InsightVM_Slide_Deck
Administrator view of the vulnerability management cycle (diagram): Discover, Assess, Prioritize, Remediate, Verify and Report, centered on your Assets.
Vulnerability Management
• Consolidated reporting
• Dashboards
Understand Business Context
• Automatic classification
• Identify important systems and assign remediation owners
InsightVM Architecture
OBJECTIVES:
• Understand the components that make up the InsightVM
architecture
InsightVM Components
InsightVM Architecture - Distributed (Internal)
Diagram: distributed Scan Engines communicate with the Security Console on TCP 40814; the console reaches the Insight platform at https://*.insight.rapid7.com:443.
Navigating the UI
Objectives:
• Understand components of the InsightVM console user
interface
Accessing the Console
• https://[Console_IP]:3780
• Supported Browsers:
• Chrome
• Firefox/Firefox ESR
• IE 11/Microsoft Edge
• Others work, but are not supported (e.g. Safari, IceWeasel)
• Login with the credential defined during the console installation
Top Menu Items
Screenshot callouts: Scan, Edit or Delete Site; Create a Site; Current Scan Statistics; Create Asset Group.
Navigating User Interface
Demo
The Scan Process
Objectives:
• Understand the Scanning Process
• The Importance of the Scan Template
Scan Process Overview
Discovery → Port Scan → Service Fingerprinting → OS Fingerprinting → Unconfirmed Vulnerability Checks → Confirmed Vulnerability Checks → Policy Checks
NSC > NSE: Go and find all ‘alive’ devices
Using ICMP Ping, ARP Ping, TCP and/or UDP Port Scanning
NSC > NSE: What Services are running on the open ports?
• Service Fingerprinting
• InsightVM tries to determine which services/processes are running on the open ports detected in the previous step.
• Methods:
• Banner-grabbing
• IP Stack Analysis
• Service fingerprinting for custom configuration
• Map custom port to service name
• default-services.properties
NSC > NSE:
What OS are we dealing with?
• OS Fingerprinting: using the information collected in the previous scan stages, the scan attempts to guess which operating system is running on the asset.
• Recog is a framework for identifying products, services, operating systems, and
hardware
• Matching fingerprints against data returned from various network probes
• Consists of both XML fingerprint files and an assortment of code, mostly in Ruby, that
makes it easy to develop, test, and use the contained fingerprints.
• A score indicating how certain the scan is about its guess is kept and the
highest ranked guess is used for other stages of the scan.
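To illustrate the fingerprint matching and certainty ranking described above, here is an added Ruby example (not Recog's own code, nor Rapid7's): it loads a small fingerprint file written in Recog's XML layout, matches an SSH banner against every pattern, and carries the highest-certainty guess forward. The fingerprint file, the banners and the certainty values are all constructed for this example.

```ruby
require 'rexml/document'

# Constructed fingerprint file in Recog's XML layout (not Rapid7's real database).
# Each <fingerprint> carries a regex, a certainty, and <param> tags naming its
# capture groups; pos="0" params are fixed values attached to every match.
FINGERPRINTS_XML = <<~'XML'
  <fingerprints matches="ssh.banner">
    <fingerprint pattern="^OpenSSH_([\d.]+)p\d+ Ubuntu-(\S+)$" certainty="0.95">
      <description>OpenSSH on Ubuntu</description>
      <param pos="0" name="os.vendor" value="Ubuntu"/>
      <param pos="0" name="os.product" value="Linux"/>
      <param pos="1" name="service.version"/>
    </fingerprint>
    <fingerprint pattern="^OpenSSH_([\d.]+)" certainty="0.50">
      <description>Generic OpenSSH</description>
      <param pos="0" name="service.product" value="OpenSSH"/>
      <param pos="1" name="service.version"/>
    </fingerprint>
  </fingerprints>
XML

Fingerprint = Struct.new(:regex, :certainty, :description, :params)

# Parse the XML into compiled regexes plus their parameter descriptors.
def load_fingerprints(xml)
  REXML::Document.new(xml).root.elements.to_a('fingerprint').map do |fp|
    params = fp.elements.to_a('param').map do |p|
      [p.attributes['pos'].to_i, p.attributes['name'], p.attributes['value']]
    end
    Fingerprint.new(Regexp.new(fp.attributes['pattern']),
                    fp.attributes['certainty'].to_f,
                    fp.elements['description'].text, params)
  end
end

# Every fingerprint that matches the banner, with the attributes it extracts.
def match_banner(fingerprints, banner)
  fingerprints.filter_map do |fp|
    m = fp.regex.match(banner) or next
    attrs = fp.params.to_h { |pos, name, value| [name, pos.zero? ? value : m[pos]] }
    { description: fp.description, certainty: fp.certainty, attrs: attrs }
  end
end

# Like the scan: record all guesses, but carry the highest-certainty one forward.
def best_guess(fingerprints, banner)
  match_banner(fingerprints, banner).max_by { |r| r[:certainty] }
end
```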
NSC > NSE:
What OS are we dealing with?
• OS Fingerprinting
• Credentialed vs. Non-credentialed scans.
• Only scans using administrator/root will provide a Certainty of 1.
• Credentials with less than administrator/root privileges may show a Certainty of 0.85
• Credentialed scans are necessary for policy scans, client-side and some system-configuration-related vulnerability detection.
• Unconfirmed Vulnerability Checks
• Primarily include checks based on patch and version information. These checks determine that a version of software is known to have an issue but do not confirm that the specific issue exists. For example, a version of software may ship with a default password; the check would determine that that version of software is present and may have default credentials, even if the credentials have already been changed.
InsightVM includes a variety of preconfigured scan templates to help you assess your
vulnerabilities according to the best practices for a given need.
Demo & Lab 1:
Creating Custom Templates
Organizing Your Data
Objectives:
• Understand the role of sites and developing a site strategy
• Learn to leverage asset groups for analysis and reporting
• Learn to leverage asset tags for providing context
InsightVM Containers
• Sites
• IPs/Groups to be Scanned, Schedules, Engines, Scan Templates
• Dynamic and Static
• Asset Groups
• Commonality
• Reporting
• Analysis
• RealContext (Asset Tags)
• Adds business context
Site Overview
Site components (diagram): Scan Templates, Scan Engine, Scan Schedule (Optional), Scan Alerts (Optional)
Dynamic:
• Subject to change
• Automatically clean/update
• “Real time” perspective
Static:
• Constant data set
• Comparative reporting
• “Frozen time” perspective
Group Strategy
• Asset Function
• Desktops
• Mobile
• Servers
• Printers
• Database
• Web
• Platform/Product
• Windows
• Linux
• Networking Devices
Demo & Lab 3:
Create Asset Groups
RealContext (aka Asset Tagging)
• Allows you to provide business context around your assets by applying tags
• Built-in Tags
• Criticality
• Location
• Owner
• Custom Tags
• Examples: PCI, DMZ, SOC, XYZ Network, DEV, XYZ Application, etc.
RealContext - Adjust Risk By Criticality
• Apply risk multipliers to assets
• Adjust configurable risk score multiplier based on criticality
• Disabled by default
RealContext Best Practices
• No more waiting for scans to run
https://insightvm.help.rapid7.com/docs/automating-security-actions-in-changing-environments
Automated Actions
• Automated actions can be turned on/off
• You can have as many automated actions as necessary
• Best Practice: avoid conflicts (adding an asset to two sites, for example)
New Vulnerability Released
• Make instant decisions to scan based on new vulnerabilities that have been released.
• Only scans for the vulnerabilities that meet the threshold.
• Can set the threshold by Risk or CVSS Score
New Asset Discovered
• Allows you to make decisions on scanning assets when they are first discovered
• Filter based on asset criteria
• Actions include:
• Add to a Site
• Add to a Site and Scan Immediately
Known Asset Discovered
• You can make instant decisions for assets that are known to exist
• Filter based on asset criteria
• Actions include:
• Tag the Asset
• Add the Asset to another Site
MEM.LOG: Problems with memory. mem.log shows scanning and reporting memory usage.
NSC.LOG: System and application level event tracking, scheduling of operations, or tracking any Maintenance Mode activity.
NSE.LOG: Troubleshoot specific checks. If a check produces an unexpected result, you can look here to determine how the scan target was fingerprinted.
• Patching and updating the operating system on which the security console
is installed is your responsibility.
Lab 7: Troubleshooting
Challenge
• Highly Scalable Scan Engines
• Backup Console
• Flexible Engine Deployment
• Standards-based Open API and Pre-Built Connector API
System Requirements
Sizing depends on: Scan Frequency, Report Retention, Total # of IPs Scanned, Deployment Architecture, Network Architecture.
Hardware Requirements
Scan Perspective - Internal
Diagram of “Your Network”: Headquarters (2000 Assets, NSC / NSE), DMZ (50 Assets, NSE), Satellite Office (internal, 1000 Assets, NSE reached over VPN), Remote Sales Office (250 Assets, NSE reached over a WAN link).
Scan Perspective - External
• Scan traffic originates from an NSE located outside your perimeter firewall
• Targets devices located on the company extranet
• Provides the ‘outside looking in’ perspective
• True attacker perspective of your network
• Rapid7 offers these ‘Hosted Services’ and SONAR
Scan Perspective - External
Diagram: a hosted NSE in the Rapid7 Datacenter scans the DMZ (50 Assets) from outside, seeing only open ports, and communicates with the NSC / NSE at Headquarters (2000 Assets) over TCP 40814.
Scan Perspective - Hybrid
• Scans utilize multiple strategically located NSEs
• Engines can be located internally and/or externally
• Use Cases for a Distributed Scanning Strategy
• Large number of target IP addresses
• Highly segmented network
• Bandwidth restrictions
Scan Perspective - Hybrid
Diagram: NSEs in the Rapid7 Datacenter and in the DMZ (50 Assets), the NSC / NSE at Headquarters (2000 Assets), and an NSE at the Remote Sales Office (250 Assets) connected over a WAN link.
Scan Engine vs. Insight Agent
A scan engine is an application used with the Security Console that discovers network assets, collects their data, and scans them for vulnerabilities and policy compliance.
'Scanning' a Sonar site *does not* perform an assessment of those assets, it simply retrieves archived scan data from Sonar.
Installing InsightVM
Objectives:
• Install InsightVM on a Windows/Linux Server
Windows Installation
• Latest Installer
• https://kb.help.rapid7.com/docs/insightvm-and-nexpose-installers-md5sum-files-and-virtual-appliances
• Console + Scan Engine or Scan Engine Only
• Services
• Nexpose Security Console - Automatic
• Download the appropriate md5sum file to ensure that the
installer was not corrupted during download.
Linux Installation
• Latest Installer
• https://kb.help.rapid7.com/docs/insightvm-and-nexpose-installers-md5sum-files-and-virtual-appliances
• chmod +x Rapid7Setup-Linux64.bin
• Console + Scan Engine or Scan Engine Only
• Text-based Installer
• ./Rapid7Setup-Linux64.bin
• Disable SELinux
• Download the appropriate md5sum file to ensure that the installer was
not corrupted during download.
Installation Process
• Default Install Directory
• C:\Program Files\rapid7\nexpose
• /opt/rapid7/nexpose
• Verify you meet the minimum
requirements
• Default PostgreSQL Listener Port: 5432
• Company Info
• This information is used to create SSL certificates and is included in requests to technical support
• Create an initial Admin user with strong
password
Manage Scan Engines
Objectives:
• Learn How To Create A Scan Engine
• Learn How To Manually Pair An Engine
• Learn About Engine Pooling
Scan Engine Quantity
• Not an exact science…
• How many assets do you want to scan?
• How fast do you want to scan them?
• How many resources are you allocating to your engines?
Scan Engine Placement
• For the most efficient performance and comprehensive scan results, scan engines
should:
• Be located as close as possible to the assets being scanned
• Be placed inside demilitarized zones, secure network environments
• Be distributed to geographical regions/locations, depending on the number of assets to be scanned
and bandwidth between the engine and the target assets
• Be placed behind, or at the very least whitelisted through, firewalls and other security controls
Scan Engine Performance
• Scan times vary
• Non-credentialed scans on a single asset can take an average of 5 minutes,
depending on the device type, with no web spidering.
• Credentialed scans on a single asset can take an average of 7-10 minutes,
depending on device type, with no web spidering.
• Web spider Non-credentialed scans on a single asset can be around 15 minutes.
• Web spider credentialed scans on a single asset can be around 20 minutes.
Adjust simultaneous assets per engine count in scan template to fully utilize scan engine.
Scan Engine Management
Engines page (screenshot callouts): Force Update the Engine; Engines' Current Status; Currently Running Version; Refresh the Status.
Pairing a Distributed Scan Engine
• Console to engine configuration communicates on port 40814
• Engine to console configuration communicates on port 40815
• Two-step pairing process:
• Generate key in Console
Exception Scope
Demo & Lab 10:
Create an Exception
Vulnerability and Risk Scoring
Objectives:
• Understand the importance of risk scoring
• Understand the common vulnerability scoring system (CVSS)
• Learn the various risk scoring strategies
Vulnerability and Risk Scoring
The Need for Standardized Scoring
• Historically, vulnerability scoring had been done on a vendor-specific level
• Created to address the need for defining and quantifying detected vulnerabilities across enterprise platforms
• Without standardization, enterprise security applications could not share vulnerability information with one another
CVSS History
• CVSS v.1
• Research commissioned in 2003; DHS accepted in 2004
• Public launch at RSA in 2005; active until 2007
• CVSS v.2
• Public launch in June 2007; PCI mandated in July 2007
• CVSS v.3
• Released in late 2015
CVSSv2 Base Metrics
• Exploitability Metrics: Access Vector, Access Complexity, Authentication
• Impact Metrics: Confidentiality, Integrity, Availability
• Notes:
• Scored relative to overall impact
• No awareness of cases in which a flaw in one app impacts other apps
• Access Vector may be unable to rate local system access with physical hardware attacks
• Authentication scores biased towards None/Single
Vector format: AV:[L,A,N]/AC:[H,M,L]/Au:[M,S,N]/C:[N,P,C]/I:[N,P,C]/A:[N,P,C]
Impact = 10.41 * (1 - (1 - Confidentiality) * (1 - Integrity) * (1 - Availability))
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
BaseScore = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact)
CVSS Base Scoring - Exploitability
AV:N/AC:L/Au:N/C:N/I:N/A:C
Exploitability = 20 * AccessVector * AccessComplexity * Authentication
Exploitability = 10.0
CVSS Base Scoring - Impact
AV:N/AC:L/Au:N/C:N/I:N/A:C
Impact = 10.41 * (1 - (1 - 0.0 (None)) * (1 - 0.0 (None)) * (1 - 0.66 (Complete)))
Impact = 6.9
CVSS Base Scoring – f(Impact)
f(Impact) = 1.176
CVSS Calculating Base Score
BaseScore = 7.8
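The base-score equations above carried through in Ruby, as an added example that is not from the slides or from Rapid7: it parses a CVSSv2 vector, computes Impact, Exploitability and f(Impact), and rounds to one decimal as the standard does. The metric weights are the published CVSSv2 constants, which the slide does not list; the Heartbleed vector used in the check (AV:N/AC:L/Au:N/C:P/I:N/A:N, base score 5.0) is NVD's published value for CVE-2014-0160, not taken from the slide.

```ruby
# Published CVSSv2 metric weights (not on the slide; from the CVSSv2 specification).
AV  = { 'L' => 0.395, 'A' => 0.646, 'N' => 1.0 }.freeze   # Access Vector
AC  = { 'H' => 0.35,  'M' => 0.61,  'L' => 0.71 }.freeze  # Access Complexity
AU  = { 'M' => 0.45,  'S' => 0.56,  'N' => 0.704 }.freeze # Authentication
CIA = { 'N' => 0.0,   'P' => 0.275, 'C' => 0.660 }.freeze # C / I / A impact

# Parse "AV:N/AC:L/Au:N/C:N/I:N/A:C" into a metric hash; a trailing "/" and
# stray spaces (as in the slide's vector) are tolerated, missing metrics are not.
def parse_vector(vector)
  pairs = vector.split('/').map(&:strip).reject(&:empty?)
  metrics = pairs.to_h { |pair| pair.split(':', 2) }
  missing = %w[AV AC Au C I A] - metrics.keys
  raise ArgumentError, "missing metrics: #{missing.join(', ')}" unless missing.empty?
  metrics
end

def impact(m)
  10.41 * (1 - (1 - CIA.fetch(m['C'])) * (1 - CIA.fetch(m['I'])) * (1 - CIA.fetch(m['A'])))
end

def exploitability(m)
  20 * AV.fetch(m['AV']) * AC.fetch(m['AC']) * AU.fetch(m['Au'])
end

# f(Impact) is 0 when C, I and A are all None, otherwise the constant 1.176.
def f_impact(imp)
  imp.zero? ? 0.0 : 1.176
end

# Base score rounded to one decimal place, as CVSSv2 specifies.
def base_score(vector)
  m = parse_vector(vector)
  imp = impact(m)
  return 0.0 if f_impact(imp).zero?
  (((0.6 * imp) + (0.4 * exploitability(m)) - 1.5) * f_impact(imp)).round(1)
end

# Intermediate values, useful when checking a hand calculation like the slide's.
def breakdown(vector)
  m = parse_vector(vector)
  { impact: impact(m).round(1), exploitability: exploitability(m).round(1),
    base_score: base_score(vector) }
end

if __FILE__ == $PROGRAM_NAME
  p breakdown('AV:N/AC:L/Au:N/C:N/I:N/A:C/')   # the slide's worked example
end
```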
OpenSSL “Heartbleed” Flaw (CVE-2014-0160)
CVSSv2 CVSSv3
https://www.rapid7.com/solutions/compliance/pci-dss/
Demo & Lab 11:
Risk Scoring
REPORTING
Objectives:
• Learn how to create report templates
• Learn about the various types of report formats
• Discover useful reports for building a sustainable program
Report Configuration
Diagram: Report Template; Report Scope; Report Schedule; Report Specific Configuration; Report Distribution and Access; InsightVM Report.
Report Formats
• InsightVM provides flexible, easy-to-use reporting
• Export in a variety of formats, e.g. XML – CyberScope, SCAP, XCCDF
Report Templates
• Customizable Templates
• Report Templates are made up of Report Sections
• You can edit the template and define which
sections to utilize
• You cannot edit the sections themselves – they
are static
• Static Templates
• Report structure/format cannot be modified
• SQL Query Export Template
• Query the reporting data model directly
Demo & Lab 12:
Create Reports
InsightVM Platform
Objectives:
• Understand the role of the Dashboard
• Learn the importance of cards and creating Remediation Workflows
Environmental Considerations
• Domains that need to be allowed to communicate with the InsightVM Security Console
(Port 443)
• data.insight.rapid7.com
• s3.amazonaws.com
• s3-external-1.amazonaws.com
• exposure-analytics.insight.rapid7.com
• Network requirements and expectations
• Network traffic between the Console and R7 Insight Platform will be similar to the traffic
between the Console and a Scan Engine.
Data Handling
If you opt to end your engagement with Rapid7, you may collect and transfer any data that is
possible to export. If you request that Rapid7 delete all your data, the request will be
processed within 14 days.
Monthly Executive Summary
The product training exam exists as a separate lesson within your Skilljar training environment.
After completing class, return to your Skilljar account and select the exam lesson for your class.
Results are displayed immediately upon completion.
Acclaim badges are issued weekly to the registered email address.
Partner program participants certify by taking the technical quiz from the partner portal. Your
program coordinator will notify us of successful completion for badge issue.
a. True
b. False
Practice Exam
a. Weighted risk
b. Real risk
c. Temporal risk
d. PCI ASV 2.0 Risk
Practice Exam
a. 32
b. 4
c. 16
d. 12
e. 8
Practice Exam
a. CSV Export
b. XML Export
c. Database Export
d. CyberScope XML Export
e. All of the above
Practice Exam
10. What URL would you use if trying to reach a remote InsightVM
install on another server?
a. http://servername/Console:3780
b. https://localhost:3780
c. https://serverIPaddress:3780
d. https://serverIPaddress:40814
Practice Exam
12. Specify the items to which you can apply custom tags: (Select all
that apply)
a. An individual asset
b. Asset groups
c. Sites
d. Reports
e. Scan templates
Practice Exam
13. Performing a filtered asset search is the first step in creating what
type of asset groups?
a. Full
b. Asset
c. Dynamic
d. Site
Practice Exam
a. Temporal Scores
b. CVSS Scores
c. Weighted Scores
d. SANS Vulnerability Scores
Additional Resources
• Rapid7 Academy
• https://academy.rapid7.com/
We want your feedback!!
Please take 2 minutes to fill out this survey about the class:
https://r-7.co/2ODGuZf
https://docs.google.com/forms/d/e/1FAIpQLSdlUQwqoeSSmqoBskGgE66XW40XcaxB926UgmpH__PWPAXqJg/viewform?c=0&w=1