Neil Johnson, security manager at UK-based financial organization Evercore, needed a security information and event management (SIEM) solution that could get a handle on user behavior and provide a robust log search for data analysis. Johnson turned to InsightIDR, Rapid7’s incident detection and response solution, and paired it with Nexpose, Rapid7’s on-premise vulnerability management solution, in order to meet those needs. In this Q&A, Johnson discusses how his security program has evolved from the partnership.
Who are you and what do you do?
Johnson: I’m Neil Johnson, security manager at Evercore. As a financial organization, security is paramount. We deal with some very confidential information, potentially altering things like the stock markets, so we have to have a paramount level of security to protect all that data.
Tell us about your security team and program.
Johnson: We are a smaller security team, so Rapid7 products are good for us because they allow ease of use very quickly, especially to get things set up. One or two people can sit there and manage the entire suite.
What Rapid7 products are you using?
Johnson: We have InsightIDR and the Nexpose vulnerability management solution.
What brought you to Rapid7?
Johnson: I was familiar with Rapid7 from previous roles when dealing with Nexpose. And then we had an opportunity to look at a SIEM tool and InsightIDR popped up. I believe I spun it up in two days and was gathering information, much to the surprise of a few of the technical people.
And then we brought in Nexpose, because I knew InsightIDR had the capability to ingest the Nexpose scan results. We did have an existing vulnerability management solution that was managed by a third party, but it wasn't meeting our requirements. I installed Nexpose to get it feeding into InsightIDR, and I showcased the combination to management. My manager was blown away.
What specific capabilities were you looking for in InsightIDR?
Johnson: One of the drivers behind getting InsightIDR was the ability to alert on users logging in from anomalous or multiple locations. The head of IT was very keen on that side of things, and I wanted better user monitoring and to ensure that employee credentials weren’t compromised. In one case, we could see activity like people leaving their iPad at home when traveling, triggering a multiple-country alert.
The log search was another primary driver for me personally to get the InsightIDR solution. I'm a technical security person, and I want to see raw logs, analyze data, and know what's going on. The ability to throw pretty much every log at InsightIDR and then have the ability to search and view in real-time is something that was a primary driver for purchase.
How do the solutions enable your small team to be more efficient?
Johnson: From an InsightIDR point of view, it enables us to hand off alerts directly to our service desk. We've done a lot of training, not just with the rest of IT, but with management as well, to show what the solutions do, what the alerts are, and how to deal with them, which works quite well. We throw that information straight in to create a ticket. We were able to get some very high-profile alerts directly into the service desk and get them to quickly take action. InsightIDR is at the forefront of our alerting program to get these things dealt with.
With Nexpose, we use dynamic asset lists to categorize systems into infrastructure networks, desktops, and things like that so we can specifically target areas of systems on the network. There are people outside of security that have access to [Nexpose] that have the ability to view system reports and run scans against their own assets. As a small security team, we have to have this support from the infrastructure team.
How have you leveraged the advanced capabilities of InsightIDR?
Johnson: With InsightIDR, we don't just throw the standard logs at it; I actually throw a lot of raw logs at it to have everything in one place. Combining Active Directory logs with remote logs, Outlook Web Access, and more gives us a more complete picture. Then, we write customizable alerts. We have quite a few custom alerts coming through for things specific to our environment, such as monitoring groups—people getting added to and removed from them. We took the standard capabilities of InsightIDR and have progressed and advanced them to fit our needs.
How would you describe the partnership between Evercore and Rapid7?
Johnson: The partnership with Rapid7 is really great. We have a lot of back and forth around our products, as well as new products coming in that we're looking to use to bolster our security suites. At some point we'll probably have every Rapid7 product available. I get to meet up with the team at various other conferences as well, and have been invited to infosec shows and things like that. And I've talked on the stand, so I like to think that I'm liked by Rapid7 as much as we like them.