Rapid7 and Thycotic Integration at Ventas

Page 1:

Rapid7 and Thycotic Integration at Ventas

Bryan Krausen, Senior Systems Administrator, Ventas, Inc.

Nathan Wenzler, Senior Technology Evangelist, Thycotic

Secured Authenticated Scanning

Page 2:

Who is Ventas?

Ventas (NYSE: VTR) is a leading healthcare Real Estate Investment Trust (REIT) with a portfolio of more than 1,600 assets in the US, Canada, and United Kingdom.

• Bryan Krausen - Sr. Systems Administrator responsible for managing and maintaining infrastructure including VMware, storage, servers, security, and more.

• Ventas currently utilizes Rapid7 Nexpose for vulnerability scanning of everything from infrastructure and servers to end-user clients.

• Ventas uses Thycotic Secret Server for privileged account management and password rotation for both servers and clients.

Page 3:

Who is Thycotic?

3,000 customers around the world, from Fortune 5 to mid-market to small IT departments.

• 20% of Forbes 50

• 10% of Forbes Global 2000

• 4 of top 5 in Software**

Headquarters in Washington, DC. Offices in London and Sydney.

Rated top in class for customer satisfaction*.

Awards: Honoree, 2013 and 2014; Finalist, Security and Compliance; Finalist, Best Customer Service

*Forrester Research independent survey.

**Based on Forbes Global 2000 Classification.

Page 4:

Thycotic Product slide

Page 5:

Vulnerability Analysis

• Find weaknesses in target systems before an attacker does, and (hopefully) remediate them

• Need as much visibility as possible!

• Non-Authenticated scan vs. Authenticated scan

Page 6:

Unauthenticated Scanning finds only basic issues

• Operating systems and versions

• Open network ports

• Services listening on open ports

• Data leaked by services (banner grabbing, etc.)

Page 7:

Why Authenticated Scanning?

More detections

• Some items can’t be discovered without authenticating to the target

More accuracy

• Reduce false positives

• Obtain more detailed information about remotely-discovered vulnerabilities

Better Reporting and Analysis

• More complete patch requirements

• Increased trend analysis for overall security posture

• Complete visibility into the state of the target system

Page 8:

Privileged Account Management in a Nutshell

A password vault is NOT a true PAM solution

• Privileged accounts = shared, non-personal accounts (root, local Administrator, Domain Admin, etc.)

• Control, Audit and Monitor

• Rotate passwords on a regular basis, so a leaked credential has a short useful life

• Limit who can access the credentials, reducing exposure of these passwords

• Automate processes to reduce staff overhead

Page 9:

PAM Components (grouped on the slide under Control, Auditing and Monitoring)

- Password Rotation

- Account Discovery

- Access Control to Credentials and Target

- Action Logging

- Who Accessed the Account?

- Check In/Out

- Session Recording

- Event Notifications

- Heartbeat Check of Credentials

Page 10:

Putting it into Perspective

Ventas Implementation

• Origin of Vulnerability Analysis program

• Origin of Secret Server need and implementation

• What was security program like at first before either product?

• Timeframes for implementation

• What obstacles were found?

Page 11:

Nexpose and Secret Server Integration

• Integration comes in the form of a Ruby gem and can be easily scheduled

• Prerequisites:

  • Credentials configured within Thycotic Secret Server, with access granted to the Rapid7 service account

  • Credentials configured within Rapid7 Nexpose

  • SiteIDs for the Nexpose sites to be managed

Page 12:

Nexpose and Secret Server Integration - Configuration (part 1)

• Within a Ruby environment, install the nexpose_Thycotic-0.0.4.gem obtained from Rapid7 (or Google)

• Set the required environment variables:

  • Thycotic URL - https://hostname/SecretServer/webservices/SSWebservice.asmx?wsdl

  • Rapid7 URL - the Nexpose console hostname only, with no https:// prefix; it must match the name on the console's TLS certificate or the connection will fail

  • Thycotic Secret Server - username and password

  • Rapid7 Nexpose - username and password

Page 13:

Nexpose and Secret Server Integration - Configuration (part 2)

• Modify the nx_Thycotic.rb file to include the SiteIDs you wish to change, e.g. sites = [5,9,18,23]

• Set the environment variables, then run the script

• Example (Windows command prompt; the hostnames, usernames and passwords are placeholders):

    setx THYCOTIC_URL "https://passwords.company.com/SecretServer/webservices/SSWebservice.asmx?wsdl"
    setx THYCOTIC_USER Thycotic_user
    setx THYCOTIC_PASS P@ssw0rd1
    setx NEXPOSE_URL rapid7.company.com
    setx NEXPOSE_USER Rapid7_user
    setx NEXPOSE_PASS P@ssw0rd1
    ruby nx_Thycotic.rb

Two caveats when scripting this: setx writes the variables to the user's persistent environment (the registry) and they only become visible to shells opened afterwards, so either run the script from a new prompt or use set for the current session. Persisting the Secret Server and Nexpose passwords that way also leaves them readable by anything running as that user, so prefer setting them only in the process that runs the script, and treat the two service accounts like any other privileged credential (rotate them, and scope the Secret Server account to just the secrets the scanner needs).
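The procedure on slides 11 to 13 boils down to: validate the six environment variables, fetch the scan account from Secret Server, and push it as a credential onto each listed Nexpose site. The following is an added example, not the nexpose_thycotic gem's code and not the script from the talk. It implements the two parts that can be exercised offline: checking the environment for the mistakes the slides warn about (a scheme on the Nexpose hostname, a Thycotic URL that is not the WSDL endpoint) and turning a Secret Server GetSecret SOAP response into per-site credential records. The SOAP document is constructed by hand; its layout (FieldName/Value pairs under Secret/Items/SecretItem, an Errors list of strings) is an assumption about the SSWebservice response, and the credential hash and the :cifs service name are this example's own conventions rather than the gem's API.

```ruby
require 'rexml/document'
require 'uri'

# The six variables slide 13 sets with setx.
REQUIRED_VARS = %w[THYCOTIC_URL THYCOTIC_USER THYCOTIC_PASS
                   NEXPOSE_URL NEXPOSE_USER NEXPOSE_PASS].freeze

# Returns a list of problems; an empty list means the script may proceed.
def validate_env(env)
  problems = REQUIRED_VARS.select { |v| env[v].to_s.strip.empty? }
                          .map { |v| "#{v} is not set" }

  url = env['THYCOTIC_URL'].to_s
  unless url.empty?
    parsed = (URI.parse(url) rescue nil)
    unless parsed.is_a?(URI::HTTPS) && parsed.query == 'wsdl'
      problems << 'THYCOTIC_URL must be the https URL of SSWebservice.asmx?wsdl'
    end
  end

  # Slide 12: the Nexpose value is a bare hostname that must match the
  # console's TLS certificate, not a URL with a scheme or path.
  host = env['NEXPOSE_URL'].to_s
  if host.include?('://') || host.include?('/')
    problems << 'NEXPOSE_URL must be a hostname, not a URL'
  end
  problems
end

# Depth-first search by local element name, so it works whether or not the
# SOAP body declares a default xmlns.
def elements_named(el, name, found = [])
  el.each_element do |child|
    found << child if child.name == name
    elements_named(child, name, found)
  end
  found
end

def child_text(el, name)
  e = elements_named(el, name).first
  e && e.text.to_s.strip
end

# Map a GetSecret response to { field name => value }; raise on the Errors
# list Secret Server returns for a denied or missing secret.
def secret_fields(soap_xml)
  doc = REXML::Document.new(soap_xml)
  errors = elements_named(doc.root, 'Errors')
           .flat_map { |e| elements_named(e, 'string') }
           .map { |s| s.text.to_s }
  raise "Secret Server returned an error: #{errors.join('; ')}" unless errors.empty?

  elements_named(doc.root, 'SecretItem').each_with_object({}) do |item, fields|
    fields[child_text(item, 'FieldName')] = child_text(item, 'Value')
  end
end

# One credential record per site: the unit the integration pushes to Nexpose.
def site_credential(site_id, fields, service)
  %w[Username Password].each do |f|
    raise "secret is missing the #{f} field" if fields[f].to_s.empty?
  end
  cred = { site_id: site_id, service: service,
           username: fields['Username'], password: fields['Password'] }
  cred[:domain] = fields['Domain'] unless fields['Domain'].to_s.empty?
  cred
end

def credentials_for_sites(site_ids, fields, service = :cifs)
  site_ids.map { |id| site_credential(id, fields, service) }
end

# Constructed sample response (assumed layout) for a secret holding the
# Windows account Nexpose authenticates with.
SAMPLE_GET_SECRET = <<~XML
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
      <GetSecretResponse xmlns="urn:thesecretserver.com">
        <GetSecretResult>
          <Errors />
          <Secret>
            <Name>Rapid7 Scan Account</Name>
            <Items>
              <SecretItem><FieldName>Domain</FieldName><Value>CORP</Value></SecretItem>
              <SecretItem><FieldName>Username</FieldName><Value>svc-nexpose</Value></SecretItem>
              <SecretItem><FieldName>Password</FieldName><IsPassword>true</IsPassword><Value>example-only</Value></SecretItem>
            </Items>
          </Secret>
        </GetSecretResult>
      </GetSecretResponse>
    </soap:Body>
  </soap:Envelope>
XML

if $PROGRAM_NAME == __FILE__
  fields = secret_fields(SAMPLE_GET_SECRET)
  credentials_for_sites([5, 9, 18, 23], fields).each do |c|
    puts "site #{c[:site_id]}: #{c[:service]} #{c[:domain]}\\#{c[:username]} (password withheld)"
  end
end
```

In a live script the sample document would be replaced by the body of a GetSecret call made with THYCOTIC_USER/THYCOTIC_PASS, and each record from credentials_for_sites would be saved onto its site through the Nexpose API; checking the Errors list first matters because a denied secret otherwise surfaces as an empty credential that silently downgrades every listed site to an unauthenticated scan, which is exactly the 3-versus-158 gap the next slides show.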

Page 14:

Vulnerability Data before Authentication

A total of 3 vulnerabilities found on a target host.

Page 15:

Vulnerability Data after Authentication

158 total vulnerabilities found (118 Critical) on the same target host

Page 16:

Comparing the Data

Non-Authenticated Scan Results

• 3 total vulnerabilities found

• No critical vulnerabilities found

• No application vulnerabilities detected

Authenticated Scan Results

• 158 total vulnerabilities found

• 118 critical vulnerabilities found

• Application vulnerabilities and missing patches detected

Page 17:

Results at Ventas

• Better overall visibility across environments

• Reduced risk from exposure of privileged credentials

• Huge reduction in total vulnerabilities

• Improved security audit results

• Foiled external pen tester’s attempts to gain Domain Admin creds for the first time in 5 years

Page 18:

Resource Documents

• Bryan's post for the integration how-to: http://www.itdiversified.com/configuring-integration-between-thycotic-secret-server-and-rapid7-nexpose/

• Contact Rapid7 Support for Nexpose Configuration and Integration Guide

Page 19:

Questions?