We are pleased to announce the next major release of Nexpose, version 5.6.  This release focuses on providing you the most impactful remediation steps to reduce risk to your organization and extends our current configuration assessment functionality.

New Look and Feel

The most visible change in Nexpose 5.6 is the new look and feel of the user interface.  The action header is now smaller to maximize screen space and usability, and the new colour scheme makes it easier to focus on important areas of the application.

Simplifying Remediation Prioritization

Security Teams are often inundated with thousands of vulnerabilities across all their assets through their entire network. One of the major challenges facing Security teams is the difficulty in translating known vulnerabilities (the "What") discovered on their network into remediation steps (the "How"). With all of vulnerabilities on the network, security teams struggle with determining which vulnerabilities on their network are the most important to fix and what they need to do to remediate. There are many different ways that this can be tackled. Organizations can go from the top down the vulnerability list based on security risk using a metric like CVSS, focus on their business critical systems first, or throw darts at a wall. In all cases, security teams are focusing on fixing each vulnerability individually on the list of assets they care about. When you are getting into the thousands of vulnerabilities, with more coming every day, it becomes almost impossible for security teams to act as they spend all their time worrying about fires and the next big thing.

The other main problem facing security teams is that they often are not the teams performing the actual remediation. Usually they work with the IT Team to apply a patch, upgrade a new version of the vulnerable software on the affected asset, or perform another mitigation technique. The problem is that security and IT teams often speak a different language that is often incompatible with each other. As an example, the security administrator managing the vulnerability management program in an organization might notice that there is a serious vulnerability on a specific asset. After determining whether or not the vulnerability was valid (it was!) and determining which IT administrator was responsible for that asset, the security administrator is now responsible for telling the IT admin to patch that host. Simple enough. The security admin will just tell IT guy, or create a ticket, to state that they need to patch the critical vulnerability CVE-2013-1234 on the asset. They'll probably include the fact that it has a CVSS score of 10.0 and that it's highly critical. All important things to the security admin, but completely useless information to the IT admin. The IT guy is now forced to figure out what all the security mumbo-jumbo means and translate it into something they can understand.

Making it easy for IT Teams to take action on vulnerabilities is only the first step. With thousands of vulnerabilities to manage, going through them one by one does not scale, and providing a thousand page report with all the information within it makes matters worse..  For every vulnerability on your network that you solve, even more come in on a day to day basis. It is imperative that security teams have a system that allows them to prioritize fixing the right risks that affect their organization.

Not all of the thousands of vulnerabilities that affect a specific organization have different remediation steps. With vulnerability supersedence and product updates, often times multiple vulnerabilities can be fixed by performing one step. If an asset has twenty vulnerabilities on it when scanned with Nexpose, but all of them are associated with Adobe Flash, then the solution for all twenty vulnerabilities would be to upgrade the version of Adobe Flash on that host. It is a simple solution that solves the problem for the security admin, presents the information in a way that the IT admin understands ("Patch Flash on Host") and moves teams away from thinking about vulnerabilities being the default metric in how you look at data.

It is a powerful way of thinking about managing your vulnerability program. Instead of focusing on vulnerabilities one-by-one, you can ask the question, "What is the one thing I can do that will minimize my security risk the most and how much will it lower it by?"

Nexpose 5.6 includes two new reports that assist you in making your life easier. The first report is a high-level summary that allows you to see, in a prioritized view, the top 'n' remediation actions that will reduce your level of risk. The report will also provide guidance on how your overall security profile for your organization will improve by applying these remediation steps. These include, as percentages, the following metrics.

  • Overall Vulnerability Risk (% Reduced)
  • Number of Assets Remediated
  • Number of Vulnerabilities with Known Exploits Remediated (% Reduced)
  • Number of Vulnerabilities associated with Known Malware Kits Remediated (% Reduced)

Like any other report in Nexpose, you can restrict the data in the report to specific Sites, Asset Groups, or vulnerability categories for further configurability and granularity. For example, if you have a Dynamic Asset Group that is configured to only include Windows Assets, you can create a remediation report that only list the prioritized remediations for the Windows assets in your environment. This allows you to tailor actionable reports to different IT groups within your organization in a language they understand.

Configuration Compliance Enhancements

Nexpose 5.6 also adds new content within the Policy Manager around configuration assessment  The latest version of Nexpose includes new certified Center for Internet Security (CIS) Benchmarks for the Red Hat Enterprise Linux 4, 5, and 6 operating systems.

We are extending the ability, introduced with the release of Windows CIS Policy content in Nexpose 5.5, for organizations to determine their overall level of compliance to common best practices developed by CIS. This is a big deal for organizations who need to measure their level of compliance against known best standards on Red Hat Enterprise Linux hosts.

Determining the overall level of compliance can be a difficult problem to solve for a lot of organizations. They either have to perform the assessment by hand across all of their assets, or use multiple toolsets to pull out this data. Nexpose is flexible to the needs of organizations by allowing users to scan for both Vulnerabilities and Configuration Issues within a unified assessment toolset, allowing users to minimize the amount of scan configuration and time required to get both vulnerability, application and configuration result data in a low touch manner. Users can select any selection of Policies, either old or new, into any scan template.

In addition, if your organization has decided that the included CIS Red Hat Enterprise Linux benchmarks within the product are great baseline but do not necessarily meet the needs of you organization, you can use our Policy Editor to make modifications to copies of the included policies within Nexpose. You can then include these custom policies in any scan template for inclusion within a scan.

These features are designed to simplify the overall experience for our customers. We want you to make informed and intelligent decisions on what you should do next, freeing up time for you to act, rather than trying to spend time trying to mine through vulnerability and compliance data or dealing with IT. We know that focusing on a remediation view allows you to build a rapport with the IT teams, maximize risk savings while minimizing work effort, and overall simplify and strengthen the security posture of your organization.

For more information on Nexpose 5.6, you can look at the release notes here.