
Nexpose


We build Nexpose to help security practitioners get from find to fix faster. With the launch of Nexpose Now, Rapid7 delivered Liveboards to help you know what's weak in your world right now. Liveboards combine your live threat exposure data, powerful analytics and intuitive querying so you can spend less time compiling data, and more time improving your security program. Liveboards, powered by the Rapid7 Insight Platform, continuously deliver improvements from our engineers to your fingertips and without maintenance effort on your part.

 

We know it's hard to keep up with change, so we'll be sharing tips, tricks and new capabilities in right-sized blog posts. In this post, you'll learn one way Liveboards can do heavy lifting for you: customizing and tailoring your dashboards to match your world.

 

Time for some action

Nexpose Now Liveboards provide visibility into what is weak and the power to dive into your data, enabling you to take action. Dozens of built-for-purpose Cards are available in Liveboards with more being released on a regular basis. Cards help you focus on what matters in an easy to understand and easy to act on form. Spending less time in Excel pivot tables means more time on the actual work of driving remediation.

 

[Image: Rapid7_Exposure_Analytics_threecards.png]

Consider the three Cards above. Driving Assets with Expired SSL Certificates to zero is a worthy goal, as is minimizing Assets Running Obsolete Software. But these metrics may require refinement before you can act on them in your organization. If your remediation teams work on a site-by-site basis, understanding the percentage of assets running obsolete operating systems is interesting but not sufficient to drive remediation. When you're trying to get to fix faster, getting your remediation teams to action is critical. We can help our cause by breaking the data down into parcels the remediation teams understand.

 

Dig a bit deeper by clicking the Expand Card link and you're immersed in Asset data. Some remediation teams own the Assets of a specific operating system type, so an easy way to start is by narrowing down by OS family.

 

[Image: assets-by-os-custom-query.gif]

That query looks useful! Since you've spent time crafting it, maybe you want to save it and use it again later? Here I show how to save a query called "FreeBSD Assets" and then create a copy of the Assets Running Obsolete OS Card but only for FreeBSD Assets.

 

[Image: assets-by-os-custom-query-save.gif]

Repeat this process for each of the OSes supported in your organization and you arrive at a powerful comparison. Here we see the percentage of Assets running obsolete operating systems, broken out by OS family. With this view you can quickly see differences and get a much better sense of what is weak: perhaps the Solaris systems need some attention.

 

[Image: comparecontrast.png]

Do you want more?

Give this technique a try with your own data. I used a simple example of filtering by OS, but you can easily build refined queries and Cards to make Nexpose work for you. Some other ideas you could try:

  • Compare KPIs on new assets discovered across Sites or Asset Groups
  • Create individual Dashboards for individual teams or Sites

Let us know if you find useful ways to compare and share them here.

 

Nathan Palanov

In July, we added National Institute of Standards and Technology (NIST) Special Publication 800-53r4 control mappings to version 2.0.2 of the reporting data model for SQL Query Export reports. NIST 800-53 defines a catalog of security controls designed to help organizations protect themselves from a wide array of threats.

 

What does this mean for you? Well, now you can measure your compliance against these controls by writing SQL queries. For example, say you want to know how many assets fail or comply with a certain control:

-- Per-control compliance counts, restricted to the Access Control (AC) family
SELECT ncm.control_name,
       SUM(fr.noncompliant_assets) AS noncompliant_assets,
       SUM(fr.compliant_assets) AS compliant_assets
FROM fact_policy_rule fr
   JOIN dim_policy_rule_cce_platform_nist_control_mapping ncm ON ncm.rule_id = fr.rule_id AND ncm.rule_scope = fr.scope
WHERE ncm.control_name LIKE 'AC-%'
GROUP BY ncm.control_name
ORDER BY ncm.control_name ASC

 

[Image: Screen Shot 2016-08-01 at 2.07.36 PM.jpg]

This second example lists your least compliant policy rules (most failed assets) and the CCEs and controls they map to:

SELECT p.title AS policy_name,
       dpr.title AS rule_name,
       ncm.cce_item_id,
       ncm.control_name,
       fr.noncompliant_assets,
       fr.compliant_assets
FROM fact_policy_rule fr
   JOIN dim_policy_rule dpr USING (rule_id, scope, policy_id)
   JOIN dim_policy p USING (policy_id, scope)
   JOIN dim_policy_rule_cce_platform_nist_control_mapping ncm ON ncm.rule_id = fr.rule_id AND ncm.rule_scope = fr.scope
ORDER BY fr.noncompliant_assets DESC

 

Screen Shot 2016-08-01 at 1.52.02 PM.jpg

You can learn more about SQL Query Export here and Nexpose's built-in policy reports here.
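An added example, not from the original post, that generalizes the first query above from one control family to all of them: it rolls compliant and non-compliant asset counts up to each NIST 800-53 control family and computes a compliance percentage. It uses only the tables and columns shown in the two queries above; the PostgreSQL dialect of the reporting data model (split_part, NULLIF, ROUND, NULLS LAST) is an assumption.

```sql
-- Added example (not Rapid7's own query): compliance percentage per NIST 800-53
-- control family, e.g. 'AC-2' and 'AC-3' both roll up to family 'AC'.
-- Assumes the PostgreSQL dialect used by SQL Query Export.
WITH control_totals AS (
    SELECT split_part(ncm.control_name, '-', 1) AS control_family,
           SUM(fr.compliant_assets)             AS compliant_assets,
           SUM(fr.noncompliant_assets)          AS noncompliant_assets
    FROM fact_policy_rule fr
       JOIN dim_policy_rule_cce_platform_nist_control_mapping ncm
            ON ncm.rule_id = fr.rule_id AND ncm.rule_scope = fr.scope
    GROUP BY split_part(ncm.control_name, '-', 1)
)
SELECT control_family,
       compliant_assets,
       noncompliant_assets,
       -- NULLIF avoids a division-by-zero error for a family with no assessed assets
       ROUND(100.0 * compliant_assets
             / NULLIF(compliant_assets + noncompliant_assets, 0), 1) AS percent_compliant
FROM control_totals
-- least compliant families first; families with no assessed assets (NULL) last
ORDER BY percent_compliant ASC NULLS LAST, control_family
```

As in the post's first query, a rule mapped to several controls is counted once per mapping, so the percentages describe rule-to-control mappings rather than unique assets.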

anowak

Patch Tuesday, August 2016

Posted by anowak Employee Aug 9, 2016

August continues an ongoing trend with Microsoft's products: the majority of bulletins (5) address remote code execution (RCE), followed by elevation of privilege (2), security feature bypass (1) and information disclosure (1). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps, SharePoint and Windows (client and server).

 

Looking back at the last year of security bulletins, a resounding trend has emerged and remains prominent: the majority of these bulletins address RCE. While Microsoft continues actively working on resolving these issues, as witnessed by the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors: consumers.

 

This month Microsoft resolves 27 vulnerabilities across 9 bulletins. For consumers, MS16-095, MS16-096, MS16-097 and MS16-102 are the bulletins to watch out for, addressing 14 vulnerabilities. For server users, no particular bulletin draws immediate attention, enabling the majority of server admins to roll out patches at a fairly leisurely pace. Fortunately, at this time no vulnerabilities are known to be publicly disclosed or to have been exploited in the wild.

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code and gain the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-095, MS16-096, MS16-097, MS16-099 and MS16-102).

 

This blog shows how to use the power of LogEntries Search and Analytics to monitor your Nexpose installation. LogEntries has joined the Rapid7 family and offers several powerful capabilities to search, analyze, monitor and alert on your Nexpose installation. LogEntries is also super easy to set up and maintain. I spent about five minutes getting it running. The Nexpose engineering team made it very easy by enabling the log4j appender in every installation of Nexpose. All you have to do is follow these steps to get up and running.

 

Set up your free trial

Set up a free trial on LogEntries (https://logentries.com/) by clicking on the "Start a Free Trial" button:

[Image: createaccount.png]

Generate tokens for system logging

You can create logging tokens by clicking on "Add a Log", choosing the "Java" icon in the "Libraries" section and then clicking "Create Log Token" at the bottom of the screen. Create as many tokens as you want appenders (see next step). You can have an appender for every Nexpose log if you want:

 

[Image: addalog.png]

[Image: createlogtoken.png]

Configure Nexpose Logging

In your Nexpose installation, copy the logentries appenders from the console's logging configuration, located in /opt/rapid7/nexpose/nsc/logging.xml (near the bottom of the file), and paste them into the user-log-settings.xml file in the same directory. Make sure to replace each ${logentries-*-token} placeholder with an actual token from the logentries account you created above. Each appender can have its own token, so the appenders can be tracked as different logs in logentries. Here is an example:

 

  <!-- Appender for the console (nsc) log. The token below is the sample value from this
       post; replace it with the token generated in your own Logentries account. -->
  <appender name="le-nsc" class="com.logentries.logback.LogentriesAppender">
    <Token>123725d5-10df-4aa7-b683-3e8c71251b2c</Token>
    <Debug>False</Debug>
    <!-- False sends log data in plaintext; True sends it to Logentries over TLS -->
    <Ssl>False</Ssl>
    <facility>USER</facility>
    <encoder>
      <!-- ${logFormat} is the pattern defined in logging.xml -->
      <pattern>${logFormat}</pattern>
    </encoder>
  </appender>


Unlock the power of LogEntries

Restart Nexpose and you will see logs flowing into your LogEntries account. Now you can start using all the great features of LogEntries including Live Tail, Saved Queries, Alerts, and Tagging to manage your Nexpose console. Here are some examples:

 

Initial Log View

This view will appear as soon as you click on the Log Set that you want to view. In my case, "Demo Set" is the log set that I used when creating my account and hooking up Nexpose. From here you can search and filter to find log entries of interest:

 

[Image: viewthelog.png]

Live Tailing

Live Tailing is a great feature that allows you to debug or monitor issues as they are happening:

 

[Image: livetail.png]


Creating Tags and Alerts

Tags and alerts allow you to label specific log lines based on regular expressions and also alert if anomalies occur:

[Image: alert.png]

Wrap Up

Also check out how to do the same thing with Metasploit Pro in Securing Your Metasploit Logs. I hope you have found this helpful and please share any feedback such as alerts, dashboards, or other useful tips and tricks that you have found when using Nexpose with LogEntries.

In any vulnerability management program, defenders are always racing against time to identify new exposures and get the latest data. The recent Nexpose Now release made this easier than ever in Nexpose, but active scans will always remain important. Over the past quarter, we’ve made major strides in improving our scan engine performance so that customers can get the data and the fixes they need fast enough to keep up with the bad guys.

 

The Process

This upgrade is made up of several tweaks and updates we’ve made over the last few months.

 

It all started in May, when we shipped an enhancement to our scan engine that reduced scan-time memory utilization by 10x. This allowed us to run scans with 50 threads on a 4GB scan engine. In some instances, we had success running 100 threads on a 4GB scan engine (the default for scan templates is 10 threads).

Throughout June, we focused on improving scan performance and multi-core utilization. While we initially improved scan times by another 2x, there was obviously more work to do: an engine pool of 5 engines, each scanning with 10 threads, took 1 hour to scan our lab, and although a single engine with 50 threads should perform the same, it was taking 6 hours. The investigation revealed several inefficiencies in the threaded call manager, which we rewrote for a 3x increase in scan performance.

 

Finally, local rock stars Aneel Dadani and Erik Castellanos identified a strange behavior associated with how our content describes Microsoft supersedence relationships that resulted in a considerable amount of additional scan log data. Fixing this resulted in a 3x reduction in scan log size, and thus improved scan performance another 2.5x!

 

 

The Results

After all these improvements, the results were impressive: for our Windows lab, comprised of about 460 Windows assets of different versions, service pack levels, and configurations, scan times improved by as much as 10x, going from 12 hours to just 1 hour and 20 minutes. Just as impressive is the fact that these scans were done with a 4GB engine running 50 threads, something that used to take customers 16GB or 64GB engines to even attempt! This will make it much easier for our customers to tweak and speed up their scan performance (and finally put to bed some of the false rumors our competitors have been spreading about our scan performance for years).

 

Have you noticed the performance improvements over the last month? Do you have ways we can continue to improve scanning efficiency? Let us know, and of course, if you haven't taken Nexpose for a whirl yet, be sure to download a trial today!

 

Early scan (~5 hours 30 minutes):

Final scan (~1 hour 20 mins):

anowak

Patch Tuesday, July 2016

Posted by anowak Employee Jul 12, 2016

July continues an ongoing trend with Microsoft's products, where the majority of bulletins (6) address remote code execution (RCE), followed by information disclosure (2), security feature bypass (2) and elevation of privilege (1). All of this month's 'critical' bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps, SharePoint and Windows (client and server).

 

Looking back at the last year of security bulletins, a resounding trend has emerged and remains prominent: the majority of these bulletins address RCE. While Microsoft continues actively working on resolving these issues, as witnessed by the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors: consumers.

 

This month, Microsoft resolves 40 vulnerabilities across 11 bulletins.

Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, one vulnerability from MS16-092 and MS16-094 is known to be publicly disclosed (CVE-2016-3272 and CVE-2016-3287 respectively).

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-084, MS16-085, MS16-086, MS16-087, MS16-088 and MS16-093).

Auditing your systems for compliance with secure configuration policies like CIS, DISA STIGs, and USGCB is an important part of any effective security program, not to mention a requirement of many industry and regulatory compliance regimes like PCI DSS and FISMA. With Nexpose, you can automate this assessment using our Policy Manager feature.

 

Back in March we launched two brand new policy report templates, Policy Rule Breakdown Summary and Top Policy Remediations, to help organizations understand how compliant their assets are and actions to take to improve their compliance posture. You can read more about these reports here.

 

After receiving lots of great feedback, we’ve added two more policy reports in the latest version of Nexpose: Policy Details and Top Policy Remediations with Details. These provide additional information like policy rules, test results, and step-by-step remediation instructions so you can drill into the details and take control of your compliance program.

 

The new Policy Details report is useful for understanding exactly what’s going on with each asset - which rules are failing, the reasons why, and how you can fix it. The report is divided by asset, with the overall compliance score for the asset at the top. Run this report when you want to deep-dive into the configuration settings of your systems.

[Image: pjimage.jpg]

The new Top Policy Remediations with Details report expands on the report released in March by adding step-by-step instructions for each remediation and a list of the affected assets. With both Top Policy Remediations reports, the recommendations are prioritized for the greatest impact on improving compliance across all your assets and you can change the number of recommendations shown, e.g. change Top 25 to Top 10, to meet your needs. This report is perfect for communicating what needs to be fixed to your IT Operations team.

[Image: pjimage (1).jpg]

We have lots more enhancements to Policy Manager coming soon, so stay tuned for more!

Recently I've been diving into some advanced and targeted analysis features. Today I'd like to keep things simple while still addressing a significant use case: vulnerability regression. Often, the immediate response to high-visibility vulnerabilities does not involve setting up future monitoring, leaving the door open for the same vulnerabilities to show back up time and again.

 

The Immediate Response - AKA Fire Drill

Sooner or later, for better or worse, everyone hits a fire drill. You probably know the situation: late nights, high pressure, and a lot of leadership visibility. It's a find-fix scramble under a microscope, and it's no fun. Some slightly dated examples (more on that later) include Shellshock, Heartbleed, and, for those of you with air-gapped networks, BadUSB.

 

My question is: what happens when the smoke clears? Everyone takes a deep breath, some pats on the back, a cold beverage or two, maybe even a day off to recuperate before post-mortem reporting begins. Unfortunately, the moment the immediate response ends is often when the real visibility gap begins.

 

The Regression

Over time these vulnerabilities have a way of reappearing. Maybe an old system gets booted up when it was supposed to be deprecated, or maybe a new system gets rolled out with some old software installed on it. One way or another, older, high-visibility vulnerabilities can come creeping back into the network. I picked these examples intentionally, because I still see them in the field after all this time; I even see them in environments where a fire drill was run and considered a complete success.

 

Regression Monitoring

Without ongoing monitoring for regressions, any immediate response action is inherently a point-in-time fix and not a systematic remediation or root-cause resolution. The idea of regression testing has been around for quite some time in the development world, and I think there's huge value in applying that same concept in the security world. Here's a quick example of how to set up a basic Heartbleed regression check in Nexpose:

 

Create a Dynamic Asset Group (you'll notice a trend: I use DAGs a lot, they are pretty neat):

 

[Image: TargetedAnalysis1.png]

Set up a filter for "Heartbleed" based on Vulnerability Title:

 

[Image: VulnerabilityRegression2.png]

Click 'Search' and then 'Create Asset Group' as per usual. If you create a Dynamic Asset Group, the group membership will automatically be updated each time you run a new scan.

 

Conclusion - More Success!

There you have it: a simple, easy way to set up regression monitoring for high-visibility vulnerabilities. Go on and set up a few of these; you might just be surprised what you find!

 

For those of you who want something a bit broader than single vulnerability searching, check out my piece on the usage and value of Vulnerability Categories.

anowak

Update Tuesday, June 2016

Posted by anowak Employee Jun 14, 2016

June continues an ongoing trend with Microsoft's products, where the majority of bulletins (7) address remote code execution (RCE), with elevation of privilege a close second (6); the remaining three address information disclosure (2) and denial of service. All critical bulletins are remote code execution vulnerabilities affecting a variety of products and platforms including Edge, Internet Explorer, Microsoft Office, Office Services and Web Apps, and Windows (client and server). However, this month is missing resolutions for Adobe Flash issues; Adobe has acknowledged CVE-2016-4171 as being exploited in the wild (APSA16-03), but no solution is presently available.

 

Looking back at the last year of security bulletins, a resounding trend has emerged and remains prominent: the majority of these bulletins address RCE. While Microsoft continues actively working on resolving these issues, as witnessed by the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect consumer applications such as Edge, Internet Explorer, Microsoft Office and .NET. Unfortunately, this leads to one of the single largest attack vectors: consumers/end-users.

 

This month Microsoft resolves 36 vulnerabilities across 16 bulletins, with MS16-063, MS16-068, MS16-069, MS16-070 and MS16-080 as the bulletins to watch out for, addressing 21 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, one vulnerability from MS16-068 is known to be publicly disclosed (CVE-2016-3222).

 

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code in order to gain the same rights as your user account. Your best protection against these threats is to patch your systems as quickly as possible. Administrators, be sure to review this month's bulletins and, in accordance with your specific configuration, prioritize your deployment of this month's updates. At a minimum, be sure to patch systems affected by critical bulletins (MS16-063, MS16-068, MS16-069, MS16-070 and MS16-071).

 

Resolved Vulnerability Reference:

Incremental improvement is great. Nothing, especially in the world of software, is perfect when first released to the market, so iterative improvement is an expectation every customer must have. But problems begin to arise for users when incremental improvement becomes the accepted norm for long periods of time. Many experts in the vulnerability management market believe that is what’s happened in the industry: vendors continuously spit out minimal, albeit important, updates such as a new report format or rebranding a scanner as an ‘agent'. Unfortunately for all of us, when this happens over several years, security teams are slowed - one might say trapped - by their existing solutions, forced to get creative to work around them. As a big part of the vulnerability management community, we wanted to take the time to talk through these trappings and why it’s NOW time to stop accepting them.

 

It’s often hard to tell what’s happening right now

In most organizations, the vulnerability management program involves a combination of two or more teams and a bevy of activities in multiple stages between asset discovery and remediation. When this process was first implemented, no one imagined it would reach this level of complexity, but as is the case with any cross-departmental system, each moving part adapted, as necessary, to account for the massive growth in workload. And yet, the technology in use by these teams has not made any dramatic changes to accommodate the way a modern, effective program operates.

[Image: tremors.jpg]

 

When you’re not the person handling one of the many tasks along this process, it can feel like you’re the only one doing anything:

 

  • If you’re on the security team, actively prioritizing what was found in the latest scan and seeing vulns that you swear were sent to remediation last week, you wonder if it’ll ever get done. When you ask about it, you always hear something that sounds (to your biased ears) a lot like what Val said in Tremors: “We plan ahead, that way we don't do anything right now…”
  • On the other side of this process, you have a great deal of work outside of security-related patching and configuration changes, so you learn to tune out the frequent notifications because each claims to be the most critical action you could take all week. You take each ticket you’re assigned and plan it appropriately alongside everything else. You know it’ll get done and you don’t have time to give constant updates on every item.

 

This feeling of "being in it alone" only worsens when you're provided outdated information and lose thirty minutes chasing down the facts. It's one thing to be handed a list of new assets for remediation every week, but when that list is inaccurate and you have to figure out the real list, it doesn't exactly thrill you to start that work instead of more concrete activities. What must be kept in mind is that frustrations around outdated information aren't limited to one party here; when the security team opens new tickets or raises outstanding ones only to find out the patch was applied the day after a scan, they realize they've lost some of their coworkers' trust. When you're frustrated like this, you don't care that it was the technology's fault.

 

Not knowing if you’re vulnerable to an attack makes waiting for the results excruciating

A major reason outdated information is too often used is the regular "cascade of waiting for results." The most extreme version of the window of wait is what has been experienced during the trend of announcing 0-days with a cool logo, marketing-approved name, and immediate Twitter storm, causing the following sequence of waiting events:

[Image: advocate_bob.gif]

 

You read about it on Twitter --> check your vendor’s blogs to see what they’ve said --> wait for the email update to arrive --> wait until your next scan window --> wait until the scan completes

 

It isn't until the end of this InfoSec version of the Jupiter Ascending scene, where Advocate Bob goes from room to room to confirm Jupiter's gene sequence, that you get the chance to review the results, and even he, who is designed for bureaucracy, is visibly frustrated by the end. Then the right member of the team pulls the report and writes the necessary details into a ticket before the waiting starts once again. You wait until the next scan completes to see if this new headline-grabbing vuln has been eradicated before the next time the executive team meets, since the one security question that's in every newspaper is sure to be raised.

 

Small new injections can lead to immediate confusion and tearing up the plan

It's this stage between scan results and a confirmed remediation that's had the least support from technology to date. It's bad enough that teams have to track progress for thousands of actions with spreadsheets, but that only covers the ideal scenario, in which newly discovered exposures can be resolved after those already assigned. Your team probably operates more often in a world where some new vulnerabilities take precedence over what you knew the week before. After all, what good is a live view of your exposure surface area if the owner of the master remediation spreadsheet is constantly rewriting the plan until he wants to tear it all down like everyone's favorite Burger Shack employee in Harold & Kumar Go To White Castle?

[Image: khburger.gif]

 

There is so much activity between the moment a vulnerability is discovered and it’s been effectively mitigated that security professionals typically have to list Microsoft Excel skills on their resumes to qualify for a job. This may have been a “good enough” solution for the first few years, but spreadsheets just don’t suffice for a workflow in which injections are the norm. You wouldn’t expect your software development team to track every task in this manner, so don’t accept it for the security team who expects the plan to change much more often.

 

If new risks are typical, your technology needs to take them in stride

Why can vulnerability management programs be as painful as described above? There are multiple reasons, but most of them come from one root cause: the process was built around limitations in the technology of yesterday. Let’s go through a quick list:

 

  • Passive and continuous scanning consumed too much bandwidth, so scan windows were set for times when they wouldn’t impact productivity
  • Agents evoked management nightmares and endpoint freezing visions from the antivirus era, so new approaches to agents were largely ignored
  • Present-day processing and analytics technologies couldn’t be added to legacy solutions without demanding more hardware, so reporting was the only option to explore results
  • The results were written in the language of CVEs, exploits, and CIS benchmarks, so the IT department needed everything habitually translated for their tickets and workflow

 

Security teams need to push for better. Better technologies. Better approaches. Better support for today’s reality.

 

Nexpose Now is the culmination of years of conversations with our customers, ranging from on-site interviews about their daily annoyances through clickable prototypes and the longest, most iterative beta programs in Rapid7’s history. It started when we launched Adaptive Security to take you from discovering systems to being informed of their exposure as soon as they come online. It now extends to watching live dashboards update as soon as a remote laptop across the globe installs vulnerable software (with the agent technology we first released with InsightIDR now in Limited Availability for Nexpose) and tracking its remediation along its entire path from assignment through fix using our new Remediation Workflow (Beta).

 

While you’re here, go check out what we’ve done with Nexpose Now.

Attackers don't wait for your schedule; in fact, they try to take advantage of your 'windows of wait' when you're biding your time waiting for a scan. Just think of your typical Patch Tuesday: when you walk in on Wednesday, your vulnerability management solution has all the checks, but then you wait for that next scan. You wait for data to be recollected, assessed, and then hopefully served up in a way that is intuitive and describes exactly what you need to do, and when. At that point the work begins to actually get the remediation done, and thirteen days later you've finally got it all patched up.

 

Much of this is a result of technology simply not keeping up with our needs as security pros, as my colleague Matt discussed, but it’s also about combining the right technologies to deliver the right information at the right time. When you have the ability to see fresh data, analyze it easily, serve it up live with detailed priorities, and then manage the remediation with intuitive workflows, you’re no longer passively waiting. You’re acting at the moment of impact.

 

Introducing Nexpose Now

With all that build up above, NOW it's time to deliver. Today, we announced a major evolution in Nexpose vulnerability management, called Nexpose Now. Users will have the power of threat exposure analytics and live dashboards (generally available today), remediation workflow (Beta as of today) and live monitoring via Rapid7 Insight Agents (Limited Availability today). The combination of these capabilities means the end of passively waiting for the next scan or sifting through all those false alerts. Instead, you will immediately see exactly what needs to be done, how to do it, and manage that progress all the way until it's done.

 

Let’s take a look at what Nexpose Enterprise and Ultimate users will soon be able to do:

 


Nexpose Dashboard - Dark.jpg

Easily see the health of your security program with Liveboards and Threat Exposure Analytics (Available Now): New dashboards provide a live scoreboard of where you’re winning and losing in your security program. Unlike most dashboards, which are in reality simply static reports of old data, Nexpose’s Liveboards update instantly when you get new information, and make it easy to dig into granular data with a few clicks – no need for a degree in querying languages or data analytics.

 

 

 

nexpose now graphic.png

Make IT your best friend with Remediation Workflow (Beta): We all know that finding vulnerabilities is only one side of the coin. The key is how fast you can remove those vulns to reduce risk. Our Remediation Workflow will convert vulnerability data into action and hand deliver prioritized tasks and context directly to IT including what needs to be fixed, by when, and why, and you can then watch the progress to ensure the job gets done.

 

Monitor it all live with Adaptive Security or Rapid7 Agents (Limited Availability): As you all know, Adaptive Security has become an important capability, helping you to see exposures as they are introduced into your environment. The Rapid7 Agents, introduced in early 2016 with our InsightIDR product, are now in Nexpose with Limited Availability. When combined with Adaptive Security you will have a truly live monitoring capability that allows you to further avoid the ‘scan and wait’ trap. We are really looking forward to helping our customers realize this powerful capability.

These new capabilities are opt-in, cloud based features in Nexpose Enterprise and Nexpose Ultimate. Because this is a significant advancement, we’ve created a lot of resources for you to get more information, just head to our Nexpose Now overview page for the very latest.

 

We believe that the best advancements are made together, and we certainly owe a big THANK YOU to all of the amazing customers that not only participated in our Beta program for Threat Exposure Analytics and Liveboards, but also have talked with us about your need for each of these capabilities. Today we witness the outcome of our combined partnership and further inspired innovation. If interested in participating in the Beta programs for these upcoming releases and more, please reach out to your CSM or sales representative!

 

NOTE: Rapid7 creates innovative and progressive solutions that help our customers confidently get their jobs done. As such, the development, release, and timing of any product features or functionality described remains at our discretion in order to ensure our customers the excellent experience they deserve and is not a commitment, promise or legal obligation to deliver any functionality. 

In my last blog post I went in depth on Impact Driven Analysis and Response, an often-overlooked but very handy analysis option in Nexpose. Today I'd like to talk about another great option for analysis - filtering assets based on their discovered vulnerabilities by Vulnerability Category. We will use Filtered Asset search to take a focused look at a specific category: Default Account findings.

 

Default accounts are high significance findings with low effort remediations, making them an easy win for targeted analysis. We'll look at how to perform this analysis and the operational value of these easy wins for new and maturing vulnerability management programs.

 

Performing Default Account Analysis

 

Looking at Vulnerability Categories

A Vulnerability Category is simply a grouping of similar vulnerabilities based on common criteria. A single vulnerability may belong to multiple categories, e.g. a Cisco default account finding may show up in both the 'Cisco' category and the 'Default Account' category. You can view an interactive drill-down list of available Vulnerability Categories directly in your Nexpose Console. Just use this URL, substituting the hostname of your console for localhost: https://localhost:3780/vulnerability/categories.jsp

 

We're going to focus on the Default Account category, but this same analysis technique can be used for any category. I recommend taking 10-15 minutes one day to look down that list and see what catches your interest.

 

Vulnerability Category Analysis - Filtered Asset Search

You can get to the Filtered Asset Search feature using the Filter icon in the upper right of the UI or by selecting 'Dynamic Asset Group' in the Create menu at the top.

 

TargetedAnalysis1.png

 

The Filtered Asset Search feature allows you to search for assets based on the specific Vulnerability categories for discovered vulnerabilities. Take a look:

 

TargetedAnalysis2.png

 

You can save your search results in an Asset group (either Dynamic or Static) or as a dynamic RealContext tag for ongoing analysis. I would call this group 'Default Accounts' and add a corresponding red custom tag myself, but you can configure it how you like. If you configure a Dynamic Asset group, this list will automatically update with each new scan.

 

Targeted Reporting

In addition to searching for assets, you can filter reports by Vulnerability category as well.  In the 'Scope' section of the 'Create a report' view in Nexpose, there is a 'Filter report scope based on vulnerabilities' option.  You will see the ability to filter by Vulnerability Category - just select the 'Include specific' radio button and use the multi-select dropdown.

 

TargetedAnalysis3.png

 

Responding to Default Account Findings

 

Why They're Significant

Default account findings are of especially high significance because they open the door for an attacker to directly access a system without the effort and risk of detection associated with executing an exploit. There's a reason default accounts are instant-fail findings for PCI compliance. Using standards-based metrics can be an effective way to help communicate this significance more broadly, for instance:

 

 

There will be some nuance to the impact for any given environment, but hopefully the above example helps demonstrate the scale of the significance for these findings.

 

Resolution

One of the great things about a default account finding is how easily you can confirm and remediate it. To confirm the finding, try to log in with the same credentials Nexpose reported (from an approved source and with the system owner aware, since even a successful attempt can lock the account or show up in its audit logs). To remediate it, either remove the default account or change its password.

 

This does, of course, assume the account is modifiable; if it's baked in to an embedded system, you would have to sort that out with the vendor and restrict all access to that particular service at a lower layer (e.g. firewall rules). Leveraging the CVSS score and the Nexpose Real Risk score associated with the finding may even help to communicate the significance of these findings to upstream vendors.

 

An Easy Win!

As we discussed above, default accounts are high significance findings with low effort to remediate. This makes them a great option for organizations just starting their vulnerability management programs, or simply growing and maturing their existing process. Starting with targeted analysis lets you focus more time up front figuring out the practical operational details of your program, including: communication channels for remediation (e.g. report distribution, ticketing system integrations), organizational ownership for remediation, and managerial oversight.

 

Often these practical details create the biggest blockers to getting real security work done. By focusing on easy win findings at the beginning, you can help everyone involved with the program get comfortable with the workflow.

 

Custom Account Checks

One of the first questions people ask when they see this functionality is, "how can I add my own default accounts?" Often, developers will use common credentials for convenience during the development cycle with the intent of disabling those credentials for production. Missing that last step can be a major problem, though, and a diligent security team will want to validate that no in-house common credentials are used on production systems.

 

Good news - it is possible to create your own Default Account checks! You can write a custom vulnerability check for a default account using the instructions from the 'Default account checks' section of the Community site.

 

If you'd like an easier approach than writing custom vulnerability checks, you're not alone!  That idea has been suggested in our Idea Portal.  All you have to do is click here, log in with your customer (or employee) support credentials, and vote!

Today I'd like to highlight an often overlooked but very handy analysis option in Nexpose - filtering assets based on their discovered vulnerability CVSS Impact Metrics (Confidentiality, Integrity, Availability).

 

We will use RealContext tags and Filtered Asset Search to answer the following questions:

  • Are there any Availability Impact findings on High Availability systems? (e.g. web servers, authentication servers)
  • Are there any Confidentiality Impact findings on systems with Highly Confidential data? (e.g. HR systems, finance systems)
  • Are there any Integrity Impact findings on systems which should be High Integrity? (e.g. security systems, credential management systems, domain controllers)

 

Filtered Asset Search

You can get to the Filtered Asset search feature using the Filter icon in the upper right of the UI or by selecting "Dynamic Asset Group" in the Create menu at the top.

 

ImpactAnalysis1.png

 

The Filtered Asset search feature allows you to search for assets based on the specific CVSS Impact Metrics of the asset's discovered vulnerabilities. The same goes for CVSS Exploitability Metrics. Take a look:

 

ImpactAnalysis2.png

RealContext Tagging

RealContext asset tagging allows you to add your specific business context information to the technical data gathered by Nexpose. All you need to do is get a list of all High Availability (or High Confidentiality, or High Integrity) systems in your environment and tag those assets accordingly in Nexpose.

 

Putting It Together - High Availability Risk Analysis

When you combine the RealContext tag data with the CVSS Impact Metric filtering option in Nexpose, things get really interesting. You can set up a search to explicitly find High Availability assets which have Availability Impact findings on them, like this:

 

ImpactAnalysis3.png
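As an added example (not code from these Rapid7 posts), the script below does two things the text describes only in prose. First, it computes a CVSS v2 base score from a vector string, the kind of standards-based number the earlier Default Account post suggests for communicating severity: a remotely reachable default account with complete confidentiality, integrity and availability impact scores 10.0, while a weak-cipher finding with partial confidentiality impact and high access complexity scores 2.6. Second, it reproduces in code the filter this post builds in the Filtered Asset Search: findings whose chosen impact metric is Partial or Complete, on assets carrying a given business tag. The weights and formula are those of the CVSS v2 specification (the Partial/Complete values Nexpose stores in its cvss_*_impact fields are CVSS v2 values); the Finding records, host names, tag names and vulnerability titles are constructed sample data, not scan output.

```python
"""CVSS v2 base scoring and impact-metric filtering.

Added example for this post; not Rapid7 code. Weights and formula are from the
CVSS v2 base-score specification. All findings below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# CVSS v2 base-metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}          # None / Partial / Complete
IMPACT_RANK = {"N": 0, "P": 1, "C": 2}               # ordering used for ">= Partial" filters

_TABLES = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
           "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into {'AV': 'N', ...}.

    Unknown metrics or values raise ValueError rather than silently scoring 0.
    """
    metrics: Dict[str, str] = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep or key not in _TABLES or value not in _TABLES[key]:
            raise ValueError(f"bad CVSS v2 metric {part!r}")
        metrics[key] = value
    missing = set(_TABLES) - set(metrics)
    if missing:
        raise ValueError(f"vector missing {sorted(missing)}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score: (0.6*Impact + 0.4*Exploitability - 1.5) * 1.176 if any impact."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return int(raw * 10 + 0.5) / 10   # round half up to one decimal, as the spec does


@dataclass(frozen=True)
class Finding:
    asset: str
    tags: FrozenSet[str]        # RealContext-style business tags on the asset
    title: str
    vector: str                 # CVSS v2 base vector of the vulnerability


def findings_by_impact(findings: Iterable[Finding], metric: str, tag: str,
                       at_least: str = "P") -> List[Finding]:
    """Findings on assets carrying `tag` whose C, I or A metric is at least `at_least`.

    This is the Filtered Asset Search the post builds in the UI: business tag AND
    CVSS impact metric, e.g. metric='A', tag='High Availability'.
    """
    if metric not in ("C", "I", "A"):
        raise ValueError("metric must be C, I or A")
    return [f for f in findings
            if tag in f.tags
            and IMPACT_RANK[parse_vector(f.vector)[metric]] >= IMPACT_RANK[at_least]]


# Constructed sample data (hypothetical hosts, tags and findings, not scan output).
SAMPLE_FINDINGS = [
    Finding("web01", frozenset({"High Availability"}), "Default web console account",
            "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    Finding("web01", frozenset({"High Availability"}), "HTTP request flood DoS",
            "AV:N/AC:L/Au:N/C:N/I:N/A:P"),
    Finding("hr01", frozenset({"High Confidentiality"}), "Directory listing enabled",
            "AV:N/AC:L/Au:N/C:P/I:N/A:N"),
    Finding("hr01", frozenset({"High Confidentiality"}), "Weak TLS cipher suite",
            "AV:N/AC:H/Au:N/C:P/I:N/A:N"),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.asset:6} {base_score(f.vector):4}  {f.title}")
    print("High Availability Risk:",
          [f.title for f in findings_by_impact(SAMPLE_FINDINGS, "A", "High Availability")])
```

Swapping the metric letter ("C" or "I") and the tag name gives the High Confidentiality and High Integrity variants the post describes, and raising at_least to "C" narrows the list to Complete impact only. The parser rejects malformed vectors instead of treating them as zero impact, so a bad record surfaces as an error rather than disappearing from the risk list.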

 

You can save your search results in an Asset Group (either Dynamic or Static) or as a dynamic RealContext tag for ongoing analysis. I would call this group 'High Availability Risk' myself, but you can choose any name you like.  If you configure a Dynamic Asset Group, this list will automatically update with each new scan.

 

High Availability Risk Reporting

Nexpose provides the ability to filter vulnerability findings in a report.  This is a great feature which lets you filter by severity and vulnerability category. Unfortunately for our immediate purposes, the report filtering does not let us filter on CVSS Impact Metrics. But don't worry!

 

For advanced reporting needs, Nexpose has a flexible SQL Query Export option.  You can find this by going to "Create a report" and selecting the Export tab within the Reports view.

ImpactAnalysis4.png

Here's a query that lists all vulnerabilities with Partial or Complete Availability Impact findings, and the solutions for those vulnerabilities.  Note the use of the cvss_availability_impact_id field from the dim_vulnerability table and the use of the dim_cvss_availability_impact table:

 

-- All Partial/Complete Availability Impact findings in the report scope, with their solutions.
-- dim_vulnerability.cvss_availability_impact_id holds the CVSS v2 value ('N', 'P' or 'C');
-- dim_cvss_availability_impact maps that value to a description.
-- For Confidentiality or Integrity, swap in cvss_confidentiality_impact_id / dim_cvss_confidentiality_impact
-- or cvss_integrity_impact_id / dim_cvss_integrity_impact.
SELECT DISTINCT
  dsite.name       AS "Site",
  da.ip_address    AS "Asset IP",
  da.host_name     AS "Asset Hostname",
  dv.title         AS "Vulnerability",
  ds.summary       AS "Solution",
  dcai.description AS "CVSS Availability Impact"
FROM fact_asset_vulnerability_instance AS fav
JOIN dim_vulnerability AS dv ON fav.vulnerability_id = dv.vulnerability_id
JOIN dim_asset AS da ON fav.asset_id = da.asset_id
JOIN dim_site_asset AS dsa ON fav.asset_id = dsa.asset_id   -- an asset belonging to two sites is listed once per site
JOIN dim_site AS dsite ON dsa.site_id = dsite.site_id
JOIN dim_vulnerability_solution AS dvs ON dv.vulnerability_id = dvs.vulnerability_id
JOIN dim_solution AS ds ON dvs.solution_id = ds.solution_id
JOIN dim_cvss_availability_impact AS dcai ON dv.cvss_availability_impact_id = dcai.type_id
WHERE dv.cvss_availability_impact_id IN ('P', 'C')
ORDER BY dsite.name ASC, da.ip_address ASC

 

If you save this Custom SQL Export query and set the scope using the 'High Availability Risk' asset group from earlier, you will get a targeted list of the Partial and Complete Availability Impact vulnerabilities on your High Availability assets.

 

To learn more about working with SQL Query Exports in Nexpose, and some example queries, see this Nexpose Reporting area of the Rapid7 Community site.

 

Success!

One of the initial questions posed was, "are there any Availability Impact findings on High Availability systems?" By leveraging the Filtered Asset Search and RealContext Tag features, we are able to create a 'High Availability Risk' asset group and a 'High Availability Risk' CSV report - with solutions included. This definitively answers the question and provides remediation recommendations. I call that a win!

 

You can apply the same approach for High Confidentiality and High Integrity risk analysis following the steps below:

  • Tag your High Confidentiality or High Integrity assets accordingly
  • Use the Filtered Asset Search feature to create 'High Confidentiality Risk' and 'High Integrity Risk' Dynamic Asset Groups
  • Set up a SQL report for your findings. Adjust the query above, swapping the 'availability' field and table (cvss_availability_impact_id, dim_cvss_availability_impact) for the corresponding 'confidentiality' ones (cvss_confidentiality_impact_id, dim_cvss_confidentiality_impact) or 'integrity' ones (cvss_integrity_impact_id, dim_cvss_integrity_impact).

 

If you'd like to see this reporting capability baked in to the vulnerability filtering possible in the Nexpose Reporting UI - so would I!  I've created an idea in our Idea Portal.  All you have to do is click here, log in with your customer (or employee) support credentials, and vote!

 

Custom Targeted Analytics

If your organization wants deep analytics customized to your priorities, the Rapid7 Global Services team is always happy to help! We develop targeted analytics for: custom reports, custom SQL queries, custom dashboards, custom integrations (e.g. ticketing systems, asset management systems), and more. Your Customer Success Manager (CSM) can get the conversation started about requirements, scoping, and all that fun stuff.

 

Thanks, and stay tuned for more!

anowak

Patch Tuesday, May 2016

Posted by anowak Employee May 11, 2016

May continues a long-running trend with Microsoft where the majority of bulletins (10) address remote code execution (RCE) vulnerabilities; the remaining address elevation of privilege (3), information disclosure (2) and security feature bypass (1). All critical bulletins are remote code execution issues affecting a variety of products and platforms including Adobe Flash Player, Edge, Internet Explorer, Office, Office Services and Web Apps and Windows (client and server).

 

Looking back at the last 12 months of security bulletins, a clear trend emerges: the majority address remote code execution vulnerabilities, predominantly in end-user software such as Edge, Internet Explorer, Microsoft Office and .NET. Microsoft has not been able to eliminate this class of bug, which leaves the end user as one of the single largest attack vectors. Fortunately, Microsoft actively works on resolving these issues, as the steady stream of critical RCE bulletins shows.

 

This month, Microsoft resolves 33 vulnerabilities across 16 bulletins, with MS16-051, MS16-052, MS16-053, MS16-055 and MS16-062 as the bulletins to watch out for; together they address 20 vulnerabilities. Users should pay particular attention to the following bulletins, as they resolve the vulnerabilities that have been known to be exploited (CVE-2016-0149, CVE-2016-0189):

 

  • MS16-051 - Cumulative Security Update for Internet Explorer
  • MS16-053 - Cumulative Security Update for JScript and VBScript
  • MS16-065 - Security Update for .NET Framework

 

Users should also be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code and gain the same rights as your user account. Your best protection against these threats is to patch as quickly as possible. Administrators, be sure to review this month’s bulletins and prioritize deployment of the updates in accordance with your specific configuration. At a minimum, patch the systems affected by critical bulletins.

 

Resolved Vulnerability Reference:

This year’s 2016 Verizon Data Breach Investigations Report has plenty of juicy data to pore over, and for the past week we’ve been providing recommendations for ways to improve your security program and stop attackers. The report didn’t provide any huge surprises, except for the fact that everything that was bad just keeps getting worse. Thus, we’ve had some great posts from my teammates focused on the Verizon Data Breach Investigations Report and how it affects the incident detection and response landscape with Eric Sun and the web app security space from Kim Dinerman. But today it’s time to talk vulnerability management.

 

Vulnerability Management has been around for a long time, and if there’s one thing we’ve learned, practically every attack outlined in the Verizon Data Breach Investigations Report or any other industry report still involves an exploited vulnerability at some point. The DBIR provides some key controls to implement to get a handle on the never ending growth of new vulnerabilities, and wouldn’t you know it, they match up perfectly to some of the key reasons our customers love Nexpose.

 

1. Focus on what the bad guys look for first

The DBIR describes patching vulnerabilities as a “Sisyphean struggle," with more vulnerabilities being released every week. Keeping pace is difficult. To stop endlessly running up that hill (bonus points if you get the 80s Kate Bush reference), they recommend you “establish a process for vulnerability remediation that targets vulnerabilities which attackers are exploiting in the wild, followed by vulnerabilities with known exploits or proof-of-concept code." Basically, prioritize the vulnerabilities and get that stuff done first, but one must remember that you have to look beyond CVSS.

 

Here to help: This is what Nexpose is all about! We’re still the only solution that automatically factors known exploits into our risk scoring (including how easy the exploit is to use), and with Metasploit Pro, you can validate your vulnerabilities to see which ones an attacker could exploit in real time. Check out this quick video to see how easy it is to scan for vulnerabilities with Nexpose and then validate your vulnerabilities with Metasploit Pro.

 

2. Identify what can’t be fixed, and come up with a plan to mitigate it

Many companies have critical systems running on legacy software that they can’t update without impacting their business; that doesn’t mean you can ignore the risk. Use a defense-in-depth policy to create mitigating controls for these flaws, so that if you have to leave a hole in the wall open, make damn sure it’s fortified (think the wall tunnel in Game of Thrones).

Here to help: Nexpose makes it really easy to create exceptions for these vulnerabilities and remove them from reports, as well as set expiration dates and approval chains to make sure you revisit them when you can. You can also use Metasploit to validate those compensating controls and make sure they’re blocking the bad guys the way they should.

Mag the Mighty, only slightly scarier than attackers

 

3. Use vulnerability management to figure out what’s new in your environment

Regular vulnerability scanning is like flossing in between going to the dentist; it’s a great way to keep up on security hygiene, and the DBIR suggests you use it to identify unknown assets and deviations from standard configurations.

 

Here to help: Nexpose has baseline comparison and trending reports that make it easy to see what’s new, and with Adaptive Security you can set up Nexpose to automatically scan and catalog new devices as they enter the network, removing a lot of the legwork that comes with today’s rapidly shifting environments. To learn more about Adaptive Security, check out this on-demand webcast.

 

We’d love to hear your thoughts on these controls and how you’re meeting them now! If you haven’t already, be sure to get a trial of Nexpose and/or Metasploit and take them for a spin!

 
