Rapid7 Blog

InsightVM  

AWS power-up: Tag import, asset cleanup, AssumeRole, ad-hoc scan


AWS instances present many challenges to security practitioners, who must manage the spikes and dips of resources in infrastructures that deal in very short-lived assets. Better and more accurate syncing of when instances are spun up or down, altered, or terminated directly impacts the quality of security data.

A New Discovery Connection

Today we’re excited to announce better integration between the Security Console and Amazon Web Services with the new Amazon Web Services Asset Sync discovery connection in InsightVM and Nexpose. This new connection is the result of customer feedback, and we would like to thank everyone who submitted ideas through our idea portal. This new integration has some notable and exciting improvements over our existing AWS discovery connection that we can’t wait for you to take advantage of.

Automatic Syncing with the Security Console as AWS assets are spun up and spun down

As assets are created and decommissioned in AWS, the new Amazon Web Services Asset Sync discovery connection will update your Security Console. This means that users will no longer have to worry about their Security Console data being stale or inaccurate. That means no more chasing down assets in AWS for remediation only to find that the instances no longer exist, and no more carving out time to clean up decommissioned AWS assets from the Security Console.

Import AWS Tags and Filtering by AWS Tags

One feature that we’ve gotten a lot of requests for is importing tags from AWS. With the Amazon Web Services Asset Sync discovery connection, you can now synchronize AWS tags and even use them to filter which assets get imported. You can also filter the tags themselves so you only see tags that are important to you. Once the tags are synced, they can be used just like any other tag within Nexpose—that includes using them to filter assets, create dynamic asset groups, and even create automated actions. Remove a tag in AWS? Nexpose will detect the change and automatically remove it as well.

Use AssumeRole to Fine-Tune Adding to Sites

Users can now leverage AWS AssumeRole to decide which of their assets across all of their AWS accounts to include in a single site, without having to configure multiple AWS discovery connections in their Security Console. Coupled with tag-based filtering, this makes managing your AWS assets much more straightforward. AssumeRole is now also available to Security Consoles outside of the AWS environment.

Ad-Hoc Scans with the Pre-Authorized Engine

Another feature users have requested is more flexibility in selectively scanning sites that contain AWS assets. As part of the Amazon Web Services Asset Sync discovery connection, users will now be able to select which assets within a site they wish to scan with the AWS pre-authorized engine.

Use the Security Console Proxy

Proxy support is also available for the Amazon Web Services Asset Sync discovery connection. If users already have a proxy server configured and enabled via their Security Console settings, they do not have to change their firewall settings to take advantage of this new discovery connection. Simply check the “Connect to AWS via proxy” box during configuration and the connection will use the configured proxy.

Existing AWS Discovery Connections

The previous AWS discovery connection will still be available; we recommend users transition to the new, more powerful and flexible Amazon Web Services Asset Sync discovery connection for managing their AWS assets.

Next Steps

To take advantage of this new capability, you will need version 6.4.55 of the Security Console for Nexpose and InsightVM. Not already using InsightVM? Get a free trial here.

Container Security Assessment in InsightVM


Earlier in the year, in this blog post around modern network coverage and container security in InsightVM, we shared Rapid7’s plans to better understand and assess the modern and ever-changing network with Docker and container security. We began by introducing discovery of Docker hosts and images, as well as vulnerability assessment and secure configuration for Docker hosts. With these capabilities you can see where Docker technology lives in your environment and the exposure of your Docker hosts. We know visibility into your modern infrastructure, including vulnerabilities on individual container images, is always precious. Today we’re happy to announce the next stage of container security capabilities in InsightVM: container image assessment and visualization.

Container image visibility

InsightVM is built to provide visibility into your modern infrastructure; it’s the only solution that directly integrates with Azure, AWS, and VMware to automatically monitor your dynamic environments for new assets and vulnerabilities. Now, this visibility extends to vulnerabilities residing within Docker container images. When performing scans for vulnerabilities, InsightVM collects configuration information about Docker hosts and the images deployed on the host. One of the new ways InsightVM makes this information available is through Liveboards, a dashboard view that is updated in real time. You can add the Containers Dashboard to get a quick view, or add container-specific cards to create your own views. The new cards give you insight into the potential risk posed by containers in your environment, such as:

How many container hosts exist in my environment?
Which specific assets are container hosts?
How many of the container images in my environment have been assessed for vulnerabilities?
What are the most commonly deployed container images?

Expanding a card, we can see details of the assets that have been identified as Docker hosts. You’ll notice new filters available, allowing you to tailor your visualizations based on container image metadata. We can also drill into the individual hosts and view the container images that reside on the host. InsightVM also provides simple visibility into container images themselves: here we see a view of vulnerabilities on packages, and from this view we can also explore the specifics of the layers that compose a container image. With InsightVM, getting visibility into container images is easy. However, most development teams working with containers make heavy use of container repositories.

Automatically assessing container registries

In order to get visibility into the risks containers present in your environment at scale, InsightVM offers integration with container registries. InsightVM provides visibility into container images hosted in public and private registries. Here we see a list of registries connected to InsightVM. InsightVM is configured by default with connections to the Docker Hub and Quay.io registries, and additional connections may be created. Registries can contain many images; InsightVM automatically assesses the container images in your network within a registry. You can be assured that when an image from the repository is deployed in your network, InsightVM will provide visibility into the vulnerabilities and configuration of the image. You can also assess or re-assess images as needed.

These capabilities make Rapid7 a great partner for securing your application development infrastructure; we can now help you:

Assess and secure container images in InsightVM;
Scan production applications for vulnerabilities with InsightAppSec;
Monitor container usage and deployment with InsightOps;
Get a penetration test of your application environment with actionable advice; and
Build out a secure software development life cycle with expert guidance.

For more detailed information on using these capabilities in InsightVM, see our help page here.
And of course, if you haven’t done so already, get a trial of InsightVM today and start assessing!

Apache Struts S2-052 (CVE-2017-9805): What You Need To Know


Apache Struts, Again? What’s Going On?

Yesterday’s Apache Struts vulnerability announcement describes an XML deserialization issue in the popular Java framework for web applications. Deserialization of untrusted user input, also known as CWE-502, is a somewhat well-known vulnerability pattern, and I would expect crimeware kits to incorporate this vulnerability well before most enterprises have committed to a patch, given the complications that this patch introduces.

What’s The Catch?

The problem with deserialization vulnerabilities is that oftentimes, application code relies precisely on the unsafe deserialization routines being exploited—therefore, anyone who is affected by this vulnerability needs to go beyond merely applying a patch and restarting the service, since the patch can make changes to how the underlying application will treat incoming data. Apache mentions this in the "Backward Compatibility" section of S2-052. An update that says "it is possible that some REST actions stop working" is enough to cause cold sweats for IT operations folks who need to both secure their infrastructure and ensure that applications continue to function normally.

What Can I Do?

Organizations that rely on Apache Struts to power their websites need to start that application-level testing now so as to avoid becoming the next victims in a wave of automated attacks that leverage this vulnerability. Remote code execution means everything from defacements to ransoms and everything in between. In the meantime, Rapid7’s product engineering teams are working up coverage for organizations to detect, verify, and remediate this critical issue. A Metasploit module is in progress and will be released shortly to help validate any patching or other mitigations.

InsightVM customers with content at “Wednesday 6th September 2017” or later (check Administration --> General to confirm the content version) can determine whether they have a vulnerable version of Apache Struts present on Unix hosts in their environment by performing an authenticated scan. The vulnerability id is struts-cve-2017-9805, should you wish to set up a scan template with just this check enabled. It has also been tagged with 'Rapid7 Critical.' An unauthenticated check for CVE-2017-9805 is available for InsightVM and Nexpose under the same id, struts-cve-2017-9805. This check does not remotely execute code; instead, it detects the presence of the vulnerable component against the root and default showcase URIs of Apache Struts instances. In addition to these specific updates, we’ve also produced a quick guide with step-by-step instructions on how InsightVM and Nexpose can be used to discover, assess, and track remediation of critical vulnerabilities, including this Apache Struts vuln. Not an InsightVM customer? Download a free 30-day trial today to get started.

Should I Panic?

Yes, you should panic. For about two minutes. Go ahead and get it out of your system. Once that’s done, though, the work of evaluating the Apache Struts patch and how it’ll impact your business needs to get started. We can’t stress enough the impact here—Java deserialization nearly always leads to point-and-click remote code execution in the context of the web service, and patching against new deserialization bugs carries some risk of altering the intended logic for your specific web application. It’s not a great situation to be in, but it’s surmountable. If you have any questions about this issue, feel free to comment below, or get in touch with your regular Rapid7 support contacts.

Vulnerability Management Market Disruptors


Gartner’s recent vulnerability management report provides a wealth of insight into vulnerability management (VM) tools and advice for how to build effective VM programs. Although VM tools and capabilities have changed since the report’s last iteration in 2015, interestingly one thing hasn’t: Gartner’s analysis of potential disruptors to VM tools and practices. Great minds think alike, as we’ve been heavily investing in these areas to help our customers overcome these persistent challenges. We’ve made numerous enhancements to our vulnerability management solutions (InsightVM and Nexpose) since that 2015 report to address both current and emerging vulnerability management challenges.

New Asset Types

Gone are the days when you could just count the number of servers and desktops in your network and be confident that any changes in between quarterly scans would be minimal. Now, networks are constantly changing thanks to virtual machines, IoT, and containers. Nexpose was always a leader in technology integrations, and InsightVM is even more closely integrated into modern infrastructure. InsightVM is the only vulnerability management tool that has direct integration with VMware to automatically discover and assess these devices as they’re spun up; the Insight Agent is also easily clonable, so you can integrate an agent into any gold image for automatic deployment. This means that even if your network is constantly changing as VMs are spun up and down, we’ve automatically got you covered. IoT devices are a trickier beast, and Rapid7 is one of the leaders in IoT security research—our recently released hardware bridge brings the power of Metasploit to IoT penetration testing, enabling research and security testing of a wide range of IoT devices. Finally, InsightVM currently lets you discover containers in your environment, and we’re working on the ability to actively assess containers and container images, providing visibility into another area that many security teams struggle with.

Bring Your Own Devices

BYOD has been the buzzword of buzzwords for a number of years now, but as consumer and corporate adoption continues to rise (powered by mobile productivity apps like messaging tools, mobile CRM apps, etc.), the combined attack surface increases, and the line between what’s personal and what’s corporate blurs. Gartner has released several reports on the topic and recognizes that this is a continuing challenge for vulnerability management. InsightVM makes it easy to get visibility into that attack surface and assess employee devices. We can discover mobile devices that connect to ActiveSync, providing visibility into corporate device ownership so security teams can see where their risk is. Rapid7 Insight Agents can be deployed to any remote laptop, providing continuous monitoring for any device, even if it never connects to the corporate network. Agents can be installed as part of your gold laptop images so that they’re automatically deployed to new employees. With InsightVM, you don’t have to worry about losing track of people working from home or replacement laptops becoming security holes that are never scanned.

Cloud Computing

Gartner lists cloud computing as an issue related to the loss of control of infrastructure and even of the devices to be scanned. We find the biggest challenge with cloud services is visibility; cloud instances are often spun up and down rapidly, and the details don’t always make their way to security, giving them only a small inkling of the true footprint and attack surface of their AWS or Azure environments. Similar to our integration with VMware, InsightVM integrates with AWS and Azure to automatically detect new devices as they’re spun up or down. InsightVM also makes it easy to deploy agents to new cloud devices by embedding them into a gold image. To aid in visibility, you can import tags from Azure into InsightVM, so security teams can report on the same groupings that their IT and development teams use. Thus security teams can be confident in understanding their changing attack surface as rapidly as new devices are deployed.

Large Volumes of Data

With all of the above factors drastically increasing the scope of vulnerability management, data management and analysis become more important. Even if a tool can gather vulnerability data from every part of your network, you’re never going to have time to fix everything; how do you prioritize what to fix first, and how do you get a holistic view of your security program’s progress? This challenge is why we launched InsightVM and the Insight platform in general; by leveraging the cloud for data analysis, we can provide features like live customizable dashboards and remediation tracking without weighing down customer networks. It also lets us more rapidly deploy new features, like dashboard cards and built-in ticketing integrations with ServiceNow and JIRA.

Vulnerability Prioritization

According to Gartner, “A periodic scan of a 100,000-node network often yields from 1 million to as many as 10 million findings (some legitimate and some false or irrelevant).” Given the limited resources that virtually every security team faces, it’s increasingly difficult to figure out what to spend time on, especially given that some systems are more important from a business context than others. Understanding how attackers think and behave has always been one of Rapid7’s strengths, and we pass this on to our customers with InsightVM. Our risk scoring leverages CVSS and amplifies it by factoring in exploit exposure, malware exposure, and vulnerability age to provide a much more granular risk score of 1-1000, enabling customers to focus on the vulnerabilities that make it easiest for an attacker to break in. Combined with the ability to tag certain assets as critical to automatically prioritize them in remediation, we automate the often-manual process of trying to figure out what to fix first.

InsightVM has been built to tackle the future of vulnerability management head-on, so that customers never have to worry about falling behind the curve and opening gaps in their security posture. For more information, Gartner customers can download the report, and try out InsightVM today!

Remediation Workflow Now Integrates with ServiceNow


Today we're sharing an update to Remediation Workflow Ticketing capabilities. We are pleased to announce that Remediation Workflow in InsightVM now integrates with ServiceNow. One of the main benefits of Remediation Workflow Ticketing is to improve collaboration between security and remediation teams by seamlessly feeding existing IT workflows strategically scoped work items. With this most recent update, you can now extend the reach of Remediation Workflow to collaborate with teams using ServiceNow.

Many of our customers are security teams that interface with multiple IT or remediating groups, each of which uses its own workflow tools. In order to drive more effective remediations across their organizations, security teams need to:

Deliver the right message to IT, with solution-centric tickets
Automate assigning tickets to the right owners
Simply and easily track progress in the system of your choice

This new capability will help you improve the efficiency of your remediation workflow.

To learn more...

InsightVM users can go to Remediation Workflow today and configure a ticketing connection with ServiceNow. As with the JIRA integration, users can leverage Remediation Workflow's powerful templates to add just the right amount of security context to tickets automatically, as well as automate ticket assignments via rules. Here are a few resources to check out:

Help documentation
Simple Vulnerability Remediation Collaboration with InsightVM
Actionable Remediation Projects in InsightVM

Rapid7 offers multiple ways to integrate with ServiceNow. If Remediation Workflow Ticketing is not your fancy, take a look at the Ruby Gem integration and our ServiceNow App in the ServiceNow Store. Want a free 30-day trial of InsightVM? Get it here.

Protecting against DoublePulsar infection with InsightVM and Nexpose


After WannaCry hit systems around the world last month, security experts warned that the underlying vulnerabilities that allowed the ransomworm to spread are still unpatched in many environments, rendering those systems vulnerable to other hacking tools from the same toolset. Rapid7's Project Heisenberg continues to see a high volume of scans and exploit attempts targeting SMB vulnerabilities.

DoublePulsar, a backdoor that has infected hundreds of thousands of computers, is one of the most nefarious of these tools: it can not only distribute ransomware but is also able to infect a system's kernel to gain privileges and steal credentials. Identifying and patching vulnerable systems remains the best way to defend against the DoublePulsar implant. DoublePulsar is often delivered using the EternalBlue exploit package—MS17-010—which is the same vulnerability that gave rise to the widespread WannaCry infections in May.

To help customers, we are reiterating the steps we issued for WannaCry on creating a scan, dynamic asset group, and remediation project for identifying and fixing these vulnerabilities. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven't done so already, you can download a trial of InsightVM here.

Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:

1. Under the Administration tab, go to Templates > Manage Templates.
2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description; here, we'll call it “Double Pulsar and WNCRY Scan Template”.
3. Click on Vulnerability Checks and then “By Individual Check”.
4. Add Check "MS17-010" and click Save. This should come back with 195 checks that are related to MS17-010. The related CVEs are:

CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0147
CVE-2017-0148

5. Save the template and run a scan to identify all assets with MS17-010.

Creating a Dynamic Asset Group for MS17-010

Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of, which will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button. Then use the "CVE ID" filter to specify the CVEs listed above. This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

Creating a DoublePulsar/WannaCry Dashboard

Recently, Ken Mizota posted an article on how to build a custom dashboard to track your exposure to exploits from the Shadow Brokers leak. If you already did that, you're good to go! If you wanted to be specific to WannaCry and DoublePulsar, you could use this Dashboard filter:

asset.vulnerability.title CONTAINS "cve-2017-0143" OR asset.vulnerability.title CONTAINS "cve-2017-0144" OR asset.vulnerability.title CONTAINS "cve-2017-0145" OR asset.vulnerability.title CONTAINS "cve-2017-0101" OR asset.vulnerability.title CONTAINS "cve-2017-0146" OR asset.vulnerability.title CONTAINS "cve-2017-0147" OR asset.vulnerability.title CONTAINS "cve-2017-0148"

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting. This will also apply to DoublePulsar.

Creating a Remediation Project for MS17-010

In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the “Projects” tab and click “Create a Project”. Give the project a name, and under vulnerability filter type in:

vulnerability.alternateIds <=> ( altId = "ms17-010" )

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.

Now you can give this project a description and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.

Using these steps, you'll be able to quickly scan for the vulnerability that enables both WannaCry and DoublePulsar infections. If you have any questions please don't hesitate to let us know! For more information and resources on DoublePulsar, please visit this page.
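The "Creating a SQL Query Export" section above points to a discussion thread rather than giving a query. The query below is an added example, not from the post or the linked thread: it lists every asset that still has a finding for one of the six MS17-010 CVEs named in the scan template step, which is the same set the Dynamic Asset Group filters on. The table and column names (dim_asset, dim_vulnerability, dim_vulnerability_reference, fact_asset_vulnerability_finding, and the 'CVE' reference source value) are assumed to follow the Nexpose reporting data model used by the SQL Query Export; check them against your console's data-model documentation before relying on the results.

```sql
-- Added example (not the post's own query): assets with outstanding MS17-010 findings,
-- for use in the InsightVM/Nexpose SQL Query Export.
-- Assumption: reporting data model tables/columns as named here; the CVE reference
-- source is compared case-insensitively in case the stored value differs in case.
WITH ms17_010_vulns AS (
    -- Resolve the six MS17-010 CVEs to internal vulnerability ids.
    SELECT DISTINCT r.vulnerability_id
    FROM dim_vulnerability_reference r
    WHERE UPPER(r.source) = 'CVE'
      AND UPPER(r.reference) IN (
          'CVE-2017-0143', 'CVE-2017-0144', 'CVE-2017-0145',
          'CVE-2017-0146', 'CVE-2017-0147', 'CVE-2017-0148'
      )
)
SELECT
    da.ip_address,
    da.host_name,
    dv.title   AS vulnerability_title,
    COUNT(*)   AS finding_count          -- one row per finding instance on the asset
FROM fact_asset_vulnerability_finding favf
JOIN ms17_010_vulns  v  ON v.vulnerability_id  = favf.vulnerability_id
JOIN dim_asset       da ON da.asset_id         = favf.asset_id
JOIN dim_vulnerability dv ON dv.vulnerability_id = favf.vulnerability_id
GROUP BY da.ip_address, da.host_name, dv.title
ORDER BY da.ip_address, dv.title;
```

Because the query keys on CVE references rather than on check titles, it is unaffected by how individual check names are worded, and an empty result set after remediation is the signal that no MS17-010 exposure remains in the scanned scope.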

Live Threat-Driven Vulnerability Prioritization


We often hear that security teams are overwhelmed by the number of vulnerabilities in their environments: every day they are finding more than they can fix. It doesn't help when rating schemes used for prioritization, like the Common Vulnerability Scoring System (CVSS), don't really work at scale or take the threat landscape into account. How do you know where to focus if your vulnerability management solution shows that you have 10,000 vulnerabilities with a critical or high severity rating? And when a high-profile vulnerability comes along, how do you quickly gain insight into its impact on your organization?

Understanding which vulnerabilities are most likely to be exploited by an attacker is critical for effective prioritization. That's why the RealRisk score used in InsightVM and Nexpose takes into account whether a vulnerability is targeted by a known exploit or malware kit. In addition, the Rapid7 Critical vulnerability category enables security teams to automatically assess the risk posed by critical threats, particularly 0-days that don't have a CVSS score yet. But given recent events, there is clearly a need for vulnerability-based threat intelligence, as explained in this blog. Rapid7 already gathers and analyzes data on attacker methodology and emerging threats through the Rapid7 Insight platform, Rapid7 Labs' Project Heisenberg Cloud, our Managed Detection and Response team, and the Metasploit community. We want to make all this data available to our customers to help them better understand their exposure to the constantly changing threat landscape, but in a way that adds real value and not just noise.

Introducing the Rapid7 Threat Feed in InsightVM

The Rapid7 Threat Feed is a live, curated feed of vulnerabilities being actively exploited by attackers in the wild; these are the most dangerous vulnerabilities and should be addressed immediately. The feed combines data collected by our Heisenberg honeypots and incident response activity with information from trusted third parties:

Source        Description
Heisenberg    Attacks detected by Rapid7 Labs' modern honeypot framework
IR Activity   Confirmed incidents from Rapid7's Managed Detection and Response team
FBI           Information shared as part of the FBI's private sector partnership
InfoSharing   Information shared from a trusted partner tracking this threat
Open Source   Publicly available information

In addition to actively monitoring and curating the feed, the Rapid7 Threat Intelligence team adds important context such as threat vector and actor information, so you can see how relevant a threat is to your organization.

Visualizing Threats in Your Environment

But just having information is not enough; it needs to be combined with context about your organization's environment to make it actionable. We added a new Threat Feed Dashboard template that makes it easy for you to see how exposed your organization is to active threats and where you need to focus to reduce the likelihood of an attack. This dashboard includes information such as the percentage of assets or vulnerabilities in your environment that can be exploited by a novice, the most commonly exploited vulnerabilities, and common exploits and malware kits. Specifically, there are two new dashboard cards that leverage the Rapid7 Threat Feed. The Most Common Actively Targeted Vulnerabilities card shows you the most prevalent active threats in your environment. Clicking on this card gives a full list of actively exploited vulnerabilities on your network, which you can drill into for the Rapid7 Threat Feed details. The Assets with Actively Targeted Vulnerabilities card shows you the total number of assets on your network that are affected by active threats and which assets you need to prioritize for remediation.

Remediating Threats in Your Environment

Finding the most dangerous vulnerabilities in your environment is only half the job—next you need to actually fix them. Clicking on the Assets with Actively Targeted Vulnerabilities card gives a full list of affected assets, which can be added to a Static Remediation Project for driving action. With Remediation Workflow, you can create and assign tickets automatically, provide relevant and actionable information, and track progress from start to finish.

If you're an existing InsightVM customer (or haven't upgraded yet and are still using Nexpose Now), you can get started with the Rapid7 Threat Feed by creating a new Threat Feed Dashboard or adding the new cards in the Threat Feed category to an existing dashboard. If you're not an existing InsightVM customer, you can sign up for a free 30-day trial.

Wanna see WannaCry vulns in Splunk?


Do you want to see your WannaCry vulns all in one dashboard in Splunk? We've got you covered. Before you start, make sure you have these two apps installed in your Splunk App:

Rapid7 Nexpose Technology Add-On for Splunk
Rapid7 Nexpose for Splunk

Steps

1. Follow the directions in this blog post to create a custom scan template.
2. Scan your targets with the scan template as shown in the blog above.
3. Create a Dynamic Asset Group (DAG) containing the 8 CVEs (as shown in the blog post). In this example I called the Asset Group “Wannacry Assets.”
4. Create a Site in InsightVM or Nexpose; for Assets, use Asset Groups and select the DAG you just made.
5. Let the InsightVM or Nexpose to Splunk sync occur (this happens at 4am by default).
6. Use the Filter on the Rapid7 Dashboard to pick that site. In this example I called the Site: Wannacry.

And there you have it: a dashboard of your WannaCry vulns in Splunk, as found by Nexpose or InsightVM. You can also export the dashboard as a PDF report if you would like to share it. Not a customer of ours? Download a free trial of InsightVM to get started.

If you're a Splunk customer concerned about security, we can help. InsightIDR, our incident detection and response solution, uses your existing data sources—including Splunk—to identify stealthy attacks and prioritize risk across your environment. Discover how InsightIDR can help your team solve multiple security use cases without worrying about rising data costs or maintaining custom rules and queries. Take an interactive product tour.

Better Credential Management for Better Vulnerability Results

Often the first time the security team knows that credentials have expired is when their scans start to return dramatically fewer vulnerabilities. We all know getting credentialed access yields the best results for visibility. Yet, maintaining access can be difficult. Asset owners change credentials. Different assets have different frequencies for credential updates. Security teams are often left out of the loop. Between the original scan run time, the time it takes the security team to pinpoint that credential status is the cause of the problem, correcting the credential data, and re-running the scan, too much time has elapsed that security groups could have spent elsewhere.

What security teams need is a way to bypass these hassles by leveraging the credential management solutions that are already in play. This way, credentials are not stored in the vulnerability management system and are handled ephemerally, as they should be. This results in not only increased efficiency and less frustration for security teams, but also better security, since credentials are stored and managed centrally in CyberArk.

We are pleased to announce that as part of the May 24th, 2017 release, Nexpose and InsightVM (Security Console 6.4.39) have been integrated with CyberArk Enterprise Password Vault to enable credentialed scans while minimizing administrative effort. The CyberArk integration, which is in-product, will work with either specific credentials or shared credentials for a given asset and will allow your team, no matter the size, to spend less time looking after your tools and more time on your security program. You can:

Query for credentials dynamically based on:
- Address: The IP address or fully qualified domain name (FQDN) for the asset.
- Object Name: The name of the object that stores the credentials.
- Username: The username for the account that will be retrieved.
- Policy ID: The policy ID that is assigned to the credentials that will be retrieved.
- Custom Attributes: Custom key/value pairs in CyberArk.

Manage credential management preferences at the Site level or globally.

Getting Started

See the Help documentation and CyberArk Support, or contact your CSM or Rapid7 Support.

Live Dashboards for Demonstrating Remediation Progress

Is your security team working on the right things to make your organization safer today? How can you prove it with data?

Knowing Versus Doing

Knowing your threat exposure is only half the picture. The other half is knowing which actions to take with your vulnerability management solution to secure your organization against a shifting landscape of threats, while also demonstrating with data that these actions were the right thing to do and had the right impact for your organization. Making progress is difficult enough, but even when you've moved the bar, you have to show your stakeholders in ways they can understand. It's not easy, but we think it can be simpler.

Bringing Agility to Remediation Efforts

InsightVM's new Remediations Liveboard helps you easily, readily, and confidently answer the following questions:

- What's new in my world and how effective are my teams at remediating vulnerabilities?
- What remediation work was recently completed and how much is left?
- Which projects require my attention because they are past due or about to expire?
- Who are my top remediators?
- Who are my remediators requiring assistance?

The Remediations Liveboard provides visibility into what has been remediated, who your most effective remediators are, and who needs your assistance and guidance the most. You can take quick temperature reads on the overall status and progress of remediation efforts across your organization, and you can also easily drill down to inspect details. This new dashboard helps you get a better handle on remediation burndown and makes sure you're ready to field questions on remediation status at any point in the process. The Remediations Liveboard also brings greater agility to remediation efforts. You'll know when to adapt and shift gears in order to reallocate resources in response to changes in your environments.

You'll also have access to the data needed to confidently answer bigger-picture security program questions and analyze what works and what does not work for your teams.

How well are we responding to new vulnerabilities found in our organization? The New vs. Remediated Vulnerabilities card illustrates how your teams are fixing what has been found: “My team has been swamped. We are focusing this month only on vulnerabilities we know to be exploitable.”

Get a high-level view of Remediation Projects' status overall: “No imminent deadlines...time to tackle these overdue projects and get some project completions showing up before my next review.”

Deadlines are important for gauging risk, but they don't tell you whether a project is really at risk, since the amount of effort and complexity required to mitigate a vulnerability varies, as does the availability of needed resources (e.g., people and skill level). You need to know the amount of remaining work in a project to see remediation burndown. You might want to know which projects are closest to completion based on amount of work; or maybe, if taking down the most risk is your goal, you want to view by total remediations outstanding.

Success is all about people. There are two cards that inform you of who in your organization is the most effective at remediation, and who needs more support from you and your team.

Getting Started

The Remediations Liveboard is available today as part of InsightVM. Simply click on the “Create a New Dashboard” drop-down list and select “Remediations Dashboard” to get started. Not an InsightVM customer? Download a free trial of InsightVM today!

InsightVM/Nexpose Patch Tuesday Reporting

Many of our customers wish to report specifically on Microsoft patch-related vulnerabilities. This often includes specific vulnerabilities that are patched in Patch Tuesday updates. This post will show you the various ways that you can create reports for each of these.

Remediation Projects

Remediation Projects are a feature included in InsightVM that allow you to get a live view of the state of assets in your environment (please note that this feature requires that you have opted into the Insight Platform). Using Remediation Projects you can build dynamic projects that track vulnerabilities related to Microsoft patches as they are identified in your environment. To set up a dynamic project for Microsoft Patch-related vulnerabilities, follow the steps below:

1. Go to ‘Projects' in the InsightVM menu and click ‘CREATE A PROJECT'. You will see a new overlay appear which provides options to configure for the project.
2. Under the ‘Project Content' section, configure ‘Vulnerability Filters'. For reporting on all Microsoft Patch vulnerabilities, you can configure the following filter:

   vulnerability.categories IN ["Microsoft Patch"]

   For reporting on specific vulnerabilities, you can use a filter similar to this, changing the vulnerability titles to the ones for which you are interested in creating a project:

   vulnerability.title CONTAINS 'Microsoft CVE-2017-0175' || vulnerability.title CONTAINS 'Microsoft CVE-2017-0148'

As new vulnerabilities that meet the project criteria are identified, they will be added to the project.

Using Vulnerability Filters

Vulnerability filters allow you to filter on vulnerability, severity, and category. These can be applied in the scope section of any report that you are generating, making this option very flexible. Within the Vulnerability Filter selection window, we can select the 'MICROSOFT PATCH' category. This allows for reporting on vulnerabilities that are specific to Microsoft patches for any report template, built-in or custom.

The caveat to this method is that it will return all vulnerabilities in the MICROSOFT PATCH category. If you want to report on specific vulnerabilities fixed in Patch Tuesday updates, you can use the 'SQL Query Export' export template to facilitate this.

SQL Query Export

When reporting using the SQL Query Export template, it is important to know that Microsoft recently changed the naming scheme for the security bulletins that it publishes. Prior to February 14th, 2017, Microsoft issued security bulletins using this format: msft-cve-yyyy-nnnn. From February 14th, 2017 on, Microsoft will be using a CVE-based format. You can read more about these changes here: A Reminder About Upcoming Microsoft Vulnerability Content Changes. What this means is that you may need to use both formats when using the SQL Query Export template, so keep in mind the format of the bulletin on which you want to report. Below you will find a simple query that identifies hosts with specific vulnerabilities, as well as one that also includes remediation information.

Patch Tuesday

    SELECT da.ip_address AS ip_address,
           da.host_name AS hostname,
           dv.title AS vulnerability,
           dv.riskscore AS vulnerability_riskscore,
           dv.date_published AS vulnerability_date_published,
           proofAsText(dv.description) AS vulnerability_description
    FROM fact_asset_vulnerability_finding favf
    JOIN dim_asset da USING (asset_id)
    JOIN dim_vulnerability dv USING (vulnerability_id)
    WHERE dv.title ~* '(Microsoft CVE-2017-0175|Microsoft CVE-2017-0148)'
    ORDER BY round(dv.riskscore) DESC;

Note the '|' delimiter between the vulnerability titles in the WHERE clause. This allows you to add as many patterns as necessary. The '~*' in the WHERE clause is a case-insensitive regex match operator.

Patch Tuesday with Remediations

    SELECT da.ip_address AS ip_address,
           da.host_name AS hostname,
           dv.title AS vulnerability,
           round(dv.riskscore) AS vulnerability_riskscore,
           dv.date_published AS vulnerability_date_published,
           ds.summary AS solution_summary,
           proofAsText(ds.fix) AS fix
    FROM dim_asset_vulnerability_best_solution davbs
    JOIN dim_vulnerability dv USING (vulnerability_id)
    JOIN dim_asset da USING (asset_id)
    JOIN dim_solution ds USING (solution_id)
    WHERE dv.title ~* '(Microsoft CVE-2017-0175|Microsoft CVE-2017-0148)'
    ORDER BY round(dv.riskscore) DESC;

This query is similar to the previous query but also includes the solutions for vulnerabilities identified on a host. To learn more about using the InsightVM/Nexpose Data Model for reporting, check out the documentation here: https://help.rapid7.com/insightvm/en-us/#Files/Creating_reports_based_on_SQL_queries.html
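The post notes that bulletins issued before and after February 14th, 2017 carry different names, so a Patch Tuesday export may need both formats in one pattern. The query below is an added example, not part of the original post or of Rapid7's documentation: it uses only the tables and columns the two queries above use (fact_asset_vulnerability_finding, dim_asset, dim_vulnerability), matches either the old msft-cve-yyyy-nnnn naming or the newer Microsoft CVE-yyyy-nnnn titles for the two CVEs already used on this page, and rolls the findings up to one row per asset. The regular expression and the per-asset aggregation are my own choices, and the DISTINCT step assumes a finding table may hold more than one row for the same asset and vulnerability.

```sql
-- Added example (not from the original post): one SQL Query Export that
-- covers both Microsoft bulletin naming schemes and summarises per asset.
-- Assumed: PostgreSQL syntax, as used by the Nexpose reporting data model.
WITH patch_vulns AS (
    -- Match the pre-February-2017 "msft-cve-yyyy-nnnn" names as well as the
    -- newer "Microsoft CVE-yyyy-nnnn" titles. Add more CVE suffixes to the
    -- inner alternation as needed; '~*' keeps the match case-insensitive.
    SELECT vulnerability_id, title, riskscore, date_published
    FROM dim_vulnerability
    WHERE title ~* '(msft-cve|Microsoft CVE)-2017-(0175|0148)'
),
asset_findings AS (
    -- Collapse repeated findings for the same asset/vulnerability pair so
    -- the risk total below counts each vulnerability once per asset.
    SELECT DISTINCT favf.asset_id, pv.vulnerability_id, pv.title, pv.riskscore
    FROM fact_asset_vulnerability_finding favf
    JOIN patch_vulns pv USING (vulnerability_id)
)
SELECT da.ip_address AS ip_address,
       da.host_name AS hostname,
       count(*) AS matching_vulnerabilities,
       round(sum(af.riskscore)) AS total_riskscore,
       -- One row per asset, with the matched titles listed highest risk first
       string_agg(af.title, '; ' ORDER BY af.riskscore DESC) AS vulnerabilities
FROM asset_findings af
JOIN dim_asset da USING (asset_id)
GROUP BY da.ip_address, da.host_name
ORDER BY total_riskscore DESC, da.ip_address;
```

Because the title pattern is the only place the bulletin names appear, switching a report from one Patch Tuesday to the next means editing a single alternation; everything else in the export stays the same.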

Samba CVE-2017-7494: Scanning and Remediating in InsightVM and Nexpose

Just when you'd finished wiping away your WannaCry tears, the interwebs dropped another bombshell: a nasty Samba vulnerability, CVE-2017-7494 (no snazzy name as of the publishing of this blog, but hopefully something with a Lion King reference will be created soon). As with WannaCry, we wanted to keep this simple. First, check out Jen Ellis's overview of the Samba vulnerability, and then review the steps below to quickly scan for this vulnerability on your own infrastructure and create a dynamic asset group for tagging and reporting. If you aren't already a customer, you can use this free trial to scan for the Samba vulnerability across your environment.

Authenticated checks are live in our vulnerability management solutions Nexpose and InsightVM, as well as unauthenticated and authenticated remote checks. Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for CVE-2017-7494:

1. Under Administration, go to Manage Templates.
2. Copy the following template: Full Audit enhanced logging without Web Spider. Don't forget to give your copy a name and description!
3. Click on Vulnerability Checks and then “By Individual Check”.
4. Add Check “CVE-2017-7494” and click Save. This should come back with 41 checks that are related to CVE-2017-7494.
5. Save the template and run a scan to identify all assets with CVE-2017-7494.

Creating a Dynamic Asset Group for CVE-2017-7494

Now that you have your assets scanned, you may want to create a Dynamic Asset Group for reporting and tagging that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button. Now, use the "CVE ID" filter to specify the CVE. This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

Using these steps, you'll be able to quickly scan as well as report on the Samba vulnerability. Let us know if you have any more questions!

Discovery of assets in Active Directory

Many security teams work in a world that they can't fully see, let alone control. It can be difficult to know how to make meaningful progress in your vulnerability management program when simply maintaining visibility can be a struggle. One way to get some leverage is to make wise use of asset discovery. If you are able to tap into repositories or sources of assets, you stand a better chance of gaining and maintaining visibility.

Over the years, we've written a thing or two about expanding your ability to discover assets from wherever they may leave a trace. You might have read about our vulnerability scanner having the ability to discover assets from McAfee ePO, or Infoblox DHCP, or even Rapid7's own Project Sonar. Or perhaps you've scoured the recently redesigned https://help.rapid7.com to learn about how you may discover assets from AWS or VMware vSphere. If you were a voracious reader, you may have even tried out Adaptive Security to automate your response to what you discover, and then you could've started to monitor the work automated actions do for you.

Today we are pleased to share the availability of asset discovery from Active Directory.

Getting started

We've made it simple for you to gain visibility into your catalog of assets as they reside within Active Directory. In the Administration tab, create a new Discovery Connection. Next, select Active Directory (LDAP). You'll immediately be able to enter the information needed to connect to your own Active Directory server.

Give your connection a name, enter the hostname of the Active Directory server, and select a protocol. Both LDAP and LDAPS are supported. Provide a username and password, and then test your credential. If your credentials are good to go, you can then move on to creating your Base Query and Search Query.

Your Active Directory is likely tailored to meet the needs and contours of your organization. We've provided the ability to enter a Base Query to specify the portion of the AD tree you'd like to import, and a Search Query that you may use to further qualify the computers to discover. Once you've created your query, you might want to take it for a spin to make sure it's working properly. Try out Preview to see the top 50 results of your query to make sure you've got it dialed in.

Let's refine our search just a bit, to focus on just Exchange servers. I'll enter a Search Query: (dnshostname=exch*), and perform another quick test. Now that I'm feeling good about this query, I think I'd like to put it to work for me...

Simple automation

Did you notice the Consumption Settings in the screenshot above? It looks pretty familiar to the setup for importing assets from McAfee ePolicy Orchestrator, and it works in the same manner. Simply enable Consume assets, select a site to import into, and let the system do the work for you. You'll see assets populated from Active Directory as soon as the connection is saved. The time it takes to complete will vary, and will largely be driven by the time it takes the Active Directory server to respond to the query. Here is a view of the assets immediately after they've been imported. You'll notice we've also pulled in OS information from Active Directory where available, so you can create asset groups by the hostname and the OS. Of course, if you have existing dynamic asset groups, these assets may also be included.

The Discovery Connection imports assets once a day, maintaining the visibility you need while limiting the burden on your Active Directory server. And just like that, you're on your way to better visibility, with a minimum of effort, and a great deal of flexibility to match the contours of your world.

All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better. Not a customer of ours? Try a free 30-day trial of InsightVM today.

New Vulnerability Remediation Display in Nexpose Gets You to a Fix Faster

Background Information

As part of the Nexpose 6.4.28 release on Wednesday, March 29th, we introduced a new way to view remediation solution data in both the Nexpose Console UI and the Top Remediations Report. Over the years, we've heard from our customers that the Top Remediations Report is one of the most useful features in our vulnerability management solution, but there's always room for improvement. Specifically, they want to only see solutions that are applicable to the asset based on its OS, instead of solution data for all operating systems and platforms. The old behaviour led to larger reports and frustrated remediators who need to figure out which exact solution to apply.

Enhanced Top Remediations Report

We've improved the Top Remediations Report to present a single solution called the “best solution”. This solution is selected from a pool of solutions that are the highest in their supersedence chain, i.e. “rollup”, and are applicable to the asset's OS/platform. Usually, there is only a single choice, but if there are multiple solutions that meet the criteria for the best solution, Nexpose will choose the latest or most comprehensive solution. This results in a more concentrated delivery of solution prescriptions in the Top Remediations report. The report provides solutions that will mitigate the same or more risk with a smaller, more finely distilled selection of solutions.

In addition to changes in the Top Remediations Report, we have also updated the presentation of solution data in the console UI itself.

On the Asset Details Page - New Solutions “Pill” in Vulnerabilities Table

These pill icons indicate the status of the solution:

- Single solution: a single best solution exists for the vulnerability.
- Warning: there is no single best solution or “tie breaker”, so one or more of the listed solutions needs to be applied.
- Error: no solution is applicable, usually because the solution is deprecated by the vendor or the Console is decommissioned and not taking updates.

Clicking on the new pill icons in the Solutions column will navigate to a new Remediations portlet. This makes all the solution data pertaining to a vulnerability accessible without overwhelming users with the full set of data right away. Rather than loading the full solution superset every time, the solution information is presented in a more structured way, with the best solutions displayed first, followed by supporting data ordered by priority.

Fix all vulnerabilities on an asset or just a targeted few

The Remediations portlet can be found on the Asset Details page and has three tabs. The first two tabs are helpful when you are remediating an asset and focused on mitigating as much risk as possible on the asset. Best Solutions shows the single solution for each vulnerability on the asset, selecting from the data in the Applicable Solutions tab. The Solutions by Vulnerability tab provides a different view showing solutions by vulnerability, which is helpful in scenarios where remediators are targeting a specific vulnerability to fix.

Best solutions for one or all assets

The Remediations portlet is also available on the Vulnerability Details page. Since we are viewing a vulnerability without an asset in mind, the tabs provided show all the solutions that remediate the vulnerability across any OS, platform, library, etc., both in rollup and non-rollup view. However, when viewing a vulnerability found on a particular asset, users will see more information. The two additional tabs show information in the same fashion as on the Asset Details page, so that users can view specific remediation steps to take for a specific vulnerability on a specific asset. Asset Best Solutions lists the single best solution for remediating the vulnerability on this asset. The second tab, Asset Applicable Solutions, allows users to view other possible solutions. These entries are specific to the OS/platform or other profile data of the asset, and are also the highest in their supersedence chains.

More resources

In summary, this new structured solution data in the Console UI and the enhancement of the Top Remediations report strike a balance between keeping the Top Remediations Report clean and actionable while also making available the full set of solution data. Users will be able to fix faster without losing the ability to look at all of their options. Here are a couple of links that may provide more background on the topics covered in this post:

- Release Notes
- Help Documentation on Best Solutions

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Upcoming Event

UNITED 2017

Rapid7's annual security summit is taking place September 12-14, 2017 in Boston, MA. Join industry peers for candid talks, focused trainings, and roundtable discussions that accelerate innovation, reduce risk, and advance your business.

Podcast

Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee–deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.
