Rapid7 InsightVM: Review | Security Weekly Labs

September 23, 2021
  • The work necessary to set up monitoring for scans and ensure they continue to run correctly
  • The work necessary to build and pull regular reports for management, meetings, etc.
  • Managing the underlying operating systems for each scan engine
  • Product cost: Rapid7’s pricing calculator stops at 1,000 assets and our example assumes twice that, so we’ll use the 1,000-asset price ($1.63 per month per asset) to be conservative. The total for 2,000 assets comes to $39,120 per year.
  • Deployment cost (labor): As previously mentioned, we’re estimating labor for junior-level folks. Using the salary estimates you can check out in the methodology document, 40 hours of labor comes to $1,346. Add onto this four hours for the one-off task of making sure someone gets notified when scans break, for an additional $134.60.
  • Deployment cost (infrastructure): If deploying to bare metal, plan on three modest 1U servers meeting Rapid7’s recommendations, for around $1,500 apiece ($4,500 total). Or use those old dusty ones in a corner. Or ask the vSphere admins nicely for some resources.
  • Maintaining value (labor): this breaks down into a few categories
    • Maintenance of the scan engine (e.g., tweaking scan configurations) and the underlying OS: 4 hours per scan engine per month at a junior rate comes to $4,845.60 per year.
    • The work of building and distributing reports and metrics will vary widely depending on the organization, but we’ll say a middle-of-the-road estimate would come to 2 hours per week, for a total of $3,499.60 per year.
    • The work of analyzing and validating vulnerabilities can be the real time killer for a lot of organizations. It’s also tough to estimate, as the workload is heaviest when scanning assets for the first time, and wanes somewhat over the life of the asset. Throw in compliance and regulatory requirements and that workload increases dramatically (e.g., PCI and the need to obtain quarterly clean scans for the QSA). Our estimate, for a non-regulated organization, is going to be 80 hours of work in the first month, going down to 20 hours per month after that initial big push. That initial 80 hours will likely involve senior folks to help triage findings (say, a 50/50 split) and train junior folks on separating signal from noise. We’ll estimate a 25/75 split for the ongoing work, as senior folks continue to validate some of the vulnerabilities and mentor junior staff. The total comes to $13,292.70 per year.
    • Finally, tracking down unknown assets and their owners can also eat a lot of time, and has a similar workload curve that’s heavy on the front but tapers off to a constant value over time. Assuming a split between senior and junior staff that mirrors the previous estimate, we can easily see 40 hours spent on this in the first month and 10 hours per month following. The total comes to $6,646.36 per year.
Figure: The local console

Figure: Dynamic groups reduce management overhead

Figure: InsightVM correlates vulnerabilities with Metasploit and ExploitDB
Adrian Sanabria

Adrian joined SC Media’s parent company, CyberRisk Alliance, in 2020. He focuses primarily on cybersecurity product reviews, but also provides industry insight on trends for both SC Media and Security Weekly (another CyberRisk Alliance company). He brings two decades of industry experience, working as a practitioner, penetration tester, and industry analyst. He spent the last few years as an entrepreneur, challenging norms in sales and marketing for a variety of vendors. Adrian loves to cook, eat, hike, play music and regale his teenagers with stories of what the early days of the Internet were like.