Tag Archives: Detection and Response

Demystifying XDR: How Curated Detections Filter Out the Noise

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/02/24/demystifying-xdr-how-curated-detections-filter-out-the-noise/

Extended detection and response (XDR) is, by nature, a forward-looking technology. By adding automation to human insight, XDR rethinks and redefines the work that has been traditionally ascribed to security information and event management (SIEM) and other well-defined, widely used tools within security teams. For now, XDR can work alongside SIEM — but eventually, it may replace SIEM, once some of XDR’s still-nascent use cases are fully realized.

But what about the pain points that security operations center (SOC) analysts already know so well and feel so acutely? How can XDR help alleviate those headaches right now and make analysts’ lives easier today?

Fighting false positives with XDR

One of the major pain points that Sam Adams, Rapid7’s VP for Detection and Response, brought to light in his recent conversation with Forrester Analyst Allie Mellen, is one that any SOC analyst is sure to know all too well: false positives. Not only does this create noise in the system, Sam pointed out, but it also generates unnecessary work and other downstream effects from the effort needed to untangle the web of confusion. To add to the frustration, you might have missed real alerts and precious opportunities to fight legitimate threats while you were spending time, energy, and money chasing down a false positive.

If, as Sam insisted, every alert is a burden, the burdens your team is bearing better be the ones that matter.

Allie offered a potential model for efficiency in the face of a noisy system: managed detection and response (MDR) providers.

“MDR providers are one of these groups that I get a lot of inspiration from when thinking about what an internal SOC should look like,” she said. While an in-house SOC might not lose money to the same extent an MDR vendor would when chasing down a false positive, they would certainly lose time — a precious resource among often-understaffed and thinly stretched security teams.



Got intel?

One of the things that MDR providers do well is threat intelligence — without the right intel feed, they’d be inundated with far too much noise. Sam noted that XDR and SIEM vendors like Rapid7 realize this, too — that’s why we acquired IntSights to deepen the threat intel capabilities of our security platform.

For Allie, the key is to operationalize threat intelligence to ensure it’s relevant to your unique detection and response needs.

“It is definitely not a good idea to just hook up a threat intel feed and hope for the best,” she said. The key is to keep up with the changing threat landscape and to stay ahead of bad actors rather than playing catch-up.

With XDR, curation is the cure

Of course, staying on top of shifting threat dynamics takes time — and it’s not as if analysts don’t already have enough on their plate. This is where XDR comes in. By bringing in a wide range of sources of telemetry, it helps SOC analysts bring together the many balls they’re juggling today so they can accomplish their tasks as effectively as possible.

Allie noted that curated detections have emerged as a key feature in XDR. If you can create detections that are as targeted as possible, this lowers the likelihood of false positives and reduces the amount of time security teams have to spend getting to the bottom of alerts that don’t turn out to be meaningful. Sam pointed out that one of the key ways to achieve this goal is to build detections that focus not on static indicators but on specific behaviors, which are less likely to change dramatically over time.

“Every piece of ransomware is going to try to delete the shadow copy on Windows,” he said, “so it doesn’t matter what the latest version of ransomware is out there – if it’s going to do these three things, we’re going to see it every time.”

Focusing on the patterns that matter in threats helps keep noise low and efficiency high. By putting targeted detections in security analysts’ hands, XDR can alleviate some of their stresses of false positives today and pave the way for the SOC to get even more honed-in in the future.

Want more XDR insights from our conversation with Allie? Check out the full talk.

This CISO Isn’t Real, but His Problems Sure Are

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/02/22/this-ciso-isnt-real-but-his-problems-sure-are/

In 2021, data breaches soared past 2020 levels. This year, it’s expected to be worse. The odds are stacked against this poor guy (and you) now – but a unified extended detection and response (XDR) and SIEM restacks them in your favor.

Take a few minutes to check out this CISO’s day, and you’ll see how.

Go to this resource-rich page for smart, fast information, and a few minutes of fun too. Don’t miss it.

Still here on this page reading? Fine, let’s talk about you.

Most CISOs like adrenaline, but c’mon

Cybersecurity isn’t for the fragile foam flowers among us, people who require shade and soft breezes. A little chaos is fun. Adrenaline and cortisol? They give you heightened physical and mental capacity. But it becomes problematic when it doesn’t stop, when you don’t remember your last 40-hour week, or when weekends and holidays are wrecked.

Work-life balance programs are funny, right?

A lot of your co-workers may be happy, but life in the SOC is its own thing. CISOs average about two years in their jobs. And 40% admit job stress has affected their relationships with their partners and/or children.

Many of your peers agree: Unified SIEM and XDR changes everything

A whopping 88% of Rapid7 customers say their detection and response has improved since they started using InsightIDR. And 93% say our unified SIEM and XDR has helped them level up and advance security programs.

You have the power to change your day. See how this guy did.

The Big Target on Cyber Insurers’ Backs

Post Syndicated from Paul Prudhomme original https://blog.rapid7.com/2022/02/08/the-big-target-on-cyber-insurers-backs/

Here at IntSights, a Rapid7 company, our goal is to equip organizations around the world with an understanding of the threats facing them in today’s cyber threat landscape. Most recently, we took a focused look at the insurance industry — a highly targeted vertical due to the amount of personally identifiable information (PII) these organizations hold. We’ve collected our findings in the “2022 Insurance Industry Cyber Threat Landscape Report,” which you can read in full right now.

While conducting this research, one key takeaway caught my eye: the big target on cyber insurers’ backs. Some of these organizations provide cyber insurance coverage for businesses, so in the event of a breach that imposes significant costs on a targeted business, that business is not 100% financially liable.

According to our cyber threat intelligence research, cyber insurance providers are even more appealing targets for bad actors in an industry already full of appealing targets. That begged the question: Why are cyber insurers so highly targeted? And what can they do to protect themselves in the face of these threats?

Cyber insurance providers are data goldmines

Typically, bad actors are angling to breach insurance companies to access PII or to collect policyholder details that they can use for insurance fraud. However, when hackers target cyber insurers, they’re seeking even more specific types of data, such as cyber insurance policy details and information outlining the security standards cyber insurance clients follow.

Why is this the case? A ransomware operation could, for example, leverage this information to build a list of potential targets covered under a cyber insurance policy. Some cyber insurance providers will pay an insured victim’s ransom, and if this is stated in the policy, these clients will bump up on the list of high-value targets, because the bad actors may assume they’re more likely to pay a ransom.

Knowledge of the security standards cyber insurers require their customers to fulfill is also dangerous in the wrong hands. It can help attackers craft their techniques to evade victims’ security measures. For example, they may completely avoid strongly defended points of entry and instead target areas of the perimeter with weaker protections. While not a guaranteed path to success, it gives bad actors more information to work with, and that’s never a good thing.

These are very real — and unique — threats facing the cyber insurance segment, and we’ve seen a few breaches like this play out already. In 2021, CNA Financial, a leading US insurance company that provides cyber insurance policies, suffered a cyberattack and reportedly paid a ransom of $40 million USD to ransomware operators.

Other cyber insurance companies that experienced breaches include Tokio Marine Insurance Singapore in August 2021 and global cyber insurer AXA in May 2021. The AXA breach happened shortly after it announced it would stop reimbursing new French customers for ransom payments after ransomware attacks. This was in response to claims by French officials that cyber insurance coverage of ransom payments encouraged more ransomware attacks and higher ransom demands. The attackers may have aimed to punish AXA for this decision, just going to show that the French officials may have been correct in their claim.

How cyber insurers can better protect their data

To defend themselves and their clients against ransomware attacks and data breaches, cyber insurers can follow a few simple steps:

  • Avoid publicly identifying specific customers by name for any reason. For example, it’s common practice to list the names of your biggest brands or enterprise clients on your website. However, this may make your business more appealing to hackers. They may view your organization as a gateway to gain access to your clients — if they can break through your security perimeter, they may get an even larger payload of data from the clients that can foot more expensive ransoms.
  • Refrain from listing any details about the cyber insurance policies you provide. If you publish information about how much your policy compensates the insured in the event of a ransomware attack or security breach, bad actors can use this data to calculate an optimal ransom amount that’s high enough to maximize profit but low enough for victims to accept. As such, your policy details will need extra protection, including encryption and network segmentation.
  • Scrutinize public-facing web applications and other infrastructure, like automated quote tools. Misconfiguration of these applications and bugs can inadvertently expose customer data. Hackers will often target these types of online portals and tools to learn more about a cyber insurer’s policies, and in some cases, they can even gain access to the information they store, which can then be exploited.
  • Finally, employ rigorous cyber threat intelligence. A key component of any risk management and cybersecurity strategy, threat intelligence can help cyber insurance providers understand the types of data that bad actors hope to steal from them, the methods they may use to obtain it, and even the ransomware operators targeting them. These insights can help your team shore up security against impending threats and remediate malicious actions faster in the event of a breach.

By following these recommendations, cyber insurance providers around the world can better protect their data as well as the sensitive information of their partners, clients, and customers. Because of all the valuable data these organizations house, the target on their backs won’t go away, so the best defensive strategy is a proactive one. Comprehensive cyber threat intelligence can play a critical role there.

Take a deep dive into the threats facing the insurance industry today by reading the full research report here: “2022 Insurance Industry Cyber Threat Landscape Report.”

Velociraptor Version 0.6.3: Dig Deeper With More Speed and Scalability

Post Syndicated from Carlos Canto original https://blog.rapid7.com/2022/02/03/velociraptor-version-0-6-3-dig-deeper-with-more-speed-and-scalability/

Rapid7 is very excited to announce the latest Velociraptor release 0.6.3. This release has been in the making for a few months now and has several exciting new features.

Scalability and speed have been the main focus of development since our previous release. Working with some of our larger partners on scaling Velociraptor to a large number of endpoints, we’ve addressed a number of challenges that we believe have improved Velociraptor for everyone at any level of scale.

Performance running on EFS

Running on a distributed filesystem such as EFS presents many advantages, not the least of which is removing the risk that disk space will run out. Many users previously faced disk full errors when running large hunts and accidentally collecting too much data from endpoints. Since Velociraptor is so fast, it’s quite easy to do a hunt collecting a large number of files, but before you know it, the disk may be full.

Using EFS removed this risk, since storage is essentially infinite (but not free). So there is a definite advantage to running the data store on EFS even when not running multiple frontends. When scaling to multiple frontends, EFS use is essential to facilitate a shared distributed filesystem among all the servers.

However, EFS presents some challenges. Although conceptually EFS behaves as a transparent filesystem, in reality the added network latency of EFS IO has caused unacceptable performance issues.

In this release, we employed a number of strategies to improve performance on EFS — and potentially other distributed filesystems, such as NFS. You can read all about the new changes here, but the gist is that added caching and delayed writing strategies help isolate the GUI performance from the underlying EFS latency, making the GUI snappy and quick even with slow filesystems.

We encourage everyone to test the new release on an EFS backend, to assess the performance on this setup — there are many advantages to this configuration. While this configuration is still considered experimental, it’s running successfully in a number of environments.

Searching and indexing

More as a side effect of the EFS work, Velociraptor 0.6.3 moves the client index into memory. This means that searching for clients by DNS name or labels is almost instant, significantly improving the performance of these operations over previous versions.

VQL queries that walk over all clients are now very fast as well. For example, the following query iterates over all clients (maybe thousands!) and checks if their last IP came from a particular subnet:

SELECT * , split(sep=":", string=last_ip)[0] AS LastIp
FROM clients()
WHERE cidr_contains(ip=LastIp, ranges="192.168.1.0/16")

This query will complete in a few seconds even with a large number of clients.

The GUI search bar can now search for IP addresses (e.g. ip:192.168*), and the online only filter is much faster as a result.

Figure: Searching is much faster

Another benefit of rapid index searching is that we can now quickly estimate how many hosts will be affected by a hunt (calculated based on how many hosts are included and how many are excluded from the hunt). When users have multiple label groups, this helps to quickly understand how targeted a specific hunt is.

Figure: Estimating hunt scope

Regular expressions and Yara rules

Velociraptor artifacts are just a way of wrapping a VQL query inside a YAML file for ease of use. Artifacts accept parameters that are passed to the VQL itself, controlling how it runs.

Velociraptor artifacts accept a number of parameters of different types. Sometimes, they accept a Windows path — for example, the Windows.EventLogs.EvtxHunter artifact accepts a Windows glob path like %SystemRoot%\System32\Winevt\Logs\*.evtx. In the same artifact, we can also provide a PathRegex, which is a regular expression.

A regular expression is not the same thing as a path at all. In fact, when users get mixed up providing something like C:\Windows\System32 to a regular expression field, this is an invalid expression — backslashes have a specific meaning in a regular expression.

In 0.6.3, there are now dedicated GUI elements for Regular Expression inputs. Special regex patterns, such as backslash sequences, are visually distinct. Additionally, the GUI verifies that the regex is syntactically correct and offers suggestions. Users can type ? to receive further regular expression suggestions and help them build their regex.

Figure: Entering regex in the GUI

To receive a RegEx GUI selector in your custom artifacts, simply denote the parameter’s type as regex.
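The path-versus-regex mix-up described above, as an added example that is not Velociraptor's own code. It assumes Go's standard regexp package as the expression engine; the sample paths and the function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
)

// MatchesPath compiles pattern as a regular expression and reports whether it
// matches target. Compile errors are returned to the caller, not swallowed.
func MatchesPath(pattern, target string) (bool, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(target), nil
}

// EscapePath turns a literal path into a regex that matches exactly that text.
func EscapePath(path string) string {
	return regexp.QuoteMeta(path)
}

// Diagnose says what a regex field would do with input when the analyst
// expects it to match target: "rejected", "silent-miss" or "match".
func Diagnose(input, target string) string {
	ok, err := MatchesPath(input, target)
	switch {
	case err != nil:
		// e.g. \U is not a valid escape, so the expression does not compile.
		return "rejected"
	case !ok:
		// e.g. \W and \S are character classes, so the expression compiles
		// but no longer describes the path the analyst typed.
		return "silent-miss"
	default:
		return "match"
	}
}

func main() {
	// Constructed sample inputs: raw paths typed into a regex parameter.
	cases := []struct{ input, target string }{
		{`C:\Users\Public`, `C:\Users\Public\notes.txt`},
		{`C:\Windows\System32`, `C:\Windows\System32\cmd.exe`},
		{EscapePath(`C:\Windows\System32`), `C:\Windows\System32\cmd.exe`},
	}
	for _, c := range cases {
		fmt.Printf("%-24s -> %s\n", c.input, Diagnose(c.input, c.target))
	}
}
```

The "silent-miss" case is the one that matters for hunting: the expression is accepted, the query returns no rows, and the empty result can be mistaken for a clean endpoint.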

Similarly, other artifacts require the user to enter a Yara rule to use the yara() VQL plugin. The Yara domain specific language (DSL) is rather verbose, so even for very simple search terms (e.g. a simple keyword search) a full rule needs to be constructed.

To help with this task, the GUI now presents a specific Yara GUI element. Users can press ? to automatically fill in a skeleton Yara rule suitable for a simple keyword match. Additionally, syntax highlighting gives visual feedback on the validity of the Yara syntax.

Figure: Entering Yara Rules in the GUI

Some artifacts allow file upload as a parameter to the artifact. This allows users to upload larger inputs, for example a large Yara rule-set. The content of the file will be made available to the VQL running on the client transparently.

To receive a Yara GUI selector in your custom artifacts, simply denote the parameter’s type as yara. To allow uploads in your artifact parameters, simply denote the parameter as an upload type. Within the VQL, the content of the uploaded file will be available as that parameter.

Overriding Generic.Client.Info

When a new client connects to the Velociraptor server, the server performs an Interrogation flow by scheduling the Generic.Client.Info artifact on it. This artifact collects basic metadata about the client, such as the type of OS it is, the hostname, and the version of Velociraptor. This information is used to feed the search index and is also displayed in the “VQL drilldown” page of the Host Information screen.

In the latest release, it’s possible to customize the Generic.Client.Info artifact, and Velociraptor will use the customized version instead to interrogate new clients. This allows users to add more deployment specific collections to the interrogate flow and customize the “VQL drilldown” page. Simply search for Generic.Client.Info in the View Artifact screen, and customize as needed.

Root certificates are now embedded

By default, Golang searches for root certificates from the running system so it can verify TLS connections. This behavior caused problems when running Velociraptor on very old unpatched systems that did not receive the latest Let’s Encrypt Root Certificate update. We decided it was safer to just include the root certs in the binary so we don’t need to rely on the OS itself.

Additionally, Velociraptor will now accept additional root certs embedded in its config file — just add all the certs in PEM format under the Client.Crypto.root_certs key in the config file. This helps deployments that must use a MITM proxy or traffic inspection proxies.

When adding a Root Certificate to the configuration file, Velociraptor will treat that certificate as part of the public PKI roots — therefore, you’ll need to have Client.use_self_signed_ssl as false.

This allows Velociraptor to trust the TLS connection — however, bear in mind that Velociraptor’s internal encryption channel is still present. The MITM proxy won’t be able to actually decode the data or interfere with the communications by injecting or modifying data. Only the outer layer of TLS encryption can be stripped by the MITM proxy.
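Why the extra PEM root is needed behind an inspection proxy, as an added example that is not Velociraptor's code. It covers only the outer TLS layer, using Go's crypto/x509 as a stand-in for the client's trust logic; both CAs, the host name and all function names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issued is a throwaway certificate generated at run time (constructed data).
type issued struct {
	cert    *x509.Certificate
	key     *ecdsa.PrivateKey
	certPEM []byte
}

// issue creates a certificate for cn. With parent == nil it is a self-signed
// CA root; otherwise it is a server certificate for DNS name cn signed by parent.
func issue(cn string, parent *issued) (*issued, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signerCert, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return &issued{cert: cert, key: key, certPEM: certPEM}, nil
}

// VerifyServer checks leaf for dnsName against a pool built only from the
// given PEM bundles, the way embedded roots plus configured extras would be.
func VerifyServer(leaf *x509.Certificate, dnsName string, rootPEMs ...[]byte) error {
	pool := x509.NewCertPool()
	for _, p := range rootPEMs {
		if !pool.AppendCertsFromPEM(p) {
			return errors.New("no certificate found in PEM input")
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: dnsName})
	return err
}

// Demo returns the verification result without and with the proxy root trusted.
func Demo() (withoutExtra, withExtra, setupErr error) {
	embedded, err := issue("Constructed Public Root", nil)
	if err != nil {
		return nil, nil, err
	}
	proxyCA, err := issue("Constructed Inspection Proxy CA", nil)
	if err != nil {
		return nil, nil, err
	}
	const host = "frontend.example.test"
	// The proxy re-signs the server certificate with its own CA.
	leaf, err := issue(host, proxyCA)
	if err != nil {
		return nil, nil, err
	}
	withoutExtra = VerifyServer(leaf.cert, host, embedded.certPEM)
	withExtra = VerifyServer(leaf.cert, host, embedded.certPEM, proxyCA.certPEM)
	return withoutExtra, withExtra, nil
}

func main() {
	without, with, err := Demo()
	fmt.Println("setup error:", err)
	fmt.Println("embedded roots only:", without)
	fmt.Println("embedded + proxy root:", with)
}
```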

VQL changes

Glob plugin improvements

The glob plugin now has a new option: recursion_callback. This allows much finer control over which directories to visit, making file searches much more efficient and targeted. To learn more about it, read our previous Velociraptor blog post “Searching for Files.”

Notable new artifacts

Many people use Velociraptor to collect and hunt for data from endpoints. Once the data is inspected and analyzed, often the data is no longer needed.

To help with the task of expiring old data, the latest release incorporates the Server.Utils.DeleteManyFlows and Server.Utils.DeleteMonitoringData artifacts that allow users to remove older collections. This helps manage disk usage and reduce ongoing costs.

Try it out!

If you’re interested in the new features, take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing [email protected]. You can also chat with us directly on our Discord server.

Demystifying XDR: Where SIEM and XDR Collide

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/02/02/demystifying-xdr-where-siem-and-xdr-collide/

Innovations solve longstanding problems in creative, impactful ways — but they also raise new questions, especially when they’re in the liminal space between being an emerging idea and a fully fledged, widely adopted reality. One of the still-unanswered questions about extended detection and response (XDR) is what its relationship is with security information and event management (SIEM), a more broadly understood and implemented product category that most security teams have already come to rely on.

When looking at the foundations of XDR, it seems like it could be a replacement for, or an alternative to, SIEM. But as Forrester analyst Allie Mellen noted in her recent conversation with Rapid7’s Sam Adams, VP for Detection and Response, the picture isn’t quite that simple.

“Some SIEM vendors are repositioning themselves as XDR,” Allie said, “kind of trying to latch onto that new buzzword.” She added, “The challenge with that is it’s very hard to see what they’re able to offer that’s actually differentiating from SIEM.”

Where SIEM stands today

To really understand how the rise of XDR is impacting SIEM and what relationship we should expect between the two product types, we first need to ask a key question: How are security operations center (SOC) teams actually using their SIEMs today?

At Forrester, Allie recently conducted a survey asking SOC teams this very question. While some have focused on the compliance use case as a main driver for SIEM adoption, Allie found that just wasn’t the case with her survey respondents. Overwhelmingly, security analysts are using their SIEMs for detection and response, making it the core tool within the SOC.

More than that, Allie’s survey actually found the old adage that security teams hate their SIEMs just isn’t true. The vast majority of analysts she surveyed love using their SIEMs (even if they wish it cost them less).



Together, for now

With SIEM claiming such an integral role in the SOC, Allie acknowledged that we likely shouldn’t expect it to be simply replaced by XDR in the near term.

“For the time being, I definitely see XDR and SIEM living together in a very cohesive fashion,” she said.

She went on to suggest that maybe in 5 years or so, we’ll start to see XDR offerings that truly tackle all SIEM use cases and fully deliver on some capabilities that are only in the realm of possibility today. But until XDR can fully address compliance, for example, we’re likely to see it exist alongside and, ideally, in harmony with SIEM.

The XDR opportunity

So, what will that coexistence of SIEM and XDR look like? Sam suggested it might be the fulfillment of the original vision of SIEM solutions like InsightIDR: to make the security analyst superhuman by enabling them to be hyper-efficient at detecting and responding to threats. Allie echoed this sentiment, noting that XDR is all about elevating the role of the SOC analyst rather than automating their tasks away.

“I am not a big believer in the autonomous SOC or this idea that we’re going to take away all the humans from this process,” she said. “At the end of the day, it’s a human-to-human fight. The attackers are not automating themselves away, so it’s very unlikely that we’ll be able to create a product that can keep up with as many human beings as there are attacking us all the time.”

For Allie, the really exciting thing about XDR is its potential to humanize security operations. By reducing the amount of repetitive work analysts have to do, it frees them up to be truly creative and visionary in their threat detection efforts. This can also help improve retention rates among security pros as organizations scramble to fill the cybersecurity skills gap.

“It’s a lofty dream, a lofty vision,” Allie acknowledged, “but XDR is definitely pushing down that path.”

Want more XDR insights from our conversation with Allie? Check out the full talk.

2021 Cybersecurity Superlatives: An InsightIDR Year in Review

Post Syndicated from KJ McCann original https://blog.rapid7.com/2022/01/31/2021-cybersecurity-superlatives-an-insightidr-year-in-review/

We laughed, we cried, we added over 750 new detections. It’s been a rollercoaster of a year for everyone. So let’s have some fun with our 2021 year in review — shall we?

The last year was an exciting one for InsightIDR, Rapid7’s industry-leading extended detection and response (XDR) and SIEM solution. We used the past 12 months to continually invest in the product to help customers level up their security programs and achieve success in their desired outcomes. A major highlight for InsightIDR was being named as a Leader in the 2021 Gartner Magic Quadrant for SIEM for the second year in a row. We are honored to be recognized as one of the six 2021 Magic Quadrant Leaders — and in celebration, we’d like to announce a few awards ourselves for 2021, high-school-superlative style.

Presenting our 2021 superlatives (drum roll, please)…

Most likely to be overworked: Cybersecurity professionals

“We need more time!” exhausted cybersecurity specialists shout into the void. Luckily, we deployed our Insight Agent into the void, so we heard you. While we were in there, we also picked up the following alerts:

  • There aren’t enough people to do it all.
  • More than 3 out of 4 CISOs have 16 or more cybersecurity products, and 12% have 46 or more (my head is spinning).
  • It is getting more difficult to recruit and hire new professionals onto security teams.
  • The workload is growing, and teams are suffering from burnout.

We heard the problem — and took action with our products. Our product updates focused on the following:

  • Improved detection and response capabilities: We added strong detections with a more comprehensive view of threats.
  • Greater efficiency: We helped teams cut down the number of disparate tools and events they have to manage, providing automation and leveling up analysts by giving them embedded guidance and a common experience.
  • Improved scale and agility: When your organization evolves and grows, so do we.
  • Customization: Every environment is unique, and we want to make sure InsightIDR not only works well but works the way you want it.

All sounds good, right? Let’s keep going down the list to see how we continued to evolve our product to align with these themes.

Most likely to (help you) succeed: MITRE ATT&CK mapping in InsightIDR

Red pill or blue pill… Psych! They are both the same pill. Welcome to the matrix — the MITRE ATT&CK matrix, that is.

As of Q4 2021, all of our Attacker Behavior Analytics (ABA) map to the ATT&CK framework in InsightIDR.

OK, great… so what does that mean for you?

MITRE ATT&CK matrix for detection rules: Within the Detection Rules tab, you now have a direct view into where you have coverage with Rapid7’s out-of-the-box detection library across common attacker tactics and techniques, and you can also quickly unlock more context and intelligence about detections.

Refreshed Investigation Management experience: Now, you can click into the new MITRE ATT&CK tab of the Evidence panel in Investigation to see descriptions of each tactic, technique, and sub-technique curated by MITRE. Then go directly to attack.mitre.org for more information.

Learn more about InsightIDR and the MITRE ATT&CK matrix.

Best glow-up: Our Investigation Management experience

A security analyst’s time is precious and limited. That’s why we upgraded our Investigation Management experience to help you manage, prioritize, and triage investigations faster. Make sure you check out the following:

  • A revamped user interface with expandable cards displaying investigation information
  • The ability to view, set, and update the priority, status, or disposition of an investigation
  • Filtering by the following fields: date range, assignee, status, priority level
  • That sweet MITRE integration we talked about earlier

Most sophisticated: Our customization capabilities

InsightIDR customers now have more customization and increased visibility for ABA detections. We’re continuing to make improvements and additions to our detections management experience.

  • Detection rules: Filter detection rules by threat group, rule behavior, and attributes for more visibility into your alerts and investigations.
  • Create exceptions to a detection rule: With exceptions for ABA alerts, you can filter out noise very precisely using data from the alert.
  • New detection rules management interface: With this new interface, you can see a priority field for each detection provided by InsightIDR with new actions available.
  • Customizable priorities for UBA detection rules and custom alerts: Associate a rule priority (Critical, High, Medium, or Low) for all UBA and custom alert detection rules.
  • A simplified way to create exceptions: We added a new section to detection rule details within “create exception” to better inform on which data to write exceptions against. So now, when you go to write exceptions, you have all the information you may need within one window.

Most likely to brighten up your day: Pre-built dashboards and enhanced search capabilities

InsightIDR’s Dashboard Library has a growing repository of pre-built dashboards to save you time and eliminate the need for you to build them from scratch. Our pre-built dashboards are accessible to all users. We added the following dashboards to provide you with immediate value, out of the box.

  • Compliance (PCI, HIPAA, ISO)
  • General Security (Firewall, Asset Authentication)
  • Security Tools (Okta, Palo Alto, Crowdstrike)
  • Enhanced Network Traffic Analysis
  • Cloud Security

Check out the whole dashboard library here.

Speaking of saving time, we continued to make investments in Log Search to make searching for actionable information faster and easier for customers. Spend less time searching and more time fighting off the bad guys. You’ve never seen Spiderman spend an hour searching an address in a phone book, have you?

Power couple: IntSights Threat Intelligence and Rapid7’s Insight Platform

This year Rapid7 acquired IntSights, a leading provider of external threat intelligence and remediation. Their flagship external threat intelligence product, Threat Command, is now part of our Rapid7 portfolio.

Threat Command allows any SecOps team, regardless of size or capability maturity, to expand identification and remediation across an ever-expanding attack surface, while automating threat mitigation.

IntSights is already leveling up threat intelligence at Rapid7 — and we are so excited for more synergies on the road ahead in 2022.

We know this romance is going to last. Congrats to the lovely couple!

Brightest future: Rapid7 customers

Our 2022 New Year’s resolution is to not just be your technology vendor but to be your strategic partner. Complacency is not in our vocabulary, so make sure you keep up to date with all of our upcoming releases as we continue to level up your InsightIDR experience with more capabilities, context, and customization while keeping our intuitive user experience.

Our customers’ outcomes define our success, and we wouldn’t have it any other way. We are looking forward to accelerating together.

Have a great year!

The Great Resignation: 4 Ways Cybersecurity Can Win

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/01/24/the-great-resignation-4-ways-cybersecurity-can-win/

Pandemics change everything.

In the Middle Ages, the Black Death killed half of Europe’s population. It also killed off the feudal system of landowning lords exploiting laborer serfs. Rampant death caused an extreme labor shortage and forced the lords to pay wages. Eventually, serfs had bargaining power and escalating wages as aristocrats competed for people to work their lands.

Think we invented “The Great Resignation?” 14th-century peasants did.

Last year, more than 40 million Americans quit their jobs. The trend raged across Europe. Workers in China went freelance. The Harvard Business Review reports resignations are highest in tech and healthcare, both seriously strained by the pandemic. Of course, cybersecurity has had a talent shortage for years now. As 2022 and back-to-office plans take shape, expect another tidal wave.

Here are four ideas about how to prepare for it and win.

1. You’ll do better if you label it The Great Rethinking

COVID-19’s daily specter of illness and death has spurred existential questions. “If life is so short, what am I doing? Is this all there is?”

Isolated with family every day, month after month, some of us have decided we’re happier than ever. Others are causing a big spike in divorce and the baby bust. Either way, people are confronting the quality of their relationships. Some friendships have made it into our small, carefully considered “safety pods,” and others haven’t.

As we rethink our most profound human connections, we’re surely going to rethink work and how we spend most of our waking hours.

2. Focus on our collective search for meaning

A mere 17% of us say jobs or careers are a source of meaning in life. But here, security professionals have a rare advantage.

Nearly all cybercrime is conducted by highly organized criminal gangs and adversarial nation states. They’ve breached power grids and pipelines, air traffic, nuclear installations, hospitals, and the food supply. Roughly 1 in 20 people a year suffer identity theft, which can produce damaging personal consequences that drag on and on. In December, hackers shut down city bus service in Honolulu and the Handi-Van, which people with disabilities count on to get around.

How many jobs can be defined simply and accurately as good vs evil? How many align everyday people with the aims of the FBI and the Department of Justice? With lower-wage workers leading the Great Resignation last year, the focus has been on salary and raises. But don’t underestimate meaning.

3. Winners know silos equal stress and will get rid of them

Along with meaning and good pay, consider ways to make your security operations center (SOC) a better place to be. Consolidate your tools. Integrate systems. Extend your visibility. Improve signal-to-noise ratio. The collision of security information and event management (SIEM) and extended detection and response (XDR) protects you from a whole lot more than malicious attacks.

Remote work, hybrid work, and far-flung digital infrastructure are here to stay. So are attackers who’ve thrived in the last two years, shattering all records. If you’re among the 76% of security professionals who admit they really don’t understand XDR, know you’re not alone – but also know that XDR will soon separate winners from losers. Transforming your SOC with it will change what work is like for both you and your staff, and give you a competitive advantage.

4. You can take this message to the C-suite

Lower-wage workers started the trend, but CEO resignations are surging now (and it’s not just Jeff Bezos and Jack Dorsey). They’re employees, too, and the Great Rethinking has also arrived in their homes. Maybe COVID-19 meant they finally spent real time with their kids, and they’d like more of it, please. Maybe they’re exhausted from communicating on Zoom for the last two years. Maybe they think a new deal is in order for everyone.

As you make the case for XDR, consider your ability to give new, compelling context to your recommendations. XDR is the ideal collaboration between humans and machines, each doing what they do best. It reduces the chance executives will have to explain themselves on the evening news. It helps create work-life balance. Of course it makes sense.

And what about when things get back to normal? The history of diseases is they don’t really leave and we don’t really return to “normal.” Things change. We change. You can draw a straight line from the Black Death, to the idea of a middle class, then to the Renaissance. Here’s hoping.

Want more info on how XDR can help you meet today’s challenges?

Check out our resource center.

Evaluating MDR Vendors: A Pocket Buyer’s Guide

Post Syndicated from Mikayla Wyman original https://blog.rapid7.com/2022/01/13/evaluating-mdr-vendors-a-pocket-buyers-guide/

Cyberthreats are now the No. 1 source of stress among CEOs, with 71% of respondents to PwC’s 2021 CEO Study reporting they are “extremely concerned” about the issue. At the same time, the cybersecurity skills gap continues to grow, with 95% of security pros saying the shortage of talent in their field hasn’t improved. So while the seriousness of the problem has increased, the availability of in-house resources to adequately address it has not — particularly when it comes to finding talent with the specialized skills in detection and response.

These trends have led many organizations to partner with managed detection and response (MDR) service providers to address resource and skills gap challenges and build a strong competency to find and stop attackers in their environment.

By instantly extending your internal team’s capabilities with detection and response experts, MDR services can provide you the confidence that your environment is protected at all times.

And for those that struggle to build a fully staffed security operations center (SOC) with the right headcount, technology, and process to be effective — all while staying under a tight budget — MDR may provide a cost-effective method to quickly stand up a complete detection and response program.

In our 2022 MDR Buyer’s Guide, we outline the core capabilities that provide the foundation for evaluating MDR vendors. They include:

  • 24×7 SOC team with expert analysts
  • Extended detection and response (XDR) technology
  • Strategic guidance and collaboration
  • Threat hunting
  • Managed response
  • Digital forensics and incident/breach response (DFIR)
  • Automation
  • Simple, predictable pricing
  • SLA delivery standards

If you’re looking for a deep dive into each of these criteria, download the full guide!

In this post, we’ll streamline the discussion into 4 big-picture questions, providing you a quick-reference guide to use in the early stages of your MDR vendor selection journey, as you begin to identify your needs and narrow down your options.

1. Is this partner simply an outsourced SOC, or can they help us advance our overall security program?

An MDR provider is not just a vendor but a partner — and people are the foundation of any great partnership. You’ll want to ensure you ask the right questions regarding who will be servicing your organization and how, including:

  • How many MDR SOC analysts will be monitoring my environment 24×7?
  • What’s the experience level of the MDR SOC team we’ll be working with?
  • What is the average tenure and attrition rate of the team?
  • Will your partner suggest operational and strategic guidance to improve your program based on real-time threat monitoring and proactive threat hunting?
  • Is there someone who will be our Security Advisor that we meet with regularly?
  • What is the customer experience like when I need to connect with the MDR team?

2. Do they have the right tools at their disposal?

MDR combines real-time threat monitoring across the most critical elements of your IT environment — endpoints, network, users, and cloud sources. And in case you haven’t noticed, those environments are becoming increasingly complex. The cloud is enabling rapid scaling, and threats can come from virtually anywhere.

To carry out their duties well in this context, MDR providers need to be using the right XDR technology for complete visibility and coverage. Here are some questions to ask that can help you get a better sense of how the MDR vendors you’re considering approach their technology implementation — and how that affects you as the customer.

  • Is the MDR SOC team using multiple third-party solutions, or a technology built by an embedded engineering team?
  • How do you detect threats that bypass preventative controls?
  • Will I have full access to your back-end technology? If not, will you provide self-service log search and dashboards?
  • Does the SOC perform proactive threat hunts on top of the real-time detections?
  • Will we have the ability to add SOAR automation capabilities to expedite the remediation process?

3. Can they pair insight with action?

The last thing you want to hear from an MDR provider is, “Hey, we found this threat — now you have to go fix it.” The vendors you’re considering should have a managed response approach to effectively curb attacks after detection.

To understand when and how vendors will respond to threats they detect, start with these key questions:

  • What types of managed response actions will the MDR SOC advisors take?
  • In what instances will the MDR service take response action on our behalf?
  • Will I have the opportunity to deny the containment response if I don’t want the SOC team to take action?

4. Does the service scale to our needs and budget?

Even if an MDR vendor sounds great on paper across all of these points, that doesn’t necessarily mean they’re right for you. After all, you wouldn’t buy a two-seater car as your primary vehicle for a family of four. It’s critical to evaluate your MDR provider on the axes of your program maturity and desired security outcomes — both as it is now and for your goals for the future. Here are a few questions that will help you get a sense of whether an MDR vendor’s service and pricing structure fits your organization’s requirements.

  • How is the MDR service priced?
  • In the event of a breach, does MDR include DFIR as you’d get if you had an incident response retainer?
  • Are there data allotment or retention limitations?
  • What is your mean time to detect (MTTD) and mean time to respond (MTTR)?

These kinds of questions should help point you in the right direction in your initial conversations with potential MDR vendors. As you begin to make more fine-tuned decisions, you’ll want to have a few more detailed questions to ask — which means understanding the ins and outs of the MDR landscape a little more fully.

Check out our full MDR Buyer’s Guide for 2022 to help you navigate your choices with confidence and clarity.

Demystifying XDR: How Humans and Machines Join Forces in Threat Response

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/01/12/demystifying-xdr-how-humans-and-machines-join-forces-in-threat-response/

In our first post on demystifying the concepts and practices behind extended detection and response (XDR) technology, Forrester analyst Allie Mellen joined Sam Adams, Rapid7’s VP for Detection and Response, to outline the basic framework for XDR and highlight the key outcomes it can help security teams achieve. One of the core components of XDR is that it expands the sources of telemetry available to security operations center (SOC) teams so they have richer, more complete data to help them detect and respond to threats.

That raises the question: How do SOC analysts keep productivity high while sifting through huge volumes of data?

Automation is one of the key ways SOC teams make their processes more efficient as they identify the most relevant threats and initiate the right responses. But automation can’t do everything an analyst can, and finding the right balance between machine learning and human know-how is an essential part of a successful XDR implementation.

Become the bridge

As Sam pointed out in his discussion with Allie, the security analyst acts as a bridge between what the data is saying and what the right course of action is in response to it.

“I got the alert, and you know, that’s not the hard part anymore,” he said. “The hard part is responding to the alert and figuring out what to do with that alert – and really, what the impact is on my company.”

For Allie, XDR helps analysts find a balance between security and productivity, but not by leaning too heavily on automation. In fact, she suggested we’ve had a “misplaced hope” for what machine learning can help us accomplish. Instead, it’s about setting up automation that augments the analysts’ work by helping them ask the right questions up front — and get to the answers faster.

The expert and the end user

In addition, automation can’t always tell us who the expert actually is about a particular security event. Sam gave the example of a suspicious login from Bermuda: After receiving that alert, it’s actually no longer the analyst who’s the expert on that incident, but the end user who was involved. The logical next step is to pick up the phone or send an email and ask that user, “Are you in Bermuda?” — and that takes a human touch rather than an automated action.

“We assume we can get everything we need from the tools,” Allie pointed out, “and they abstract us away from the rest of the enterprise in that way. But it can be just as easy as turning to the person next to you and saying, ‘Hey, did you log into this?’”

Allie went on to note that this is one of the main reasons why it’s so important to foster a security culture throughout the whole business. When you build connections between the security team and individuals from other parts of the organization, and keep that rapport strong over time, SOC analysts can get many of the answers they need from their peers in other departments — and get to the answers much more quickly and accurately than a machine ever could.

Culture is a uniquely human thing, one that machines can never replicate or replace — and security culture is no exception. XDR broadens the data and tools that SOC teams can use to help them protect the organization, but even the best technology is no replacement for an educated team of end users who know how to implement security best practices, not to mention the sharp insights of seasoned SOC analysts. The real magic happens when all these elements, human and automated, work together — and in an XDR model, automation fills the gaps instead of taking center stage.

Want more XDR insights from our conversation with Allie? Check out the full talk.

What’s New in InsightIDR: Q4 2021 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/01/06/whats-new-in-insightidr-q4-2021-in-review/

More context and customization around detections and investigations, expanded dashboard capabilities, and more.

This post offers a closer look at some of the recent releases in InsightIDR, our extended detection and response (XDR) solution, from Q4 2021. Over the past quarter, we delivered updates to help you make more informed decisions, accelerate your time to respond, and customize your detections and investigations. Here’s a rundown of the highlights.

More customization options for your detection rules

InsightIDR provides a highly curated detections library, vetted by the security operations center (SOC) experts on our managed detection and response (MDR) team — but we know some teams may want the ability to fine-tune these even further. In our Q3 wrap-up, we highlighted our new detection rules management experience. This quarter, we’ve made even more strides in leveling up our capabilities around detections to help you make more informed decisions and accelerate your time to respond.

Attacker Behavior Analytics Detection Rules viewed and sorted by rule priority

  • New detection rules management interface: With this new interface, you can see a priority field for each detection provided by InsightIDR with new actions available.
    • Change priority of detections and exceptions that are set to Creates Investigation as the Rule Action.
    • View and sort on priority from the main detection management screen.
    • More details on our detection rules experience can be found in our help docs, here.

  • Customizable priorities for UBA detection rules and custom alerts: Customers can now associate a rule priority (Critical, High, Medium, or Low) for all of their UBA and custom alert detection rules. The priority is subsequently applied to investigations created by a detection rule.
  • A simplified way to create exceptions: We added a new section to detection rule details within “create exception” to better inform on which data to write exceptions against. This will show up to the 5 most recent matches associated with that detection rule — so now, when you go to write exceptions, you have all the information you may need within one window.

MITRE ATT&CK Matrix for detection rules

This new view maps detection rules to MITRE tactics and techniques commonly used by attackers. The view lets you see where you have coverage with Rapid7’s out-of-the-box detection rules for common attacker use cases and dig into each rule to understand the nature of that detection.

MITRE ATT&CK Matrix within Detection Rules

Investigation Management reimagined

At Rapid7, we know how limited a security analyst’s time is, so we reconfigured our Investigation Management experience to help our users improve the speed and quality of their decision-making when it comes to investigations. Here’s what you can expect:

  • A revamped user interface with expandable cards displaying investigation information
  • The ability to view, set, and update the priority, status, or disposition of an investigation
  • Filtering by the following fields: date range, assignee, status, priority level

New investigations interface

We also introduced MITRE-driven insights in Investigations. Now, you can click into the new MITRE ATT&CK tab of the Evidence panel in Investigation to see descriptions of each tactic, technique, and sub-technique curated by MITRE and link out to attack.mitre.org for more information.

MITRE ATT&CK tab within Investigations Evidence panel

Rapid7’s ongoing emergent threat response to Log4Shell

Like the rest of the security community, we have been internally responding to the critical remote code execution vulnerability in Apache’s Log4j Java library (a.k.a. Log4Shell).

Through continuous collaboration and ongoing threat landscape monitoring, our Incident Response, Threat Intelligence and Detection Engineering, and MDR teams are working together to provide product coverage for the latest techniques being used by malicious actors. You can see updates on our InsightIDR and MDR detection coverage here and in-product.

Stay up to date with the latest on Log4Shell:

A continually expanding library of pre-built dashboards

InsightIDR’s Dashboard Library has a growing repository of pre-built dashboards to save you time and eliminate the need for you to build them from scratch. In Q4, we released 15 new pre-built dashboards covering:

  • Compliance (PCI, HIPAA, ISO)
  • General Security (Firewall, Asset Authentication)
  • Security Tools (Okta, Palo Alto, Crowdstrike)
  • Enhanced Network Traffic Analysis
  • Cloud Security

Dashboard Library in InsightIDR

Additional dashboard and reporting updates

  • Updates to dashboard filtering: Dashboard Filtering gives users the ability to further query LEQL statements and the data across all the cards in their dashboard. Customers can now populate the dashboard filter with Saved Queries from Log Search, as well as save a filter to a dashboard, eliminating the need to rebuild it every session.
  • Chart captions: We’ve added the ability for users to write plain text captions on charts to provide extra context about a visualization.
  • Multi-group-by queries and drill-in functionality: We’ve enabled Multi-group-by queries (already being used in Log search) so that customers can leverage these in their dashboards and create cards with layered data that they can drill in and out of.

Updates to Log Search and Event Sources

We recently introduced Rapid7 Resource Names (RRN), which are unique identifiers added to users, assets, and accounts in log search. An RRN serves as a unique identifier for platform resources at Rapid7. This unique identifier will stay consistent with the resource regardless of any number of names/labels associated with the resource.

In log search, an “R7_context” object has been added for log sets that have an attributed user, asset, account, or local accounts. Within the “R7_context” object, you will see any applicable RRNs appended. You can utilize the RRN as a search in log search or in the global search (which will link to users and accounts or assets and endpoints pages) to assist with more reliable searches for investigation processes.

New “r7_context” Rapid7 Resource Name (RRN) data in Log Search

Event source updates

  • Log Line Attribution for Palo Alto Firewall & VPN, Proofpoint TAP, Fortinet Fortigate: When setting up an event source you now have an option to leverage information directly present in source log lines, rather than relying solely on InsightIDR’s traditional attribution engine.
  • Cylance Protect Cloud event source: You can configure CylancePROTECT cloud to send detection events to InsightIDR to generate virus infection and third-party alerts.
  • InsightIDR Event Source listings available in the Rapid7 Extensions Hub: Easily access all InsightIDR event source related content in a centralized location.

Updates to Network Traffic Analysis capabilities

Insight Network Sensor optimized for 10Gbps+ deployments: We have introduced a range of performance upgrades that make high-speed traffic analysis more accessible using off-the-shelf hardware, so you’re able to gain east-west and north-south traffic visibility within physical, virtual, and cloud-based networks. If you want to take full advantage of these updates, check out the updated sensor requirements here.

InsightIDR Asset Page Updates: We have introduced additional data elements and visuals to the Assets page. This delivers greater context for investigations and enables faster troubleshooting, as asset and user information is in one location. All customers have access to:

  • Top IDS events triggered by asset
  • Top DNS queries

For customers with Insight Network Sensors and ENTA, these additional elements are available:

  • Top Applications
  • Countries by Asset Location
  • Top Destination IP Addresses

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Sharing the Gifts of Cybersecurity – Or, a Lesson From My First Year Without Santa

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/01/03/sharing-the-gifts-of-cybersecurity-or-a-lesson-from-my-first-year-without-santa/

Editor’s note: We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of some holiday cheer, and we hope you’re still in the spirit of the season, too. Throughout January, we’ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let’s pick up where we left off.

My kid stopped believing this year.

I did what they recommend: said she was big enough to know the truth, that we are all Santas, and now she must be one, too. Every one of us — whether December means Christmas, Hanukkah, Kwanzaa, or just winter — is expected to give generously and sometimes anonymously, just to spread the goodness. And ideally, we do it a whole lot more than once a year.

Then, the a-ha moment arrived. You know who some of the best Santas on Earth are? The cybersecurity community. It’s full of givers, mostly with names we’ll never know.

Rewind to the early years of the internet: A 15-year-old hacked the source code for NASA’s International Space Station; Russians extracted $10 million from Citibank; the Department of Justice and Los Alamos National Laboratory (site of the Manhattan Project and home to classified nuclear and weapons secrets) were breached.

What happened next? Organized beneficence

In 1999, MITRE researchers released the first searchable public record of 321 common vulnerabilities. In less than 3 years, there were 2,000+ vulnerabilities shared. By 2013, the effort resulted in the MITRE ATT&CK Framework that documented attacker tactics and techniques based on real-world observations of advanced persistent threat actors. With this framework, the security community has a common language and library to understand attackers — and what we can do to stop them.

MITRE ATT&CK is open and available to anyone for use at no charge. Of course, detailed ATT&CK mapping is part of InsightIDR’s vast library of critical attacker behaviors and endpoint detections.

Not long after MITRE published its first vulnerabilities, military systems at the Pentagon and NASA were breached by a guy looking for evidence of UFOs. The fun never ends. That same year, security expert and open source guru H.D. Moore released the first edition of his Metasploit Project with 11 exploits. Metasploit 2.0 followed quickly. With the 3.0 release, users began to contribute and a community was born.

Today, Rapid7’s Metasploit is a voluntary collaboration between 300,000+ users and contributors around the world, including Rapid7 security engineers. It includes more than 1677 exploits organized over 25 platforms, and nearly 500 payloads. And it’s a favorite of pen testers and red teamers worldwide.

The Cyber Threat Alliance took everything up a notch

A nonprofit working to improve the security of our global digital ecosystem by enabling near real-time, high-quality threat information sharing, the Cyber Threat Alliance (CTA) has staff and a technology platform for sharing advanced threat data. CTA members — often competitors — work together in good faith to distribute timely, actionable, contextualized, and campaign-based intelligence.

Rapid7 is among the members who, on average, share 5 million observable events per month. And the result: We all get ever-better at thwarting adversaries and improving our collective security.

In 2017, the holiday spirit became a quarterly thing for us

That’s the year Rapid7 released our first threat intelligence report. Today, our quarterly Threat Reports share clear, distilled learnings and practical guidance from the wealth of data we continuously gather. Our sources include:

  • Metasploit, now the world’s most used pen testing framework
  • Rapid7’s Insight platform, covering vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more
  • Rapid7’s Project Sonar, which conducts internet-wide surveys across more than 70 different services and protocols to gain insights into global exposure to common vulnerabilities typically unknown to IT teams
  • Project Heisenberg, a globally distributed, low-interaction honeypot network that monitors for malicious inbound connections, and a forum for collaboration and confirmation relationships with other internet-scale researchers
  • Our global network of Managed Detection and Response (MDR) SOCs that use and vet Rapid7 products, do proactive threat hunting along with daily triage and remote incident response, and provide raw intelligence around emergent threats

The Internet connects everyone and everything with no centralized control. We put it together that way, and there’s clearly no grand plan to make it secure. So we step up. Every time the malware operation Emotet resurfaces, a group of security researchers and system administrators reunites to fight it. (The only name we really know is what they call themselves: “Cryptolaemus.” That’s a mealy bug that goes after unhealthy plants.)

My father-in-law sent a $300 gift card to a hacker. We’re easy marks, ruled by emotions that haven’t changed much since we were cave-dwelling Paleolithic hominins.

But we’re also us. You.

Whatever winter holiday you celebrated, here’s hoping it was a good one. And that you raised a glass to all the good folks, the good fight. Don’t stop believing.

Demystifying XDR: A Forrester Analyst Lays the Foundation

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2021/12/08/demystifying-xdr-a-forrester-analyst-lays-the-foundation/

Extended detection and response (XDR) is no longer a future state in cybersecurity practice — it’s a full-fledged reality for some. In fact, it’s been a thing for a lot longer than you might think.

Still, XDR is new vocabulary for many security operations center (SOC) teams, and the contours of this wide-ranging term can often feel a little fuzzy.

Sam Adams, VP for Detection and Response at Rapid7, recently sat down with Forrester Analyst Allie Mellen to dig deeper into the conceptual framework behind XDR and unpack how organizations can benefit from this approach.

Defining XDR

Allie and her colleagues at Forrester think of XDR “as an extension of endpoint detection and response technology,” she told Sam. “It’s about taking that philosophy that endpoint detection and response vendors have had for a long time around protecting where the business data is, around protecting the endpoint, and recognizing that, ultimately, that’s not enough for a SOC.”




The key concept behind XDR is to expand the sources of telemetry that SOC teams have at their disposal in order to widen their capabilities and help them better protect their organizations.

Identifying the right detections

Sam echoed the importance of this shift in mindset. He noted that when Rapid7 first launched InsightIDR as a security information and event management (SIEM) tool, we started out with a more prescriptive mindset: “Let’s find attacker behavior we’re interested in finding and figure out what sort of data we need to collect that.” But that quickly shifted to an approach that opened up the data sources, rather than narrowing them down.

“What we realized really early in our SIEM journey, and in our journey in building a detection and response platform, was that the endpoint data was an incredibly rich source of detections,” Sam said.

But at some point, you have to figure out what detections are most important. Allie noted that while SIEM has been an integral tool for SOC teams because it lets them easily bring in new sources of telemetry, endpoint detection and response vendors are introducing tools with much more targeted detections. An XDR vendor’s ability to identify threats and author detections for them is a key value-add for many end users.

“One of the reasons that they’re drawn to XDR is because a lot of the detection engineering is done for them,” Allie said, “and they know that they can trust it because it’s backed by this vendor that specializes not only in the technology but also has a whole threat research team dedicated to finding these threats and turning them into detections.”

Threat detected — what next?

These capabilities also enhance the “R” in XDR, with dynamic response recommendations that reflect the detections themselves, rather than a predetermined playbook. And given the current cybersecurity talent shortage, it’s all the more important for security teams to democratize this skill set so they can act quickly, with better insight.

But as Allie points out, it’s the intermediary step between detection and response that often trips teams up.

“The longest part of the incident response life cycle is investigation,” she said. This step can be especially difficult when detections are particularly complex.




But while investigation and root cause analysis remain a challenge, the slow-downs in this stage of the detection-and-response life cycle provide an important insight into the gaps that XDR needs to fill.

“While tools are able to provide detections and while we can orchestrate response actions, we’re not really giving the analyst everything they need to make a decision up front,” Allie said.

3 key outcomes of XDR

With XDR, Allie says, the goal is to better understand what’s going on in your environment and what to do about it by bringing in data across telemetry sources beyond just the endpoint. This drives better outcomes in 3 core areas:

  1. Improving detection efficacy: Whether you’re looking to lighten your detection engineer’s workload or you simply don’t have one on staff, XDR aims to provide the most effective detections on an ongoing basis.
  2. Making investigation easier: XDR makes analysts’ lives easier, too, by expanding the pool of telemetry sources to provide more comprehensive data and insights on threats.
  3. Enabling faster response: With better, shorter investigations, SOC analysts will know what to do next — and be able to put the gears in motion more quickly.

By bringing these benefits along with proactive use cases like threat hunting, the vision is for XDR to become the go-to tool for everything SOC teams need to do to keep organizations secure.

Want more XDR insights from our conversation with Allie? Check out the full talk.

The End of the Cybersecurity Skills Crisis (Maybe?)

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2021/11/22/the-end-of-the-cybersecurity-skills-crisis-maybe/


In just 4 years, you can learn to be fluent in Mandarin.

In 2 years, NASA can get you through astronaut training.

But the cybersecurity skills gap? It’s dire and dead-stuck in its fifth straight year of zero progress.

Globally, 3.5 million cybersecurity jobs remain unfilled, and of those candidates who do apply for open jobs, only 25% are qualified. Industry news and conferences are full of hot takes about XDR and how it will change everything in, say, another 5 years. The question is, who has that kind of time?

And don’t count on artificial intelligence to save the day: While it will be used to combat attacks with something like a “digital immune system,” the bad guys will use AI to enable attacks, too. We’ll always need humans and machines to collaborate, each doing what they do best.

Why the answer can’t be (and isn’t) another 5 years away

You know digital transformation and cloud migration are straining traditional security tools. Most enterprises are cobbling together a (sort of) full picture, running an average of 45 different cybersecurity-related tools on their networks. Most have arduous deployments, long ramp-ups, and heavy configurations. When all that’s done, they’re still tracking multiple threat intelligence feeds, drowning in alerts, and processing them manually. (ISC)² is piloting a new, entry-level cybersecurity certification for fresh talent. Can anyone really train for all that?

But right now, today, a number of Rapid7 customers are achieving XDR efficiency and outcomes with InsightIDR. It’s reducing workloads, simplifying operations, easing staffing requirements, and preventing burnout. (If you haven’t yet, take a look at InsightIDR’s origin story, and you’ll understand exactly how and why.)

XDR is here, helping analysts at every level operate like experts

InsightIDR – a cloud-native, SaaS-delivered, unified SIEM and XDR – gives you contextualized intelligence from the clear, deep, and dark web, along with expertly vetted detections and the guided automation teams need. It fundamentally changes data analysis, investigation, threat hunting, and response.

Teams get curated detections out of the box, as well as a prescriptive approach to attacks. Expect automated response recommendations and prebuilt workflows for activities like containing threats on an endpoint, suspending user accounts, and integrating with ticketing systems like Jira and ServiceNow. Wizard guides help even the greenest analyst know where to go next.

InsightIDR also opens up end-to-end automation opportunities. You can automate common security tasks that reduce noise from alerts, directly contain threats such as malware or stolen credentials, integrate with ticketing and case management tools, and more.

Analysts handle anomalies quickly and well with intuitive search and query language, attribution of data to specific users, detailed correlation across events, and visualizations. InsightIDR lightens the workload and gives analysts a big jump start on the things that matter most.

A prediction

The day is coming (and who knows — it might be here) when cybersecurity job candidates will want to know exactly what technology they’ll be working with at your company. They’ll expect XDR. And they’ll have their own interview questions:

  • Are the more mundane, repetitive tasks automated yet?
  • Are you still tab-hopping, multi-tasking, and working distracted?
  • What’s your signal-to-noise ratio these days?
  • What’s the stress level like? Is it really a 40-hour week?

Millennials (ages 25-40) and Gen Z (recently in the job market and our future) are the most tech-savvy generations yet; Gen Z in particular is off the charts. Both put work-life balance above any other job characteristic — including pay and advancement opportunities. Techvalidate just asked InsightIDR customers if the platform ushered in better work-life balance. Almost 40% said yes.

The workplace is already trying to adjust, culturally and otherwise.

Both Millennials and Gen Z experience more anxiety and stress than older workers and their bosses. And while Millennials hope and angle for good work-life balance, Gen Z demands it rather assertively. They’ll ask for “mental health days” from time to time. No job gets to make their personal lives shambolic — it’s just not worth it. And the #1 source of job information they turn to? Your current and former employees.

If you have a band of stressed-out burnouts posting on Glassdoor, think about how that looks to a potential candidate. How you and your current staff are doing matters.

Here’s the thing — and forgive the rose-colored glasses

Cybersecurity is important, pioneering work that makes a difference. You protect companies, our economy, our country, and individual human beings. Security professionals do daily battle with criminal organizations, adversarial nation-states, and everyday duplicity. And it’s a job that didn’t even exist when most entry-level applicants were born.

Forrester analyst Allie Mellen believes in humanizing security operations, “taking away all the boring minutia we hate to do, and just leaving the really cool, creative stuff for us.” Mellen said, “XDR is definitely pushing down that path.” We think that’s an adventure anyone would line up for, as good as anything NASA has.

Start by downloading our eBook: “4 Ways XDR Levels Up Security Programs.”

Building Threat-Informed Defenses: Rapid7 Experts Share Their Thoughts on MITRE ATT&CK

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/11/04/building-threat-informed-defenses-rapid7-experts-share-their-thoughts-on-mitre-att-ck/


MITRE ATT&CK is considered by practitioners and the analyst community to be the most comprehensive framework of cybersecurity attacks and mitigation techniques available today. MITRE helps the security industry speak the same language and stick to a well-known, common framework.

To get more details on MITRE’s ATT&CK Matrix for Enterprise and its impact, I spoke with 3 members of Rapid7’s Managed Detection and Response team who have firsthand experience working with this framework every day — read our conversation below!

Laying some groundwork here, what are your thoughts on the MITRE ATT&CK framework?

John Fenninger, Manager of Rapid7’s Detection and Response Services, kicked us off by sharing his perspective:

“MITRE ATT&CK is an incredibly valuable framework for both vendors and customers. From things like compliance to more immediate needs like investigating an ongoing attack, MITRE makes it easy to see specific techniques that customers may not have heard of and helps think of tactical moves customers can protect against. With InsightIDR specifically, we align our detections to MITRE to give both our MDR SOC analysts and customers visibility into how far along a threat is on the ATT&CK chain.”

Rapid7 is not only a consumer of the MITRE ATT&CK Framework but an active contributor as well — in 2020, Rapid7 Incident Response Consultant Ted Samuels made a contribution to MITRE around a discovery for group policy objects that is now in the latest version of the ATT&CK framework.

Can you share your perspective on how the MITRE framework is used, and by whom?

When it comes to leveraging the MITRE ATT&CK framework, there are 2 key audiences to consider, says Rapid7’s Senior Detection & Response Analyst, Vidya Tambe:

“There are 2 main categories of users — people who write detections and people who do the analysis of the detections, and the MITRE framework is important for both. From the analyst side, we want to know what stage of attack each alert is at, and based on where the alert falls, we know how critical an incident is. With MITRE, we can track how an attacker got to where they are and what kind of escalations they did — overall, it helps us back-track to see what they were able to compromise.

“From the detection writing standpoint, we want to stop attacks before they get too far into someone’s environment. Attacker techniques are always evolving, and while we aim to write detections for all the phases, a primary focus is to try and write detections early on to stop attackers as early in the ATT&CK chain as possible.”

What advice do you have for security teams when it comes to leveraging the MITRE framework to drive successful detection and response?

Rapid7 Detection and Response Analyst Carlo Anez Mazurco shared some advice for teams when it comes to using the MITRE framework at their organization:

“The MITRE Framework allows us to build a threat-informed defense. It shows us the 3 main areas that we need to focus on for data collection, data analysis, and expansion of detections. For teams to successfully utilize the MITRE framework, they need visibility into the following data sources at a minimum:

  • Process and process command line monitoring can be collected via Sysmon, Windows Event Logs, and many EDR platforms
  • File and registry monitoring is also often collected by Sysmon, Windows Event Logs, and many EDR platforms
  • Authentication logs collected from the domain controller
  • Packet capture, especially east/west capture, such as those collected between hosts and enclaves in your network

“Teams need a platform like InsightIDR, Rapid7’s extended detection and response solution, where the data from all of these sources can be ingested. Whatever platform or tool teams choose to use for this data ingestion should include MITRE mappings to attacker behaviors to understand what attackers are trying to do inside our environment at each stage. The TTPs (Tactics, Techniques, Procedures) of each threat actor should be documented in each alert — InsightIDR maps its detections to the MITRE framework to do just this for users.”

You mentioned InsightIDR has MITRE mapping — can you dig a little more into how this impacts customers?

“Our InsightIDR platform helps our customers collect all the necessary data sources,” Carlo continued. “That includes process and process command line monitoring via our endpoint Insight Agent, as well as file monitoring. Plus, authentication logs are collected from domain controllers and also via the Insight Agent, and network flow inside the environment can be gathered through our Insight Network Sensor.

“Our ABA and UBA detections are mapped to the MITRE framework to show our customers which TTPs are the most commonly used by threat actors in their environment, and it gives an insight into the attack patterns in real time. You can see an example of this in one of our past Rapid7 Threat Reports here.

“Additionally, our Rapid7 Threat Intelligence team is always developing new threat detections based on the threat intelligence feeds and public repositories of attacker behaviors. These new detections are mapped to the TTPs inside the MITRE framework and pushed out to all Rapid7 customers.”

We also recently released a new view of Detection Rules in InsightIDR where all detections are mapped to the MITRE ATT&CK Framework, and users can see associated MITRE tactics, techniques, and sub-techniques for detections while performing an investigation.
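The analyst workflow described above (placing each alert at a stage and back-tracking how an attacker got there) can be sketched as follows. This is an added example, not InsightIDR code or anything from the original post: the alerts are constructed, `T9999` is a deliberately unmapped placeholder, and the priority thresholds and the use of matrix column order as a rough progression are assumptions.

```python
from collections import defaultdict

# Enterprise ATT&CK tactics in matrix order, used here as a rough progression.
TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion",
    "Credential Access", "Discovery", "Lateral Movement", "Collection",
    "Command and Control", "Exfiltration", "Impact",
]

# Small subset of technique -> tactic mappings from attack.mitre.org.
TECHNIQUE_TACTICS = {
    "T1566.001": ["Initial Access"],                            # Spearphishing Attachment
    "T1059": ["Execution"],                                     # Command and Scripting Interpreter
    "T1059.001": ["Execution"],                                 # PowerShell
    "T1547.001": ["Persistence", "Privilege Escalation"],       # Registry Run Keys
    "T1003.001": ["Credential Access"],                         # LSASS Memory
    "T1021.002": ["Lateral Movement"],                          # SMB/Windows Admin Shares
    "T1484.001": ["Defense Evasion", "Privilege Escalation"],   # Group Policy Modification
    "T1486": ["Impact"],                                        # Data Encrypted for Impact
}

# Constructed alerts: host, ISO timestamp, technique ID attached by the detection.
ALERTS = [
    {"host": "ws-17", "time": "2021-11-04T09:03:00", "technique": "T1059.001"},
    {"host": "ws-17", "time": "2021-11-04T09:02:00", "technique": "T1566.001"},
    {"host": "ws-17", "time": "2021-11-04T09:20:00", "technique": "T1003.001"},
    {"host": "dc-01", "time": "2021-11-04T09:41:00", "technique": "T1021.002"},
    {"host": "dc-01", "time": "2021-11-04T09:55:00", "technique": "T1484.001"},
    {"host": "ws-22", "time": "2021-11-04T10:00:00", "technique": "T1059.003"},
    {"host": "ws-22", "time": "2021-11-04T10:05:00", "technique": "T9999"},
]


def tactics_for(technique_id):
    """Resolve a technique or sub-technique ID, falling back to the parent."""
    for key in (technique_id, technique_id.split(".")[0]):
        if key in TECHNIQUE_TACTICS:
            return TECHNIQUE_TACTICS[key]
    return []


def stage_of(technique_id):
    """A technique listed under several tactics counts at the furthest one,
    which is the conservative choice for triage."""
    tactics = tactics_for(technique_id)
    return max(tactics, key=TACTICS.index) if tactics else None


def priority(stage):
    """Assumed thresholds: credential access or later is high priority."""
    if stage is None:
        return "unknown"
    index = TACTICS.index(stage)
    if index >= TACTICS.index("Credential Access"):
        return "high"
    if index >= TACTICS.index("Execution"):
        return "medium"
    return "low"


def summarize(alerts):
    """Per host: time-ordered tactic timeline, furthest stage, triage priority."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["time"]):
        by_host[alert["host"]].append(alert)
    report = {}
    for host, items in by_host.items():
        timeline, unmapped = [], []
        for alert in items:
            stage = stage_of(alert["technique"])
            if stage is None:
                unmapped.append(alert["technique"])  # detection lacks a mapping
            else:
                timeline.append((alert["time"], alert["technique"], stage))
        furthest = max((s for _, _, s in timeline), key=TACTICS.index, default=None)
        report[host] = {"timeline": timeline, "furthest": furthest,
                        "priority": priority(furthest), "unmapped": unmapped}
    return report


if __name__ == "__main__":
    for host, row in summarize(ALERTS).items():
        print(host, row["furthest"], row["priority"], row["unmapped"])
```

The `unmapped` list is the detection-writing side of the same view: any alert that lands there carries no TTP context for the analyst.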

Interested in learning more?

As you can see, we really value the MITRE ATT&CK framework here at Rapid7. With InsightIDR, your detections are vetted by a team of professional SOC analysts and mapped to MITRE to take the guessing game out of what an attacker might do next.

If you’re looking to hear more from us on MITRE, watch a quick 3-minute rundown on the framework here.

4 Simple Steps for an Effective Threat Intelligence Program

Post Syndicated from Alon Arvatz original https://blog.rapid7.com/2021/10/15/4-simple-steps-for-an-effective-threat-intelligence-program/


Threat intelligence is a critical part of an organization’s cybersecurity strategy, but given how quickly the state of cybersecurity evolves, is the traditional model still relevant?

Whether you’re a cybersecurity expert or someone who’s looking to build a threat intelligence program from the ground up in 2021, this simple framework transforms the traditional model, so it can apply to the current landscape. It relies on the technologies available today and can be implemented in four simple steps.

A quick look at the threat intelligence framework

The framework we’ll be referencing here is called the Intelligence Cycle, which breaks down into four phases: direction, collection, analysis, and dissemination.

This is the traditional framework you can use to implement a threat intelligence program in your organization. Let’s take a deeper look at each step, update them for the modern day, and outline how you can follow them in 2021.

To do this, we’ll leverage a use case of credential leakage as an example, which is a very important use case today. According to Verizon’s 2021 Data Breach Investigations Report, credentials remain one of the most sought-after data types, and it’s this type of data that gets compromised the fastest. As such, credential leakage is an area organizations of all sizes should be aware of and familiar with, making it an optimal choice for illustrating how to build an effective threat intelligence program.

1. Set a direction

The first step in this process is to set the direction of your program, meaning you need to outline what you’re looking for and what questions you want to ask and answer. To help with this, you can create Prioritized Intelligence Requirements, or PIRs, and a desired outcome.

For both your PIRs and desired outcome, you should aim to be as explicit as possible. In the case of credential leakage, for example, let’s set our PIR as: “I want to identify any usernames and passwords belonging to my employees that have been exposed to an unauthorized entity.”

We’ve selected these credentials for this example, because they are risky for the organization. Depending on your needs, you may identify different credentials with higher risk, but this is the type we’re focusing on for this use case.

With this very specific PIR outlined, we can now determine a desired outcome, which would be something like: “I want to force password reset for any of these passwords that are being used in the corporate environment before threat actors can use them.”

This is crucial, and later, we’ll see how the desired outcome impacts how we build this threat intelligence program.

2. Map out what data to collect

Once you’ve set your PIRs and desired outcome, you need to map out the sources of intelligence that will serve the direction.

For this use case, let’s identify how threat actors gain credentials. A few of the most common sources include:

  • Endpoints (usually harvested by botnets)
  • Third-party breaches
  • Code repositories
  • Posts on a forum/pastebin
  • Dark web black markets that buy/sell credentials

In the past, you might have turned to individual vendors who could help you with each of these areas. For example, you may have worked with an organization that specializes in endpoint security and another that could tackle incident response management for third-party breaches. But today, you’re better off finding a vendor who can support all the sources you need and provide complete coverage for all areas of risk, especially for something like credential leakage.

Regardless, by mapping out these sources, you can outline the areas you need to focus on for analysis.

3. Select your approach to analysis

Next up is analysis. You can take two approaches:

  1. Automated analysis: You can leverage AI or sophisticated algorithms that will classify relevant data into alerts of credential leakage, where the emails and passwords can be extracted and pulled out.
  2. Manual analysis: You can manually analyze the information by gathering all the data and having the analysts on your team review the data and decide what’s relevant to your organization.

The biggest advantage of manual analysis is flexibility. You can put more human resources, intelligence, and insight into the process to surface only what is relevant. But there are also disadvantages — for example, this process is much slower than automated analysis.

In the first phase of our program, we specified that we want to force password resets before threat actors leverage them for a cyberattack. This means that speed is extremely crucial in this use case. Now, you can see how the desired outcome is helping us make a decision about the type of approach we should take for analysis.

Automated analysis also requires significantly fewer resources. You don’t need a bunch of analysts to sort through the raw data and surface what is relevant. The classification and alerting of credential leakage is fully automated here. Plus, if threats are being automatically classified, they can likely be automatically remediated.

Let’s take a look at this in practice: Say your algorithm finds an email and password mentioned on a forum. The AI can classify the incident and extract the relevant information (e.g., the email/username and password) in a machine-readable format. Then, a response can be automatically applied, like force resetting the password for the identified user.

As you can see, there are advantages and disadvantages for each approach. When you assess them against our desired outcome, it’s clear that we should go with an automated approach for our credential leakage use case.

4. Disseminate analysis to take action

Finally, we come to the last phase: dissemination. Traditionally, when it comes to the intelligence cycle and the dissemination of threat intelligence, we talk about sending alerts and reports to the relevant stakeholders to review, so they can take action and respond accordingly.

But, as our example in the previous section shows, the future (and current state) of this process is fully automated remediation. With this in mind, we shouldn’t just discuss how we distribute alerts and information in the organization — we should also think about how we can take the intelligence and distribute it to security devices to automatically prevent the upcoming attack.

For leaked credentials, this could mean sending the intelligence to Active Directory to automatically force a password reset without human intervention. This is a great example of how shifting to an automated solution can dramatically reduce the time to remediation.

Once again, let’s go back to our PIR and desired outcome: We want to force the password reset before the threat actor uses the password. Speed is key here, so we should definitely automate the remediation. As such, we need a solution that takes the intelligence from the sources we’ve mapped out, automatically produces an alert with the information extracted, and then automatically remediates the threat to reduce risk as fast as possible.

This is how detection and response should look in 2021.
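The four steps above, run end to end on the credential-leakage use case, as an added example that is not from the original post or any Rapid7 product. The sample items are constructed, and the domain `example.com`, the in-memory directory of PBKDF2 verifiers and the `force_reset` callback are hypothetical stand-ins for a real identity store and its reset mechanism.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

CORP_DOMAIN = "example.com"  # assumption: the employee domain named in the PIR

# Constructed sample items standing in for the collection sources of step 2.
RAW_ITEMS = [
    {"source": "paste",
     "text": "combo dump\nalice@example.com:Winter2021!\nbob@other.org:hunter2"},
    {"source": "forum",
     "text": "selling access, login carol@example.com pass: Tr0ub4dor&3 dm me"},
    {"source": "code_repo",
     "text": "SMTP_USER=dave@example.com\nSMTP_PASS=OldPassw0rd"},
    {"source": "forum",
     "text": "anyone know a good VPN? contact erin@example.com"},
]

EMAIL = r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
# "user@domain:password" lines as found in combo lists
COMBO = re.compile(EMAIL + r"[:;|](\S+)")
# an address followed shortly by a labelled secret ("pass: x", "SMTP_PASS=x")
LABELLED = re.compile(EMAIL + r"[\s\S]{0,40}?pass\w*\s*[:=]\s*(\S+)", re.I)


@dataclass(frozen=True)
class Finding:
    user: str
    password: str  # held in memory for the in-use check only, never reported
    source: str


def verifier(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def build_directory():
    """Constructed stand-in for the corporate identity store (hypothetical)."""
    current = {
        "alice@example.com": "Winter2021!",        # leaked password still in use
        "carol@example.com": "rotated-since-leak",  # leak is stale
        "dave@example.com": "OldPassw0rd",         # leaked password still in use
    }
    directory = {}
    for user, password in current.items():
        salt = os.urandom(16)
        directory[user] = (salt, verifier(password, salt))
    return directory


def analyze(raw_items, domain=CORP_DOMAIN):
    """Step 3: classify items and extract credential pairs that match the PIR."""
    findings = set()
    for item in raw_items:
        for pattern in (COMBO, LABELLED):
            for email, password in pattern.findall(item["text"]):
                if email.lower().endswith("@" + domain):
                    findings.add(Finding(email.lower(), password, item["source"]))
    return sorted(findings, key=lambda f: (f.user, f.source))


def in_use(finding, directory):
    """Desired outcome: act only on passwords still valid in the environment."""
    entry = directory.get(finding.user)
    if entry is None:
        return False
    salt, stored = entry
    return hmac.compare_digest(verifier(finding.password, salt), stored)


def disseminate(findings, directory, force_reset):
    """Step 4: hand each finding to the control that can act on it."""
    actions, already_reset = [], set()
    for finding in findings:
        live = in_use(finding, directory)
        if live and finding.user not in already_reset:
            force_reset(finding.user)  # hypothetical hook into the directory
            already_reset.add(finding.user)
        actions.append({
            "user": finding.user,
            "source": finding.source,
            "in_use": live,
            "action": "force_password_reset" if live else "record_only",
        })
    return actions


def run_cycle(raw_items=RAW_ITEMS):
    directory = build_directory()
    reset_queue = []
    actions = disseminate(analyze(raw_items), directory, reset_queue.append)
    return actions, reset_queue


if __name__ == "__main__":
    for row in run_cycle()[0]:
        print(row)
```

The action records deliberately omit the leaked password, so the alerting path does not become a second place where the credential is exposed.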

A simplified and modernized approach to threat intelligence

In summary, this revamped Intelligence Cycle shows how to build an effective threat intelligence program today.

Start by identifying your PIRs and desired outcome. Then, decide on a collection plan by outlining all sources that will drive the relevant intelligence. Next, for the vast majority of use cases, it’s important to have an automated analysis algorithm in place to classify alerts quickly and precisely. And finally, you should transition from manual dissemination to automated remediation, which can dramatically reduce time to remediation — something that’s more critical than ever due to the current state of cybersecurity.

By following these steps, you can build an effective threat intelligence program, and with this foundation in place, you can fine-tune it until you have a seamless process that saves your organization time and reduces risk across the board.

Curious to learn more? Read about Rapid7’s approach to automatic detection and response here.

Velociraptor to Announce Winners of Its 2021 Contributor Competition

Post Syndicated from Carlos Canto original https://blog.rapid7.com/2021/10/07/velociraptor-to-announce-winners-of-its-2021-contributor-competition/


Velociraptor and Rapid7 are excited to announce the winners of our 2021 Velociraptor Contributor Competition on Friday, October 8. This competition encourages development of useful content and extensions to the Velociraptor platform. Submissions include new functionality in the form of VQL artifacts, Velociraptor plugins, or new Velociraptor code and integrations. Judging will be done by a panel of various digital forensics and incident response (DFIR) industry leaders and security experts.

You can watch the announcement of the winners LIVE at the SANS Threat Hunting Summit on Friday, October 8th at 1 pm ET. To register for the summit, head to this page and click on the “Register for Summit” link. Registration is completely free.


The competition carries 3 prize levels: First prize is $5,000 USD, second prize is $3,000 USD, and third prize is $2,000 USD. The winning submissions will also be published on the Velociraptor website.

Velociraptor is an advanced DFIR tool that enhances visibility into all of your endpoints. To learn more about Velociraptor, visit our website or follow us on Twitter @velocidex.

What’s New in InsightIDR: Q3 2021 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/10/05/whats-new-in-insightidr-q3-2021-in-review/


This post offers a closer look at some of the recent updates and releases in InsightIDR, our extended detection and response solution, from Q3 2021.

Welcome IntSights to the Rapid7 Insight Platform family!

As you may have seen in recent communications, Rapid7 acquired IntSights, a leading provider of external threat intelligence and remediation. We’re excited to introduce their flagship external threat intelligence product, Threat Command, as part of our Rapid7 portfolio. Threat Command allows any SecOps team, regardless of size or capability maturity, to expand identification and remediation across an ever-expanding attack surface, while automating threat mitigation.

New detection rule management experience

We’re excited to announce that InsightIDR customers now have more customization and increased visibility for Attacker Behavior Analytics (ABA) detections. We’re continuing to make improvements and additions to our detections management experience — here are the latest additions:

  • Detection rules — Filter detection rules by threat group, rule behavior, and attributes for more visibility into your alerts and investigations.
  • MITRE ATT&CK mapping — View and filter detections by specific MITRE ATT&CK framework tactics and techniques for more context to the alerts in your environment.
  • Create exceptions to a detection rule — In the past, IDR customers could only turn alerts on or off for notable events. Now, you can create an exception that allows you to filter out noise and turn off detections based on key value pairs.


526 new ABA detection rules added to IDR

We’ve also added 526 new ABA detection rules into InsightIDR to expand its coverage of Windows, Mac, and Linux suspicious process threats, covering a wide variety of techniques on the MITRE ATT&CK matrix. These detection rules can be tuned to your environment by creating exceptions and modifying the rule action to only receive the alerts you care about. Visit the Detection Library for actionable descriptions and recommendations.

MITRE ATT&CK details in investigations

In addition to our detections updates, we’ve made improvements to our investigations experience to provide deeper insight into an attacker’s position in the kill chain and give context into the nature of an alert.

When performing an investigation in InsightIDR, detections will be mapped to a description of the associated MITRE tactics, techniques, and sub-techniques. You’ll also be prompted to visit attack.mitre.org to view context-rich adversary behavior profiles with descriptions, mitigation strategies, and detection recommendations for each tactic, technique, and sub-technique, developed by MITRE.


Monitor event source health

We recently released new visual tools to help you easily view the health of your event source data. You now have extensive visibility into data transmission and parsing rates of your event source. This allows you to check if an event source is running as intended, quickly identify any issues or unusual activity, or visually compare data for each event source.


New pre-built dashboards for HIPAA, ISO 27001, and more

We recently introduced a library of pre-built dashboards that make it easier than ever to get insight from your environment. Entire dashboards, created by our Rapid7 experts, can be set up in just a few clicks. Our dashboards cover a variety of topics, including key compliance frameworks like PCI, ISO 27001, and HIPAA; security tools like Zscaler and Okta; and more general dashboards covering Asset Authentication and Firewall activity.


The Lost Bots vlog series

Rapid7’s latest vlog series, The Lost Bots, hosted by Detection and Response Practice Advisor and former CISO Jeffrey Gardner, offers a look into the latest and greatest in security. In each episode, Jeffrey talks with fellow industry experts about current events and trends in the security space, best practices, and lessons from our Rapid7 SOC team. Each episode is available on our blog, as well as our Rapid7 YouTube channel.

Rapid7 MDR named an IDC MarketScape Leader

We’re thrilled that Rapid7’s MDR was recognized as a Leader in the IDC MarketScape: Managed Detection and Response 2021 Vendor Assessment. This IDC MarketScape report shows an unbiased look at 15 MDR players in the US market, evaluating each on capabilities. We credit this recognition to customers like you who provide the critical feedback and guidance to improve our service — thank you!


Attack Surface Visibility, now in MDR Essentials

Our goal with Attack Surface Visibility — built exclusively for our MDR Essentials — is to help customers act proactively with a monthly snapshot of how exposed their attack surface looks to an opportunistic attacker. While this certainly is not a replacement for a true vulnerability management program, Attack Surface Visibility lets your team see obvious weak points that attackers may exploit and helps optimize your efforts with clear, prioritized actions to remediate risks and improve your security posture.

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

[The Lost Bots] Episode 6: D&R + VM = WINNING!

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/10/04/the-lost-bots-episode-6-d-r-vm-winning/

Welcome back to The Lost Bots, a vlog series where Rapid7 Detection and Response Practice Advisor Jeffrey Gardner talks all things security with fellow industry experts. In this episode, we’re joined by fellow Practice Advisor Devin Krugly to discuss how Detection and Response + Vulnerability Management = a winning combination. Although the two are often viewed as separate and distinct entities, Jeffrey and Devin explore how the combination can greatly improve your response efforts and the ways in which you can set up a successful vulnerability management program.

Stay tuned for future episodes of The Lost Bots! Coming soon: Jeffrey discusses veterans in cybersecurity with fellow security professionals who are vets themselves.

SANS 2021 Threat Hunting Survey: How Organizations’ Security Postures Have Evolved in the New Normal

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/09/17/sans-2021-threat-hunting-survey-how-organizations-security-postures-have-evolved-in-the-new-normal/

It’s that time of year once again: The SANS Institute — the most trusted resource for cybersecurity research — has conducted its sixth annual Threat Hunting Survey, sponsored by Rapid7. The goal of this survey is to better understand the current threat hunting landscape and the benefits provided to an organization’s security posture as a result of threat hunting.

This year’s survey, “A SANS 2021 Survey: Threat Hunting in Uncertain Times,” has a unique focus, one that’s taken into consideration the impact of COVID-19 and how it’s affected organizations’ threat hunting. The findings indicate that the global pandemic has had a relatively mixed impact on the organizations surveyed, with many respondents unsure of what type of impact it’s had — and will have — on their threat hunting efforts.

Here’s a preview of the survey’s findings and its takeaways for organizations navigating today’s cybersecurity landscape.

Fewer organizations are performing threat hunting in 2021

According to the survey results, 12.6% fewer organizations are performing threat hunting in 2021 when compared to those surveyed in 2020. This is concerning, as threat hunting is an ever-evolving field, and organizations that don’t dedicate resources to it won’t be able to keep pace with the changes in tactics and techniques needed to find threat actors.

But what caused this dip? It seems to be a combination of organizations reducing their external spend with third parties and their overall internal staff in response to COVID-19. That said, this reduction cannot be fully accounted for by the pandemic.

Despite this decrease, there is good news: 93.1% of respondents indicated they have dedicated threat hunting staff, and the majority of respondents plan to increase spending on staffing and tools for threat hunting in the near future. Over the year to come, we’ll likely see an extended detection and response (XDR) approach leveraging tools like InsightIDR playing a key role in these efforts.

The threat hunting toolbox is evolving

The tools organizations are using to conduct threat hunting are evolving — but have they advanced enough to keep up with the modern cybersecurity landscape?

The output of threat hunting depends on three factors: visibility, skills, and threat intelligence. To achieve this output, threat hunters need the right tools. After asking respondents about their organizations’ tool chests, SANS found that over 75% of respondents are using a tool set that includes EDRs, SIEMs, and IDS/IPS.

It should come as no surprise that these tools are at the top — these are essential to establishing visibility. What is interesting, however, is the second-place spot taken by customizable tools, followed by threat intelligence platforms. This indicates there’s room for improvement for solutions vendors regarding threat hunting — and users are looking for deep insights. Tools like Rapid7’s cloud SIEM solution that cut through the noise and surface the threats that really matter are key in today’s complex IT environments.

Overall security posture has improved — but there’s room to grow

The improvements seen in organizations’ overall security posture as a result of threat hunting continue to show steady numbers. According to the study, organizations have seen anywhere from a 10-25% improvement in their security posture from threat hunting over the last year. In addition, 72.3% of respondents claimed threat hunting had a positive impact on their organization over time.

These are brilliant results to see, and they reinforce the positive impact threat hunting can have, even in the face of today’s extraordinary challenges.

That said, while there are clear benefits to threat hunting, there are some barriers to success for organizations, namely:

  • Over half (51.3%) of all respondents indicated the primary barrier for them as threat hunters is a lack of skilled staff and training.
  • This was closely followed (43%) by an even split of challenges between the limitations of tools or technologies and a lack of defined processes.

Organizations can start addressing these challenges in a variety of ways, including adopting best-in-class detection and response tooling and owning documentation, education, and maintenance at scale. These are manageable barriers that will come down with time, and despite a global pandemic, the overall outlook is good, as the general trend toward more threat hunting appears to hold in this year’s survey.

Hopefully, these numbers continue to increase next year, and more organizations will reap the benefits of threat hunting.

To take a deeper dive into the survey’s findings, download the full report: A SANS 2021 Survey: Threat Hunting in Uncertain Times.

Learn more about how Rapid7’s Incident Detection and Response solutions can help you protect your organization and boost your ability to swiftly thwart attackers.

[The Lost Bots] Episode 5: Insider Threat

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/09/13/the-lost-bots-episode-5-insider-threat/

Welcome back to The Lost Bots, a vlog series where Rapid7 Detection and Response Practice Advisor Jeffrey Gardner talks all things security with fellow industry experts. This episode, we’re joined by Alan Foster (Manager, Domain Engineers) to discuss insider threats. It’s a topic we’ve all heard about, especially for those of us who are compliance-focused, but it’s also one whose definition has changed in response to recent breaches. Watch below to learn about the various types of insider threats (including those you may not have thought about), which threat(s) could cause the most damage, and tips to reduce the risk.



Stay tuned for future episodes of The Lost Bots! Coming soon: Jeffrey tackles vulnerability management and how it can not only reduce risk but also assist in your incident response programs.