Rapid7 Announces Strategic Consulting and Assessment Services to Secure the Internet of Things

New practice to focus on secure design and deployment of consumer, enterprise, industrial, medical, and transportation devices

Boston, MA — November 1, 2016

Rapid7, Inc. (NASDAQ: RPD), a leading provider of security data and analytics solutions, today announced that it has expanded its strategic consulting and security testing offerings to aid organizations in securely developing and deploying non-traditional internet connected devices, often referred to as the internet of things (IoT). The new practice area will help organizations think strategically about building security practices into product development lifecycles, provide thorough assessment and testing of potential weaknesses for both hardware and software, and offer forensic analysis for devices that have been compromised.

Compromised IoT devices can be used to amplify and launch crippling denial of service (DDoS) attacks against others. Recent cyber-attacks have taken advantage of IoT device weaknesses, most notably, the Mirai malware. In addition to securing IoT devices themselves, IT and security professionals are charged with defending their networks against this new threat vector.

“The risk posed by IoT devices has moved from theoretical to real-world. When we consider IoT, we’re no longer talking about a single or highly unlikely, targeted instance of a vulnerable device that leads to one compromised system or consumer. We’re now seeing large-scale attacks that leverage huge numbers of devices against extremely popular organizations,” said Deral Heiland, IoT research lead at Rapid7. “As a result, device developers and manufacturers are coming under increased scrutiny and heightened expectations. Their products are assumed secure, though many of these product developers are still learning the fundamentals of secure design principles.”

According to Gartner’s Internet of Things Primer for 2016, “by 2020, over 20 billion connected things will be in use across a range of industries.” While driving significant productivity gains for businesses and consumers, this exploding growth also creates new attack vectors for malicious attackers and presents increased risk. IoT devices not only create new opportunities for attackers to invade networks to steal information, they can also be hacked to gain access to physical spaces and assets, or even cause harm to users. As users become more dependent on the functionality of connected devices, the risk represented by loss of use or corrupted use becomes even greater.

Transportation specialty
Planes, trains, and automobiles often have a complex set of requirements. Rapid7’s deep expertise goes beyond understanding CAN, LIN, FlexRay, and other network protocols to provide assessments and recommendations that will not affect the product's performance, but will solve manufacturers’ specific needs and concerns. Rapid7 works with original equipment manufacturers (OEMs) and tier suppliers to fit into development workflows.

Rapid7’s transportation offering will be led by Craig Smith, who joined the Company over the summer. Smith is the founder of Open Garages, a distributed collective of performance tuners, mechanics, security researchers, and artists. He is also the author of the “Car Hacker's Handbook” and has developed many open source utilities to teach CAN bus protocols to students, as well as security penetration tools that can uncover vulnerabilities in vehicle and diagnostic systems.

"Rapid7 understands the transportation industry, the needs of its engineers, what methods work, and which ones do not – we’ve seen what happens when security isn’t implemented correctly or is considered too late in the process. We’re focused on identifying real risks to create custom solutions that integrate into what’s most important to the business, without compromising design,” said Smith. “Over the past five years, we’ve seen increased recognition for security research as a valuable part of the transportation development process. Manufacturers are working to better understand how software vulnerabilities impact the safety of their products – we’re excited to continue forward on this path,” he finished.

Consulting and assessment service areas
Rapid7 will offer the following services as a part of the IoT practice, across consumer, enterprise, industrial, medical, and transportation devices:

    • Strategic Guidance: Specialist consultancy on how to develop IoT technologies with security built-in from the ground up. The consultants will work with industry experts and trade groups to help develop standards and best practices for IoT security and will funnel this expertise into engagements with IoT developers.
    • Threat Modeling: Development of comprehensive threat models of your entire system that can evolve with your complete product lifecycle to help you identify and mitigate the most critical issues, as well as to document your product’s security posture.
    • Device Design Consulting: Designing hardware is often the first step of a major project and can determine your limitations and weaknesses. The company offers consulting from the ground up so that hardware issues don’t become the Achilles’ heel of your software security architecture.
    • Incident Response: After an attack, getting forensic information from anything more than device logs can be a non-trivial task. Rapid7’s hardware teams can assist in getting the information you need directly from a product.
    • Security Testing and Vulnerability Analysis
      • IoT Penetration Testing: Rapid7 penetration and system analysis testing goes beyond basic analysis to consider the whole ecosystem of the IoT technology, including the IoT mobile application, cloud APIs, communication and protocols, and embedded hardware and firmware.
      • Hardware Testing: Rapid7 will examine the physical security and internal architecture of the device – including internal components – to determine the breadth and depth of its physical attack surface. The Company also provides practical advice to help improve and remediate identified issues.
      • Protocol Testing: Rapid7 will assess and test communications to and from the device, including protocols used, the cryptographic security of encrypted transmissions, the ability to capture and modify transmissions of data, and fuzzing of the communication protocols, to determine the risk to an organization and clients. The Company provides actionable advice to prioritize and reduce risks uncovered.
      • Firmware Analysis: Rapid7 experts extract and examine the content of the firmware to discover backdoor accounts, injection flaws, buffer overflows, format strings, and other vulnerabilities, extending analysis to the firmware upgrade process to ensure that public key encryption and upgrade functionality is also secure.

Responsible security research driving innovation in IoT

Rapid7 security experts have been widely recognized for their research in IoT. Having found security issues with internet connected insulin pumpslight bulbscarstoysbaby monitors, and more, the company is dedicated to using security research to better protect consumers and organizations through coordinated disclosure, clear communications, and jointly agreed upon mitigations whenever possible.

About Rapid7 Strategic Advisory Services
Rapid7's Security Advisory Services apply industry expertise, data-driven analysis, and industry best practices to transform the way organizations manage security programs and empower more impactful business decisions. Our experts will help you answer critical questions to quantify the current state of your security, gain executive alignment, and put in place plans to deliver measurable improvement. Whether you need specific help improving the security of IoT devices, implementing breach response, or revamping a complete security program, Rapid7 has the knowledge, experience, and commitment to get you to success.

The company conducts more than 1,000 penetration tests each year, and its experts in threat modeling, incident detection, breach response, and security program strategy are featured speakers and contributors at major security conferences, including RSA, Black Hat, DEF CON, and SXSW.

About Rapid7

Rapid7 is a leading provider of security data and analytics solutions that enable organizations to implement an active, analytics–driven approach to cyber security. We combine our extensive experience in security data and analytics and deep insight into attacker behaviors and techniques to make sense of the wealth of data available to organizationsabout their IT environments and users. Our solutions empower organizations to prevent attacks by providing visibility into vulnerabilities and to rapidly detect compromises,respond to breaches, and correct the underlying causes of attacks. Rapid7 is trusted by more than 5,300 organizations across over 100 countries, including 36% of the Fortune1000. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.

Cautionary Language Concerning Forward-Looking Statements

This press release includes forward-looking statements. All statements contained in this press release other than statements of historical facts, including, without limitation, statements regarding our growth strategy, future market opportunities and plans and objectives for future operations, are forward-looking statements. The words “anticipate,” “believe,” “continue,” “estimate,” “expect,” “intend,” “may,” “will” and similar expressions are intended to identify forward-looking statements. We have based these forward-looking statements largely on our current expectations and projections about future events and financial trends that we believe may affect our financial condition, results of operations, business strategy, short-term and long-term business operations and objectives and financial needs. These forward-looking statements are subject to a number of risks and uncertainties, including, without limitation, risks related to our rapid growth and ability to sustain our revenue growth rate, the ability of our products and professional services to correctly detect vulnerabilities, competition in the markets in which we operate, market growth, our ability to innovate and manage our growth, our ability to integrate acquired operations, our ability to operate in compliance with applicable laws as well as other risks and uncertainties set forth in the “Risk Factors” section of our Quarterly Report on Form 10-Q filed with the Securities and Exchange Commission for the quarterly period ended June 30, 2016, and subsequent reports that we file with the Securities and Exchange Commission.  Moreover, we operate in a very competitive and rapidly changing environment. New risks emerge from time to time. It is not possible for our management to predict all risks, nor can we assess the impact of all factors on our business or the extent to which any factor, or combination of factors, may cause actual results to differ materially from those contained in any forward-looking statements we may make. In light of these risks, uncertainties and assumptions, we cannot guarantee future results, levels of activity, performance, achievements or events and circumstances reflected in the forward-looking statements will occur. We are under no duty to update any of these forward-looking statements after the date of this press release to conform these statements to actual results or revised expectations, except as required by law. You should, therefore, not rely on these forward-looking statements as representing our views as of any date subsequent to the date of this press release.

Investor Relations Contact

Neeraj Mahajan, CFA

Vice President, Investor Relations



Press Contact

Rachel E. Adam

Senior PR Manager