We are pleased to announce the next major release of Nexpose, version 5.9.  This release focuses on reducing the risk that matters to your business, quickly and efficiently.

Business Context?

One of the biggest failings of the security industry so far is that it has not successfully tied the knowledge and the needs of the business to the overall risk landscape. Every organization has different thoughts and needs around how they prioritize risk, what they deem fundamentally important, and how risk drives process when consuming data internally. While security products have traditionally done an excellent job of quantifying risk when looking at issues in a bubble, they often fail when trying to drive process around those findings and contextualizing that information with what is important to the business. This "misunderstanding" can often drive wedges between security teams and the rest of the organization, creating conflicts when there should not be any, mostly because security teams don't know how to prioritize and communicate in a language that the rest of the business can understand.

Providing context to risk is not a new concept in the security space. The Common Vulnerability Scoring System (CVSS) has the concept of leveraging environmental metrics as inputs, tying an understanding of the environment to the severity of a vulnerability. While an excellent start, the adoption rate is quite low, since it still attempts to contextualize risk in a language that only security teams can understand. It does not help the rest of the organization translate security risk to business risk.

What is RealContext?

RealContext is a new feature in Nexpose 5.9 that enables security teams to contextualize information and report in a language and format tailored to simplify the experience for the rest of the business. Nexpose users can now associate business context with the security risks on assets by leveraging four new classifications for assets. They are:

  • Asset Ownership: Who in the organization is responsible for owning and/or remediating this asset? This could be a business unit, an individual user, a group, or any combination thereof.
  • Asset Location: Where in the organization is this asset located? This could be a physical location, city, country, datacenter, etc.
  • Asset Criticality: How important/critical is this asset to my organization?
  • Custom: Any other information, outside of ownership, location and criticality, that may be of importance to your business.

Using the sample screenshot above, as a Nexpose user, I can easily gain context into a specific asset. I know that this asset falls under PCI Compliance, lives in the DMZ somewhere, and is really critical to my business. In addition, the asset is owned by "John Smith" and is located somewhere in Austin. This allows you to gain real insight into how you may want to tackle risks that are found on this asset now, and in the future.

This also helps simplify your overall workflow. If a new risk is discovered on this asset in the future, you know how to tackle the problem. Is there an SLA in place for extremely critical assets? If so, you know exactly who to send information to ("John Smith") and where the asset is ("Austin"). You no longer have to rely on going to a CMDB (in the best case) or an Excel Spreadsheet (in the worst case) to find out what to do. In addition, it enables you to speak in a language that John will understand, since you have a full understanding of the context of his world, and how information could be tailored to help drive the remediation and tracking process.

Automatically Driving Context through Dynamic Asset Groups and Scan Groups

Providing context on a per-asset basis throughout your entire organization can be extremely cost-prohibitive for even small organizations, let alone a Fortune 500 company. Thankfully, Nexpose can help you solve this problem in three different ways: "Dynamic Asset Groups", "Scan Groups" (a.k.a. Sites) and the Open API.

Dynamic Asset Groups is a very powerful feature set that already exists within Nexpose. It allows you to create groupings of assets based on a set of criteria that you provide. Some examples include:

  • "Show me all assets that have Windows installed"
  • "Show me all assets that have a validated vulnerability that was discovered by Metasploit"
  • "Show me all assets that have vulnerabilities that would cause it to fail a PCI assessment."
  • "Show me all assets that have Windows installed AND show me all assets that have vulnerabilities that would cause it to fail a PCI assessment."

Dynamic Asset Groups allow you to contextualize information in a way that you want to see it. Since they are also dynamically updated after every scan, they can also allow you to track progress over time, such as tracking assets that have remediated a particular vulnerability to zero.

As part of Nexpose 5.9, users are now able to add tags to assets that are members of these dynamic asset groups.

In the above screenshot, I have searched for all assets in my organization that have an Operating System of Windows. I want to be able to automatically classify those assets with a Windows tag and I know that "Jane Smith" is responsible for remediation for all Windows assets. By adding these tags, when looking at any asset that is Windows, I can easily gain the context I need to understand what to do when I need to tackle this asset. I will no longer have to spend time figuring out what an asset is, when the system can help me auto-populate what I need to know. The power of dynamic asset groups allows me to group information in the way that I want to see, and then apply the logic that I need to help my organization drive value and lower security risk.

In addition, dynamic asset groups can include multiple asset tags based on the same search criteria. As an example, I have included a filter that couples the Windows label that I created above with all assets that have known validated vulnerabilities from a Metasploit penetration test. I can then reclassify these assets with additional labels such as "FIX NOW!" and denote the asset as "Very High." Since these asset groups are dynamic, they will constantly update over time, allowing you to see when issues are fixed, since the tags are added and/or removed based on the filter criteria you have entered. This gives you real-time insight into the risks in your world as things happen and infinite flexibility in how you want to represent the needs of your world in Nexpose.

In addition, Nexpose users often group scans into "Sites" or logical scan groups. These are often based on subnet and/or location. You can now classify assets at the scan group level, and every asset that is a member of that scan group will inherit the labels provided.

Automating Remediation Assignment Using RealContext

I know what you are saying. "I can see that I can add owners to my assets in Nexpose. So what?!?"

I have already walked through how you can leverage the power of Nexpose asset groups to drive process, but you can also drive remediation process and save time by combining the power of RealContext and reporting. Nexpose users can now build reports based on the tags that they have created.

Therefore, users can build very targeted reports based on the needs of the business in the context that they want to see. As an example, let's assume that you deliver a listing of the Top Remediation Steps to each of your business owners for the assets that they directly own. Since you now know who owns an asset, you can generate a remediation plan targeted directly to them and the assets that they own by sending the report directly to them. It works like the following.

Since you have the flexibility of running automated scans on a schedule, generating reports after a scan is complete and sending the report over e-mail to an "owner", you can automate the entire workflow of scanning and delivering information to the right stakeholders without having to lift a finger outside of initial setup. RealContext enables you to get information easily into the right people's hands, so that you can have others drive next steps in security remediation, and you can spend time worrying about real issues that impact your world.

Watch this blog over the next couple of weeks for additional ways that RealContext can simplify your workflow and world.

Targeting High Priority Assets Through Criticality in RealContext

As already mentioned, RealContext in Nexpose 5.9 allows you to set the criticality level for an asset or a group of assets. This allows you to target the assets that are the most critical in your organization.

Nexpose 5.9 also includes the unique functionality of adjusting the RealRisk score of your asset based on the criticality level that you have set. You can set a multiplier value for RealRisk based on each criticality level within the product. As an example, you may decide that the risk score of your highly critical assets should increase 2 times, so that you can accurately represent the level of risk not only from a criticality level, but also from an underlying score level as well.

As a user, you have the ability to provide a risk score multiplier for each criticality, if you so choose. In the screenshot above, I have increased the risk score for all "Very High" assets by 2 times. Therefore, as you view assets against each other, the risk score reflects the real risk based on the criticality level set. This new risk score is leveraged throughout the entire product where RealRisk is shown, including the user interface and all reports. An example is shown below.

Here, you can see that the newly defined risk score is coupled with the original RealRisk score as determined within a Nexpose scan, allowing you to easily see how the context that you provide impacts risk.
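
A small model of the workflow described in the sections above (dynamic-group tagging, per-owner reports and the criticality multiplier), added here as an illustration; it is not Nexpose code and calls no Nexpose API. The asset records, field names and function names are constructed for the example, and the only multiplier taken from the post is 2x for "Very High".

```python
# Illustrative model only: not Nexpose code, no Nexpose API calls.
from collections import defaultdict

# Assumed multiplier table; the post only gives 2x for "Very High".
MULTIPLIER = {"Very High": 2.0}

# Dynamic groups: (filter, tags applied while an asset matches the filter).
GROUPS = [
    (lambda a: a["os"] == "Windows",
     {"custom": "Windows", "owner": "Jane Smith"}),
    (lambda a: a["os"] == "Windows" and a["validated_vulns"] > 0,
     {"custom": "FIX NOW!", "criticality": "Very High"}),
]

def apply_tags(asset):
    """Recompute tags after every scan so stale tags drop off automatically."""
    tags = defaultdict(set)
    for matches, group_tags in GROUPS:
        if matches(asset):
            for kind, value in group_tags.items():
                tags[kind].add(value)
    return {kind: sorted(values) for kind, values in tags.items()}

def adjusted_risk(asset, tags):
    """Scale the scanner's raw score by the highest applicable multiplier."""
    levels = tags.get("criticality", [])
    return asset["risk"] * max((MULTIPLIER.get(c, 1.0) for c in levels), default=1.0)

def owner_report(assets):
    """Group assets by owner tag, highest context-adjusted risk first."""
    report = defaultdict(list)
    for asset in assets:
        tags = apply_tags(asset)
        row = (asset["name"], adjusted_risk(asset, tags), tags.get("custom", []))
        for owner in tags.get("owner", ["unassigned"]):
            report[owner].append(row)
    for rows in report.values():
        rows.sort(key=lambda r: r[1], reverse=True)
    return dict(report)

# Constructed scan results: web01 is remediated between scan 1 and scan 2.
SCAN_1 = [
    {"name": "web01", "os": "Windows", "validated_vulns": 2, "risk": 400.0},
    {"name": "file01", "os": "Windows", "validated_vulns": 0, "risk": 600.0},
    {"name": "db01", "os": "Linux", "validated_vulns": 1, "risk": 900.0},
]
SCAN_2 = [dict(SCAN_1[0], validated_vulns=0, risk=150.0), SCAN_1[1], SCAN_1[2]]
```

In the first scan web01 outranks file01 for Jane Smith only because of the multiplier; in the second, the "FIX NOW!" and "Very High" tags are gone without anyone editing the asset, and db01 stays in the "unassigned" bucket because no group gives it an owner.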

RealContext is designed to simplify the overall experience for our customers. We want you to make informed and intelligent decisions on what you should do next, freeing up time for you to act, and enabling you to easily understand the needs of your organization and business through a simplified workflow and contextual intelligence. This will enable you to shorten the window of attack on high risks through automated prioritization based upon your business and assign risks for quick resolution.

You can find a video walking you through the workflows of RealContext here.

For more information on Nexpose 5.9, including information about newly supported languages for reports and additional features, you can look at the release notes here.