Core Security Offers Enterprise-Level Automated Pen Testing

Core Security Technologies has released an automated penetration testing product that leverages its flagship Core Impact Pro technology on an enterprise scale. Core Insight Enterprise enables enterprises to launch multiple automated pen tests (based on algorithms and user data developed from the company's experience with Core Impact) and generate high-level vulnerability/risk posture and trending reports for operational security personnel, as well as for executives and auditors.

December 13, 2010


"For forward-leaning organizations, those that do internal penetration testing, this is a great way to take advantage of technical analysis to improve their ability to use, and understand, pen testing data," says Paul Proctor, VP of security and risk management for Gartner.

Core Insight Enterprise is designed for conducting pen testing on a scale that has not been possible before. Internal enterprise penetration testing is generally limited by the lack of proficient personnel. Experts often characterize pen testing as an art form combining technical expertise with high-level detective work. Many companies turn to third-party consultants, but these services are very expensive and time-consuming. As a result, they are usually narrow in scope and provide only a snapshot of current vulnerability.
 
Enterprises can now conduct multiple, continuous and repeated pen tests against targets throughout their IT infrastructure without relying solely on expert pen testers. Tests are applied against target systems or groups of systems, organized in what Core calls "campaigns." In a particular test or campaign, the user identifies the asset he or she wants to protect, and Core Insight Enterprise calculates the likely attack paths and conducts pen tests to see which attacks might succeed.

The results are displayed in a network diagram that shows successful and failed attack paths, along with the end target system and any systems along the path that were compromised and require remediation. Even failed attacks may reveal systems that were compromised before the intruders were thwarted further along the path.

"I've run about 10 times more tests using Insight because I can automate," says the IT and security director for an e-commerce company specializing in user-designed products. He has been a Core Impact Pro user, and has been using Core Insight Enterprise as an alpha and beta tester for several months. "It will never take away the manual process [of pen testing] entirely, but it can negate a lot of it by automating the critical tests," he says.

The dashboard provides a variety of high-level views with the ability to drill down in detail. From an operational perspective, the "heat" map provides an at-a-glance status reading for each campaign. A red block indicates very vulnerable, high-value assets, while green means you can turn your attention elsewhere. High-level trending charts can show security status based on testing over time for the organization as a whole, for a business unit, for groups of systems, and so on, based on user-configurable filters. "If the trend shows a hot spot is 'always' this entity, the problem may not be hardware or software," says the e-commerce company director. "It may be people."

The dashboard provides a good way to measure improvement, or the lack thereof, as the organization initiates tests to gauge the impact of changes in the environment. For example, you can see which systems remain vulnerable after a critical patch is applied or measure the effectiveness of a newly introduced intrusion prevention system.

Enterprises can import data from asset management systems to provide a detailed context for the organization's vulnerability management program. Core Insight Enterprise also has a series of built-in connectors to popular IT products, including network management systems, so an organization can import network topology. It also imports information from network and Web vulnerability scanners, so pen tests can be applied to test exploits against reported vulnerabilities. Reported data leak issues can be imported, as well. Patch management integration allows automated remediation when testing reveals an unfixed vulnerability.

"Not only do I want to test more systems, I want to look at all that information and assets in a more proactive way," says Mark Hatton, Core Security Technologies president and CEO. "It's what vulnerability management is intended to do: effectively look at potential vulnerabilities, test and, to the extent they create risk for you, remediate them in a relatively short period of time."

Core's competition in a limited market has been primarily from Canvas and the open-source Metasploit project. Core Insight Enterprise may put the company into the enterprise vulnerability and risk management market alongside companies such as RedSeal Systems and SkyBox Security, as well as Q1 Labs, which entered the market earlier this year with Risk Manager. These vendors develop potential attack models against critical assets based on systems information, such as vulnerability reports, configuration data, firewall rules and network topology.

Core Insight Enterprise can be successful if Core can expand its appeal from the highly technical users of Core Impact to security officers and higher-level executives, as well as auditors, says Gartner's Proctor. "It's an interesting capability that could prove useful for certain organizations. Its purpose is to hit enterprises with the ability to scale up to this type of testing and make it relevant to different audiences, like internal auditors and executives."
  
Last week, Core announced the latest version of Core Impact Pro, featuring new capabilities such as the ability to detect and exploit network router and switch vulnerabilities; import Web vulnerability scan results and validate them for exploitability; exploit persistent (or stored) cross-site scripting vulnerabilities; exploit cross-site scripting vulnerabilities in Adobe Flash applications; reveal additional top Web application vulnerabilities as defined by the Open Web Application Security Project (OWASP); replicate wireless man-in-the-middle attacks; and leverage expanded client-side phishing capabilities.

Version 11 also improves information gathering by scanning a range of IP addresses and returning a list of discovered network devices, along with identifying information such as operating system, manufacturer and device model. It also offers detection and exploitation of configuration vulnerabilities. Pricing for Core Insight Enterprise starts at $150,000 for up to 10,000 targets. Pricing for Core Impact Pro starts at $30,000 for a one-year license.
