Penetration Testing, Vulnerability Scanning, And The Big Picture
New technologies aim to show organization's overall security posture
November 18, 2010
Getting a handle on an organization's true security posture can be like pinning down a moving target. But new features and technologies are becoming available that bring organizations closer to a true picture of where their actual risks lay -- and what they should do to about them.
Penetration testing firms Core Security and Rapid7, for instance, are rolling out new products and features that bring pen testing and vulnerability scanning to a different level. Core Security's new Core Insight, an automated testing platform that regularly pen tests and analyzes the exploitability of threats to a business, offers multiple dashboard levels of information and reports for security, IT, and businesspeople. The idea is to map the threats to the business' sensitive assets and operations.
Rapid7 in its commercial Metasploit products has been integrating its NeXpose vulnerability scanning with Metasploit penetration testing and making the output more user-friendly. It has done the same with the open-source Metasploit version, according to HD Moore, chief security officer for Rapid7 and the creator of Metasploit.
Core's Insight -- which is in beta and scheduled to ship on Dec. 15 -- basically integrates and extends pen testing and vulnerability scanning, experts say. "Certainly this is an extension of the two categories of products and bringing them together: The traditional low-touch vulnerability scan tends to be done in snapshots, and with the penetration test a human looks at, 'How far can I get in? Can I actually exploit this?' Bringing those two together gives you low and slow and continuous assessment," says Diana Kelley, partner with Security Curve. "And [this assessment] is automated, so you can do it all the time."
Kelley says the problem with periodic scanning and testing is that it captures "a point in time," which may not reflect all of the real risks as networks shift and change. "This is the next phase beyond, 'There I am, and I'll check it again in three months,'" she says. It's an approach akin to what WhiteHat Security does with its dynamic Web scanning, she says, but differs from security information and event management (SIEM) products because those tools focus on what has already occurred.
It's becoming increasingly important to be able to spell out what certain bugs and exploits actually mean risk-wise to your business applications and operations, she says.
That doesn't mean replacing the human pen tester, of course. "This isn't looking to replace humans," Kelley says. "It's just a way of getting pen-testing [information] into the hands of those who [aren't experienced] with it."
More intelligence and actionable information helps organizations with limited resources, security experts say. "We got a lot of feedback from organizations saying they were getting all of this information about what vulns they have, but they can't easily match them to their business risks or assets," says Alex Horan, director of product management for Core. "[Insight] fills the gap between vulnerability information and all the things the business cares about ... we show how it maps to their exposure and risk."
Rapid7's Moore says the reason vulnerability scanning and pen testing are coming together is that you can't do one without the other. "We see a lot of folks doing a NeXpose scan saying, 'What do I need to focus on first?' The penetration-testing angle helps identify what the priorities are -- even if you aren't penetration testing, you can use it to verify" the actual risks associated with the vulnerabilities that are found, he says.
"What we're trying to do with Metasploit Express and Pro is bring the pen-testing usability bar down a little bit" to non-pen-testing experts, he says. "If you have the skill set and want to, you can do a hands-on, deep dive. Or if you just want to verify vulnerabilities, the pen-test tools now automate that well enough now. You don't have to be a pen-test expert."
Moore warns that continuous pen testing, however, could be risky due to the possibility of crashing a server before you can fix the bugs that are discovered. "When that is automated, there are chances of knocking [something] out," he says. Moore says weekly pen tests are typically sufficient.
"There's definitely a convergence in penetration testing and vulnerability scanning, asset management," and similar tasks, he says. Organizations are asking what to fix first, and need ways to verify and validate that, he says.
Larry Whiteside, CISO of the Visiting Nurse Service of New York, is currently beta-testing Core Insight. Whiteside, who helped push Core to build the tool, says he doesn't have the resources to dig through all of the threats and vulnerabilities his tools find. He has a small security staff of two, including himself. "We have 80-plus developers on staff and no one has the bandwidth to be everywhere at the same time and doing all the testing," he says.
Whiteside had previously handed off the data from pen-test and vulnerability scans to nonsecurity staffers to help his team prioritize what to fix first. "That approach is not the best way, leaving it up to people who don't necessarily understand security as well as a person in the security group," he says. "I really wanted Core to deal with the automation and pen-testing function and forget about it ... and go back and say, 'You need to do this because this is exploitable,'" for example, he says.
He says the idea is to be more proactive in mitigating threats. "One of the big things I stress is that the reporting needs to ... have the capability that a nonsecurity person can understand it. So they can look at the dashboard, report, and understand exactly what happened," Whiteside says. "It would have reports that come out every time it scans, what happened, what you need to do to mitigate it, whether it's a configuration change ... this is what we recommend to do."
Visiting Nurse Service of New York's Whiteside says these capabilities don't overlap with SIEM, however. "SIEM is really an aggregation tool," he says.
Fred Pinkett, vice president of product management for Core, describes it this way: "SIEM is about activity on the network. We are more about security posture ... SIEM and SIM are like military intelligence, and we're about understanding where your forces are standing," he says. "This is two sides of the coin and both are necessary."
To that end, Core plans to eventually integrate Insight with SIEM and SIM products as well, according to Pinkett.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like