Tag Archives: Security Operations (SOC)

5 Insights from the Latest Cybersecurity Trends Research

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/02/07/5-insights-from-the-latest-cybersecurity-trends-research/

Rapid7 is committed to promoting research that identifies the latest cybersecurity trends so that organizations can leverage these insights and create programs that make sense for the modern SOC. To that end, we’ve singled out five quick insights security professionals and stakeholders should consider when looking ahead. These findings are based on Top Trends in Cybersecurity for 2024, a new research report from Gartner®.

Organizations Will Focus on Improving Resilience

As cloud continues to be adopted at a frenzied pace across organizations large, small, and everything in between, it’s critical to maintain organizational resiliency as attack surfaces expand and security becomes more urgent than ever. Indeed, the research notes that: “Improving organizational resilience has become a primary driver of security investments for several interconnected reasons:

  • “Digital ecosystems continue to sprawl, due to increasing cloud adoption.
  • Organizations are entrenching hybrid work arrangements.
  • The threat environment continues to evolve as emerging capabilities also embolden attackers.”

Continuous Threat Exposure Management Programs Will Take Off

Organizational attack surfaces have expanded for many reasons: the adoption of SaaS, remote work, custom application development, and more. All of these changes are efficiency drivers for businesses, but can also become liabilities rife with vulnerabilities. As organizations put more products and policies into place – especially from multiple vendors – it can become more difficult to manage this new attack surface at scale.

The research stipulates that, in order to try and solve this issue, “security and risk management (SRM) leaders have introduced pilot processes that govern the volume and importance of threat exposures and the impact of dealing with them with continuous threat exposure management (CTEM) programs.” Short-term remediations can only go so far; the game is accelerating and long-term solutions must be put into place.

Generative AI Will Inspire Long-Term-Yet-Cautious Hope

Security organizations are embracing generative AI (GenAI) to help gain visibility across hybrid attack surfaces, spot threats fast, and automatically prioritize risk signals. In other sectors, unmanaged and uncontrolled uses of GenAI need reining in before they can cause real societal damage with things like deepfakes, misinformation, and copyright infringement.

The research states that “the most notable issues were the use of confidential data in third-party GenAI applications and the copyright infringement and brand damage that could result from the use of unvetted generated content.” As AI companies continue to release new products that are more readily customizable by developers, laws and security policies will need to be put into place to curtail this potential third-party threat.

The C-Suite Communications Gap Will Narrow

With clearer outcome-driven metrics (ODMs) comes the ability to more easily convince the boardroom that direct investment in a cybersecurity initiative is imperative. Indeed, CISOs and other key security personnel and stakeholders have for years been running up against budgetary pushback that all too often leads to a porous attack surface as well as the inability to properly respond or prepare.

According to the research, “the 2023 Gartner Evolution of Cybersecurity Leader Survey asked chief information security officers (CISOs) the following question: ‘What has been the impact of changing business objectives on your cybersecurity strategy?’ In response, 60% said there had been some impact or a major impact.” When goals and/or key performance indicators (KPIs) shift, the security organization must be able to readily communicate where potential risk could lie in the changed environment.

ODMs can create a clearer path for security. From the report:

  • “Explain material cyber incidents to executives and guide specific investments to remediate them.
  • Support transparency to educate executives, lines of business and corporate functions about inappropriate or cavalier risk acceptance.
  • Expose matrixed management problems, such as the role the IT team plays in patching problems for which the security organization is typically held accountable.”

Cybersecurity Reskilling Will Help to Future-Proof

There is a continuing cybersecurity talent gap and, at the same time, there seems to be a shift in the types of skills practitioners need to bring to the job. Think of the implications this “moving target” has on both security organizations and people strategy teams tasked with scouring the marketplace for this magical unicorn.

The report details how, “in the U.S. alone, there are only enough qualified cybersecurity professionals to meet 70% of current demand – an all-time low over the past decade.” A plethora of trends are leading to this current disparity, including: accelerated cloud adoption, the emergence of GenAI, threat-landscape expansion, and vendor consolidation.

Greater business acumen as well as AI ethics and human psychology are just a few of the soft skills that will come to have greater prominence in job descriptions of security talent. Indeed, this may signal a stronger coming partnership between talent acquisition teams and security teams so that all parties involved can be sure that the right talent is recruited in the best way possible.

Read the report here.

Gartner, Top Trends in Cybersecurity for 2024, Richard Addiscott, Jeremy D’Hoinne, et al., 2 January 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Building the Best SOC Takes Strategic Thinking

Post Syndicated from Rapid7 original https://blog.rapid7.com/2024/01/25/building-the-best-soc-takes-strategic-thinking/

So your security team is ready to scale up its security operations center, or SOC, to better meet the security needs of your organization. That’s great news. But there are some very important strategic questions that need to be answered if you want to build the most effective SOC you can and avoid some of the most common pitfalls teams of any size can encounter.

The Gartner® report SOC Model Guide is an excellent resource for understanding how to ask the right questions regarding your security needs and what to do once those questions are answered.

Question 1: Which Model is Right for You?

There are several different ways to build an effective SOC. And while some are more complicated (perhaps even prohibitively so) than others, knowing what your needs and resources are at the outset will help you make this crucial initial decision.

Gartner puts it this way:

“A SOC model defines a strategy for variation in the use of internal teams and external service providers when running a SOC. It ensures all roles required to operate a SOC are allocated to those best suited to discharge the associated responsibilities. An effective SOC model lets SRM leaders allocate resources based on business priorities, available skill sets and budget…”

There are effectively three ways to build a SOC: internal, external, and hybrid. The report has this to say:

“Opting for a hybrid SOC is one way to help grow capabilities, while managing scale and cost. A hybrid SOC is one in which more than one team, both insourced and outsourced, plays a role in the activities required for proper SOC operation. The question of which teams, roles, jobs and activities are best kept in-house or outsourced is complex. Building a SOC model helps you answer it and ensure a hybrid SOC is well-balanced.”

Question 2: Who Does What?

Let’s assume your organization is opting for a hybrid approach. The next question you will need to ask yourself is what roles am I outsourcing and what roles am I keeping in-house? Understanding your business needs and whether internal or external partners are the best course of action can take some serious soul-searching on your part.

Luckily, Gartner has some recommendations. From the report:

“Some SOC tasks are strategic, such as those performed by the roles of senior investigator, incident response manager and red team tester. They are often best performed by in-house staff who understand the business’s needs and the security issues.

“Other SOC tasks are tactical, such as building detection content for common attacks. They are generally best performed by a larger external team, which can do them more efficiently, on a bigger scale, and for longer periods.”

Question 3: How Do We Keep Everything Humming Along?

Once you’ve chosen your SOC model and built your team, it is important to monitor and react to the ways in which the internal and external partners work together. Let’s assume you’ve followed Gartner recommendations, outsourced your tactical needs and some highly specific skill sets, and kept your strategic thinkers in-house. You then need a way for the teams to work together that is as dynamic as the environment they are seeking to protect.

Gartner offers this advice:

“Have clear demarcations between objective handlers, but ensure there is shared awareness. A challenge with hybrid models that use different providers or teams to handle objectives is that it can be hard to instill a results-oriented mindset. An external provider or internal team often gets “tunnel vision” — focusing only on its own individual objective — and loses sight of the big picture of SOC performance. You must ensure each provider or team is aware of its impact on adjacent objectives, not just its own.”

Just because different teams are going to have relatively different goals does not mean they should operate in silos. Ensuring that internal and external team members are able to see the big picture and understand the capabilities and limitations of others on the team is a critical component of building a SOC that works well today and grows well together.

Building a SOC from scratch is no easy feat and it is made harder without some serious strategic thinking and soul searching before building the team. Understand your unique needs, the general needs of a SOC team, what your resources are, and the expectations of your organization before building your own A-team of crack security professionals.

To read more about SOC Models check out Gartner SOC Model Guide here.

Gartner, SOC Model Guide, Eric Ahlm, Mitchell Schneider, Pete Shoard, 18 October 2023


Attackers are Working Around The Clock. Luckily, So Are We.

Post Syndicated from Margaret Wei original https://blog.rapid7.com/2023/11/30/attackers-are-working-around-the-clock-luckily-so-are-we/

It takes an average of 204 days for organizations to discover a breach, and from there an average of 73 days to contain it. With the average cost of a breach at an all-time high of $4.45 million, there’s an undeniable need for teams to enlist the right experts to quickly eradicate threats.

At Rapid7, our expert SOC analysts detect and respond to threats end-to-end for MDR customers – no matter how large or complex. Rapid7’s Active Response, powered by InsightConnect SOAR Automation, enables our analysts to contain endpoints and users on your behalf within minutes of when a threat is identified, reducing attacker dwell time and keeping your organization safe from the damaging consequences of an attack.

24×7 Immediate Containment of Validated Threats with Active Response

Active Response initially launched in 2020, and we’ve now expanded it to include broader asset quarantine support across third-party providers — including CrowdStrike, SentinelOne, Carbon Black Cloud, and more — as well as more transparency into MDR analyst activity to bring you more expansive, collaborative detection and response. What you can expect with Active Response:

  • Rapid7 MDR analysts will contain compromised endpoints or users as early in the kill chain as possible to keep your organization safe from threats including malware, lateral movement, data exfiltration attempts, and more. We’ve also added a cloud-enabled option for actions to quarantine assets — removing the need for any on-prem components and making containment even faster for your organization.
  • Our team takes action on your behalf when we see a validated threat, but you have control of the parameters with the ability to create containment guardrails to prohibit the containment of critical servers, users, or devices. You always have the option to unquarantine assets or users directly from InsightIDR, making it extremely straightforward and keeping the power in your hands.
  • Rapid7’s coverage doesn’t stop there — with recommended additional actions for containment, remediation, and mitigation, our analysts ensure your organization is as secure as possible.

See How Active Response Stopped Malware in a Recent Rapid7 MDR Investigation

The following is a real-world example of a threat handled by our MDR analysts leveraging Active Response to quarantine an asset and stop malware.

Attacker Activity

  • [USER 1] working on legal cases used Chrome browser to visit a legitimate website compromised by malicious embedded JavaScript functions.
  • Embedded JavaScript file loaded pop-up, invited user to update browser by downloading ZIP archive containing JavaScript file.
  • Once executed, the JavaScript file communicated with Command and Control (C2) to download and execute a malicious payload, fingerprint the asset, user, cached password, domain controllers, and trusted domains, and output the results to a file at the root of [USER 1]’s %temp% directory, staging the host for subsequent exploitation.

Build Resilience While You Sleep

Active Response enables teams to immediately quarantine malicious behavior before it can compromise a system, saving teams from the damaging outcomes of a successful security breach as well as costly ransomware, loss of data, and broken customer trust.

Whether it’s an intrusion attempt, suspicious process start activity, or anything in between, Rapid7’s SOC has their eyes on your environment 24x7x365, halting suspicious activity in its tracks so you can sleep peacefully through the night.

To learn more about Active Response, talk to your Customer Advisor or a representative.

Rapid7 Takes Next Step in AI Innovation with New AI-Powered Threat Detections

Post Syndicated from Laura Ellis original https://blog.rapid7.com/2023/11/29/rapid7-takes-next-step-in-ai-innovation-with-new-ai-powered-threat-detections/

Digital transformation has created immense opportunity to generate new revenue streams, better engage with customers and drive operational efficiency. A decades-long transition to cloud as the de-facto delivery model of choice has delivered undeniable value to the business landscape. But any change in operating model brings new challenges too.

The speed, scale and complexity of modern IT environments result in security teams being tasked with analyzing mountains of data to keep pace with the ever-expanding threat landscape. This dynamic puts security analysts on their heels, constantly reacting to incoming threat signals from tools that weren’t purpose-built to solve hybrid environments, creating coverage gaps and a need to swivel-chair between a multitude of point solutions. Making matters worse? Attackers have increasingly looked to weaponize AI technologies to launch sophisticated attacks, benefiting from increased scale, easy access to AI-generated malware packages, as well as more effective social engineering and phishing using generative AI.

To combat these challenges, we need to equip our security teams with modern solutions leveraging AI to cut through the noise and boost signals that matter. Our AI algorithms alleviate alert and action fatigue by delivering visibility across your IT environment and intelligently prioritizing the most important risk signals.

Rapid7 Has Been an AI Innovator for Decades

There has been a groundswell of development and corresponding interest in generative AI, particularly in the last few years as mainstream adoption of large language models (LLMs) grows. Most notably, OpenAI’s ChatGPT has brought AI to the forefront of people’s minds. This buzz has resulted in a number of vendors in the security space launching their own intelligent assistants and working to incorporate AI/ML into their respective solutions to keep pace.

From our perspective, this is great news and a huge step forward in the data & AI space. Rapid7 is also accelerating investment, but we’re certainly not starting from scratch. In fact, Rapid7 was a pioneer in AI development for security use cases, going all the way back to our earliest days with our VM Expert System in the early 2000s.

Built on decades of risk analysis and continuously trained by our expert SOC team, Rapid7 AI enables your team to focus on what matters most by proactively shrinking your attack surface and intelligently re-balancing the scales between signal and noise.

With visibility across your hybrid attack surface, the Insight Platform enables proactive prevention, leveraging a proprietary AI-based detection engine to spot threats faster than ever and automatically prioritize the signals that matter most based on likelihood of exploitation and potential business impact. Based on learnings from your own environment and security operations over time, the platform will intelligently recommend updates to detection rule settings in an effort to reduce excess noise and eliminate false positives.

By integrating our AI capabilities into the Rapid7 platform, customers benefit from:

  • World-class threat efficacy, with AI-driven detection of anomalous activity. With a vast amount of legitimate activity occurring across customer environments, our AI algorithms validate if activity is actually malicious, allowing teams to spot unknown threats faster than ever.
  • Help to cut through the noise, by identifying the signals that matter most. Our AI algorithms automatically prioritize risks and threats, intelligently suppressing benign alerts to eliminate the noise so analysts can focus on what matters most.
  • The confidence that they’re taking action on AI-generated insights they can trust, built on decades of risk and threat analysis and trained by a team of recognized innovators in AI-driven security.

Recent Innovations in AI-driven Threat Detection

We’ve recently announced two new AI/ML-powered threat detection capabilities aimed at enabling teams to detect unknown threats across a customer’s environment faster than ever before without introducing excess noise.

  • Cloud Anomaly Detection
    Cloud Anomaly Detection is an AI-powered, agentless detection capability designed to detect and prioritize anomalous activity within an organization’s own cloud environment. The proprietary AI engine goes beyond simply detecting suspicious behavior; it automatically suppresses benign signals to reduce noise, eliminate false positives, and enable teams to focus on investigating highly-probable active threats. For more information on Cloud Anomaly Detection, check out the launch blog here.
  • Intelligent Kerberoasting Detection
    We’ve expanded existing AI-driven detections for attack types such as data exfiltration, phishing and credential theft to include intelligent detection, validation and prioritization of Kerberoasting attacks. The platform goes beyond traditional tactics for detecting Kerberoasting by applying a deep understanding of typical user activity across the organization. With this context, SOC teams can respond with confidence knowing the signals they are receiving are actually indicative of a Kerberoasting attack.

Rapid7 continues to explore and invest in ways we can leverage AI/ML to better equip our customers to defend their organizations against the ever-expanding threat landscape. Keep an eye out in the near future for additional innovations to come out in this space.

For now, be sure to stop by the Rapid7 booth (#1270) at AWS Re:Invent, where we’ll be showcasing Cloud Anomaly Detection, and talk to us about how your team is thinking about utilizing AI.

Unlock Broader Detections and Forensics with Velociraptor in Rapid7 XDR

Post Syndicated from Shanna Battaglia original https://blog.rapid7.com/2023/09/29/unlock-broader-detections-forensics-with-velociraptor-in-rapid7-xdr/

Nearly 70% of companies that are breached are likely to get breached again within twelve months (CPO). Effective remediation and addressing attacks at the root is key to staying ahead of threats and recurring breaches on the endpoint. Strong Digital Forensics and Incident Response (DFIR) ready to go when any incident occurs is a critical piece of a security team’s toolkit and drives successful response and remediation.

With this in mind, we’re excited to announce the integration of Velociraptor, Rapid7’s leading open-source DFIR framework, into the Insight Platform for InsightIDR Ultimate users — all with no additional deployment or configurations required. Already utilized in the field by our Incident Response experts on behalf of Managed Detection and Response (MDR) customers, InsightIDR Ultimate users can now experience the power of Velociraptor, from daily threat monitoring and hunting to swift threat response.

Key benefits of Velociraptor in InsightIDR:

  • Hunt for threats and vulnerabilities on single endpoints or across the entire fleet conveniently within InsightIDR, enabling faster identification and remediation.
  • Leverage the latest security researcher and practitioner-contributed Artifacts (structured YAML files containing queries) from Velociraptor’s Exchange. This ensures you always have up-to-date coverage across the current threat landscape.
  • Monitor for threat activity as it occurs on the endpoint, and forward matching events to InsightIDR for in-depth investigations into potential threats.
  • Efficiently analyze all of your Velociraptor data inside of InsightIDR with the flexibility of custom Notebooks (used to track and post process hunts or collaborate on an investigation) or the visual navigation of the Virtual File System (a server side cache of the files on the endpoint).
  • Unlock expanded threat detection capabilities – like EVTX or ETW watcher plug-ins to monitor Windows event sources – with Velociraptor’s Client Monitoring feature and forward alert investigations into InsightIDR.
  • Get to the bottom of new threats quickly with the most up-to-date detections thanks to Velociraptor’s expressive query language (rather than code) that makes it faster and easier for teams to share custom detections with the open-source community.

Let’s walk through a potential scenario with InsightIDR and Velociraptor

Jo is a SOC analyst on a team that uses Rapid7 Insight products to monitor and respond to security incidents in a fleet of a few thousand endpoints. This morning, an email notification for a new InsightIDR investigation grabs Jo’s full attention – an endpoint just triggered an alert from a usually quiet detection rule named “Velociraptor – Alert.Windows.ETW.Powershell”, and the data in the preview immediately looks suspicious to Jo.

Jo jumps into InsightIDR to begin their investigation. The endpoint in question has only triggered this single alert so far. It was forwarded from Velociraptor, a recent addition to Jo’s toolset within the Rapid7 Insight Platform. The artifact was one of several they’d deployed to endpoints for continuous monitoring. While InsightIDR and the Sysmon integration could already detect suspicious PowerShell commands when included in Process Start command-line arguments, this artifact adds visibility into the Windows PowerShell ETW provider for logged events.

Jo follows the link to Velociraptor, provided in the InsightIDR Investigation. The link goes directly to the Alert.Windows.ETW.Powershell event page for the endpoint that triggered the investigation. From here, Jo starts a KAPE triage collection on this endpoint. Then they start a hunt across the entire fleet for the indicators of compromise they’ve gathered so far.

Data from Jo’s collection flows into the UI for review. After noticing an unfamiliar grandparent for PowerShell in the process list, Jo decides to quarantine the endpoint. They go back to their InsightIDR tab, search for the affected endpoint, and toggle its Quarantine flag. Now that endpoint can only communicate with the Rapid7 Platform, which now includes Velociraptor.

Among the hundreds in the hunt’s scope, a handful of endpoints return matches for Jo’s initial queries. Jo recruits a few of their teammates to help triage the results and begin deeper investigation. Between Velociraptor’s powerful DFIR capabilities and the skills of Jo’s team, the intruder will be thwarted before completing their mission.

After the incident response concludes, Jo reviews the new Velociraptor Artifacts they created to detect this new malicious activity. They decide that a few of these will be useful submissions to the Artifact Exchange. They also take the opportunity to browse other recent additions from the DFIR community and deploy a few to their Velociraptor instance.

With Rapid7’s platform-hosted Velociraptor service, Jo’s team was able to skip another lengthy deployment process and leap right into monitoring and hunting for threats. They were also welcomed to the wider open-source Velociraptor community to share knowledge, threat intel, and DFIR techniques with the practitioners who help Velociraptor thrive.

Learn more about Velociraptor and our expanded endpoint protection.