CM's Note: The following post is by guest blogger and Rapid7 customer Jamil Hightower, Information Security Analyst, Rodale Inc. Thanks for all the help Jamil!
I have extensive experience with multiple vendors, and I must say that using Nexpose has provided me the best results used in my risk matrixes. I use the product every day for a multitude of compliance reasons. Previously, the products I used didn't provide clear-cut direction on how you could tackle the remediation of vulnerabilities in a tactical way. Not being able to tactically provide a direction causes management and engineers to balk at the seriousness, or not to make the necessary remediations in a timely manner, despite the fact that risk is present.
Nexpose closed those gaps by far.
I took the lesson and began to pay closer attention to Rapid7. I asked my Sales representative to be involved in initiatives that can help drive and improve the vulnerability assessment and management within my workplace. I was approached to participate and help develop the NXA Certification. My knowledge of Nexpose, combined with obtaining and being a part of the development of the NXA initiative, opened a broader view of the product, which has led to conversations on how I can leverage the other Rapid7 technology offerings for upcoming projects within my infrastructure. I'm looking to add other Rapid7 products to integrate with Nexpose to further enhance our vulnerability management program.
The greatest impact of having in-depth knowledge of Nexpose, along with obtaining the NXA certification, is that I was now able to establish a vulnerability management process consisting of the following:
· Roles (Console Access)
· Vulnerability scan
· Definition of remediation actions
· Implementation of remediating actions
As a result, my risk matrix has dropped exponentially; there is always a risk, but now with substantial support by management along with the process above. I found that this approach was a better alternative than providing large reports which no one wants to read. Management is now more engaged to a point where statistics are reported up to C-level management.
Jamil Hightower, PCIP, PCI-ISA