ITHQ LTD

Rapid7 InsightVM Continuous Vulnerability Assessment

InsightVM provides highly available, scalable & efficient vulnerability assessments and risk scoring.

InsightVM discovers vulnerabilities in real-time and prioritizes them for your team with executive reporting to ensure you're actually reducing risk across your organisation.

Features

  • Real Risk Prioritisation
  • Live Dashboards
  • IT-Integrated Remediation Projects
  • Cloud and Virtual Infrastructure Assessment
  • Container Security
  • Integrated Threat Feeds
  • Goals and SLAs
  • Policy Assessment
  • Automation-Assisted Patching
  • Automated Containment

Benefits

  • Actionable vulnerability intelligence
  • Risk prioritisation
  • Remediation assistance and automation
  • Integration with ticketing systems to drive workflows
  • Highly scalable

Pricing

£5 to £18 a device a year

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at transform@ithq.pro. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

9 0 4 7 2 1 5 6 8 0 1 4 3 1 2

Contact

ITHQ LTD Dale Nursten
Telephone: 02039977979
Email: transform@ithq.pro

Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Integrates with InsightIDR to provide risk intelligence to SIEM data.
Cloud deployment model
  • Public cloud
  • Hybrid cloud
Service constraints
Console/Engine has a minimum requirement of a dual-core processor with 8GB RAM and 100GB of HDD. This will allow you to scale to ~1000 assets. Further hardware configurations are available for up to 400,000 assets.
System requirements
https://www.rapid7.com/products/insightvm/system-requirements/

User support

Email or online ticketing support
Email or online ticketing
Support response times
S1 - Critical - <2 hours S2 - High - <4 business hours S3 - Medium - <12 business hours
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
None or don’t know
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Customer Support Levels: https://www.rapid7.com/globalassets/_pdfs/whitepaperguide/rapid7-customer-support-guidebook.pdf/

Technical Account Management: https://www.rapid7.com/contentassets/27cecc8df3274f698972f0c2a69e6b40/rapid7-technical-account-management-support-brief.pdf/
Support available to third parties
Yes

Onboarding and offboarding

Getting started
We can provide onsite, online and pre-packaged training for all users. This service is highly customisable and flexible offering options to match your budget and schedule. There is plenty of free online help, webinars and support offered by Rapid7 directly or you can have tailor made training and implementation from ITHQ.
Service documentation
Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction
If you opt to end your engagement with Rapid7, you have the opportunity to collect and transfer any data on the platform.
End-of-contract process
At the end of a contract, you will have the opportunity to collect and transfer any data possible to export. If you request that Rapid7 delete all of your data, the request will be processed within 14 days. No additional fees apply.

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 7
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Yes
Compatible operating systems
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices
No
Service interface
Yes
Description of service interface
The console allows you to configure scanning, locations, asset grouping, asset tagging and reporting. There is also advanced dashboarding and reporting available.
Accessibility standards
None or don’t know
Description of accessibility
Details available on request
Accessibility testing
Details available on request
API
Yes
What users can and can't do using the API
InsightVM offers the InsightVM Application Programming Interface (API) Version 3. This API supports the Representation State Transfer (REST) design pattern. Unless noted otherwise, this API accepts and produces the application/json media type. This API uses Hypermedia as the Engine of Application State (HATEOAS) and is hypermedia friendly. All API connections must be made to the security console using HTTPS.
Documentation for the RESTful API Version 3 is available here: https://help.rapid7.com/insightvm/en-us/api/index.html
API documentation
Yes
API documentation formats
  • Open API (also known as Swagger)
  • HTML
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
InsightVM is highly configurable to meet specific customer requirements. Users can customise dashboards, reports, scan schedules, scan templates, configurate and compliance policy templates, alerts, sites, asset groups, role based access controls, and more.

Scaling

Independence of resources
Cloud components are hosted in AWS. Rapid increases in CPU, memory, storage, and networking capacity are performed on demand to meet the scaling and performance needs of enterprise customers. There are currently more than 9000 customers using the platform globally.

Analytics

Service usage metrics
Yes
Metrics types
All logins and changes are audited and available in reporting.
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra support
Organisation whose services are being resold
Rapid7

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • European Economic Area (EEA)
  • Other locations
User control over data storage and processing locations
Yes
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Encryption of all physical media
  • Other
Other data at rest protection approach
All of the data processed and stored is encrypted at rest using various file or disk level encryption mechanisms. Data is encrypted using industry standard AES-256 encryption with keys managed through AWS’s Key Management Service (KMS). Where possible, Rapid7 utilizes AWS’s services to manage encryption at rest (e.g. S3, EBS, RDS, etc.). When not possible, Rapid7 utilizes block level encryption provided by LUKS. Block level encryption is used for ElasticSearch (only used to index some asset metadata). For all other persistence technologies/layers, AWS KMS is used.
Data sanitisation process
Yes
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
InsightVM supports data exports, real-time alerts, scripted API integrations to deliver results and coordinate activity between these solutions. Depending on the type of integration desired and the solution in place, InsightVM data can be delivered and custom functionality can be created enabling integrations.
InsightVM provides a variety of reports in parseable formats. Reports can be created for human delivery in PDF, RTF, Text, HTML, and XML, or in parseable formats including CSV export, a variety of XML exports, and direct-to-database export. Report content is based on the report template selected as well as filter criteria for vulnerability types and severities.
Data export formats
  • CSV
  • Other
Other data export formats
  • PDF
  • XML
  • RTF
  • HTML
  • Multiple machine readable formats (CSV etc)
Data import formats
CSV

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
During the term of Customer’s subscription, the Service will perform in accordance with and subject to this Service Level Agreement (“SLA”). Rapid7’s target is 100% System Availability. If the System Availability during a given month is less than 99.95%, Customer may be eligible for a credit (“Service Credit”), which is the sole and exclusive remedy for any failure to meet the SLA.
Approach to resilience
Rapid7 maintains a Business Continuity Plan for the Insight platform. The primary goal of this plan is to ensure organizational stability, as well as coordinate recovery of critical business functions in managing and supporting business recovery in the event of disruption or disaster. Thus, the plan accomplishes the following: • Ensures critical functions can continue during and after a disaster with minimal interruption; • Identifies and decreases potential threats and exposures; and • Promotes awareness of critical interdependencies. We can share a high-level overview of our Business Continuity Plan for the Insight platform upon request.
Outage reporting
Service status is available at status.rapid7.com. Users may elect to subscribe to notifications from this site.

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Username or password
Access restrictions in management interfaces and support channels
All access is granted through role-based access controls and utilises a least privilege and zero trust approach. Members of the team using InsightIDR can be made Administrator (full access), Investigator (Incident-only access), or Read Only. These roles will limit the functional access of the user, but will not restrict the data that is accessible in InsightIDR. Creating this three-level structure allows interested members outside of the security team to gain insight into the network and view incident alerts without disrupting the workflow of others.
Access restriction testing frequency
At least once a year
Management access authentication
  • 2-factor authentication
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
At least 12 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
Yes
Who accredited the PCI DSS certification
SAQ
PCI DSS accreditation date
2018
What the PCI DSS doesn’t cover
Rapid7 is SAQ (Self Assessment Questionnaire) compliant in alignment with our bank’s PCI guidelines, and we can provide a PCI certificate
Other security certifications
Yes
Any other security certifications
SOC2 Type II

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
The Insight platform is hosted by AWS. All AWS compliance and audit reports, including SOC 2, SOC 3, FedRAMP Partner Package, ISO 27001:2013 SoA etc. are easily accessible
Information security policies and processes
The Information Security team distributes relevant policies internally upon hire, including the Rapid7 Acceptable Use Policy, which addresses the following standards: Asset Usage, Data Protection, Secure Access, Software Usage, Monitoring, Loss and Theft, and Physical and Computer Security. The Information Security and Information Technology groups are responsible for monitoring compliance with data security policies and procedures. Users found in violation of information security policies may be subject to disciplinary action, up to and including termination of employment and legal action. When required, Information Security will work with Legal and People Strategy to address any instance of noncompliance.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Rapid7 applies a systematic approach to managing change so that changes to services impacting Rapid7 and our customers are reviewed, tested, approved, and well communicated. Separate change management processes are in place for corporate IT systems and Insight platform systems to ensure changes are tailored to the specifics of each environment. The goal of Rapid7’s change management process is to prevent unintended service disruptions and to maintain the integrity of services provided to customers. All changes deployed to production undergo a review, testing, and approval process.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
The Information Security team continuously monitors Rapid7’s corporate IT and Insight platform environments for system vulnerabilities in accordance with formally documented vulnerability management processes and procedures. Information Security conducts network and agent-based vulnerability scans of these environments on a continuous basis using InsightVM, with new vulnerability results coming in daily or weekly. Information Security partners with Rapid7’s Managed Vulnerability Management team to augment our vulnerability management processes.Rapid7 also utilizes InsightAppSec and Information Security partners with Rapid7’s Managed AppSec team to monitor Insight platform and Rapid7 web properties for web application vulnerabilities.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
The Platform Security team ensures security is built into our products by providing security requirements, code analysis, and infrastructure configuration monitoring throughout multiple stages of our software development lifecycle
Incident management type
Supplier-defined controls
Incident management approach
Rapid7 uses InsightIDR to monitor on-premises and cloud environments for security incidents. Information Security partners with the MDR and Incident Response services teams to augment Rapid7’s incident response program. InsightIDR alerts are regularly reviewed by analysts and escalated via a paging system when indications of potentially malicious activity are detected.Rapid7 maintains a formal Incident Response process for analysis, containment, eradication, recovery, and follow up in the event of a security incident. Rapid7 will notify customers of any breaches affecting their data within 48 hours. For other breaches, Rapid7 will follow internal policy and all applicable federal, state, and local laws

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks
No

Pricing

Price
£5 to £18 a device a year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
30 day trial - full functionality.
Link to free trial
https://www.rapid7.com/products/nexpose/download/

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at transform@ithq.pro. Tell them what format you need. It will help if you say what assistive technology you use.