“Security professionals face a huge and complex challenge and they need to know that they are focusing their efforts on the highest risk vulnerabilities,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. “With Metasploit and Nexpose, security professionals can identify which of the numerous potential vulnerabilities are real in-roads for an attacker and prioritize these for remediation, making a more meaningful improvement to the organization’s security posture.”
With so many known and unknown threats facing organizations, it can be hard for IT security teams to decide which potential risks they should focus on. A vulnerability that may be dangerous to one organization could be far less significant to another because a compensating control or other defensive solution affects its exploitability. Security professionals often have to work from reports that identify thousands of vulnerabilities, far more than they have time to address. As a result, many IT security teams are focusing on the wrong items and are not able to address the real risks before it is too late. This new Metasploit version delivers a simple solution to this frustration for IT security teams by prioritizing the critical risks.
With this release, Rapid7 provides a closed-loop security risk assessment solution: Metasploit imports vulnerability scanning results from Nexpose, validates risks, and feeds the outcome back into Nexpose to simplify reporting and streamline remediation. Metasploit does this by identifying and testing known exploits that correlate to each vulnerability. The results are listed with information about why a given vulnerability may not have been exploitable. The resulting Nexpose reports then give users straightforward, pragmatic recommendations on how to remediate each vulnerability. Additionally, users can now group assets in Nexpose based on the powerful tagging capabilities of Metasploit Pro. Once steps have been taken to remediate the vulnerabilities, security professionals can then use Metasploit to test the effectiveness of the action taken.
Specifically, Metasploit now tightly integrates with Nexpose by:
• Importing rich vulnerability data from Nexpose scans, sites and XML
• Automatically validating the exploitability of many high-risk vulnerabilities
• Providing a simplified process to spot-check individual vulnerabilities
• Pushing granular exploit results back to Nexpose via Vulnerability Exceptions
• Pushing device classifications back to Nexpose Asset Groups via Metasploit Tags
• Enhancing Metasploit reports with detailed Nexpose scan data
Security professionals benefit from the integration in the following ways:
• Quickly identify high-risk vulnerabilities not protected by compensating controls
• Measure the effectiveness of defensive solutions designed to mitigate vulnerabilities
• Increase credibility and reduce friction between IT operations and security teams
On July 18 at 2pm EST, HD Moore will demonstrate the new functionality in the free webcast “Validate Risks in Your Security Assessment Program.” Security professionals can register at http://information.rapid7.com/webcast-managed-vulnerability-pentesting-registration.html?LS=1231847.
Pricing and Availability
Metasploit 4.4 is available immediately from www.rapid7.com. The new features are exclusive to the Metasploit Pro edition. For information on pricing, please contact [email protected]. For a free trial, please visit http://www.rapid7.com/downloads/metasploit.jsp.
Rapid7 will be providing demonstrations at booth 518 at Black Hat in Las Vegas later this week.
Rapid7 is the leading provider of security risk intelligence. Its integrated vulnerability management and penetration testing products, Nexpose and Metasploit, empower organizations to obtain accurate, actionable and contextual intelligence into their threat and risk posture. Rapid7's solutions are used by more than 2,000 enterprises and government agencies in more than 65 countries, while the Company's free products are downloaded more than one million times per year and enhanced by the more than 175,000 members of its open source security community. Rapid7 has been recognized as one of the fastest growing security companies by Inc. Magazine and as a “Top Place to Work” by the Boston Globe. Its products are top rated by Gartner®, Forrester® and SC Magazine. The Company is backed by Bain Capital Ventures and Technology Crossover Ventures. For more information about Rapid7, please visit http://www.rapid7.com.