Rapid7 Blog

PCI  

PCI DSS Dashboards in InsightIDR: New Pre-Built Cards


No matter how much you mature your security program and reduce the risk of a breach, your life includes the need to report across the company and, periodically, to auditors. We want to make that part as easy as possible. We built InsightIDR as a SaaS SIEM on top of our proven User Behavior Analytics (UBA) technology to address your incident detection and response needs. Late last year, we added the ability to create custom dashboards and reports through the Card Library and the Log Entry Query Language (LEQL). Now, we’ve added seven pre-built cards that align directly to PCI DSS v3.2, to help you find important behaviors and communicate them across the company, the board, and external auditors. Let’s walk through a quick overview of the seven cards and how they tie to the requirements in PCI DSS v3.2.

1.3.5: Denied Connection Attempts

PCI Requirement 1 covers installing and maintaining a firewall configuration to protect cardholder data. InsightIDR can easily ingest and visualize all of your security data, and with our cloud architecture you don’t need to worry about housing and maintaining a datastore, even as your organization grows with global offices or acquisitions. This card is a standard, important use case for identifying anomalies and trends in your firewall data. In this case, the card runs the query “where(connection_status=DENY) groupby(source_address)” over your firewall log data.

4.1c: Potential Insecure Connections

It’s important to identify traffic destined for port 80, or the use of outdated SSL/TLS, especially for traffic around the CDE. This can help identify misconfigurations and ensure that, per Requirement 4, transmission of cardholder data is encrypted. As with all cards, you can click the gear at the top right to pivot into log search for more context around any particular IP address.

7.1.2b & 8.1.4: Users Accessing the CDE

Identifying which users have accessed the PCI environment is important, as is digging a layer deeper. When did they last access the CDE, and from what asset? This is all important context when identifying the use of compromised credentials. If the credentials of Emanuel Osborne, who has access to the cardholder environment, are used to log in from a completely new asset, should your team be worried? We think so, and that’s why our pre-built detections will automatically alert you. From this card, you can pivot to log search to identify the date of last access. In the global search at the top, any name can be entered to show you all of the assets where those credentials have been used (a new-asset logon is tracked as a notable behavior).

8.1.1: Shared/Linked Accounts in the CDE

Credentials shared by multiple people are dangerous, as sharing makes it much more difficult to retrace behavior and identify compromise. This card draws from asset authentication data to identify when the source account is not the destination account (where(sourceaccount != destinationaccount) groupby(destinationaccount)), so your team can proactively reduce this risk, especially for the critical CDE.

8.1.3a: Monitor Deactivated Accounts

Similar to the above, it’s important to know when deactivated accounts are re-enabled and used to access the CDE. Many InsightIDR alerts focus on this attack vector, as we’ve found that disabled and service accounts are common targets for lateral movement. Related: See how InsightIDR allows you to detect and investigate lateral movement. This card highlights users whose accounts were deactivated over the last 30 days.

10.2.4: Highlight Relevant Log Events
10.2.5a: Track & Monitor Authentications

Ah, the beefy Requirement 10: track and monitor access to network resources and cardholder data. This is where InsightIDR shines. All of your disparate log data is centralized (Req. 10.2) to detect malicious behavior across the attack chain (Req. 10.6). With the standard subscription, the data is stored and fully searchable for 13 months (Req. 10.7). These two cards highlight failed and successful authentications, so you can quickly spot anomalies and dig deeper. If you’ve been able to use InsightIDR for a few months, you already know that we’ll surface important authentication events to you in the form of alerts and notable events. These cards will ease sharing your findings and current posture outside the team.

For a comprehensive list of how InsightIDR can help you maintain PCI compliance, check out our PCI DSS v3.2 guide here. If you don’t have InsightIDR, check out our interactive product tour to see how it can help unify your data, detect across the attack chain, and prioritize your search with security analytics.
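As an added, stand-alone illustration of what the two groupby cards above (1.3.5 and 8.1.1) actually compute, the following Python script runs the same two filters over a handful of constructed key=value log lines. It is not InsightIDR or LEQL code; the field names (connection_status, source_address, sourceaccount, destinationaccount) are taken from the queries quoted above, while the timestamps, addresses, asset names and account names are made up for the example.

```python
"""Offline re-implementation of the two LEQL-style groupings described above:
card 1.3.5  where(connection_status=DENY) groupby(source_address)
card 8.1.1  where(sourceaccount != destinationaccount) groupby(destinationaccount)
Added example, not InsightIDR/LEQL code; all log data below is constructed."""
from collections import Counter
import re

# Constructed sample firewall log lines (key=value pairs), not real data.
FIREWALL_LOGS = """\
timestamp=2017-03-01T10:00:01Z connection_status=DENY source_address=10.0.5.12 destination_port=445
timestamp=2017-03-01T10:00:02Z connection_status=ALLOW source_address=10.0.5.12 destination_port=443
timestamp=2017-03-01T10:00:03Z connection_status=DENY source_address=203.0.113.7 destination_port=22
timestamp=2017-03-01T10:00:04Z connection_status=DENY source_address=203.0.113.7 destination_port=3389
timestamp=2017-03-01T10:00:05Z connection_status=DENY source_address=203.0.113.7 destination_port=80
timestamp=2017-03-01T10:00:06Z connection_status=ALLOW source_address=10.0.5.33 destination_port=443
"""

# Constructed asset authentication records: sourceaccount is who presented the
# credential, destinationaccount is the account actually logged into.
# Account and asset names are invented for the example.
AUTH_LOGS = """\
timestamp=2017-03-01T09:00:00Z asset=pos-register-01 sourceaccount=eosborne destinationaccount=eosborne result=SUCCESS
timestamp=2017-03-01T09:05:00Z asset=cde-db-01 sourceaccount=eosborne destinationaccount=svc_payments result=SUCCESS
timestamp=2017-03-01T09:07:00Z asset=cde-db-01 sourceaccount=jdoe destinationaccount=svc_payments result=SUCCESS
timestamp=2017-03-01T09:09:00Z asset=cde-app-02 sourceaccount=jdoe destinationaccount=jdoe result=FAILURE
timestamp=2017-03-01T09:12:00Z asset=cde-db-01 sourceaccount=eosborne destinationaccount=svc_payments result=SUCCESS
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv_lines(text):
    """Turn each non-empty key=value line into a dict of its fields."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def group_by(events, predicate, key):
    """Equivalent of where(<predicate>) groupby(<key>): count the matching
    events per distinct value of `key`, highest count first."""
    counts = Counter(e[key] for e in events if key in e and predicate(e))
    return dict(counts.most_common())


def denied_connections_by_source(events):
    """Card 1.3.5: denied firewall connections, grouped by source address."""
    return group_by(events, lambda e: e.get("connection_status") == "DENY", "source_address")


def shared_accounts_by_destination(events):
    """Card 8.1.1: logons where the presenting account differs from the
    account logged into, grouped by the destination (shared) account."""
    return group_by(events, lambda e: e.get("sourceaccount") != e.get("destinationaccount"), "destinationaccount")


def shared_account_users(events):
    """Context the count alone does not give: which distinct people used each
    shared account, so a reviewer can confirm it really is multi-user."""
    users = {}
    for e in events:
        if e.get("sourceaccount") != e.get("destinationaccount"):
            users.setdefault(e["destinationaccount"], set()).add(e["sourceaccount"])
    return {acct: sorted(u) for acct, u in users.items()}


if __name__ == "__main__":
    fw = parse_kv_lines(FIREWALL_LOGS)
    auth = parse_kv_lines(AUTH_LOGS)
    print("Denied connections by source:", denied_connections_by_source(fw))
    print("Shared accounts by destination:", shared_accounts_by_destination(auth))
    print("Who used each shared account:", shared_account_users(auth))
```

On the constructed data, the denied-connection grouping surfaces 203.0.113.7 (three denials) above 10.0.5.12 (one), and the shared-account grouping flags svc_payments as logged into by two different people; the third function is the extra pivot a reviewer would take before deciding whether that account should exist at all.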

Maximizing PCI Compliance with Nexpose and Coalfire


In 2007 Coalfire selected Rapid7 Nexpose as the engine around which to build their PCI Approved Scanning Vendor (ASV) offering. PCI was just a few years old, and merchants were struggling to achieve and document full compliance with the highly prescriptive Data Security Standard. Our goal was to find that classic sports car blend of style and power: a vulnerability assessment solution that was as streamlined and easy to use as possible, but robust enough to significantly improve the customer's security. In other words, an ASV service that could meet the needs of a large multi-national enterprise as well as the small franchise owner just learning how to spell IT. After looking at all the alternatives, Coalfire selected Nexpose for its high-end performance and ease of interoperability to build around, all at a price point that kept us competitive.

The Coalfire scanning solution has gone by many names since its first ASV certification: Surefire Compliance, ARM PCI RapidScan, Coalfire RapidScan, right up to today's CoalfireOne℠ scanning platform. But through all of it, Nexpose was under the hood making it go, with the power and reliability of a GM LS Series 6.0L or an AMC 4.0 straight-six. Sorry, that might be taking the analogy a bit far (and letting my car geek show), but the point is, we never had to worry whether the scan was going to run or whether it was going to find the latest SSL vulnerability; it just did. And that let us focus on the user experience, which was always our plan.

With our new ASV partnership, Rapid7's ASV customers now get that “best of both worlds” pairing: the same high confidence in scan findings they're used to, with the simplicity of CoalfireOne management. Define your targets, set your schedule, review and dispute findings, and download your attestation of compliance, all through the easy-to-use web interface. It's a little like a Shelby Cobra: body by AC Cars, V8 by Ford. Okay, I'm done.

[Q&A] User Behavior Analytics as Easy as ABC Webcast


Earlier this week, we had a great webcast all about User Behavior Analytics (UBA). If you'd like to learn why organizations are benefiting from UBA, including how it works, top use cases, and pitfalls to avoid, along with a demo of Rapid7 InsightIDR, check out the on-demand recording: User Behavior Analytics: As Easy as ABC, or the UBA Buyer's Tool Kit. During the InsightIDR demo, which includes top SIEM, UBA, and EDR capabilities in a single solution, we had a lot of attendee questions (34!). We grouped the majority of questions into key themes, with seven Q&As listed below. Want more? Leave a comment!

1. Is [InsightIDR] a SIEM?

Yes. We call InsightIDR the SIEM you've always wanted, armed with the detection you'll always need. Built hand-in-hand with incident responders, our focus is to help you reliably find intruders earlier in the attack chain. This is accomplished by integrating with your existing network and security stack, including other log aggregators. However, unlike traditional SIEMs, we require no hardware, come prebuilt with behavior analytics and intruder traps, and monitor endpoints and cloud solutions, all without having to dedicate multiple team members to the project.

2. Is InsightIDR a cloud solution?

Yes. InsightIDR was designed to equip security teams with modern data processing without the significant overhead of managing the infrastructure. Your log data is aggregated on-premises through an Insight Collector, then securely sent to our multi-tenant analytics cloud, hosted on Amazon Web Services. More information on the Insight Platform cloud architecture.

3. Does InsightIDR assist with PCI or SOX compliance, or would I need a different Rapid7 solution?

Not with every requirement, but many, including tricky ones. As InsightIDR helps you detect and investigate attackers on your network, it can help with many unique compliance requirements. The underlying user behavior analytics will save you time retracing user activity (who had what IP?), as well as increase the efficiency of your existing stack (over the past month, which users generated the most IPS alerts?). Most notably, you can aggregate, store, and create dashboards out of your log data to solve tricky requirements like “Track and Monitor Access to Network Resources and Cardholder Data.” More on how InsightIDR helps with PCI Compliance.

4. Is it possible to see all shadow cloud SaaS solutions used by our internal users?

Yes. InsightIDR gets visibility into cloud services in two ways: (1) direct API integrations with leading services, such as Office 365, Salesforce, and Box, and (2) analyzing firewall, web proxy, and DNS traffic. Through the latter, InsightIDR will identify hundreds of cloud services, giving your team visibility into what's really happening on the network.

5. Where does InsightUBA leave off and InsightIDR begin?

InsightIDR includes everything in InsightUBA, along with major developments in three key areas:
- Fully Searchable Data Set
- Endpoint Interrogation and Hunting
- Custom Compliance Dashboards
For a deeper breakdown, check out “What's the difference between InsightIDR & InsightUBA?”

6. Can we use InsightIDR/UBA with Nexpose?

Yes! Nexpose and InsightIDR integrate to provide visibility and security detection across assets and the users behind them. With this combination, you can see exactly which users have which vulnerabilities, putting a face and context to the vuln. If you dynamically tag assets in Nexpose as critical, such as those in the DMZ or containing a software package unique to domain controllers, those are automatically tagged in InsightIDR as restricted assets. Restricted assets in InsightIDR come with a higher level of scrutiny: you'll receive an alert for notable behavior like lateral movement, endpoint log deletion, and anomalous admin activity.

7. If endpoint devices are not joined to the domain, can the agents collect endpoint information to send to InsightIDR?

Yes. From working with our pen testers and incident response teams, we realize it's essential to have coverage for the endpoint. We suggest customers deploy the Endpoint Scan for the main network, which provides incident detection without having to deploy and manage an agent. For remote workers and critical assets not joined to the domain, our Continuous Agent is available, which provides real-time detection, endpoint interrogation, and even a built-in Intruder Trap, Honey Credentials, to detect pass-the-hash and other password attacks.

Huge thanks to everyone who attended the live or on-demand webcast. Please share your thoughts below. If you want to discuss whether InsightIDR is right for your organization, request a free guided demo here.

Seven Ways InsightIDR Helps Maintain PCI Compliance


“Compliance is king.” This is a familiar saying for any company that processes credit card transactions, where being compliant with the Payment Card Industry Data Security Standard, or PCI DSS, reigns supreme. Any entity that stores, processes, or transmits cardholder data must abide by the requirements, which serve as best practices for securing your cardholder data environment (CDE). Nexpose and Metasploit have been designed to directly help your team meet PCI DSS, as well as comply with many other compliance standards. Created by security responders, Rapid7 InsightIDR also ties in with PCI, including helping you meet Requirement 10: tracking and monitoring all access to network resources and cardholder data. InsightIDR joins your security detail to detect the top attack vectors behind breaches, speed up incident investigations, and help you escape the drudgery of security data management.

Here are a few of the PCI requirements that InsightIDR can help your security team manage, ranging from monitoring access to your CDE and exposing risky user behavior, to fast and comprehensive incident investigations across the entire organization. To see it in action, see our 20-minute on-demand demo.

Requirements 5.1 & 5.2: InsightIDR scans all endpoints for malware and identifies risky user behavior, including compromised user accounts, anomalous admin activity, and lateral movement. This endpoint visibility is accomplished for all systems through a blend of endpoint scans and the continuous Insight Agent.

Requirements 6.4.1 & 6.4.2: You can monitor multiple separated environments, define network zones, and be alerted if access policies are violated. As an example, an organization could set a policy that no users in the “developers” group should access the network zone “PCI Production,” ensuring InsightIDR alerts them on any such violation.

Requirements 7.1, 7.3: After flagging systems in your CDE as restricted assets, InsightIDR will alert you on any change in behavior. This includes suspicious authentications, users with unexpected privilege escalations, and even approved users remotely accessing the CDE from a new source asset. This detects unauthorized access and user risk, and enforces policies set by your security team.

Requirements 8.1, 8.2.4, 8.5: InsightIDR alerts on brute forcing, pass-the-hash, and other password guessing attempts by running behavior analytics on event logs and through Intruder Traps, such as honey users and honey credentials.

Requirement 10: InsightIDR is your complete solution to track and monitor all access to network resources and cardholder data. This starts with aggregation and search across any of your log files. In addition, all network activity is directly correlated to the users and assets behind it. During incident investigations, the security team can bring together log search, real-time user activity, and endpoint interrogation into a single Super Timeline (see below). No more parsing through disparate log files, jumping between multiple solutions for investigations, or retracing user activity across IPs, assets, and services.

Requirement 11.4: InsightIDR identifies malicious behavior earlier in the attack chain, the steps required to breach a company. Through a combination of user behavior analytics and purpose-built Intruder Traps, InsightIDR detects the top attack vectors behind breaches, including phishing, compromised credentials, and malware.

Requirements 12.3, 12.5, 12.10: InsightIDR can aggregate, search, and attribute logs and alerts from Intrusion Detection/Prevention Systems (IDS/IPS) and firewalls to the users and assets behind them. For example, with one search, the security team can identify the users generating the most IDS/IPS alerts.

InsightIDR was built hand-in-hand with security teams to be the SIEM solution you always wanted, armed with the detection you will always need. It combines learnings from the Metasploit project, our penetration testing teams, and tested User Behavior Analytics (UBA) that hundreds of organizations benefit from today. You can finally get visibility and detection while meeting PCI compliance without it becoming a second full-time job. Learn more about how Rapid7 can help your team meet PCI, or sign up for a free guided demo!

Redner's Markets Selects Nexpose & InsightUBA for Compliance and Incident Detection


With breaches making regular headlines, security teams are under more scrutiny than ever before. This is especially true in retail, where strong security practices are paramount to protecting customer and organizational data. PCI DSS compliance is a key component of any retail organization's security program. As a Level 2 merchant, Redner's Markets must conduct regular vulnerability scans, collect logs, and review them daily.

“Compliance was what began our relationship with Rapid7,” explains Nick Hidalgo, Director of IT at Redner's Markets. “We purchased Nexpose for PCI compliance, and afterwards we brought on [InsightUBA, formerly UserInsight].” He and his team are tasked with securing a business environment that includes more than 700 point-of-sale machines across 45 traditional supermarkets, 18 gas stations, and three corporate facilities. “[InsightUBA] watches over everything,” he laughs.

Redner's Markets uses Rapid7 solutions to address:
- PCI Compliance
- Vulnerability Management
- Incident Detection, including User Behavior Analytics to detect use of compromised credentials
- Incident Investigation

To hear the whole story of how Redner's Markets partners with Rapid7 for its security needs, read the full Rapid7 case study.

Seven Ways UserInsight Helps With PCI Compliance


For any company that deals with credit cards, PCI DSS compliance still reigns king. You may be aware of how our Threat Exposure Management solutions, Nexpose and Metasploit, have been designed to directly meet PCI DSS, as well as comply with many other standards. Today, let's look at how our Intruder Analytics solution, UserInsight, joins your security detail to identify threat actors across your ecosystem, whether they be attackers masquerading as employees or insider threats. Here is an excerpt of the PCI requirements UserInsight can help with; check out the full list in the Rapid7 PCI DSS Version 3.0 Compliance Guide.

Requirement 3.5.1: UserInsight lets you monitor which users access critical systems or restricted network zones that may hold cryptographic keys. This provides you with an access audit trail.

Requirements 6.4.1 & 6.4.2: You can define the production environment as a network zone, and receive automatic alerts if an outside group (e.g. developers) authenticates into that closed-off area/segment/zone.

Requirements 7.1, 7.1.1, 7.1.2: UserInsight lets you flag systems in the cardholder data environment (CDE) as critical, and alerts you to unusual authentications. A common step in the attack chain is to use an exploit to elevate a compromised user's privileges. Any user with an unexpected privilege escalation, which could be used to access a CDE system, will trigger an automatic alert. Further, you have instant visibility into the administrators and privileged users within the organization. With automatic insight into endpoints, you detect local lateral movement and pass-the-hash attacks as well.

Requirements 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5: UserInsight helps you monitor user behavior from the endpoint to the cloud. Attackers love to gain a foothold on the network through disabled users, cloud services, and by attacking endpoints. Having been designed by a team with deep knowledge of attacker methodology, UserInsight identifies compromised credentials as well as risky internal behavior, such as shared accounts and unnecessary administrators.

Requirement 8.2.4: You'll have instant visibility into accounts with passwords set to never expire, as well as the date the password was last changed.

Requirements 10.1, 10.2: UserInsight collects a variety of logs across your network, correlates them by user, and tracks authentication attempts, giving you full visibility. Administrative activity across both on-premises and cloud services (IaaS, SaaS and PaaS) is tracked, helping identify previously unknown administrators as well as intruders using compromised credentials to lurk on your systems. Through an Agentless Endpoint Monitor, we can even identify actions taken on your endpoints, including local lateral movement and log deletion, two behaviors any security administrator wants to know about.

Requirement 10.6.1: Security teams are already strained by false-positive alerts, parsing through disparate log data, and writing and maintaining rules. UserInsight sanitizes your logs down to the security-relevant events and stores them in perpetuity. By aggregating and running analytics on your endpoint, on-premises, and cloud services, there is a complete picture of user activity, and you receive only the alerts that matter. By helping you store your security data on the UserInsight platform, you have a permanent audit trail that can't be tampered with or deleted by the attacker.

Please see a more comprehensive description of how UserInsight helps you comply with PCI DSS 3.0 in the Rapid7 PCI DSS Version 3.0 Compliance Guide. UserInsight provides benefit to many compliance frameworks outside of PCI DSS, such as the SANS Critical Security Controls. Of course, our vision extends beyond compliance; UserInsight looks to automatically detect attacks, help you quickly investigate security incidents, and monitor user behavior across your entire network ecosystem. Learn more about UserInsight.

Top 3 Takeaways from the "PCI DSS 3.0 Update: How to Restrict, Authenticate, and Monitor Access to Cardholder Data" Webcast


In this week's webcast, Jane Man and Guillaume Ross revisited the latest PCI DSS 3.0 requirements. Security professionals need to be diligent to remain compliant and secure. Jane and Guillaume discussed some key results from the Verizon 2015 PCI Compliance Report, tips and tricks for complying with requirements 7, 8, and 10, and touched upon upcoming changes in v3.0 and v3.1. Read on for the top 3 takeaways from the “PCI DSS 3.0 Update: How to Restrict, Authenticate, and Monitor Access to Cardholder Data” webcast:

1) Compliance is a Point-in-Time Event

If you're deemed compliant and then stop performing the processes associated with any requirement, you can easily be out of compliance a few days later. Compliance takes maintenance and adjustments as your environment changes through added data sources, users, operating systems, or applications. According to the Verizon 2015 PCI Compliance Report, none of the companies that suffered a breach complied with the requirements for monitoring access, but they could have been previously compliant, which leads me to the next big takeaway…

2) Sustainability is Essential

Companies can often be very diligent when first aiming to achieve compliance, but if there isn't staff dedicated to the new processes and tasks involved in becoming compliant, compliance slips. Compliance is binary and must be a continuous process. You're either compliant or you're not; even if you're 95% of the way there, you're technically not compliant without that last 5%. It's important to have clear and sustainable practices and controls in place that will be effective and efficient over time to help maintain compliance and strong security. Regularly test security systems and processes, and even if you have automated tools, make sure someone is taking the time to look at systems and investigate legitimate alerts. In hindsight, it can be easy to say a breach could have been prevented if you'd just looked at the right logs, but looking at the right log at the right time requires sustained effort and strong monitoring, logging, and auditing processes.

3) Reduce, Restrict, and Revalidate

Reduce the number of shared and generic accounts wherever possible, and make sure all activity on accounts like these is traceable and logged. Users should be restricted to accessing only the systems, features, and data they need to perform their jobs. Security teams should have controls in place to enforce and provision access policies and to detect violations. Always be revalidating the access you've given to users. The jobs and needs of users in an organization can morph over time. As more privileges are given out, make sure that anything no longer needed is removed to avoid “permission creep,” which gets harder and harder to manage if neglected. When it comes to compliance, we should always be fine-tuning permissions and processes, without forgetting to go above and beyond to ensure security for important assets as well.

For the in-depth discussion and tips and tricks on keeping up with PCI DSS compliance, view the on-demand webinar now.

Webcast Followup: Escalate Your Efficiency


Last week, we had a live webcast to talk about how Metasploit Pro helps pentesters be more efficient and save time. There were so many attendees, which made for a great conversation. First of all, I want to thank those of you who took the time from your busy schedules to watch us live. Our viewers asked many questions, and we were not able to answer all of them due to time limitations. In this post, you will find the answers to those questions.

First things first. If you would like to read a recap of the webcast, go here: Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast, and if you would like to watch the webcast, go here: On Demand Webinar: Escalate Your Efficiency: How to Save Time on Penetration Testing.

Questions and Answers

In order to protect the identities of our attendees, we have taken out any identifiable information from the questions. Thus, some questions may have been reworded.

Is there a tutorial available for some of the finer points of using Metasploit Pro?

There is quite a bit of content available. We will continue to generate new content as we add new features in the future. Feel free to start here: Metasploit Online Help.

Is Metasploit Pro licensed specifically for a named user, or can it be licensed to support a moderately sized, remotely located pen test group?

As of right now, we only support licensing based on the number of users. However, we are investigating different licensing options, and we will take your suggestion into consideration.

Does the Metasploit Pro license limit how many IP addresses can be added to a project?

No, it does not. Our licensing model is based on the number of users. There are no license limitations around the number of IP addresses. Please keep in mind that if you plan to test a large network, we strongly suggest you run Metasploit Pro on a beefy machine to prevent any performance issues.

Is one of the UI improvements the ability to pause scanning to accommodate multiple small testing windows?

Yes. We have recently released the Pause & Resume feature in Metasploit Pro. Currently it is only available for the Credential Reuse task. However, we are planning to extend the feature to other tasks in the future.

Our organization is just about to train our ISSO to conduct internal penetration testing in house using Metasploit Pro. What features should we begin testing to introduce us "newbies" to the world of pentesting?

Metasploit Pro comes with an easy-to-use web interface to simplify pentesting as much as possible. Personally, I would start with a phishing/social engineering campaign to quickly assess your employees, since this type of testing requires a lot less technical knowledge. Additionally, an easy win may be scanning your network for vulnerabilities with Nexpose and validating the found vulnerabilities with Metasploit to determine which vulnerabilities you should focus on fixing first. Here is a good read to get started: Introduction to Penetration Testing.

Can I develop an exploit in Metasploit Pro?

You actually do not need Metasploit Pro to develop an exploit. Metasploit Pro is not a tool for reverse engineering an application to look for zero-day vulnerabilities and write exploits. It is an application for consuming available exploits in an efficient manner. If you would like to learn how to write exploits, feel free to start with the following pages: Contributing to Metasploit; Metasploit Resource Portal.

What are the learning curves between the editions? I used Metasploit Framework several years ago, so I am not totally new to pentesting.

Metasploit Pro consumes the same modules that Framework does, so as far as exploit content goes, there is not much difference. However, Metasploit Pro comes with some additional features, most of which we talked about during the webinar, that might require some reading and learning. We know that many of our users have used Framework in the past and are used to the command line, so we are going to bring some of those commands to the Metasploit Pro web interface in 2015 to make it even easier to use. Overall, the learning curve is not that steep.

Can I use my own word list when I customize a bruteforce attempt?

Yes, you can. Even though the bruteforce functionality does not take a wordlist as input, a wordlist can be used to generate a list of credential pairs, which can then be imported for use in bruteforce.

Is there an option for passwords in different languages for bruteforce?

Currently there is not. You can, however, create your own custom list of credential pairs from wordlists in any language, and then import it for bruteforce.

How can I customize the password mutation feature for a bruteforce attempt?

The password mutation feature comes with several mutation options. Currently we do not support adding customized mutation rules; however, this is something we are looking to implement in the future.

What can I expect, in hours, to spend on bruteforcing a typical 100-PC network including servers and workstations? Does speed change between Metasploit editions, say Community vs. Pro?

We would very much like to give you an answer for this; however, it really depends on many factors such as network speed, mutation rules, password combinations, number of services, etc. The best way to learn is to actually try this on your own network with your custom configuration. This way you can create your baseline and go from there. The running speed of any task does not differ between versions.

Do you have any suggestion for a good place to get a good username and password list to use?

Here is a collection of mirrors: https://wiki.skullsecurity.org/Passwords. If you are interested in building personalized wordlists for specific situations, here is a good starting point: Errata Security: Extracting the SuperFish certificate.

We started using task chains extensively and at some point realized that they don't function as set up when we update the machines. Are task chains dependent on the projects created?

Yes, task chains are project dependent and cannot be replicated across projects.

How often are you utilizing embedded outdated, insecure components of applications and systems for exploitation (similar to GHOST)?

When a high-impact vulnerability becomes available, the turnaround is usually pretty fast. When Shellshock came out, there was an exploit released within 24 hours. The turnaround time really depends on how difficult (or easy) the issue is to exploit, whether there is a reasonable network vector (rather than a mere local-only vulnerability), and the likely impact of the vulnerability.

If the Metasploit Framework is unable to break a hash, say an MD5 hash, what other resources would you use, or how would you go about using Metasploit to figure out how to crack the hash?

We have recently added a tool to look up MD5 hashes in publicly available databases: https://github.com/rapid7/metasploit-framework/pull/4601. Additionally, you can combine John the Ripper and Metasploit to attack MD5 hashes with this module: modules/auxiliary/analyze/jtr_linux.

Could you add a service to find default login credentials for Tomcat?

There is already a Metasploit module for Tomcat that performs login attempts. It is called "Tomcat Application Manager Login Utility" and its path is "auxiliary/scanner/http/tomcat_mgr_login". Additionally, here is our module database. Feel free to search for other modules.

With the release of msfvenom, is there going to be any compatibility with users who have developed payloads and tools in msfencode and msfpayload?

We don't anticipate any gaps in functionality: msfvenom has been in "public beta" for years now, and there should already be 1:1 feature parity. That said, if you notice something not working for your use case between msfpayload, msfencode and msfvenom, please open a GitHub issue here.

When will GPU password cracking be available?

Currently, we do not have any plans to add GPU password cracking as a feature. However, John the Ripper has some excellent toolchains for this, and Metasploit can import the results pretty easily.

Metasploit is a great tool; however, it is only a tool. PCI v3 requires that the pentest is "based on industry-accepted penetration testing approaches (for example, NIST SP800-115)". What is the penetration testing methodology used by your pentesters with Metasploit?

We believe that there is no single methodology for PCI compliance. Generally, companies use a vulnerability management solution to try to fix as many vulnerabilities as they can. Some also perform initial penetration testing, and this is where Metasploit Pro can help. Finally, consultants can come in to provide pentesting. We actually like this order, because consultants should help you find the things you could not. I would not call this a methodology; however, if you approach a PCI engagement in this order, then you can get the most out of your compliance engagement, not just a PCI checkbox. Feel free to read more about this topic, starting with this article: What You Should Take Away from the PCI DSS 3.0.

Is it simpler to run a WiFi penetration test using Pineapple with Metasploit Pro compared to Metasploit Framework? Can you add WiFi pentest integration?

Once you have a connection to a WiFi network through Pineapple or any other tool, you can use Metasploit Pro or Metasploit Framework as intended, since the WiFi becomes just another network. In this case, all additional features of Pro will be available for you to use. However, as far as getting access to a WEP- or WPA-protected WiFi network, Metasploit Pro and Framework have no functionality to do this, and we are not planning on adding this functionality at this time.

Some of your experts are stating that you shouldn't focus all your work on automated tools such as your own Metasploit, and that you should spend the time to learn the tools individually/manually; however, other experts are touting Metasploit as the be-all, end-all tool to use. What are your thoughts on this?

Metasploit Pro can replace many tools for various tasks, thereby making the user more efficient. Additionally, we can make the argument that if you know Metasploit very well, you may not have to spend time learning a bunch of other tools. The reality is, as long as pentesting stays a broad and complicated subject, there will always be many tools out there for different purposes, and a good pentester should always be familiar with different options.

Is there a set of questions or a methodology that can be used to interview a good pentester?

There are many approaches to interviewing a pentester. Here are two examples:

Hands On, Practical Interview | The interviewee is given access to a lab network with various systems along with a couple of pentesting tools, and various objectives which the interviewee is expected to complete. With this approach, the interviewer can observe the interviewee while they execute a small pentest utilizing different tools and techniques.

Theoretical, Story Telling Interview | The interviewee is asked a list of questions to assess their overall knowledge (this step can be combined with the practical interview).
Interviewee is also expected to share several examples of past work and discuss various situations that the person had to overcome.Interview questions will vary depending on the interviewee; however I find this article a good read.This is it for this blog post. As always, feel free to reach out to us @metasploit if you have further questions. Thank you Metasploit Team for assisting me with these answers.Eray Yilmaz - @erayymzSr. Product Manager, Metasploit
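
As an added example (not Metasploit's own code) of the approach described in the bruteforce answers above, the following Python script turns a username list and a wordlist into credential pairs, applies a few mutation rules, and writes them in the space-separated "user password" per-line form that Framework's USERPASS_FILE option reads. The mutation rules (capitalization, leetspeak, appended suffixes), the suffix list and the sample inputs are assumptions of this example, not Metasploit Pro's built-in mutation options; check the Pro import dialog for the exact file format it accepts.

```python
"""
Added example (not Metasploit's own code): build username/password pairs from a
username list plus a wordlist, apply a few mutation rules, and emit them as
"user password" lines (the form Framework's USERPASS_FILE option reads).
The mutation rules below are illustrative, not Metasploit Pro's rule set.
"""
from typing import Iterable, List, Sequence, Tuple

# Simple leetspeak substitutions on lowercase letters; an assumption of this
# example rather than the exact mapping Metasploit Pro applies.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Suffixes appended to every base word ("" keeps the base itself).
DEFAULT_SUFFIXES: Sequence[str] = ("", "1", "123", "!", "2015")


def parse_wordlist(text: str) -> List[str]:
    """Return non-empty, non-comment lines of a wordlist, in order, deduplicated."""
    words: List[str] = []
    seen = set()
    for raw in text.splitlines():
        word = raw.strip()
        if not word or word.startswith("#") or word in seen:
            continue
        seen.add(word)
        words.append(word)
    return words


def mutate(word: str, suffixes: Sequence[str] = DEFAULT_SUFFIXES) -> List[str]:
    """Expand one word into its variants (the original first), deduplicated."""
    bases = [word, word.capitalize(), word.translate(LEET)]
    out: List[str] = []
    seen = set()
    for base in bases:
        for suffix in suffixes:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


def credential_pairs(users: Iterable[str], words: Iterable[str],
                     mutations: bool = True) -> List[Tuple[str, str]]:
    """Cross every username with every (optionally mutated) password."""
    passwords: List[str] = []
    seen = set()
    for word in words:
        for candidate in (mutate(word) if mutations else [word]):
            if candidate not in seen:
                seen.add(candidate)
                passwords.append(candidate)
    return [(user, pw) for user in users for pw in passwords]


def userpass_lines(pairs: Iterable[Tuple[str, str]]) -> List[str]:
    """Format pairs as 'user password' lines.

    A user or password containing whitespace cannot be represented in this
    space-separated format, so such pairs are dropped rather than emitted broken.
    """
    lines: List[str] = []
    for user, pw in pairs:
        if any(ch.isspace() for ch in user + pw):
            continue
        lines.append(f"{user} {pw}")
    return lines


if __name__ == "__main__":
    # Constructed sample inputs for this example (not real credentials).
    users = ["root", "admin"]
    wordlist = "# top passwords\n\npassword\nletmein\npass word\n"
    pairs = credential_pairs(users, parse_wordlist(wordlist))
    for line in userpass_lines(pairs):
        print(line)
```

Write the lines to a file and point the bruteforce import (or Framework's USERPASS_FILE option) at it; keep the suffix list short, since every suffix multiplies the pair count and therefore the run time discussed in the timing answer above.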

Top 3 Takeaways from the "Escalate your Efficiency: How to Save Time on Penetration Testing" Webcast

Penetration Testing is a complex process that requires attention to detail, multi-tasking, extensive knowledge of different attack vectors, available vulnerabilities and exploits, and patience. Recently erayymz, Senior Product Manager at Rapid7, spoke with pen testing professionals Leon Johnson, Senior Consultant at Rapid7, and Dustin Heywood, Manager of Security Assurance at ATB Financial. They discussed how to take advantage of automation with Metasploit Pro to simplify penetration testing processes in the webcast Escalate your Efficiency: How to Save Time on Penetration Testing. Read on for the top 3 takeaways from their technical, in-depth conversation:

Metasploit is to a Pen Tester as a Scalpel is to a Surgeon – Not using automation for penetration testing is akin to a surgeon performing surgery without using tools. Historically, pen testing was a step-by-step approach, with the ever-increasing attack surface adding more steps all the time. It is immeasurably more difficult and time-consuming to keep your security strong when bogged down by the repetitive tasks required by penetration testing. Metasploit Pro makes it possible for security professionals to get extremely repetitive and labor-intensive tasks done with just a few clicks, enabling users to spend more time on customized solutions, targeted pen tests, or any other project on their plate that will ensure greater security for their organization.

Credential Security Flaws can be Confronted – Credentials continue to be the #1 attack vector when it comes to compromising networks. With this in mind, the Metasploit team has added a credentials management system to the Pro edition of Metasploit. Features like the Credentials Domino MetaModule and simplified bruteforcing provide huge time savings and improved security visibility for penetration testers, so that credentials are no longer an unmanageable blind spot. (These features are demoed in the webcast - check it out now.)

Compliance is but a framework to build upon – Requirements in frameworks like PCI and HIPAA provide a minimum standard checklist for organizations. Truly strong security depends on the strength and ability of a penetration tester who gets to go off script and check out possible weaknesses in networks and infrastructure beyond what regulatory guidelines cover. Tools like Metasploit Pro take away the busy legwork in the process, allowing penetration testers to get the job done more thoroughly and quickly.

The juiciest parts of the webcast were the Q&A with the live audience and getting to dive into the product to see how Metasploit Pro gets tasks like credential management, bruteforcing, AV evasion, VPN pivoting, and task chains done in a few simple clicks. To experience the full broadcast: view the on-demand webcast now.

Top 3 Takeaways from the "PCI DSS 3.0: Are You Ready for January?" Webcast

The deadline (January 1, 2015!) for PCI DSS 3.0 compliance is quickly approaching. Some of our PCI experts addressed this head on in a recent webcast, “PCI DSS 3.0: Are you Ready for January?”. Derek Kolakowski, Brian Tant, and ncrampton discussed what it will take for security professionals to get over the finish line and achieve 3.0 compliance, and to be secure and ready when auditors come a'calling. Read on for the top takeaways from this discussion:

Know Who Owns What – Not only is this important for your internal planning and implementation, but it is actually one of the new requirements in 3.0 compared to the 2.0 standard. The new requirement, 12.8.5, says to maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by your own organization. This is a particularly important one to follow, since so many of the recent major breaches have been the result of weak security on the part of third parties working with the compromised organization.

Continuously Review & Update your Plan – It's important to keep revisiting your plan to achieve 3.0 compliance to make sure you are on task, and that your plans continue to make sense for your environment. Information discovered during implementation of an initial action plan can cause the best-laid plans to no longer make sense and need updating along the way. Your plan should be a living document that is constantly refined to reflect your current environment.

The Goal: Compliance 24x7x365 – One thing our speakers emphasized is that compliance shouldn't be looked at as just boxes to check so auditors are satisfied and go away. PCI DSS 3.0 compliance should be thought of as an ongoing process, with plans for continual upkeep. The requirements were developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. Compliance is of course not the only thing needed to be secure, but it's an essential piece for many security programs.

For a more in-depth discussion of the major changes from 2.0 to 3.0, and final steps to take before January 1st, view the on-demand webcast now. You can also check out our entire library of PCI DSS 3.0 readiness resources here: https://www.rapid7.com/pci.

PCI 30-second newsletter #38 - The Holy Grail vs ROC-Fission: The only way to reach compliance

A big thanks to Andy Barratt - Managing Director, Europe and QSA, Coalfire - for his contribution to this newsletter.

“Any darn fool can make something complex; it takes a genius to make something simple.” ― Peter Seeger

If you are the glorious knight responsible for getting your company up to mandatory compliance levels (and keeping it there), you could well feel desperate facing this enormous and tedious undertaking. This is especially true for service providers and large, complex organizations. The ROC (Report On Compliance) quest could well be compared to the one for the Holy Grail: an endless day, a money- and time-consuming black hole. This sounds quite pessimistic, but it is realistic. The quest is so time-, effort- and money-consuming that organizations decide to give up and accept the risk of non-compliance.

And what could we say about the army of QSAs (Qualified Security Assessors) required to validate compliance of such environments? How could they effectively take responsibility and execute their mission with the expected quality without having to live, sleep and eat with their customers? And what relevance could we possibly expect from a several-hundred-page ROC?

Definitely, in complex environments, the usual "ONE ROC approach" just doesn't work. It is long, if not endless, and tedious, and it leads to unmanageable projects, poor outcomes, and lots of frustration. It requires an army of QSAs and a mountain of evidence. Not surprisingly, in such conditions, compliance projects do not serve security. On the contrary, they can often initiate a negative security cycle, as there is definitely no incentive to compliance.

The ROC-Fission approach

In physics, fission is the act of splitting the nucleus of an atom into nuclei of lighter atoms. "ROC-fissioning" is the name I give to the act of splitting the object of a ROC, defined by the PCI scope, into smaller objects (parts of the scope), each part being more manageable, nearly independent of the others, and associated with its own ROC (nucleus).

Is this approach validated by PCIco?

Although not specifically advertised by PCIco, the payment brands and the acquirers, "ROC-Fissioning" is definitely approved, supported and encouraged. The topic was even at the heart of a major presentation and discussion at the latest PCI Community meeting. To Andy Barratt (the above-mentioned contributor to this article), splitting the ROCs was the ONLY way for large organizations to reach compliance. Andy also mentioned one of his customers having up to 16 different ROCs (nuclei).

What are the pre-requisites?

This approach requires that:
- the global CDE scope be documented;
- each portion ROC (nucleus) be clearly documented in terms of the scope/object of the assessment and what is excluded from it (from the original scope);
- the object of each ROC (nucleus) be firewalled off/segregated from the rest of the scope;
- acquirer agreement be received.

How to achieve ROC-Fission?

Most of the large service providers use this approach to segregate their services: one service = one specific ROC, allowing them to deliver to their customers the ROC associated with the service offered. But there is a panel of other ways to ROC-fission the complexity of an assessment, by:
- payment channels
- assets managed by different entities
- business units
- regions
- assets
- network subnets

What are the benefits?

In the same way that fission releases energy, "ROC-fissioning" releases the burden associated with complex compliance projects. Here are some of the benefits:
- manageable audits, better preparation, better outcome;
- reduced audit effort and time, with increased quality;
- compliance reached faster, and therefore a positive message sent to customers and acquirers;
- moderate/limited size of ROCs;
- the cost of compliance broken down;
- a smaller QSA army;
- the right stakeholders involved, and therefore more accountable and interested;
- limited impact in case of breach: with one ROC, the complete organization's compliance is impacted; with multiple ROCs (nuclei), the compliance impact is limited to the ROCs associated with the breach.

Are there cons to this approach?

Andy doesn't see any cons to this approach. Of course, it requires more audits, but this is not a bad thing. As mentioned above, the effort, cost and time associated with each audit are drastically reduced for a better and faster outcome.

Questions
- Were you aware of this approach?
- Do you already follow it?
- Will you follow it?

Have you read our previous newsletter: PCI 30 seconds newsletter #37 - And PCI said "Get Pen-tested"!

Other resources:
- PCI Compliance Dashboard V3
- PCI Newsletters published so far
- PCI templates, policies and procedures ready to use
- PCI-GO Compliance Platform, a collaborative tool for Merchants and Auditing parties specifically tailored to reduce the cost and optimize the audit efforts.

Didier Godart

How to use Nexpose as part of your internal PCI compliance program

If your systems process, store, or transmit credit card holder data, you may be using Nexpose to comply with the Payment Card Industry (PCI) Security Standards Council Data Security Standard (DSS). The newest PCI internal audit scan template, released as part of Nexpose 5.11.4, is designed to help you conduct the internal assessments required by the DSS.

To learn more about PCI DSS 3.0, visit our resource page.

The following is an outline of a suggested process to use with Nexpose to help with your internal PCI scans. (For more information on how to use any of the features in Nexpose, see the Help or User's Guide.)

1. As described in PCI DSS 3.0 section 6.1, you need a process to identify security vulnerabilities. To do so, create one or more sites in Nexpose using the following configuration:
- Include the assets you need to scan for PCI compliance. (Generally these hosts will comprise your cardholder data environment, or “CDE”.)
- Use the PCI internal audit scan template.
- Specify credentials for the scan. (These credentials should have privileges to read the registry, file system, and package management aspects of the target systems; without them the scan cannot see vulnerabilities that are only evident from installed package and patch versions.)

2. As indicated in PCI DSS requirements 11.2.1 and 11.2.3, you need to create and examine reports to verify that you have scanned for and remediated vulnerabilities. You should also keep copies of these reports as evidence of your compliance with the PCI DSS. Create a new report as indicated in the Nexpose Help or User's Guide. You will most likely want to use the PCI Executive Summary and PCI Vulnerability Details report templates. Follow this process for each of those templates, with the following settings:
- For the scope of the report, specify the assets you are scanning for PCI.
- In the advanced settings, under Distribution, specify the e-mail sender address and the recipients of the report.

3. Mitigate the vulnerabilities. The description of each vulnerability contains remediation steps.

4. Re-scan to verify that your mitigations have resolved the findings. If compensating controls are used, it may be necessary to use exception handling to eliminate the associated findings. (It may not be possible for automated tools to detect your compensating control even if it is effective in mitigating the associated risk.)

5. Continue to scan and mitigate. You will need to scan internally at least quarterly, and re-scan until all high-risk vulnerabilities, as defined in sections 6.1 and 11.2.1 of the PCI DSS, have been remediated. You will also need to scan after major changes, as defined in section 11.2.3. The acceptable timeframes for applying remediations are outlined in section 6.2.

ControlsInsight: Server Controls - Single Critical role

NIST CM-7, Australian DSD Mitigation #24, SANS critical control 11-6 and PCI-DSS 2.2.1 suggest that servers deployed in a production environment should serve only one critical role.

For example, if we add another critical role like file services to a web server, then we increase the attack vectors on that server. Web servers deployed in a production environment are generally exposed to the public internet and are more susceptible to attack. They require high maintenance with respect to installing security patches and making sure that they are up to date. If an attacker manages to compromise the web server, they also get an easy route into the file server, adding the problem of sensitive file system data being exposed. So it is a best practice in information security to isolate servers to serving only one critical role.

Demonstration by example:

On a Windows Server 2008 system, Server Manager supports adding multiple roles. The roles that can be added to a Windows 2008 server are:
- Active Directory Certificate Services
- Active Directory Domain Services
- Active Directory Federation Services
- Active Directory Lightweight Directory Services
- Active Directory Rights Management Services
- Application Server
- DHCP Server
- DNS Server
- Fax Server
- File Services
- Hyper-V
- Network Policy and Access Services
- Print and Document Services
- Web Server (IIS)
- Windows Deployment Services
- Windows Server Update Services

Out of the above roles, ControlsInsight classifies the following as critical roles. If we detect that any asset has multiple critical roles installed, we flag the asset as Risky.
- Directory Services (Active Directory/LDAP/Kerberos)
- Mail Services (Exchange/POP3/SMTP)
- File Server
- FTP Server
- Print Server/Spooler
- HTTP Server
- Database Server (MySQL/Microsoft SQL)

In the example below:
- Asset1 is 10.4.26.26 and has two critical roles installed: File Services and Web Server.
- Asset2 is 10.4.27.214 and has a single critical role installed: File Services.

Asset1 showing two critical roles installed
Asset2 showing only one critical role installed
ControlsInsight shows the findings on a per-asset basis
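
As an added example (not ControlsInsight's own code), the following Python maps the roles and services found on an asset to the seven critical role classes listed above and flags any asset serving more than one of them. The lower-cased service/role strings in the mapping, the third asset and the services listed for each asset are constructed for this example; a real check would feed it the roles or fingerprinted services a scanner reports.

```python
"""
Added example (not ControlsInsight's own code): group the Windows roles and
network services seen on each asset into the critical role classes quoted
above and flag assets that serve more than one critical role.
"""
from typing import Dict, Iterable, List, Set

# Service / role name -> critical role class, following the grouping given
# above. Keys are lower-cased; the exact strings are an assumption of this
# example. Roles not listed here (DNS, DHCP, AD Certificate Services, ...)
# are deliberately not counted as critical.
CRITICAL_ROLE_OF: Dict[str, str] = {
    # Directory Services (Active Directory/LDAP/Kerberos)
    "active directory domain services": "Directory Services",
    "active directory lightweight directory services": "Directory Services",
    "ldap": "Directory Services",
    "kerberos": "Directory Services",
    # Mail Services (Exchange/POP3/SMTP)
    "exchange": "Mail Services",
    "pop3": "Mail Services",
    "smtp": "Mail Services",
    # File Server
    "file services": "File Server",
    "smb": "File Server",
    "cifs": "File Server",
    # FTP Server
    "ftp": "FTP Server",
    # Print Server/Spooler
    "print and document services": "Print Server/Spooler",
    "spooler": "Print Server/Spooler",
    # HTTP Server
    "web server (iis)": "HTTP Server",
    "http": "HTTP Server",
    "https": "HTTP Server",
    # Database Server (MySQL/Microsoft SQL)
    "mysql": "Database Server",
    "microsoft sql": "Database Server",
    "mssql": "Database Server",
}


def critical_roles(services: Iterable[str]) -> Set[str]:
    """Distinct critical role classes among the given role/service names.

    Several services of one class (Exchange + SMTP + POP3) count as one role,
    and names outside the mapping are ignored.
    """
    roles: Set[str] = set()
    for name in services:
        role = CRITICAL_ROLE_OF.get(name.strip().lower())
        if role:
            roles.add(role)
    return roles


def is_risky(services: Iterable[str]) -> bool:
    """An asset is risky when it serves more than one critical role."""
    return len(critical_roles(services)) > 1


def assess(inventory: Dict[str, List[str]]) -> Dict[str, Dict[str, object]]:
    """Per-asset finding: the sorted critical roles and the Risky flag."""
    result: Dict[str, Dict[str, object]] = {}
    for asset, services in inventory.items():
        roles = critical_roles(services)
        result[asset] = {"roles": sorted(roles), "risky": len(roles) > 1}
    return result


if __name__ == "__main__":
    # Constructed inventory: the two assets from the example above plus a
    # constructed mail server (10.4.28.5) that runs three services of one class.
    inventory = {
        "10.4.26.26": ["File Services", "Web Server (IIS)", "DNS Server"],
        "10.4.27.214": ["File Services", "DHCP Server", "DNS Server"],
        "10.4.28.5": ["Exchange", "SMTP", "POP3"],
    }
    for asset, finding in assess(inventory).items():
        print(asset, finding)
```

The point of grouping by class rather than counting services is visible on the mail server: Exchange, SMTP and POP3 are three services but one critical role, so it is not flagged, whereas the file-plus-web server is.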

Cyber Security Awareness Month: Data Custodianship

By now, you know that October is Cyber Security Awareness Month in the US and across the European Union. We know many SecurityStreet readers work in information security and are already “aware”, so this year we're equipping you for executive-tier cyber security discussions. We kicked this off last week with a piece on why security matters now. This post focuses on the duty of custodianship, and in the coming weeks we will be posting on building security into the corporate culture through policies and user education; how organizations can make security into a strength and advantage; and crisis communications and response.

For this week's topic, we're discussing data custodianship.

When choosing to keep data, we have a legal and custodial responsibility, because we do not own that data. As a result, keeping data introduces an element of liability for your business, and protecting it is expensive and complex. Inventorying and eliminating regulated data reduces liability, saving time and money.

Imagine hiring a babysitter for the first time, and they show up five minutes before you are scheduled to leave the house. No prior communication, no advance information requested, and now you're worried you're going to be late.

“Hey there, I'm here - have a good time tonight!” the sitter says, walking in the door and sitting down on the couch.

That's it!? “Do you care to know the number, ages and names of our children? If there are any special needs, medical issues, habits, dietary restrictions, bed times, or the last time they ate? Do you need to know when we are coming home, or how much we are paying?”

There is a very clear difference between the concerns and interests of a parent and this babysitter; those differences nicely illustrate the decisions companies make unintentionally when handling sensitive and regulated data. Unlike babysitters, enterprises may have the luxury of choosing what responsibility they inherit. As corporate decision makers, we have the option of not storing data.

The holy trinity of misunderstood data is PCI, PHI, and PII. PCI is data governed by the Payment Card Industry standards: think credit and debit card (cardholder) data. PHI is Protected Health Information, as defined by the Health Insurance Portability and Accountability Act (HIPAA). PII is Personally Identifiable Information; HIPAA covers it when it appears in health records, and many other privacy regulations cover it elsewhere.

Said differently: companies are hesitant to destroy data, but retaining certain kinds of data involves expensive protection in the face of very real liability. More often than not, a very expensive decision to retain regulated data is made without knowing what is at stake, often at a business level unacquainted with the associated costs and risks.

The current pervasive thinking is that gathering data creates “business intelligence,” which enables the business to operate more effectively and build new or stronger lines of revenue. Unfortunately, this data also attracts criminals who know they can turn a healthy profit selling stolen information on the black market. Defending against these attackers is time-consuming, expensive, and extremely challenging. Attackers cannot steal data you don't have, so eliminating specific data sets can massively lower your liability and reduce your expense.

A solid business case review makes sense. Some data must be stored for a period of time. Some abstracted data can provide business and market intelligence. Custodianship drives us to make informed decisions and to be deliberate about the investment required to protect data the company does not own. By choosing to retain this data, we choose to retain risk and liability; your company will be held accountable for success or failure in safely caring for this data.

Keep only what you really need. Make sure whatever you need to run your business is vigorously protected. And we strongly urge you to look into what liability protection you have around security threats. You may think you're covered and actually find that you are not.

If you like this series, check out last year's series of user awareness emails covering phishing, mobile threats, basic password hygiene, avoiding cloud crises, and the value of vigilance.

PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!

This newsletter clarifies what is expected to comply with PCI DSS 11.3: Penetration testing.

Why is a pen-test needed?

In the same way that wellness checks support a doctor's diagnosis by determining what's wrong or not working as expected (a.k.a. an analysis) and establish the appropriate treatment (a.k.a. a remediation plan), penetration testing aims to:
- determine and validate a diagnosis by establishing the genuineness and severity of identified vulnerabilities;
- validate that defense mechanisms against external and internal attack vectors are working appropriately. In other words, check that the security controls meant to detect and block security issues and alert the responsible people actually work.

Why is scanning not enough?

Scanners are used to identify potential anomalies or deviations from a defined baseline. They help answer the question: “Is there something wrong?” The use of scanners is, however, not sufficient to determine whether these anomalies constitute a real danger. In this context, penetration testing is used to answer the next question: “So what?” It helps clarify the level of danger an anomaly presents, or the level of exploitability of IT vulnerabilities. If scanners help uncover potential issues, penetration tests help validate the reality of these findings in terms of risk for the entity and priorities in terms of remediation.

Penetration testing for PCI compliance

Conducting penetration testing is a pre-requisite for meeting compliance with PCI DSS v3 for type A-EP, D, S and C organisations (see Merchant types). They must:
- have a documented, validated and applied methodology for penetration testing (DSS 11.3);
- perform penetration testing at least annually and after any significant infrastructure or application upgrade or modification (DSS 11.3.1, 11.3.2, 11.3.4);
- correct, and validate the correction of, reported “exploitable” vulnerabilities (DSS 11.3.3).

From which perspective?

Penetration tests must be performed from the following perspectives:
- from public networks forming the external perimeter of the CDE (Requirement 11.3.1);
- from any non-CDE LAN that has access to the CDE perimeter (Requirement 11.3.2);
- from any non-CDE LAN that is supposed to be entirely segmented from the CDE (Requirement 11.3.4). The intent of this assessment is to validate the scope-reduction (segmentation) controls between the non-CDE LANs and the CDE perimeter.

What happens during a pen test?

Penetration testers will try to get unauthorized access to components within the CDE, including security and network devices, servers, databases and applications written by or for the organization. Beyond the CDE itself, any critical systems outside the CDE boundary that could affect the security of the CDE must also be targeted. Common examples of such critical systems are a DNS server, an Active Directory server, an NTP server, and/or an update server.

Who conducts the pen test?

Organizations subject to penetration testing may use either internal resources or third-party testers, who must be qualified for the job; what counts as “qualified” is left to the QSA's judgement.

How do you prove compliance?

Make sure to have the following materials ready:
- documented penetration testing methodology covering the various sections listed in the standard;
- documented and validated scope of penetration tests and how it was determined;
- list of executed pen tests with the following information: test date, internal or external, initial versus re-test, pen tester ID, scope in terms of IPs, number of exploitable vulnerabilities reported, link to reports;
- latest reports;
- remediation plan for identified issues (actions and planning);
- documented evidence of the penetration testers' qualifications.

Questions
- Any ideas or recommendations to show compliance with 11.3?
- What are the major impediments you got on your way, and how did you solve them?

Have you read our previous newsletter: PCI 30 seconds newsletter #36 - Control your privileged accounts - How to contain the “Keys to the kingdom” problem

Other resources:
- PCI Compliance Dashboard V3
- PCI Newsletters published so far
- PCI templates, policies and procedures ready to use
- PCI-GO Compliance Platform, a collaborative tool for Merchants and Auditing parties specifically tailored to reduce the cost and optimize the audit efforts.

Didier Godart
