Core Security Penetration Testing Tool Focuses on Critical Assets

Core Insight Enterprise identifies critical systems in the business and runs a series of automated penetration tests to verify security controls.

Core Security Technologies introduced Core Insight Enterprise, an automated penetration test suite with risk assessment capabilities.

Like its flagship product Core Impact Pro, Core Insight Enterprise, released Dec. 13, allows organizations to launch multiple automated penetration tests to discover vulnerabilities in "critical campaigns" and "critical assets," Mark Hatton, CEO of Core Security, told eWEEK.

Like Pro, the security professionals will still be able to use Insight to test and validate systems, but Insight's chief strength lies in providing CIOs and other "security operations professionals" who manage risk with a dashboardlike view of the organization's "most critical" systems and data assets, said Hatton.

"Not only do I want to test more systems, I want to look at all that information and assets in a more proactive way," said Hatton.

Insight organizes tests in "campaigns," or a specific systems and data the company wants to protect, such as protecting Social Security numbers from being leaked, said Hatton. Insight then executes various penetration tests on the campaign to validate whether or not the system controls are working and that the data is secure, he said. If a test fails because it finds a logical path to steal that data, the manager receives that information in a context that readily allows a risk assessment, Hatton said.

With Pro, the tester understood the system was vulnerable, but there was no easy way of understanding "what being able to attack the system" meant for the enterprise, said Hatton. Insight speeds up the process of taking the failed test and working back to figure out the business implications of the failed test, Hatton said.

"For forward-leaning organizations-those that do internal penetration testing-this is a great way to take advantage of technical analysis to improve their ability to use, and understand, pen testing data," said Paul Proctor, vice president of security and risk management for Gartner.

The test results are displayed in a network diagram that shows both successful and failed attack paths, Hatton said. Both the CIO and security team can look at the results and see the path of attack that compromised the system, all the other systems along the path that were also compromised and the actual vulnerability.

With Insight, CIOs can see the multiple threat vectors and potential paths that need to be remediated to fix specific business problems.

"It's what vulnerability management is intended to do: effectively look at potential vulnerabilities, test and, to the extent they create risk for you, remediate them in a relatively short period of time," said Hatton.

The dashboard provides high-level views that provide up-to-date status for each campaign. If a system vulnerability is affecting a campaign, the manager can then drill down for more details. There are ways to view the security health of the organization over time, as well as see the results of actions taken, such as adding a new system to the network or applying a patch, said Hatton.

"I know which assets to protect, and I need to focus on these tasks," said Hatton.

Core Security conducted an alpha test primarily with its existing customers in June before expanding the tests to include noncustomers in September, said Hatton. The companies that test drove Insight were from various industry sectors, including financial services, manufacturing and retail, he said.

Financial services firms tend to rely on multiple technologies to help meet compliance requirements, so the ability to integrate logs and events data from other systems as well as Core Insight was critical, said Hatton. Core Insight has a series of built-in connectors to common management products such as patch management and asset management systems, he said.

Last week, Core announced the latest version of Core Impact Pro, which now has new capabilities such as the ability to detect and exploit network router and switch vulnerabilities, import Web vulnerability scan results, and validate them for exploitability. It also includes new tests to exploit cross-site scripting vulnerabilities and replicate wireless man-in-the-middle attacks.