutions to security organizations looking to tailor or refine any on-premises, off-premises, or hybrid VRM program.
Comprehensive visibility at the infrastructure layer empowers you to leverage people more efficiently.
Click-and-scan security testing at the application layer enables rapid return of actionable results … and peace of mind.
Robust reporting capabilities featured in both solutions make it easy to measure progress and report it to key stakeholders.
A single pane of glass is the best way to see real-time processes at work as well as the overall security status of your world.
A full-stack approach can help you secure every layer of your attack surface. Then someday, perhaps we won’t call it an “attack” surface anymore.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Organizations are in a constant struggle to identify and reduce risks in their constantly changing environments. These changes may manifest by several means and can be recurring events.
For example:
Laptops and other devices are commissioned or decommissioned due to changes in the workforce.
Your security tool discovers that assets in your environment contain several vulnerabilities recently discovered by researchers.
New software or services are deployed to your organization that introduce new risk via new vulnerabilities.
Your IT team deployed a round of patches to local assets, which significantly decreased the number of vulnerabilities in your environment.
The obvious challenge here is that these changes create moving targets and security teams need to quickly identify, prioritize and remediate risk as it’s introduced. We developed our Significant Changes in the Last 30 Days dashboard in InsightVM in order to provide a lens through which we can highlight the differences in your environment from the past 30 days to present day, as well as the ability to pivot the findings into a Remediation Project directly from the dashboard.
Users may easily create this dashboard by selecting the template titled “Significant Changes in the Last 30 days.” This action will create a local copy of the dashboard for you and save three new asset queries in your query library. These queries are:
Assets Discovered in the Last 30 Days,
Critical Vulnerabilities Discovered in the Last 30 Days
Vulnerabilities Discovered in the Last 30 Days
These queries all filter the cards on the dashboard, and we’ve added the ability to view the queries applied to this Dashboard, which will allow you to further focus the finding on the dashboard.
Users are completely able to add and remove cards as they wish. However, the following cards are included in the template:
Total Asset Trends
This card shows the total number of assets in your environment, as well as the total number of new assets in the past 30 days and the total percentage of increase.
Number of Critical Vulnerabilities Found in the Last 30 Days
These are the total number of vulnerabilities with a severity of “critical” found within the last 30 days of the current date.
Number of Exploitable Critical Vulnerabilities Found in the Last 30 Days
This card shows all vulnerabilities with a severity of critical and known exploits. These provide a powerful view into vulnerabilities attackers could easily exploit.
New vs. Remediated Vulnerabilities
This card shows the number and percentage of new, remediated, and unchanged vulnerability findings. This is powerful in showing which vulns in your environment have been addressed, which are new, and which have remained static.
Assets by Risk and Vulnerabilities Found in the Last 30 Days
This visualization helps you identify the riskiest assets in your environment based on the number of vulnerabilities and the associated risk score. The size of the bubbles indicates how many assets exist for a given vulnerability count and risk score range.
Vulnerabilities by CVSS Score
This card shows the vulnerabilities found in your environment in the past 30 days grouped by CVSS score range (e.g., CVSS 7.0–10).
Newly Discovered Vulnerabilities by Total Risk Score
This card allows users to leverage our Real Risk score in order to identify and prioritize vulnerabilities discovered in the past 30 days.
Assets With Actively Targeted Vulnerabilities
This card is intended to enable users to identify vulnerabilities that are actively being targeted in the wild, and therefore presenting a great degree of risk.
Assets by Number of Running Containers
This card is intended to identify risk exposure by showing container hosts and the total number of containers running on these.
Top Riskiest Assets
This card lists the riskiest assets discovered in the past 30 days, allowing teams to prioritize remediations that will help reduce risk quickly.
Most Common Software
This card shows the software most commonly used in their environment, allowing teams to prioritize their efforts at those items with the greatest surface area.
Most Common Services
This card shows the services most commonly deployed in their environment, giving them insight into what could be of the most importance.
New Vulnerability Findings
This card shows the total number of vulnerability findings discovered in the past 30 days, and expanding this view shows a list of these. This allows teams to identify recent vulnerabilities and prioritize those accordingly.
Remediated Vulnerability Findings
Finally, some positive news. This card demonstrates remediated vulnerabilities in the past 30 days, and this allows teams to demonstrate their progress on a monthly basis.
Per usual, users are able to arrange cards per their desires as well as share these with team members. We think this dashboard has the potential to provide deep visibility into changes in their environments and we hope this will help drive customers to a safer state.
Not an InsightVM customer? Watch this on-demand demo to see our vulnerability risk management solution in action.
InsightVM and Nexpose customers can now harness the power of the Metasploit community to assess their exposure to the latest threats. The Feb. 3 release of InsightVM and Nexpose (version 6.6.63) includes a beta version of the Metasploit Remote Check Service, bringing Metasploit check method capabilities to Linux-based Scan Engines to enhance their remote vulnerability coverage capabilities.
The Metasploit community is well-known and highly regarded within the security space for being a community of experts. With this feature, Rapid7 is bringing this expertise to Linux Scan Engines.
Many vulnerabilities that can be exploited by Metasploit are low-hanging fruit for hackers and script kiddies. With the Metasploit Remote Check Service, your Scan Engines will be more capable of identifying these.
You don’t have to worry about Metasploit running potentially harmful exploits against your endpoints; the Scan Engine will only ask it to perform safe checks. There is no ability to deliver offensive payloads.
How to enable the Metasploit Remote Check Service
Getting started with the Metasploit Remote Check Service is easy—simply run a console command once, and it leverages existing scan engines already deployed in your environment. For information on how to enable this beta feature, please see the product documentation
Windows Engine Support
Due to limited support of Metasploit on Windows, in this initial beta release we have focused on adding support for Linux Scan Engines only.
If you are only using Windows engines but you would like to try the Metasploit Remote Check Service feature, you may wish to try using the Scan Engine container image.
Initial Metasploit Remote Check Service content
As part of the initial beta program, we’ve focused on adding remote checks that improve visibility into misconfigured developer environments and services. Many of these are not covered by traditional VM tools, despite representing significant value to attackers.
We’re including the following new vulnerability checks, which make use of the new Metasploit Remote Check Service to remotely assess assets:
rConfig Install Command Execution – Identify exposed rConfig endpoints that allow attackers to remotely execute system commands via an HTTP GET request.
Redis Replication Command Execution – Identify exposed redis endpoints that provide remote execution access to attackers via the service’s extension functionality.
We’d love to hear your feedback
Based on the success of this beta feature, more content will follow. If you have any feedback regarding this feature, please contact your Customer Success Manager or our Support team.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Web applications have been growing in complexity over the past several years, while also becoming the preferred method for attackers looking to capitalize on emergent technologies. This is a trend that will only persist and evolve, so it’s crucial to extend your web application testing strategy to your development team’s practices and languages. We’ll say it simply: Managing your overall risk must extend to weaknesses in your web apps and APIs. This webcast will be offered live on two dates—please register by choosing the region closest to you:
Exploitation can happen anywhere across your attack surface, so it’s critical that your vulnerability risk management (VRM) program provides enhanced visibility into web apps as well as traditional on-premises and cloud infrastructure.
Join Forrester’s principal analyst for security and risk professionals, Sandy Carielli, and Hypertherm’s information-security manager, James Thompson, for our Feb. 11 webcast as they discuss:
Best practices and common challenges for a sound VRM strategy
Their thoughts on extending a holistic VRM approach to the application layer
How James uses both InsightVM and InsightAppSec to secure every layer of the modern environment
Why it’s so important to have mitigating controls in place for possible exploitation
And, if your team is considering an expanded presence in the cloud, your solution needs to eliminate as many blind spots across your environment as possible. Start gaining deeper visibility into potential real-time attacks and minimize their ability to create chaos in your world.
We hope to see you there!
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Here at Rapid7, we’re pretty proud of the work that goes into keeping InsightVM a leader in the vulnerability risk management space. We’re constantly investing in and improving InsightVM capabilities so our customers have no trouble seeing and proving value. That said, here’s our roundup of the new and improved features we’ve updated in Q4.
[NEW] Fewer false alarms and faster reporting with InsightVM’s new false positive investigation tool
You can now investigate vulnerability findings as potential false positives directly from your Security Console. If your investigation determines that the finding could indeed be a false positive, you can send the results to Rapid7 for analysis with just one click. For more details, see our help documentation and blog post.
[NEW] Improvements made to the Goals and SLAs wizard
We’re excited to announce that creating a goal or SLA in InsightVM just became a lot simpler. Instead of following a four-step process, we’ve gotten it down to three: use, sort, and define your data, establish the conditions you want to meet, and save your goal using our three-step wizard. This new context-sensitive workflow allows you to create meaningful goals faster and with fewer steps. For more details, see our help documentation and blog post.
[NEW] Creation of Insight Platform accounts for non-admin users
The Rapid7 Insight platform provides data collection, visibility, analytics, and automation to establish a shared point of view between security, IT operations, and DevOps teams. Insight platform accounts are now available for non-admin users of InsightVM. This allows access to InsightVM through insight.rapid7.com. To complete the activation process, check out our help documentation. At the conclusion of this activation process, your Insight account will be used to authenticate your access to InsightVM’s cloud capabilities.
[IMPROVED] More dashboard controls for admins
Administrators now have full visibility on all user-created dashboards in their organization and can delete them if necessary. Simply navigate to the Dashboard Library to see a list of InsightVM dashboards created by other users. The ability for Admins to now delete user-created dashboards eases the pain of managing dashboards across the organization. This is especially beneficial for if an employee leaves – you’ll now have an easy way to manage/remove orphaned dashboards. For more information on managing dashboards in InsightVM, see our help documentation.
[NEW] New Snyk vulnerability content for container assessment
We know many development teams these days are taking advantage of containerized software applications that may contain all of the necessary code, runtime, system tools, and libraries needed to run an application. Despite the benefits of efficiency from a development standpoint, containers may present risks that are often difficult for security teams to identify. This can be attributed to multiple factors, including how fast things change in containerized environments and the types of packages found within these environments.
InsightVM now integrates with Snyk, a leading provider of software composition analysis (SCA) in containerized applications. Snyk provides deep visibility into Open Source Software (OSS) vulnerabilities. With this new integration, InsightVM can consume Java vulnerability content from Snyk Intel Vulnerability DB. No customer action is needed to leverage this integration. Behind the scenes, InsightVM is consuming content from Snyk, building vulnerability checks around this content, and delivering it as checks within the Container Security feature in InsightVM. For more details, see our blog post.
[NEW] Scope and schedule reports with the new report creation wizard
We’ve made it easier to collect, analyze, and report InsightVM data all in one place. Using our Report Creation Wizard powered by Query Builder, you can create customized reports and opt to run recurring reports on a schedule. You can share directly with stakeholders to help you communicate about your work and gain insight into your organization’s vulnerability management program. For more information, see our help documentation.
[NEW] Audit logging for Custom Policy Builder
As organizations continue to harden their policies through customizations, it becomes extremely important to keep track of all these changes, because these customizations may significantly impact an organization’s overall compliance. You can now configure Custom Policy Builder to send audit logs that capture every policy update implemented by your users. These audit logs record which changes were made to a policy, when those changes were applied, and who was responsible for them. Use this new functionality to allow another user or an auditor to view the change history of any policy when needed. For more details, see our help documentation and blog post.
Not an InsightVM customer? Watch a demo of our award-winning vulnerability management solution.
When it comes to offloading security controls to the cloud, it may seem counterintuitive to the notion of “securing” things. But, when we consider the efficiency to be gained by shifting right with some security controls, it makes sense to send more granular, ground-up responsibilities to a trusted managed services cloud partner. This could help to increase development-and-deployment velocity, without compromising the integrity of your bespoke process.
Building a true DevSecOps ecosystem is probably a common goal for most teams. However, uncommonality most often enters the picture in the forms of both technical and organizational roadblocks. Let’s take a look at some key insights from a 2020 SANS Institute survey on current industry efforts to more closely integrate DevOps and SecOps—and how you can plot your best path forward.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
In more traditional environments, security teams often feel they’ve been left behind by the pace of DevOps. Vulnerabilities are introduced faster than SecOps can likely find them. The shift is with teams that are building continuous delivery frameworks, with compliance checks at every stage of the game. It becomes a matter of defending the environment as it’s being built.
Currently, about 74% of organizations are deploying changes more than once per month, according to SANS. Often, these are weekly or daily instances. So, velocity is increasing, primarily out of a need to get customers what they need, faster. Traditional change approvals and security controls are becoming more guardrail-style checks. The challenge, however, lies in optimizing the process and keeping it as secure as possible.
Increasing cloud adoption
From a security perspective, transitioning to a cloud provider’s responsibility model can better match the pace of DevOps and increase delivery speed. When both of these velocities are increasing, albeit responsibly, that’s better for business.
Cloud-hosted VM platforms allow teams to spin up processes more quickly compared to a traditional setup.
Adoption is accelerating for cloud-hosted container services and serverless platforms because providers are doing more provisioning, patching, and upgrading for many existing execution environments.
More organizations are running on cloud-hosted VMs versus container services and serverless platforms, but that could change because the latter two options allow you to further reduce your responsibility model.
Multi-cloud motivations
About 92% of organizations run on at least one public cloud provider. But for about 60% of those companies, the main motivations behind spreading services out between multiple providers are not quite as technical as one might imagine.
Mergers and acquisitions can cause obvious complexity, as companies link up and potentially run similar processes in different cloud environments like AWS, Azure, or GCP. There are also decision-makers and teams that prioritize a task-based approach and pick the best environment to get a particular job done. The benefits of a multi-cloud environment could then become drawbacks, as security becomes more difficult to plan for and understand. And no one wants complexity in an approach that is essentially supposed to offload responsibilities and make things easier.
Risk doesn’t translate for SecOps
As more DevOps teams increase their use of JavaScript, traditional security controls don’t support the popular format as well as other legacy languages. In this situation, there is greater risk. However, an older web app that hasn’t been updated in a while could be the tip of the iceberg in terms of the technical debt sitting out there.
Apps built on older languages like Java, .NET, and C++ could leave exposures open as teams roll over to newer languages. So, this situation also presents risk. Security teams may not even be aware they’re in the dark about vulnerabilities those legacy apps present, as they try to keep pace with DevOps.
The future of shifting left
When it comes to security testing phases,there’s still a heavy tendency toward QA. More is being done to integrate those protocols in the process, but the sea change of baking testing into earlier phases largely has yet to occur.
Over the next decade, teams will likely adopt more cloud-based integration tools like AWS CodePipeline, Microsoft Azure DevOps, GitHub Actions, and GitLab CI. In these instances, the cloud provider is managing more for you, minimizing attack surfaces and providing more built-in security. GitHub and GitLab, in particular, are trending toward greater baked-in security.
Jenkins has been the continuous integration tool of choice for about the last decade. However, the 24/7 nature of running on-premises or in the cloud to manage builds, releases, and patches can increase the attack surface.
When it comes to container orchestration tools, cloud-managed services like AWS Fargate and Azure Container are beginning to pull even with cloud-hosted services like Docker and Kubernetes. It’s becoming more attractive to outsource control-point and hardening responsibilities, so that security can shift further left into containers; it simplifies testing and helps ease deployment.
The future of shifting right
Security-testing responsibility lies with actual security teams about 65% of the time. Yet, managing corrective actions lies with development teams about 63% of the time, according to SANS. These numbers indicate largely siloed actions blocking the path to a true DevSecOps approach.
The biggest success measurement of DevSecOps is the time it takes to fix an issue. Aligning teams to tackle an issue in a speedy manner can make or break. Additionally, identifying post-deployment issues can help to improve shift-left controls to prevent those issues from ever escaping into production.
A 100% cross-functional effort most likely will not be achieved by every organization. However, moving closer to this goal could help strengthen teams, boost morale, and feed back key learnings to ultimately increase the speed of success.
In conclusion
Ironically, the biggest challenge of all isn’t technical in nature. Red tape within organizations can present challenges like lack of buy-in from management, insufficient budget (open-source tools can help here!), and siloed efforts. Additionally, a shortage of skilled workers could reinforce the same old decision-making patterns at those management levels.
When it comes to closely aligning teams and getting more time back to innovate, it’s often a cyclical dance of shifting right to improve your efforts in shifting left. For example, can you move further right into the cloud rather than building do-it-yourself, comprehensive solutions to security? Offloading could help to create more controls for enforcing security in tandem with DevOps.
No one wants to compromise the integrity of deploying on time, particularly as it relates to customers and your company’s bottom line. Co-sponsored by Rapid7, this recent SANS webinar presents an in-depth look at key statistics from a recent survey of companies and their advancements—or lack thereof—in DevSecOps.
Since 2018, thousands of enterprises have utilized InsightVM’s Goals and SLAs feature to build their organization-specific security goals. Through Goals and SLAs, security teams ensure that they’re making progress toward their goals and service-level agreements (SLAs) at an appropriate pace, and that they’re maintaining compliance with the standards set for their program. Not only do Goals and SLAs enable our customers to deliver impact, but they are also super easy to set up. In fact, with the newly redesigned Goals 2.0 wizard, the average customer creates a new goal in less than five minutes.
Creating goals in InsightVM may be easy, but we know that executing on those goals can be challenging, especially when multiple, cross-functional stakeholders are involved. To help you with these challenges, we have enhanced the Goals and SLAs feature by enabling Goal Owners to share goals with other stakeholders. In doing so, Goal Owners and the teams they work with can more efficiently execute on goals, and visibility of goals can be shared more widely. Want more details on how this updated functionality can deliver value to your organization? Keep reading!
Not an InsightVM customer? Watch our on-demand demo.
A Goal Owner can now share their goal directly with other stakeholders, such as a fellow team member or manager, through Step 3 of the Goal Wizard, called “Review.” Goals can be shared during the creation of a goal or after a goal has already been created.
It is common for Goal Owners to assign their created goals to a Live Dashboard for easy tracking. If a Goal Owner chooses to share a goal with another stakeholder, any shared dashboard containing that goal card will automatically be made available to that stakeholder, increasing awareness and recognition of the goal and any progress made toward it.
Increase visibility and productivity
As mentioned earlier, the success of a goal depends on multiple people collaborating from different teams. A security manager is responsible for translating their CISO’s key risk indicators into security performance metrics that can be monitored on a continuous basis. The same security manager is also responsible for working with many teams, such as global risk management, information security, and remediation teams, to execute on security program goals. It’s absolutely imperative that every team member involved each has the same view into the security program goals to avoid the typical back-and-forths and long turnarounds. By sharing goals among stakeholders, the security team can collaborate with other cross-functional teams in a more effective manner.
Reduce noise and build focus
Until now, all InsightVM users were able to create a goal. After extensive user research and feedback, we have come to an understanding that security managers are typically responsible for coming up with goals, and it almost always leads to better performance when every team member is executing on the same goals.
We are now offering a new platform permission, “Remediation Projects and Goals and SLAs,” on the InsightVM security console that will allow security administrators to fine-tune their users’ permissions, thereby limiting the ability of some users to create goals. The users without goal permissions can still receive a shared goal and continue to execute on goals, but they will not have the permission to create goals.
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.
