
Nexpose


Intel Security’s user conference FOCUS 16 wrapped up last week, and it was a great experience for Intel Security customers, partners and Rapid7. We announced some exciting new integrations, met with dozens of great mutual customers, and even won some crystal! Here are the highlights of Rapid7’s big week at the show:

  • We’re the real MVP! Rapid7 was named Most Valuable Partner for 2016 from the SIA program. We were also a finalist for Most Innovative, the only partner (of 125 SIA partners) to be nominated for 2 of 3 categories. This was a great validation of all the work we’ve been doing together as Intel Security’s preferred partner for vulnerability management, and a sign of even more exciting integrations and close ties to come.

  • We officially launched our exclusive ePO and DXL integrations. Following up on the announcement a week earlier, FOCUS was the official launch of our integrations with ePO and DXL, making Nexpose the only vulnerability management tool that integrates with DXL and the only one with a two-way integration to ePO. Intel CTO Steve Grobman did a live demo using DXL across several different products (including Nexpose), which you can see here (starting at the "Open DXL Demo #1" section). To see the ePO integration in action, check out our launch webcast here.

  • This is only the beginning. FOCUS was a great opportunity to meet with customers and partners to discuss the future of the McAfee products, especially Open DXL, and even more ways we can all collaborate to make your lives easier. These integrations were only phase 1 of our plans to partner with “the new McAfee”; stay tuned in the coming weeks and months for news on the next phase of the integrations!

 

As always, we would love your input on ways we can integrate with your existing toolset to help you become more efficient; join the Voice program or reach out to your Customer Success Manager today!


Patch Tuesday, November 2016

Posted by anowak Employee Nov 8, 2016

November continues a long-running trend for Microsoft's products: the majority of bulletins (7) address remote code execution (RCE), followed by elevation of privilege (6) and security feature bypass (1). All of this month's critical bulletins cover remote code execution vulnerabilities across a variety of products and platforms, including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, SharePoint and Windows (client and server).

 

While Microsoft keeps fixing these issues, as the steady stream of critical RCE bulletins shows, it has not been able to eliminate this class of bug from the client-facing applications listed above, which leaves end users as one of the largest attack vectors. These vulnerabilities are hard for users to spot because the lure looks like ordinary content: an e-mail, a web page or a media file containing specially crafted data. In the worst case, merely viewing that content lets the attacker execute code and take control of the system with the privileges of the logged-in user, which is what remote code execution means in practice; running day to day as a non-administrator limits what such an exploit can do.

 

This month Microsoft resolves 77 vulnerabilities across 14 bulletins. For client systems, MS16-129, MS16-130, MS16-131, MS16-141 and MS16-142 are the bulletins to watch, addressing 30 vulnerabilities. For servers, MS16-130, MS16-132, MS16-135 and MS16-141 are the ones to watch, addressing 21 vulnerabilities. Unfortunately, two of the vulnerabilities, CVE-2016-7256 (MS16-132) and CVE-2016-7255 (MS16-135), are already being exploited in the wild. Additionally, three vulnerabilities were publicly disclosed before the fix shipped: CVE-2016-7199 (addressed by both MS16-129 and MS16-142), CVE-2016-7209 (MS16-129) and CVE-2016-7255 (MS16-135).

 

Users should be wary of content from untrusted sources, since maliciously crafted content could let an attacker execute code remotely with the rights of the user's account. The best protection against these threats is to patch systems as quickly as possible. Administrators should review this month's bulletins and prioritize deployment according to their own configuration. At a minimum, patch systems affected by the critical bulletins (MS16-129, MS16-130, MS16-131, MS16-132, MS16-141 and MS16-142), and move the two bulletins whose vulnerabilities are under active exploitation (MS16-132 and MS16-135, the latter rated Important) to the front of the queue.

 

Staying Ahead of New Vulnerabilities

The security threat landscape is constantly shifting, and there are many solutions for managing threats. The unfortunate side effect of a large toolbox is that the more tools and vendors you have, the more complex the management task becomes. When one part of your security infrastructure becomes aware of a risk, how can you most effectively bring the rest of your security ecosystem to bear on it? With Nexpose's Adaptive Security, integration with DXL and TIE from McAfee (formerly Intel Security) lets your security team gain insight into your assets and automatically prioritize them when a compromise is detected, so the team does more with less time and effort.

 

Sharing Knowledge with DXL and TIE Integration

Nexpose is able to speak over the DXL communication layer, which allows everyone on the fabric to share knowledge with the vulnerability management solution. This means communication across different vendors’ solutions, enabling you to go after threats with the proper tool or tools and maximizing your security investment.

 

One of the most powerful new features of this integration is vulnerability discovery reporting. Nexpose can automatically publish vulnerabilities (including title, Nexpose vulnerability ID, CVSS score, detection time and ePO agent ID) as they are found, so that other solutions such as firewalls and monitoring tools can act on those discoveries. Nexpose can also serve expanded vulnerability details over DXL on request.

 

In addition to publishing vulnerability discoveries, Nexpose can now consume TIE file reputation events as a trigger for automated actions. One particularly powerful use of TIE triggered events is tagging assets. TIE triggered events are capable of applying a criticality tag to assets to automatically adjust the risk score of assets, raising their visibility within Nexpose. This means malicious file events detected by TIE are seamlessly passed along to Nexpose and affected assets bubble to the top of your vulnerability reports, so you automatically fix potentially compromised assets first.

 

DXL Integration Setup and Usage Guide

Prerequisite: a site containing assets imported from ePO has already been created (the ePO discovery connection is described in the asset discovery post below).

 

Vulnerability detection

First, create a DXL discovery connection. Go to the “Administration” tab > find the “Discovery Options” card > find the “Connections” section > click the “Create” link.

[Screenshot: Nexpose Discovery Options card, Create link]

 

Name and configure your connection. Be sure to check the Publish Vulnerabilities box and test your configuration before saving.

[Screenshot: Nexpose New Discovery Connection dialog]

 

Start a scan.

When a scan finds vulnerabilities that were not previously known on an asset, Nexpose publishes a message for each one on the /rapid7/event/nexpose/vulnerability/detection topic of the DXL fabric.

 

Nexpose also listens on the /rapid7/event/nexpose/vulnerability/details topic of the DXL fabric; a request for vulnerability details sent there is answered by Nexpose with the expanded details.
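The two topics above are all a DXL client needs in order to consume Nexpose findings and pull further detail. The Python below is an added example, not Rapid7's or OpenDXL's own code: it parses detection events defensively (anything arriving on a shared fabric is untrusted input), escalates findings above a CVSS threshold once per agent and vulnerability so rescans do not re-fire downstream actions, and, in run_on_fabric, shows the OpenDXL Python client calls that would attach it to a live fabric. The JSON key names, the details request body and the sample events are assumptions: the post lists the fields a detection carries but not the wire format, so check them against what your fabric actually publishes.

```python
import json
import time
from datetime import datetime

DETECTION_TOPIC = "/rapid7/event/nexpose/vulnerability/detection"
DETAILS_TOPIC = "/rapid7/event/nexpose/vulnerability/details"
CVSS_THRESHOLD = 7.0  # escalate findings at or above this score (a policy choice)

# Constructed sample events in the ASSUMED JSON layout; not captured from a real fabric.
SAMPLE_EVENTS = [
    b'{"vulnerability_id": "msft-cve-2016-7255", "title": "Win32k elevation of privilege",'
    b' "cvss_score": 7.2, "detection_time": "2016-11-09T14:03:11Z", "epo_agent_id": "agent-0042"}',
    b'{"vulnerability_id": "msft-cve-2016-7255", "title": "Win32k elevation of privilege",'
    b' "cvss_score": 7.2, "detection_time": "2016-11-10T02:15:40Z", "epo_agent_id": "agent-0042"}',
    b'{"vulnerability_id": "msft-cve-2016-7199", "title": "Browser information disclosure",'
    b' "cvss_score": 4.3, "detection_time": "2016-11-09T14:03:12Z", "epo_agent_id": "agent-0042"}',
    b'{"vulnerability_id": "x", "cvss_score": "high"}',  # malformed: must be dropped, not raise
]


def parse_detection(payload):
    """Decode one detection event into a dict, or return None if it is unusable.

    Malformed JSON, missing keys or an out-of-range score are rejected here
    instead of raising inside the DXL callback thread.
    """
    try:
        raw = payload.decode("utf-8") if isinstance(payload, bytes) else payload
        data = json.loads(raw)
        record = {
            "vuln_id": str(data["vulnerability_id"]),  # key names are assumptions
            "title": str(data["title"]),
            "cvss": float(data["cvss_score"]),
            "detected_at": datetime.strptime(data["detection_time"], "%Y-%m-%dT%H:%M:%SZ"),
            "agent_id": str(data["epo_agent_id"]),
        }
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
    if not 0.0 <= record["cvss"] <= 10.0:
        return None
    return record


class DetectionTriage:
    """Escalates high-scoring findings once per (agent, vulnerability) pair."""

    def __init__(self, threshold=CVSS_THRESHOLD):
        self.threshold = threshold
        self.seen = set()
        self.escalated = []

    def handle(self, payload):
        """Return the parsed record if this payload should be escalated, else None."""
        rec = parse_detection(payload)
        if rec is None:
            return None
        key = (rec["agent_id"], rec["vuln_id"])
        if key in self.seen:  # a rescan republishing the same finding
            return None
        self.seen.add(key)
        if rec["cvss"] < self.threshold:
            return None
        self.escalated.append(rec)
        return rec


def build_details_request(vuln_id):
    """Payload for a request on the details topic (request format is an assumption)."""
    return json.dumps({"vulnerability_id": vuln_id}).encode("utf-8")


def run_on_fabric(config_path="dxlclient.config"):
    """Attach the triage to a live fabric with the OpenDXL Python client.

    Needs the dxlclient package and a provisioned client config file; it is not
    exercised by the offline demo below. Topic names are the ones the post gives.
    """
    from dxlclient.callbacks import EventCallback
    from dxlclient.client import DxlClient
    from dxlclient.client_config import DxlClientConfig
    from dxlclient.message import Message, Request

    triage = DetectionTriage()
    config = DxlClientConfig.create_dxl_config_from_file(config_path)
    with DxlClient(config) as client:
        client.connect()

        class DetectionCallback(EventCallback):
            def on_event(self, event):
                rec = triage.handle(event.payload)
                if rec is None:
                    return
                req = Request(DETAILS_TOPIC)
                req.payload = build_details_request(rec["vuln_id"])
                resp = client.sync_request(req, timeout=30)
                if resp.message_type != Message.MESSAGE_TYPE_ERROR:
                    print(rec["vuln_id"], resp.payload.decode("utf-8", "replace"))

        client.add_event_callback(DETECTION_TOPIC, DetectionCallback())
        while True:  # callbacks fire on client threads; keep the process alive
            time.sleep(60)


def demo():
    """Offline run over the constructed events; returns the escalated vulnerability ids."""
    triage = DetectionTriage()
    for payload in SAMPLE_EVENTS:
        triage.handle(payload)
    return [rec["vuln_id"] for rec in triage.escalated]


if __name__ == "__main__":
    print(demo())  # ['msft-cve-2016-7255']
```

Of the four constructed events, only the first is escalated: the second is the same finding republished, the third is below the threshold, and the fourth is rejected by the parser. The dedup key is (agent, vulnerability) rather than the whole message because detection time changes on every rescan.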

 

Automated Actions using TIE File Reputation Events

Turn on risk score adjustment by going to the “Administration” tab > find the “Global and Console Settings” card > and selecting “Manage.”

 

From the “Risk Score Adjustment” tab, check the “Adjust asset risk scores based on criticality” and save.

 

[Screenshot: Nexpose Risk Score Adjustment tab]

 

From any screen click the “Automated Actions” icon in the top right.

[Screenshot: Nexpose Automated Actions icon]

 

After the “Automated Actions” panel appears, click “New Action.”

In the “Trigger” panel, select “TIE File Reputation Event” and the DXL connection.

In the “Action” panel, pick the “Tag” and select the “Very High” tag.

 

Now, when TIE reports a malicious file event for an asset, that asset is tagged "Very High" and its risk score is scaled up accordingly.

Security professionals today face great challenges protecting their assets from breaches by hackers and malware. A good vulnerability management solution could help mitigate these challenges, but vulnerability management solutions often produce huge volumes of data from scanning and require lots of time spent in differentiating between information and noise.

Rapid7 Nexpose helps professionals identify the most critical assets that can be exploited. With this information the security professional can take necessary steps to mitigate the risk.

 

Each vulnerability has a risk score between 0 and 1000, calculated from Rapid7's security intelligence, and an asset's risk score is the sum of the risk scores of all its vulnerabilities; a higher asset score therefore means the asset is more exposed to attack. Unlike a plain CVSS score, which ignores the context around a vulnerability, the Real Risk score starts from the CVSS value and adjusts it by analyzing each risk element separately, incorporating temporal and governance parameters.

 

Temporal parameters look at the age of a vulnerability, as well as how many exploits and/or malware kits use the vulnerability. Temporal score increases over time, increasing risk score.

 

Governance parameters follow asset tagging in Nexpose which lets you tag assets as more critical or less critical than others, raising or lowering risk scores accordingly.
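To make the interplay of temporal and governance factors concrete, here is an added, illustrative scoring model in Python. It is not Rapid7's Real Risk algorithm; the weights, caps and field names are invented for this example and the sample assets are constructed. What it demonstrates is the behaviour the posts above describe: an old, weaponised vulnerability scores far above its base, and once an asset is tagged "Very High" (as the TIE automated action does) it outranks an untagged asset with a larger raw vulnerability total.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class Vuln:
    vuln_id: str
    base: float             # 0-1000 base score, assumed to come from the scanner
    published: date         # date the vulnerability became public
    exploits: int = 0       # public exploits known to use it
    malware_kits: int = 0   # malware kits known to use it


@dataclass
class Asset:
    name: str
    vulns: List[Vuln] = field(default_factory=list)
    criticality: Optional[str] = None  # Nexpose criticality tag, e.g. "Very High"


# Governance: multiplier on the asset total per criticality tag (invented weights).
CRITICALITY_WEIGHT = {
    None: 1.0, "Very Low": 0.5, "Low": 0.75, "Medium": 1.0, "High": 1.5, "Very High": 2.0,
}


def temporal_factor(v, today):
    """Multiplier that grows with age and with exploit/malware-kit availability (invented weights)."""
    age_years = min(max((today - v.published).days, 0) / 365.0, 1.0)
    age = 0.5 * age_years                 # up to +50% over the first year, then flat
    exploit = 0.25 * min(v.exploits, 2)   # each public exploit +25%, capped at two
    kits = 0.5 * min(v.malware_kits, 1)   # a malware kit means attacks are automated: +50%
    return 1.0 + age + exploit + kits


def vuln_risk(v, today):
    """Temporal-adjusted score, clamped to the 0-1000 range the post describes."""
    return max(0.0, min(v.base * temporal_factor(v, today), 1000.0))


def asset_risk(a, today):
    """Sum of the asset's vulnerability scores, then the governance adjustment."""
    total = sum(vuln_risk(v, today) for v in a.vulns)
    return total * CRITICALITY_WEIGHT.get(a.criticality, 1.0)


def prioritise(assets, today):
    """Assets ordered for remediation, highest risk first."""
    return sorted(assets, key=lambda a: asset_risk(a, today), reverse=True)


def demo():
    """Constructed data: a file server with two fresh vulns and a workstation with
    one year-old, weaponised vuln. Returns the ranking before and after a TIE event
    tags the workstation Very High, plus the scores behind it."""
    today = date(2016, 11, 15)
    server = Asset("fs-01", [
        Vuln("vuln-a", base=400, published=today),
        Vuln("vuln-b", base=350, published=today, exploits=1),
    ])
    workstation = Asset("ws-042", [
        Vuln("vuln-c", base=300, published=date(2015, 11, 15), exploits=2, malware_kits=1),
    ])
    before = [a.name for a in prioritise([server, workstation], today)]
    workstation.criticality = "Very High"  # what the TIE-triggered automated action does
    after = [a.name for a in prioritise([server, workstation], today)]
    return {
        "before": before,
        "after": after,
        "scores": {
            "fs-01": asset_risk(server, today),
            "ws-042 tagged": asset_risk(workstation, today),
        },
    }


if __name__ == "__main__":
    print(demo())
```

With these weights the server totals 837.5 (400 + 437.5) and the untagged workstation 750 (300 x 2.5), so the server ranks first; the "Very High" tag doubles the workstation to 1500 and moves it to the top, which is the "bubble to the top of your vulnerability reports" effect described earlier.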

 

The ePO integration lets security teams bring Rapid7's risk scoring into ePO, so the real risks with the highest potential impact on the environment are identified there and the right mitigation steps can be taken.

 

Setting Up Risk Score Integration

To integrate ePO with Nexpose a site must be configured in Nexpose to hold all of the assets that are imported from ePO during the integration process.

 

The following steps show how to set up an ePO integration with Nexpose and how to push risk scores from Nexpose into ePO:

 

1. Go to the Administration page on Nexpose
2. Click on Create Discovery Connection
3. From the Connection Type, choose Intel Security ePolicy Orchestrator

 

[Screenshot: Nexpose New Discovery Connection dialog]

 

4. Enter all the information needed to connect to ePO server.
5. Check the option “Consume assets” and select a site in which all the existing assets in ePO will go.
6. Check “Push risk scores” to have Nexpose risk scores pushed to ePO.
7. Click the Test Credentials button to confirm the connection details; if they are valid, the following message appears.

 

[Screenshot: Nexpose New Discovery Connection, ePO credentials tested successfully]

 

8. Click on Save to save the connection and start the integration process between ePO and Nexpose.

 

Shortly after clicking save, the site selected in the configuration will start importing assets from ePO.

 

After the assets have been imported, run a scan on the site with any scan template other than the discovery scan template (a discovery-only scan finds live hosts but runs no vulnerability checks, so it produces no risk scores). Once the scan completes, the risk scores Nexpose calculated appear in ePO.

 

There is a convenient built-in dashboard present in ePO that shows the top 10 riskiest assets in ePO as identified by Nexpose. The following screenshot shows the dashboard:

 

[Screenshot: Nexpose ePO dashboard showing the top 10 riskiest assets]

 

Now Rapid7 Nexpose has provided the risk exposure information to all ePO partners to see the real risk associated with these assets. With this critical information the respective administrators can work together on the next steps to mitigate the risk identified. Some common operations include quarantining systems, pushing updates to assets and setting up compliance policies.

 

Already a McAfee customer? Be sure to download a trial license of Nexpose and try the integration today!

As a corporate network grows and new locations are opened up, it becomes increasingly difficult for companies to keep track of and understand their total asset count and the associated risk exposure. Nexpose lets you easily discover all of your assets before a scan, but if that information is already in a great asset management tool like McAfee ePO, why waste time and duplicate efforts? Now you don’t have to, with the ability to automatically import ePO assets into Nexpose before a scan.

 

Solution

The goal of the ePO asset discovery use case is to allow users to import ePO assets, including assets from the McAfee Vulnerability Manager (MVM), into Nexpose. McAfee is discontinuing support for MVM, which means that their customers need to find another vulnerability management solution. Rapid7’s ePO integration allows users to import MVM systems or any other systems managed through ePO into Nexpose. Once their assets are imported, they have visibility into all their assets via Nexpose, and can manage them from there.

 

How it works

Nexpose allows customers to create a connection to an ePO server. Once they have done so, all systems currently being managed by ePO will be imported into Nexpose. Nexpose will check periodically for any new or updated systems within ePO. Nexpose is capable of correlating existing assets with imported assets from ePO, consolidating risk and avoiding duplication.

 

Once ePO assets are imported into Nexpose, they can be managed like any other asset, including scheduling scans and generating reports. In other words, if you already are keeping ePO up to date with your latest assets, you can now automatically import these into Nexpose.

 

Setup

Nexpose imports ePO assets into a static site, and we recommend a dedicated site for this purpose. Create the site and put one placeholder hostname in its included-assets list, since Nexpose does not allow an empty site to be saved. See https://help.rapid7.com/nexpose/ for details.

 

[Screenshot: Nexpose site configuration with a placeholder asset]

 

Next, set up a connection to your ePO server by going to Administration > Discovery Options > Create Connection and selecting "Intel Security ePolicy Orchestrator" as the connection type. The Rapid7 ePO extension creates a NexposeServiceUser account in ePO that holds only the Nexpose Remote Command privilege; use this account, or create one with the same minimal permissions, for the asset import rather than an ePO administrator account, so a compromised Nexpose credential cannot be used to manage ePO. Select the "consume assets" consumption setting and choose the site created above.

 

[Screenshot: Nexpose New Discovery Connection dialog for ePO]

 

 

We also recommend installing a certificate issued by a CA your Nexpose console trusts on the ePO server, rather than configuring the connection to accept a self-signed certificate; otherwise the console has no way to tell your ePO server from an impostor presenting its own self-signed certificate. Click the "Test Credentials" button to ensure the connection is configured correctly, then choose "Save" to save the connection; Nexpose will immediately start importing assets from ePO.

 

Initially the imported assets have only an IP address, hostname and MAC address, and no last-scanned date. To learn about these assets and their vulnerabilities, scan them immediately or schedule a scan for later.
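Asset correlation is what keeps an ePO import from doubling your asset count. The Python below is an added illustration, not Nexpose's own matching logic: it assumes the three fields the post says an imported asset carries (IP, hostname, MAC), matches on the most stable key first (MAC, then hostname, then IP) and handles the usual failure modes: a host that picked up a new DHCP lease, a record that differs only by hostname case or a trailing dot, and an asset Nexpose had no MAC for. The inventory and import records are constructed.

```python
import ipaddress


def norm_mac(mac):
    """'00-1C-42-AA-BB-CC', '001c42aabbcc' and '00:1c:42:aa:bb:cc' all become '001c42aabbcc'."""
    if not mac:
        return None
    digits = "".join(ch for ch in str(mac).lower() if ch in "0123456789abcdef")
    return digits if len(digits) == 12 else None


def norm_host(hostname):
    """Case-insensitive, trailing dot stripped; a blank name counts as absent."""
    if not hostname:
        return None
    name = str(hostname).strip().lower().rstrip(".")
    return name or None


def norm_ip(ip):
    """Canonical text form, or None for garbage. IP is the weakest key: DHCP reuses addresses."""
    try:
        return str(ipaddress.ip_address(str(ip).strip()))
    except ValueError:
        return None


class AssetInventory:
    """Existing assets plus one index per correlation key."""

    def __init__(self, assets):
        self.assets = []
        self.by_mac, self.by_host, self.by_ip = {}, {}, {}
        for a in assets:
            self._add(dict(a))

    def _keys(self, asset):
        return ((self.by_mac, norm_mac(asset.get("mac"))),
                (self.by_host, norm_host(asset.get("hostname"))),
                (self.by_ip, norm_ip(asset.get("ip"))))

    def _index(self, asset):
        for table, key in self._keys(asset):
            if key:
                table[key] = asset

    def _unindex(self, asset):
        for table, key in self._keys(asset):
            if key and table.get(key) is asset:
                del table[key]

    def _add(self, asset):
        self.assets.append(asset)
        self._index(asset)

    def find(self, record):
        """Most reliable key first: MAC, then hostname, then IP address."""
        for table, key in self._keys(record):
            if key and key in table:
                return table[key]
        return None

    def correlate(self, imported):
        """Merge imported records; returns (action, asset_id) pairs in input order.

        A match refreshes the IP (leases change) and fills in a missing hostname or MAC,
        keeping what Nexpose already had; a miss creates a new asset. Assumed policy.
        """
        actions = []
        for rec in imported:
            existing = self.find(rec)
            if existing is None:
                new_id = max((a["id"] for a in self.assets), default=0) + 1
                self._add({"id": new_id, "ip": rec.get("ip"),
                           "hostname": rec.get("hostname"), "mac": rec.get("mac")})
                actions.append(("created", new_id))
                continue
            self._unindex(existing)
            existing["ip"] = rec.get("ip") or existing.get("ip")
            for key in ("hostname", "mac"):
                if not existing.get(key) and rec.get(key):
                    existing[key] = rec[key]
            self._index(existing)
            actions.append(("matched", existing["id"]))
        return actions


# Constructed data: what Nexpose already knows, and what an ePO import brings.
EXISTING_ASSETS = [
    {"id": 1, "ip": "10.0.1.20", "hostname": "ws-042.corp.example", "mac": "00:1c:42:aa:bb:cc"},
    {"id": 2, "ip": "10.0.1.30", "hostname": "fs-01.corp.example", "mac": None},
]
EPO_IMPORT = [
    {"ip": "10.0.1.77", "hostname": "WS-042", "mac": "00-1C-42-AA-BB-CC"},             # same NIC, new lease
    {"ip": "10.0.1.30", "hostname": "FS-01.corp.example.", "mac": "00:1c:42:dd:ee:ff"},  # MAC learnt from ePO
    {"ip": "10.0.1.99", "hostname": "new-box.corp.example", "mac": "00:1c:42:11:22:33"},  # genuinely new
]


def demo():
    """Returns the actions taken and the resulting inventory."""
    inv = AssetInventory(EXISTING_ASSETS)
    return inv.correlate(EPO_IMPORT), inv


if __name__ == "__main__":
    actions, inv = demo()
    print(actions)  # [('matched', 1), ('matched', 2), ('created', 3)]
```

The first record matches by MAC even though both its IP and its short hostname differ from what Nexpose had, the second matches by hostname despite the case and trailing-dot differences and picks up the MAC Nexpose was missing, and the third creates a new asset. The old lease address 10.0.1.20 is dropped from the index so a future record carrying it is not wrongly glued to asset 1.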

 

[Screenshot: assets imported from ePO, listed in Nexpose]

We wanted to give you a preview of Nexpose's new integration with both McAfee ePolicy Orchestrator (ePO) and McAfee Data Exchange Layer (DXL); this is the next stage of our partnership with Intel as their chosen vendor for vulnerability management [PDF]. This partnership is also a first for both Rapid7 and Intel, as Nexpose is the only vulnerability management solution that not only pushes our risk scoring into ePO for analysis, but also automatically imports asset data from ePO and threat intelligence from DXL into Nexpose for better discovery and prioritization. On top of that, we publish vulnerability data to DXL so that your entire DXL ecosystem can benefit from this intel (pun fully intended). The integration is currently in its final stages, so here's what you have to look forward to:

 

[Image: Vulnerability management for your McAfee ecosystem]

 

ePO and Nexpose: Correlating risk, and ensuring no asset goes unscanned

 

ePO lets you deploy, manage and report on a huge portion of your security program - from endpoint protection right out to the gateway. Now you can overlay this information with the susceptibility of your systems to a real world attack, by importing our unique risk score that incorporates vital context including exploit exposure, vulnerability age and malware exposure to show you the vulnerabilities and assets an attacker is most likely to target.

 

In addition, ePO and Nexpose communicate asset information, ensuring coverage accuracy for the crucial first step of any scan: Discovery. Not only can you import current ePO asset details into Nexpose, making initial set up a breeze, you can automatically import newly discovered ePO assets too, so your vulnerability management team always has the complete picture of your network (or if you’re a one man shop or an elite team of security oracles, you don’t have to waste time doing the same work with multiple products).

 

DXL and Nexpose – share vulnerability info and automate exploit response

 

The McAfee DXL platform lets multiple products collaborate and share information with each other – it’s essentially a force multiplier for your security program. Nexpose and DXL customers correlate Nexpose risk scores and vulnerability data with other products in the ecosystem. Via Intel’s Threat Intelligence Exchange (TIE), Nexpose can also identify systems that may have been compromised and prioritize them for remediation. No other vulnerability management tool provides this kind of insight to the Intel Security partner ecosystem.

[Image: Rapid7 and Intel Security automated detection and remediation]

 

Keep an eye out for detailed blog posts on each of these integration points over the next few weeks; in the meantime, check out our webcast on October 26th and reach out to your friendly neighborhood sales rep or customer success manager for more information on integrating these two key pieces of your security program!

Hooray for crystalware!

[Photo: the awards]

I hit a marketer's milestone on Thursday – my first official award ceremony, courtesy of the folks at Computing Security Awards, which was held at The Cumberland Hotel in London. Staying out late on a school night when there's a 16 month old teething toddler in the house definitely took its toll the following morning, but the tiredness was definitely softened by the sweet knowledge that we'd left the award ceremony brandishing some crystalware. In the two categories in which Rapid7 solutions were shortlisted as finalists - SME Security Solution of the Year (Nexpose) and Best New Product of the Year (InsightIDR) - we were awarded winner and runner-up respectively.

 

What’s particularly cool about the Computing Security Awards is that the majority of awards, including the two we were up for, are voted for by the general public, so receiving these accolades is very special to us. We’d like to say an absolutely massive THANK YOU to everyone who voted for our products, we are truly very grateful for your support.

 

Hooray for Nexpose!

[Photo: SME Security Solution of the Year award]

Nexpose storming to the win in the SME category, a space that isn't always top of mind for some security vendors, really validates for me how well designed and engineered the product is. Our customers come in all shapes and sizes, and the maturity of their vulnerability management programs varies just as much, but Nexpose caters for all. In SME the concept of a dedicated security team is certainly less common. More often than not we see that IT teams have security as just one of their many disciplines – so they need a vulnerability management tool which is easy to use, and allows them to quickly prioritise remediation efforts with live data that's relevant to their environment. Nexpose determines and constantly updates vulnerability risk scoring using RealRisk – scoring vulnerabilities from 1-1000, thus removing the nightmare of having umpteen hundred "criticals" which are seemingly all equal. Liveboards (because dashboards don't actually dash – they should really be called meanderboards) provide admins with real time data – you know at all times exactly how well you are winning at remediating. If you're reading this blog and you're thinking about implementing a new VM solution, you should download a free trial here and experience it in action for yourself.

 

Hooray for InsightIDR!

InsightIDR receiving an honourable mention in the Best New Product category makes Sam very happy. This product was frankly one of the main reasons I came to work for Rapid7. When I first heard of it back in March my interest was immediately sparked, as I'd never seen anything quite like it. I've worked in incident response in a previous life, and have seen a vast number of organisations really struggle to find answers when they are in the unfortunate situation of a cyberattack. Some didn't even know they'd been under attack until they received notification from a third party. Incidents would regularly go on for many days, with teams having to work around the clock under great pressure to balance business continuity and incident response, which is the juggling act from hell. More often than not, investigations and Root Cause Analysis reports would take months and months, and would frequently be lacking in details. If you can't see what's happening, you can't properly respond, and you have pretty much a zero chance of taking away any solid learnings from the event. InsightIDR solves these problems by combining SIEM, EDR and UBA capabilities, which means it detects attacks early in the attack chain, finds compromised credentials, and provides a clear investigation timeline. It's truly an amazing piece of kit, and I know that every incident I ever worked on would undoubtedly have had a better outcome had InsightIDR been in place at the time. Seeing in this case will definitely result in believing – I'd heartily recommend you arrange a demo today.

 

Hooray for Integrated Solutions!

So before I give a shout out to the incredible people behind these two superb products, there’s one further piece of good news: you can now integrate [PDF] them too!

 

Hooray for Moose!

Our people, our “Moose”, who design, build, test, sell, support and of course market (obvs.) these products are all the winners here. I don’t use the term ‘incredible’ lightly either – I am privileged to have represented them at the awards ceremony, we have an amazing team across the globe jam-packed with smart, creative, brilliant people. Our solutions are testament to the work they do, their combined knowledge solves difficult customer problems, providing insight to security professionals all over the world. Congratulations Moose – you are a bloody awesome bunch!

Thanks again to everyone who voted for our solutions, and a big cheers to the folks at Computing Security who held a brilliant awards bash. We hope to see you again next year!

Welcome to Nexpose and the Rapid7 family! This blog is a step by step guide for new Nexpose customers to show you how to set up your first site, start a scan, and get your vulnerability management program under way.

 

First things first: a few definitions in Nexpose:

 

Site: A logical group of assets, often corresponding to a physical location or network segment; i.e. what you want to scan

 

Scan Template: The things that your scan will look for and how it does discovery; i.e. how you scan

 

Dynamic Asset Group: A filtering of the assets from your scans/sites based on certain criteria like OS, vulnerability, PCI pass/fail, etc.; i.e. how you organize your scan results.

 

Related Resource: [VIDEO] Learn how to setup dynamic asset groups in Nexpose

 

To get started, click on the “create site” button on your Nexpose home screen:

[Screenshot: Nexpose home screen with the Create Site button]

Here, give your site a name; as sites are usually logical groupings of your assets, they’re often things like “Boston Office” or “LA Datacenter”

[Screenshot: site Info & Security tab, naming the site]

For now, don’t worry about the tagging features and the organization/access tabs.

 

Now let’s get into the meat of it. Click into the next section on the top bar, Assets, and enter the assets you want to scan into the “assets” field. You can do this a couple of ways:

  • Simply type in or copy/paste a list of addresses (Nexpose accepts all the common formats)
  • Import a list of assets from an XML file or similar document
  • Create a connection to VMware/AWS/DHCP/ActiveSync and import assets live: we won't cover this in the scope of this blog post, but you can hook Nexpose directly to the tools above to dynamically import assets into the site. Simply go to "connection" and "create connection" to hook them up (you can also read up on this process in the user guide or ask your Customer Success Manager).

[Screenshot: site Assets tab with the included-assets field]

 

Next let’s go to Credentials. Here you can enter credentials so that Nexpose can authenticate into the devices you’re scanning. Although not required for scanning, we strongly recommend you do authenticated scanning whenever possible; it’ll greatly reduce false positives and give you much more in depth detail on your vulnerabilities, especially for installed software/services.

 

Go to “add credentials” to give a new set of creds a name, select the service you’re using, and input the associated details. You can also test credentials to make sure they’re valid. Once you create this, let’s move on to Templates!

[Screenshot: site Credentials tab]

Templates are the way that scans are actually run. We have a whole bunch of prebuilt templates in Nexpose, such as for specific compliance scanning (SOX, PCI, etc) or scanning SCADA systems, and you can also copy and customize any template to get into the nuts and bolts of how Nexpose does its magic.

 

For our purposes though, a good scan template to start with is Full Audit without Web Spider; this will discover live assets in the range you gave and scan them for all the relevant vulnerability checks in our database, without trying to crawl through web app scanning (which usually needs some more configuration; if web apps are important for you, learn more about our web application security solutions, and be sure to check out AppSpider).

[Screenshot: site Templates tab with Full Audit without Web Spider selected]

Almost there! The Engines tab lets you select which scan engine you want to do the scan; Nexpose has a distributed architecture that lets you deploy scan engines in remote locations that you don’t have access to from the main console, and scan locally.

 

Your console will come with a scan engine built in, so you can just select “Local scan engine” to launch the scan from your main console.

[Screenshot: site Engines tab with Local scan engine selected]

And that’s it! Now you can click “Save and Scan” to launch your scan right away. You can also go to the Schedule section to easily schedule your scans for a later date, or set up a recurring scan schedule.

 

There’s a ton of things you can do to customize your scans and make them more efficient, from custom scan templates to engine pooling and alerts; be sure to reach out to your Customer Success Manager for any questions or check out the Nexpose Training options!


Patch Tuesday, October 2016

Posted by anowak Employee Oct 11, 2016

October continues a long-running trend for Microsoft's products: the majority of bulletins (6) address remote code execution (RCE), followed by elevation of privilege (3) and information disclosure (1). All of this month's critical bulletins cover remote code execution vulnerabilities across a variety of products and platforms, including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, SharePoint and Windows (client and server).

 

While Microsoft keeps fixing these issues, as the steady stream of critical RCE bulletins shows, it has not been able to eliminate this class of bug from the client-facing applications listed above, which leaves end users as one of the largest attack vectors.

 

This month Microsoft resolves 49 vulnerabilities across 10 bulletins. For client systems, MS16-118, MS16-119, MS16-120, MS16-121 and MS16-127 are the bulletins to watch, addressing 38 vulnerabilities. For servers, no particular bulletin demands immediate attention, so most server admins can roll out patches at a fairly leisurely pace. Unfortunately, four of the vulnerabilities are already being exploited in the wild: CVE-2016-3298 (addressed by both MS16-118 and MS16-126), CVE-2016-7189 (MS16-119), CVE-2016-3393 (MS16-120) and CVE-2016-7193 (MS16-121).

 

Users should be wary of content from untrusted sources, since maliciously crafted content could let an attacker execute code remotely with the rights of the user's account. The best protection against these threats is to patch systems as quickly as possible. Administrators should review this month's bulletins and prioritize deployment according to their own configuration. At a minimum, patch systems affected by the critical bulletins (MS16-118, MS16-119, MS16-120, MS16-122 and MS16-127), and treat the bulletins fixing the four actively exploited vulnerabilities (MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126) as the first wave.

 

This year we've made many enhancements to the configuration policy assessment capabilities in Nexpose, including adding 4 new reports and NIST 800-53 controls mapping. Last week we unveiled a new and improved user interface for the Policy Manager, providing you with more information on your compliance position at your fingertips.

 

With the new interface, you can quickly see how compliant you are overall, understand where you need to focus, and drill down to get detailed policy results. But it's not just the look-and-feel that's improved, we've also been working on making the Policy Manager more responsive and scalable, enabling larger datasets to load much faster.

 

What's New

The new Policy View lets you see at a glance all the policies you've scanned for and the overall percentage of compliance across your network. Clicking on the number of Scanned Policies dynamically filters the table below to only show policies with assessment results. Sort the table by Rule Compliance to quickly see which policies are the least compliant, or by Compliance Trend to see which policies are heading in the wrong direction.

 

 

Clicking on a policy takes you to a detailed view showing the number of scanned assets and the overall level of compliance. You can drill into a particular rule to see more information including the assessment results of each scanned asset and remediation steps - giving you all the information you need to take action.

 

 

The new interface also includes a new Asset view where you can see which assets are the most and least compliant, when they were last scanned, and whether they're improving their compliance position or not.

 

 

Like with policies, clicking on an asset takes you to a detailed view of the asset showing the number of assessed rules and the overall level of compliance. You can drill into a particular rule to see more information including whether the asset is compliant with the rule, proof for why the rule passed or failed, and remediation steps.

 

 

Auditing your systems for compliance with secure configuration policies like CIS benchmarks, DISA STIGs and USGCB is an important part of any effective security and compliance program. If you haven't tried automating this process with the Policy Manager in Nexpose yet, or haven't tried it in a while, now is the perfect time.

At the beginning of summer, we announced some major enhancements to Nexpose including Live Monitoring, Threat Exposure Analytics, and Liveboards, powered by the Insight Platform. These capabilities help organizations using our vulnerability management solution to spot changes as they happen and prioritize risks for remediation.

We've also been working on a new way for organizations to get a real-time view into their exposures. Rapid7 Insight Agents (Beta), along with our active scanning and Adaptive Security capabilities, allow you to monitor your network and endpoints for risk. This week we're opening up this new capability to all Nexpose Enterprise and Ultimate users.

5 Reasons why you should try Rapid7 Insight Agents (Beta)

1. Get a live view into exposures

Our agents automatically collect data from your endpoints and seamlessly integrate it into Nexpose Now, so your Liveboards are always populated with real-time data without the need to hit refresh or rescan.

2. Endpoint security for remote workers

Remote workers rarely, or in some cases never, connect to the corporate network and often miss scheduled scan windows. Our lightweight agents can be deployed to monitor risks posed by the mobile workforce.

3. Eliminate restricted asset blindspots

Some assets are just too critical to the business to be actively scanned. With our agents, you'll get visibility into assets with strict scanning restrictions, while removing the need to manage credentials to gain access.

[Screenshot: Rapid7 Exposure Analytics]

4. Track and manage agents centrally

Monitor the status of your agents from your Liveboards to identify any discrepancies or errors that require attention. You can also see when the last data collection took place and which agents are currently online or offline.

5. One agent to rule them all

The same agent is used for all solutions on the Insight Platform, including Nexpose Now and InsightIDR, so you only need a single endpoint agent for both vulnerability management and endpoint threat detection.

To start using Rapid7 Insight Agents, you'll need to log in to Nexpose and opt-in to Nexpose Now. If you have already opted in to Nexpose Now, click on Manage Agents on one of the Agents Liveboard cards. This takes you to the Agents page where you can download the Windows agent installer and monitor your agents.

All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better.

At the beginning of summer, we announced some major enhancements to Nexpose including Live Monitoring, Threat Exposure Analytics, and Liveboards, powered by the Insight Platform. These capabilities help organizations using our vulnerability management solution to spot changes as they happen and prioritize risks for remediation.

We've also been working on a new workflow tool to streamline the next part of the job - fixing exposures. Remediation Workflow (Beta) allows you to convert exposures into vulnerability remediation projects for assigning and tracking progress. This week we're opening up this new capability to all Nexpose Enterprise and Ultimate users.

5 Reasons why you should try the Remediation Workflow (Beta)

1. Get from find to fix, fast

Say you spot an exposure that needs to be fixed from your Liveboard. With Remediation Workflow, you can create a project straight from the analytics card and assign it to the right person with all the context they need to get the job done. No need to waste time pulling data from multiple places or logging into another tool to create a ticket.

2. Prioritize what's important

Nexpose automatically takes into account the likelihood of a real-world attack and the assets your company cares about when prioritizing vulnerabilities for remediation, so you can be confident you're fixing the right things. You'll also get insight into the impact of each project and individual task on reducing risk across your organization.

3. Patch all the (critical) things

Create and assign an ongoing vulnerability remediation project that dynamically updates with critical exposures on business-critical assets as soon as they appear. You can combine this with Live Monitoring, which automatically detects and assesses changes in your network, to create a live workflow that does away with manual scanning and reporting.

4. Talk the same language

Like Nexpose's popular Top Remediations report, Remediation Workflow breaks down tasks using IT speak, not security speak. With Nexpose Now's powerful analytics engine, you can streamline communications by providing IT teams with relevant information on what needs to be fixed, including remediation steps and asset details.

5. See progress as it happens

Quickly see the status of all vulnerability remediation projects or filter by owner to get insight into progress made by each team. Remediators can choose to update the status of tasks as they make progress or in bulk at the end of a project. You can track projects until completion in real-time, then automatically verify the fixes during the next scan.

To start using Remediation Workflow, simply log in to Nexpose and opt-in to Nexpose Now. If you have already opted in to Nexpose Now, you'll automatically see the Projects icon appear in the left navigation menu.

All of our innovations are built side-by-side with our customers through the Rapid7 Voice program. Please contact your Rapid7 CSM or sales representative if you're interested in helping us make our products better.

Rapid7’s Incident Detection and Response and Vulnerability Management solutions, InsightIDR and Nexpose, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigations by highlighting risk across your network ecosystem without writing queries or digging through logs.

Nexpose proactively identifies & prioritizes weak points on your network, while InsightIDR helps find unknown threats with user behavior analytics, prioritizes where to look with SIEM capabilities, and combines endpoint detection and visibility to leave attackers with nowhere to hide. Let’s look at three specific benefits: (1) putting a "face" to your vulnerabilities, (2) automatically placing vulnerable assets under greater scrutiny, and (3) flagging users that use actively exploitable assets.

[Screenshot: vulnerabilities shown by user]

User Context for Your Vulnerabilities

InsightIDR integrates with your existing network & security infrastructure to create a baseline of your users’ activity. By correlating all activity to the users behind it, you’re alerted to attacks that are notoriously hard to detect, such as compromised credentials and lateral movement.

When InsightIDR ingests the results of your Nexpose vulnerability scans, vulnerabilities are added to each user’s profile. When you search by employee name, asset, or IP address, you get a complete look at their user behavior:

[Screenshot: InsightIDR user page]

How this saves you time:

  • See who is affected by what vulnerability – this helps you get buy-in to remediate a vulnerability by putting a face and context on a vulnerability. (“The CFO has this vulnerability on their laptop – let's prioritize remediation.”)
  • Have instant context on the user(s) behind an asset, so you accelerate incident investigations and can see if the attacker laterally moved beyond that endpoint.
  • Proactively reduce your exposed attack surface, by verifying key players are not vulnerable.

Automatic Security Detection for Critical Assets

In Nexpose, you can dynamically tag assets as critical. For example, they may be in the IP range of the DMZ or contain a particular software package/service unique to domain controllers. Combined with InsightIDR, that context extends to the users that access these assets.

When InsightIDR ingests scan results, assets tagged as critical are labeled in InsightIDR as Restricted Assets. This integration helps you automatically place vulnerable assets under greater detection scrutiny.

Some examples of alerts for Restricted Assets:

  • First authentication from an unfamiliar source asset: InsightIDR doesn't just alert on the IP address, but whenever possible, shows the exact users involved.
  • An unauthorized user attempts to log-in: This can include a contractor or compromised employee attempting to access a financial server.
  • A unique or malicious process hash is run on the asset: A single Insight Agent deployed on your endpoints performs both vulnerability scanning and endpoint detection. Our vision is to reliably find intruders earlier in the attack chain, which includes identifying every process running on your endpoints. We run these process hashes against the wisdom of 50 virus scanners to identify malicious processes, as well as identify unique processes for further investigation.
  • Lateral movement (both local and domain): Once inside your organization’s network, intruders typically run a network scan to identify high-value assets. They then laterally move across the network, leaving behind backdoors & stealing higher privilege credentials.
  • Endpoint log deletion: After compromising an asset, attackers look to delete system logs in order to hide their tracks. This is a high-confidence indicator of compromise.
  • Anomalous admin activity, including privilege escalation: Once gaining access to an asset or endpoint, attackers use privilege escalation exploits to gain admin access, allowing them to dump creds or attempt pass-the-hash. We identify and alert on anomalous admin activity across your ecosystem.
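As an added illustration (not InsightIDR's own code) of how three of the Restricted Asset alerts above can be expressed as detection logic, here is a small Python detector run over constructed Windows logon and audit-log events. The event field names, the learning window that defines the "familiar" source assets, the allowed-user list per restricted asset, and the use of Windows event IDs 4624 (successful logon), 1102 (audit log cleared) and 104 (System log cleared) are assumptions made for the example, not details from the post.

```python
# Added example, not InsightIDR's detection code: three Restricted Asset alerts
# (first authentication from an unfamiliar source, unauthorized user logon,
# endpoint log deletion) as plain detection logic over constructed events.
#
# Assumptions (not from the post): events are dicts with the fields below;
# Windows event ID 4624 = successful logon, 1102 = audit log cleared,
# 104 = System log cleared; logons inside a learning window define the
# familiar source assets for each restricted asset.
from collections import defaultdict

LOGON_SUCCESS = 4624
LOG_CLEARED = {1102, 104}

# Restricted assets (in the product these come from Nexpose "critical" tags)
# mapped to the accounts allowed to log on to them. Constructed for the example.
RESTRICTED = {"fin-srv01": {"alice", "bob"}}

# Constructed sample events in time order. 'source' is the asset the logon
# came from; '-' means not applicable to that event type.
EVENTS = [
    {"ts": 1, "asset": "fin-srv01", "event_id": 4624, "user": "alice",     "source": "wks-alice"},
    {"ts": 2, "asset": "fin-srv01", "event_id": 4624, "user": "bob",       "source": "wks-bob"},
    {"ts": 3, "asset": "fin-srv01", "event_id": 4624, "user": "alice",     "source": "wks-alice"},
    {"ts": 4, "asset": "fin-srv01", "event_id": 4624, "user": "alice",     "source": "wks-ctr07"},
    {"ts": 5, "asset": "fin-srv01", "event_id": 4624, "user": "ctr-jones", "source": "wks-bob"},
    {"ts": 6, "asset": "fin-srv01", "event_id": 1102, "user": "alice",     "source": "-"},
    {"ts": 7, "asset": "wks-bob",   "event_id": 1102, "user": "bob",       "source": "-"},
]


def detect(events, restricted, learn_until):
    """Return a list of (alert_type, asset, user, detail) tuples.

    Logons with ts <= learn_until only build the baseline of familiar sources;
    later logons are evaluated against it. Events for assets that are not
    restricted are ignored, mirroring the "greater scrutiny" scope above.
    """
    familiar = defaultdict(set)  # asset -> source assets seen in the baseline
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        asset = e["asset"]
        if asset not in restricted:
            continue
        if e["event_id"] in LOG_CLEARED:
            # Log deletion on a restricted asset needs no baseline: it fires
            # even inside the learning window.
            alerts.append(("log_deletion", asset, e["user"], e["event_id"]))
            continue
        if e["event_id"] != LOGON_SUCCESS:
            continue
        if e["ts"] <= learn_until:
            familiar[asset].add(e["source"])
            continue
        if e["user"] not in restricted[asset]:
            alerts.append(("unauthorized_user", asset, e["user"], e["source"]))
        if e["source"] not in familiar[asset]:
            alerts.append(("unfamiliar_source_auth", asset, e["user"], e["source"]))
            familiar[asset].add(e["source"])  # one alert per new source, not per logon
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, RESTRICTED, learn_until=3):
        print(alert)
```

The log-deletion check fires even during the learning window because the post treats it as a high-confidence indicator that needs no baseline; the unfamiliar-source check records each new source after alerting, so a burst of logons from one new host produces a single alert rather than one per logon. Event 1102 on wks-bob produces nothing because that asset is not restricted, which is exactly the scoping the critical-asset tag provides.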

Identifying Users that Use Exploitable Assets

Many Nexpose customers purchase Metasploit Pro to validate their vulnerabilities and test if assets can be actively exploited in the wild. As an extension of the critical asset functionality above, customers that own all three products can automatically tag assets that are exploited by Metasploit as critical, and thus mark these as restricted assets in InsightIDR. This ensures that assets which are easy to breach are placed under higher scrutiny until the exploitable vulnerabilities are patched.

[Screenshot: InsightIDR asset information]

Configuring the InsightIDR-Nexpose Integration

If you have InsightIDR & Nexpose, setting up the Event Source is easy.

1. In Nexpose, create a Global Admin user for the integration.

2. In InsightIDR, open the Data Collection tab (top right) -> Setup Event Source -> Add Event Source.

[Screenshot: Nexpose event source configuration in InsightIDR]

3. Enter the details of the Nexpose Console (server IP & port).

4. Enter the credentials of the newly created Global Admin.

And you’re all set! If you have any questions, reach out to your Customer Success Manager or Support. Don’t have InsightIDR and want to learn how the technology relentlessly hunts threats? Check out an on-demand 20 minute demo here.

Nathan Palanov contributed to this post.

Finding the CISCO EXTRABACON vulnerability (CVE-2016-6366) on your network with Nexpose

Recently, our research team wrote an extensive blog post on the EXTRABACON exploit (finally a name that we can all get behind). Our research with Project Sonar showed that a large number of devices and organizations are still exposed to this vulnerability even though a patch has been released, so today I thought we’d get pragmatic and show how you can measure your exposure using Nexpose vulnerability management.

Because Nexpose Live Monitoring is always on, Nexpose can automatically collect, monitor, and analyze your network for new and existing risk, including EXTRABACON. And when you are integrated with Rapid7 Sonar research (see, tying it all together, folks), you identify these risks immediately, and again if they enter the network later.

There are a few ways to do it. Let’s take a look.

Use Nexpose Dynamic Asset Groups. Create a filter that matches every asset carrying the relevant CVE (in this case, CVE-2016-6366):

(Note: to avoid typos it may be easier to use “Contains” with just the final number rather than “is” with the full ID, but check the resulting group: a bare number also matches any other CVE ID that ends in the same digits.)

This asset group is dynamic, so it will automatically update after scans. When the number of assets reaches 0, that means you’re done!

You can also automatically tag every asset under that filter as highly critical, so that their risk scores get amplified and they get pushed to the top of your remediation reports.

To help visualize the impact of the vulnerability, you can also use the Liveboards in Nexpose to filter cards by the vulnerability, to see which newly discovered assets have it as well as what percentage of your assets are affected. Simply use the filter: asset.vulnerability.title CONTAINS "cve-2016-6366"
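To make the two filters concrete, here is an added Python example (not Nexpose code) that evaluates them over constructed scan results, computes the percentage-affected figure, and shows the difference between matching the full CVE ID and a bare number. The scan-result structure, the field names, the finding titles and case-insensitive matching are assumptions made for the example.

```python
# Added example, not Nexpose code: the Dynamic Asset Group filter (on the CVE
# field) and the Liveboard filter (on the vulnerability title) evaluated over
# constructed scan results.
#
# Assumptions (not from the post): a scan result maps asset name -> list of
# findings, each with a 'title' and a list of 'cves'; matching is
# case-insensitive, as the lowercase "cve-2016-6366" in the Liveboard filter
# suggests.

# Constructed sample scan results. Titles are made up for the example.
SCAN = {
    "asa-edge-01": [{"title": "Cisco ASA: CVE-2016-6366: SNMP remote code execution (EXTRABACON)",
                     "cves": ["CVE-2016-6366"]}],
    "asa-edge-02": [{"title": "Cisco ASA: CVE-2016-6366: SNMP remote code execution (EXTRABACON)",
                     "cves": ["CVE-2016-6366"]}],
    "asa-dc-01":   [],   # already patched: no matching finding
    "app-srv-09":  [{"title": "Constructed finding: service listening on TCP port 6366",
                     "cves": []}],
}


def match(text, op, value):
    """Filter operator semantics: 'is' = exact match, 'contains' = substring."""
    t, v = text.lower(), value.lower()
    if op == "is":
        return t == v
    if op == "contains":
        return v in t
    raise ValueError("unknown operator: %r" % op)


def asset_group(scan, field, op, value):
    """Assets with at least one finding whose `field` ('cve' or 'title') matches.

    field='cve' models the Dynamic Asset Group filter on CVE ID; field='title'
    models the Liveboard filter asset.vulnerability.title CONTAINS ...
    """
    hits = []
    for asset, findings in scan.items():
        for f in findings:
            values = f["cves"] if field == "cve" else [f["title"]]
            if any(match(x, op, value) for x in values):
                hits.append(asset)
                break
    return sorted(hits)


def percent_affected(scan, field, op, value):
    """Share of scanned assets in the group, as shown on a Liveboard card."""
    if not scan:
        return 0.0
    return round(100.0 * len(asset_group(scan, field, op, value)) / len(scan), 1)


def rescan_after_patch(scan, patched_assets):
    """Simulate a rescan in which the patched assets no longer carry the finding;
    the dynamic group then shrinks, and the job is done when it reaches zero."""
    return {a: ([] if a in patched_assets else f) for a, f in scan.items()}


if __name__ == "__main__":
    print(asset_group(SCAN, "cve", "is", "CVE-2016-6366"))          # the two ASA devices
    print(asset_group(SCAN, "title", "contains", "cve-2016-6366"))  # same two
    print(asset_group(SCAN, "title", "contains", "6366"))           # three: the port-6366 finding too
    print(percent_affected(SCAN, "cve", "is", "CVE-2016-6366"))     # 50.0
    after = rescan_after_patch(SCAN, {"asa-edge-01", "asa-edge-02"})
    print(len(asset_group(after, "cve", "is", "CVE-2016-6366")))    # 0, so you're done
```

The third query is the caveat from the note above in action: "contains 6366" is convenient to type, but any finding whose matched field happens to contain those digits lands in the group, so eyeball the members once before treating the group count as your exposure number.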

Finally, we’re working on a Metasploit module for the exploit as well. Want to see how vulnerable your organization is to EXTRABACON? Download a free trial of our vulnerability scanner today!

anowak

Patch Tuesday, September 2016

Posted by anowak, Sep 13, 2016

September continues a long-running trend in Microsoft’s bulletins: the majority (10) address remote code execution (RCE), followed by elevation of privilege (2) and information disclosure (2). All of this month’s critical bulletins are remote code execution vulnerabilities, affecting a variety of products and platforms including Edge, Internet Explorer, Exchange, Microsoft Office, Office Services and Web Apps, SharePoint, as well as Windows (client and server).

As the large number of critical RCE bulletins shows, Microsoft keeps actively resolving these issues, but it is an ongoing battle rather than a permanent fix, and the affected products are predominantly the consumer applications listed above. Unfortunately, that leaves consumers as one of the single largest attack vectors.

This month Microsoft resolves 94 vulnerabilities across 14 bulletins. For consumers, MS16-104, MS16-105, MS16-106, MS16-107, MS16-115 and MS16-117 are the bulletins to watch out for, addressing 60 vulnerabilities. For server users, MS16-108 is the bulletin to watch out for, addressing 21 vulnerabilities. As pointed out by todb, Senior Research Manager at Rapid7, “This update is of particular interest because it patches eleven remote code execution bugs in Oracle Outside In, a rather massive file format parsing library that ships with Exchange and is responsible for parsing a wide variety of file types…  it looks like the Exchange server itself can be compromised merely by e-mailing the target organization a maliciously crafted file.” Unfortunately, at this time one vulnerability addressed by MS16-104 (CVE-2016-3551) is known to have been exploited in the wild.

Users should be wary of untrusted sources, as maliciously crafted content could allow an attacker to remotely execute code and gain the same rights as the user account. The best protection against these threats is to patch systems as quickly as possible. Administrators, be sure to review this month’s bulletins and, in accordance with your specific configuration, prioritize your deployment of this month’s updates. At a minimum, make sure to patch systems affected by the critical bulletins (MS16-104, MS16-105, MS16-106, MS16-107, MS16-108, MS16-116, MS16-117).
