The Rapid7 InsightConnect Extension library is getting bigger! We’ve teamed up with IT operations platform, Automox, to release a new plugin and technology alliance that closes the aperture of attack for vulnerability findings and automates remediation. Using the Automox Plugin for Rapid7 InsightConnect in conjunction with InsightVM, customers are able to:
Automate discovery-to-remediation of vulnerability findings
Query Automox device details via Slack or Microsoft Teams
Getting started with Automox within InsightConnect
Automox is an IT Operations platform that fully automates the process of endpoint management across Windows, macOS, Linux, and third-party software — including Adobe, Java, Firefox, Chrome, and Windows.
The Automox InsightConnect Plugin allows mutual customers of Rapid7 and Automox to expand their capabilities between products, ultimately streamlining cyber security outcomes and operational effectiveness. Seamlessly transition CVE-based vulnerability findings through discovery to remediation, and perform device queries without needing to leave Slack or Microsoft Teams!
Example workflows you can start leveraging now with the Automox Plugin
Generate Rapid7 InsightVM Report and Upload to Automox Vulnerability Sync: An example workflow that leverages threat context for assets and prioritizes them for remediation. An InsightVM report is automatically generated and uploaded using Automox’s Vulnerability Sync for easy remediation, saving internal teams precious time and effort in managing critically emerging threats – from start to finish.
Automox Device Lookup from Microsoft Teams: An example workflow that lets a user query a device in Automox directly from Microsoft Teams.
Automox Device Lookup from Slack: An example workflow that lets a user query a device in Automox directly from Slack.
For more information or to start using this plugin, access and install the Automox Plugin for Rapid7 InsightConnect through the Rapid7 Extension Library.
The world of cybersecurity never has a dull moment. While we are still recovering from the aftermath of Log4Shell, the recent ContiLeaks exposed multiple vulnerabilities that have been exploited by the Conti ransomware group. It’s critical for your team to identify the risk posed by such vulnerabilities and implement necessary remediation measures. As you will see, the product updates our vulnerability management (VM) team has made to InsightVM and Nexpose in the last quarter will empower you to stay in charge — not the vulnerabilities.
But that’s not all we’ve improved on. We’ve increased the scope of vulnerabilities tracked by incorporating CISA’s known exploited vulnerabilities (KEV) in the Threat Feed, usability enhancements, targeted reporting and scanning, and Log4Shell mitigation checks. And we’ve released our annual Vulnerability Intelligence Report to help you make sense of the vulns that impacted us last year and understand the trends that we will all be facing this year. Our team also offers practical guidance to help the security teams better protect themselves.
Let’s dive into the key feature releases and updates on the vulnerability management front for Q1 2022.
CISA’s KEV list: Detect, prioritize, and meet regulatory compliance
[InsightVM] ContiLeaks Helpful Query to easily detect ContiLeaks vulns and ensure compliance
CISA’s KEV catalog is part of the agency’s binding operative directive that has reporting requirements for federal agencies and civilian contractors. The recent ContiLeaks revealed over 30 vulns that are now a part of CISA’s KEV. While users could always build a query in IVM to identify these vulns, doing so is time-consuming and can be prone to error. The ContiLeaks Helpful Query takes out the manual effort and lets customers easily locate 30+ ContiLeaks vulnerabilities in their environments. When the query is loaded into our Specific Vulnerability Dashboard template, it can give an at-a-glance view of the company’s risk posture as it relates to the Conti threat. In addition to helping customers identify the exploited vulnerabilities in their environment, the update will also help them stay within the bounds of CISA’s operative directive.
[InsightVM] Threat feed dashboard now includes CISA’s KEV catalog
While we are on the topic of CISA, you will be excited to learn that we have expanded the scope of vulnerabilities tracked to incorporate CISA’s KEV catalog in the InsightVM Threat Feed Dashboard, including the Assets With Actively Targeted Vulnerabilities card and the Most Common Actively Targeted Vulnerabilities card. The CISA inclusion makes it easy to see how exposed your organization is to active threats and inform prioritization decisions around remediation efforts.
We have also added a new “CISA KEV (known exploited vulnerability)” vulnerability category to allow for more targeted scanning (i.e. scanning the environment for CISA KEV entries only). You can also use the CISA KEV category to filter scan reports.
Improvements to credentials
[Insight VM and Nexpose] A new credential type to support scanning Oracle Databases by Service Name
InsightVM and Nexpose customers have always been able to scan Oracle databases using SIDs (system identifiers) but were previously unable to provide a Service Name in the credential. This meant a gap in visibility for Oracle databases that could only be accessed via their Service Name. We were not happy with this limitation. Now, you now configure Oracle Database scans to specify a Service Name instead of an SID (you can still use the SID, if you want!) when authenticating. You now have the visibility into a wider range of deployment configurations of Oracle Database and the ability to configure scan using Service Name or SID.
[Insight VM and Nexpose] Automatic Scan Assistant credentials generation
Last year, we introduced Scan Assistant, which alleviates the credential management (for Scan Engine) burden on vulnerability management teams. For the Scan Assistant to communicate with the Scan Engine, it requires digital certificates to be manually created and deployed on both the target assets and the Nexpose / IVM Security Console. Manually creating the public / private key pair is a complex and error-prone process.
With this update, we are taking some more burden off the vulnerability management teams. You can now use the Shared Credentials management UI to automatically generate Scan Assistant credentials. This not only reduces the technical expertise and time required to manage Scan Assistant credentials but also makes for a user-friendly experience for you.
[Insight VM and Nexpose] Log4Shell mitigation checks
The product improvements list would be incomplete without an update on Log4Shell.
If you are vulnerable to Log4Shell, you can edit the JAR files on a system to take out the vulnerable code and thus not get exploited. However, it is difficult to keep a check on this manually. This update adds that extra capability to not only look at the version of Log4j that was present in your environment but also check if it has been mitigated — i.e., if the vulnerable code is removed.
Authenticated scans and Agent-based assessments can now determine whether the JNDILookup class removal mitigation for Log4Shell has been applied to Log4j JAR files on Windows systems. This will reduce the number of reports of the vulnerability on systems that are not exploitable. We also added an Obsolete Software vulnerability check for Log4j 1.x, which will let you find obsolete versions of Log4j in your environment.
Stay in charge
As always, we hope these updates will make it easier for you to stay ahead of vulnerabilities.
It almost felt like the quarter might end on a calm note, but then the world of cybersecurity never has a dull moment. The end of the quarter saw Spring4Shell, another zero-day vulnerability in the Spring Core module of Spring Framework. Learn more about Rapid7 response to this vulnerability and how we are working around the clock to help our customers protect their own environments from Spring4Shell.
The credentials to log into the assets on the network are one of the most critical inputs that can be provided to a vulnerability assessment. In order to capture and report on the full risk of an asset, the scan engine must be able to access the asset so that it can collect vital pieces of information, such as what software is installed and how the system is configured. For UNIX and UNIX-like systems, access to a target is primarily achieved through the Secure Shell Protocol (SSH). Thus, scan engines accessing these systems should have access to the appropriate SSH credentials.
However, this raises the question: What are appropriate SSH credentials? In order for a vulnerability or policy assessment to provide accurate and comprehensive results, the scan engine should ideally be able to gain root-level access to the systems being assessed. Understandably, many security teams are wary about providing the scan engine with root credentials to all of their systems. Instead, security teams prefer to provide a non-root set of credentials that are capable of elevating to become root. In this context, credential elevation means logging into a system with one set of credentials that has fewer privileges and then elevating that credential to gain root-level privileges. In this way, IT administrators can provide service users that can be monitored and easily disabled if necessary.
In the next section, we will look at the different ways that credentials can be elevated.
Elevation options
sudo
The sudo command enables users to run commands with the security privileges of another user, which by default happens to be the root user (superuser). The ability to use the sudo command to elevate to root is a privilege that is provided by the system administrator. The administrator explicitly grants users (or groups) permission to use the sudo command — this is typically done by modifying the /etc/sudoers file on Linux-based systems.
The benefit of having access to the sudo command means that a user does not need to know the root password in order to gain root-level privileges. However, the user attempting to elevate to root-level privileges via sudo may still need to authenticate themselves by providing their own password. This is different from the behaviour of the su command, which will be discussed later.
What this means in terms of configuring sudo elevation in the Security Console is that the Permission Elevation Password on the “Add Credentials” page must be set to the password of the user attempting to elevate to root.
su
Like the sudo command, the su command enables users to run commands with the security privileges of another user, the default being to run the commands as the root user (superuser). However, unlike the sudo command, the su command typically does not require a system administrator to provide explicit permission to use the command. Instead, users can use the su command to switch to any other user on the system but must provide the password of the target user. The implication of this is that in order to use the su command to elevate to root-level privileges, the user must authenticate by providing the root password.
What this means in terms of configuring su elevation in the Security Console, is that the Permission Elevation Password on the “Add Credentials” page must be set to the password of the root user.
sudo+su
If you have read the above sections on sudo and su, you may be asking yourself why you would need to combine the two commands. The answer comes down to a subtle but important difference between the two commands, namely the environmental context in which those commands are invoked. When using sudo to execute another command with root-level privileges, the command is run within the current user’s environment. This means that any environment-specific properties (for example, environment variables) are retained. When using su to execute another command with root-level privileges, su will invoke the default shell used by root and then run the command within that environment. This implies that any environment-specific properties loaded by default when logging into the root user will be set.
Given this explanation, combining the sudo and su commands provides a best of both worlds situation: It allows a user to elevate their privileges to root by providing their own user password, and it will execute the command within the context of the root environment (as opposed to the user’s environment). How does this work?
The first command executed is sudo, which will prompt the user to authenticate themselves by entering their own password. Then, the su command will be run. However, since it is running with root-level privileges, it won’t prompt for another password but instead will execute any commands within the context of the root environment. So to summarize, sudo+su allows for executing commands with root-level privileges within the context of root’s environment but without requiring knowledge of the root password.
What this means in terms of configuring sudo+su elevation in the Security Console, is that the Permission Elevation Password on the “Add Credentials” page must be set to the password of the user attempting to elevate to root.
Important note about sudo, su and sudo+su
The Permission Elevation User should be root. A common misconfiguration when configuring permission elevation is to set this value to the user’s username. This leads to the scan engine logging in as the initial user, then using permission elevation to attempt to elevate to the same user! The credential status will be reported as successful, but the scan results will not have the same accuracy of a correctly configured scan with root permissions.
pbrun
The pbrun command is a utility within the PowerBroker application provided by BeyondTrust. It works similarly to the sudo command in that it allows a user to elevate to root-level privileges without having to provide the root password.
Configuring privilege escalation with pbrun in the Security Console is fairly straightforward, as it does not require any additional passwords beyond the user’s password.
Cisco Enable / Privileged Exec
This option specifically allows a user to elevate to superuser-level privileges on certain Cisco devices using the enable command. Administrators of the Cisco devices will need to have configured an enable password to allow for privilege elevation.
What this means in terms of configuring Cisco Enable / Privileged Exec elevation in the Security Console, is that the Permission Elevation Password on the “Add Credentials” page must be set to the Cisco Enable password configured on the devices.
Perils of not elevating
Elevation is critical to accurately assess an asset for vulnerabilities and system configurations. There are several key pieces of information that can only be collected with root-level privileges. Improperly configuring credential elevation is one of the most common causes of inaccurate or incomplete assessment results. The following table outlines a few key operations and pieces of data that require root-level privileges. It is important to note that this is a non-exhaustive list operations and data requiring root-level privileges – an exhaustive list would quickly become outdated as new data collection techniques are constantly being added to the product.
Conclusion
When it comes to vulnerability management, retrieving accurate and comprehensive results is paramount to mitigating risks within your organization. The most accurate data is collected when the scan engine has root-level access to the systems it is scanning. However, not all organizations may be in a position to provide the root password to these systems.
In this case, a best practice is to provide the vulnerability management software with a service account that is capable of elevating its permissions to root. This allows system administrators to more easily manage who is capable of elevating to root and, if necessary, revoke access. However, there are several different ways that an account can elevate its permissions. Each method comes with subtle but important differences. Understanding those differences is critical to ensuring that elevation to the correct level of permissions occurs successfully.
When scanning an asset, one key piece of data that the InsightVM Scan Engine collects is the MAC address of the network interface used during the connection. The MAC address is one of several attributes used by the Security Console to perform asset correlation. As a result of the volatile nature of IP addresses, identifying assets using the MAC address can provide increased reliability when integrating scan results. In some cases, the MAC address can be used as a rudimentary means of fingerprinting an asset. Several manufacturers will use the same first 3 bytes when assigning a MAC address to a device (for example, several CISCO SYSTEMS, INC devices use 00000C as the MAC address prefix).
When performing an authenticated scan (a scan whereby the engine has the necessary credentials to authenticate to the target), collecting the MAC address is relatively straightforward, as all operating systems provide tooling to gather this information. However, collecting the MAC address with an unauthenticated scan (a scan where no credentials are provided) is less reliable. This is due to limitations of network protocols and modern network topologies.
Breaking down IP protocols
In order to understand these limitations, it is important to first understand the fundamentals of the IP protocol suite.
The IP protocol suite can be thought of in 4 layers:
The MAC address is part of the bottom layer called the Link Layer. The MAC address is used by the hardware when communicating with other devices on the same network equipment. Any devices communicating at the Link layer do so without the use of routers.
On the other hand, IP addresses are part of the Network layer. IP addresses are used to communicate with devices across different networks, traversing through routers.
MAC address discovery with unauthenticated scans
This leads to the limitation in unauthenticated scans. When performing an unauthenticated scan against assets that are accessed via a router, the scan engine is only able to communicate with that asset via the Network layer. The implications of this are that the MAC address is not included in the network packets received by the scan engine. This is not a limitation or defect of the scan engine, but rather a reality of the IP protocol suite and modern network infrastructure.
To work around these limitations in the IP protocol suite, the InsightVM scan engine uses several alternative methods to attempt to collect the MAC address of assets being scanned. In general, these alternative methods attempt to authenticate to an asset over various protocols using known default credentials. As a result of this capability in the scan engine, asset results from unauthenticated scans may include the MAC address despite being scanned over a router. However, it is important to note that the success rate is dependent on whether assets are configured to allow authentication using default credentials.
Note: SNMPv1 and SNMPv2 are more likely than most protocols to be configured with known default credentials.
Summary
The following tables outline the different methods that the scan engine will use to collect MAC addresses from targets, and whether or not authentication is required.
Windows
Method
Authenticated or unauthenticated scan
via SMB protocol
Authenticated
via WMI protocol
Authenticated
Scan Assistant
Authenticated
SNMPv1 or SNMPv2
Authenticated or unauthenticated
Note: Collecting the MAC address via SNMPv1 or SNMPv2 with an unauthenticated scan is only possible if the scan engine can authenticate using the default credentials for these protocols. However, it is not recommended that default credentials be left enabled as this poses a serious security risk.
Linux
Method
Authenticated or unauthenticated scan
Via SSH protocol
Authenticated
Via an insecure Telnet protocol
Authenticated
Note: Running an insecure Telnet server on an asset is a serious security risk and is not recommended.
SNMPv1 or SNMPv2
Authenticated or unauthenticated
Note: Collecting the MAC address via SNMPv1 or SNMPv2 with an unauthenticated scan is only possible if the scan engine can authenticate using the default credentials for these protocols. However, it is not recommended that default credentials be left enabled as this poses a serious security risk.
Over the years, the engineering team here at Rapid7 has partnered with dozens of security teams to identify pain points and develop solutions. The importance of collecting the MAC address for targets being scanned is well understood. As a result, the InsightVM Scan Engine has been designed to utilize a multi-pronged approach to collecting MAC addresses from assets.
Greetings, fellow security professionals. As we enter into the new year, we wanted to provide a recap of product releases and features on the vulnerability management (VM) front for Q4 2021.
Let’s start by talking about the elephant in the room. The end of last year was dominated by Log4Shell, the once-in-a-generation security vulnerability that impacted nearly every corner of the security industry and completely ruined every holiday party we were invited to. But as you will see below, in addition to providing you with strong Log4Shell coverage, our VM team has been hard at work on multitudes of other features and capabilities as well.
Chief among these are improvements to credential management aspects of scanning, in the form of Scan Assistant, and better Credential Status Reporting. Container scanning is also seeing improved integration of results, as well as enhanced checks leveraging Snyk. Last but not least, email distribution of reports will allow you to better communicate findings across the organization. In other words, Q4 was more than Log4Shell over here, and we’re excited to tell you about it.
(Note: Starting this edition, you will see up front a label of [InsightVM] vs [InsightVM & Nexpose] to clarify which product a new feature or capability pertains to)
[InsightVM & Nexpose] Log4j security content
When Log4j hit in early December, our VM teams went into high gear offering solutions and boosting ways InsightVM can identify vulnerable software. Here’s a recap of our current coverage:
Authenticated, generic JAR-based coverage for Windows, macOS, and Unix-like operating systems
Authenticated JAR-based checks for follow-on CVEs (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832)
[InsightVM] Log4j dashboard and Query Builder
We added a log4j Query Builder query to the Helpful Queries section of Query Builder and a new dashboard template (the Specific Vulnerability Dashboard) designed to allow customers to visualize the impact of a specific vulnerability or vulnerabilities to their environment.
We have a TON of additional Log4j resources here for you to check out:
A blog from our product manager Greg Wiseman that gives some great context on using InsightVM to detect Log4j
A customer resource hub on how various Rapid7 products help you defend against Log4j
[InsightVM & Nexpose] Additional vulnerability checks and content (non-Log4Shell)
Believe it or not, the world has seen other vulns beyond Log4j. As a team, we added nearly 4,000 vulnerability checks to InsightVM and Nexpose in Q4 and more than a few that warrant mentioning here.
Zoho’s ManageEngine portfolio was affected by critical unauthenticated remote code execution vulnerabilities in ServiceDesk Plus and Desktop Central
The open-source CI/CD solution GoCD was hit by CVE-2021-43287, allowing unauthenticated attackers to leak configuration information, including build secrets and encryption keys, with a single HTTP request
If you want to learn more about these and many other threats that materialized during Q4, check out our Emergent Threat Response blogs (you should check those out regularly, because we are constantly and consistently writing about new threats in near real-time).
[InsightVM & Nexpose] Introducing Scan Assistant
Credential management for Scan Engine can be a huge burden on vulnerability management teams, especially when you are managing tens of thousands of devices. That’s why we created Scan Assistant to help ease that burden.
Scan Assistant is a lightweight service that can be installed on each targeted scan. It allows you to scan targets without the need for credentials. When the Scan Engine scans a target with the Scan Assistant attached, it will automatically collect the information it needs to access the target without the need for additional scan credentials. In addition to enhanced security, Scan Assistant improves scan performance for vulnerability and policy scans, has a fully on-premise footprint, works with both InsightVM and Nexpose, and is completely idle until engaged by a scan. Scan Assistant has now GA’ed for Windows environment. We’ll have coverage for other OSes to follow in the future.
[InsightVM & Nexpose] NEW – Scan diagnostic checks for Credential Status Reporting
While we’re on the subject of credentials during scans, every so often the scan engine can return a partial or total credential failure that might leave you scratching your head. With this new feature, InsightVM and Nexpose offer scan diagnostic checks that allow you to have more granular visibility into credential success (or lack thereof). This will allow you to better troubleshoot authenticated scans that return results you did not expect.
Results are written as vulnerability checks, giving you the ability to use aspects of the platform’s functionality that you are already familiar with to assess where things went wrong.
We are always looking for ways to make your life easier, and these three new improvements to the InsightVM platform are designed to do just that. First, we enhanced the Container Image Scanner to record and post results to InsightVM rather than just to the developer’s local machine where the container lives. This allows the organization to better monitor the security of containers under development. Take a look for yourself — it’s in the Builds tab of the Contain Security Section.
We’ve also launched a fingerprinter for .Net NuGet and Ruby Gem Packages. This allows us to check for vulnerabilities in these software packages leveraging the Snyk integration. This brings our support for Snyk security content to include Java Maven, Node NPM (Javascript), Python PIP, and now .Net NuGet Ruby Gem packages.
Finally, we’re making it easier to share findings across your organization by allowing reports to be sent via email. The entire message includes a password-protected and encrypted pdf and recipients receive a password in a separate email to ensure the info remains secure.
Q4 was a trying time for everyone in the security sphere, and we know that our work on that front is far from done. We hope that some or all of these new InsightVM and Nexpose features make Q1 2022 and beyond a little easier, less stressful, and ultimately more secure. Stay strong!
There are many methods InsightVM can use to identify vulnerable software. Which method is best depends on the software and specific vulnerability in question, not to mention variability that comes into play with differing network topologies and Scan Engine deployment strategies. When it comes to a vulnerability like CVE-2021-44228, affecting a software library (Log4j) that is used to build other software products and may not expose its presence in an obvious way, the situation gets even more complicated. For in-depth analysis on the vulnerability and its attack surface area, see AttackerKB.
The intent of this post is to walk InsightVM and Nexpose users through how to best approach detecting exposure to Log4Shell in your environment, while providing some additional detail about how the various checks work under the hood. This post assumes you already have an operational deployment of InsightVM or Nexpose. For additional documentation on scanning for Log4j CVE-2021-44228, take a look at our docs here.
Before (or while) you scan
Even before a vulnerability check has been made available, it can be possible to get a sense of your exposure using InsightVM features such as Query Builder, or Nexpose’s Dynamic Asset Groups. Because we use generic fingerprinting techniques such as querying Linux package managers and enumerating software found in Windows Registry uninstaller keys, the software inventory for assets may include products that are not explicitly supported. Using the search predicate software.productCONTAINSlog4j will show packages on Linux systems that have been installed via package managers such as rpm or dpkg.
An alternative approach to this is using an SQL Query Export using the following query:
SELECT
da.sites AS "Site_Name",
da.ip_address AS "IP_Address",
da.mac_address AS "MAC_Address",
da.host_name AS "DNS_Hostname",
ds.vendor AS "Vendor",
ds.name AS "Software_Name",
ds.family AS "Software_Family",
ds.version AS "Software_Version",
ds.software_class AS "Software_Class"
FROM
dim_asset_software das
JOIN
dim_software ds USING(software_id)
JOIN
dim_asset da ON da.asset_id = das.asset_id
WHERE
ds.software_class like'%'
AND
ds.name ilike '%log4j%'
ORDER BY
ds.name ASC
Authenticated and agent-based assessments
The most reliable way to find vulnerable instances of CVE-2021-44228 on non-Windows machines as of December 13, 2021 is via our authenticated check (check ID: apache-log4j-core-cve-2021-44228), which does a complete filesystem search for JAR files matching log4j-core.*.jar. At this time, the unzip command must be available on systems in order to extract the version from the JAR’s manifest file. An upcoming release (expected December 15) will add the capability to extract the version information from the filename if available.
For the find command to run and locate vulnerable JARs, scans must be configured with root credentials (either directly or via a privilege elevation mechanism) in the Site Configuration interface. There is currently no generic JAR detection available on Windows systems.
This functionality requires product version 6.6.118 or later. For Agent-based assessments, assets must be running version 3.1.2.36 of the Insight Agent or later. Use the Agent Management interface to determine the version of the Agent being used in your environment.
Remote scanning
A remote (unauthenticated) check for CVE-2021-44228 was published in a content release on December 12 9pm ET with Check ID apache-log4j-core-cve-2021-44228-remote. This check is platform-independent (and currently the only option for Windows systems) and works as follows:
IF any of the following TCP ports are found open: 80, 443, 8080, 8888 — or, alternatively, if: Nmap service fingerprinting detects HTTP or HTTPS running (note that enabling Nmap service fingerprinting may negatively impact scan times)
THEN the Scan Engine will attempt to exploit the vulnerability and make the scan target open a connection to the Engine on port 13456.
The Engine does not open a TCP listener but does a packet capture to identify connection attempts against 13456/TCP. If a connection attempt to the Engine is detected, this indicates that the target is vulnerable, and the check will fire accordingly.
This approach relies on bi-directional networking and requires the scan engine and scan target to be able to “talk” to each other. In some cases, such as scanning through a VPN, NAT, or firewall, that required bi-directional networking is not available.
Note: We have received some reports of the remote check not being installed correctly when taking a content update. Product version 6.6.119 was released on December 13, 2021 at 6 PM EST to ensure the remote check is available and functional.
Product-based checks
We know that many downstream vendors will issue security advisories of their own in the coming days and weeks. We continue to monitor several vendors for related security advisories. We will have checks for affected products included in our recurring coverage list as vendors provide details about affected and/or fixed versions. Users can also adapt the Query Builder or SQL Export queries provided above to find products of concern in the meantime, with the caveat that they may not be visible if they use non-standard installation mechanisms.
Container security
Customers who are worried about vulnerable images in their container repos have been able to scan for CVE-2021-44228 using InsightVM’s Container Security since December 10 at 2pm ET, thanks to our integration with the Snyk vulnerability database. It is also possible to rerun an assessment on any images that are particularly sensitive to be sure of up-to-date results.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Rapid7 is investing heavily in the reporting and dashboard capabilities of InsightVM. In 2021 alone, we launched the ability to filter dashboards via single query, a new report creation wizard powered by our query builder, several use-case-driven dashboard templates, and most recently, the ability to distribute reports via email. This allows users to easily and quickly distribute reports to users who may not have access to InsightVM.
For example, let’s say Theresa is tasked with giving her manager a copy of our Patch Tuesday dashboard as a PDF at the end of every month. Previously, she had to go to the Reports Management page in InsightVM, download the PDF, create an email, and send this to her manager — who does not have an InsightVM account.
Now, she can either create this report via the query builder or edit the existing report, then check the checkbox labeled “Permit users who do not have access to console” under the “Shared with” section, and enter her manager’s email address. InsightVM will automatically send a link to an encrypted and password-protected PDF of the report and another email that contains the password.
This additional security feature was included because of the increased threat surrounding proprietary information. For example, say Theresa creates an Assets report that is delivered every Friday to a colleague, and that colleague accidentally forwards the email with the PDF link to an unattended party. While the recipient could download the PDF, they’re blocked from viewing the contents because they don’t have the password.
This is an example of our evolution to more powerful features in the SaaS version of InsightVM, and our intention here is to reduce the burden of reporting to various stakeholders so that they can get back to what they do best: securing their environments.
We are excited to bring this functionality to our users. Please read our help documents for more information.
Have you ever tried to figure out why a vulnerability or policy scan isn’t showing you the results you expect, even though you’ve provided credentials? If so, you’ll be pleased to hear that the November 3rd release of Nexpose and InsightVM (version 6.6.111) will introduce a new check category designed to help troubleshoot issues with credentialed scanning: Scan Diagnostics.
No more combing through scan logs to get answers! These checks will be disabled by default, but you can configure them to run by adjusting your scan templates. When enabled, Scan Diagnostics checks will report a “vulnerable” result against assets when the Scan Engine is supplied with credentials but unable to gather local information.
The challenge of finding the right fix
For complete and accurate coverage, the InsightVM Scan Engine requires local access to systems being scanned. Most Microsoft checks are based on values found in the Windows Registry. Checks for Linux distributions typically require access to the package manager, which is important for vulnerability correlation (cutting down on noise due to backported fixes).
This means that for many types of scans, you need to tell the engine how it should authenticate by configuring credentials. When things go smoothly, the engine will collect all the data it needs for vulnerability or policy assessments. But when results aren’t as expected, it can be challenging to understand what went wrong.
The way the Security Console currently indicates authentication status results is rather coarse-grained. Credential Success means it’s all good, but a Credential Failure (or the puzzling “Partial Credential Success”) can often leave a VM analyst scratching their head about how to fix things.
Bringing greater visibility to your scanning environment
Our new Scan Diagnostics checks provide more detailed visibility into where things fell apart. Because the results are written as vulnerability checks, you’ll be able to use a lot of familiar product functionality to work with them. They can be enabled or disabled via scan templates, and you can report on them like any other category. We’ll also be providing solution information to make it easier to resolve issues, and you can look at the proof the scanner provides to get additional context.
Another advantage of using check results for Scan Diagnostics is that they are built atop the expert system at the core of the scanner. This helps Scan Diagnostics target the most precise cause of an error and provide guidance accordingly. No more going through a laundry list of checkboxes to make sure your sites and assets are configured correctly.
Here is the initial set of Scan Diagnostics we’ll be releasing:
Error when connecting to DCOM Ports (required for WMI)
rapid7-diagnostics-wmi-permission-error
Permission error when connecting to the WMI Service
rapid7-diagnostics-wmi-read-access-errors
Access errors encountered in attempts to read over WMI
rapid7-diagnostics-wmi-unknown-error
Unknown error occurred trying to connect to the WMI Service
rapid7-diagnostics-winrm-authentication-error
Authentication error when connecting to the WMI Service
rapid7-diagnostics-winrm-listener-error
The WinRM listener on the target appears to be blocking the scan engine from connecting
rapid7-diagnostics-winrm-unknown-error
Unknown error occurred trying to connect to the WinRM Service
rapid7-diagnostics-winrm-unencrypted
The WinRM service is operating over an unencrypted protocol, potentially leaking valuable data
Note that these “vulnerabilities” carry the lowest possible severity and will not increase your risk score. However, they may increase overall vulnerability counts, so we’re leaving them turned off by default for now. If you do scan with them, you can adjust the scope of generated reports to exclude these results if you don’t want them to get passed through to remediation teams.
The existing status shown in the Authentication column of Scan Results and Node pages will remain the same for the time being, so that it is available regardless of whether this new Scan Diagnostics check type is enabled and won’t adjust anything on the corresponding dashboard card.
We’d love to hear any feedback on this new feature! Please reach out to your Customer Success Manager to let them know how it’s working out in your scans.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Password-based credentials are a ubiquitous part of our online lives, but they are prone to vulnerabilities. Combatting those vulnerabilities has been a major hurdle for security professionals, and it’s come at major cost for businesses. We are reinventing the credentialing process for our Network Scan Engine with the release of the Scan Assistant — a safer way to scan assets that limits the inherent drawbacks of credentials.
Passwords as a means of securing computer systems have been around for 60 years. Scholars believe MIT’s Compatible Time-Sharing System was the first to implement a password to allow different users to log in. Since then, passwords have become ubiquitous. Every operating system, website, and WiFi connection utilizes passwords as a means of restricting access.
Unfortunately, this has also proven to be fertile ground for attackers who wish to gain unauthorized access to data and computer systems. Due in part to the popularity — and potential weaknesses — of passwords, businesses have spent enormous amounts of time and money in building robust security programs in order to protect their intellectual property.
As a part of any good security program, companies regularly scan their networks to identify where they are vulnerable. One of the most uncomfortable nuances of network scans is that in order to fully assess a set of targets, the scanner must be able to authenticate to those targets. Providing the necessary credentials to the network scan engine comes with a number of challenges. These include:
Increased security risk: Storing credentials within an application immediately makes that application a potential vector for attack. If the application is compromised or misconfigured, an attacker could gain access to a comprehensive list of credentials, giving them the ability to compromise a customer’s network.
Credential management: Storing credentials within an application introduces additional operational challenges with managing those credentials. Anytime a credential changes on a target or set of targets, that credential will have to be updated within the application. This results in administrators having to manage the same set of credentials within multiple systems, which can be burdensome and error-prone. Using a centralized credential vault can help mitigate this challenge, but not all organizations are in a position to deploy such a service for every target within their environment.
Insufficient permissions: In order for a network scanner to accurately assess and report on the risk for a set of targets, the scanner needs to be capable of collecting sufficient information. Thus, the credentials supplied need to have a broad range of permissions associated with them — ideally, root or administrator-level — so the network scanner can perform a full collection of data. In practice, many organizations are either unaware of this requirement or hesitant to do so. This can result in collecting incomplete information, leading to reports that don’t fully convey the targets’ vulnerabilities.
Introducing the Scan Assistant
The Engineering team here at Rapid7 has spent a significant amount of time discussing, researching, and brainstorms solutions to the challenges with providing credentials for the purpose of performing network scans. The team decided that the ideal solution for our customers was to eliminate the need for credentials altogether. This led to the development of the Scan Assistant.
The Scan Assistant is a lightweight service that can be installed on each target you’re scanning. It’s designed to work specifically with the InsightVM and Nexpose Network Scan Engine so it can scan targets without the need to provide credentials. When the Network Scan Engine scans a target containing the Scan Assistant, it collects all the necessary information required to fully assess that target.
The Scan Assistant supports both vulnerability and policy scans performed by the Network Scan Engine. Providing coverage for both types of scans was a key requirement for the team. As a result, customers can quickly identify vulnerabilities and validate policies within their network without the operational burden of managing credentials or permissions. Customers will continue to get the exact same insights into their network while simultaneously reducing the risk of managing credentials within the product.
How it works
The Network Scan Engine and the Scan Assistant communicate over an encrypted channel by using a TLSv1.2 certificate. When the Scan Engine scans a target, there are specific pieces of information that it needs to collect from that target. The Scan Assistant has been designed to only provide the specific data that the Scan Engine needs in order to fully assess the target.
This implies that the Scan Assistant does not provide a means for arbitrarily accessing the filesystem. Furthermore, all commands sent from the Scan Engine to the Scan Assistant are signed, ensuring that only the Scan Engine with the correct signing key is capable of requesting data from a Scan Assistant.
Why it’s better than a credential
Administrative credentials provide the Scan Engine with more access than it needs and put you at risk if those credentials are compromised. The Scan Assistant provides the Scan Engine with only the access it needs, reducing risk.
Root credentials give the Scan Engine unrestricted access to run commands over OpenSSH, which can also introduce risk. It can be a challenge to restrict commands using sudo or similar tools. To solve this problem, the Scan Assistant requires commands to be signed by Rapid7. This reduces risk and transparently limits what the Scan Assistant is allowed to run.
Why it’s secure (in more technical terms)
The Scan Assistant is built on the transport layer security (TLS) protocol and only enables algorithms specified in the Commercial National Security Algorithm Suite (CNSA) by the National Security Agency (NSA). This includes support for Elliptic Curve Diffie-Hellman (ECDH) and Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-521 curve to establish trust with the Scan Engine, and 256-bit Advanced Encryption Standard (AES) to achieve data secrecy between the Scan Engine and Scan Assistant.
The Network Scan Engine and the Scan Assistant use TLSv1.2 with two-way certificate authentication (client-side authentication). However, the server does not verify the client. Each time the Scan Assistant starts, it generates a new certificate. This makes it impossible to track an asset by tracking the scan assistant certificate used on the HTTPS listener. That means there’s no way for the scan engine to verify the certificate from the scan assistant. So in effect, the mechanism is a reverse one-way authentication.
Insight Agent vs. Scan Assistant
At first glance, it may seem that the Insight Agent and the Scan Assistant serve the same purpose. They are both small, background services that get deployed across a fleet of targets for the purpose of vulnerability and policy assessment. However, this is where their similarity ends. The Insight Agent and the Scan Assistant are fundamentally different in terms of the use cases they satisfy.
The Insight Agent is appropriate for assets that have internet connectivity and are capable of periodically publishing data to the platform. For these types of assets, such as laptops and workstations, the Insight Agent is the preferred technology.
The Scan Assistant is intended for assets and environments for which internet connectivity is either unavailable or heavily restricted. This may include assets such as Domain Controllers or database servers. Any device that is effectively air-gapped from the outside world would not be able to use the Insight Agent. These devices must be scanned using the Network Scan Engine in order to assess them for vulnerabilities. In this scenario, the Scan Assistant can help improve the performance of those scans without having to store credentials within the product.
Ultimately, you can deploy both the Insight Agent and the Scan Assistant to different parts of your network in order to provide a fast, secure, and comprehensive vulnerability assessment.
Feature
Insight Agent
Scan Assistant
Collection Type
Active – collects data periodically and publishes to the platform
Passive – only collects data when requested by a scan engine
Data Collected
Collects all data necessary in order to perform an assessment
Only collects the data requested by the scan engine
Platform connected?
Yes
No
Idle footprint
When not collecting data, periodically beacons health status to the platform
Contains an HTTPS listener waiting for incoming connections, otherwise does not perform any activity
Breakdown of the differences between the Insight Agent and the Scan Assistant
Performance improvement analysis
Preliminary performance analysis has shown promising improvements when performing scans with the Scan Assistant installed. Vulnerability scans have completed faster, and the total scan time has been more consistent than scans that rely on retrieving data via SMB or WMI.
Furthermore, scan times for policy-based scans have shown significant improvement, particularly against servers with a large number of users and groups (such as Domain Controllers). The following chart compares scan times for policy-based scans performed against different types of servers. The team plans to continue to collect and analyze the performance of the Scan Assistant and will share this analysis in a future article.
Scan duration comparison between the Scan Assistant and SMB.It’s important to note that the timescale is logarithmic, so for most cases, the Scan Assistant provides orders of magnitude better performance than the SMB protocol.
What’s next
Here are some of the major items we plan to work on next.
Add support for additional operating systems, including Linux, Unix, and macOS
Support the ability to perform DISA-based policy scans
Update the Security Console to support managing certificates on the scan engines
If you have any suggestions for features you would like to see, please speak with your Customer Success Manager.
Downloading the Scan Assistant
The Scan Assistant is currently in early access and is only available for Windows operating systems. If you are interested in the Scan Assistant and would like to deploy it in your environment, reach out to your Customer Success Manager to request access.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
In today’s post, we’re giving a rundown of new features and functionality launched in Q3 2021 for InsightVM and the Insight Platform. We hope you can begin to leverage these changes to drive success across your organization.
Apple Silicon support on the Insight Agent
We’re excited to announce that the Insight Agent now natively supports Apple Silicon chips!
Apple announced the first generation Apple Silicon chip — the M1 processor — in November 2020. This chip is the new standard on all MacBooks starting with the 2020 releases, and Apple plans to transition completely to Apple Silicon chips over the next two years.
The new Mac installer specifically designed for the Apple Silicon can be accessed right from Agent Management in the platform, in the download section. Learn more in our Apple Silicon Agent Support blog post.
Asset and Vulnerability Details reports
This new feature allows you to easily communicate details of your assets and vulnerabilities with stakeholders in a PDF format. Simply click the Export to PDF button on the Vulnerability Details page, and you’ll have a PDF ready to share!
This is particularly useful if you’re attempting to collaborate while remediating a specific vulnerability. We’ll use a hypothetical security engineer named Jane to illustrate this.
Jane recently read about a new ransomware strain that leverages a specific vulnerability as part of an attack chain that seems to be targeting the industry of her organization. She opens the query builder in InsightVM, constructs a search query to identify the vulnerability by CVE, and discovers several instances. She wants to mention this during her morning all-hands sync so she can recruit other team members to her effort. She exports the vulnerability details page to a PDF, which allows her to share this out and provide more details to interested team members, who then can help her remediate this vulnerability much more quickly.
Moreover, while undertaking this effort, another team member — Bill — finds an asset that seems to be a complete tragedy in terms of patching and vulnerability prevalence. He creates the Asset Details report and shares this in an e-mail to his team, stating that this asset seems to be missing their organization’s patch cycle. He also suggests that they look for more of these types of assets because he knows that when there is one offender, there are often many.
Snyk integration for reporting vulnerabilities
Container Security assessments will now report Ruby vulnerabilities through an integration with the Snyk vulnerability database. This adds RubyGems packages to our Snyk-based coverage, which currently includes vulnerability detections for Java, JavaScript, and Python libraries. This integration is particularly helpful for organizations that perform scanning of Container Images at rest, in both public and private registries.
Emergent threat coverage recap
Q3 2021 was another busy quarter for high-priority cybersecurity threats. As part of our emergent threat response process, Rapid7’s VRM research and engineering teams released vulnerability checks and in-depth technical analysis to help InsightVM customers understand the risk of exploitation and assess their exposure to critical security threats. In July, CVE-2021-34527, dubbed “PrintNightmare” presented remediation challenges for many organizations amid active exploitation of the Windows Print Spooler service. In August, the ProxyShell exploit chain put on-premises instances of Microsoft Exchange Server at risk for remote code execution. More recently, widespread attacks took advantage of CVE-2021-26084, a critical flaw in Confluence Server & Confluence Data Center, to deploy cryptominers, exfiltrate data, and obtain initial access for ransomware operations.
As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in vulnerability management at Rapid7.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
The world is changing rapidly. We hear that phrase a lot. Throughout Q2 though, it really is true. Vaccines have been rolling out, to varying success depending on the part of the world, but there is optimism.
As Rapid7 offices begin to open up to our hard-working team members around the globe, we want to infuse some of that optimism into the latest and greatest new features and updates now available to InsightVM customers. The back half of the year will no doubt bring new threats (will ransomware attacks keep going bigger?), so let’s dive into what’s new so you can prepare and prosper.
Honorable mention
In our Q1 recap, we covered 2 releases that can each have significant positive impact on your operations, so they bear repeating here.
Kubernetes integration
Now available in InsightVM, you can now navigate directly to the new Kubernetes tab to initiate the Kubernetes monitor in DockerHub. Then, deploy it to your clusters to see data in Container VRM within InsightVM. You can also see monitor health and connection details via the Data Collection Management page.
Scoped Executive Summary Report
The Executive Summary Report in InsightVM has expanded its functionality so users can filter the report for at-a-glance views of priority items. Shape the report to access key metrics and communicate progress to desired goals and outcomes.
Dashboards, consoles, and panels, oh my!
The new releases and updates for the second quarter of 2021 were aimed at quick-look features that bolster our goal of providing customers with evolving ease-of-use functionalities and products that increasingly focus on at-a-glance convenience.
What’s new: Dialing up dashboard performance
Featuring new cards as well as new ways to filter cards, these features solve 3 distinct issues:
Gaining insights into Microsoft’s vulnerability patch cycle
Rapid7’s Patch Tuesday dashboard template now provides an easy way to stay up to date on information associated with deployment of new Microsoft patches and cycles. Why search around for news or insights when you can get them in the one-stop-shop where your team already receives updates and kicks off remediation efforts on the latest vulnerabilities?
Featuring new cards detailing the assets affected as well as trends, assessments, and biggest risks, you can now learn about and prioritize remediation efforts on all Microsoft vulnerabilities within this expanded InsightVM dashboard.
Hunting down fine-grained vulnerability-and-remediation details
New card #1: New vs remediated vulnerability comparison over time
Displays trends in remediated vulnerability findings for date ranges you specify.
New card #2: Average days to remediate by severity
Compares the average number of days needed to remediate a specific vulnerability against all vulnerabilities remediated for a week you specify.
New card #3: Number of unique vulnerabilities
Expandable table shows the number of all unique vulnerabilities in the Rapid7 database for which InsightVM has checks as well as the number of all unique vulnerabilities in the user’s environment.
New card #4: Asset type
Bar chart displays device type for assets in the scope you filter. Each bar shows the quantity of a group of os.type, sorted from left to right.
Filtering every card in a dashboard to focus the view on a group of assets or issues
If this were about finding the best way to navigate your way past a big city, we would say this new feature is the loop that takes you around the traffic vs taking the surface streets that often put you in the traffic.
You can now quickly filter all of your cards by applying a single query to your dashboard. Gone are the days of manually filtering each and every card just to focus your view on a group of assets or vulnerabilities. Long story short: You save more time by quickly filtering to your desired view.
What’s improved: Shortcuts to what you need
To continue the traffic analogy, getting somewhere faster than you’re used to is always a great thing. The latest InsightVM improvements help you do just that by addressing 3 issues:
Manually loading custom vulnerability checks
Now you can simply deploy a check, load it into the Security Console, then the console does the rest. Just load the check, start the scan, and the console will automatically push that check to whichever Scan Engine(s) you specify.
More context needed
Peek. Panel. Proof. What that actually means is InsightVM now offers at-a-glance context about a specific vulnerability via a “peek panel.” When a user clicks on an affected asset from the vulnerability details page, the panel opens to the right and displays the proof details.
Gaining results visibility
Teams assessing container image builds in their CI/CD pipeline can now see results in the InsightVM Container Security feature Builds tab.
We hope you have a successful quarter and a great season, wherever your business takes you. Until next time…
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
On March 2, 2021, the Microsoft Threat Intelligence Center (MSTIC) released details on an active state-sponsored threat campaign exploiting four zero-day vulnerabilities in on-premises instances of Microsoft Exchange Server. MSTIC attributes this campaign to HAFNIUM, a group “assessed to be state-sponsored and operating out of China.”
Rapid7 detection and response teams have also observed increased threat activity against Microsoft Exchange Server since Feb. 27, 2021, and can confirm ongoing mass exploitation of vulnerable Exchange instances. Microsoft Exchange customers should apply the latest updates on an emergency basis and take immediate steps to harden their Exchange instances. We strongly recommend that organizations monitor closely for suspicious activity and indicators of compromise (IOCs) stemming from this campaign. Rapid7 has a comprehensive list of IOCs available here.
The actively exploited zero-day vulnerabilities disclosed in the MSTIC announcement as part of the HAFNIUM-attributed threat campaign are:
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gives an attacker the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If an attacker could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. An attacker who can authenticate with the Exchange server can use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
Also included in the out-of-band update were three additional remote code execution vulnerabilities in Microsoft Exchange. These additional vulnerabilities are not known to be part of the HAFNIUM-attributed threat campaign but should be remediated with the same urgency nonetheless:
Microsoft has released out-of-band patches for all seven vulnerabilities as of March 2, 2021. Security updates are available for the following specific versions of Exchange:
Exchange Server 2010 (for Service Pack 3—this is a Defense in Depth update)
Exchange Server 2013 (CU 23)
Exchange Server 2016 (CU 19, CU 18)
Exchange Server 2019 (CU 8, CU 7)
Exchange Online is not affected.
For Rapid7 customers
InsightVM and Nexpose customers can assess their exposure to these vulnerabilities with authenticated vulnerability checks. Customers will need to perform a console restart after consuming the content update in order to scan for these vulnerabilities.
InsightIDR will generate an alert if suspicious activity is detected in your environment. The Insight Agent must be installed on Exchange Servers to detect the attacker behaviors observed as part of this attack. If you have not already done so, install the Insight Agent on your Exchange Servers.
Building security into your overall vulnerability risk management (VRM) strategy is a must-do in the age of the all-important web app. Between security and IT-Ops teams, there are a number of steps in the VRM process, including asset identification, enumeration, prioritization, and remediation. How does application security fit in?
Co-sponsored by Forrester, a recent Rapid7 webcast expounds upon the topics discussed in this blog post. The distinguished subject-matter experts and presenters also dive deep into the nitty gritty of what it takes to get a better night’s sleep by creating a VRM strategy that extends to the application layer. Watch the webcast here, and read on for our recap below!
Web applications and APIs are assets, too
Applications are one of the most common ways attackers are getting in. In a recent survey, Forrester found that 31% of firms suffered a breach as a result of an external attack, with applications serving as one of the most common attack vectors. Along with all other assets in a VRM program, web apps must be prioritized as assets that need to be covered.
Knowing this, security leaders have started to think harder about application security. But just because it’s a top priority, does that mean it’s the company’s? Bringing stakeholders into the process early is key, because getting that application layer covered affects the entire organization. The more buy-in and support from everyone who has a stake in getting secure products to customers, the more value everyone gets from a comprehensive VRM investment.
Building security in
Buy-in comes from building in. Static Application Security Testing (SAST) is a process that can find flaws early in the life cycle of applications, providing guidance to dev teams so they can find and fix issues early in the process. Adopting SAST in the development phase means making it easier for developers to remediate as they’re coding.
Further, Software Composition Analysis (SCA) tools can help analyze the open-source libraries and third-party components that go into creating a large portion of today’s applications. A modern VRM program also needs to consider these components as assets to cover. Building these processes and tools into the Software Development Lifecycle (SDLC) will help dev teams experience fewer security flaws, get real-time education, and eventually find the ability to scale quickly.
However, as development approaches change, more and more organizations are struggling to identify and secure the sheer number of APIs built into their applications. Security teams might understandably be rushing to keep up with:
Identifying and cataloging APIs and endpoints
Assuring and managing API user identities
Meeting regulatory and compliance requirements
How can security pros start thinking about baking those processes in earlier?
Understanding API security
There is no single tool for API security. A holistic approach includes identifying what sorts of APIs are out there, assessing them for organizational fit, and scanning and testing them for vulnerabilities. It also includes managing them throughout deployment and production. Does the traffic match how you expect the API to behave?
Looking at API security from the client to the backend is also key. Not only does your existing application tooling need to be inclusive of API behavior, but additional tooling may be of great insight when looking at API-specific issues like managing authentication and authorization. Remember, new development methodologies will requite new security patterns.
Zoom out: What are you looking to accomplish?
When it comes to rethinking or building a sound VRM strategy, performing foundational work up front will help get organizational buy-in faster. It’ll take time to inventory everything that’s sitting at the edge, from web applications to APIs to third-party vendors. Recognizing that a significant shift will take time and being transparent about this with stakeholders can only help streamline the process. So, why invest the time?
As more people than ever before shift to a work-from-home environment, organizations may not feel as safe as they once did having corporate information residing on endpoints scattered around the city and, indeed, the world. Following along naturally to this issue is increased questioning and anxiety from cyber-insurers and auditors, particularly as it concerns things like an organization’s supply chain and partners. Much like the recent SolarWinds incident, an attack on one organization can quickly escalate into a threat against its partners.
If you’re part of an organization beginning to engage more with your existing supply chain or validations, it’s important to remember that you are also part of their chain. So, it can be a reciprocal nature of checks and scrutiny as more partners come online. In this entire ecosystem, a good rule of thumb is to remember that exploitation has a real cost—whether the attacker’s intent is simply to disseminate sensitive data or there’s a ransom scenario afoot. Defining security frameworks and testing them against overall goals can help translate processes down into each project as well as speed up validation with a potential partner.
Extend, extend, extend
When it comes to rethinking or building a sound VRM strategy, extending that foundational security work to your web applications at the edge is a modern best practice that can yield many benefits—whether it’s protecting against someone probing for their own nefarious purposes or looking to sell that information down the line. It can also start to create an ingrained culture of taking proactive and protective steps to secure applications and the tools on which they’re built.
A growing remote-work culture demands a graduation in the approach to security. It’s time to test, monitor, secure, and extend to the application layer.
A modern methodology for vulnerability management (VM) is vital for organizations looking to minimize attack surfaces by prioritizing potential threats. This includes identifying, evaluating, treating, and reporting on security risks across key systems and the software that runs on them. An example of this full-stack approach includes broader coverage of on-premises and virtual environments, inclusive of web-application testing, and leveraging best-in-class practices and tools.
A good place to start is establishing an asset management solution. Gaining a full understanding of the vulnerabilities associated with each asset across the network is key to informing stakeholders, prioritizing vulnerabilities, and remediating issues. Due to the persisting COVID-19 pandemic, these assets are increasingly part of a growing remote workforce continuously expanding every organization’s attack surface. As assets are no longer regularly connecting to corporate networks, traditional vulnerability scans aren’t possible.
This has paved the way for agents to plug that particular vulnerability. For instance, Rapid7’s Insight Agent is lightweight data-collection software you can install on any cloud-based asset. Let’s take a more in-depth look at modern vulnerability risk management (VRM) and what to look for in a holistic solution.
The need for speed
The COVID-19 pandemic has accelerated the evolution of security and protections for an unplanned, exponential growth in the global remote workforce. This means a faster digital transformation for every industry and organization. It means a faster pace of spinning up and scaling new apps. And it means quickening cloud adoption as IT teams scramble for accessible and reliable places to host mission-critical services. So how do we go about securing every layer in this new era of VRM?
Prioritizing vulnerabilities is more important than ever. Limited time and an ever-changing threat landscape make it unrealistic for teams to try and fix everything. Scrambling to do so could mean critical threats escaping through the cracks.
Developing strong partnerships has new meaning because, most likely, those partnerships will be virtual for the foreseeable future. Thus extra attention must be paid to maintaining them so there are more reliable eyes monitoring for vulnerabilities and ready to jump into action if a threat arises.
Incorporating a full-stack approach means testing traditional and cloud infrastructure, and extends to the applications those environments host. Teams must move carefully, but also expediently when leveraging scan engines and agents to remotely monitor servers.
With the acceleration of seemingly all security processes, it’s also important to remember to take stock of what’s working and what’s not. No matter how many fancy features, a solution is only worth the investment if it meets your organization’s unique needs and drives eventual ROI.
About that application layer
Gaining real-time understanding of an attack on your web apps provides actionable intelligence for quick remediation while providing an opportunity for a team teaching moment for the next time it happens. InsightAppSec and tCell from Rapid7 is a test-monitor-prevent solution that focuses on neutralizing vulnerabilities at the application layer.
With guided remediation into web app flaws, you can begin building a road map for making more secure applications. You’ll start by scanning your applications in as few as five minutes so you can get visibility into the weaknesses that exist in your applications. From there, you’ll be able to view severity and remediation guidance, and share with key stakeholders to allow you to collaborate faster and scale easier. Scan on- and off-premises apps with InsightAppSec’s powerful cloud engines, accessing all of your internal and external scan configurations from a central console.
The ability to monitor more apps in more environments will be key for the future of your business, and is an extra layer of protection for vulnerabilities you can’t remediate in time. Finding solutions that include functionality to help your remediation stakeholders understand the context of the associated vulnerabilities (Attack Replay, granular remediation guidance, etc.) will allow you to partner more effectively.
An increased reliance on direct-to-cloud app deployment is a natural evolution. Benefits like higher baseline security, automated hardening, and increased flexibility are attractive. But all of that demands more time and more vigilance.
But what about the infrastructure? (People and machines)
Consider this: It’s not just about remediation, it’s also how you navigate the red tape. Grasping a more complete picture of how vulnerabilities translate to business risk is key not only for communicating those risks to higher-ups, but also maintaining and growing things like team headcount. After all, you have to have people to solve the problems. InsightVM, Rapid7’s vulnerability management solution, can help you understand and prioritize risk, with clarity.
Assume everything along your attack surface is being targeted by threat actors. These days, the reports of malicious events are coming more frequently. But covering local, remote, cloud, containerized, and virtual infrastructure is possible with InsightVM. It’s not a guaranteed catch-all solution, but it does provide the shared view and common language that can bring together traditionally siloed teams. It also paves the way for collaboration and accountability between those teams, making it easier for remediators to drive impact, celebrate progress, and improve ROI.
With more fully supported integrations than any other VM vendor as well as the ability to automate virtually any aspect of vulnerability scanning with RESTful API, it’s now possible to get a near-complete story of the security of your infrastructure and how it affects business.
A fortified foundation
Together, InsightVM and InsightAppSec can be complementary solutions to security organizations looking to tailor or refine any on-premises, off-premises, or hybrid VRM program.
Comprehensive visibility at the infrastructure layer empowers you to leverage people more efficiently.
Click-and-scan security testing at the application layer enables rapid return of actionable results … and peace of mind.
Robust reporting capabilities featured in both solutions make it easy to measure progress and report it to key stakeholders.
A single pane of glass is the best way to see real-time processes at work as well as the overall security status of your world.
A full-stack approach can help you secure every layer of your attack surface. Then someday, perhaps we won’t call it an “attack” surface anymore.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Organizations are in a constant struggle to identify and reduce risks in their constantly changing environments. These changes may manifest by several means and can be recurring events.
For example:
Laptops and other devices are commissioned or decommissioned due to changes in the workforce.
Your security tool discovers that assets in your environment contain several vulnerabilities recently discovered by researchers.
New software or services are deployed to your organization that introduce new risk via new vulnerabilities.
Your IT team deployed a round of patches to local assets, which significantly decreased the number of vulnerabilities in your environment.
The obvious challenge here is that these changes create moving targets and security teams need to quickly identify, prioritize and remediate risk as it’s introduced. We developed our Significant Changes in the Last 30 Days dashboard in InsightVM in order to provide a lens through which we can highlight the differences in your environment from the past 30 days to present day, as well as the ability to pivot the findings into a Remediation Project directly from the dashboard.
Users may easily create this dashboard by selecting the template titled “Significant Changes in the Last 30 days.” This action will create a local copy of the dashboard for you and save three new asset queries in your query library. These queries are:
Assets Discovered in the Last 30 Days,
Critical Vulnerabilities Discovered in the Last 30 Days
Vulnerabilities Discovered in the Last 30 Days
These queries all filter the cards on the dashboard, and we’ve added the ability to view the queries applied to this Dashboard, which will allow you to further focus the finding on the dashboard.
Users are completely able to add and remove cards as they wish. However, the following cards are included in the template:
Total Asset Trends
This card shows the total number of assets in your environment, as well as the total number of new assets in the past 30 days and the total percentage of increase.
Number of Critical Vulnerabilities Found in the Last 30 Days
These are the total number of vulnerabilities with a severity of “critical” found within the last 30 days of the current date.
Number of Exploitable Critical Vulnerabilities Found in the Last 30 Days
This card shows all vulnerabilities with a severity of critical and known exploits. These provide a powerful view into vulnerabilities attackers could easily exploit.
New vs. Remediated Vulnerabilities
This card shows the number and percentage of new, remediated, and unchanged vulnerability findings. This is powerful in showing which vulns in your environment have been addressed, which are new, and which have remained static.
Assets by Risk and Vulnerabilities Found in the Last 30 Days
This visualization helps you identify the riskiest assets in your environment based on the number of vulnerabilities and the associated risk score. The size of the bubbles indicates how many assets exist for a given vulnerability count and risk score range.
Vulnerabilities by CVSS Score
This card shows the vulnerabilities found in your environment in the past 30 days grouped by CVSS score range (e.g., CVSS 7.0–10).
Newly Discovered Vulnerabilities by Total Risk Score
This card allows users to leverage our Real Risk score in order to identify and prioritize vulnerabilities discovered in the past 30 days.
Assets With Actively Targeted Vulnerabilities
This card is intended to enable users to identify vulnerabilities that are actively being targeted in the wild, and therefore presenting a great degree of risk.
Assets by Number of Running Containers
This card is intended to identify risk exposure by showing container hosts and the total number of containers running on these.
Top Riskiest Assets
This card lists the riskiest assets discovered in the past 30 days, allowing teams to prioritize remediations that will help reduce risk quickly.
Most Common Software
This card shows the software most commonly used in their environment, allowing teams to prioritize their efforts at those items with the greatest surface area.
Most Common Services
This card shows the services most commonly deployed in their environment, giving them insight into what could be of the most importance.
New Vulnerability Findings
This card shows the total number of vulnerability findings discovered in the past 30 days, and expanding this view shows a list of these. This allows teams to identify recent vulnerabilities and prioritize those accordingly.
Remediated Vulnerability Findings
Finally, some positive news. This card demonstrates remediated vulnerabilities in the past 30 days, and this allows teams to demonstrate their progress on a monthly basis.
Per usual, users are able to arrange cards per their desires as well as share these with team members. We think this dashboard has the potential to provide deep visibility into changes in their environments and we hope this will help drive customers to a safer state.
Not an InsightVM customer? Watch this on-demand demo to see our vulnerability risk management solution in action.
InsightVM and Nexpose customers can now harness the power of the Metasploit community to assess their exposure to the latest threats. The Feb. 3 release of InsightVM and Nexpose (version 6.6.63) includes a beta version of the Metasploit Remote Check Service, bringing Metasploit check method capabilities to Linux-based Scan Engines to enhance their remote vulnerability coverage capabilities.
The Metasploit community is well-known and highly regarded within the security space for being a community of experts. With this feature, Rapid7 is bringing this expertise to Linux Scan Engines.
Many vulnerabilities that can be exploited by Metasploit are low-hanging fruit for hackers and script kiddies. With the Metasploit Remote Check Service, your Scan Engines will be more capable of identifying these.
You don’t have to worry about Metasploit running potentially harmful exploits against your endpoints; the Scan Engine will only ask it to perform safe checks. There is no ability to deliver offensive payloads.
How to enable the Metasploit Remote Check Service
Getting started with the Metasploit Remote Check Service is easy—simply run a console command once, and it leverages existing scan engines already deployed in your environment. For information on how to enable this beta feature, please see the product documentation
Windows Engine Support
Due to limited support of Metasploit on Windows, in this initial beta release we have focused on adding support for Linux Scan Engines only.
If you are only using Windows engines but you would like to try the Metasploit Remote Check Service feature, you may wish to try using the Scan Engine container image.
Initial Metasploit Remote Check Service content
As part of the initial beta program, we’ve focused on adding remote checks that improve visibility into misconfigured developer environments and services. Many of these are not covered by traditional VM tools, despite representing significant value to attackers.
We’re including the following new vulnerability checks, which make use of the new Metasploit Remote Check Service to remotely assess assets:
rConfig Install Command Execution – Identify exposed rConfig endpoints that allow attackers to remotely execute system commands via an HTTP GET request.
Redis Replication Command Execution – Identify exposed redis endpoints that provide remote execution access to attackers via the service’s extension functionality.
We’d love to hear your feedback
Based on the success of this beta feature, more content will follow. If you have any feedback regarding this feature, please contact your Customer Success Manager or our Support team.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Web applications have been growing in complexity over the past several years, while also becoming the preferred method for attackers looking to capitalize on emergent technologies. This is a trend that will only persist and evolve, so it’s crucial to extend your web application testing strategy to your development team’s practices and languages. We’ll say it simply: Managing your overall risk must extend to weaknesses in your web apps and APIs. This webcast will be offered live on two dates—please register by choosing the region closest to you:
Exploitation can happen anywhere across your attack surface, so it’s critical that your vulnerability risk management (VRM) program provides enhanced visibility into web apps as well as traditional on-premises and cloud infrastructure.
Join Forrester’s principal analyst for security and risk professionals, Sandy Carielli, and Hypertherm’s information-security manager, James Thompson, for our Feb. 11 webcast as they discuss:
Best practices and common challenges for a sound VRM strategy
Their thoughts on extending a holistic VRM approach to the application layer
How James uses both InsightVM and InsightAppSec to secure every layer of the modern environment
Why it’s so important to have mitigating controls in place for possible exploitation
And, if your team is considering an expanded presence in the cloud, your solution needs to eliminate as many blind spots across your environment as possible. Start gaining deeper visibility into potential real-time attacks and minimize their ability to create chaos in your world.
We hope to see you there!
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
Here at Rapid7, we’re pretty proud of the work that goes into keeping InsightVM a leader in the vulnerability risk management space. We’re constantly investing in and improving InsightVM capabilities so our customers have no trouble seeing and proving value. That said, here’s our roundup of the new and improved features we’ve updated in Q4.
[NEW] Fewer false alarms and faster reporting with InsightVM’s new false positive investigation tool
You can now investigate vulnerability findings as potential false positives directly from your Security Console. If your investigation determines that the finding could indeed be a false positive, you can send the results to Rapid7 for analysis with just one click. For more details, see our help documentation and blog post.
[NEW] Improvements made to the Goals and SLAs wizard
We’re excited to announce that creating a goal or SLA in InsightVM just became a lot simpler. Instead of following a four-step process, we’ve gotten it down to three: use, sort, and define your data, establish the conditions you want to meet, and save your goal using our three-step wizard. This new context-sensitive workflow allows you to create meaningful goals faster and with fewer steps. For more details, see our help documentation and blog post.
[NEW] Creation of Insight Platform accounts for non-admin users
The Rapid7 Insight platform provides data collection, visibility, analytics, and automation to establish a shared point of view between security, IT operations, and DevOps teams. Insight platform accounts are now available for non-admin users of InsightVM. This allows access to InsightVM through insight.rapid7.com. To complete the activation process, check out our help documentation. At the conclusion of this activation process, your Insight account will be used to authenticate your access to InsightVM’s cloud capabilities.
[IMPROVED] More dashboard controls for admins
Administrators now have full visibility on all user-created dashboards in their organization and can delete them if necessary. Simply navigate to the Dashboard Library to see a list of InsightVM dashboards created by other users. The ability for Admins to now delete user-created dashboards eases the pain of managing dashboards across the organization. This is especially beneficial for if an employee leaves – you’ll now have an easy way to manage/remove orphaned dashboards. For more information on managing dashboards in InsightVM, see our help documentation.
[NEW] New Snyk vulnerability content for container assessment
We know many development teams these days are taking advantage of containerized software applications that may contain all of the necessary code, runtime, system tools, and libraries needed to run an application. Despite the benefits of efficiency from a development standpoint, containers may present risks that are often difficult for security teams to identify. This can be attributed to multiple factors, including how fast things change in containerized environments and the types of packages found within these environments.
InsightVM now integrates with Snyk, a leading provider of software composition analysis (SCA) in containerized applications. Snyk provides deep visibility into Open Source Software (OSS) vulnerabilities. With this new integration, InsightVM can consume Java vulnerability content from Snyk Intel Vulnerability DB. No customer action is needed to leverage this integration. Behind the scenes, InsightVM is consuming content from Snyk, building vulnerability checks around this content, and delivering it as checks within the Container Security feature in InsightVM. For more details, see our blog post.
[NEW] Scope and schedule reports with the new report creation wizard
We’ve made it easier to collect, analyze, and report InsightVM data all in one place. Using our Report Creation Wizard powered by Query Builder, you can create customized reports and opt to run recurring reports on a schedule. You can share directly with stakeholders to help you communicate about your work and gain insight into your organization’s vulnerability management program. For more information, see our help documentation.
[NEW] Audit logging for Custom Policy Builder
As organizations continue to harden their policies through customizations, it becomes extremely important to keep track of all these changes, because these customizations may significantly impact an organization’s overall compliance. You can now configure Custom Policy Builder to send audit logs that capture every policy update implemented by your users. These audit logs record which changes were made to a policy, when those changes were applied, and who was responsible for them. Use this new functionality to allow another user or an auditor to view the change history of any policy when needed. For more details, see our help documentation and blog post.
Not an InsightVM customer? Watch a demo of our award-winning vulnerability management solution.
When it comes to offloading security controls to the cloud, it may seem counterintuitive to the notion of “securing” things. But, when we consider the efficiency to be gained by shifting right with some security controls, it makes sense to send more granular, ground-up responsibilities to a trusted managed services cloud partner. This could help to increase development-and-deployment velocity, without compromising the integrity of your bespoke process.
Building a true DevSecOps ecosystem is probably a common goal for most teams. However, uncommonality most often enters the picture in the forms of both technical and organizational roadblocks. Let’s take a look at some key insights from a 2020 SANS Institute survey on current industry efforts to more closely integrate DevOps and SecOps—and how you can plot your best path forward.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
In more traditional environments, security teams often feel they’ve been left behind by the pace of DevOps. Vulnerabilities are introduced faster than SecOps can likely find them. The shift is with teams that are building continuous delivery frameworks, with compliance checks at every stage of the game. It becomes a matter of defending the environment as it’s being built.
Currently, about 74% of organizations are deploying changes more than once per month, according to SANS. Often, these are weekly or daily instances. So, velocity is increasing, primarily out of a need to get customers what they need, faster. Traditional change approvals and security controls are becoming more guardrail-style checks. The challenge, however, lies in optimizing the process and keeping it as secure as possible.
Increasing cloud adoption
From a security perspective, transitioning to a cloud provider’s responsibility model can better match the pace of DevOps and increase delivery speed. When both of these velocities are increasing, albeit responsibly, that’s better for business.
Cloud-hosted VM platforms allow teams to spin up processes more quickly compared to a traditional setup.
Adoption is accelerating for cloud-hosted container services and serverless platforms because providers are doing more provisioning, patching, and upgrading for many existing execution environments.
More organizations are running on cloud-hosted VMs versus container services and serverless platforms, but that could change because the latter two options allow you to further reduce your responsibility model.
Multi-cloud motivations
About 92% of organizations run on at least one public cloud provider. But for about 60% of those companies, the main motivations behind spreading services out between multiple providers are not quite as technical as one might imagine.
Mergers and acquisitions can cause obvious complexity, as companies link up and potentially run similar processes in different cloud environments like AWS, Azure, or GCP. There are also decision-makers and teams that prioritize a task-based approach and pick the best environment to get a particular job done. The benefits of a multi-cloud environment could then become drawbacks, as security becomes more difficult to plan for and understand. And no one wants complexity in an approach that is essentially supposed to offload responsibilities and make things easier.
Risk doesn’t translate for SecOps
As more DevOps teams increase their use of JavaScript, traditional security controls don’t support the popular format as well as other legacy languages. In this situation, there is greater risk. However, an older web app that hasn’t been updated in a while could be the tip of the iceberg in terms of the technical debt sitting out there.
Apps built on older languages like Java, .NET, and C++ could leave exposures open as teams roll over to newer languages. So, this situation also presents risk. Security teams may not even be aware they’re in the dark about vulnerabilities those legacy apps present, as they try to keep pace with DevOps.
The future of shifting left
When it comes to security testing phases,there’s still a heavy tendency toward QA. More is being done to integrate those protocols in the process, but the sea change of baking testing into earlier phases largely has yet to occur.
Over the next decade, teams will likely adopt more cloud-based integration tools like AWS CodePipeline, Microsoft Azure DevOps, GitHub Actions, and GitLab CI. In these instances, the cloud provider is managing more for you, minimizing attack surfaces and providing more built-in security. GitHub and GitLab, in particular, are trending toward greater baked-in security.
Jenkins has been the continuous integration tool of choice for about the last decade. However, the 24/7 nature of running on-premises or in the cloud to manage builds, releases, and patches can increase the attack surface.
When it comes to container orchestration tools, cloud-managed services like AWS Fargate and Azure Container are beginning to pull even with cloud-hosted services like Docker and Kubernetes. It’s becoming more attractive to outsource control-point and hardening responsibilities, so that security can shift further left into containers; it simplifies testing and helps ease deployment.
The future of shifting right
Security-testing responsibility lies with actual security teams about 65% of the time. Yet, managing corrective actions lies with development teams about 63% of the time, according to SANS. These numbers indicate largely siloed actions blocking the path to a true DevSecOps approach.
The biggest success measurement of DevSecOps is the time it takes to fix an issue. Aligning teams to tackle an issue in a speedy manner can make or break. Additionally, identifying post-deployment issues can help to improve shift-left controls to prevent those issues from ever escaping into production.
A 100% cross-functional effort most likely will not be achieved by every organization. However, moving closer to this goal could help strengthen teams, boost morale, and feed back key learnings to ultimately increase the speed of success.
In conclusion
Ironically, the biggest challenge of all isn’t technical in nature. Red tape within organizations can present challenges like lack of buy-in from management, insufficient budget (open-source tools can help here!), and siloed efforts. Additionally, a shortage of skilled workers could reinforce the same old decision-making patterns at those management levels.
When it comes to closely aligning teams and getting more time back to innovate, it’s often a cyclical dance of shifting right to improve your efforts in shifting left. For example, can you move further right into the cloud rather than building do-it-yourself, comprehensive solutions to security? Offloading could help to create more controls for enforcing security in tandem with DevOps.
No one wants to compromise the integrity of deploying on time, particularly as it relates to customers and your company’s bottom line. Co-sponsored by Rapid7, this recent SANS webinar presents an in-depth look at key statistics from a recent survey of companies and their advancements—or lack thereof—in DevSecOps.
Since 2018, thousands of enterprises have utilized InsightVM’s Goals and SLAs feature to build their organization-specific security goals. Through Goals and SLAs, security teams ensure that they’re making progress toward their goals and service-level agreements (SLAs) at an appropriate pace, and that they’re maintaining compliance with the standards set for their program. Not only do Goals and SLAs enable our customers to deliver impact, but they are also super easy to set up. In fact, with the newly redesigned Goals 2.0 wizard, the average customer creates a new goal in less than five minutes.
Creating goals in InsightVM may be easy, but we know that executing on those goals can be challenging, especially when multiple, cross-functional stakeholders are involved. To help you with these challenges, we have enhanced the Goals and SLAs feature by enabling Goal Owners to share goals with other stakeholders. In doing so, Goal Owners and the teams they work with can more efficiently execute on goals, and visibility of goals can be shared more widely. Want more details on how this updated functionality can deliver value to your organization? Keep reading!
Not an InsightVM customer? Watch our on-demand demo.
A Goal Owner can now share their goal directly with other stakeholders, such as a fellow team member or manager, through Step 3 of the Goal Wizard, called “Review.” Goals can be shared during the creation of a goal or after a goal has already been created.
It is common for Goal Owners to assign their created goals to a Live Dashboard for easy tracking. If a Goal Owner chooses to share a goal with another stakeholder, any shared dashboard containing that goal card will automatically be made available to that stakeholder, increasing awareness and recognition of the goal and any progress made toward it.
Increase visibility and productivity
As mentioned earlier, the success of a goal depends on multiple people collaborating from different teams. A security manager is responsible for translating their CISO’s key risk indicators into security performance metrics that can be monitored on a continuous basis. The same security manager is also responsible for working with many teams, such as global risk management, information security, and remediation teams, to execute on security program goals. It’s absolutely imperative that every team member involved each has the same view into the security program goals to avoid the typical back-and-forths and long turnarounds. By sharing goals among stakeholders, the security team can collaborate with other cross-functional teams in a more effective manner.
Reduce noise and build focus
Until now, all InsightVM users were able to create a goal. After extensive user research and feedback, we have come to an understanding that security managers are typically responsible for coming up with goals, and it almost always leads to better performance when every team member is executing on the same goals.
We are now offering a new platform permission, “Remediation Projects and Goals and SLAs,” on the InsightVM security console that will allow security administrators to fine-tune their users’ permissions, thereby limiting the ability of some users to create goals. The users without goal permissions can still receive a shared goal and continue to execute on goals, but they will not have the permission to create goals.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
