Transcript of HicSalta Security Day

Page 1

HicSalta Security Day

Federico Vailati - Regional Account Executive

Don Vogel – Senior Security Architect

©Rapid7, LLC 2014 All Material is Privileged & Confidential

Page 2

Rapid7 at a Glance

(Panel titles from the slide: Solutions, Investors, Key Facts, Industry Recognition; panel contents were not captured in the transcript)

Key Facts:
• HQ: Boston, MA; 300+ employees
• $59M in funding
• 90+% CAGR from 2004 to 2011
• 2,000+ customers in 65 countries

Page 3

Rapid7 Timeline

2000 – Founded by Alan Matthews, Tas Giakouminakis & Chad Loder
2004 – Nexpose Commercial Release
2008 – Bain Capital Ventures invests in Rapid7
2009 – Acquired the Metasploit Project
2010 – Metasploit Express and Metasploit Pro Commercial Releases
2011 – First Annual UNITED Security Summit (hosted by Rapid7)
2011 – Technology Crossover Ventures invests $50 million in Rapid7
2012 – Acquired Mobilisafe
2013 – Founded Rapid7 Labs
2013 – Announcement of new products: ControlsInsight & UserInsight

Page 4

Community Driven

Support for the Metasploit Open Source Community
• Metasploit Community – over 200,000 active users & contributors

Magnificent7 – Fund supporting open source projects
• John the Ripper (password cracker) & Cuckoo Sandbox (malware analysis)

Thought Leadership – UNITED Security Summit
• 3-day conference where attendees gain actionable, pragmatic advice from security practitioners and researchers to help them maximize their security investment

Page 5

Design Partner – Build with our Customers

YOU are using our products every day. Constant customer dialog is a central part of our design/development process.

Validation
• Problem, solution
• Continuous learning
• Course correction

Page 6

Products & Solutions

Page 7

Rapid7 Product Portfolio

• Vulnerability Management
• Security Configuration Assessment
• Web Application Security
• Virtualization Security
• PCI Compliance Management
• Mobile Vulnerability Management
• Vulnerability Verification
• Penetration Testing
• Reduce Phishing Exposure
• Password Auditing
• Test Security Controls
• Endpoint Control Monitoring
• User Activity Monitoring

Page 8

Core Competencies: Nexpose Differentiators

Unified Platform – complete assessment of the entire physical and virtual IT infrastructure, including IPv4 and IPv6 networks, OS, web apps, DB and security configurations

Expert System – JESS engine; increased accuracy with vulnerability chaining/hacker emulation; false positive reduction

Advanced Risk Scoring – Exploit & Malware Exposure; vulnerability filtering/exceptions

Superior Remediation – actionable, detailed instructions; estimated completion times

Customizable Reporting – granular filtering and prioritization capabilities; role-based, pre-defined templates, fully customizable; variety of export formats and delivery options

(Unified Platform diagram: Vulnerability Management, Security Configuration Assessment, Web Application Security, Virtualization Security, PCI Compliance Management)

Page 9

Nexpose: Configuration Assessment & Web App Security

Security Configuration Assessment
• Benchmark internal policies against industry standards such as USGCB, FDCC, SCAP, CIS
• Modify policies with Nexpose Policy Editor
• Report on policy violations; measure and document compliance
• Superior remediation
• Gain credibility with stakeholders by delivering reports that are relevant, concise and actionable

Web Application Security – Differentiators:
• Unified Platform, Single Scan, Single Reporting Engine
• Identify and remediate vulnerabilities in all OWASP Top 10 categories, including cross-site scripting, SQL injection, and client-side vulnerabilities found in Flash and Flex applications
• With Metasploit – validate & exploit web vulnerabilities to demonstrate risk to the applications' administrators or as part of a penetration test

Page 10

Nexpose: Virtualization Security

Differentiators:
• Only VA solution validated by VMware and part of virtualization security architecture
• Patent-pending vScan technology: continuous discovery of virtual machines in their dynamic environments
• Dynamic Asset Groups
• Integration with vShield

"In 2014, 75% of all servers will be virtualized" – Forrester, 2012

Page 11

Nexpose: PCI Compliance Management

• Rapid7 is an Approved Scanning Vendor (ASV)
• Partners can resell the PCI ASV Subscription Service
• In-house subject matter experts:
  • Didier Godart, original co-author of the PCI DSS, is our Risk Product Manager
  • Payment Card Industry Professional (PCIP)™
• Automate PCI compliance testing, audits and reports

Page 12

Nexpose Differentiator: JESS, the Expert System

Differentiators:
• Artificial intelligence engine built for NASA by Sandia National Laboratories – JESS, the Java Expert System Shell
• Hacker emulation and vulnerability chaining
• False positive reporting <1%
• 106,000+ checks for 39,000+ vulnerabilities

Page 13

Nexpose Differentiator: Exploit & Malware Exposure; RealRisk

Page 14

Nexpose Differentiator: Superior Remediation

Differentiator: Actionable & Customizable Reporting
• Prioritized Remediation
• Step-by-Step Instructions
• Estimated Completion Times
• Issues Addressed by Each Patch
• Systems Affected
• Direct Links to the Patches on the Manufacturers' websites

Page 15

NeXpose Partner Ecosystem

(Partner categories shown on the slide: SIEM & Log, GRC, IPS & NGFW, Risk Management, Virtualization, Ticketing, NSX)

Page 16

Core Competencies: Metasploit Differentiators

HD Moore – Creator of Metasploit & Chief Research Officer, Rapid7

• #1 most used penetration testing solution in the world
• Largest public database of quality-assured exploits
• Community Driven – 200,000+ users and contributors; QA for all community-generated exploits

(Use cases shown: Vulnerability Validation, Penetration Testing, Managing Phishing Exposure, Password Auditing, Test Security Controls)

Positioning – "not just a hacker tool"

"Crash Test" for Security Controls
• Ensure business continuity
• Compliance testing
• Reputation

Page 17

Metasploit: Vulnerability Validation

(Diagram labels: Penetration Testing & Threat Validation; Vulnerability Management & Configuration Assessment; Risk Assessment; Risk Validation)

Page 18

Metasploit: Manage Internal Security & Phishing Exposure

Understand where your organization is vulnerable:
• Launch phishing campaigns to test the security awareness of your organization
• Track how many open the email, click on the link, submit a web form, etc.
• Perform a password audit to identify weak passwords beyond just Windows logins
• Uncover the root cause, for example bad process (using default passwords) or lack of training, and fix the problem.

Page 19

Mobilisafe: Mobile Vulnerability Management

The "Bring-Your-Own-Device/BYOD" Challenge:
• Device Diversity – hardware manufacturers, operating systems, carriers
• Employee owned and managed
• Employee reluctance to give employer access to or control over personal property
• Mobile software updates require coordination between handset manufacturers, OS vendors and carriers and can take months to deploy

Page 20

Mobilisafe: Mobile Vulnerability Management

Visibility
• Discover users and their devices
• Discover applications via AppSentinel

Management
• Easy to deploy; no agents on devices
• Monitor, assess and automatically identify the vulnerability risk of each device

Action
• Mitigate risks with a policy framework that makes it easy to update mobile devices, eliminate their vulnerabilities, and control access to corporate resources

Page 21

ControlsInsight: Endpoint Controls Monitoring

• Assess to see if…
  • Anti-virus is optimized
  • Browsers, high-risk applications and operating systems are up to date
  • Passwords and browsers are hardened
  • Code execution prevention is deployed
  • User Account Control (UAC) is enabled
  • USB access is blocked
  • Windows firewall is enabled
  • Email client attachment filtering is enabled
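To make concrete what "assessing" several of these controls means on a single Windows host, here is a read-only audit script added to this transcript as an example. It is not ControlsInsight code and does not reproduce how that product evaluates anything; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11 or Server 2016+ with the Defender and NetSecurity modules available. Each check maps one slide item to the specific registry value, WMI property or cmdlet result that a defender would inspect, and the function names are this example's own.

```powershell
# Added example (not ControlsInsight code): a read-only endpoint-control audit
# for one Windows host. Assumes an elevated session with the Defender and
# NetSecurity modules present. Nothing on the host is modified.

function Test-UacEnabled {
    # User Account Control is governed by the EnableLUA policy value (1 = on).
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                          -Name EnableLUA -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableLUA -eq 1)
}

function Test-FirewallEnabled {
    # Windows Firewall counts as "enabled" only if every profile
    # (Domain, Private, Public) is switched on.
    $profiles = Get-NetFirewallProfile -ErrorAction Stop
    return -not ($profiles | Where-Object { -not $_.Enabled })
}

function Test-DepEnabled {
    # Code execution prevention: DataExecutionPrevention_SupportPolicy is
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
    # Anything other than 0 means DEP is active for at least system binaries.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ($os.DataExecutionPrevention_SupportPolicy -ne 0)
}

function Test-UsbStorageBlocked {
    # Start = 4 disables the USBSTOR driver, which blocks removable USB storage.
    $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                          -Name Start -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Start -eq 4)
}

function Test-AntivirusCurrent {
    # Microsoft Defender: engine on, real-time protection on, and signatures
    # updated within the last 7 days (a constructed threshold for this example).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($null -eq $mp) { return $false }
    $fresh = ($mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-7))
    return ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $fresh)
}

function Get-EndpointControlReport {
    # Run each check and report a control/compliant pair; a check that throws
    # (module missing, access denied) is reported as non-compliant rather than
    # aborting the whole audit.
    $checks = [ordered]@{
        'User Account Control enabled'            = { Test-UacEnabled }
        'Windows Firewall enabled (all profiles)' = { Test-FirewallEnabled }
        'Code execution prevention (DEP) active'  = { Test-DepEnabled }
        'USB storage blocked'                     = { Test-UsbStorageBlocked }
        'Anti-virus on and signatures fresh'      = { Test-AntivirusCurrent }
    }
    foreach ($name in $checks.Keys) {
        $ok = try { & $checks[$name] } catch { $false }
        [pscustomobject]@{ Control = $name; Compliant = [bool]$ok }
    }
}

Get-EndpointControlReport | Format-Table -AutoSize
```

The point of the script is the mapping, not the output table: a control such as "USB access is blocked" is only meaningful once it is tied to a concrete, checkable setting, and the items on the slide that have no single setting behind them (browser hardening, "optimized" anti-virus) need a policy definition before they can be audited at all.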

Page 22

Competitive Landscape

Page 23

Nexpose: Recognized Market Leader

Source: Gartner, Market Scope for Vulnerability Assessment, September 9, 2013

Rating scale (columns): Strong Negative | Caution | Promising | Positive | Strong Positive

Vendors rated: Beyond Security, BeyondTrust, CriticalWatch, Digital Defense, McAfee, QualysGuard, Rapid7, SAINT, Tenable, Tripwire/nCircle, Trustwave (each vendor's column marker did not survive extraction)

Strengths:
• Flexible Deployment
• Technical Support
• Metasploit integration
• Nexpose API for integration with complementary security programs

Page 24

SC Magazine Awards – Best Vulnerability Management Solution: 5-star rating / winner 2012 / 2013 / 2014

Strengths:
• Unified Platform
• Comprehensive scan
• "Excellent" Vuln. Validation
• Exploit & Malware Exposure
• Clear remediation reports rich with detail, allowing users to fully comprehend the tasks and time to remediate the vulnerability
• "Intuitive GUI"

Page 25

HackMiami Web Application Scanner 2013 PwnOff

Strengths:
• Ease of Use: lightweight UI, did not lag or take up a lot of memory
• Vulnerability Detection: comprehensive knowledgebase & a great engine for detecting vulnerabilities
• Comprehensive Reporting
• Metasploit Integration

"Having tools like Nexpose integrated with Metasploit Pro allows the vulnerability analyst the ability to streamline tasks and perform more assessments in a shorter amount of time."