
Infoblox and Rapid 7
Security Orchestration for Efficiently Mitigating Threats
Agenda
• Operational Challenges in Mitigating Threats
• Infoblox and Rapid 7 Integration
• Rapid 7 Vulnerability Management
• Use Cases and Demo
• Next Steps
Today’s Security Landscape
• 400+ vendors

And Yet There is a Disconnect
• Security You Want vs. Security You Often Get
Silos Exist Between Teams and Technologies
Network and Security – Separate Teams with Different Priorities

Network Team
– High Availability
– Network Infrastructure: routers, APs, switches, etc.
– Network Logging and Monitoring

Security Team
– Risk Mitigation
– Security Infrastructure: firewalls, endpoints, sandboxing, etc.
– Security Logging and Monitoring (SIEM)

“Silos between network, edge, endpoint and data security systems and processes can restrict an organization’s ability to prevent, detect and respond to advanced attacks.”
– Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update, 29 March 2016
No Knowledge of Threat Context
Context – environmental information required to take the right action:
• WHO (identity)
• WHAT (what network device)
• WHERE (where and what part of the network)
• WHEN (time of day, how often)

Today’s security teams:
• Face too many alerts with no way to prioritize based on actual risk
• Lack easy access to network data for context
Lack of Automation
• Security tools can’t take action automatically based on network activities
– When new network elements join the network
– When malicious activities are detected by DNS security tools
• Today’s security teams use difficult, manual processes to assemble data from disparate sources
Solution
Security Orchestration with Infoblox and Rapid 7

Security Orchestration
Accelerating Incident Handling and Response with Automation

Infoblox core network services (DHCP, IPAM, DNS) exchange data with: SIEM, Vulnerability Management, Threat Intelligence Platform, Network Access Control, Advanced Threat Detection, Next-gen Endpoint Security

Context to Prioritize Remediation
• Device Audit Trail and Fingerprinting (DHCP): device info, MAC, lease history
• Application and Business Context (IPAM): “metadata” via Extended Attributes: owner, app, security level, location, ticket number
• Context for accurate risk assessment and event prioritization
• Malicious activity inside the security perimeter (DNS): includes BYOD and IoT devices; profile device & user activity
Use Cases
• Incident Response
• Event Management and Prioritization
• Compliance & Discovery
• Action – Automated actions & Remediation
Easing Compliance & Audit - Infoblox & Rapid 7

Opportunity
• Lack of complete and up-to-date information about network devices and non-compliant hosts limits effectiveness of vulnerability scanning

Solution
• Infoblox acts as the ‘Single Source of Truth’ for the network and devices.
• Network & device discovery with metadata
• Notifies Rapid 7 on new networks, devices as they are identified
• Triggers on-demand vulnerability scan (new & compromised devices)
• Enforce Network Access Control policy based on scan results
(Vulnerability Scans → Policy Enforcement → Remediation processes)

Benefits
• Efficient vulnerability management & compliance
• Faster response to potential risks associated with new devices or virtual workloads on the network
Infoblox DDI, NAC and Vulnerability Scanner Integration
Infoblox and Cisco ISE, Rapid7

Workflow:
• Infected device makes DNS query to C&C (malicious domain); Infoblox DNS Firewall / Internal DNS Security blocks communication
• Infoblox notifies Cisco ISE of Indicator of Compromise / DNS tunneling
• ISE quarantines device
• Infoblox IPAM updated with quarantine status
• ISE requests device scan
• Rapid7 scans device and provides details on vulnerability to help prioritize remediation efforts
• Reports vulnerability risk, updates status to not quarantined
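The workflow above as an added, simulated example (not Infoblox’s, Cisco’s or Rapid7’s code): an in-memory model of the blocked-lookup → quarantine → scan → IPAM-update loop, in which the class, the IPAM record, the scan result and the WHO/WHAT/WHERE/WHEN context fields are all constructed for illustration and no real Infoblox, ISE or Rapid7 API is called.

```python
import copy
from dataclasses import dataclass, field

# Constructed IPAM/DHCP context for one lease (hypothetical sample data, not from the deck).
IPAM = {"10.1.20.45": {"mac": "00:11:22:33:44:55", "user": "jdoe", "device": "Windows 10 laptop",
                       "extattrs": {"Owner": "finance", "Security Level": "standard", "Quarantine": "no"}}}
# Constructed stand-in for the scanner's per-host result (risk score and finding are made up).
SCAN_RESULTS = {"10.1.20.45": {"risk": 725, "vulns": ["outdated browser plugin (constructed)"]}}


@dataclass
class Orchestrator:
    """Hypothetical in-memory model of the DNS firewall -> NAC -> scanner -> IPAM loop."""
    ipam: dict
    scanner: dict
    audit: list = field(default_factory=list)

    def scan_and_update(self, ip: str) -> dict:
        """NAC requests a scan; the scanner reports risk; IPAM mirrors the outcome."""
        asset = self.ipam[ip]
        result = self.scanner.get(ip, {"risk": 0, "vulns": []})
        asset["extattrs"]["Risk Score"] = str(result["risk"])
        # Stay quarantined while exploitable findings remain; otherwise release the device.
        asset["extattrs"]["Quarantine"] = "yes" if result["vulns"] else "no"
        self.audit.append(f"scan {ip}: risk={result['risk']} quarantine={asset['extattrs']['Quarantine']}")
        return result

    def on_dns_firewall_hit(self, ip: str, qname: str, indicator: str, when: str) -> dict:
        """Blocked C&C lookup -> notify NAC -> quarantine -> IPAM update -> scan -> risk report."""
        asset = self.ipam[ip]
        # WHO / WHAT / WHERE / WHEN context comes from the DHCP lease, the IPAM record and the event.
        context = {"who": asset["user"], "what": asset["device"], "where": ip, "when": when}
        self.audit.append(f"dns-firewall blocked {ip} -> {qname} ({indicator}) at {when}")
        asset["extattrs"]["Quarantine"] = "yes"  # NAC quarantines the device; IPAM records it
        self.audit.append(f"nac quarantined {ip} ({asset['mac']}); ipam updated")
        result = self.scan_and_update(ip)
        return {"context": context, "risk": result["risk"], "findings": list(result["vulns"]),
                "quarantined": asset["extattrs"]["Quarantine"] == "yes"}

    def mark_fixed(self, ip: str) -> dict:
        """Validated remediation: a clean re-scan (constructed result) releases the quarantine."""
        self.scanner[ip] = {"risk": 0, "vulns": []}
        return self.scan_and_update(ip)


def new_orchestrator() -> Orchestrator:
    """Fresh orchestrator over copies of the constructed data so runs do not share state."""
    return Orchestrator(copy.deepcopy(IPAM), copy.deepcopy(SCAN_RESULTS))
```

The audit list is the device audit trail the deck describes; in a real deployment the same record would live in IPAM extensible attributes rather than in memory.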
Gain Insights with Reporting and Analytics
Unlock the Value of Core Network Services Data
• Harness rich network data to gain actionable insights
• Visibility into infected endpoints with contextual info (can include DHCP fingerprinting info – username, MAC address, device type, lease history etc.)

• Ensure Compliance with Historical Visibility | Identify Security Risks and Impacted Devices at Present Time | Plan Future Requirements with Predictive Reports
• Integrated Data Collection Engine | Historical Tracking of DDI | Unique Algorithm and Predictive Reports | Pre-built Reports and Customization | Cost Effective Deployment

Transform Data Into Answers
Clarity, command, and confidence to securely move your business forward.
Why are we here?
Am I Vulnerable? Am I Compromised? Am I Optimized?
Measure & Manage Organizational Risk

Uncertainty Abounds
Am I Vulnerable? Am I Compromised? Am I Optimized?
Measure & Manage Organizational Risk
• Endpoints, Assets, and Data
• Resources, Talent & Productivity
• Alert & Portal Fatigue
• IT Control, Remediation, and Visibility
• Attacker Sophistication & Reach
Why Rapid7? The Attacker Mindset
• Metasploit Framework & Community – the most used penetration testing tool
• Heisenberg Project – global honeypot network
• Project Sonar – Internet-wide scans
• Vulnerability Disclosure, Threat Intel, & Attacker Modeling – team of security researchers
Solve Critical Security & IT Questions
• Am I Vulnerable? – Threat Exposure Management: Vulnerability Management; Application Security Testing; Attack Simulation
• Am I Compromised? – Incident Detection & Response: User Behavior Analytics; Incident Detection & Response; Endpoint Visibility & Interrogation
• Am I Optimized? – Log Management & IT Analytics: Endpoint Visibility & Asset Management; Infrastructure Monitoring & Troubleshooting; Log Management & Compliance
Software + Managed Services

We Help You With:
Rapid7 Insight
• Products: InsightVM, InsightIDR, InsightOps, Metasploit, AppSpider
• Managed Services
• Third-Party Applications
• Rapid7 Consult: Penetration Testing; Security Maturity Assessment; Program Development & Benchmarking; Threat Modeling; Incident Response; IoT Strategy and Testing
• Platform: Pre-Packaged Analytics; Search – Visualize – Report; Contextual Data Collection (Asset Data, User Data, Behavioral Data, Mobile Info, Cloud Activity, Controls Info, 3rd Party Data)
Extensive, Beneficial Partner Ecosystem
Rapid7 has more than 80+ partners
Platform Integrations with Partners:
• Data Collaboration Partners – two-way data sharing; ‘single pane of glass’; enhanced platform value
• Data Workflow Partners – IT security integration; streamlines correction; improves IT efficiencies
• Data Ingestion Partners – enhances analytics; enables detection; simplifies investigations
Rapid7 Threat Exposure Management
Vulnerability Management | Application Security | Penetration Testing
Live vulnerability and endpoint analytics powered by the Insight Platform

COLLECT: InsightVM centralizes vulnerability data from the network, endpoints, and cloud instances to automatically collect, monitor, and analyze your network for new and existing risk.
PRIORITIZE: Using our award winning security and IT analytics platform, InsightVM evolves with your shifting vulnerability management program, and using Rapid7’s proven history of vulnerability prioritization, moves you beyond the paralysis of CVSS-only scores.
REMEDIATE: InsightVM streamlines Remediation Workflow to provide IT, management, and the C-suite with the data they need, and tracks progress of each fix in real-time to validate upon completion.
COLLECT
• InsightVM Live Monitoring is always-on, allowing you to automatically collect, monitor, and analyze your network for new and existing risk, and provide your IT and Security teams with the right answers to do their jobs more efficiently
• Using InsightVM Adaptive Security, Rapid7 Universal Agent, and Rapid7 Internet-wide scan research (Project SONAR), new risks are immediately identified as they enter your network along with exposures you didn’t know you had.
• Cover your entire network and use exclusive integrations (AWS, VMware, etc.) to track your dynamic cloud and virtual infrastructures.

“Rapid7’s vulnerability management solution is the only technology I’ve ever used that gives me a full, actionable view of my environment, all the way to the endpoint.”
--Scott Cheney, Manager of IS, Sierra View Medical Center
PRIORITIZE
• The InsightVM Real Risk Score moves you past CVSS-only methods and incorporates vulnerability age and ease of exploitation to help you focus on the vulnerabilities most likely to be used in an attack.
• Validate with Rapid7 Metasploit integration, asset grouping, and business context, and respond all the way to your endpoints to what a real attacker will try to exploit.
• See it all with Liveboard metrics driven by exposure analytics that show real-time risk and custom views tailored to your users.

“We maximize our efforts by focusing on areas with the most risk, relying on the data it gives us.”
--Jason Leitner, Vulnerability Management Engineer at Brady Corporation
REMEDIATE
• InsightVM streamlines Remediation Workflow to provide IT, management, and the C-suite with the data they need, and tracks progress of each fix in real-time to validate upon completion.
• No more 1000-page static reports: InsightVM provides a step-by-step guide on what to fix first, contextualized for individuals.
• InsightVM has you covered with streamlined remediation workflow and analysis, alongside direct integration with leading ticketing solutions.
• Metasploit lets you validate which exploitable vulnerabilities have truly been fixed.
“Dashboards have helped upper management move beyond a ‘check the box’ mentality by showing them the true risk of different assets beyond just vulnerability count and highs or criticals. Also, the remediation reports are in the language that remediation teams understand, so there’s no more back and forth on what needs to be fixed and why.”
--Lead Security Engineer, Healthcare Facility
Integration / Demo Summary
• Use Cases
• How the Integration Works
• Read Solution Note
– https://www.infoblox.com/wp-content/uploads/infoblox-partner-solution-brief-enabling-security-orchestration-with-infoblox-and-rapid-7.pdf
• Demo video and more info on community site
– https://community.infoblox.com/t5/Rapid7/gp-p/Rapid7
• Contact Infoblox and Rapid 7 to discuss your security architectures
Q&A