Risk I/O Now Integrates With OpenVAS

Posted on 06. Oct, 2014 by in Feature Release, Network Scanners, Open Source, Risk I/O, Vulnerability Assessment

Last week we quietly launched our 26th and latest connector. With our latest integration our customers can load their OpenVAS results directly into Risk I/O for threat processing and prioritization.OpenVAS Vulnerability Integration

To take advantage of the OpenVAS integration, navigate to the Connectors tab and click New Connector. From there select the OpenVAS connector, name it and save it. You can then click the Run button on your OpenVAS connector. This will prompt you to upload your XML output that you generated from your OpenVAS scanner. Select the location of the XML file or simply drag and drop it into your browser.

Remember that this connector allows Risk I/O to consume scanner output directly from OpenVAS along with a number of tools that use OpenVAS under the hood.

If you’re not currently a Risk I/O customer you can sign up for a free 30-day trial and give our OpenVAS integration a whirl.

11 Tips and Tricks for the RIO Power User

Posted on 18. Aug, 2014 by in Risk I/O, Vulnerability Intelligence

1. Keyboard Shortcuts
Keyboard shortcuts are available from the home screen. Want to know what they are? Click the Keyboard Shortcuts link in the bottom right sidebar or just <shift>+?

2. Threat Trends Click-Through
Clicking on any of the attack or breach bubbles within the threat trends view will filter your assets by only displaying those that are vulnerable to that attack or exploit. Didn’t know threat trends existed? Go to the dashboard and open the threat trends “drawer” by clicking on it in the bottom of your screen.

3. Threat Trends History
Speaking of threat trends and keyboard shortcuts, there’s a hidden shortcut within threat trends. By clicking on the left and right arrows, you can page through threat trends historically one week at a time.


4. Bulk Editing
You can edit multiple assets and vulnerabilities at a time using the bulk editing menu. To edit multiple assets or vulnerabilities at once, just select the ones you want to edit with the checkbox on the left side of the asset and vulnerability table. At the top right of the table you’ll see our bulk editor. For assets, you can set their priority score, add and remove tags, and mark them inactive or active. For vulnerabilities, you can create a Jira ticket (requires a Jira connector) or edit any custom fields. Didn’t know we had custom fields??

5. Custom Fields
In addition to tagging assets you can create custom fields for vulnerabilities. To define a new custom field, click the gear icon in the upper right and choose custom fields. Click New Custom Field. Complete the form by naming the field, provide an optional description, select the field data type (string, numeric, or date), and if you’d like to filter your vulnerabilities on this field check the faceted search box then save it.

Once you have defined your custom fields you can add them to vulnerabilities either in bulk via the method above or on an individual vulnerability. To define for an individual vulnerability, just click on the vulnerability details arrow from the home screen and then click edit on the right hand side of your screen. Assign your own creative values to your custom hearts content.

6. Heads Up Display (HUD)
Our Heads Up Display is accessible from the home screen by clicking on the bar chart in the upper right corner. Opening up the HUD displays a breakdown of the CVSS metrics and subscores of the vulnerabilities currently under review. You can click on any of the values within the charts to filter your vulnerabilities by those values.


7. Compare Teams/Applications/Networks/BUs via Tagview
You can compare any set of assets side-by-side with meta data using the tag view within the dashboard. Want to compare multiple teams, different applications or maybe even business units against each other? Within the dashboard select the tag view tab and enter the tagged assets you’d like to compare to each other in the tag filter box. For easier comparison, you can select either stacked or grouped charts.


You can restrict access in RIO using Role Based Access Control (RBAC). First you’ll need to create a role by clicking the gear in the upper right of your screen and selecting user roles. Select New Role and complete the form including naming the role, selecting whether the role will have read only or read+write access and then entering the tag(s) to the assets this role will have access to. Next save the role.

Assign a user to a role from the gear in the upper right select users. You can edit an existing user or create a new user. In the user form select the role from the role drop down and save it. Done.

9. Search by IP Range
If you want to find assets by an IP range, you can use the search box in the home screen. An example of a search query by ip range would be:

ip_address_locator:[ TO]

This will produce a list of assets in your 10-dot network.

If you want to find all of your internal RFC 1918 assets you could perform a search like:

ip_address_locator:[ TO] ip_address_locator:[ TO] ip_address_locator:[ TO]

You can also perform a negative search. For example, you could take the same search above and find any asset that doesn’t have an RFC 1918 internal address by adding a ‘-‘ in front of the key to look like this:

-ip_address_locator:[ TO] -ip_address_locator:[ TO] -ip_address_locator:[ TO]

10. Jira Ticketing
If you use Jira for trouble ticketing or bug tracking, you can send vulnerabilities for remediaiton to Jira directly from Risk I/O. You can send multiple vulnerabilities to a single ticket in Jira using the bulk editor as described above. You can also send an individual vulnerability to Jira by opening up the vulnerabilities details page and clicking the Create Jira Issue button on the right side panel. After you submit the issue, we’ll persist the issue ID, assignee, due dates and it’s status within the vulnerability details in Risk I/O.

11. RESTful API
Did you know we have a robust RESTful API? You can find the full doc here: https://api.risk.io

Risk I/O Needs YOU

Posted on 30. Jul, 2014 by in Risk I/O

At Risk I/O our number one goal is making the web and our customers safer by using real-world data to drive security decisions. We work hard to collect information across the Internet that can act as a “neighborhood watch” for our customers. Because we believe our work is critically important, we look for people that are equally as passionate about what they do and how they do it.The Team

Everyone these days talks about how they’re going to “change the world” but truthfully this just seems like something companies say. We like many, offer a number of benefits while working at Risk I/O. Make no mistake that these are important and ultimately help define the culture… but you have to believe what you’re building makes a difference as everything else can easily be replaced by the next recruiter to hit you up on LinkedIn or Twitter.

We are a data-driven company in everything that we do. Whether it’s solving complex security issues for our customers, prioritizing a product roadmap or just figuring out when’s the best time to hold a stand-up, we use data to help make informed decisions. We won’t hesitate to kill a feature that isn’t proven to be valuable by our customers.

Because we believe that what everyone is working on is valuable, you won’t find yourself toiling away on an internal project that never sees the light of day. If you’re engineer we guarantee your code will see its way into production, often in your very first week. We value feedback and openness. Contributing back via charity and open source is important to us and our team as is evident with projects like slackr, bouncer and others.

As a culture, we love working with smart people but humility is equally important. The “no rockstars” rule is an important one. We work very closely together but can also be geographically distributed. We have offices in Chicago and San Francisco but we also have a guy who lives in an Airstream. As important as our work is to us, we try to make it fun. Whether it’s hardware hacking on our newest kegbot, bringing your dog along to work or just going out with co-workers after work, we believe these are all important parts of “the job”.

Other perks that help include unlimited paid time off, medical, dental and vision coverage, 401K (coming soon), free unlimited bike sharing service in Chicago and SF, oh and did I mention that kegbot is making it’s way to the office?

I wrote this post with an interest in finding like minded people to help our cause. If this is you… we’re hiring. Our current needs include engineers, designers and sales but we’re always on the look out for great talent. Thanks for taking the time to read this and I hope you join us.

Announcing Our Latest Integration: Beyond Security

Posted on 05. Jun, 2014 by in Network Scanners, Risk I/O, Static Analysis, Vulnerability Assessment

Beyond Security Web Application Security

At Risk I/O, we’ve always made it our mission to integrate with the scanner tools used most. That’s why we’ve added integration with the BeyondSecurity AVDS web scanner to our vulnerability threat management platform.

With the new BeyondSecurity AVDS connector, you can discover and eliminate your network’s most serious security weaknesses. Simply sync your scan data via our new connector and Risk I/O will continuously process it against active threats from our threat processing engine. Risk meters can be used to pinpoint your exposure to active Internet attacks and breaches and to prioritize the vulnerabilities putting you at greatest risk.

Setting up your BeyondSecurity AVDS connector in Risk I/O, like our other connectors, is easy and requires simply adding it to your instance through the Connectors tab. Not a Risk I/O customer but would like to try out the integration? Signup for a free account and sync your scan data now.

Introducing Nessus Auto-Close with Risk I/O

Posted on 13. Nov, 2013 by in Network Scanners, Remediation, Risk I/O, Vulnerability Assessment

Our Latest Nessus Connector

Our latest Nessus connector auto-closes remediated vulnerabilities and tracks state.

One of the common issues with running multiple siloed scanners is tracking the state of vulnerabilities over time. Which vulnerabilities should be closed based on my subsequent findings (or lack thereof)? This problem can be exacerbated when centralizing these point scanners into a central repository such as Risk I/O. Our  Nessus connector now tracks the state of all reported vulnerabilities and auto-closes any that have been remediated.

With the latest updates to our Nessus connectors we address this problem, making managing state and programs much simpler. Now when you run your Nessus connector we analyze all of the plug-ins and scan policies used, as well as which assets were scanned in order to determine which vulnerabilities are no longer present as compared to previous scans. This works with both our Nessus API connector as well as our Nessus XML connector. When using the Nessus XML connector, just load the files in chronological order to ensure Risk I/O auto-closes correctly; for the Nessus API connector we’ll handle all of those details for you.

To fully automate the management of these Nessus findings, you can use the Risk I/O Virtual Tunnel to connect to your on-premise scanner and schedule and import findings automatically. From there, Risk I/O will analyze your findings via our processing engine matching them against any threats including exploits and breaches we observe across the Internet.

We’re big believers in automation in order to scale security programs, allowing your team to focus on fixing what matters. If you already have a Risk I/O account, give our new Nessus connector functionality a try. You’ll find it in the Connectors tab. If you don’t yet have an account, you can sign up and give it a whirl.

Introducing the Risk Meter

Posted on 08. Oct, 2013 by in Data Analysis, Data Science, Feature Release, Launch, Metrics, Threats and Attacks, Vulnerability Intelligence

Risk Meter

You may have noticed we’ve been publishing a lot of information lately on what factors go into the likelihood of a successful exploit. Our presentation at BSidesLV and subsequent events touched on some of the work we’ve been doing based on our processing of over a million successful breaches we have observed across the internet. While this data continues to grow we’ve been able to glean some great insights into what factors matter most when making remediation decisions.

Our data-driven approach is leaving us pretty excited about our latest feature to hit Risk I/O, the Risk Meter. The Risk Meter takes a number of factors into account including: Exploit Analytics, Asset Prioritization, and Adjusted CVSS. Take a look at the Risk Meter FAQ for more information on rankings.

Because the Risk Meter is an asset-driven model, you’ll naturally find it in the Assets tab. As you apply filter and search criteria to your assets, the Risk Meter score will change to reflect the current group of assets you are viewing.

Want to see a patch report that reflects those assets and Risk Meter? Just click the patch report button directly beneath your meter.

Want to save the Risk Meter for that asset group to your dashboard? Click the save button and it will automatically save that group into your Risk Meter dashboard.

Risk Meter Dashboard

The Risk Meter dashboard gives your team and management a quick, at-a-glance view of your vulnerability and exploit risk across your business, categorized by what’s meaningful to you. Each Risk Meter in your dashboard will display your current real-time score as well as summarize each one with information on the number of vulnerabilities and assets, how many vulnerabilities are easily exploitable, how many are being observed as breaches in the wild, how many are popular targets, as well as the number that have been prioritized.

If you already have a Risk I/O account, feel free to check it out now in your Assets tab. Don’t have an account? Sign up for a free trial.

Nmap + Risk I/O = Peanut Butter + Chocolate

Posted on 03. Sep, 2013 by in Feature Release, Network Scanners

No, I’m not speaking of a fancy new risk formula, but rather about one of our most popular integrations: Nmap.

Nmap can be a pretty powerful tool for asset discovery and figuring out what services and ports are open across your network. It can also be a great way to find configuration issues that could result in security weaknesses for your environment. By combining Nmap with NSE scripts you can even pull Common Vulnerabilities and Exposures (CVE) in some cases.

In Risk I/O, we add context to your vulnerabilities in order to prioritize the most critical.

You can now filter your assets by service name, port, protocol, and product.

Adding data from vulnerability scanners can make for a more complete picture and help factor in to remediation decisions. This is where Risk I/O plays a starring role. Combine this with some news ways to slice-and-view the data within our asset tab to get that holistic view of your network. You can now filter your assets by Service Ports, Service Names, Protocols and Products among other things. Want to see where telnet might be exposed in your DMZ or understand where you might be running a prohibited service? It’s as simple as a single checkbox in Risk I/O.

While filtering can make issues easy to find, there are also side benefits to this. For example, we learned many of our customers in the Energy sector are using this as part of their compliance efforts with their NERC CIP ports and services requirement (PDF). By identifying those through these easy-to-use filters and saving that as a saved search, they have a single click to provide the necessary documentation to their auditors or identify any prohibited services. I’ve included a very brief video below on doing just that.

If you’re already a Risk I/O customer, give the new facets in the asset tab a try. I’d love to hear about any use cases you may have. If you’re not currently a customer, you can sign up for free and give it a spin.

Introducing Quick Lists

Posted on 24. Jul, 2013 by in Feature Release, Launch, Pricing, Threats and Attacks, Vulnerability Database, Vulnerability Management

As you may have read, the Risk I/O platform now correlates live Internet attack data with your vulnerabilities. As your vulnerabilities are processed, we append any vulnerability with additional data around attacks, threats, or exploits. Together, they help to identify where attacks are most likely to occur within your environment.

With the addition of this data, Risk I/O is now able to help you to better prioritize the most critical vulnerabilities. Risk I/O has used this data to create Quick Lists, a new feature available on our Vulnerabilities page.

Vulnerability Page with Facets

Quick Lists are a set of facets that inform you of the vulnerabilities in your data that are putting you most at risk for a breach. Quick Lists are made up of the following facets:

  • Top Priority – Vulnerabilities listed in the most efficient way to reduce your risk.
  • Active Internet Attacks – Vulnerabilities with known attacks occurring right now.
  • Easily Exploitable – Vulnerabilities with known exploits.
  • Popular Targets – Vulnerabilities present in many environments including yours.

You can filter the vulnerabilities listed in your Vulnerability Table by facet. Simply select the facet and the results in the table will update.

The Top Priority filter identifies your highest priority vulnerabilities (those which will most improve your security posture if addressed). Although the vulnerabilities listed in each facet are determined by your vulnerability data (as well as the Internet attack data we append to each vulnerability), you can add vulnerabilities to the Top Priority list by flagging them.

In addition to the new Quick List feature, we are also introducing new pricing for our vulnerability intelligence platform. Our platform is now available for $1 a month per asset*, with volume discounts available. You can talk to the Risk I/O Sales Team regarding a quote or for more information. We will continue to offer a 30-day free trial of a complete version of our platform (with all features available). If you haven’t taken Risk I/O for a spin before, you can sign up right on our website.


*An asset is a server, IP address, router, app, or any other entity that a security scanner examines for vulnerabilities.

A Conference By Any Other Name

Posted on 14. May, 2013 by in Event, Metrics, Risk I/O, Vulnerability Management

HelloKittyMyNameIsLast week I had the opportunity to present at the Best Practices for Technology Symposium. I have to be honest, I’ve never heard of this event and given the name it’s easily missed. In fact, given my recent post on “best practices” and vanity metrics I would have likely avoided an event with such a name. But that would have been a mistake.

Gene Kim introduced me to Fred Palmer who runs this event which is why I seriously considered it. It turns out it’s nothing like what I thought but rather more than two days of emerging technology companies presenting some of their latest tech. I only wish I knew about this event earlier and I wish that I’d known the format was so open. It’s refreshing to hear an audience that actually wants to talk about whether or not the solution you’re pitching works for them rather than the thinly veiled sales pitch cloaked as thought leadership. Having been a practitioner the majority of my career, I think this format is sorely needed. Fred has done a great job bringing together interesting security technologies and providing open and honest feedback. Much like IANS, it has a great workshop format in an informal setting.

One question during the workshop really resonated with me:

Do you think organizations know what’s important to them?

Of course, the sad truth is “it depends.” We were talking about creating a platform like Risk I/O that was created with flexibility in mind. This allows users to slice the data into views that are important to them in order to get better and faster insight. But this is a valid question. What if the organization isn’t sure where to start or what should be important to them? We like to think our priority and trending along with the Heads Up Display are a great start but we will continue to help our customers by flagging and alerting on issues we see as important while maintaining transparency and flexibility. These go well beyond the standard CVSS calculators and take into account real in-the-wild information.

A common question we get is “What are the metrics others are using to measure themselves against?” We will continue to share important metrics to help teams jump-start their programs. It’s great to see practitioners getting together and sharing information that will benefit and raise the bar, and we’ll continue on our mission in helping you gain visibility into what’s important.

Best Practices = Vanity Metrics

Posted on 21. Mar, 2013 by in Industry, Metrics, Security Management, startup

After recently reading a post from Gary McGraw at Cigital arguing for software security training, I became a bit frustrated with cited “evidence” and posted this out on Twitter and received a short follow up from Lindsey Smith over at Tripwire…


Now let me say upfront, I have a lot of respect for Gary and his work AND actually agree with him on the subject of software security training. I’ll get into the why I agree with him in a bit. That said, here’s where my frustration comes in. Gary references the BSIMM as evidence that software security training works. Evidence? I find the BSIMM interesting but it leaves the taste of vanity metrics in my mouth. For those of you not familiar with the term vanity metrics, Eric Ries talks about them a lot as part of The Lean Startup:

“Actionable metrics can lead to informed business decisions and subsequent action. These are in contrast to “vanity metrics” – measurements that give “the rosiest picture possible” but do not accurately reflect the key drivers of a business. Vanity metrics for one company may be actionable metrics for another. For example, a company specializing in creating web-based dashboards for financial markets might view the number of web page views per person as a vanity metric as their revenue is not based on number of page views. However, an online magazine with advertising would view web page views as a key metric as page views as directly correlated to revenue.”

I think the BSIMM and best practices within information security often fall under the definition of vanity metrics. There are things I like about the BSIMM and it’s a great start but only focuses on one half of the data. Telling me what many companies are doing for their security controls becomes a lot more interesting when you also tell me how those controls faired over time. I would love to see the BSIMM and other models like it evolve into an evidence-based set of controls. Today, they certainly should not be cited as evidence that any control within them works as we’re completely missing that side of the picture. This is also not a post to pick on BSIMM but rather an attempt to call out our industry citing best practices without evidence.

I mentioned earlier in this post that I actually agree with Gary on software security training. The reason I can say this is based on evidence, not best practices. At my former employer, we implemented a number of measurements around application defects and specifically security defects. We also did various software security training exercises both internally and with help. As part of this we measured things like defect rates and density within specific groups both before and after. We continued these measurements over time and saw material drops in most categories. Was it completely due to training? No, but we saw a measurable impact each time that correlated with a specific set of training. It’s evidence similar to that I’d like to see combined with a set of “Best Practices.” At best, best practices are a set of things that others *may* be doing; at worst they are meaningless vanity metrics.