IT environments are becoming increasingly complex. Numerous endpoints, devices & applications are used within companies. Every year, the amount of data grows enormously, attacks become more sophisticated and the optimisation of IT becomes increasingly difficult. This makes it necessary to have insight into the entire network.
Best practice: SOC Visibility Triad
To always stay one step ahead of hackers, more and more security teams choose to invest in Detection & Response technology in addition to existing preventive security solutions. The purpose of such technology is to detect abnormal behaviour of endpoints, networks and users and then to respond to it (automatically). According to research agency Gartner, it is very important to combine various Threat Detection & Response solutions in order to be able to recognise and respond to potential threats at an early stage:
The Security Operation Centre (SOC) Visibility Triad consists of three essential components:
- Collect, correlate and analyse all log data of the entire IT infrastructure (SIEM) and monitor (abnormal) user behaviour (UEBA).
- Analyse all network traffic with Network Detection & Response (NDR).
- Detect processes on all endpoints and respond to abnormal behaviour or malicious processes by, for example, quarantining an individual endpoint with Endpoint Detection & Response (EDR).
These different technologies (SIEM, UEBA, NDR and EDR) and more are all contained in Rapid7 InsightIDR. Below I describe a number of important individual functions within this Detection & Response solution, but first the basics:
Always the latest Threat Intelligence with a Cloud-SIEM
InsightIDR is a cloud-native security solution. Of course, this does not mean that everything runs in the cloud, because you will also need to do something on-premises to be able to collect log data from different systems.
The picture below illustrates how this works:
The advantage of such an architecture is that the collection and encryption of log data takes place on-premises, while the correlation and analysis of the data is done in the cloud. This eliminates the need for heavy servers with lots of processing power to quickly search through log data and the need to continuously schedule software updates to have the latest threat intelligence feeds.
- InsightIDR comes standard with about 900 ready-made detection rules based on the MITRE ATT&CK Framework.
- Because InsightIDR is a cloud solution, new detection rules for new attack methods can be added in real-time by the Rapid7 Security Operations Centre (SOC) to customer InsightIDR tenants.
InsightIDR is equipped with detection rules that cover the behaviour of users, endpoints, servers, peripherals and even network traffic. Once you have connected the 3 mandatory log sources - LDAP, Active Directory and DHCP - you can easily connect all desired IT / Security systems to InsightIDR:
- User Behaviour Analytics
- Attacker Behaviour Analytics
- Endpoint Detection & Visibility
- Network Traffic Analysis
- Centralized Log Management
- Visual Investigation Timeline
- Deception Technology
- File Integrity Monitoring
Would you like to know how all these functionalities work and which advantages InsightIDR offers for your organisation? Then I or one of my colleagues would be happy to schedule a demo session with you.
You can reach me at 06-40504990 / firstname.lastname@example.org.
Rapid7 InsightIDR 3-Min Overview
Watch for a quick introduction to the capabilities of InsightIDR, Rapid7's incident detection and response solution that unifies SIEM, user behavior analytics, and endpoint detection capabilities.