Posts by Christian Kirsch

3 min Endpoint Security

IDC: 70% of Successful Breaches Originate on the Endpoint

Most organizations focus on their server infrastructure when thinking about security – a fact we often see in our Nexpose [https://www.rapid7.com/products/nexpose/] user base where many companies only scan their servers. However, IDC finds that 70% of successful breaches originate on the endpoint. This does not necessarily imply insider threats, it is rather a sign that phishing is prevalent, cheap, and surprisingly effective in compromising machines. Given this compelling data, I strongly urge

1 min Incident Response

SANS Review of Rapid7 UserInsight (now InsightUBA) for User Behavior Analytics and Incident Response

Editor's Note - March 2016: Since this review, UserInsight has now become InsightUBA. Along with the name change comes a completely redesigned user interface, continuous endpoint detection, and another intruder trap to reliably detect attacker behavior outside of logs. We also launched InsightIDR, which combines the full power of InsightUBA with Endpoint Forensics, Machine Data Search, and Compliance Reporting into a single solution. User behavior analytics (UBA) is a new space that is still un

2 min

UserInsight Ranks Users by Risky Behavior

UserInsight now ranks risky users through behavioral analytics. UserInsight, the User and Entity Behavior Analytics (UEBA) solution [https://www.rapid7.com/products/userinsight/user-behavior-analytics-user-activity-monitoring.jsp] , spots user behavior such as unusual admin activity, authentications to new assets, and new user locations and highlights users that exhibit several such behaviors. The User Risk Ranking augments UserInsight's low-noise incident alerts and enables administrators to g

5 min Phishing

10 Phishing Countermeasures to Protect Your Organization

The Internet is full of articles for how to tell if an email is phishing but there seems to be a lack of concise checklists how to prepare an organization against phishing attacks [https://www.rapid7.com/fundamentals/phishing-attacks/] , so here you go. Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bullet proof, so layering your defenses is important – and having an incident response plan in case someone does get th

3 min Cloud Infrastructure

Securing the Shadow IT: How to Enable Secure Cloud Services for Your Business

You may fear that cloud services jeopardize your organization's security. Yet, your business relies on cloud services to increase its productivity. Introducing a policy to forbid these cloud services may not be a viable option. The better option is to get visibility into your shadow IT [https://www.rapid7.com/fundamentals/shadow-it/] and to enable your business to use it securely to increase productivity and keep up with the market. Step one: Find out which cloud services your organization is u

3 min User Behavior Analytics

Detecting Compromised Amazon Web Services (AWS) Accounts

As you move more of your critical assets to Amazon Web Services (AWS), you'll need to ensure that only authorized users have access. Three out of four breaches use compromised credentials, yet many companies struggle to detect their use. UserInsight enables organizations to detect compromised credentials, from the endpoint to the cloud. Through its AWS integration, Rapid7 UserInsight monitors all administrator access to Amazon Web Services, so you can detect compromised credentials before they

2 min Incident Detection

UserInsight Integrates with LogRhythm SIEM to Accelerate Incident Detection and Response

Rapid7 UserInsight finds the attacks you're missing by detecting and investigating indications of compromised users from the endpoint to the cloud. UserInsight [http://www.rapid7.com/products/user-insight/] now integrates with LogRhythm, a leading Gartner-rated SIEMs in the industry. If you have already integrated all of your data sources with LogRhythm, you can now configure UserInsight to consume its data through LogRhythm, significantly simplifying your UserInsight deployment. UserInsight

2 min Authentication

Protect Your Service Accounts: Detecting Service Accounts Authenticating from a New Host

IT professionals set up service accounts to enable automated processes, such as backup services and network scans. In UserInsight, we can give you quick visibility into service accounts by detecting which accounts do not have password expiration enabled. Many UserInsight subscribers love this simple feature, which is available the instant they have integrated their LDAP directory with UserInsight. In addition, UserInsight has several new ways to detect compromised service accounts. To do their

2 min SIEM

Get HP ArcSight Alerts on Compromised Credentials, Phishing Attacks and Suspicious Behavior

If you're using HP ArcSight ESM as your SIEM, you can now add user-based incident detection and response to your bag of tricks. Rapid7 is releasing a new integration between Rapid7 UserInsight [http://www.rapid7.com/products/user-insight/] and HP ArcSight ESM [http://www8.hp.com/us/en/software-solutions/arcsight-esm-enterprise-security-management/] , which enables you to detect, investigate and respond to security threats targeting a company's users more quickly and effectively. HP ArcSight is

2 min Vulnerability Disclosure

UserInsight Gets the All-Clear for ShellShock and Helps Detect Attackers on Your Network

If you're in security, you've likely already heard about the ShellShock vulnerability [http://www.rapid7.com/resources/bashbug.jsp] (aka Bash Bug, CVE-2014-6271, and CVE-204-7169). We have reviewed how ShellShock is being exploited, and the disclosed vectors are not applicable to our UserInsight deployment, yet we're following the security community's lead around patching all of our systems. In case other systems on your network have been compromised, you should be extra vigilant about suspicio

2 min Metasploit

Feedback on Rapid7's Tech Preview Process and Metasploit Pro 4.10

By guest blogger Sean Duffy, IS Team Lead, TriNet Rapid7 invited me to participate in pre-release testing of Metasploit 4.10, a process they call Tech Preview. They asked me to openly share my thoughts with the community. Preparation and Logistics I always enjoy working with Rapid7. Preparatory meetings and documentation made the installation and testing process a breeze. Rapid7 was also kind enough to extend my testing and feedback sessions when work so rudely intruded on the fun. Zero comp

4 min Metasploit

Hunting for Credentials: How Metasploit Pro Beat Me on the Command Line

By guest blogger Robert Jones, Information Security Manager, City of Corpus Christi I had the opportunity to participate in a tech preview of Metasploit Pro's new credentials features. In our shop, we use Metasploit Pro, Nexpose, UserInsight and ControlsInsight, all by Rapid7. I certainly wish I could spend the majority of my time pentesting, but instead I often times I find myself using Metasploit to educate users by showing them how I can compromise their machines. It is incredibly compelli

2 min Metasploit

Metasploit Pro's New Credentials Features Save Us Time in Workflows

By guest blogger Dustin Heywood, Manager, Security Assurance, ATB Financial Recently I was invited to participate in Metasploit Pro's Tech Preview Program, where customers are given early access to new product releases.  I've taken part in this program before and I have always loved the experience. For those of you who haven't been involved in a Rapid7 Tech Preview program: It starts out with a call with the customer engagement manager and the product management team, who gave me an overview

2 min Metasploit

Hacker's Dome: An Online Capture-the-Flag (CTF) Competition on May 17

Many folks ask me how you can get started as a penetration tester. Save for a real-life penetration test, capture-the-flag (CTF) competitions are probably the most effective ways for you to hone your offensive security skills. What's best: they're a ton of fun, even for experienced pentesters. The folks over at CTF365.com [http://www.ctf365.com/] have put together a one-off CTF called Hacker's Dome, which will start on May 17th and run for 48 hours, so save the date. Hacker's Dome - First Bloo

4 min Metasploit

Security Advisory: OpenSSL Heartbleed Vulnerability (CVE-2014-0160) in Metasploit (Updated 4/11/14 2:20pm EDT)

Metasploit 4.9.0 and earlier vulnerable to Heartbleed, update 4.9.1 addresses critical cases The Metasploit editions Metasploit Pro, Metasploit Express, and Metasploit Community in versions 4.9.0 or earlier are vulnerable to the OpenSSL Heartbleed Vulnerability (CVE-2014-0160). Please update to version 4.9.1 to remediate critical vulnerabilities. See below for remediation instructions. Metasploit Framework itself is not affected, but it has dependencies on other components that may need to be u