Video: Rapid7 Global Partner Webinar: Exposure Management Demo Walkthrough (Part 3 of 6) | Duration: 2704s | Summary: Rapid7 Global Partner Webinar: Exposure Management Demo Walkthrough (Part 3 of 6) | Chapters: Exposure Management Overview (21.375s), Data Source Integration (104.305s), Initial Access Vectors (184.855s), Rapid7 Command Overview (241.615s), External Attack Surface (360.995s), Remediation and Prioritization (496.46997s), Endpoint Protection Settings (663.76s), Advanced Query Building (1034.03s), Dashboard Creation Overview (1687.31s), Connectors and Correlation (1863.635s), Recap and Conclusion (2147.465s), Partner Program Conclusion (2219s)
Transcript for "Rapid7 Global Partner Webinar: Exposure Management Demo Walkthrough (Part 3 of 6)": Hi, everyone, and welcome to part three of our exposure management webinar series. In this one, we are gonna go through a demo walkthrough of the platform. My name is David Higgs. I'm a senior solution engineer for Channel Alliances in EMEA, and I'm gonna be taking you through the demo today. So let's start off with the architecture of the platform. So here we have our architecture slide. You'll see here that we're including all of the portfolio now in the Command platform, and you'll see this when we go into the interface itself. Now the platform as a whole includes vulnerability management for on-premise and cloud. It includes our DAST solution for web app scanning. We have a CNAPP solution and validation, all within the exposure management part of the platform. On detection and response, we have our managed detection and response. We have our next-gen SIEM, digital forensics and incident response, and threat intelligence. And our attack surface management, which is fed from, as you see here, all of the data feeds that we have going into the platform. Now let's move on to the next slide, which simplifies this slightly. So when setting up the Command platform, you will look at all of your different data sources across the customer environment. And the idea is that we want to connect as many as possible to correlate assets within your environment, to get a good view of your attack surface. So really good ones to start with, for example, are any cloud platforms you have, Active Directory, and your EDR. Obviously, your Rapid7 tools will go in by default into our data mesh. And then any third-party vulnerability management or cloud security tools are really good to have in as well. On top of that, adding in your CMDB is gonna give you loads and loads of context, rich business context, around your attack surface.
So we start by connecting our sources, we then cross-correlate those assets and identities between those sources, and contextualize the information using your CMDB, for example, which then allows us to prioritize and respond appropriately. So before we go into the demo itself, I just wanna take the time to show you this final slide. Here we have the initial access vectors for threat actors, and this was from the Rapid7 incident response data report, January 2024. We see here that multifactor was attributed to 41% of all initial access. That's lax or no enforcement of multifactor. We then have vulnerability scanning, or rather vulnerability exploitation, should I say. 30% was the vulnerability exploitation for initial access. And then finally, phishing is the third one I wanna talk about. So social engineering, 12%. All of this making up around 83% of all initial access for threat actors. Now why do I show this slide first? Well, because when we go to the Rapid7 Command platform, we can see here on our home page immediately assets with and without endpoint security, shown here; assets with vulnerabilities and without vulnerabilities, as such, shown here; identities with and without multifactor enabled, shown here. Now I'll come back to these in a moment. We'll actually pivot into them. I'm just gonna give you a tour of the rest of the home page first. So here we have our top remediations. This is from a part of the platform called Remediation Hub, which is within our Risk section here. So our top remediations are shown there. Top investigations by priority: this is from InsightIDR. It shows all of the active investigations within the environment and, obviously, the top ones according to their priority here. We can obviously pivot into that using view all investigations.
We then, on the Risk side of the platform, have the executive risk view showing trends, vulnerabilities versus risk score over time, and then SOC performance, again from InsightIDR, showing time to assign and close investigations. We have, on the left-hand side, our solutions. And then if I just expand all of these sections here on the left, we have our attack surface: our overview, our assets and identities, our external attack surface (we'll go into that in a moment), and our workspace. Under Risk, we have the executive risk view, the Remediation Hub that I spoke about here, and cloud posture, and under Compliance, we have our agent and cloud compliance. We can see threat information, automation, and reporting, and, of course, our admin page. So let's go into the attack surface, and I'm gonna start with our external attack surface here. So to start with, we're gonna add our seeds. A seed is an IP address or domain that we're gonna add in here. An example of one seed is a single IP address, or you can have it as a full subnet; that still is just one seed. And then, of course, an FQDN we can add in there as well. What we'll then do off the back of that is we will do DNS lookups on the FQDNs. We will do reverse lookups on the IP addresses and list IPs and domains, shown here. We can then look at the resulting network services and certificates that have been discovered from these IPs and domains. So here, I'm just gonna clear all my filters, and then we can see all of our certificates. Let's filter by critical severity. So we see that still includes services and certificates. Let's have a look at the certificate. We can see first discovered, last discovered. We can also see the expiry date. Going back, I'm just gonna get rid of certificates. We're just focusing on services now. Let's have a look at this one here. We can see that OpenSSH is open on this IP address here.
And then we are using Project Sonar, which is a Rapid7 project, in the back end, which scans the Internet twice a week. And we will then enrich it with proprietary data as well, including third-party data from the likes of the Shodan project. So you can see here all of the CVEs that we've managed to grab as a result of banner grabbing the OS version of OpenSSH. So this is the first part of our attack surface. Before I go into more detail on the attack surface, I'm just gonna touch on the Risk section in Remediation Hub. So here, we actually look at cumulative remediation. So let's say you have a remediation that has lots of vulnerabilities associated with it. Rather than listing each individual fix for each vulnerability, we do cumulative remediation. So you can see here, we're focusing on lots of vulnerabilities in a single remediation, and we will list the most recommended remediation, so the most up to date. Showing you here, we have the impacted assets, and, of course, I can filter as I see fit, based on sites, tagging. You'll also see here that we give you detail on whether endpoint protection and patch management are enabled on those devices. And that's because of the attack surface management: we are looking at the endpoint connectors, we're looking at the patch management connectors, and seeing if it's installed on those devices after vulnerability scanning them. And so when it comes to your prioritization of your remediation, you might say, well, okay, we've got some devices that have got patch management installed. We know that we can roll out a fix really quickly, so let's go and get them off the list. Next, we might focus and say, okay, well, some of the devices have endpoint protection, but some of them don't. So let's focus on the devices that don't have patch management or endpoint protection because they are riskiest. And you might choose to prioritize it in that order.
The beauty here is that the filters give you the flexibility to do whatever you see fit. So from here, let's go into our attack surface. And we're gonna start with assets with endpoint security, or rather without endpoint security. So we come in. We can see here that it's auto-selected workstations and servers, and we're looking for endpoint protection active, excludes true. So there are actually three settings for the status of EDR on an endpoint. And that is true, i.e., it's installed and it's active; false, it's installed, but it's not active; and then no, which is it's just not installed. And so I want to exclude true. So we've said endpoint protection is active, excludes true. Now what I can do here is we can see we've got loads of properties across the top. If I wanted to, I could actually add some other properties in. So let's say I wanted to, I don't know, let's pick one, for example. I wanna find out if the device is encrypted. So we've added that to here, and I can, of course, change the order in the list if I wanted to and apply that. And we can see here if the device is encrypted or not, and then we get all of the other information as we did before. What I'm gonna do is I'm gonna show you our correlation capabilities. So to do this, I am going to filter on sources, and you can see not all devices are encrypted. As you can see here, not all of them have that attribute. So I'm going to search for ServiceNow. And what the system is doing in the back end is it's going off to our data mesh, and it is pulling back all of that information based on the query. Now in our demo platform, we have to sample so many different connectors to be able to show you the correlation capabilities of the platform across all of these different connectors.
So for instance, EDRs: we have, like, five different EDR feeds coming into the platform, which obviously has loads and loads of assets. So in the demo platform, we've actually got around about 100,000 assets within the solution. And we can see here now that it's pulled back all of that information. So let's have a look at this particular asset here. So I'm gonna pull back that information. Let's expand it. So we can see here we have the general tab, which is pulling information from all of these other information sources. Now we said, okay, we're looking for endpoint protection is not true. But we have Defender machine here. So let's have a look to see why that's coming back as false. So endpoint protection is active: we're saying it's false. And the reason being is in the Defender machine properties, we have protection enabled equals false, which is why that's showing as endpoint protection is not active. Scrolling down, we have our correlation information. So we're actually very transparent about how we are correlating that asset between sources. We can see here we've correlated the MAC address between Intune, InsightVM, and ServiceNow. We've got the qualified hostname from AD, from Defender, and from InsightVM. And then the unqualified hostname has been picked up by Exabeam and also Intune in this instance. I can also go into the individual sources and review the information from each. We can also see any additional properties that we want to filter on. On top of that, we have the graphical view, so I'm just gonna discard that. So here I can see the individual asset and then all of the other attributes for that asset. Now what I might wanna do is see, okay, what are the other assets on the same network segment, for example? So I could look at the subnet here, and I could expand the subnet. And we can see here all of the other assets within that subnet.
And then if it's a bit messy, we can, of course, try and clear that up a little bit and just show the assets. And then we can clear individual assets as well, to reduce our focus. Okay. So that has covered off part of our journey so far. We've looked at assets without endpoint protection on servers and workstations. Let's go back to the cloud, the Command platform. So here, we have identities. In fact, let's go into identities next. So here we're looking for ones with multifactor excludes true. Now I wanna add some more filters here. So let's say I want to know if they are an active user. So we'll say only true. And then we'll add some more filters, so I want to know if they are an administrator as well. So let's go with only admins. Then we can see here that that's brought back just administrators. Now let's have a look at one of these users. Let's expand that. So we can see that they are an administrator. Let's have a look at, okay, they've got groups. So we're looking at the domain users group. Let's have a look to see why they've been flagged as an administrator. Here we go. So administrator, and that's true. And if we hover over the information button, we can see that that's in Slack and in Google Workspace. And, of course, we can go into these individual properties as well. Now there are some properties, for instance, in KnowBe4, we have this prone-to-phish percentage. Now this, you see, is unique to the KnowBe4 property. So it doesn't tend to get pulled through into the general tab, which is for attributes that are common across loads of sources. So what I could do here is we could see that their prone-to-phish percentage is 16.8%. Now this is really important contextual information. So what I could do here in this instance is say, okay, we'll take that existing filter that we've started. And what I'm gonna do now is I'm gonna click this button here, which is going to send us to the workspace to edit the same query.
And here I can get more granular with the query itself. So I can click here on the filters and I can add more information. Now you see here in the general tab, I've got the ability to select all that same information as before. But if I click the show source types button, then I can access information across all of the other source types, including KnowBe4. So if we remember, the attribute that we wanted to look at was called prone to phishing. There we go. And then let's say I want to say greater or equal to 50%. And we'll apply that and we will run that query. Now we can see here it's brought back four results. And let's have a look at the results in that query. So let's go to the KnowBe4 information. 86.5%. This user, where are we? We need to go to the KnowBe4 information. 92.2, we're going up. And then we've got 95.2, still going up. And then 99.8, we have a winner, or rather not, as the case may be. A higher score is obviously worse. Let's go back to our query. So here, we were looking for all of these attributes, but we do also have an any option. So if I was to select this, it would come back with any of these attributes, and then the advanced section gives you the ability to add Boolean-style operators. So you see here I could do one or two and three or four. Obviously, it wouldn't really apply to this example, but hopefully you get an idea as to the types of queries that you could start to make. We also have this advanced query language, which is what we call our Cypher query. You see here that it's more of a command, or rather SQL-style, syntax. So if I was to go edit in Cypher, we can then edit that query in our Cypher language. I'll give you an example of the flexibility of Cypher queries. So let's just have a look at this one, for example. So here we are, looking for Defender AV status attributes.
So looking at the noncompliant ones, we can then also look at if the device has encryption enabled, if there's endpoint protection active, and if there are any mitigations with regards to vulnerability scanning. And then we can bring back, well, we are essentially creating new data. So if this is true, then we will say, okay, this is encrypted. If it's not true, then we will say it's not encrypted. We'll give it a thumbs down. And so what we're gonna do as a result of this is provide a table to someone who maybe doesn't quite understand the details of these specific attributes and give them something that is a bit more usable for them, so that they can see a direct action that they need to complete as the result of seeing that data. I'll give you another example. Here we go. This was one I created previously, which is prone-to-phish ranges. So where we had the percentages before, this is obviously quite handy, but then we can also see that if we have a lot of users, each user is gonna have an individual percentage. And so what we wanna do at that point is start to try and create ranges, so that we can actually put people into those pools of ranges, if you like. So looking at this, we've run the query, and then what I want to do is edit those query details. And that takes us off to our saved queries because this is a query I've saved previously. And we can see the Cypher language here. So I've just created ranges, as you can see here. So if the KnowBe4 user percentage is greater or equal to 10 and it's less than 20, then we will put that in the 10 to 19 range. And as a result of this, you can then create some widgets with the ranges that you see here. And it's really simple. So once you've got that query in place, you then go to the widgets and then you can select the graphics that you want. We can select Venn diagram, donut, pie chart, correlation. In this instance, I'm gonna select a bar chart.
So I'll select a bar chart there. And what I will then do is we will look to add some dimensions. So the dimension I wanna use is, where has it gone? Prone-to-phish range. So we've got that in there now, but as you can see, the ranges are a bit jumbled up. So I'm going to order by, and that's not count, because count would be the number that's been counted for each option. I'm gonna order A to Z, and that obviously includes numbers as well. So you can see here that most people are falling within the first 30%, and then maybe we wanna focus on the people who are in the 80 to 100% category. So that shows you how to create queries and then go from queries to creating your own widgets. What we then do with those widgets is we put them in dashboards. So there are a few default dashboards that you'll get with the platform. So that is external attack surface insights. You'll also get the controls overview, the data overview, and then the external attack surface overview as well. Let's start with the external attack surface insights. So here we have an EASM summary: total external IPs, total certificates, domains and subdomains, so nice overall stats. We can see EASM vulnerability insights. We've got CVEs there, CVSS scores associated. We can then see web servers, application breakdowns. We've got pie charts, risky service insights as well. And then, of course, if I want to, I can expand that. I can also run that in detail and see the individual assets, or rather external seeds, that are associated with that. Let's go to our external, where's it gone? External attack surface overview. So a nice high-level overview of your external attack surface in its totality. Right. Let's show you one of the default ones. So that is the controls overview: assets without EDR, assets without vulnerability scanning, admin users without multifactor. These are the three areas that we always recommend that you start on straight away. And then, ideally, you'll see trends going down over time.
And then let's have a look at your data overview, which is here. We can see the data correlation effectiveness across the environment. Ideally, what you're looking for is as many sources correlated across as possible. If you get down to assets only being seen by a single source, then that is definitely something that requires investigation. We can see a data hygiene summary if there are any duplicate records. A really good use case for Surface Command is in the instance of licensing on other security products. If you think you've got license duplication, you can of course use Surface Command to try and validate that. Let me give you an example of some of the other dashboards that you can create. So here we have a vulnerability management dashboard, and we can see here we've got an overall overview, prioritization, key control indicator reporting. We've got asset inventory. We can add explanations, as you see here. So really nice dashboards. Let's show you how to create one. So I just clicked create dashboard. Give your dashboard a description because it really helps people understand your dashboard. And then we can add widgets. So the widgets that I created previously, the prone-to-phish ones: we can see a prone-to-phish percentage, and then we've also got the ranges that you can see here. And then I can just add it in there, as you see. Let's cancel that dashboard. So next, we're gonna go into connectors, and this is how we connect the data into the platform. To add a connector, it's very simple. You just click add connector. This takes you off to our extensions page. That is extensions.rapid7.com. It's publicly available for you to go and view, and you can see all of the 151 existing extensions that we have in the platform. If I want to add a new connector, I simply click on the connector. We can see this one's already installed, in fact. So let's go and find a connector that isn't installed already. All I'll do is, let's go to recently added.
And there I can select one that's not been installed, and we can see here that we have the install button available. I can also see we have documentation that shows how to set up the API key, and also all of the API functions that we'll be using, and any discussion between the Rapid7 partner community. Now let's have a look at one of these connectors. So I'm just gonna click on one here, and then we can see the update information. We can also have a look at the settings, so we could actually update those credentials as we see fit. Version history, and then this is really important information. So this shows you the correlation across property types. So let's say I was to click on, let's go to AD computer. We can see the correlation score across the environment, and that's between these three sources. So we've got Active Directory computer, InsightVM, and Azure AD. If we wanted to, we could view that bar graph view as well, and then we can also add additional sources if we wish. So I could add AWS. We could add Zscaler in there as well, and I could add CrowdStrike. And we apply that, and then we can see the correlation across all of those sources. So we can see there are four, sorry, five sources that have correlated 14 assets. This is pretty good in terms of correlation, although we would want more devices to be in this section here versus this single section here. Then we can see the properties being correlated. So more to that, we have our unified properties, which you are able to manage. I'm just gonna resize this for the purpose of the demo. Give me one moment. So these are our unified properties. Now what I can do is click on an asset, and you can see all of the properties that we are correlating for an asset. And I can have a look, let's say I wanna have a look at IP address. I can see all of the sources here that are going to pull in that information. And I can actually select what I want to fulfill that information.
So let's say I could use the most recently updated value, or I could actually specify a top priority. So I could specify AWS, Azure, or Cisco as our top priorities here. And then right down the bottom of the list might be something like ServiceNow. Quite often, CMDBs tend to have a lot of out-of-date information when it comes to up-to-date technical information, but CMDBs are really, really good for applying business information and context to the asset. So although ServiceNow would be really low on the list when it came to IP address, for example, actually, when it comes to attributes like business owners, maybe you would wanna actually move ServiceNow to the top of the list because that's gonna have the most up-to-date and relevant business owner information for that asset. So that can be done here within the unified model explorer. Okay. So in our presentation, we have covered the attack surface. We've gone through assets and identities. We've gone through dashboards, showing you how to go from the workspace to create your saved queries to then create widgets as a result of that. You've hopefully understood the versatility of the Cypher language. But let's just, in fact, let's just show you here again. So that's prone-to-phish ranges. Let's go edit, and you can see here I created a case and then given percentage ranges. So I'm actually creating my own metadata from the existing metadata in the platform, making it more useful to me and my security program. We then showed to you how to create widgets as a result of that and pull them into dashboards. And then finally, we finished off on the connectors, adding them into your environment, configuring them, and looking at our unified properties for Surface Command as well. So I just wanna finish now on the partner program. To support our partners, the Rapid7 partner portal has a wealth of tools and resources available, including information on your PACT program progression.
From finding sales and marketing tools to registering your deals, progressing opportunities, and checking on renewals, the portal also includes access to our formal Partner Academy training and important certifications. Some of the key exposure management resources available to you via the partner portal are noted here. Please feel free to leverage these assets in your conversations with customers and prospects, or just for your own learning as you dive deeper into the product. To take the next steps in your learning journey with Rapid7, please visit the Partner Academy. Go to partners.rapid7.com. Load your Rapid7 partner portal homepage. Next, navigate to the Partner Academy shown here, number two. And then when you go through, you'll then need to click start your journey. And this will take you through to the Partner Academy. That's so all your certifications and achievements in the Partner Academy will be tracked and automatically updated within the PACT partner portal to advance your progress within the program tiers. As you may already know, the PACT program tier re-leveling will occur in January, so make sure you meet all of your training requirements by completing your Partner Academy certifications. Click start your journey and get started today to unlock your PACT program benefits and incentives. To get started within the Partner Academy, you just need to identify your role and your knowledge level. Whenever you log in, you will always find your learning path under partner learning journeys. If you're a sales rep, which we call the Rapid7 sales professional learning path, or RSP for short, all you have to do is click the RSP tile to access all of the courses available that are focused on building your knowledge and skills for your role. That's this one right here. If you are a solution engineer or solution architect like myself, we call it the Rapid7 technical sales professional learning path, or RTSP for short.
Your home page tile will look like the second image, this one right here. Clicking the RTSP tile will give you a focused view of all the presales technical content you need to build your knowledge and skills around Rapid7 solutions with as much breadth and depth as you like, including advanced technical certifications that provide a deep dive into product features. And by the way, if you do the technical sales professional, you don't have to do the sales professional because it's already got all of that sales professional content in it. But let's say you are a long-time Rapid7 partner and already have a ton of experience selling, positioning, demonstrating, and validating Rapid7 solutions. You may not necessarily need to explore the extensive content within these courses, but still want the recognition for your expertise in these areas. All you need to do to prove it: the tile on the right side is where you access all of these certification exams, just here. All of the certification exams validate your knowledge and skills without spending the time required to complete the coursework. Click into the certification exams on the home page to take advantage of our test-out option and collect all the badges you want. Each badge you earn counts towards your tier progression in the PACT program and includes the functionality to display officially on your LinkedIn profile for public visibility with your customers and prospects, reinforcing your crucial role as a trusted adviser. Please refer to the PACT partner program guide to see how many certifications are required for each program tier. Of course, the ultimate goal is to drive impact and business growth for everyone. As you identify opportunities, don't forget to register your deals on the partner portal. It's quick and simple, and the best way to protect the deal, securing it to you and your business, and the easiest way to garner the highest discounts available.
Thank you for all the questions in the session today. If you need any further help, please don't hesitate to reach out to your channel account manager or partners@rapid7.com. I'd just like to add a quick reminder to please, please register for the other sessions in the series. We have so much more information to share. The details can be found on our partner portal, and please be on the lookout for regular Rapid7 partner business communications, which detail product and solution launches, improvements, important partner program updates, and information on all upcoming new and on-demand webinar sessions available. And with that, thank you for joining us today. Have a good day, everyone. Bye for now.
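To make the correlation and unified-property behaviour from the demo concrete (correlating one asset across sources on MAC, qualified and unqualified hostname; resolving each unified attribute either by a per-attribute source priority or by the most recently updated value; and the "endpoint protection active excludes true" filter over the tri-state EDR status), here is an added Python example. It is not Rapid7 code: the sources, records, field names and priority lists are constructed assumptions, and deriving the unqualified name from an FQDN is this example's own choice.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records, one per connector/source (field names are assumptions).
RECORDS = [
    {"source": "intune", "mac": "AA:BB:CC:00:00:01", "hostname": "WS01", "ip": "10.1.1.20",
     "updated": date(2024, 3, 1)},
    {"source": "insightvm", "mac": "aa:bb:cc:00:00:01", "fqdn": "ws01.corp.example",
     "ip": "10.1.1.20", "updated": date(2024, 3, 5)},
    {"source": "servicenow", "mac": "aa:bb:cc:00:00:01", "ip": "10.1.1.7",  # stale IP...
     "owner": "finance-it", "updated": date(2023, 9, 1)},                   # ...good owner
    {"source": "ad", "fqdn": "ws01.corp.example", "updated": date(2024, 2, 1)},
    {"source": "defender", "fqdn": "ws01.corp.example", "protection_enabled": False,
     "updated": date(2024, 3, 4)},  # EDR installed but not active
    {"source": "servicenow", "hostname": "srv02", "ip": "10.1.2.9", "owner": "platform",
     "updated": date(2024, 1, 1)},
    {"source": "ad", "fqdn": "srv02.corp.example", "updated": date(2024, 2, 2)},
]

# Per-attribute source priority (the "top priority" option from the demo):
# technical sources first for IP, the CMDB first for business owner. Assumed values.
PRIORITY = {"ip": ["insightvm", "intune", "servicenow"], "owner": ["servicenow"]}


def correlation_keys(rec):
    """Keys a record can be correlated on: MAC, qualified hostname, unqualified hostname."""
    keys = []
    if rec.get("mac"):
        keys.append(("mac", rec["mac"].lower()))
    if rec.get("fqdn"):
        keys.append(("fqdn", rec["fqdn"].lower()))
        keys.append(("host", rec["fqdn"].split(".")[0].lower()))  # assumption: derive short name
    if rec.get("hostname"):
        keys.append(("host", rec["hostname"].lower()))
    return keys


def correlate(records):
    """Union-find: records sharing any key (transitively) become one asset group."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, rec in enumerate(records):
        for key in correlation_keys(rec):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec)
    return list(groups.values())


def resolve(group, attr, priority=PRIORITY):
    """Unified value for attr: first source in the priority list that carries it,
    otherwise the most recently updated value (the demo's other option)."""
    candidates = [r for r in group if attr in r]
    if not candidates:
        return None
    for src in priority.get(attr, []):
        for rec in candidates:
            if rec["source"] == src:
                return rec[attr]
    return max(candidates, key=lambda r: r["updated"])[attr]


def endpoint_protection_active(group):
    """Tri-state from the demo: True (installed, active), False (installed, not
    active), None (no EDR source has seen the asset at all)."""
    for rec in group:
        if "protection_enabled" in rec:
            return bool(rec["protection_enabled"])
    return None


def unified_asset(group):
    return {
        "name": resolve(group, "fqdn") or resolve(group, "hostname"),
        "ip": resolve(group, "ip"),
        "owner": resolve(group, "owner"),
        "endpoint_protection_active": endpoint_protection_active(group),
        "sources": sorted({r["source"] for r in group}),
    }


def assets_without_active_edr(records):
    """The home-page filter 'endpoint protection active excludes true'."""
    return [unified_asset(g) for g in correlate(records)
            if endpoint_protection_active(g) is not True]
```

Swapping the `PRIORITY` list for `ip` so that `servicenow` comes first makes the stale CMDB address win, which is exactly why the demo recommends ranking the CMDB low for technical attributes and high for business ones.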