Surface Command Pre-Deployment Handbook

Thank you for Advancing Securely with Rapid7. Within this document, you’ll find system, network, and functional requirements, a deployment overview, and additional resources. If you have any additional questions, please send those to your Project Manager or your Security Consultant.

Surface Command Overview

Surface Command breaks down data silos by combining comprehensive attack surface visibility across hybrid environments to build a dynamic 360-degree view of your entire attack surface in one place. External scans provide an adversary’s perspective on the attack surface, detecting and validating exposures while highlighting areas attackers are most likely to target.

Surface Command combines these external scans with a detailed inventory of your internal assets, no matter the security or IT tool used to scan them. This process delivers complete visibility into your attack surface without the risk of blind spots, unprotected assets, and ungoverned access. Understanding how assets are configured helps you quickly identify and address misconfigurations, shadow IT, and compliance issues. This integrated approach gives you a holistic view of your digital landscape, enabling proactive risk mitigation, threat prevention, and rapid response.

Surface Command is accessible from the Solutions sub-menu on the Command Platform. You can also navigate directly to points of interest within Surface Command by interacting with the Attack Surface Overview or the other Attack Surface-related navigation menu items.

Looking for Surface Command Access Control?

For detailed information on Surface Command entitlements and access control, visit Role-Based Access Control.

Prepare for Deployment

In order for your Surface Command / Exposure Command deployment to be successful, you must have the following resources in place prior to the first day of your deployment:

Change Control

Many organizations employ a change control process around their IT environments. To ensure a successful deployment, change controls must be approved prior to deployment to enable implementation and testing of product functionality. Consider mitigating actions in advance. For example, if a change control has been submitted but not approved, or an emergency change is required, what course of action can be taken to keep the deployment moving?

Multi-Team Stakeholder Participation

Cybersecurity often involves teams outside of the direct security team deploying the software. For example, an IT team can speak to existing hardware whereas a provisioning team can speak to how new hardware is onboarded. Managerial staff can additionally provide context around key performance indicators (KPIs) and required compliance that must be met for things like data retention. Having several teams involved in the deployment of Surface Command will ensure a successful rollout within your environment, allow for cross-training, and improve understanding of findings.

We recommend that you have representatives from the following teams available during the deployment:

  • Cybersecurity Managerial staff
  • System Administrator capable of provisioning required accounts / API keys for connector setup
  • System Administrator(s) (should be available throughout deployment)
  • Network Administrator capable of modifying and troubleshooting routing / access control issues

They do not need to be present during the entire deployment timeframe but need to have the flexibility to join at relatively short notice.

Technology Preparation

Preparing for the new technology is also an important part of the deployment process. Surface Command relies on Connectors to collect data. Sometimes Outposts are necessary for Connectors to access on-prem applications or applications behind a firewall.

Connectors

Surface Command offers many different Connectors, all of which are outlined on the Connector Library page. Rapid7 has organized Connectors into 5 categories to simplify the process of ensuring you have coverage across your entire Attack Surface. We recommend installing at least 1 Connector from each category:

Category: Example Connectors

Asset Management
  • Microsoft Entra ID
  • Microsoft Active Directory
  • Microsoft Intune/Endpoints
  • BigFix
  • Meraki
  • JAMF
Endpoint Detection & Response (EDR) / Endpoint Protection Platforms (EPP)
  • InsightIDR
  • CrowdStrike
  • SentinelOne
  • Azure Defender
Vulnerability Management
  • InsightVM
  • Qualys
  • Tenable
Cloud Service Provider (CSP) / Cloud Security Posture Management (CSPM)
  • InsightCloudSec
  • Wiz
  • AWS
  • Azure
  • GCP
Identity Management
  • Okta
  • Duo

Orchestrator

You may not need to install an orchestrator, as it is only required in situations where a portion of your network is unavailable to Surface Command over the internet, such as when you have an on-prem system that you want to connect (for example, on-prem Active Directory, BigFix).

CentOS 7 orchestrator is no longer supported

On June 1, 2024, the CentOS 7 Insight Orchestrator reached end-of-life. As a result, orchestrators using this operating system will no longer receive security updates or patches from CentOS Linux.

To keep your environment secure, you must install the new Ubuntu orchestrator or migrate to Ubuntu if you have existing CentOS 7 orchestrators in your environment.

Version requirements

The minimum version of the Insight Orchestrator required to support Surface Command connectors is v1.64.0.

Operating environment

The Insight Orchestrator runs as a virtualized machine on the following virtualization platforms:

  • VirtualBox
  • VMware
  • AWS (conversion to AMI needed)

⚠️ VMware version requirements

The orchestrator .ova requires SHA256 support. If you are a VMware user, make sure you have a VMware ESXi Server version number above 6.5.0.

If you need to convert the OVA for compatibility, visit the resource here: https://www.sonicwall.com/en-us/support/knowledge-base/180411180839044.

Required production hardware

The orchestrator requires the following resources:

  • 4-core CPU
  • 8GB+ available RAM
  • 64-128GB available storage

Disk Space Requirements

You should provision at minimum 64GB of disk space for the orchestrator. The more workflows you intend to use, the more disk space you should allocate in advance.

Network connectivity requirements

Ensure that the following domains and ports are accessible to the orchestrator:

  • {region}.api.connect.insight.rapid7.com
    • Replace the {region} section with the code for your area: us, us2, us3, eu, ap, ca, or au
  • {region}.plugins.connect.insight.rapid7.com
    • Replace the {region} section with the code for your area: us, us2, us3, eu, ap, ca, or au
  • Port 443 / TCP for HTTPS egress
  • mirrors.fedoraproject.org (EPEL packages)
  • download.docker.com (Docker packages)
  • packagecloud.io (nightly updates to the orchestrator)

If XFS is your current filesystem, the ftype setting must be correct for Docker. To check that you have this setting, run the following command in a terminal window:

    xfs_info / | grep ftype=1 | wc -l

The command should return 1. If it doesn’t, your XFS filesystem is not compatible with our Docker installation.

When using the script installer with a RHEL 7 or 8 image, ensure SELinux is disabled or set to permissive mode.
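
The hardware, network and XFS requirements above can be verified on the candidate host before deployment day. The script below is an added example, not Rapid7 code: its function names are hypothetical, it assumes a Linux host with curl installed, and it treats a completed HTTPS connection as evidence of egress on port 443.

```shell
#!/bin/sh
# Added example (not Rapid7 code): pre-flight checks for an orchestrator host.
# Function names are hypothetical; assumes Linux with curl installed.

# Print the hostnames the orchestrator must reach for a region code.
orchestrator_hosts() {
    case "$1" in
        us|us2|us3|eu|ap|ca|au) ;;
        *) echo "unknown region code: $1" >&2; return 1 ;;
    esac
    printf '%s\n' "$1.api.connect.insight.rapid7.com" \
        "$1.plugins.connect.insight.rapid7.com" \
        mirrors.fedoraproject.org download.docker.com packagecloud.io
}

# Succeed if xfs_info output on stdin reports ftype=1.
xfs_ftype_ok() { grep -q 'ftype=1'; }

# Succeed if cores, RAM (kB) and free disk (kB) meet 4 cores / 8GB / 64GB.
meets_minimum() {
    [ "$1" -ge 4 ] || return 1
    [ $(( ($2 + 1048575) / 1048576 )) -ge 8 ] || return 1
    [ $(( $3 / 1048576 )) -ge 64 ]
}

# Succeed if an HTTPS connection (TCP 443 plus TLS) to the host completes.
https_reachable() {
    curl --silent --output /dev/null --connect-timeout 5 --max-time 15 "https://$1/"
}

# Run every check for one region; return non-zero if any check fails.
preflight() {
    hosts=$(orchestrator_hosts "$1") || return 1
    rc=0
    for h in $hosts; do
        if https_reachable "$h"; then echo "ok    $h:443"; else echo "FAIL  $h:443"; rc=1; fi
    done
    cores=$(nproc)
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    disk_kb=$(df -Pk / | awk 'NR==2 {print $4}')
    meets_minimum "$cores" "$mem_kb" "$disk_kb" || { echo "FAIL  hardware minimums"; rc=1; }
    if [ "$(df -PT / | awk 'NR==2 {print $2}')" = xfs ]; then
        xfs_info / | xfs_ftype_ok || { echo "FAIL  XFS ftype is not 1"; rc=1; }
    fi
    return "$rc"
}

# Run only when a region code is given, e.g.: sh preflight.sh eu
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

A FAIL on a host that is allowed through the firewall usually points to a proxy or TLS inspection device in the path, since curl also rejects certificates it cannot validate.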

Software requirements

In order for Surface Command connectors to run using an Insight Orchestrator, Docker Community Edition (CE) is required for all supported operating systems. The virtual appliance comes with Docker CE already installed, while the install script ensures that the necessary Yum or Apt repo is added and that Docker is installed on Ubuntu 20.04 or 22.04 and RHEL 7 or 8.

⚠️ Supported container engines for Red Hat Enterprise Linux

Although Docker CE is not directly supported by Red Hat, it remains a system requirement for running Surface Command connectors on Red Hat Enterprise Linux and is the only container engine currently supported. The Red Hat Container Tools module (such as Podman) is not a supported replacement for Docker CE, has not been known to work, and has not been tested by Rapid7.

Post-Deployment Support and Feature Requests

At the conclusion of your deployment, please use the Support link within the Insight platform. Rapid7 values our customers' input on product improvement and direction. If you have suggestions for improvements, please let your consultant know so they can be added to our internal feature lists. For ongoing support of your products, please log in to the Insight platform and click the question mark icon in the top right of the screen. Click Contact Support to create a support request.

Support and Enhancements Page: www.rapid7.com/for-customers/