Prior to the release of ControlsInsight 3.0, the application was focused on analyzing the effectiveness of an organization's implementation of security controls targeted only at Windows desktop assets. How does the inclusion of Windows server controls affect the organization and usability of the application?
ControlsInsight groups the security controls that matter to a particular asset class into a 'threat model'. A threat model also carries weighted rankings of the controls it includes.
Different asset classes may share the same control and associated guidance, but the relative importance (weight) of that control varies from asset class to asset class. Each threat model therefore receives its own analysis, score, and prioritized guidance based on the importance and effectiveness of its security controls.
ControlsInsight Threat Model:
- An asset class (i.e., Windows Server or Windows Desktop).
- The set of security controls Rapid7 experts have deemed important for that asset class via internal and external benchmarking.
- A set of rankings and weights that describe the relative importance of each security control to the asset class.
ControlsInsight 3.0 separates its controls into 'Windows Server' and 'Windows Desktop' choices in the left-hand navigation pane. The overall defense grade (how effective are my security controls?) for each threat model is highlighted in the navigation pane. The color of the circle bordering the 0-10 score (higher is better) gives a quick red/orange/green status for the effectiveness of the controls.
It is simple to switch between the asset categories by clicking that category in the left pane. The currently selected model is highlighted in the navigation pane and the page title reflects the selection. At this point, other choices in the application (control status, next steps, affected assets, guidance, reporting) only reflect the assets and the analysis of the selected model.
As seen here, the executive report has been modified to show which threat model is being reported on and the total number of assets considered in the report (the number of non-filtered assets in the asset class).
Even the 'search' box at the top of the page limits itself to assets relevant to the selected threat model. Remember, a threat model is associated with a specific asset class. So when the 'Windows Server' model is selected, no Windows Desktop assets will be considered in the search.
Hint: A blank search request while 'Windows Desktop' is selected will return all assets that qualify as Windows Desktop assets within ControlsInsight.
Finally, each threat model is independently configurable. To give your organization the flexibility to disable controls that may not make sense for its circumstances, the Management tab has sections for both desktop and server controls. Enabling or disabling a security control for one asset class (threat model) has no effect on the controls of other threat models. As of ControlsInsight 2.6, changing the set of enabled controls for a given asset class causes historical scoring data to be recalculated, so that the trend more accurately reflects the historical effectiveness of the relevant controls.
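The following is an added example (not ControlsInsight's own code) that models the threat-model concept described above: one control catalogue, a separate weight table per asset class, a per-model enable/disable set, and a 0-10 grade with prioritized guidance derived from weight times gap. The weights, the coverage figures, the averaging formula and the red/orange/green thresholds are all assumptions constructed for illustration; Rapid7 does not publish its scoring formula here.

```python
from dataclasses import dataclass, field

# Constructed sample: the same four controls matter to both asset classes,
# but each threat model weights them differently (assumed values).
DESKTOP_WEIGHTS = {"antivirus": 3.0, "host_firewall": 2.0, "screen_lock": 2.0, "patching": 3.0}
SERVER_WEIGHTS = {"antivirus": 1.0, "host_firewall": 3.0, "screen_lock": 0.5, "patching": 4.0}

# Constructed coverage: fraction of assets in the class on which each control
# is found to be effective (0.0 .. 1.0).
COVERAGE = {"antivirus": 0.9, "host_firewall": 0.5, "screen_lock": 0.2, "patching": 0.8}


@dataclass
class ThreatModel:
    """An asset class, its weighted controls, and the controls an admin disabled
    for this model only (disabling never leaks into another model)."""
    asset_class: str
    weights: dict
    disabled: set = field(default_factory=set)

    def enabled_weights(self):
        return {c: w for c, w in self.weights.items() if c not in self.disabled}

    def defense_grade(self, coverage):
        """Assumed formula: weighted average coverage over enabled controls, scaled to 0-10."""
        weights = self.enabled_weights()
        total = sum(weights.values())
        if total == 0:
            return 0.0
        weighted = sum(w * coverage.get(c, 0.0) for c, w in weights.items())
        return round(10 * weighted / total, 1)

    def prioritized_guidance(self, coverage):
        """Rank enabled controls by weight * (1 - coverage): the biggest weighted gap first."""
        gaps = [(c, w * (1.0 - coverage.get(c, 0.0))) for c, w in self.enabled_weights().items()]
        return [c for c, _ in sorted(gaps, key=lambda item: -item[1])]


def status_colour(grade):
    """Assumed thresholds for the coloured ring around the score."""
    if grade >= 7.0:
        return "green"
    if grade >= 4.0:
        return "orange"
    return "red"


DESKTOP = ThreatModel("Windows Desktop", DESKTOP_WEIGHTS)
SERVER = ThreatModel("Windows Server", SERVER_WEIGHTS)

if __name__ == "__main__":
    for model in (DESKTOP, SERVER):
        grade = model.defense_grade(COVERAGE)
        print(model.asset_class, grade, status_colour(grade), model.prioritized_guidance(COVERAGE))
    # Disabling screen_lock for servers only changes the server grade.
    SERVER.disabled.add("screen_lock")
    print("server without screen_lock:", SERVER.defense_grade(COVERAGE))
    print("desktop unchanged:", DESKTOP.defense_grade(COVERAGE))
```

Identical coverage figures produce a different grade and a different order of guidance for each model, because the weights differ; disabling a control in one model recomputes that model's grade and leaves the other untouched.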
Rapid7 RealContext™
RealContext provides the ControlsInsight user access to asset collections (sites, filters, asset groups) within the Nexpose application. Because each threat model is related to a specific asset class, and because an asset class can be seen as an asset grouping, usage of RealContext has not been affected by the release of the Server Threat Model.
As of ControlsInsight 2.6, when RealContext was introduced, ControlsInsight gained the ability to analyze and characterize the control effectiveness of a specific set of assets within a chosen asset class. A new class of assets (Windows Server) has been introduced with 3.0. Those assets are mutually exclusive with Windows Desktop assets, so RealContext filtering simply continues to work.
The images below show how the same selected RealContext asset tags would result in a different set of assets to be considered by each threat model.
Remember that when multiple tags of the same category are chosen (e.g., the asset groups above), the union of those assets is considered. When a different category of RealContext tag is also chosen, the intersection of that category with the other categories is taken.
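The following is an added example (not Rapid7's code) of the selection rules described in this section and in the search paragraph above: the threat model's asset class is applied first, tags chosen within one RealContext category are unioned, categories are intersected, and a blank search returns every asset that qualifies for the selected model. The inventory, tag categories and tag names are constructed for the example.

```python
# Constructed inventory: each asset has an asset class and RealContext-style tags,
# stored as category -> set of tag values (an asset may belong to several asset groups).
ASSETS = [
    {"name": "dc01", "asset_class": "Windows Server",
     "tags": {"site": {"HQ"}, "asset_group": {"Domain Controllers", "Critical"}}},
    {"name": "web01", "asset_class": "Windows Server",
     "tags": {"site": {"DMZ"}, "asset_group": {"Web Tier"}}},
    {"name": "db01", "asset_class": "Windows Server",
     "tags": {"site": {"HQ"}, "asset_group": {"Databases", "Critical"}}},
    {"name": "pc-101", "asset_class": "Windows Desktop",
     "tags": {"site": {"HQ"}, "asset_group": {"Finance"}}},
    {"name": "pc-102", "asset_class": "Windows Desktop",
     "tags": {"site": {"Branch"}, "asset_group": {"Finance"}}},
    {"name": "pc-103", "asset_class": "Windows Desktop",
     "tags": {"site": {"HQ"}, "asset_group": {"Engineering"}}},
]


def matches_selection(asset, selection):
    """selection: category -> set of chosen tag values.
    Within a category the chosen tags are OR'ed (union of their assets);
    across categories the results are AND'ed (intersection). An empty set for a
    category means no restriction on that category."""
    for category, chosen in selection.items():
        if not chosen:
            continue
        if not (asset["tags"].get(category, set()) & chosen):
            return False
    return True


def select_assets(assets, asset_class, selection, query=""):
    """Assets considered by a threat model: restrict to the model's asset class first,
    then apply the RealContext selection, then an optional name search.
    A blank query returns every asset that qualifies for the selected model."""
    names = []
    for asset in assets:
        if asset["asset_class"] != asset_class:
            continue  # the other model's assets are never considered
        if not matches_selection(asset, selection):
            continue
        if query and query.lower() not in asset["name"].lower():
            continue
        names.append(asset["name"])
    return sorted(names)


if __name__ == "__main__":
    chosen = {"asset_group": {"Finance", "Critical"}}
    print("server:", select_assets(ASSETS, "Windows Server", chosen))
    print("desktop:", select_assets(ASSETS, "Windows Desktop", chosen))
    chosen_and_site = {"asset_group": {"Finance", "Critical"}, "site": {"HQ"}}
    print("desktop at HQ:", select_assets(ASSETS, "Windows Desktop", chosen_and_site))
    print("blank search, desktop:", select_assets(ASSETS, "Windows Desktop", {}, query=""))
```

The same tag selection yields disjoint result sets for the two models because an asset belongs to exactly one class; adding a second category narrows each result rather than widening it.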
We all hope the Server Threat Model will be a valuable and easy-to-use addition to your ControlsInsight experience.