Core Security is a pioneer in vulnerability management. Since early on, Core has focused on penetration testing with its Core Impact product. Impact is largely a manual system, but does have some good automation. Automation in pen testing is unusual and often is frowned on by hard-core pen testers. To accommodate them, Impact allows manual testing using supplied scripts, writing your own scripts, or modifying their scripts to be a bit more purpose-built for a particular environment. Now, Core has added Insight, a tool with the best of all worlds and, in fact, it includes Impact as part of its pen testing capability.
Insight adds some important capabilities. Put very simply, it automates much of the vulnerability management workflow beginning with asset discovery. This really is a next-generation tool. It takes in network topology based on a database of over 100 routers and firewalls, known exploits and data from other scan engines - should you opt not to use the PCI-approved network and web scanner that comes with the tool. The network topology is based on provided profiles.
We tested Insight against Core's target range of different machines and applications. The results were quite satisfactory. The tool can auto-discover and profile host operating system, host type, open ports, services and interconnectivity to other devices and networks. It knows real-world exploits and matches them against exploits you use against devices in your enterprise. This allows the tool to determine likely attack paths and risk of compromise.
The tool starts by using its vulnerability scan along other known information about attacks, exploits and vulnerabilities to create a threat model that is used for attack simulation. This goes back to the notion of reachability. By understanding attack paths one can interdict the delivery step of the kill chain and stop the attack from having a significant impact. This also allows exploit validation in the context of the assessment. The modeling process simulates the approach the bad actors would take in one's particular enterprise. This gives the entire vulnerability management process a real-world flavor rather than a lab exercise.
Finally, one can use Impact - included now as part of Insight - to validate exploits found by the scanner and simulation. This, by the way, is not the sort of scanner one may be used to. Rather than let admins perform the scans, it does that for the user based on intelligence it gathers both on the enterprise and externally. Using its Attack Intelligence Platform, Insight calculates attack paths, probable exploits and other things that an attacker attempting to breach an enterprise would take into account and runs the simulation. One can use that to perform actual exploits much as the attacker would perform them.
Reporting is excellent and, while remediation is manual by IT staff, the reports are detailed enough to facilitate rapid and effective remediation. Documentation is exactly what one would expect from Core and virtually all of it is available from the help right at one's fingertips. The website is complete with lots of support resources, both before and after purchase of the product. Of particular interest to us is the exploit database. While it is true that this replicates the exploits available on Core tools, it also is an excellent reference.
At $66 per asset at 1,000 assets, Insight is a bit on the high side. However, this is an (almost) full-featured vulnerability management tool. From a functionality perspective, we wish that Core had taken that last step to stich in either integrated patch management or hooks into popular third-party patch management tools. Other than that, we were quite impressed by Core's latest offering.