Tag Archives: InsightIDR

Ditch The Duct Tape: Reduce Security Sprawl With XDR

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2023/01/11/ditch-the-duct-tape-reduce-security-sprawl-with-xdr/

Ditch The Duct Tape: Reduce Security Sprawl With XDR

The New Year’s Day edition of The Wall Street Journal asked a big question in a big headline: “Can Southwest Airlines Buy Back Its Customers’ Love?”

While other airlines rebounded from extreme winter weather and service disruptions, Southwest—always top-rated, with a famously loyal following—melted down. It canceled more than 2,300 flights, stranding passengers and their baggage around the country over the Christmas holidays. The U.S. Department of Transportation is putting the entire event “under a microscope.”

Most believe Southwest will, in fact, be loved again. Tickets were refunded, travel expenses were reimbursed, and approximately 25,000 frequent flyer miles were doled out to each stranded customer. Whatever. That’s not why you should pay attention to this tale.

The object lesson that matters? WSJ’s CIO Journal followed up, reporting that “balky crew scheduling technology” caused the disaster. Airline staff who used the system had been frustrated by it for some time, but couldn’t get executive attention. A scathing New York Times op-ed on December 31, “The Shameful Open Secret Behind Southwest’s Failure,” blames the strong incentives to address problems by “adding a bit of duct tape and wire to what you already have.”

Balky tech that frustrates staff: Sound familiar?

Two years ago, ZDNet reported the average enterprise managed 45 different tools to secure their environment. A few weeks ago, the Silicon Valley Business Journal said the number has jumped to 76, with sprawl driven by a need to keep pace with cloud adoption and remote work. Security teams are spending more than half their time manually producing reports, and pulling in data from multiple siloed tools.

The cybersecurity skills gap isn’t going anywhere. And the most tech savvy generation in human history—Gen Z, the latest entrants to adulthood and the workforce—is unlikely to stick it out in a burnout job laden with clunky tools. They grew up with customer-obsessed brands like Apple and Amazon and Zappos. Expectations about technology and elegant simplicity are built into all corners of their lives—work included— and they instantly know the difference between good and shambolic. Younger workers led The Great Resignation of 2021.

The trend toward XDR adoption is part of a solution. While capabilities can vary, XDR should integrate and correlate data from across your environment, letting you prioritize and eliminate threats, automate repetitive tasks, and liberate people to do important work.

If 2023 is your year to consider XDR, start with this Buyer’s Guide

Our new XDR Buyer’s Guide is for all of you who want to consolidate, simplify, and attract top talent. In this guide, you’ll get:

  • Must-have requirements any real XDR offers
  • Ways XDR is a staffing and efficiency game-changer
  • Key questions to ask as you evaluate options

Last year, Southwest announced $2 billion in customer experience investments, including upgraded WiFi, in-seat power, and larger overhead bins, as well as a new multimedia brand campaign, “Go With Heart.”  

After taking very good care of stranded customers—and true  to form, the airline did—it announced a 10-year, $10 million plan to hit carbon reduction goals. The Wall Street Journal asked: “Could not the Southwest IT department have used another $10 million?”

…and you’ve surely heard about this

This morning at 7:20am, the FAA grounded all domestic departures when the NOTAM (Notice to Air Mission) system failed. This critical system ingests information about anomalies at 19,000 airports for 45,000 flights every day, and alerts the right pilots at the right time. We woke up hearing about “failure to modernize” and also possible compromise.

Thanks for reading and come back tomorrow, as we’ll be following this developing story closely.

About Anomalous Data Transfer detection in InsightIDR

Post Syndicated from Dina Durutlic original https://blog.rapid7.com/2022/12/07/about-anomalous-data-transfer-detection-in-insightidr/

About Anomalous Data Transfer detection in InsightIDR

By Shivangi Pandey

Shivangi is a Senior Product Manager for D&R at Rapid7.

Data exfiltration is an unauthorized movement or transfer of data occurring on an organization’s network. This can occur when a malicious actor gains access to a corporation’s network with the intention of stealing or leaking data.

Data exfiltration can also be carried out by inside actors moving data outside of the network accidentally, by uploading corporate files to their personal cloud – or deliberately to leak information that harms the organization.

Identifying this cyber risk is integral to securing your organization’s network.

Of course, attackers use multiple methods

Some use phishing scams to trick users into inputting personal login information into spoofed domains so that they can use the appropriate credentials to infiltrate the network. Once on to the network, the malicious actor can send the files they were searching for outside of their network using remote desktop, SSH, etc.

Another method? Ignoring security controls of a network. For example, employees may download unauthorized software for ease of use, but unintentionally allow a third party to gain access to sensitive information that was not meant to leave the network. People may use personal accounts and devices for work related tasks just because it’s easy. A malicious inside actor can also circumvent security controls to leak information outside of the network.

With many organizations moving to a hybrid model of work, it’s more important than ever to prevent data exfiltration, intended or unintended. This can be done by educating your employees of appropriate conduct when it comes to data usage and data sharing within and outside of your network. Education about common attack vectors attackers may use to steal their credentials will also help your employees keep your network secure. Additionally, education around what devices can access your network will make it easier to monitor whether a data breach is about to occur. Finally, assigning certain privileges based on employee functions will help.

Being able to detect data exfiltration is incredibly important for an organization’s environment and essential to your organization’s security posture. One of our new detections, Anomalous Data Transfer, provides you with the visibility into possible occurrences of data exfiltration within your network.

Rapid7s approach for detecting Anomalous Data Transfers

Anomalous Data Transfer is an InsightIDR detection which utilizes network flow data, produced by the Insight Network Sensor, to identify and mark unusual transfers of data and behavior. The detection identifies anomalously large transfers of data sent by assets out of a network, and outputs data exfiltration alerts

The model dynamically derives a baseline for each asset based on its active periods over 30 days, and each hour, will output network activity that is anomalously high as compared to that baseline as a candidate for further investigation. This process effectively acts as a filter, reducing millions of network connections into a few candidate alerts to bring to the attention of a security analyst.

Further contextual information is included in each candidate alert to help a security team make informed decisions about how to investigate the possible occurrence of data exfiltration.

The user has the ability to tune exceptions for which anomalous data transfer alerts are shown by going into Managed Detections. The user can tune exception rules for Anomalous Data Transfer with the following attributes: Organization, Certificate, and Source IP/Subnet. This allows for the analysts to focus on alerts that are well tailored to their organization’s environment.

Rapid7 Integration For AWS Verified Access

Post Syndicated from Aaron Sawitsky original https://blog.rapid7.com/2022/11/30/rapid7-integration-for-aws-verified-access/

Rapid7 Integration For AWS Verified Access

Today at re:invent, Amazon Web Services (AWS) unveiled its new AWS Verified Access service, and we are thrilled to announce that InsightIDR — Rapid7’s next-gen SIEM and XDR — will support log ingestion from this new service when it is made generally available.

What Is AWS Verified Access?

AWS Verified Access is a new service that allows AWS customers to simplify secure access to private applications running on AWS, without requiring the use of a VPN. Verified Access also lets customers easily implement Zero Trust policies for each application reached via the service. The data needed for these policies is provided by integrations between Verified Access and third-party solutions like IdPs and device management tools. For example:

  • Access to a low-risk application might be granted to any employee who is logged into the organization’s IdP solution
  • Access to a highly sensitive application might only be granted to employees who are logged into the organization’s IdP solution, are part of a specific team at the company, are accessing from a company-managed computer that is fully updated, and have an IP address coming from a country on an allowlist

For customers who already have IdP and device management solutions, Verified Access can integrate with many of these vendors, allowing the customer to use their existing provider to define policies while still getting the convenience of VPN-less access to their private applications through Verified Access.

Unlock a Complete Picture of Your Cloud Security with InsightIDR

Verified Access generates detailed logs for every authorization attempt. InsightIDR will be able to ingest these logs from AWS’s just-announced Amazon Security Lake. InsightIDR customers will be able to see ingress activity from Verified Access alongside ingress events from sources like AWS Identity Access Management (IAM), VPNs, productivity apps, and more — not to mention telemetry from their broader cloud and on-premises environments. Like all ingress activity logs sent to InsightIDR, logs from Verified Access will be able to be used to detect suspicious activity, as well as be brought into investigations to help establish a complete timeline and blast radius of an incident. In addition, customers will have the ability to create custom alerts off of Verified Access logs to further scrutinize and monitor access to sensitive applications.

InsightIDR’s support for Verified Access is just the latest capability to come out of our never-ending dedication to support our customers as they adopt the newest cloud technologies. To learn more about how InsightIDR helps organizations using AWS, click here.

InsightIDR Launches Integration With New AWS Security Data Lake Service

Post Syndicated from Aaron Sawitsky original https://blog.rapid7.com/2022/11/29/insightidr-launches-integration-with-new-aws-security-data-lake-service/

InsightIDR Launches Integration With New AWS Security Data Lake Service

It has been an action-packed day at AWS re:Invent. For security professionals, one of the most exciting announcements has to be the launch of Amazon Security Lake. We see a lot of potential for this new service, which is why Rapid7 is proud to announce the immediate availability of an integration between InsightIDR and Security Lake. Read on to learn more!

What Is Amazon Security Lake?

Amazon Security Lake gives AWS customers a security data lake that centralizes AWS and third-party security logs. What’s more, all data sent to Security Lake is formatted using the recently-launched OCSF standard. That means even if logs come from different services or different vendors, all logs for a given activity (e.g. all cloud activity logs, all network activity logs, etc.) will have the same format in Security Lake. This will make it easy for customers and their third-party vendors to make use of the data in Security Lake without first having to normalize data.

Another big feature in Security Lake is the granular control it offers. Customers can choose which users and third-party integrations can access which data sources and determine the duration of data that is available to each. For example, a customer might give their developers the ability to view CloudTrail data from the past five days so they can troubleshoot issues, but give InsightIDR the ability to view CloudTrail data from the past year.

InsightIDR’s Integration With Amazon Security Lake

InsightIDR’s new integration allows it to ingest log data from Security Lake. At the moment, InsightIDR will only ingest logs from AWS CloudTrail. Over time, we plan to add support for additional OCSF log types, which will allow customers to send data from multiple AWS and third-party services to InsightIDR through one Amazon Security Lake integration. This will give us the potential ability to immediately ingest and parse logs from any new third-party solution that gets introduced, as long as that solution can export its logs to Security Lake. Another customer benefit is that by consolidating the ingestion of multiple logs via Moose, onboarding and ongoing maintenance will be greatly reduced.

If you are an existing InsightIDR customer and want to take advantage of the new integration with Amazon Security Lake, instructions for setup are here.

Search Made Easy: InsightIDR’s Secret Weapon for Efficiency and Efficacy

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/11/22/search-made-easy-insightidrs-secret-weapon-for-efficiency-and-efficacy/

Search Made Easy: InsightIDR’s Secret Weapon for Efficiency and Efficacy

By Matt Heidet

Matt is a Senior Information Security Engineer at a Regional Financial Institution. He is a Customer and Guest Blogger for Rapid7

Have you ever groaned when divvying up incidents from a pen-test amongst an overworked team? Or maybe you’ve struggled to present how you adhere to multiple compliance frameworks to your board. As a Senior Information Security Engineer at a Regional Finance Institute, I’m all too familiar with the daily grind – too many threats, not nearly enough time. Fortunately, Rapid7’s InsightIDR has helped me and my team unify our data, verify the nature of threats, and uphold a security posture that we’re confident in.

InsightIDR has lots of features that have enabled my organization to identify and respond more easily to threats. In this blog post, I’m going to share some insight into my favorite – InsightIDR’s Log Search function.

Back to the Beginning: Why We Chose Rapid7

Choosing InsightIDR was a no-brainer for us. We tried two other products, but as soon as we finished the proof-of-concept with Rapid7, we went straight to purchase. There was no point in even testing the others, as InsightIDR provided us with the visibility and context necessary to keep our environment secure

If you already have InsightVM, Rapid7’s vulnerability management solution, it’s a pretty smooth transition to InsightIDR. As existing InsightVM users, we already had the Rapid7 Insight Agent deployed on our endpoints, which provided us with real-time endpoint monitoring for vulnerabilities. When we added InsightIDR to our environment, we were automatically covered on those same endpoints, without any need to set up anything additional.

We were able to get up and running and integrate with a number of Azure Event Hubs out of the gate (a centralized service from which to collect Azure data and logs). Only a few other tools would provide that same capability – but they wouldn’t fit into our existing environment the way that Rapid7 did.

When we first started using InsightIDR, my team wanted to bring in as much data to InsightIDR as we could to get a clear picture of what was happening in our environment. We knew we needed holistic visibility, but weren’t 100% on what we should be alerting on or necessarily looking for. Luckily, InsightIDR’s Log Search intuitively organized all of our data and helped us get a view of everything in one place, narrowing our focus and enabling us to really focus on high priority data.

InsightIDR removed the complexity of traditional Log Search. If you’re not sure where to start, just start with a simple search – a host name, a kind of attack, or an event. Then, based on your results, you can create a more advanced search by filtering, iterating, or narrowing down your simple searches. From there, you can start creating reports. Your reports can tell you (and you can then customize) how you should be watching an endpoint, how you should be alerted, and more.

Let’s Talk Outcomes

Now it’s time to do something with all this data! We were able to compare data from those sources to the email alerts that we got from Microsoft on Azure and easily generate a report based on the email events we were seeing from Microsoft. From there, we were able to generate custom detections.

One reason this was all so straightforward is that Rapid7’s powerful search language, Log Entry Query Language (LEQL – which allows you to construct queries that can extract the hidden insights within your logs), is easy to pick up. Even if you’re not a programmer or engineer, the structure and syntax of the language are accessible.

Once you get the first couple workflows ironed out, it’s easy to extrapolate to other ones. Once my team focused on this task we were able to come up with 45 custom detections over just three days!

Where Do I Go From Here?

Detections are your bread and butter, of course. But once you’re oriented to the dashboard, the language, and the basics of a workflow, the sky’s the limit. You can then customize your reports to your heart’s desire. My team currently has about 22 reports coming in daily, summarizing almost 100 custom detections that all stem from log search.

Rapid7’s alerting and reporting is hands down the best I’ve ever worked with. But it’s not just about volume – it’s also about versatility. We’re able to monitor all of our Cloud services – including Amazon, Azure, and Google – with ease. In the past, when using managed security providers, this wasn’t nearly as straightforward. We’re looking at InsightIDR’s pre-built Attacker Behavior Analytics (ABA) and User Behavior Analytics (UBA) detections with regularity, using a mix of both custom and pre-built “cards” (a visually appealing representation of data) in our InsightIDR dashboard.

Furthermore, it’s not just that you have options. The pre-built detections that InsightIDR ships out of the box boasts plenty of efficacy, resulting in unprecedented efficiency. The ability to have all of the data you need in one place – the equivalent of a “single pane of glass” – just can’t be overstated.

A SIEM With a Pen Tester’s Eye: How Offensive Security Helps Shape InsightIDR

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/10/14/a-siem-with-a-pen-testers-eye-how-offensive-security-helps-shape-insightidr/

A SIEM With a Pen Tester's Eye: How Offensive Security Helps Shape InsightIDR

To be great at something, you have to be a little obsessed. That’s true whether you want to be a chess grandmaster, become an internationally recognized CEO, or build the best cybersecurity platform on the planet.

At Rapid7, our laser-focus has always been trained on one thing: helping digital defenders spot and stop bad actors. From the start of our story, penetration testing — or pen testing, for short — has been one of the cornerstones of that obsession. The offensive security mindset influenced the way we built and designed InsightIDR, our cloud-native XDR and SIEM.

On the offensive

Before we ever released InsightIDR, there was Metasploit, an open-source pen testing framework. Originally developed by HD Moore, Metasploit allows offensive security teams to think like attackers and infiltrate their own organizations’ environments, pushing the boundaries to see where their systems are vulnerable. Those insights help the business identify the most serious issues to prioritize and patch, remediate, or mitigate.

Offensive security strategies provide a much-needed foundation for assessing your risk landscape and staying a step ahead of threats — but the task of building and operationalizing a security strategy doesn’t end there.

“The biggest misconception about pen testing that I hear repeatedly is, ‘We’re going to pen-test to test our response time or test our tools,'” says Jeffrey Gardner, Rapid7’s Practice Advisor for Detection and Response. “That’s not the purpose of a pen test.”

Pen testing is a critical step in understanding where and how your organization is vulnerable to attackers, and what kinds of activities within your environment might indicate a breach. This is essential information for setting up the detections that your security operations center (SOC) team needs in order to effectively safeguard your systems against intrusion — but they also need a tool that lets them set up those detections, so they can get alerts based on what matters most for your organization’s specific environment.

Pen testing itself isn’t that tool, nor does it test the effectiveness of the tools you have. Rather, pen testing looks for your weaknesses – and once they’re  found, looks for ways to exploit them, including using stolen credentials to move across the network.

Mapping how bad actors behave

That’s where the importance of having a security incident and event management (SIEM) solution built with offensive security in mind comes in — and that’s exactly what our years of experience helping organizations run pen tests and analyze their attack surface have allowed us to build. InsightIDR is a unified SIEM and XDR platform designed with a pen tester’s eye. And the key to that design is user and entity behavior analytics (UEBA).

See, the problem with detecting attackers in your network is that, to the human eye, they can look a lot like regular users. Once they’ve hacked a password or stolen login credentials through a phishing/scam attack, their activities can look relatively unremarkable — until, of course, they make the big move: a major escalation of privilege or some other vector that allows them to steal sensitive data or upend systems entirely.

It takes years of experience understanding how attackers behave once they penetrate networks — and the subtle ways those patterns differ from legitimate users — to be able to catch them in your environment. This is exactly the type of expertise that Rapid7 has been able to gain through 10+ years of in-the-trenches experience in penetration testing, executed through Metasploit. Everything we had learned about User and Entity Behavior Analytics (UEBA) went into  InsightIDR.

InsightIDR continuously baselines healthy user activity in the context of your specific organization. This way, the tool can spot suspicious activity fast — including lateral movement and the use of compromised credentials — and generate alerts so your team can respond swiftly. This detections-first approach means InsightIDR comes with a deep level of insight that’s based on years of studying the attacker, as well as an understanding of what alerts matter most to SOC teams.

Watch a free demo today to see InsightIDR’s attacker-spotting power in action.

What’s New in InsightIDR: Q3 2022 in Review

Post Syndicated from KJ McCann original https://blog.rapid7.com/2022/10/05/whats-new-in-insightidr-q3-2022-in-review/

What's New in InsightIDR: Q3 2022 in Review

This Q3 2022 recap post takes a look at some of the latest investments we’ve made to InsightIDR to drive detection and response forward for your organization.

360-degree XDR and attack surface coverage with Rapid7

The Rapid7 XDR suite — flagship InsightIDR, alongside InsightConnect (SOAR), and Threat Command (Threat Intel) — unifies detection and response coverage across both your internal and external attack surface. Customers detect threats earlier and respond more quickly,  shrinking the window for attackers to succeed.  

With Threat Command alerts now directly ingested into InsightIDR, receive a more holistic picture of your threat landscape, beyond the traditional network perimeter. By unifying these detections and related workflows together in one place, customers can:

  • Manage and tune external Threat Command detections from InsightIDR console
  • Investigate external threats alongside context and detections of their broader internal environment
  • Activate automated response workflows for Threat Command alerts – powered by InsightConnect – from InsightIDR to extinguish threats faster

Rapid7 products have helped us close the gap on detecting and resolving security incidents to the greatest effect. This has resulted in a safer environment for our workloads and has created a culture of secure business practices.

— Manager, Security or IT, Medium Enterprise Computer Software Company via Techvalidate

Eliminate manual tasks with expanded automation

Reduce mean time to respond (MTTR) to threats and increase confidence in your response actions with the expanded integration between InsightConnect and InsightIDR. Easily create and map InsightConnect workflows to any attack behavior analytics (ABA), user behavior analytics (UBA), or custom detection rule, so tailored response actions can be initiated as soon as an alert fires. Quarantine assets, enrich investigations with more evidence, kick off ticketing workflows, and more – all with just a click.

Preview the impact of exceptions on detection rules

Building on our intuitive detection tuning experience, it’s now easier to anticipate how exceptions will impact your alert volume. Preview exceptions in InsightIDR to confirm your logic to ensure that tuning will yield relevant, high fidelity alerts. Exception previews allow you to confidently refine the behavior of ABA detection rules for specific users, assets, IP addresses, and more to fit your unique environments and circumstances.

What's New in InsightIDR: Q3 2022 in Review

Streamline investigations and collaboration with comments and attachments

With teams more distributed than ever, the ability to collaborate virtually around investigations is paramount. Our overhauled notes system now empowers your team to create comments and upload/download rich attachments through Investigation Details in InsightIDR, as well as through the API. This new capability ensures your team has continuity, documentation, and all relevant information at their fingertips as different analysts collaborate on an investigation.

What's New in InsightIDR: Q3 2022 in Review
Quickly and easily add comments and upload and download attachments to add relevant context gathered from other tools and stay connected to your team during an investigation.

New vCenter deployment option for the Insight Network Sensor

As a security practitioner looking to minimize your attack surface, you need to know the types of data on your network and how much of it is moving: two critical areas that could indicate malicious activity in your environment.

With our new vCenter deployment option, you can now use distributed port mirroring to monitor internal east-west traffic and traffic across multiple ESX servers using just a single virtual Insight Network Sensor. When using the vCenter deployment method, choose the GRETAP option via the sensor management page.

First annual VeloCON brings DFIR experts from around the globe together

Rapid7 brought DFIR experts and enthusiasts from around the world together this September to share experiences in using and developing Velociraptor to address the needs of the wider DFIR community.

What's New in InsightIDR: Q3 2022 in Review

Velociraptor’s unique, advanced open-source endpoint monitoring, digital forensic, and cyber response platform provides you with the ability to respond more effectively to a wide range of digital forensic and cyber incident response investigations and data breaches.

Watch VeloCON on-demand to see security experts delve into new ideas, workflows, and features that will take Velociraptor to the next level of endpoint management, detection, and response.

A growing library of actionable detections

In Q3, we added 385 new ABA detection rules to InsightIDR. See them in-product or visit the Detection Library for actionable descriptions and recommendations.

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

How to Deploy a SIEM That Actually Works

Post Syndicated from Robert Holzer original https://blog.rapid7.com/2022/09/27/how-to-deploy-a-siem-that-actually-works/

I deployed my SIEM in days, not months – here’s how you can too

How to Deploy a SIEM That Actually Works

As an IT administrator at a highly digitized manufacturing company, I spent many sleepless nights with no visibility into the activity and security of our environment before deploying a security information and event management (SIEM) solution. At the company I work for, Schlotterer Sonnenschutz Systeme GmbH, we have a lot of manufacturing machines that rely on internet access and external companies that remotely connect to our company’s environment – and I couldn’t see any of it happening. One of my biggest priorities was to source and implement state-of-the-art security solutions – beginning with a SIEM tool.

I asked colleagues and partners in the IT sector about their experience with deploying and leveraging SIEM technology. The majority of the feedback I received was that deploying a SIEM was a lengthy and difficult process. Then, once stood up, SIEMs were often missing information or difficult to pull actionable data from.

The feedback did not instill much confidence – particularly as this would be the first time I personally had deployed a SIEM. I was prepared for a long deployment road ahead, with the risk of shelfware looming over us. However, to my surprise, after identifying Rapid7’s InsightIDR as our chosen solution, the process was manageable and efficient, and we began receiving value just days after deployment. Rapid7 is clearly an outlier in this space: able to deliver an intuitive and accelerated onboarding experience while still driving actionable insights and sophisticated security results.

3 key steps for successful SIEM deployment

Based on my experience, our team identified three critical steps that must be taken in order to have a successful SIEM deployment:

  1. Identifying core event sources and assets you intend to onboard before deployment
  2. Collecting and correlating relevant and actionable security telemetry to form a holistic and accurate view of your environment while driving reliable early threat detection (not noise)
  3. Putting data to work in your SIEM so you can begin visualizing and analyzing to validate the success of your deployment

1. Identify core event sources and assets to onboard

Before deploying a SIEM, gather as much information as possible about your environment so you can easily begin the deployment process. Rapid7 provided easy-to-understand help documentation all throughout our deployment process in order to set us up for success. The instructions were highly detailed and easy to understand, making the setup quick and painless. Additionally, they provide a wide selection of pre-built event sources out-of-the-box, simplifying my experience. Within hours, I had all the information I needed in front of me.

Based on Rapid7’s recommendations, we set up what is referred to as the six core event sources:

  • Active Directory (AD)
  • Protocol (LDAP) server
  • Dynamic Host Configuration Protocol (DHCP) event logs
  • Domain Name System (DNS)
  • Virtual Private Network (VPN)
  • Firewall

Creating these event sources will get the most information flowing through your SIEM and if your solution has user behavior entity analytics (UEBA) capabilities like InsightIDR. Getting all the data in quickly begins the baselining process so you can identify anomalies and potential user and insider threats down the road.

2. Collecting and correlating relevant and actionable security telemetry

When deployed and configured properly, a good SIEM will unify your security telemetry into a single cohesive picture. When done ineffectively, a SIEM can create an endless maze of noise and alerts. Striking a balance of ingesting the right security telemetry and threat intelligence to drive meaningful, actionable threat detections is critical to effective detection, investigation, and response. A great solution harmonizes otherwise disparate sources to give a cohesive view of the environment and malicious activity.

InsightIDR came with a native endpoint agent, network sensor, and a host of integrations to make this process much easier. To provide some context, at Schlotterer Sonnenschutz Systeme GmbH, we have a large number of mobile devices, laptops, surface devices, and other endpoints that exist outside the company. The combined Insight Network Sensor and Insight Agent monitor our environment beyond the physical borders of our IT for complete visibility across offices, remote employees, virtual devices, and more.

Personally, when it comes to installing any agent, I prefer to take a step-by-step approach to reduce any potential negative effects the agent might have on endpoints. With InsightIDR, I easily deployed the Insight Agent on my own computer; then, I pushed it to an additional group of computers. The Rapid7 Agent’s lightweight software deployment is easy on our infrastructure. It took me no time to deploy it confidently to all our endpoints.

With data effectively ingested, we prepared to turn our attention to threat detection. Traditional SIEMs we had explored left much of the detection content creation to us to configure and manage – significantly swelling the scope of deployment and day-to-day operations. However, Rapid7 comes with an expansive managed library of curated detections out of the box – eliminating the need for upfront customizing and configuring and giving us coverage immediately. The Rapid7 detections are vetted by their in-house MDR SOC, which means they don’t create too much noise, and I had to do little to no tuning so that they aligned with my environment.

3. Putting your data to work in your SIEM

For our resource-constrained team, ensuring that we had relevant dashboarding and reports to track critical systems, activity across our network, and support audits and regulatory requirements was always a big focus. From talking to my peers, we were weary of building dashboards that would require our team to take on complicated query writing to create sophisticated visuals and reports. The prebuilt dashboards included within InsightIDR were again a huge time-saver for our team and helped us mobilize around sophisticated security reporting out of the gate. For example, I am using InsightIDR’s Active Directory Admin Actions dashboard to identify:

  • What accounts were created in the past 24 hours?
  • What accounts were deleted in the past 24 hours?
  • What accounts changed their password?
  • Who was added as a domain administrator?

Because the dashboards are already built into the system, it takes me just a few minutes to see the information I need to see and export that data to an interactive HTML report I can provide to my stakeholders. When deploying your own SIEM, I recommend really digging into the visualization options, seeing what it will take to build your own cards, and exploring any available prebuilt content to understand how long it may take you to begin seeing actionable data.  

I now have knowledge about my environment. I know what happens. I know for sure that if there is anything malicious or suspicious in my environment, Rapid7, the Insight Agent, or any of the sources we have integrated to InsightIDR will catch it, and I can take action right away.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Rapid7 Makes Security Compliance Complexity a Thing of the Past With InsightIDR

Post Syndicated from KJ McCann original https://blog.rapid7.com/2022/08/30/rapid7-makes-security-compliance-complexity-a-thing-of-the-past-with-insightidr/

Rapid7 Makes Security Compliance Complexity a Thing of the Past With InsightIDR

As a unified SIEM and XDR solution, InsightIDR gives organizations the tools they need to drive an elevated and efficient compliance program.

Cybersecurity standards and compliance are mission-critical for every organization, regardless of size. Apart from the direct losses resulting from a data breach, non-compliant companies could face hefty fees, loss of business, and even jail time under growing regulations. However, managing and maintaining compliance, preparing for audits, and building necessary reports can be a full-time job, which might not be in the budget. For already-lean teams, compliance can also distract from more critical security priorities like monitoring threats, early threat detection, and accelerated response – exposing organizations to greater risk.

An efficient compliance strategy reduces risk, ensures that your team is always audit-ready, and – most importantly – drives focus on more critical security work. With InsightIDR, security practitioners can quickly meet their compliance and regulatory requirements while accelerating their overall detection and response program.

Here are three ways InsightIDR has been built to elevate and simplify your compliance processes.

1. Powerful log management capabilities for full environment visibility and compliance readiness

Complete environment visibility and security log collection are critical for compliance purposes, as well as for providing a foundation of effective monitoring and threat detection. Enterprises need to monitor user activity, behavior, and application access across their entire environment — from the cloud to on-premises services. The adoption of cloud services continues to increase, creating even more potential access points for teams to keep up with.

InsightIDR’s strong log management capabilities provide full visibility into these potential threats, as well as enable robust compliance reporting by:

  • Centralizing and aggregating all security-relevant events, making them available for use in monitoring, alerting, investigation, ad hoc searching
  • Providing the ability to search for data quickly, create data models and pivots, save searches and pivots as reports, configure alerts, and create dashboards
  • Retaining all log data for 13 months for all InsightIDR customers, enabling the correlation of data over time and meeting compliance mandates.
  • Automatically mapping data to compliance controls, allowing analysts to create comprehensive dashboards and reports with just a few clicks

To take it a step further, InsightIDR’s intuitive user interface streamlines searches while eliminating the need for IT administrators to master a search language. The out-of-the-box correlation searches can be invoked in real time or scheduled to run regularly at a specific time should the need arise for compliance audits and reporting, updated dashboards, and more.

2. Predefined compliance reports and dashboards to keep you organized and consistent

Pre-built compliance content in InsightIDR enables teams to create robust reports without investing countless hours manually building and correlating data to provide information on the organization’s compliance posture. With the pre-built reports and dashboards, you can:

  • Automatically map data to compliance controls
  • Save filters and searches, then duplicate them across dashboards
  • Create, share, and customize reports right from the dashboard
  • Make reports available in multiple formats like PDF or interactive HTML files

InsightIDR’s library of pre-built dashboards makes it easier than ever to visualize your data within the context of common frameworks. Entire dashboards created by our Rapid7 experts can be set up in just a few clicks. Our dashboards cover a variety of key compliance frameworks like PCI, ISO 27001, HIPAA, and more.

Rapid7 Makes Security Compliance Complexity a Thing of the Past With InsightIDR

3. Unified and correlated data points to provide meaningful insights

With strong log management capabilities providing a foundation for your security posture, the ability to correlate the resulting data and look for unusual behavior, system anomalies, and other indicators of a security incident is key. This information is used not only for real-time event notification but also for compliance audits and reporting, performance dashboards, historical trend analysis, and post-hoc incident forensics.

Privileged users are often the targets of attacks, and when compromised, they typically do the most damage. That’s why it’s critical to extend monitoring to these users. In fact, because of the risk involved, privileged user monitoring is a common requirement for compliance reporting in many regulated industries.

InsightIDR provides a constantly curated library of detections that span user behavior analytics, endpoints, file integrity monitoring, network traffic analysis, and cloud threat detection and response – supported by our own native endpoint agent, network sensor, and collection software. User authentications, locational data, and asset activity are baselined to identify anomalous privilege escalations, lateral movement, and compromised credentials. Customers can also connect their existing Privileged Access Management tools (like CyberArk Vault or Varonis DatAdvantage) to get a more unified view of privileged user monitoring with a single interface.

Meet compliance standards while accelerating your detection and response

We know compliance is not the only thing a security operations center (SOC) has to worry about. InsightIDR can ensure that your most critical compliance requirements are met quickly and confidently. Once you have an efficient compliance process, the team will be able to focus their time and effort on staying ahead of emergent threats and remediating attacks quickly, reducing risk to the business.

What could you do with the time back?

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Cybersecurity Analysts: Job Stress Is Bad, but Boredom Is Kryptonite

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/08/24/cybersecurity-analysts-job-stress-is-bad-but-boredom-is-kryptonite/

Cybersecurity Analysts: Job Stress Is Bad, but Boredom Is Kryptonite

Years ago, “airline pilot” used to be a high-stress profession. Imagine being in personal control of equipment worth millions hurtling through the sky on an irregular schedule with the lives of all the passengers in your hands.

But today on any given flight, autopilot is engaged almost 90% of the time. (The FAA requires it on long-haul flights or anytime the aircraft is over 28,000 feet.) There are vast stretches of time where the problem isn’t stress – it’s highly trained, intelligent people just waiting to perhaps be needed if something goes wrong.

Of course, automation has made air travel much safer. But over-reliance on it is now considered an emerging risk for pilots. The concerns? Loss of situational awareness, and difficulty taking over quickly and deftly when something fails. FAA scientist Kathy Abbott believes automation has made pilot error more likely if they “abdicate too much responsibility to the automated systems.” This year, the FAA rewrote its guidance, now encouraging pilots to spend more time actually flying and keeping their skills sharp.

What you want at any job is “flow”

Repetitive tasks can be a big part of a cybersecurity analyst’s day. But when you combine monotony (which often leads to boredom) with the need for attentiveness, it’s kryptonite. One neuroscientific study proved chronic boredom affects “judgment, goal-directed planning, risk assessment, attention focus, distraction suppression, and intentional control over emotional responses.”

The goal is total and happy immersion in a task that challenges you but is within your abilities. When you have that, you’re “in the zone.” And you’re not even tempted to multi-task (which isn’t really a thing).

Combine InsightConnect and InsightIDR, and you can find yourself “in the zone” for incident response:

  • Response playbooks are automatically triggered from InsightIDR investigations and alerts.
  • Alerts are prioritized, and false alerts are wiped away.
  • Alerts and investigations are automatically enriched: no more manually checking IP’s, DNS names, hashes, etc.
  • Pathways to PagerDuty, Slack, Microsoft Teams, JIRA, and ServiceNow are already set up for you and tickets are created automatically for alerts.

According to Rapid7‘s Detection and Response Practice Advisor Jeffrey Gardner, the coolest example of InsightIDR’s automaticity is its baselining capability.

“Humans are built to notice patterns, but we can only process so much so quickly,” Gardner says. “Machine learning lets us take in infinitely more data than a human would ever be able to process and find interesting or anomalous activity that would otherwise be missed.” InsightIDR can look at user/system activity and immediately notify you when things appear awry.

The robots are not coming for your job – surely not yours. But humans and machines are already collaborating, and we need to be very thoughtful about exactly, precisely how.

Like inattentive commercial pilots, Tesla drivers using Autopilot don’t much look at the road even though they’re required to, and they remain wholly responsible for everything the vehicle does. Teslas are also being hacked, started, and driven off.  A 19-year-old took 25 Teslas. We’re designing our jobs – and life on earth, too.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

360-Degree XDR and Attack Surface Coverage With Rapid7

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/08/18/360-degree-xdr-and-attack-surface-coverage-with-rapid7/

360-Degree XDR and Attack Surface Coverage With Rapid7

Today’s already resource-constrained security teams are tasked with protecting more as environments sprawl and alerts pile up, while attackers continue to get stealthier and add to their arsenal. To be successful against bad actors, security teams need to be proactive against evolving attacks in their earliest stages and ready to detect and respond to advanced threats that make it past defenses (because they will).

Eliminate blindspots and extinguish threats earlier and faster

Rapid7’s external threat intelligence solution, Threat Command, reduces the noise of numerous threat feeds and external sources, and prioritizes and alerts on the most relevant threats to your organization. When used alongside InsightIDR, Rapid7’s next-gen SIEM and XDR, and InsightConnect, Rapid7’s SOAR solution, you’ll unlock a complete view of your internal and external attack surface with unmatched signal to noise.

Leverage InsightIDR, Threat Command, and InsightConnect to:

  • Gain 360-degree visibility with expanded coverage beyond the traditional network perimeter thanks to Threat Command alerts being ingested into InsightIDR, giving you a more holistic picture of your threat landscape.
  • Proactively thwart attack plans with Threat Command alerts that identify active threats from across your attack surface.
  • Find and eliminate threats faster when you correlate and investigate Threat Command alerts with InsightIDR’s rich investigative capabilities.
  • Automate your response by attaching an InsightConnect workflow to take action as soon as a detection or a Threat Command alert surfaces in InsightIDR.
360-Degree XDR and Attack Surface Coverage With Rapid7
Threat Command alerts alongside InsightIDR Detection Rules

Stronger signal to noise with Threat Command Threat Library

The power of InsightIDR and Threat Command doesn’t end there. We added another layer to our threat intelligence earlier this year when we integrated Threat Command’s Threat Library into InsightIDR to give more visibility into new indicators of compromise (IOCs) and continued strength around signal to noise.

All IOCs related to threat actors tracked in Threat Command are automatically applied to customer data sent to InsightIDR, which means you automatically get current and future coverage as new IOCs are found by the research team. Alongside InsightIDR’s variety of detection types — User Behavior Analytics (UBA), Attacker Behavior Analytics (ABA), and custom detections — you’re covered against all infiltrations, from lateral movement to unique attacker behaviors and everything in between. The impact? Your team is never behind on emerging threats to your organization.

Faster, more efficient responses with InsightConnect

Strong signal to noise is taken a step further with automation, so teams can not only identify threats quickly but respond immediately. The expanded integration between InsightConnect and InsightIDR allows you to respond to any alert being generated in your environment. With this, you can easily create and map InsightConnect workflows to any ABA, UBA, or custom detection rule, so tailored response actions can be initiated as soon as there is a new detection.

See something suspicious that didn’t trip a detection? You can invoke on-demand automation with integrated Quick Actions from any page in InsightIDR.

360-Degree XDR and Attack Surface Coverage With Rapid7
Mapping of InsightConnect workflows to an ABA alert in InsightIDR

Sophisticated XDR without any headaches

With Rapid7, you’ll achieve sophisticated detection and response outcomes with greater efficiency and efficacy — no matter where you and your team are on your security journey. Stay up to date on the latest from InsightIDR, Threat Command, and InsightConnect as we continue to up-level our cross-product integrations to bring you the most comprehensive XDR solution.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Rapid7 at AWS re:Inforce: 2 Big Announcements

Post Syndicated from Aaron Sawitsky original https://blog.rapid7.com/2022/07/26/rapid7-at-aws-re-inforce-2-big-announcements/

Rapid7 at AWS re:Inforce: 2 Big Announcements

This year’s AWS re:Inforce conference in Boston has been jam-packed with thrilling speakers, deep insights on all things cloud, and some much-needed in-person collaboration from all walks of the technology community. It also coincides with some exciting announcements from AWS — and we’re honored to be a part of two of them. Here’s a look at how Rapid7 is building on our existing partnership with Amazon Web Services to help organizations securely advance in today’s cloud-native business landscape.

InsightIDR awarded AWS Security Competency

For seven years, AWS has issued security competencies to partners who have a proven track record of helping customers secure their AWS environments. Today at re:Inforce, AWS re-launched their Security Competency program, so that it better aligns with customers’ constantly evolving security challenges. Rapid7 is proud to be included in this re-launch, having obtained a security competency under the new criteria for its InsightIDR solution in the Threat Detection and Response category. This is Rapid7’s second AWS security competency and fourth AWS competency.

This designation recognizes that InsightIDR has demonstrated and successfully met AWS’s technical and quality requirements for providing customers with a deep level of software expertise in security incident and event management (SIEM), helping them achieve their cloud security goals.

InsightIDR integrates with a number of AWS services, including CloudTrail, GuardDuty, S3, VPC Traffic Mirroring, and SQS. InsightIDR’s UEBA feature includes dedicated AWS detections. The Insight Agent can be installed on EC2 instances for continuous monitoring. InsightIDR also features an out-of-the-box honeypot purpose-built for AWS environments. Taken together, these integrations and features give AWS customers the threat detection and response capabilities they need, all in a SaaS solution that can be deployed in a matter of weeks.

Adding another competency to Rapid7’s repertoire reaffirms our commitment to giving organizations the tools they need to innovate securely in a cloud-first world.

Rapid7 named a launch partner for AWS GuardDuty Malware Protection

Malware Protection is the new malware detection capability AWS has added to their GuardDuty service — and we’re honored to join them as a launch partner, with two products that support this new GuardDuty functionality.

GuardDuty is AWS’s threat detection service. It monitors AWS environments for suspicious behavior. Malware Protection introduces a new type of detection capability to GuardDuty. When GuardDuty fires an alert that’s related to an Amazon Elastic Cloud Compute (EC2) instance or a container running on EC2, Malware Protection will automatically run a scan on the instance in question and detect malware using machine learning and threat intelligence. When trojans, worms, rootkits, crypto miners, or other forms of malware are detected, they appear as new findings in GuardDuty, so security teams can take the right remediation actions.

Rapid7 customers can ingest GuardDuty findings (including the new malware detections) into InsightIDR and InsightCloudSec. In InsightIDR, each type of GuardDuty finding can be treated as a notable behavior or as an alert which will automatically trigger a new investigation. This allows security teams to know the instant suspicious activity is detected in their AWS environment and react accordingly. Should an investigation be triggered, teams can use InsightIDR’s native automation capabilities to enrich the data from GuardDuty, quarantine a user, and more. In the case where GuardDuty detects malware, teams can pull additional data from the Insight agent and even terminate malicious processes. In addition, customers can use InsightIDR’s Dashboards capability to keep an eye on GuardDuty and spot trends in the findings.

InsightCloudSec customers can likewise build automated bots that automatically react to GuardDuty findings. When GuardDuty has detected malware, a customer might configure a bot that terminates the infected instance. Alternatively, a customer might choose to reconfigure the instance’s security group to effectively isolate it while the team investigates. The options are practically endless.

Rapid7 and AWS continue to deepen partnership to protect your cloud workloads

AWS re:Inforce 2022 provides a welcome opportunity for the community to come together and share insights about managing and securing cloud environments, and we can’t think of better timing to announce these two areas of partnership with AWS. Click here to learn more about what we’re up to at this year’s AWS re:Inforce conference in Boston.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Simplify SIEM Optimization With InsightIDR

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/07/22/simplify-siem-optimization-with-insightidr/

Two key ways InsightIDR helps customers tailor reporting, detection, and response — without any headaches

Simplify SIEM Optimization With InsightIDR

For far too many years, security teams have accepted that with a SIEM comes compromise. You could have highly tailored and custom rule sets, but it meant endless amounts of tuning and configuration to create and manage them. You could have pre-built content, but that meant rigidity and noise. You could have all the dashboard bells and whistles, but that meant finding the unicorn that knew how to navigate them. Too many defenders have carried this slog, accepting this traditional SIEM reality as “it is what it is.” No more!

It’s possible to have it all — an intuitive interface and sophisticated tuning and customization

With InsightIDR, Rapid7’s leading SIEM and XDR, you can have the best of both worlds — an easy-to-use tool that’s also incredibly sophisticated. InsightIDR makes it easy and intuitive to tune your detections (without heavy script-writing or configuration required). When it comes to viewing your environment’s data and sharing key metrics, our Dashboard Library and reports are readily available and highly customizable for your unique needs.

Filter out the noise with fine-tuned alerts

Every time an analyst creates an alert it takes work. At Rapid7, we want to save you time and advance your security posture — which is where our Detections Library comes in. Curated and managed by our MDR SOC team, you can rest assured that you’ll only be alerted to behaviors that are worthy of human review so that you can make the most out of your limited time and focus on the threats that really matter.

While we focus on creating a curated, high-fidelity library of detections, we know each environment has its unique challenges — which is why our attacker behavior analytics (ABA) detections are robustly tuneable. You can also get more granular with your tuning and take the following actions:

  • Create custom alerts when your organization calls for niche detections.
  • Customize UBA directions so you’re in control of which you have turned on to align your alerting with your environment.
  • Modify ABA detections by changing the rule action, modifying its priority, and adding exceptions to the rule.
  • Stay on top of potential noise with Relative Activity, a new score for ABA detection rules that analyzes and identifies detection rules that might cause frequent investigations or notable events if switched on, as well as determines which rules may benefit from tuning, either by changing the Rule Action or adding exceptions.

Customize dashboards and reports to best suit your team

With InsightIDR, teams have access to over 45 (and counting) dashboards out of the box — from compliance dashboards for frameworks like HIPAA or ISO to Active Directory Admin Activity — to help your team focus on driving faster decision-making.

Analysts can also leverage this pre-built content as a springboard for customizing their own reports. InsightIDR provides multiple query modes and methods for creating data visualizations — so whether you are more comfortable with loose keyword search, working in our intuitive query language, or simply clicking on charts to narrow down results — every analyst can operate as an expert, regardless of their prior SIEM experience.

Simplify SIEM Optimization With InsightIDR
Easily edit dashboard card properties

InsightIDR also makes it easy to share findings and important metrics with anyone in your organization — send an interactive HTML or PDF report of any dashboard with the click of a button.

Simplify SIEM Optimization With InsightIDR
Create HTML reports in InsightIDR

Check out the other ways InsightIDR can help drive successful detection and response for your team here.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Gimme! Gimme! Gimme! (More Data): What Security Pros Are Saying

Post Syndicated from Dina Durutlic original https://blog.rapid7.com/2022/07/19/gimme-gimme-gimme-more-data-what-security-pros-are-saying/

Gimme! Gimme! Gimme! (More Data): What Security Pros Are Saying

Eight in 10 organizations collect, process, and analyze security operations data from more than 10 sources, ESG identified in a new ebook SOC Modernization and the Role of XDR, sponsored by Rapid7. Security professionals believe that the most important sources are endpoint security data (24%), threat intelligence feeds (21%), security device logs (20%), cloud posture management data (20%), and network flow logs (18%).

While this seems like a lot of data, survey respondents actually want to use more data for security operations in order to keep up with the proliferation of the attack surface. This expansion is driving the need for scalable, high-performance, cloud-based back-end data repositories.

More data, more noise

Organizations are increasingly investing in technology to achieve executive goals and deliver on digital transformation strategies – every company is becoming a software company in order to remain competitive and support the new work normal.

With more technology comes greater potential for vulnerabilities and threats. Security operations center (SOC) analysts are an organization’s first line of defense. In order to effectively stay ahead of potential threats and attacks, security teams rely on vast amounts of data to get an overview of the organization and ensure protection of any vulnerabilities or threats.

However, it’s nearly impossible for organizations to prioritize and mitigate hundreds of risks effectively – and not just due to the skilled resource and knowledge shortage. Security teams need to filter through the noise and identify the right data to act on.

“In security, what we don’t look at, don’t listen to, don’t evaluate, and don’t act upon may actually be more important than what we do,” Joshua Goldfarb recently wrote in Dark Reading.

Focus on what matters with stronger signal-to-noise

Though SOC analysts are adept at collecting vast amounts of security data, they face a multitude of challenges in discerning the most severe, imminent threats and responding to them in an effective, timely manner. These teams are inundated with low-fidelity data and bogged down with repetitive tasks dealing with false positives. In order to reduce the noise, security professionals need a good signal-to-noise ratio. They need high-fidelity intelligence, actionable insight, and contextual data to quickly identify and respond to threats.

With Rapid7, organizations can ensure visibility for their security teams, eliminating blindspots and extinguishing threats earlier and faster. InsightIDR, Rapid7’s cloud-native SIEM and XDR, provides SOC analysts with comprehensive detection and response.

With InsightIDR, security professionals can leverage complete coverage with a native endpoint agent, network sensors, collectors, and APIs. Teams can go beyond unifying data to correlate, attribute, and enrich diverse datasets into a single harmonious picture.

  • Detailed events and investigations Track users and assets as they move around the network, auto-enriching every log line.
  • Correlation across diverse telemetry – Single investigation timeline for each alert, and all the details of an attack in one place.
  • Expert response recommendations – Alerts come with recommended actions from Rapid7’s global MDR SOC and Velociraptor’s digital forensics and incident response playbooks.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightIDR: Q2 2022 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/07/06/whats-new-in-insightidr-q2-2022-in-review/

What's New in InsightIDR: Q2 2022 in Review

This Q2 2022 recap post takes a look at some of the latest investments we’ve made to InsightIDR to drive detection and response forward for your organization.

New interactive HTML reports

InsightIDR’s new HTML reports incorporate the interactive features you know and love from our dashboards delivered straight to your inbox. The HTML report file is sent as an email attachment and allows you to scroll through tables, drill in and out of cards, and sort tables in the same way you would explore dashboards.

What's New in InsightIDR: Q2 2022 in Review

Increased visibility into malware activity

Traditional intrusion detection systems (IDS) can be noisy. Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team has carefully analyzed thousands of IDS events to curate a list of only the most critical and actionable events. We’ve recently expanded our library to include over 4,500 curated IDS detection rules to help customers detect activity associated with thousands of common pieces of malware.

Catch data exfiltration attempts with Anomalous Data Transfer

Anomalous Data Transfer (ADT) is a new Attacker Behavior Analytics (ABA) detection rule that uses the Insight Network Sensor to identify large transfers of data sent by assets on a network. ADT outputs data exfiltration alerts which make it easier for you to monitor transfer activity and identify unusual behavior to stay ahead of threats. These new detections are available for select InsightIDR packages — see more details here in our documentation.

What's New in InsightIDR: Q2 2022 in Review

Build stronger integrations and quickly triage investigations with new InsightIDR APIs

Investigation management APIs

Our new APIs allow you to extract more extensive data from within your investigation and use it to integrate with third-party tools, or build automation workflows to help you save time analyzing and closing investigations. View our documentation to learn more.

  • Update one or more Investigation fields through a single API call
  • Retrieve a sortable list of Investigations
  • Search Investigations
  • Create a Manual Investigation

User, accounts, and asset APIs

We are excited to release new APIs to allow you to programmatically interface with InsightIDR users, accounts, local accounts, and assets. You can use these APIs to configure new automations that further contextualize alerts generated by InsightIDR or third-party tools and help you to create more actionable views of alert data.

Relative Activity: A new way to analyze detection rules

We’ve introduced a new score called Relative Activity to ABA detection rules that analyzes how often the Rule Logic matches data in your environment based on certain parameters. The Relative Activity score is calculated over a rolling 24-hour period and can help you:

  • Identify detection rules that might cause frequent investigations or notable events if switched on
  • Determine which rules may benefit from tuning, either by changing the Rule Action or adding exceptions
What's New in InsightIDR: Q2 2022 in Review
New Relative Activity score for detection rules

Log Search improvements

Enrich Log Search results with new Quick Actions: Earlier this year InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button. We’ve recently released new Quick Actions to enable pre-configured actions within InsightIDR’s Log Search for InsightIDR Ultimate and InsightIDR legacy customers. Quick Actions are available for select InsightIDR packages, see more details here in our documentation.

  • Use AWS S3 as a collection method for custom logs: Now customers have the choice to use either Cisco Umbrella or AWS S3 as a collection method when setting up custom logs. Alongside this update, we’ve also refactored the data source to make it more resilient and effective.

A growing library of actionable detections

In Q2, we added 290 new ABA detection rules to InsightIDR. See them in-product or visit the Detection Library for actionable descriptions and recommendations.

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Two Rapid7 Solutions Take Top Honors at SC Awards Europe

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/06/23/two-rapid7-solutions-take-top-honors-at-sc-awards-europe/

Two Rapid7 Solutions Take Top Honors at SC Awards Europe

LONDON—We are pleased to announce that two Rapid7 solutions were recognized on Tuesday, June 21, at the prestigious SC Awards Europe, which were presented at the London Marriott, Grosvenor Square. InsightIDR took the top spot in the Best SIEM Solution category, and Threat Command brought home the award for Best Threat Intelligence Technology for the second year in a row.

The SC Awards Europe recognize and reward products and services that stand out from the crowd and exceed customer expectations. This year’s awards, which come at a time of rapid digital transformation and technology innovation, were assessed by a panel of highly experienced judges from a variety of industries. SC Media UK, which hosts the awards, is a leading information resource for cybersecurity professionals across Europe.

InsightIDR named “Best SIEM”

Security practitioners are using Rapid7 InsightIDR to address the challenges most everyone shares: Digital transformation is driving constant change, the attack surface continues to sprawl, and the skills gap drags on.

Traditional security information and event management (SIEM) solutions put the burden of heavy rule configuration, detection telemetry integration, dashboard and reporting content curation, and incident response on the customer. But industry-leading InsightIDR has always been different. It ties together disparate data from across a customer’s environment, including user activity, logs, cloud, endpoints, network traffic, and more into one place, ending tab-hopping and multi-tasking. Security teams get curated out-of-the box detections, high-context actionable insights, and built-in automation.

With easy SaaS deployment and lightning fast time-to-value, 72% of users report greatly improved team efficiency, 71% report accelerated detection of compromised assets, and most report reducing time to address an incident by 25-50%.  

Threat Command named “Best Threat Intelligence Technology”

Rapid7 Threat Command is an external threat protection solution that proactively monitors thousands of sources across the clear, deep, and dark web. It enables security practitioners to anticipate threats, mitigate business risk, increase efficiency, and make informed decisions.

Threat Command delivers industry-leading AI/ML threat intelligence technology along with expert human intelligence analysis to continuously discover threats and map intelligence to organizations’ digital assets and vulnerabilities. This includes:

  • Patented technology and techniques for the detection, removal, and/or blocking of malicious threats
  • Dark web monitoring from analysts with unique access to invitation-only hacker forums and criminal marketplaces
  • The industry’s only 24/7/365 intelligence support from experts for deeper investigation into critical alerts
  • Single-click remediation including takedowns, facilitated by our in-house team of experts

100% of Threat Command users surveyed said the tool delivered faster time to value than other threat intelligence solutions they’d used, and 85% said adopting Threat Command improved their detection and response capabilities.

InsightIDR + Threat Command

Using InsightIDR and Threat Command together can further increase security teams’ efficiency and reduce risk. Users get a 360-degree view of internal and external threats, enabling them to avert attacks, accelerate investigations with comprehensive threat context, and flag the most relevant information — minimizing the time it takes to respond. With InsightIDR and Threat Command, customers are able to more effectively and efficiently see relevant threat data across their attack surface and quickly pivot to take immediate action – in the earliest stages of attack, even before a threat has fully evolved.

Learn more about how InsightIDR and Threat Command can fit into your organization’s security strategy.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

The Average SIEM Deployment Takes 6 Months. Don’t Be Average.

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/06/02/the-average-siem-deployment-takes-6-months-dont-be-average/

The Average SIEM Deployment Takes 6 Months. Don’t Be Average.

If you’re part of the huge growth in demand for cloud-based SIEM (Security Information and Event Management), claim your copy of the new Gartner® Report: “How to Deploy a SIEM Solution Successfully.”

Depending on what SIEM you choose, and how you approach the process, getting to operational and effective can take days, or months, or a lot longer.

Here are the Gartner report’s key findings:

  1. “Ineffective security information and event management (SIEM) deployments occur when requirements and use cases are not aligned with the organization’s risks and risk tolerance.”
  2. “Clients deploying SIEM solutions continue to take an unstructured approach when deciding which event and data sources to onboard, with the goal of getting every source in from the beginning. This leads to long and complex implementations, cost overruns, and higher probabilities of stalled or failed implementations.”
  3. “SIEM buyers struggle to choose between on-premises, cloud, or hybrid deployments due to the complexities created by the various environments that need to be monitored, e.g., on-premises, SaaS, cloud infrastructure and platform services (CIPS), remote workers.”

SIEM centralizes and visualizes your security data to help you identify anomalies in your environment. But nearly all SIEMs require you to do a ton of customizing and configuration. Nearly all disappoint with their detections. And nearly all will exhaust you with false-positive alerts… every hour of every day… until analysts start ignoring alerts, which will surely doom you someday.

Now, here’s what we think

Rapid7 began building InsightIDR nearly a decade ago. While the threat landscape keeps changing, our mission never has: to empower you to find and extinguish evil earlier, faster, easier.

InsightIDR has never been a traditional SIEM. You should consider it if:

Fast deployment is a priority to you. InsightIDR leads the SIEM market in deployment times. With SaaS delivery and a native cloud foundation, customers can be deployed and operational in days and weeks – not months and years.

Time-to-value and tangible ROI matter to your leadership team. InsightIDR combines the best of next-gen SIEM with native extended detection and response (XDR). Get highly correlated UEBA, EDR, NDR, and Cloud detections alongside your critical security logs and policy monitoring, compliance dashboards, and reporting in a single pane of glass.

Your team is tired of false positives. InsightIDR’s expertly vetted detection library provides holistic threat coverage across your entire attack surface. An emphasis on high-fidelity, low-noise detections ensures that all alerts are relevant and ready for action.

You’re ready to accelerate your security posture. InsightIDR empowers teams to up-level their security and achieve sophisticated outcomes – without the complexity of traditional SIEMs. Embedded security orchestration and automation (SOAR) capabilities give you enviable security operations center (SOC) automation and enable even new analysts to respond like experts.

Don’t forget your copy of the new Gartner® Report: “How to Deploy a SIEM Solution Successfully.”

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner, How to Deploy a SIEM Solution Successfully, Andrew Davies, Mitchell Schneider, Toby Bussa, Kelly Kavanagh, 7 July 2021

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Are You in the 2.5% Who Meet This Cybersecurity Job Requirement?

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/05/20/are-you-in-the-2-5-who-meet-this-cybersecurity-job-requirement/

Are You in the 2.5% Who Meet This Cybersecurity Job Requirement?

Of course you’re special. (So are we.) But decades of research tells us humans believe they’re good multitaskers – and we are really, seriously not.

It seems a measly 2.5% of us can multitask well.

The rest of us are best when we focus on a single goal, allowing the left and right sides of our brains (specifically the prefrontal cortex) to work in harmony.

When we go for two goals at once, the brain splits duties, and we miss details, make mistakes. And it’s not a perfect 50/50 split: The work effort is more like 40/40, with an overhead charge just for the juggling. Trying to do three tasks? The brain’s information filters fizzle out. We don’t dismiss irrelevancies as quickly. There is guessing involved.

The truth is, multitasking isn’t a thing. The average security operations center (SOC) has 45 different cybersecurity technologies, according to an IBM study. What’s actually happening is task-switching and, even worse, context-switching.

The good news? Trends for 2022 point to change: a year of consolidation, greater detection and response capabilities on endpoints and in the cloud, and the integration of tools that simplifies and smooths the work.

It’s time to say goodbye to context-switching

You’ll never get ahead of attackers without the freedom to focus. And that fact has always inspired Rapid7’s continuous mission to accelerate detection and response with InsightIDR.

  • As a unified SIEM and XDR, InsightIDR automatically creates one cohesive picture from diverse telemetry, including endpoint, cloud, applications, logs, network, and users.
  • Alerts are highly correlated by our SOC experts, and high-context investigation details blend relevant data from different event sources for you.
  • No tab-hopping in and out of multiple tools: Embedded automation workflows powered by Rapid7’s InsightConnect let users focus on threats and decisions in real time.
  • Rather than asking you to do more, InsightIDR’s cloud-native, SaaS foundation ensures that users have the scale, agility, and power to keep up, no matter how their environments grow and change.

Technology that doesn’t understand how to really serve people can stress even the most sophisticated among us. Add to that the frustration that most C-suite executives don’t understand what life in SecOps is like either: Most don’t get that a breach is inevitable, and 97% of them believe security teams have big budgets and could improve on the value they deliver. Here’s ZDNet, reporting on IBM data that reveals security folks generally agree: “74% of [security practitioners] say their cybersecurity planning posture still leaves much to be desired, with no plans, ad-hoc plans, or inconsistency still a thorn in the side of IT staff.”

If the thorn is alert fatigue and context switching – and it probably is – the answer isn’t changing your personal attentiveness habits. When you seek out advice about how to stop all the multitasking, you’ll get suggestions that no CISO can take:

  • “Plan your day,” they say.
  • “Turn off your notifications.”
  • “Learn to say no,” they say.

The human factor is decisive in cybersecurity, so we task our technology to empower you – to give you the freedom to focus on what matters. Of course, it’s theoretically possible you’re in the 2.5% of people who qualify as “supertaskers.” (But as you may have noted from our first comic book we made for you, we think you’re superheroes, which is very, very different.)

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

3 Ways InsightIDR Users Are Achieving XDR Outcomes

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/04/12/3-ways-insightidr-users-are-achieving-xdr-outcomes/

3 Ways InsightIDR Users Are Achieving XDR Outcomes

The buzz around extended detection and response (XDR) is often framed in the future tense — here’s what it will be like when we can start bringing more sources of telemetry into our detections, or what will happen when we can use XDR to really start reducing false positives. But users of InsightIDR, Rapid7’s cloud SIEM and XDR solution, are already making those outcomes a reality.

Turns out, InsightIDR has been doing XDR for a long time, bringing those promised results to life before the industry started to associate them with XDR. Here are 3 ways our customers are benefiting from those outcomes.

1. Gain greater visibility

You can’t manage what you don’t measure — and you certainly can’t measure what you don’t see or know is happening. The same applies to threat detection. If you never detect malicious activity, you never have a chance to respond or remediate — until you’re already reeling from the impacts of a breach and trying to limit the damage.

Greater visibility is part of the promise of XDR. By bringing in a wider range of telemetry sources than security operations center (SOC) teams have previously had access to, XDR aims to paint a fuller picture of attacker behavior, so security teams can better analyze and respond to it.

And as it turns out, this enhanced visibility is one of the key benefits InsightIDR has been helping users achieve.

“Rapid7 InsightIDR gives us visibility into the activities on our servers and network. Before, we were blind,” says Karien Greeff, Director, Security at ODEK Technologies.

For many users, this boost in visibility is translating directly into more effective action.

“Rapid7 InsightIDR vastly improved the visibility of our network, endpoints, and weak spots. We now have the ability to respond to threats we didn’t see before we had InsightIDR,” says Robert Middleton, Network Administrator at CU4SD.

2. Focus on what matters

Of course, visibility is only as good as what you do with it. Alert fatigue is a problem SOC analysts know all too well — so if you can suddenly detect a wealth of additional activity on your network, you need some way to prioritize that information.

InsightIDR user Kerry LeBlanc, who is responsible for cybersecurity at medical technology innovator Bioventus, notes that next-level visibility — “Everything comes into InsightIDR. I mean, everything,” he quips in a case study — is just the start of the improvements the tool has made for Kerry and his team.

“The other major change, and this is part of extended detection and response (XDR), is being able to correlate, analyze, prioritize, and remediate as quickly as possible. Rapid7 does that because it has visibility into everything,” he says. “It can build context around the threats and the events. It can help prioritize them for a higher level of awareness. I can focus on them a lot quicker, and it gives me the opportunity to reduce severity and eliminate further impact.”

Kerry isn’t the only one who’s using InsightIDR to help filter out the noise and focus on the alerts that truly matter.

“Rapid7 InsightIDR has given us the ability to hone in on specific incidents without the need to remove the unnecessary chatter,” says one VP of security at a large enterprise financial services company. “We now have the ability to view our environment with a single pane of glass providing relative information quickly.”

3. Do more with one tool

The relationship between XDR and SIEM has been much talked about in security circles, and it’s still a dynamic question. While some see these markets colliding at some point in the distant future, others identify SIEM and XDR as solving separate but complementary use cases. Nevertheless, the ability to consolidate tools and do more with a single solution is one of the hopes for XDR — and some InsightIDR users are already beginning to make that a reality.

“InsightIDR has been a great tool that is easy to deploy and cover several needed security functions such as SIEM, deception, EDR, UBA, alerting, threat feeds, and reporting,” a Senior Director of Security says via Gartner Peer Insights.

That streamlining of the security tech stack can be especially impactful for organizations that haven’t updated their threat detection solutions in some time.

“With Rapid7 InsightIDR, we were able to eliminate multiple old products and workflows,” says one Chief Security Officer at a medium enterprise media and entertainment company.

Start seeing XDR outcomes now

If you’re considering whether to embrace XDR at your organization, it might seem like the payoff will be further down the line, when the product category truly reaches maturity — but as the attack landscape grows increasingly complex, security analysts simply don’t have the luxury to wait. Luckily, those benefits might be closer than you think. With InsightIDR, customers are already enjoying many of the outcomes that SOC teams are seeking from XDR adoption: more visibility, improved signal-to-noise, and a more consolidated security stack.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightIDR: Q1 2022 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/04/05/whats-new-in-insightidr-q1-2022-in-review/

Introducing new InsightIDR capabilities to accelerate your detection and response program

What's New in InsightIDR: Q1 2022 in Review

When we talk to customers and security professionals about what they need more of in their security operations center (SOC), there is one consistent theme: time. InsightIDR — Rapid7’s leading cloud SIEM and XDR — helps teams cut through the noise and accelerate their detection and response, without sacrificing comprehensive coverage across modern environments and advanced attacks. This Q1 2022 recap post digs into some of the latest investments we’ve made to drive tangible time savings for customers, while still leveling up your detection and response program with InsightIDR.

New InsightIDR Detections powered by Threat Command by Rapid7’s TIP Threat Library

Following Rapid7’s 2021 acquisition of IntSights and their leading external threat intelligence solution, Threat Command, we are excited to provide InsightIDR customers with new built-in threat intelligence via Threat Command’s threat intelligence platform (TIP).

We have integrated Threat Command’s TIP ThreatLibrary into InsightIDR, bringing its threat intelligence content into our detection library to ensure Rapid7 InsightIDR and Managed Detection and Response (MDR) customers have the most up-to-date and comprehensive detection coverage, more visibility into new IOCs, and continued strength around signal-to-noise.

Using the combined threat intelligence research teams across Rapid7 Threat Command and our services organization, this content will be maintained and updated across the platform – ensuring our customers get real-time protection from evolving threats.

What's New in InsightIDR: Q1 2022 in Review

InsightIDR delivers superior signal-to-noise in latest MITRE Engenuity ATT&CK evaluation

We’re excited to share that InsightIDR has successfully completed the 2022 MITRE Engenuity ATT&CK Evaluation, which focused on how adversaries abuse data encryption for exploitation and/or ransomware. This evaluation tested InsightIDR’s EDR capabilities (powered by our native endpoint agent, the Insight Agent) and our ability to detect these advanced attacks. A few key takeaways and result highlights:

  • InsightIDR demonstrated solid visibility across the cyber kill chain – with visibility across 18 of the 19 phases covered across both simulations.
  • Consistently identified threats early, with alerts firing in the first phase – Initial Compromise – for both the Wizard Spider and Sandworm attacks.
  • Showcased our commitment to signal-to-noise – with targeted and focused detections across each phase of the attack (versus firing loads of alerts for every minute substep).

As our customers know, EDR is just one component of the detection coverage unlocked with InsightIDR. While beyond the scope of this evaluation, beyond endpoint coverage, InsightIDR delivers defense in depth across users and log activity, network, and cloud. Learn more about InsightIDR’s MITRE evaluation results in our recent blog post.

Investigate in seconds with Quick Actions powered by InsightConnect

InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button.

Quick Actions are pre-configured automation actions that customers can run within their InsightIDR instance to get the answers they need fast and make the investigative process more efficient, and there’s no configuration required. Some Quick Actions use cases include:

  • Threat hunting within log search. Use the “Look Up File Hash with Threat Crowd” quick action to learn more about a hash within an endpoint log. If the output of the quick action finds the file hash is malicious, you can choose to investigate further.
  • More context around alerts in Investigations. Use the “Look Up Domain with WHOIS” quick action to receive more context around an IP associated with an alert in an investigation.



What's New in InsightIDR: Q1 2022 in Review

More customizability with AWS GuardDuty detection rules

We now have over 100 new AWS GuardDuty Attacker Behavior Analytics (ABA) detection rules to provide significantly more customization and tuning ability for customers compared to our previous singular third-party AWS GuardDuty UBA detection rule. With these new ABA alerts, it’s possible to set rule actions, tune rule priorities, or add an exception on each individual GuardDuty detection rule.

What's New in InsightIDR: Q1 2022 in Review

New pre-built CIS control dashboards and overall dashboard improvements

We’re continually expanding our pre-built dashboard library to allow users to easily visualize their data within the context of common frameworks.

The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. We know CIS is one of the most common security frameworks our customers consider, so we’ve recently added 3 new CIS control dashboards that cover CIS Control 5: Account Management, CIS Control 9: Email and Web Browser Protections, and CIS Control 10: Malware Defenses.

What's New in InsightIDR: Q1 2022 in Review

We also continue to make changes and additions to our overall Dashboard capabilities. Within the card builder, we’ve added the ability to:

  • Change chart colors
  • Add a chart caption
  • Swap between linear and logarithmic scale for charts
  • Add data labels on top of dashboard charts

Continuous improvements to Investigation Management

Another area we are continuously making improvements in is Investigation Management. A huge part of this ongoing development is customer feedback, and over the last quarter, we’ve made some additions to the experience based on just that. We’ve added:

  • New filters for alert type, MITRE ATT&CK tactic, and investigation type to provide more options when it comes to tailoring the list view of investigations
  • The new “notes count” feature, which allows customers to save time and track the status of an ongoing collaboration within an investigation
  • Improvements to the bulk-close feature within Investigation Management, and new progress banners so you can easily track the status of each bulk-close request
What's New in InsightIDR: Q1 2022 in Review

Other updates

  • New CATO Networks event source can now be configured to send InsightIDR WAN firewall and internet firewall data.
  • Log Search Syntax Highlighting applies different colors and formatting to the distinct components of a LEQL query (such as the search logic and values) to improve overall readability and provide an easy way to identify potential errors within queries.
  • New curated IDS Rules powered by the Insight Network Sensor help you detect activity associated with thousands of common pieces of malware.
  • Insight Network Sensor management page updates make it easier to deploy and maintain your fleet of Network Sensors. We’ve rebuilt the sensor management page to better surface critical configuration statuses, diagnostic information, and links to support documentation.
What's New in InsightIDR: Q1 2022 in Review

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.