Rapid7 Blog

Eric Sun  


InsightIDR Now Supports Multi-Factor Auth and Data Archiving

InsightIDR is now part of the Rapid7 platform. Learn more about our platform vision and how it enables you to have the SIEM solution you've always wanted.

Want to try InsightIDR in Your Environment? Free Trial Now Available

InsightIDR, our SIEM powered by user behavior analytics, is now available to try in your environment. This post shares how it can help your security team.

PCI DSS Dashboards in InsightIDR: New Pre-Built Cards

No matter how much you mature your security program and reduce the risk of a breach, your life includes the need to report across the company, and periodically, to auditors. We want to make that part as easy as possible. We built InsightIDR as a SaaS SIEM on top of our proven User Behavior Analytics (UBA) technology to address your incident detection and response needs. Late last year, we added the ability to create custom dashboards and reports through the Card Library and the Log Entry Query Language (LEQL). Now, we've added seven pre-built cards that align directly to PCI DSS v3.2, to help you find important behaviors and communicate them across the company, the board, and external auditors. Let's walk through a quick overview of the seven cards and how they tie to the requirements in PCI DSS v3.2.

1.3.5: Denied Connection Attempts

PCI Requirement 1 covers installing and maintaining a firewall configuration to protect cardholder data. InsightIDR can easily ingest and visualize all of your security data, and with our cloud architecture, you don't need to worry about housing and maintaining a datastore, even as your organization grows with global offices or acquisitions. The above card is a standard, important use case for identifying anomalies and trends in your firewall data. In this case, the card runs the query "where(connection_status=DENY) groupby(source_address)" over your firewall log data.

4.1c: Potential Insecure Connections

It's important to identify traffic destined for port 80, or using outdated SSL/TLS, especially for traffic around the CDE. This can help identify misconfigurations and ensure that, per Requirement 4, transmission of cardholder data is encrypted. As with all cards, you can click the gear in the top right to pivot into Log Search for more context around any particular IP address.

7.1.2b & 8.1.4: Users Accessing the CDE

Identifying which users have accessed the PCI environment is important, as is digging a layer deeper. When did they last access the CDE, and from what asset? This is all important context when identifying the use of compromised credentials. If the credentials of Emanuel Osborne, who has access to the cardholder environment, are used to log in from a completely new asset, should your team be worried? We think so, and that's why our pre-built detections will automatically alert you. From this card, you can pivot to Log Search to identify the date of last access. In the top global search, any name can be entered to show you all of the assets where those credentials have been used (a new-asset logon is tracked as a notable behavior).

8.1.1: Shared/Linked Accounts in the CDE

Credentials shared by multiple people are dangerous, as sharing makes it much more difficult to retrace behavior and identify compromise. This card draws from asset authentication data to identify when the source account is not the destination account (where(sourceaccount != destinationaccount) groupby(destinationaccount)), so your team can proactively reduce this risk, especially for the critical CDE.

8.1.3a: Monitor Deactivated Accounts

Similar to the above, it's important to know when deactivated accounts are re-enabled and used to access the CDE. Many InsightIDR alerts focus on this attack vector, as we've found that disabled and service accounts are common targets for lateral movement. Related: See how InsightIDR allows you to detect and investigate lateral movement. This card highlights users with accounts deactivated over the last 30 days.

10.2.4: Highlight Relevant Log Events
10.2.5a: Track & Monitor Authentications

Ah, the beefy Requirement 10: track and monitor access to network resources and cardholder data. This is where InsightIDR shines. All of your disparate log data is centralized (Req. 10.2) to detect malicious behavior across the attack chain (Req. 10.6). With the standard subscription, the data is stored and fully searchable for 13 months (Req. 10.7). These two cards highlight failed and successful authentications, so you can quickly spot anomalies and dig deeper. If you've been using InsightIDR for a few months, you already know that we surface important authentication events to you in the form of alerts and notable events. These cards will make it easier to share your findings and current posture outside the team.

For a comprehensive list of how InsightIDR can help you maintain PCI compliance, check out our PCI DSS v3.2 guide here. If you don't have InsightIDR, check out our interactive product tour to see how it can help unify your data, detect across the attack chain, and prioritize your search with security analytics.
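To make the two card queries above concrete, here is an added example (not code from this post or from InsightIDR) that evaluates the where(...) groupby(...) shape of the 1.3.5 and 8.1.1 cards over constructed firewall and authentication records. The record fields, values and the tiny query grammar are assumptions chosen to mirror the card descriptions, not InsightIDR's real log schema or full LEQL.

```python
"""Added example, not from the Rapid7 post: a minimal evaluator for the
where(field op value) groupby(field) queries behind the PCI cards, run over
constructed log records. Field names and values are assumed, not InsightIDR's."""
from collections import Counter
import re

# Constructed firewall records for the 1.3.5 "Denied Connection Attempts" card.
FIREWALL_LOGS = [
    {"source_address": "10.0.5.21", "destination_port": 443, "connection_status": "ALLOW"},
    {"source_address": "10.0.5.21", "destination_port": 22, "connection_status": "DENY"},
    {"source_address": "10.0.5.21", "destination_port": 3389, "connection_status": "DENY"},
    {"source_address": "192.168.7.9", "destination_port": 80, "connection_status": "DENY"},
    {"source_address": "10.0.5.21", "destination_port": 445, "connection_status": "DENY"},
]

# Constructed asset-authentication records for the 8.1.1 "Shared/Linked Accounts" card.
AUTH_LOGS = [
    {"sourceaccount": "eosborne", "destinationaccount": "eosborne", "asset": "cde-db01"},
    {"sourceaccount": "eosborne", "destinationaccount": "svc_backup", "asset": "cde-db01"},
    {"sourceaccount": "jdoe", "destinationaccount": "svc_backup", "asset": "cde-app02"},
    {"sourceaccount": "jdoe", "destinationaccount": "jdoe", "asset": "cde-app02"},
]

# Assumed grammar: one where() clause with = or !=, followed by one groupby().
QUERY_RE = re.compile(
    r"where\((?P<field>\w+)\s*(?P<op>!=|=)\s*(?P<value>\w+)\)\s*groupby\((?P<group>\w+)\)"
)


def parse_query(query):
    """Split 'where(field op value) groupby(field)' into (field, op, value, group).
    'value' may be a literal (DENY) or the name of another field (destinationaccount)."""
    m = QUERY_RE.fullmatch(query.strip())
    if not m:
        raise ValueError(f"unsupported query: {query}")
    return m.group("field"), m.group("op"), m.group("value"), m.group("group")


def run_card(query, records):
    """Apply the where() filter, then count matching records per groupby key.
    Returns a dict ordered from most to fewest hits, as a card's bar chart would show."""
    field, op, value, group = parse_query(query)
    counts = Counter()
    for rec in records:
        lhs = str(rec.get(field))
        # Field-to-field comparison when 'value' names a field of the record,
        # otherwise a literal comparison (connection_status=DENY).
        rhs = str(rec[value]) if value in rec else value
        matched = (lhs == rhs) if op == "=" else (lhs != rhs)
        if matched:
            counts[rec.get(group)] += 1
    return dict(counts.most_common())


def denied_connections_by_source(records=FIREWALL_LOGS):
    """The 1.3.5 card query from the post, over the constructed firewall records."""
    return run_card("where(connection_status=DENY) groupby(source_address)", records)


def shared_accounts_by_destination(records=AUTH_LOGS):
    """The 8.1.1 card query from the post: logons where the source account differs
    from the destination account, grouped by the account actually being used."""
    return run_card(
        "where(sourceaccount != destinationaccount) groupby(destinationaccount)", records
    )


if __name__ == "__main__":
    print(denied_connections_by_source())    # {'10.0.5.21': 3, '192.168.7.9': 1}
    print(shared_accounts_by_destination())  # {'svc_backup': 2}
```

The 8.1.1 result shows why grouping by destination account is the useful view: svc_backup surfaces as the account two different people are logging in with, which is exactly the shared-credential risk the card is meant to expose.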

More Answers, Less Query Language: Bringing Visual Search to InsightIDR

Sitting down with your data lake and asking it questions has never been easy. In the infosec world, there are additional layers of complexity. Users are bouncing between assets, services, and geographical locations, with each monitoring silo producing its own log files and slivers of the complete picture. From a human perspective, distilling this data requires two unique skillsets:

Incident Response: Is this anomalous activity a false positive, a misconfiguration, or true malicious behavior?

Data Manipulation: What search query should I construct to get what I need? Do I need to build a custom rule for this, or report on this statistic?

We've built InsightIDR with the goal of reducing friction and complexity on both of these fronts. On the incident response side, you're armed with a dossier of user behavior analytics across network, endpoint, and cloud services to make faster, informed decisions. You can now also use Visual Search, which aims to lower the complexity of writing queries and making sense of your wealth of log data. Visual Search was first released in InsightOps, our solution for IT infrastructure monitoring and troubleshooting. It has had a great reception, and we're proud that it's now a shared service also available in InsightIDR. Visual Search identifies anomalies, allows for flexible drill-downs, and helps you build queries without using the Log Entries Query Language (LEQL).

Your First Visual Search

In InsightIDR, start by heading to Log Search. You'll notice that we've refreshed the look and feel, and we're continuously improving the speed and responsiveness of the search technology. A breakdown of the updated interface:

Activate Visual Search by selecting it under the Mode dropdown. At this point, three cards will auto-populate, proactively identifying anomalies from your data. For each data set, we brainstormed with security teams, including our own, to map out interesting starter queries. You can click on the gear to edit, copy, or remove the card. This is the same architecture as the cards in Dashboards, so the suggested queries can improve your LEQL skills and help you see your data differently.

From here, you can click into any of the bars or data points on the card to drill further. For example, for the "Group by destination_port" card, we can click on the 5666 bar. It automatically performs the search query where(destination_port=5666).

Visual Search is a great first step in highlighting "where to look". As each data set is enriched with user and location data, this feature really highlights the user behavior analytics core in InsightIDR. These cards wouldn't be possible to populate from the raw log data alone. By proactively identifying anomalies tailored to each data set, and guiding you towards LEQL search strings, you can find answers while gaining skill along the way. If you don't have InsightIDR, but would like to know how customers are using the combined UBA+SIEM+EDR capabilities, head over to our interactive product tour to explore top use cases.

How Do You Identify Zero-Days and Fileless Malware? Download (the) RAM.

[Banner Source: The ever-handy http://www.downloadmoreram.com.]

When a tactic becomes less and less effective, it's important to shift strategies and adapt. With malware, attackers are doing exactly that. As preventative measures such as antivirus and endpoint detection and response continue to improve, it's harder for commodity and even obfuscated malware to successfully install and persist on target machines unnoticed. The most effective pivot, in this continuous back-and-forth, has been to minimize the footprint left after compromising the system. A favorite method is to use stolen credentials; impersonating company employees and services continues to be the top attack vector behind breaches. A newer range of attacks now takes advantage of built-in administration tools, such as PowerShell and PsExec, that are standard on every Windows machine. This tactic has many names, including:

Process Hollowing
Hijacking Processes
Remote Code Execution

This stealthy type of attack works best on high-value assets that can be assumed to be closely monitored. For example, let's take a case where an attacker has internal corporate network access via a remote access trojan (RAT) on a low-value, unmonitored asset. After running reconnaissance, the attacker may use an exploit kit on a vulnerability to gain access to the high-value asset. Once at Mission Target, they can inject a command & control payload, such as Meterpreter, into a legitimate running process, such as Service Host (svchost.exe). The attacker can then access monetizable files and proceed with data exfiltration. The only traces of this attack exist within Random Access Memory (RAM), rendering it invisible to most antivirus and signature-based detection methods. In fact, if the asset is rebooted, all traces of the attack cease to exist. The attacker can always leave a scheduled task on the system or re-enter the network through the unmonitored asset and laterally move back to the critical target.

Well, how do you identify it then?

Identifying this type of behavior has been a top request from our Managed Detection and Response (MDR) team. We have integrated the CounterTack Digital DNA (DDNA) technology into our MDR offering, which adds an on-demand memory analysis intelligence engine to investigations. This allows our analysts to investigate a layer deeper on customer endpoints and identify processes running with unexpected capabilities. With the Process Memory Analyzer, every running process is analyzed for suspicious capabilities. If the process is performing suspicious behavior, such as injecting code or looking up imported functions by checksum, this is flagged and can be added to the investigation timeline in InsightIDR. In the above screenshot, you'll notice that the feature ranks processes by risk, so it's easy to pick out anomalous processes which may have been victims of process hollowing.

Can I do the same analysis in InsightIDR?

Short answer: stay tuned! We're working closely with CounterTack and our MDR team to ensure this feature is available and intuitive for customers. Once it's out, you'll be the first to know via the guided messaging inside InsightIDR.

This sounds great if I know which assets to investigate. How do I get ahead of that?

Within InsightIDR, we've continued to build our detections library to find attacks other tools miss. For example, you'll receive alerts detecting a wide range of popular pen test and attack tools such as Responder, Mimikatz, and Meterpreter, and can easily deploy the included deception technology for earlier attack chain coverage. Learn more about top customer use cases by exploring our InsightIDR Product Tour. If you leverage our Managed Detection and Response service, that comes with an added layer of 24/7 analyst monitoring, vertical-specific threat intelligence, proactive hunts by our analysts, and of course, the detailed reporting and communication provided by your Customer Advisor.

If you'd like to learn more, Kimberlee Bachman will be hosting a webcast with SecurityWeek: Managed SOC — Why Some Fail. Learn more and register here!

SIEM Security Tools: Four Expensive Misconceptions

Why modern SIEM security solutions can save you from data and cost headaches.

If you want to reliably detect attacks across your organization, you need to see all of the activity that's happening on your network. More importantly, that activity needs to be filtered and prioritized by risk, across assets and users, to help you report on how the team is measurably chipping away at Risk Mountain™. Today, the only solution capable of flexibly ingesting, correlating, and visualizing data from a sprawling tool stack is a SIEM solution. SIEMs don't get a lot of love; some might say their deployment felt like a data lake glacier, where budget dollars flowed in, never to leave. Advances in SIEM tools and customer pain are converging, as organizations are looking to cut losses on stagnant deployments and try a new approach. In this post, let's cover four misconceptions that you won't have to suffer from with today's nimble and adaptive SIEMs.

MISCONCEPTION #1: SIEMs are complex, unwieldy tools that take months to deploy, and a large dedicated staff to keep running.

REALITY: Cloud architecture makes SIEM deployment quicker and maintenance easier than ever before.

More SIEM security tools today offer cloud deployment as an option, so there is no longer the need for a large initial hardware investment. In addition, SIEM providers now provide pre-built analytics in their solutions, so security teams don't need to spend recurring hours setting up and refining detection rules as analysts comb through more and more data. The simpler setup of SIEMs running in the cloud, combined with pre-built analytics, means that an organization can get started with SIEM security technology in just a few days instead of months, and that it won't have to continually add staff to keep the SIEM up and running effectively. When choosing a SIEM, define the use cases you'd like the deployment to tackle and consider a Proof of Concept (POC) before making a purchase; you'll have better expectations for success and see how quickly it can identify threats and risk.

MISCONCEPTION #2: As SIEMs ingest more data, data processing costs skyrocket into the exorbitant.

REALITY: Not all SIEMs come with burdensome cost as deployment size increases.

Traditional SIEM pricing models charge by the quantity of data processed or indexed, but this model penalizes the marketplace. SIEMs become more effective at detecting attacks as more data sources are added over time, especially those that can identify attacker behaviors. As a result, any pricing model that discourages you from adding data sources could hamstring your SIEM's efficacy. Work with your SIEM vendor to determine what data sets you need today and may need in the future, so you can scale effectively without getting burned.

MISCONCEPTION #3: SIEMs aren't great at detection. They should primarily be used once you know where to look.

REALITY: SIEMs with modern analytics can be extremely effective at detecting real-world attack behaviors in today's complex environments.

Related to misconception number two above, if you can't process as many data sources as possible, such as endpoints, networks, and cloud services, then you are potentially limiting your SIEM's ability to detect anomalies and attacks in your environment. In fact, there are many traces of attackers that require the comprehensive data sets fed into a SIEM. Two examples are detecting the use of stolen passwords and lateral movement, extremely common behaviors once an attacker has access to the network. At Rapid7, we detect this by first linking together IP Address > Asset > User data and then using graph mining and entity relationship modeling to track what is "normal" in each environment. Outside of SIEMs and User Behavior Analytics (UBA) solutions, this is incredibly hard to detect. In a nutshell: SIEM security tools need that data to be effective, so if you restrict the data coming in, they won't be as effective. A SIEM with modern analytics will be capable of detecting real-world attack behaviors earlier in the attack chain.

MISCONCEPTION #4: SIEMs can ingest and centralize log files and network data, but have limited coverage for cloud services and remote workers.

REALITY: Today's SIEMs can and should account for data coming in from cloud and endpoints.

Network-only data sources may be the norm for more traditional SIEMs on the market, but newer SIEMs also pull in data from endpoints and cloud services to make sure you're detecting attacker behavior no matter where it may occur. Just as the perimeter has shifted from the corporate network walls to the individual user, SIEMs have had to adapt to collect more data from everywhere these users work, namely endpoints and cloud services. Make sure any SIEM security solution you're considering can integrate these additional data sources, not just traditional log files and network data.

At Rapid7, we feel strongly that customers shouldn't have to deal with these past pitfalls, and this mindset is expressed throughout InsightIDR, our solution for incident detection and response. On Gartner's Peer Insights page, we've been recognized by customers for resetting expectations around time to value and ease of use:

"We are able to monitor many sources with a very small security team and provide our clients with the peace of mind usually only achieved with large security departments."

"[InsightIDR]… on its own, mitigated against 75% of identified threats within our organisation, but with the simplicity of use even my granny could get to grips with."

Want to try InsightIDR at your organization? Start with our on-demand 20 minute demo here, or contact us. We want to learn about your challenges and provide you with answers.

User and Entity Behavior Analytics: A Strategic Primer

If you're investing beyond malware detection, you've probably come across User Behavior Analytics (aka UBA, UEBA, SUBA). Why are organizations deploying UBA, and are they finding value in it? In this primer, let's cover what's being seen in the industry, and then a bit on how we're approaching the problem here at Rapid7.

What Are Organizations Looking For?

According to the 2016 Verizon DBIR, 63% of data breaches involved weak, default, or compromised credentials. Companies have solid coverage for known malware and their network perimeter, but teams now need visibility into normal and anomalous user behavior. Largely, the response has been to deploy SIEM technology to monitor for these threats. While the tech is helping with log aggregation and correlation, teams aren't consistently detecting the stealthy behavior real-world attackers are using to breach networks.

What Are the Analysts Saying About UBA?

Gartner: In their most recent Market Guide for User and Entity Behavior Analytics, they agree that UEBA vendors can help threat detection across a variety of use cases. However, they don't make it easy by listing 29 vendors in the report, so be careful with selection. Perhaps the most striking prediction is that "by 2020, less than five stand-alone UEBA solutions will remain in the market, with other vendors focusing on specific use cases and outcomes."

Forrester: In the July 2016 Forrester report, Vendor Landscape: Security User Behavior Analytics (SUBA), a key takeaway is to "require a SUBA demonstration with your own data." Something everyone is agreeing on is the need for user behavior analytics to be a part of a larger analytics suite, aptly named Security Analytics, which extends beyond SIEM to include network analysis and visibility, endpoint visibility, behavioral analysis, and forensic investigative tools. For more on this shift, we hosted guest speaker Joseph Blankenship, Forrester senior analyst, on the webcast "The Struggle of SIEM".

451 Research: In addition to rallying behind the need to go beyond SIEM with Security Analytics, there's agreement that even in 2017, there will be a shakeout in the UBA space. That doesn't just mean life or death for startup vendors, but also the challenge for large SIEM vendors to incorporate UBA into existing legacy platforms.

IDG: The suggested approach is a security operations and analytics platform architecture (SOAPA). While SIEM technology still plays at the core, SOAPA also includes endpoint detection and response, an incident response platform, network security analytics, UBA, vulnerability management, anti-malware sandboxes, and threat intelligence. While that's certainly a mouthful, the important takeaway is that UBA is only one of the technologies that should work together to detect threats across the entire attack chain.

Questions to Consider

If you're looking at User Behavior Analytics, you've likely already experienced pain with an existing SIEM. Will you have enough resources to maintain both the SIEM deployment and a separate UBA tool? Can you put the technology to the test? If you don't have an internal red team, a great time to POC a UBA vendor is when considering a penetration test. For more, check out our evaluation brief: A Matchmaker's Guide to UBA Solutions. And, for added context on the go, we just released a new episode all about UBA on the Security Nation podcast.

The Rapid7 Take

Since the first GA date of our UBA technology in early 2014, we're proud to be both a first mover and to have hundreds of customers using UBA to monitor their environments. However, we found that UBA technology alone still leaves gaps in detection coverage, forcing teams to jump between portals during every incident investigation. For that reason, InsightIDR, our solution for incident detection and response, combines SIEM, UBA, and Endpoint Detection capabilities, without the traditional burdens involved in deploying each of these technologies independently. In addition to the UBA detecting stealthy behavior, InsightIDR also analyzes real-time endpoint data and uses Deception Technology to reveal behavior unseen by log analysis. Through a robust data search and visualization platform, security teams can bring together log search, user activity, and endpoint data for investigations without jumping between multiple tools. Of course, this is a bold claim; if you'd like to learn more, check out the 3-minute Solution Overview below or our webcast, User Behavior Analytics, as easy as ABC.

London Infosec Assemble: Join us for a SecurityTalk Breakfast Briefing!

January 30th, 9AM: We'll be joining Okta and Code42 for a breakfast brief to share what we're seeing in security today. If you're worried about the security of your cloud services, ransomware, or simply the top attack vectors attackers are succeeding with today, this is a must-attend event.

At Rapid7, we understand you're inundated by the sheer amount of data you need to collect, prioritize, and use to make smart decisions. You may be familiar with us from our vulnerability management solution, Nexpose, and Metasploit, the pen-testing framework which needs little introduction. What's new is that, from our continued research of the attacker and working closely with security teams like yours, we've also released incident detection and response solutions used by hundreds of global orgs today. I'm sure you're familiar with "Detection, not just Prevention," and the need to reliably detect across the entire Attack Chain. Still, infosec teams are spending more than ever on monitoring and detection, yet fail to detect pen tests or stealthy attacker behavior like the use of stolen credentials or lateral movement.

In our presentation, Sam Humphries and I will give a refresher on the top attack vectors behind breaches today, and then share the Rapid7 approach to incident detection and response. This includes the data sources we value and ingest (e.g. Active Directory, cloud services, endpoint logs), as well as how this data powers the user behavior analytics and deception technology in our technology and services. Whether you're an overworked, multiple-hat team of one, or you're at a leading Security Operations Center, we'd love to see you there!

Get additional details and RSVP here: http://r-7.co/2iPReGv

In the meantime, if you'd like to learn more about our Incident Detection & Response offerings, start with our Solutions Page, or check out our 3-minute video of InsightIDR, the SIEM you've always wanted.

SIEM Tools Aren't Dead, They're Just Shedding Some Extra Pounds

Security Information and Event Management (SIEM) is security's Schrödinger's cat. While half of today's organizations have purchased SIEM tools, it's unknown if the tech is useful to the security team… or if its heart is even beating or deployed. In response to this pain, people, mostly marketers, love to shout that SIEM is dead, and analysts are proposing new frameworks with SIEM 2.0/3.0, Security Analytics, User & Entity Behavior Analytics, and most recently Security Operations & Analytics Platform Architecture (SOAPA).

However, SIEM solutions have also evolved from clunky beasts to solutions that can provide value without requiring multiple dedicated resources. While some really want SIEM dead, the truth is it still describes the vision we all share: reliably find insights from security data and detect intruders early in the attack chain. What's happened in this battle of survival of the fittest is that certain approaches and models simply weren't working for security teams and the market.

What exactly has SIEM lost in this sweaty regimen of product development exercise? Three key areas have been tightened and toned to make the tech something you actually want to use.

No More Hordes of Alerts without User Behavior Context

User Behavior Analytics. You'll find this phrase at every SIEM vendor's booth, and occasionally in their technology as well. Why? This entire market segment explosion spawned from two major pain points in legacy SIEM tech: (1) too many false-positive, non-contextual alerts, and (2) a failure to detect stealthy, non-malware attacks, such as the use of stolen credentials and lateral movement.

By tying every action on the network to the users and assets behind them, security teams spend less time retracing user activity to validate and triage alerts, and can detect stealthy, malicious behavior earlier in the attack chain. Applying UBA to SIEM data results in higher quality alerts and faster investigations, as teams are spending less time retracing IPs to users and running tedious log searches.

Detections now Cover Endpoints Without Heavy Lifting

Endpoint Detection and Response. This is another super-hot technology of 2016, and while not every breach originates from the endpoint, endpoints are often an attacker's starting point and provide crucial information during investigations. There are plenty of notable behaviors that, if detected, are reliable signs of "investigate-me" behavior. A couple of examples:

Log Deletion
First Time Admin Action (or detection of privilege exploit)
Lateral Movement

Any SIEM that doesn't offer built-in endpoint detection and visibility, or at the very least automated ways to consume endpoint data (and not just anti-virus scans!), leaves gaps in coverage across the attack chain. Without endpoint data, it's very challenging to have visibility into traveling and remote workers or detect an attacker before critical assets are breached. It can also complicate and slow incident investigations, as endpoint data is critical for a complete story. The below highlights a standard investigation workflow along with the relevant data sources to consult at each step.

Incident investigations are hard. They require both incident response expertise (how many breaches have you been a part of?) and also data manipulation skills to get the information you need. If you can't search for endpoint data from within your SIEM, that slows down the process and may force you to physically access the endpoint to dig deeper. Leading SIEMs today now offer a combination of Agents or an Endpoint Scan to ingest this data, detect local activity, and have it available for investigations. We do all of this and supplement our Endpoint detections with Deception Technology, which includes decoy Honey Credentials that are automatically injected into memory to better detect pass-the-hash and credential attacks.

Drop the Fear, Uncertainty, and Doubt About Data Consumption

There are a lot of things that excite me, for example, the technological singularity, autonomous driving, loading my mind onto a Westworld host. You know what isn't part of that vision? Missing and incomplete data. Today's SIEM solutions derive their value from centralizing and analyzing everything. If customers need to weigh the value of inputting one data set against another, that results in a fractured, frustrating experience. Fortunately, this too is now a problem of the past.

There are a couple of factors behind these winds of change. Memory capacity continues to expand close to a Moore's Law pace, which is fantastic, as our log storage needs are heavier than ever before. Vendors now are offering mature cloud architectures that can securely store and retain log data to meet any compliance need, along with faster search and correlation activity than most on-premise deployments can dream about. The final shift, and one that's currently underway today, is with vendor pricing. Today's models revolve around Events per Second and Data Volume Indexed. But what's the point of considering endpoint, cloud, and log data if the inevitable data volume balloon means the org can't afford to do so? We've already tackled this challenge and customers have been pleased with it. Over the next few years, new and legacy vendors alike will shed existing models to reflect the demand for sensible data pricing that finally arms incident investigators with the data and context they need.

There's a lot of pain with existing SIEM technology; we've experienced it ourselves, from customers, and every analyst firm we've spoken with. However, that doesn't mean the goal isn't worthy or that the technology has continually failed to adapt. Can you think of other ways SIEM vendors have collectively changed their approach over the years? Share it in the comments! If you're struggling with an existing deployment and are looking to augment or replace, check out our webcast, "Demanding More From Your SIEM", for recommendations and our approach to the SIEM you've always wanted.

Deception Technology: Can It Detect Intruders Earlier in their Attack Chain?

Every infosec conference is chatting about the Attack Chain, a visual mapping of the steps an intruder must take to breach a network. If you can detect traces of an attack earlier, you not only have more time to respond, but can stop the unauthorized access to monetizable data and its exfiltration. Even as attackers and pen-testers continue to evolve their techniques, the Attack Chain continues to provide a great baseline framework to map out your security detection program.

Many of today's detection solutions only alert on breach of critical assets or anomalous data exfiltration. At this point, the attacker is already at Mission Target, and the damage is likely already done. Similarly, it's dangerous to over-invest in a particular step – many organizations are focused on detecting malware, but once an attacker has internal access to the network, they have multiple ways to move from Infiltration & Persistence to Mission Target without using malware at all.

This is where Deception Technology comes in. Justin Pagano, our information security lead, remarks in our latest Security Nation podcast, “Deception tech is a subset of detection that focuses on creating an illusion for attackers…for something they want, to make it easier for you to detect when they're going after it.” And that is the most powerful aspect of deception – it can uniquely detect behavior that is otherwise very hard to spot. Let's look at four techniques attackers use every day, and how deception can detect these stealthy behaviors.

1. Attacker has internal network access -> fires off a network scan (e.g. Nmap) to find next targets.

One of the rare times an attacker is at a disadvantage is when he/she first lands on the network. This is because the attacker must learn more about the network infrastructure and where to move next. As these methods of gaining information continue to shift, they become increasingly difficult to detect by monitoring solutions today.
This ranges from running a vulnerability or network scan to traffic collection and manipulation. Even comprehensive SIEM deployments struggle to detect early reconnaissance, as it's challenging to identify by log and traffic analysis alone. A countermeasure is to deploy one or multiple Honeypots across the network: a decoy machine/server with no legitimate function for normal users that lurks and reports if it's been scanned, even if only on a single port.

2. Attacker queries Active Directory to see the full list of users on the network. Tries only 1-2 commonly used passwords (e.g. Fall2016!) across all of those accounts – this is referred to as a vertical brute force.

How would you detect this today? In log files, this would appear as one or two failed authentications per account. There have been cases where an attacker tries a few combinations each week to stay under the radar. This particular attack vector can be detected by creating a dummy user in Active Directory, say, PatchAdmin. This tantalizing user should not have any business purpose or be associated with any employee. If you alert on any authentications to this account, it's a great way to detect that someone is up to no good.

3. Attacker has compromised an employee endpoint. Proceeds to dump credentials / hashes via MimiKatz or other tools. Uses pass-the-hash to continue laterally moving to other machines.

There are a few challenges here. Hash extraction and privilege escalation can be performed using Windows PowerShell, so no outside malware is required to be successful. That means the behavior can evade anti-virus and anti-malware defenses that rely on identifying “known-bad”. Further, most SIEM solutions don't have endpoint visibility, as it's challenging to set up log forwarding and can result in a lot of added data processing costs. Our Insight Agent [PDF] automatically injects a set of fake credentials onto each endpoint.
If this credential is used anywhere else on the network, you'll receive an automatic alert. Of course, the fake credential doesn't grant access to any system, so it is safe to use.

4. Attacker has access to confidential materials and wants to move them off the network. Files in the folder get zipped and then copied elsewhere, often an external drop server or stolen cloud storage account.

There's a layer of complexity here as the attacker might be impersonating a legitimate employee or is a malicious insider themselves. While data exfiltration is late in the attack chain, it's important to detect critical files being copied or modified. Wade Woolwine, director of breach detection and response, notes, “Most of the time, we see command and control actions going over HTTP/HTTPS ports.” This makes exfiltration difficult to detect via firewalls or existing monitoring solutions. One way to tackle this is to create a dummy file (e.g. Q2-Financials.xls) and place it amongst high-value files. By monitoring all actions taken on this Honey File (opening, editing, copying), you can get file-level visibility without the effort of deploying a standalone File Integrity Monitoring solution.

Most importantly, this trap needs to feed into a larger, defense-in-depth detection strategy. It's not hard to identify unauthorized access of critical assets; the challenge is figuring out the users involved, where else the attacker went, and the entire scope of the attack. InsightIDR, our incident detection and response solution, comes standard with this growing library of deception technology: Honeypots, Honey Users, Honey Credentials, and Honey Files. This is used in combination with our User Behavior Analytics and endpoint detection to find intruders earlier in the attack chain. To see our deception technology in action, check out the Solution Short below. Want more?
Check out our latest webcast, “Demanding More from Your SIEM,” for a full demo of InsightIDR and to learn the top pain points in SIEM deployments today.
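The traps described in this post (a Honey User such as PatchAdmin, a Honey File such as Q2-Financials.xls), the vertical brute force in technique 2, and the endpoint log deletion called out in the SIEM post above all reduce to simple rules over authentication and object-access events. The block below is an added example, not InsightIDR code or any Rapid7 code: it runs four such rules over constructed event records modelled on a few fields of Windows Security log entries (event IDs 4624 successful logon, 4625 failed logon, 4663 object access, 1102 audit log cleared). The decoy names follow the post; every host, IP address, user and timestamp is invented sample data, and the spray thresholds are illustrative assumptions.

```python
"""Detection rules for the deception traps and endpoint signals discussed above.

Added example with constructed data; not InsightIDR code.  Event records carry
a few fields modelled on Windows Security log entries:
  4624 = successful logon, 4625 = failed logon,
  4663 = object (file) access, 1102 = audit log cleared.
Decoy names follow the post (PatchAdmin, Q2-Financials.xls); hosts, IPs and
users are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HONEY_USERS = {"patchadmin"}            # decoy AD account with no legitimate use
HONEY_FILES = {"q2-financials.xls"}     # decoy document planted among real files
SPRAY_MIN_ACCOUNTS = 5                  # distinct accounts hit from one source ...
SPRAY_MAX_PER_ACCOUNT = 2               # ... with at most this many failures each
SPRAY_WINDOW = timedelta(hours=24)      # thresholds are illustrative assumptions


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _ev(time, event_id, host, src_ip, user, obj=""):
    return {"time": parse_time(time), "event_id": event_id, "host": host,
            "src_ip": src_ip, "user": user, "object": obj}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _ev("2016-10-03 08:58", 4625, "DC01", "10.1.4.20", "jsmith"),   # typo, benign
    _ev("2016-10-03 08:59", 4625, "DC01", "10.1.4.20", "jsmith"),
    _ev("2016-10-03 09:00", 4624, "WS-017", "10.1.4.20", "jsmith"),
    # one source trying a single password against many accounts
    _ev("2016-10-03 22:01", 4625, "DC01", "10.1.9.77", "alee"),
    _ev("2016-10-03 22:01", 4625, "DC01", "10.1.9.77", "bkhan"),
    _ev("2016-10-03 22:02", 4625, "DC01", "10.1.9.77", "cdiaz"),
    _ev("2016-10-03 22:02", 4625, "DC01", "10.1.9.77", "PatchAdmin"),
    _ev("2016-10-03 22:03", 4625, "DC01", "10.1.9.77", "svc-backup"),
    _ev("2016-10-03 22:03", 4625, "DC01", "10.1.9.77", "jsmith"),
    # decoy file touched, then the local Security log wiped
    _ev("2016-10-04 01:10", 4663, "FS01", "10.1.9.77", "jsmith",
        r"D:\Finance\Q2-Financials.xls"),
    _ev("2016-10-04 01:20", 1102, "WS-017", "", "jsmith"),
]


def detect_honey_user(events):
    """Any logon attempt, successful or not, against a decoy account."""
    return [{"rule": "honey_user", "user": e["user"], "src_ip": e["src_ip"],
             "host": e["host"], "time": e["time"]}
            for e in events
            if e["event_id"] in (4624, 4625) and e["user"].lower() in HONEY_USERS]


def detect_honey_file(events):
    """Any access to a decoy file, whichever folder it was planted in."""
    return [{"rule": "honey_file", "user": e["user"], "host": e["host"],
             "object": e["object"], "time": e["time"]}
            for e in events
            if e["event_id"] == 4663
            and e["object"].replace("\\", "/").rsplit("/", 1)[-1].lower() in HONEY_FILES]


def detect_log_cleared(events):
    """Event 1102 is written when the Security log is cleared."""
    return [{"rule": "log_cleared", "host": e["host"], "user": e["user"],
             "time": e["time"]}
            for e in events if e["event_id"] == 1102]


def detect_password_spray(events):
    """One source, many accounts, few failures each: the pattern a per-account
    lockout threshold never sees.  Sliding window per source address."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["src_ip"]:
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["time"])
        for i, first in enumerate(fails):
            per_account = defaultdict(int)
            for e in fails[i:]:
                if e["time"] - first["time"] > SPRAY_WINDOW:
                    break
                per_account[e["user"].lower()] += 1
            if (len(per_account) >= SPRAY_MIN_ACCOUNTS
                    and max(per_account.values()) <= SPRAY_MAX_PER_ACCOUNT):
                alerts.append({"rule": "password_spray", "src_ip": src,
                               "accounts": sorted(per_account),
                               "first_seen": first["time"]})
                break  # one alert per source; the rest is the same campaign
    return alerts


def run_all(events):
    """Run every rule; each alert names the user and host, not just an IP."""
    return (detect_honey_user(events) + detect_honey_file(events)
            + detect_log_cleared(events) + detect_password_spray(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the two mistyped passwords from 10.1.4.20 raise nothing, while the source that fails once against six accounts trips both the spray rule and, because PatchAdmin was among the targets, the honey-user rule; the decoy-file access and the cleared log each produce one alert. Note that the spray rule only works because the failed-logon records carry the source address, which is the endpoint-visibility point the post makes.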

Demanding More from Your SIEM Tools [Webcast Summary]

Do you suffer from too many vague and un-prioritized incident alerts? What about ballooning SIEM data and deployment costs as your organization expands and ingests more data? You're not alone. Last week, over a hundred infosec folks joined us live for Demanding More out of Your SIEM.

Content Shared in the Webcast

In Gartner's Feb 2016 “Security Information and Event Management Architecture and Operational Processes,” Anton Chuvakin and Augusto Barros recommend a “Run-Watch-Tune” model in order to achieve a “SIEM Win”. For those with a Gartner subscription, check out the full report here.

While some SIEM vendors recommend 10 full-time analysts for a 24/7 SIEM deployment, at least three full-time employees should serve as the foundation of your deployment. A breakdown of core Run, Watch, and Tune responsibilities:

Run: Maintain operational status, monitor uptime, optimize application and system performance.

We recommend: Take stock of your existing network and security stack – are there more data sources you should be integrating? From talking to customers and our Incident Detection & Response research, the top gaps in SIEM integrations are:

DHCP. This integration provides a crucial User-Asset-IP link and powers most User Behavior Analytics solutions today.
Endpoint Data. If local authentications aren't centrally logged, attackers can laterally move between endpoints and go undetected by the SIEM. See 5 Ways Attackers can Evade a SIEM.
Cloud Services. Leading cloud services such as Office 365, Google Apps, and Salesforce expose APIs with audit data, but many SIEMs don't take advantage of this data.

Watch: Using the SIEM for security monitoring and incident investigation.

We recommend: Today's organizations are getting way too many alerts – here's a poll taken during the webcast. Most security teams have to jump between multiple tools during investigations, are getting too many alerts, and are struggling to identify stealthy attacks, such as the use of compromised credentials and lateral movement, that don't require malware to be successful. Most organizations are alerted on unauthorized access to critical assets, but at that point, intruders are already at Mission Target in the Attack Chain. By mapping your detections to the Attack Chain, you can find intruders earlier and kick them out before data exfiltration occurs.

Tune: Customize SIEM content, create rules for specific business use-cases.

We recommend: Building queries requires specialized SIEM skills and experience manipulating large data sets, a scarce skillset that differs from incident investigation & response experience. If you've just been handed the reins to an existing SIEM deployment, it's worth the time to do a rule review. While technology like User Behavior Analytics provides robust detection for today's top attack vectors behind breaches, custom work is still necessary to meet specific business needs, such as compliance or a company-specific detection.

What I Learned from the Audience

Throughout the talk, we asked a few questions to learn from the audience. 71% currently have a SIEM, 11% don't, and 18% don't but are looking to purchase. Current satisfaction with their existing SIEM for Incident Detection and Response was across the board, with answers ranging from 4-8 on a scale of 1-10. The biggest concern was with data costs, the pricing model behind traditional SIEM solutions.

Top questions from our Q&A:

1. What is the best way to detect pass-the-hash techniques over servers?

The key data source is endpoint event logs. Only local authentication logs contain both the source and destination asset. For a full technical breakdown, check out our whitepaper, Why You Need to Detect More than Pass the Hash, with best practices on how to identify the use of compromised credentials.

2. Is there a way to see all InsightIDR integrations on your website?

Yes – to see the full list, which ranges from network events, endpoint data, existing log aggregators or SIEMs, and more, check out the Insight Platform Supported Event Sources doc here.

3. Is there an [InsightIDR] integration with Nexpose or Metasploit?

Yes! Nexpose, our vulnerability management solution, integrates with InsightIDR to provide visibility and security detection across assets and the users behind them. This provides three key benefits:

Put a “face” to your vulnerabilities
Automatically place vulnerable assets under greater scrutiny
Flag users that use actively exploitable assets

Learn more about the Nexpose-InsightIDR integration here. InsightIDR also integrates with Metasploit to track the success of phishing campaigns on your users.

I Want More from My SIEM Deployment: Why InsightIDR?

InsightIDR works by integrating with your existing network and security stack, including Log Aggregators and SIEMs. The first step is unifying your technology and leveraging SIEM, UBA, and EDR capabilities to leave attackers with nowhere to hide. InsightIDR can augment or replace your existing SIEM deployment. Organizations that use InsightIDR in sync with their SIEM especially enjoy:

User Behavior Analytics: Alerts show the actual users and assets affected, not just an IP address. InsightIDR automatically correlates the millions of events generated every day to the users behind them, highlighting notable behaviors to accelerate incident validation and investigations.

Endpoint Detection & Visibility: The blend of the Insight Agent and Endpoint Scan means detection and real-time queries for critical assets and endpoints, even off the corporate network. InsightIDR focuses on detecting intruders earlier in the Attack Chain, meaning you'll be alerted on local lateral movement, privilege escalation, log deletion, and other suspicious behavior happening on your endpoints.

10x Faster Incident Investigations: The security team can bring real-time user behavior, log search, and endpoint data together in a single visual timeline. No more jumping between disparate log files, retracing user activity across multiple IPs, and requiring physical access to the endpoint to answer questions.

If you'd like to learn more, Demanding More from Your SIEM shows a live InsightIDR demo, complete with Q&A from an engaged audience. Or - contact us for a free guided demo!
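The "crucial User-Asset-IP link" that the DHCP integration provides, and the "retracing user activity across multiple IPs" that the Run and Watch recommendations above refer to, come down to one time-aware join. The block below is an added example, not InsightIDR code or any Rapid7 code: it shows the join over three constructed, comma-separated feeds (DHCP lease/release events, interactive logons per host, and firewall denies that carry only a source IP), and the edge case that matters most in practice: the same address belonging to two different machines, and to nobody at all, on the same day. All hosts, addresses, users and the feed formats are invented assumptions.

```python
"""Retracing an IP address to the asset and user behind it, the DHCP link the
Run recommendation above describes.  Added example with constructed logs; not
InsightIDR code.  Three simplified comma-separated feeds are assumed: DHCP
LEASE/RELEASE events, interactive logon events per host, and firewall deny
events keyed only by source IP.  All hosts, IPs and names are invented.
"""
from datetime import datetime

# Constructed DHCP server log: time, action, ip, hostname
DHCP_LOG = """\
2016-10-03 08:00:00,LEASE,10.1.4.20,WS-017
2016-10-03 08:00:00,LEASE,10.1.4.21,WS-018
2016-10-03 12:00:00,RELEASE,10.1.4.20,WS-017
2016-10-03 12:30:00,LEASE,10.1.4.20,LAPTOP-42
"""

# Constructed interactive logon feed from endpoints: time, host, user
AUTH_LOG = """\
2016-10-03 08:05:00,WS-017,jsmith
2016-10-03 08:07:00,WS-018,alee
2016-10-03 12:35:00,LAPTOP-42,mchen
"""

# Constructed firewall log: time, action, src_ip, dst_ip, dst_port
FIREWALL_LOG = """\
2016-10-03 09:10:00,DENY,10.1.4.20,203.0.113.5,445
2016-10-03 12:10:00,DENY,10.1.4.20,203.0.113.5,445
2016-10-03 13:00:00,DENY,10.1.4.20,203.0.113.9,22
2016-10-03 13:05:00,DENY,10.1.4.21,203.0.113.9,22
"""


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_csv(text):
    return [line.split(",") for line in text.strip().splitlines()]


def asset_for_ip(ip, at, dhcp_rows):
    """Hostname holding `ip` at datetime `at`: the latest LEASE at or before
    `at`, unless a RELEASE for that ip followed it.  None if unattributable."""
    current = None
    for ts, action, lease_ip, host in sorted(dhcp_rows):
        if lease_ip != ip or parse_time(ts) > at:
            continue
        current = host if action == "LEASE" else None
    return current


def user_for_asset(host, at, auth_rows):
    """Most recent interactive logon on `host` at or before `at`."""
    user = None
    for ts, logon_host, logon_user in sorted(auth_rows):
        if logon_host == host and parse_time(ts) <= at:
            user = logon_user
    return user


def resolve(ip, at_str, dhcp_rows=None, auth_rows=None):
    """(host, user) behind `ip` at `at_str`; (None, None) if no lease covers it."""
    at = parse_time(at_str)
    dhcp_rows = dhcp_rows if dhcp_rows is not None else parse_csv(DHCP_LOG)
    auth_rows = auth_rows if auth_rows is not None else parse_csv(AUTH_LOG)
    host = asset_for_ip(ip, at, dhcp_rows)
    user = user_for_asset(host, at, auth_rows) if host else None
    return host, user


def attribute_denies(firewall_text=FIREWALL_LOG):
    """Count firewall denies by (host, user) instead of by source IP, so one
    address reused by two machines in a day is not mistaken for one actor."""
    counts = {}
    for ts, action, src, _dst, _port in parse_csv(firewall_text):
        if action != "DENY":
            continue
        host, user = resolve(src, ts)
        key = (host or "unknown", user or "unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in attribute_denies().items():
        print(key, n)
```

Grouping the denies by source address would report three events from 10.1.4.20; resolving each against the lease history at the event's own timestamp splits them into one from jsmith on WS-017, one from mchen on LAPTOP-42, and one from the gap between release and re-lease that cannot be attributed and should stay labelled unknown rather than be guessed.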

InsightIDR & Nexpose Integrate for Total User & Asset Security Visibility

Rapid7's Incident Detection and Response and Vulnerability Management solutions, InsightIDR and Nexpose, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigations by highlighting risk across your network ecosystem without writing queries or digging through logs.

Nexpose proactively identifies & prioritizes weak points on your network, while InsightIDR helps find unknown threats with user behavior analytics, prioritizes where to look with SIEM capabilities, and combines endpoint detection and visibility to leave attackers with nowhere to hide. Let's look at three specific benefits: (1) putting a "face" to your vulnerabilities, (2) automatically placing vulnerable assets under greater scrutiny, and (3) flagging users that use actively exploitable assets.

User Context for Your Vulnerabilities

InsightIDR integrates with your existing network & security infrastructure to create a baseline of your users' activity. By correlating all activity to the users behind it, you're alerted to attacks notoriously hard to detect, such as compromised credentials and lateral movement. When InsightIDR ingests the results of your Nexpose vulnerability scans, vulnerabilities are added to each user's profile. When you search by employee name, asset, or IP address, you get a complete look at their user behavior.

How this saves you time:

See who is affected by what vulnerability – this helps you get buy-in to remediate a vulnerability by putting a face and context on it. (“The CFO has this vulnerability on their laptop – let's prioritize remediation.”)
Have instant context on the user(s) behind an asset, so you accelerate incident investigations and can see if the attacker laterally moved beyond that endpoint.
Proactively reduce your exposed attack surface by verifying key players are not vulnerable.

Automatic Security Detection for Critical Assets

In Nexpose, you can dynamically tag assets as critical. For example, they may be in the IP range of the DMZ or contain a particular software package/service unique to domain controllers. Combined with InsightIDR, that context extends to the users that access these assets. When InsightIDR ingests scan results, assets tagged as critical are labeled in InsightIDR as Restricted Assets. This integration helps you automatically place vulnerable assets under greater detection scrutiny.

Some examples of alerts for Restricted Assets:

First authentication from an unfamiliar source asset: InsightIDR doesn't just alert on the IP address, but whenever possible, shows the exact users involved.
An unauthorized user attempts to log in: This can include a contractor or compromised employee attempting to access a financial server.
A unique or malicious process hash is run on the asset: A single Insight Agent deployed on your endpoints performs both vulnerability scanning and endpoint detection. Our vision is to reliably find intruders earlier in the attack chain, which includes identifying every process running on your endpoints. We run these process hashes against the wisdom of 50 virus scanners to identify malicious processes, as well as identify unique processes for further investigation.
Lateral movement (both local and domain): Once inside your organization's network, intruders typically run a network scan to identify high-value assets. They then laterally move across the network, leaving behind backdoors & stealing higher privilege credentials.
Endpoint log deletion: After compromising an asset, attackers look to delete system logs in order to hide their tracks. This is a high-confidence indicator of compromise.
Anomalous admin activity, including privilege escalation: Once gaining access to an asset or endpoint, attackers use privilege escalation exploits to gain admin access, allowing them to dump creds or attempt pass-the-hash. We identify and alert on anomalous admin activity across your ecosystem.

Identifying Users that Use Exploitable Assets

Many Nexpose customers purchase Metasploit Pro to validate their vulnerabilities and test if assets can be actively exploited in the wild. As an extension of the critical asset functionality above, customers that own all three products can automatically tag assets that are exploited by Metasploit as critical, and thus mark these as restricted assets in InsightIDR. This ensures that assets which are easy to breach are placed under higher scrutiny until the exploitable vulnerabilities are patched.

Configuring the InsightIDR-Nexpose Integration

If you have InsightIDR & Nexpose, setting up the Event Source is easy.

1. In Nexpose, set up a Global Admin.
2. In InsightIDR, on the top right Data Collection tab -> Setup Event Source -> Add Event Source.
3. Add the information about the Nexpose Console (Server IP & Port).
4. Add the credentials of the newly created Global Admin.

And you're all set! If you have any questions, reach out to your Customer Success Manager or Support. Don't have InsightIDR and want to learn how the technology relentlessly hunts threats? Check out an on-demand 20 minute demo here.

Nathan Palanov contributed to this post.

800 Million Compromised Credentials Were Exposed This Month. Were You Notified?

In our previous post on third party breaches, we talked about the risk of public compromised credential leaks providing attackers with another ingress vector. This August, InsightIDR, armed with knowledge from a partner, identified a “Very Large Credentials Dump”. Very large? Over 800 million compromised credentials including usernames, passwords, and password hashes were exposed. This pool includes publicly known credential dumps as well as those where the breach source has not been disclosed, but they are available for attackers to re-purpose.

Across our hundreds of customers using InsightIDR to monitor their ecosystem:

177 alerts were generated across our U.S. customers
50 alerts were generated across our EMEA & APAC customers

Many customers have already reached out to us to learn more about the alert and, whenever possible, we can provide the exposed passwords and hashes to your team. Below is an example of the alert in InsightIDR. By highlighting this security risk, teams can proactively reset passwords before attackers try their hand. Even better, this is only one of the many detections built into InsightIDR to help you find threats earlier in the attack chain, before intruders breach critical assets.

Related Resource: [Video] Understanding the Attack Chain to Detect Intruders

If any users are identified at-risk, one click brings up their user page to see authentications, asset info, cloud services, and more. Today, our corporate emails not only log into network services, but also cloud services such as Office 365, Salesforce, and Box. As InsightIDR has direct API integrations with those services, you'll know about any suspicious authentications, whether it be from an unusual location or anomalous admin activity. By applying User Behavior Analytics to link together IP Addresses, Assets, and Users, InsightIDR detects the top attack vectors behind breaches, including phishing, compromised credentials, and malware.

I received this alert. What can I do?

For affected accounts, we recommend resetting the account password & adding the user to the InsightIDR Watchlist. If you'd like more on the credential dump, please use the in-app feedback button, which automatically opens an InsightIDR support ticket. Alternatively, feel free to email support@rapid7.com. If available, we can further share the exact passwords and hashes in the dump upon request. As an added value, if you have other company-owned domains, we can add the domain name to be monitored for future third party breaches.

I want to receive these alerts. What can I do?

Take a serious look at InsightIDR (you can see an on-demand demo here), which not only combines the best capabilities of SIEM, UBA, and EDR, but prioritizes finding intruders earlier in the attack chain, before they cause damage. See our latest webcast on how organizations are benefiting from User Behavior Analytics, or contact us for a free guided demo.

10 Years Later: What Have We Learned About Incident Response?

When we take a look at the last ten years, what's changed in attacker methodology, and how has it changed our response? Some old-school methods continue to find success - attackers continue to opportunistically exploit old vulnerabilities and use weak/stolen credentials to move around the network. However, the work of the good guys, reliably detecting and responding to threats, has shifted to accommodate an attack surface that now includes mobile devices, cloud services, and a global workforce that expects access to critical information anywhere, anytime.

Today, failure anywhere from incident detection to remediation not only puts your critical data at risk, but can result in an attacker overstaying their welcome. We discussed this topic with our incident response teams, who have responded to hundreds of breaches, to develop a new whitepaper that shares how Incident Response has changed and how they prioritize strategic initiatives today. This comes with a framework we use with customers today to measure and improve security programs. Download your copy of A Decade of Incident Response: IDR Evolution & Evaluation here.

Incident Detection & Response, Then and Now

Since 2006, every step in breach response has continued to evolve – this infographic highlights key differences. For example, breach readiness was an afterthought to availability and optimizing the speed of business processes. Previously, there was little chance of falling victim to a sophisticated targeted attack leveraging a combination of vulnerabilities, compromised credentials, and malware. But today, IT teams are expected to prepare thoroughly in the event of a breach, implementing network defense in depth and organizing and restricting data along least privilege principles. If we look back a decade, it was much easier to retrace how and where an incident occurred and respond accordingly. Today's IR pros must combine expertise in a growing list of areas from forensics to incident management and ensure breach response covers everything from technical analysis to getting the business back up and running.

On the other hand, containment and recovery have continued to improve over the past decade. Thanks to well-rehearsed programs, combined with system image and data restoration processes, IT can return a user's machine in just a day. Security teams can contain threats remotely and use technology to provide scrutiny over previously compromised users/assets.

Incident Response Maturity

You can find out more on all of this in the infographic and the new Rapid7 whitepaper: A Decade of Incident Response. Too many security professionals are concerned with how their programs compare to those of their peers. This is the wrong approach. As you evolve your security program, worry only about one thing: how your program measures up against your attackers. In the paper, you're asked seven questions to determine the maturity of your Incident Detection and Response program. We've based this framework on decades of Rapid7 industry experience and we think it'll provide a great place to start evaluating where you need to make changes. Want to learn more about Rapid7's technology and services for incident detection and response? Check out InsightIDR, which combines the best capabilities of UBA, SIEM, and EDR to relentlessly detect attacks across your network.

[Q&A] User Behavior Analytics as Easy as ABC Webcast

Earlier this week, we had a great webcast all about User Behavior Analytics (UBA). If you'd like to learn why organizations are benefiting from UBA, including how it works, top use cases, and pitfalls to avoid, along with a demo of Rapid7 InsightIDR, check out on-demand: User Behavior Analytics: As Easy as ABC or the UBA Buyer's Tool Kit. During the InsightIDR demo, which includes top SIEM, UBA, and EDR capabilities in a single solution, we had a lot of attendee questions (34!). We grouped the majority of questions into key themes, with seven Q&A listed below. Want more? Leave a comment!

1. Is [InsightIDR] a SIEM?

Yes. We call InsightIDR the SIEM you've always wanted, armed with the detection you'll always need. Built hand-in-hand with incident responders, our focus is to help you reliably find intruders earlier in the attack chain. This is accomplished by integrating with your existing network and security stack, including other log aggregators. However, unlike traditional SIEMs, we require no hardware, come prebuilt with behavior analytics and intruder traps, and monitor endpoints and cloud solutions – all without having to dedicate multiple team members to the project.

2. Is InsightIDR a cloud solution?

Yes. InsightIDR was designed to equip security teams with modern data processing without the significant overhead of managing the infrastructure. Your log data is aggregated on-premise through an Insight Collector, then securely sent to our multi-tenant analytics cloud, hosted on Amazon Web Services. More information on the Insight Platform cloud architecture.

3. Does InsightIDR assist with PCI or SOX compliance, or would I need a different Rapid7 solution?

Not with every requirement, but many, including tricky ones. As InsightIDR helps you detect and investigate attackers on your network, it can help with many unique compliance requirements. The underlying user behavior analytics will save you time retracing user activity (who had what IP?), as well as increase the efficiency of your existing stack (over the past month, which users generated the most IPS alerts?). Most notably, you can aggregate, store, and create dashboards out of your log data to solve tricky requirements like, “Track and Monitor Access to Network Resources and Cardholder Data.” More on how InsightIDR helps with PCI Compliance.

4. Is it possible to see all shadow cloud SaaS solutions used by our internal users?

Yes. InsightIDR gets visibility into cloud services in two ways: (1) direct API integrations with leading services, such as Office 365, Salesforce, and Box, and (2) analyzing Firewall, Web Proxy, and DNS traffic. Through the latter, InsightIDR will identify hundreds of cloud services, giving your team visibility into what's really happening on the network.

5. Where does InsightUBA leave off and InsightIDR begin?

InsightIDR includes everything in InsightUBA, along with major developments in three key areas:

Fully Searchable Data Set
Endpoint Interrogation and Hunting
Custom Compliance Dashboards

For a deeper breakdown, check out “What's the difference between InsightIDR & InsightUBA?”

6. Can we use InsightIDR/UBA with Nexpose?

Yes! Nexpose and InsightIDR integrate to provide visibility and security detection across assets and the users behind them. With this combination, you can see exactly which users have which vulnerabilities, putting a face and context to the vuln. If you dynamically tag assets in Nexpose as critical, such as those in the DMZ or containing a software package unique to domain controllers, those are automatically tagged in InsightIDR as restricted assets. Restricted assets in InsightIDR come with a higher level of scrutiny – you'll receive an alert for notable behavior like lateral movement, endpoint log deletion, and anomalous admin activity.

7. If endpoint devices are not joined to the domain, can the agents collect endpoint information to send to InsightIDR?

Yes. From working with our pen testers and incident response teams, we realize it's essential to have coverage for the endpoint. We suggest customers deploy the Endpoint Scan for the main network, which provides incident detection without having to deploy and manage an agent. For remote workers and critical assets not joined to the domain, our Continuous Agent is available, which provides real-time detection, endpoint interrogation, and even a built-in Intruder Trap, Honey Credentials, to detect pass-the-hash and other password attacks.

Huge thanks to everyone that attended the live or on-demand webcast – please share your thoughts below. If you want to discuss if InsightIDR is right for your organization, request a free guided demo here.
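The second visibility path in answer 4 above, identifying cloud services from DNS (or proxy) traffic rather than from API integrations, is a longest-suffix match of each queried name against a catalog of service domains, followed by a per-user roll-up. The block below is an added example, not InsightIDR code or any Rapid7 code, and it makes no claim about how InsightIDR's catalog is built: the DNS lines, the client-to-user map (assumed to come from a prior IP-to-user attribution step), the five-entry catalog and the sanctioned list are all constructed for illustration.

```python
"""Shadow SaaS inventory from DNS query logs, the traffic-analysis path the
answer above describes.  Added example with constructed data; not InsightIDR
code.  The catalog is illustrative, not a real list of service domains; the
client-to-user map stands in for an earlier IP/asset/user attribution step.
"""
from collections import defaultdict

# Constructed catalog: registrable domain -> service name.
SERVICE_CATALOG = {
    "office365.com": "Office 365",
    "salesforce.com": "Salesforce",
    "box.com": "Box",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
}
SANCTIONED = {"Office 365", "Salesforce", "Box"}   # what IT has approved (assumed)

# Constructed: client IP -> user, as an attribution step would produce.
CLIENT_USERS = {"10.1.4.20": "jsmith", "10.1.4.21": "alee", "10.1.4.22": "mchen"}

# Constructed DNS query log: date, time, client IP, queried name
DNS_LOG = """\
2016-10-03 09:00:01 10.1.4.20 outlook.office365.com
2016-10-03 09:00:05 10.1.4.20 login.salesforce.com
2016-10-03 09:01:10 10.1.4.21 app.box.com
2016-10-03 09:02:00 10.1.4.21 www.dropbox.com
2016-10-03 09:02:30 10.1.4.22 wetransfer.com
2016-10-03 09:03:05 10.1.4.22 intranet.example.internal
2016-10-03 09:03:40 10.1.4.22 notoffice365.com
"""


def service_for(qname):
    """Longest-suffix match on whole labels, so 'outlook.office365.com' maps to
    Office 365 while 'notoffice365.com' (no label boundary) maps to nothing."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in SERVICE_CATALOG:
            return SERVICE_CATALOG[candidate]
    return None


def inventory(dns_text=DNS_LOG):
    """Return (users per service, sorted list of services not on the sanctioned list)."""
    users_by_service = defaultdict(set)
    for line in dns_text.strip().splitlines():
        _date, _time, client, qname = line.split()
        service = service_for(qname)
        if service is None:
            continue  # internal or uncatalogued name
        users_by_service[service].add(CLIENT_USERS.get(client, client))
    report = {svc: sorted(users) for svc, users in users_by_service.items()}
    shadow = sorted(svc for svc in report if svc not in SANCTIONED)
    return report, shadow


if __name__ == "__main__":
    report, shadow = inventory()
    for svc, users in sorted(report.items()):
        print(svc, users, "" if svc in SANCTIONED else "(unsanctioned)")
```

Matching on whole labels from the right is what keeps a lookalike such as notoffice365.com from being counted as Office 365; the unattributed fallback of recording the client IP itself when no user is known keeps unknown machines visible in the report instead of silently dropping them.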
