Rapid7 Blog

Ken Mizota  


Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010

A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and that it then leverages the EternalBlue and DoublePulsar exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for WannaCry as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities. For the latest updates on this ransomworm, please see Rapid7's recommended actions.

To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven't done so already, download a trial of InsightVM here.

Creating a Scan Template

The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 is as follows:

1. Under the Administration tab, go to Templates > Manage Templates.
2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description.
3. First uncheck "Policies". Click on Vulnerability Checks and then "By Individual Checks".
4. Add Check "MS17-010" and click Save. This should return checks that are related to MS17-010. The related CVEs are: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148.
5. Save the template and run a scan to identify all assets with MS17-010.

Creating a Dynamic Asset Group

Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button. Now, use the "CVE ID" filter to specify the CVEs listed above. This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

Creating a Dashboard

Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities. Also, check out the new Threat Feed dashboard which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm. If you want to build your own, here's how you can build a custom dashboard, with examples taken from the Shadow Brokers leak. To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:

    asset.vulnerability.alternateIds <=> ( altId = "MS17-010" )

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting.

Creating a Remediation Project

In InsightVM, you can also create a remediation project to track the progress of remediation. To do this, go to the "Projects" tab and click "Create a Project". Give the project a name, and under vulnerability filter type in:

    vulnerability.alternateIds.altId CONTAINS "MS17-010"

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish.
If you have JIRA or ServiceNow, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks. Using these steps, you'll be able to quickly scan for some of the vulnerabilities leveraged by this ransomworm. If you have any questions please don't hesitate to let us know! For more information and resources on this ransomworm, please visit this page.

Announcing Microsoft Azure Asset Discovery in InsightVM

Almost every security or IT practitioner is familiar with the ascent and continued dominance of Amazon Web Services (AWS). But you only need to peel back a layer or two to find Microsoft Azure growing its own market share and establishing its position as the most-used, most-likely-to-renew public cloud provider. Azure is a force to be reckoned with. Many organizations benefit from this friendly competition and not only adopt Azure but increasingly use both Azure and AWS. In this context, security teams are often caught on the swinging end of the rope. A small shake at the top of the rope triggers big swings at the bottom. A credit card is all that is needed to spin up new VMs, but as security teams know, the effort to secure the resulting infrastructure is not trivial.

Built for modern infrastructure

One way you can keep pace is by using a Rapid7 Scan Engine from the Azure Marketplace. You can make use of a pre-configured Rapid7 Scan Engine within your Azure infrastructure to gain visibility to your VMs from within Azure itself. Another way is to use the Rapid7 Insight Agent on your VM images within Azure. With Agents, you get visibility into your VMs as they spin up. This sounds great in a blog post, but since assets in Microsoft Azure are virtual, they come and go without much fanfare. Remember the bottom-of-the-rope metaphor? You're there now. Security needs visibility to identify vulnerabilities in infrastructure to get on the path to remediation, but this is complicated by a few questions:

- Do you know when a VM is spun up? How can you assess risk if the VM appears outside your scan window?
- Do you know when a VM is decommissioned? Are you reporting on VMs that no longer exist?
- Do you know what a VM is used for? Is your reporting simply a collection of VMs, or do those VMs mean something to your stakeholders?

You might struggle with answering these questions if you employ tools that weren't designed with the behavior of modern infrastructure in mind.

Automatically discover and manage assets in Azure

InsightVM and Nexpose, our vulnerability management solutions, offer a new discovery connection to communicate directly to Microsoft Azure. If you know about our existing discovery connection to AWS you'll find this familiar, but we've added new powers to fit the behavior of modern infrastructure:

- Automated discovery: Detect when assets in Azure are spun up and trigger visibility when you need it using Adaptive Security.
- Automated cleanup: When VMs are destroyed in Azure, automatically remove them from InsightVM/Nexpose. Keep your inventory clean and your license consumption cleaner.
- Automated tag synchronization: Synchronize Azure tags with InsightVM/Nexpose to give meaning to the assets discovered in Azure. Eliminate manual efforts to keep asset tags consistent.

Getting started

First, you'll need to configure Azure to allow InsightVM/Nexpose to communicate with it directly. Follow this step-by-step guide in Azure Resource Manager docs. Specifically, you will need the following pieces of information to set up your connection:

- Application ID and Application Secret Key
- Tenant ID

Once you have this information, navigate to Administration > Connections > Create. Select Microsoft Azure from the dropdown menu. Enter a Connection name, your Tenant ID, Application ID and Application Secret key (a.k.a. Authentication Key). Next, we'll select a Site we want to use to contain the assets discovered from Azure. We can control which assets we want to import with Azure tags. Azure uses a : format for tags. If you want to enter multiple tags, use as a delimiter, e.g., Class:DatabaseType:Production. Check Import tags to import all tags from Azure. If you don't care to import all tags in Azure, you can specify exactly which ones to import. The tags on the VM in Azure will be imported and associated automatically with Assets as they are discovered. When there are changes to tag assignment in Azure, InsightVM/Nexpose will automatically synchronize tag assignments. Finally, as part of the synchronization when VMs are destroyed within Azure, the corresponding asset in InsightVM/Nexpose will be deleted automatically, ensuring your view remains as fresh and current as your modern infrastructure.

Great success! Now what...?

If you've made it this far, you're at the point where you have your Azure assets synchronized with InsightVM/Nexpose, and you might even have a handful of tags imported. Here are a few ideas to consider when looking to augment your kit:

- Create an Azure Liveboard: Use Azure tags as filtering criteria to create a tailored dashboard.
- Scan the site or schedule a scan of a subset of the site.
- Create Dynamic Asset Groups using tags to subdivide and organize assets.
- Create an automated action to trigger a scan on assets that haven't been assessed.

All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better. Not a customer of ours? Try a free 30-day trial of InsightVM today.

WannaCry coda: Have you disabled SMBv1?

By now, if you're reading this blog, you probably have read about WannaCry. If not, please take a moment to review:

- Wanna Decryptor (WNCRY) Ransomware Explained
- Using Threat Intelligence to Mitigate Wanna Decryptor (WannaCry)
- WannaCry Update: Vulnerable SMB Shares Are Widely Deployed And People Are Scanning For Them
- Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose

With many organizations now taking heed of Microsoft's advice to disable SMBv1, Rapid7 customers have asked: How does this affect my scan capabilities?

Tl;dr

If your assets have Windows Management Interface (WMI) enabled and the Windows Management Instrumentation firewall rules enabled, the Scan Engine will use SMB/CIFS credentials to authenticate via WMI. If your assets are not part of a domain and the Scan Engine is not on the same subnet as the assets, the WMI firewall rules need to be updated to permit messages from the Scan Engine. Read this MSDN article to learn how to set up remote WMI connections and configure Windows Firewall Remote Management.

Checking your configuration

You can verify if you are using SMB credentials in InsightVM by navigating to Administration > Shared Credentials. You may have a Shared Credential that looks like this: If your organization has disabled SMBv1 on your asset you can use your existing SMB credential. You'll want to configure InsightVM to scan port 135, so first verify your Scan Template(s). Navigate to Administration > Scan Templates. Select a Scan Template and review the Service Discovery tab. Take a look at the Additional ports field. Our example above has a range that includes port 135 and yours should too.

In summary:

- Set up WMI for remote connections and enable WMI traffic through Windows Firewall.
- Make sure your Scan Template includes port 135.

CVE-2017-5242: Nexpose/InsightVM Virtual Appliance Duplicate SSH Host Key

Today, Rapid7 is notifying Nexpose and InsightVM users of a vulnerability that affects certain virtual appliances. While this issue is relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about this issue, please don't hesitate to contact your customer success manager (CSM), or your usual support contact. We apologize for any inconvenience this may cause our customers. We take our customers' security very seriously and strive to provide full transparency and clarity so users can take action to protect their assets as soon as practicable.

Description of CVE-2017-5242

Nexpose and InsightVM virtual appliances downloaded between April 5th, 2017 and May 3rd, 2017 contain identical SSH host keys. Normally, a unique SSH host key should be generated the first time a virtual appliance boots. A malicious user with privileged access to one of these vulnerable virtual appliances could retrieve the SSH host private key and use it to impersonate another user's vulnerable appliance. In order to do so, an attacker would also need to redirect traffic from the victim's appliance to the attacker's appliance. Likewise, an attacker that can capture SSH traffic between a victim's client machine and the victim's virtual appliance could decrypt this traffic. In either attack scenario, an attacker would need to gain a privileged position on a victim's network in order to capture or redirect network traffic. Since our virtual appliances are rarely exposed directly to the internet, this added complexity makes it a relatively low-risk vulnerability.

Am I affected?

Customers can determine whether their virtual appliance is affected by running the following command:

    stat /etc/ssh/ssh_host_* | grep Modify

Example output:

    Modify: 2017-04-29 13:20:13.684650643 -0700
    Modify: 2017-04-29 13:20:13.684650643 -0700
    Modify: 2017-04-29 13:20:13.724650642 -0700
    Modify: 2017-04-29 13:20:13.724650642 -0700
    Modify: 2017-04-29 13:20:13.764650641 -0700
    Modify: 2017-04-29 13:20:13.764650641 -0700
    Modify: 2017-04-29 13:20:13.592650647 -0700
    Modify: 2017-04-29 13:20:13.592650647 -0700

Affected virtual appliances contain SSH host keys generated between April 5th, 2017 and May 3rd, 2017. If the modified date for any of the SSH host keys falls in this range, then the virtual appliance is affected and the remediation steps below should be completed.

Remediation

Customers should either download and deploy the latest virtual appliance or regenerate SSH host keys, using these commands:

    /bin/rm -v /etc/ssh/ssh_host_*
    dpkg-reconfigure openssh-server
    /etc/init.d/ssh restart

Post-remediation

After regenerating the SSH host keys, customers will see a "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" notice the next time they SSH to the virtual appliance. Customers should run the following command on the client they use to SSH to the virtual appliance:

    ssh-keygen -R <Virtual_Appliance_FQDN_or_IP>

Resources

The latest virtual appliances are available at: https://community.rapid7.com/docs/DOC-2595

Additional details to resolve the "REMOTE HOST IDENTIFICATION HAS CHANGED!" warning can be found at: https://www.cyberciti.biz/faq/warning-remote-host-identification-has-changed-error-and-solution/
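The two checks a defender actually wants for this advisory, as an added example (not Rapid7 code): the mtime-window test the advisory describes, applied to `stat` output, plus a fleet-wide check that no two appliances present the same host key, which is the underlying defect. All sample input is constructed; the key blobs are not real SSH keys and the hostnames are placeholders.

```python
"""Fleet-side checks for the duplicate SSH host key condition in CVE-2017-5242.

Added example, not Rapid7 code. It covers two signals:
  1. the advisory's own test: any /etc/ssh/ssh_host_* file whose `stat` Modify
     timestamp falls between 2017-04-05 and 2017-05-03 (inclusive);
  2. the underlying defect: the same public host key answering on more than one
     appliance, spotted by fingerprinting ssh-keyscan style output.
All sample input below is constructed for the example; the key blobs are not
real SSH keys and the hostnames are placeholders.
"""
import base64
import hashlib
from collections import defaultdict
from datetime import date

# Download window named in the advisory, inclusive at both ends.
WINDOW_START = date(2017, 4, 5)
WINDOW_END = date(2017, 5, 3)


def parse_stat_modify(line: str) -> date:
    """Turn one `stat ... | grep Modify` line into a date.
    Example: 'Modify: 2017-04-29 13:20:13.684650643 -0700' -> date(2017, 4, 29)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "Modify:":
        raise ValueError(f"not a stat Modify line: {line!r}")
    return date.fromisoformat(fields[1])


def in_affected_window(key_mtime: date) -> bool:
    """True when a host key's modification date lies in the affected range."""
    return WINDOW_START <= key_mtime <= WINDOW_END


def appliance_affected_by_mtime(stat_output: str) -> bool:
    """Apply the advisory rule: if ANY ssh_host_* key was generated in the
    window, the appliance is affected and should regenerate its keys."""
    return any(
        in_affected_window(parse_stat_modify(line))
        for line in stat_output.splitlines()
        if line.strip()
    )


def openssh_fingerprint(key_blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(key_blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_duplicate_host_keys(keyscan_output: str) -> dict:
    """Group hosts by host key fingerprint from 'host keytype base64blob' lines
    (the ssh-keyscan format). Returns only fingerprints shared by >1 host,
    each mapped to a sorted list of the hosts presenting it."""
    hosts_by_fp = defaultdict(set)
    for line in keyscan_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip comments and blank/short lines
        host, _keytype, blob = parts[0], parts[1], parts[2]
        hosts_by_fp[openssh_fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


# Constructed sample data (not captured from real appliances).
# The first block mirrors the advisory's example output and lands in the window.
SAMPLE_STAT_AFFECTED = """Modify: 2017-04-29 13:20:13.684650643 -0700
Modify: 2017-04-29 13:20:13.724650642 -0700
Modify: 2017-04-29 13:20:13.764650641 -0700
Modify: 2017-04-29 13:20:13.592650647 -0700
"""
# An appliance whose keys were regenerated after the fix; outside the window.
SAMPLE_STAT_CLEAN = """Modify: 2017-06-10 09:00:00.000000000 -0700
Modify: 2017-06-10 09:00:00.000000000 -0700
"""
# Fake key blobs: valid base64, not real keys. Two appliances share KEY_A.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SAMPLE_KEYSCAN = f"""# constructed sample in ssh-keyscan format
appliance-1.example.invalid ssh-rsa {KEY_A}
appliance-2.example.invalid ssh-rsa {KEY_A}
appliance-3.example.invalid ssh-rsa {KEY_B}
"""

if __name__ == "__main__":
    print("affected by mtime:", appliance_affected_by_mtime(SAMPLE_STAT_AFFECTED))
    print("clean by mtime:   ", appliance_affected_by_mtime(SAMPLE_STAT_CLEAN))
    for fp, hosts in find_duplicate_host_keys(SAMPLE_KEYSCAN).items():
        print(f"duplicate host key {fp} on: {', '.join(hosts)}")
```

Feed `find_duplicate_host_keys` the combined `ssh-keyscan` output of your appliances; any fingerprint it returns is a key that must be regenerated regardless of what the mtime test says.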

Discovery of assets in Active Directory

Many security teams work in a world that they can't fully see, let alone control. It can be difficult to know how to make meaningful progress in your vulnerability management program when simply maintaining visibility can be a struggle. One way to get some leverage is to make wise use of asset discovery. If you are able to tap into repositories or sources of assets, you stand a better chance of gaining and maintaining visibility.

Over the years, we've written a thing or two about expanding your ability to discover assets from wherever they may leave a trace. You might have read about our vulnerability scanner having the ability to discover assets from McAfee ePO, or Infoblox DHCP, or even Rapid7's own Project Sonar. Or perhaps you've scoured the recently redesigned https://help.rapid7.com to learn about how you may discover assets from AWS or VMware vSphere. If you were a voracious reader, you may have even tried out Adaptive Security to automate your response to what you discover, and then you could've started to monitor the work automated actions do for you.

Today we are pleased to share the availability of asset discovery from Active Directory.

Getting started

We've made it simple for you to gain visibility into your catalog of assets as they reside within Active Directory. In the Administration tab, create a new Discovery Connection. Next, select Active Directory (LDAP). You'll immediately be able to enter in information to connect to your own Active Directory server. Give your connection a name, enter the hostname of the Active Directory server, and select a protocol. Both LDAP and LDAPS are supported. Provide a username and password, and then test your credential. If your credentials are good to go, you can then move on to creating your Base Query and Search Query.

Your Active Directory is likely tailored to meet the needs and contours of your organization. We've provided the ability to enter a Base Query to specify the portion of the AD tree you'd like to import, and a Search Query that you may use to further qualify the computers to discover. Once you've created your query, you might want to take it for a spin to make sure it's working properly. Try out Preview to see the top 50 results of your query to make sure you've got it dialed in.

Let's refine our search just a bit, to focus on just Exchange servers. I'll enter a Search Query: (dnshostname=exch*), and perform another quick test. Now that I'm feeling good about this query, I think I'd like to put it to work for me...

Simple automation

Did you notice the Consumption Settings in the screenshot above? It looks pretty familiar to the setup for importing assets from McAfee ePolicy Orchestrator, and it works in the same manner. Simply enable Consume assets, and select a site to import into and let the system do the work for you. You'll see assets populated from Active Directory as soon as the connection is saved. The time it takes to complete will vary, and will largely be driven by the time it takes the Active Directory server to respond to the query. Here is a view of the assets immediately after they've been imported: You'll notice we've also pulled in OS information from Active Directory where available, so you can create asset groups by the hostname and the OS. Of course, if you have existing dynamic asset groups, these assets may also be included.

The Discovery Connection imports assets once a day, maintaining the visibility you need, while limiting the burden on your Active Directory server. And just like that, you're on your way to better visibility, with a minimum of effort, and a great deal of flexibility to match the contours of your world.

All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better. Not a customer of ours? Try a free 30-day trial of InsightVM today.

Vulnerability Management Tips for the Shadow Brokers Leaked Exploits

Rebekah Brown and the Rapid7 team have delivered a spot-on breakdown of the recent Shadow Brokers exploit and tool release. Before you read any further, if you haven't done so already, please read her post. It's probably not the only post you've read on this topic, but it is cogent, well-constructed and worth the 5 minutes.

Back with me? With all of the media attention and discussion in the infosec community, it would not surprise me to hear that a security team still wondered aloud: "Nation-state intrigue makes for scintillating reading, but what do I do with this news?" So long as there are attackers and defenders in infosec, the Rapid7 community continues to be on the front lines of the struggle. But, in such a position, which action is prudent? Purchasing an underground bunker outright may not be a sound decision for you. However, there are practical actions you can take.

Don't waste a learning moment

You invest in building and maintaining your vulnerability management program. This includes making sure you have visibility to the latest threats and perhaps automating your response. The exploits thrust onto the world stage by the Shadow Brokers, while newsworthy, distill down to a seemingly normal set of patches and updates. As Rebekah's post states:

    If you are unsure if you are up to date on these patches, we have checks for all of them in Rapid7 Nexpose and Rapid7 InsightVM. These checks are all included in the Microsoft Hotfix scan template.

It turns out, if you're maintaining your vulnerability scans, and getting the visibility to your Windows assets, you already have the visibility you need. But that doesn't mean you have to treat this event as business as usual. Perhaps you'd like to see how your security program fares when up against the vaunted Shadow Brokers trove? Here are a few ideas you can try based on a mix of newer and long-standing capabilities.

Look for what you need

If you want to efficiently identify the presence of Shadow Brokers' leaked vulnerabilities, and you don't want to change your existing Scan regime, create a new Scan template. You'll find creating a new Scan Template in the Administration tab. Start off by naming your template. Next, configure your Scan Template for specific vulnerability checks. Tailor your template by looking only for the checks associated with the CVEs exploited by the Shadow Brokers leak:

- EternalBlue, EternalSynergy, EternalRomance, EternalChampion: MS17-010 (checks msft-cve-2017-0143, msft-cve-2017-0144, msft-cve-2017-0145, msft-cve-2017-0146, msft-cve-2017-0147, msft-cve-2017-0148)
- EmeraldThread: MS10-061 (check WINDOWS-HOTFIX-MS10-061)
- EskimoRoll: MS14-068 (check WINDOWS-HOTFIX-MS14-068)
- EducatedScholar: MS09-050 (check WINDOWS-HOTFIX-MS09-050)
- EclipsedWing: MS08-067 (check WINDOWS-HOTFIX-MS08-067)

Use the CVEs to search for the checks and add to your template. Here, I've added CVE-2017-0144. Now that you've got one template squared away, you can take your new Scan Template out for a spin on an entire Site, or an ad hoc scan, or you might want to check out improvements to Scan Configuration to target a scan for just the subset of a Site. If you don't have time for manual scans, create an Automated Action to scan an asset when it is discovered on your network. Whether you've discovered the asset via DHCP discovery connection or just by a regular discovery scan, you can use Automated Actions to scan the Asset when it appears.

Give your stakeholders a view

I couldn't leave you without one final tried and true tip for satisfying demanding executive stakeholders: You can always create a new dashboard! I've created a custom Shadow Brokers Leak dashboard to house all the cards and analysis I'll need. Next, I'll start adding Cards that I'd like to work with. Let's use the Newly Discovered Assets card as a starting point. I've added this card to my Dashboard and I'll click Expand Card to drill in. Next, I'll create a new filter to look only for Assets that are affected by the CVEs and hotfixes identified above. I'll paste this into the Filter field (UPDATE: Corrected May 24, 2017: Changed "ms10-068" to "ms14-068"):

    asset.vulnerability.title CONTAINS "cve-2017-0143" OR
    asset.vulnerability.title CONTAINS "cve-2017-0144" OR
    asset.vulnerability.title CONTAINS "cve-2017-0145" OR
    asset.vulnerability.title CONTAINS "cve-2017-0146" OR
    asset.vulnerability.title CONTAINS "cve-2017-0147" OR
    asset.vulnerability.title CONTAINS "cve-2017-0148" OR
    asset.vulnerability.title CONTAINS "ms10-061" OR
    asset.vulnerability.title CONTAINS "ms14-068" OR
    asset.vulnerability.title CONTAINS "ms09-050" OR
    asset.vulnerability.title CONTAINS "ms08-067" OR
    asset.vulnerability.title CONTAINS "ms17-010"

It'll look something like this: I've saved this filter so I can use it across any number of cards I wish. Since I've done the work of creating the filter once, it is straightforward to add cards, apply the filter, and then save the Cards to my dashboard. I've built a tailored view, showing the impact of the Shadow Brokers leaked exploits on my organization. If you're feeling comfortable with this approach, take a step further! Try out an Actionable Remediation Project from here and get started taking down these risks on your turf. Not a customer of ours? Try a free 30-day trial of InsightVM here.

Live Vulnerability Monitoring with Agents for Linux...and more

A few months ago, I shared news of the release of the macOS Insight Agent. Today, I'm pleased to announce the availability of the Linux Agent within Rapid7's vulnerability management solutions. The arrival of the Linux Agent completes the trilogy that Windows and macOS began in late 2016. For Rapid7 customers, all that really matters is you've got new capabilities to add to your kit.

Introducing Linux Agents

Take advantage of the Linux Agent to:

- Get a live view into your exposures: Automatically collect data from your endpoints and seamlessly update your Liveboards, which are always populated with real time data without the need to hit refresh or rescan.
- Get visibility into remote workers: Remote workers rarely, or in some cases never, connect to the corporate network and often miss scheduled scan windows. Our lightweight agents can be deployed to monitor risks posed by the mobile workforce.
- Eliminate restricted asset blind spots: Some assets are just too critical to the business to be actively scanned. With our agents, you'll get visibility into assets with strict vulnerability scanning restrictions, while removing the need to manage credentials to gain access.
- Get visibility into elastic or ephemeral assets by building the Insight Agent into your base machine images or VM templates.

Of course, Linux isn't a monolithic OS like Windows or macOS. In order for our customers to get the widest possible coverage, Linux Insight Agents support an array of distributions:

- Debian 7.0 - 8.2
- CentOS 5.2 - 7.3
- Red Hat Enterprise Linux (RHEL) Client 5.2 - 7.3
- Red Hat Enterprise Linux (RHEL) Server 5.2 - 7.3
- Red Hat Enterprise Linux (RHEL) Workstation 5.2 - 7.3
- Oracle Enterprise Linux (OEL) Server 5.2 - 7.3
- Ubuntu 11.04 - 16.10
- Fedora 17 - 25
- SUSE Linux Enterprise Server (SLES) 11 - 12
- SUSE Linux Enterprise Desktop (SLED) 11 - 12
- openSUSE LEAP 42.1 - 42.2
- Amazon Linux

With such a diverse list, we hope you're able to find a match for your environment. Ready to get started? Check out the steps to download and install, and you'll be up and running in no time.

...and more

If you've read this far, you may be wondering: "Hey, what about the '...and more' promised in the title?" Since the release of Insight Agents for vulnerability management in late 2016, we've received great feedback from our customers. In particular, we heard that customers liked the visibility they were able to attain, but found the management capabilities lacking. With our most recent release, we've now brought management capabilities to your Assets with Agents. You can now treat your Assets with Agents just like any other asset in your system. You are now able to:

- Add Assets with Agents to groups
- Tag Assets with Agents
- Run standard reporting from the Console on Assets with Agents
- Correlate using Asset Linking
- Apply vulnerability exceptions

All of your Assets with Agents will be synchronized from the Insight Platform into an automatically created "Rapid7 Insight Agents" site so you'll always know where to find them. I hope you grab a moment to give these new tools a spin and let us know what you think! All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better. Download a free 30-day trial of InsightVM.

Introducing Interactive Guides

Recently, Rapid7 took a step forward to deliver insight to our customers: our vulnerability management solutions now include the ability to deliver interactive guides. Guides are step-by-step workflows, built to deliver assistance to users at the right time. Guides are concise and may be absorbed with just a few clicks. They are available anytime on-demand within the user interface, so you can quickly and easily find the information you need, as you need it, where you will be applying it. Here's an example:

How Guides Work

Interactive guides are powered by Pendo.io. As you navigate through the user interface, relevant guides are made available based on the area of the application in use. Pendo serves Rapid7 authored content directly to the user. The user's workstation must be connected to the internet to make use of these new capabilities. We understand this limits access for some of Rapid7's customers, but for most individuals, internet access has become as important as the keyboard or a monitor. To be clear, to receive guides, the user's workstation requires internet access. The machine hosting the Security Console does not require access to the internet.

How are guides delivered in context?

In order to determine which guides are relevant to a user in the moment, very specific information is transmitted to Pendo from the user's browser:

- The URL navigated to
- The CSS element the user has clicked on
- A globally unique, random identifier for the user

With this information, Rapid7 is able to deliver very specific guidance to users when they need it, for improved experiences within the product. All data collected is anonymized, and all communications between the user's workstation and Pendo.io are encrypted with SSL/TLS.

Is my Nexpose data transmitted?

No data that is collected by Rapid7 Nexpose about your organization's assets or vulnerabilities is transmitted to Pendo or Rapid7:

- No personally identifiable information, such as email addresses, names or User IDs, is transmitted.
- No vulnerability data is transmitted.
- No asset data is transmitted, inclusive of software, attributes, IP addresses, and other metadata.
- No information collected by Scan Engines or Agents is transmitted.

To learn more on how Rapid7 and Pendo.io protect your information, please visit: http://rapid7.com/trust and http://www.pendo.io/support/trust/

I don't see any guides. When will they be available?

We're busy building guides right now. You can expect to see new guides in the coming weeks.

What if I cannot participate, or do not want to participate?

If your users have no access to the internet, then you won't be able to receive guides. No data will be transmitted and no guides will be delivered.

If you do not wish to receive guides, you can easily disable the capability on the Security Console:

1. Log in to the machine hosting the Security Console as an administrator.
2. Locate and edit nsc.xml. The file is located in the "deploy/nsc/conf/nsc.xml" directory, for example "/opt/rapid7/deploy/nsc/conf/nsc.xml" in some Linux distributions. Make a copy of the file in case you need to revert the configuration.
3. Edit or add the following element: <Analytics enabled="false" />. This element should be a direct child of <NexposeSecurityConsole />. This is a snippet of the nsc.xml file used to illustrate the format of the element. Your nsc.xml will differ.
4. Changes will take effect during the next Console restart.

Making inadvertent changes to the nsc.xml file can cause issues in your Security Console. Please contact Rapid7 Support for guidance or assistance.
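The "edit or add" step above done safely, as an added example (not Rapid7 code): it takes a backup, edits an existing direct-child Analytics element in place rather than appending a second one, and refuses to touch a document whose root is not NexposeSecurityConsole. The sample document, the .bak naming and the installation path are assumptions; a real nsc.xml contains many more elements.

```python
"""Set <Analytics enabled="false" /> in nsc.xml to stop guide delivery.

Added example, not Rapid7 code. It implements the post's "edit or add" rule:
the element must be a direct child of <NexposeSecurityConsole />, an existing
one is edited in place, and a second copy is never appended. The backup step
and the sample document are assumptions; a real nsc.xml has many more elements
and your path may differ from /opt/rapid7/deploy/nsc/conf/nsc.xml.
"""
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-in for nsc.xml, only to illustrate the element's position.
SAMPLE_NSC_XML = """<NexposeSecurityConsole>
  <Analytics enabled="true" />
  <OtherSetting example="constructed placeholder" />
</NexposeSecurityConsole>
"""


def set_analytics(root: ET.Element, enabled: bool) -> ET.Element:
    """Edit the direct-child <Analytics> element, or add one if absent.
    An <Analytics> nested deeper in the tree does not count, so the element
    the Console reads (a direct child) always ends up present exactly once."""
    if root.tag != "NexposeSecurityConsole":
        raise ValueError(f"unexpected root element <{root.tag}>; refusing to edit")
    analytics = root.find("Analytics")  # matches direct children only
    if analytics is None:
        analytics = ET.SubElement(root, "Analytics")
    analytics.set("enabled", "true" if enabled else "false")
    return analytics


def disable_guides_in_string(xml_text: str) -> str:
    """Return the document with guides disabled; handy for reviewing the
    change before it is written to disk."""
    root = ET.fromstring(xml_text)
    set_analytics(root, enabled=False)
    return ET.tostring(root, encoding="unicode")


def disable_guides_in_file(path, backup_suffix: str = ".bak") -> Path:
    """Back up nsc.xml next to itself, then rewrite it with guides disabled.
    Returns the backup path so the change can be reverted if needed."""
    path = Path(path)
    backup = path.with_name(path.name + backup_suffix)
    shutil.copy2(path, backup)
    tree = ET.parse(path)
    set_analytics(tree.getroot(), enabled=False)
    tree.write(path, encoding="UTF-8", xml_declaration=True)
    return backup


def analytics_state(xml_text: str) -> tuple:
    """(count of direct-child Analytics elements, value of its enabled attribute
    or None). Used to verify the edit produced exactly one disabled element."""
    root = ET.fromstring(xml_text)
    found = root.findall("Analytics")
    return len(found), (found[0].get("enabled") if found else None)


if __name__ == "__main__":
    # Dry run against the constructed sample; use disable_guides_in_file for a
    # real Console (the path is an assumption, see the post for your install).
    print(disable_guides_in_string(SAMPLE_NSC_XML))
```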

macOS Agent in Nexpose Now

As we look back on a super 2016, it would be easy to rest on one's laurels and wax poetic on the halcyon days of the past year. But at Rapid7 the winter holidays are no excuse for slowing down: the macOS Rapid7 Insight Agent is now available within Nexpose Now.

Live Monitoring for macOS

Earlier this year, we introduced Live Monitoring for Endpoints with the release of a Windows agent for use with Nexpose Now. The feedback from the Community has been great (and lively!) and now we're back with another round. Recall, by adding agents into your threat and vulnerability management routine, you can:

Get a live view into your exposures: Automatically collect data from your endpoints and seamlessly integrate it into Nexpose Now, so your Liveboards are always populated with real-time data without the need to hit refresh or rescan.
Get visibility into remote workers: Remote workers rarely, or in some cases never, connect to the corporate network and often miss scheduled scan windows. Our lightweight agents can be deployed to monitor risks posed by the mobile workforce.
Eliminate restricted asset blind spots: Some assets are just too critical to the business to be actively scanned. With our agents, you'll get visibility into assets with strict scanning restrictions, while removing the need to manage credentials to gain access.

These same powers may now be pointed at your macOS population. macOS adoption has been on the rise for years. Windows adoption is not in danger of being eclipsed, but many customers need visibility into their pockets of macOS machines within the environment. This makes sense: when IT can't always mandate a common hardware platform, entire business units adopt what works for them, and C-suite executives use the hardware they desire; a Security team simply needs visibility into what's weak on the systems that mean the most to them.

Getting Started

Just like its Windows counterpart, the macOS agent is easy to install (interactive or silent), easy to manage (directly from Liveboards), and most importantly performs its duty with minimal resource consumption and no user interference. Ready to get started? Here's how: first, navigate to your Liveboards and, if you haven't done so already, add an Agent card. Click on the Manage Agents link and then the Download Mac Agent button. Run the installer package on your Macs of choice and you've taken a first step into a larger world. The Rapid7 Insight Agent takes care of the rest, performing initial and regular data collection and securely transmitting the data back to Nexpose Now for assessment. All of this takes place whether the user is connected to your network or just the internet, reducing the effort for you to get the visibility you need. We expect every organization may deploy or configure things a little differently, so we've provided more information and a FAQ on Rapid7 Insight Agents. tl;dr: at launch the macOS Agent is compatible with macOS Yosemite 10.10 and onwards.

You keep using that word...

Since launching Nexpose Now early in the year and following up with Live Monitoring for Endpoints and Remediation Workflow, we've received questions on the minor but obvious (Beta) label visible within some parts of Nexpose Now. While on the topic of new capabilities, we thought we'd take the opportunity to share some of the Q&A with you all.

What is in (Beta) in Nexpose Now?

Remediation Workflow and Live Monitoring for Endpoints are the two current features that have this label applied. We've opened up these new capabilities to all users of Nexpose Now without restriction.

Why is <feature> Beta?

We want to get new capabilities into your hands as soon as possible, so you can start getting value and provide feedback to Rapid7 on how we can improve. We continue to work on improvements that will make the user experience more seamless, more capable and more performant. Beta is used to let customers know Rapid7 is actively working to deliver value: more goodness to come!

Are you releasing untested functionality?

All features are fully tested before being released. Users will get a high-quality experience across many workflows, with more features and workflows being added to the product based on feedback we receive.

Is (Beta) functionality supported?

Yes. Features offered in Beta form are fully supported by Rapid7 Technical Support.

May I use these features in production?

Yes. That is why we've released them into the world, so they may deliver their intended value to you NOW.

Haven't tried Nexpose Now but are interested? Check out our Help page to learn how to get started with Nexpose Now. All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better.

Giving the Gift of Time: Nexpose Adaptive Security Improvements

'Tis the holiday season and the Nexpose team is in the giving spirit! At the Rapid7 workshop, we've been busy little helpers building toys for deserving security teams throughout the year. Here are just some of the goodies you can take advantage of NOW:

Remediation Workflows - create and assign remediation projects to get to fix faster
Liveboards - live and interactive dashboards for getting a real-time view of risk
ePO and DXL integration - share data between Nexpose and your Intel Security tools
Faster scanning - improve your scan times and performance by as much as 10X!
Endpoint agents - monitor remote assets and systems with scan restrictions for risks
New Policy Manager - much improved user interface and new policy reports

Before 2016 is over, we want to give all the hardworking security teams one final treat. What does virtually every team need and wish they had more of? Time, of course. Teams using Adaptive Security in Nexpose have already been saving time by automating key workflows (like Rapid7's own security team). Earlier this year we added integration with Rapid7 Labs' Project Sonar and a new Rapid7 Critical vulnerability category. This week we released even more improvements to Adaptive Security, including the ability to trigger Automated Actions during scans and a new Automated Actions Activity Monitor, to help security teams save even more time.

Scanning as a Trigger

There are three ways to trigger Automated Actions: when a known asset comes online, when a new asset is discovered, or when there is new vulnerability coverage. These can be triggered via Discovery Connections (e.g. DHCP, vSphere, Sonar, etc.) and now, during any active scan (discovery, vulnerability or policy). There are many ways you can use this new capability. Here's one way: performing quick assessments in between full vulnerability scans. For example, you can run a discovery (nmap) scan to trigger an Automated Action to assess only the assets that haven't been scanned before.

Automated Actions Activity Monitor

Adaptive Security is the gift that keeps on giving, working to keep your network secure even when you're not there. The new Activity Monitor shows you which Automated Actions were triggered and when, so you (and your manager) can see exactly how much work was done. This capability also makes it simple for you to disable/enable Actions and spot any issues that need troubleshooting. You can now create, edit and monitor Automated Actions via this icon in the left navigation:

If you haven't tried Adaptive Security yet, there's no time like the present!

Nexpose Now Notes: August 2016

We build Nexpose to help security practitioners get from find to fix faster. With the launch of Nexpose Now, Rapid7 delivered Liveboards to help you know what's weak in your world right now. Liveboards combine your live threat exposure data, powerful analytics and intuitive querying so you can spend less time compiling data, and more time improving your security program. Liveboards, powered by the Rapid7 Insight Platform, continuously deliver improvements from our engineers to your fingertips, without maintenance effort on your part.

We know it's hard to keep up with change, so we'll be sharing tips, tricks and new capabilities in right-sized blog posts. In this post, you'll learn one way Liveboards can do heavy lifting for you: customizing and tailoring your dashboards to match your world.

Time for some action

Nexpose Now Liveboards provide visibility into what is weak and the power to dive into your data, enabling you to take action. Dozens of built-for-purpose Cards are available in Liveboards, with more being released on a regular basis. Cards help you focus on what matters in an easy-to-understand and easy-to-act-on form. Spending less time in Excel pivot tables means more time on the actual work of driving remediation. Consider the three Cards above. Driving Assets with Expired SSL Certificates to zero is a worthy goal, as is minimizing Assets Running Obsolete Software. But these metrics may require refinement before taking action in your organization. If your remediation teams work on a site-by-site basis, understanding the percentage of assets running obsolete operating systems is interesting but not sufficient to drive remediation. When you're trying to get to fix faster, getting to action in your remediation teams is critical. We could help our cause by breaking down our data into parcels the remediation teams understand.

Dig a bit deeper by clicking on the Expand Card link and we're immersed in Asset data. Some remediation teams have ownership of Assets of a specific operating system type. An easy way to start is by narrowing down by OS family.

That query looks useful! Since you've spent time crafting it, maybe you want to save it and use it again later? Here I show how to save a query called "FreeBSD Assets" and then create a copy of the Assets Running Obsolete OS Card, but only for FreeBSD Assets. Repeat this process for each of the OSes supported in your organization and you arrive at a powerful comparison. Here we see percentages of Assets running obsolete operating systems by OS family. With this view, you can quickly see differences and get a much better sense of what is weak: perhaps the Solaris systems need some attention.

Do you want more?

Give this technique a try with your own data. I used a simple example of filtering by OS, but you can easily build refined queries and Cards to make Nexpose work for you. Some other ideas you could try:

Compare KPIs on new assets discovered across Sites or Asset Groups
Create individual Dashboards for individual teams or Sites

Let us know if you find useful ways to compare and share them here.

Nathan Palanov

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Toolkit

Make Your SIEM Project a Success with Rapid7

In this toolkit, get access to Gartner's report “Overcoming Common Causes for SIEM Solution Deployment Failures,” which details why organizations are struggling to unify their data and find answers from it. Also get the Rapid7 companion guide with helpful recommendations on approaching your SIEM needs.

Podcast

Security Nation

Security Nation is a podcast dedicated to covering all things infosec, from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee-deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.