Rapid7 is excited to announce the release of Global Artifacts, a new capability in InsightConnect, Rapid7’s security orchestration, automation and response (SOAR) solution.
Global Artifacts provide the ability to store, structure, view, and share valuable pieces of data across InsightConnect workflows. Historical data is extremely valuable when handling security events: it adds context to future events and serves as a data point when measuring an incident’s overall impact on an organization. It also helps when determining whether an alert is a legitimate incident or a false positive. This holds true whether the process you follow to handle an event is completely manual, entirely automated, or a mix of the two.
What is InsightConnect?
InsightConnect is Rapid7’s security orchestration, automation and response (SOAR) solution, purpose-built to accelerate your teams and tools through automation. It does this by connecting your tools so that each one is used to its full potential, and by connecting the dots between them to better inform your security team and enrich your data and security alerts. The result is a major improvement in operational efficiency.
Being able to easily and rapidly automate security-related tasks is quickly becoming a requirement for maintaining a modern security program. To make automation accessible to security teams of all shapes, sizes, and skill sets, InsightConnect combines a library of nearly 300 plugins with an intuitive workflow builder so that common security processes can be easily automated with little to no coding required.
So, how can InsightConnect with Global Artifacts help your security program?
Maintain and update reference data in one centralized location
Security automation is most effective when it addresses the full range of use cases a security team faces. The types of alerts handled by automation may vary, but in most cases the reference data used to make decisions in those workflows stays constant. In the past, making that data accessible to every workflow could be challenging, and ensuring that each workflow used the most recent version of it became harder and harder over time.
Global Artifacts provide a centralized location to store data that can be updated dynamically, so any workflow referencing that data always works from up-to-date information with minimal upkeep.
Understand the true scope of an incident
A key piece of information in determining an incident’s criticality is its breadth. Security events that affect a single user should never be discounted, but they may not carry the same weight as an incident that affects 50, or hundreds of, users. With Global Artifacts, key indicators from an incident can be stored during a workflow execution, and later executions of the workflow can look them up in the Global Artifact. Logic can then be built into the workflow so that repeated occurrences of the same incident trigger different response actions, for example escalating the case rather than handling each occurrence in isolation.
Cut down on analysis time
When handling an incident, reducing the time it takes to respond is key. A widely cited industry estimate puts the average lifecycle of a breach, from identification through containment, at 279 days. One major way to shorten that time is to introduce automation into the security process, and when doing so you will want to find as many places to gain efficiency as possible. One of the more common processes security teams automate is data enrichment; sometimes it is a small piece of a larger process, and other times it is an entire workflow in and of itself. With Global Artifacts, enrichment becomes more efficient: as indicators are analyzed and determined to be malicious or benign, those verdicts become available to future executions of the enrichment process, which can skip indicators that have already been analyzed. Since an indicator’s reputation can change over time, stored verdicts should be re-checked periodically rather than trusted indefinitely.
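The two patterns described above, recurrence-based escalation and cached enrichment verdicts, can be modelled with a small shared store that every workflow execution consults and updates. The following is an added example written for this post; it is not InsightConnect code and does not use the Global Artifacts API. The in-memory store, the `handle_alert` decision logic, the escalation threshold, the verdict TTL and the threat-intel table are all assumptions chosen to illustrate the idea.

```python
"""Added example (not InsightConnect code): a shared artifact store consulted and
updated by successive workflow executions. It shows (1) escalating once the same
indicator has hit enough distinct users and (2) skipping enrichment for indicators
already analysed, with stale verdicts re-checked. Names, thresholds and the
threat-intel table are assumptions constructed for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Assumed tuning: escalate once this many distinct users hit the same indicator,
# and re-enrich any cached verdict older than the TTL (reputations change).
ESCALATE_AT = 3
VERDICT_TTL = timedelta(hours=24)

# Constructed stand-in for a threat-intel source; True means malicious.
THREAT_INTEL: Dict[str, bool] = {"evil.example": True, "cdn.example": False}


@dataclass
class Verdict:
    indicator: str
    malicious: bool
    first_seen: datetime
    last_seen: datetime
    affected_users: Set[str] = field(default_factory=set)


class Enricher:
    """Counts calls so the demo can show how many lookups the cache avoided."""
    def __init__(self) -> None:
        self.calls = 0

    def check(self, indicator: str) -> bool:
        self.calls += 1
        return THREAT_INTEL.get(indicator, False)


class ArtifactStore:
    """Keyed store shared by every execution; stands in for a Global Artifact."""
    def __init__(self, ttl: timedelta) -> None:
        self.ttl = ttl
        self._records: Dict[str, Verdict] = {}

    def fresh_lookup(self, indicator: str, now: datetime) -> Optional[Verdict]:
        rec = self._records.get(indicator)
        if rec is None or now - rec.last_seen > self.ttl:
            return None  # unknown or stale: the caller must re-enrich
        return rec

    def record(self, indicator: str, malicious: bool, user: str, now: datetime) -> Verdict:
        rec = self._records.get(indicator)
        if rec is None:
            rec = self._records[indicator] = Verdict(indicator, malicious, now, now)
        rec.malicious = malicious      # latest verdict wins
        rec.last_seen = now
        rec.affected_users.add(user)   # breadth of the incident so far
        return rec


def handle_alert(store: ArtifactStore, enricher: Enricher,
                 indicator: str, user: str, now: datetime) -> dict:
    """One workflow execution: look up, enrich only if needed, then decide."""
    cached = store.fresh_lookup(indicator, now)
    if cached is None:
        malicious, source = enricher.check(indicator), "enrichment"
    else:
        malicious, source = cached.malicious, "artifact"
    rec = store.record(indicator, malicious, user, now)
    if not malicious:
        action = "close_as_benign"
    elif len(rec.affected_users) >= ESCALATE_AT:
        action = "escalate_campaign"
    else:
        action = "contain_single_host"
    return {"indicator": indicator, "user": user, "source": source,
            "action": action, "affected": len(rec.affected_users)}


def run_demo() -> Tuple[List[dict], int]:
    """Replays a constructed alert stream; returns decisions and enrichment calls."""
    store, enricher = ArtifactStore(VERDICT_TTL), Enricher()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed alert stream: (minutes after t0, indicator, affected user).
    # The last alert arrives two days later, after the cached verdict has expired.
    alerts = [(0, "evil.example", "alice"), (1, "cdn.example", "bob"),
              (2, "evil.example", "carol"), (3, "evil.example", "dave"),
              (4, "cdn.example", "erin"), (48 * 60, "evil.example", "frank")]
    decisions = [handle_alert(store, enricher, ind, usr, t0 + timedelta(minutes=m))
                 for m, ind, usr in alerts]
    return decisions, enricher.calls


if __name__ == "__main__":
    for d in run_demo()[0]:
        print(d)
```

Six alerts produce only three enrichment calls: the third, fourth and fifth alerts are served from the store, and the sixth re-enriches because its cached verdict is older than the TTL. The escalation decision is driven by the size of the affected-user set accumulated across executions, which is the breadth signal the post describes. In a real deployment the dictionary would be replaced by the shared artifact so that the state survives between workflow runs.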
Quickly view aggregated outcomes from workflow executions
As security teams begin automating their processes, their first goal is most likely to maximize the efficiency gained from their automated workflows. To measure that efficiency, they need to see the aggregated business impact of each workflow. Whether your workflow is deprovisioning users or remediating phishing alerts, typically only a subset of the data it generates is needed to understand the value it provides. With Global Artifacts, you have a single location to store, and later review, those key pieces of data without sifting through every other output a workflow may generate.
The mission of InsightConnect is to offer a best-in-class security workflow building experience that makes automation accessible to all security teams. Global Artifacts builds on that mission, and it is certainly not the end. Keep an eye out for more features that will continue to make security automation easier than ever to achieve.