Exposure Command Pre-Deployment Requirements
To ensure a successful deployment, carefully review the checklist below. If you identify any items that you can answer Yes to, explore the related section for further guidance.
| Done | Item | Review |
|---|---|---|
| Y/N | I installed my console with an OVA | Section 1 |
| Y/N | I am running a Proof of Concept console from pre-sales | Section 1 |
| Y/N | I am hosting the console and/or engines myself | Section 2 |
| Y/N | I will be using the Insight Agent | Section 3 |
| Y/N | I have not reviewed my user’s access | Section 4 |
| Y/N | I installed or identified the connectors for ASM | Section 5 |
| Y/N | I want to monitor my External Attack Surface and but do not have a list of public domains or IP addresses | Section 6 |
| Y/N | I plan to connect to services that require authentication | Section 7 |
| Y/N | My cloud providers require credentials to access them Advanced and Ultimate Only | Section 8 |
| Y/N | I have internal web applications I want to scan that are not internet accessible Ultimate Only | Section 9 |
| Y/N | The web applications I plan to scan use login credentials Ultimate Only | Section 10 |
| Y/N | I plan to scan production web applications Ultimate Only | Section 11 |
| Y/N | My organization uses firewalls and/or WAFs Ultimate Only | Section 12 |
| Y/N | My organization is new to application security and development Ultimate Only | Section 13 |
Essential Guidelines for a Successful Deployment
This section contains information that will benefit all customers. Take a moment to review.
Change Control Requirements
Many organizations implement a change control process for their IT environments. To ensure a successful deployment, it’s crucial that all change controls are approved before deployment. This allows for proper implementation and testing of product functionality.
If a change control has been submitted but not yet approved, or if an emergency change is needed, consider what actions can be taken to maintain the momentum of the deployment.
Insight Platform Access
Ensure you have access to the Insight Platform (insight.rapid7.com) as a Platform Administrator, or that somebody with this level of access will be available during the engagement.
If you do not have this access or your organization does not have a Platform Administrator notify your Customer Success Manager (CSM).
Core Event Sources
All users should ensure requirements are met to deploy the core event sources with our consultants. The requirements can be found on the “Before you Begin” section of our docs site for each of the Core Event Sources below:
Customer Event Source Owners
Although our consulting team specializes in Rapid7 products, we may not be familiar with the specific products or versions you’re using as event sources. To maximize the productivity of our deployment and ensure that the event sources meet your organization’s exact specifications, we kindly ask that the business owner for those event sources attends the deployment sessions.
Deploying a Collector
The SIEM Collector is responsible for collecting events from the multitude of systems inside of your environment. For Medium to Large environments multiple collectors may need to be placed in each datacenter or network zone to meet logging requirements. Each Collector must have a Fully Qualified Domain Name. Our team will assist you stand up collectors on your deployment, however do ensure your targeted machines for installation are available and meet the System Requirements .
Deploying Insight Agents
We recommend deploying the Insight Agent to applicable systems. Please ensure these machines meet or exceed the System and Network Requirements .
Orchestrator Required
An Orchestrator is required for Automation (ASM), and will require an additional machine. This Orchestrator will act as the ‘proxy’ between your on-premise systems and ASM.
Our team will assist you during your deployment, ensure the machine is available and meets or exceeds the System and Network Requirements .
For our session, have either the Linux Server available or a VM administrator that can deploy the Virtual Appliance.
Credentialed Scanning
For the most accurate results during scans, credentials should be supplied to VM in order to authenticate with the target assets. Without credentials, you will find significantly less vulnerabilities and the OS and system fingerprinting won’t be as accurate.
If for whatever reason you can not obtain credentials for your devices, you can always deploy agents to the target machines. Just remember that you should perform scans using your scan engines in addition to the agents to get maximum visibility into the target assets.
The level of credentials you use during a scan have a strong correlation with fingerprinting a machine and finding vulnerabilities, for that reason we recommend an Administrator account for Windows and a root account for Linux. Notably, you can do elevation with sudo after connecting to the targeted asset.
Note: For external scans, it is not advisable to use credentials.
Section 1: Non-Production Console
Proof of Concept Console
The PoC console provided during pre-sales was intended to demonstrate product capabilities. It was not configured with best practices in mind or with a full understanding of your organization’s needs. See Deactivating my Console below.
OVA Console
The OVA is a quick way to stand up the VM console, however it is not intended to be used in production. The disks are not expanded to the full volume, default passwords exist, and the nomenclature implies Rapid7 maintains the appliance, whereas your organization will be responsible for scanning, updating, and patching the operating system of these consoles. See Deactivating my Console below.
Deactivating the Console
If you do not intend to migrate data from your proof of console / OVA instance to your production instance, follow the below steps. This process MUST be completed 48 hours prior to your deployment.
Deactivating your console will remove all Insight Platform data, such as dashboards, remediation projects, and Goals & SLAs. Your existing agent associations will remain.
- Log into your current console.
- Navigate to Administration > Global and Console Settings > Console > Administer > Insight Platform and click “Deactivate”.
- Stand up the hardware for the new console but do not install the VM console at this time.
At this point you may back up your security console and discuss onboarding that during your engagement. Your consultant will advise if the console should be built from scratch.
Section 2: Self-Hosted Console or Engines
Review the sections below for any of the self-hosted assets you intend to use:
Console
If Rapid7 is not hosting your console, our team will deploy that with you. Ensure the machine you would like to use for your console is available and meets or exceeds the System and Network Requirements .
Engine(s)
For locally hosted Scan Engines, ensure the machine(s) you would like to use for your engines is available and meets or exceeds the System and Network Requirements . If you are unsure how many engine(s) it will take to scan your organization, let us know before the deployment and our team will provide you with an architecture review.
Note: You are not required to install the engine software, we’ll do that with you during the deployment.
Section 3: Insight Agents
If you are planning on rolling out the Insight Agent to your systems, ensure those machines meet or exceed the System and Network Requirements .
Section 4: Access Denied
Users will require ASM Product Access and ASM Admin Role access.
These settings are found in the Command Platform in the section Administration → User Management. See the the Manage Users documentation for more details.
Section 5: Connector Configurations
Connectors are the link between ASM and any of your other systems that you wish to ingest data from. The first part of the engagement will focus on the installation and configuration of these connectors.
You can find the entire list of connectors here: Surface Command Connectors
Each connector will have a Documentation page that will detail the settings for each connector
Include administrators for these systems on the call if the access cannot be configured prior to the engagement.
Section 6: External Attack Surface
Licensing will determine the level of information that can be returned, but this works by Adding Seeds which will be your any public facing domains or external IP Addresses (including ranges and CIDR). Learn more here: Manage Your External Assets
If interested, have at least a few of your public facing domain names and/or external facing IP addresses available to add.
Typically, this will be done at the beginning to allow time for ‘discovery’ on the initial session.
Section 7: Connection Credentials
Ensure that you have credentials for the service(s) that you wish to connect to and automate prior to the engagement with Rapid7.
To ensure a successful connection, navigate to Rapid7 Extensions Repository and search for the plugin in question for authentication requirements.
Section 8: Authenticating to Cloud Providers
Note: This section only applies to Exposure Command Advanced and Ultimate Customers
Cloud Security requires access to your cloud environments to assess configuration options.
Regardless of your cloud provider, we require the following for the entire duration of the engagement:
- An administrator with full access to your Cloud Service Provider
- An administrator with full access to Cloud Security
If you do not have access to Cloud Security, notify your Customer Success Manager or Project Manager prior to the first date of the engagement.
Microsoft Azure Cloud
Ensure you have the following available:
- A Microsoft Azure account that is an “Owner” over all subscriptions/management groups/tenants we’ll be working with the appropriate Azure roles. You will need to verify that the prerequisite roles exist or that you have permissions to create/modify the required roles
- Ensure the services and roles are supported by checking the list of supported regions
Amazon Web Services
AWS Cloud Setup (Single Cloud Accounts)
- Access to AWS Console and/or API
- Familiarity with Assume Role and cross-account trust relationships
- Permissions to create IAM Roles, attach policies, and modify trust relationships
- More Info
AWS Cloud Setup (Organizations)
Ensure you have the following available:
- One or more AWS Organizations
- Access to AWS Console and/or API
- Familiarity with Assume Role and cross-account trust relationships
- Permissions to create IAM Roles, attach policies, and modify trust relationships in ALL accounts within the AWS Organization
- Access and permission to use CloudFormation’s Stacks & StackSets for deploying roles across all accounts.
- More Info
Additional Amazon Web Services Tooling Considerations
If you are using Opt-In Regions, GuardDuty, or would like your own SSL Cert with your elastic load balancers, review the documentation here .
Google Cloud Platform
Decide whether you want to integrate as a single project, or multiple as part of an organization.
Single Project
Ensure you have the following available:
- An Administrator within Cloud Security
- Appropriate permissions in GCP to create service accounts, roles, and enable APIs
Multiple Projects (Organizations)
Ensure you have the following available:
- An Administrator within Cloud Security
- Appropriate permissions in GCP to create service accounts, roles, and enable APIs. You must have the appropriate level of access in GCP to create Service Accounts within a project, and access to create and apply Roles at the organization level
Section 9: Scanning Internal Applications
Note: This section only applies to Exposure Command Ultimate Customers
Out of the box, Application Security offers “cloud” engines that can scan publicly accessible web applications. If you are looking to scan web applications that do not face the internet, you will need to stand up a local scan engine that can see the application in question. Our team will help you stand up engines during your deployment, however you will want to ensure machine(s) are available that meet the system requirements .
Section 10: Scanning with Credentials
Note: This section only applies to Exposure Command Ultimate Customers
Web applications can be scanned without credentials, however doing so may cause Application Security to miss large portions of your application (forms, links, query strings). To get better coverage of an application, Rapid7 recommends the following:
- Administrator credentials for your website (Or role with the largest share of authorizations)
- For websites that offer additional functionality to non-admin users: a set of credentials for each role/account to ensure entire application coverage
Providing credentials to ensure coverage of the entire site can prevent security blind spots. Before your engagement, verify that the credentials work and document them as you will need them to authenticate to your application.
Feel free to use the following table with your application owners to collect that information:
| App | URL | Environment | Username | Password Location | Role |
|---|---|---|---|---|---|
| 1 | rapid7.com | Dev/UAT/Prod | r7user | (See Vault) | Admin |
| 2 | |||||
| 3 | |||||
| 4 | |||||
| 5 |
Note: We may be required to install a browser extension to record some types of logins, such as the Rapid7 AppSec Plugin . Ensure you are authorized to add extensions to Google Chrome during the deployment.
Section 11: Assessing Production Sites
Note: This section only applies to Exposure Command Ultimate Customers
Scanning production web applications is not generally recommended, as it comes with a certain level of risk that the application may be affected in a negative manner (i.e. crashing, fragments of benign data inserted into application or databases, certain data deleted).
To safely scan these applications, it is advised to first scan a development or User Acceptance Testing version of the application, so that any potential side effects of scanning may be uncovered.
Section 12: Scanning and Firewalls
Note: This section only applies to Exposure Command Ultimate Customers
Scans should be performed outside of a Web Application Firewall (WAF), Intrusion Detection System (IDS) Intrusion Protection System (IPS) and any DDOS protection. This allows Application Security to enumerate vulnerabilities as presented within your software, not the protections afforded by your WAF/IDS etc. With this information, you can remediate the source of the issues in the event that the WAF rule doesn’t catch the malicious activity. It also gives rise to an opportunity to inform your development team on ways they can improve their secure coding practices.
If you wish to assess your security footprint including compensating controls, that can be done through the above mentioned tools.
Section 13: Including Teams
Note: This section only applies to Exposure Command Ultimate Customers
If your company represents both the development of the software package to scan, as well as the security auditors, it will prove handy to have stakeholders from those teams present during the deployment. Developers and System Administrators can elaborate on the internal architecture of your environment and can also assist your Security Consultant by:
- Identifying areas of your application we may not be scanning
- Identifying decisions made during server provisioning and application development (why a setting may be insecure, differences between production, QA/UAT and development versions)
Having Security Analysts available will also allow cross training, segregation of duties, and improved understanding of findings and speed of remediation.