Rapid7, the leading provider of security risk intelligence solutions, introduces today the means to increase vulnerability management efficiency by leveraging intelligence from its powerful penetration testing solution, Rapid7® Metasploit® Pro to validate potential risks. Metasploit extended integration with Rapid7's vulnerability management product, Rapid7® Nexpose, arms security professionals with knowledge of which vulnerabilities can be exploited, enabling them to prioritize remediation efforts for maximum impact. In addition, this simplified approach to risk validation enables security professionals to measure the effectiveness of their mitigation efforts, increasing their credibility in the organization in the longer term.
“Security professionals face a huge and complex challenge and they need to know that they are focusing their efforts on the highest risk vulnerabilities,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. “With Metasploit and Nexpose, security professionals can identify which of the numerous potential vulnerabilities are real in-roads for an attacker and prioritize these for remediation, making a more meaningful improvement to the organization's security posture.”
With so many known and unknown threats facing organizations, it can be hard for IT security teams to decide which potential risks they should focus on. A vulnerability that may be dangerous to one organization could be far less significant to another because a compensating control or other defensive solution affects its exploitability. Security professionals often have to work with reports with thousands of vulnerabilities identified: far more than they have time to address. As a result, many IT security teams are focusing on the wrong items and are not able to address the real risks before it is too late. This new Metasploit version delivers a simple solution to this frustration for IT security teams by prioritizing the critical risks.
With this release, Rapid7 provides a closed-loop security risk assessment solution: Metasploit imports vulnerability scanning results from Nexpose, validates risks, and feeds the outcome back into Nexpose to simplify reporting and streamline remediation. Metasploit does this by identifying and testing known exploits that correlate to each vulnerability. The results are listed with information about why a given vulnerability may not have been exploitable. The resulting Nexpose reports then give users straight-forward, pragmatic recommendations on how to remediate each vulnerability. Additionally, users can now group assets in Nexpose based on the powerful tagging capabilities of Metasploit Pro. Once steps have been take to remediate the vulnerabilities, security professionals can then use Metasploit to test the effectiveness of the action taken.
Specifically, Metasploit now tightly integrates with Nexpose by:
Security professionals benefit from the integration in the following ways:
On July 18 at 2pm EST, HD Moore will demonstrate the new functionality in the free webcast “Validate Risks in Your Security Assessment Program”. Security professionals can register at http://information.rapid7.com/webcast-managed-vulnerability-pentesting-registration.html?LS=1231847
Pricing and Availability
Metasploit 4.4 is available immediately from www.rapid7.com. The new features are exclusive to the Metasploit Pro edition. For information on pricing, please contact firstname.lastname@example.org. For a free trial, please visit http://www.rapid7.com/products/metasploit/download.jsp.
Rapid7 will be providing demonstrations at booth 518 at Black Hat in Las Vegas later this week.
Rapid7 security analytics software and services reduce threat exposure and detect compromise for 3,000 organizations across 78 countries, including over 250 of the Fortune 1000. We understand the attacker better than anyone and build that insight into our solutions to improve risk management and stop threats faster. We offer advanced capabilities for vulnerability management, penetration testing, controls assessment, incident detection and investigation across your assets and users for virtual, mobile, private and public cloud networks. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com.