Rapid7 Blog

Insight platform  

Introducing InsightOps: A New Approach to IT Monitoring and Troubleshooting


Today we are announcing the general availability of a brand new solution: Rapid7 InsightOps. This latest addition to the Insight platform continues our mission to transform data into answers, giving you the confidence and control to act quickly. InsightOps is Rapid7's first IT-specific solution, enabling users to centralize data from infrastructure, assets and applications, so they can monitor and troubleshoot operational issues.

Getting in with the IT crowd

Every day, IT and security teams work hand-in-hand towards keeping their organizations secure, optimized and operational. Yet today's IT environment is more complex than ever. Infrastructure is hosted across physical servers, virtual machines, Docker containers and cloud services. The corporate network is accessed by internal and remote employees, from a mix of known and unknown devices that are all using applications, both internally hosted and cloud-based. This complexity creates enormous amounts of data, dispersed across the modern IT environment. Managing this data is critical, but for most resource-constrained IT and security teams, it's simply too complex or too expensive to monitor it all. And unmonitored IT data creates risk.

That's where Rapid7 comes in. Today, our customers leverage the Rapid7 Insight platform to collect data from across their entire IT environment for identifying security vulnerabilities with Rapid7 InsightVM and catching attackers in the act with Rapid7 InsightIDR. InsightOps builds on this, enabling them to manage and optimize IT operations across their technology landscape.

Introducing Rapid7 InsightOps

We built InsightOps to be easy to set up and scale. It requires no infrastructure to run, no configuration of indexers to search, and you can collect data in any format from anywhere in your environment. With your data centralized in one place, it's easier to then monitor for known issues or anomalous trends. Monitoring with InsightOps helps you proactively address issues before they become widespread.

Ultimately, InsightOps was built for turning IT data into answers. With features like Visual Search and Endpoint Interrogator, it's easier to get answers from your data without ever even having to type a search query. And log data is just the beginning. Sometimes you need answers directly from your IT assets, like what software is running on an employee workstation or which servers are over 75% disk utilization. InsightOps combines log management with IT asset visibility and interrogation, enabling you to trace issues all the way from discovery to resolution.

Ready to transform your unmonitored IT data into answers? Start your free 30-day trial of InsightOps today.

Protecting Your Web Apps with AppSpider Defend Until They Can Be Patched


AppSpider scans can detect exploitable vulnerabilities in your applications, but once these vulnerabilities are detected, how long does it take your development teams to create code fixes for them? In some cases it could take several days to weeks before a fix/patch to resolve the vulnerability can be deployed, and during this time someone could be actively exploiting this issue in your application. AppSpider Defend, which is now integrated into AppSpider Pro, helps to protect your applications until a fix for the identified vulnerabilities is deployed.

Defend allows you to easily create custom defenses for Web Application Firewalls (WAFs), Intrusion Protection Systems (IPS), or Intrusion Detection Systems (IDS), based on the results of vulnerability scans conducted with AppSpider. Using innovative automated rule generation, Defend, part of AppSpider Pro, helps security professionals to patch web application vulnerabilities with custom rules in a matter of minutes, instead of the days or weeks it can take by hand. By removing the need to hand-build a custom WAF or IPS rule, or to rush out a source code patch, Defend gives developers the time to identify the root cause of the problem and fix it in the code.

When you are ready to generate Defend rules, simply:

1. Click on the Load Findings icon.
2. Select the vulnerability summary XML file from a completed AppSpider scan.
3. Determine which of the discovered vulnerabilities you would like to generate Defend rules for.
4. Select the WAF/IDS/IPS that you want to configure with Defend. The currently supported WAF/IDS/IPS solutions are: ModSecurity, SourceFire/Snort, Nitro/Snort, Imperva, Secui/Snort, Akamai, Barracuda, F5, and DenyAll.
5. Click on the Export Rules icon to generate a Defend rules file which can be uploaded into your WAF/IDS/IPS solution.

With these 5 easy steps you can generate a set of Defend rules that, along with your existing WAF/IDS/IPS solution, can help protect against exploits discovered by AppSpider.

Once you have loaded the Defend rule set into your WAF/IDS/IPS solution, you can verify that the Defend protection has been enabled by clicking the Defend Scan icon. This launches a Defend Quick scan, which replays the attacks AppSpider used to discover the vulnerabilities and confirms that those attacks are no longer successful now that the Defend rules are deployed.

For more information on how the Defend functionality works you can review the AppSpider Pro User Guide.
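The workflow above (findings in, WAF rules out, then a replay to confirm the rules hold) is what a "virtual patch" is. The following is an added example, not AppSpider Defend's own code and not its file format: the findings XML layout is constructed for illustration, the ModSecurity rule templates and the per-class patterns are this example's own, and the `would_block` helper stands in for the replay step by testing parameter values locally against the same pattern a rule would carry.

```python
"""Generate endpoint-scoped ModSecurity "virtual patch" rules from scanner
findings and replay a few inputs against them.

Added example, not AppSpider Defend's code: the XML layout below is a
constructed stand-in for a scanner's vulnerability summary, and the rule
templates and patterns are this example's own."""
import re
import xml.etree.ElementTree as ET

# Constructed sample findings (hypothetical layout, not AppSpider's summary XML).
SAMPLE_FINDINGS_XML = """<findings>
  <finding type="sqli" url="/account/view" param="id"/>
  <finding type="xss"  url="/search"       param="q"/>
  <finding type="info" url="/robots.txt"   param=""/>
</findings>"""

# One deliberately coarse pattern per finding class. Because each virtual patch
# is scoped to a single endpoint and parameter, a broad pattern there costs
# little in false positives and buys time until the code fix ships.
PATTERNS = {
    "sqli": r"['\";]|--|/\*|\b(union|select|insert|update|delete|drop)\b",
    "xss": r"[<>]|javascript:|on[a-z]+\s*=",
}


def parse_findings(xml_text):
    """Return (type, url, param) for every finding a rule can be written for."""
    root = ET.fromstring(xml_text)
    return [
        (f.get("type"), f.get("url"), f.get("param"))
        for f in root.findall("finding")
        if f.get("type") in PATTERNS and f.get("param")
    ]


def modsecurity_rule(rule_id, ftype, url, param):
    """Two chained rules: match the vulnerable endpoint first, then inspect
    only the vulnerable parameter, so traffic elsewhere is untouched."""
    return (
        f'SecRule REQUEST_URI "@beginsWith {url}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,chain,'
        f"msg:'Virtual patch: {ftype} via {param}'\"\n"
        f'    SecRule ARGS:{param} "@rx (?i){PATTERNS[ftype]}" "t:urlDecodeUni"'
    )


def generate_rules(xml_text, base_id=900100):
    """Assign consecutive rule ids starting at base_id (an arbitrary choice)."""
    return [
        modsecurity_rule(base_id + i, ftype, url, param)
        for i, (ftype, url, param) in enumerate(parse_findings(xml_text))
    ]


def would_block(ftype, value):
    """Replay one parameter value against the class pattern, mirroring the
    'confirm the attack no longer succeeds' check after the rules are loaded."""
    return re.search(PATTERNS[ftype], value, re.IGNORECASE) is not None


if __name__ == "__main__":
    for rule in generate_rules(SAMPLE_FINDINGS_XML):
        print(rule, end="\n\n")
```

The point of the chain is scoping: the first rule narrows to the URI the scanner flagged, the second inspects only the named parameter after URL-decoding it, and findings without a parameter (the `info` entry) produce no rule at all. A real deployment would still want the generated file reviewed before it goes into a production WAF, and the replay run against the live rule engine rather than a local regex.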

Multiple Vulnerabilities Affecting Four Rapid7 Products


Today, we'd like to announce eight vulnerabilities that affect four Rapid7 products, as described in the table below. While all of these issues are relatively low severity, we want to make sure that our customers have all the information they need to make informed security decisions regarding their networks. If you are a Rapid7 customer who has any questions about these issues, please don't hesitate to contact your customer success manager (CSM), our support team, or leave a comment below.

For all of these vulnerabilities, the likelihood of exploitation is low, due to an array of mitigating circumstances, as explained below. Rapid7 would like to thank Noah Beddome, Justin Lemay, Ben Lincoln (all of NCC Group); Justin Steven; and Callum Carney, the independent researchers who discovered and reported these vulnerabilities and worked with us on pursuing fixes and mitigations.

| Rapid7 ID | CVE           | Product           | Vulnerability                                                       | Status                    |
|-----------|---------------|-------------------|---------------------------------------------------------------------|---------------------------|
| NEX-49834 | CVE-2017-5230 | Nexpose           | Hard-Coded Keystore Password                                        | Fixed (6.4.50-2017-0809)  |
| MS-2417   | CVE-2017-5228 | Metasploit        | stdapi Dir.download() Directory Traversal                           | Fixed (4.13.0-2017020701) |
| MS-2417   | CVE-2017-5229 | Metasploit        | extapi Clipboard.parse_dump() Directory Traversal                   | Fixed (4.13.0-2017020701) |
| MS-2417   | CVE-2017-5231 | Metasploit        | stdapi CommandDispatcher.cmd_download() Globbing Directory Traversal | Fixed (4.13.0-2017020701) |
| PD-9462   | CVE-2017-5232 | Nexpose           | DLL Preloading                                                      | Fixed (6.4.24)            |
| PD-9462   | CVE-2017-5233 | AppSpider Pro     | DLL Preloading                                                      | Fix in progress (6.14.053) |
| PD-9462   | CVE-2017-5234 | Insight Collector | DLL Preloading                                                      | Fixed (1.0.16)            |
| PD-9462   | CVE-2017-5235 | Metasploit Pro    | DLL Preloading                                                      | Fixed (4.13.0-2017022101) |

CVE-2017-5230: Rapid7 Nexpose Static Java Keystore Passphrase

Cybersecurity firm NCC Group discovered a design issue in Rapid7's Nexpose vulnerability management solution, and has released an advisory with the relevant details here. This section briefly summarizes NCC Group's findings, explains the conditions that would need to be met in order to successfully exploit this issue, and offers mitigation advice for Nexpose users.

Conditions Required to Exploit

One feature of Nexpose, as with all other vulnerability management products, is the ability to configure a central repository of service account credentials so that a VM solution can log in to networked assets and perform a comprehensive, authenticated scan for exposed, and patched, vulnerabilities. Of course, these credentials tend to be sensitive, since they tend to have broad reach across an organization's network, and care must be taken to store them safely. The issue identified by NCC Group revolves around our Java keystore for storing these credentials, which is encrypted with a static, vendor-provided password, "r@p1d7k3y5t0r3." If a malicious actor were to get a hold of this keystore, that person could use this password to decrypt and expose all stored scan credentials. While this is not obviously documented, this password is often known to Nexpose customers and Rapid7 support engineers, since it's used in some backup recovery scenarios.

This vulnerability is not likely to offer an attacker much of an advantage, however, since they would need to already have extraordinary control over your Nexpose installation in order to exercise it. This is because you need high-level privileges to be able to actually get hold of the keystore that contains the stored credentials. So, in order to obtain and decrypt this file, an attacker would need to already have at least root/administrator privileges on the server running the Nexpose console, OR have a Nexpose console "Global Administrator" account, OR have access to a backup of a Nexpose console configuration.

If the attacker already has root on the Nexpose console, the jig is up; customers are already advised to restrict access to Nexpose servers through normal operating system and network controls. This level of access would already represent a serious security incident, since the attacker would have complete control over the Nexpose services and could leverage one of any number of techniques to extend privileges to other network assets, such as conducting local man-in-the-middle network monitoring, local memory profiling, or other, more creative techniques to increase access. Similarly, Global Administrator access to the Nexpose console would, at minimum, allow an attacker to obtain a list of every vulnerable system in scope, alter or skip scheduled scans, and create new and malicious custom scan templates.

That leaves Nexpose console backups, which we believe represent the most likely attack vector. Sometimes, backups of critical configurations are stored in networked locations that aren't as secure as the backed-up system itself. We advise against this, for obvious reasons; if backups are not secured at least as well as the Nexpose server itself, it is straightforward to restore the backup to a machine under the attacker's control (where he would have root/administrator), and proceed to leverage that local privilege as above.

Designing a Fix

While encrypting these credentials at rest is clearly important for safety's sake, eventually these credentials do have to be decrypted, and the key to that decryption has to be stored somewhere. After all, the whole point of a scheduled, authenticated scan is to automate logins. Storing that key offline, in an operator's head, means having to deal with a password prompt any time a scan kicks off. This would be a significant change in how the product works, and would be a change for the worse. Designing a workable fix to this exposure is challenging.

The simple solution is to enable users to pick their own passwords for this keystore, or generate one per installation. This would at least force attackers who have gained access to critical network infrastructure to do the work of either cracking the saved keystore, or do the slightly more complicated work of stepping through the decryption process as it executes. Unfortunately, this approach would immediately render existing backups of the Nexpose console unusable -- a fact that tends to only be important at the least opportune time, after a disaster has taken out the hosting server. Given the privilege requirements of the attack, this trade-off, in our opinion, isn't worth the future disaster of unrestorable backups. While we do expect to implement a new strategy for encrypting stored credentials in a future release, care will need to be taken to both ensure that the customer experience with disaster recovery remains the same and that support costs aren't unreasonably impacted by this change.

Mitigations for CVE-2017-5230

As of August of 2017, a fixed version has been released.

CVE-2017-5228, CVE-2017-5229, CVE-2017-5231: Metasploit Meterpreter Multiple Directory Traversal Issues

Metasploit Framework contributor and independent security researcher Justin Steven reported three issues in the way Metasploit Meterpreter handles certain directory structures on victim machines, which can ultimately lead to a directory traversal issue on the Meterpreter client. Justin reported his findings in an advisory, here.

Conditions Required to Exploit

In order to exploit this issue, we need to first be careful when discussing the "attacker" and "victim." In most cases, a user who is loading and launching Meterpreter on a remote computer is the "attacker," and that remote computer is the "victim." After all, few people actually want Meterpreter running on their machine, since it's normally delivered as a payload to an exploit. However, this vulnerability flips these roles around. If a computer acts as a honeypot, and lures an attacker into loading and running Meterpreter on it, that honeypot machine has a unique opportunity to "hack back" at the original Metasploit user by exploiting these vulnerabilities.

So, in order for an attack to be successful, the attacker, in this case, must entice a victim into establishing a Meterpreter session to a computer under the attacker's control. Usually, this will be the direct result of an exploit attempt from a Metasploit user.

Designing a Fix

Justin worked closely with the Metasploit Framework team to develop fixes for all three issues. The fixes themselves can be inspected in the open source Metasploit Framework repository, at Pull Requests 7930, 7931, and 7932, and ensure that data from Meterpreter sessions is properly inspected, since that data can possibly be evil. Huge thanks to Justin for his continued contributions to Metasploit!

Mitigations for CVE-2017-5228, CVE-2017-5229, CVE-2017-5231

In addition to updating Metasploit to at least version 4.3.20, Metasploit users can help protect themselves from the consequences of interacting with a purposefully malicious host with the use of Meterpreter's "Paranoid Mode," which can significantly reduce the threat of this and other undiscovered issues involving malicious Meterpreter sessions.

CVE-2017-5232, CVE-2017-5233, CVE-2017-5234, CVE-2017-5235: DLL Preloading

Independent security researcher Callum Carney reported to Rapid7 that the Nexpose and AppSpider installers ship with a DLL Preloading vulnerability, wherein an attacker could trick a user into running malicious code when installing Nexpose for the first time. Further investigation from Rapid7 Platform Delivery teams revealed that the installation applications for Metasploit Pro and the Insight Collector exhibit the same vulnerability.

Conditions Required to Exploit

DLL Preloading vulnerabilities are well described by Microsoft, here, but in short, DLL preloading vulnerabilities occur when a program fails to specify an exact path to a system DLL; instead, the program can seek that DLL in a number of default system locations, as well as the current directory. In the case of an installation program, that current directory may be a general "Downloads" folder, which can contain binaries downloaded from all sorts of places. If an attacker can convince a victim to download a malicious DLL, store it in the same location as one of the Rapid7 installers identified above, and then install one of those applications, the victim can trigger the vulnerability.

In practice, DLL preloading vulnerabilities occur more often on shared workstations, where the attacker specifically poisons the Downloads directory with a malicious DLL and waits for the victim to download and install an application susceptible to this preloading attack. It is also sometimes possible to exercise a browser vulnerability to download (but not execute) an arbitrary file, and again, wait for the user to run an installer later. In all cases, the attacker must already have write permissions to a directory that contains the Rapid7 product installer. Usually, people only install Rapid7 products once each per machine, so the window of exploitation is also severely limited.

Designing a Fix

In the case of Metasploit Pro, Nexpose, and the Insight Collector, the product installers were updated to define exactly where system DLLs are located, and no longer rely on dynamic searching for missing DLLs. An updated installer for AppSpider Pro will be made available once testing is completed.

Mitigations for CVE-2017-5232, CVE-2017-5233, CVE-2017-5234, CVE-2017-5235

In all cases, users are advised to routinely clean out their "Downloads" folder, as this issue tends to crop up in installer packages in general. Of course, users should be aware of where they are downloading and running executable software, and Microsoft Windows executables support a robust, certificate-based signing procedure that can ensure that Windows binaries are, in fact, what they purport to be. Users who keep historical versions of installers for backup and downgradability purposes should be careful to only launch those installation applications from empty directories, or at least, directories that do not contain unknown, unsigned, and possibly malicious DLLs.

Coordinated Disclosure Done Right

NCC Group, Justin Steven, and Callum Carney all approached Rapid7 with these issues privately, and have proven to be excellent and accommodating partners in reporting these vulnerabilities to us. As a publisher of vulnerability information ourselves, Rapid7 knows that this kind of work can at times be combative, unpleasant, and frustrating. Thankfully, that was not the case with these researchers, and we greatly appreciate their willingness to work with us and lend us their expertise. If you're a Rapid7 customer who has any questions about this advisory, please don't hesitate to contact your regular support channel, or leave a comment below.
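The Meterpreter directory-traversal fixes described in the advisory above come down to one rule: a file name that a session returns (including each name a remote-side wildcard expands to) is attacker-controlled and must never select a local path outside the directory the operator chose. The following is an added example in Python, not Metasploit's own code and not the content of Pull Requests 7930-7932; the destination directory, the sample listing, and the function names are constructed for illustration.

```python
"""Treat file names returned by a remote host as untrusted before writing
them under a local download directory.

Added example, not Metasploit's code: it shows the class of check the
Meterpreter directory-traversal fixes required (CVE-2017-5228, -5229, -5231)."""
import os
import ntpath


class UnsafeRemotePath(ValueError):
    """A remote-supplied name would escape the local destination directory."""


def safe_local_path(dest_dir, remote_name):
    """Map an untrusted remote file name onto a path strictly inside dest_dir.

    Both '/' and '\\' are treated as separators: the remote side may be a
    Windows host, and a hostile host may mix separators deliberately."""
    name = remote_name.replace("\\", "/")
    # Absolute paths, drive letters and UNC prefixes are never acceptable.
    if name.startswith("/") or ntpath.splitdrive(name)[0]:
        raise UnsafeRemotePath(remote_name)
    parts = [p for p in name.split("/") if p not in ("", ".")]
    # Reject empty names and any '..' component before touching the file system.
    if not parts or ".." in parts:
        raise UnsafeRemotePath(remote_name)
    dest = os.path.abspath(dest_dir)
    candidate = os.path.abspath(os.path.join(dest, *parts))
    # Final containment check on the resolved path, as a second line of defence
    # against any separator handling the checks above did not anticipate.
    if os.path.commonpath([dest, candidate]) != dest:
        raise UnsafeRemotePath(remote_name)
    return candidate


def is_safe_remote_name(dest_dir, remote_name):
    """Boolean form of safe_local_path for filtering listings."""
    try:
        safe_local_path(dest_dir, remote_name)
        return True
    except UnsafeRemotePath:
        return False


def filter_remote_listing(dest_dir, names):
    """Split a listing (e.g. the remote side's expansion of a wildcard) into
    names safe to fetch and names to refuse; refused names are reported, not
    silently dropped, so the operator can see the host misbehaving."""
    accepted, rejected = [], []
    for name in names:
        (accepted if is_safe_remote_name(dest_dir, name) else rejected).append(name)
    return accepted, rejected


# Constructed sample listing, as a hostile host might answer a wildcard download.
SAMPLE_LISTING = [
    "app.log",
    "logs/2017-02/error.log",
    "../../outside.txt",
    "..\\..\\outside.txt",
    "/etc/hosts",
    "C:\\Windows\\win.ini",
]

if __name__ == "__main__":
    ok, bad = filter_remote_listing("/tmp/downloads", SAMPLE_LISTING)
    print("accepted:", ok)
    print("rejected:", bad)
```

The two-stage design matters: the lexical checks reject `..`, absolute paths and drive prefixes without consulting the file system, and the `commonpath` check on the resolved path catches anything the lexical pass missed. Checking only one of the two is how traversal bugs of this kind usually survive review.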

Overcome Nephophobia - Don't be a Shadow IT Ostrich!


Every cloud…

When I was much younger and we only had three TV channels, I used to know a lot of Names of Things. Lack of necessity and general old age has meant I've now long since forgotten most of them (but thanks to Google, my second brain, I can generally "remember" them again as long as there's data available). Dinosaurs, trees, wild flowers, and clouds were all amongst the subject matters in which my five-year-old self was a bit of an expert. I would point at the sky and wow my parents with my meteorological prowess, all learnt from the pages of a book. Good times. These days I can manage about three cloud names off the top of my head before reaching for the Internet. Cirrus, stratus, cumulonimbus (OK, I had to double check the last one). Failing memory aside, I still love clouds, and frankly there's little that beats a decent sunset, which wouldn't be anywhere near as good without some clouds.

So assuming you're still reading and not googling cloud names (because it can't just be me), I'd like you to think of a cloud please, an actual one, not a digital one. Chances are it's all fluffy and white, the cumulus (oh yeah) type. Of all the words I could use to describe a cumulus cloud, "scary" isn't one of them. But did you know that Nephophobia, the irrational fear of clouds, is a real condition? Nephophobics struggle to look up into the sky, and in some cases won't even look at a picture of a cloud. Any phobia by its very nature is debilitating, leaving the sufferer feeling anxious at best, or totally unable to function at worst. I live with a six-foot strapping arachnophobe who is reduced to a gibbering wreck at anything larger than a money spider.

Digital Nephophobia

Nephophobia exists in our digital world too. Use of the cloud is written off and immediately written in to policy. "We don't use the cloud" is something I've heard far too frequently. And sometimes "don't" is more "can't" (blocked from doing so by government regulation) or "won't" (we just don't want to, we don't trust it), but actually "do…but don't know it" is more often the reality. This is where anxiety caused by the cloud is at its most valid: lack of visibility into the cloud services your users are already using (aka Shadow IT) is frankly terrifying for anyone concerned with data privacy or data security. I recently met with an IT Security Manager of a global network, who rightly said "if you're not providing the services your users need and expect, then whether you like it or not you are probably being exposed to Shadow IT". Pretending it's not happening won't make it go away either, as many a mauled ostrich will merrily testify.

Digital Therapy

Many phobia therapies involve facing the fear head on. Now I'm not suggesting that the best medicine to cure digital nephophobia is to burn the "we don't use the cloud" policy and open up your network to every cloud service available, far from it. First of all, it's vital to understand what is really happening within your environment now: which cloud services your users have been using without your knowledge. From there you can work out which cloud services you should be formally provisioning, which you should be monitoring, and which you should be locking down. Perform the due diligence: any cloud vendor worth their salt will be able to provide you with the reassurance that their service is secured, with in-depth details of how it is secured, what happens to your data in transit and at rest, how it is segmented from other organisations' data, who has access, and more.

Set yourself free

Once you've worked out what you need, and are confident in the service provider's security processes (which are likely going to be on par with or indeed even better than those in your own network), the weight of digital nephophobia will begin to lift. The benefits of using the cloud are huge: a huge reduction in provisioning, administration, and maintenance overheads for a start. The speed with which you can provide new services compared to the old world of doing it all in-house is staggering; how many times have you heard users moan about how long it takes IT to bring in a new service? Speaking of moaning, how about those 79 bajillion helpdesk tickets and IMs and calls that come in because The Server's Down…Again? Distant memories: uptime is another benefit to embracing cloud services. You'll be in good company too; organisations from every vertical are using the cloud: financial institutions, governments, healthcare, defense, manufacturing, charities, the list goes on and on.

Tackling Shadow IT is the first step in the journey from Nephophobe to Nephophile

Our aforementioned ostrich friend wants to be a lesson to you. If you can't see where your problems are, you can't begin to do something about them, and if you bury your head in the sand you are in dire risk of becoming lion lunch. Visibility into cloud services, whether they are sanctioned or shadow IT services, is a string that every IT Security professional needs to have in their bow. InsightIDR gives you that string (and a whole bunch more too!): at the tips of your fingers lies a wealth of information on which cloud apps are being accessed, who is using them, when they are being used, and how frequently. And you don't have to code a bunch of complex queries to access this information; the interactive dashboard has it all.

Want to learn more about how InsightIDR gives organisations insight into cloud services and user behaviour, and accelerates incident investigations by over 20x (told you there were more bow strings available!)? We'd love to show you a demo. And if you would like to know more about our approach to cloud platform security, you can read all about it right here.

10 Years Later: What Have We Learned About Incident Response?


When we take a look at the last ten years, what's changed in attacker methodology, and how has it changed our response? Some old-school methods continue to find success: attackers continue to opportunistically exploit old vulnerabilities and use weak/stolen credentials to move around the network. However, the work of the good guys, reliably detecting and responding to threats, has shifted to accommodate an attack surface that now includes mobile devices, cloud services, and a global workforce that expects access to critical information anywhere, anytime.

Today, failure anywhere along the path from incident detection to remediation not only results in risk for your critical data, but can result in an attacker overstaying their welcome. We discussed this topic with our incident response teams, who have responded to hundreds of breaches, to develop a new whitepaper that shares how Incident Response has changed and how they prioritize strategic initiatives today. This comes with a framework we use with customers today to measure and improve security programs. Download your copy of A Decade of Incident Response: IDR Evolution & Evaluation here.

Incident Detection & Response, Then and Now

Since 2006, every step in breach response has continued to evolve; this infographic highlights key differences. For example, breach readiness was an afterthought to availability and optimizing the speed of business processes. Previously, there was little chance of falling victim to a sophisticated targeted attack leveraging a combination of vulnerabilities, compromised credentials, and malware. But today, IT teams are expected to prepare thoroughly in the event of a breach, implementing network defense in depth and organizing and restricting data along least privilege principles.

If we look back a decade, it was much easier to retrace how and where an incident occurred and respond accordingly. Today's IR pros must combine expertise in a growing list of areas from forensics to incident management and ensure breach response covers everything from technical analysis to getting the business back up and running. On the other hand, containment and recovery have continued to improve over the past decade. Thanks to well-rehearsed programs, combined with system image and data restoration processes, IT can return a user's machine in just a day. Security teams can contain threats remotely and use technology to provide scrutiny over previously compromised users/assets.

Incident Response Maturity

You can find out more on all of this in the infographic and the new Rapid7 whitepaper: A Decade of Incident Response. Too many security professionals are concerned with how their programs compare to those of their peers. This is the wrong approach. As you evolve your security program, worry only about one thing: how your program measures up against your attackers. In the paper, you're asked seven questions to determine the maturity of your Incident Detection and Response program. We've based this framework on decades of Rapid7 industry experience and we think it'll provide a great place to start evaluating where you need to make changes.

Want to learn more about Rapid7's technology and services for incident detection and response? Check out InsightIDR, which combines the best capabilities of UBA, SIEM, and EDR to relentlessly detect attacks across your network.

Eric Sun

Alert Fatigue: Incident Response Teams Stop Listening to Monitoring Solutions


"Don't Be Noisy." It's that simple. This motto may be the only remaining principle of the concept that entered incubation in mid-2012 and eventually became InsightIDR. Of the pains that our customers shared with us up to that point, there was one very consistent challenge: monitoring products were too noisy. Whether they were talking about a firewall, a web proxy, a SIEM, or a solution that doesn't fit into a simple category, these design partners told us that they were often relying on a "gut feel" to determine if the email alert on their phone warranted a deeper look. This meant that the vast majority of alerts sat forever unread in a folder not named "Inbox". You very likely remember Aesop's fable about "The Boy Who Cried Wolf", but it seemed that these existing security solutions were designed by the small population that forgets the lesson behind it.

So what?

That's the question in your head, right? Well, the "so what?" is that there are some very good reasons why most products don't follow this rule, but two stand out above the rest:

There is a TON of data on your network, so just getting access to it can feel like a massive accomplishment sometimes. This is why "big data security analytics" is such a popular buzzphrase. To lean on a cliché from the sixteenth century, we are in the business of finding the "needle in the haystack". It can be discouraging for someone on the InsightIDR team to spend weeks researching and building a given indicator of compromise (IOC) only to see it get scrapped when it lights up the Rapid7 install of the product that serves as our laboratory. Then, when it passes the sanity test and goes to our customers, it is actually great if it only triggers once every couple of months at each customer.

If you are looking to prove the value of your solution to interested parties, it always helps the POC to alert 200 times on the first day on IOCs missed by other solutions in the customer environment. It gives an obvious "shiny object" for easy budget justification. From this evidence that you cannot live without the solution, it is hard to foresee that your team will probably stop listening to it.

Our resolve strengthened

The motto that we kept, despite the option to take a clearly simpler path, was here to stay once we read the quotes coming from the security teams in the most famous US retail breaches:

Target - "Like any large company, each week at Target there are a vast number of technical events that take place and are logged. Through our investigation, we learned that after these criminals entered our network, a small amount of their activity was logged and surfaced to our team." This was not the clear case of incompetence that many people perceived.

Neiman Marcus - “These 60,000 [alert] entries, which occurred over a three-and-a-half month period, would have been on average around 1 percent or less of the daily entries on these endpoint protection logs, which have tens of thousands of entries every day.” This says it all. Too noisy.

Validation

I am certainly not making claims that we have created a detection solution that will spot everything and never give you a false positive. Anyone that says that is a liar. What I am saying is that we have built noise reduction into InsightIDR. When we added IOCs such as one account authenticating to an administrator account (i.e. impersonation), we did not trust baselining alone to reduce the noise, because account abuse/misuse could potentially get marked as normal in a baseline. We instead opted to have the solution learn from the user what is acceptable and manage any necessary whitelisting/blacklisting to automate the process. The goal here was to alert only when something concerning happens and, if that proves to be a false positive, never alert on it again.

Our approach was recently validated when we spoke with an InsightIDR customer and were told that in their organization of tens of thousands of employees, we alert "5-10 times per day". Every alert is considered valuable. If you want to hear how well we have stuck to our motto, I suggest you start by watching our 20 minute demo.
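The impersonation IOC and the feedback-driven suppression described above, as an added example that is not InsightIDR's code: one account authenticating as a different privileged account raises an alert once, and an analyst marking it a false positive silences that source/target pair from then on, without a frequency baseline that could learn abuse as "normal". The log format, field names and account names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines (added example, not product output); format is an assumption.
SAMPLE_LOG = """\
2017-05-01T08:02:11Z src_user=jdoe target_user=jdoe host=WKS-17 result=success
2017-05-01T08:05:40Z src_user=jdoe target_user=da-backup host=DC01 result=success
2017-05-01T09:11:02Z src_user=asmith target_user=da-backup host=DC01 result=success
2017-05-01T13:44:09Z src_user=jdoe target_user=da-backup host=DC01 result=success
2017-05-01T13:45:09Z src_user=jdoe target_user=da-backup host=DC01 result=failure
"""
ADMIN_ACCOUNTS = {"da-backup", "administrator"}  # assumed privileged accounts
LINE_RE = re.compile(r"^(\S+) src_user=(\S+) target_user=(\S+) host=(\S+) result=(\S+)$")


@dataclass
class ImpersonationDetector:
    admin_accounts: set
    # Pairs an analyst has marked acceptable. No frequency baseline is used:
    # a baseline would learn repeated abuse as "normal"; explicit feedback does not.
    allowed_pairs: set = field(default_factory=set)

    def evaluate(self, line):
        """Return an alert dict when one account authenticates as a privileged other, else None."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, src, target, host, result = m.groups()
        if src == target or target not in self.admin_accounts or result != "success":
            return None
        if (src, target) in self.allowed_pairs:
            return None  # already reviewed and whitelisted: stay quiet
        return {"time": ts, "src_user": src, "target_user": target, "host": host}

    def mark_false_positive(self, alert):
        """Analyst feedback: never alert on this source/target pair again."""
        self.allowed_pairs.add((alert["src_user"], alert["target_user"]))


def run(log_text, detector, known_good=()):
    """Feed lines through the detector; a pair in known_good is marked FP the first time it alerts."""
    alerts = []
    for line in log_text.splitlines():
        alert = detector.evaluate(line)
        if alert is None:
            continue
        alerts.append(alert)
        if (alert["src_user"], alert["target_user"]) in known_good:
            detector.mark_false_positive(alert)
    return alerts
```

With the jdoe/da-backup pair reviewed as legitimate after its first alert, the sample log yields two alerts (the first jdoe event and asmith) instead of three.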

The Insight Platform Goes to Europe: Now Compliant with European Data Hosting Requirement


Cloud technology is everywhere. From our annual survey, we found that 79% of organizations are allowing approved cloud services, with Office 365, Google Apps, and Salesforce coming in as the top 3. InsightIDR, our incident detection and response solution, and InsightUBA, our user behavior analytics solution, are both cloud-based by design and hosted in the US-based Amazon S3 cloud. Driven by market demand, we now offer a European hosting option to help meet regional data hosting compliance requirements. This means when you come aboard, you can choose between Amazon hosting centers in the US and Germany. Bitte sehr! (You're welcome!)

With this flexibility in hosting jurisdiction, you have more choice with regard to privacy laws. Rapid7 will use Amazon Web Services in the EU, which has been declared compliant with EU privacy regulations by the Article 29 Working Party, a European data rights group. With Germany having one of the strongest data privacy laws in the world, your data is well protected. To learn more about the security of the Insight Platform, visit our Rapid7 Trust page.

The Insight Platform Cloud Architecture

We're obsessively focused on detecting and stopping intruders anywhere they go in your ecosystem. InsightIDR and InsightUBA reliably detect intruders taking over user accounts using stealthy attacks, such as stolen credentials and lateral movement. By providing visibility into intruder behavior across the entire network, from the endpoint to the cloud, a security team can respond quickly and with confidence. It eliminates alert fatigue, puts all ecosystem activity into the context of a user, and accelerates incident response time by an order of magnitude.

Below is an architecture diagram showing how we integrate with your network & security stack to send those events securely to the cloud.

European organizations from a wide range of industries are already leveraging InsightIDR and InsightUBA, including technology, retail, professional services, and media. These organizations are driven by the need to detect and stop intruders, speed up incident investigations, and handle their growing mountain of security data without having to deploy a hardware farm.

European hosting is available immediately. If you're interested in how InsightIDR detects intruders earlier in the attack chain, check out our 20-minute on-demand demo video here.

Related Resource: Want to know how to get from compromise to containment fast? Download our Incident Detection and Response Toolkit today.
