The way we do business has fundamentally changed, and as a result, so must security. Whether it’s legacy modernization initiatives, process improvements, or bridging the gap between physical and digital—most organizational strategies and initiatives involve embracing the cloud. However, investing in the cloud doesn’t come without its complexities.
When organizations adopt new technologies and applications, they inadvertently introduce new opportunities for attackers through vulnerabilities and points of entry. To stay ahead of potential security concerns, teams need to rely on data in order to get an overview of their environment—ensuring protection.
Where this becomes a bigger challenge is two fold:
Security professionals need to secure SaaS applications, but each app has its own methodology for generating and storing vital security and usage data.
Even if a security team puts in the work to centralize all this data, it must be normalized and standardized in order to be usable, which creates more work and visibility gaps.
Elevating Security Posture Around SaaS Applications
As part of our continued commitment to ensuring customers stay future-ready and secure through their cloud adoption, we’re excited to announce our work with AWS on their new service that will continue the effort around data standardization. AWS AppFabric quickly connects SaaS applications across the organization, so IT and security teams can easily manage and secure applications using a standard schema.
By using AppFabric to natively connect SaaS productivity and security applications to each other, security teams can automatically normalize application data (into the Open Cybersecurity Schema Framework (OCSF) format) for administrators to set common policies, standardize security alerts, and easily manage user access across multiple applications.
For Rapid7 customers, InsightIDR will be able to ingest logs from AppFabric so security teams have access to that data—stay tuned for more! This is just one in a series of investments we are making to help secure your cloud infrastructure.
To learn more about how customers are leveraging Rapid7’s elite security expertise and practitioner first platform to elevate their security program, check out our Managed Threat Complete offer.
InsightIDR received a number of exciting updates in Q1 2023, including faster search, a redesigned UI, updated investigations, support for Insight Network Sensor, Enhanced Endpoint Telemetry, and more.
In our effort to empower practitioners to feel confident in their detection and response capabilities, we focused on functionality that accelerates investigation and response time. Below you will find key launches and enhancements from the last three months.
Equipped with new features and better interactivity for a more seamless user experience, the new Log Search provides teams the ability to load selected log sets 3x faster in addition to providing:
Easy share and analysis of Log Search queries.
Customization of log data in Table View, JSON Format, and Condensed Format.
Increased Visibility, More Coverage with Updated Investigations Functionality
InsightIDR now provides more visibility into actions taken during an investigation. The investigation audit log records updates made in the investigation, when those updates were made, and the user who made them. Additional features include visibility in Log Search as a part of the Audit Logs log set.
Additionally, two new options are added in Investigations to help practitioners more accurately describe an investigation’s current state – waiting status and unknown disposition. Teams can:
Use the Waiting status to indicate that the investigation is in a pending state while more information is gathered.
Use the Unknown disposition to indicate that the maliciousness of the investigation couldn’t be determined.
Understand Traffic data via VLANs or Ports with ERSPAN Support for Insight Network Sensor
Security teams can now use Encapsulated Remote SPAN (ERSPAN) with the Insight Network
Sensor to mirror traffic associated with one or more VLANs or ports. When configured, a switch will send the SPAN traffic to a Sensor over IP. This allows teams to deploy a Sensor on whatever platform they want and get a copy of network traffic from a crucial network location such as a core switch. Practitioners can enable ERSPAN on a per Sensor basis from the Sensor Management page.
Enriched Endpoint Response with Enhanced Endpoint Telemetry (EET) Data
InsightIDR customers can now leverage EET (captured by the Insight Agent) and capture endpoint process start metadata to create custom detections, accelerate investigations, and help respond with greater precision. InsightIDR Advanced customers have access to a 7 day view; while InsightIDR Ultimate customers have a 13 month view.
Rapid7 provides organizations the world’s only, practitioner-first security solutions. Each product, including InsightIDR, is purpose-built by practitioners, for practitioners to ensure teams achieve elevated outcomes without compromise.
We’re always working on new product enhancements and functionality to ensure teams can stay ahead of potential threats and malicious activity. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest detection and response releases at Rapid7.
You’re in cybersecurity, so we’ll guess: 2022 crashed in with Log4Shell and, for the most part, got more challenging—never less. So, we kept making tangible improvements to InsightIDR, our cloud-native next-gen SIEM and XDR. We worked with some of our most forward-deployed practitioners: Rapid7 MDR, Threat Intelligence and Detections Engineering, our open source communities, and our customers. New features and functions address pain points and achieve specific goals.
Let’s review some of the highlights:
Accelerated response time with automated Quick Actions
Earlier in the year, InsightIDR launched the Quick Actions feature which provides teams with instant automation to reduce the time it takes to search, investigate, and respond with a simple click. Example use-cases include:
Threat hunting within log search. Using the “Look Up File Hash with Threat Crowd” quick action, teams can learn more about a hash within an endpoint log. If the output of the quick action finds the file hash is malicious, practitioners can choose to investigate further.
More context around alerts in investigations. Leveraging the “Look Up Domain with WHOIS” quick action enables teams to receive more context around an IP associated with an alert in an investigation
“InsightIDR is a real savior, we have reduced our time for log correlation, responding to incidents, not opening multiple tabs and logging into different platforms to understand what happened.”—Abhi Patel, Information Security Officer, Prime Bank. Source: TechValidate
Expanded visibility across cloud and external attack surface
With InsightIDR, teams have security that grows and scales alongside their business – both on-prem and in the cloud. This year we focused on empowering security teams with cloud incident response capabilities by providing robust integrations with AWS CloudTrail and Microsoft Azure, while also enabling cloud detections with our AWS Guard Duty Detections, AWS Cloud Trail Detections, and more.Customers have the full context of their cloud telemetry and detections alongside their wider environment to get a full, cohesive picture and investigate malicious activity and threats that may move across multiple devices and infrastructures.
Additionally, with Threat Command and InsightIDR together, customers can unlock a complete view of your external and internal attack surface. You can now view Threat Command alerts alongside their broader detection set in InsightIDR:
Prioritize and investigate Threat Command alerts:Use InsightIDR’s investigation management capabilities and seamlessly pivot back to Threat Command to remediate the threat or ask an analyst for help.
Tune Threat Command detection rules directly in InsightIDR: Adjust the rule action, set the rule priority, and add exceptions.
Lastly, Rapid7 provides all customers with 13 months of data retention by default—so they are always audit-ready. To support compliance regulations, we launched new dashboards for organizations to ensure they are meeting requirements. For example, we launched new dashboards for CIS, a common security framework, covering:
CIS Control 5 – Account Management
CIS Control 9 – Email and Web Browser Protections
CIS Control 10 – Malware Defense
“With Rapid7’s InsightIDR, we have a greater handle on threats. We are able to resolve issues quicker and reduce maximum tolerable downtime, our incident management procedures and real-time actions have improved immeasurably too, and we have better cyber hygiene as well.”—Security Officer, Medium Enterprise Chemicals Company. Source: TechValidate
Confidence with expertly curated and vetted detections
Rapid7 Threat Intelligence and Detection Engineering (TIDE) team has curated and is continuously updating our XDR detection library that is expertly vetted by the Rapid7 MDR SOC. The detection library is a result of meticulous research, our vast open source community, security forums, and industry expertise to provide your teams the data they need for sophisticated detection and response. Last year we launched a slew of new detections, a bulk being IDS rules, but worth highlighting is the expanded coverage of tracked threat actors with the Threat Command integration. By integrating our Attacker Behavior Analytics (ABA) detection engine with Threat Command’s threat library intelligence, customers can access broader detections, and new threat groups with around 400 new ABA detection rules powered by thousands of new IOCs.
We also added a new ABA detection rule – Anomalous Data Transfer (ADT) that uses the Insight Network Sensor to identify large transfers of data sent by assets on a network and outputs alerts for easier monitoring of unusual behavior and potential exfiltration.
“InsightIDR provided value to us on Day-1. We didn’t have to write long lists of rules or tweak hundreds of settings in order to get security alerts from our operating environment. Better still, the signal-to-noise ratio of the alerts is great; little-to-no false positives.”—Philip Daly, VP Infrastructure and Information Security, Carlton One Engagement. Source: TechValidate
Looking ahead
Watch this space! We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest detection and response releases at Rapid7.
As we continue to empower security teams with the freedom to focus on what matters most, Q4 focused on investments and releases that contributed to that vision. With InsightIDR, Rapid7’s cloud-native SIEM and XDR solution, teams have the scale, comprehensive contextual coverage, and expertly vetted detections they need to thwart threats early in the attack chain.
This 2022 Q4 recap post offers a closer look at the recent investments and releases we’ve made over the past quarter. Here are some of the highlights:
Easy to create and manage log search, dashboards, and reports
You spoke, we listened! Per our customers, you can now create tables with multiple columns, allowing teams to see all data in one view. For example, simply add a query with a “where” clause and select a table display followed by the columns you want displayed.
Additionally, teams can reduce groupby search results with the having() clause. Customers can filter out what data is returned from groupby results with the option to layer in existing analytics function support (e.g. count, unique, max).
Accelerated time to value
The InsightIDR Onboarding Progress Tracker, available for customers during their 90 day onboarding period, is a self-serve, centralized check-list of onboarding tasks with step-by-step guidance, completion statuses, and context on the “what” and “why” of each task.
No longer onboarding? No problem! We made the progress tracker available beyond the 90-day onboarding period so customers can evaluate setup progress and ensure InsightIDR is operating at full capacity to effectively detect, investigate, and respond to threats.
Visibility across your modern environment
For those that leverage Palo Alto Cortex, you can now configure Palo Alto Cortex Data Lake to send activity to InsightIDR including syslog-encrypted Web Proxy, Firewall, Ingress Authentication, etc. Similarly, for customers leveraging Zscaler, you can now configure Zscaler Log Streaming Service (LSS) to receive and parse user activity and audit logs from Zscaler Private Access through the LSS.
For teams who do not have the bandwidth to set up and manage multiple event sources pertaining to Cisco Meraki, we have added support to ingest Cisco Meraki events through the Cisco Meraki API. This will enable you to deploy and add new event sources with less management.
Customers can now bring data from their Government Community Cloud (GCC) and GCC High environments when setting up the Office365 event source to ensure security standards are met when processing US Government data.
Stay tuned!
We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest detection and response releases at Rapid7.
Shivangi is a Senior Product Manager for D&R at Rapid7.
Data exfiltration is an unauthorized movement or transfer of data occurring on an organization’s network. This can occur when a malicious actor gains access to a corporation’s network with the intention of stealing or leaking data.
Data exfiltration can also be carried out by inside actors moving data outside of the network accidentally, by uploading corporate files to their personal cloud – or deliberately to leak information that harms the organization.
Identifying this cyber risk is integral to securing your organization’s network.
Of course, attackers use multiple methods
Some use phishing scams to trick users into inputting personal login information into spoofed domains so that they can use the appropriate credentials to infiltrate the network. Once on to the network, the malicious actor can send the files they were searching for outside of their network using remote desktop, SSH, etc.
Another method? Ignoring security controls of a network. For example, employees may download unauthorized software for ease of use, but unintentionally allow a third party to gain access to sensitive information that was not meant to leave the network. People may use personal accounts and devices for work related tasks just because it’s easy. A malicious inside actor can also circumvent security controls to leak information outside of the network.
With many organizations moving to a hybrid model of work, it’s more important than ever to prevent data exfiltration, intended or unintended. This can be done by educating your employees of appropriate conduct when it comes to data usage and data sharing within and outside of your network. Education about common attack vectors attackers may use to steal their credentials will also help your employees keep your network secure. Additionally, education around what devices can access your network will make it easier to monitor whether a data breach is about to occur. Finally, assigning certain privileges based on employee functions will help.
Being able to detect data exfiltration is incredibly important for an organization’s environment and essential to your organization’s security posture. One of our new detections, Anomalous Data Transfer, provides you with the visibility into possible occurrences of data exfiltration within your network.
Rapid7s approach for detecting Anomalous Data Transfers
Anomalous Data Transfer is an InsightIDR detection which utilizes network flow data, produced by the Insight Network Sensor, to identify and mark unusual transfers of data and behavior. The detection identifies anomalously large transfers of data sent by assets out of a network, and outputs data exfiltration alerts
The model dynamically derives a baseline for each asset based on its active periods over 30 days, and each hour, will output network activity that is anomalously high as compared to that baseline as a candidate for further investigation. This process effectively acts as a filter, reducing millions of network connections into a few candidate alerts to bring to the attention of a security analyst.
Further contextual information is included in each candidate alert to help a security team make informed decisions about how to investigate the possible occurrence of data exfiltration.
The user has the ability to tune exceptions for which anomalous data transfer alerts are shown by going into Managed Detections. The user can tune exception rules for Anomalous Data Transfer with the following attributes: Organization, Certificate, and Source IP/Subnet. This allows for the analysts to focus on alerts that are well tailored to their organization’s environment.
Many organizations are in the midst of adopting the cloud faster than ever before; it’s arguably mission critical for their success and longevity. Just look at initiatives like digital transformation or even the digital twin which aims to bridge the gap between the physical and the digital by leveraging IoT. Organizations are realizing the endless possibilities that the cloud provides — such as optimization of their processes, data accessibility, and unlocked collaboration & innovation. By definition, the cloud enables integrated data continuity, and by 2025, the world will store 200 zettabytes of data, according to Cybersecurity Ventures. A huge percentage of that data will be in the cloud.
However, the promise of the cloud isn’t just lucrative for companies, it opens up new opportunities for attackers. Many threats that impact a cloud environment are not contained there. They can either originate elsewhere or start in the cloud, but can move depending on the motive of the attacker. As organizations continue to go beyond on-prem, security teams need support.
Enter, automation.
The resource and bandwidth constraints that teams face have been well documented across the industry, so we won’t rehash that here. But it is important to emphasize it when it pertains to priorities around cloud security. In order to stay ahead of evolving threats, security teams need to prioritize cloud detection and response. Automation is a means to do just that.
Automation provides a way to cut down the time it would take to address malicious activity, especially when compared to a manual approach. It can also enable more effective and efficient communication with important stakeholders who may have a hand to play in alert validation and response.
At Rapid7, we’re constantly innovating new ways to inject highly customizable automation into our cloud offerings, all with the aim of making your team — and by extension, your cloud security — stronger and more efficient.
Achieving security at speed
Rapid7 provides security professionals with the centralized monitoring, comprehensive context, and automation necessary to confidently take action against threats. One of the primary challenges security teams face when responding to threats in the cloud is being able to answer simple questions like:
What is this cloud resource?
Who owns it?
Is this normal behavior for this resource, or is it abnormal?
Some of these questions can be answered with data, but some may require stakeholders outside the security team to weigh in, such as the Cloud Infrastructure or DevOps team. The traditional process of engaging these teams might mean that you spend precious time locating or opening a new channel in your ChatOps platform, and copying & pasting alert data alongside a manually-typed message asking for help. This works, but can quickly become inefficient and untenable with higher alert volumes. Rapid7 offers customers a solution to this challenge; what if that process could be automated?
Instead of forcing customers to manually pass data back and forth, Rapid7’s solutions provide a way to orchestrate the routing of cloud threat detections to the right communication channel, after gathering as much context as possible regarding the associated cloud resources automatically. This way, those responsible for responding to these threats can jump right into decision-making with all the data they need in a centralized place.
Despite the security challenges, the future is very much still going to be in the cloud. As security professionals, we work to ensure that cloud operations are as secure as they can be, while providing tools and workflows that make the work your security team does day in and day out more efficient and effective. Automation is just such an innovation. Request a demo of our Cloud Risk Complete and Threat Complete offerings to learn how Rapid7 can help your organization today!
Extended detection and response (XDR) is increasingly gaining traction across the industry. In a new research ebook sponsored by Rapid7, SOC Modernization and the Role of XDR, ESG identified that 61% of security professionals claim that they are very familiar with XDR technology. While this is an improvement from ESG’s 2020 research (when only 24% of security professionals were very familiar with XDR), 39% are still only somewhat familiar, not very familiar, or not at all familiar with XDR.
Security professionals are still unsure of all the associated capabilities that they can leverage with XDR, and frankly how to define the solution. ESG reports that 55% of respondents say that XDR is an extension of endpoint detection and response (EDR), while 44% believe XDR is a detection and response product from a single security technology vendor or an integrated and heterogeneous security product architecture designed to interoperate and coordinate on threat prevention, detection, and response. Nevertheless, XDR remains to be standardized in the industry.
Keeping up with threats
XDR, as defined by Rapid7, goes beyond simple data aggregation. It unifies and transforms relevant security data across a modern environment to detect real attacks. XDR provides security teams with high context and actionable insights to extinguish threats quickly. With XDR, organizations can operate efficiently, reduce noise, and help zero in on attacks early.
According to ESG, security professionals seem to have a number of common XDR use cases in mind. 26% of security professionals want XDR to help prioritize alerts based on risk, 26% seek improved detection of advanced threats, 25% want more efficient threat/forensic investigations, 25% desire a layered addition to existing threat detection tools, and 25% think XDR could improve threat detection to reinforce security controls and prevent future similar attacks.
The theme and core capabilities that are common align with filling in gaps within the security tech stack – while improving threat detection and response.
Holistic detection and response
More than half of security professionals, surveyed by ESG, believe XDR will supplement existing security operations technologies; 44% of those surveyed see XDR as consolidating current security operations technologies into a common platform.
Security operation center (SOC) analysts struggle with numerous disparate tools and systems. It often leads to having to sift through a lot of data (often noise) and context-switching (moving from one tool to another). XDR aims to:
Unify broad telemetry sources (e.g. users, endpoints, cloud, network, etc.) into a single view and set of detections. It helps analysts curate detections, comprehensive investigations, and much more ultimately enabling simpler, smarter, and faster executions.
Embed expertise to help guide incident response (e.g. recommendation actions and next steps, automations, etc.) to enable security professionals to respond to threats with a single click – or without resource involvement.
Empower security teams to be more proactive around detection and response by enabling hunting, guiding forensic and investigation use cases, and more automation to streamline SecOps.
Unlock greater efficiency and efficacy for security teams at each step of the detection and response journey (from initial deployment and data collection, to finding threats and incident response).
Regardless of how XDR is defined, security professionals are interested in using XDR to help them address several threat detection and response challenges. InsightIDR, Rapid7’s cloud-native SIEM and XDR, is an XDR solution before it was even “coined” and users are achieving XDR outcomes. XDR has improved security efficacy and efficiency, unified data, and helped streamline security operations.
Eight in 10 organizations collect, process, and analyze security operations data from more than 10 sources, ESG identified in a new ebook SOC Modernization and the Role of XDR, sponsored by Rapid7. Security professionals believe that the most important sources are endpoint security data (24%), threat intelligence feeds (21%), security device logs (20%), cloud posture management data (20%), and network flow logs (18%).
While this seems like a lot of data, survey respondents actually want to use more data for security operations in order to keep up with the proliferation of the attack surface. This expansion is driving the need for scalable, high-performance, cloud-based back-end data repositories.
More data, more noise
Organizations are increasingly investing in technology to achieve executive goals and deliver on digital transformation strategies – every company is becoming a software company in order to remain competitive and support the new work normal.
With more technology comes greater potential for vulnerabilities and threats. Security operations center (SOC) analysts are an organization’s first line of defense. In order to effectively stay ahead of potential threats and attacks, security teams rely on vast amounts of data to get an overview of the organization and ensure protection of any vulnerabilities or threats.
However, it’s nearly impossible for organizations to prioritize and mitigate hundreds of risks effectively – and not just due to the skilled resource and knowledge shortage. Security teams need to filter through the noise and identify the right data to act on.
“In security, what we don’t look at, don’t listen to, don’t evaluate, and don’t act upon may actually be more important than what we do,” Joshua Goldfarb recently wrote in Dark Reading.
Focus on what matters with stronger signal-to-noise
Though SOC analysts are adept at collecting vast amounts of security data, they face a multitude of challenges in discerning the most severe, imminent threats and responding to them in an effective, timely manner. These teams are inundated with low-fidelity data and bogged down with repetitive tasks dealing with false positives. In order to reduce the noise, security professionals need a good signal-to-noise ratio. They need high-fidelity intelligence, actionable insight, and contextual data to quickly identify and respond to threats.
With Rapid7, organizations can ensure visibility for their security teams, eliminating blindspots and extinguishing threats earlier and faster. InsightIDR, Rapid7’s cloud-native SIEM and XDR, provides SOC analysts with comprehensive detection and response.
With InsightIDR, security professionals can leverage complete coverage with a native endpoint agent, network sensors, collectors, and APIs. Teams can go beyond unifying data to correlate, attribute, and enrich diverse datasets into a single harmonious picture.
Detailed events and investigations– Track users and assets as they move around the network, auto-enriching every log line.
Correlation across diverse telemetry – Single investigation timeline for each alert, and all the details of an attack in one place.
Expert response recommendations – Alerts come with recommended actions from Rapid7’s global MDR SOC and Velociraptor’s digital forensics and incident response playbooks.
New research sponsored by Rapid7 explores the momentum behind security operations center (SOC) modernization and the role extended detection and response (XDR) plays. ESG surveyed over 370 IT and cybersecurity professionals in the US and Canada – responsible for evaluating, purchasing, and utilizing threat detection and response security products and services – and identified key trends in the space.
The first major finding won’t surprise you: Security operations remain challenging.
Cybersecurity is dynamic
A growing attack surface, the volume and complexity of security alerts, and public cloud proliferation add to the intricacy of security operations today. Attacks increased 31% from 2020 to 2021, according to Accenture’s State of Cybersecurity Resilience 2021 report. The number of attacks per company increased from 206 to 270 year over year. The disruptions will continue, ultimately making many current SOC strategies inadequate if teams don’t evolve from reactive to proactive.
In parallel, many organizations are facing tremendous challenges closer to home due to a lack of skilled resources. At the end of 2021, there was a security workforce gap of 377,000 jobs in the US and 2.7 million globally, according to the (ISC)2 Cybersecurity Workforce Study. Already-lean teams are experiencing increased workloads often resulting in burnout or churn.
Key findings on the state of the SOC
In the new ebook, SOC Modernization and the Role of XDR, you’ll learn more about the increasing difficulty in security operations, as well as the other key findings, which include:
Security professionals want more data and better detection rules – Despite the massive amount of security data collected, respondents want more scope and diversity.
SecOps process automation investments are proving valuable – Many organizations have realized benefits from security process automation, but challenges persist.
XDR momentum continues to build – XDR awareness continues to grow, though most see XDR supplementing or consolidating SOC technologies.
MDR is mainstream and expanding – Organizations need help from service providers for security operations; 85% use managed services for a portion or a majority of their security operations.
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.
