Core Security Technologies Inc. has put out a call for enterprises interested in beta testing its new product, which it says can help organizations automate the discovery of potential data breach risks, even if it took an attacker multiple steps to steal data.
The Boston-based penetration-testing specialist has announced the beta availability of Core Insight Enterprise. Unlike the company's venerable pen-testing software product, Core Impact, Insight Enterprise is an on-premise appliance that automates the processes involved with checking whether key applications, servers and devices are susceptible to known, real-world exploits.
Kim Legelis, Core's vice president of marketing, said the product works by initially scanning the network, and then security administrators use the results to define which network assets are "critical" or require validation of their security posture.
From there, Insight Enterprise can execute what the vendor refers to as campaigns: customizable automated tests that seek to determine whether a customer's systems are vulnerable to attack using actual known exploits, not simulations or modeling. What makes the product unique, Legelis said, is that if it discovers a vulnerability, it can be configured to act as an attacker would, automatically running secondary exploits from the initial foothold to try to compromise additional systems.
Legelis said Insight Enterprise is meant to help companies avoid incidents like the infamous 2009 Heartland Payment Systems Inc. data breach, in which an online crime syndicate led by convicted attacker Albert Gonzalez was able to piggyback a Web server breach to break into a database that, in turn, provided access to another database where sensitive credit card data was stored.
"So if you were using traditional scanning technology, you might discover an opening on a particular webpage, but you'd have no idea where it could lead you," Legelis said. "This allows you to go multiple layers into the organization to determine if the assets you want to protect are ultimately protected."
"There are no false positives," Legelis added. "Either you get to the data, or you don't."
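The multi-step validation idea described above (a foothold on a web server leading to one database and then to another, and a verdict of "either you get to the data, or you don't") can be expressed as a reachability question over an asset graph. The following is an added example and not code from Core Security or its product: it models a small, constructed environment in which each directed edge is a generic weakness class linking two hosts (hostnames and weakness labels are placeholders, not real identifiers), marks one asset as critical, enumerates every hop-by-hop path from the internet to it, and then shows that remediating one weakness class does not necessarily close every path to the critical asset.

```python
"""Attack-path reachability over a constructed asset graph.

Models the multi-step validation idea from the article: starting from an
internet-facing foothold, can a chain of known weaknesses reach an asset the
defender marked as critical? Hostnames, weakness labels and the graph itself
are constructed for illustration and are not data from any real product.
"""
from collections import deque

# Directed edges: (source asset, target asset, weakness class that links them).
# Weakness labels are generic placeholders, not real vulnerability identifiers.
CONSTRUCTED_EDGES = [
    ("internet", "web-01", "exposed HTTP service"),
    ("web-01", "db-app", "application DB credentials readable on web host"),
    ("db-app", "db-cards", "linked-server trust between databases"),
    ("web-01", "file-01", "reused local admin password"),
    ("file-01", "db-cards", "reused local admin password"),
]

# The asset the defender marked as critical (here, where card data lives).
CRITICAL_ASSETS = {"db-cards"}


def build_graph(edges):
    """Adjacency map: asset -> list of (next asset, weakness used to get there)."""
    graph = {}
    for src, dst, weakness in edges:
        graph.setdefault(src, []).append((dst, weakness))
        graph.setdefault(dst, [])
    return graph


def find_attack_paths(graph, start, critical):
    """Return every simple path from `start` to a critical asset.

    Each path is a list of (asset, weakness) tuples, so the output reads like a
    campaign report: which link let the test move one layer deeper.
    Cycles are avoided by never revisiting an asset already on the path.
    """
    paths = []
    queue = deque([(start, [(start, None)])])
    while queue:
        node, path = queue.popleft()
        if node in critical:
            paths.append(path)
            continue
        visited = {asset for asset, _ in path}
        for nxt, weakness in graph.get(node, []):
            if nxt not in visited:
                queue.append((nxt, path + [(nxt, weakness)]))
    return paths


def reachable_critical(edges, start="internet", critical=CRITICAL_ASSETS):
    """Binary verdict: either a chain reaches the critical data or it doesn't."""
    return bool(find_attack_paths(build_graph(edges), start, critical))


def remove_weakness(edges, weakness):
    """Simulate a remediation by dropping every edge that relies on `weakness`."""
    return [e for e in edges if e[2] != weakness]


if __name__ == "__main__":
    graph = build_graph(CONSTRUCTED_EDGES)
    for path in find_attack_paths(graph, "internet", CRITICAL_ASSETS):
        print(" -> ".join(f"{a} [{w}]" if w else a for a, w in path))
    # Fixing password reuse alone leaves the database-trust path open.
    fixed = remove_weakness(CONSTRUCTED_EDGES, "reused local admin password")
    print("still reachable after password fix:", reachable_critical(fixed))
```

Run as a script, it prints the two constructed chains into `db-cards` and then reports that the critical asset is still reachable after the password-reuse edges are removed, because the database-to-database trust path remains; only removing that link as well turns the verdict to unreachable. This is the property a re-run campaign would be expected to confirm after a fix.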
John Pescatore, vice president and research fellow at Stamford, Conn.-based Gartner Inc., said there is a major need for continuous vulnerability assessment in the enterprise, especially in light of recent changes to FISMA and PCI DSS compliance mandates emphasizing vulnerability assessments.
"The sophistication of attacks these days has increased the need for penetration testing as well," Pescatore said via email.
Core is also positioning the product as a supplement to expensive human pen-testers and as a tool for application developers and other non-security-focused business groups that could benefit from automated exploit testing but lack the experience to conduct such tests on their own.
Diana Kelley, partner with Amherst, N.H.-based consultancy SecurityCurve, wrote a white paper about the product for Core Security. She spoke with alpha customers who said they liked how it can identify common types of enterprise servers or applications and then test the security of the associated services or protocols that commonly enable exploits.
Pescatore indicated that Insight Enterprise utilizes Core Security's strong foundation of penetration testing capabilities, but there are other vendors out there, such as Qualys Inc. and Rapid7 LLC, that have more experience in automating vulnerability assessments.
Kelley, however, said the product's automation capabilities -- especially its ability to run automated tests using custom rules based on a human pen-tester's accumulated knowledge, like commonly used password formulas -- differentiate the product from competitors.
For the beta program, which runs through the end of the year, Core is seeking a small group of enterprises interested in a free test deployment of Insight Enterprise. These companies will get deployment and management assistance, and in turn will be asked to provide feedback on product performance and usage, specifically regarding exploit campaigns.