Rapid7 Blog

Sam Humphries  


GDPR or GDP-argh? Find out at UNITED!


Contained within this post is a secret look into the talk-planning life of Samantha Humphries, Rapid7's senior manager for international solutions, and Katie Ledoux, a senior security analyst. Let's watch what happens.

From: Caitlin Condon
Sent: 16 August 2017 15:26
To: Samantha Humphries; Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Sam! Katie! How would you two feel about writing a blog post on your UNITED session on GDPR and how it's going to affect U.S.-based companies? It seems like some folks here think this is a Europe-only issue. Your session should debunk that myth. You game?

From: Samantha Humphries
Sent: 16 August 2017 16:26
To: Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Hey Katie, I started writing about how our session will help UNITED attendees understand what GDPR is, how they can prepare, and how our own governance team has addressed and overcome challenges...AND THEN I CHECKED OUT THE BLOODY AGENDA FOR UNITED. Have you seen the list of sessions that are running concurrently with ours?! Rajeev is talking about how bots are changing IT and security as we know it; Rebekah and the DoJ are speaking on cyber threat exchange with the government; and Leon's session is on hacking with "flair"—I don't even know what that means! Do you think he'll have drones?! What if nobody comes to our session? I can't even ask my mum to make up the numbers, because she lives here in the UK!

Yours panickingly, Sam

From: Katie Ledoux
Sent: 16 August 2017 16:48
To: Samantha Humphries
Subject: Re: Blog post for your GDPR session at UNITED

Sam, calm down, I'm sure...WHOA, Leon told me he might have a light show to go with his 'flair' and I think he might be serious! We need costumes and vodka shots! Do you think we can have live animals on stage?

From: Samantha Humphries
Sent: 16 August 2017 17:33
To: Katie Ledoux
Subject: Re: Blog post for your GDPR session at UNITED

Right, how about this? http://www.argos.co.uk/product/3144114 Everyone loves hearing from Compliance Stormtroopers—it is known! I'll see if Kyle's got budget for them. Will report back in a mo.

From: Samantha Humphries
Sent: 16 August 2017 19:33
To: Katie Ledoux
Subject: FW: Re: FW: Blog post for your GDPR session at UNITED

Sigh. The boss said no...but he didn't say anything about the vodka shots.

From: Kyle Flaherty
Sent: 16 August 2017 18:06
To: Samantha Humphries
Subject: Re: FW: Blog post for your GDPR session at UNITED

Sam, you know we don't shell out for stormtrooper costumes unless it's for a keynote talk. You and Katie have an awesome session planned—you don't need gimmicks to talk about why GDPR applies to ANY organization in the world that holds personal data about EU citizens, regardless of vertical, company size, or geographic location. Attendees will want to learn about how they can prepare and why GDPR is a good thing! Take a breath.

/kff

DISCLAIMER: There is no commitment to provide vodka shots, live animals, or costumes at our GDPR or GDP-argh talk. You will get a full 568mls of GDPR goodness though, including some great insights into what GDPR is, how you need to be preparing, and how we're thinking about GDPR internally at Rapid7. We should also mention that if you come dressed as a Stormtrooper, you get extra points. See you there! (Here's how to register if you've not done so already!)

Preparing for GDPR


GDPR is coming….. If your organisation does business with Europe, or more specifically does anything with the Personal Data of living individuals in the EU (Natural Persons, in the Regulation's language; note that it is the Data Subject's location that brings you into scope, not their citizenship), then, just like us, you're going to be in the process of living the dream that is Preparing for the General Data Protection Regulation. For many organisations this is going to be a gigantic exercise: even if you have implemented processes and technologies to meet current regulations, there is still additional work to be done.

Penalties for infringements of GDPR can be incredibly hefty; they are designed to be dissuasive. For the most serious infringements the maximum fine is €20 million or 4% of your worldwide annual turnover, whichever is the higher amount (a lower tier of €10 million or 2% applies to other infringements). Compliance is not optional, unless you fancy being fined eye-watering amounts of money, or you really don't have any Personal Data of people in the EU within your control.

The Regulation applies from May 25th 2018. That's the day from which organisations will be held accountable, and depending on which news website you choose to read, many organisations are far from ready at the time of writing this blog. Preparing for GDPR is likely to be a cross-functional exercise, as Legal, Risk & Compliance, IT, and Security all have a part to play. It's not a small amount of regulation to read and understand either (are they ever?): there are 99 Articles and 173 Recitals.

I expect if you're reading this, it's because you're hunting for solutions, services, and guidance to help you prepare. Whilst no single software or services vendor can act as a magic bullet for GDPR, Rapid7 can certainly help you cover some of the major security aspects of protecting Personal Data. We have solutions to help you detect attackers earlier in the attack chain, service offerings that can help you proactively test your security measures, and we can also jump into the fray if you do find yourselves under attack.

Processes and procedures, training, and technology and services all have a part to play in GDPR. Having a good channel partner to work with during this time is vital, as many will be able to provide you with the majority of aspects needed. For some organisations, changes to roles and responsibilities are required too, such as appointing a Data Protection Officer and nominating representatives within the EU to be points of contact.

So what do I need to do?

If you're just beginning your GDPR compliance quest, I'd recommend you take a look at this guide, which will get you started in your considerations. Additionally, having folks attend training so that they understand GDPR and learn how to implement it is highly recommended: spending a few pounds/euros/dollars on training now can save you from the costly infringement fines later on down the line. There are many courses available (in the UK I recently took this foundation course), but do hunt around to find the best classroom or virtual courses that make sense for your location and teams.

Understanding where Personal Data physically resides, the categories of Personal Data you control and/or process, how and by whom it is accessed, and how it is secured are all areas that you have to deal with when complying with GDPR. Completing Privacy Impact Assessments (Data Protection Impact Assessments in GDPR's terminology, Article 35) is a good step here. Processes for access control, incident detection and response, breach notification and more will also need review or implementation.

Being hit with a €20 million fine is not something any organisation will want to be subject to; depending on the size of your organisation, a fine of this magnitude could easily be a terminal moment. There is some good news: if you are unfortunate enough to experience a data breach, the technical and organisational measures you had in place, what you did to mitigate the damage, and your degree of cooperation with the supervisory authority are all factors that are taken into account when a fine is decided (Article 83(2)).

But ideally, not being breached in the first place is best, as I'm sure you'd agree, so this is where your security posture comes in. Article 5, which lists the six principles of processing Personal Data, states that Personal Data must be processed in a manner that ensures appropriate security (the "integrity and confidentiality" principle). This principle is covered in more detail by Article 32, which you can read more about here.

Ten Recommendations for Securing Your Environment

1. Encrypt data, both at rest and in transit. If you are breached but the Personal Data has been rendered unintelligible to the attacker, you do not have to notify the Data Subjects (see Article 34(3)(a)). Two caveats: the exemption only covers telling the Data Subjects, so you still have to notify your supervisory authority within 72 hours under Article 33, and it only holds if the keys were not compromised along with the data. There are lots of solutions on the market today; have a chat with your channel partner to see which options are best for you.

2. Have a solid vulnerability management process in place, across the entire ecosystem. If you're looking for best practice recommendations, do take a look at this post. Ensuring the ongoing confidentiality, integrity and availability of systems is part of Article 32(1)(b), and if you read Microsoft's definition of a software vulnerability it talks to these same three aspects.

3. Backups. Backups. Backups. Please make backups. Not just in case of a dreaded ransomware attack; they are good housekeeping anyway in case of things like storage failure, asset loss, natural disaster, even a full cup of coffee over the laptop. Article 32(1)(c) explicitly asks for the ability to restore availability of and access to Personal Data in a timely manner after an incident. If you don't currently have a backup vendor in place, Code42 have some great offerings for endpoints, and there are a plethora of server and database options available on the market today. Disaster recovery should always be high on your list regardless of which regulations you are required to meet.

4. Secure your web applications. Privacy-by-design needs to be built into processes and systems; if you're collecting Personal Data via a web app and still using plain HTTP then you're already going to have a problem.

5. Pen tests are your friend. Attacking your own systems and environment to understand your weak spots will tell you where you need to focus, and it's better to go through this exercise as a real-world scenario now than wait for a 'real' attacker to get into your systems. You could do this internally using tools like Metasploit Pro, and you could employ a professional team to perform regular external tests too. Article 32(1)(d) says that you need a process for regularly testing, assessing and evaluating the effectiveness of your security measures. Read more about penetration testing in this toolkit.

6. Detect attackers quickly and early. Finding out that you've been breached roughly five months after it first happened is an all too common scenario (current stats from Mandiant put the median dwell time at 146 days), and you cannot meet Article 33's 72-hour notification clock for a breach you haven't noticed. Almost two-thirds of organisations told us that they have no way of detecting compromised credentials, which has topped the list of leading attack vectors in the Verizon DBIR for the last few years. User Behaviour Analytics gives you the capability to detect anomalous user account activity within your environment, so you can investigate and remediate fast.

7. Lay traps. Deploying deception technologies such as honeypots and honey credentials is a proven way to spot attackers as they start to poke around in your environment looking for ways to access valuable Personal Data. A decoy account has no legitimate use, so any authentication attempt against it is a high-fidelity alert.

8. Don't forget about cloud-based applications. You might have some approved cloud services deployed already, and unless you've switched off the internet it's highly likely that there is a degree of shadow IT (a.k.a. unsanctioned services) happening too. Making sure you have visibility across sanctioned and unsanctioned services is a vital step to securing them, and the data contained within them.

9. Know how to prioritise and respond to the myriad of alerts your security products generate on a daily basis. If you have a SIEM in place that's great, providing you're not getting swamped by alerts from it, and that you have the capability to respond 24x7 (attackers work evenings and weekends too). If you don't have a current SIEM (or the time or budget to take on a traditional SIEM deployment project), or you are finding it hard to keep up with the number of alerts you're currently getting, take a look at InsightIDR: it covers a multitude of bases (SIEM, UBA and EDR), is up and running quickly, and generates alert volumes that are reasonable for even the smallest teams to handle. Alternatively, if you want 24x7 coverage, we also have a Managed Detection and Response offering which takes the burden away and is your eyes and ears regardless of the time of day or night.

10. Engage with an incident response team immediately if you think you are in the midst of an attack. Accelerating containment and limiting damage requires fast action. Rapid7 can have an incident response engagement manager on the phone with you within an hour.

Security is just one aspect of the GDPR, for sure, but it's very much key to compliance. Rapid7 can help you ready your organisation; please don't hesitate to contact us or one of our partners if you are interested in learning more about our solutions and services. GDPR doesn't have to be GDP-argh!
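The "detect compromised credentials" and "lay traps" points above are easy to state and worth seeing as actual detection logic. The following Python is an added example, not InsightIDR's rules or any Rapid7 code: it runs two checks over a constructed set of normalised logon events. Any attempt against a decoy account (the honey-credential names here are assumed) is alerted regardless of outcome, and a successful logon for a real user from a host that user has never been seen on before is alerted once a profile for that user exists, which is the simplest form of the user-behaviour baseline the post describes.

```python
"""Detect honey-credential use and first-seen logon sources over a constructed event set."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample authentication events in a normalised form (not real logs, not a
# Rapid7 format): ISO timestamp, account name, source host, and the outcome.
SAMPLE_EVENTS = [
    {"ts": "2017-09-01T09:02:11", "user": "alice", "src": "WS-ALICE", "result": "success"},
    {"ts": "2017-09-01T09:05:40", "user": "bob",   "src": "WS-BOB",   "result": "success"},
    {"ts": "2017-09-02T09:01:03", "user": "alice", "src": "WS-ALICE", "result": "success"},
    # An intruder on WS-BOB tries a decoy service account, then reuses alice's password.
    {"ts": "2017-09-03T22:14:02", "user": "svc_backup_old", "src": "WS-BOB", "result": "failure"},
    {"ts": "2017-09-03T22:14:09", "user": "alice", "src": "WS-BOB",   "result": "success"},
    {"ts": "2017-09-04T08:00:00", "user": "alice", "src": "WS-ALICE", "result": "success"},
]

# Decoy accounts (assumed names). They are never used legitimately, so any attempt,
# successful or not, is an alert worth paging on.
HONEY_ACCOUNTS = {"svc_backup_old", "admin_legacy"}


@dataclass(frozen=True)
class Alert:
    ts: str
    kind: str   # "honey_credential_use" or "new_source_host"
    user: str
    src: str


def detect(events, honey_accounts=HONEY_ACCOUNTS, baseline=None):
    """Return alerts in event order.

    baseline maps user -> set of hosts already known from a learning period; without it,
    the first successful logon for each user seeds that user's profile silently.
    """
    seen = defaultdict(set)
    for user, hosts in (baseline or {}).items():
        seen[user].update(hosts)
    alerts = []
    for ev in events:
        user, src = ev["user"], ev["src"]
        if user in honey_accounts:
            alerts.append(Alert(ev["ts"], "honey_credential_use", user, src))
            continue
        if ev["result"] != "success":
            continue   # failed logons for real users belong to a separate brute-force rule
        if src not in seen[user]:
            if seen[user]:   # only flag once there is a profile to compare against
                alerts.append(Alert(ev["ts"], "new_source_host", user, src))
            seen[user].add(src)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.ts} {a.kind:22} user={a.user} src={a.src}")
```

On the sample data this produces two alerts a minute apart from the same source host, which is exactly the pairing an analyst wants to see: the decoy trips first, and the credential reuse that follows is flagged because alice has only ever logged on from her own workstation. In production the baseline would be learned over weeks rather than seeded from the first event.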

Vulnerability Management: Best Practices


We are often asked by customers for recommendations on what they should be scanning, when they should be scanning, how they ensure remote devices don't get missed, and in some cases why they need to scan their endpoints (especially when they have countermeasures in place protecting the endpoints). This blog post is intended to help you understand why running regular scans is a vital part of a security program, and to give you options on how to best protect your ecosystem.

Q: What do I need to be scanning?

Scan everything. This may seem blunt or overly simplified, but if a device touches your ecosystem, then it should be scanned. Why? Because if you don't, you are losing visibility into the weaknesses in your infrastructure. This brings inherent, unquantifiable risk because you cannot see where the holes are that an attacker can use to access your organisation. Exploitable vulnerabilities exist across all operating systems and applications; if you are not scanning your entire ecosystem, including cloud and virtual, you are leaving these vulnerabilities as unknowns. Scanning everything does not mean that all systems or devices will be treated with the same level of criticality when it comes to prioritizing remediation actions.

Q: How frequently should I scan my ecosystem?

Our recommendation is to combine Insight Agents and regular scanning to get a live picture of your ecosystem at all times. Nexpose Now capabilities prevent your data from becoming stale, meaning you'll know where to focus your efforts on reducing risk at all times. Specifically, adaptive security within Nexpose Now automatically detects new devices as they join your network, so you never miss a network change. If you haven't had a chance to upgrade your vulnerability management program to include the live monitoring that comes with Nexpose Now and are still using traditional Nexpose, then scanning everything as frequently as possible is highly recommended. Monthly scans to coincide with Patch Tuesday are good, but scanning more frequently certainly doesn't hurt. Customers often split up their scans to hit different segments at different times, but they'll cover the whole environment on a monthly or bi-weekly basis. More details on scan configuration can be found here.

Q: How do I ensure my remote workers aren't missed?

Most organisations have a number of remote workers, some of whom hardly ever connect to the internal network, but still have access to certain applications when they are on the road. It can be tricky to ensure their devices don't get missed during scans and patching. Remote workers bring additional risk as they often keep sensitive data local to their devices for ease of access when they are travelling, and frequently connect to unsecured Wi-Fi. Therefore, on the occasions when they do venture into the office, their devices are potential grenades. You really don't want to miss these folks. The best way to ensure you have visibility into these devices is to use our Insight Agent, which can connect back to Nexpose Now as long as the device has internet access. You can learn more about how Rapid7 can solve your remote workforce challenges here.

Q: Why are endpoints important? Can I just scan my servers?

Endpoints run operating systems and applications that have vulnerabilities, meaning they can be breached just as easily as servers, if not more so. Endpoints are more likely to have a connection to the internet and generally have users attached to them. Users often introduce security risks, either due to a lack of care or, in some cases, through no fault of their own (e.g. unknowingly connecting to a compromised website). Endpoints can have sensitive data saved locally while also accessing resources on the network. Users can also introduce security risks by connecting removable media and other USB-type devices to endpoints. Furthermore, attackers have been increasingly focusing on using endpoints as the initial entry point in an attack. We've become very good at spending millions of dollars on firewalls and defense-in-depth tools to protect servers, so attackers have moved to the weakest link that remains: users and their endpoints. Many of the major breaches in the news begin with a phishing or spear-phishing attack, and those all go through endpoints. As mentioned above, any device you do not scan brings unquantifiable risk to your ecosystem. Scan or use Insight Agents across all your devices: endpoints, servers, virtual, remote, and cloud.

Q: But I've got countermeasures in place!

Good. Countermeasures, and a good security policy, are really important. These could include host or network IPS, a strong security configuration on the endpoints, plus things like access control policies and strict settings for remote users to ensure they always connect to your VPN before accessing the internet. That doesn't mean you shouldn't scan devices for vulnerabilities *and* validate that your countermeasures are working. There have been multiple instances of vulnerabilities in security software itself, not to mention operating system and application vulnerabilities, as well as malware that alters configuration settings and a device's security policy. If you don't have a way to see which vulnerabilities are on a device, then you are leaving a door open for attackers. The best way to test that your countermeasures are working properly is to simulate an attack and make sure they catch it; many customers use Metasploit Pro to test their security controls, or our professional services to simulate a full-scale attack and help plan how to improve compensating controls.

Additional questions?

If you would like to discuss best practices further, we would love to talk with you. If you are already a customer, your Customer Success Manager is a great resource. We can also provide services engagements to help you implement or invigorate your security program. If you're interested in receiving training on how to make the most of Nexpose, we have options available to you as well. Contact us through your CSM or Rapid7.com and let us know how we can help.
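Two of the points above, that unscanned devices are unquantified risk and that scanning everything does not mean treating everything the same, are worth working through on data. The following Python is an added example (not Nexpose output and not Rapid7 code) over a constructed inventory: it lists assets with no assessment inside a window, which is how the road-warrior laptop that never touches the office network and the device that only shows up in DHCP leases surface as coverage gaps, and it ranks open findings by CVSS weighted with asset criticality, exploit availability, internet exposure and whether the device is a user endpoint. The weights and the finding identifiers are illustrative assumptions, not CVE numbers.

```python
"""Scan-coverage gaps and remediation ranking over a constructed asset inventory."""
from datetime import datetime, timedelta

NOW = datetime(2017, 9, 15)

# Constructed inventory (not Nexpose output). Finding ids are placeholders, not CVEs.
ASSETS = [
    {"name": "web-01", "kind": "server", "internet_facing": True, "criticality": 3,
     "last_assessed": NOW - timedelta(days=2), "source": "scan",
     "findings": [{"id": "F-1", "cvss": 9.8, "exploit_available": True}]},
    {"name": "db-01", "kind": "server", "internet_facing": False, "criticality": 3,
     "last_assessed": NOW - timedelta(days=10), "source": "scan",
     "findings": [{"id": "F-3", "cvss": 5.3, "exploit_available": False}]},
    {"name": "lt-office", "kind": "endpoint", "internet_facing": False, "criticality": 1,
     "last_assessed": NOW - timedelta(days=5), "source": "agent",
     "findings": [{"id": "F-4", "cvss": 9.8, "exploit_available": True}]},
    # A road warrior whose laptop has not been on the office network since July.
    {"name": "lt-road-warrior", "kind": "endpoint", "internet_facing": False, "criticality": 2,
     "last_assessed": NOW - timedelta(days=60), "source": "scan",
     "findings": [{"id": "F-2", "cvss": 7.5, "exploit_available": True}]},
    # Seen in DHCP leases but never assessed at all: unknown risk.
    {"name": "unknown-7c", "kind": "endpoint", "internet_facing": False, "criticality": 1,
     "last_assessed": None, "source": None, "findings": []},
]


def stale_assets(assets, now=NOW, max_age_days=30):
    """Names of assets with no assessment inside the window (None means never assessed)."""
    return [a["name"] for a in assets
            if a["last_assessed"] is None or (now - a["last_assessed"]).days > max_age_days]


def risk_score(asset, finding):
    """Illustrative weighting: CVSS x asset criticality, bumped for exploit availability,
    internet exposure, and for user endpoints (phishing, removable media, local data)."""
    score = finding["cvss"] * asset["criticality"]
    if finding["exploit_available"]:
        score *= 1.5
    if asset["internet_facing"]:
        score *= 1.25
    if asset["kind"] == "endpoint":
        score *= 1.1
    return score


def remediation_plan(assets):
    """(score, asset name, finding id) tuples, highest risk first."""
    rows = [(risk_score(a, f), a["name"], f["id"]) for a in assets for f in a["findings"]]
    return sorted(rows, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    print("not assessed in the last 30 days:", stale_assets(ASSETS))
    for score, asset, fid in remediation_plan(ASSETS):
        print(f"{score:6.1f}  {asset:16} {fid}")
```

Note what the ranking does with the two 9.8-rated findings: the one on the internet-facing web server comes first, while the identical one on a low-criticality office laptop drops below the 7.5 on the road warrior's machine, because that laptop is both exploitable and 60 days out of date. The never-assessed device has no findings at all, which is the point: it contributes nothing to the plan precisely because nobody has looked at it.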

Finalists in FIVE categories at the Network Computing Awards!


Ring Ring! You're in the Final! It's always nice to get a phone call letting us know that we've been shortlisted for awards – but when it's five awards, we like those calls even more! Two of our products, and our company have reached the final stages for the Network Computing Awards, and of course we'd love it if you took a moment to vote for us please. La La Land may have racked up the Oscar noms, but at the Network Computing Awards it's looking good for LE LE Land! OK, so we might not quite have the fourteen nominations that La La Land has, but our Logentries (lovingly shortened to LE) product is a finalist in three categories: Best Picture, Best Soundtrack, Best Original Screenplay (or rather: IT Optimisation Product of the Year, Software Product of the Year, and The Return on Investment Award). To reach this stage in these categories is huge, and we're very happy to be triple listed. If you've not yet experienced Logentries, I would highly recommend you take a look – it's a pretty amazing product: Imagine trying to put together a jigsaw puzzle, without an image of the completed puzzle, no idea of how many pieces are required, and to add to your woes the pieces are hidden all over the building. If you've ever had to trawl through multiple logs to try and work out what's causing a problem, and you only have symptoms to work from – say a production server is running slowly – you'll recognise the analogy. Logentries puts the answers hidden within your myriad of logs right at your fingertips. It's simple to use, lightning fast, and you can create some very cool visualisations from your data too. Click here to learn more about how Logentries can revolutionise how you see your ecosystem. Look out! Here comes the AppSpider, Man! 
Whilst my tenuously linked movie reference here is no stranger to Oscar nominations either, I'm obviously referring to our AppSpider product, which is listed as a finalist in the Network Computing Awards, in the Testing and Monitoring Product of the Year category. Web apps, and the plethora of technologies that power them, are growing at a crazy rate, presenting complicated security challenges for organisations. AppSpider crawls to the deepest, darkest corners of even the most modern and complex apps to effectively test for risk and get you the insight you need to remediate faster. It plays a key part in the SDLC, and allows DevOps to fix issues earlier in the cycle, resulting in a huge reduction in last-minute delays caused by vulnerabilities being found late in the day. You can read more about how DevOps teams using AppSpider can reduce stress and possibly live longer, happier lives* here. *Life lengthening not guaranteed, but your web app SDLC will be in a happier place for sure. Always read the label. So many great movies, so little time….but which One should I Watch? The Rapid7 movie, of course! Well, OK, we don't have a movie-length extravaganza of Rapid7 for you yet (cough, cough: Kyle Flaherty), but we do have some pretty cool YouTube videos you can watch, plus a highly acclaimed podcast you should listen to. We've also been listed as a finalist for the One to Watch Company - hooray! We're pleased (read: overjoyed), humbled, and indeed chuffed (I had to get a Britishism in somewhere) to have received our finalist nominations, and very much looking forward to attending the event in London later this year. If you could please take a minute to cast your votes for Logentries, AppSpider and Rapid7 that would be most wonderful of you – voting is open until March 22nd. Click here to vote!

[Free Tool] IoTSeeker: Find IoT Devices, Check for Default Passwords


So there's this Thing... We need to talk about Things, you and I. Specifically those connected Things. This isn't a weird breakup discussion regarding a relationship you didn't know we had (I hear that's called stalking actually, and is an altogether different type of problem). There may be Things on your network that are harbouring a security issue, and that's not a good place to be either. We can help you track them down (which does bear a slight resemblance to stalking, granted, but we're security people and they're just Things so it's allowed). Mirai - definitely not a Vision of Love A recent DNS attack sent parts of the Internet into temporary meltdown – not just because our ability to share cat videos and food pictures was impeded. It became apparent that there's a new kid in town – the Mirai botnet – which takes advantage of weak security in IoT devices. Default credentials are not the internet's friend. Now, there are plenty of good articles already available for you to read about the technicalities of the Mirai botnet, including this blog post from the highly distinguished Mr Tod Beardsley – so I'm not going to rewrite an already well-authored wordy wheel, but like I said earlier we do have something cool for you to find out if you have Things on your own network that could pose a risk. IoTSeeker – it does exactly what it says on the package! So without further ado, I'd like to introduce you to IoTSeeker – a tool created by the incredibly smart folks on the Metasploit engineering team. IoTSeeker allows you to hunt down IoT devices which are languishing in your ecosystem poorly configured with the same creds that they were born with. It's nice and simple to use, and the scan output (example below) provides you with a list of Things and an indicator as to whether they need reconfiguring to be in a more secure state.
To run this tool you'll need to be on macOS or Linux, as IoTSeeker uses the Perl module AnyEvent for high parallelism – which essentially means you can quickly scan A LOT of IPs. It's free, because we're nice like that, and we plan to keep updating it to include new Things that could be a problem. The steps on how to use IoTSeeker are available when you download the tool – and unless you have the attention span of an ADHD goldfish in a barrel full of squirrels, you'll be up and scanning in a minute or so, it really is that simple. A very important note: this tool is provided for you to only scan assets for which you have administrative responsibility; probing devices you are not responsible for is unauthorised access, whatever the password is. Download the IoTSeeker here. Feedback welcomed, and happy Thing Seeking!
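To make concrete what "hunt down devices still using the creds they were born with" means, here is the core of such a check as an added example. It is not IoTSeeker and not Rapid7's code: it fingerprints a device's HTTP Basic-auth realm from its 401 response, tries only the factory pairs listed for that realm (so a generic web server with a different realm gets no guesses at all), stops on anything other than a clean rejection, and runs the probes in parallel with a thread pool instead of AnyEvent. The realm names, the credential list and the in-process stand-in device are all constructed for the demonstration; the proxy-free opener is there so probes of internal addresses never leak out through an environment proxy. Point it only at assets you are responsible for.

```python
"""Parallel factory-default credential check for HTTP Basic-auth devices (authorised assets only)."""
import base64
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import ProxyHandler, Request, build_opener

# Assumed default credentials keyed by Basic-auth realm (constructed; not IoTSeeker's list).
DEFAULT_CREDS = {
    "DemoCam": [("admin", "admin"), ("admin", "1234")],
    "DemoDVR": [("root", "root")],
}

# Never route internal probes through an environment http_proxy.
OPENER = build_opener(ProxyHandler({}))


class _FakeDevice(BaseHTTPRequestHandler):
    """Constructed stand-in for an IoT web UI: demands Basic auth, accepts one default pair."""
    realm = "DemoCam"
    accepted = ("admin", "1234")

    def do_GET(self):
        hdr = self.headers.get("Authorization", "")
        ok = hdr.startswith("Basic ") and \
            base64.b64decode(hdr[6:]).decode() == "%s:%s" % self.accepted
        if ok:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % self.realm)
            self.end_headers()

    def log_message(self, *args):   # keep the demo output clean
        pass


def start_fake_device():
    """Serve the stand-in device on a loopback port chosen by the OS; caller shuts it down."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeDevice)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url, timeout=3.0):
    """Return (url, realm, accepted_pair_or_None). Only the realm's own default pairs are tried."""
    try:
        OPENER.open(Request(url), timeout=timeout)
        return (url, None, None)          # no auth at all: worth noting, but not a default-cred hit
    except HTTPError as e:
        if e.code != 401:
            return (url, None, None)
        www = e.headers.get("WWW-Authenticate", "")
    except URLError:
        return (url, None, None)          # unreachable or not HTTP
    realm = www.split('realm="')[1].split('"')[0] if 'realm="' in www else ""
    for user, pw in DEFAULT_CREDS.get(realm, []):
        token = base64.b64encode(f"{user}:{pw}".encode()).decode()
        try:
            OPENER.open(Request(url, headers={"Authorization": "Basic " + token}), timeout=timeout)
            return (url, realm, (user, pw))
        except HTTPError as e:
            if e.code != 401:
                break                     # something other than a rejected login: stop guessing
        except URLError:
            break
    return (url, realm, None)


def sweep(urls, workers=32):
    """Probe many device URLs concurrently; results come back in input order."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        return list(ex.map(probe, urls))


if __name__ == "__main__":
    srv = start_fake_device()
    target = "http://127.0.0.1:%d/" % srv.server_address[1]
    for url, realm, cred in sweep([target]):
        print(url, realm or "-", "DEFAULT CREDS %s:%s" % cred if cred else "ok")
    srv.shutdown()
```

Two design choices matter more than the parallelism. Keying the wordlist on the realm keeps the check targeted rather than a brute-force, and the loop bails on any response other than a 401 so a lockout page or an error does not turn into a stream of further guesses against a device you are supposed to be protecting.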

Stop, collaborate and listen... (...and think, and connect)


Since its inception, our wonderful connected world has been a battleground for cybercriminals vs law enforcement and security professionals, who are locked into a twisted dance of punches and counterpunches as the arena in which they fight evolves around them. We continue to connect more and more Things, providing new and elaborate opportunities for attackers to launch their weapons of mass disruption. Not everything is awesome, but you are part of a team! Somewhere down the line, if you're connected you're going to be (or have already been) affected – whether it's a device you own being pwned, or your account being compromised on a third party system. Cybercrime doesn't care which language(s) you speak, or where you pay your taxes, your data and information have a value either directly or indirectly (I can pretty much guarantee that someone reading this will have at some point re-used a web account password on their corporate network account). As cybercrime naturally transcends traditional borders, a consolidated global effort is required to combat this global foe. And yes, it needs reiterating – We Are All Responsible – you can't reap the benefits of the internet without playing a part in keeping it safe. You don't necessarily have to be an expert either – Team Global Security, which you are a part of (welcome to all of our new members!), has some very strong players in its ranks, and regardless of your level of expertise you do have an important part to play. Awareness, vigilance and frankly Just Not Being Bloody Stupid (yeah I'm looking at you, with the re-used password on your corporate account – go and change it right now, thanks) are all important ways in which you can help the cause. You have the security industry and profession on your side, and your government too. That's pretty solid backing I'd say. 
If you've ever uttered the words "the government should be doing something about this" then you'll be pleased to know when it comes to Cyber Security there are multiple collaborative initiatives happening Right Now. "Wow, that IS awesome!" I hear you say. Yes. Very Awesome Indeed. So what's going on?

As I type this blog, the U.S. is in the midst of the 13th annual National Cyber Security Awareness Month – a joint venture between the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS). Every week in October has a theme [PDF], covering everything from securing critical infrastructure to how to practice good security habits on your personal devices. If you're of a Twitter persuasion, take a look at the #ncsam or #cyberaware tweets to get information and advice from industry gurus, vendors and businesses. Or if you love our blog (and of course you do), check out the series we have going. And whilst this is billed as a U.S. party, Team Global Security can absolutely benefit from the event.

Across the pond in the UK, the big news here is the opening of the National Cyber Security Centre. Whilst many of the NCSC team will operate from GCHQ in Cheltenham, around half of the 700 staff will be based in some rather stunning London offices close to Buckingham Palace. Via four key objectives, the centre aims to be the beating heart of the Government's strategy for the UK to become "the safest place to live and work online". These objectives cover a multitude of areas, ranging from the all-important knowledge sharing through to being front and centre on critical national cyber security issues:

- To understand the cyber security environment, share knowledge, and use that expertise to identify and address systemic vulnerabilities.
- To reduce risks to the UK by working with public and private sector organisations to improve their cyber security.
- To respond to cyber security incidents to reduce the harm they cause to the UK.
- To nurture and grow our national cyber security capability, and provide leadership on critical national cyber security issues.

The centre opening coincided with the launch of a new website, which is an excellent resource for both people and organisations in the UK, and for the wider global audience too.

In Singapore, the government recently announced the formation of GovTech – a new agency established to "transform public service delivery with citizen-centric services and products." Security naturally falls under the remit of the agency: GovTech will also play a critical role in overseeing the public sector's ICT infrastructure, putting in place policies for critical infrastructure and cybersecurity to enable the operation of a secure and resilient Smart Nation.

No matter whether you're a citizen of the US, the UK, Singapore, or somewhere else entirely, there is plenty of information, advice and best practice sitting at your fingertips. Global issues need a global response, and these initiatives are vital efforts to help us all enjoy this wonderful connected world.

Rapid7 has your back. If you think your organisation would benefit from some cyber security awareness training, maybe it's time to book in a pen test, or you'd like some help with your overall security program, we're happy to help you. Do you need more foot soldiers to help you fight the good fight? Your army of cyber guardians are ready for enlistment [PDF]. Our team is your team – let us know how we can be of assistance.

Overcome Nephophobia - Don't be a Shadow IT Ostrich!


Every cloud…..

When I was much younger and we only had three TV channels, I used to know a lot of Names of Things. Lack of necessity and general old age has meant I've now long since forgotten most of them (but thanks to Google, my second brain, I can generally “remember” them again as long as there's data available). Dinosaurs, trees, wild flowers, and clouds were all amongst the subject matters in which my five-year-old self was a bit of an expert. I would point at the sky and wow my parents with my meteorological prowess, all learnt from the pages of a book. Good times. These days I can manage about three cloud names off the top of my head before reaching for the Internet. Cirrus, stratus, cumulonimbus (OK I had to double check the last one). Failing memory aside, I still love clouds, and frankly there's little that beats a decent sunset – which wouldn't be anywhere near as good without some clouds.

So assuming you're still reading and not googling cloud names (because it can't just be me), I'd like you to think of a cloud please, an actual one, not a digital one. Chances are it's all fluffy and white, the cumulus (oh yeah) type. Of all the words I could use to describe a cumulus cloud “scary” isn't one of them. But did you know that Nephophobia - the irrational fear of clouds - is a real condition? Nephophobics struggle to look up into the sky, and in some cases won't even look at a picture of a cloud. Any phobia by its very nature is debilitating, leaving the sufferer feeling anxious at best, or totally unable to function at worst. I live with a six-foot strapping arachnophobe who is reduced to a gibbering wreck at anything larger than a money spider.

Digital Nephophobia

Nephophobia exists in our digital world too. Use of the cloud is written off and immediately written in to policy. “We don't use the cloud” is something I've heard far too frequently. And sometimes “don't” is more “can't” (blocked from doing so by government regulation) or “won't” (we just don't want to, we don't trust it), but actually “do…but don't know it” is more often the reality. This is where anxiety caused by the cloud is at its most valid – lack of visibility into the cloud services your users are already using (aka Shadow IT) is frankly terrifying for anyone concerned with data privacy or data security. I recently met with an IT Security Manager of a global network, who rightly said “if you're not providing the services your users need and expect, then whether you like it or not you are probably being exposed to Shadow IT”. Pretending it's not happening won't make it go away either, as many a mauled ostrich will merrily testify.

Digital Therapy

Many phobia therapies involve facing the fear head on. Now I'm not suggesting that the best medicine to cure digital nephophobia is to burn the “we don't use the cloud” policy and open up your network to every cloud service available, far from it. First of all, it's vital to understand what is really happening within your environment now – which cloud services your users have been using without your knowledge. From there you can work out which cloud services you should be formally provisioning, which you should be monitoring, and which you should be locking down. Perform the due diligence – any cloud vendor worth their salt will be able to provide you with the reassurance that their service is secured, with in-depth details of how it is secured, what happens to your data in transit and at rest, how it is segmented from other organisations' data, who has access, and more.

Set yourself free

Once you've worked out what you need, and are confident in the service provider's security processes (which are likely going to be on par or indeed even better than those in your own network), the weight of digital nephophobia will begin to lift. The benefits of using the cloud are huge – a huge reduction in provisioning, administration, and maintenance overheads for a start. The speed with which you can provide new services compared to the old world of doing it all in-house is staggering – how many times have you heard users moan about how long it takes IT to bring in a new service? Speaking of moaning – how about those 79 bajillion helpdesk tickets and IMs and calls that come in because The Server's Down….Again? Distant memories – uptime is another benefit to embracing cloud services. You'll be in good company too - organisations from every vertical are using the cloud – financial institutions, governments, healthcare, defense, manufacturing, charities, the list goes on and on.

Tackling Shadow IT is the first step in the journey from Nephophobe to Nephophile

Our aforementioned ostrich friend wants to be a lesson to you. If you can't see where your problems are, you can't begin to do something about them, and if you bury your head in the sand you are in dire risk of becoming lion lunch. Visibility into cloud services, whether they are sanctioned or shadow IT services, is a string that every IT Security professional needs to have in their bow. InsightIDR gives you that string (and a whole bunch more too!) – at the tips of your fingers lies a wealth of information on which cloud apps are being accessed, who is using them, when they are being used, and how frequently. And you don't have to code a bunch of complex queries to access this information – the interactive dashboard has it all:

Want to learn more about how InsightIDR gives organisations insight into cloud services, user behaviour, and accelerates incident investigations by over 20x (told you there were more bow strings available!)? We'd love to show you a demo. And if you would like to know more about our approach to cloud platform security you can read all about it right here.
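The first step the post describes, finding out which cloud services are actually in use before deciding what to provision, monitor or lock down, can be started from data most organisations already have: web proxy logs. Below is an added example (not InsightIDR code, and not part of the original post) that inventories cloud usage from a few constructed proxy log lines. The log format, the host-to-service table and the list of sanctioned services are all assumptions made up for the example; a real deployment would feed it the proxy's own export and a maintained service catalogue.

```python
"""Inventory cloud service usage from web-proxy logs (added example, constructed data)."""
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <user> <destination host> <bytes>"
SAMPLE_PROXY_LOG = """\
2016-11-02T08:12:31 alice docs.google.com 18234
2016-11-02T08:15:02 bob www.dropbox.com 92311
2016-11-02T09:01:45 alice www.dropbox.com 40122
2016-11-02T09:30:10 carol outlook.office365.com 2211
2016-11-02T11:47:59 bob drive.google.com 501233
2016-11-02T13:05:00 dave transfer.example-share.net 7700112
2016-11-03T08:00:12 alice docs.google.com 1299
2016-11-03T10:22:48 erin www.dropbox.com 3891
"""

# Constructed host-to-service mapping; a real deployment would use a maintained catalogue.
HOST_TO_SERVICE = {
    "docs.google.com": "Google Workspace",
    "drive.google.com": "Google Workspace",
    "www.dropbox.com": "Dropbox",
    "outlook.office365.com": "Office 365",
    "transfer.example-share.net": "Unknown file-transfer site",
}

# Constructed policy: the services this (hypothetical) organisation has formally provisioned.
SANCTIONED = {"Office 365", "Google Workspace"}


def parse_proxy_log(text):
    """Yield (timestamp, user, host, bytes) tuples, skipping malformed lines instead of crashing."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, size = parts
        try:
            yield datetime.fromisoformat(ts), user, host, int(size)
        except ValueError:
            continue


def inventory_cloud_usage(text, host_map=HOST_TO_SERVICE, sanctioned=SANCTIONED):
    """Summarise, per cloud service: who used it, how often, how much data, when, and policy status."""
    summary = {}
    for ts, user, host, size in parse_proxy_log(text):
        service = host_map.get(host, f"Uncategorised ({host})")
        entry = summary.setdefault(service, {
            "users": set(), "requests": 0, "bytes": 0,
            "first_seen": ts, "last_seen": ts,
        })
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += size
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    for service, entry in summary.items():
        entry["status"] = "sanctioned" if service in sanctioned else "shadow"
    return summary


def shadow_services(text, **kw):
    """Shadow IT services ordered by volume of data moved, largest first: a triage order."""
    inv = inventory_cloud_usage(text, **kw)
    return sorted(
        (s for s, e in inv.items() if e["status"] == "shadow"),
        key=lambda s: inv[s]["bytes"], reverse=True,
    )


if __name__ == "__main__":
    for service, e in inventory_cloud_usage(SAMPLE_PROXY_LOG).items():
        print(f"{service:28} {e['status']:10} users={len(e['users'])} "
              f"requests={e['requests']} bytes={e['bytes']} "
              f"{e['first_seen']:%Y-%m-%d} -> {e['last_seen']:%Y-%m-%d}")
    print("Triage order:", shadow_services(SAMPLE_PROXY_LOG))
```

The output gives the three buckets the post talks about directly: sanctioned services to keep provisioning, known shadow services (Dropbox here) to decide on, and uncategorised or unknown destinations moving a lot of data, which are the ones to look at first.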

Warning: This blog post contains multiple hoorays! #sorrynotsorry


Hooray for crystalware!

I hit a marketer's milestone on Thursday – my first official award ceremony, courtesy of the folks at Computing Security Awards, which was held at The Cumberland Hotel in London. Staying out late on a school night when there's a 16 month old teething toddler in the house definitely took its toll the following morning, but the tiredness was definitely softened by the sweet knowledge that we'd left the award ceremony brandishing some crystalware. In the two categories in which Rapid7 solutions were shortlisted as finalists - SME Security Solution of the Year (Nexpose) and Best New Product of the Year (InsightIDR) - we were awarded winner and runner-up respectively. What's particularly cool about the Computing Security Awards is that the majority of awards, including the two we were up for, are voted for by the general public, so receiving these accolades is very special to us. We'd like to say an absolutely massive THANK YOU to everyone who voted for our products, we are truly very grateful for your support.

Hooray for Nexpose!

Nexpose storming to the win in the SME category, a space that isn't always top of mind to some security vendors, really validates for me how well designed and engineered the product is. Our customers come in all shapes and sizes, and the maturity of their vulnerability management programs varies just as much, but Nexpose caters for all. In SME the concept of a dedicated security team is certainly less common. More often than not we see that IT teams have security as just one of their many disciplines – so they need a vulnerability management tool which is easy to use, and allows them to quickly prioritise remediation efforts with live data that's relevant to their environment. Nexpose determines and constantly updates vulnerability risk scoring using RealRisk – scoring vulnerabilities from 1-1000, thus removing the nightmare of having umpteen hundred ‘criticals' which are seemingly all equal. Liveboards (because dashboards don't actually dash – they should really be called meanderboards) provide admins with real time data – you know at all times exactly how well you are winning at remediating. If you're reading this blog and you're thinking about implementing a new VM solution, you should download a free trial here and experience it in action for yourself.

Hooray for InsightIDR!

InsightIDR receiving an honourable mention in the Best New Product category makes Sam very happy. This product was frankly one of the main reasons I came to work for Rapid7. When I first heard of it back in March my interest was immediately sparked, as I'd never seen anything quite like it. I've worked in incident response in a previous life, and have seen a vast number of organisations really struggle to find answers when they are in the unfortunate situation of a cyberattack. Some didn't even know they'd been under attack until they received notification from a third party. Incidents would regularly go on for many days, with teams having to work around the clock under great pressure to balance business continuity and incident response, which is the juggling act from hell. More often than not, investigations and Root Cause Analysis reports would take months and months, and would frequently be lacking in details. If you can't see what's happening, you can't properly respond, and you have pretty much a zero chance of taking away any solid learnings from the event. InsightIDR solves these problems by combining SIEM, EDR and UBA capabilities, which means it detects attacks early in the attack chain, finds compromised credentials, and provides a clear investigation timeline. It's truly an amazing piece of kit, and I know that every incident I ever worked on would undoubtedly have had a better outcome had InsightIDR been in place at the time. Seeing in this case will definitely result in believing – I'd heartily recommend you arrange a demo today.

Hooray for Integrated Solutions!

So before I give a shout out to the incredible people behind these two superb products, there's one further piece of good news: you can now integrate [PDF] them too!

Hooray for Moose!

Our people, our “Moose”, who design, build, test, sell, support and of course market (obvs.) these products are all the winners here. I don't use the term ‘incredible' lightly either – I am privileged to have represented them at the awards ceremony; we have an amazing team across the globe jam-packed with smart, creative, brilliant people. Our solutions are testament to the work they do; their combined knowledge solves difficult customer problems, providing insight to security professionals all over the world. Congratulations Moose – you are a bloody awesome bunch! Thanks again to everyone who voted for our solutions, and a big cheers to the folks at Computing Security who held a brilliant awards bash. We hope to see you again next year!

Are Your Employees Really Out to Ruin Your Business?


Read most security vendors' websites (yes, we know what we are) and you'll generally find something about the terrifying “Risk of Insider Threats.” Rogue employees are lurking around every corner. You try to hire good honest people, brimming with integrity, but still these evildoers slip through the net and before you know it they are trying to take you down. They don't care that you have a family to feed, that you put your life and soul into creating a flourishing business. Maybe you should just go self-employed. Switch off the internet and go back to pen and paper. Reduce the risk completely and become a cave-dwelling hermit. Actually, can you come back out of the cave and turn the internet back on for a moment please? Thanks.

I hope the mild exaggeration in the above paragraph was apparent. And if that's the reality in your business perhaps it's time to rethink your hiring strategy (and maybe go back to the cave after all, it was nice in there right?). Most of your employees really like you having a business, they don't want to ruin it, and they aren't going to do something purposely malicious. There is a BUT coming, though. Actually, there are two, because reality is a harsh mistress.

BUT #1... Insider threats are real.

I'm sorry, I'm being That Vendor. We haven't invented this as an industry, I promise. It does only take one person to cause a lot of potential damage – take the recent Sage data breach as an example. Hundreds of detailed financial customer records accessed by an unauthorised* employee. At the time of writing this, the Sage investigation is ongoing - an arrest has been made, and a lot of Sage's customers have received a notification that their details may have been on the list. Like I said, it just takes one.

*that isn't a typo btw, I'm from that tiny island over the pond, we just don't do zeds with the same level of enthusiasm that Americans do #sorrynotsorry

BUT #2... Unwitting insider threats are a much greater concern.

This isn't a disgruntled employee, it's someone who can easily open up your business to the evils of the outside world. They clicked on a dodgy Facebook link from a friend, they opened up an "invoice" which turned out to be hiding malicious code, they chomped down on the hook of a phishing email and before you can say Wicked Tuna, there's a keylogger or worse sitting on their PC. Their user credentials get captured and delivered off to someone truly malicious outside of your organisation. Your employee didn't mean to cause a problem, they just didn't know any better. And they'd possibly do the same thing all over again tomorrow. Understanding the risk posed by your employees, the users of your systems, the people who access critical data that's key to your business is so much bigger than worrying about the occasional rogue employee.

Bonus BUT (because marketing)... Compromised user credentials behave just like insider threats.

Protecting assets is an important part of any security program, no doubt about it, but a huge number of data breaches are caused by compromised user credentials (the Verizon Data Breach Investigations Report has this as the top method of attackers breaching a network every year from 2013). These are user accounts that look, feel and smell like the real deal because That's Exactly What They Are. They just got into the wrong hands. And if you fall into the 60% of organisations who have no way to detect compromised credentials, you won't be able to tell the difference between a bona fide user and an attacker using a compromised account. On the plus side, they won't be hogging the drinks table at your summer party, but that's really the smallest of wins.

Call to action: Don't be a hermit!

If you're thinking seriously about that cave option again, it's OK, you don't need to (unless cave dwelling is actually your thing, but let's assume otherwise because it's a little niche). Take stock, think about where your weak spots are. Would your employees benefit from some up-to-date security awareness training? How robust are those incident response processes? When did you last health-check your overall security program? Do you have the capabilities to quickly spot an attacker who's got their grubby mitts on the keys to your metaphorical castle (or cave, obvs)? If the answers to those questions aren't clear, we can help you get a plan together. You can gain the insight you need to be able to protect your business. Visit our web page on compromised credentials and learn more about how we can help you achieve this.

Sam Humphries
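The "Bonus BUT" above makes the point that a compromised account is a real account, so nothing about the credential itself gives the attacker away; what can give them away is the account behaving unlike its owner. The following is an added illustration of that idea (not InsightIDR's user behaviour analytics, and not code from the original post): it builds a per-user baseline of source networks, countries and login hours from that user's earlier successful logins, and flags any later login that falls outside it. The log format, the user names, the networks and the thresholds are all constructed for the example.

```python
"""Flag successful logins that deviate from a user's own baseline (added example, constructed data)."""
from datetime import datetime

# Constructed sample authentication events:
# "<ISO timestamp> <user> <source network> <country> <result>"
# alice's last event is a login at 03:12 from an unfamiliar network and country.
SAMPLE_AUTH_LOG = """\
2016-08-01T08:55:10 alice corp-lan GB success
2016-08-02T09:02:44 alice corp-lan GB success
2016-08-03T08:49:31 alice corp-vpn GB success
2016-08-04T09:10:05 alice corp-lan GB success
2016-08-05T03:12:57 alice 198.51.100.0/24 US success
2016-08-01T10:00:00 bob corp-lan GB success
2016-08-02T10:05:00 bob corp-lan GB failure
2016-08-02T10:05:30 bob corp-lan GB success
"""


def parse_auth_log(text):
    """Return (timestamp, user, network, country, result) tuples sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, network, country, result = parts
        try:
            events.append((datetime.fromisoformat(ts), user, network, country, result))
        except ValueError:
            continue
    events.sort(key=lambda e: e[0])
    return events


def flag_anomalous_logins(text, min_history=3, hour_slack=1):
    """Return a list of dicts describing successful logins that fall outside the user's baseline.

    The baseline for each login is built only from that user's EARLIER successful logins, so the
    first `min_history` logins are learning only and are never flagged. `hour_slack` widens the
    observed hour range by that many hours on each side before a login hour counts as unusual.
    Flagged logins are deliberately not folded into the baseline, so one suspicious login cannot
    make the next one from the same place look normal.
    """
    history = {}  # user -> {"networks", "countries", "hours", "count"}
    flags = []
    for ts, user, network, country, result in parse_auth_log(text):
        if result != "success":
            continue  # failed attempts do not shape the baseline in this example
        base = history.setdefault(
            user, {"networks": set(), "countries": set(), "hours": set(), "count": 0})
        reasons = []
        if base["count"] >= min_history:
            if network not in base["networks"]:
                reasons.append("network")
            if country not in base["countries"]:
                reasons.append("country")
            lo = min(base["hours"]) - hour_slack
            hi = max(base["hours"]) + hour_slack
            if not lo <= ts.hour <= hi:
                reasons.append("hour")
        if reasons:
            flags.append({"user": user, "timestamp": ts, "network": network,
                          "country": country, "reasons": reasons})
            continue
        base["networks"].add(network)
        base["countries"].add(country)
        base["hours"].add(ts.hour)
        base["count"] += 1
    return flags


if __name__ == "__main__":
    for f in flag_anomalous_logins(SAMPLE_AUTH_LOG):
        print(f"{f['timestamp']:%Y-%m-%d %H:%M} {f['user']} from {f['network']} ({f['country']}): "
              f"unusual {', '.join(f['reasons'])}")
```

With the constructed log, alice's first three logins only teach the baseline, her fourth (daytime, corporate network) passes, and the 03:12 login from a new network in a new country is flagged on all three counts; bob never accumulates enough history to be judged. In practice the baseline would cover more dimensions (device, application, data volume) and a longer window, but the principle the post makes is the same: the credential is genuine, so it is the behaviour that has to be checked.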
