Rapid7 and Thycotic Integration at Ventas
Bryan Krausen, Senior Systems Administrator, Ventas, Inc.
Nathan Wenzler, Senior Technology Evangelist, Thycotic
Secured Authenticated Scanning
Who is Ventas?
Ventas (NYSE: VTR) is a leading healthcare Real Estate Investment Trust (REIT) with a portfolio of more than 1,600 assets in the US, Canada, and United Kingdom.
• Bryan Krausen - Sr. Systems Administrator responsible for managing and maintaining infrastructure including VMware, Storage, Servers, Security, and more.
• Ventas currently uses Rapid7 Nexpose for vulnerability scanning of everything from infrastructure and servers to end-user clients.
• Ventas uses Thycotic Secret Server for privileged account management and password rotation for both servers and clients.
Who is Thycotic?
3,000 customers around the world, from Fortune 5 to mid-market to small IT departments.
• 20% of Forbes 50
• 10% of Forbes Global 2000
• 4 of top 5 in Software**
**based on Forbes Global 2000 Classification
Award badges: Honoree, 2013 and 2014 Finalist, Security and Compliance Finalist, Best Customer Service
Headquarters in Washington, DC. Offices in London and Sydney.
Rated top in class for customer satisfaction*.
*Forrester Research independent survey.
Vulnerability Analysis
Find weaknesses in target systems before an attacker does, and (hopefully) remediate them.
Need as much visibility as possible!
Non-Authenticated scan vs. Authenticated scan
Unauthenticated scanning finds only basic issues:
• Operating systems and versions
• Open network ports
• Services listening on open ports
• Data leaked by services (banner grabbing, etc.)
Why Authenticated Scanning?
More detections
• Some items can’t be discovered without authenticating to the target
More accuracy
• Reduce false positives
• Obtain more detailed information about remotely-discovered vulnerabilities
Better Reporting and Analysis
• More complete patch requirements
• Increased trend analysis for overall security posture
• Complete visibility into the state of the target system
Privileged Account Management in a Nutshell
A password vault is NOT a true PAM solution
• Privileged accounts = Non-human account (Root, Local Admin, Domain Admin, etc.)
• Control, Audit and Monitor
• Rotate passwords on a regular basis – Better security
• Limit who can access the credentials, reducing exposure of these passwords
• Automate processes to reduce staff overhead
PAM Components (Control, Auditing, Monitoring)
- Password Rotation
- Account Discovery
- Access Control to Credentials and Target
- Action Logging
- Who Accessed the Account?
- Check In/Out
- Session Recording
- Event Notifications
- Heartbeat Check of Credentials
Putting it into Perspective
Ventas Implementation
• Origin of Vulnerability Analysis program
• Origin of Secret Server need and implementation
• What was the security program like before either product?
• Timeframes for implementation
• What obstacles were found?
Nexpose and Secret Server Integration
• Integration comes in the form of a Ruby Gem and can be easily scheduled
• Prerequisites:
  • Credentials configured within Thycotic Secret Server with access to the Rapid7 service account
  • Credentials configured within Rapid7 Nexpose
  • SiteIDs for the Nexpose Sites to be managed
Nexpose and Secret Server Integration: Configuration (part 1)
• Within a Ruby environment, install the nexpose_Thycotic-0.0.4.gem obtained from Rapid7 (or Google)
• Set required Environment Variables:
  • Thycotic URL – https://hostname/SecretServer/webservices/SSWebservice.asmx?wsdl
  • Rapid7 URL – hostname only; must match the certificate; no https://
  • Thycotic Secret Server – Username and Password
  • Rapid7 Nexpose – Username and Password
Nexpose and Secret Server Integration: Configuration (part 2)
• Modify the nx_Thycotic.rb file to include the SiteIDs you wish to change, e.g. sites = [5,9,18,23]
• Set the environment variables, then run the script
• Example of the commands to run (Windows):
setx THYCOTIC_URL https://passwords.company.com/SecretServer/webservices/SSWebservice.asmx?wsdl
setx THYCOTIC_USER Thycotic_user
setx THYCOTIC_PASS P@ssw0rd1
setx NEXPOSE_URL rapid7.company.com
setx NEXPOSE_USER Rapid7_user
setx NEXPOSE_PASS P@ssw0rd1
nx_Thycotic.rb
Note: setx writes the variables to the registry for future sessions only; the command prompt you typed them in does not see them, so open a new prompt (or scheduled-task session) before running the script.
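As an added illustration of the configuration rules above (not code from the nexpose_Thycotic gem), the following Ruby checks the six environment variables the integration expects, enforcing the "?wsdl" endpoint for Secret Server and the bare-hostname rule for Nexpose, and then runs a per-site sync loop; the vault lookup and scanner update are injected callables, since the real gem's internal calls are not reproduced here.

```ruby
require 'uri'

# The six variables the integration reads (names taken from the setx example above).
REQUIRED_VARS = %w[THYCOTIC_URL THYCOTIC_USER THYCOTIC_PASS
                   NEXPOSE_URL NEXPOSE_USER NEXPOSE_PASS].freeze

# Returns an array of configuration problems; an empty array means the config is usable.
def validate_config(env)
  problems = REQUIRED_VARS.select { |k| env[k].to_s.strip.empty? }.map { |k| "#{k} is not set" }
  return problems unless problems.empty?

  # Secret Server URL must be the SOAP endpoint with ?wsdl so the client can load the contract.
  t = URI.parse(env['THYCOTIC_URL']) rescue nil
  problems << 'THYCOTIC_URL must be an https URL' unless t.is_a?(URI::HTTPS)
  problems << 'THYCOTIC_URL must end in ?wsdl' unless t && t.query == 'wsdl'

  # Nexpose value is a bare hostname that must match the console certificate: no scheme, path or port.
  nx = env['NEXPOSE_URL']
  problems << 'NEXPOSE_URL must not contain a scheme (no https://)' if nx.include?('://')
  problems << 'NEXPOSE_URL must be a hostname only (no path or port)' unless nx.match?(/\A[a-z0-9.-]+\z/i)
  problems
end

# Sync loop over the configured SiteIDs: look up the vaulted credential for a site and
# hand it to the scanner. fetch_secret(site_id) -> {username:, password:} or nil, and
# set_site_credential(site_id, user, pass) are hypothetical interfaces injected by the caller.
def sync_sites(sites, fetch_secret:, set_site_credential:)
  sites.each_with_object({}) do |site_id, results|
    secret = fetch_secret.call(site_id)
    if secret.nil?
      results[site_id] = :no_secret   # nothing vaulted for this site; leave scanner untouched
      next
    end
    set_site_credential.call(site_id, secret[:username], secret[:password])
    results[site_id] = :updated
  end
end
```

Run validate_config(ENV) before sync_sites in a scheduled job so a misconfigured URL fails fast instead of silently leaving sites on stale credentials.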
Vulnerability Data before Authentication
A total of 3 vulnerabilities found on a target host.
Vulnerability Data after Authentication
158 total vulnerabilities found (118 Critical) on the same target host
COMPARING THE DATA
Non-Authenticated Scan Results:
• 3 total vulnerabilities found
• No critical vulnerabilities found
• No application vulnerabilities detected
Authenticated Scan Results:
• 158 total vulnerabilities found
• 118 critical vulnerabilities found
• Application vulnerabilities and missing patches detected
Results at Ventas
• Better overall visibility across environments
• Reduced risk from exposure of privileged credentials
• Huge reduction in total vulnerabilities
• Improved security audit results
• Foiled external pen tester’s attempts to gain Domain Admin creds for the first time in 5 years
Resource Documents
• Bryan’s post for the Integration How-to: http://www.itdiversified.com/configuring-integration-between-thycotic-secret-server-and-rapid7-nexpose/
• Contact Rapid7 Support for Nexpose Configuration and Integration Guide
Questions?