Browsing articles from "May, 2009"

A Bit of Perspective on the Metasploit Acquisition

Anytime a major open-source security project like Metasploit is touched by a commercial arm it is a big deal. Thus, I felt the need to put together some thoughts regarding the acquisition of the Metasploit project, an industry leader in exploitation frameworks, by Rapid7, an innovative vulnerability management vendor. The acquisition will no doubt have a lot of people talking and unfortunately will likely spur some drama within the security community, largely because of concerns around any potential changes to the open-source nature of the Metasploit project. Although I think the community should not be concerned, as the acquisition will in the end benefit them, I will throw out one minor caution: it is much easier to produce controversial technology when it calls into question the decision making of a project than it is when it calls into question the decision making of a company.

That being said, I want to reiterate my earlier point: this will in the end benefit both Metasploit and Rapid7.

Why This is Good For Metasploit

In looking at this from an analyst perspective, one must separate the hype and controversy from the cold hard facts. The fact is that the Metasploit project is an open-source pillar of the security community, and anytime anything changes in one of those pillars there is a tendency for the security community to, well, overreact. Hopefully this won’t be the case with the acquisition of Metasploit. The benefits for Metasploit are very clear, a few of which are:

  • Metasploit will still be an open-source project
  • HD Moore is now working on Metasploit full time
  • The Metasploit team will now consist of a professional staff including a GUI developer, an exploit developer, and a QA engineer
  • Metasploit will have the benefit of Rapid7’s much larger test and development infrastructure
  • Metasploit will benefit from Rapid7’s resources, including some well-known security minds that could potentially add interesting things to the Metasploit framework

Put simply, Metasploit will now have a few more dollars and cents backing their efforts, which means that the developers will be able to focus more attention on developing the project to better meet the needs of users. Rapid7 was really a perfect fit for the Metasploit project since Rapid7 employs several very talented developers and vulnerability researchers. Furthermore, in terms of business culture there are very few organizations whose management could take on the Metasploit project; Rapid7 is one of those organizations.

Why This is Good for Rapid7

I have no doubt that I will take some heat for this statement, but the acquisition is primarily a great marketing tool. On the one hand it will bring in growth in capabilities, but I don’t see that having a major market impact. More on that to come. Where I see this being good for Rapid7 is in the realm of brand recognition amongst security professionals. Metasploit is one of the top 5 security tools according to Fyodor’s Top 100 Security Tools survey, which was conducted in 2006. While this list is due for an update, the point is that Rapid7 NeXpose’s competitors Qualys QualysGuard, Tenable Nessus, eEye Retina, SAINT, ISS Security Scanner, GFI LANguard, and even SARA (which is no longer in development) all made the list. Rapid7 NeXpose did not. When considering the capabilities of NeXpose in comparison to some of these competitors it becomes clear that Rapid7 simply does not have the market recognition they should. The fact that Rapid7’s brand is now on the Metasploit project will largely change this.

The other major benefit that Rapid7 will have is simply in gaining talent. Already they have gained talent by hiring HD Moore as CSO; further benefits will come in the form of the talent that the Metasploit project will attract.

Some Vulnerability Management Market Perspective

In all likelihood the acquisition of Metasploit by Rapid7 will not have a major impact on the vulnerability management market other than to move Rapid7 up in terms of overall brand recognition. On the one hand it is a very interesting maneuver by Rapid7, and they are getting one of the industry’s most recognized names in the Metasploit project (and in HD Moore in general); on the other hand, the vulnerability management market is no longer predicated on evangelism or a hacker rockstar persona. That is not to say that the move was not an excellent one for Rapid7. From a marketing perspective alone, the acquisition will without a doubt show Rapid7 a major return on investment.

Rather, this merely means that the acquisition will not change business as usual in the vulnerability management market, at least not at the level of the current leaders. There is a real opportunity to grab some of the market share currently held by vendors perceived to have fallen off the vulnerability management radar; however, Rapid7 had that opportunity to begin with. Thus, I must reiterate that the acquisition of Metasploit will garner attention but will not alone have a major impact on the market.

It is easy to forget that Qualys, a leader in the vulnerability management market, gained the majority of their market share through an intelligent business model and not through a hacker rockstar persona. In fact, when Qualys began gaining major market traction, eEye, not Qualys, held the image of the hacking rockstars within the market. At that time, though, Qualys intelligently aligned themselves with the PCI Data Security Standard and an easier implementation model (a SaaS solution). The result was an easy-to-justify ROI and a simple implementation methodology. I can speak firsthand to this because at that time I was still working as the vulnerability management coordinator within a large enterprise and I had both eEye and Qualys as enterprise solutions.

Why both? Simply because the purchase of eEye’s REM product failed to meet the needs of that organization. At the time, ensuring PCI compliance (section six) was difficult when utilizing products from Qualys competitors due to the close alignment of Qualys with PCI (mind you, this was well before CVSS scoring). This was extremely frustrating for non-Qualys customers, including yours truly, and in the end, when compared to the cost of using eEye as a long-term solution (including implementation, hosting, and management costs), it made more sense to just bring in Qualys.

This largely signaled the death of the rockstar hacking persona as a major competitive differentiator in vulnerability management. With the acquisition of Metasploit, I largely see Rapid7 in the same light as I saw eEye before I became aware of Qualys and PCI. I now see Rapid7 as the hacking rockstar of the vulnerability management market. Of course this will do great things for the Rapid7 brand in terms of overall visibility, but that does not necessarily mean that they will replace other industry leaders’ products. Leaders such as Foundstone, nCircle, and Qualys have all done well to align themselves with difficult-to-implement business processes such as enterprise assessments and configuration management.

Thus, while the lower-level operational staff who are focused on the technology may want to try Rapid7 because of its interesting capabilities, higher-level management will be less keen on the idea because the ROI is more difficult to justify when one considers that a well-tuned business process could potentially be impacted. In order for Rapid7 to really take over the market share of the leaders in the space, they will have to be able to show the business justification alongside the enhanced capabilities.

This isn’t to say that Rapid7 won’t be able to do that; perhaps they will. Rather, this is merely pointing out that the acquisition of Metasploit is not going to give Rapid7 that advantage.

Some Exploitation Framework Market Perspective

On the other side of this acquisition, the exploitation framework market will feel the Impact at its very Core, pun intended. That is to say, the real impact of this acquisition will be felt by Core Security, a leader in commercial vulnerability exploitation frameworks. One of Core Security’s difficulties in gaining better market adoption and moving more product has been justifying their product in a marketplace where one major competitor is free and another comes at a minor cost. In other words, Core had to show their customers why they should pay a premium price for an exploitation framework. One of their primary reasons was that their exploits were QA tested and therefore far less likely to cause any type of disruption or outage. The acquisition of Metasploit by Rapid7 promises to change this differentiator for Core Security, as Rapid7 will be designating resources to the Metasploit project over the next six months and HD Moore, now the CSO of Rapid7, has publicly announced intentions to hire at least one QA engineer.

Fortunately, however, it is not unreasonable to believe that the exploitation framework market is big enough for all three vendors. It is not infeasible for one organization to have licenses for Immunity Canvas and Core Impact while still utilizing the Metasploit framework. Although Core has, as of the past year, taken a more enterprise approach to penetration testing, none of these products are particularly expensive by comparison to most enterprise security products. Canvas comes at a cost of $1,495 for 10 seats (unless you want support or early updates); Core Impact does not publicly display their prices, but I can say from my personal experience that under GSA pricing one copy of Impact is in many cases a P-card purchase (depending on your limit); and finally, Metasploit is free. So really one could more or less get all three solutions for the price of, well, Core Impact. Which, in my personal opinion, is well worth the investment.

However, despite my opinion on the investment, this does again beg the question of price for Core Impact. On the one hand the justification for Canvas is relatively simple: realistically one could justify the purchase based solely on the exploit library (even though there are other justifications). For Core, however, things are not so simple. Given some time to develop within Rapid7, Metasploit has a real opportunity to become a commercial-grade product (if in its non-Rapid7 form it is not commercial grade enough). Thus, what is the value of Core Impact, which comes at a large multiple of the price of Canvas (and an infinite multiple of Metasploit’s free product)?

Answering this question will not only impact Core Security but will also impact the penetration testing market as a whole. Previously, Core Security was one of the primary evangelists for penetration testing as part of enterprise security strategies. It is not unlikely that Core will have to shift some of that attention and focus towards evangelizing the value of their product lines given the price. This begs the question: will Rapid7 pick up the slack for evangelizing penetration testing? Maybe. But then I have to ask, what is the value to Rapid7?

Again, I don’t see a real market value in Rapid7’s integration of a penetration testing framework into the vulnerability analysis engine. SAINT Corporation has done that with their flagship product and, to be honest, the market has not really adopted that on a large scale either (in fact, most blog posts covering the Metasploit acquisition don’t even mention SAINT). Nor do I see Rapid7 delivering a unified product as a major competitive differentiator, especially considering the fact that eEye, GFI LANguard, Nessus, and Qualys scan results can all be easily integrated into Core Impact. Therefore any attempt to leverage the capability as a competitive differentiator in the vulnerability management market will likely fuel Core and vulnerability management vendors to market their integrations, which have existed since 2005.

Instead, it makes much more sense for Rapid7 to reap the benefits of the brand recognition delivered by the Metasploit project name, for Metasploit to reap the benefits of a commercially backed company, and for Core Impact to invest more resources into differentiating their products from Metasploit. All the while, efforts to push penetration testing as a critical component of security strategies will be reduced.

If I’m wrong I’ll admit it, but I just don’t see it.

Quick Look: VAM Lite

Summary

*NOTE SecAnalysis opinions have changed since the release of this article regarding the Nessus interface*

First of all, this report will be a little less instructional, since StillSecure does such a good job with their user guide that there is really no purpose in me producing one here. The guide can be seen here. Regardless, a while ago I had the pleasure of having an on-site meeting with the folks at StillSecure. StillSecure is a strong, well-known security vendor that provides vulnerability management, NAC, and IPS/IDS products. StillSecure also provides Managed Security Services to customers looking to outsource their security capabilities. A while ago I noticed that StillSecure offers a freeware version of their VAM product labeled VAM Lite. VAM Lite is a relatively simple but powerful vulnerability scanner that leverages a web-based user interface. VAM Lite differs from the commercial VAM product in the following ways (according to the StillSecure website):

  • Vulnerability scanning is limited to 100 IP addresses
  • StillSecure’s Security POV reporting module is disabled
  • VAM Lite cannot be run in a distributed scanning environment

I decided I’d give VAM Lite a shot in the lab to determine whether it could be a mainstay. I was actually pleasantly surprised by the ease and power of the product. Granted, much of the scanning technology is similar if not the exact same as Nessus; however, one of the biggest problems with the freeware version of Nessus is the fact that the interface is hideous (particularly for Windows) and adds little additional functionality. Thus, VAM Lite addresses a primary issue (the interface) with an excellent solution. VAM Lite is a simple, effective solution that can address the needs of a small business environment. In a large environment one needs to be careful of accidentally scanning across a low-performance firewall, as the firewall’s connection table could fill up very quickly under the initial port scanning engine.

Things I Like

  • Simple setup
  • Simple to use interface
  • Powerful Nessus backed scan engine
  • The vulnerability summary page gives a good overview

Things I Dislike

  • The interface is a little bit slow
  • The interface uses quite possibly the ugliest “loading” image
  • Difficult to customize outside of working directly on the system

[Screenshot: Vulnerability Summary Tab]

Thoughts

I generally like the interface a lot better than the Windows version of Nessus; VAM Lite also gives you a much nicer interface for management as opposed to simple reports. The simple-to-use interface and easy setup make it an excellent solution for labs or security enthusiasts who wish to test out products or systems in their environments. VAM Lite comes in two forms, virtual machine and ISO. For my part, the virtual machine was the best solution. VAM Lite is a must-have for laboratory environments and should be tried out by all (especially since it is free!).

Check It Out

Check out VAM Lite under “Freeware Products” at StillSecure’s website, www.stillsecure.com.