Exposure Analysis
Overview
Vulnerability scanners are commonly used by Security teams to proactively find and classify vulnerabilities in network devices, hosts, and applications.
After the vulnerability scanner scans and analyzes all the assets within the scope of the analysis, it generates a report. The findings in the report can then be used to improve the overall security posture.
Unfortunately, the data in these reports is often overwhelming and not specific enough to be actionable, so on its own it is of limited help.
Forward Exposure Analysis provides security teams visibility into their security posture and helps them prioritize vulnerability remediation by combining the host vulnerability data provided by vulnerability scanners like Rapid7 InsightVM and Tenable Security Center with Forward Networks modeling capabilities.
Security teams are able to identify within seconds which end-hosts impacted by critical vulnerabilities can be accessed from any exposure point (e.g. internet) and which compromised end-hosts can access internal critical infrastructure.
Prerequisite
To enable the Exposure Analysis you need to configure the collection of the vulnerability data from a Rapid7 InsightVM or a Tenable Security Center instance. For instructions, please visit the Rapid7 InsightVM or the Tenable Security Center page.
Walk-through
Forward Enterprise collects the latest report data from the vulnerability scanner tool every time it collects from the network infrastructure.
When both the network and vulnerability data are collected and processed, the results are shown on the Security --> Exposure page.
The following page shows an exposure analysis example from a Forward deployment with a Rapid7 instance:

The analysis includes three sections: Exposure point, Overview, and Vulnerability report.
Exposure point
The Exposure Analysis can be run from the perspective of any Exposure point, thanks to the Forward Networks modeling capabilities.
By default, the Exposure point is the Internet which corresponds to the Internet node that was added as a synthetic device.

If the Internet node was not added, you first need to add an exposure point from the Exposure page.
To add a new exposure point, click on + Add an exposure point in the Exposure point drop-down menu.
An Exposure point can be defined as an interface group, and it will be saved in Objects --> Interface Groups.
Provide the interface group Name, the Interface name patterns, and optionally the VLAN IDs:

For more information on Interface Groups, see the Objects documentation page.
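As an added illustration of what an Exposure point saved as an interface group amounts to (example code written for this page, not Forward Enterprise code): an exposure point with a name, interface name patterns and optional VLAN IDs, applied to a constructed interface inventory. The matching rules used here, shell-style globs over a `device:interface` name and a VLAN filter that only applies when VLAN IDs are given, are assumptions made for this example; Forward's own pattern syntax is described on the Objects page.

```python
# Added illustration for this page; not Forward Enterprise code. The glob and
# VLAN matching semantics below are assumptions for the example.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Interface:
    device: str
    name: str
    vlans: frozenset  # VLAN IDs carried on the interface (empty if none)


@dataclass(frozen=True)
class ExposurePoint:
    """An exposure point as the page describes it: an interface group with a
    name, interface name patterns and optional VLAN IDs."""
    name: str
    patterns: tuple                     # e.g. "edge-fw-*:GigabitEthernet0/0"
    vlan_ids: frozenset = frozenset()   # empty means "any VLAN"

    def matches(self, iface: Interface) -> bool:
        full = f"{iface.device}:{iface.name}"
        if not any(fnmatchcase(full, p) for p in self.patterns):
            return False
        # VLAN filter only applies when VLAN IDs were given (assumption).
        return not self.vlan_ids or bool(self.vlan_ids & iface.vlans)

    def members(self, inventory) -> list:
        """Interfaces from the inventory that belong to this exposure point."""
        return [i for i in inventory if self.matches(i)]


# Constructed inventory; device and interface names are invented.
INVENTORY = (
    Interface("edge-fw-1", "GigabitEthernet0/0", frozenset()),
    Interface("edge-fw-2", "GigabitEthernet0/0", frozenset()),
    Interface("edge-fw-1", "GigabitEthernet0/1", frozenset({10, 20})),
    Interface("core-sw-1", "Ethernet1/1", frozenset({10})),
    Interface("guest-ap-1", "wlan0", frozenset({300})),
)

# The default exposure point of the page, expressed as the outside-facing
# firewall interfaces, and a user-defined one restricted to the guest VLAN.
INTERNET = ExposurePoint("Internet", ("edge-fw-*:GigabitEthernet0/0",))
GUEST_WIFI = ExposurePoint("Guest-WiFi", ("guest-ap-*:*", "core-sw-*:Ethernet*"),
                           frozenset({300}))

if __name__ == "__main__":
    for point in (INTERNET, GUEST_WIFI):
        print(point.name, [f"{i.device}:{i.name}" for i in point.members(INVENTORY)])
```

Note that `core-sw-1:Ethernet1/1` matches a Guest-WiFi name pattern but is excluded because it does not carry VLAN 300, which is the effect of the optional VLAN IDs field.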
To edit an Exposure point, click on the edit icon in the Exposure point drop-down menu:

To delete an Exposure point, click on the bin icon in the Exposure point drop-down menu, and confirm the deletion:

The Exposure point is also deleted from the Objects --> Interface Groups page. This can't be undone.
Overview
The Overview section provides a high-level view of the analysis:

It shows:
- the number of vulnerable hosts found by Rapid7 InsightVM
- the number of vulnerable hosts found by Rapid7 InsightVM and modeled by Forward
- the number of vulnerable hosts found by Rapid7 InsightVM, modeled by Forward, and exposed to the selected exposure point
Vulnerability report
The Vulnerability report provides a detailed report of every vulnerable host found by Rapid7 InsightVM that is modeled by Forward and exposed to the selected Exposure point.

For every such host, it provides the following information:
- Name: hostname and link to the host card in the Search page
- IPs: list of IPs and link to the Search page
- Vulnerable services: all services that are vulnerable, based on data from Rapid7 InsightVM (Tenable Security Center does not provide this information)
- Risk Score: risk score assigned to this host by the vulnerability scanner, with a link to the related instance. For a Rapid7 InsightVM instance, the link opens the asset page directly.
- Critical: number of critical vulnerabilities found by the vulnerability scanner on the host, with a link to the related instance. For a Rapid7 InsightVM instance, the link opens the asset page directly.
- Last scanned: time of the latest scan collected
- Reachable services: services on the host that are reachable from the Exposure point, based on the Forward Enterprise network model
- Connectivity Details: shows the reachable services for the host from the exposure point

- Blast Radius: run a Blast Radius analysis for this host

- You can add or remove columns in the table by editing the hidden columns.
- Rapid7 InsightVM defines the following Severity levels:
  - 1-3 = Moderate
  - 4-7 = Severe
  - 8-10 = Critical
The Download report button provides a report export in csv format.
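The following added example (written for this page; it is not Forward Enterprise code and not the Rapid7 InsightVM or Tenable Security Center API) models the whole chain described in the Overview and Vulnerability report sections: constructed scanner findings are filtered to hosts Forward has modeled, then to hosts with a service reachable from the chosen exposure point, which yields the three Overview counters; each exposed host then becomes a report row with the columns listed above, the Rapid7 severity bands are used to count Critical findings, and the rows are exported as CSV. The hosts, IPs, finding IDs and reachability table are all constructed, and the `exposed_vulnerable_services` column (vulnerable services intersected with reachable ones) is an addition of this example, not a column in the product.

```python
# Constructed walk-through of the Exposure Analysis funnel on this page. Added
# illustration only: not Forward Enterprise code, not the InsightVM/Tenable API.
# All hosts, IPs, finding IDs and reachability data below are constructed.
import csv
import io
from dataclasses import dataclass

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str   # scanner finding identifier (constructed placeholder)
    service: str   # service the finding is attached to, e.g. "tcp/443"
    severity: int  # scanner severity score, 1-10

@dataclass(frozen=True)
class ScannedHost:
    name: str
    ips: tuple          # IPs reported by the scanner
    risk_score: float   # risk score assigned by the scanner
    last_scanned: str   # time of the latest scan collected
    vulns: tuple        # Vulnerability findings on this host

def severity_label(score: int) -> str:
    """Rapid7 InsightVM bands as stated on the page: 1-3 Moderate, 4-7 Severe, 8-10 Critical."""
    if score >= 8:
        return "Critical"
    if score >= 4:
        return "Severe"
    return "Moderate"

# Constructed scanner report; clean-01 was scanned but has no findings.
SCANNED_HOSTS = (
    ScannedHost("web-01", ("10.1.1.10",), 812.5, "2024-05-01T02:00Z",
                (Vulnerability("VULN-A", "tcp/443", 9),
                 Vulnerability("VULN-B", "tcp/22", 5))),
    ScannedHost("db-01", ("10.2.2.20",), 640.0, "2024-05-01T02:10Z",
                (Vulnerability("VULN-C", "tcp/5432", 8),)),
    ScannedHost("lab-99", ("192.168.9.9",), 120.0, "2024-04-28T23:00Z",
                (Vulnerability("VULN-D", "tcp/8080", 3),)),
    ScannedHost("clean-01", ("10.3.3.30",), 0.0, "2024-05-01T02:20Z", ()),
)

# Constructed network model: the IPs Forward has modeled (lab-99 is not among
# them) and, per exposure point, which services on which IP are reachable.
# "Internet" is the page's default exposure point; "Guest-WiFi" is user-defined.
MODELED_IPS = {"10.1.1.10", "10.2.2.20", "10.3.3.30"}
REACHABILITY = {
    "Internet": {"10.1.1.10": {"tcp/443"}},
    "Guest-WiFi": {"10.1.1.10": {"tcp/443", "tcp/22"},
                   "10.2.2.20": {"tcp/5432"}},
}

def is_modeled(host: ScannedHost) -> bool:
    return any(ip in MODELED_IPS for ip in host.ips)

def reachable_services(exposure_point: str, host: ScannedHost) -> set:
    """Union of services reachable from the exposure point over all of the host's IPs."""
    table = REACHABILITY.get(exposure_point, {})
    return set().union(*(table.get(ip, set()) for ip in host.ips))

def exposure_overview(exposure_point: str) -> dict:
    """The three Overview counters: vulnerable, modeled, exposed."""
    vulnerable = [h for h in SCANNED_HOSTS if h.vulns]
    modeled = [h for h in vulnerable if is_modeled(h)]
    exposed = [h for h in modeled if reachable_services(exposure_point, h)]
    return {"vulnerable": len(vulnerable), "modeled": len(modeled), "exposed": len(exposed)}

def vulnerability_report(exposure_point: str) -> list:
    """One row per exposed host with the page's columns, plus the intersection of
    vulnerable and reachable services, which is where remediation should start."""
    rows = []
    for h in SCANNED_HOSTS:
        if not h.vulns or not is_modeled(h):
            continue
        reachable = reachable_services(exposure_point, h)
        if not reachable:
            continue
        vulnerable = {v.service for v in h.vulns}
        rows.append({
            "name": h.name,
            "ips": ";".join(h.ips),
            "vulnerable_services": ";".join(sorted(vulnerable)),
            "risk_score": h.risk_score,
            "critical": sum(severity_label(v.severity) == "Critical" for v in h.vulns),
            "last_scanned": h.last_scanned,
            "reachable_services": ";".join(sorted(reachable)),
            "exposed_vulnerable_services": ";".join(sorted(vulnerable & reachable)),
        })
    return rows

def report_csv(exposure_point: str) -> str:
    """CSV export in the spirit of the Download report button."""
    rows = vulnerability_report(exposure_point)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]) if rows else ["name"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

Calling `exposure_overview("Internet")` on the constructed data gives 3 vulnerable hosts, 2 of them modeled and only 1 exposed, because `db-01` has no service reachable from the Internet while it does from `Guest-WiFi`; `report_csv("Internet")` then contains the single `web-01` row. The report shows why reachability matters for prioritization: `web-01` has a Severe finding on `tcp/22`, but only `tcp/443` is reachable from the Internet, so the Critical finding on `tcp/443` is the one exposed from that point.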