Core Security Technologies is introducing new pen testing software that, according to the company, has robust reporting capabilities, enabling CIOs, CISOs and other executives to gauge risk to internal systems and gain greater visibility into the progress of ongoing security initiatives.
The Boston-based penetration testing firm, best known for its Core Impact Pro software for pen testers, launched Core Insight Enterprise on Monday. The new tool can be programmed to view critical systems and their connection points and then can be set to conduct multiple, automated pen tests in an attempt to find a way into the company's most critical assets, said Mark Hatton, CEO of Core Security Technologies Inc.This a tool for forward leaning organizations that would like to be more aggressive with their scanning and try to determine where actual risk exists as opposed to traditional scanning.
vice president and distinguished analystGartner Inc.
"You're not just going out and hiring a crazy guy with earrings to do pen tests anymore," Hatton said. "We're giving you actionable information and solving that disconnect between what security teams are doing and what the business side wants them to do."
Making insight different from Impact Pro is its dashboard, which gives executives a high-level view of the relative threat impact to company systems, the status of ongoing pen testing campaigns and lays out a history of the security health of the organization's systems over time. Hatton said the tool was designed to make it easier for security professionals to create understandable metrics out of vulnerability data for executives and auditors.
Core Security is trying to differentiate itself from firms like Rapid7, which is integrating the commercial Metasploit testing platform into its NeXpose vulnerability scanning software. Diana Kelley, a partner at security analysis and research firm SecurityCurve, said Core Security is bringing to market the first automated penetration testing tool that enables ongoing campaigns, but its sales force will have to find a way to create a value proposition for the product.
"It's unclear if companies understand the benefits of ongoing penetration testing," Kelley said. "We don't have a compliance mandate saying it must be done, so [Core Security] will have to sell the value return the organization will get through ongoing testing."
Unlike vulnerability scanners, which focus mainly on client vulnerabilities, penetration testing tools gather network device information and simulate an attack by a malicious hacker to check for access points into servers containing sensitive data. Kelley said robust penetration testing can do a thorough check of network devices to find hidden flaws, network configuration issues or server connections that are often missed using less sensitive tools.
Hatton said that in time he believes continuous testing will be legislated. Using Core Insight Enterprise, a company can set up multiple pen tests or "campaigns" to find vulnerabilities that could lead to data leakage, Hatton said. The tool validates whether or not the security controls are working and if the data can be accessed, he said. The dashboard shows the path used to steal data in a successful campaign. CISOs can drill down into a campaign to find and get network teams to fix weak points and remove the vulnerable paths used by the pen test, Hatton said.
Ultimately Core Security is combining penetration testing and vulnerability scanning, said Paul Proctor, vice president and distinguished analyst at Stamford, Conn.-based Gartner Inc. Proctor said Core Insight makes pen testing relevant by taking the relevance out of the hands of just the technical subject matter experts.
"This is a tool for forward leaning organizations that would like to be more aggressive with their scanning and try to determine where actual risk exists as opposed to traditional scanning, which is about showing the 10,000 places where the organization hasn't updated its patches," Proctor said.
Hatton said that Core Insight has been designed so eventually enterprises would have the ability to integrate logs from security information and event management (SIEM) systems and incorporate vulnerability and patching data from vendors such as Qualys Inc. or Imperva Inc.
"Qualys, [IBM ISS] and others could become a feed for us," Hatton said.