Rapid7 Metasploit Pro Increases Vulnerability Management Efficiency by Leveraging Penetration Testing Intelligence to Validate Security Risks
Rapid7 Helps Security Professionals Prioritize Risk Remediation With Tighter Vulnerability Management Integration
Boston, MA - July 17, 2012 - Rapid7, the leading provider of security risk intelligence solutions, introduces today the means to increase vulnerability management efficiency by leveraging intelligence from its powerful penetration testing solution, Rapid7® Metasploit® Pro, to validate potential risks. Metasploit's extended integration with Rapid7's vulnerability management product, Rapid7® Nexpose, arms security professionals with knowledge of which vulnerabilities can be exploited, enabling them to prioritize remediation efforts for maximum impact. In addition, this simplified approach to risk validation enables security professionals to measure the effectiveness of their mitigation efforts, increasing their credibility in the organization in the longer term.
“Security professionals face a huge and complex challenge and they need to know that they are focusing their efforts on the highest risk vulnerabilities,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. “With Metasploit and Nexpose, security professionals can identify which of the numerous potential vulnerabilities are real in-roads for an attacker and prioritize these for remediation, making a more meaningful improvement to the organization's security posture.”
With so many known and unknown threats facing organizations, it can be hard for IT security teams to decide which potential risks they should focus on. A vulnerability that may be dangerous to one organization could be far less significant to another because a compensating control or other defensive solution affects its exploitability. Security professionals often have to work with reports with thousands of vulnerabilities identified: far more than they have time to address. As a result, many IT security teams are focusing on the wrong items and are not able to address the real risks before it is too late. This new Metasploit version delivers a simple solution to this frustration for IT security teams by prioritizing the critical risks.
With this release, Rapid7 provides a closed-loop security risk assessment solution: Metasploit imports vulnerability scanning results from Nexpose, validates risks, and feeds the outcome back into Nexpose to simplify reporting and streamline remediation. Metasploit does this by identifying and testing known exploits that correlate to each vulnerability. The results are listed with information about why a given vulnerability may not have been exploitable. The resulting Nexpose reports then give users straightforward, pragmatic recommendations on how to remediate each vulnerability. Additionally, users can now group assets in Nexpose based on the powerful tagging capabilities of Metasploit Pro. Once steps have been taken to remediate the vulnerabilities, security professionals can then use Metasploit to test the effectiveness of the action taken.
Specifically, Metasploit now tightly integrates with Nexpose by:
- Importing rich vulnerability data from Nexpose scans, sites, and XML
- Automatically validating the exploitability of many high-risk vulnerabilities
- Providing a simplified process to spot-check individual vulnerabilities
- Pushing granular exploit results back to Nexpose via Vulnerability Exceptions
- Pushing device classifications back to Nexpose Asset Groups via Metasploit Tags
- Enhancing Metasploit reports with detailed Nexpose scan data
Security professionals benefit from the integration in the following ways:
- Quickly identify high-risk vulnerabilities not protected by compensating controls
- Measure the effectiveness of defensive solutions designed to mitigate vulnerabilities
- Increase credibility and reduce friction between IT operations and security teams
On July 18 at 2pm EST, HD Moore will demonstrate the new functionality in the free webcast “Validate Risks in Your Security Assessment Program”. Security professionals can register at http://information.rapid7.com/webcast-managed-vulnerability-pentesting-registration.html?LS=1231847
Pricing and Availability
Metasploit 4.4 is available immediately from www.rapid7.com. The new features are exclusive to the Metasploit Pro edition. For information on pricing, please contact firstname.lastname@example.org. For a free trial, please visit http://www.rapid7.com/products/metasploit/download.jsp.
Rapid7 will be providing demonstrations at booth 518 at Black Hat in Las Vegas later this week.
Rapid7's IT security data and analytics solutions collect, contextualize and analyze the security data you need to fight an increasingly deceptive and pervasive adversary. Unlike traditional vulnerability assessment or incident management, Rapid7 solutions uniquely provide insight into the security state of your assets and users across virtual, mobile, private and public cloud networks. They enable you to fully manage your risk, simplify compliance, and identify, investigate and stop threats faster. Our threat intelligence, informed by members of the Metasploit open source community and the industry-leading Rapid7 Labs, provides relevant context, real-time updates and prioritized risk. Our solutions are used by more than 25% of the Fortune 1000 and nearly 3,000 enterprise, government and small business organizations across 78 countries. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.