Tag Archives: Extended Detection and Response

Demystifying XDR: Where SIEM and XDR Collide

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/02/02/demystifying-xdr-where-siem-and-xdr-collide/

Demystifying XDR: Where SIEM and XDR Collide

Innovations solve longstanding problems in creative, impactful ways — but they also raise new questions, especially when they’re in the liminal space between being an emerging idea and a fully fledged, widely adopted reality. One of the still-unanswered questions about extended detection and response (XDR) is what its relationship is with security information and event management (SIEM), a more broadly understood and implemented product category that most security teams have already come to rely on.

When looking at the foundations of XDR, it seems like it could be a replacement for, or an alternative to, SIEM. But as Forrester analyst Allie Mellen noted in her recent conversation with Rapid7’s Sam Adams, VP for Detection and Response, the picture isn’t quite that simple.

“Some SIEM vendors are repositioning themselves as XDR,” Allie said, “kind of trying to latch onto that new buzzword.” She added, “The challenge with that is it’s very hard to see what they’re able to offer that’s actually differentiating from SIEM.”

Where SIEM stands today

To really understand how the rise of XDR is impacting SIEM and what relationship we should expect between the two product types, we first need to ask a key question: How are security operations center (SOC) teams actually using their SIEMs today?

At Forrester, Allie recently conducted a survey asking SOC teams this very question. While some have focused on the compliance use case as a main driver for SIEM adoption, Allie found that just wasn’t the case with her survey respondents. Overwhelmingly, security analysts are using their SIEMs for detection and response, making it the core tool within the SOC.

More than that, Allie’s survey actually found the old adage that security teams hate their SIEMs just isn’t true. The vast majority of analysts she surveyed love using their SIEMs (even if they wish it cost them less).



Demystifying XDR: Where SIEM and XDR Collide

Together, for now

With SIEM claiming such an integral role in the SOC, Allie acknowledged that we likely shouldn’t expect it to be simply replaced by XDR in the near term.

“For the time being, I definitely see XDR and SIEM living together in a very cohesive fashion,” she said.

She went on to suggest that maybe in 5 years or so, we’ll start to see XDR offerings that truly tackle all SIEM use cases and fully deliver on some capabilities that are only in the realm of possibility today. But until XDR can fully address compliance, for example, we’re likely to see it exist alongside and, ideally, in harmony with SIEM.

The XDR opportunity

So, what will that coexistence of SIEM and XDR look like? Sam suggested it might be the fulfillment of the original vision of SIEM solutions like InsightIDR: to make the security analyst superhuman by enabling them to be hyper-efficient at detecting and responding to threats. Allie echoed this sentiment, noting that XDR is all about elevating the role of the SOC analyst rather than automating their tasks away.

“I am not a big believer in the autonomous SOC or this idea that we’re going to take away all the humans from this process,” she said. “At the end of the day, it’s a human-to-human fight. The attackers are not automating themselves away, so it’s very unlikely that we’ll be able to create a product that can keep up with as many human beings as there are attacking us all the time.”

For Allie, the really exciting thing about XDR is its potential to humanize security operations. By reducing the amount of repetitive work analysts have to do, it frees them up to be truly creative and visionary in their threat detection efforts. This can also help improve retention rates among security pros as organizations scramble to fill the cybersecurity skills gap.

“It’s a lofty dream, a lofty vision,” Allie acknowledged, “but XDR is definitely pushing down that path.”

Want more XDR insights from our conversation with Allie? Check out the full talk.

Additional reading

The Great Resignation: 4 Ways Cybersecurity Can Win

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/01/24/the-great-resignation-4-ways-cybersecurity-can-win/

The Great Resignation: 4 Ways Cybersecurity Can Win

Pandemics change everything.

In the Middle Ages, the Black Death killed half of Europe’s population. It also killed off the feudal system of landowning lords exploiting laborer serfs. Rampant death caused an extreme labor shortage and forced the lords to pay wages. Eventually, serfs had bargaining power and escalating wages as aristocrats competed for people to work their lands.

Think we invented “The Great Resignation?” 14th-century peasants did.

Last year, more than 40 million Americans  quit their jobs. The trend raged across Europe. Workers in China went freelance. The Harvard Business Review reports resignations are highest in tech and healthcare, both seriously strained by the pandemic. Of course, cybersecurity has had a talent shortage for years now. As 2022 and back-to-office plans take shape, expect another tidal wave.

Here are four ideas about how to prepare for it and win.

1. You’ll do better if you label it The Great Rethinking

COVID-19’s daily specter of illness and death has spurred existential questions. “If life is so short, what am I doing? Is this all there is?”

Isolated with family every day, month after month, some of us have decided we’re happier than ever. Others are causing a big spike in divorce and the baby bust. Either way, people are confronting the quality of their relationships. Some friendships have made it into our small, carefully considered “safety pods,” and others haven’t.

As we rethink our most profound human connections, we’re surely going to rethink work and how we spend most of our waking hours.

2. Focus on our collective search for meaning

A mere 17% of us say jobs or careers are a source of meaning in life. But here, security professionals have a rare advantage.

Nearly all cybercrime is conducted by highly organized criminal gangs and adversarial nation states. They’ve breached power grids and pipelines, air traffic, nuclear installations, hospitals, and the food supply. Roughly 1 in 20 people a year suffer identity theft, which can produce damaging personal consequences that drag on and on. In December, hackers shut down city bus service in Honolulu and the Handi-Van, which people with disabilities count on to get around.

How many jobs can be defined simply and accurately as good vs evil? How many align everyday people with the aims of the FBI and the Department. of Justice? With lower-wage workers leading the Great Resignation last year, the focus has been on salary and raises. But don’t underestimate meaning.

3. Winners know silos equal stress and will get rid of them

Along with meaning and good pay, consider ways to make your security operations center (SOC) a better place to be. Consolidate your tools. Integrate systems. Extend your visibility. Improve signal-to-noise ratio. The collision of security information and event management (SIEM) and extended detection and response (XDR) protects you from a whole lot more than malicious attacks.

Remote work, hybrid work, and far-flung digital infrastructure are here to stay. So are attackers who’ve thrived in the last two years, shattering all records. If you’re among the 76% of security professionals who admit they really don’t understand XDR, know you’re not alone – but also know that XDR will soon separate winners from losers. Transforming your SOC with it will change what work is like for both you and your staff, and give you a competitive advantage.

4. You can take this message to the C-suite

Lower-wage workers started the trend, but CEO resignations are surging now (and it’s not just Jeff Bezos and Jack Dorsey). They’re employees, too, and the Great Rethinking has also arrived in their homes. Maybe COVID-19 meant they finally spent real time with their kids, and they’d like more of it, please. Maybe they’re exhausted from communicating on Zoom for the last two years. Maybe they think a new deal is in order for everyone.

As you make the case for XDR, consider your ability to give new, compelling context to your recommendations. XDR is the ideal collaboration between humans and machines, each doing what they do best. It reduces the chance executives will have to explain themselves on the evening news. It helps create work-life balance. Of course it makes sense.

And what about when things get back to normal? The history of diseases is they don’t really leave and we don’t really return to “normal.” Things change. We change. You can draw a straight line from the Black Death, to the idea of a middle class, then to the Renaissance. Here’s hoping.

Want more info on how XDR can help you meet today’s challenges?

Check out our resource center.

Demystifying XDR: How Humans and Machines Join Forces in Threat Response

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/01/12/demystifying-xdr-how-humans-and-machines-join-forces-in-threat-response/

Demystifying XDR: How Humans and Machines Join Forces in Threat Response

In our first post on demystifying the concepts and practices behind extended detection and response (XDR) technology, Forrester analyst Allie Mellen joined Sam Adams, Rapid7’s VP for Detection and Response, to outline the basic framework for XDR and highlight the key outcomes it can help security teams achieve. One of the core components of XDR is that it expands the sources of telemetry available to security operations center (SOC) teams so they have richer, more complete data to help them detect and respond to threats.

That raises the question: How do SOC analysts keep productivity high while sifting through huge volumes of data?

Automation is one of the key ways SOC teams make their processes more efficient as they identify the most relevant threats and initiate the right responses. But automation can’t do everything an analyst can, and finding the right balance between machine learning and human know-how is an essential part of a successful XDR implementation.

Become the bridge

As Sam pointed out in his discussion with Allie, the security analyst acts as a bridge between what the data is saying and what the right course of action is in response to it.

“I got the alert, and you know, that’s not the hard part anymore,” he said. “The hard part is responding to the alert and figuring out what to do with that alert – and really, what the impact is on my company.”

For Allie, XDR helps analysts find a balance between security and productivity, but not by leaning too heavily on automation. In fact, she suggested we’ve had a “misplaced hope” for what machine learning can help us accomplish. Instead, it’s about setting up automation that augments the analysts’ work by helping them ask the right questions up front — and get to the answers faster.



Demystifying XDR: How Humans and Machines Join Forces in Threat Response

The expert and the end user

In addition, automation can’t always tell us who the expert actually is about a particular security event. Sam gave the example of a suspicious login from Bermuda: After receiving that alert, it’s actually no longer the analyst who’s the expert on that incident, but the end user who was involved. The logical next step is to pick up the phone or send an email and ask that user, “Are you in Bermuda?” — and that takes a human touch rather than an automated action.

“We assume we can get everything we need from the tools,” Allie pointed out, “and they abstract us away from the rest of the enterprise in that way. But it can be just as easy as turning to the person next to you and saying, ‘Hey, did you log into this?'”

Allie went on to note that this is one of the main reasons why it’s so important to foster a security culture throughout the whole business. When you build connections between the security team and individuals from other parts of the organization, and keep that rapport strong over time, SOC analysts can get many of the answers they need from their peers in other departments — and get to the answers much more quickly and accurately than a machine ever could.

Culture is a uniquely human thing, one that machines can never replicate or replace — and security culture is no exception. XDR broadens the data and tools that SOC teams can use to help them protect the organization, but even the best technology is no replacement for an educated team of end users who know how to implement security best practices, not to mention the sharp insights of seasoned SOC analysts. The real magic happens when all these elements, human and automated, work together — and in an XDR model, automation fills the gaps instead of taking center stage.

Want more XDR insights from our conversation with Allie? Check out the full talk.

What’s New in InsightIDR: Q4 2021 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/01/06/whats-new-in-insightidr-q4-2021-in-review/

What's New in InsightIDR: Q4 2021 in Review

More context and customization around detections and investigations, expanded dashboard capabilities, and more.

This post offers a closer look at some of the recent releases in InsightIDR, our extended detection and response (XDR) solution, from Q4 2021. Over the past quarter, we delivered updates to help you make more informed decisions, accelerate your time to respond, and customize your detections and investigations. Here’s a rundown of the highlights.

More customization options for your detection rules

InsightIDR provides a highly curated detections library, vetted by the security and operations center (SOC) experts on our managed detection and response (MDR) team — but we know some teams may want the ability to fine tune these even further. In our Q3 wrap-up, we highlighted our new detection rules management experience. This quarter, we’ve made even more strides in leveling up our capabilities around detections to help you make more informed decisions and accelerate your time to respond.

What's New in InsightIDR: Q4 2021 in Review
Attacker Behavior Analytics Detection Rules viewed and sorted by rule priority

  • New detection rules management interface: With this new interface, you can see a priority field for each detection provided by InsightIDR with new actions available.
    • Change priority of detections and exceptions that are set to Creates Investigation as the Rule Action.
    • View and sort on priority from the main detection management screen.
    • More details on our detection rules experience can be found in our help docs, here.

  • Customizable priorities for UBA detection rules and custom alerts: Customers can now associate a rule priority (Critical, High, Medium, or Low) for all of their UBA and custom alert detection rules. The priority is subsequently applied to investigations created by a detection rule.
  • A simplified way to create exceptions: We added a new section to detection rule details within “create exception” to better inform on which data to write exceptions against. This will show up to the 5 most recent matches associated with that said detection rule — so now, when you go to write exceptions, you have all the information you may need all within one window.

MITRE ATT&CK Matrix for detection rules

This new view maps detection rules to MITRE tactics and techniques commonly used by attackers. The view lets you see where you have coverage with Rapid7’s out-of-the-box detection rules for common attacker use cases and dig into each rule to understand the nature of that detection.

What's New in InsightIDR: Q4 2021 in Review
MITRE ATT&CK Matrix within Detection Rules

Investigation Management reimagined

At Rapid7, we know how limited a security analyst’s time is, so we reconfigured our Investigation Management experience to help our users improve the speed and quality of their decision-making when it comes to investigations. Here’s what you can expect:

  • A revamped user interface with expandable cards displaying investigation information
  • The ability to view, set, and update the priority, status, or disposition of an investigation
  • Filtering by the following fields: date range, assignee, status, priority level
What's New in InsightIDR: Q4 2021 in Review
New investigations interface

We also introduced MITRE-driven insights in Investigations. Now, you can click into the new MITRE ATT&CK tab of the Evidence panel in Investigation to see descriptions of each tactic, technique, and sub-technique curated by MITRE and link out to attack.mitre.org for more information.

What's New in InsightIDR: Q4 2021 in Review
MITRE ATT&CK tab within Investigations Evidence panel

Rapid7’s ongoing emergent threat response to Log4Shell

Like the rest of the security community, we have been internally responding to the critical remote code execution vulnerability in Apache’s Log4j Java library (a.k.a. Log4Shell).

Through continuous collaboration and ongoing threat landscape monitoring, our Incident Response, Threat Intelligence and Detection Engineering, and MDR teams are working together to provide product coverage for the latest techniques being used by malicious actors. You can see updates on our InsightIDR and MDR detection coverage here and in-product.

Stay up to date with the latest on Log4Shell:

A continually expanding library of pre-built dashboards

InsightIDR’s Dashboard Library has a growing repository of pre-built dashboards to save you time and eliminate the need for you to build them from scratch. In Q4, we released 15 new pre-built dashboards covering:

  • Compliance (PCI, HIPAA, ISO)
  • General Security (Firewall, Asset Authentication)
  • Security Tools (Okta, Palo Alto, Crowdstrike)
  • Enhanced Network Traffic Analysis
  • Cloud Security
What's New in InsightIDR: Q4 2021 in Review
Dashboard Library in InsightIDR

Additional dashboard and reporting updates

  • Updates to dashboard filtering: Dashboard Filtering gives users the ability to further query LEQL statements and the data across all the cards in their dashboard. Customers can now populate the dashboard filter with Saved Queries from Log Search, as well as save a filter to a dashboard, eliminating the need to rebuild it every session.
  • Chart captions: We’ve added the ability for users to write plain text captions on charts to provide extra context about a visualization.
  • Multi-group-by queries and drill-in functionality: We’ve enabled Multi-group-by queries (already being used in Log search) so that customers can leverage these in their dashboards and create cards with layered data that they can drill in and out of.

Updates to Log Search and Event Sources

We recently introduced Rapid7 Resource Names (RRN), which are unique identifiers added to users, assets, and accounts in log search. An RRN serves as a unique identifier for platform resources at Rapid7. This unique identifier will stay consistent with the resource regardless of any number of names/labels associated with the resource.

In log search, an “R7_context” object has been added for log sets that have an attributed user, asset, account, or local accounts. Within the “R7_context” object, you will see any applicable RRNs appended. You can utilize the RRN as a search in log search or in the global search (which will link to users and accounts or assets and endpoints pages) to assist with more reliable searches for investigation processes.

What's New in InsightIDR: Q4 2021 in Review
New “r7_context” Rapid7 Resource Name (RRN) data in Log Search

Event source updates

  • Log Line Attribution for Palo Alto Firewall & VPN, Proofpoint TAP, Fortinet Fortigate: When setting up an event source you now have an option to leverage information directly present in source log lines, rather than relying solely on InsightIDR’s traditional attribution engine.
  • Cylance Protect Cloud event source: You can configure CylancePROTECT cloud to send detection events to InsightIDR to generate virus infection and third-party alerts.
  • InsightIDR Event Source listings available in the Rapid7 Extensions Hub: Easily access all InsightIDR event source related content in a centralized location.

Updates to Network Traffic Analysis capabilities

Insight Network Sensor optimized for 10Gbs+ deployments: We have introduced a range of performance upgrades that make high-speed traffic analysis more accessible using off-the-shelf hardware, so you’re able to gain east-west and north-south traffic visibility within physical, virtual and cloud based networks. If you want to take full advantage of these updates check out the updated sensor requirements here.

InsightIDR Asset Page Updates: We have introduced additional data elements and visuals to the Assets page. This delivers greater context for investigations and enables faster troubleshooting, as assets and user information is in one location. All customers have access to:

  • Top IDS events triggered by asset
  • Top DNS queries

For customers with Insight Network Sensors and ENTA, these additional elements are available:

  • Top Applications
  • Countries by Asset Location
  • Top Destination IP Addresses
What's New in InsightIDR: Q4 2021 in Review

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Demystifying XDR: A Forrester Analyst Lays the Foundation

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2021/12/08/demystifying-xdr-a-forrester-analyst-lays-the-foundation/

Demystifying XDR: A Forrester Analyst Lays the Foundation

Extended detection and response (XDR) is no longer a future state in cybersecurity practice — it’s a full-fledged reality for some. In fact, it’s been a thing for a lot longer than you might think.

Still, XDR is new vocabulary for many security operations center (SOC) teams, and the contours of this wide-ranging term can often feel a little fuzzy.

Sam Adams, VP for Detection and Response at Rapid7, recently sat down with Forrester Analyst Allie Mellen to dig deeper into the conceptual framework behind XDR and unpack how organizations can benefit from this approach.

Defining XDR

Allie and her colleagues at Forrester think of XDR “as an extension of endpoint detection and response technology,” she told Sam. “It’s about taking that philosophy that endpoint detection and response vendors have had for a long time around protecting where the business data is, around protecting the endpoint, and recognizing that, ultimately, that’s not enough for a SOC.”



Demystifying XDR: A Forrester Analyst Lays the Foundation

The key concept behind XDR is to expand the sources of telemetry that SOC teams have at their disposal in order to widen their capabilities and help them better protect their organizations.

Identifying the right detections

Sam echoed the importance of this shift in mindset. He noted that when Rapid7 first launched InsightIDR as a security information and event management (SIEM) tool, we started out with a more prescriptive mindset: “Let’s find attacker behavior we’re interested in finding and figure out what sort of data we need to collect that.” But that quickly shifted to an approach that opened up the data sources, rather than narrowing them down.

“What we realized really early in our SIEM journey, and in our journey in building a detection and response platform, was that the endpoint data was an incredibly rich source of detections,” Sam said.

But at some point, you have to figure out what detections are most important. Allie noted that while SIEM has been an integral tool for SOC teams because it lets them easily bring in new sources of telemetry, endpoint detection and response vendors are introducing tools with much more targeted detections. An XDR vendor’s ability to identify threats and author detections for them is a key value-add for many end users.

“One of the reasons that they’re drawn to XDR is because a lot of the detection engineering is done for them,” Allie said, “and they know that they can trust it because it’s backed by this vendor that specializes not only in the technology but also has a whole threat research team dedicated to finding these threats and turning them into detections.”

Threat detected — what next?

These capabilities also enhance the “R” in XDR, with dynamic response recommendations that reflect the detections themselves, rather than a predetermined playbook. And given the current cybersecurity talent shortage, it’s all the more important for security teams to democratize this skill set so they can act quickly, with better insight.

But as Allie points out, it’s the intermediary step between detection and response that often trips teams up.

“The longest part of the incident response life cycle is investigation,” she said. This step can be especially difficult when detections are particularly complex.



Demystifying XDR: A Forrester Analyst Lays the Foundation

But while investigation and root cause analysis remain a challenge, the slow-downs in this stage of the detection-and-response life cycle provide an important insight into the gaps that XDR needs to fill.

“While tools are able to provide detections and while we can orchestrate response actions, we’re not really giving the analyst everything they need to make a decision up front,” Allie said.

3 key outcomes of XDR

With XDR, Allie says, the goal is to better understand what’s going on in your environment and what to do about it by bringing in data across telemetry sources beyond just the endpoint. This drives better outcomes in 3 core areas:

  1. Improving detection efficacy: Whether you’re looking to lighten your detection engineer’s workload or you simply don’t have one on staff, XDR aims to provide the most effective detections on an ongoing basis.
  2. Making investigation easier: XDR makes analysts’ lives easier, too, by expanding the pool of telemetry sources to provide more comprehensive data and insights on threats.
  3. Enabling faster response: With better, shorter investigations, SOC analysts will know what to do next — and be able to put the gears in motion more quickly.

By bringing these benefits along with proactive use cases like threat hunting, the vision is for XDR to become the go-to tool for everything SOC teams need to do to keep organizations secure.

Want more XDR insights from our conversation with Allie? Check out the full talk.

The End of the Cybersecurity Skills Crisis (Maybe?)

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2021/11/22/the-end-of-the-cybersecurity-skills-crisis-maybe/

The End of the Cybersecurity Skills Crisis (Maybe?)

In just 4 years, you can learn to be fluent in Mandarin.

In 2 years, NASA can get you through astronaut training.

But the cybersecurity skills gap? It’s dire and dead-stuck in its fifth straight year of zero progress.

Globally, 3.5 million cybersecurity jobs remain unfilled, and of those candidates who do apply for open jobs, only 25% are qualified. Industry news and conferences are full of hot takes about XDR and how it will change everything in, say, another 5 years. The question is, who has that kind of time?

And don’t count on artificial intelligence to save the day: While it will be used to combat attacks with something like a “digital immune system,” the bad guys will use AI to enable attacks, too. We’ll always need humans and machines to collaborate, each doing what they do best.

Why the answer can’t be (and isn’t) another 5 years away

You know digital transformation and cloud migration are straining traditional security tools. Most enterprises are cobbling together a (sort of) full picture, running an average of 45 different cybersecurity-related tools on their networks. Most have arduous deployments, long ramp-ups, and heavy configurations. When all that’s done, they’re still tracking multiple threat intelligence feeds, drowning in alerts, and processing them manually. (ISC)2 is piloting a new, entry-level cybersecurity certification for fresh talent. Can anyone really train for all that?

But right now, today, a number of Rapid7 customers are achieving XDR efficiency and outcomes with InsightIDR. It’s reducing workloads, simplifying operations, easing staffing requirements, and preventing burnout. (If you haven’t yet, take a look at InsightIDR’s origin story, and you’ll understand exactly how and why.)

XDR is here, helping analysts at every level operate like experts

InsightIDR – a cloud-native, SaaS-delivered, unified SIEM and XDR – gives you contextualized intelligence from the clear, deep, and dark web, along with expertly vetted detections and the guided automation teams need. It fundamentally changes data analysis, investigation, threat hunting, and response.

Teams get curated detections out of the box, as well as a prescriptive approach to attacks. Expect automated response recommendations and prebuilt workflows for activities like containing threats on an endpoint, suspending user accounts, and integrating with ticketing systems like Jira and ServiceNow. Wizard guides help even the greenest analyst know where to go next.

InsightIDR also opens up end-to-end automation opportunities. You can automate common security tasks that reduce noise from alerts, directly contain threats such as malware or stolen credentials, integrate with ticketing and case management tools, and more.

Analysts handle anomalies quickly and well with intuitive search and query language, attribution of data to specific users, detailed correlation across events, and visualizations. InsightIDR lightens the workload and gives analysts a big jump start on the things that matter most.

A prediction

The day is coming (and who knows — it might be here) when cybersecurity job candidates will want to know exactly what technology they’ll be working with at your company. They’ll expect XDR. And they’ll have their own interview questions:

  • Are the more mundane, repetitive tasks automated yet?
  • Are you still tab-hopping, multi-tasking, and working distracted?
  • What’s your signal-to-noise ratio these days?
  • What’s the stress level like? Is it really a 40-hour week?

Millennials (ages 25-40) and Gen Z (recently in the job market and our future) are the most tech-savvy generations yet; Gen Z in particular is off the charts. Both put work-life balance above any other job characteristic — including pay and advancement opportunities. Techvalidate just asked InsightIDR customers if the platform ushered in better work-life balance. Almost 40% said yes.

The workplace is already trying to adjust, culturally and otherwise.

Both Millennials and Gen Z experience more anxiety and stress than older workers and their bosses. And while Millennials hope and angle for good work-life balance, Gen Z demands it rather assertively. They’ll ask for “mental health days” from time to time. No job gets to make their personal lives shambolic — it’s just not worth it. And the #1 source of job information they turn to? Your current and former employees.

If you have a band of stressed-out burnouts posting on Glassdoor, think about how that looks to a potential candidate. How you and your current staff are doing matters.

Here’s the thing — and forgive the rose-colored glasses

Cybersecurity is important, pioneering work that makes a difference. You protect companies, our economy, our country, and individual human beings. Security professionals do daily battle with criminal organizations, adversarial nation-states, and everyday duplicity. And it’s a job that didn’t even exist when most entry-level applicants were born.

Forrester analyst Allie Mellen believes in humanizing security operations, “taking away all the boring minutia we hate to do, and just leaving the really cool, creative stuff for us.” Mellen said, “XDR is definitely pushing down that path.” We think that’s an adventure anyone would line up for, as good as anything NASA has.

Start by downloading our eBook: “4 Ways XDR Levels Up Security Programs.”

Better Together: XDR, SOAR, Vulnerability Management, and External Threat Intelligence

Post Syndicated from Matthew Gardiner original https://blog.rapid7.com/2021/11/15/better-together-xdr-soar-vulnerability-management-and-external-threat-intelligence/

Better Together: XDR, SOAR, Vulnerability Management, and External Threat Intelligence

One of the biggest challenges with both incident response and vulnerability management is not just the raw number of incidents and vulnerabilities organizations need to triage and manage, but the fact that it’s often difficult to separate the critical incidents and vulnerabilities from the minor ones. If all incidents and vulnerabilities are treated as equal, teams will tend to underprioritize the critical ones and overprioritize those that are less significant. In fact, ZDNet reports that only 5.5% of all vulnerabilities are ever exploited in the wild. Meaning that fixing all vulnerabilities with equal priority is a significant misallocation of resources, as 95% of them will likely never be exploited.

Unjamming incident response and vulnerability management

My experience with organizations over the years shows a similar issue with security incidents. Clearly not all incidents are created equal in terms of risk and potential impact, so if your organization is treating them equally, this also is a sign of misprioritization. And what organization has a surplus of incident response cycles to waste? Without some informed triaging and prioritization, the remediation of both incidents and vulnerabilities can get jammed up, and the security team can be blamed for “crying wolf” by raising the security alarm too often without strong evidence.

How to better prioritize security incidents and vulnerabilities? Fundamentally, it comes down to simultaneously having the right data and intelligence from both inside your IT environment and the world outside. What if you could know with high certainty what you have, what is currently going on inside your IT environment, and how and whether the threat actors’ current tools, tactics, techniques, and procedures are currently active and relevant to you? If this information and analysis was available at the right time, it would go a long way to helping prioritize responses to both detected incidents and discovered vulnerabilities.

Integrating XDR, SOAR, vulnerability management, and external threat intelligence

The key building blocks of this approach require the combination of extended detection and response (XDR) for continuous visibility and threat detection; vulnerability management for vulnerability detection and management; SOAR for security management, integration, and automation; and external threat intelligence to inject information about what threat actors are actually doing and how this relates back to the organization. The intersection of these four security systems and sources of intelligence is where the magic happens.

Separately, XDR, SOAR, vulnerability management, and external threat intelligence are valuable in their own right. But when used closely together, they deliver greater security insights that help guide incident response and vulnerability management. Together, they help security teams focus their limited resources on the risks that matter most.

What Rapid7 is doing about it

Rapid7 is on the forefront of bringing this integrated approach to market. It starts — but does not end — with possessing all the underlying technology and expertise necessary to bring this approach to life through our products in XDR, SOAR, vulnerability management, and external threat intelligence. New and particularly important to this story is how Rapid7’s external threat intelligence offering, brought forward by the recent acquisition of IntSights, is integrated and directly available to assist with incident and vulnerability management prioritization and automation.

The newly released InsightConnect for IntSights Plugin enables, among other capabilities, the enrichment of indicators — IP addresses, domains, URLs, file hashes — with what is known about them in the outside world, such as whether they are part of attackers’ infrastructure, their registration details, when they were first seen, any associations with threat actor groups, severity, and other key aspects. This information, when linked to alerts and vulnerabilities, can help drive the response prioritizations that are incredibly important to improving incident response and vulnerability management effectiveness and efficiency.

This is just the start of integrating IntSights threat intelligence into Rapid7’s broader set of security offerings. Stay tuned for additional integration news as Rapid7 brings best-of-breed solutions further, combining our vulnerability management, detection and response, and threat intelligence products and services to solve more real-world security challenges.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Building Threat-Informed Defenses: Rapid7 Experts Share Their Thoughts on MITRE ATT&CK

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2021/11/04/building-threat-informed-defenses-rapid7-experts-share-their-thoughts-on-mitre-att-ck/

Building Threat-Informed Defenses: Rapid7 Experts Share Their Thoughts on MITRE ATT&CK

MITRE ATT&CK is considered by practitioners and the analyst community to be the most comprehensive framework of cybersecurity attacks and mitigation techniques available today. MITRE helps the security industry speak the same language and stick to a well-known, common framework.

To get more details on MITRE’s ATT&CK Matrix for Enterprise and its impact, I spoke with 3 members of Rapid7’s Managed Detection and Response team who have firsthand experience working with this framework every day — read our conversation below!

Laying some groundwork here, what are your thoughts on the MITRE ATT&CK framework?

John Fenninger, Manager of Rapid7’s Detection and Response Services, kicked us off by sharing his perspective:

“MITRE ATT&CK is an incredibly valuable framework for both vendors and customers. From things like compliance to more immediate needs like investigating an ongoing attack, MITRE makes it easy to see specific techniques that customers may not have heard of and helps think of tactical moves customers can protect against. With InsightIDR specifically, we align our detections to MITRE to give both our MDR SOC analysts and customers visibility into how far along a threat is on the ATT&CK chain.”

Rapid7 is not only a consumer of the MITRE ATT&CK Framework but an active contributor as well — in 2020, Rapid7 Incident Response Consultant Ted Samuels made a contribution to MITRE around a discovery for group policy objects that is now in the latest version of the ATT&CK framework.

Can you share your perspective on how the MITRE framework is used, and by who?

When it comes to leveraging the MITRE ATT&CK framework, there are 2 key audiences to consider, says Rapid7’s Senior Detection & Response Analyst, Vidya Tambe:

“There are 2 main categories of users — people who write detections and people who do the analysis of the detections, and the MITRE framework is important for both. From the analyst side, we want to know what stage of attack each alert is at, and based on where the alert falls, we know how critical an incident is. With MITRE, we can track how an attacker got to where they are and what kind of escalations they did — overall, it helps us back-track to see what they were able to compromise.

“From the detection writing standpoint, we want to stop attacks before they get too far into someone’s environment. Attacker techniques are always evolving, and while we aim to write detections for all the phases, a primary focus is to try and write detections early on to stop attackers as early in the ATT&CK chain as possible.”

What advice do you have for security teams when it comes to leveraging the MITRE framework to drive successful detection and response?

Rapid7 Detection and Response Analyst Carlo Anez Mazurco shared some advice for teams when it comes to using the MITRE framework at their organization:

“The MITRE Framework allows us to build a threat-informed defense. It shows us the 3 main areas that we need to focus on for data collection, data analysis, and expansion of detections. For teams to successfully utilize the MITRE framework, they need visibility into the following data sources at a minimum:

  • Process and process command line monitoring can be collected via Sysmon, Windows Event Logs, and many EDR platforms
  • File and registry monitoring is also often collected by Sysmon, Windows Event Logs, and many EDR platforms
  • Authentication logs collected from the domain controller
  • Packet capture, especially east/west capture, such as those collected between hosts and enclaves in your network

“Teams need a platform like InsightIDR, Rapid7’s extended detection and response solution, where the data from all of these sources can be ingested. Whatever platform or tool teams choose to use for this data ingestion should include MITRE mappings to attacker behaviors to understand what attackers are trying to do inside our environment at each stage, the TTPs (Tactics, Techniques, Procedures) of each threat actor should be documented in each alert — InsightIDR maps its detections to the MITRE framework to do just this for users.”

You mentioned InsightIDR has MITRE mapping — can you dig a little more into how this impacts customers?

“Our InsightIDR platform helps our customers collect all the necessary data sources,” Carlo continued. “That includes process and process command line monitoring via our endpoint Insight Agent, as well as file monitoring. Plus, authentication logs are collected from domain controllers and also via the Insight Agent, and network flow inside the environment can be gathered through our Insight Network Sensor.

“Our ABA and UBA detections are mapped to the MITRE framework to show our customers which TTPs are the most commonly used by threat actors in their environment, and it gives an insight into the attack patterns in real time. You can see an example of this in one of our past Rapid7 Threat Reports here.

“Additionally, our Rapid7 Threat Intelligence team is always developing new threat detections based on the threat intelligence feeds and public repositories of attacker behaviors. These new detections are mapped to the TTPs inside the MITRE framework and pushed out to all Rapid7 customers.”

We also recently released a new view of Detection Rules in InsightIDR where all detections are mapped to the MITRE ATT&CK Framework, and users can see associated MITRE tactics, techniques, and sub-techniques for detections while performing an investigation.

Interested in learning more?

As you can see, we really value the MITRE ATT&CK framework here at Rapid7. With InsightIDR your detections are vetted by a team of professional SOC analysts and mapped to MITRE to take the guessing game of what an attacker might do next.

If you’re looking to hear more from us on MITRE, watch a quick 3-minute rundown on the framework here.

SANS Experts: 4 Emerging Enterprise Attack Techniques

Post Syndicated from Aaron Wells original https://blog.rapid7.com/2021/09/02/sans-experts-4-emerging-enterprise-attack-techniques/

SANS Experts: 4 Emerging Enterprise Attack Techniques

In a recent report, a panel of SANS Institute experts broke down key takeaways and emerging attack techniques from this year’s RSA Security Conference. The long and short of it? This next wave of malicious methodologies isn’t on the horizon — it’s here.

When it comes to supply-chain and ransomware attacks, bad actors seem to have migrated to new ground over the last 2 years. The SANS Institute report found that government, healthcare, and retail (thanks in large part to online spending at the height of the pandemic) were the sectors showing the largest spike from the first quarter of 2020 to this year, in terms of finding themselves in attackers’ crosshairs. As larger incidents increase in frequency, let’s take a look at 4 specific attack formats trending toward the norm and how you can stay ahead of them.

1. Cracks in the facade of software integrity

Developers are under greater pressure to prioritize security (i.e., shift left) within the Continuous Integration/Continuous Delivery (CI/CD) lifecycle. This would seem to be at stark odds with the number of applications built on open-source software (OSS). And, if a security organization is part of a supply chain, how many pieces of OSS are being used at one time along that chain? The potential is huge for an exponential jump in the number of vulnerabilities in that group of interdependent organizations.

There are ways to mitigate these seemingly unstoppable threats. Measures like file integrity monitoring (FIM) surface changes to critical files on your network, alerting you to suspicious activity while also providing context as to the affected users and/or assets. Threat hunting can also help to expose vulnerabilities.

Used with a cloud-native, extended-detection-and-response (XDR) approach, Rapid7’s proactive threat-hunting capabilities leverage multiple security and telemetry sources to act on fine-grained insights and empower teams to quickly take down threats.

2. Do you have a token to get into that session?

Commonly, applications make use of tokens to identify a person wishing to access secure data, like banking information. A user’s mobile app will exchange the token with a server somewhere to verify that, indeed, this is the actual user requesting the information and not an attacker. Improper session handling happens when the protocols according to which these applications are working don’t properly secure identifying tokens.

The issue of improper user authentication was exacerbated by the onslaught of the pandemic, as companies raced to secure — or not — enterprise software for a quickly scaled-up remote workforce. To resolve this issue, individual users can simply make it a best practice to always hit that little “log off/out” button once they’re finished. Businesses can also do this by setting tokens to automatically expire after a predetermined length of time.  

At the enterprise level, security organizations can use a comprehensive application-testing strategy to monitor for weak session handling and nefarious attacker actions like:

  • Guessing a valid session token after only short-term monitoring
  • Using static tokens to target users, even if they’re not logged in
  • Leveraging a token to delete user data without knowing the username/password

3. Turning the machines against us

No, that’s not a Terminator reference. If someone has built out a machine-learning (ML) algorithm correctly, it should do nothing but assist an organization in accomplishing its business goals. When it comes to security, this means being able to recognize traffic patterns that are relatively unknown and classifying them according to threat level.

However, attackers are increasingly able to corrupt ML algorithms and trick them into labeling malicious traffic as safe. Another sophisticated method is for attackers to purchase their own ML products and use them as training grounds to produce and deploy malware. InsightIDR from Rapid7 leverages user-behavior analytics (UBA) to stay ahead of malicious actions against ML algorithms.

Understanding how your ML product functions is key; it should build a baseline of normal user behavior across the network, then match new actions against data gleaned from a combination of machine learning and statistical algorithms. In this way, UBA exposes threats without relying on prior identification in the wild.

4. Ramping up ransomware

Let’s face it: Attackers all over the world are essentially creating repositories and educational platforms in how to evolve and deploy ransomware. It takes sophistication, but ransomware packages are now available more widely to the non-tech set to, for lack of a more apt phrase, plug and play.

As attack methodologies ramp up in frequency and size, it’s not just data at risk anymore. Bad actors are threatening companies with wide public exposure and potentially a catastrophic loss to reputation. But there are opportunities to learn offensive strategies, as well as how attacker techniques can become signals for detection.

Target shifts

If the data in the SANS report tells us anything, it’s that attackers and their evolving methodologies — like those mentioned above — are constantly searching not just for bigger targets and paydays, but also easier paths to their goals.

Targeted industry shifts in year-over-year data show that the company or sector you’re in clearly makes no difference. Perhaps the biggest factor in bad actors’ strategies is the degree of ease with which they get what they want — and some industries still fall woefully behind when it comes to security and attack readiness.

Learn more about the latest threat trends

Read the full SANS report

[The Lost Bots] Episode 2: Extended Detection and Response (XDR)

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/08/02/the-lost-bots-episode-2-extended-detection-and-response-xdr/

[The Lost Bots] Episode 2: Extended Detection and Response (XDR)

Welcome back to The Lost Bots, a new vlog series where Rapid7 Detection and Response Practice Advisor Jeffrey Gardner talks all things security with fellow industry experts. In this second episode, Jeffrey sits down with Dan Martin, a lead product manager for our platform at Rapid7, to discuss Extended Detection and Response (XDR). They cover what it is, different approaches to XDR (open, hybrid, and native), and some tips for how teams can start to evaluate which solution and approach are best for their organization.

[The Lost Bots] Episode 2: Extended Detection and Response (XDR)

Stay tuned for future episodes of The Lost Bots! Coming up next: Jeffrey breaks down a war story with a member of our Rapid7 MDR SOC team, where they’ll talk about lessons learned and best practices for staying ahead of threats in your environment. You don’t want to miss it!

[The Lost Bots] Episode 1: External Threat Intelligence

Post Syndicated from Rapid7 original https://blog.rapid7.com/2021/07/19/lost-bots-vlog/

[The Lost Bots] Episode 1: External Threat Intelligence

Welcome to The Lost Bots, a new vlog series where Rapid7 resident expert and former CISO Jeffrey Gardner (virtually) sits down with fellow industry experts to spill the tea on current events and trends in the security space. They’ll also share security best practices and trade war stories with the Rapid7 SOC team. The best part? Each episode is short, sweet, and to the (end)point – so you gain insights from the industry’s brightest in just 15 minutes.

For this inaugural episode, Jeffrey sits down with Rapid7 Insight Platform SVP Pete Rubio and IntSights Cofounder and CPO Alon Arvats to discuss how teams can successfully leverage external threat intelligence to identify and mitigate lurking attacks. They tackle the “what”, “why”, and “how” of external threat intelligence. They also share how security teams can effectively put external threat intel into action and what behaviors and telemetry are the most useful to find advanced threats.

[The Lost Bots] Episode 1: External Threat Intelligence

Stay tuned for future episodes of The Lost Bots! For our second installment, Jeffrey will be back to discuss a topic we’ve all been hearing a lot about in recent months: Extended Detection and Response, or XDR.

Rapid7 + XDR: Security that Moves as Fast as Your Business

Post Syndicated from Rich Perkett original https://blog.rapid7.com/2021/07/19/extended-detection-response/

Rapid7 + XDR: Security that Moves as Fast as Your Business

Since launching InsightIDR almost six years ago, our mission has remained constant: make it possible for any security team to achieve fast, sophisticated threat detection and response programs that scale with their business. Making threat detection and response as agile and simple as possible enables security professionals to focus their time and energy on the most critical incidents and the things that matter most.

We didn’t set out to build another security incident and event management (SIEM) or endpoint detection and response (EDR) product. Industry approaches at the time were — and largely remain — broken. We set out to build a more effective, efficient way to tackle threat detection and response across modern, distributed, hybrid cloud environments. Through the early days of introducing the user and entity behavior analytics (UEBA) category, to the addition of the Rapid7 agent to unlock EDR and attacker behavior analytics (ABA), and continued value delivery with deception technology, file integrity monitoring (FIM), automation, network traffic analysis (NTA), cloud detections, and security orchestration and automated response (SOAR), we were always informed by what we learned from customers, what we saw in our own service engagements, and community-infused threat intelligence projects, like Metasploit, Velociraptor, Project Sonar, and Project Heisenberg.

We are excited that analysts and others in the market are now validating the approach that we’ve taken from the start. For some time, we knew we had an “X factor” that differentiated InsightIDR — and made it challenging to put it into a specific pre-existing market category. It’s so fitting that the market is starting to equate our approach with extended detection and response, or XDR.

We’re happy to continue to lead from the front, and, regardless of the acronym, we remain unwavering in our promise to continue enabling security operations professionals to detect threats earlier and respond smarter and faster to secure their environments — regardless of scale. As part of our commitment to continue to forge the frontier of threat detection and response, we are thrilled to leverage technology and talent from IntSights. It supercharges the Threat Engine that powers our attack mapping and out-of-the-box detections — strengthening the signal-to-noise and extinguishing threats faster.

XDR that delivers the freedom to focus

XDR unifies and transforms relevant security data from across your modern environment to detect real attacks and provide security teams with high-context and actionable insights. By aggregating threat detection and response across multiple controls, XDR can improve threat detection and response efficacy and efficiency.

After countless conversations with customers, thousands of professional services engagements, and living in customers’ shoes with our managed detection and response (MDR) SOC experience, we consistently heard one thing: what eludes security teams is not attackers, it’s time. Teams simply don’t have the time or resources to do it all, and forced trade-offs create opportunities for attackers to get in. That’s why we purpose-built InsightIDR to give teams time back to focus on successful, proactive and complete threat detection and response programs.

Empower every analyst to be an expert. Today’s security analyst has to be a Renaissance player to be successful versus attackers. But longer onboarding cycles, antiquated rule sets created by previous employees, and steep learning curves make it challenging to ensure every analyst is productive. InsightIDR is cloud-native and SaaS-delivered to eliminate the distractions of months-to-years-long deployments and configurations. With a focus on flexibility, intuitive UI, and a highly contextualized view of the environment “out of the box,” InsightIDR helps teams level-up resources and see value on day one.

Transform security with your business. As every organization pursues digital transformation and cloud computing becomes the default, security teams struggle to bring legacy tools along and manage a vast array of disparate point solutions to try to get the full picture. InsightIDR has always had a forward-looking view of the attack surface, providing a harmonious, correlated view of users, endpoints, network, cloud, and applications — immediately. No more tab-hopping.

Trust your detections, immediately. One of the more egregious and frustrating errors that accompanies alternative threat detection and response offerings is the volume of false positives. Given that teams already have so little time to spare, even spending a moment chasing a false alarm is irritating; when it happens during dinner or on a weekend, it’s infuriating. InsightIDR takes a multi-layered detection approach, leveraging our knowledge of customer environments along with our internal and community-infused threat intelligence to fuel our Threat Engine. This engine encompasses all of our proprietary machine learning and algorithms that enable us to zero in on both known and unknown threats, with further human curation by our detections engineering experts. This highly curated library is then expertly tested in the field by our industry-leading MDR SOC. The result is a library of high-fidelity, relevant detections teams can feel confident acting on.

Accelerate response, stay ahead of attackers. When your team is up against an attack, every second matters; we don’t want to waste even a single mouse-click. With our detailed, correlated investigations, teams have the full timeline of an attack and all relevant information they need in one place. With expert- and community-driven playbooks, and containment and automation built in, analysts are empowered to eliminate threats faster — before attackers can succeed.

Strengthening our signal-to-noise with IntSights

As we look ahead to what’s next, a theme has emerged: signal-to-noise. The sprawl of data and noise is infinite. What matters is finding what matters.

With the acquisition of IntSights, we doubled down on our goal to deliver the highest-fidelity set of detections to thwart attackers. As a leading provider of contextualized external threat intelligence and proactive remediation, IntSights further strengthens our XDR offering, delivering improved signal-to-noise and higher-fidelity alerts to drive earlier threat detection and accelerated response. Combining IntSights’ external threat view with Rapid7’s knowledge of customers’ digital footprints and community-infused threat intelligence unlocks the most comprehensive, tailored view of a customer’s attack surface available.

We have a lot to be optimistic about when it comes to IntSights. One of the most exciting things is our shared view that we can democratize sophisticated intelligence, detection, and response. We are thrilled to collaborate with them on this next chapter, and look forward to sharing more with customers soon.

Rapid7 Acquires IntSights to Tackle the Expanding Threat Landscape

Post Syndicated from Corey Thomas original https://blog.rapid7.com/2021/07/19/rapid7-acquires-intsights/

Rapid7 Acquires IntSights to Tackle the Expanding Threat Landscape

I am pleased to share the exciting news that, today, Rapid7 acquired IntSights, a leading provider of cloud-native, external threat intelligence and proactive threat remediation. The IntSights team is fantastic, and their threat intelligence capabilities are equally impressive. I’ll share more about why IntSights is a great fit for Rapid7 and our customers, but let me first share some context for this acquisition.

We’ve seen firsthand that with digital transformation the attack surface has increased exponentially and customers are recognizing that improved visibility to their internal risk profile is just one part of the security equation. With today’s threat landscape, it’s imperative for security teams to have early, contextualized threat detection across their internal and external environment. Yet most security teams are already under-resourced and overburdened, struggling to identify and address what needs immediate action. So, under these circumstances, how can we help security teams stay one step ahead of the attackers? Enter IntSights.

IntSights offers a leading, cloud-native, external threat intelligence and remediation solution that helps customers solve this emerging challenge. Sophisticated threat intelligence capabilities are typically only realistic for the most mature, well-resourced organizations. But IntSights is disrupting that and democratizing threat intelligence so that every organization can protect itself, regardless of size or capabilities.

There’s no shortage of threat intelligence information available today, but much of it lacks context, creating too much alert noise and additional work for already-overburdened security teams. IntSights’ flagship Threat Command offering turns complex signals into contextualized attack-surface intelligence, making threat intelligence easier for organizations of any size to remediate their most critical external threats.

For example, IntSights monitors the clear, deep, and dark webs to identify threats specifically targeting an organization’s digital footprint, including things like data and credential leakage, malicious activity tied to their brand, and fraud. But IntSights goes beyond monitoring and takes action by proactively remediating with automated takedowns of threats.

Coupling IntSights’ tailored, external threat-intelligence capabilities with Rapid7’s community-infused threat intelligence and deep understanding of customer environments will enable customers with a unified view into threats, attack-surface monitoring, greater signal-to-noise ratio, relevant insights, and proactive threat mitigation.

What’s next

IntSights has built a tremendous business and we look forward to making Threat Command available as a standalone offering to an even broader set of customers through this acquisition. At the same time, we will begin integrating IntSights’ threat-intelligence capabilities into the Rapid7 Insight Platform to unlock earlier threat identification and faster remediation across our entire portfolio. Learn more about how we intend to accelerate security operations and emergent threat response with our platform.

In addition, we will leverage IntSights’ capabilities to enhance our cloud-native, extended detection and response (XDR) capabilities by enabling high-quality, high-fidelity alerts to ensure efficient security operations, earlier threat detection, and accelerated response times. Learn more about how the acquisition of IntSights enhances our best-in-class XDR offering.

Welcome, IntSights!

From its beginning, IntSights set out on a mission to democratize threat intelligence, something that is very culturally synergistic with Rapid7, as we continue our journey to close the security achievement gap and bring high-quality and efficient security operations to organizations of all sizes and capabilities. I want to welcome IntSights’ customers, partners, and team members to Rapid7. Today we begin a new and exciting chapter together as we continue to innovate in the threat-intelligence space, always keeping the needs of our customers at the forefront. I look forward to what will undoubtedly be great things to come.

Accelerating SecOps and Emergent Threat Response with the Insight Platform

Post Syndicated from Lee Weiner original https://blog.rapid7.com/2021/07/19/insight-platform-and-extended-detection-response/

Accelerating SecOps and Emergent Threat Response with the Insight Platform

When we talk to customers about the Insight Platform and how to best support their evolving needs, they’re often not asking for another product, but rather a capability that enhances a current experience. Our customers have the core ingredients of a robust security program, but as their attack surfaces endlessly sprawl, they’re looking for ways to double down on the efficiency and streamlining of security operations they’re already experiencing from the platform today. Efficiency and streamlined operations are 2 areas where our team will continue to focus efforts in order to deliver value across Rapid7’s growing best-in-class portfolio, while enabling cross-capability experiences that improve security-team effectiveness.

Responding to emerging threats and vulnerabilities: Alerts are not enough

One of Rapid7’s greatest strengths is the fact that we have market-leading products in detection and response, cloud security, and vulnerability management. As we increasingly see customers leveraging our products, there are many similar expectations from those user bases. One that stands out is the expectation/demand that Rapid7 quickly respond to emerging threats and new vulnerabilities in a way that provides actionable context. We refer to this program as Emergent Threat Response. We spend a lot of time on this today, though we need to do more here for our customers to help them combat emerging threats. We’re often addressing and detailing out what we know and what we’re doing about high-profile threats (e.g. SolarWinds SUNBURST, Microsoft Exchange Zero-Day), and while our customers have responded very positively to this type of outreach, they have also asked for more of it!

We have a unique opportunity with customers to enable a 2-way conversation. Our customers need to improve signal-to-noise, and our Emergent Threat Response approach does help to accomplish that. We can do a lot more though, and with more intelligence on the internal and external threat landscape we can offer more context and treat more threats with Emergent Threat Response. We’re constantly obsessing over improving signal-to-noise, so we’re careful to pick our spots. However, while an emerging threat may only impact a very small percentage of machines across our customer base, impacted customers may categorize those machines as high-value assets. Customers may also have a lot of interest in a specific threat group and are eager to learn more about them and the detections we have available for their known techniques. In both of these use cases — whether we’re pushing our intelligence or allowing customers to pull it — we can maintain our high standards for signal-to-noise as long as we’re always prioritizing relevancy.

The Insight Platform + IntSights: Enriching alerts and driving contextualized intelligence

When customers are battling emergent threats, core alerts and vulnerability information is important; but our customers are increasingly looking to understand more about adversary groups, tactics and techniques, and why they were targeted. Today we have a very comprehensive view of our customers’ internal networks. This is incredibly helpful to power every product we provide, but investing in more scalable ways to connect this internal profile to an external view of the world increases our ability to deliver timely, relevant, and actionable intelligence. With IntSights joining the Rapid7 family, this aspiration has become a reality. Beyond the Emergent Threat Response use case we drilled into here, the platform will leverage IntSights’ contextualized external threat intelligence to power and strengthen our threat library, risk scoring, and vulnerability prioritization. We believe we can add/enhance capabilities across the portfolio to not only help our customers solve the security concerns of today, but also take a proactive approach to defend against the security concerns of tomorrow.

Learn more about what’s in store for the Insight Platform as Rapid7 welcomes IntSights.