Effective credential management is the bread and butter of good security hygiene, especially when it comes to privileged accounts. When you’re protecting the keys to the kingdom, you need to be sure that if credentials are ever stolen, they can’t be exploited. This is a big pain point for security professionals who want to leverage a scan engine to assess systems for vulnerabilities—scan engines require privileged access to get the full picture of which vulnerabilities may reside inside, but storing credentials can put them at risk of compromise.
So, is there a way to effectively assess your assets with a scan engine while also keeping credentials safe? With the integration between CyberArk Access Identity Manager and Rapid7’s leading vulnerability management solution, InsightVM, or our top-rated, on-premises solution, Nexpose, you can. CyberArk provides continuous credential rotations for privileged accounts so that if they are ever compromised, the credentials are rendered useless to an attacker. This keeps your credentials safe, maintains full visibility into your assets, and keeps attackers out.
This integration is part of our ever-growing relationship with CyberArk. Below, we will explain how it works and why it is important to have in place when conducting vulnerability scans:
CyberArk + InsightVM: Born out of a major market need
Since we released this integration, it has quickly risen to become one of our most utilized partner integrations. Born out of customer demand, this integration was developed to address a key issue many organizations were facing: ensuring privileged credentials are changed periodically and are able to be audited without manual effort.
When using scan engines, it’s considered a best practice to audit your systems using privileged accounts in order to obtain deeper insights into the vulnerabilities present on the host. In conjunction with CyberArk, InsightVM or Nexpose allows secure privileged credentials to be retrieved from CyberArk on a per-scan basis. This frees administrators from the worry of having to update privileged credentials in numerous locations and ensures all scans run using secured credentials. With this added layer of security, static credentials won’t be hanging around in your environment.
How the CyberArk/InsightVM integration works
First, you need to have both CyberArk and InsightVM or Nexpose implemented within your environment. You’ll then link the two solutions within the InsightVM Administration Tab. InsightVM will begin to query the CyberArk Privileged Access Security Solution for the credentials on each asset, both at a one-to-one level (a single credential for a single asset) and at a one-to-many level (a global credential for multiple assets). Whenever InsightVM or Nexpose requests a credential from CyberArk, CyberArk returns the correct key, and InsightVM or Nexpose is then able to run an Authenticated Scan. CyberArk Application Access Manager will automatically rotate the credentials based on the organization’s security policy or on demand.
Please note that the credentials themselves are not stored in the InsightVM Security Console. Rather, they are handled ephemerally and for the purposes of the scan only.
Read more about how the integration works with our Integration Brief: Enable In-Depth Scanning With CyberArk Application Access Manager and Rapid7 InsightVM or Nexpose.
The result: Top-notch security hygiene
Centrally storing and rotating secure credentials leads to simplified credential management and ensures that even if you do get compromised, an attacker cannot take advantage. With CyberArk handling credential hygiene, you can implement authenticated vulnerability scans with confidence, enabling better visibility with InsightVM or Nexpose. And, from a compliance perspective, you can maintain a comprehensive audit trail.
To get started with this integration, make sure you have Rapid7 InsightVM or Rapid7 Nexpose 6, CyberArk Privileged Access Security Solution Version 9.3.0, and CyberArk Application Access Manager 7.2.13.
You can begin a free trial of InsightVM now, or if you’re an existing Rapid7 customer, log in and implement the integration today!