Below is a copy of the 451 Research product review on Rapid7's two new products, ControlsInsight and UserInsight.
Copyright 2013 - The 451 Group
Reproduced by permission of The 451 Group; © 2013. This report was originally published within 451 Research's Market Insight Service. For additional information on 451 Research or to apply for trial access, go to: www.451research.com
Rapid7 is a prominent name in the vulnerability assessment and penetration testing market. However, as with other vendors in this space, we've wondered what innovation and diversification route Rapid7 would take going forward. The company's path has become clear with the announcement of its latest offerings: ControlsInsight and UserInsight, two products that seek to leverage the data Rapid7 already harvests via its Nexpose, Metasploit and Mobilisafe technologies, in addition to collecting data from Active Directory, firewalls, Web proxies, cloud services, mobile devices and other products, to provide enterprises with visibility for risk management across assets, users, networks and services. The move complements recent developments the company has been pursuing for a more top-down approach by providing information tailored for C-level consumption.
Rapid7 is a well-known entity in the realm of vulnerability management and penetration testing. Through its existing technologies, the company has the ability to harvest information from assets. It has leveraged its previous technologies along with new data collection and context-adding capabilities in an attempt to provide insight into endpoints and user activity. We like the fact that the company is expanding beyond its core offering, and opportunities to develop the products further will be plentiful. It is a bold move that should add a welcome boost for the company, which is looking to make a lasting impression at the C-level. Still, Rapid7 is stepping into market areas where established vendors will try to keep it at bay.
Boston-based Rapid7 was founded in 2000 by Tas Giakouminakis, Alan Matthews and Chad Loder. Matthews is chairman of the board of directors, and Giakouminakis is the CTO, while Corey Thomas is the president and CEO of the company. Rapid7 acquired Metasploit in 2009 and, subsequently, Mobilisafe in 2012. The company has taken in $59m in outside funding, of which the largest portion came in 2011 with a $50m series C round. Today, the company has about 350 employees with offices in the United States, as well as Amsterdam, Hong Kong, Sydney and Toronto.
Rapid7 ControlsInsight is an endpoint security control and defense-monitoring product that sets out to answer the question many enterprises ask: "How secure are we?" It utilizes the Nexpose scan engine to collect data from endpoints and measures the state of security controls that have been deployed. Effectiveness is measured by analyzing the security control state and comparing it against industry best practices, such as SANS, and by utilizing Rapid7's own intelligence and custom-developed threat models. The user console displays the overall status of endpoint controls and threats with a score of 1-10 to indicate the overall security strength when compared to the threat model. The controls are placed in logical groupings such as email, USB, network, etc., to facilitate the process of identifying where weaknesses lie. Upon drilling down into issues, ControlsInsight provides users with guidance as to how to remediate weaknesses. ControlsInsight is currently available for Windows endpoints, but the company has other operating systems and assets on its roadmap.

Rapid7 has also announced UserInsight, which is designed specifically to monitor user activity, whether that be on-premises, mobile or while accessing cloud applications. The initial release will provide visibility into user activity, including cloud services and mobile devices, in one console. The software can also identify where user credentials may have been compromised, such as when logins for the same account are reported from distant geographical locations within a short time. The user dashboard also identifies which cloud services are being used, even when the users are not on the corporate network. No endpoint agent is required for UserInsight; instead, a network collector is deployed to collate information from network devices.
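The "distant geographical locations" check the report attributes to UserInsight is, at its core, an impossible-travel calculation over a user's login history. The following is an added illustration of that detection logic and is not Rapid7's code; the event format, the GeoIP coordinates, the 900 km/h plausibility threshold and the sample logins are all assumed and constructed here:

```python
# Added illustration of impossible-travel detection over per-user login events.
# Not Rapid7 code: event layout, coordinates, threshold and samples are assumptions.
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0     # ignore GeoIP jitter within one metro area

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_event, later_event, speed_kmh) for each pair of
    consecutive logins by one user that would require travel faster than max_kmh.
    Each event is a dict with keys: user, time (aware datetime), lat, lon, src."""
    findings = []
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if dist < MIN_DISTANCE_KM:
                continue
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600.0
            # A real distance in zero elapsed time is the worst case: infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append((user, prev, cur, speed))
    return findings

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

# Constructed sample: alice's first two logins are 25 minutes apart across the Atlantic.
SAMPLE_EVENTS = [
    {"user": "alice", "time": _t("2013-06-10 09:00"), "lat": 42.36, "lon": -71.06, "src": "vpn"},  # Boston
    {"user": "alice", "time": _t("2013-06-10 09:25"), "lat": 52.37, "lon": 4.90, "src": "box"},    # Amsterdam
    {"user": "alice", "time": _t("2013-06-11 08:30"), "lat": 52.37, "lon": 4.90, "src": "sfdc"},   # Amsterdam, next day
    {"user": "bob", "time": _t("2013-06-10 09:00"), "lat": 42.36, "lon": -71.06, "src": "vpn"},    # Boston
    {"user": "bob", "time": _t("2013-06-10 17:45"), "lat": 43.65, "lon": -79.38, "src": "box"},    # Toronto, 8.75 h later
]

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{user}: {a['src']} {a['time']:%H:%M} -> {b['src']} {b['time']:%H:%M} needs {kmh:.0f} km/h")
```

Only alice's Boston-to-Amsterdam pair is flagged; bob's Boston-to-Toronto trip and alice's next-day login from the same city are plausible and pass.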
From the cloud-application perspective, Rapid7 has connectors designed to integrate with salesforce.com and Box, which monitor when corporate credentials are used to sign on, monitoring access even when this is performed with non-corporate devices off-network. The company states it is working to integrate with other cloud providers in the future. Both ControlsInsight and UserInsight can be purchased as stand-alone products, with ControlsInsight pricing starting from a base price of $20,000.
With its latest offerings, Rapid7 has sidestepped most of its traditional pure-play vulnerability management competitors and moved into a far wider and more competitive landscape, where it will find itself trying to win business from a myriad of companies. Guidance Software, with its recently announced endpoint analytics, is the most likely candidate to try to elbow Rapid7 out of the race early; however, other vendors that look at the endpoint, in particular those with some forensic or monitoring capabilities such as Bit9 or AccessData, will claim to provide equivalent visibility. Some vulnerability management vendors have been looking to increase context around the scan data to provide better data management and prioritization of remediation. BeyondTrust combines vulnerability data with privilege management, as do Cyber-Ark and Viewfinity, which can further help in detecting stolen credentials. These will undoubtedly compete more on the UserInsight offering, although SpectorSoft is likely to be a more direct competitor. IT GRC vendors will also likely point to their ability to ingest data from multiple sources to present a view of a company's risk position. These include Rsam, EMC (Archer Technologies), Agiliance, LockPath, Modulo, eGestalt Technologies and Brinqa. Some SIEM vendors may also see Rapid7 as competing on their turf, especially those with scanning technologies, such as IBM QRadar or Tripwire. These vendors aside, Rapid7 says it sees itself as being complementary to a SIEM – the difference being that it wants to focus more on control effectiveness and to follow users when they go mobile or into the cloud.
Rapid7 is a well-known vendor with mature vulnerability management and penetration capabilities. The brand name and technology should allow the company to gain awareness and uptake in its offerings.
It is relatively straightforward for UserInsight to monitor cloud services in use from within the organization. However, in order for organizations to monitor whether employees are accessing cloud services from personal devices, UserInsight needs to integrate directly with cloud providers. Currently, UserInsight is integrated with salesforce.com and Box. The company says it is working on more partnerships that it will roll out over time, but we wonder whether the rate of integrations can keep up with the number of applications enterprises may want to use in the future.
The opportunities to develop and enhance both products are plentiful, with many features on product roadmaps. Beyond the technology, the new products allow Rapid7 to move into new market areas and expand its footprint.
There are a number of vendors in the endpoint security and monitoring space that provide functionality similar to, or a subset of, what Rapid7 is seeking to provide. The company will have to contend with breaking into these new markets, which have a multitude of vendors that will be looking to keep Rapid7 at bay.