Rapid7's Vulnerability Management and User Behavior Analytics solutions, Nexpose and UserInsight, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigations by highlighting risk across your network ecosystem without writing queries or digging through logs.

Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit

Nexpose proactively identifies & prioritizes weak points on your network, while UserInsight helps detect stealthy attacks with behavior analytics, investigate security incidents faster with user context, and expose risky internal behavior from endpoint to cloud. 4-minute UserInsight demo. Let's look at two specific benefits: (1) user context for your vulnerabilities, and (2) automatic security detection for your critical assets.

User Context for Your Vulnerabilities

UserInsight integrates with your existing network & security infrastructure to automatically baseline your users' activity. By correlating all activity to the users behind them, you're alerted of attacks that often go unnoticed, such as compromised credentials and lateral movement.

When UserInsight ingests the results of your Nexpose vulnerability scans, they are also added to each user's profile. By simply searching for an employee name, asset, or IP address, you get a complete look at their activity:

How this saves you time:

  • Immediately see who is affected by what vulnerability – this helps you get buy in to remediate a vulnerability by putting a face and context on a vulnerability (“The CFO has this vulnerability on their laptop – we must remediate immediately so they don't get phished.”)
  • Have instant context on the user behind the asset, so you can assess whether a particular piece of malware that exploits a particular vulnerability could have been successful
  • Proactively bolster and check risk surface – verify key players are not vulnerable

Automatic Security Detection for Critical Assets

In Nexpose, you can dynamically tag assets as critical by factors such as being in the IP range of the DMZ or containing a particular software package/service unique to domain controllers. Critical asset tags can be synced with UserInsight, where they show up as restricted assets.

Some examples of critical asset alerts:

  • First authentication from an unfamiliar source asset: If there's an unfamiliar attempt to authenticate to a restricted asset, you'll receive an alert.
  • An unauthorized user attempts to log-in: This can include a contractor or compromised employee attempting to access a financial server.
  • A unique or malicious process hash is run on the asset: UserInsight uses an agentless endpoint monitor to identify every process run on your endpoints. We run these process hashes against the wisdom of 50 virus scanners to identify malicious processes, as well as identify unique processes for further investigation.
  • Lateral movement (both local and domain): Once inside your organization's network, intruders typically run a network scan to identify high-value assets. They then laterally move across the network, leaving behind backdoors & stealing higher privilege credentials.
  • Endpoint log deletion: After compromising an organization's asset, attackers look to delete system logs in order to hide their tracks. This is a high-confidence indicator of compromise.
  • Anomalous administrative activity, including privilege escalation exploits: Once gaining access to an asset or endpoint, attackers will use privilege escalation exploits to gain administrative access, allowing them to take next steps such as password hash scraping. We identify and alert on anomalous administrative activity across your network ecosystem.

As Nexpose identifies critical or vulnerable assets, UserInsight automatically adjusts its detection thresholds to alert you about things you'll want to know about.

Configuring the UserInsight-Nexpose Integration

If you have Nexpose & UserInsight, setting up the Event Source is easy.

  1. In Nexpose, setup a Global Admin
  2. In UserInsight, click on the Collectors tab -> Rapid7 -> “Add event source”

     3. Add the information about the Nexpose Console (Server IP & Port)

     4. Add the credentials of the newly created Global Admin

And you're all set! If you have any questions, contact your QuickStart Manager or Support. Don't have UserInsight and want to learn about User & Entity Behavior Analytics? Get the Gartner Market Guide for UEBA here.