Author: Rapid7

Three Security Vendor Consolidation Myths Debunked

When it comes to security vendor consolidation, Gartner found that 57% of organizations are working with fewer than ten security vendors, utilizing consolidation to cut costs and improve their overall security posture.

But what about the other 43%?

While security vendor consolidation has many advantages — like improved security and operational efficiency as well as cost reduction and improved ROI — however, it’s clear that some myths about consolidation persist. Let’s take a deeper look at three of the most common consolidation myths:

  • The supremacy of “best of breed” security solutions
  • Lack of flexibility or vendor lock-in
  • Increased risk of vendor compromise

Myth #1: The supremacy of “best of breed” security solutions

One of the biggest myths of security vendor consolidation is that after consolidating, organizations will lose access to the superior “best of breed” security approach. “Best of breed” refers to purchasing the best product of each type for your infrastructure’s security needs. This could look like using one vendor for firewall protection, another for observability, a third for remediation, and so on.

While it is true that a “best of breed” approach seems to allow organizations to piece together a tech stack of all the best possible products, that’s not the whole story. Organizations with “best of breed” solutions often end up with technology bloat, or a larger tech stack that requires far more maintenance than single-platform or more streamlined offerings. Additionally, there’s more data created from using tools from multiple vendors, which can actually increase an organization’s attack surface and overall risk level.

Some “best of breed” environments are plagued by interoperability issues — the tools fail to communicate with each other and exchange information properly. This can result in a poorer overall security performance characterized by false alarms and a higher mean time to resolve (MTTR).

Myth #2: Consolidation kills flexibility and creates vendor lock-in

Many security teams believe that consolidation locks you into working with a single or smaller number of vendors who may prove to be unreliable or offer subpar services. In reality, you can easily address concerns of vendor performance and flexibility by carefully researching potential vendors before selecting a solution. During the vetting process, ask potential vendors questions around on- and offboarding, security, maintenance, subscription, and licensing fees.

It’s also important to remember that many vendors offer flexibility within their consolidation packages, which means that you often will be able to build a portfolio of products to meet your needs as opposed to being locked into a specific package.

Finally, working with fewer vendors allows you to develop stronger relationships with fewer vendor representatives, resulting in more comprehensive customer service and support.

Myth #3: Increased risk from vendor compromise

Many organizations fear that after consolidating, if one of its vendors is compromised, then it presents a serious security risk. This is easily avoidable, however, if organizations practice consolidation across functions and not layers.

In general, secure organizations have layers of security, or redundancies in place to catch and remediate vulnerabilities quickly. This approach, also known as “defense in depth,” may look like a security solution to monitor your endpoints and a separate tool to manage threats in your ecosystem.

You don’t want to consolidate within these layers. For example, let’s imagine that you have the same security provider for both your endpoint monitoring and threat management. If the vendor is compromised and unable to provide protection, your infrastructure would be without endpoint management and threat management at the same time, which presents a serious security risk.

Consequently, you’ll want to consolidate across functions. It may be helpful to picture your security needs within a layer. For example, if you’re looking for greater endpoint protection — monitoring, visibility, and remediation — you can look for consolidation solutions in this area. Consolidating across functions can actually strengthen your security posture. Working from a single platform can improve data sharing across tools, efficiency, and remediation processes, creating a stronger layer of security. Then, if a vendor is compromised, you’ll still have active protection from vendors in your other layers.

Consolidation just makes sense

Hesitation around security vendor consolidation is understandable. It’s important not to rush and choose the wrong vendor or platform, which can ultimately put your organization at risk. However, widespread consolidation myths may be holding you back from reaping the financial, operational, and security benefits of consolidation.

Lowering costs is a big one. Organizations with a variety of security vendors are paying for each service, and often, multiple licenses. Consolidation offers a chance to cut costs of multiple subscription and licensing fees, as well as reap the benefits of competitively priced consolidation packages.

Consolidation also boosts operational efficiency. Organizations with too many security vendors struggle with visibility, false alarms, and gaps in their infrastructure’s coverage. The interoperability that consolidation offers can eliminate false alarms and boost visibility, while working with security vendors to build a customized consolidated security package that fits your organization’s needs.

When it comes to consolidation, breaking down the major misconceptions can lead to a stronger, more cohesive security solution equipped to handle the rapidly changing threat landscape.

Want to learn more about consolidation and where to get started? Check out our eBook, “The Case for Security Vendor Consolidation.”

Ransomware-as-a-Service cheat sheet

Ransomware-as-a-Service, or RaaS, has taken the threat landscape by storm — so much so that in 2023, the White House re-classified ransomware as a national security threat. How has RaaS taken the impact of ransomware attacks to this next level of federal concern? By allowing potential cybercriminals to launch a ransomware attack regardless of their experience with programming or technical sophistication.

According to Cybersecurity Ventures, ransomware might cost companies nearly $265 billion annually by the end of 2031. Meanwhile, bad actors get a lot of bang for their buck with Ransomware-as-a-Service. RaaS kit subscriptions can be as little as $40 per month.

That said, security professionals shouldn’t roll over or wave the white flag. Implementing a few key strategies can minimize the effect and decrease the likelihood of falling victim to a RaaS attack.

What is RaaS?

Organizations should clearly understand what RaaS is to make their security strategies specific to the needs of ransomware defense.

So, what is Ransomware-as-a-Service? It’s a business model designed by larger, more sophisticated ransomware groups. These groups utilize their technical expertise to create portable ransomware packages — or kits — that they then sell to buyers aiming to launch their own ransomware attacks.

Basically, ransomware operators turn their processes into a program or software usable by other threat actors. RaaS packages are often advertised on forums on the dark web, and they can also come with downloadable features, bundled offers, and 24/7 support staff. Well-known examples of groups that produce RaaS kits include:

RaaS kits aren’t developed out of the goodness of ransomware groups’ hearts. As noted above, these kits operate similarly to SaaS business models in that users follow some type of payment plan with the original ransomware operators.

These plans might look like:

  • A one-time licensing fee
  • A monthly subscription fee
  • An affiliate program fee — which typically entitles a chunk of the profits to the ransomware group
  • Pure profit sharing

Defending against RaaS attacks

When it comes to Ransomware-as-a-Service, the best method of defense follows a pretty consistent cybersecurity theme: Prevention is protection. Ransomware attacks are extremely costly and time-consuming for security teams to retroactively address. So, implementing security strategies aimed at stopping RaaS users in their tracks should be considered essential.

However, RaaS attacks are evolving faster than ever, so it can be tough for security teams to know where to start. Here’s a cheat sheet of three easy ways to defend your organization from RaaS attacks — well before they even strike.

1. Patch, patch, and patch again

Patching is a critical part of cybersecurity maintenance. Ransomware operators are looking out for new vulnerabilities to exploit around the clock — after all, that’s their full-time job. So, it’s critical for organizations to amp up their vulnerability management strategy and stay on top of the growing list of critical vulnerability exploits (CVEs) that bad actors use to breach sensitive systems and assets. A rigorous patching program will go a long way in keeping the latest RaaS kits at bay.

RaaS Hack: Keep tabs on what vulnerabilities your organization might have by checking up on CISA’s Known Exploited Vulnerabilities Catalog. This federal resource includes a bulletin that security teams can subscribe to, as well as downloadable versions in CSV and JSON formats.

2. Segment networks to prevent widespread environment proliferation

One of the biggest problems with RaaS attacks is that they move fast. Once RaaS users find an “in,” they can swiftly move into other connected environments — which can lead to an organization getting completely infested by ransomware.

To prevent the RaaS ripple effect, organizations should segment their networks. Network segmentation compartmentalizes one larger network into sub-networks, which allows security teams to devise security controls unique to each smaller network. Sub-networks not only make network security more manageable, they also make network security more diverse — mitigating the damage of one exploited vulnerability.

3. Build and maintain a culture of security

An organization is only as strong as its weakest link — and more often than not, humans are the weakest link. IBM’s 2023 X-Force Threat Intelligence Index found that successful phishing campaigns caused 41% of all security incidents. That means a critical remedy for RaaS attacks is providing organization-wide education on attempts via phishing, business email compromise, or other attack methods reliant on human error.

RaaS Hack: If your organization has limited resources for cybersecurity, leveraging managed services can implement cybersecurity “training wheels.” Managed services vendors can help educate your teams — and by proxy, your whole organization — on best practices for protection against RaaS attacks.

Next steps for RaaS defense

RaaS attacks are growing more frequent and more sophisticated, and it can be tough to match and meet bad actors where they’re at when you are inundated with a laundry list of other daily tasks.

That’s why we built Managed Threat Complete, an always-on MDR with vulnerability management in a single subscription that helps take the load off your security teams so they have space to innovate and strategize. Leverage the skill of our world-class cybersecurity experts and learn how to implement robust RaaS defense in your organization today.

Rapid7 Takes 2023 SC Awards for Vulnerability Management and Threat Detection

The highly respected SC Awards program, hosted by SC Media, recognizes the solutions, organizations, and people driving innovation and success in information security. Now in its 26th year, the SC Awards continue to grow and evolve.

Rapid7 is proud to announce we have received not one, but two prestigious SC Awards this year! InsightVM is the 2023 SC Award recipient for Best Vulnerability Management Solution and InsightIDR received the award in the brand new Best Threat Detection Technology category.

This year, SC’s panel of independent industry leaders, from sectors including healthcare, financial services, manufacturing, consulting, and education sorted through a record number of entries. Additionally, SC added several new award categories and several modified categories to the competition.

Why InsightVM was selected

InsightVM is a vulnerability management tool that provides visibility into an organization’s security program, enabling security teams to reduce attack surface and security risk. The tool helps manage and mature vulnerability management programs by identifying vulnerabilities, prioritizing remediation efforts, and tracking progress against key metrics.

SC Media says InsightVM was selected for its ability to support the entire vulnerability management lifecycle and enabling security teams to manage their program more effectively. SC also noted the solution’s integration with Project Sonar for external-facing asset and threat exposure monitoring, as well as its robust tagging system to prioritize critical assets for remediation. Finally, they noted that live dashboards, Remediation Projects, and Goals and SLAs ease collaboration with stakeholders.

InsightVM was designed to provide a shared view and common language needed to collaborate with traditionally siloed teams and drive impactful remediation. As a result, easy collaboration stands out to customers as well.

“We’ve got at least five different teams that have responsibility for their own systems,” said Nick Defoe, Director of Information Security, US Signal. “Using the dashboard interface, we’ve been able to build out the reporting for each individual team. Getting these disparate groups all into one platform where they can see what they need to do for vulnerability management has been critical to our success.”

Why InsightIDR was selected

InsightIDR, Rapid7’s cloud-native XDR and next-gen SIEM, offers unified and transformed security data to detect real attacks and provide high-context insights to stop threats early in the attack chain.

According to SC Media, InsightIDR was selected because it empowers teams to deliver sophisticated detection and response outcomes with greater efficiency and efficacy, wherever they are in their security journey. This tracks with customers, as well.

In a recent Techvalidate survey, 92% of Rapid7 customers reported that InsightIDR creates efficiency and scale, and it offers savings that make it an accessible and robust solution for diverse industries and teams.

"When I put Rapid7 in place my response time went from three to four hours to ten to fifteen minutes,” said Kerry LeBlanc, IT Security Engineer, Bioventus. “I see what it is and how to remediate it. Everything is right there. I can query the endpoint or get information and pull up different things on the user."

SC also noted InsightIDR’s “complete visibility, coverage, superior signal-to-noise, and smarter responses.” InsightIDR provides this complete visibility and coverage with a native endpoint agent, network sensors, collectors and APIs. Lightweight, software-based collection technology and integrations go beyond unifying data to correlate, attribute, and enrich diverse datasets into a single, harmonious picture — unlocking efficiency to give teams time back, ensure that they find real threats faster, and that they can respond quickly and completely.


Rapid7 offers free trials of both InsightVM and InsightIDR.

How To Present SecOps Metrics (The Right Way)

SecOps metrics can be a gold mine of potential for informing better business decisions, but 78% of CEOs say they don’t have adequate data on risk exposure to make good decisions. Even when they do see the right data, 82% are inclined to “trust their gut” anyway.

Here lies the disconnect between data and decisions for C-level executives: a lack of effective presentation. Ultimately, the responsibility of communicating that SecOps metrics matter falls on today’s security teams. They must transform numbers into narratives that illustrate the challenges in today’s attack landscape to decision-makers — and, most importantly, make stakeholders care about those challenges.

But metrics presentations can get boring. So, how can security professionals present SecOps metrics in an engaging way?

Stories inspire empathy and action

While facts and figures play a role in communication, humans respond differently to stories. With narratives, we understand meaning more deeply, remember events longer, and factor what each story taught us into future decisions. Storytelling is also an effective way for security teams to inspire empathy — and therefore, action — in today’s decision-makers.

It’s critical for security professionals to identify the narrative thread in the metrics they’re analyzing. Here’s what we mean by that, step by step and metric by metric.

Establish how hungry the bad guys are

Hone in on the frequency of security incidents. This metric directly correlates to the power and reach threat actors have. Dive into the causes behind incidents, how much impact incidents had, and what can be done to stop them.

This information gives executives direct insight into the potential risks your organization faces and the negative outcomes associated with them. When executives can see the cold hard number of times their organizations have suffered from a breach, attack, or leak, it can highlight where security strategies are still lacking — and where they’re losing out to malicious actors.

Show how the villains keep winning

MTTD (mean time to detection) is a measure of how fast security teams can detect incidents. While it might not be a flashy metric in and of itself, it can pack a powerful punch when illustrating the damage bad actors can do before they’re suspected of even breaking in.

MTTD provides insight into the efficacy of an organization’s current cybersecurity tools and data coverage. It can also be a helpful indicator of how well current security processes are working — and how overworked or resource-strained a security team might be.

Tell the underdog’s story

Here’s where you leverage MTTR (mean time to respond). This metric shows how quickly the security team can spring into action. More often than not, security teams have a litany of other important tasks at hand that can make MTTR less than ideal. This demonstrates why resource-strained and overworked security professionals are set up to fail if they don’t have the right tools, strategies, and support.

With MTTR, security teams can add an extra layer of context to the data shown by MTTD. This metric highlights how quickly security teams respond to incidents — which can be another indicator of how well tools and processes match up to current threats.

Describe the loot you stand to lose

Finally, communicate the potential cost per incident. Money speaks volumes when you’re crafting a narrative out of SecOps metrics — so it’s best to close out your stories with this powerful data point. This metric provides insight into the efficiency of a cybersecurity program’s processes, tools, and resource allocation.

This is perhaps the most effective metric security professionals can use with executives because it speaks directly to one of their critical concerns: the bottom line.

Putting it all together

While many additional SecOps metrics matter, those four data points can come together most effectively to weave a story that speaks to C-level execs.

However, executives will have their own set of questions and concerns at SecOps briefs. So, it’s important to supplement even the strongest SecOps stories with additional answers, such as:

  • How efficiently your organization is addressing risks compared to other similar companies.
  • Where budget spend works and where it doesn’t in terms of ROI.
  • Where opportunities for increased efficiencies (namely, breaking down disparate silos and cutting costs with consolidation) can come into play.

It all comes down to communication

By focusing on crafting data narratives, security teams can turn SecOps metrics into actionable decisions for stakeholders. Telling the right story to the right people can help procure backing from the top — which means getting the resources, people, and budget security leaders need to stay ahead of threats.

Effectively communicating with C-levels helps build a rapport between stakeholders and boots-on-the-ground security professionals. By presenting metrics as parts of a larger story, organizations can unlock better collaboration, better relationships, and better business outcomes.

All while keeping threat actors in check.

Want to learn more about creating SecOps narratives that pack a punch? Download Presenting Upward: How to Showcase SecOps Metrics That Matter now.

Showcasing SecOps Metrics That Matter

This year, new rules from the Security and Exchange Commission (SEC) about board-level expertise, risk management, and public disclosures will take effect. The European Union is updating its regulations, as well. To meet these new requirements, organizations will need to explain to shareholders exactly how they assess cyber risk, describe security policies, and prove a significant level of board oversight.

In this climate, security leaders will be expected to advise the C-suite on SecOps activities. As a security professional, this can be a challenge. It’s also an opportunity to shape the structure and execution of business and go-to-market decisions.

Our latest ebook, Presenting Upward: How to Showcase SecOps Metrics That Matter offers practical and actionable advice on how to present security metrics in a language execs understand.

About those metrics

Cybersecurity metrics are essential to understand where you’re succeeding and where you may need to make changes.

Some examples include:

Number and disposition of security incidents: You have no control of this, but it gives execs insight into the risk they face. There’s an attack every 39 seconds somewhere. What’s life like in your security operation?

Mean time-to-detection (MTTD): This metric gives insight into both efficacy of tools and coverage of data (is the detection coming from a reported incident vs. a tool, etc.).

Mean time-to-respond (MTTR): This also gives insight into your ability to respond and whether your tools and processes meet your threats and use cases.

Cost-per-incident: This gives you insight into efficiency of process, tooling, and also potential staffing shortcomings (like the number of people or specific skills).

There are many other metrics you may need to track to understand your cybersecurity readiness. Good metrics will differ for every organization, depending on your risks, needs, compliance requirements, desired business outcomes, security maturity, and more.

Stories + metrics = success

Generally speaking, executives don’t usually want to get too deep in the weeds. So, your ability to present metrics in a way they understand is critical to achieve cybersecurity goals.

Execs typically want answers to questions like:

  • What are our risks, and how are we addressing them?
  • How secure are we compared to similar organizations?
  • Are we budgeting the right amount for cybersecurity?
  • Where do we have opportunities for efficiencies or consolidation?
  • How are we addressing that thing in the news?

So, when presenting to execs it’s essential to put metrics into context. One way to do this is to craft a narrative that brings metrics to life. Stories often have more of an impact than facts and figures alone. This isn’t anecdotal; neuroscience has shown that when we are presented with a story, we understand the information more deeply, remember longer, and are more likely to factor what it taught us into future decisions.
For more tips on crafting an effective narrative, and much more, download Presenting Upward: How to Showcase SecOps Metrics That Matter now.

Alerting Rules!: InsightIDR Raises the Bar for Visibility and Coverage

By George Schneider, Information Security Manager at Listrak

I've worked in cybersecurity for over two decades, so I've seen plenty of platforms come and go—some even crash and burn. But Rapid7, specifically InsightIDR, has consistently performed above expectations. In fact, InsightIDR has become an essential resource for maintaining my company’s cybersecurity posture.

Alerting Rules!

Back in the early days, a SIEM didn’t come with a bunch of standardized alerting rules. We had to write all of our own rules to actually find what we were looking for. Today, instead of spending six hours a day hunting for threats, InsightIDR does a lot of the work for the practitioner. Now, we spend a maximum of one hour a day responding to alerts.

In addition to saving time, the out-of-the-box rules are very effective; they find things that our other security products can't detect. This is a key reason I’ve been 100% happy with Rapid7. As a user, I just know it’s functional. It’s clear that InsightIDR is designed by and for users—there’s no fluff, and the kinks are already ironed out. Not only am I saving time and company resources, the solution is a joy to use.

Source Coverage

When scouting SIEM options, we wanted a platform that could ingest a lot of different log sources. Rapid7 covered all of the elements we use in the big platforms and various security appliances we have—and some in the cloud too. InsightIDR can ingest logs from all sources and correlate them (a key to any high-functioning SIEM) on day one.

Trust the Process

I can honestly say this is the first time I’ve ever used a product that adds new features and functionality every single quarter. It’s not just a new pretty interface either, Rapid7 consistently adds capabilities that move the product forward.

What’s also wonderful is that Rapid7 listens to customers, especially their feedback. Not to toot my own horn, but they’ve even released a handful of feature requests that I submitted over the years. So I can say with absolute sincerity that these improvements actually benefit SOC teams. They make us better at detecting the stuff that we’re most concerned about.

Visibility and Coverage, Thanks, Insight Agent!

If you’re not familiar with Insight Agent, it’s time to get acquainted. Insight Agent is critical for running forensics on a machine. If I have a machine that gets flagged for something through an automated alert, I can quickly jump in without delay because of the Insight Agent. I get lots of worthwhile information that helps me consistently finish investigations in a timely manner. I know in pretty short order whether an alert is nefarious or just a false positive.

And this is all built into the Rapid7 platform—it doesn’t require customization or installations to get up and running. You truly have a single pane of glass to do all of this, and it’s somehow super intuitive as well. Using the endpoint agent, I don’t have to switch over to something else to do additional work. It’s all right there.

“Customer support at Rapid7 is outstanding. It’s the gold standard that I now use to evaluate all other customer support.”

Thinking Outside the Pane

I also have to give a shout out to the Rapid7 community. The community at discuss.rapid7.com/ and the support I get from our Rapid7 account team cannot be overlooked. When I have a question about how to use something, my first step is to visit Discuss to see if somebody else has already posted some information about it—often saving me valuable time. If that doesn’t answer my question, the customer support at Rapid7 is outstanding. It’s the gold standard that I now use to evaluate all other customer support.

The Bottom Line

My bottom line? I love this product (and the people). To say it’s useful is an understatement. I would never recommend a product that I didn’t think was outstanding. I firmly believe in the Rapid7InsightIDR and experience how useful it is every day. So does my team.

To learn more about InsightIDR, our industry-leading cloud-native SIEM solution, watch this on-demand demo.

Four Signs You Need to Consolidate Your Tech Stack

Recently, Gartner surveyed security professionals and found that over 50% of the respondents were looking to consolidate their security tech stack. Why? These professionals recognized that consolidation is key to achieving their goals of improving productivity, visibility, and reporting as well as bridging staff resourcing gaps.

Additionally, threat actors are leveraging artificial intelligence (AI) and machine learning tools to launch more sophisticated, high-impact attacks. Defending against AI-assisted attacks requires greater network visibility and operational efficiency—not to mention the automated detection and response capabilities in most consolidation offerings. As the threat landscape evolves, streamlining your tech stack can also improve your organization’s security posture and protect against financial losses. This is an important consideration, as the cost of the average data breach has reached $9.44 million in the U.S.  

While the benefits of consolidation are clear, organizations often miss the tell-tale signs that it is time to consolidate their tech stack. Recognizing these signs can help your organization identify the areas where it’s most needed and develop a seamless implementation strategy that minimizes disruption.

Four tell-tale signs it’s time to consolidate your security tools

Sign #1: You can’t track (or visualize) your tech stack

When was the last time you cataloged your resources? This may seem a little on the nose, but one of the best ways to tell if your organization is in need of consolidation is that you’re unable to track or visualize your tech stack.

In 2021, IBM found that 45% of security teams used more than 20 tools when investigating and responding to a cybersecurity incident. These tools are a drain on your budget and can even present security risks. Excess tech is less likely to be monitored for compliance and needlessly broadens your network’s attack surface.

Visibility into your tech stack is just as important as visibility across your network. The inability to track and visualize your tech stack can indicate that your organization is working with tools that are obsolete, underutilized, or ignored.

Sign #2: Your mean time to resolve (MTTR) is high

Did you know it takes the average company a staggering 277 days to identify and contain a breach? Finding and resolving breaches quickly is key to protecting your systems and data. When your MTTR is high, it’s indicative of operational inefficiencies in your security responses.

Working with too many vendors and tools can make it difficult to prioritize and respond to threats. For example, if you’re working with redundant tools, event data from one tool may conflict with another, and your team is forced to spend precious time confirming which dataset is correct before it can respond to the security incident.

Siloed tools from a variety of vendors are another common pain point. Even if you’re using “best of breed” tools, a cobbled together security solution of multiple vendors can create issues. Tools from different vendors may not integrate well (if at all). Consequently, your team may be missing crucial alerts and experiencing a breakdown in workflows as data is transferred from one tool to another.

Sign #3: Your processes are manual

If your team is wasting valuable time manually investigating false positives, prioritizing risks, and drawing context from massive datasets, consolidation could be the solution. Manual investigation is also error-prone, and teams often find that important security events are missed entirely or slip through the cracks until they become pervasive, system-wide concerns. As a result, you may be able to track your team’s elevated MTTR rate back to manual resolution workflows.

Consolidated security platforms offer the crucial automation features that companies need to close skill and staffing resource gaps, as well. Consolidating with automation in mind can simplify and improve your team’s workflows, ensuring that your team is able to respond to threats faster and reduce overall risk across your infrastructure—even if your organization is understaffed. Finally, removing the burden of manual investigation can increase your team’s productivity, free up resources, and create space for senior staff to work on other projects.

Sign #4: Compliance is a struggle

If you’re working with a variety of vendors and security tools, compliance can be problematic. You may find that each vendor’s approach to compliance varies widely, and it’s nearly impossible to impose a consistent standard of compliance across your entire network.

Network applications are difficult to update and secure if your organization struggles to maintain visibility in its tech stack. Also, gathering data across your infrastructure for compliance audits is complicated when you have redundant tools, disagreement between the datasets, and no single source of truth.

Whether your organization is in a highly regulated industry or not, maintaining a compliant network is important. Organizations that maintain compliant networks can resolve configuration-related vulnerabilities faster, creating a baseline for security practices and IT operations.

Following governmental compliance regulations can help your organization enhance its data management capabilities. There are also serious drawbacks to a non-compliant network. Depending on your industry, if your network is non-compliant, you may be required to pay hefty fines. Additionally, non-compliant networks are less secure; they’re prone to configuration vulnerabilities and a host of other issues.

When it comes to consolidation, don’t ignore the signs

Knowing the signs of a tech stack in need of consolidation can save your organization a considerable amount of time, money, and frustration. Some companies worry about giving up “best of breed” security options. However, consolidation is increasingly considered more secure than “best of breed.”

For many organizations, the security advantage of narrowing your attack surface, automating processes, and streamlining data far outweighs the individual benefits of separate solutions and multiple vendors. As the threat landscape evolves, it's increasingly important to have a streamlined tech stack that can deliver the security support needed to effectively mitigate risk.

Want to learn more about consolidation and where to get started? Check out our eBook,The Case for Security Vendor Consolidation.”

Understanding CAASM

Cyber Asset Attack Surface Management 101

This article was written by Ethan Smart, Co-Founder and Chief Solution Architect, appNovi (a Rapid7 integration partner).

It's essential for security and IT teams to have a comprehensive view and control of their cyber assets. This is why Cyber Asset Attack Surface Management (CAASM) has received so much attention from security practitioners and leaders.

According to Gartner, “CAASM tools use API integrations to connect with existing data sources of the organization. These tools then continuously monitor and analyze detected vulnerabilities to drill down the most critical threats to the business and prioritize necessary remediation and mitigation actions for improved cyber security.”

CAASM provides a unified view of all cyber assets to identify exposed assets and potential security gaps through data integration, conversion, and analytics. It is intended to be authoritative source of asset information complete with ownership, network, and business context for IT and security teams.

Security teams integrate CAASM with existing workflows to automate security control gap analysis, prioritization, and remediation processes. These integration outcomes boost efficiency and break down operational silos between teams and their tools. Common key performance indicators of CAASM are asset visibility, endpoint agent coverage, SLAs, and MTTR.

It’s important to understand assets are more than devices and infrastructure. In a Security Operations Center (SOC), assets include users, applications, and application code. Recognizing the interconnectedness of these assets is key to enhancing the SOC's capabilities. For example, consider a scenario where 1,000 servers have the same vulnerability. Assessing each one individually would be incredibly time-consuming. CAASM enriches cyber asset data to automate the majority of analysis.

For example, when you understand only eight of the 1,000 servers are internet-facing, and of those only two are exposed through the necessary port and protocol for exploitation of the vulnerability, you know which assets have the highest contextual exposure, which are exploitable, and which should be addressed first.

In this blog, we’ll cover how security teams can leverage their existing tech stack for Cyber Asset Attack Surface Management.

Understanding the Attack Surface

Comprehensive attack surface management hinges on a comprehensive understanding of everything that is a target for attackers. In a sprawling enterprise environment, there's an abundance of assets distributed across different networks (e.g. cloud, SDN, on-prem), each with its own set of monitoring and alerting tools. When these security tools don’t interoperate or mesh with one another, security teams lack a complete picture of the attack surface. This fragmented understanding results in the continued siloing of teams and tools and inhibits effective data sharing.

One of the oldest adages in cybersecurity is complexity is the enemy of security—and complexity increases when teams recognize assets as more than devices. Assets are more than just computers and servers connecting on the network, as those assets are used to support applications to drive revenue. Applications also use code, which can be used by multiple applications. Users are assets that operate the business using technology. This complex asset tracking and relationship mapping spans network connections, application and code ownership, and the dependencies and indirect dependencies between applications.

CAASM emerged to address this complexity. CAASM is founded through the consolidation of existing data from all the different network and security tools. For example, by integrating Rapid7's portfolio of products with a security data integration and visualization solution like appNovi, organizations can achieve and maintain full visibility across their entire connected network—including on-prem, Software Defined Network (SDN), and hybrid cloud.

Using CAASM, organizations can leverage analytics to refine search results, identify trends, or disseminate specific information to defined groups or individuals. One common use case with appNovi is identifying vulnerable application servers contextually exposed for exploitation and identifying owners based on login telemetry and notifying the server owner and security. This integrated approach delivers comprehensive attack surface visibility and mapping to enable organizations to address risks and manage vulnerabilities more efficiently. When analytics are coupled with automation tools, such as orchestrators, the SOC is able to focus on threat hunting and less on data analysis. Common examples include asset inventory management and security control gap analysis.

Cyber Asset Inventory and Mapping

To manage the attack surface proficiently, it's essential to discover and map an organization's assets accurately and with the greatest level of detail. Organizations that use Rapid7’s Insight Platform already identify network infrastructure to pinpoint active devices, open ports, and running services. When combined with your other tools’ data through the enrichment capabilities of appNovi, Rapid7’s InsightVM integrates with the entire network and security tech stack to reveal overlooked assets, those that were inadvertently deployed without endpoint detection and response (EDR) agents, and those that require a prioritized response.

Telemetry data can also be leveraged from Rapid7’s InsightIDR to enrich asset data to understand network connections, ownership, and user activity. This relationship and connection mapping supports establishing the relationships between assets and their relevance to applications. With an automated and continuously updated asset inventory enriched by telemetry, IT and security teams not only gain visibility but also develop a comprehensive understanding of each asset’s dependencies and business significance.

Risk Assessment and Prioritization Based on Exposure

Vulnerability scanners and agents help you understand what devices and their software are vulnerable. For teams today to understand the exposure of their vulnerable devices requires sifting through large amounts of network log data. This time-consuming process often inhibits the ability to prioritize devices based on their network contextual exposure. But when telemetry sources are abstracted and converged with cyber asset data, contextual exposure analysis becomes a simple and automated analysis. That’s why data convergence in appNovi with Rapid7’s platform compiles network, asset, and vulnerability data into a comprehensive and easily accessible format.

This powerful data management capability means teams efficiently and accurately identify the devices that are the most vulnerable and exposed to both external threats and lateral movement from within the network. With this level of enrichment, security teams can quickly identify the handful of assets that require immediate prioritization to support an effective remediation strategy.

Identifying and Managing New Assets

Monitoring the attack surface involves leveraging a diverse set of tools to identify new assets within an organization's digital ecosystem. It is vital to utilize comprehensive asset discovery tools, vulnerability scanners, and other solutions to gain a holistic view of the digital infrastructure.

However, some infrastructure is ephemeral or may be inaccessible to all monitoring tools, in which case telemetry data sources and other SIEM data can be used to identify new assets. This aggregation, enrichment, and analysis can feed into other actions whether it be as simple as email notifications of results or triggering specific automated actions.

Creating Closed-Loop Remediation

When an authoritative source of detailed asset data is established standard searches can be run to provide consistent results and define specific outcomes. As an example, many organizations want to prioritize appropriate EDR agent and Rapid7 IDR agent installations across their application infrastructure.

To achieve this functionality, security teams define what constitutes appropriate security controls and search for all assets that do not meet the criteria. The results can trigger playbooks or workflows to create automated remediation notifications. In instances where orchestrators can install agents, those assets without agents can be automatically remediated in a self-healing loop.

By integrating Rapid7's platform with appNovi, businesses gain actionable insights into the changes that occur across their attack surface with the ability to implement streamlined remediation.

Best Practices for Cyber Asset Attack Surface Management

Maintaining a robust attack surface management initiative is essential—automating as much of it as possible is what will result in efficiencies for the SOC. There are several best practices for organizations that want to undertake the initiative to uplevel security operations with Cyber Asset Attack Surface Management.

Different data, same problem
Rarely is all data in the same format. Even more rarely does all data provide the same match values of assets. For CAASM to be effective, ingestion and data convergence must facilitate data normalization through abstraction. This needs to be done through unique identifiers. Without integrated data feeds that support the wide variety of data structures and vendor nuances, you’ll end up back in an Excel spreadsheet that effectively only saves you a SIEM query.

Less is hard
There are many different data points about assets. All the asset attributes must converge into a single asset profile. Without this capability, security teams will be sifting through duplicate records providing two different perspectives on the same asset which often leads to partial resolution or inaction. To be effective, the SOC needs a high-fidelity source of data and not several incomplete profiles of the same asset.

Where is it?
Complete asset inventories are helpful to satiate compliance requirements, but without context, all assets will be viewed based on an objective data point. Because you have network data, you should be able to apply your network context to it and make the asset subjective. An external-facing asset with a medium risk is more important than a high risk asset buried behind several network security controls. Your tools already monitor and have network and business context—that telemetry and enrichment need to extend to assets.

What is it?
Every enterprise has applications. Few know how many they have deployed in their network. Using application data sources can help delineate and track application servers and what they are direct and indirect dependencies of. The business importance of an asset helps not only in prioritization, but telemetry such as logins can expedite ownership identification.

Conclusion

By leveraging the power of CAASM, organizations can overcome the complexity of asset tracking and relationship mapping, optimize their security workflows, and effectively manage the evolving threat landscape. The tooling already exists, all that’s required is the integration and data convergence capabilities for you to uplevel the SOC.

Watch appNovi’s video on CAASM capabilities with Rapid7 today to understand this comprehensive and proactive approach to cybersecurity.

CVE-2023-34362: MOVEit Vulnerability Timeline of Events

The following article was written by Drew Burton and Cynthia Wyre.

Rapid7 continues to track the impact of CVE-2023-34362, a critical zero-day vulnerability in Progress Software’s MOVEit Transfer solution. CVE-2023-34362 allows for SQL injection, which can result in unauthorized access to sensitive data, such as passwords, credit card details, or personal user information.

Rapid7 is not currently seeing evidence that commodity or low-skill attackers are exploiting the vulnerability. However, the exploitation of available high-value targets globally across a wide range of org sizes, verticals, and geo-locations indicates that this is a widespread threat. We expect to see a longer list of victims come out as time goes on.

We’ve put together a timeline of events to date for your reference.

MOVEit Timeline

May 27-28: Rapid7 services teams have so far confirmed indicators of compromise and data exfiltration dating back to at least May 27 and May 28, 2023 (respectively).

May 31: Progress Software publishes an advisory on a critical SQL injection vulnerability in their MOVEit Transfer solution.

May 31: Rapid7 begins investigating exploitation of MOVEit Transfer.

June 1: Rapid7 publishes initial analysis of MOVEit Transfer attacks after responding to incidents across multiple customer environments.

June 1: The security community publishes technical details and indicators of compromise.

June 1: Compromises continue; Rapid7 responds to alerts.

June 1: CISA publishes Security Advisory.

June 2: CVE-2023-34362 is assigned to the zero-day vulnerability.

June 2: Mandiant attributes the attack to a threat cluster with unknown motives.

June 2: Velociraptor releases an artifact to detect exploitation of MOVEit File Transfer critical vulnerability.

June 4: Rapid7 publishes a method to identify which data was stolen.

June 4: Nova Scotian government discloses it is investigating privacy breach.

June 5: Microsoft attributes the attack to Lace Tempest, a Cl0p ransomware affiliate that has previously exploited vulnerabilities in other file transfer solutions (e.g., Accellion FTA, Fortra GoAnywhere MFT).

June 5: UK companies BA, BBC, and Boots disclose breaches as victims in MOVEit File Transfer.

June 5: Cl0p ransomware group claims responsibility for the zero-day attack.

June 6: Security firm Huntress releases a video allegedly reproducing the exploit chain.

June 6: The Cl0p ransomware group posts a communication on their leak site demanding that victim organizations contact them by June 14 to negotiate extortion fees in exchange for the deletion of stolen data.

June 7: CISA publishes #StopRansomware Cybersecurity Advisory regarding MOVEit File Transfer Vulnerability CVE-2023-34362.

June 9: Progress Software updates advisory to include a patch for a second MOVEit Transfer Vulnerability, which was uncovered by Huntress during a third-party code review. The vulnerability is later assigned CVE-2023-35036.

June 12: Rapid7 releases a full exploit chain for MOVEit Transfer Vulnerability CVE-2023-34362.

Mitigation

All MOVEit Transfer versions before May 31, 2023 are vulnerable to CVE-2023-34362, and all MOVEit Transfer versions before June 9, 2023 are vulnerable to CVE-2023-35036. As noted above, fixed versions of the software are available, and patches should be applied on an emergency basis.

Patches are available via Progress Software’s CVE-2023-34362 advisory. Additionally, because CVE-2023-34362 is a zero-day vulnerability, Progress Software is advising MOVEit Transfer and MOVEit Cloud customers to check for indicators of unauthorized access over "at least the past 30 days."

According to the company’s status page, Progress also took the following steps aimed at increasing security monitoring and defending against further exploitation or attack:

  • Developed specific monitoring signatures on Progress’ endpoint protection system.
  • Validated that the newly developed patch corrected the vulnerability.
  • Tested detection rules before finalizing to ensure that notifications are working properly.
  • Engaged outside cybersecurity experts and other incident response professionals to conduct a forensic investigation and assess the extent and scope of the incident.

As noted in the timeline above, Rapid7 has added capabilities across our portfolio that can help users identify and resolve risk from CVE-2023-34362. We have also identified a method to identify exfiltrated data from compromised MOVEit customer environments.

To learn more, check out: Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability