Securing every layer: How Rapid7 manages vulnerabilities
The evolution of technology has always run parallel with larger socio-economic trends, and cyber threats are no different. The COVID-19 pandemic, for example, has uprooted operating paradigms and shifted workers away from the relative safety of siloed corporate networks and towards the security minefield of remote working. Solid vulnerability management requires the ability to navigate the unexpected and to know the best course of action to remain protected, using cutting-edge tools guided by industry expertise. We spoke to Victoria Sitcawich, Product Marketing Manager, and Bria Grangard, Product Marketing Manager, to find out how security specialist Rapid7 can offer both.
Rapid7’s approach is characterised by its broad scope of coverage, which isn’t restricted simply to traditional network environments but extends to an organisation’s entire infrastructure, including web applications, virtual environments and remote assets. “We view vulnerability management as being a holistic process of identifying the assets in your environment, evaluating them for risk, prioritising that risk, and treating the identified vulnerabilities through remediation or mitigation,” explains Sitcawich. The company enables customers to do this with a suite of dedicated, cloud-based products, including InsightVM and InsightAppSec.
InsightVM allows users to understand business risk in the context of their entire digital environment, prioritise their focus, and report findings to both technical and non-technical stakeholders. “Not every asset is created equal; your payroll systems should probably be considered more critical than an individual laptop,” continues Sitcawich. “InsightVM translates that security risk into business risk and helps our customers look at key metrics to track success.” InsightAppSec, Grangard explains, is similar: the highest-rated DAST (dynamic application security testing) solution according to Gartner for three consecutive years, it automatically assesses web applications to identify common vulnerabilities. “When developing the product we thought, ‘How can we help test, monitor and ultimately prevent the exploitation of vulnerabilities or weaknesses at the application layer?’ A lot of components from our InsightAppSec and tCell products come into play here: InsightAppSec brings testing and monitoring together so that clients can understand how their apps are being attacked in real time.”
When it comes to designing and implementing a quality vulnerability risk management strategy, time is one of the most important factors to consider, not just in terms of speed of response but also of overall focus. Rapid7’s five-point process (identification, assessment, prioritisation, remediation, and measuring progress) aims to reduce risk through greater environmental visibility and sharper prioritisation. “Everyone has the same 24 hours in a day; we want to help you focus on what's most important,” states Grangard. Part of Rapid7’s mission, says Sitcawich, is to establish reasonable expectations with its customers amid a highly complex threat landscape: “It's unrealistic to think that you're going to be able to fix every vulnerability as soon as it appears in your environment. You're going to have to make tough decisions, but, at the end of the day, a vulnerability management programme is meant to reduce risk, and you're not achieving that until you start remediating.” Essentially, customers should define a vision of successful cybersecurity and pursue core goals in attaining it, without being paralysed into inaction by an overwhelming number of possibilities. Developing strong partnerships with key vendors who are able to troubleshoot any problems can support this even further.
While Rapid7’s products and services are able to secure every layer of an enterprise’s digital environment, it is also worth reflecting on the root causes of vulnerabilities in the first instance. Neglecting the five-point process described above, together with other imposed limitations, makes addressing security issues more difficult in real-world situations. “Broken authentication (when authentication credentials are compromised) and misconfiguration are two common examples, particularly as companies make the shift to the cloud,” says Sitcawich. “SQL injections and cross-site scripting are also frequent,” adds Grangard. “These are where attackers will try to gain personal information by injecting code into either the website or the application itself.” There are many circumstances that can precipitate these attacks: a lack of resources and expertise is a significant factor, but, once again, nothing is so deleterious as a lack of time. “If customers tell us, ‘I don't have the time or the energy’, or ‘this isn't where I want to focus my time’, we inform them that Rapid7 has a group of security experts and a dedicated customer advisor to manage vulnerabilities day-to-day.” It should also be remembered that some forms of attack cannot be predicted. This is why keeping informed should go hand-in-hand with testing and monitoring to identify vulnerabilities early: “We encourage all of our customers to look at the OWASP Top 10 if they want to stay educated on the most common application security risks.”
When considering the technologies that are changing how vulnerabilities are managed and resolved, Sitcawich has an emphatic answer: automation. “Our InsightConnect solution is specifically dedicated to it. Automation is truly key to helping keep processes efficient.” A no-code platform containing over 290 plugins to connect tools and enable workflow customisation, InsightConnect is envisioned as a tool for liberating teams from routine or mundane tasks and enabling them to be redeployed in more valuable areas; retaining the human element in the remediation process is still vitally important. “Similarly, on the application security side, we’re always exploring which tasks can be automated to make your life easier,” explains Grangard. “We're not losing the human element; we're trying to amplify what humans can do via automation.”
Despite offering comprehensive products, services and insights, Grangard states that Rapid7 does not want to foster customer dependency. On the contrary, it encourages clients to gain confidence using its tools and to grow their respective vulnerability risk management programmes independently: “If they feel they have the expertise and can handle it on their own, we absolutely support that.” In instances where a customer’s in-house security creates tension by redirecting other teams towards non-priority goals, Sitcawich adds that Rapid7 can act as a mediating force by establishing a “common language” and creating understanding around critical business objectives. This is particularly important for organisations that are now adopting the cloud for the first time because of COVID-19, which has had the dual effect of introducing cloud network vulnerabilities and expanding the attack surface of enterprise IT. “There's been a push for businesses to change the emphasis on how they work: ‘mom and pop’ restaurants who relied on in-store patronage have had to adopt a greater online presence. Rapid7 has always talked about the power of digital transformation, and COVID-19 has accelerated that faster than any of us could have predicted,” says Grangard.
Summarising the qualities of a strong vulnerability management strategy, both Sitcawich and Grangard highlight the importance of regarding security as a collection of individual activities that merge into one holistic solution. “One of the key takeaways is the importance of securing every layer of your modern attack surface,” says Sitcawich. “Not just network infrastructure, but also the cloud and web applications. There needs to be visibility over all of it so that you can prioritise effectively and remediate efficiently, especially as new technologies come into play.” Rapid7’s vulnerability risk management tools are therefore designed to give companies the requisite understanding, confidence and agility to thrive in an increasingly complex cyber threat landscape. “We all need to think about scaling security simultaneously with some of these newly adopted technologies,” concludes Grangard. “It's not just traditional devices anymore; there are so many different layers that must be considered now.”