Rapid7 Blog

Compliance  

NIST Standards and Why They Matter

A primer on implementing NIST recommendations by guest author Matt Kelly

Australian Privacy Amendment (Notifiable Data Breaches) Bill 2016

Mandatory notification of data breaches is becoming more commonplace across the globe. Many financial institutions are now required to comply with NY DFS, any organization processing the personal data of EU citizens should be in the midst of their GDPR preparations, and now Australia has announced that it will also be joining the party. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian Senate in February 2017, and comes into effect as of February 22, 2018. As with other compliance regulations, fines can be applied to those who are found to be breaking the rules. In this case, a civil penalty of up to AUD 1,800,000 can be added to the hefty financial impact of a breach. The bill applies to all Australia Privacy Principle (APP) entities, which includes many Australian Government agencies, and private sector organizations with an annual gross revenue of over AUD 3,000,000. It’s important to note that the bill also applies to organizations who hold tax file number information, certain credit providers and credit reporting bodies, and there are some other nuances depending on the type of business or services you provide. If you are unsure as to whether you are exempt from this bill, you can find out more here. Documented timeframes for reporting an eligible data breach are not as prescriptive as the 72-hour reporting window under GDPR, but instead require non-exempt organizations to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as soon as is practicable. There is also a requirement to investigate suspect data breaches within 30 days, during which time you need to ascertain whether the breach occurred and assess whether it falls under the realm of eligibility for notification. Thirty days may seem like a decent amount of time to conduct such an investigation, but if you’ve spent any time doing incident response you’ll know that days and weeks can fly by pretty quickly. 
Time is a strange beast when the proverbial fan and excrement come together. If you’re looking for advice on next steps, the OAIC (whose website I really cannot praise highly enough) have put together a wealth of easily digestible information that will help you on your compliance journey. In particular, I’d recommend you start by reading these two guides:

- Guide to securing personal information
- Guide to developing a data breach response plan

The latter is complementary to a much more in-depth document on handling personal information security breaches, which includes a section on preventing future breaches. When reviewing your current breach response measures you should use this advice as a benchmark. All too often, organizations heed this type of advice only after they’ve been subject to a critical incident, so take the opportunity now to learn from others who have lived through the pain of a breach.

Need a helping hand? Our experts are here to help you. Rapid7’s IR services team come with a plethora of pedigrees and have many thousands of hours of incident response experience. We’ve got a range of incident response services that can fit your needs, whether those needs are assistance developing an IR program, concern about a potentially compromised environment, a second opinion on your organization's breach-readiness, or immediate help with a potential breach. And if you’re worried about not having the staff or expertise in-house to monitor your environment for threats and attackers (and let’s face it, not everyone has the luxury of having a 24x7x365 security operations centre at their disposal!), don’t panic: we’ve got your back. Rapid7’s Managed Detection and Response (MDR) can be your eyes and ears, and we include a compromise assessment and two incident escalation investigations per year as part of the package. You can learn more from one of our MDR customers, Bill Heinzen of NISC here.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 isn’t just about sending some emails out to customers or putting a notice on your website after the horse has bolted. Prompt investigation and response are key for limiting the impact of a potential breach, and can make a world of difference to those whose data you hold.

Maximizing PCI Compliance with Nexpose and Coalfire

In 2007 Coalfire selected Rapid7 Nexpose as the engine around which to build their PCI Approved Scanning Vendor (ASV) offering. PCI was just a few years old and merchants were struggling to achieve and document full compliance with the highly prescriptive Data Security Standard. Our goal was to find that classic sports car blend of style and power: a vulnerability assessment solution that was as streamlined and easy to use as possible, but robust enough to significantly improve the customer's security. In other words, an ASV service that could meet the needs of a large multi-national enterprise as well as the small franchise owner just learning how to spell IT. After looking at all the alternatives, Coalfire selected Nexpose for its high-end performance and ease of interoperability to build around, all at a price point that kept us competitive.

The Coalfire scanning solution has gone by many names since its first ASV certification: Surefire Compliance, ARM PCI RapidScan, Coalfire RapidScan, right up to today's CoalfireOne℠ scanning platform. But through all of it, Nexpose was under the hood making it go, with the power and reliability of a GM LS Series 6.0L or an AMC 4.0 straight-six. Sorry, that might be taking the analogy a bit far (and letting my car geek show), but the point is, we never had to worry if the scan was going to run or if it was going to find the latest SSL vulnerability; it just did. And that let us focus on the user experience, which was always our plan.

With our new ASV partnership, Rapid7's ASV customers now get that “best of both worlds” pairing: the same high confidence in scan findings they're used to, with the simplicity of CoalfireOne management. Define your targets, set your schedule, review and dispute findings, and download your attestation of compliance, all through the easy-to-use Web interface. It's a little like a Shelby Cobra: body by AC Cars, V8 by Ford. Okay, I'm done.

New and Improved Policy Manager

This year we've made many enhancements to the configuration policy assessment capabilities in Nexpose, including adding 4 new reports and NIST 800-53 controls mapping. Last week we unveiled a new and improved user interface for the Policy Manager, providing you with more information on your compliance position at your fingertips.

With the new interface, you can quickly see how compliant you are overall, understand where you need to focus, and drill down to get detailed policy results. But it's not just the look-and-feel that's improved; we've also been working on making the Policy Manager more responsive and scalable, enabling larger datasets to load much faster.

What's New

The new Policy view lets you see at a glance all the policies you've scanned for and the overall percentage of compliance across your network. Clicking on the number of Scanned Policies dynamically filters the table below to only show policies with assessment results. Sort the table by Rule Compliance to quickly see which policies are the least compliant, or by Compliance Trend to see which policies are heading in the wrong direction.

Clicking on a policy takes you to a detailed view showing the number of scanned assets and the overall level of compliance. You can drill into a particular rule to see more information, including the assessment results of each scanned asset and remediation steps, giving you all the information you need to take action.

The new interface also includes a new Asset view where you can see which assets are the most and least compliant, when they were last scanned, and whether they're improving their compliance position or not. As with policies, clicking on an asset takes you to a detailed view of the asset showing the number of assessed rules and the overall level of compliance. You can drill into a particular rule to see more information, including whether the asset is compliant with the rule, proof for why the rule passed or failed, and remediation steps.

Auditing your systems for compliance with secure configuration policies like CIS, DISA STIGs, and USGCB is an important part of any effective security and compliance program. If you haven't tried automating this process using the Policy Manager in Nexpose yet, or haven't tried it in a while, then now is the perfect time.

[Q&A] User Behavior Analytics as Easy as ABC Webcast

Earlier this week, we had a great webcast all about User Behavior Analytics (UBA). If you'd like to learn why organizations are benefiting from UBA, including how it works, top use cases, and pitfalls to avoid, along with a demo of Rapid7 InsightIDR, check out on-demand: User Behavior Analytics: As Easy as ABC or the UBA Buyer's Tool Kit. During the InsightIDR demo, which includes top SIEM, UBA, and EDR capabilities in a single solution, we had a lot of attendee questions (34!). We grouped the majority of questions into key themes, with seven Q&A listed below. Want more? Leave a comment!

1. Is [InsightIDR] a SIEM?

Yes. We call InsightIDR the SIEM you've always wanted, armed with the detection you'll always need. Built hand-in-hand with incident responders, our focus is to help you reliably find intruders earlier in the attack chain. This is accomplished by integrating with your existing network and security stack, including other log aggregators. However, unlike traditional SIEMs, we require no hardware, come prebuilt with behavior analytics and intruder traps, and monitor endpoints and cloud solutions, all without having to dedicate multiple team members to the project.

2. Is InsightIDR a cloud solution?

Yes. InsightIDR was designed to equip security teams with modern data processing without the significant overhead of managing the infrastructure. Your log data is aggregated on-premise through an Insight Collector, then securely sent to our multi-tenant analytics cloud, hosted on Amazon Web Services. More information on the Insight Platform cloud architecture.

3. Does InsightIDR assist with PCI or SOX compliance, or would I need a different Rapid7 solution?

Not with every requirement, but many, including tricky ones. As InsightIDR helps you detect and investigate attackers on your network, it can help with many unique compliance requirements. The underlying user behavior analytics will save you time retracing user activity (who had what IP?), as well as increase the efficiency of your existing stack (over the past month, which users generated the most IPS alerts?). Most notably, you can aggregate, store, and create dashboards out of your log data to solve tricky requirements like “Track and Monitor Access to Network Resources and Cardholder Data.” More on how InsightIDR helps with PCI Compliance.

4. Is it possible to see all shadow cloud SaaS solutions used by our internal users?

Yes. InsightIDR gets visibility into cloud services in two ways: (1) direct API integrations with leading services, such as Office 365, Salesforce, and Box, and (2) analyzing Firewall, Web Proxy, and DNS traffic. Through the latter, InsightIDR will identify hundreds of cloud services, giving your team visibility into what's really happening on the network.

5. Where does InsightUBA leave off and InsightIDR begin?

InsightIDR includes everything in InsightUBA, along with major developments in three key areas:

- Fully Searchable Data Set
- Endpoint Interrogation and Hunting
- Custom Compliance Dashboards

For a deeper breakdown, check out “What's the difference between InsightIDR & InsightUBA?”

6. Can we use InsightIDR/UBA with Nexpose?

Yes! Nexpose and InsightIDR integrate to provide visibility and security detection across assets and the users behind them. With this combination, you can see exactly which users have which vulnerabilities, putting a face and context to the vuln. If you dynamically tag assets in Nexpose as critical, such as those in the DMZ or containing a software package unique to domain controllers, those are automatically tagged in InsightIDR as restricted assets. Restricted assets in InsightIDR come with a higher level of scrutiny: you'll receive an alert for notable behavior like lateral movement, endpoint log deletion, and anomalous admin activity.

7. If endpoint devices are not joined to the domain, can the agents collect endpoint information to send to InsightIDR?

Yes. From working with our pen testers and incident response teams, we realize it's essential to have coverage for the endpoint. We suggest customers deploy the Endpoint Scan for the main network, which provides incident detection without having to deploy and manage an agent. For remote workers and critical assets not joined to the domain, our Continuous Agent is available, which provides real-time detection, endpoint interrogation, and even a built-in Intruder Trap, Honey Credentials, to detect pass-the-hash and other password attacks.

Huge thanks to everyone that attended the live or on-demand webcast; please share your thoughts below. If you want to discuss if InsightIDR is right for your organization, request a free guided demo here.

Getting More Out of Nexpose Policy Reports

Auditing your systems for compliance with secure configuration policies like CIS, DISA STIGs, and USGCB is an important part of any effective security program, not to mention a requirement for many industry and regulatory compliance standards like PCI DSS and FISMA. With Nexpose, you can automate this assessment using our Policy Manager feature.

Back in March we launched two brand new policy report templates, Policy Rule Breakdown Summary and Top Policy Remediations, to help organizations understand how compliant their assets are and the actions to take to improve their compliance posture. You can read more about these reports here.

After receiving lots of great feedback, we've added two more policy reports in the latest version of Nexpose: Policy Details and Top Policy Remediations with Details. These provide additional information like policy rules, test results, and step-by-step remediation instructions so you can drill into the details and take control of your compliance program.

The new Policy Details report is useful for understanding exactly what's going on with each asset: which rules are failing, the reasons why, and how you can fix them. The report is divided by asset, with the overall compliance score for the asset at the top. Run this report when you want to deep-dive into the configuration settings of your systems.

The new Top Policy Remediations with Details report expands on the report released in March by adding step-by-step instructions for each remediation and a list of the affected assets. With both Top Policy Remediations reports, the recommendations are prioritized for the greatest impact on improving compliance across all your assets, and you can change the number of recommendations shown, e.g. change Top 25 to Top 10, to meet your needs. This report is perfect for communicating what needs to be fixed to your IT Operations team.

We have lots more enhancements to Policy Manager coming soon, so stay tuned for more!

Seven Ways InsightIDR Helps Maintain PCI Compliance

“Compliance is king.” This is a familiar saying for any company that processes credit card transactions, where being compliant with the Payment Card Industry Data Security Standard, or PCI DSS, reigns supreme. Any entity that stores, processes, or transmits cardholder data must abide by the requirements, which serve as best practices to securing your cardholder data environment (CDE). Nexpose and Metasploit have been designed to directly help your team meet PCI DSS, as well as comply with many other compliance standards. Created by security responders, Rapid7 InsightIDR also ties in with PCI, including helping you meet Requirement 10: Tracking and monitoring all access to network resources and cardholder data. InsightIDR joins your security detail to detect the top attack vectors behind breaches, speed up incident investigations, and help you escape the drudgery of security data management.

Here are a few of the PCI requirements that InsightIDR can help your security team manage, ranging from monitoring access to your CDE and exposing risky user behavior, to fast and comprehensive incident investigations across the entire organization. To see it in action, see our 20-minute on-demand demo.

Requirements 5.1 & 5.2: InsightIDR scans all endpoints for malware and identifies risky user behavior, including compromised user accounts, anomalous admin activity, and lateral movement. This endpoint visibility is accomplished for all systems through a blend of endpoint scans and the continuous Insight Agent.

Requirements 6.4.1 & 6.4.2: You can monitor multiple separated environments, define network zones, and be alerted if access policies are violated. As an example, an organization could set a policy that no users in the “developers” group should access the network zone “PCI Production,” ensuring InsightIDR alerts them on any such violations.

Requirements 7.1, 7.3: After flagging systems in your CDE as restricted assets, InsightIDR will alert you on any change in behavior. This includes suspicious authentications, users with unexpected privilege escalations, and even approved users remotely accessing the CDE from a new source asset. This detects unauthorized access and user risk, and enforces policies set by your security team.

Requirements 8.1, 8.2.4, 8.5: InsightIDR alerts on brute forcing, pass-the-hash, and other password guessing attempts by running behavior analytics on event logs and through Intruder Traps, such as honey users and honey credentials.

Requirement 10: InsightIDR is your complete solution to track and monitor all access to network resources and cardholder data. This starts with aggregation and search across any of your log files. In addition, all network activity is directly correlated to the users and assets behind it. During incident investigations, the security team can bring together log search, real-time user activity, and endpoint interrogation into a single Super Timeline (see below). No more parsing through disparate log files, jumping between multiple solutions for investigations, or retracing user activity across IPs, assets, and services.

Requirement 11.4: InsightIDR identifies malicious behavior earlier in the attack chain, the steps required to breach a company. Through a combination of user behavior analytics and purpose-built Intruder Traps, InsightIDR detects the top attack vectors behind breaches, including phishing, compromised credentials, and malware.

Requirements 12.3, 12.5, 12.10: InsightIDR can aggregate, search, and attribute logs and alerts from Intrusion Detection/Prevention Systems (IDS/IPS) and Firewalls to the users and assets behind them. For example, with one search, the security team can identify the users generating the most IDS/IPS alerts.

InsightIDR was built hand-in-hand with security teams to be the SIEM solution you always wanted, armed with the detection you will always need. It combines learnings from the Metasploit project, our penetration testing teams, and tested User Behavior Analytics (UBA) that hundreds of organizations benefit from today. You can finally get visibility and detection while meeting PCI compliance without it becoming a second full-time job. Learn more about how Rapid7 can help your team meet PCI, or sign up for a free guided demo!

People and Process Are Keys to Compliance, Tech Simply Must Make Them Both More Efficient

Compliance is not always an exciting topic to write about; in fact it's almost NEVER an exciting topic to write about, but that doesn't diminish its importance. For those of you in security who must adhere to a varietal (first of many references to adult beverages) of compliance policies, you know that it is often a painful, yet necessary, part of your jobs. Unfortunately, the log management and SIEM technologies we all deployed over the years have served compliance officers by making it possible to obtain important information, but never considered the ease with which this ritual could be accomplished. Fortunately for me, I get to sit down with security and compliance teams all the time, and when you talk with them about compliance, you hear the pain in their voices as they describe the months it takes to get the right reports built, not to mention the training needed to understand how to review the information. Volume and granularity have seemingly become the two tenets of security compliance reporting, instead of brevity and efficiency. This model needs to be fixed, and we'll talk about how, while enjoying a fine glass of wine and a pint of beer.

A pile of reports to dig through is no better than a pile of raw data.

Last week, while at dinner, we were greeted by the sommelier and under her arm was a fairly large wine book. This wine expert had most likely spent years building a knowledge of grapes, international regions, and food complements, and she was not there to simply tell us about her favorite wine. Instead, we conveyed to her what we were thinking about eating, what we liked in terms of wines, and she even asked pertinent questions about our tastes and personalities. These were all filters she applied on top of the enormous wine book to essentially spit out (sommelier puns everywhere!) a selection that would be ideal for that moment in time.

Any time you have a long list of data points, it becomes more critical to build the right filters on top of the information to ask questions and transform it into something useful. If you look at log management solutions of the past decade, you'll constantly read about “thousands of reports!” and “pre-built compliance dashboards!” but having these is just bragging about the thickness of your menu. Since compliance is all about having the process to monitor the right systems and the people to make that process work, auditors don't care about the number of available reports in the technology; they want to test your process by validating your solution so that they can retrieve the report that matters for each environment. This is why an easily customized menu with access to all of the relevant information is ideal for creating the dashboards your organization needs in a few hours. You should never have to dig through a series of embedded menus or pages and pages of reports every time you need to review a day's activity.

There is no acceptable reason for the compliance team to know every IP address and log format.

With the recent explosion of craft beer, the same five-star restaurants and their patrons (we're not diners at these places) have started to hire beer experts, occasionally labeled “cicerones.” These hop, malt, and yeast experts are intended to help you navigate the growing thickness of beer menus and appropriately pair with your meal choices. It would be pointless to ask a cicerone to answer all of a table's wine questions, because keeping up with both domains is a major challenge. However, that's just what we've been asking compliance teams to do for years: understand the language of the networking team. Does the networking data contain valuable information for assuring a compliant network? Absolutely, but that doesn't mean we should require one to learn the other's craft. There is more than enough work for both parties in an organization. When a compliance officer needs to learn the format of IDS logs, Windows authentication logs, or firewall logs (which differ for every firewall vendor), it significantly reduces the focus on assuring the proper policies have been followed. Then, to have to track down which user accessed a protected asset when only an IP address is present in the logs is just, kind of, mean. That information should be baked into the events before they are reviewed.

Above all else, compliance reporting should be easy to adapt to [and use!] in your environment.

Since your compliance team needs to continuously monitor specific events across the systems and users uniquely important to your organization, both identifying the proper source data and viewing the resulting analyses need to be quick and easy. But making something as complex and cryptic as log data simple to view is more challenging than anyone ever anticipated. Normalization is the first key, and this is where the sommelier analogy unravels (since all sauvignon blanc is not equal). By parsing every authentication or firewall event and structuring the information in an easy-to-read format, Rapid7 InsightIDR makes every firewall event look the same, no matter how puzzling the original log. Going a step further, every event across all data types is given a very similar structure, so that reviewing the events doesn't require domain knowledge of networking devices or Microsoft logging conventions. This is done when the event source is connected, without any effort from the customer. The second key is to add important context, such as the user (think: human rather than account) responsible for the event and the host on which the event occurred, to enrich logs containing little detail. This is done during the pre-indexing phase of ingesting every event.

With the resulting easy-to-understand events, one only needs to learn the basics of our Querybuilder (LEQL for those who love acronyms) to define every dashboard a compliance team needs in a couple of hours. Having built them with your organization in mind means no more digging through the thousands of noisy, irrelevant reports provided “out of the box” in other log management solutions. And don't worry: if you're an aspiring data archaeologist you can still dig into the raw events with the click of a button, and the experts on other teams only need to get pulled in when something concerning needs to be explained or remediated. To learn more about how InsightIDR can make your compliance process easier while empowering you to do more for incident detection and response, check out the on-demand InsightIDR demo video. Now, where did that cicerone go….?

Redner's Markets Selects Nexpose & InsightUBA for Compliance and Incident Detection

With breaches making regular headlines, security teams are under more scrutiny than ever before. This is especially true in retail, where strong security practices are paramount to protecting customer and organizational data. PCI DSS compliance is a key component of any retail organization's security program. As a level 2 merchant, Redner's Markets must conduct regular vulnerability scans, collect logs, and review them daily.

“Compliance was what began our relationship with Rapid7,” explains Nick Hidalgo, Director of IT at Redner's Markets. “We purchased Nexpose for PCI compliance, and afterwards we brought on [InsightUBA, formerly UserInsight].” He and his team are tasked with securing a business environment that includes more than 700 point of sale machines across 45 traditional supermarkets, 18 gas stations, and three corporate facilities. “[InsightUBA] watches over everything,” he laughs.

Redner's Markets use Rapid7 solutions to address:

- PCI Compliance
- Vulnerability Management
- Incident Detection, including User Behavior Analytics to detect use of compromised credentials
- Incident Investigation

To hear the whole story of how Redner's Markets partners with Rapid7 for its security needs, read the full Rapid7 case study.

New Policy Reports in Nexpose

With Nexpose, you can assess your network for secure configurations at the same time as vulnerabilities, giving you a unified view of your risk and compliance posture. The latest version of Nexpose focuses on making it easier to understand how well you're doing and the actions to take to improve overall compliance. Starting with Nexpose 6.2.0, users now have access to two brand new policy reports that help you take control of your compliance program and focus on what is important.

The first report is the Policy Rule Breakdown Report, which provides a rule-by-rule breakdown of a policy for each asset. This allows you to understand which rules have passed and which have failed, giving you a high-level view of how compliant each of your assets is and which rules to focus on.

The second report is the Top Compliance Remediations Report, which provides a prioritized list of remediations to help you drive your compliance program. This list is prioritized based on the actions that will have the greatest impact in improving overall compliance across all your assets. By default, this report will show the Top 25 Remediations prioritized by Nexpose, but you can change this to a number that meets your needs. In the sample report above, remediating all of the identified issues will increase overall compliance by 12% within the scope of the report. You'll notice that in this example the top 25 issues are identified based on 671 rules across 10 assets, which is the scope of this particular report. All of this information is rule driven, with a detailed breakdown of how remediating specific rules will impact your overall compliance score. As you work through the remediation efforts identified, you can expect to see these numbers get smaller and smaller.

Seven Ways UserInsight Helps With PCI Compliance

For any company that deals with credit cards, PCI DSS compliance still reigns king. You may be aware of how our Threat Exposure Management solutions, Nexpose and Metasploit, have been designed to directly meet PCI DSS, as well as comply with many other standards. Today, let's look at how our Intruder Analytics solution, UserInsight, joins your security detail to identify threat actors across your ecosystem, whether they are attackers masquerading as employees or insider threats. Here is an excerpt of the PCI requirements UserInsight can help with; check out the full list in the Rapid7 PCI DSS Version 3.0 Compliance Guide.

Requirement 3.5.1: UserInsight lets you monitor which users access critical systems or restricted network zones that may hold cryptographic keys. This provides you with an access audit trail.

Requirements 6.4.1 & 6.4.2: You can define the production environment as a network zone, and receive automatic alerts if an outside group (e.g. developers) authenticates into that closed-off area/segment/zone.

Requirements 7.1, 7.1.1, 7.1.2: UserInsight lets you flag systems in the cardholder data environment (CDE) as critical, and alerts you to unusual authentications. A common step in the attack chain is to use an exploit to elevate a compromised user's privileges. Any user that has an unexpected privilege escalation, which could be used to access a CDE system, will trigger an automatic alert. Further, you have instant visibility into the administrators and privileged users within the organization. With automatic insight into endpoints, you detect local lateral movement and pass-the-hash attacks as well.

Requirements 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5: UserInsight helps you monitor user behavior from the endpoint to the cloud. Attackers love to gain a foothold on the network through disabled users, cloud services, and by attacking endpoints. Because it was designed by a team with deep knowledge of attacker methodology, UserInsight identifies compromised credentials as well as risky internal behavior, such as shared accounts and unnecessary administrators.

Requirement 8.2.4: You'll have instant visibility into accounts with passwords set to never expire, as well as the date the password was last changed.

Requirements 10.1, 10.2: UserInsight collects a variety of logs across your network, correlates them by user, and tracks authentication attempts, giving you full visibility. Administrative activity across both on-premise and cloud services (IaaS, SaaS and PaaS) is tracked, helping identify previously unknown administrators as well as intruders using compromised credentials to lurk on your systems. Through an Agentless Endpoint Monitor, we can even identify actions taken on your endpoints, including local lateral movement and log deletion, two behaviors any security administrator wants to know about.

Requirement 10.6.1: Security teams are already strained by false-positive alerts, parsing through disparate log data, and writing and maintaining rules. UserInsight sanitizes your logs down to the security-relevant events and stores them in perpetuity. By aggregating and running analytics on your endpoint, on-premise, and cloud services, there is a complete picture of user activity, and you receive only the alerts that matter. By helping you store your security data on the UserInsight platform, you have a permanent audit trail that can't be tampered with or deleted by the attacker.

Please see a more comprehensive description of how UserInsight helps you comply with PCI DSS 3.0 in the Rapid7 PCI DSS Version 3.0 Compliance Guide. UserInsight provides benefit to many compliance frameworks outside of PCI DSS, such as the SANS Critical Security Controls. Of course, our vision extends beyond compliance; UserInsight looks to automatically detect attacks, help you quickly investigate security incidents, and monitor user behavior across your entire network ecosystem. Learn more about UserInsight.

Top 3 Takeaways from the "PCI DSS 3.0 Update: How to Restrict, Authenticate, and Monitor Access to Cardholder Data" Webcast

In this week's webcast, Jane Man and Guillaume Ross revisited the latest PCI DSS 3.0 requirements. Security professionals need to be diligent to remain compliant and secure. Jane and Guillaume discussed some key results from the Verizon 2015 PCI Compliance Report, tips and tricks for complying with requirements 7, 8, and 10, and touched upon upcoming changes in v3.0 and v3.1. Read on for the top 3 takeaways from the "PCI DSS 3.0 Update: How to Restrict, Authenticate, and Monitor Access to Cardholder Data" webcast:

1) Compliance is a Point in Time Event: If you're deemed compliant and then stop performing the processes associated with any requirement, you can easily be out of compliance a few days later. Compliance takes maintenance and adjustments as your environment changes through added data sources, users, operating systems, or applications. According to the Verizon 2015 PCI Compliance Report, none of the companies that have suffered a breach complied with the requirements for monitoring access, but they could have been previously compliant, which leads me to the next big takeaway.

2) Sustainability is Essential: Companies can often be very diligent when first aiming to achieve compliance, but if there isn't staff dedicated to the new processes and tasks involved in becoming compliant, compliance slips. Compliance is binary and must be a continuous process. You're either compliant or you're not; even if you're 95% of the way there, you're technically not compliant without that last 5%. It's important to have clear and sustainable practices and controls in place that will be effective and efficient over time to help maintain compliance and strong security. Regularly test security systems and processes, and even if you have automated tools, make sure someone is taking the time to look at systems and investigate legitimate alerts. In hindsight, it can be easy to say a breach could have been prevented if you'd just looked at the right logs, but looking at the right log at the right time requires sustained effort and strong monitoring, logging, and auditing processes.

3) Reduce, Restrict, and Revalidate: Reduce the number of shared and generic accounts wherever possible, and make sure all activity on accounts like these is traceable and logged. Users should be restricted to only the systems, features, and data they need to perform their jobs. Security teams should have controls in place to enforce and provision access policies and to detect violations. Always be revalidating the access you've given to users. The jobs and needs of users in an organization can morph over time. As more privileges are given out, make sure that anything no longer needed is removed to avoid "permission creep," which gets harder and harder to manage if neglected. When it comes to compliance, we should always be fine-tuning permissions and processes, without forgetting to go above and beyond to ensure security for important assets as well.

For the in-depth discussion and tips and tricks on keeping up with PCI DSS compliance, view the on-demand webinar now.

Webcast Followup: Escalate Your Efficiency

Last week, we had a live webcast to talk about how Metasploit Pro helps pentesters be more efficient and save time. There were so many attendees, which made it possible to have great conversation. First of all, I want to thank you folks who have taken the time from their busy schedules to watch us live. There were many questions our viewers asked us, and we were not able to answer all of them due to time limitations. In this post, you will find the answers to those questions.

First things first. If you would like to read a recap of the webcast, go here: Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast, and if you would like to watch the webcast, go here: On Demand Webinar: Escalate Your Efficiency: How to Save Time on Penetration Testing.

Questions and Answers

In order to protect the identities of our attendees, we have taken out any identifiable information from the questions. Thus, some questions may have been reworded.

Is there a tutorial available for some of the finer points of using Metasploit Pro?

There is quite a bit of content available. We will continue to generate new content as we add new features in the future. Feel free to start here: Metasploit Online Help.

Is Metasploit Pro licensed specifically for a named user, or can it be licensed to support a moderate-scale, remotely located pen test group arrangement?

As of right now, we only support licensing based on the number of users. However, we are investigating different licensing options, and we will take your suggestion into consideration.

Does the Metasploit Pro license limit how many IP addresses can be added to a project?

No, it does not. Our licensing model is based on the number of users. There are no license limitations around the number of IP addresses. Please keep in mind that if you plan to test a large network, we strongly suggest you run Metasploit Pro on a beefy machine to prevent any performance issues.

Is one of the UI improvements the ability to pause scanning to accommodate multiple small testing windows?

Yes. We have recently released the Pause & Resume feature in Metasploit Pro. Currently it is only available for the Credential Reuse task. However, we are planning to extend the feature to other tasks in the future.

Our organization is just about to train our ISSO to conduct internal penetration testing in house utilizing Metasploit Pro. What features should we begin testing to introduce us "newbies" to the world of pentesting?

Metasploit Pro comes with an easy-to-use web interface to simplify pentesting as much as possible. Personally, I would start with a phishing/social engineering campaign to quickly assess your employees, since this type of testing requires a lot less technical knowledge. Additionally, an easy win may be scanning your network for vulnerabilities with Nexpose and validating the found vulnerabilities with Metasploit to determine which vulnerabilities you should focus on fixing first. Here is a good read to get started: Introduction to Penetration Testing.

Can I develop an exploit in Metasploit Pro?

You do not actually need Metasploit Pro to develop an exploit. Metasploit Pro is not a tool for reverse engineering an application to look for zero-day vulnerabilities and write exploits. It is an application for consuming available exploits in an efficient manner. If you would like to learn how to write exploits, feel free to start with the following pages: Contributing to Metasploit; Metasploit Resource Portal.

What are the learning curves between the editions? I used Metasploit Framework several years ago, so I am not totally new to pentesting.

Metasploit Pro consumes the same modules that Framework does, so as far as exploit content goes, there is not much difference. However, Metasploit Pro comes with some additional features, most of which we talked about during the webinar, that might require some reading and learning. We know that many of our users have used Framework in the past and are used to the command line, so we are going to bring some of those commands to the Metasploit Pro web interface in 2015 to make it even easier to use. Overall, the learning curve is not that steep.

Can I use my own word list when I customize a bruteforce attempt?

Yes, you can. Even though the bruteforce functionality does not take a wordlist as input, a wordlist can be used to generate a list of credential pairs, which can then be imported and used for bruteforce.

Is there an option for passwords in different languages for bruteforce?

Currently there is not. You can, however, create your own custom list of credential pairs from wordlists in any language, and then import it for bruteforce.

How can I customize the password mutation feature for a bruteforce attempt?

The password mutation feature comes with several mutation options. Currently we do not support adding customized mutation rules; however, this is something we are looking to implement in the future.

What can I expect to spend, in hours, when performing bruteforcing on a typical 100-PC network including servers and workstations? Does speed change between Metasploit editions, say Community vs. Pro?

We would very much like to give you an answer for this; however, it really depends on many factors such as network speed, mutation rules, password combinations, number of services, etc. The best way to learn is to actually try this on your own network with your custom configuration. This way you can create your baseline and go from there. The running speed of any task does not differ between versions.

Do you have any suggestion for a good place to get a good username and password list to use?

Here is a collection of mirrors: https://wiki.skullsecurity.org/Passwords. If you are interested in building personalized wordlists for specific situations, here is a good starting point: Errata Security: Extracting the SuperFish certificate.

We started using task chains extensively and at some point realized that they don't function as set up when we update the machines. Are task chains dependent on the projects created?

Yes, task chains are project dependent and cannot be replicated across projects.

How often are you utilizing embedded outdated, insecure components of applications and systems for exploitation (similar to GHOST)?

When a high-impact vulnerability becomes available, the turnaround is usually pretty fast. When Shellshock came out, there was an exploit released within 24 hours. The turnaround time really depends on how difficult (or easy) the issue is to exploit, whether there is a reasonable network vector (rather than a mere local-only vulnerability), and the likely impact of the vulnerability.

If the Metasploit framework is unable to break a hash, say an MD5 hash, what other resources would you use, or how would you go about using Metasploit to figure out how to crack the hash?

We have recently added a tool to look up MD5 hashes in publicly available databases: https://github.com/rapid7/metasploit-framework/pull/4601. Additionally, you can combine John the Ripper and Metasploit to attack MD5 hashes with this module: modules/auxiliary/analyze/jtr_linux.

Could you add a service to find default login credentials for Tomcat?

There is already a Metasploit module for Tomcat that performs login attempts. It is called "Tomcat Application Manager Login Utility" and its path is "auxiliary/scanner/http/tomcat_mgr_login". Additionally, here is our module database. Feel free to search for other modules.

With the release of msfvenom, is there going to be any compatibility with users who have developed payloads and tools in msfencode and msfpayload?

We don't anticipate any gaps in functionality -- msfvenom has been in "public beta" for years now, and there should already be 1:1 feature parity. That said, if you notice something not working for your use case between msfpayload, msfencode and msfvenom, please open a GitHub issue here.

When will GPU password cracking be available?

Currently, we do not have any plans to add GPU password cracking as a feature. However, John the Ripper has some excellent toolchains for this, and Metasploit can import the results pretty easily.

Metasploit is a great tool; however, it is only a tool. PCI v3 requires that the pentest is "based on industry-accepted penetration testing approaches (for example, NIST SP800-115)". What is the penetration testing methodology used by your pentesters with Metasploit?

We believe that there is no single methodology for PCI compliance. Generally, companies use a vulnerability management solution to try to fix as many vulnerabilities as they can. Some also perform initial penetration testing, and this is where Metasploit Pro can help. Finally, consultants can come in to provide pentesting. We actually like this order because consultants should help you find the things you could not. I would not call this a methodology; however, if you approach a PCI engagement in this order, then you can get the most out of your compliance engagement, not just a PCI check in the box. Feel free to read more about this topic starting with this article: What You Should Take Away from the PCI DSS 3.0.

Is it simpler to run a WiFi penetration test using Pineapple with Metasploit Pro compared to Metasploit Framework? Can you add WiFi pentest integration?

Once you have a connection to a WiFi network through Pineapple or any other tool, you can use Metasploit Pro or Metasploit Framework as intended, since the WiFi becomes just another network. In this case, all additional features of Pro will be available for you to use. However, as far as getting access to a WEP- or WPA-protected WiFi network goes, Metasploit Pro and Framework have no functionality to do this, and we are not planning on adding this functionality at this time.

Some of your experts are stating that you shouldn't focus all your work on automated tools such as your own Metasploit, that you should spend the time to learn the tools individually/manually; however, other experts are touting Metasploit as the be-all end-all tool to use. What are your thoughts on this?

Metasploit Pro can replace many tools for various tasks, thereby making the user more efficient. Additionally, we can make the argument that if you know Metasploit very well, you may not have to spend time learning a bunch of other tools. The reality is, as long as pentesting stays a broad and complicated subject, there will always be many tools out there for different purposes, and a good pentester should always be familiar with different options.

Is there a set of questions or a methodology that can be used to interview a good pentester?

There are many approaches to interviewing a pentester. Here are two examples:

Hands-On, Practical Interview: The interviewee is given access to a lab network with various systems along with a couple of pentesting tools, and various objectives which the interviewee is expected to complete. With this approach, the interviewer can observe the interviewee while they execute a small pentest utilizing different tools and techniques.

Theoretical, Storytelling Interview: The interviewee is asked a list of questions to assess their overall knowledge (this step can be combined with the practical interview). The interviewee is also expected to share several examples of past work and discuss various situations that the person had to overcome.

Interview questions will vary depending on the interviewee; however, I find this article a good read.

This is it for this blog post. As always, feel free to reach out to us @metasploit if you have further questions. Thank you, Metasploit Team, for assisting me with these answers.

Eray Yilmaz - @erayymz
Sr. Product Manager, Metasploit

Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast

Penetration testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz, Senior Product Manager at Rapid7, spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to simplify penetration testing processes in the webcast Escalate your Efficiency: How to Save Time on Penetration Testing. Read on for the top 3 takeaways from their technical, in-depth conversation:

Metasploit is to a Pen Tester as a Scalpel is to a Surgeon: Not using automation for penetration testing is akin to a surgeon performing surgery without using tools. Historically, pen testing was a step-by-step approach, with the ever-increasing attack surface adding more steps all the time. It is immeasurably more difficult and time-consuming to keep your security strong when bogged down by the repetitive tasks required by penetration testing. Metasploit Pro makes it possible for security professionals to get extremely repetitive and labor-intensive tasks done with just a few clicks, enabling users to spend more time on customized solutions, targeted pen tests, or any other project on their plate that will ensure greater security for their organization.

Credential Security Flaws can be Confronted: Credentials continue to be the #1 attack vector when it comes to compromising networks. With this in mind, the Metasploit team has added a credentials management system to the Pro edition of Metasploit. Features like the Credentials Domino MetaModule and simplified bruteforcing provide huge time savings and improved security visibility for penetration testers, so that credentials are no longer an unmanageable blind spot. (These features are demo'd in the webcast; check it out now.)

Compliance is but a framework to build upon: Requirements in frameworks like PCI and HIPAA provide a minimum standard checklist for organizations. Truly strong security depends on the strength and ability of a penetration tester getting to go off script and check out possible weaknesses in networks and infrastructures beyond what regulatory guidelines cover. Tools like Metasploit Pro take away the busy legwork in the process, allowing penetration testers to get the job done more thoroughly and quickly.

The juiciest parts of the webcast were the Q&A with the live audience and getting to dive into the product to see how Metasploit Pro gets tasks like credential management, bruteforcing, AV evasion, VPN pivoting, and task chains done in a few simple clicks. To experience the full broadcast, view the on-demand webcast now.

Top 3 Takeaways from the "Security in Retail: An Industry at a Crossroads" Webcast

Retail is one of the industries hit hardest by the high-profile mega-breaches of late, so Jane Man, product marketing manager at Rapid7, and Wim Remes, manager of strategic services at Rapid7 (read his intro blog here), came together to discuss the challenges and future of retail security, and how organizations need to think about the balance between compliance and focusing on attack prevention and detection. Read on to learn the top 3 takeaways from the "Security in Retail: An Industry at a Crossroads" webcast:

EMV: the silver bullet for retail security? The EMV (Europay Mastercard Visa) method, slow to be adopted in the US because of the cost to transition, is proving to be a huge step in the right direction for retail security. It stops magnetic stripe skimming fraud and enables online fraud prevention protocols, so it is a great improvement and could limit the damage from major breaches. However, it should only be used as one piece of the larger retail security infrastructure puzzle.

Stay above the Security Poverty Line! Ever heard the saying "you don't have to run faster than the bear to get away, you just have to run faster than the guy next to you"? The same concept applies to security: organizations need to think about how to ensure they are not the path of least resistance to profit for attackers. Attackers are opportunistic and often driven by economic motivations, so maintaining a program that is costly to attack, and is more than just check-box compliant, is a sure way to lower your risk. Compliance should be a byproduct of good security, not the other way around.

Use Models to Build a Risk Driven Program: Jane and Wim talk through two possible approaches to switching from a compliance-driven program to a risk-driven program: the Security Maturity Approach and the Threat Modelling Approach. Both methods are effective, depending on your needs: organizations primarily focused on risk may do better with the maturity level approach, while innovative organizations with a lot of in-house development and system design would benefit more from the threat model approach.

View the on-demand webinar now to learn more about EMV, the Security Poverty Line, and the Security Maturity and Threat Modelling approaches to security.
