Skip navigation
All Places > Nexpose > Blog
1 2 3 Previous Next


296 posts

Patch Tuesday, January 2017

Posted by anowak Employee Jan 10, 2017

Microsoft starts off the year with 4 bulletins and continues a long running trend with their products where the majority of bulletins (2) are remote code execution (RCE) followed by an even distribution of elevation of privilege and denial of service. Missing from this month’s list of affected products is Internet Explorer, which typically complements the Edge bulletin (MS17-002). All this month’s critical bulletins are remote code execution vulnerabilities, affecting Adobe Flash Player, Microsoft Office, Microsoft Office Services and Web Apps, Microsoft Windows.


While Microsoft continue actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing table in which they are unable to permanently address these vulnerabilities, which predominately affect the consumer applications listed above. Unfortunately this leads to one of the single largest attack vectors, consumers.


This month Microsoft resolves 15 vulnerabilities across 4 bulletins. Both consumers and server users MS17-002 and MS17-003 are the bulletins to watch out for, addressing 14 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been exploited in the wild. However, two vulnerabilities addressed by MS17-001 (CVE-2017-0002) and MS17-004 (CVE-2017-0004) are known to have been publicly disclosed.


Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in-order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month’s bulletins and in accordance with your specific configuration, prioritize your deployment of this months’ updates. At a minimum, ensure to patch systems affected by critical bulletins (MS17-002, MS17-003).


Please note that January marks the end of Microsoft’s Security Bulletins as the tech giant transitions to their Security Update Guide; instead of publishing bulletins to describe related vulnerabilities. This new portal provides security vulnerability information through an online database where users can filter, sort and search. Be advised that the current Security Update Guide is in preview; for further information refer to Microsoft’s blog post on furthering their commitment to security updates.


Ken Mizota

macOS Agent in Nexpose Now

Posted by Ken Mizota Employee Dec 29, 2016


As we look back on a super 2016, it would be easy to rest on one's laurels and wax poetic on the halcyon days of the past year. But at Rapid7 the winter holidays are no excuse for slowing down: The macOS Rapid7 Insight Agent is now available within Nexpose Now.


Live Monitoring for macOS

Earlier this year, we introduced Live Monitoring for Endpoints with the release of a Windows agent for use with Nexpose Now. The feedback from the Community has been great (and lively!) and now we're back with another round. Recall, by adding agents into your threat and vulnerability management routine, you can:

  • Get a live view into your exposures: Automatically collect data from your endpoints and seamless integrates it into Nexpose Now, so your Liveboards are always populated with real time data without the need to hit refresh or rescan.
  • Get visibility into remote workers:  Remote workers rarely, or in some cases never, connect to the corporate network and often miss scheduled scan windows. Our lightweight agents can be deployed to monitor risks posed by the mobile workforce.
  • Eliminate restricted asset blindspots: Some assets are just too critical to the business to be actively scanned. With our agents, you'll get visibility into assets with strict scanning restrictions, while removing the need to manage credentials to gain access.

These same powers may now be pointed at your macOS population.


macOS adoption has been on the rise for years. Windows adoption is not in danger of being eclipsed, but many customers need visibility into their pockets of macOS machines within the environment. This makes sense -- when IT can't always mandate a common hardware platform, entire business units adopt what works for them, and C-suite executives use the hardware they desire; a Security team simply needs visibility to what's weak on the systems that mean the most to them.


Getting Started

Just like its Windows counterpart, the macOS agent is easy to install (interactive or silent), easy to manage (directly from Liveboards), and most importantly performs its duty with minimal resource consumption and no user interference. Ready to get started? Here's how:


First, navigate to your Liveboards and if you haven't done so already, add an Agent card.


Click on the Manage Agents link and then the Download Mac Agent button.


Run the installer package on your Macs of choice and you've taken a first step into a larger world. The Rapid7 Insight Agent takes care of the rest, performing initial and regular data collection, securely transmitting the data back to Nexpose Now for assessment. All of this takes place whether the user is connected to your network or just the internet, reducing the effort for you to get the visibility you need. We expect every organization may deploy or configure things a little differently, so we've provided more information and a FAQ on Rapid7 Insight Agents.


tl;dr, at launch the macOS Agent is compatible with macOS Yosemite 10.10 and onwards.


You keep using that word...


Since launching Nexpose Now early in the year and following up with Live Monitoring for Endpoints and Remediation Workflow, we've received questions on the minor, but obvious (Beta), label visible within some parts of Nexpose Now.


While on the topic of new capabilities, we thought we'd take the opportunity to share some of the Q&A with you all.


What is in (Beta) in Nexpose Now?

Remediation Workflow and Live Monitoring for Endpoints are the two current features that have this label applied. We've opened up these new capabilities to all users of Nexpose Now without restriction.


Why is <feature> Beta?

We want to get new capabilities into your hands as soon as possible, so you can start getting value and provide feedback to Rapid7 on how we can improve. We continue to work on improvements that will make the user experience more seamless, more capable and more performant. Beta is used to let customers know Rapid7 is actively working to deliver value: more goodness to come!


Are you releasing untested functionality?

All features are fully tested before being released. Users will get a high quality experience across many workflows, with more features and workflows being added to the product based on feedback we receive.


Is (Beta) functionality supported?

Yes. Features offered in Beta form are fully supported by Rapid7 Technical Support.


May I use these features in production?

Yes. That is why we've released them into the world, so they may deliver their intended value to you NOW.


Haven't tried Nexpose Now but are interested? Check out our Help page to learn how to get started with Nexpose Now.


All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better.

'Tis the holiday season and the Nexpose team is in the giving spirit! At the Rapid7 workshop, we've been busy little helpers building toys for deserving security teams throughout the year. Here are just some of the goodies you can take advantage of NOW:




Before 2016 is over, we want to give all the hardworking security teams one final treat. What does virtually every team need and wish they had more of? Time, of course.


Teams using Adaptive Security in Nexpose have already been saving time by automating key workflows (like Rapid7’s own security team). Earlier this year we added integration with Rapid7 Labs’ Project Sonar and a new Rapid7 Critical vulnerability category. This week we released even more improvements to Adaptive Security, including the ability to trigger Automated Actions during scans and a new Automated Actions Activity Monitor, to help security teams save even more time.


Scanning as a Trigger

There are 3 ways to trigger Automated Actions; when a known asset comes online, a new asset is discovered, or there is new vulnerability coverage. These can be triggered via Discovery Connections (e.g. DHCP, vSphere, Sonar, etc.) and now, during any active scan (discovery, vulnerability or policy).


There are many ways you can use this new capability. Here's one way: Performing quick assessments in between full vulnerability scans. For example, you can run a discovery (nmap) scan to trigger an Automated Action to assess only the assets that haven’t been scanned before.




Automated Actions Activity Monitor

Adaptive Security is the gift that keeps on giving – working to keep your network secure even when you’re not there. The new Activity Monitor shows you which Automated Actions were triggered and when, so you (and your manager) can see exactly how much work was done. This capability also makes it simple for you to disable/enable Actions and spot any issues that need troubleshooting.




You can now create, edit and monitor Automated Actions via this icon Picture4.png  in the left navigation.


If you haven’t tried Adaptive Security yet, there’s no time like the present!

A question that often comes up when looking at vulnerability management tools is, “how many vulnerability checks do you have?” It makes sense on the surface; after all, less vulnerability checks = less coverage = missed vulnerabilities during a scan right?


As vulnerability researchers would tell you, it’s not that simple: Just as not all vulnerabilities are created equal, neither are vulnerability checks.


How “True” Vulnerability Checks Work


At Rapid7 we pride ourselves in generating “True” Vulnerability Checks, which leverage vulnerability information right from the source, the vendor. Our content is composed of two fundamental components; fingerprinting and vulnerability check data. Researchers spend considerable effort in-order to provide our expert system the capability to accurately identify vendor products such as applications and operating systems. “True” vulnerability checks are executed within our expert system, which utilizes these fingerprints to determine characteristics for each asset it encounters, then comparing these characteristics against our vulnerability check data to identify any vulnerabilities.


Looking at vulnerability check count alone is a meaningless metric as security vendors could easily inflate this number by spreading their check logic across multiple check files. There is only a finite amount of ways to test for the presence of a vulnerability, which is most often prescribed by the vendor.


“Informational” Vulnerabilities


This brings us to what vendors usually describe as “Informational Vulnerabilities.” In the act of doing a vulnerability scan (especially during credentialed scans), a vulnerability scanner gleans a ton of useful information that doesn’t necessarily have a CVSS score or real risk, such as installed software, open ports, and general information about what a system is and how it operates.


A common way vendors show these findings to users is by making them “informational or potential” vulnerabilities, categorizing them in the same way they categorize CVSS-scored issues. Most scanners that do this thankfully make it easy to filter out informational vulnerabilities from “real” ones so you can focus on the vulnerabilities with actual risk; however, it still leads to several issues:

  • Users that are new to vulnerability management may not understand what is informational and what isn’t, leaving those vulnerabilities in reports and making it appear that their scan is catching much more than others (when in reality the actual vulnerability information is likely very similar)
  • There’s no industry standard for classifying “informational” vulnerabilities like there is for CVSS scored “real” vulnerabilities. This leaves it to the vendor’s discretion what they consider is pertinent information. There’s a huge amount of incidental information that can be gathered from a vulnerability scan; labeling ALL of it as vulnerabilities is impractical, and so is leaving out data by labeling only SOME of the data. It’s a lose-lose situation
  • Thanks to the above point, vendors often tout their total number of vulnerability checks as proof of their superiority over each other, without pointing out that a sizeable chunk of these checks are largely irrelevant to prioritizing important vulnerabilities


The Nexpose Approach


Nexpose doesn’t have any informational vulnerabilities.  For example, identifying that the target has a resolvable FQDN isn’t something you will find in our vulnerability list. This is simply a characteristic of the target not necessarily a vulnerability and therefore is found in the asset details page. We know that no one wants to be bogged down with irrelevant vulnerabilities or spend extra time filtering out information they don’t need; that’s why we focus on making it easy to filter down your assets to identify relevant information and report off of assets based on these filters. Need to see all assets that are virtual machines (yes, believe it or not, being a virtual machine is classified as a vulnerability in some tools!)? Simply create a dynamic asset group to automatically filter your assets down to just virtual machines, a group that updates automatically as new devices are added. Strip away informational vulns, and you’ll be surprised with how may real vulnerability checks are left over.


In the end, the number of vulnerability checks isn’t much of a differentiator anymore; as those new Sprint commercials say, its 2016, and every enterprise level vulnerability scanner has pretty similar coverage across even uncommon types of assets. Vendors that tout the # of checks as a differentiator often do it because they know that have more informational checks than their competition, and conveniently fail to mention that a sizeable chunk of these would never be used in actual remediation, only slowing down your security team and giving you more 1000 page irrelevant reports.


Patch Tuesday, December 2016

Posted by anowak Employee Dec 13, 2016

December continues a long running trend with Microsoft’s products where the majority of bulletins (6) are dominated by remote code execution (RCE) followed by an even distribution of elevation of privilege (3) and information disclosure (3). All of this month's critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, Sharepoint as well as Windows (client and server).


While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers.


This month Microsoft resolves 59 vulnerabilities across 12 bulletins. For consumers MS16-144, MS16-145, MS16-146, MS16-147 and MS16-154 are the bulletins to watch out for, addressing 36 vulnerabilities. For server users MS16-146 and MS16-147 are the bulletins to watch out for, addressing 4 vulnerabilities. Fortunately, at this time no vulnerabilities are known to have been be exploited in the wild. However, five vulnerabilities addressed by MS16-144 (CVE-2016-7202, CVE-2016-7281, CVE-2016-7282), MS16-145 (CVE-2016-7206, CVE-2016-7281, CVE-2016-7282) and MS16-155 (CVE-2016-7270) are known to have been publicly disclosed.


Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in-order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month’s bulletins and in accordance with your specific configuration, prioritize your deployment of this months’ updates. At a minimum, ensure to patch systems affected by critical bulletins (MS16-144, MS16-145, MS16-146, MS16-147, MS16-148, MS16-154).


With the launch of Nexpose Now in June, we’ve talked a lot about the “passive scanning trap” and “live assessment” in comparison. You may be thinking: what does that actually mean?  Good question.


There has been confusion between continuous monitoring and continuous vulnerability assessment – and I’d like to propose that a new term “continuous risk monitoring” be used instead, which is where Adaptive Security and Nexpose Now fits. The goal of a vulnerability management program is to understand your risk from vulnerabilities and manage it effectively, based upon what is acceptable to your organization.


First ask, “What does ‘Continuous Monitoring’ actually mean?”


“Continuous” admits that our networks, and the systems on them, are not static. System configurations change, users install stuff, admins deploy things. Users move around the building, plug into network jacks, or leave stuff plugged in.


“Monitoring” speaks to the need to answer that question “What is on my network?” and “Are the systems on my network patched and configured in a way we are comfortable with?”. Because these things are changing continuously, we need to be able to monitor them continuously to be secure.


Then ask, “How are other folks using this ‘continuous monitoring’ concept?”


There are different definitions from best practices and regulatory standards that use the words “continuous”, like SANS (now CIS) Critical Security Controls and NIST [PDF].


The definitions vary.

  • SANS says “Run automated vulnerability scanning tools against all systems on the network on a weekly or more frequent basis and deliver prioritized lists of the most critical vulnerabilities to each responsible system administrator along with risk scores”.
  • NIST says “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”


With that said, the intent behind “continuous” is the same…it is to provide you as close to real-time visibility into risk in your environment that is actionable, to ultimately reduce your risk of a breach (side note: Rapid7 was also recently recognizedas the top company for meeting the SANS top 20 controls, so this is just one of 19 controls we can help with!)


Many Approaches Available


There are different approaches to continuous risk monitoring that range from running back-to-back vulnerability scans, or passively finding vulnerabilities using network traffic, to running event-driven vulnerability assessments.


Back-to-Back Scans

Nexpose Live Assessment Passive Scanning.png

This approach is basically running an endless loop of vulnerability scans back to back, so when one scan finishes you run another scan.  While this approach ensures that you always have a full picture of the risk on your network, during the time between when the scan starts and ends you have a potential blindspot in your risk posture. Not only is this noisy and expensive from a network bandwidth perspective, a risky asset could join and be removed during this window without your knowledge.


Passively identifying vulnerabilities using network traffic

Nexpose Live Assessment Fig. 2.png

The other approach to continuously monitoring risk is to put a network sniffer throughout your network to find vulnerability risk.  This approach sounds pretty good, however, it is limited as it relies only on clear text network traffic on the network. The volume of vulnerabilities is limited when compared to active vulnerability scanning, and is more likely to generate false-positives needing tracked down and explained to your IT organization.  Buyers should also be aware that network traffic is increasingly encrypted –Google is even rewarding sites that leverage HTTPS through better rankings – this limits visibility of data that can be used for vulnerability assessment.


Because of these limitations it’s tough to use passive vulnerability scanning alone as true continuous monitoring; you still Nexpose Live Assessment Fig. 3.pngneed active vulnerability scanning in order to have an actionable view of your risk posture. Which is fine, but the deployment architecture is eerily similar to IDS and would be duplicated if you already have an IDS deployed in your environment.  Many organizations have made the upgrade to IPS over the classic IDS because if you are going to go through the effort of sniffing network traffic, you might as well have a solution that can actually prevent an attack from happening instead of just knowing about it.



What’s even more interesting is that Gartner says “In 2015, 40% of enterprises have a standalone IPS deployed.  However, it is decreasing down to 30% by the end of 2017.”


That seems odd, right?  Well, IPS technology is getting baked into next-generation firewalls which is becoming a more and more popular choice for enterprises.


This is the trap that most people fall into: thinking they can rely on “passive scanning” to do continuous monitoring, when they a) often have very similar capabilities already baked into their next-generation security tools and b) are overloaded with false positives that provide more noise than actual monitoring. This is what lead us to a new approach.


A Live approach for vulnerability management: Adaptive Security + Nexpose Now


The Adaptive Security approach, which was released with Nexpose 6, is a dynamic event-driven automated workflow approach that provides between-vulnerability-scan visibility to changes that occur in your network and real-time. These adaptive security features provide actionable insight into the impact on your organization’s risk.


Dynamic data collection is made possible by the Nexpose integration with asset sources like DHCP and VMWare to identify when an asset joins the network. The automated actions workflow enables instant scanning of these assets, tagging and/or adding to a site. Thus, when a new asset or vulnerability joins the network, Nexpose can automatically assess it and add it to you reports, without any additional deployment and with minimal impact on network performance, and only provides vulnerability insight and actionable information for the events you want to track – no alert fatigue.


Now this can be coupled with Nexpose’s Liveboards to get an instantly updating scoreboard of how your environment is doing. Integrating a new subnet into your network after an acquisition? Adaptive Security will instantly scan it and you’ll see how it affects your overall risk in (near) real time. New critical vulnerability come out over the weekend? Walk into the office on Monday with a list of all assets that are affected and have the ability to assign remediation to the right IT group.


Check out this blog post for more information on Adaptive Security. Ready to get started? Download a free trial of Nexpose to test drive the new adaptive security features!

Nexpose supports a variety of complementary reporting solutions that allows you to access, aggregate, and take action upon your scan data. However, knowing which solution is best for the circumstance can sometimes be confusing, so let's review what's available to help you pick the right tool for the job.


I want to pull a vulnerability assessment report out of Nexpose. What are my options?


Web Interface

The Nexpose web interface provides a quick and easy way to navigate through your data. You can drill-down and navigate through cross references and tables support exporting to CSV. Dashboards are a more flexible and configurable way to organize and visualize the data and printable reports support more comprehensive aggregation. The web interface is best suited for ad-hoc exploratory analysis of data.



Dashboards provide a rich way to visualize and analyze your data in real time. Dashboards in Nexpose Now are highly configurable, flexible, and adaptable to your reporting needs. Cards in the dashboard are easy to use and can be exported to CSV, but are not printable or distributable outside of a web interface natively. Built-in and/or custom report templates are a better option for scheduled distribution and printing.


Built-in Report Templates

Built-in vulnerability assessment report templates allow configurable reporting for common use cases, such as prioritizing remediation, providing overview of remediation progress, auditing results, etc. Each template allows simple user-interface configuration of the scope of the report, as well as scheduling, distribution and other settings that can make automated workflows simple to execute. Built-in report templates are the first feature you should use to get familiar with Nexpose reporting capabilities, format, etc. Built-in report templates may also be configured and generated through the external XML-based application programming interface (API) for even more control. If you are satisfied with the level of control and configuration, but would like alternate printable templates, consider using custom report templates.


Custom Report Templates

Custom report templates extend the built-in report templates with various additional reports. Several are available here on the community but you may also engage with the Rapid7 professional services team to customize the building and deployment of a report specifically suited to your needs. This option is ideal when your organization has little SQL expertise or other reporting infrastructure in place.


SQL Query Export

SQL Query Export provides fine-grained control over the data output in a CSV-formatted reporting. Raw SQL queries against the Reporting Data Model allow any combination, slicing, and intersection of data that is required. This lightweight option is best when the scale of the report is limited, and the CSV format is ideal for consumption. SQL Query Export works well with adhoc API reporting and other scripting-oriented solutions. For large scale deployments that want to have efficient, indexed access to raw data, consider using Data Warehouse Export instead.


Data Warehouse Export

The Data Warehouse Export feature allows Nexpose to perform an extract transform and load (ETL) process to an external data warehouse. The export supports a highly-optimized, indexed, and efficient dimensional model that any business intelligence (BI) tool can easily connect to. If you are familiar with a BI tool or your organization already has access to one, then warehousing may be a good fit. The data warehouse export runs on regularly scheduled intervals and as such will have some latency before data is available in the warehouse. The data warehouse is best suited for large scale enterprise deployments where hundreds of reports may generate on a daily basis. The more active your organization is at reporting, the more benefit you get from the warehouse. However, the data warehouse does require a separately managed and installed PostgreSQL instance to export into and does not provide the built-in capabilities such as role-based access control, distribution, or scheduling natively. BI tools can be used to provide these report management capabilities, such as Tableau, Qlik, Pentaho, Domo, JasperReports Server and many others.


How do I know which reporting solution is right for me?

The following chart highlights some key similarities and differences between the various reporting solutions, which you can use to help select the reporting capabilities best for you and your organization.


Web InterfaceDashboardsBuilt-in ReportsCustom ReportsSQL Query ExportData Warehouse Export
Output FormatCSVCSV



Distribution (e.g. SMTP)
Access Control
Printable Output Format
Customizable Output
Enterprise Scalability
Raw Data Access


Full support

Partial support (varies)

Can You Be Trusted with the Sword of a Thousand Truths?


Does the vision of what you want to accomplish appear to you so clearly that it seems real?  After all, you already have the custom integrations, tools, and workflows set that make the most sense in your world.  They are tailored to your organization’s unique needs. They are tuned and ready to go – or at least they would be if only you could just get your data. You know that with this, you’d be unstoppable.


You want the Sword of a Thousand Truths. A tool powerful enough to allow someone who knows what they’re doing to just do it. For those of you uninitiated with the Sword of a Thousand Truths, it’s from South Park. The gang seeks the Sword of a Thousand Truths, which is only to be used when all other methods in the rather complex and mature environment of World of Warcraft fail to scale. (See also:,_Not_Warcraft)



     How do I give stuff to another player? It's in the release notes.


The Nexpose team has recently released a new dimensional data warehousing export feature built to answer the call of customers who need direct access and unadulterated control of their Nexpose data.


Nexpose users have traditionally had a variety of reporting capabilities at their disposal, from readily configured reports, flexible templates, SQL Query Export, custom reports created as part of a Rapid7 Global Services engagement, to those sourced from our Community.


Our customers' reporting needs grew and became increasingly complex, with highly custom Business Intelligence (BI) workflows in place that required ingestion of data translated into proprietary formats. For example, they might need to supply enterprise-wide data across hundreds of thousands of assets to Tableau to fuel their visualizations. 


We needed to provide another avenue for such customers to access their Nexpose data without disrupting the console. We focused on developing a way for critical functions such as reporting to scale horizontally for customers with large deployments. The answer was to externalize the Nexpose Reporting Data Model via a dimensional data warehouse export. Now that we've productized this capability, users can access and control their Nexpose data like never before.


  • Scalable – By externalizing Nexpose data, console operations are not disturbed and performance is not impacted. These enhancements have shown report generation to be 100x faster using the new data warehouse versus the existing Reporting Data Model.
  • Easy to consume – Unlike the legacy data warehouse feature in Nexpose, the new dimensional data warehouse exports information in the format of our Reporting Data Model, with which our users have long been familiar.
  • Powerful - Users can feed the reports, dashboards, visualizations, BI workflows, and powerful features that are similar to those found in Nexpose Now, such as LiveBoards. Users who wish to power their own, proprietary analytics, be it in the cloud or on premise, can now do so with their Nexpose data.
  • Better documentation - Both in the Help documentation online and inside the database itself.
  • Secure - Transit is encrypted, FIPS supported.


To be sure, the Sword of a Thousand Truths is not be trusted to a newb. The problem with data today is that people either hoard it to themselves or dump it on others. At some point, just like the World of Warcraft game makers, it comes down to taking a calculated risk by entrusting the Sword of a Thousand Truths to the right people so that they can better protect what matters most.



     With great power comes great responsibility.


This new and powerful capability was released as part of Nexpose 6.4.6.  We will be following this blog with more detailed technical posts for those interested in further exploring or testing the new data warehouse export.

Intel Security’s user conference FOCUS 16 wrapped up last week, and it was a great experience for Intel Security customers, partners and Rapid7. We announced some exciting new integrations, met with dozens of great mutual customers, and even won some crystal! Here are the highlights of Rapid7’s big week at the show:

  • We’re the real MVP! Rapid7 was named Most Valuable Partner for 2016 from the SIA program. We were also a finalist for Most Innovative, the only partner (of 125 SIA partners) to be nominated for 2 of 3 categories. This was a great validation of all the work we’ve been doing together as Intel Security’s preferred partner for vulnerability management, and a sign of even more exciting integrations and close ties to come.

  • We officially launched our exclusive ePO and DXL integrations. Following up from the announcement a week before, FOCUS was the official launch of our integrations with ePO and DXL, making Nexpose the only vulnerability management tool to integrate with DXL and the only one with a two-way integration to ePO. Intel CTO Steve Grobman did a live demo using DXL across several different products (including Nexpose) which you can see here (starting at “Open DXL Demo #1 section). To see the ePO integration in action, check out our launch webcast here.

  • This is only the beginning. FOCUS was a great opportunity to meet with customers and partners to discuss the future of the McAfee products, especially Open DXL, and even more ways we can all collaborate to make your lives easier. These integrations were only phase 1 of our plans to partner with “the new McAfee”; stay tuned in the coming weeks and months for news on the next phase of the integrations!


As always, we would love your input on ways we can integrate with your existing toolset to help you become more efficient; join the Voice program or reach out to your Customer Success Manager today!


Patch Tuesday, November 2016

Posted by anowak Employee Nov 8, 2016

November continues a long running trend with Microsoft’s products where the majority of bulletins (7) address remote code execution (RCE), closely followed by elevation of privilege (6) and security feature bypass (1). All of this month’s critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, Sharepoint as well as Windows (client and server).


While Microsoft continues actively working on resolving these issues, as witnessed in the overwhelming number of critical RCE bulletins, there is an ongoing battle in which they are unable to permanently address these vulnerabilities, which predominantly affect the consumer applications listed above. Unfortunately, this leads to one of the single largest attack vectors, consumers. These types of vulnerabilities are difficult to distinguish as they typically lure users to visit/open an e-mail, webpage or multimedia, which makes use of specially crafted content. In the worst case, upon viewing this content, a bad actor has the ability to execute malicious code and take complete control of an affected system with the same privileges of the user known as remote code execution.


This month Microsoft resolves 77 vulnerabilities across 14 bulletins. For consumers MS16-129, MS16-130, MS16-131, MS16-141 and MS16-142 are the bulletins to watch out for, addressing 30 vulnerabilities. For server users MS16-130, MS16-132, MS16-135 and MS16-141 are the bulletins to watch out for, addressing 21 vulnerabilities. Unfortunately, at this time two vulnerabilities addressed by MS16-132 (CVE-2016-7256), and MS16-135 (CVE-2016-7255) are known to have been be exploited in the wild. Additionally four vulnerabilities addressed by MS16-129 (CVE-2016-7199, CVE-2016-7209), MS16-135 (CVE-2016-7255) and MS16-142 (CVE-2016-7199) are known to have been publicly disclosed.


Users should be wary of untrusted sources as maliciously crafted content could allow an attacker to remotely execute code in-order to gain the same rights as their user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month’s bulletins and in accordance with your specific configuration, prioritize your deployment of this months’ updates. At a minimum, ensure to patch systems affected by critical bulletins (MS16-129, MS16-130, MS16-131, MS16-132, MS16-141 and MS16-142).


Staying Ahead of New Vulnerabilities

The security threat landscape is constantly shifting and there are a multitude of solutions for managing threats. An unfortunate effect of having a large toolbox is, the more tools and vendors you have in your toolbox, the more complex your management task becomes. When one facet of your security infrastructure becomes aware of risks, how can you most effectively utilize your full security ecosystem to combat them? With Nexpose’s Adaptive Security, integration with DXL and TIE from McAfee (formerly Intel Security) allows your security team to gain insight in to your assets and automatically prioritize assets when compromises are detected – meaning your team does more with less time and effort.


Sharing Knowledge with DXL and TIE Integration

Nexpose is able to speak over the DXL communication layer, which allows everyone on the fabric to share knowledge with the vulnerability management solution. This means communication across different vendors’ solutions, enabling you to go after threats with the proper tool or tools and maximizing your security investment.


One of the most powerful new features of this integration is vulnerability discovery reporting. Nexpose can automatically report vulnerabilities (including title, Nexpose vulnerability ID, CVSS score, detection time, and ePO agent ID) as they are found, enabling other solutions like firewalls and monitoring tools to take actions dependent on those discoveries. Additionally, Nexpose can increase your insight into these vulnerabilities by dispensing expanded vulnerability details over DXL.


In addition to publishing vulnerability discoveries, Nexpose can now consume TIE file reputation events as a trigger for automated actions. One particularly powerful use of TIE triggered events is tagging assets. TIE triggered events are capable of applying a criticality tag to assets to automatically adjust the risk score of assets, raising their visibility within Nexpose. This means malicious file events detected by TIE are seamlessly passed along to Nexpose and affected assets bubble to the top of your vulnerability reports, so you automatically fix potentially compromised assets first.


DXL Integration Setup and Usage Guide

As a prerequisite, a site with ePO assets has been created.


Vulnerability detection

First, create a DXL discovery connection. Go to the “Administration” tab > find the “Discovery Options” card > find the “Connections” section > click the “Create” link.

Nexpose Discovery Options Card Create.png


Name and configure your connection. Be sure to check the Publish Vulnerabilities box and test your configuration before saving.

Nexpose New Discovery Connection.png


Start a scan.

When Nexpose sees undiscovered vulnerabilities it will publish messages on the /rapid7/event/nexpose/vulnerability/detection topic of the DXL fabric.


Furthermore, Nexpose is listening on the /rapid7/event/nexpose/vulnerability/details topic of the DXL fabric. If you request vulnerability details there, Nexpose will respond with them.


Automated Actions using TIE File Reputation Events

Turn on risk score adjustment by going to the “Administration” tab > find the “Global and Console Settings” card > and selecting “Manage.”


From the “Risk Score Adjustment” tab, check the “Adjust asset risk scores based on criticality” and save.


Nexpose Risk Score Adjustment.png


From any screen click the “Automated Actions” icon in the top right.

Nexpose Automated Actions.png


After the “Automated Actions” panel appears, click “New Action.”

In the “Trigger” panel, select “TIE File Reputation Event” and the DXL connection.

In the “Action” panel, pick the “Tag” and select the “Very High” tag.


Now, when TIE detects malicious file events assets will be tagged “Very High” and their risk scores will be scaled appropriately.

Security professionals today face great challenges protecting their assets from breaches by hackers and malware. A good vulnerability management solution could help mitigate these challenges, but vulnerability management solutions often produce huge volumes of data from scanning and require lots of time spent in differentiating between information and noise.

Rapid7 Nexpose helps professionals identify the most critical assets that can be exploited. With this information the security professional can take necessary steps to mitigate the risk.


A vulnerability has a risk score of 0 – 1000, calculated using Rapid7’s security intelligence. An asset’s risk score is calculated by adding the risk score of all its vulnerabilities. Essentially, a higher risk score on an asset implies that the asset is more vulnerable to attack. Unlike a CVSS score which does not consider the whole context of the identified vulnerability, the Real Risk Score, as we call it, adjusts a CVSS value by analyzing each risk element separately incorporating temporal and governance parameters.


Temporal parameters look at the age of a vulnerability, as well as how many exploits and/or malware kits use the vulnerability. Temporal score increases over time, increasing risk score.


Governance parameters follow asset tagging in Nexpose which lets you tag assets as more critical or less critical than others, raising or lowering risk scores accordingly.


The integration of ePO with Nexpose allows the security professionals to leverage Rapid7 Security Intelligence to identify and mitigate real risks that have a higher potential negative impact on the environment and take the right steps to mitigate those risks.


Setting Up Risk Score Integration

To integrate ePO with Nexpose a site must be configured in Nexpose to hold all of the assets that are imported from ePO during the integration process.


The following steps show how to set up an ePO integration with Nexpose and how to push risk scores from Nexpose into ePO:


1. Go to the Administration page on Nexpose
2. Click on Create Discovery Connection
3. From the Connection Type, choose Intel Security ePolicy Orchestrator


Nexpose New Discovery Connection.png


4. Enter all the information needed to connect to ePO server.
5. Check the option “Consume assets” and select a site in which all the existing assets in ePO will go.
6. Check “Push risk scores” to have Nexpose risk scores pushed to ePO.
7. Click the Test Credentials button to ensure all the entered information is correct, if all the details are valid the following message will appear.


Nexpose New Discovery Connection ePO.png


8. Click on Save to save the connection and start the integration process between ePO and Nexpose.


Shortly after clicking save, the site selected in the configuration will start importing assets from ePO.


After the assets have been imported, trigger a scan on the site with any scan template other than the discovery scan template. Once the scan is completed, risk scores identified by Nexpose will now be present in ePO.


There is a convenient built-in dashboard present in ePO that shows the top 10 riskiest assets in ePO as identified by Nexpose. The following screenshot shows the dashboard:


Nexpose ePO Dashboard.png


Now Rapid7 Nexpose has provided the risk exposure information to all ePO partners to see the real risk associated with these assets. With this critical information the respective administrators can work together on the next steps to mitigate the risk identified. Some common operations include quarantining systems, pushing updates to assets and setting up compliance policies.


Already a McAfee customer? Be sure to download a trial license of Nexpose and try the integration today!

As a corporate network grows and new locations are opened up, it becomes increasingly difficult for companies to keep track of and understand their total asset count and the associated risk exposure. Nexpose lets you easily discover all of your assets before a scan, but if that information is already in a great asset management tool like McAfee ePO, why waste time and duplicate efforts? Now you don’t have to, with the ability to automatically import ePO assets into Nexpose before a scan.



The goal of the ePO asset discovery use case is to allow users to import ePO assets, including assets from the McAfee Vulnerability Manager (MVM), into Nexpose. McAfee is discontinuing support for MVM, which means that their customers need to find another vulnerability management solution. Rapid7’s ePO integration allows users to import MVM systems or any other systems managed through ePO into Nexpose. Once their assets are imported, they have visibility into all their assets via Nexpose, and can manage them from there.


How it works

Nexpose allows customers to create a connection to an ePO server. Once they have done so, all systems currently being managed by ePO will be imported into Nexpose. Nexpose will check periodically for any new or updated systems within ePO. Nexpose is capable of correlating existing assets with imported assets from ePO, consolidating risk and avoiding duplication.


Once ePO assets are imported into Nexpose, they can be managed like any other asset, including scheduling scans and generating reports. In other words, if you already are keeping ePO up to date with your latest assets, you can now automatically import these into Nexpose.



Nexpose imports ePO assets into a static site. We recommend setting up a dedicated ePO site for this purpose. Simply create a site and put one placeholder hostname in the included assets list, as Nexpose does not allow empty sites to be saved. Refer to for more information.


Nexpose Site Configuration.png


Next, set up an ePO connection to your server by going to Administration à Discovery Options à Create Connection. Select “Intel Security ePolicy Orchestrator” for the connection type. The Rapid7 ePO client extension creates a NexposeServiceUser account on the ePO client, which only has the Nexpose Remote Command privilege. We recommend using this account or create a similar one for asset import. Select the “consume assets” consumption setting, and choose the site created above.  


Nexpose New Discovery Connection.png



It is also recommended to sign the certificate on the ePO client so that it does not have to trust self-signed certificates. Click the “Test Credential” button to ensure that the connection is configured correctly. Then choose “Save” to save the connection and start importing assets. Nexpose will immediately start importing assets from ePO.


Initially, the assets will only have an IP address, hostname, and mac address, and no last scanned date. To learn more about these assets and their vulnerabilities, either scan them immediately, or schedule a scan for later.


Nexpose epoAssets.png

We wanted to give you a preview into Nexpose’s new integration with both McAfee ePolicy Orchestrator (ePO) and McAfee Data Exchange Layer (DXL); this is the next stage of our partnership with Intel as their chosen vendor for vulnerability management [PDF]. This partnership is also a first for both Rapid7 and Intel, as Nexpose is the only vulnerability management solution to not only push our unique risk scoring into ePO for analysis, but also automatically import asset data from ePO and threat intelligence from DXL into Nexpose for better discovery and prioritization. On top of that, we publish vulnerability data to DXL so that your entire DXL eco-system can benefit from this intel (pun fully intended). The integration is currently in its final stages, so here’s what you have to look forward to:


Vulnerability Management for your McAfee eco-system.png


ePO and Nexpose: Correlating risk, and ensuring no asset goes unscanned


ePO lets you deploy, manage and report on a huge portion of your security program - from endpoint protection right out to the gateway. Now you can overlay this information with the susceptibility of your systems to a real world attack, by importing our unique risk score that incorporates vital context including exploit exposure, vulnerability age and malware exposure to show you the vulnerabilities and assets an attacker is most likely to target.


In addition, ePO and Nexpose communicate asset information, ensuring coverage accuracy for the crucial first step of any scan: Discovery. Not only can you import current ePO asset details into Nexpose, making initial set up a breeze, you can automatically import newly discovered ePO assets too, so your vulnerability management team always has the complete picture of your network (or if you’re a one man shop or an elite team of security oracles, you don’t have to waste time doing the same work with multiple products).


DXL and Nexpose – share vulnerability info and automate exploit response


The McAfee DXL platform lets multiple products collaborate and share information with each other – it’s essentially a force multiplier for your security program. Nexpose and DXL customers correlate Nexpose risk scores and vulnerability data with other products in the ecosystem. Via Intel’s Threat Intelligence Exchange (TIE), Nexpose can also identify systems that may have been compromised and prioritize them for remediation. No other vulnerability management tool provides this kind of insight to the Intel Security partner ecosystem.

Rapid7 and Intel Security Automated Detection and Remediation.png


Keep an eye out for detailed blog posts on each of these integration points over the next few weeks; in the meantime, check out our webcast on October 26th and reach out to your friendly neighborhood sales rep or customer success manager for more information on integrating these two key pieces of your security program!

Hooray for crystalware!


I hit a marketer’s milestone on Thursday – my first official award ceremony, courtesy of the folks at Computing Security Awards, which was held at The Cumberland Hotel in London. Staying out late on a school night when there's a 16 month old teething toddler in the house definitely took it's toll the following morning, but the tiredness was definitely softened by the sweet knowledge that we’d left the award ceremony brandishing some crystalware. In the two categories that Rapid7 solutions were shortlisted as finalists - SME Security Solution of the Year (Nexpose) and Best New Product of the Year (InsightIDR) - we were awarded winner and runner-up respectively.


What’s particularly cool about the Computing Security Awards is that the majority of awards, including the two we were up for, are voted for by the general public, so receiving these accolades is very special to us. We’d like to say an absolutely massive THANK YOU to everyone who voted for our products, we are truly very grateful for your support.


Hooray for Nexpose!SME Security Solution of the Year.jpg

Nexpose storming to the win in the SME category, a space that isn’t always top of mind to some security vendors, really validates for me how well designed and engineered the product is. Our customers come in all shapes and sizes, and the maturity of their vulnerability management programs vary just as much, but Nexpose caters for all. In SME the concept of a dedicated security team is certainly less common. More often than not we see that IT teams have security as just one of their many disciplines – so they need a vulnerability management tool which is easy to use, and allows them to quickly prioritise remediation efforts with live data that’s relevant to their environment. Nexpose determines and constantly updates vulnerability risk scoring using RealRisk – scoring vulnerabilities from 1-1000, thus removing the nightmare of having umpteen hundred ‘’criticals” which are seemingly all equal. Liveboards (because dashboards don’t actually dash – they should really be called meanderboards) provide admins with real time data – you know at all times exactly how well you are winning at remediating. If you’re reading this blog and you’re thinking about implementing a new VM solution, you should download a free trial here and experience it in action for yourself.


Hooray for InsightIDR!

InsightIDR receiving an honourable mention in the Best New Product category makes Sam very happy. This product was frankly one of the main reasons I came to work for Rapid7. When I first heard of it back in March my interest was immediately sparked, as I’d never seen anything quite like it.  I’ve worked in incident response in a previous life, and have seen a vast number of organisations really struggle to find answers when they are in the unfortunate situation of a cyberattack. Some didn’t even know they’d been under attack until they received notification from a third party. Incidents would regularly go on for many days, with teams having to work around the clock with great pressure to balance business continuity and incident response, which is the juggling act from hell. More often than not, investigations and Root Cause Analysis reports would take months and months, and would frequently be lacking in details. If you can’t see what’s happening, you can’t properly respond, and you have pretty much a zero chance of taking away any solid learnings from the event. InsightIDR solves these problems by combining SIEM, EDR and UBA capabilities, which mean it detects attacks early in the attack chain, finds compromised credentials, and it provides a clear investigation timeline. It’s truly an amazing piece of kit, and I know that every incident I ever worked on would undoubtedly have had a better outcome had InsightIDR been in place at the time. Seeing in this case will definitely result in believing – I’d heartily recommend you arrange a demo today.


Hooray for Integrated Solutions!

So before I give a shout out to the incredible people behind these two superb products, there’s one further piece of good news: you can now integrate [PDF] them too!


Hooray for Moose!

Our people, our “Moose”, who design, build, test, sell, support and of course market (obvs.) these products are all the winners here. I don’t use the term ‘incredible’ lightly either – I am privileged to have represented them at the awards ceremony, we have an amazing team across the globe jam-packed with smart, creative, brilliant people. Our solutions are testament to the work they do, their combined knowledge solves difficult customer problems, providing insight to security professionals all over the world. Congratulations Moose – you are a bloody awesome bunch!

Thanks again to everyone who voted for our solutions, and a big cheers to the folks at Computing Security who held a brilliant awards bash. We hope to see you again next year!

Filter Blog

By date: By tag: