Rapid 7 this week unveiled a new set of tools designed to help businesses better judge the overall effectiveness of existing security controls and the risk associated with users across the organization.
The announcement came during UNITED, the firm’s annual security gathering for customers and analysts. Company officials say the tools, called UserInsight and ControlsInsight, will help organizations deal with user-based risk, and track the performance of existing security controls across the network. Known for vulnerability management (Nexpose), penetration testing (Metasploit), mobile risk management (Mobilisafe), these new tools seem to fall outside of the norm for Rapid7.
CSO sat down with senior vice president of products and engineering, Lee Weiner, to ask why these tools, and why now.
“We’ve been very clear that we want to make sure we solved relevant security problems,” said Weiner. “As we talked to our customers more and more, and we understand that some of the investments they’ve made to gain visibility and protect their organizations aren’t working well for them; we’ve tried to build solutions that help solve those problems.”
They’re not looking to tackle every vertical in the security market, because that wouldn’t make sense, but building something around their customer’s needs does, said Weiner. In fact, over the last 12 to 18 months, Rapid7 customers and the market in general, have reported a lack of visibility into their security posture. The two areas of concern center on risk around users and the effectiveness of existing security controls.
Explaining the rationale behind developing these latest offerings, Weiner told CSO that it has to do with a couple of dynamics. First, the effectiveness of attacks has increased substantially, as well as the volume of attacks. At the heart of this growth is the weakest link in the security chain – people.
In the IT landscape, users today are more empowered than they ever were before, almost to the point to where IT isn’t needed. Over the years, advances in technology means that users can work from anywhere at any time, and these freedoms have caused some issues and created a bit of an unbalanced situation for those charged with defending the business. One of the key points for regaining that balance is visibility into what users are doing, as well as when and where they are doing it – the biggest points of interest being cloud environments and mobile environments.
At the same time, organizations looking to gain this balancing foothold are either poorly served with the level of visibility available to them via existing controls, or they are unable to acquire it due to a number of factors including a lack of human or financial resources.
With UserInsight, Rapid7 promises to help organizations flag common, but reoccurring problems such as compromised credentials and risky behavior. In the 2013 Verizon Data Breach Investigations Report, weak or stolen user credentials were used in 76 percent of the network intrusions reported in 2012. In many of those cases, the victim organization had some level of visibility into the behaviors of their users, but not enough per se, to notice when someone was accessing resources outside of their normal pattern.
Delivered via a SaaS model, Rapid7’s UserInsight tracks many levels of user-based risk, including shared or reused passwords, opening malicious attachments, following suspicious or malicious links, using unknown or insecure cloud services, or even random events such as a lost mobile device suddenly making an attempt to access the corporate network. All of this information comes from data collection and sorting, as well as a few external threat feeds Weiner told us.
“We are collecting data from various points on the network; things like firewall logs, VPN logs, DHCP logs, DNS logs, but we’re also natively integrating with cloud services like Salesforce and Box, so that even if they’re off the network we can tell you what’s going on with those users,” Weiner said.
“There’s a lot of manual processing of this data,” Weiner added explaining how the various data streams are sorted.
“We do the analytics to determine whether there’s been some activity that should be researched, or credentials that have been compromised, and we provide that in an easy to use fashion. We also do some other things because of this, so we can tell you all the cloud services that are running on your network; we can tell you who is using those cloud services; and whether or not theyve been provisioned by the company or not.”
Offering an example of UserInsight in action, Weiner mentioned a story that came from a beta customer, shortly after they started using the product. According to the customer, UserInsight was able to flag an employee who had previously registered their corporate email account on a forum that had been compromised. This flag enabled the security team to follow-up with the user quickly, and ensure they had taken the proper steps to protect their forum account as well as their corporate accounts. This example also highlights another aim of UserInsight, quicker incident response and remediation.
More often than not, many organizations are using manual collection and sorting, or a SEIM to get the job done and gain some sort of visibility. But even then, the level of information is often limited. With UserInsight, IP addresses, and associated usernames, as well as various named points of ingress and egress are all included in the reports.
According to Gartner, worldwide security software revenue totaled $19.2 billion in 2012. When it comes to ControlsInsight, Rapid7 again took their cues from customers and industry conversations, and examined ways that would enable organizations to gain visibility into the effectiveness of their existing security controls.
“All of them,” Weiner said referring to the Rapid7 customers that the company has spoken to, “have deployed hundreds if not thousands of defenses, and they don’t know if these controls are really effective. In some cases they don’t know the status of these controls, and they don’t know if they’re really defending against threats that are relevant to them.”
ControlsInsight offers visibility on the endpoint, by assessing desktop (or laptop) applications, configurations, security mitigations (Anti-virus, and other security tools that have been installed or enabled), and then taking the assessed data and running it through a threat-model developed by Rapid7, built on industry best practices and Rapid7’s own first-hand knowledge of various attack surfaces and attack techniques.
This threat-model will track how effective those controls are against known threats to the environment, such as malware that could come from email or USB drives. From there, the ControlsInsight report will outline steps to take in order to improve the overall level of effectiveness, including implementing new controls or altering existing ones.
In addition, ControlsInsight bridges a gap often seen in the smaller enterprise market, by allowing progress tracking over time, enabling IT managers with an audit trail that shows what controls and products are making the cut, and what isn’t which could be used later as leverage when budget time rolls around. Why spend another $15,000 on licenses, when the product isn’t helping or is redundant?
“Its difficult for security professionals to sift through the noise thats bombarding them and identify relevant threats so they can communicate the current state of their organizations security. Its even harder to gauge whats working and whats not, and where further investment or action is needed. We aim to give them this insight, and help them achieve progress in reducing risk,” Weiner said.
ControlsInsight is available now, and according to the company UserInsight will be available later this year. Pricing for either of these tools was not disclosed.