Rapid7 Blog

User Behavior Analytics  

SIEM Market Evolution And The Future of SIEM Tools

There’s a lot to be learned by watching a market like SIEM adapt as technology evolves, both for the attackers and the analysis.

Want to try InsightIDR in Your Environment? Free Trial Now Available

InsightIDR, our SIEM powered by user behavior analytics, is now available to try in your environment. This post shares how it can help your security team.

More Answers, Less Query Language: Bringing Visual Search to InsightIDR

Sitting down with your data lake and asking it questions has never been easy. In the infosec world, there are additional layers of complexity. Users are bouncing between assets, services, and geographical locations, with each monitoring silo producing its own log files and slivers of the complete picture. From a human perspective, distilling this data requires two distinct skill sets:

- Incident Response: Is this anomalous activity a false positive, a misconfiguration, or true malicious behavior?
- Data Manipulation: What search query should I construct to get what I need? Do I need to build a custom rule for this, or report on this statistic?

We've built InsightIDR with the goal of reducing friction and complexity on both of these fronts. On the incident response side, you're armed with a dossier of user behavior analytics across network, endpoint, and cloud services to make faster, informed decisions. On the data side, you can now use Visual Search, which aims to lower the complexity of writing queries and making sense of your wealth of log data.

Visual Search was first released in InsightOps, our solution for IT infrastructure monitoring and troubleshooting. It has had a great reception, and we're proud that it's now a shared service also available in InsightIDR. Visual Search identifies anomalies, allows for flexible drill-downs, and helps you build queries without using the Log Entries Query Language (LEQL).

Your First Visual Search

In InsightIDR, start by heading to Log Search. You'll notice that we've refreshed the look and feel; we're continuously improving the speed and responsiveness of the search technology. A breakdown of the updated interface:

Activate Visual Search by selecting it under the Mode dropdown. At this point, three cards will auto-populate, proactively identifying anomalies from your data. For each data set, we brainstormed with security teams, including our own, to map out interesting starter queries.

You can click on the gear to edit, copy, or remove the card. This is the same architecture as the cards in Dashboards, so the suggested queries can improve your LEQL skills and help you see your data differently. From here, you can click into any of the bars or data points on the card to drill further. For example, on the “Group by destination_port” card, we can click on the 5666 bar. It automatically performs the search query where(destination_port=5666).

Visual Search is a great first step in highlighting where to look. Because each data set is enriched with user and location data, this feature really highlights the user behavior analytics core of InsightIDR; these cards could not be populated from the raw log data alone. By proactively identifying anomalies tailored to each data set and guiding you towards LEQL search strings, you can find answers while gaining skill along the way.

If you don't have InsightIDR but would like to know how customers are using the combined UBA+SIEM+EDR capabilities, head over to our interactive product tour to explore top use cases.
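As an added illustration (this is not InsightIDR code and not LEQL), here is what a “Group by destination_port” card and its drill-down actually compute, written in Python over a constructed set of firewall-style log lines. The key=value log layout, the field names, and the rarity threshold used to call a port anomalous are assumptions made for the example; the where() helper mirrors the where(destination_port=5666) query the post describes.

```python
"""Added example (not InsightIDR or LEQL): the aggregation behind a
"Group by destination_port" card, a rarity-based anomaly pick, and the
drill-down filter that where(destination_port=5666) performs."""
from collections import Counter
import re

# Constructed firewall-style log lines (not real data). The key=value layout
# and field names are assumptions chosen to match the card in the post.
SAMPLE_LOGS = """\
2017-03-01T08:00:01Z action=allow src=10.0.1.15 dst=10.0.2.5 destination_port=443 user=alice
2017-03-01T08:00:07Z action=allow src=10.0.1.15 dst=10.0.2.5 destination_port=443 user=alice
2017-03-01T08:00:09Z action=allow src=10.0.1.15 dst=10.0.2.2 destination_port=53 user=alice
2017-03-01T08:01:12Z action=allow src=10.0.1.22 dst=10.0.2.5 destination_port=443 user=bob
2017-03-01T08:01:15Z action=allow src=10.0.1.22 dst=10.0.2.5 destination_port=443 user=bob
2017-03-01T08:01:16Z action=allow src=10.0.1.22 dst=10.0.2.2 destination_port=53 user=bob
2017-03-01T08:02:40Z action=allow src=10.0.1.22 dst=10.0.2.7 destination_port=445 user=bob
2017-03-01T08:03:02Z action=allow src=10.0.1.31 dst=10.0.2.5 destination_port=443 user=carol
2017-03-01T08:03:05Z action=allow src=10.0.1.31 dst=10.0.2.5 destination_port=443 user=carol
2017-03-01T08:03:06Z action=allow src=10.0.1.31 dst=10.0.2.2 destination_port=53 user=carol
2017-03-01T08:04:21Z action=allow src=10.0.1.31 dst=10.0.2.7 destination_port=445 user=carol
2017-03-01T08:05:44Z action=allow src=10.0.1.22 dst=10.0.2.9 destination_port=5666 user=bob
2017-03-01T08:06:01Z action=allow src=10.0.1.15 dst=10.0.2.5 destination_port=443 user=alice
2017-03-01T08:06:30Z action=allow src=10.0.1.40 dst=10.0.2.5 destination_port=443 user=dave
2017-03-01T08:06:31Z action=allow src=10.0.1.40 dst=10.0.2.2 destination_port=53 user=dave
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(text):
    """Turn each log line into a dict of its key=value fields plus the timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(KV_RE.findall(line))
        fields["timestamp"] = line.split(" ", 1)[0]
        events.append(fields)
    return events


def group_by(events, field):
    """The card itself: how many events carry each value of `field`."""
    return Counter(e[field] for e in events if field in e)


def rare_values(counts, max_share=0.1):
    """Assumed anomaly heuristic: values seen in under 10% of events."""
    total = sum(counts.values())
    return sorted(v for v, n in counts.items() if n / total < max_share)


def where(events, **conditions):
    """Drill-down filter; where(destination_port=5666) in LEQL terms."""
    return [e for e in events
            if all(e.get(k) == str(v) for k, v in conditions.items())]


def destination_port_card(text):
    """Build the card, pick its rare bars, and pre-compute each bar's drill-down."""
    events = parse_logs(text)
    counts = group_by(events, "destination_port")
    rare = rare_values(counts)
    drilldowns = {port: where(events, destination_port=port) for port in rare}
    return counts, rare, drilldowns


if __name__ == "__main__":
    counts, rare, drilldowns = destination_port_card(SAMPLE_LOGS)
    for port, n in counts.most_common():
        print(f"destination_port={port}: {n}")
    for port in rare:
        for e in drilldowns[port]:
            print(f"rare port {port}: {e['timestamp']} {e['user']} {e['src']} -> {e['dst']}")
```

Running it ranks 443, 53 and 445 as the busy bars and singles out 5666 as the rare one; the drill-down on that bar returns the single event that produced it, which is exactly the pivot a click on the card performs, and the point at which the user and asset enrichment the post mentions becomes useful.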

Want to bolster your security program? Keep users from making decisions.

How many times have you witnessed security problems caused by a user making bad decisions? I'd venture to guess at least a few dozen, if not hundreds. We've all seen where the perfect storm forms through weaknesses in technical controls, user training, and, most often, common sense, and the outcome is not good. Best case it's ransomware or a similar malware infection. Beyond that, the sky is the limit. Before your organization suffers a breach and has to answer to the news media and lawyers, there's one thing that you have to do: keep your users out of the security decision-making process.

Those of us working in IT and security are not in the business of making people feel good about their jobs. Rather, it's our duty to make sure that everyone is set up for success in day-to-day business processes. Every time you have a user faced with a security decision, such as whether or not to click a link, setting a weak or a strong password, or updating software on their computers, you give away your power and put it in the hands of your users, where it does not belong. I understand that it's difficult to manage a network environment, especially when you feel like users are working against your efforts every day. If anything, that should give you that much more of a reason to keep them from making security decisions in the first place.

I don't think it's insensitive or demeaning to keep people from having to make security decisions. They're not security experts. I know, your annual user awareness training session and security policies are supposed to cover all of that, but reality usually tells a different story. Like it or not, people make bad decisions, and you have to do what it takes to keep them from doing so. In many cases, you can do this with technology. For example, in the case of passwords, if people are given the option to select a weak password, they will, most of the time. Ditto for backing up their data, updating their software, opening attachments, and so on. Throughout human history, we have seen that people will, by and large, take the path of least resistance: what's easiest and what's going to get them what they need sooner rather than later. Instant gratification is the name of the game.

Start thinking about how you can set your users, your business, and especially yourself up for success by taking users out of the security equation. Look at your business workflows. Look at your user onboarding process. Look at your challenges with shadow IT, BYOD, and the like. It's everywhere across your organization. Some things are obvious. Others, not so much. But if you look long enough and hard enough, you'll find the areas where you need to control things using technology, process adjustments, or just eliminating the situation altogether. If you continue to ignore this security challenge, your users will continue to make bad security choices, period. That's not what you want. Be proactive. Take charge. I strongly believe that if you spend enough time and effort in this one area of security, you can make huge strides towards minimizing your IT-related business risks.

User and Entity Behavior Analytics: A Strategic Primer

If you're investing beyond malware detection, you've probably come across User Behavior Analytics (aka UBA, UEBA, SUBA). Why are organizations deploying UBA, and are they finding value in it? In this primer, let's cover what's being seen in the industry, and then a bit on how we're approaching the problem here at Rapid7.

What Are Organizations Looking For?

According to the 2016 Verizon DBIR, 63% of data breaches involved weak, default, or compromised credentials. Companies have solid coverage for known malware and their network perimeter, but teams now need visibility into normal and anomalous user behavior. Largely, the response has been to deploy SIEM technology to monitor for these threats. While the tech is helping with log aggregation and correlation, teams aren't consistently detecting the stealthy behavior real-world attackers are using to breach networks.

What Are the Analysts Saying About UBA?

Gartner: In their most recent Market Guide for User and Entity Behavior Analytics, they agree that UEBA vendors can help threat detection across a variety of use cases. However, they don't make it easy, listing 29 vendors in the report, so be careful with selection. Perhaps the most striking prediction is that “by 2020, less than five stand-alone UEBA solutions will remain in the market, with other vendors focusing on specific use cases and outcomes.”

Forrester: In the July 2016 Forrester report, Vendor Landscape: Security User Behavior Analytics (SUBA), a key takeaway is to “require a SUBA demonstration with your own data.” Something everyone agrees on is the need for user behavior analytics to be part of a larger analytics suite, aptly named Security Analytics, which extends beyond SIEM to include network analysis and visibility, endpoint visibility, behavioral analysis, and forensic investigative tools. For more on this shift, we hosted guest speaker Forrester senior analyst Joseph Blankenship on the webcast “The Struggle of SIEM”.

451 Research: In addition to rallying behind the need to go beyond SIEM with Security Analytics, there's agreement that even in 2017 there will be a shakeout in the UBA space. That doesn't just mean life or death for startup vendors, but also the challenge for large SIEM vendors to incorporate UBA into existing legacy platforms.

IDG: The suggested approach is a security operations and analytics platform architecture (SOAPA). While SIEM technology still plays at the core, SOAPA also includes endpoint detection and response, an incident response platform, network security analytics, UBA, vulnerability management, anti-malware sandboxes, and threat intelligence. While that's certainly a mouthful, the important takeaway is that UBA is only one of the technologies that should work together to detect threats across the entire attack chain.

Questions to Consider

If you're looking at User Behavior Analytics, you've likely already experienced pain with an existing SIEM. Will you have enough resources to maintain both the SIEM deployment and a separate UBA tool? Can you put the technology to the test? If you don't have an internal red team, a great time to POC a UBA vendor is when considering a penetration test. For more, check out our evaluation brief: A Matchmaker's Guide to UBA Solutions. And for added context on the go, we just released a new episode all about UBA on the Security Nation podcast.

The Rapid7 Take

Since the first GA date of our UBA technology in early 2014, we're proud to be both a first mover and to have hundreds of customers using UBA to monitor their environments. However, we found that UBA technology alone still leaves gaps in detection coverage, forcing teams to jump between portals during every incident investigation. For that reason, InsightIDR, our solution for incident detection and response, combines SIEM, UBA, and endpoint detection capabilities without the traditional burdens involved in deploying each of these technologies independently. In addition to the UBA detecting stealthy behavior, InsightIDR also analyzes real-time endpoint data and uses Deception Technology to reveal behavior unseen by log analysis. Through a robust data search and visualization platform, security teams can bring together log search, user activity, and endpoint data for investigations without jumping between multiple tools. Of course, this is a bold claim; if you'd like to learn more, check out the below 3-minute Solution Overview or our webcast, User Behavior Analytics, as easy as ABC.

SIEM Tools Aren't Dead, They're Just Shedding Some Extra Pounds

Security Information and Event Management (SIEM) is security's Schrödinger's cat. While half of today's organizations have purchased SIEM tools, it's unknown if the tech is useful to the security team… or if its heart is even beating or deployed. In response to this pain, people, mostly marketers, love to shout that SIEM is dead, and analysts are proposing new frameworks with SIEM 2.0/3.0, Security Analytics, User & Entity Behavior Analytics, and most recently Security Operations & Analytics Platform Architecture (SOAPA).

However, SIEM solutions have also evolved from clunky beasts to solutions that can provide value without requiring multiple dedicated resources. While some really want SIEM dead, the truth is it still describes the vision we all share: reliably find insights from security data and detect intruders early in the attack chain. What's happened in this battle of survival of the fittest is that certain approaches and models simply weren't working for security teams and the market. What exactly has SIEM lost in this sweaty regimen of product development exercise? Three key areas have been tightened and toned to make the tech something you actually want to use.

No More Hordes of Alerts without User Behavior Context

User Behavior Analytics. You'll find this phrase at every SIEM vendor's booth, and occasionally in their technology as well. Why? This entire market segment explosion spawned from two major pain points in legacy SIEM tech: (1) too many false-positive, non-contextual alerts, and (2) failure to detect stealthy, non-malware attacks, such as the use of stolen credentials and lateral movement. By tying every action on the network to the users and assets behind them, security teams spend less time retracing user activity to validate and triage alerts, and can detect stealthy, malicious behavior earlier in the attack chain. Applying UBA to SIEM data results in higher-quality alerts and faster investigations, as teams spend less time retracing IPs to users and running tedious log searches.

Detections Now Cover Endpoints Without Heavy Lifting

Endpoint Detection and Response. This is another super-hot technology of 2016, and while not every breach originates from the endpoint, endpoints are often an attacker's starting point and provide crucial information during investigations. There are plenty of notable behaviors that, if detected, are reliable signs of “investigate-me” behavior. A couple of examples:

- Log deletion
- First-time admin action (or detection of privilege exploit)
- Lateral movement

Any SIEM that doesn't offer built-in endpoint detection and visibility, or at the very least automated ways to consume endpoint data (and not just anti-virus scans!), leaves gaps in coverage across the attack chain. Without endpoint data, it's very challenging to have visibility into traveling and remote workers or to detect an attacker before critical assets are breached. It can also complicate and slow incident investigations, as endpoint data is critical for a complete story. The below highlights a standard investigation workflow along with the relevant data sources to consult at each step.

Incident investigations are hard. They require both incident response expertise (how many breaches have you been a part of?) and data manipulation skills to get the information you need. If you can't search for endpoint data from within your SIEM, that slows down the process and may force you to physically access the endpoint to dig deeper. Leading SIEMs today offer a combination of agents or an endpoint scan to ingest this data, detect local activity, and have it available for investigations. We do all of this and supplement our endpoint detections with Deception Technology, which includes decoy honey credentials that are automatically injected into memory to better detect pass-the-hash and credential attacks.

Drop the Fear, Uncertainty, and Doubt About Data Consumption

There are a lot of things that excite me: for example, the technological singularity, autonomous driving, loading my mind onto a Westworld host. You know what isn't part of that vision? Missing and incomplete data. Today's SIEM solutions derive their value from centralizing and analyzing everything. If customers need to weigh the value of inputting one data set against another, the result is a fractured, frustrating experience. Fortunately, this too is now a problem of the past.

There are a couple of factors behind these winds of change. Storage capacity continues to expand at close to a Moore's Law pace, which is fantastic, as our log storage needs are heavier than ever before. Vendors now offer mature cloud architectures that can securely store and retain log data to meet any compliance need, along with faster search and correlation than most on-premise deployments can dream about. The final shift, and one that's currently underway today, is with vendor pricing. Today's models revolve around events per second and data volume indexed. But what's the point of considering endpoint, cloud, and log data if the inevitable data volume balloon means the org can't afford to do so? We've already tackled this challenge and customers have been pleased with it. Over the next few years, new and legacy vendors alike will shed existing models to reflect the demand for sensible data pricing that finally arms incident investigators with the data and context they need.

There's a lot of pain with existing SIEM technology; we've experienced it ourselves, from customers, and from every analyst firm we've spoken with. However, that doesn't mean the goal isn't worthy or that the technology has failed to adapt. Can you think of other ways SIEM vendors have collectively changed their approach over the years? Share it in the comments! If you're struggling with an existing deployment and are looking to augment or replace, check out our webcast, “Demanding More From Your SIEM”, for recommendations and our approach to the SIEM you've always wanted.
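To make the user-to-asset tie-in, the endpoint detections, and the honey-credential trip-wire discussed in this post concrete, here is an added example (not Rapid7 or InsightIDR code). DHCP leases resolve a source IP to the asset that held it at that moment (the same User-Asset-IP link the webcast summary on this page calls the top SIEM integration gap), a baseline of each user's prior logons is built from authentication events, and three rules then run over new events: any use of a decoy account, a user's first admin action, and a network logon to a host the user has never touched, made from a workstation. The Windows event IDs (4624 logon, 4672 special privileges assigned), the key=value log layout, the decoy account name svc_backup_decoy, and the WS- naming convention for workstations are all assumptions, and every log line is constructed.

```python
"""Added example (not Rapid7 code): user-asset-IP correlation from DHCP
leases plus three endpoint-style detections over constructed auth events."""
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease log: when an IP was handed to which asset. Note that
# 10.0.1.22 moves from WS-BOB to WS-DAVE at 09:30 on 2017-03-01.
DHCP_LEASES = """\
2017-03-01T07:55:00 ip=10.0.1.22 mac=00:11:22:33:44:55 hostname=WS-BOB
2017-03-01T07:56:00 ip=10.0.1.15 mac=00:11:22:33:44:66 hostname=WS-ALICE
2017-03-01T09:30:00 ip=10.0.1.22 mac=00:11:22:33:44:77 hostname=WS-DAVE
"""

# Constructed authentication events. Assumed Windows-style IDs: 4624 logon,
# 4672 special privileges assigned (an admin logon). logon_type=3 is a network
# logon, logon_type=2 an interactive one. Events before BASELINE_END are the
# history used to profile "normal"; later events are what we detect on.
AUTH_EVENTS = """\
2017-02-20T08:00:00 event=4624 logon_type=2 user=bob host=WS-BOB src_ip=-
2017-02-20T08:10:00 event=4624 logon_type=2 user=alice host=WS-ALICE src_ip=-
2017-02-21T08:05:00 event=4624 logon_type=3 user=bob host=FILESRV01 src_ip=10.0.1.22
2017-02-22T09:00:00 event=4624 logon_type=3 user=alice host=FILESRV01 src_ip=10.0.1.15
2017-02-22T09:00:00 event=4672 logon_type=3 user=alice host=FILESRV01 src_ip=10.0.1.15
2017-03-01T08:00:00 event=4624 logon_type=2 user=bob host=WS-BOB src_ip=-
2017-03-01T08:40:00 event=4624 logon_type=3 user=bob host=FILESRV01 src_ip=10.0.1.22
2017-03-01T08:41:00 event=4624 logon_type=3 user=bob host=DC01 src_ip=10.0.1.22
2017-03-01T08:41:00 event=4672 logon_type=3 user=bob host=DC01 src_ip=10.0.1.22
2017-03-01T08:42:00 event=4624 logon_type=3 user=svc_backup_decoy host=DC01 src_ip=10.0.1.22
2017-03-01T09:45:00 event=4624 logon_type=3 user=dave host=FILESRV01 src_ip=10.0.1.22
"""

HONEY_ACCOUNTS = {"svc_backup_decoy"}      # assumed decoy account planted in memory
BASELINE_END = datetime(2017, 3, 1)        # assumed split between history and live data


def parse_kv_lines(text):
    """One record per line: ISO timestamp followed by key=value pairs, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        rec = dict(pair.split("=", 1) for pair in rest.split())
        rec["ts"] = datetime.fromisoformat(ts)
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


class AssetResolver:
    """Answers 'which asset held this IP at this time?' from the DHCP lease history."""

    def __init__(self, leases):
        self.leases = leases  # already time-ordered by parse_kv_lines

    def resolve(self, ip, ts):
        owner = None
        for lease in self.leases:
            if lease["ip"] == ip and lease["ts"] <= ts:
                owner = lease["hostname"]  # a later lease overrides an earlier one
        return owner


def asset_for(dhcp_text, ip, when):
    """Convenience wrapper: resolve an IP at an ISO timestamp string."""
    return AssetResolver(parse_kv_lines(dhcp_text)).resolve(ip, datetime.fromisoformat(when))


def build_profiles(events):
    """Per-user baseline: hosts they have logged on to, and whether they have been admin."""
    profiles = defaultdict(lambda: {"hosts": set(), "admin": False})
    for e in events:
        p = profiles[e["user"]]
        p["hosts"].add(e["host"])
        if e["event"] == "4672":
            p["admin"] = True
    return profiles


def detect(events, profiles, resolver):
    """Run the three rules over new events; each alert names the source asset, not just the IP."""
    alerts = []
    for e in events:
        user, host = e["user"], e["host"]
        src_asset = host if e["src_ip"] == "-" else resolver.resolve(e["src_ip"], e["ts"])
        if user in HONEY_ACCOUNTS:                  # decoy credential: any use is an alert
            alerts.append(("honey_credential_use", user, host, src_asset))
            continue
        if user not in profiles:                    # assumption: unknown users need a baseline first
            continue
        p = profiles[user]
        if e["event"] == "4672" and not p["admin"]:
            alerts.append(("first_admin_action", user, host, src_asset))
            p["admin"] = True
        is_net_logon = e["event"] == "4624" and e["logon_type"] == "3"
        if is_net_logon and host not in p["hosts"] and src_asset and src_asset.startswith("WS-"):
            alerts.append(("lateral_movement", user, host, src_asset))
        p["hosts"].add(host)                        # only the first visit to a host alerts
    return alerts


def run(dhcp_text, auth_text):
    events = parse_kv_lines(auth_text)
    baseline = [e for e in events if e["ts"] < BASELINE_END]
    window = [e for e in events if e["ts"] >= BASELINE_END]
    return detect(window, build_profiles(baseline), AssetResolver(parse_kv_lines(dhcp_text)))


if __name__ == "__main__":
    for alert in run(DHCP_LEASES, AUTH_EVENTS):
        print(alert)
```

On the sample data bob's routine logon to FILESRV01 is silent, his first network logon to DC01 from WS-BOB fires lateral_movement, the 4672 that follows fires first_admin_action, and the decoy account's use fires honey_credential_use. The last lease shows why the DHCP join has to be time-aware: at 09:45 the same IP belongs to WS-DAVE, so attributing it to WS-BOB would send the investigation to the wrong machine.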

User Behavior Analytics and Privacy: It's All About Respect

When I speak with prospects and customers about incident detection and response (IDR), I'm almost always discussing the technical pros and cons. Companies look to Rapid7 to combine user behavior analytics (UBA) with endpoint detection and log search to spot malicious behavior in their environment. It's an effective approach: an analytics engine that triggers on known attack methods as well as on users straying from their normal behavior results in high-fidelity detection. Our conversations center on technical features and objections: how can we detect lateral movement, or what does the endpoint agent do, and how can we manage it? That's the nature of technical sales, I suppose. I'm the sales engineer, and the analysts and engineers I'm speaking with want to know how our stuff works. The content can be complex at times, but the nature of the conversation is simple.

An important conversation that is not so simple, and that I don't have often enough, is a discussion of privacy and IDR. Privacy is a sensitive subject in general, and over the last 15 years (or more) the security community has drawn battle lines between privacy and security. I'd like to talk about the very real privacy concerns that organizations have when it comes to the data collection and behavioral analysis that is the backbone of any IDR program. Let's start by listing some of the things that make employers and employees leery about incident detection and response:

- It requires collecting virtually everything about an environment. That means which systems users access and how often, which links they visit, interconnections between different users and systems, where in the world users log in from, and so forth. For certain solutions, this can extend to recording screen actions and messages between employees.
- Behavioral analysis means that something is always “watching,” regardless of the activity.
- A person needs to be able to access this data, and sift through it relatively unrestricted.

I've framed these bullets in an intentionally negative light to emphasize the concerns. In each case, the entity that either creates or owns the data does not have total control, or doesn't know what's happening to the data. These are many of the same concerns privacy advocates raise when large-scale government data collection and analysis comes up. Disputes regarding the utility of collection and analysis are rare. The focus is on what else could happen with the data, and the host of potential abuses and misuses available. I do not dispute these concerns, but I contend that they are much more easily managed in a private organization. Let's recast the bullets above into questions an organization needs to answer.

Which parts of the organization will have access to this system?

Consider first the collection of data from across an enterprise. For an effective IDR program, we want to pull authentication logs (centrally and from endpoints; don't forget those local users!), DNS logs, DHCP logs, firewall logs, VPN, proxy, and on and on. We use this information to profile “normal” for different users and assets, and then call out the aberrations. If I log into my workstation at 8:05 AM each morning and immediately jump over to ESPN to check on my fantasy baseball team (all strictly hypothetical, of course), we'll be able to see that in the data we're collecting. It's easy to see how this makes employees uneasy. Security can see everything we're doing, and that's none of their business! I agree with this sentiment. However, taking a magnifying glass to typical user behavior, such as websites visited or messages sent, isn't the most useful data for the security team. It might be interesting to a human resources department, but this is where checks and balances need to start.

An information security team looking to bring in real IDR capabilities needs to take a long and hard look at its internal policies and decide what to do with information on user behavior. If I were running a program, I would make a big point of keeping this data restricted to security and out of the hands of HR. It's not personal, HR; there's just no benefit to allowing witch hunts to happen. It'll distract from the real job of security and alienate employees. One of the best alerting mechanisms in every organization isn't technology, it's the employees. If they think that every time they report something it's going to put a magnifying glass on every inane action they take on their computer, they're likely to stop speaking up when weird stuff happens. Security gets worse when we start using data collected for IDR purposes for non-IDR use cases.

Who specifically will have access, to what information, and how will that be controlled?

What about people needing unfettered access to all of this data? For starters, it's absolutely true. When Bad Things™ are detected, at some point a human is going to have to get into the data, confirm it, and then start to look at more data to begin the response. Consider the privacy implications, though: what is to stop a person from arbitrarily looking at whatever they want, whenever they want, from this system? The truth is organizations deal with this sort of thing every day anyway. Controlling access to data is a core function of many security teams already, and it's not technology that makes these decisions. Security teams, in concert with the many and varied business units they serve, need to decide who has access to all of this data and, more importantly, regularly re-evaluate that level of access. This is a great place for a risk or privacy officer to step in and act as a check as well. I would not treat access into this system any differently than other systems. Build policy, follow it, and amend regularly.

Back to if I were running this program. I would borrow pretty heavily from successful vulnerability management exception handling processes. Let's say there's a vulnerability in your environment that you can't remediate, because a business-critical system relies on it. In this case, we would put in an exception for the vulnerability. We justify the exception with a reason, place a compensating control around it, get management sign-off, and tag an expiration date so it isn't ignored forever. Treat access into this system as an “exception,” documenting who is getting access and why, and define a period in which access will be either re-evaluated or expire, forcing the conversation again. An authority outside of security, such as a risk or privacy officer, should sign off on the process and on individual access.

Under what circumstances will this system be accessed, and what are the consequences for abusing that access?

There need to be well-defined consequences for those that violate the rules and policies set forth around a good incident detection and response system. In the same way that security shouldn't allow HR to perform witch hunts unrelated to security, the security team shouldn't go on fishing trips (only phishing and hunts). Trawls through data need to be justified, for the same reasons as in the HR case. Alienating our users hurts everyone in the long run. Reasonable people are going to disagree over what is acceptable and what is not, and may even disagree with themselves. One Rapid7 customer I spoke with talked about using an analytics tool to track down a relatively basic financial scam going on in their email system. They were clearly justified in both extracting the data and further investigating that user's activity inside the company. “In an enterprise,” they said, “I think there should be no reasonable expectation of privacy – so any privacy granted is a gift. Govern yourself accordingly.” Of course, not every organization will have this attitude.

The important thing here is to draw a distinct line for day-to-day use, and note what constitutes justification for crossing that line. That information should be documented and made readily available, not just in a policy that employees have to accept but never read. Take the time to have the conversation and engage with users. This is a great way to generate goodwill and hear out common objections before a crisis comes up, rather than in the middle of one or after. Despite the above practitioner's attitude towards privacy in an enterprise, they were torn. “I don't like someone else having the ability to look at what I'm doing, simply because they want to.” If we, the security practitioners, have a problem with this, so do our users. Let's govern ourselves accordingly.

Technology based upon data collection and analysis, like user behavior analytics, is powerful and enables security teams to quickly investigate and act on attackers. The security versus privacy battle lines often get drawn here, but that's not a new battle, and there are plenty of ways to address concerns without going to war. Restrict the use of the tools to security, track and control who has access, and make sure the user population understands the purpose and the rules that will govern the technology. A security organization that is transparent in its actions and receptive to feedback will find its work to be much easier.

Warning: This blog post contains multiple hoorays! #sorrynotsorry

Hooray for crystalware! I hit a marketer's milestone on Thursday: my first official award ceremony, courtesy of the folks at Computing Security Awards, which was held at The Cumberland Hotel in London. Staying out late on a school night when there's a 16-month-old teething toddler in the house definitely took its toll the following morning, but the tiredness was softened by the sweet knowledge that we'd left the award ceremony brandishing some crystalware. In the two categories in which Rapid7 solutions were shortlisted as finalists, SME Security Solution of the Year (Nexpose) and Best New Product of the Year (InsightIDR), we were awarded winner and runner-up respectively. What's particularly cool about the Computing Security Awards is that the majority of awards, including the two we were up for, are voted for by the general public, so receiving these accolades is very special to us. We'd like to say an absolutely massive THANK YOU to everyone who voted for our products; we are truly very grateful for your support.

Hooray for Nexpose!

Nexpose storming to the win in the SME category, a space that isn't always top of mind for some security vendors, really validates for me how well designed and engineered the product is. Our customers come in all shapes and sizes, and the maturity of their vulnerability management programs varies just as much, but Nexpose caters for all. In SMEs the concept of a dedicated security team is certainly less common. More often than not we see that IT teams have security as just one of their many disciplines, so they need a vulnerability management tool which is easy to use and allows them to quickly prioritise remediation efforts with live data that's relevant to their environment. Nexpose determines and constantly updates vulnerability risk scoring using RealRisk, scoring vulnerabilities from 1-1000 and thus removing the nightmare of having umpteen hundred “criticals” which are seemingly all equal. Liveboards (because dashboards don't actually dash; they should really be called meanderboards) provide admins with real-time data: you know at all times exactly how well you are winning at remediating. If you're reading this blog and you're thinking about implementing a new VM solution, you should download a free trial here and experience it in action for yourself.

Hooray for InsightIDR!

InsightIDR receiving an honourable mention in the Best New Product category makes Sam very happy. This product was frankly one of the main reasons I came to work for Rapid7. When I first heard of it back in March my interest was immediately sparked, as I'd never seen anything quite like it. I've worked in incident response in a previous life, and have seen a vast number of organisations really struggle to find answers when they are in the unfortunate situation of a cyberattack. Some didn't even know they'd been under attack until they received notification from a third party. Incidents would regularly go on for many days, with teams having to work around the clock under great pressure to balance business continuity and incident response, which is the juggling act from hell. More often than not, investigations and Root Cause Analysis reports would take months and months, and would frequently be lacking in details. If you can't see what's happening, you can't properly respond, and you have pretty much zero chance of taking away any solid learnings from the event. InsightIDR solves these problems by combining SIEM, EDR and UBA capabilities, which means it detects attacks early in the attack chain, finds compromised credentials, and provides a clear investigation timeline. It's truly an amazing piece of kit, and I know that every incident I ever worked on would undoubtedly have had a better outcome had InsightIDR been in place at the time. Seeing in this case will definitely result in believing; I'd heartily recommend you arrange a demo today.

Hooray for Integrated Solutions!

So before I give a shout out to the incredible people behind these two superb products, there's one further piece of good news: you can now integrate them too [PDF]!

Hooray for Moose!

Our people, our “Moose”, who design, build, test, sell, support and of course market (obvs.) these products are all the winners here. I don't use the term 'incredible' lightly either: I am privileged to have represented them at the awards ceremony, and we have an amazing team across the globe jam-packed with smart, creative, brilliant people. Our solutions are testament to the work they do; their combined knowledge solves difficult customer problems, providing insight to security professionals all over the world. Congratulations Moose, you are a bloody awesome bunch! Thanks again to everyone who voted for our solutions, and a big cheers to the folks at Computing Security who held a brilliant awards bash. We hope to see you again next year!

Demanding More from Your SIEM Tools [Webcast Summary]

Do you suffer from too many vague and un-prioritized incident alerts? What about ballooning SIEM data and deployment costs as your organization expands and ingests more data? You're not alone. Last week, over a hundred infosec folks joined us live for Demanding More out of Your SIEM.

Content Shared in the Webcast

In Gartner's Feb 2016 report, "Security Information and Event Management Architecture and Operational Processes," Anton Chuvakin and Augusto Barros recommend a "Run-Watch-Tune" model in order to achieve a "SIEM Win". For those with a Gartner subscription, check out the full report here.

While some SIEM vendors recommend 10 full-time analysts for a 24/7 SIEM deployment, at least three full-time employees should serve as the foundation of your deployment. A breakdown of core Run, Watch, and Tune responsibilities:

Run: Maintain operational status, monitor uptime, optimize application and system performance.

We recommend: Take stock of your existing network and security stack – are there more data sources you should be integrating? From talking to customers and our Incident Detection & Response research, the top gaps in SIEM integrations are:
- DHCP. This integration provides a crucial User-Asset-IP link and powers most User Behavior Analytics solutions today.
- Endpoint Data. If local authentications aren't centrally logged, attackers can laterally move between endpoints and go undetected by the SIEM. See 5 Ways Attackers can Evade a SIEM.
- Cloud Services. Leading cloud services such as Office 365, Google Apps, and Salesforce expose APIs with audit data, but many SIEMs don't take advantage of this data.

Watch: Using the SIEM for security monitoring and incident investigation.

We recommend: Today's organizations are getting way too many alerts – here's a poll taken during the webcast. Most security teams have to jump between multiple tools during investigations, are getting too many alerts, and are struggling to identify stealthy attacks, such as the use of compromised credentials and lateral movement, that don't require malware to be successful. Most organizations are alerted on unauthorized access to critical assets, but at that point, intruders are already at Mission Target in the Attack Chain. By mapping your detections to the Attack Chain, you can find intruders earlier and kick them out before data exfiltration occurs.

Tune: Customize SIEM content, create rules for specific business use-cases.

We recommend: Building queries requires specialized SIEM skills and experience manipulating large data sets, a scarce skillset that differs from incident investigation & response experience. If you've just been handed the reins to an existing SIEM deployment, it's worth the time to do a rule review. While technology like User Behavior Analytics provides robust detection for today's top attack vectors behind breaches, custom work is still necessary to meet specific business needs, such as compliance or a company-specific detection.

What I Learned from the Audience

Throughout the talk, we asked a few questions to learn from the audience. 71% currently have a SIEM, 11% don't, and 18% don't but are looking to purchase. Current satisfaction with their existing SIEM for Incident Detection and Response was across the board, with answers ranging from 4-8 on a scale of 1-10. The biggest concern was with data costs, the pricing model behind traditional SIEM solutions.

Top questions from our Q&A:

1. What is the best way to detect pass-the-hash techniques over servers?
The key data source is endpoint event logs. Only local authentication logs contain both the source and destination asset. For a full technical breakdown, check out our whitepaper: Why You Need to Detect More than Pass the Hash, with best practices on how to identify the use of compromised credentials.

2. Is there a way to see all InsightIDR integrations on your website?
Yes – to see the full list, which ranges from network events, endpoint data, existing log aggregators or SIEMs, and more, check out the Insight Platform Supported Event Sources doc here.

3. Is there an [InsightIDR] integration with Nexpose or Metasploit?
Yes! Nexpose, our vulnerability management solution, integrates with InsightIDR to provide visibility and security detection across assets and the users behind them. This provides three key benefits:
- Put a "face" to your vulnerabilities
- Automatically place vulnerable assets under greater scrutiny
- Flag users that use actively exploitable assets
Learn more about the Nexpose-InsightIDR integration here. InsightIDR also integrates with Metasploit to track the success of phishing campaigns on your users.

I Want More from My SIEM Deployment: Why InsightIDR?

InsightIDR works by integrating with your existing network and security stack, including Log Aggregators and SIEMs. The first step is unifying your technology and leveraging SIEM, UBA, and EDR capabilities to leave attackers with nowhere to hide. InsightIDR can augment or replace your existing SIEM deployment. Organizations that use InsightIDR in sync with their SIEM especially enjoy:

User Behavior Analytics: Alerts show the actual users and assets affected, not just an IP address. InsightIDR automatically correlates the millions of events generated every day to the users behind them, highlighting notable behaviors to accelerate incident validation and investigations.

Endpoint Detection & Visibility: The blend of the Insight Agent and Endpoint Scan means detection and real-time queries for critical assets and endpoints, even off the corporate network. InsightIDR focuses on detecting intruders earlier in the Attack Chain, meaning you'll be alerted on local lateral movement, privilege escalation, log deletion, and other suspicious behavior happening on your endpoints.

10x Faster Incident Investigations: The security team can bring real-time user behavior, log search, and endpoint data together in a single visual timeline. No more jumping between disparate log files, retracing user activity across multiple IPs, and requiring physical access to the endpoint to answer questions.

If you'd like to learn more, Demanding More from Your SIEM shows a live InsightIDR demo, complete with Q&A from an engaged audience. Or – contact us for a free guided demo!
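The two data-source gaps the webcast calls out, DHCP as the User-Asset-IP link and endpoint logs as the only place the source and destination asset appear together, can be seen in a few lines of correlation code. This is an added example, not Rapid7's code: all hosts, users, IPs and timestamps are constructed, and "DC-only" logging is modelled as an auth record without a destination asset, which is the point the Q&A on pass-the-hash makes.

```python
"""Added example (not Rapid7's code): building the User-Asset-IP link from
DHCP leases and showing why local (endpoint) logon logs are needed to see
both the source AND destination asset of an authentication.  Every host
name, user, IP and timestamp below is constructed for illustration."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease events: (lease time, ip, hostname).
DHCP_LEASES = [
    ("2016-09-01T08:00:00", "10.0.5.21", "WS-ALICE"),
    ("2016-09-01T08:05:00", "10.0.5.22", "WS-BOB"),
    ("2016-09-01T13:00:00", "10.0.5.21", "WS-GUEST7"),  # 10.0.5.21 re-leased
]

# Constructed domain-controller authentications: (time, user, source ip).
# Modelled as the webcast describes: who asked and from which IP, but not
# which asset they reached.
DC_AUTHS = [
    ("2016-09-01T09:10:00", "alice", "10.0.5.21"),
]

# Constructed endpoint (local) logons: (time, user, source ip, destination host).
ENDPOINT_AUTHS = [
    ("2016-09-01T09:10:00", "alice", "10.0.5.21", "WS-ALICE"),
    ("2016-09-01T09:20:00", "alice", "10.0.5.21", "FS-01"),
    ("2016-09-01T09:25:00", "alice", "10.0.5.21", "DB-02"),
    ("2016-09-01T14:00:00", "bob", "10.0.5.21", "WS-BOB"),  # after the re-lease
]


def _ts(s):
    return datetime.fromisoformat(s)


class LeaseTable:
    """Time-aware IP -> hostname lookup built from DHCP lease events.

    An IP is attributed to whichever host held the most recent lease at the
    moment of the event, so a re-leased address is not blamed on its old owner.
    """

    def __init__(self, leases):
        self.by_ip = defaultdict(list)
        for ts, ip, host in sorted(leases):  # ISO timestamps sort as text
            self.by_ip[ip].append((_ts(ts), host))

    def asset_for(self, ip, at):
        entries = self.by_ip.get(ip, [])
        times = [t for t, _ in entries]
        i = bisect_right(times, _ts(at))
        return entries[i - 1][1] if i else None


def link_events(events, leases, has_dest):
    """Resolve each auth event to (user, source asset, destination asset).

    has_dest=False models DC-only logging, where no destination is recorded.
    """
    table = LeaseTable(leases)
    linked = []
    for ev in events:
        ts, user, ip = ev[0], ev[1], ev[2]
        dest = ev[3] if has_dest else None
        linked.append((user, table.asset_for(ip, ts), dest))
    return linked


def hosts_touched(links):
    """Distinct destination assets per user other than their own source asset:
    the view that exposes lateral movement, and that DC-only logs cannot give."""
    spread = defaultdict(set)
    for user, src, dest in links:
        if dest and dest != src:
            spread[user].add(dest)
    return {u: sorted(hosts) for u, hosts in spread.items()}


if __name__ == "__main__":
    print("DC logs only:", hosts_touched(link_events(DC_AUTHS, DHCP_LEASES, False)))
    print("Endpoint logs:", hosts_touched(link_events(ENDPOINT_AUTHS, DHCP_LEASES, True)))
```

With DC-only records the lateral-spread view is empty, while the endpoint records show alice reaching FS-01 and DB-02 from WS-ALICE; bob's 14:00 logon is attributed to WS-GUEST7, not WS-ALICE, because the lease table is consulted at event time.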

Malware and Advanced Threat Protection: A User-Host-Process Model

[Editor's Note: This is a sneak peek at what Tim will be presenting at UNITED 2016 in November. Learn more and secure your pass at http://www.unitedsummit.org!]

In today's big data and data science age, you need to think outside the box when it comes to malware and advanced threat protection. For the Analytic Response team at our 24/7 SOC in Alexandria, VA, we use three levels of user behavior analytics to identify and respond to threats. The model is defined as User-Host-Process, or UHP. Using this model and its supporting datasets allows our team to quickly neutralize and protect against advanced threats with a high confidence rate.

What is the User-Host-Process Model?

The UHP model supports our incident response and SOC analysts by adding context to every finding and pinpointing anomalous behavior. At its essence, it asks three main questions:
- What users are on the network?
- What hosts are they accessing?
- What processes are users running on those hosts?

This model also includes several enrichment sources such as operating system anomalies, whitelisting and known evil to help in the decision-making process. Once these datasets are populated, the output from the model can be applied in a variety of different ways.

For example, most modern SIEM solutions alert if a user logs in from a new, foreign country IP address. If you need to validate the alert armed only with log files, you'd be hard-pressed to confirm whether the activity is malicious or benign. Our Analytic Response team uses the UHP model to automatically bring in contextual data on users, hosts, and processes to help validate the alert. Here are some artifact examples:

User Account Information: Account created, Active Directory, accessed hosts, public IPs...
Host Information: Destination host purpose, location, owner, operating system, service pack, criticality, sensitivity...
Process Information: Process name, process id, parent process id, path, hashes, arguments, children, parents, execution order, network connections...

With this supporting data, we build a profile for each user or artifact found. Circling back to our example, "user logged in from a new IP address in a foreign country", we can add this context:
- Does the user typically log in and behave in this way? (Day/time of login, process execution order, duration of login)
- How often does the user run these particular processes? (Common, unique, rare)
- How common is this user's authentication onto this system?
- How often have these processes executed on this system?

Armed with UHP model data, we have a baseline of user activity to aid in threat validation. If this user has never logged in from this remote IP, seldom logs into the destination system, and their process execution chain deviates from historical activity, we know that this alert needs further investigation.

Analyzing Malware, the UHP Way

Adhering to a UHP model means that for every executable, important metadata and artifacts are collected not only during execution, but also as a static binary. When you're able to compare binary commonality, arguments, execution frequency and other lower level attributes, you now have additional context to make nuanced decisions about suspected malware.

For example, the question "How unique is a process?" has several layers. Let's look at four:
- Process commonality on a single asset: the single host baseline.
- Process commonality at an organizational level: across all of my assets, how many are running this process?
- Process commonality at an industry/sector level: across organizations in the same vertical, how common is this process?
- Process commonality for all available datasets.

To be most effective, the User, Host, and Process model applies multiple datasets to a specific question to aid in validation. So in the event that the "U" or user dataset finds no anomalies, the next Host layer is applied. Finally, the Process layer is applied to find anomalies.

Use Case: Webshell

Rapid7 was called to assist on an Incident Response engagement involving potential unauthorized access and suspicious activity on a customer's public facing web server. The customer had deployed a system running Windows Internet Information Services (IIS) to serve static/dynamic content web pages for their clients.

We started the engagement by pulling data around the users in the environment, hosts, and real-time process executions to build up the UHP model. While in this case the User and Host models didn't detect any initial anomalies, the real-time process tracking, cross process attributes, baselines and context models were able to identify suspicious command-line execution from the parent process w3wp.exe. This process happens to be the IIS process responsible for running the webserver. Using this data, we pivoted to the weblogs, which identified the suspicious web shell being accessed from a remote IP address. From there we were able to thoroughly remediate the attack.

Summary

The Analytic Response team uses models such as UHP to help automate alert validation and add context to findings. Adding in additional datasets from external sources such as VirusTotal, NSRL and IP related tools helps infuse additional context to the alerts, increasing analyst confidence and slashing incident investigation times. For each of our Analytic Response customers, we take into account their unique user, host, and process profiles. By applying the UHP model during alert triage, hunting and incident response, we can identify and protect against advanced threats and malware in your enterprise quickly and accurately.

If you'd like to learn more about Analytic Response, check out our Service Brief [PDF]. If you need Incident Response services, we're always available: 1-844-RAPID-IR.
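The process commonality layers and the webshell case above translate directly into detection logic. The block below is an added example, not Rapid7's code or the Analytic Response tooling: the process events, the sector prevalence figures, the rarity cut-offs and the list of interpreters to watch for under w3wp.exe are all assumptions constructed for illustration.

```python
"""Added example (not Rapid7's code) of the User-Host-Process layering
described above: process commonality at single-host, organization and
sector level, and the Process-layer check from the webshell case (a command
interpreter spawned by the IIS worker process w3wp.exe).  All events,
thresholds and sector figures below are constructed for illustration."""
from collections import Counter, defaultdict

# Constructed process-execution events: (host, user, process, parent process).
ORG_EVENTS = [
    ("WEB-01", "iis_apppool", "w3wp.exe", "svchost.exe"),
    ("WEB-01", "iis_apppool", "cmd.exe", "w3wp.exe"),  # the webshell pattern
    ("WEB-01", "iis_apppool", "whoami.exe", "cmd.exe"),
    ("WS-01", "alice", "outlook.exe", "explorer.exe"),
    ("WS-01", "alice", "cmd.exe", "explorer.exe"),
    ("WS-02", "bob", "outlook.exe", "explorer.exe"),
    ("WS-03", "carol", "outlook.exe", "explorer.exe"),
    ("WS-03", "carol", "cmd.exe", "explorer.exe"),
]

# Constructed sector-level baseline (the industry/sector layer): how many of
# SECTOR_ORGS organizations in the same vertical have seen each process.
SECTOR_ORGS = 125
SECTOR_PREVALENCE = {"w3wp.exe": 40, "outlook.exe": 120, "cmd.exe": 118, "whoami.exe": 9}


def host_baseline(events, host):
    """Layer 1, single-host baseline: execution count per process on one asset."""
    return Counter(proc for h, _, proc, _ in events if h == host)


def org_commonality(events):
    """Layer 2, organization: on how many distinct hosts each process has run."""
    hosts = defaultdict(set)
    for h, _, proc, _ in events:
        hosts[proc].add(h)
    return {proc: len(hs) for proc, hs in hosts.items()}


def classify(process, events, sector=SECTOR_PREVALENCE, sector_orgs=SECTOR_ORGS):
    """Label a process 'common', 'rare' or 'unique' at org and sector level.

    The cut-offs (half the fleet, 10% of the sector) are assumptions for the
    example, not thresholds from the article.
    """
    fleet = len({h for h, *_ in events})
    on_hosts = org_commonality(events).get(process, 0)
    if on_hosts <= 1:
        org_label = "unique"
    elif on_hosts < fleet / 2:
        org_label = "rare"
    else:
        org_label = "common"
    share = sector.get(process, 0) / sector_orgs
    sector_label = "unique" if share == 0 else "rare" if share < 0.10 else "common"
    return org_label, sector_label


def interpreters_spawned_by_webserver(events, web_parents=("w3wp.exe",),
                                      shells=("cmd.exe", "powershell.exe")):
    """Layer 3, process relationships: the IIS worker process is not expected
    to be the parent of a command interpreter.  The shell list is an assumption."""
    return [e for e in events if e[3] in web_parents and e[2] in shells]


def uhp_findings(events):
    """Combine the layers for the webshell pattern: each parent/child finding is
    enriched with single-host, organization and sector commonality as context."""
    findings = []
    for host, user, proc, parent in interpreters_spawned_by_webserver(events):
        org_label, sector_label = classify(proc, events)
        findings.append({
            "host": host, "user": user, "process": proc, "parent": parent,
            "on_host": host_baseline(events, host)[proc],
            "org": org_label, "sector": sector_label,
        })
    return findings


if __name__ == "__main__":
    for finding in uhp_findings(ORG_EVENTS):
        print(finding)
```

Note that cmd.exe itself classifies as common at both the organization and sector level; what singles out the WEB-01 event is its parent, which is why the Process layer tracks parent/child attributes and not only execution frequency.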

InsightIDR & Nexpose Integrate for Total User & Asset Security Visibility

Rapid7's Incident Detection and Response and Vulnerability Management solutions, InsightIDR and Nexpose, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigations by highlighting risk across your network ecosystem without writing queries or digging through logs.

Nexpose proactively identifies & prioritizes weak points on your network, while InsightIDR helps find unknown threats with user behavior analytics, prioritizes where to look with SIEM capabilities, and combines endpoint detection and visibility to leave attackers with nowhere to hide. Let's look at three specific benefits: (1) putting a "face" to your vulnerabilities, (2) automatically placing vulnerable assets under greater scrutiny, and (3) flagging users that use actively exploitable assets.

User Context for Your Vulnerabilities

InsightIDR integrates with your existing network & security infrastructure to create a baseline of your users' activity. By correlating all activity to the users behind it, you're alerted to attacks notoriously hard to detect, such as compromised credentials and lateral movement. When InsightIDR ingests the results of your Nexpose vulnerability scans, vulnerabilities are added to each user's profile. When you search by employee name, asset, or IP address, you get a complete look at their user behavior.

How this saves you time:
- See who is affected by what vulnerability – this helps you get buy-in to remediate a vulnerability by putting a face and context on it. ("The CFO has this vulnerability on their laptop – let's prioritize remediation.")
- Have instant context on the user(s) behind an asset, so you accelerate incident investigations and can see if the attacker laterally moved beyond that endpoint.
- Proactively reduce your exposed attack surface by verifying key players are not vulnerable.

Automatic Security Detection for Critical Assets

In Nexpose, you can dynamically tag assets as critical. For example, they may be in the IP range of the DMZ or contain a particular software package/service unique to domain controllers. Combined with InsightIDR, that context extends to the users that access these assets. When InsightIDR ingests scan results, assets tagged as critical are labeled in InsightIDR as Restricted Assets. This integration helps you automatically place vulnerable assets under greater detection scrutiny.

Some examples of alerts for Restricted Assets:
- First authentication from an unfamiliar source asset: InsightIDR doesn't just alert on the IP address, but whenever possible, shows the exact users involved.
- An unauthorized user attempts to log in: This can include a contractor or compromised employee attempting to access a financial server.
- A unique or malicious process hash is run on the asset: A single Insight Agent deployed on your endpoints performs both vulnerability scanning and endpoint detection. Our vision is to reliably find intruders earlier in the attack chain, which includes identifying every process running on your endpoints. We run these process hashes against the wisdom of 50 virus scanners to identify malicious processes, as well as identify unique processes for further investigation.
- Lateral movement (both local and domain): Once inside your organization's network, intruders typically run a network scan to identify high-value assets. They then laterally move across the network, leaving behind backdoors & stealing higher privilege credentials.
- Endpoint log deletion: After compromising an asset, attackers look to delete system logs in order to hide their tracks. This is a high-confidence indicator of compromise.
- Anomalous admin activity, including privilege escalation: Once gaining access to an asset or endpoint, attackers use privilege escalation exploits to gain admin access, allowing them to dump creds or attempt pass-the-hash. We identify and alert on anomalous admin activity across your ecosystem.

Identifying Users that Use Exploitable Assets

Many Nexpose customers purchase Metasploit Pro to validate their vulnerabilities and test if assets can be actively exploited in the wild. As an extension of the critical asset functionality above, customers that own all three products can automatically tag assets that are exploited by Metasploit as critical, and thus mark these as restricted assets in InsightIDR. This ensures that assets which are easy to breach are placed under higher scrutiny until the exploitable vulnerabilities are patched.

Configuring the InsightIDR-Nexpose Integration

If you have InsightIDR & Nexpose, setting up the Event Source is easy.
1. In Nexpose, set up a Global Admin.
2. In InsightIDR, on the top right Data Collection tab -> Setup Event Source -> Add Event Source.
3. Add the information about the Nexpose Console (Server IP & Port).
4. Add the credentials of the newly created Global Admin.

And you're all set! If you have any questions, reach out to your Customer Success Manager or Support. Don't have InsightIDR and want to learn how the technology relentlessly hunts threats? Check out an on-demand 20 minute demo here.

Nathan Palanov contributed to this post.

From Crisis to Confidence in Only Hours: How Rapid7 Became Our Security Sommelier

This is a guest post by Rapid7 customer, Tom Brown. Faced with a possible data breach after customers reported malicious spam appearing to come from his company, Liberty Wines, he called in the experts.

The cyber incident came when I was on a trip to eastern Europe. Staff back at the office said our email had gone into meltdown. They claimed we were under attack – that customers were calling in to report that they were receiving emails from us with an unusual attachment, which turned out to be malicious. In just a short space of time we'd also been bombarded by a backscatter of hundreds of thousands of non-delivery receipts related to the original offending email. We had to be sure an internal breach wasn't to blame. That's when I called in the experts at Rapid7.

A bit of background: Liberty Wines is a multi-award winning UK based Wine Importer and Wholesaler headquartered in London. The Desktop Support Engineer and I have around 130 endpoints to look after – a mix of desktops, smartphones and laptops – as well as hosted email and a mix of around 30 on-premise and hosted servers. With globetrotting Sales and Buying teams logging on to the network from locations all round the world, and a heterogeneous IT estate, there's plenty to keep us busy.

I had used Rapid7 software in the past and knew of them as a leader in the security space. When I heard that they had released UserInsight [now InsightUBA] I was intrigued. I soon arranged a live demo and was so impressed with it I allocated budget to get it installed the next (this) financial year. We had previously identified a need for something to help us track user behaviour and logins but couldn't find anything suitable. Until UserInsight [now InsightUBA] was launched there really wasn't anything on the market that could easily scale from an SME like us right up to a large Enterprise deployment. The architecture of the InsightIDR system allows it to fit any size organisation while remaining at a realistic "per endpoint" cost for smaller setups like us. Anyway, the incident had brought matters forward somewhat and we rapidly purchased and installed InsightIDR to give us the visibility and tools we needed to deal with the crisis at hand. InsightIDR is an expanded version of InsightUBA; it is an integrated detection and investigation solution that leverages user behaviour and endpoint analytics to spot and contain a compromise quickly and effectively, just what we needed.

Down to business

With time of the essence, the Rapid7 team worked closely with me, across three different time zones, to resolve the issue. After using Rapid7's Quick Start service to get set up, the product began collecting and analysing data almost straightaway to provide us with the real-time intelligence it needed to spot if Liberty Wines had been breached or not. It scoured our systems looking for traversal, privilege escalation, unusual service account usage, logins from unexpected locations or devices, and so on. We also set Rapid7's vulnerability management product Nexpose to work identifying any potential security weaknesses in our systems which may have needed urgent attention.

Fortunately, InsightIDR found no suspicious user login or process activity on the network. From analysis of the spoofed email and email logs we worked out that the breach had actually come from a customer. The hackers had cloned a genuine email sent from Liberty Wines to a customer and then mass emailed it out to millions of internet users – some of whom were our customers – with the addition of a malicious JavaScript attachment. Still, the Rapid7 team reverse engineered and analysed the malware in question to double check it had not penetrated the network. It was a couple of weeks before we could say we had collected enough data to be absolutely sure that there was no suspicious activity going on internally. I have to say that without InsightIDR there is no way that we would have been able to confidently assert that our network was, and continues to be, clean. With the real-time visibility provided by Rapid7, I was also able to draw up a clear and detailed graphical timeline of events for the Liberty Wines board, and inform customers what had happened.

A lasting confidence

Rapid7 pulled out all the stops to help when the call first came through from us, and together we managed to get InsightIDR set up in a matter of hours. It's a great system. It gives you that warm feeling inside by catching any suspicious behaviour on the network months before you'd otherwise discover it. Most IT managers accept that something will get through – that there will be a hole somewhere. So it's about finding out where it is quickly and being able to take action, and that's what InsightIDR gives you. Although there was no sign of a breach, the new user and process visibility it gave us did highlight a few areas where we needed to tighten up – particularly on user account security, which was quickly actioned. It allows me to see if a user is trying to access work emails on an unsanctioned mobile device, for example, or if they're logging on from a foreign country.

We also used Rapid7 Nexpose, which highlighted a number of areas where our patching was falling short. We found plug-ins in unused browsers that were not being updated and it also resulted in us shutting down some legacy systems we had kept running for reference purposes. The risk they posed internally was greater than the need for quick access to old data. Nexpose allowed us to demonstrate this to the business. Going forward, we're embarking on a big website rebuild. We are going to make sure it's bomb-proof before going live. That's why I've already put Rapid7 pen testing into the budget for next year.

800 Million Compromised Credentials Were Exposed This Month. Were You Notified?

In our previous post on third party breaches, we talked about the risk of public compromised credential leaks providing attackers with another ingress vector. This August, InsightIDR, armed with knowledge from a partner, identified a "Very Large Credentials Dump". Very large? Over 800 million compromised credentials including usernames, passwords, and password hashes were exposed. This pool includes publicly known credential dumps as well as those where the breach source has not been disclosed, but they are available for attackers to re-purpose.

Across our hundreds of customers using InsightIDR to monitor their ecosystem:
- 177 alerts were generated across our U.S. customers
- 50 alerts were generated across our EMEA & APAC customers

Many customers have already reached out to us to learn more about the alert and, whenever possible, we can provide the exposed passwords and hashes to your team. Below is an example of the alert in InsightIDR.

By highlighting this security risk, teams can proactively reset passwords before attackers try their hand. Even better, this is only one of the many detections built into InsightIDR to help you find threats earlier in the attack chain, before intruders breach critical assets.

Related Resource: [Video] Understanding the Attack Chain to Detect Intruders

If any users are identified as at-risk, one click brings up their user page to see authentications, asset info, cloud services, and more. Today, our corporate emails not only log into network services, but also cloud services such as Office 365, Salesforce, and Box. As InsightIDR has direct API integrations with those services, you'll know about any suspicious authentications, whether from an unusual location or anomalous admin activity. By applying User Behavior Analytics to link together IP Addresses, Assets, and Users, InsightIDR detects the top attack vectors behind breaches, including phishing, compromised credentials, and malware.

I received this alert. What can I do?

For affected accounts, we recommend resetting the account password & adding the user to the InsightIDR Watchlist. If you'd like more on the credential dump, please use the in-app feedback button, which automatically opens an InsightIDR support ticket. Alternatively, feel free to email support@rapid7.com. If available, we can further share the exact passwords and hashes in the dump upon request. As an added value, if you have other company-owned domains, we can add the domain name to be monitored for future third party breaches.

I want to receive these alerts. What can I do?

Take a serious look at InsightIDR (you can see an on-demand demo here), which not only combines the best capabilities of SIEM, UBA, and EDR, but prioritizes finding intruders earlier in the attack chain, before they cause damage. See our latest webcast on how organizations are benefiting from User Behavior Analytics, or contact us for a free guided demo.

The Calm Heroes Fighting Cyber Crime

The call everyone had been waiting for came in: the shuffleboard table arrived, and was ready to be brought upstairs and constructed! The team had been hard at work all morning in the open-style office space with conference rooms and private offices along the perimeter. The Security Operations Center (SOC) with computers, many monitors and an open layout was behind a PIN activated door. The team wanted something fun in the office to do when they took a break from defending networks.

My office-mates for the week were casually dressed in jeans and either t-shirts or button downs, and they were sweating while laughing and strategizing for how to get a 20-foot shuffleboard table up two flights of stairs and into the office. About five minutes later, the shuffleboard table parts were placed in the open space in the office, and the team was back downstairs figuring out how to dispose of the wood and other protective covering that came with it. They were calm and happy—the consistent mood throughout the week even when larger puzzles arose. The next morning, the table was fully assembled and there were tests underway for how to straighten the slope.

What does a shuffleboard table have to do with my trip to Alexandria and the team I visited? The shuffleboard assembly showed me a lot about how some of the best problem solvers work together to get the job done. The team quickly, quietly, and efficiently solves problems regularly, and they have a lot of fun doing so. They work well together—they collaborate together, eat together, smoke together, and joke together. One way that they mark their success: you never heard about the incident that they solved, it's just solved—similar to how they built the shuffleboard table. One minute, there were many parts in a box that needed to be brought up the stairs and constructed. A day later, there was a shuffleboard table set up and the packaging had been recycled.

Most of the time, however, this teamwork is put to solving some of the largest, most complicated cyber security breaches and problems. Everyone on the team has a distinct role and they rely on each other to creatively problem solve. These are the crime fighters that you don't see or hear. So, how do they do it? They divide and conquer. The team is broken up into three smaller teams—there's an analytic response team, an incident response team, and a threat intelligence team. Their knowledge and collaboration enable quicker threat detection and response and a deep, unparalleled understanding of the threat landscape, user behavior, and attacker behavior. What are these three different teams and how are they not duplicative?

Analytic Response

The Analytic Response team is a group of people who work in the security operations center and continuously keep an organization's environment safe. The combination of people and technology of Analytic Response act as "detectors" in the environment. With this team monitoring, detecting, and responding to what's going on in your environment, when an incident comes up, you gain an understanding of what is happening and how serious it is. There are three tiers of analysts in the SOC, and each has a different role in detecting and responding. They make it possible to detect and respond to threats in hours instead of months. These people eat, sleep, and breathe problem solving and do so calmly and with ease. Many of these analysts have been coding and participating in hacking events since they were young and have a lot of experience spotting anomalies.

Incident Response

The Incident Response team is another subset of this larger IDR ecosystem. This group helps teams come up with proactive strategies so that they have a program. They are also the boots on the ground if there's an issue; as the team lead put it, "we're the people you don't want to see at your organization." When the Incident Response team is called in unexpectedly, it's because there's a cyber-incident that needs to be solved, immediately. They examine and make sense of the virtual crime scene.

Threat Intelligence

The Threat Intelligence team analyzes information on threats and generates intelligence that feeds both analytic and incident response and gives all of the teams situational awareness of emerging and evolving threats. Our leader of the threat intelligence practice is a former Marine Corps network warfare analyst. Threat intelligence helps defenders understand threats and their implications and speeds decision making in the most urgent situations.

The three teams that make up Rapid7's broader IDR Services all support each other and make it better for the customer. They may seem like three distinct teams, but they all come together to solve problems quickly and create a vast amount of knowledge to be used by all. The analytic response team is made more efficient by threat intelligence, and the incident response team helps customers experiencing major incidents and utilizes the work done by both teams to solve the problems. They are an integrated, fun, quirky team that calmly and easily solves problems… and they also find time for shuffleboard!

Learn more about Analytic Response here.

[Q&A] User Behavior Analytics as Easy as ABC Webcast

Earlier this week, we had a great webcast all about User Behavior Analytics (UBA). If you'd like to learn why organizations are benefiting from UBA, including how it works, top use cases, and pitfalls to avoid, along with a demo of Rapid7 InsightIDR, check out the on-demand recording, User Behavior Analytics: As Easy as ABC, or the UBA Buyer's Tool Kit. During the InsightIDR demo, which includes top SIEM, UBA, and EDR capabilities in a single solution, we had a lot of attendee questions (34!). We grouped the majority of questions into key themes, with seven Q&As listed below. Want more? Leave a comment!

1. Is [InsightIDR] a SIEM?

Yes. We call InsightIDR the SIEM you've always wanted, armed with the detection you'll always need. Built hand-in-hand with incident responders, our focus is to help you reliably find intruders earlier in the attack chain. This is accomplished by integrating with your existing network and security stack, including other log aggregators. However, unlike traditional SIEMs, we require no hardware, come prebuilt with behavior analytics and intruder traps, and monitor endpoints and cloud solutions – all without having to dedicate multiple team members to the project.

2. Is InsightIDR a cloud solution?

Yes. InsightIDR was designed to equip security teams with modern data processing without the significant overhead of managing the infrastructure. Your log data is aggregated on-premise through an Insight Collector, then securely sent to our multi-tenant analytics cloud, hosted on Amazon Web Services. More information on the Insight Platform cloud architecture.

3. Does InsightIDR assist with PCI or SOX compliance, or would I need a different Rapid7 solution?

Not with every requirement, but many, including tricky ones. As InsightIDR helps you detect and investigate attackers on your network, it can help with many unique compliance requirements. The underlying user behavior analytics will save you time retracing user activity (who had what IP?), as well as increase the efficiency of your existing stack (over the past month, which users generated the most IPS alerts?). Most notably, you can aggregate, store, and create dashboards out of your log data to solve tricky requirements like, “Track and Monitor Access to Network Resources and Cardholder Data.” More on how InsightIDR helps with PCI Compliance.

4. Is it possible to see all shadow cloud SaaS solutions used by our internal users?

Yes. InsightIDR gets visibility into cloud services in two ways: (1) direct API integrations with leading services, such as Office 365, Salesforce, and Box, and (2) analyzing Firewall, Web Proxy, and DNS traffic. Through the latter, InsightIDR will identify hundreds of cloud services, giving your team visibility into what's really happening on the network.

5. Where does InsightUBA leave off and InsightIDR begin?

InsightIDR includes everything in InsightUBA, along with major developments in three key areas:

Fully Searchable Data Set
Endpoint Interrogation and Hunting
Custom Compliance Dashboards

For a deeper breakdown, check out “What's the difference between InsightIDR & InsightUBA?”

6. Can we use InsightIDR/UBA with Nexpose?

Yes! Nexpose and InsightIDR integrate to provide visibility and security detection across assets and the users behind them. With this combination, you can see exactly which users have which vulnerabilities, putting a face and context to the vuln. If you dynamically tag assets in Nexpose as critical, such as those in the DMZ or containing a software package unique to domain controllers, those are automatically tagged in InsightIDR as restricted assets. Restricted assets in InsightIDR come with a higher level of scrutiny – you'll receive an alert for notable behavior like lateral movement, endpoint log deletion, and anomalous admin activity.

7. If endpoint devices are not joined to the domain, can the agents collect endpoint information to send to InsightIDR?

Yes. From working with our pen testers and incident response teams, we realize it's essential to have coverage for the endpoint. We suggest customers deploy the Endpoint Scan for the main network, which provides incident detection without having to deploy and manage an agent. For remote workers and critical assets not joined to the domain, our Continuous Agent is available, which provides real-time detection, endpoint interrogation, and even a built-in Intruder Trap, Honey Credentials, to detect pass-the-hash and other password attacks.

Huge thanks to everyone that attended the live or on-demand webcast – please share your thoughts below. If you want to discuss if InsightIDR is right for your organization, request a free guided demo here.
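The second approach in Q&A 4, classifying cloud services from web proxy traffic, can be illustrated with a small script. The code below is an added example and is not InsightIDR's implementation, nor a description of how the product does it internally; the proxy log format, the service catalog, the sanctioned-service list and the sample log lines are all constructed for this illustration. It parses proxy records, maps destination hosts to a SaaS service by matching domain suffixes on label boundaries (so a look-alike such as notbox.com does not match box.com), aggregates distinct users and upload volume per service, and reports the services that are in use but not on the approved list.

```python
"""Shadow-SaaS discovery from web proxy logs (added illustration).

Not InsightIDR's code. The log format, SERVICE_CATALOG, SANCTIONED and
SAMPLE_LOG are all constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed catalog: domain suffix -> SaaS service name.
# A real deployment would maintain a far larger list.
SERVICE_CATALOG: Dict[str, str] = {
    "office365.com": "Office 365",
    "office.com": "Office 365",
    "salesforce.com": "Salesforce",
    "box.com": "Box",
    "dropbox.com": "Dropbox",
    "wetransfer.com": "WeTransfer",
}

# Constructed list of services the organization has approved.
SANCTIONED: Set[str] = {"Office 365", "Salesforce", "Box"}


@dataclass(frozen=True)
class ProxyEvent:
    user: str
    host: str
    bytes_out: int


def parse_proxy_line(line: str) -> Optional[ProxyEvent]:
    """Parse one constructed record: '<ts> <user> <dst_host>:<port> <bytes_out>'.

    Blank, comment and malformed lines return None so one bad record
    does not abort the whole run.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, user, dst, size = parts
    host = dst.rsplit(":", 1)[0].lower().rstrip(".")  # strip port, normalize
    try:
        return ProxyEvent(user=user.lower(), host=host, bytes_out=int(size))
    except ValueError:
        return None


def classify_host(host: str) -> Optional[str]:
    """Map a hostname to a catalog service by trying each domain suffix.

    'outlook.office365.com' -> 'Office 365'; unknown hosts -> None.
    Suffixes are tested on label boundaries, so 'notbox.com' never
    matches 'box.com'.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        service = SERVICE_CATALOG.get(".".join(labels[i:]))
        if service is not None:
            return service
    return None


def build_shadow_it_report(lines: Iterable[str], sanctioned: Set[str]) -> Dict[str, dict]:
    """Per service: distinct users, bytes uploaded, and whether it is approved."""
    report: Dict[str, dict] = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in lines:
        ev = parse_proxy_line(line)
        if ev is None:
            continue
        service = classify_host(ev.host)
        if service is None:  # not a known cloud service; ignore
            continue
        report[service]["users"].add(ev.user)
        report[service]["bytes_out"] += ev.bytes_out
    for name, entry in report.items():
        entry["sanctioned"] = name in sanctioned
    return dict(report)


def unsanctioned_services(report: Dict[str, dict]) -> List[str]:
    """Services seen in traffic but not approved, largest upload volume first."""
    names = [n for n, e in report.items() if not e["sanctioned"]]
    return sorted(names, key=lambda n: report[n]["bytes_out"], reverse=True)


# Constructed sample proxy lines; not real traffic.
SAMPLE_LOG = """
# ts user dst_host:port bytes_out
2017-06-01T09:00:01Z alice outlook.office365.com:443 1024
2017-06-01T09:01:10Z bob app.box.com:443 2048
2017-06-01T09:02:30Z alice www.dropbox.com:443 52428800
2017-06-01T09:03:05Z carol wetransfer.com:443 10485760
2017-06-01T09:04:00Z carol notbox.com:443 512
2017-06-01T09:05:00Z dave intranet.example:80 128
malformed line here
"""

if __name__ == "__main__":
    rep = build_shadow_it_report(SAMPLE_LOG.splitlines(), SANCTIONED)
    for svc in unsanctioned_services(rep):
        e = rep[svc]
        print(f"UNSANCTIONED {svc}: users={sorted(e['users'])} bytes_out={e['bytes_out']}")
```

Run as-is, the script reports Dropbox and WeTransfer as unsanctioned with the users and upload volume behind each; Office 365 and Box are seen but approved, and the look-alike and internal hosts are ignored. The same per-service aggregation is what a DNS query log would feed if the proxy is bypassed, with the client address standing in for the user until it is resolved through authentication logs.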
