We are excited to share another quarter of new Detection & Response capabilities and improvements. As we continue to innovate across our platform, we thank our customers for continuous insight, engagement, and direction.
Keenly focused on our mission to deliver solutions for consolidated, end-to-end security operations and a practitioner-focused experience, Rapid7 recently introduced Managed Threat Complete (MTC), which brings together our leading MDR service and industry-leading vulnerability management technology, enabling customers to level up their detection and response programs with complete coverage and a team of Rapid7 experts.
At the core of MTC is InsightIDR (IDR), our cloud-native XDR technology that cuts through the noise and enables practitioners to focus on what matters most. Read on to learn about recent updates to MTC and IDR, including Log Search Open Preview, which is now the default experience for users, and support for AWS AppFabric.
New Faster and Streamlined Log Search Experience Is Live!
We are always striving to drive greater efficacy, productivity, and efficiency for our customers–and since querying data is such a huge part of security practitioners’ day-to-day, Log Search is always a significant area of focus. We are excited to officially introduce our new Log Search experience, which is now live and available for all InsightIDR and MDR customers. This new experience delivers a faster and more simplified UI, while also unlocking more paths to build sophisticated queries and dashboards. Highlights include:
Easily Access Saved Queries: Identify, capture, edit, and share saved queries via the new Log Search interface. The “home page” gives you single-click access for all search-related activities.
Refine Detection Rules From Search: Refine existing or create new detection rules directly from queries.
Master Visualizations: Tweak and perfect visualizations before they are added to dashboards.
Expanded Partnership with Amazon Web Services (AWS) Improves Cloud D&R Efficiency
As part of our continued commitment to helping customers secure cloud infrastructure, InsightIDR now supports AWS AppFabric, which quickly connects SaaS applications for streamlined security management using a standard schema. By ingesting logs from AppFabric, customers have improved visibility into SaaS app activity and the ability to centralize security data within the Insight Platform—and ultimately, detect and respond to cloud threats faster. For additional information, see Rapid7’s recent press release and blog post on this exciting news.
More Flexibility for Detection Rule Exceptions
We take pride in the fidelity of our out-of-the-box Detection Library while recognizing our customers’ need for flexibility to prioritize threats, fine-tune alerts, and manage detection exceptions for their unique environments. InsightIDR users can now use exceptions to modify and prioritize detection rules for specific users and asset levels. When creating an exception, users can convert the key-value pair into Log Entry Query Language (LEQL) for more specificity. The ability to write exceptions with multiple conditions in a single query saves valuable time and allows analysts to fine-tune specific detections where applicable. To learn more about leveraging LEQL for more complex tuning capability, read the documentation.
API Event Source for Palo Alto Cortex XDR Accelerates Triage
A new API integration enables customers to ingest alerts from Cortex XDR into InsightIDR, providing an easy and secure way to triage PAN alerts. Users can set up a new event source to request incidents from the Incidents API within Cortex XDR and generate third-party alerts. Find configuration details here.
Insight Agent Updates Improve Monitoring and Management
Users can configure how long Insight Agents are tracked to better monitor and manage the health and status of endpoint Agents. See our updated Agent Management settings documentation for configuration instructions and more details.
Rapid7 is excited to announce version 0.6.9 of Velociraptor–the premier open-source DFIR platform. Enhancements include direct SMB support, improvements to the GUI and the VQL scripting language, and the introduction of “lock down” server mode. Learn more in the blog.
MSSP Multi-Customer Investigations Support Prioritization Efficiency
MSSPs now have access to an enhanced multi-customer investigation experience that improves the customer management workflow for analysts and increases the speed of investigations.
The new interface enables MSSP analysts to manage customers at scale. They can see a list of all of their customers in a single view, click into each individual customer to manage their investigations, and switch between managed customers without leaving InsightIDR. Learn more in the documentation.
Attacker Behavior Analytics (ABA) Detection Rules
In Q2, we added 1197 new ABA detection rules for threats. See them in-product or visit the Detection Library for actionable descriptions and recommendations.
Stay tuned!
We’re always working on new product enhancements and functionality to ensure teams can stay ahead of potential threats and respond to attacks as quickly as possible. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest Detection and Response releases at Rapid7.
It would have been really cool to combine those two words to make “inundata,” but it would have been disastrous for SEO purposes. It’s all meant to kick off a conversation about the state of security organizations with regard to threat intelligence. There are several key challenges to overcome on the road to clarity in threat intelligence operations and enabling actionable data.
For the commissioned study, Forrester conducted interviews with four Rapid7 customers and collated their responses into the form of one representative organization and its experiences after implementing Rapid7’s threat intelligence solution, Threat Command. Interviewees noted that prior to utilizing Threat Command, lack of visibility and unactionable data across legacy systems were hampering efforts to innovate in threat detection. The study stated:
“Interviewees noted that there was an immense amount of data to examine with their previous solutions and systems. This resulted in limited visibility into the potential security threats to both interviewees’ organizations and their customers. The data the legacy solutions provided was confusing to navigate. There was no singular accounting of assets or solution to provide curated customizable information.”
A key part of that finding is that limited visibility can turn into potential liabilities for an organization’s customers – like the SonicWall attack a couple of years ago. These kinds of incidents can cause immediate pandemonium within the organizations of their downstream customers.
In this same scenario, lack of visibility can also be disastrous for the supply chain. Instead of affecting end-users of one product, now there’s a whole network of vendors and their end-users who could be adversely affected by lack of visibility into threat intelligence originating from just one organization. With greater data visibility through a single pane of glass and consolidating information into a centralized asset list, security teams can begin to mitigate visibility concerns.
Time-consuming processes for investigation and analysis
Rapid7 customers interviewed for the study also felt that their legacy threat intelligence solutions forced teams to “spend hours manually searching through different platforms, such as a web-based Git repository or the dark web, to investigate all potential threat alerts, many of which were irrelevant.”
Because of these inefficiencies, additional and unforeseen work was created on the backend, along with what we can assume were many overstretched analysts. How can organizations, then, gain back – and create new – efficiencies? First, alert context is a must. With Threat Command, security organizations can:
Receive actionable alerts categorized by severity, type (phishing, data leakage), and source (social media, black markets).
Implement alert automation rules based on your specific criteria so you can precisely customize and fine-tune alert management.
Accelerate alert triage and shorten investigation time by leveraging Threat Command Extend™ (browser extension) as well as 24x7x365 availability of Rapid7 expert analysts.
By leveraging these features, the study’s composite organization was able to surface far more actionable alerts and see faster remediation processes. It saved $302,000 over three years by avoiding the cost of hiring an additional security analyst.
Pivoting away from a constant reactive approach to cyber incidents
When it comes to security, no one ever aims for an after-the-fact approach. But sometimes a SOC may realize that’s the position it’s been in for quite some time. Nothing good will come from that for the business or anyone on the security team. Indeed, interviewees in the study supported this perspective:
“Legacy systems and internal processes led to a reactive approach for their threat intelligence investigations and security responses. Security team members would get alerts from systems or other teams with limited context, which led to inefficient triage or larger issues. As a result, the teams sacrificed quality for speed.”
The study notes how interviewees’ organizations were then motivated to look for a solution with improved search capabilities across locations such as social media and the dark web. After implementing Threat Command, it was possible for those organizations to receive early warning of potential attacks and automated intelligence of vulnerabilities targeting their networks and customers.
By creating processes that are centered around early-warning methodologies and a more proactive approach to security, the composite organization was able to reduce the likelihood of a breach by up to 70% over the course of three years.
Security is about the solutions
Challenges in a SOC don’t have to mean stopping everything and preparing for a years-long audit of all processes and solutions. It is possible to overcome challenges relatively quickly with a solution like Threat Command that can show immediate value after an accelerated onboarding process. And it is possible to vastly improve security posture in the face of an increasing volume of global threats.
For a deeper-dive into The Total Economic Impact™ of Rapid7 Threat Command For Digital Risk Protection and Threat Intelligence, download the study now. You can also read the previous blog entry in this series here.
Security teams must continuously contort their efforts to effectively respond to the growing volume of cyberthreats. These constantly shifting methods in the security operations center (SOC) can be difficult to manage in the face of emerging external threats—it can be like keeping multiple spinning plates in the air at once.
As the world continues to lean into the convenience of the digital age, cyberthreats continue to rise. Greater visibility is needed. Accurate automation is needed. And enhancements to every organization’s overall security posture are most certainly needed to stay secure in the global economy.
Intelligence when you need it
The more contextualized alerts and insight you can gain on a potential threat, the better positioned you’ll be to mitigate the threat before it can have a tangible impact on the business. Threat Command from Rapid7 was specifically built to help security organizations gain clarity about external threats. Can it see around corners? Almost.
Threat Command produced an ROI of more than 300%! The characteristics of the composite organization used for this calculation were based on real-life customer interviews Forrester conducted within their Total Economic Impact (TEI) framework. This representative organization is described as a $5.7 billion global enterprise consisting of 7,500 employees and headquartered in North America. The study concluded that this business realized 311% ROI over three years while also fending off threats with a solution that prioritizes:
Immediate value and the ability to get up and running quickly
More active responses with agile detection and automated alert responses
Simplified workflows that leverage mapping capabilities to accelerate investigations
All of this translates into greater visibility into threats—before their truly concussive effects are felt—which can lead to significantly reduced aftershocks of cyberattacks.
Benefits and other findings
Threat Command reduced the likelihood of a major security breach by up to 70%. The composite organization was able to realize significant efficiencies—and cost savings—leading to a considerable reduction in the probability of a breach event. The Forrester Consulting study states:
“By implementing Threat Command, the composite organization gains greater efficiency to detect, investigate, respond to, and remediate cyberattacks… Having Threat Command as a part of its security environment has the effect of lowering the likelihood of successful breaches by up to 70% over the course of three years and decreasing the impact of cyberattacks. This results in up to $1.1 million (PV) in savings over three years.”
Organizations were also able to leverage Threat Command to lower signal-to-noise alert ratio, as well as proactively identify and remediate threats before they morph into significant business impact. Indeed, automation helped in this area and led to time savings. A study interviewee—the principal threat intelligence analyst for a financial services firm—estimated three analysts on the security team saved three to four hours a day after implementing Threat Command.
“We were having a lot of trouble distinguishing relevant threats from noise. It was a manual approach of pulling the information from these sources … It was very reactive.”—Principal threat intelligence analyst, financial services
Remediation efficiency
Threat Command delivered a 75% reduction in time for investigation, threat hunting, and analysis. When looked at in terms of workforce, this helped organizations avoid the cost of bringing on additional headcount due to Threat Command’s comprehensive detection and user access to Rapid7’s internal SOC and remediation teams.
What about security posture?
Threat Command created benefits of $1.88 million over three years against costs of $457,000. We believe that with numbers like that, employees would benefit, shareholders would be happy, and the company would make progress toward meeting its financial goals.
But threats still loom. So, how did interviewees’ overall security postures look after implementing Threat Command? They experienced the following gains:
More efficient security processes
Personalized alerts on potential threats
Rapid takedowns of accounts and domains from the dark web
Greater accounting of all digital assets
Transition from a reactive to proactive approach for threat intelligence and remediation
Make intelligence intelligent
With regard to securing an ever-expanding attack surface, information means nothing if it can’t be interpreted and acted upon. Threat Command from Rapid7 can supercharge your ability to turn intelligence into results-focused action with faster detection and automated alert responses across your environment.
There are lots of numbers in this study, and we love that. It’s great to see proof that a solution is capable of helping customers become more confident in their security postures. But Rapid7’s commitment to partnering with our customers goes beyond the numbers. We’ll never stop innovating on the effectiveness of our products and services to proactively defend against—and defeat—the growing volume of global threats.
For a deep-dive into The Total Economic Impact(™) of Rapid7 Threat Command for Digital Risk Protection and Threat Intelligence, download the study now.
In an evolving threat landscape, non-stop alerts and more IOC feeds don’t guarantee better protection. Security teams are overwhelmed and struggle to identify relevant threat information.
Thankfully, Threat Command delivers highly contextual alerts and integration across your environment to help you cut through the noise, enable prioritization, streamline operations, and reduce brand exposure. Threat Command external threat intelligence protects organizations in every industry from targeted threats across the clear, deep, and dark web.
As we forge into 2023, we remain laser-focused and committed to addressing the critical needs of resource-constrained security operations teams:
Accessible and actionable external threat intelligence
Better visibility for faster decisions
Greater relevance, less noise
Simplified security workflows
Accelerated response
Faster time-to-value
But first, let’s take a look at the ways we improved Threat Command in 2022.
Executing on Our Promise of Value 2022 Product Feature Introductions and Enhancements
Throughout 2022, we continuously iterated and improved upon the capabilities of Threat Command, making it an even more effective resource to keep your organization safe from external threats. Here is a rundown of some of the most important improvements we made last year.
Threat Command + InsightIDR integration: The only 360-degree XDR solution in the market that infuses generic threat intelligence (IOCs) and customized digital risk protection coverage. Unlock a comprehensive view of your external and internal attack surface by seeing Threat Command alerts alongside IDR detections.
Twitter Chatter: Know when your company is mentioned in negative discourse on Twitter.
Information Stealers: Get alerted when employees have been compromised by malware that gathers leaked credentials and private data from infected devices. In many cases, this scenario plays out on employee-owned personal devices, drastically amplifying potential risk to the organization.
Asset Management: Track your most targeted digital assets for a more proactive defense. Categorize your assets using tags and comments, and automatically generate policy conditions and bulk actions for alerts.
Strategic Intelligence: The first strategic dashboard for CISOs delivers visualization of threats specifically targeting the organization – critical input for assessing, planning, and budgeting for future security investments. This is the threat intelligence market’s only comprehensive view of an organization’s external threat landscape (aligned to the MITRE ATT&CK framework).
Second Half 2022
Rapid7 + ServiceNow: In the second half of the year, we released Threat Command for ServiceNow ITSM. Users of both platforms now have access to an end-to-end integration for managing security incidents:
Quickly and easily create ServiceNow incidents based on Threat Command alert data for streamlined incident response from a single pane of glass within ServiceNow.
Create incidents in your ServiceNow instance based on Threat Command alert data and assign ITSM tickets to specific users or groups.
Rapid7 + MISP: Our Threat Intelligence Platform (TIP) now integrates with MISP (Malware Information Sharing Platform), an open-source TI platform that collects and shares indicators of compromise related to security incidents. This integration allows users to ingest enriched IOCs from our TIP and create events in MISP cloud devices.
TIP Investigation Enhancements
Filterable user events now appear in the IOC Timeline for improved visibility and investigation efficiency. Users can view events related to specific IOCs, sorted by date.
See the relation types between related IOCs on the Investigation map for 360-degree visibility and faster investigations.
View Threat Command alert indications on IOC nodes in the Investigation map for additional visibility.
Leaked Credentials Enhancements
Our Leaked Credentials coverage now supports a wide variety of additional database formats, allowing broader visibility into the ever-expanding threat of leaked credentials detected in various breaches and hacker campaigns across the clear, deep, and dark web.
Looking Ahead
Lots happening in 2023! Look for our new Forrester Total Economic Impact of Rapid7 Threat Command for Digital Risk Protection and Threat Intelligencein early Q2 (sneak peak: our ROI number surpasses that of our primary competitors!) and new solutions packages that scale with customer needs across the maturity spectrum and offer opportunities to maximize ROI.
Stay tuned!
There are many more exciting feature enhancements and new releases planned throughout the year. A big thank you to all of our customers and partners. We look forward to delivering even more value to you in 2023!
Learn more about how Threat Command simplifies threat intelligence, delivering instant value for organizations of any size or maturity, while reducing risk exposure. Watch an on-demand demo to see how Threat Command takes the complexity out of threat intelligence with an intuitive platform that prioritizes the most critical threats to your organization.
Rapid7 Strengthens Market Position With 360-Degree XDR and Best-in-Class Threat Intelligence Offerings
Time flies… and provides opportunities to establish proof points. After recently passing the one-year milestone of Rapid7’s acquisition of IntSights, the added value threat intelligence brings to our product portfolio is unmistakable.
Cross-platform SIEM, SOAR, and VM integrations expand capabilities and deliver super-charged XDR
Integrations with Rapid7 InsightIDR (SIEM) and InsightConnect (SOAR) strengthen our product offerings. Infusing these tools with threat intelligence elevates customer security outcomes and delivers greater visibility across applications, while speeding response times. The combination of expertly vetted detections, contextual intelligence, and automated workflows within the security operations center (SOC) helps teams gain immediate visibility into the external attack surface from within their SIEM environments.
The threat intelligence integration with IDR is unique to Rapid7. It’s the only XDR solution in the market to infuse both generic threat intelligence IOCs and customized digital risk protection coverage. Users receive contextual, tailored alerts based on their digital assets, enabling them to detect potential threats before they hit endpoints and become incident response cases.
Capabilities
Expand and accelerate threat detection with native integration of Threat Command alerts and TIP Threat Library IOCs with InsightIDR.
Proactively thwart attack plans with alerts that identify active threats across the attack surface.
Benefits
360-degree visibility and protection across your internal and external attack surface
Faster automated discovery and elimination of threats via correlation of Threat Command alerts with InsightIDR investigative capabilities
The Threat Command Vulnerability Risk Analyzer (VRA) + InsightVM integration delivers complete visibility into digital assets and vulnerabilities across your attack surface, including attacker perspective, trends, and active discussions and exploits. Joint customers can import data from InsightVM into their VRA environment where CVEs are enriched with valuable context and prioritized by vulnerability criticality and risk, eliminating the guesswork of manual patch management. VRA is a bridge connecting objective critical data with contextualized threat intelligence derived from tactical observations and deep research. In addition to VRA, customers can leverage Threat Command’s Browser Extension to obtain additional context on CVEs, and TIP module to see related IOCs and block actively exploited vulnerabilities.
Integration benefits
Visibility: Continuously monitor assets and associated vulnerabilities.
Speed: Instantly assess risk from emerging vulnerabilities and improve patching cadence.
Assessment: Eliminate blind spots with enhanced vulnerability coverage.
Productivity: Reduce time security analysts spend searching for threats by 75% or more.
Prioritization: Focus on the vulnerabilities that matter most.
Automation: Integrate CVEs enriched with threat intelligence into existing security stack.
Simplification: Rely on intuitive dashboards for centralized vulnerability management.
Learn how to leverage this integration to effectively prioritize and accelerate vulnerability remediation in this short demo and Integration Solution Brief.
In addition to these game-changing integrations that infuse Rapid7 Insight Platform solutions with external threat intelligence, Threat Command also introduced numerous feature and platform enhancements during the past several months.
Expanded detections and reduced noise
Of all mainstream social media platforms, Twitter has the fewest restrictions and regulations; coupled with maximum anonymity, this makes the service a breeding ground for hostile discourse.
Twitter by the numbers (in 2021)
Threat Command Twitter Chatter coverage continually monitors Twitter discourse and alerts customers regarding mentions of company domains. Expanded Twitter coverage later this year will include company and brand names.
Threat Command’s Information Stealers feature expands the platform’s botnets credentials coverage. We now detect and alert on information-stealing malware that gathered leaked credentials and private data from infected devices. Customers are alerted when employees or users have been compromised (via corporate email, website, or mobile app). Rely on extended protection against this prevalent and growing malware threat based on our unique ability to obtain compromised data via our exclusive access to threat actors.
Accelerated time to value
The recently enhanced Threat Command Asset Management dashboard provides visibility into the risk associated with specific assets, displays asset targeting trends, and enables drill-down for alert investigation. Users can now categorize assets using tags and comments, generate bulk actions for multiple assets, and see a historical perspective of all activity related to specific assets.
Better visibility for faster decisions
Strategic Intelligence is now available to existing Threat Command customers for a limited time in Open Preview mode. The Strategic Intelligence dashboard, aligned to the MITRE ATT&CK framework, enables CISOs and other security executives to track risk over time and assess, plan, and budget for future security investments.
Capabilities
View potential vulnerabilities attackers may use to execute an attack – aligned to the MITRE ATT&CK framework (tactics & techniques).
See trends in your external attack surface and track progress over time in exposed areas.
Benchmark your exposure relative to other Threat Command customers in your sector/vertical.
Easily communicate gaps and trends to management via dashboard and/or reports.
Benefits
Rapid7 is the first vendor in the TI space to provide a comprehensive strategic view of an organization’s external threat landscape.
Achieve your security goals with complete, forward-looking, and actionable intelligence context about your external assets.
Bridge the communication and reporting gap between your CTI analysts dealing with everyday threats and the CISO, focused on the bigger picture.
Stay tuned!
There are many more exciting feature enhancements and new releases planned by year end.
Learn moreabout how Threat Command simplifies threat intelligence, delivering instant value for organizations of any size or maturity, while reducing risk exposure.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
This post was originally published on the IntSights blog.
Last year marked a huge milestone with the acquisition of IntSights by Rapid7. The IntSights team is very excited to join a company committed to simplifying and improving security outcomes for its customers. Rapid7’s focus is a great complement to the IntSights core mission to “democratize threat intelligence” for all. We look forward to continuing in this mission as part of the Rapid7 family, as our external threat intelligence solutions are incorporated within the Insight platform.
Threat Intelligence solutions compete in an increasingly crowded marketplace. Our solution stands out from others by removing the inherent complexity of threat intelligence while helping organizations of any size or maturity minimize their external risk while significantly reducing their workload. Over the course of 2021, we continued to deliver on this core promise by adding additional value to our products through:
Expanding detection coverage and sources across the clear, deep, and dark web
Helping customers speed their response processes through an expanded investigation toolset
Continuously improving the user experience, ensuring our solutions deliver immediate value out of the box
“IntSights’ competitive advantage lies in its simplicity.”– Dave Estlick, CISO, Chipotle
2021 IntSights External Threat Protection Suite highlights
Expanded threat coverage
Over the course of 2021, we increased our Threat Command detections coverage in several key areas to offer customers additional protection and value. These expanded capabilities include:
Phishing websites: Detection and alert coverage for additional Phishing feeds including AlienVault, OpenPhish, Phishing Domain Database, PhishStats, and PhishTank
Public repositories: Expanded coverage for leaked secrets in both GitHub and GitLab
Leaked databases: Alerts on leaked databases that contain organization-specific PII data (such as phone number, physical address, date of birth)
Black markets coverage: Expanded detections of customer products offered for sale in dark web black markets and ability for customers to view decision parameters to understand why specific threats were elevated to alerts
BOT data for sale: Option to use the new “Bot price” condition to trigger alerts based on bot prices and easily initiate bot purchase requests from the Threatspage
“IntSights gives us the ability to see a more granular view of our threats in a very easy-to-use fashion.”– Zac Hinkel, Global Cyber Threat Manager, Hogan Lovells
Proactive phishing detection
In 2021, we offered a new solution called Phishing Watch that offers advanced and preemptive phishing detection capabilities that help customers identify attacks before phishing websites emerge. Phishing Watch employs a lightweight snippet installed on customer-facing websites that proactively detects the copying or redirection of legitimate/official websites to an illegitimate (and potentially phishing) website. Customers receive proactive notice of any phishing scams before they are employed, including the details required to enable automatic takedown of the phishing website and eradicate any threats in the early stages.
Expanded research and investigation capabilities
This year, we also greatly enhanced the investigation capabilities and content within our Threat Intelligence Platform (TIP) to accelerate customers’ ability to research and triage threats. The enhancements enable customers to easily understand the intent associated with indicators and prioritize those that pose the greatest risk. Features include:
Improved user interface that helps customers quickly investigate IOC and common cyber attack details
Expanded and accelerated investigation functionality including attack context, mapping tools, notes, and export functionality
Ability to easily share information on specific indicators with teams to enable better coordination and more proactive security posturing
Ability to analyze and understand the correlation of a CVE to cyber terms, view which feed reported the malware or actor, and see the first and last report date for better visibility and context on reported threats
Users can view and search CVEs in the Investigation Map.
IntSights Extend (browser extension)
Introduced earlier this year, IntSights Extend actively parses, enriches, and highlights cyber threat intelligence data from any web-based application, such as a technical blog detailing the latest breach or a raw intelligence feed. It actively scrapes domains, URLs, IP addresses, file hashes, email addresses, and CVEs to deliver contextualized risk-prioritized alerts at the click of a mouse. Additionally, layering real-time enriched threat intelligence over any web-based application allows security practitioners to perform end-to-end investigation and analysis. They can immediately detect if threat indicators are active within their environment and block them directly from the browser. Customers can also easily pivot to the IntSights platform for further analysis, investigation, and action.
Threat library
Dedicated research analysts work behind the scenes to input up-to-the-minute intelligence. The research team includes detailed information on known threat actors, malware, campaigns, and associated MITRE TIDs to help security analysts spot trends and gain contextual details regarding threats targeting geographic regions, including threat actor engagement and reconnaissance. Security analysts can take immediate action on threats by adding IOCs associated with specific topics to their security devices, without ever leaving the library. The IOCs can also be tagged with malware, threat actor names, campaigns, and/or attack type to accelerate triage across existing security infrastructure.
Vulnerability Risk Analyzer (VRA) customers can click on specific CVEs to view further details on the Vulnerabilities page. This helps customers prioritize vulnerabilities used in specific campaigns that affect their organization so they can focus on immediate updates and patching for the most relevant CVEs.
MITRE ATT&CK mapping
More advanced search capabilities to speed investigation plus details on MITRE ATT&CK framework tactics, techniques, and procedures (TTPs) are now mapped to Threat Library topics, bringing all relevant information related to a threat into one simplified view. Beyond the Threat Library, platform users can view and filter alerts by specific MITRE framework tactics and techniques for more context about threats in the customer environment.
IntelliFind
IntelliFind, our comprehensive dark web search tool, enables customers to directly search outside their digital footprint to immediately discover threat actor chatter and potential attacks targeting their organization or industry on the black market, hacking forums, paste sites, and other dark web sources across the attack surface. We offer the largest and most extensive database of these otherwise inaccessible sites.
Workflow improvements and technology integrations
Multi-tenant threat management
MSSPs and large enterprises with subsidiaries can now view and manage the threat data associated with all accounts, as well as navigate between customers, from a single dashboard, streamlining account management and saving money, time, and resources.
Threat Command: Those managing multi-tenant accounts can access each account’s Threat Command alerts, remediations, and associated policy options from the tenant view. The expanded functionality also makes it easier for tenants and subsidiaries to consume and act on threat intelligence to improve their digital risk protection and cybersecurity posture. Alerts for multiple accounts can be displayed and managed simultaneously, as well as aggregated by date and category. Multi-tenant account owners can also engage with our expert threat analysts in real time to dig deeper into specific alerts and proactively reduce response time.
TIP: MSSPs can see each tenant’s threat feeds and aggregated and prioritized IOCs from the TIP, as well as set IOC severity for all managed accounts.
IntelliFind: Using this exclusive dark web search tool, MSSPs gain access to advanced investigation capabilities and can view and manage queries and trigger alerts for multiple tenants via a single login.
“The new MSSP capabilities allow us to view and manage all of our tenants from a single dashboard. We can switch between our customers’ tailored intelligence platforms with the click of a button. Also, we can easily generate reports to share with our customers, documenting the value they receive from Rapid7 threat intelligence.” – Royi Biller, CEO, MT Cyber (MSSP)
Rapid7 InsightConnect Plugin for IntSights Threat Intelligence
Mutual customers of IntSights and Rapid7 InsightConnect (and InsightIDR or InsightVM) can now leverage contextualized threat alerts, indicators, and vulnerabilities within their Rapid7 SOAR solution, InsightConnect, helping them prioritize incident response and vulnerability management activities. This integration helps organizations gain a 360-degree view of the external threat landscape, align internal security enforcement, and expedite critical areas of security operations. The first ICON Plugin workflow (for Rapid7 InsightIDR) is now available in the Rapid7 Extensions Library. This workflow enriches IDR alerts by performing a lookup on all domains, hashes, URLs, and IPs in the Threat Intelligence Investigation module. In addition, IntSights can now directly trigger an incident response workflow in InsightConnect based on generated alerts, enabling more efficient and effective responses to threats that the IntSights platform detects.
The IntSights bidirectional app for Splunk enables customers to bring actionable threat intelligence into their Splunk solution for a holistic view of threats targeting their environment. Building on existing functionality that facilitated the import of prioritized IOCs from the IntSights platform, the app introduced earlier this year enables customers to:
Identify attacks in progress on their network by correlating indicators in their environment with IntSights high-severity IOCs
Import Threat Command alerts and prioritized vulnerabilities from Vulnerability Risk Analyzer into the Splunk environment to continue triaging external threats directly from the Splunk dashboard
Instantly analyze and prioritize credible threats in the IntSights environment. When an alert, IOC, or CVE is found in the customer’s Splunk environment, it is flagged simultaneously in Splunk and IntSights so that users can take action in either platform.
Our native bidirectional application for IBM QRadar allows customers to leverage the robust enrichment and investigation capabilities of the IntSights TIP in their QRadar environments. Mutual customers can:
Detect IOCs found in the network
View top malware and threat actors targeting the organization
Conduct comprehensive, end-to-end investigations directly within the Qradar environment
Looking ahead
Looking ahead to 2022, some of the key themes and areas of investment that Rapid7’s Threat Intelligence customers will experience include:
Delivering more visibility for faster decision-making with a new Strategic Intelligence module and custom reporting capabilities
Key integrations with Rapid7 products including the InsightIDR XDR/SIEM solution, the InsightConnect SOAR platform, and the InsightVM vulnerability management solution
New pricing and packaging model that scales with customer needs across the maturity spectrum
Continued investment in expanding intelligence sources and detections for reduced noise and better protection
Driving growth through a more optimized Threat Intelligence experience for MSSP partners
A big thank you to all of our customers and partners for working with us this year. We look forward to delivering even more value to our Threat Intelligence customers as part of the Rapid7 family, as well as sharing more about these investments and additional updates with you in 2022.
NEVER MISS A BLOG
Get the latest stories, expertise, and news about security today.
By continuing to use the site, you agree to the use of cookies. more information
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.
