Compromised credentials and malware are the top two attacker methodologies according to the 2014 Verizon Data Breach Investigations Report. While UserInsight focuses primarily on detecting compromised credentials, a huge gap in most security programs, UserInsight now helps detect malware on endpoints in your entire organization Ð without having to deploy any software to the endpoints.

Protect your endpoints with the wisdom of 50 virus scanners and the footprint of none

UserInsight checks each process against a database of malware scanning results of over 50 virus scanners and alerts if the process is reported to be malicious. While individual anti-virus scanners will always have blind spots, installing several scanners on the endpoint is not an option because they would conflict with each other and grind performance to a halt. UserInsight leverages the wisdom of more than 50 virus scanners by checking processes against a database of previous scanning results, protecting UserInsight subscribers against malware as soon as malware vendors detect a new piece of malware.

UserInsight customers who have piloted this new functionality have already reported successes. They detected mass malware on their endpoints that had previously remained undetected by their existing virus scanners.

Individual virus scanners not only have blind spots but also false positives. This is why UserInsight enables organizations to set thresholds of how many virus scanners must flag a process as malicious before it is being reported as an alert, helping us reduce the false positive rate and alert fatigue.

Some types of malware run under the names of legitimate processes to avoid detection. UserInsight takes a hash of the process to help detect these kinds of malware as well.

The endpoint monitoring does not require the deployment or management of a software agent to the endpoints, which can be a burden for overworked IT organizations. UserInsight achieves this through credentialed scanning of endpoints, greatly reducing the amount of overhead for monitoring endpoints. The new endpoint malware detection works with both Windows and Mac operating systems.

New endpoint malware detection builds on existing malware functionality

The new endpoint malware detection methods build on UserInsight's existing capability to detect malicious processes.

  • Rare and unique processes: While the new functionality extends the detection to known mass malware, UserInsight already gave customers visibility of malware that uses polymorphism or malware that was customized for a targeted attack. Custom or obfuscated malware stands out as an anomaly when compared to other processes that run in an organization. For example, an office application would be present on thousands of machines in an organization, while a piece of malware would only show on one or two. In addition, legitimate processes are often digitally signed by an organization. UserInsight detects unsigned rare and unique processes in an organization to help incident responders detect these types of targeted attacks.
  • User context for advanced malware: Advanced malware solutions use sandboxes to scrutinize executables and files for malicious behavior. Because organizations are afraid of false positive alerts impacting the productivity of their users, most IT security teams deploy advanced malware solutions only in detection mode without blocking emails or web access. As a result, alerts must be closely monitored and investigated. However, it can be difficult to investigate an attack given only the IP address of a machine that caused an alert, especially in environments with dynamic IP addresses. UserInsight has existing integrations with FireEye NX Series and Palo Alto Wildfire to help incident responders easily identify the user connected to an alert and provides the full context of activities of that user to accelerate the investigation.
  • Adding alerts from endpoint protection platforms to investigations: Endpoint protection platforms are typically set up to quarantine malware, so they are rarely centrally monitored because there is no follow-up required. UserInsight provides malware alerts from endpoint protection platforms to provide more context in incident investigations. For example, let's assume an intruder tries three times to phish a user Ð the first two attempts are blocked by the virus scanner, but the third attempt goes through. In an investigation, the endpoint protection platform would report the first two blocked attempts, providing useful context about the initial attack vector.

How to set up UserInsight to detect malware on endpoints

Using the malware endpoint detection with UserInsight is very easy. If you are already using the endpoint monitoring, you will see 'MALICIOUS PROCESS ON ASSET' alerts showing up in your incident alerts.
If you don't have endpoint monitoring set up yet, here is how you do it:

  1. Go to the Collectors page in UserInsight.
  2. Click on 'Rapid7' in the event sources list on the left.
  3. Click the sign on the collector for the location where you'd like to add endpoint scanning.
  4. Select 'Rapid7 Endpoint Monitor' for Windows or 'Rapid7 Mac Endpoint Monitor' for Mac endpoints and ensure that you activate the dissolvable agent.

The new functionality to detect malicious processes is available immediately. If you'd like to test it out, please contact us to schedule a 1:1 demo or talk about evaluating UserInsight.