Rapid 7

Detect Threats. Respond with Confidence.

IT environments are becoming increasingly complex. Numerous endpoints, devices & applications are used within companies. Every year, the amount of data grows enormously, attacks become more sophisticated and the optimisation of IT becomes increasingly difficult. This makes it necessary to have insight into the entire network.

Rapid7 

Preventive security solutions such as endpoint security, firewalls, spam filters and multi-factor authentication are essential for every organisation in order to keep hackers at bay. But once you have dozens or hundreds of (security) systems, how do you maintain an overview? The most common answer to this question is: with a SIEM. SIEM (Security Information Event and Management) solutions are designed to collect, correlate and analyse log data from all kinds of systems so that all events within the IT environment can be monitored from one central system. This makes it possible to detect remarkable behaviour of systems (or of user accounts) so that an early stage can be discovered if someone tries to infiltrate the company network and/or to exfiltrate data.

So a SIEM is actually a must-have for any serious organisation, but the problem is often that the purchase and implementation as well as the management of such a solution is too complex and expensive. Until now. Actually, SIEM is not quite the right name, otherwise the product would probably have been called InsightSIEM or something similar. Because where VM in InsightVM logically stands for Vulnerability Management, IDR in InsightIDR stands for Incident Detection & Response.

Best practice: SOC Visibility Triad

To always stay one step ahead of hackers, more and more security teams choose to invest in Detection & Response technology in addition to existing preventive security solutions. The purpose of such technology is to detect abnormal behaviour of endpoints, networks and users and then to respond to it (automatically). According to research agency Gartner, it is very important to combine various Threat Detection & Response solutions in order to be able to recognise and respond to potential threats at an early stage: 

The Security Operation Centre (SOC) Visibility Triad consists of three essential components:

  • Collect, correlate and analyse all log data of the entire IT infrastructure (SIEM) and monitor (abnormal) user behaviour (UEBA).
  • Analyse all network traffic with Network Detection & Response (NDR).
  • Detect processes on all endpoints and respond to abnormal behaviour or malicious processes by, for example, quarantining an individual endpoint with Endpoint Detection & Response (EDR).

These different technologies (SIEM, UEBA, NDR and EDR) and more are all contained in Rapid7 InsightIDR. Below I describe a number of important individual functions within this Detection & Response solution, but first the basics: 

Always the latest Threat Intelligence with a Cloud-SIEM.

InsightIDR is a cloud-native security solution. Of course, this does not mean that everything runs in the cloud, because you will also need to do something on-premises to be able to collect log data from different systems.

The picture below illustrates how this works:

The advantage of such an architecture is that the collection and encryption of log data takes place on-premises, while the correlation and analysis of the data is done in the cloud. This eliminates the need for heavy servers with lots of processing power to quickly search through log data and the need to continuously schedule software updates to have the latest threat intelligence feeds.
One of the biggest challenges in most SIEM implementations is writing detection rules: after you have connected various systems to your SIEM and ensured that all log data is collected in one central location, how does the SIEM make sense of the incoming log data? With traditional SIEM solutions, use cases or detection rules need to be written for each event. InsightIDR does this differently. 

  1. InsightIDR comes standard with about 900 ready-made detection rules based on the MITRE ATT&CK Framework. 
  2. Because InsightIDR is a cloud solution, new detection rules for new attack methods can be added in real-time by the Rapid7 Security Operations Centre (SOC) to customer InsightIDR tenants.

InsightIDR is equipped with detection rules that cover the behaviour of users, endpoints, servers, peripherals and even network traffic. Once you have connected the 3 mandatory log sources - LDAP, Active Directory and DHCP - you can easily connect all desired IT / Security systems to InsightIDR:

The initial implementation of InsightIDR, including linking all available log sources, takes no more than a few days for most customers.
This is extremely fast compared to other SIEM implementations, which often take several months. Once all log sources are linked to InsightIDR, customers immediately get value from all the features this security solution has to offer, including:

  • User Behaviour Analytics
  • Attacker Behaviour Analytics:
  • Endpoint Detection & Visibility
  • Network Traffic Analysis
  • Centralized Log Management
  • Visual Investigation Timeline
  • Deception Technology
  • File Integrity Monitoring
  • Automation

Would you like to know how all these functionalities work and which advantages InsightIDR offers for your organisation? Then I or one of my colleagues would be happy to schedule a demo session with you.

You can reach me at 06-40504990 / erik.plenter@infinigate.nl. 

Rapid7 InsightIDR 3-Min Overview

Watch for a quick introduction to the capabilities of InsightIDR, Rapid7's incident detection and response solution that unifies SIEM, user behavior analytics, and endpoint detection capabilities.

For more information, please contact us

 
sales@infinigate.be
Contact now