Tag Archives: Product Updates

What’s New in InsightVM and Nexpose: Q3 2022 in Review

Post Syndicated from Roshnee Mistry Shah original https://blog.rapid7.com/2022/09/28/whats-new-in-insightvm-and-nexpose-q3-2022-in-review/

What’s New in InsightVM and Nexpose: Q3 2022 in Review

Another quarter comes to a close! While we definitely had our share of summer fun, our team continued to invest in the product, releasing features and updates like recurring coverage for enterprise technologies, performance enhancements, and more. Let’s take a look at some of the key releases in InsightVM and Nexpose from Q3.

[InsightVM and Nexpose] Recurring coverage for VMware vCenter

Recurring coverage provides ongoing, automatic vulnerability coverage for popular enterprise technology and systems. We recently added VMware vCenter to our list.

VMware vCenter Server is a centralized management platform used to manage virtual machines, ESXi hosts, and dependent components from a single host. Last year, vCenter was a significant target for bad actors and became the subject of a number of zero-days. Rapid7 provided ad hoc coverage to protect you against the vulnerabilities. Now, recurring coverage ensures fast, comprehensive protection that provides offensive and defensive security against vCenter vulnerabilities as they arise.

[InsightVM and Nexpose] Tune Assistant

The Security Console in InsightVM and Nexpose contains components that benefit from performance tuning. Tune Assistant is a built-in feature that will calculate performance tuning values based on resources allocated to the Security Console server, then automatically apply those values.

Tuning is calculated and applied to all new consoles when the product first starts up, and customers experiencing performance issues on existing consoles can now easily increase their own resources. For more information, read our docs page on configuring maximum performance in an enterprise environment.

What’s New in InsightVM and Nexpose: Q3 2022 in Review

[InsightVM and Nexpose] Windows Server 2022 Support

We want to ensure InsightVM and Nexpose are supported on business-critical technologies and operating systems. We added Windows Server 2022, the latest operating system for servers from Microsoft, to our list. The Scan Engine and Security Console can be installed and will be supported by Rapid7 on Windows Server 2022. Learn more about the systems we support.

[InsightVM and Nexpose] Checks for notable vulnerabilities

With exploitation of major vulnerabilities in Mitel MiVoice Connect, multiple Confluence applications, and other popular solutions, the threat actors definitely did not take it easy this summer. InsightVM and Nexpose customers can assess their exposure to many of these CVEs for vulnerability checks, including:

  • Mitel MiVoice Connect Service Appliance | CVE-2022-29499: An onsite VoIP business phone system, MiVoice Connect had a data validation vulnerability, which arose from insufficient data validation for a diagnostic script. The vulnerability potentially allowed an unauthenticated remote attacker to send specially crafted requests to inject commands and achieve remote code execution. Learn more about the vulnerability and our response.
  • “Questions” add-on for Confluence Application | CVE-2022-26138: This vulnerability affected “Questions,” an add-on for the Confluence application. It was quickly exploited in the wild once the hardcoded password was released on social media. Learn more about the vulnerability and our response.
  • Multiple vulnerabilities in Zimbra Collaboration Suite: Zimbra, a business productivity suite, was affected by five different vulnerabilities, one of which was unpatched, and four of which were being actively and widely exploited in the wild by well-organized threat actors. Learn more about the vulnerability and our response.
  • CVE-2022-30333
  • CVE-2022-27924
  • CVE-2022-27925
  • CVE-2022-37042
  • CVE-2022-37393

We were hard at work this summer making improvements and increasing the level of protections against attackers for our customers. As we head into the fall and the fourth quarter of the year, you can bet we will continue to make InsightVM the best and most comprehensive risk management platform available. Stay tuned for more great things, and have a happy autumn.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Post Syndicated from Stacy Moran original https://blog.rapid7.com/2022/09/22/one-year-after-intsights-acquisition-threat-intels-value-is-clear/

Rapid7 Strengthens Market Position With 360-Degree XDR and Best-in-Class Threat Intelligence Offerings

One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Time flies… and provides opportunities to establish proof points. After recently passing the one-year milestone of Rapid7’s acquisition of IntSights, the added value threat intelligence brings to our product portfolio is unmistakable.  

Cross-platform SIEM, SOAR, and VM integrations expand capabilities and deliver super-charged XDR

Integrations with Rapid7 InsightIDR (SIEM) and InsightConnect (SOAR) strengthen our product offerings. Infusing these tools with threat intelligence elevates customer security outcomes and delivers greater visibility across applications, while speeding response times. The combination of expertly vetted detections, contextual intelligence, and automated workflows within the security operations center (SOC) helps teams gain immediate visibility into the external attack surface from within their SIEM environments.

The threat intelligence integration with IDR is unique to Rapid7. It’s the only XDR solution in the market to infuse both generic threat intelligence IOCs and customized digital risk protection coverage. Users receive contextual, tailored alerts based on their digital assets, enabling them to detect potential threats before they hit endpoints and become incident response cases.

One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Capabilities

  • Expand and accelerate threat detection with native integration of Threat Command alerts and TIP Threat Library IOCs with InsightIDR.
  • Proactively thwart attack plans with alerts that identify active threats across the attack surface.
One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Benefits

  • 360-degree visibility and protection across your internal and external attack surface
  • Faster automated discovery and elimination of threats via correlation of Threat Command alerts with InsightIDR investigative capabilities

Learn more: 360-Degree XDR and Attack Surface Coverage, XDR Solution Brief

One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

The Threat Command Vulnerability Risk Analyzer (VRA) + InsightVM integration delivers complete visibility into digital assets and vulnerabilities across your attack surface, including attacker perspective, trends, and active discussions and exploits. Joint customers can import data from InsightVM into their VRA environment where CVEs are enriched with valuable context and prioritized by vulnerability criticality and risk, eliminating the guesswork of manual patch management. VRA is a bridge connecting objective critical data with contextualized threat intelligence derived from tactical observations and deep research. In addition to VRA, customers can leverage Threat Command’s Browser Extension to obtain additional context on CVEs, and TIP module to see related IOCs and block actively exploited vulnerabilities.

Integration benefits

  • Visibility: Continuously monitor assets and associated vulnerabilities.
  • Speed: Instantly assess risk from emerging vulnerabilities and improve patching cadence.
  • Assessment: Eliminate blind spots with enhanced vulnerability coverage.
  • Productivity: Reduce time security analysts spend searching for threats by 75% or more.
  • Prioritization: Focus on the vulnerabilities that matter most.
  • Automation: Integrate CVEs enriched with threat intelligence into existing security stack.
  • Simplification: Rely on intuitive dashboards for centralized vulnerability management.
One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Learn how to leverage this integration to effectively prioritize and accelerate vulnerability remediation in this short demo and Integration Solution Brief.

In addition to these game-changing integrations that infuse Rapid7 Insight Platform solutions with external threat intelligence, Threat Command also introduced numerous feature and platform enhancements during the past several months.

Expanded detections and reduced noise

Of all mainstream social media platforms, Twitter has the fewest restrictions and regulations; coupled with maximum anonymity, this makes the service a breeding ground for hostile discourse.

Twitter by the numbers (in 2021)

One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Threat Command Twitter Chatter coverage continually monitors Twitter discourse and alerts customers regarding mentions of company domains. Expanded Twitter coverage later this year will include company and brand names.

One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Threat Command’s Information Stealers feature expands the platform’s botnets credentials coverage. We now detect and alert on information-stealing malware that gathered leaked credentials and private data from infected devices. Customers are alerted when employees or users have been compromised (via corporate email, website, or mobile app). Rely on extended protection against this prevalent and growing malware threat based on our unique ability to obtain compromised data via our exclusive access to threat actors.

Accelerated time to value

The recently enhanced Threat Command Asset Management dashboard provides visibility into the risk associated with specific assets, displays asset targeting trends, and enables drill-down for alert investigation. Users can now categorize assets using tags and comments, generate bulk actions for multiple assets, and see a historical perspective of all activity related to specific assets.

Better visibility for faster decisions

One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Strategic Intelligence is now available to existing Threat Command customers for a limited time in Open Preview mode. The Strategic Intelligence dashboard, aligned to the MITRE ATT&CK framework, enables CISOs and other security executives to track risk over time and assess, plan, and budget for future security investments.

Capabilities

  • View potential vulnerabilities attackers may use to execute an attack – aligned to the MITRE ATT&CK framework (tactics & techniques).
  • See trends in your external attack surface and track progress over time in exposed areas.
  • Benchmark your exposure relative to other Threat Command customers in your sector/vertical.
  • Easily communicate gaps and trends to management via dashboard and/or reports.

Benefits

  • Rapid7 is the first vendor in the TI space to provide a comprehensive strategic view of an organization’s external threat landscape.
  • Achieve your security goals with complete, forward-looking, and actionable intelligence context about your external assets.
  • Bridge the communication and reporting gap between your CTI analysts dealing with everyday threats and the CISO, focused on the bigger picture.
One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

Stay tuned!

There are many more exciting feature enhancements and new releases planned by year end.

Learn more about how Threat Command simplifies threat intelligence, delivering instant value  for organizations of any size or maturity, while reducing risk exposure.

One Year After IntSights Acquisition, Threat Intel’s Value Is Clear

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Additional reading:

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

Post Syndicated from Ronan McCrory original https://blog.rapid7.com/2022/08/16/are-your-apps-exposed-know-faster-with-application-discovery-in-insightappsec/

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

“Yes, I know what applications we have publicly exposed.”  

How many times have you said that with confidence? I bet not too many. With the rapid pace of development that engineering teams can work at, it is becoming increasingly difficult to know what apps you have exposed to the internet, adding potential security risks to your organization.

This is where InsightAppSec’s new application discovery feature, powered by Rapid7’s Project Sonar, can help to fill in these gaps.

What exactly is application discovery?

Using the data supplied by Project Sonar — which was started almost a decade ago and conducts internet-wide surveys across more than 70 different services and protocols — you can enter a domain within InsightAppSec and run a discovery search. You will get back a list of results that are linked to that initial domain, along with some useful metadata.

We have had this feature open as a beta for various customers and received real-world examples of how they used it. Here are two key use cases for this functionality.

Application ports

After running a discovery scan, one customer noticed that a “business-critical web application was found on an open port that it shouldn’t have been on.”  After getting this data, they were able to work with that application team and get it locked down.

App inventory

Various customers noted that running a discovery scan helped them to get a better sense of their public-facing app inventory. From this, they were able to carry out various tasks, including “checking the list against their own list for accountability purposes” and “having relevant teams review the list before attacking.” They did this by exporting the discovery results to a CSV file and reviewing them outside of InsightAppSec.

How exactly does it work?

Running a discovery search shouldn’t be difficult, so we’ve made the process as easy as possible. Start by entering a domain that you own, and hit “Discover.”  This will bring back a list of domains, along with their IP, Port, and Last Seen date (based on the last time a Sonar scan has found it.)

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

From here, you could add a domain to your allow list and then run a scan against it, using the scan config setup process.

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

If you see some domains that you are not sure about, you might decide that you need to know more about the domains before you run a scan. You can do this by exporting the data as a CSV and then running your own internal process on these before taking any next steps.

Are Your Apps Exposed? Know Faster With Application Discovery in InsightAppSec

How do I access application discovery?

Running a discovery scan is currently available to all InsightAppSec Admins, but Admins can grant other users or sets of users access to the feature using the InsightPlatform role-based access control feature.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightVM and Nexpose: Q2 2022 in Review

Post Syndicated from Randi Whitcomb original https://blog.rapid7.com/2022/07/28/whats-new-in-insightvm-and-nexpose-q2-2022-in-review/

What’s New in InsightVM and Nexpose: Q2 2022 in Review

The Vulnerability Management team kicked off Q2 by remediating the instances of Spring4Shell (CVE-2022-22965) and Spring Cloud (CVE-2022-22963) vulnerabilities that impacted cybersecurity teams worldwide. We also made several investments to both InsightVM and Nexpose throughout the second quarter that will help improve and better automate vulnerability management for your organization. Let’s dive in!

New dashboard cards based on CVSS v3 Severity (InsightVM)

CVSS (Common Vulnerability Scoring System) is an open standard for scoring the severity of vulnerabilities; it’s a key metric that organizations use to prioritize risk in their environments. To empower organizations with tools to do this more effectively, we recently duplicated seven CVSS dashboard cards in InsightVM to include a version that sorts the vulnerabilities based on CVSS v3 scores.The v3 CVSS system made some changes to both quantitative and qualitative scores. For example, Log4Shell had a score of 9.3 (high) in v2 and a 10 (critical) in v3.

Having both V2 and V3 version dashboards available allows you to prioritize and sort vulnerabilities according to your chosen methodology. Security is not one-size-fits all, and the CVSS v2 scoring might provide more accurate vulnerability prioritization for some customers. InsightVM allows customers to choose whether v2 or v3 scoring is a better option for their organizations’ unique needs.  

The seven cards now available for CVSS v3 are:

  • Exploitable Vulnerabilities by CVSS Score
  • Exploitable Vulnerability Discovery Date by CVSS Score
  • Exploitable Vulnerability Publish Age by CVSS Score
  • Vulnerability Count By CVSS Score Over Time
  • Vulnerabilities by CVSS Score
  • Vulnerability Discovery Date by CVSS Score
  • Vulnerability Publish Age by CVSS Score
What’s New in InsightVM and Nexpose: Q2 2022 in Review

Asset correlation for Citrix VDI instances (InsightVM)

You asked, and we listened. By popular demand, InsightVM can now identify agent-based assets that are Citrix VDI instances and correlate them to the user, enabling more accurate asset/instance tagging.

Previously, when a user started a non-persistent VDI, it created a new AgentID, which then created a new asset in the console and consumed a user license. The InsightVM team is excited to bring this solution to our customers for this widely persistent problem.

Through the Improved Agent experience for Citrix VDI instances, when User X logs into their daily virtual desktop, it will automatically correlate to User’s experience, maintain the asset history, and consume only one license. The result is a smoother, more streamlined experience for organizations that deploy and scan Citrix VDI.

Scan Assistant made even easier to manage (Nexpose and InsightVM)

In December 2021, we launched Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; This alleviates the credential management headaches VM teams often encounter. The Scan Assistant is also designed to drive improved vulnerability scanning performance in both InsightVM and Nexpose, with faster completion times for both vulnerability and policy scans.

We recently released Scan Assistant 1.1.0, which automates Scan Assistant software updates and digital certificate rotation for customers seeking to deploy and maintain a fleet of Scan Assistants. This new automation improves security – digital certificates are more difficult to compromise than credentials – and simplifies administration for organizations by enabling them to centrally manage features from the Security Console.

Currently, these enhancements are only available on Windows OS. To opt into automated Scan Assistant software updates and/or digital certificate rotation, please visit the Scan Assistant tab in the Scan Template.

What’s New in InsightVM and Nexpose: Q2 2022 in Review

What’s New in InsightVM and Nexpose: Q2 2022 in Review

Recurring coverage (Nexpose and InsightVM)

Rapid7 is committed to providing ongoing monitoring and coverage for a number of software products and services. The Vulnerability Management team continuously evaluates items to add to our recurring coverage list, basing selections on threat and security advisories, overall industry adoption, and customer requests.

We recently added several notable software products/services to our list of recurring coverage, including:

  • AlmaLinux and Rocky Linux. These free Linux operating systems have grown in popularity among Rapid7 Vulnerability Management customers seeking a replacement for CentOS. Adding recurring coverage for both AlmaLinux and Rocky Linux enables customers to more safely make the switch and maintain visibility into their vulnerability risk profile.
  • Oracle E-Business Suite. ERP systems contain organizations’ “crown jewels” – like customer data, financial information, strategic plans, and other proprietary data – so it’s no surprise that attacks on these systems have increased in recent years. Our new recurring coverage for the Oracle E-Business Suite is one of the most complex pieces of recurring coverage added to our list, providing coverage for several different components to ensure ongoing protection for Oracle E-Business Suite customers’ most valuable information.
  • VMware Horizon. The VMware Horizon platform enables the delivery of virtual desktops and applications across a number of operating systems. VDI is a prime target for bad actors trying to access customer environments, due in part to its multiple entry points; once a hacker gains entry, it’s fairly easy for them to jump into a company’s servers and critical files. By providing recurring coverage for both the VMware server and client, Rapid7 gives customers broad coverage of this particular risk profile.

Remediation Projects (InsightVM)​​

Remediation Projects help security teams collaborate and track progress of remediation work (often assigned to their IT ops counterparts). We’re excited to announce a few updates to this feature:

Better way to track progress for projects

The InsightVM team has updated the metric that calculates progress for Remediation Projects. The new metric will advance for each individual asset remediated within a “solution” group. Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress. Security teams can thus have meaningful discussions about progress with assigned remediators or upper management. Learn more.

Remediator Export

We added a new and much requested solution-based CSV export option to Remediation Projects. Remediator Export contains detailed information about the assets, vulnerabilities, proof data, and more for a given solution. This update makes it easy and quick for the Security teams to share relevant data with the Remediation team. It also gives remediators all of the information they need.On the other hand, the remediators will have all the information they need. We call this a win-win for both teams! Learn more.

Project search bar for Projects

Our team has added a search bar on the Remediation Projects page. This highly requested feature empowers customers to easily locate a project instead of having to scroll down the entire list.

What’s New in InsightVM and Nexpose: Q2 2022 in Review

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Q2 InsightVM Release Update: Let’s Focus on Remediation for Just a Minute

Post Syndicated from Devin Krugly original https://blog.rapid7.com/2022/07/14/q2-insightvm-release-update-lets-focus-on-remediation-for-just-a-minute/

Q2 InsightVM Release Update: Let’s Focus on Remediation for Just a Minute

Think of an endeavor in your life where your success is entirely dependent on the success of others. What’s the first example that comes to mind? It’s common in team sports – a quarterback and a wide receiver, a fullback and their goalie, an equestrian and their horse.

What if you narrow the scope to endeavors or activities at work? A little more difficult, right? A large project is an easy candidate, but those are generally distributed across many people over a long time period, which allows for mitigation and planning.

For those that make a living in cybersecurity, the example that immediately comes to mind is vulnerability management (VM). VM, which really falls under the heading of risk management, requires deft handling of executive communications, sometimes blurred to abstract away the tedious numbers and present a risk statement. At the same time, judicious management of vulnerability instances and non-compliant configurations that exceed organization thresholds – i.e., all the numbers – requires very detailed and often painstaking focus on the minutiae of a VM program. Then, layer in the need for situational awareness to answer context-specific questions like, “Are we vulnerable, and if so, do we need to act immediately?” or “Why did the security patch fail on only 37 of the 2184 target systems?” It becomes glaringly apparent that communication and alignment among all stakeholders – security team, IT operations, and business leadership – are paramount to achieve “dependent” success.

Based on customer feedback and directional input, we’re pleased to release two updates that are aimed at not only improving VM program success but also reducing the effort to get you there.

Remediation Project progress

In what may be the most exciting and warmly received update for some, we are releasing a new method to calculate and display progress for Remediation Projects. Historically, credit for patching and subsequent reporting of “percent complete” toward closing any one Remediation Project was only given when all affected assets for a single solution were remediated. So we’ve updated the calculation to account for “partial” credit. Now, remediation teams will see incremental progress as individual assets for specific solutions (i.e. patches) are applied. This is a much more accurate representation of the work and effort invested. It is also a much more precise indication of what additional effort is needed to close out the last few pesky hosts that have so far resisted your best remediation efforts.

For some, the scope and scale of risk management in the world of VM has outgrown original designs – more assets, more vulns. We’ve acted on the sage wisdom of many who have suggested such an update and made that available in Version 6.6.150

Q2 InsightVM Release Update: Let’s Focus on Remediation for Just a Minute

This update will affect all Remediation Projects, so we encourage teams to leverage this blog post to share the details behind this release as a heads-up and possibly improve relations with your teammates. It’s only by partnering and aligning on the effort involved that this “success dependency” becomes a power-up, rather than a power drain.

Remediator Export

I am particularly excited about this seemingly minor but mighty update, because I can remember having to script around or find automation to stitch together different source documents to produce what we have elected to refer to as a Remediator Export. The number of stakeholders and the diversity of teams involved in modern VM programs necessitate on-demand access to the supporting data and associated context. This export is for – you guessed it – the teams that have the heaviest lift in any VM program: the folks that push patches, update configs, apply mitigating controls, and are usually involved in all the necessary testing – the Remediators. Whether the catalyst for such a detailed export (26 data fields in all) is to troubleshoot a failed install or to simply have more direct access to vulnerability proof data the Remediator Export will offer improvements for nearly every remediation team.

Q2 InsightVM Release Update: Let’s Focus on Remediation for Just a Minute

You can access this upcoming solution based export from any Remediation Project peek panel. The Export to CSV dropdown now has an additional option that includes the data fields cited above and helps meet team’s needs where they are today.

Q2 InsightVM Release Update: Let’s Focus on Remediation for Just a Minute

The Remediator CSV file is accessible to anyone with permission to Remediation Projects, Goals, and SLAs and carries the following naming convention: “Project-Name_Solution-UUID.csv.” We are already thinking about options to provide similar capability at the Remediation Project level.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

It’s the Summer of AppSec: Q2 Improvements to Our Industry-Leading DAST and WAAP

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/07/13/its-the-summer-of-appsec-q2-improvements-to-our-industry-leading-dast-and-waap/

It’s the Summer of AppSec: Q2 Improvements to Our Industry-Leading DAST and WAAP

Summer is in full swing, and that means soaring temperatures, backyard grill-outs, and the latest roundup of Q2 application security improvements from Rapid7. Yes, we know you’ve been waiting for this moment with more anticipation than Season 4 of Stranger Things. So let’s start running up that hill, not beat around the bush (see what we did there?), and dive right in.

OWASP Top 10 for application security

Way, way back in September of 2021 (it feels like it was yesterday), the Open Web Application Security Project (OWASP) released its top 10 list of critical web application security risks. Naturally, we were all over it, as OWASP is one of the most trusted voices in cybersecurity, and their Top 10 lists are excellent places to start understanding where and how threat actors could be coming for your applications. We released a ton of material to help our customers better understand and implement the recommendations from OWASP.

This quarter, we were able to take those protections another big step forward by providing an OWASP 2021 Attack Template and Report for InsightAppSec. With this new feature, your security team can work closely with development teams to discover and remediate vulnerabilities in ways that jive with security best practice. It also helps to focus your AppSec program around the updated categories provided by OWASP (which we highly suggest you do).

The new attack template includes all the relevant attacks included in the updated OWASP Top 10 list which means you can focus on the most important vulnerabilities to remediate, rather than be overwhelmed by too many vulnerabilities and not focusing on the right ones. Once the vulns are discovered, InsightAppSec helps your development team to remediate the issues in several different ways, including a new OWASP Top 10 report and the ability to let developers confirm vulnerabilities and fixes with Attack Replay.

Scan engine and attack enhancements

Product support for OWASP 2021 wasn’t the only improvement we made to our industry-leading DAST this quarter. In fact, we’ve been quite busy adding additional attack coverage and making scan engine improvements to increase coverage and accuracy for our customers. Here are just a few.

Spring4Shell attacks and protections with InsightAppSec and tCell

We instituted a pair of improvements to InsightAppSec and tCell meant to identify and block the now-infamous Spring4Shell vulnerability. We now have included a default RCE attack module specifically to test for the Spring4Shell vulnerability with InsightAppSec. That feature is available to all InsightAppSec customers right now, and we highly recommend using it to prevent this major vulnerability from impacting your applications.

Additionally, for those customers leveraging tCell to protect their apps, we’ve added new detections and the ability to block Spring4Shell attacks against your web applications. In addition, we’ve added Spring4Shell coverage for our Runtime SCA capability. Check out more here on both of these new enhancements.

New out-of-band attack module

We’ve added a new out-of-band SQL injection module similar to Log4Shell, except it leverages the DNS protocol, which is typically less restricted and used by the adversary. It’s included in the “All Attacks” attack template and can be added to any customer attack template.

Improved scanning for session detection

We have made improvements to our scan engine on InsightAppSec to better detect unwanted logouts. When configuring authentication, the step-by-step instructions will guide you through configuring this process for your web applications.

Making it easier for our customers

This wouldn’t be a quarterly feature update if we didn’t mention ways we are making InsightAppSec and tCell even easier and more efficient for our customers. In the last few months, we have moved the “Manage Columns” function into “Vulnerabilities” in InsightAppSec to make it even more customizable. You can now also hide columns, drag and drop them where you would like, and change the order in ways that meet your needs.

We’ve also released an AWS AMI of the tCell nginx agent to make it easier for current customers to deploy tCell. This is perfect for those who are familiar with AWS and want to get up and running with tCell fast. Customers who also want a basic understanding of how tCell works and want to share tCell’s value with their dev teams will find this new AWS AMI to provide insight fast.

Summer may be a time to take it easy and enjoy the sunshine, but we’re going to be just as hard at work making improvements to InsightAppSec and tCell over the next three months as we were in the last three. With a break for a hot dog and some fireworks in there somewhere. Stay tuned for more from us and have a great summer.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightIDR: Q2 2022 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/07/06/whats-new-in-insightidr-q2-2022-in-review/

What's New in InsightIDR: Q2 2022 in Review

This Q2 2022 recap post takes a look at some of the latest investments we’ve made to InsightIDR to drive detection and response forward for your organization.

New interactive HTML reports

InsightIDR’s new HTML reports incorporate the interactive features you know and love from our dashboards delivered straight to your inbox. The HTML report file is sent as an email attachment and allows you to scroll through tables, drill in and out of cards, and sort tables in the same way you would explore dashboards.

What's New in InsightIDR: Q2 2022 in Review

Increased visibility into malware activity

Traditional intrusion detection systems (IDS) can be noisy. Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team has carefully analyzed thousands of IDS events to curate a list of only the most critical and actionable events. We’ve recently expanded our library to include over 4,500 curated IDS detection rules to help customers detect activity associated with thousands of common pieces of malware.

Catch data exfiltration attempts with Anomalous Data Transfer

Anomalous Data Transfer (ADT) is a new Attacker Behavior Analytics (ABA) detection rule that uses the Insight Network Sensor to identify large transfers of data sent by assets on a network. ADT outputs data exfiltration alerts which make it easier for you to monitor transfer activity and identify unusual behavior to stay ahead of threats. These new detections are available for select InsightIDR packages — see more details here in our documentation.

What's New in InsightIDR: Q2 2022 in Review

Build stronger integrations and quickly triage investigations with new InsightIDR APIs

Investigation management APIs

Our new APIs allow you to extract more extensive data from within your investigation and use it to integrate with third-party tools, or build automation workflows to help you save time analyzing and closing investigations. View our documentation to learn more.

  • Update one or more Investigation fields through a single API call
  • Retrieve a sortable list of Investigations
  • Search Investigations
  • Create a Manual Investigation

User, accounts, and asset APIs

We are excited to release new APIs to allow you to programmatically interface with InsightIDR users, accounts, local accounts, and assets. You can use these APIs to configure new automations that further contextualize alerts generated by InsightIDR or third-party tools and help you to create more actionable views of alert data.

Relative Activity: A new way to analyze detection rules

We’ve introduced a new score called Relative Activity to ABA detection rules that analyzes how often the Rule Logic matches data in your environment based on certain parameters. The Relative Activity score is calculated over a rolling 24-hour period and can help you:

  • Identify detection rules that might cause frequent investigations or notable events if switched on
  • Determine which rules may benefit from tuning, either by changing the Rule Action or adding exceptions
What's New in InsightIDR: Q2 2022 in Review
New Relative Activity score for detection rules

Log Search improvements

Enrich Log Search results with new Quick Actions: Earlier this year InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button. We’ve recently released new Quick Actions to enable pre-configured actions within InsightIDR’s Log Search for InsightIDR Ultimate and InsightIDR legacy customers. Quick Actions are available for select InsightIDR packages, see more details here in our documentation.

  • Use AWS S3 as a collection method for custom logs: Now customers have the choice to use either Cisco Umbrella or AWS S3 as a collection method when setting up custom logs. Alongside this update, we’ve also refactored the data source to make it more resilient and effective.

A growing library of actionable detections

In Q2, we added 290 new ABA detection rules to InsightIDR. See them in-product or visit the Detection Library for actionable descriptions and recommendations.

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

DFIR Without Limits: Moving Beyond the “Sucker’s Choice” of Today’s Breach Response Services

Post Syndicated from Warwick Webb original https://blog.rapid7.com/2022/05/23/dfir-without-limits/

DFIR Without Limits: Moving Beyond the “Sucker's Choice” of Today’s Breach Response Services

Three-quarters of CEOs and their boards believe a major breach is “inevitable.” And those closest to the action? Like CISOs? They’re nearly unanimous.

Gartner is right there, too. Their 2021 Market Guide for Digital Forensics and Incident Response (DFIR) Services recommends you “operate under the assumption that security breaches will occur, the only variable factors being the timing, the severity, and the response requirements.”

When that breach happens, you’ll most likely need help. For Rapid7 MDR customers, we’re there for you when you need us, period. Our belief is that, if a breach is inevitable, then a logical, transparent, collaborative, and effective approach to response should be, too.

I’m not just talking about the table-stakes “response” to everyday security threats. I’m talking about digital forensics and world-class incident response for any incident – no matter if it’s a minor breach like a phishing email with an attached maldoc or a major targeted breach involving multiple endpoints compromised by an advanced attacker.

Protecting your environment is our shared responsibility. As long as you are willing and able to partner with us during and after the Incident Response process, we are here for you. Rapid7 does the DFIR heavy lift. You cooperate to eradicate the threat and work to improve your security posture as a result.

Unfortunately, that’s not how all of the market sees it.

How vendors typically provide DFIR

Some managed detection and response (MDR) vendors or managed security services providers (MSSPs) do understand that there’s an R in MDR. Typically, they’ll do a cursory investigation, validation and – if you’re lucky – some form of basic or automated response.

For most, that’s where the R stops. If they can’t handle an emergency breach response situation (or if you’re on your own without any DFIR on staff), you’ll wind up hiring a third-party incident response (IR) consulting service. This will be a service you’ve found, or one that’s required by your cyber insurance provider. Perhaps you planned ahead and pre-purchased an hourly IR retainer.

Either way, how you pay for IR determines your customer experience during “response.” It’s a model designed to maximize provider profits, not your outcomes.

At a glance

IR Consulting Services IR Included in Managed Services
Scope Unbounded Limited to managed services in-scope environments
Time Limit Capped by number of hours or number of incidents Capped by number of hours or number of incidents
Expertise Senior IR Consultants Capped by number of hours or number of incidents
24×7 IR No Yes
Tooling Often will deploy a separate tooling stack, without easy access to historical data Existing tooling, utilizing historical data but potentially lacking in forensic capability
Time to Respond Slower (limited by legal documents, SLAs, lack of familiarity in the customer environment, time for tool deployment) Faster (24×7, uses existing tools, multiple analysts)
Pricing Model Proactively purchased as a retainer or reactively on an hourly basis Included in purchase, up to an arbitrarily defined limit

There’s a good reason DFIR experts are reserved for expensive consulting services engagements. They’re a rare breed.

Most MDR teams can’t afford to staff the same DFIR experts that answer the Breach Response hotline. Security vendors price, package, and deliver these services in a way to reserve their more experienced (and expensive) experts for IR consulting.

Either you purchase Managed Services and expensive IR consulting hours (and play intermediary between these two separate teams), or you settle for “Incident Response lite” from your Managed Services SOC team.

If this seems like a “lesser of two evils” approach with two unappealing options, it is.

The future of incident response has arrived

Over a year ago, Rapid7 merged our Incident Response Consulting Team with our MDR SOC to ensure all MDR customers receive the same high-caliber DFIR expertise as a core capability of our service – no Breach Response hotlines or retainer hours needed.

This single, integrated team of Detection and Response experts started working together to execute on our response mission: early detection and rapid, highly effective investigation, containment, and eradication of threats.

Our SOC analysts are experts on alert triage, tuning, and threat hunting. They have the most up-to-date knowledge of attackers’ current tactics, techniques, and procedures and are extremely well-versed in attacker behavior, isolating malicious activity and stopping it in its tracks. When a minor incident is detected, our SOC analysts begin incident investigation – root cause analysis, malware reverse engineering, malicous code deobfuscation, and more – and response immediately. If the scope becomes large and complex, we (literally) swivel our chair to tap our IR reinforcements on the shoulder.

Senior IR consultants are seasoned DFIR practitioners. They’re also the experts leading the response to major breaches, directing investigation, containment, and eradication activities while clearly communicating with stakeholders on the status, scope, and impact of the incident.

Both teams benefit. The managed services SOC team has access to a world class Incident Response team. And the expert incident response consultants have a global team of (also world class) security analysts trained to assist with forensic investigation and response around the clock (including monitoring the compromised environment for new attacker activity).

Most importantly, our MDR customers benefit. This reimagining of how we work together delivers seamless, effective incident response for all. When every second counts, an organization cannot afford the limited response of most MDR providers, or the delay and confusion that comes with engaging a separate IR vendor.

Grab a coffee, it’s major breach story time

Here’s a real-life example of how our integrated approach works.

In early January, a new MDR client was finishing the onboarding process by installing the Insight Agent on their devices. Almost immediately upon agent installation, the MDR team noticed critical alerts flowing into InsightIDR (our unified SIEM and XDR solution).

Our SOC analysts dug in and realized this wasn’t a typical attack. The detections indicated a potential major incident, consistent with attacker behavior for ransomware. SOC analysts immediately used Active Response to quarantine the affected assets and initiated our incident response process.

The investigation transitioned to the IR team within minutes, and a senior IR consultant (from the same team responsible for leading breach response for Rapid7’s off-the-street or retainer customers) took ownership of the incident response engagement.

After assessing the early information provided by the SOC, the IR consultant identified the highest-priority investigation and response actions, taking on some of these tasks directly and assigning other tasks to additional IR consultants and SOC analysts. The objective: teamwork and speed.

The SOC worked around the clock together with the IR team to search these systems and identify traces of malicious activity. The team used already-deployed tools, such as InsightIDR and Velociraptor (Rapid7’s open-source DFIR tool).

This major incident was remediated and closed within three days of the initial alert, stopping the installation of ransomware within the customer’s environment and cutting out days and even weeks of back-and-forth between the customer, the MDR SOC team, and a third-party Breach Response team.

Now, no limits and a customer experience you’ll love

The results speak for themselves. Not only does the embedded IR model enable each team to reach beyond its traditional boundaries, it brings faster and smoother outcomes to our customers.

And now we’re taking this a step further.

Previously, our MDR services included up to two “uncapped” (no limit on IR team time and resources) Remote Incident Response engagements per year. While this was more than enough for most customers (and highly unusual for an MDR provider), we realized that imposing any arbitrary limits on DFIR put unnecessary constraints on delivering on our core mission.

For this reason, we have removed the Remote Incident Response limits from our MDR service across all tiers. Rapid7 will now respond to ALL incidents within our MDR customers’ in-scope environments, regardless of incident scope and complexity, and bring all the necessary resources to bear to effectively investigate, contain and eradicate these threats.

Making these DFIR engagements – often reserved for breach response retainer customers – part of the core MDR service (not just providing basic response or including hours for a retainer) just raised the “best practices” bar for the industry.

It’s not quite unlimited, but it’s close. The way we see it, we’ll assist with the hard parts of DFIR, while you partner with us to eradicate the threat and implement corrective actions. That partnership is key: Implementing required remediation, mitigation, and corrective actions will help to reduce the likelihood of incident recurrence and improve your overall security posture.

After all, that’s what MDR is all about.

P.S.: If you’re a security analyst or incident responder, we’re hiring!

In addition to providing world-class breach response services to our MDR customers, this new approach makes Rapid7 a great place to work and develop new skills.

Our SOC analysts develop their breach response expertise by working shoulder-to-shoulder with our Incident Response team. And our IR team focuses on doing what they love – not filling out time cards and stressing over their “utilization” as consultants, but leading the response to complex, high-impact breaches and being there for our customers when they need us the most. Plus, with the support and backing of a global SOC, our IR team can actually sleep at night!

Despite the worldwide cybersecurity skills crisis and The Great Resignation sweeping the industry, Rapid7’s MDR team grew by 30% last year with only 5% voluntary analyst turnover – in line with our last three years.

Part of this exceptionally low turnover is due to:

  • Investment in continuing education, diversity, and employee retention benefits
  • A robust training program, clear career progression, the opportunity to level up skills by teaming with IR mentors, and flexibility for extra-curricular “passion project” work (to automate processes and improve aspects of MDR services)
  • Competitive pay, and a focus on making sure analysts are doing work they enjoy day in and day out with a healthy work-life balance (there’s no such thing as a “night shift” since we use a follow-the-sun SOC model)

If you’re a Security Analyst or Incident Responder looking for a new challenge, come join our herd. I think Jeremiah Dewey, VP of Rapid7’s Managed Services, said it best:

“Work doesn’t have to be a soul-sucking, boring march to each Friday. You can follow your passion, have fun in what you’re doing, and be successful in growing your career and growing as a human being.”

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper

Post Syndicated from Carlos Canto original https://blog.rapid7.com/2022/04/25/velociraptor-version-0-6-4-dead-disk-forensics-and-better-path-handling-let-you-dig-deeper-2/

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper

Rapid7 is pleased to announce the release of Velociraptor version 0.6.4 – an advanced, open-source digital forensics and incident response (DFIR) tool that enhances visibility into your organization’s endpoints. This release has been in development and testing for several months now and has a lot of new features and improvements.

The main focus of this release is in improving path handling in VQL to allow for more efficient path manipulation. This leads to the ability to analyze dead disk images, which depends on accurate path handling.

Path handling

A path is a simple concept – it’s a string similar to /bin/ls that can be used to pass to an OS API and have it operate on the file in the filesystem (e.g. read/write it).

However, it turns out that paths are much more complex than they first seem. For one thing, paths have an OS-dependent separator (usually / or \). Some filesystems support path separators inside a filename too! To read about the details, check out Paths and Filesystem Accessors, but one of the most interesting things with the new handling is that stacking filesystem accessors is now possible. For example, it’s possible to open a docx file inside a zip file inside an ntfs drive inside a partition.

Dead disk analysis

Velociraptor offers top-notch forensic analysis capability, but it’s been primarily used as a live response agent. Many users have asked if Velociraptor can be used on dead disk images. Although dead disk images are rarely used in practice, sometimes we do encounter these in the field (e.g. in cloud investigations).

Previously, Velociraptor couldn’t be used easily on dead disk images without having to carefully tailor and modify each artifact. In the 0.6.4 release, we now have the ability to emulate a live client from dead disk images. We can use this feature to run the exact same VQL artifacts that we normally do on live systems, but against a dead disk image. If you’d like to read more about this new feature, check out Dead Disk Forensics.

Resource control

When collecting artifacts from endpoints, we need to be mindful of the overall load that collection will cost on endpoints. For performance-sensitive servers, our collection can cause operational disruption. For example, running a yara scan over the entire disk would utilize a lot of IO operations and may use a lot of CPU resources. Velociraptor will then compete for these resources with the legitimate server functionality and may cause degraded performance.

Previously, Velociraptor had a setting called Ops Per Second, which could be used to run the collection “low and slow” by limiting the rate at which notional “ops” were utilized. In reality, this setting was only ever used for Yara scans because it was hard to calculate an appropriate setting: Notional ops didn’t correspond to anything measurable like CPU utilization.

In 0.6.4, we’ve implemented a feedback-based throttler that can control VQL queries to a target average CPU utilization. Since CPU utilization is easy to measure, it’s a more meaningful control. The throttler actively measures the Velociraptor process’s CPU utilization, and when the simple moving average (SMA) rises above the limit, the query is paused until the SMA drops below the limit.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper
Selecting resource controls for collections

The above screenshot shows the latest resource controls dialog. You can now set a target CPU utilization between 0 and 100%. The image below shows how that looks in the Windows task manager.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper
CPU control keeps Velociraptor at 15%

By reducing the allowed CPU utilization, Velociraptor will be slowed down, so collections will take longer. You may need to increase the collection timeout to correspond with the extra time it takes.

Note that the CPU limit refers to a percentage of the total CPU resources available on the endpoint. So for example, if the endpoint is a 2 core cloud instance a 50% utilization refers to 1 full core. But on a 32 core server, a 50% utilization is allowed to use 16 cores!

IOPS limits

On some cloud resources, IO operations per second (IOPS) are more important than CPU loading since cloud platforms tend to rate limit IOPS. So if Velociraptor uses many IOPS (e.g. in Yara scanning), it may affect the legitimate workload.

Velociraptor now offers limits on IOPS which may be useful for some scenarios. See for example here and here for a discussion of these limits.

The offline collector resource controls

Many people use the Velociraptor offline collector to collect artifacts from endpoints that they’re unable to install a proper client/server architecture on. In previous versions, there was no resource control or time limit imposed on the offline collector, because it was assumed that it would be used interactively by a user.

However, experience shows that many users use automated tools to push the offline collector to the endpoint (e.g. an EDR or another endpoint agent), and therefore it would be useful to provide resource controls and timeouts to control Velociraptor acquisitions. The below screenshot shows the new resource control page in the offline collector wizard.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper
Configuring offline collector resource controls

GUI changes

Version 0.6.4 brings a lot of useful GUI improvements.

Notebook suggestions

Notebooks are an excellent tool for post processing and analyzing the collected results from various artifacts. Most of the time, similar post processing queries are used for the same artifacts, so it makes sense to allow notebook templates to be defined in the artifact definition. In this release, you can define an optional suggestion in the artifact yaml to allow a user to include certain cells when needed.

The following screenshot shows the default suggestion for all hunt notebooks: Hunt Progress. This cell queries all clients in a hunt and shows the ones with errors, running and completed.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper
Hunt notebooks offer a hunt status cell

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper
Hunt notebooks offer a hunt status cell

Multiple OAuth2 authenticators

Velociraptor has always had SSO support to allow strong two-factor authentication for access to the GUI. Previously, however, Velociraptor only supported one OAuth2 provider at a time. Users had to choose between Google, Github, Azure, or OIDC (e.g. Okta) for the authentication provider.

This limitation is problematic for some organizations that need to share access to the Velociraptor console with third parties (e.g. consultants need to provide read-only access to customers).

In 0.6.4, Velociraptor can be configured to support multiple SSO providers at the same time. So an organization can provide access through Okta for their own team members at the same time as Azure or Google for their customers.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper
The Velociraptor login screen supports multiple providers

The Velociraptor knowledge base

Velociraptor is a very powerful tool. Its flexibility means that it can do things that you might have never realized it can! For a while now, we’ve been thinking about ways to make this knowledge more discoverable and easily available.

Many people ask questions on the Discord channel and learn new capabilities in Velociraptor. We want to try a similar format to help people discover what Velociraptor can do.

The Velociraptor Knowledge Base is a new area on the documentation site that allows anyone to submit small (1-2 paragraphs) tips about how to do a particular task. Knowledge base tips are phrased as questions to help people search for them. Provided tips and solutions are short, but they may refer users to more detailed information.

If you learned something about Velociraptor that you didn’t know before and would like to share your experience to make the next user’s journey a little bit easier, please feel free to contribute a small note to the knowledge base.

Importing previous artifacts

Updating the VQL path handling in 0.6.4 introduces a new column called OSPath (replacing the old FullPath column), which wasn’t present in previous versions. While we attempt to ensure that older artifacts should continue to work on 0.6.4 clients, it’s possible that the new VQL artifacts built into 0.6.4 won’t work correctly on older versions.

To make migration easier, 0.6.4 comes built in with the Server.Import.PreviousReleases artifact. This server artifact will load all the artifacts from a previous release into the server, allowing you to use those older versions with older clients.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper
Importing previous versions of core artifacts

Try it out!

If you’re interested in the new features, take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing [email protected] You can also chat with us directly on our discord server.

Learn more about Velociraptor by visiting any of our web and social media channels below:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightVM and Nexpose: Q1 2022 in Review

Post Syndicated from Roshnee Mistry Shah original https://blog.rapid7.com/2022/04/19/whats-new-in-insightvm-and-nexpose-q1-2022-in-review/

What's New in InsightVM and Nexpose: Q1 2022 in Review

The world of cybersecurity never has a dull moment. While we are still recovering from the aftermath of Log4Shell, the recent ContiLeaks exposed multiple vulnerabilities that have been exploited by the Conti ransomware group. It’s critical for your team to identify the risk posed by such vulnerabilities and implement necessary remediation measures. As you will see, the product updates our vulnerability management (VM) team has made to InsightVM and Nexpose in the last quarter will empower you to stay in charge — not the vulnerabilities.

But that’s not all we’ve improved on. We’ve increased the scope of vulnerabilities tracked by incorporating CISA’s known exploited vulnerabilities (KEV) in the Threat Feed, usability enhancements, targeted reporting and scanning, and Log4Shell mitigation checks. And we’ve released our annual Vulnerability Intelligence Report to help you make sense of the vulns that impacted us last year and understand the trends that we will all be facing this year. Our team also offers practical guidance to help the security teams better protect themselves.

Let’s dive into the key feature releases and updates on the vulnerability management front for Q1 2022.

CISA’s KEV list: Detect, prioritize, and meet regulatory compliance

[InsightVM] ContiLeaks Helpful Query to easily detect ContiLeaks vulns and ensure compliance

CISA’s KEV catalog is part of the agency’s binding operative directive that has reporting requirements for federal agencies and civilian contractors. The recent ContiLeaks revealed over 30 vulns that are now a part of CISA’s KEV. While users could always build a query in IVM to identify these vulns, doing so is time-consuming and can be prone to error. The ContiLeaks Helpful Query takes out the manual effort  and lets customers easily locate 30+ ContiLeaks vulnerabilities in their environments. When the query is loaded into our Specific Vulnerability Dashboard template, it can give an at-a-glance view of the company’s risk posture as it relates to the Conti threat. In addition to helping customers identify the exploited vulnerabilities in their environment, the update will also help them stay within the bounds of CISA’s operative directive.

What's New in InsightVM and Nexpose: Q1 2022 in Review

What's New in InsightVM and Nexpose: Q1 2022 in Review

[InsightVM] Threat feed dashboard now includes CISA’s KEV catalog

While we are on the topic of CISA, you will be excited to learn that we have expanded the scope of vulnerabilities tracked to incorporate CISA’s KEV catalog in the InsightVM Threat Feed Dashboard, including the Assets With Actively Targeted Vulnerabilities card and the Most Common Actively Targeted Vulnerabilities card. The CISA inclusion makes it easy to see how exposed your organization is to active threats and inform prioritization decisions around remediation efforts.

We have also added a new “CISA KEV (known exploited vulnerability)” vulnerability category to allow for more targeted scanning (i.e. scanning the environment for CISA KEV entries only). You can also use the CISA KEV category to filter scan reports.

What's New in InsightVM and Nexpose: Q1 2022 in Review

Improvements to credentials

[Insight VM and Nexpose] A new credential type to support scanning Oracle Databases by Service Name

InsightVM and Nexpose customers have always been able to scan Oracle databases using SIDs (system identifiers) but were previously unable to provide a Service Name in the credential. This meant a gap in visibility for Oracle databases that could only be accessed via their Service Name. We were not happy with this limitation. Now, you now configure Oracle Database scans to specify a Service Name instead of an SID (you can still use the SID, if you want!) when authenticating. You now have the visibility into a wider range of deployment configurations of Oracle Database and the ability to configure scan using Service Name or SID.

What's New in InsightVM and Nexpose: Q1 2022 in Review

[Insight VM and Nexpose] Automatic Scan Assistant credentials generation

Last year, we introduced Scan Assistant, which alleviates the credential management (for Scan Engine) burden on vulnerability management teams. For the Scan Assistant to communicate with the Scan Engine, it requires digital certificates to be manually created and deployed on both the target assets and the Nexpose / IVM Security Console. Manually creating the public / private key pair is a complex and error-prone process.

With this update, we are taking some more burden off the vulnerability management teams. You can now use the Shared Credentials management UI to automatically generate Scan Assistant credentials. This not only reduces the technical expertise and time required to manage Scan Assistant credentials but also makes for a user-friendly experience for you.

Learn more in our recent blog post on passwordless scanning.

What's New in InsightVM and Nexpose: Q1 2022 in Review

[Insight VM and Nexpose] Log4Shell mitigation checks

The product improvements list would be incomplete without an update on Log4Shell.

If you are vulnerable to Log4Shell, you can edit the JAR files on a system to take out the vulnerable code and thus not get exploited. However, it is difficult to keep a check on this manually. This update adds that extra capability to not only look at the version of Log4j that was present in your environment but also check if it has been mitigated — i.e., if the vulnerable code is removed.

Authenticated scans and Agent-based assessments can now determine whether the JNDILookup class removal mitigation for Log4Shell has been applied to Log4j JAR files on Windows systems. This will reduce the number of reports of the vulnerability on systems that are not exploitable. We also added an Obsolete Software vulnerability check for Log4j 1.x, which will let you find obsolete versions of Log4j in your environment.

Stay in charge

As always, we hope these updates will make it easier for you to stay ahead of vulnerabilities.

It almost felt like the quarter might end on a calm note, but then the world of cybersecurity never has a dull moment. The end of the quarter saw Spring4Shell, another zero-day vulnerability in the Spring Core module of Spring Framework. Learn more about Rapid7 response to this vulnerability and how we are working around the clock to help our customers protect their own environments from Spring4Shell.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Let’s Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2022/04/15/lets-dance-insightappsec-and-tcell-bring-new-devsecops-improvements-in-q1/

To the left, to the left, to the right, right — the CI/CD Pipeline is on the move.

Let's Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1

DevSecOps is all about adding security across the application lifecycle. A popular approach to application security is to shift left, which means moving security earlier in the software development lifecycle (SDLC). This makes sense: If you find a critical security bug in production, it costs a lot more to resolve it than if you found it in development.

In Q1 2022, we’ve continued to invest in improvements to InsightAppSec and tCell that help organizations shift left and automate security testing prior to production deployment. And at the same time, we’ve made other enhancements to make your life easier. Oh… and we added new attacks and blocking rules for Spring4Shell.

Shifting app security testing left in the CI/CD pipeline

Your development teams are innovating and releasing features and new experiences faster than ever before. Manual testing can no longer keep up with the speed of innovation. Taking a DevSecOps approach means baking security across the application lifecycle and includes shifting left whenever possible.

Dynamic application security testing (DAST) solutions simulate attacks just like the attackers, and they’re known for their accuracy and coverage across a wide range of technologies. However, traditional DAST solutions have struggled to work with modern applications and software development methodologies.

Since the launch of InsightAppSec — Rapid7’s industry leading cloud-native DAST — we’ve focused on providing coverage of modern applications, as well as being able to integrate as far left as the build process.

“Our app developers don’t need to come to me, they don’t need to come to our team, they don’t need to send emails. They don’t need to go through any formalities. When they commit code, the scan happens automatically. And, we created the metrics. So, if they see high-rated vulnerabilities they cannot push to production. The code will get blocked and they have to remediate it.”

– Midhun Kumar, Head of Infrastructure and Cloud Operations, Pearl Data Direct

Building on the success of our Jenkins Plugin, Atlassian Bamboo Plugin, and Azure DevOps CI/CD integrations, we recently added native GitHub Actions and GitLab CI/CD integrations into InsightAppSec.

GitHub

GitHub Actions allows development teams to automate software workflows. With our new InsightAppSec Scan Action for GitHub, you can easily pull down the repo and add it to your DevOps pipelines. As part of your actions, you can trigger the InsightAppSec scan and have the results passed back into GitHub actions. If you want, you can add scan gating to prevent vulnerable code from being deployed to production.

This is available for no additional cost in the GitHub Marketplace.

GitLab

GitLab CI/CD can automatically build, test, deploy, and monitor your applications. With our new InsightAppSec Scan Job, you can add a Docker command in your pipeline to trigger a scan. The results are sent back, and you can add scan gating to prevent vulnerable code from being deployed to production.

The feature is available for no additional cost, and we have resources to help you learn how to setup the GitLab integration.

Spring4Shell testing and protection

CVE-2022-22965, a zero-day vulnerability announced on April 1st, is no April Fools’ Day joke. While it’s not as dreadful as Log4Shell, it should still be patched, and there are reports of the Spring4Shell flaw being used to install the Mirai Botnet malware.

To help our customers secure their applications and understand their risk from Spring4Shell, Rapid7 released new capabilities, including:

  • New RCE Attack Module for Spring4Shell (InsightAppSec)
  • New Block Rule for Spring4Shell (tCell)
  • New Detection of CVE-2022-22965 in running applications (tCell)

Other enhancements

InsightAppSec comes with the ability to create custom dashboards to quickly view and get insights on the risk and status of your program. Relying on feedback from customers, we recently added the ability to create dashboards based on certain apps or groups of apps. This allows you to quickly view risk in context of what matters.

Customers often like to manage their applications at scale, and one of the easiest ways to do that is via the tCell API. Significant feature enhancements include App Firewall event and block rules, OS commands, Local Files, suspicious actors, and more have all been added or updated. Check out our API documentation.

Rapid7’s application security portfolio can help you shift left as well as shift right, depending on your needs and the status of your program. You can integrate InsightAppSec DAST into your CI/CD pipelines before deployment to production. And with tCell, you can add web application and API protection for your production environments.

Stay tuned for all we have in store in Q2!

Additional reading

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightIDR: Q1 2022 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/04/05/whats-new-in-insightidr-q1-2022-in-review/

Introducing new InsightIDR capabilities to accelerate your detection and response program

What's New in InsightIDR: Q1 2022 in Review

When we talk to customers and security professionals about what they need more of in their security operations center (SOC), there is one consistent theme: time. InsightIDR — Rapid7’s leading cloud SIEM and XDR — helps teams cut through the noise and accelerate their detection and response, without sacrificing comprehensive coverage across modern environments and advanced attacks. This Q1 2022 recap post digs into some of the latest investments we’ve made to drive tangible time savings for customers, while still leveling up your detection and response program with InsightIDR.

New InsightIDR Detections powered by Threat Command by Rapid7’s TIP Threat Library

Following Rapid7’s 2021 acquisition of IntSights and their leading external threat intelligence solution, Threat Command, we are excited to provide InsightIDR customers with new built-in threat intelligence via Threat Command’s threat intelligence platform (TIP).

We have integrated Threat Command’s TIP ThreatLibrary into InsightIDR, bringing its threat intelligence content into our detection library to ensure Rapid7 InsightIDR and Managed Detection and Response (MDR) customers have the most up-to-date and comprehensive detection coverage, more visibility into new IOCs, and continued strength around signal-to-noise.

Using the combined threat intelligence research teams across Rapid7 Threat Command and our services organization, this content will be maintained and updated across the platform – ensuring our customers get real-time protection from evolving threats.

What's New in InsightIDR: Q1 2022 in Review

InsightIDR delivers superior signal-to-noise in latest MITRE Engenuity ATT&CK evaluation

We’re excited to share that InsightIDR has successfully completed the 2022 MITRE Engenuity ATT&CK Evaluation, which focused on how adversaries abuse data encryption for exploitation and/or ransomware. This evaluation tested InsightIDR’s EDR capabilities (powered by our native endpoint agent, the Insight Agent) and our ability to detect these advanced attacks. A few key takeaways and result highlights:

  • InsightIDR demonstrated solid visibility across the cyber kill chain – with visibility across 18 of the 19 phases covered across both simulations.
  • Consistently identified threats early, with alerts firing in the first phase – Initial Compromise – for both the Wizard Spider and Sandworm attacks.
  • Showcased our commitment to signal-to-noise – with targeted and focused detections across each phase of the attack (versus firing loads of alerts for every minute substep).

As our customers know, EDR is just one component of the detection coverage unlocked with InsightIDR. While beyond the scope of this evaluation, beyond endpoint coverage, InsightIDR delivers defense in depth across users and log activity, network, and cloud. Learn more about InsightIDR’s MITRE evaluation results in our recent blog post.

Investigate in seconds with Quick Actions powered by InsightConnect

InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button.

Quick Actions are pre-configured automation actions that customers can run within their InsightIDR instance to get the answers they need fast and make the investigative process more efficient, and there’s no configuration required. Some Quick Actions use cases include:

  • Threat hunting within log search. Use the “Look Up File Hash with Threat Crowd” quick action to learn more about a hash within an endpoint log. If the output of the quick action finds the file hash is malicious, you can choose to investigate further.
  • More context around alerts in Investigations. Use the “Look Up Domain with WHOIS” quick action to receive more context around an IP associated with an alert in an investigation.



What's New in InsightIDR: Q1 2022 in Review

More customizability with AWS GuardDuty detection rules

We now have over 100 new AWS GuardDuty Attacker Behavior Analytics (ABA) detection rules to provide significantly more customization and tuning ability for customers compared to our previous singular third-party AWS GuardDuty UBA detection rule. With these new ABA alerts, it’s possible to set rule actions, tune rule priorities, or add an exception on each individual GuardDuty detection rule.

What's New in InsightIDR: Q1 2022 in Review

New pre-built CIS control dashboards and overall dashboard improvements

We’re continually expanding our pre-built dashboard library to allow users to easily visualize their data within the context of common frameworks.

The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. We know CIS is one of the most common security frameworks our customers consider, so we’ve recently added 3 new CIS control dashboards that cover CIS Control 5: Account Management, CIS Control 9: Email and Web Browser Protections, and CIS Control 10: Malware Defenses.

What's New in InsightIDR: Q1 2022 in Review

We also continue to make changes and additions to our overall Dashboard capabilities. Within the card builder, we’ve added the ability to:

  • Change chart colors
  • Add a chart caption
  • Swap between linear and logarithmic scale for charts
  • Add data labels on top of dashboard charts

Continuous improvements to Investigation Management

Another area we are continuously making improvements in is Investigation Management. A huge part of this ongoing development is customer feedback, and over the last quarter, we’ve made some additions to the experience based on just that. We’ve added:

  • New filters for alert type, MITRE ATT&CK tactic, and investigation type to provide more options when it comes to tailoring the list view of investigations
  • The new “notes count” feature, which allows customers to save time and track the status of an ongoing collaboration within an investigation
  • Improvements to the bulk-close feature within Investigation Management, and new progress banners so you can easily track the status of each bulk-close request
What's New in InsightIDR: Q1 2022 in Review

Other updates

  • New CATO Networks event source can now be configured to send InsightIDR WAN firewall and internet firewall data.
  • Log Search Syntax Highlighting applies different colors and formatting to the distinct components of a LEQL query (such as the search logic and values) to improve overall readability and provide an easy way to identify potential errors within queries.
  • New curated IDS Rules powered by the Insight Network Sensor help you detect activity associated with thousands of common pieces of malware.
  • Insight Network Sensor management page updates make it easier to deploy and maintain your fleet of Network Sensors. We’ve rebuilt the sensor management page to better surface critical configuration statuses, diagnostic information, and links to support documentation.
What's New in InsightIDR: Q1 2022 in Review

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

InsightAppSec GitHub Integration Keeps Risky Code From Reaching Production

Post Syndicated from Nate Crampton original https://blog.rapid7.com/2022/03/02/insightappsec-github-integration-keeps-risky-code-from-reaching-production/

InsightAppSec GitHub Integration Keeps Risky Code From Reaching Production

We’ve all been there. The software development life cycle (SDLC) is moving at a mile a minute. Developers are writing code, updating features, and all the while attempting to keep everything introduced into production as safe and secure as possible. GitHub Actions are essential to automation and allow you to build, test, and deploy your code right from GitHub, faster than ever.

But it comes with risks.

How can you be sure your running applications aren’t vulnerable to exploitation? How will we know it’s problematic before it gets into production? Can we realistically perform kick-off, test, and provide feedback to development not using automation?

Secure apps through automation

A DevSecOps mindset is needed, with security baked into the SDLC — and now, GitHub Actions makes this easier than ever. This new integration — offered completely free to InsightAppSec customers — allows security and development teams to automate dynamic application security testing (DAST) as part of the CI/CD build pipeline workflow. For example, you can easily configure the integration to scan your team’s work for vulnerabilities, and if high-severity vulnerabilities are found, you can have it notify and/or block risky code before it reaches production environments.

Here’s how it works:

InsightAppSec GitHub Integration Keeps Risky Code From Reaching Production

All this happens automatically, so your team isn’t spending time finding and communicating application risk — they’re focusing on building a great application security program.

That’s not where the benefits end, however.

1) It helps integrate DevOps into the Security workflow: In order to help build a Dev SecOps mindset across teams, this integration allows DevOps and Security teams to work together earlier in the lifecycle, improving cross-team outcomes and making your organization safer.

2) Automate DAST as part of your CI/CD workflow: This integration fits in seamlessly with what you’re already doing, and automatically provides the vulnerability information your teams need to stay aware of risk and keep unsafe code out of your prod environments.

3) Quick and easy setup: Simply add the IAS Scan steps to your build pipeline as defined in the insightappsec-scan-github-action repo (assuming you have valid Github and InsightAppSec licenses).

And it is all for free. We’re continuously working to make InsightAppSec the easiest and most powerful security platform for your web applications and teaming with Github will supercharge your development lifecycle in the safest way possible, automatically.

Want to learn more? Here’s what you need to know about this integration.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Velociraptor Version 0.6.3: Dig Deeper With More Speed and Scalability

Post Syndicated from Carlos Canto original https://blog.rapid7.com/2022/02/03/velociraptor-version-0-6-3-dig-deeper-with-more-speed-and-scalability/

Velociraptor Version 0.6.3: Dig Deeper With More Speed and Scalability

Rapid7 is very excited to announce the latest Velociraptor release 0.6.3. This release has been in the making for a few months now and has several exciting new features.

Scalability and speed have been the main focus of development since our previous release. Working with some of our larger partners on scaling Velociraptor to a large number of endpoints, we’ve addressed a number of challenges that we believe have improved Velociraptor for everyone at any level of scale.

Performance running on EFS

Running on a distributed filesystem such as EFS presents many advantages, not the least of which is removing the risk that disk space will run out. Many users previously faced disk full errors when running large hunts and accidentally collecting too much data from endpoints. Since Velociraptor is so fast, it’s quite easy to do a hunt collecting a large number of files, but before you know it, the disk may be full.

Using EFS removed this risk, since storage is essentially infinite (but not free). So there is a definite advantage to running the data store on EFS even when not running multiple frontends. When scaling to multiple frontends, EFS use is essential to facilitate a shared distributed filesystem among all the servers.

However, EFS presents some challenges. Although conceptually EFS behaves as a transparent filesystem, in reality the added network latency of EFS IO has caused unacceptable performance issues.

In this release, we employed a number of strategies to improve performance on EFS — and potentially other distributed filesystems, such as NFS. You can read all about the new changes here, but the gist is that added caching and delayed writing strategies help isolate the GUI performance from the underlying EFS latency, making the GUI snappy and quick even with slow filesystems.

We encourage everyone to test the new release on an EFS backend, to assess the performance on this setup — there are many advantages to this configuration. While this configuration is still considered experimental, it’s running successfully in a number of environments.

Searching and indexing

More as a side effect of the EFS work, Velociraptor 0.6.3 moves the client index into memory. This means that searching for clients by DNS name or labels is almost instant, significantly improving the performance of these operations over previous versions.

VQL queries that walk over all clients are now very fast as well. For example, the following query iterates over all clients (maybe thousands!) and checks if their last IP came from a particular subnet:

SELECT * , split(sep=":", string=last_ip)[0] AS LastIp
FROM clients()
WHERE cidr_contains(ip=LastIp, ranges="192.168.1.0/16")

This query will complete in a few seconds even with a large number of clients.

The GUI search bar can now search for IP addresses (e.g. ip:192.168*), and the online only filter is much faster as a result.

Velociraptor Version 0.6.3: Dig Deeper With More Speed and Scalability
Searching is much faster

Another benefit of rapid index searching is that we can now quickly estimate how many hosts will be affected by a hunt (calculated based on how many hosts are included and how many are excluded from the hunt). When users have multiple label groups, this helps to quickly understand how targeted a specific hunt is.

Velociraptor Version 0.6.3: Dig Deeper With More Speed and Scalability
Estimating hunt scope

Regular expressions and Yara rules

Velociraptor artifacts are just a way of wrapping a VQL query inside a YAML file for ease of use. Artifacts accept parameters that are passed to the VQL itself, controlling how it runs.

Velociraptor artifacts accept a number of parameters of different types. Sometimes, they accept a windows path — for example, the Windows.EventLogs.EvtxHunter artifact accepts a Windows glob path like %SystemRoot%\System32\Winevt\Logs\*.evtx. In the same artifact, we also can provide a PathRegex, which is a regular expression.

A regular expression is not the same thing as a path at all. In fact, when users get mixed up providing something like C:\Windows\System32 to a regular expression field, this is an invalid expression — backslashes have a specific meaning in a regular expression.

In 0.6.3, there are now dedicated GUI elements for Regular Expression inputs. Special regex patterns, such as backslash sequences, are visually distinct. Additionally, the GUI verifies that the regex is syntactically correct and offers suggestions. Users can type ? to receive further regular expression suggestions and help them build their regex.

Velociraptor Version 0.6.3: Dig Deeper With More Speed and Scalability
Entering regex in the GUI

To receive a RegEx GUI selector in your custom artifacts, simply denote the parameter’s type as regex.

Similarly, other artifacts require the user to enter a Yara rule to use the yara() VQL plugin. The Yara domain specific language (DSL) is rather verbose, so even for very simple search terms (e.g. a simple keyword search) a full rule needs to be constructed.

To help with this task, the GUI now presents a specific Yara GUI element. Users can press ? to automatically fill in a skeleton Yara rule suitable for a simple keyword match. Additionally, syntax highlighting gives visual feedback to the validity of the yara syntax.

Velociraptor Version 0.6.3: Dig Deeper With More Speed and Scalability
Entering Yara Rules in the GUI

Some artifacts allow file upload as a parameter to the artifact. This allows users to upload larger inputs, for example a large Yara rule-set. The content of the file will be made available to the VQL running on the client transparently.

To receive a RegEx GUI selector in your custom artifacts, simply denote the parameter’s type as yara. To allow uploads in your artifact parameters simply denote the parameter as an upload type. Within the VQL, the content of the uploaded file will be available as that parameter.

Overriding Generic.Client.Info

When a new client connects to the Velociraptor server, the server performs an Interrogation flow by scheduling the Generic.Client.Info artifact on it. This artifact collects basic metadata about the client, such as the type of OS it is, the hostname, and the version of Velociraptor. This information is used to feed the search index and is also displayed in the “VQL drilldown” page of the Host Information screen.

In the latest release, it’s possible to customize the Generic.Client.Info artifact, and Velociraptor will use the customized version instead to interrogate new clients. This allows users to add more deployment specific collections to the interrogate flow and customize the “VQL drilldown” page. Simply search for Generic.Client.Info in the View Artifact screen, and customize as needed.

Root certificates are now embedded

By default, Golang searches for root certificates from the running system so it can verify TLS connections. This behavior caused problems when running Velociraptor on very old unpatched systems that did not receive the latest Let’s Encrypt Root Certificate update. We decided it was safer to just include the root certs in the binary so we don’t need to rely on the OS itself.

Additionally, Velociraptor will now accept additional root certs embedded in its config file — just add all the certs in PEM format under the Client.Crypto.root_certs key in the config file. This helps deployments that must use a MITM proxy or traffic inspection proxies.

When adding a Root Certificate to the configuration file, Velociraptor will treat that certificate as part of the public PKI roots — therefore, you’ll need to have Client.use_self_signed_ssl as false.

This allows Velociraptor to trust the TLS connection — however, bear in mind that Velociraptor’s internal encryption channel is still present. The MITM proxy won’t be able to actually decode the data or interfere with the communications by injecting or modifying data. Only the outer layer of TLS encryption can be stripped by the MITM proxy.

VQL changes

Glob plugin improvements

The glob plugin now has a new option: recursion_callback. This allows much finer control over which directories to visit making file searches much more efficient and targeted. To learn more about it, read our previous Velociraptor blog post “Searching for Files.”

Notable new artifacts

Many people use Velociraptor to collect and hunt for data from endpoints. Once the data is inspected and analyzed, often the data is no longer needed.

To help with the task of expiring old data, the latest release incorporates the Server.Utils.DeleteManyFlows and Server.Utils.DeleteMonitoringData artifacts that allow users to remove older collections. This helps manage disk usage and reduce ongoing costs.

Try it out!

If you’re interested in the new features, take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing [email protected]. You can also chat with us directly on our discord server.

Learn more about Velociraptor by visiting any of our web and social media channels below:

Dig Deeper!

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

2021 Cybersecurity Superlatives: An InsightIDR Year in Review

Post Syndicated from KJ McCann original https://blog.rapid7.com/2022/01/31/2021-cybersecurity-superlatives-an-insightidr-year-in-review/

2021 Cybersecurity Superlatives: An InsightIDR Year in Review

We laughed, we cried, we added over 750 new detections. It’s been a rollercoaster of a year for everyone. So let’s have some fun with our 2021 year in review — shall we?

The last year was an exciting one for InsightIDR, Rapid7’s industry-leading extended detection and response (XDR) and SIEM solution. We used the past 12 months to continually invest in the product to help customers level up their security programs and achieve success in their desired outcomes. A major highlight for InsightIDR was being named as a Leader in the 2021 Gartner Magic Quadrant for SIEM for the second year in a row. We are honored to be recognized as one of the six 2021 Magic Quadrant Leaders — and in celebration, we’d like to announce a few awards ourselves for 2021, high-school-superlative style.

Presenting our 2021 superlatives (drum roll, please)…

Most likely to be overworked: Cybersecurity professionals

“We need more time!” exhausted cybersecurity specialists shout into the void. Luckily, we deployed our Insight Agent into the void, so we heard you. While we were in there, we also picked up the following alerts:

  • There aren’t enough people to do it all.
  • More than 3 out of 4 CISOs have 16 or more cybersecurity products, and 12% have 46 or more (my head is spinning).
  • It is getting more difficult to recruit and hire new professionals onto security teams.
  • The workload is growing, and teams are suffering from burnout.

We heard the problem — and took action with our products. Our product updates focused on the following:

  • Improved detection and response capabilities: We added strong detections with a more comprehensive view of threats.
  • Greater efficiency: We helped teams cut down the number of disparate tools and events they have to manage, providing automation and leveling up analysts by giving them embedded guidance and a common experience.
  • Improved scale and agility: When your organization evolves and grows, so do we.
  • Customization: Every environment is unique, and we want to make sure InsightIDR not only works well but works the way you want it.

All sounds good, right? Let’s keep going down the list to see how we continued to evolve our product to align these themes.

Most likely to (help you) succeed: MITRE ATT&CK mapping in InsightIDR

Red pill or blue pill… Psych! They are both the same pill. Welcome to the matrix — the MITRE ATT&CK matrix, that is.

As of Q4 2021, all of our Attacker Behavior Analytics (ABA) map to the ATT&CK framework in InsightIDR.

OK, great… so what does that mean for you?

MITRE ATT&CK matrix for detection rules: Within the Detection Rules tab, you now have a direct view into where you have coverage with Rapid7’s out-of-the-box detection library across common attacker tactics and techniques, and you can also quickly unlock more context and intelligence about detections.

Refreshed Investigation Management experience: Now, you can click into the new MITRE ATT&CK tab of the Evidence panel in Investigation to see descriptions of each tactic, technique, and sub-technique curated by MITRE. Then go directly to attack.mitre.org for more information.

Learn more about InsightIDR and the MITRE ATT&CK matrix.

Best glow-up: Our Investigation Management experience

A security analyst’s time is precious and limited. That’s why we upgraded our Investigation Management experience to help you manage, prioritize, and triage investigations faster. Make sure you check out the following:

  • A revamped user interface with expandable cards displaying investigation information
  • The ability to view, set, and update the priority, status, or disposition of an investigation
  • Filtering by the following fields: date range, assignee, status, priority level
  • That sweet MITRE integration we talked about earlier

Most sophisticated: Our customization capabilities

InsightIDR customers now have more customization and increased visibility for ABA detections. We’re continuing to make improvements and additions to our detections management experience.

  • Detection rules: Filter detection rules by threat group, rule behavior, and attributes for more visibility into your alerts and investigations.
  • Create exceptions to a detection rule: With exceptions for ABA alerts, you can filter out noise very precisely using data from the alert.
  • New detection rules management interface: With this new interface, you can see a priority field for each detection provided by InsightIDR with new actions available.
  • Customizable priorities for UBA detection rules and custom alerts: Associate a rule priority (Critical, High, Medium, or Low) for all UBA and custom alert detection rules.
  • A simplified way to create exceptions: We added a new section to detection rule details within “create exception” to better inform on which data to write exceptions against. So now, when you go to write exceptions, you have all the information you may need within one window.

Most likely to brighten up your day: Pre-built dashboards and enhanced search capabilities

InsightIDR’s Dashboard Library has a growing repository of pre-built dashboards to save you time and eliminate the need for you to build them from scratch. Our pre-built dashboards are accessible to all users. We added the following dashboards to provide you with immediate value, out of the box.

  • Compliance (PCI, HIPAA, ISO)
  • General Security (Firewall, Asset Authentication)
  • Security Tools (Okta, Palo Alto, Crowdstrike)
  • Enhanced Network Traffic Analysis
  • Cloud Security

Check out the whole dashboard library here.

Speaking of saving time, we continued to make investments in Log Search to make searching for actionable information faster and easier for customers. Spend less time searching and more time fighting off the bad guys. You’ve never seen Spiderman spend an hour searching an address in a phone book, have you?

Power couple: IntSights Threat Intelligence and Rapid7’s Insight Platform

This year Rapid7 acquired IntSights, a leading provider of external threat intelligence and remediation. Their flagship external threat intelligence product, Threat Command, is now part of our Rapid7 portfolio.

Threat Command allows any SecOps team, regardless of size or capability maturity, to expand identification and remediation across an ever-expanding attack surface, while automating threat mitigation.

IntSights is already leveling up threat intelligence at Rapid7 — and we are so excited for more synergies on the road ahead in 2022.

We know this romance is going to last. Congrats to the lovely couple!

Brightest future: Rapid7 customers

Our 2022 New Year’s resolution is to not just be your technology vendor but to be your strategic partner. Complacency is not in our vocabulary, so make sure you keep up to date with all of our upcoming releases as we continue to level up your InsightIDR experience with more capabilities, context, customization while keeping our intuitive user experience.

Our customers’ outcomes define our success, and we wouldn’t have it any other way. We are looking forward to accelerating together.

Have a great year!

Additional reading

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

A December to Remember — Or, How We Improved InsightAppSec in Q4 in the Midst of Log4Shell

Post Syndicated from Tom Caiazza original https://blog.rapid7.com/2022/01/12/a-december-to-remember-or-how-we-improved-insightappsec-in-q4-in-the-midst-of-log4shell/

A December to Remember — Or, How We Improved InsightAppSec in Q4 in the Midst of Log4Shell

Ho, ho, holy cow — what a wild way to wrap up the year that was. Thousands of flights were cancelled during Christmas week, nearly every holiday party became a super-spreader event, and we lost a legend in Betty White. In our neck of the woods, Log4Shell has been dominating the conversation for nearly the entire holiday season. But now that much of the initial fervor has passed, we wanted to take a moment to recap some of InsightAppSec and tCell’s Q4 highlights and give us all a little much-deserved break from the madness.

RBAC

It may not seem like much, but remote-based access control — or RBAC— is a game-changer for many teams looking to streamline their access to InsightAppSec. Essentially, we make it super simple to configure access to the platform perfectly for every member of your team, create tiers of accessibility for different job roles, and ensure everyone has exactly what they need to do their jobs on day one.

Included is a new pre-built remediator role, which was designed to only show developers what they need in order to address a that vulnerability. They can drill into it, see reference details and remediation steps, and replay the attack in their dev or staging environments, all in an easy, navigable interface. This new role helps prevent the back-and-forth between security and development passing vulnerability details.

The key to our new feature is scalability. Regardless of whether you have a team of 10 or a team of 1,000, each group will only have the permissions they need to view the data you want them to see — all without the back-and-forth that comes with creating permissions ad hoc. It’s a time-saver, for sure, but it can also reduce headaches and make costly mistakes far less likely. If you want to learn more check out our blog post on the subject (it’s got a cute Goldilocks theme — you’ll get the drift).

ServiceNow

Oh, yeah, we’re fully integrated with ServiceNow. It’s just a leader in IT service management, and InsightAppSec is fully integrated, working seamlessly, and available in the ServiceNow app store for, like, zero dollars. No biggie.

This integration offers a lot of great features that will save your team time and effort, improving everything from visibility, to prioritization, to remediation. In fact, remediation will happen even faster than it already does with updates automatically happening across both ServiceNow and InsightAppSec tickets. And it’s so simple and quick to install, you’ll be benefiting from it in minutes. Oh, and did we mention zero dollars?

Log4Shell

OK, break’s over. Yes, we made many improvements to InsightAppSec this quarter, but we would be remiss if we didn’t mention the ones we made for Log4Shell. The big one is a new InsightAppSec default attack template for Out of Band Injection specific to Log4Shell attacks. Attack templates are InsightAppSec’s bread and butter, testing every part of your application against known attack vectors. With this feature, we have an attack template that can automate a sophisticated attack by simulating an attacker on your website and injects code in your application. If the code is vulnerable, it calls a Log4j function to send a JNDI call to a Rapid7 server validating the exploitability of the application. This helps you identify and prioritize Log4Shell vulnerabilities before they become real threats.

For even more flexibility, we’ve added an attack module that actually does the out-of-band Log4Shell attack during testing. You can easily select this in the Log4Shell attack template, but you can can also create a custom template and add the new Log4Shell attack module to that.

We’ve also improved tCell’s ability to protect against Log4Shell attacks. We launched a new app firewall protection specifically for Log4Shell attacks. The new firewall lets our customers know if their apps have been attacked through the Log4Shell vulnerability and drill down to specifics on the attack. We’ve also created a default pattern that allows you to block well known Log4Shell patterns and as more become known, we will continue our updates.

Even more

While these were just a few of the major improvements we made to InsightAppSec and tCell this quarter, there were certainly a host of minor ones that are sure to make the platform easier and more efficient. They include custom NGINX builds and support for .Net 6.0 for tCell, Archiving Scan Targets, and customizing executive reports for InsightAppSec, among others.

Those are the highlights from the fourth quarter of 2021 from here in InsightAppSec-land. We’re well on our way to making Q1 2022 even better for our customers, though we can’t do anything about those flight cancellations. And while we’re at it, someone check on Keith Richards.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightIDR: Q4 2021 in Review

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2022/01/06/whats-new-in-insightidr-q4-2021-in-review/

What's New in InsightIDR: Q4 2021 in Review

More context and customization around detections and investigations, expanded dashboard capabilities, and more.

This post offers a closer look at some of the recent releases in InsightIDR, our extended detection and response (XDR) solution, from Q4 2021. Over the past quarter, we delivered updates to help you make more informed decisions, accelerate your time to respond, and customize your detections and investigations. Here’s a rundown of the highlights.

More customization options for your detection rules

InsightIDR provides a highly curated detections library, vetted by the security and operations center (SOC) experts on our managed detection and response (MDR) team — but we know some teams may want the ability to fine tune these even further. In our Q3 wrap-up, we highlighted our new detection rules management experience. This quarter, we’ve made even more strides in leveling up our capabilities around detections to help you make more informed decisions and accelerate your time to respond.

What's New in InsightIDR: Q4 2021 in Review
Attacker Behavior Analytics Detection Rules viewed and sorted by rule priority

  • New detection rules management interface: With this new interface, you can see a priority field for each detection provided by InsightIDR with new actions available.
    • Change priority of detections and exceptions that are set to Creates Investigation as the Rule Action.
    • View and sort on priority from the main detection management screen.
    • More details on our detection rules experience can be found in our help docs, here.

  • Customizable priorities for UBA detection rules and custom alerts: Customers can now associate a rule priority (Critical, High, Medium, or Low) for all of their UBA and custom alert detection rules. The priority is subsequently applied to investigations created by a detection rule.
  • A simplified way to create exceptions: We added a new section to detection rule details within “create exception” to better inform on which data to write exceptions against. This will show up to the 5 most recent matches associated with that said detection rule — so now, when you go to write exceptions, you have all the information you may need all within one window.

MITRE ATT&CK Matrix for detection rules

This new view maps detection rules to MITRE tactics and techniques commonly used by attackers. The view lets you see where you have coverage with Rapid7’s out-of-the-box detection rules for common attacker use cases and dig into each rule to understand the nature of that detection.

What's New in InsightIDR: Q4 2021 in Review
MITRE ATT&CK Matrix within Detection Rules

Investigation Management reimagined

At Rapid7, we know how limited a security analyst’s time is, so we reconfigured our Investigation Management experience to help our users improve the speed and quality of their decision-making when it comes to investigations. Here’s what you can expect:

  • A revamped user interface with expandable cards displaying investigation information
  • The ability to view, set, and update the priority, status, or disposition of an investigation
  • Filtering by the following fields: date range, assignee, status, priority level
What's New in InsightIDR: Q4 2021 in Review
New investigations interface

We also introduced MITRE-driven insights in Investigations. Now, you can click into the new MITRE ATT&CK tab of the Evidence panel in Investigation to see descriptions of each tactic, technique, and sub-technique curated by MITRE and link out to attack.mitre.org for more information.

What's New in InsightIDR: Q4 2021 in Review
MITRE ATT&CK tab within Investigations Evidence panel

Rapid7’s ongoing emergent threat response to Log4Shell

Like the rest of the security community, we have been internally responding to the critical remote code execution vulnerability in Apache’s Log4j Java library (a.k.a. Log4Shell).

Through continuous collaboration and ongoing threat landscape monitoring, our Incident Response, Threat Intelligence and Detection Engineering, and MDR teams are working together to provide product coverage for the latest techniques being used by malicious actors. You can see updates on our InsightIDR and MDR detection coverage here and in-product.

Stay up to date with the latest on Log4Shell:

A continually expanding library of pre-built dashboards

InsightIDR’s Dashboard Library has a growing repository of pre-built dashboards to save you time and eliminate the need for you to build them from scratch. In Q4, we released 15 new pre-built dashboards covering:

  • Compliance (PCI, HIPAA, ISO)
  • General Security (Firewall, Asset Authentication)
  • Security Tools (Okta, Palo Alto, Crowdstrike)
  • Enhanced Network Traffic Analysis
  • Cloud Security
What's New in InsightIDR: Q4 2021 in Review
Dashboard Library in InsightIDR

Additional dashboard and reporting updates

  • Updates to dashboard filtering: Dashboard Filtering gives users the ability to further query LEQL statements and the data across all the cards in their dashboard. Customers can now populate the dashboard filter with Saved Queries from Log Search, as well as save a filter to a dashboard, eliminating the need to rebuild it every session.
  • Chart captions: We’ve added the ability for users to write plain text captions on charts to provide extra context about a visualization.
  • Multi-group-by queries and drill-in functionality: We’ve enabled Multi-group-by queries (already being used in Log search) so that customers can leverage these in their dashboards and create cards with layered data that they can drill in and out of.

Updates to Log Search and Event Sources

We recently introduced Rapid7 Resource Names (RRN), which are unique identifiers added to users, assets, and accounts in log search. An RRN serves as a unique identifier for platform resources at Rapid7. This unique identifier will stay consistent with the resource regardless of any number of names/labels associated with the resource.

In log search, an “R7_context” object has been added for log sets that have an attributed user, asset, account, or local accounts. Within the “R7_context” object, you will see any applicable RRNs appended. You can utilize the RRN as a search in log search or in the global search (which will link to users and accounts or assets and endpoints pages) to assist with more reliable searches for investigation processes.

What's New in InsightIDR: Q4 2021 in Review
New “r7_context” Rapid7 Resource Name (RRN) data in Log Search

Event source updates

  • Log Line Attribution for Palo Alto Firewall & VPN, Proofpoint TAP, Fortinet Fortigate: When setting up an event source you now have an option to leverage information directly present in source log lines, rather than relying solely on InsightIDR’s traditional attribution engine.
  • Cylance Protect Cloud event source: You can configure CylancePROTECT cloud to send detection events to InsightIDR to generate virus infection and third-party alerts.
  • InsightIDR Event Source listings available in the Rapid7 Extensions Hub: Easily access all InsightIDR event source related content in a centralized location.

Updates to Network Traffic Analysis capabilities

Insight Network Sensor optimized for 10Gbs+ deployments: We have introduced a range of performance upgrades that make high-speed traffic analysis more accessible using off-the-shelf hardware, so you’re able to gain east-west and north-south traffic visibility within physical, virtual and cloud based networks. If you want to take full advantage of these updates check out the updated sensor requirements here.

InsightIDR Asset Page Updates: We have introduced additional data elements and visuals to the Assets page. This delivers greater context for investigations and enables faster troubleshooting, as assets and user information is in one location. All customers have access to:

  • Top IDS events triggered by asset
  • Top DNS queries

For customers with Insight Network Sensors and ENTA, these additional elements are available:

  • Top Applications
  • Countries by Asset Location
  • Top Destination IP Addresses
What's New in InsightIDR: Q4 2021 in Review

Stay tuned!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.