Today, we’re excited to announce a major milestone for InsightVM: Recognition as a Leader in The Forrester Wave™: Vulnerability Risk Management, Q1 2018, earning top scores in both the Current Offering and Strategy categories. We are proud of the achievement not only because of years of hard work from our product team, but also because we believe that it represents the thousands of days and nights spent working with customers to understand the challenges they face prioritizing vulnerabilities and trying to optimize remediation processes in a modern network.
For us, our position on the Forrester Wave, as well as Forrester’s analysis that “Rapid7 has already implemented what VRM will look like in the future”, validates the approach we’ve been taking with vulnerability management for years: using the power of the Insight platform to provide data analytics and help customers make sense of the constantly changing risk in their modern network.
Forrester’s research uncovered four critical areas for mature vulnerability risk management capability that, in our view, align with what customers tell us they love about InsightVM. Here are those four areas, along with our own takeaways:
“Asset Management is the foundation of a mature VRM capability” - Forrester states that “Without knowing what’s in your environment, you have no hope of securing it”. According to IDC, overall IT spending on cloud infrastructure will surpass IT spending on non-cloud infrastructure by 2020; as the modern network shifts to more cloud and virtualized infrastructure, it’s become practically impossible to get accurate visibility into that dynamic environment using legacy scheduled scanning. That’s why Rapid7 has been investing in direct discovery connections with sources like AWS, Azure, and VMware for years, going back to Nexpose’s integrations with Project Sonar and DHCP. We continuously add new ways to gain visibility into new types of assets, like containers, and most importantly make it easy to correlate these assets with the rest of your infrastructure in a single unified view.
“Patch prioritization must extend beyond vulnerability scores” - IT and Security teams can’t take a spray and pray approach with patches; while some fixes are fairly straightforward, many devices will require additional testing and some level of human input before a patch can be safely applied. InsightVM’s Remediation Workflows help IT and Security teams work better together on these fixes by sharing remediation duties and progress, as well as integrating with ServiceNow and JIRA to fold remediation seamlessly into IT’s existing approval workflow. InsightVM also makes it easy for customers to automatically prioritize critical assets with our robust tagging system, and security teams can create exceptions for vulnerabilities that they know they can’t fix but need to mitigate until patching is possible.
“Threat intelligence provides an additional pathway for strategic patching” - CVSS scores are usually not enough to successfully prioritize vulnerabilities in a modern network; customers are left sorting through thousands of “critical” vulnerabilities with little context about which ones truly present the most risk to the network. InsightVM includes integrated threat feeds from our own research as well as third-party sources so that security teams can prioritize vulnerabilities used in real-world attacks. Combined with our 1-1000 risk score that incorporates malware exposure, exploit exposure/ease of use, CVSS, and vulnerability age, InsightVM helps security teams think like an attacker and take a risk-based approach to prioritizing vulnerabilities.
“Reporting capabilities facilitate your ability to identify procedural vulnerabilities” - Forrester points out that “Risk exposure metrics are critical to measuring the risk associated with an organization’s operational footprint and allow prioritization of security sensitive systems”. InsightVM’s Liveboards let users visualize how their risk changes over time, and filter down their views based on what they and the company consider to be most important using robust queries and automatic prioritization of important assets.
This is just the beginning for InsightVM; we will continue to push forward in vulnerability management by enabling IT, Security, and DevOps teams to work better together in solving security challenges, making security an enabler of innovation and expansion, not an afterthought. Stay tuned for some exciting developments over the next year that we believe will continue to validate Forrester’s placement as a leader in the VRM space.
You can download the full report here.