Last updated at Wed, 26 Jul 2023 21:53:13 GMT
his blog post is part of an ongoing series, MDR Vendor Must-Haves.
Cybersecurity teams continue to be challenged by resource constraints and disconnected toolsets. One method of solving this is to partner with a Managed Detection and Response (MDR) provider to strengthen your security operations and detect threats before they become problems.
That won’t always work, though. Focusing on what matters most can be difficult.
As much as you’d like to offload to your managed security services, your team may still need to run internal investigations or use manual processes to respond to threats. You need a way to do more with less and free your team to get some time back.
Even the most adept security teams with the best-in-class MDR provider need ways to respond efficiently to security threats. And while today’s security organizations continuously procure new, best-of-breed software to bolster their programs, many teams often tell us that they struggle to integrate their security tools.
As a result, context switching between a large toolset begets inefficient utilization of work-hours and the underutilization of tools. What’s more, traditional MDR providers do nothing to operationalize a security organization’s stack and often rely on users to take recommendations and remediate on their own.
That’s where automation comes in.
With security automation, your team can:
- Connect disparate technology solutions so your Security and IT workflow works for you, not the technology.
- Respond quickly and effortlessly using automation to lower your mean time to respond (MTTR).
- Have confidence your team can respond quickly to any threat.
- Expedite your eradication process.
- Automate tedious, manual tasks to free your analysts time to take on greater challenges.
Now, not every vendor will offer all of this with their MDR service. Some may offer parts through some type of managed response capability. Others may go beyond that to include automations for you in their technology and service. Some, like Rapid7, do a combination of both and also offer a Security Orchestration, Automation, and Response (SOAR) solution that can complement the service.
Because every second between a finding and closure risks a growing blast radius, it’s crucial that MDR providers integrate automated incident response processes so action can be taken to quickly mitigate and remediate threats leveraging existing tools.
How Rapid7 MDR can help
Rapid7 has a few different ways that we can help with automation.
The first use case is to respond to threats automatically when they’re validated. That’s the promise of combining Rapid7’s MDR service with Active Response with our industry-leading SOAR tool, InsightConnect.
So, what about beyond Active Response?
The second use case is through our InsightIDR SIEM technology. Because Rapid7 MDR customers have full access to InsightIDR, they can leverage the automated workflows built inside the tool—accessed directly from the investigations—to take enrichment and containment actions instantly. These automation workflows streamline response and eliminate repetitive, low-value work.
For example, through InsightIDR—the backend of the MDR service—you can look up indicator reputation with open source threat intelligence, kill malicious processes, quarantine infected endpoints from the network, deprovision users, reset passwords, and more, all from day one as an MDR customer.
For more bespoke use cases, InsightConnect expands this ability, allowing users to customize additional automation tasks. InsightConnect extends automation abilities to allow users to build workflows leveraging over 290 plugins for well-known and oft-used security tools, as well as create custom integrations. In this way, time to respond is minimized, and you can sleep easily knowing that applying recommendations is as easy as a simple deployment of pre-built workflows.
One of the most popular InsightConnect workflows for MDR customers is an automation triggered by a custom alert in InsightIDR. Building this workflow can automate your team's response to threats identified by custom alerts to automatically initiate a predefined action (or actions) in your environment each time a custom alert rule is triggered. For example, you can configure workflows to post notifications to a Slack channel when an alert threshold is reached, or send email notifications to your security team when someone signed onto the VPN violates a company policy. This capability would enable you to leverage automation for use cases that wouldn’t cause a notification with the MDR service.
Want to take your detection and response program to the next level (and get your IT to love you for it, too)? With Rapid7 MDR and InsightConnect, you’ll be able to:
- Respond quickly with zero effort. No more frantic “drop everything and respond now” moments. Have peace of mind knowing that Rapid7’s SOC will take action for you at any time, day or night. Our team will monitor threats, validate them, and take on the initial response to paralyze the attacker with our Active Response service included with MDR Elite.
- Expand coverage. Create workflows to automatically initiate predefined action(s) for your custom alerts. For example, you can automatically trigger a workflow to disable a compromised user account and stop internal threats based on a custom alert for when a user’s account changes permissions on several files in a short period of time.
- Eradicate threats effectively and with speed. Orchestrate existing technology stack for immediate response. Leverage integrations with your existing technology investments like EDR, firewall, and IAM tools to block IP addresses and ban hashes to automate remediation and mitigation actions beyond what MDR with Active Response can do for you.
- Mitigate threats from reoccurring. Respond to threats with speed while also preventing future malicious activity. Automate aspects of remediation and mitigation to reduce your team’s time spent implementing the recommendations from the MDR Findings Reports. Blacklist hashes or block IP addresses, URLs, domains, and ports using automated workflows to prevent future security issues and give your security team time back in their day.
- Speed up the process to get things done. Streamline operations and incident tracking. ITSM technologies are critical to your IR programs, especially when it comes to managing tasks between security and IT teams. Build workflows to create and update tickets to track incidents from the detection and analysis phase to containment, eradication, and recovery.
The built-in automation with Rapid7 MDR will allow you to both keep the focus on the important things and lessen the burdens of the day-to-day actions with automation. By uniting the power of MDR Elite with InsightConnect, you can save time by connecting across IT and Security, while also automating your playbooks to contain threats, extend your team, connect disparate systems, and eliminate manual processes.
