UserInsight: Find The Attackers You're Missing
Detect and investigate compromised credentials and other security incidents
- Detect intruders quickly, before an incident turns into a breach
- See all lateral movement without an endpoint agent, identifying common attacks without overhead
- Discern unwanted use of critical systems, protecting your most valuable assets
- Use honeypots to detect illegitimate network scans, catching attackers early as they map out the network
- Flag credentials compromised in third-party breaches, reducing the risk from credential reuse
- Contain serious incidents faster by linking assets and incidents to users
- Track the attacker’s movement within the network, identifying all users involved in an incident
- Identify the impact of an incident
- Instantly search through months or years of security data
- Plan containment and streamline communication
- Reduce the impact of phishing attacks through quick and easy investigation
- Identify assets with known vulnerabilities during your investigation
- Visualize user behavior at a glance to identify risks and policy violations
- Monitor privileged and risky accounts to eliminate key attacker targets
- Discover and monitor cloud services to ensure users aren’t putting data at risk
- Identify mobile devices in use to spot stolen or vulnerable devices
Effectively detect compromised credentials and other security incidents
Stopping the attacker requires more than hardened perimeter defenses. Based on Rapid7's understanding of attack methodologies, UserInsight detects attacks on defenses and enables you to identify and contain attackers who get in.
Detect the attacker's entry
Getting a user's credentials through phishing, third-party breaches or old-fashioned brute-force guessing remains surprisingly simple. UserInsight detects common patterns such as dictionary attacks, but it also builds a baseline of user behavior so it can tell when users are accessing the network from an unusual location, touching critical assets they haven't used before, or trying to access the network from two locations simultaneously. With this combination of rules and analysis, you can spot the attacker with high accuracy.
See all lateral movement without an endpoint agent
Once inside the network, attackers will look for privileged accounts and try to move laterally. Spotting these attack patterns requires monitoring the endpoint, which used to require an agent. UserInsight provides agentless endpoint inspection that detects lateral movement and privilege escalation, so you can identify and eliminate attacks that are hard to detect, such as pass-the-hash operations.
Endpoint monitoring also enables UserInsight to flag rare or unique processes as potential indications of malware.
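The rare-process idea above can be demonstrated with a small prevalence check over a process inventory. The block below is an added example written for this page, not UserInsight code; the hosts, image names and shortened hashes are constructed, and the "at most one host" threshold is an assumption chosen for illustration. It flags two things: binaries present on very few hosts in the fleet, and well-known process names that resolve to more than one distinct binary hash (the same name, a different file).

```python
"""Rare-process flagging by fleet prevalence (added example, not UserInsight code).

A binary that runs on one host out of many, or a well-known process name backed by
a hash no other host has, is worth a look. The inventory below is constructed and
the hashes are shortened placeholders, not real digests.
"""
from collections import defaultdict

PROCESS_EVENTS = [
    # (host, image name, hash of the image on disk)
    ("ws01", "explorer.exe", "aaa1"), ("ws01", "outlook.exe", "bbb2"), ("ws01", "svchost.exe", "ccc3"),
    ("ws02", "explorer.exe", "aaa1"), ("ws02", "outlook.exe", "bbb2"), ("ws02", "svchost.exe", "ccc3"),
    ("ws03", "explorer.exe", "aaa1"), ("ws03", "outlook.exe", "bbb2"), ("ws03", "svchost.exe", "ccc3"),
    ("ws04", "explorer.exe", "aaa1"), ("ws04", "outlook.exe", "bbb2"), ("ws04", "svchost.exe", "ccc3"),
    ("ws05", "explorer.exe", "aaa1"), ("ws05", "outlook.exe", "bbb2"), ("ws05", "svchost.exe", "ddd4"),
    ("ws05", "updater.exe", "eee5"),   # a binary no other host runs
]


def prevalence(events):
    """Map (name, hash) -> set of hosts the binary was observed on."""
    hosts_by_binary = defaultdict(set)
    for host, name, digest in events:
        hosts_by_binary[(name, digest)].add(host)
    return hosts_by_binary


def rare_processes(events, max_hosts=1):
    """Binaries seen on at most max_hosts distinct hosts, as (name, hash, hosts, fleet size)."""
    fleet = {host for host, _, _ in events}
    rows = [(name, digest, len(hosts), len(fleet))
            for (name, digest), hosts in prevalence(events).items()
            if len(hosts) <= max_hosts]
    return sorted(rows, key=lambda r: (r[2], r[0]))


def name_hash_conflicts(events):
    """Process names that resolve to more than one distinct binary across the fleet."""
    hashes_by_name = defaultdict(set)
    for _, name, digest in events:
        hashes_by_name[name].add(digest)
    return sorted(name for name, hashes in hashes_by_name.items() if len(hashes) > 1)


if __name__ == "__main__":
    for row in rare_processes(PROCESS_EVENTS):
        print("rare binary:", row)
    for name in name_hash_conflicts(PROCESS_EVENTS):
        print("name backed by several binaries:", name)
```

In a real fleet the hash would be the full file digest and the threshold would be expressed as a fraction of the fleet rather than a host count; the second check is the one that catches a familiar name being used to hide an unfamiliar file.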
Discern unwanted use of critical systems
Key applications exist inside and outside of your firewall. UserInsight makes it easy to monitor user activity on common enterprise cloud applications such as Google Apps, Salesforce, Box and Okta without installing a reverse proxy or other agent. Armed with this visibility, you can detect attacks such as a user connecting to your VPN from Boston while that user's Google Apps account is accessed from Eastern Europe.
Changes in access patterns to on-premises applications can also indicate an attack in progress. UserInsight monitors access to key applications such as SQL Server and Confluence to secure corporate data and prevent attackers from exfiltrating your most valuable information.
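The detections described under "Detect the attacker's entry" (dictionary attacks, a login from a location the user has never used, two simultaneous locations) and the VPN-in-Boston, cloud-app-from-Eastern-Europe case above all reduce to rules and a per-user baseline applied to login events from every source. The block below is an added example written for this page, not UserInsight code. The events, the baseline of known cities, the failure threshold and the maximum plausible travel speed are all constructed assumptions; the city used for the "Eastern Europe" login is Kyiv.

```python
"""Rule-plus-baseline checks over login events (added example, not UserInsight code).

Three checks: a dictionary-attack burst, a login from a city the user has never
been seen from, and two logins no single person could have made (VPN in Boston,
cloud application from Eastern Europe minutes later). Events, baseline and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

FIELDS = ("ts", "user", "source", "city", "lat", "lon", "outcome")
RAW_EVENTS = [
    ("2014-10-01T08:00:00", "alice", "vpn",   "Boston", 42.36,  -71.06, "success"),
    ("2014-10-01T08:05:00", "alice", "gapps", "Boston", 42.36,  -71.06, "success"),
    ("2014-10-01T08:20:00", "alice", "gapps", "Kyiv",   50.45,   30.52, "success"),
    ("2014-10-01T09:03:00", "bob",   "vpn",   "Denver", 39.74, -104.99, "success"),
    ("2014-10-01T10:00:00", "carol", "vpn",   "Austin", 30.27,  -97.74, "success"),
] + [  # bob: 30 failed VPN logins inside 30 seconds, followed by the success above
    (f"2014-10-01T09:00:{s:02d}", "bob", "vpn", "Denver", 39.74, -104.99, "failure")
    for s in range(30)
]
EVENTS = [
    dict(zip(FIELDS, (datetime.strptime(r[0], "%Y-%m-%dT%H:%M:%S"),) + r[1:]))
    for r in RAW_EVENTS
]

# Cities each user has previously logged in from (constructed baseline)
BASELINE = {"alice": {"Boston"}, "bob": {"Denver"}, "carol": {"Austin"}}

FAIL_THRESHOLD = 10                 # this many failures inside FAIL_WINDOW is a burst
FAIL_WINDOW = timedelta(minutes=5)
MAX_KMH = 900.0                     # roughly airliner speed; faster implies two actors
MIN_KM = 50.0                       # ignore geolocation jitter inside one metro area


def detect_dictionary_attacks(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return (user, kind) alerts: a failure burst, and a success right after one."""
    alerts = []
    recent = defaultdict(list)      # user -> failure timestamps still inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        fails = recent[e["user"]]
        fails[:] = [t for t in fails if e["ts"] - t <= window]   # drop stale failures
        if e["outcome"] == "failure":
            fails.append(e["ts"])
            if len(fails) == threshold:                           # fire once per burst
                alerts.append((e["user"], "failure_burst"))
        elif len(fails) >= threshold:
            alerts.append((e["user"], "success_after_burst"))
            fails.clear()
    return alerts


def detect_new_locations(events, baseline):
    """Return (user, city) for each successful login from a city outside the user's baseline."""
    seen = {u: set(c) for u, c in baseline.items()}    # copy so the baseline is not mutated
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "success":
            continue
        cities = seen.setdefault(e["user"], set())
        if e["city"] not in cities:
            alerts.append((e["user"], e["city"]))
            cities.add(e["city"])       # alert once; later logins from there are baseline
    return alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Return (user, src1, city1, src2, city2, km/h) for consecutive logins nobody could make.

    Logins from every source (VPN, cloud applications) are compared per user; that is what
    links the VPN session in Boston to the cloud login from Eastern Europe. A zero time gap
    over a real distance means two simultaneous sessions and is reported as infinite speed.
    """
    alerts = []
    last = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] != "success":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if km >= min_km and speed > max_kmh:
                alerts.append((e["user"], prev["source"], prev["city"],
                               e["source"], e["city"], round(speed)))
        last[e["user"]] = e
    return alerts


if __name__ == "__main__":
    for alert in (detect_dictionary_attacks(EVENTS) + detect_new_locations(EVENTS, BASELINE)
                  + detect_impossible_travel(EVENTS)):
        print(alert)
```

On the constructed events this reports a failure burst and a success-after-burst for bob, a first-ever login from Kyiv for alice, and an impossible-travel alert for alice between the Boston and Kyiv cloud logins. The distance floor matters in practice: IP geolocation places the same office in slightly different spots from one lookup to the next, and without it every short gap between two nearby logins becomes a false alarm.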
Use honeypots to detect network scans
Once attackers gain access to the environment, they need to scan the network to identify additional targets. Security teams can deploy a honeypot to detect and alert on scans, but honeypots have traditionally been hard to deploy and maintain. UserInsight's integrated honeypot detects and alerts on network scans so you can stop intruders on the network as they're taking their first steps.
Identify credentials compromised in third-party breaches
Most users have a small set of passwords that they reuse across a large number of sites. By identifying credentials that may have been compromised in public, third-party breaches, such as the Adobe or LinkedIn breaches, and alerting the security team about them, UserInsight makes it harder for attackers to reuse credentials to gain a first foothold in the environment.
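The page describes the capability but not its mechanism. As an added example, not UserInsight code, the block below shows two checks a defender can run locally: matching corporate addresses against records from published breach dumps, and testing whether a password appears in a breached-password corpus by hash prefix, so the full hash never leaves the caller (the range-query pattern used by public breached-password services). The breach records, user list and password corpus are constructed; the five-character prefix length is an assumption taken from that pattern.

```python
"""Checks for credentials exposed in third-party breaches (added example, not UserInsight code).

Breach records, corporate users and the breached-password corpus below are
constructed, not real data. SHA-1 is used only because public breached-password
corpora are distributed that way; it is not a recommendation for storing live passwords.
"""
import hashlib
from collections import defaultdict

BREACH_RECORDS = [                         # (breach name, address exposed in it)
    ("ExampleBreach2012", "bob@example.com"),
    ("ExampleBreach2013", "Alice@Example.com"),
    ("ExampleBreach2013", "someone@other.example"),
]
CORPORATE_USERS = {
    "alice": "alice@example.com",
    "bob": "bob@example.com",
    "carol": "carol@example.com",
}


def sha1_hex(password):
    """Upper-case hex SHA-1 of a password, the form the corpus is keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Breached-password corpus kept only as digests (constructed sample values)
BREACHED_HASHES = {sha1_hex(p) for p in ("Password1", "letmein", "qwerty123")}

PREFIX_LEN = 5


def range_lookup(prefix):
    """Stand-in for a range query: every suffix in the corpus whose digest starts with prefix.

    Only the prefix is sent to the corpus; the caller compares suffixes itself, so the
    service never learns which full hash (and hence which password) was being checked.
    """
    return {h[PREFIX_LEN:] for h in BREACHED_HASHES if h.startswith(prefix)}


def password_is_breached(password):
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in range_lookup(digest[:PREFIX_LEN])


def users_in_breaches(users, records):
    """Map corporate user -> breaches exposing that user's address (case-insensitive match)."""
    by_email = defaultdict(list)
    for breach, email in records:
        by_email[email.lower()].append(breach)
    return {user: by_email[addr.lower()]
            for user, addr in users.items() if addr.lower() in by_email}


if __name__ == "__main__":
    for user, breaches in users_in_breaches(CORPORATE_USERS, BREACH_RECORDS).items():
        print(f"{user}: address seen in {', '.join(breaches)}")
    print("Password1 breached:", password_is_breached("Password1"))
```

A user whose address appears in a breach is a candidate for a forced password change and for closer monitoring of the login checks described earlier, since the attacker may already hold a password that user reused.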
For more information about detecting and eliminating attacks targeted at users, download our free whitepaper "The Kill Chain: From Compromising User Credentials to Exfiltrating Data".
"We want to emphasize what the user is doing versus what a device is doing. We like UserInsight's unique point of focus on the user."
– Marketing company
Investigate incidents quickly
UserInsight significantly reduces incident investigation time from hours to minutes by eliminating the need to correlate logs from various IT and security systems. Investigate and respond to alerts by linking incidents to users, gaining insight into the underlying user behavior and recognizing other users taking similar actions.
Contain incidents by linking activity to users
One of the key challenges of containing any incident is identifying all of the users involved and whether their behavior has changed since the incident. UserInsight enables you to associate users, assets and activity, giving you a quick answer to the question: "Who took this action?"
Track the attacker's movement within the network
Attack response involves following the attacker through the network to identify any assets they've touched and other users whom they may have compromised. UserInsight's user graph lets you graphically follow which assets a user accesses and highlights critical assets and attempts to elevate privileges. Armed with this information, teams can greatly accelerate incident response and identify other users who may have been involved.
Identify the impact of an incident
UserInsight's interactive incident timeline greatly reduces research time by providing instant access to all user activities and asset details. UserInsight is the only user behavior analytics solution to provide investigative capabilities for user activity on the network, endpoints, mobile devices, and in the cloud. Incident responders can quickly sift through events in a graphical interface, accelerating investigations and getting to the data they need in seconds.
Instantly search through months or years of security data
Most organizations using SIEM or log management solutions can only afford to keep data in searchable storage for 30 days. Investigating incidents that reach further back in time often requires loading data from tape archives, which can considerably slow down an incident investigation. UserInsight's interactive incident timeline can search data back to the first day of its deployment, serving up insights in seconds. Because UserInsight is built on secure cloud storage, keeping data searchable long-term incurs no additional storage or maintenance cost for subscribers.
Plan containment and streamline communication
UserInsight is the only user behavior analytics solution that enables information security professionals to effortlessly map incident investigation findings on an interactive timeline as they sift through data. The final report helps information security professionals clearly and quickly communicate incident context and impact to others involved in the containment and remediation process.
Reduce the impact of phishing attacks
Phishing is one of the most dangerous – and effective – forms of attack. The 2014 Verizon Data Breach Investigations Report showed that phishing was the third most common attack vector in 2014 and that 18% of users will click the link in a phishing email. Once a user has fallen for a phishing attack, you need to be able to identify other users who may have fallen for the same phish and use that information to respond to the incident. UserInsight integrates an Exchange Transport Agent to identify the other impacted users and helps to detect variants of the same phishing attack.
Identify vulnerable assets and users
UserInsight integrates vulnerability data from Nexpose to show you which users have vulnerabilities on their assets, which makes attacks on those users more likely to succeed. Armed with this information, you can prioritize incident response.
"Thanks to UserInsight, we can immediately answer the question, 'Sally got terminated yesterday. What did she do before she got terminated?'"
– Public R&D company
Discover risky or unexpected user behavior
Security teams struggle to maintain a comprehensive view of their environment, particularly when so much activity is happening outside the firewall on cloud services and mobile devices. UserInsight makes sense of your security data so you can really see what’s going on and identify what's unusual.
Visualize user behavior at a glance
Security teams have a variety of data logs but lack simple insight into user behaviors and policy violations. UserInsight provides an easy-to-explore visual layout that simplifies the discovery of risky user behavior and policy violations.
Monitor privileged and risky accounts
Attackers use privileged, disabled, and machine accounts for their movement within the network. Keeping a close eye on these accounts is a key security practice. UserInsight provides insight into these accounts and enables the discovery of risks, such as accounts with unnecessary privileges and user accounts with non-expiring passwords.
Discover and monitor cloud services
Visibility from UserInsight extends from the endpoint to the cloud. See what cloud services are in use and establish tight monitoring of key corporate-supplied cloud services including Amazon Web Services, Google Apps, Okta and Box. Many cloud monitoring solutions require reverse proxies or custom configuration to understand how users are employing corporate-supplied cloud services. UserInsight leverages available logging information within cloud services instead, providing visibility without any overhead.
Identify mobile devices in use
More than 80% of organizations support some form of BYOD, yet few organizations have effective tools to monitor user activity or spot device risk such as out-of-date or vulnerable operating systems. UserInsight ties mobile devices to a user so you can see who is using the most devices, the most vulnerable devices, or devices from the most geographically dispersed locations.