It happens all the time—a company’s sensitive asset becomes vulnerable or falls out of compliance, then a user logs in to it and puts the company at risk of exploitation or breach.
The solution to this is two-fold: First, you should be alerted when an asset falls out of compliance or has a vulnerability. Second, you must limit access to the asset until it can be fixed to decrease the likelihood of exploitation.
Just like you wouldn’t walk over a bridge with cracks in it, you also don’t want insecure assets left online and fully accessible to users until they’re fixed.
Rapid7’s vulnerability assessment solution, InsightVM, is designed to help companies quickly spot vulnerabilities across their environment so they can be remediated. With our new integration with the CyberArk Privileged Access Security Solution, user access to vulnerable assets can be automatically restricted until the issue is eliminated. We first integrated with CyberArk to provide InsightVM customers with privileged credential management during their vulnerability management scans. Now, we’re taking things a step further to enable a conditional access integration. In this post, we’ll show you what it’s all about!
How the InsightVM/CyberArk integration works
The integration between InsightVM and CyberArk provides conditional access based on characteristics of an asset, such as its risk score. This integration protects employees, contractors, and other users from accessing potentially compromised machines and, in turn, helps make your organization more secure.
To start, CyberArk securely retrieves the profile of an asset from InsightVM’s assessment results and checks the characteristics of the asset against defined rules in CyberArk to ensure access is permitted. If the asset characteristics have triggered a CyberArk rule—such as being above a risk threshold or out of PCI compliance—access to the asset will be blocked for non-administrative group members until the issue is resolved.
You can set rules within CyberArk that define which criteria warrant blocking access, and you can also create asset tags within InsightVM. For example, if there is a particular group of assets that is extraordinarily sensitive, you can add a tag to those assets in InsightVM so that CyberArk can apply more stringent access policies. You can also apply tags in bulk to InsightVM’s dynamic asset groups, which can change as vulnerabilities and remediations occur.
Lastly, if a device has fallen out of compliance, you can block users from accessing it until the device is brought back into scope.
When a user attempts to connect to a machine, CyberArk pings InsightVM to get all the information about it, including its risk score, tags, compliance status, presence of containers, and more. If any of these criteria are configured to be triggers, CyberArk limits or blocks access.
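A conceptual model of the access decision described above, added here as an illustration: it is not Rapid7 or CyberArk code and calls neither product's API. The field names, thresholds, the `crown-jewel` tag, the `admins` group, and the choice to deny when no profile is available are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AssetProfile:            # hypothetical shape of an assessment result
    risk_score: float
    tags: frozenset
    pci_compliant: bool

@dataclass(frozen=True)
class Rule:                    # hypothetical access rule
    name: str
    max_risk_score: float
    require_pci: bool = False
    applies_to_tag: Optional[str] = None   # None means the rule covers every asset

ADMIN_GROUPS = frozenset({"admins"})       # assumed group name

def decide(profile, user_groups, rules):
    """Return (allowed, reasons) for one connection attempt."""
    # Administrators keep access so they can remediate the asset.
    if ADMIN_GROUPS & set(user_groups):
        return True, ["administrative group member"]
    # Assumption: with no assessment data, deny rather than guess.
    if profile is None:
        return False, ["no assessment profile available"]
    reasons = []
    for rule in rules:
        if rule.applies_to_tag and rule.applies_to_tag not in profile.tags:
            continue                       # rule is scoped to a tag the asset lacks
        if profile.risk_score > rule.max_risk_score:
            reasons.append(f"{rule.name}: risk {profile.risk_score} > {rule.max_risk_score}")
        if rule.require_pci and not profile.pci_compliant:
            reasons.append(f"{rule.name}: asset is out of PCI compliance")
    return (not reasons), reasons

# Constructed sample rules: a baseline for all assets, a stricter one for tagged assets.
RULES = [
    Rule("baseline", max_risk_score=10000),
    Rule("sensitive", max_risk_score=2000, require_pci=True, applies_to_tag="crown-jewel"),
]

if __name__ == "__main__":
    db01 = AssetProfile(3500, frozenset({"crown-jewel"}), True)   # constructed asset
    for groups in (["contractors"], ["admins"]):
        print(groups, decide(db01, groups, RULES))
```

Because the decision is computed at connection time from the current profile, remediating the asset or moving it out of the tagged group changes the outcome without editing the rules.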
Case in point: A well-known retail breach
Imagine you’ve hired a third-party contractor to manage a server in your environment. If that server were found to be extraordinarily risky, you’d want to block that contractor from logging in to it until the server is safe—that is, if you have the ability to detect the risk and block certain users. For example, in an infamous retail company’s data breach, it was discovered that a third-party contractor that was hired to manage its HVAC systems was insecure and unknowingly infiltrated by attackers. When the contractor connected to the retail company’s vulnerable servers, the attackers were able to use that bridge to jump in and move to the credit card processing servers and terminals, resulting in the breach. If the retail company had a way to detect the risk and prevent the contractor from connecting to its vulnerable servers, this data breach could have potentially been avoided.
How to implement conditional asset access
Making it faster and easier to mitigate risk across a company’s environment is the crux of what we do here at Rapid7, and our latest integration with CyberArk furthers that mission. When it comes to user access, ideally you want to set your asset access policies once and have those criteria be used across all of the assets within your environment. InsightVM and CyberArk bring this possibility to life with the ability to set and restrict access based on the characteristics of assets to keep you secure.