We found out on Tuesday night that we won the SC Magazine Awards for Best Vulnerability Management Solution. I am extremely honored and glad that we won, and we owe it entirely to our amazing customers who have stayed with us over the years and helped us shape Nexpose into what it is today. We truly believe that customers are at our core and they are our partners—not in crime, but in anti-crime.
I can't help but reflect on how much Rapid7 and Nexpose have grown since I started at Rapid7 around 4 years ago.
Vulnerability management has been around since the '90s and the market is mature, but it's still a problem that isn't 'solved.' Security teams still have way too many vulnerabilities to remediate and need to prioritize what matters to the business in order to be effective. The target is constantly moving: the modern network includes virtualization, mobile, and cloud assets that introduce risks at lightning speed. And the threat landscape isn't slowing down either. Look at all the 'celebrity' vulnerabilities that have come out in the past year, including Heartbleed, POODLE, Sandworm, and Bashbug (aka Shellshock). However, you can't forget about old vulnerabilities: according to the Verizon DBIR, '99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published,' even some published way back in 1999.
'About half of the CVEs exploited in 2014 went from publish to pwn in less than a month.' - Verizon DBIR 2015
The adversary is no longer a script kiddie playing around in their mom's basement; now there's an entire ecosystem of tools and providers for the adversary. There are multiple layers, from malware authors, to distributors, to markets for purchasing stolen credentials, credit cards, or health records. Almost anyone can rent botnets to perform DDoS for a couple hundred dollars. The weaponizing has already been done, too: fully supported exploit kits are available for purchase. This is dangerous because even those kits contain zero days, like Angler exploiting an Adobe 0-day.
'No matter how high or smart walls, focused adversaries will find other ways over, under, around, and through,' Yoran said. 'You must understand what matters to your business and what is mission critical [and] defend it with everything you have.'
- Amit Yoran, RSA Keynote 2015
Don't make it easy for the adversary. Breaches are not going away—just look at all the recent breaches at Anthem, JP Morgan Chase, Home Depot, Sony, and Target. As Amit said, you must understand what matters and defend it with everything you have.
Our mission is to help our customers manage their threat exposure to reduce the chance of a breach. This is why we've combined Nexpose and Metasploit under our overarching Threat Exposure Management solution. Because of this, last October we introduced Nexpose Ultimate, a new edition of Nexpose and the first and only unified solution for vulnerability management, vulnerability validation, and controls effectiveness testing. Nexpose and Metasploit are available in a single package, the only tool to offer integrated closed-loop vulnerability validation. RealContext allows you to focus on reducing the risk that matters to your business, quickly and efficiently. And RealRisk provides a granular risk scoring system based on threat intelligence, such as malware and exploit exposure, CVSSv2, and temporal risk metrics. Only Nexpose Ultimate combines both offensive and defensive technologies to understand what threats really matter to your organization.
'A CVE being added to Metasploit is probably the single most reliable predictor of exploitation in the wild.'
- Verizon DBIR 2015
Winning this award means a lot to all of us here at Rapid7 and we've won it for 2 years in a row. We've all worked very hard innovating and building a solution that gives our customers the best chance at reducing the risk of a breach. We can't wait to keep delivering value and solving challenges our customers are facing.
Special thanks to our product management team for continuing to innovate and drive the product forward, our engineering team for building an amazing product, and our customer service and customer success management teams for being there for our customers.
And again, we'd like to thank our customers who've stayed with us and helped us improve our products.