HicSalta Security Day
Federico Vailati - Regional Account Executive
Don Vogel – Senior Security Architect
©Rapid7, LLC 2014 All Material is Privileged & Confidential
Rapid7 at a Glance
Solutions
Investors
Key Facts
Industry Recognition
HQ: Boston, MA, 300+ Employees
$59M in Funding
90+% CAGR from 2004 to 2011
2,000+ Customers in 65 countries
Rapid7 Timeline
2000 – Founded by Alan Matthews, Tas Giakouminakis & Chad Loder
2004 – Nexpose Commercial Release
2008 – Bain Capital Ventures invests in Rapid7
2009 – Acquired the Metasploit Project
2010 – Metasploit Express and Metasploit Pro Commercial Releases
2011 – First Annual UNITED Security Summit (hosted by Rapid7)
2011 – Technology Crossover Ventures invests $50 million in Rapid7
2012 – Acquired Mobilisafe
2013 – Founded Rapid7 Labs
2013 – Announcement of new Products: ControlsInsight & UserInsight
Community Driven
Support for the Metasploit Open Source Community
• Metasploit Community – Over 200,000 active users & contributors
Magnificent7 – Fund supporting open source projects
• John the Ripper (Password cracker) & Cuckoo Sandbox (Malware analysis)
Thought Leadership – UNITED Security Summit
• 3 Day Conference where attendees gain actionable, pragmatic advice from security practitioners and researchers to help them maximize their security investment
Design Partner – Build with our Customers
YOU are using our products every day
Constant customer dialog is a central part of our design/development process
Validation
• Problem, Solution
• Continuous learning
• Course correction
Products & Solutions
Rapid7 Product Portfolio – Core Competencies
• Vulnerability Management
• Security Configuration Assessment
• Web Application Security
• Virtualization Security
• PCI Compliance Management
• Mobile Vulnerability Management
• Vulnerability Verification
• Penetration Testing
• Reduce Phishing Exposure
• Password Auditing
• Test Security Controls
• Endpoint Control Monitoring
• User Activity Monitoring
Nexpose Differentiators
Unified Platform – Complete assessment of entire physical and virtual IT infrastructure including IPv4 and IPv6 networks, OS, web apps, DB and security configurations
Expert System – JESS engine, increased accuracy with vulnerability chaining/hacker emulation, false positive reduction
Advanced Risk Scoring – Exploit & Malware Exposure, vulnerability filtering/exceptions
Superior Remediation – actionable, detailed instructions, estimated completion times
Customizable Reporting – granular filtering and prioritization capabilities; roles-based, pre-defined templates fully customizable; variety of export formats and delivery options
Nexpose: Configuration Assessment & Web App Security
Security Configuration Assessment
Benchmark internal policies against industry standards such as:
• USGCB, FDCC, SCAP, CIS
Modify policies with Nexpose Policy Editor
Report on policy violations, measure and document compliance
Superior remediation
Gain credibility with stakeholders by delivering reports that are relevant, concise and actionable
Web Application Security
Differentiators:
• Unified Platform, Single Scan, Single Reporting Engine
• Identify and Remediate vulnerabilities in all OWASP Top 10 categories, including cross-site scripting, SQL injection, and client-side vulnerabilities found in Flash and Flex applications
• With Metasploit – validate & exploit web vulnerabilities to demonstrate risk to the applications’ administrators or as part of a penetration test
Nexpose: Virtualization Security
Differentiators:
• Only VA solution validated by VMware and part of virtualization security architecture
• Patent-pending vScan technology: continuous discovery of virtual machines in their dynamic environments
• Dynamic Asset Groups
• Integration with vShield
“In 2014, 75% of all servers will be virtualized” – Forrester, 2012
Nexpose: PCI Compliance Management
Rapid7 is an Approved Scanning Vendor (ASV)
Partners can resell the PCI ASV Subscription Service
In-house subject matter experts:
• Didier Godart, original co-author of the PCI DSS, is our Risk Product Manager
• Payment Card Industry Professional (PCIP)™
Automate PCI compliance testing, audits and reports
Nexpose Differentiator: JESS, the Expert System
Differentiators:
• Artificial intelligence engine built for NASA by Sandia National Laboratories – JESS, the Java Expert System Shell
• Hacker emulation and vulnerability chaining
• False positive reporting <1%
• 106,000+ checks for 39,000+ vulnerabilities
Nexpose Differentiator: Exploit & Malware Exposure; RealRisk
Nexpose Differentiator: Superior Remediation
Differentiator: Actionable & Customizable Reporting
• Prioritized Remediation
• Step-by-Step Instructions
• Estimated Completion Times
• Issues Addressed by Each Patch
• Systems Affected
• Direct Links to the Patches on the Manufacturers’ websites
Nexpose Partner Ecosystem
• SIEM & Log
• GRC
• IPS & NGFW
• Risk Management
• Virtualization
• Ticketing
• NSX
Core Competencies
Metasploit Differentiators
HD Moore – Creator of Metasploit & Chief Research Officer, Rapid7
#1 Most used penetration testing solution in the world
Largest public database of quality-assured exploits
Community Driven – 200,000+ users and contributors; QA for all community-generated exploits
• Vulnerability Validation
• Penetration Testing
• Managing Phishing Exposure
• Password Auditing
• Test Security Controls
Positioning – “not just a hacker tool”
“Crash Test” for Security Controls
• Ensure business continuity
• Compliance testing
• Reputation
Metasploit: Vulnerability Validation
[Diagram: “Penetration Testing & Threat Validation” alongside “Vulnerability Management & Configuration Assessment”, linked by the labels “Risk Assessment” and “Risk Validation”]
Metasploit: Manage Internal Security & Phishing Exposure
Understand where your organization is vulnerable:
• Launch phishing campaigns to test the security awareness of your organization
• Track how many open the email, click on the link, submit a web form, etc.
• Perform a password audit to identify weak passwords beyond just Windows logins
• Uncover the root cause, for example a bad process (use of default passwords) or lack of training, and fix the problem.
Mobilisafe: Mobile Vulnerability Management
The “Bring-Your-Own-Device/BYOD” Challenge:
• Device Diversity – hardware manufacturers, operating systems, carriers
• Employee owned and managed
• Employee reluctance to give employer access to or control over personal property
• Mobile software updates require coordination between handset manufacturers, OS vendors and carriers and can take months to deploy
Mobilisafe: Mobile Vulnerability Management
Visibility
• Discover users and their devices
• Discover Applications via AppSentinel
Management
• Easy to Deploy; No Agents on Devices
• Monitor, assess and automatically identify the vulnerability risk of each device
Action
• Mitigate risks with a policy framework that makes it easy to update mobile devices, eliminate their vulnerabilities, and control access to corporate resources
ControlsInsight
Endpoint Controls Monitoring
• Assess to see if…
  - Anti-virus is optimized
  - Browsers, high risk applications and operating systems are up to date
  - Passwords and browsers are hardened
  - Code execution prevention (DEP) is deployed
  - User Account Control (UAC) is enabled
  - USB access is blocked
  - Windows firewall is enabled
  - Email client attachment filtering is enabled
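A local spot check of several of the controls on this slide, as an added example that is not ControlsInsight or any other Rapid7 code: it runs read-only on a single Windows host and reports each control as pass/fail together with the evidence it used. It assumes an elevated PowerShell 5.1 or later session on Windows 8.1 / Server 2012 R2 or newer (Get-NetFirewallProfile needs the NetSecurity module), and it relies on documented registry values and WMI classes; the function names (Get-RegValue, Test-EndpointControls) and the 30-day patch window are this example's own choices, not anything the slide specifies.

```powershell
# Added example (not Rapid7 / ControlsInsight code). Read-only checks of a few of the
# endpoint controls listed on the slide, run on the local host. Assumptions: elevated
# PowerShell 5.1+, Windows 8.1 / Server 2012 R2 or later. Names are this example's own.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: report the control as "not set" instead of aborting
}

function Test-EndpointControls {
    $results = @()

    # User Account Control: EnableLUA = 1 means UAC is on; 0 means it is disabled outright.
    $lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
    $results += [PSCustomObject]@{ Control = 'User Account Control enabled'; Pass = ($lua -eq 1); Evidence = "EnableLUA=$lua" }

    # Windows Firewall: every profile (Domain, Private, Public) should be enabled.
    $off = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | Select-Object -ExpandProperty Name
    $results += [PSCustomObject]@{ Control = 'Windows firewall enabled (all profiles)'; Pass = (-not $off); Evidence = "disabled profiles: $($off -join ', ')" }

    # USB mass storage: Start = 4 (disabled) on the USBSTOR driver service is the usual "block USB storage" control.
    $usb = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'
    $results += [PSCustomObject]@{ Control = 'USB storage blocked'; Pass = ($usb -eq 4); Evidence = "USBSTOR Start=$usb" }

    # Code execution prevention (DEP): Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default: Windows binaries only), 3 = OptOut (all except exempted).
    $dep = (Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $results += [PSCustomObject]@{ Control = 'DEP policy OptOut or AlwaysOn'; Pass = ($dep -in 1, 3); Evidence = "DEP policy=$dep" }

    # OS up to date: date of the most recently installed hotfix, a coarse proxy for patch currency.
    $last = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending |
            Select-Object -First 1 -ExpandProperty InstalledOn
    $results += [PSCustomObject]@{ Control = 'OS patched within 30 days'; Pass = ($last -and $last -gt (Get-Date).AddDays(-30)); Evidence = "last hotfix: $last" }

    # Anti-virus registered with Security Center (client SKUs only; the namespace does not exist on server SKUs).
    $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    $results += [PSCustomObject]@{ Control = 'Anti-virus product registered'; Pass = ($null -ne $av); Evidence = ($av.displayName -join ', ') }

    $results
}

# Show failing controls first.
Test-EndpointControls | Sort-Object Pass | Format-Table -AutoSize
```

The slide's remaining items (anti-virus "optimized", hardened passwords and browsers, email attachment filtering) depend on the specific product and policy in use and are left out here. The point of a fleet product is collecting this kind of evidence across every host on a schedule; a one-host script like this only shows what each check has to look at.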
Competitive Landscape
Nexpose: Recognized Market Leader
Source: Gartner, MarketScope for Vulnerability Assessment, September 9, 2013
Rating scale: Strong Negative / Caution / Promising / Positive / Strong Positive
Vendors rated (the rating column each vendor's mark falls in is not recoverable from this transcript): Beyond Security, BeyondTrust, CriticalWatch, Digital Defense, McAfee, QualysGuard, Rapid7, SAINT, Tenable, Tripwire/nCircle, Trustwave
Strengths:
• Flexible Deployment
• Technical Support
• Metasploit integration
• Nexpose API for integration with complementary security programs
SC Magazine Awards – Best Vulnerability Management Solution: 5 Star Rating / Winner 2012 / 2013 / 2014
Strengths:
• Unified Platform
• Comprehensive scan
• “Excellent” Vuln. Validation
• Exploit & Malware Exposure
• Clear remediation reports rich with detail allowing users to fully comprehend the tasks and time to remediate the vulnerability
• “Intuitive GUI”
HackMiami Web Application Scanner 2013 PwnOff
Strengths:
• Ease of Use: lightweight UI, did not lag or take up a lot of memory
• Vulnerability Detection: Comprehensive knowledgebase & a great engine for detecting vulnerabilities
• Comprehensive Reporting
• Metasploit Integration
“Having tools like Nexpose integrated with Metasploit Pro allows the vulnerability analyst the ability to streamline tasks and perform more assessments in a shorter amount of time.”