Security Consulting

Provide compliance and security to your clients

Rapid7's vulnerability management and penetration testing solutions are optimized for use by consultants who want to deliver best-of-breed solutions to their customers.

Many clients only ask their consultants to help them comply with regulations, but your customers also hire consultants to avoid making costly mistakes. This is where you as a consultant can add value and build a long-term relationship: by recommending that they look not only at compliance but also at security. After all, if one of your consulting customers had a data breach, would they continue working with you or choose a different consulting firm? Exactly.

Best of breed solutions for consulting firms

Rapid7 is the leader in unified vulnerability management and penetration testing solutions. Our solutions deliver precise, actionable risk scores and dramatically reduce the number of false positives. Nexpose Consultant software includes information about exploits and remediation for vulnerabilities. Nexpose Consultant solutions scan at all levels, including operating systems, databases, web and other applications. Metasploit Pro verifies the exploitability of found vulnerabilities, confirming whether or not mitigating controls are effective in stopping a data breach. In addition, consultants can use Metasploit Pro to launch social engineering campaigns into a target network.

Rapid7's research and development teams are tightly integrated with the security community to get early and in-depth input on new vulnerabilities and exploits. Close relationships with open source projects such as Metasploit, w3af, WarVox, and John the Ripper provide unique insights on exploits, Web vulnerabilities, password cracking, and war dialing.

Build a portfolio of services on Rapid7 solutions

Security consulting firms offer many innovative services based on Rapid7 solutions, including:

  • Security assessments: This is a great first project to start a long-term relationship with your clients. You can offer security assessments of your customer’s IT infrastructure to identify areas for improvement. This usually involves a vulnerability scan and a penetration test, including password audits and sometimes social engineering. Security problems identified often lead to follow-on consulting engagements to address these issues.
  • Deployment services: Leaving behind a test or evaluation license of Nexpose or Metasploit can help you sell licenses into the account to improve your client's security posture. Through the Rapid7 reseller program, you not only benefit from the license sale but also from services for deployment and product training.
  • Security awareness: Test the security awareness of your clients’ employees through Metasploit Pro’s social engineering functionality. If there is room for improvement, you can offer security awareness training for the employees.
  • PCI Compliance: Companies that accept or process credit cards must comply with the Payment Card Industry Data Security Standard. Requirements 11.2 and 11.3 require periodic vulnerability scans and penetration tests.
    • 11.2 Vulnerability Management: Help your customers prepare for PCI audits by conducting a Nexpose vulnerability scan before the scheduled Authorized Scanning Vendor (ASV) scan, or become an ASV and use Nexpose as the scanner. Nexpose Consultant is a PCI-approved vulnerability management solution and includes dedicated PCI scanning templates.
    • 11.3 Penetration Testing: Conduct penetration tests to help your customers comply with requirement 11.3. Metasploit Pro includes a pre-defined PCI DSS report template that includes a detailed, actionable report on an organization’s security posture regarding requirements 2, 6, and 8, which include password and secure systems maintenance.
  • Compliance and governance: Around the world, companies have to navigate a large number of compliance regulations. Many of these regulations require the protection of personally identifiable information (PII) and protected health information (PHI). Vulnerability management and penetration testing are an essential part of a good security program to protect confidential data. Nexpose Enterprise integrates with leading SIEM and GRC solutions that enable your clients to maintain the overview of their security posture.
  • Managed security services: Enterprises can benefit from lower cost of operations by outsourcing security tasks to a Managed Security Service Provider (MSSP). Nexpose Enterprise supports multi-tenancy, making it easy for you to host several clients on the same server while keeping each client’s data strictly separate. Unlike alternative solutions, you can customize the Nexpose portal with your logo and let customers log in to securely view the scan results rather than regularly preparing reports, which may be difficult to transmit because it’s bad security practice to send confidential data by unencrypted email. Using the customer portal, customers can even kick off their own scans at any time.
  • Training: Support your clients with customized training on how to operate Nexpose Enterprise in their infrastructure or conduct periodic baseline penetration tests with Metasploit Express. Offer security awareness training for your client’s end-users, and create social engineering campaigns with Metasploit Pro to show them how to react when they receive a file from an unknown sender or find a USB key in the parking lot.

Recommended solutions for consulting firms

Nexpose Consultant

Nexpose Consultant’s licensing model has been specifically designed for independent consultants and auditors. It is based on Nexpose Enterprise, which received the highest rating of “Strong Positive” in Gartner’s MarketScope for Vulnerability Assessment 2011, and provides unique capabilities designed for complex IT environments. Unlike other products, Nexpose identifies vulnerabilities from an attacker’s perspective. By focusing on exploitable vulnerabilities, you’ll reduce your vulnerability risk exposure and remediation costs.

Nexpose Consultant offers these great benefits for consulting firms:

  • Spend less on licensing: Unlike alternative solutions, which charge a license fee for specific IP ranges, Nexpose is licensed by the number of IPs that you can scan at any one time. When you have completed one customer’s assessment, you can change the IP range to match your next assignment without having to pay an additional license fee. In other words, the money goes straight into your pocket starting with the second scan.
  • Scan from your laptop: Unlike alternative solutions, you don’t need to ship an appliance to your client’s network to conduct an internal scan. Simply start a vulnerability scan from your laptop.
  • Customize your reports: Edit your report once and never again: all reporting templates can be customized to fit your consulting firm’s corporate design, including the logo. In addition, reports can be generated in Rich Text Format (RTF), so you can easily make one-off changes. Nexpose contains several types of standard reports for different audiences.

Metasploit Pro

Metasploit Pro includes advanced penetration testing methods, enabling your security consultants to penetrate networks much faster and deeper than with open source tools alone. It has been ranked the best penetration testing solution by the HackMiami group in a competitive bake-off against two other leading products. Metasploit Pro supports team collaboration, so several consultants can work on the same project at the same time, which improves teamwork and reduces reporting overhead at the end of the project.

Metasploit Pro offers these great benefits for consulting firms:

  • Enjoy more flexible licensing: Unlike alternative solutions, Metasploit Pro is licensed by named user. Each named user can install Metasploit Pro on up to three machines. Consultants typically install one instance on their laptop to conduct internal penetration tests and one instance on a hosted server, so they can conduct an external penetration test through Metasploit Pro’s web interface. If you need licensing for more than one consultant, special team licenses are available.
  • Earn higher margins: Metasploit Pro’s streamlined workflow and associated efficiency save hours of cutting and pasting passwords, hashes, and screenshots, and automate reporting. This means you can either pass the savings on to your customers to become more competitive or increase your margins.
  • Spend less on training: Metasploit Pro’s intuitive graphical user interface gets your consultants up to speed much faster without the extensive training required for using traditional open source tools.
  • Leverage junior consultants: Team collaboration enables you to mix junior and senior consultants on customer engagements to increase margins. You can either increase the size of engagements to two or more people, or complete assignments in half the time. Senior consultants who prefer the Metasploit Framework can use the Metasploit Pro console, taking advantage of team collaboration, evidence collection and reporting from the command line.
  • Demonstrate need: Metasploit Pro can often be used to demonstrate the need for a vulnerability management or penetration testing solution. For example, Metasploit Pro can be used to exploit a vulnerability found by Nexpose to convince a network operations engineer that a certain vulnerability should be addressed with high priority. Metasploit Pro can also be used to secure budget for a security program by demonstrating to business-level executives how easy it is to access their data and systems.
  • Enable customers to verify remediation: Metasploit Pro can generate a replay script for the Metasploit Framework that enables your customer to retrace your penetration testing steps. As a result, your customers can easily test if their remediation was successful.
  • Customize your reports: Edit your report once and never again: all reporting templates can be customized to fit your consulting firm’s corporate design, including the logo. In addition, reports can be generated in Rich Text Format (RTF), so you can easily make one-off changes. Metasploit Pro contains several types of standard reports for different audiences.
  • Defend against allegations: Metasploit Pro automatically logs every action of the penetration test, which not only enables your clients to trace every step you took to penetrate their systems, but also holds you harmless in case a client alleges that you took unauthorized steps.

How Rapid7 supports you

Rapid7 has several programs to ensure that you receive help when you need it:

  • Reseller program: This program was designed for providers who specialize in security/compliance solutions and offer a superior level of quality in pre- and post-sales services to their customers.
  • Consulting licenses: Rapid7 offers flexible licenses specifically for consulting customers. Contact us for details.

Want to learn more? Watch our webinar "Consulting for Profit: Building a Business on Security Assessments".

If you're interested in talking to us about how we can help you with your consulting practice, please phone us at 617.247.1717 or contact us online!
