Metasploit extended integration with Rapid7’s vulnerability management product, Nexpose, arms security professionals with knowledge of which vulnerabilities can be exploited, enabling them to prioritize remediation efforts.
In addition, this simplified approach to risk validation enables security professionals to measure the effectiveness of their mitigation efforts, increasing their credibility in the organization in the longer term.
“Security professionals face a huge and complex challenge and they need to know that they are focusing their efforts on the highest risk vulnerabilities,” said HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project. “With Metasploit and Nexpose, security professionals can identify which of the numerous potential vulnerabilities are real in-roads for an attacker and prioritize these for remediation, making a more meaningful improvement to the organization’s security posture.”
With so many known and unknown threats facing organizations, it can be hard for IT security teams to decide which potential risks they should focus on. A vulnerability that may be dangerous to one organization could be far less significant to another because a compensating control or other defensive solution affects its exploitability.
Security professionals often have to work with reports with thousands of vulnerabilities identified: far more than they have time to address. As a result, many IT security teams are focusing on the wrong items and are not able to address the real risks before it is too late. This new Metasploit version delivers a solution to this frustration for IT security teams by prioritizing the critical risks.
Metasploit imports vulnerability scanning results from Nexpose, validates risks, and feeds the outcome back into Nexpose to simplify reporting and streamline remediation. Metasploit does this by identifying and testing known exploits that correlate to each vulnerability. The results are listed with information about why a given vulnerability may not have been exploitable. The resulting Nexpose reports then give users recommendations on how to remediate each vulnerability.
Additionally, users can now group assets in Nexpose based on the powerful tagging capabilities of Metasploit Pro. Once steps have been take to remediate the vulnerabilities, security professionals can then use Metasploit to test the effectiveness of the action taken.