Posts by Christian Kirsch

4 min Incident Detection

IDC: 70% of Successful Breaches Originate on the Endpoint

This is part 2 of a blog post series on a new IDC infographic covering new data on compromised credentials and incident detection. Check out part 1 now [/2014/11/10/more-efficient-incident-detection-and-investigation-saves-400000-per-year-says-idc] if you missed it. Most organizations focus on their server infrastructure when thinking about security – a fact we often see in our Ne

2 min Incident Response

SANS Review of Rapid7 UserInsight (now InsightUBA) for User Behavior Analytics and Incident Response

Editor's Note - March 2016: Since this review, UserInsight has now become InsightUBA. Along with the name change comes a completely redesigned user interface, continuous endpoint detection, and another intruder trap to reliably detect attacker behavior outside of logs. We also launched InsightIDR, which combines the full power of InsightUBA with Endpoint Forensics, Machine Data Search, and Compliance Reporting into a single solution. Learn more about InsightIDR here. [

4 min Incident Detection

When Hunting is the Right Choice for Your Security Team - and when it's not

The concept of hunting for threats is being hyped by media and vendors – creating a marketing smokescreen of confusion around what hunting is, how it works, and what value looks like when hunting is done effectively. Your security team's ability to hunt is primarily affected by the maturity of your security program, your threat profile, and your resources. Hunting is searching for malice on your network The security lifecycle can be described in a number of ways, I think a good way of describi

2 min

UserInsight Ranks Users by Risky Behavior

UserInsight now ranks risky users through behavioral analytics. UserInsight, the User and Entity Behavior Analytics (UEBA) solution, spots user behavior such as unusual admin activity, authentications to new assets, and new user locations and highlights users that exhibit several such behaviors. The User Risk Ranking augments UserInsight's low-noise incident alerts and enables administrators to g
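The ranking idea in that teaser (score a user by how many distinct risky behaviors co-occur, not by raw alert volume) is easy to show against a learned baseline. The following is an added illustration, not UserInsight code; the events, the per-user baseline and the field names are constructed for the example.

```python
"""Rank users by the number of distinct risky behaviours they exhibit.

Added illustration, not UserInsight code. Baseline and events are
constructed sample data; the field names are assumptions.
"""
from collections import defaultdict

# Constructed baseline: per user, the assets and countries seen during a
# learning window, and whether the account normally performs admin actions.
BASELINE = {
    "alice": {"assets": {"ws-alice", "fileserver"}, "countries": {"US"}, "admin": False},
    "bob":   {"assets": {"ws-bob", "dc01"},         "countries": {"US"}, "admin": True},
    "carol": {"assets": {"ws-carol"},               "countries": {"DE"}, "admin": False},
}

# Constructed authentication / admin events (assumed field names).
EVENTS = [
    {"user": "alice", "asset": "ws-alice",   "country": "US", "admin": False},
    {"user": "alice", "asset": "dc01",       "country": "US", "admin": True},   # new asset + admin
    {"user": "alice", "asset": "fileserver", "country": "RU", "admin": False},  # new country
    {"user": "bob",   "asset": "dc01",       "country": "US", "admin": True},   # normal for bob
    {"user": "carol", "asset": "ws-carol",   "country": "FR", "admin": False},  # new country only
]


def classify(event, baseline):
    """Return the set of risky-behaviour labels a single event triggers."""
    b = baseline.get(event["user"])
    if b is None:
        return {"unknown_user"}          # never seen in the learning window
    labels = set()
    if event["asset"] not in b["assets"]:
        labels.add("new_asset")
    if event["country"] not in b["countries"]:
        labels.add("new_location")
    if event["admin"] and not b["admin"]:
        labels.add("unusual_admin")
    return labels


def rank_users(events, baseline=BASELINE):
    """Collect each user's distinct risky behaviours and rank by how many
    different ones co-occur; one oddity ranks below several, and a user
    whose events all match the baseline ranks last with an empty list."""
    behaviours = defaultdict(set)
    for ev in events:
        behaviours[ev["user"]] |= classify(ev, baseline)
    return sorted(
        ((user, sorted(labels)) for user, labels in behaviours.items()),
        key=lambda item: (-len(item[1]), item[0]),
    )


if __name__ == "__main__":
    for user, labels in rank_users(EVENTS):
        print(f"{user:6} {len(labels)} {', '.join(labels) or '-'}")
```

Ranking by the count of distinct behavior types rather than by event count is the point: a user who logs on to a hundred familiar assets generates no signal, while one new asset plus one admin action plus one new country moves a user to the top of the list.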

5 min Phishing

Get Off the Hook: 10 Phishing Countermeasures to Protect Your Organization

The Internet is full of articles on how to tell if an email is phishing, but there seems to be a lack of concise checklists on how to prepare an organization against phishing attacks, so here you go. Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bulletproof, so layering your defenses is important – and having an incident response plan [

3 min Microsoft

UserInsight Integrates with Microsoft's New Office 365 API to Detect Intruders

If you are at the RSA Conference this week, you may have seen Microsoft's keynote announcing the new Office 365 Activity Feed API this morning. In case you missed it, Microsoft summarized the announcement in a blog post. The new Management Activity API is a RESTful API that provides an unprecedented level of visibility into all user and admin transactions within Office 365. Rapid7 got early access to this technology through Microsoft's Technology Adoption Program and is one of the first companies

2 min Authentication

UserInsight Detects Attacks Using Intruder Tools to Steal Credentials

Attackers will always gravitate to the cheapest and most effective way to get into a network. According to the latest Verizon Data Breach Investigations Report, compromised credentials have been the top attacker methodology for two years in a row now. Credentials enable attackers to move through the network undetected because most companies still have no way to detect their use, so attackers enjoy excellent economics. UserInsight has always focused on detecting compromised credentials, but most peop

4 min Endpoint Security

UserInsight Detects Malicious Processes on Endpoints without Deploying an Agent

Compromised credentials and malware are the top two attacker methodologies according to the 2014 Verizon Data Breach Investigations Report. While UserInsight focuses primarily on detecting compromised credentials, a huge gap in most security programs, UserInsight now helps detect malware on endpoints in your entire organization – without having to deploy any software to the endpoints. Protect your endpoints with the wisdom of 50 virus scanners and the footprint of none UserInsight checks each p

2 min Malware

Rapid7 UserInsight Brings User Context to Palo Alto WildFire Alerts

According to the Ponemon Institute's 2014 Industry Report, 74% of security professionals claim incident investigation solutions lack integration with existing security products. UserInsight, our intruder analytics solution, now integrates with Palo Alto WildFire to provide user context and investigative tools to their advanced malware alerts. What does user context mean? For incident alerts, monitoring solutions often provide the IP addresses or assets affected. However, as users connect to the

2 min Networking

Securing DevOps: Monitoring Development Access to Production Environments

A big factor in securing a DevOps environment is that engineers should not have access to the production environment. This is especially true if the production environment contains sensitive data, such as payment card data, protected health information, or personally identifiable information, because compromised engineering credentials could expose sensitive data and lead to a breach. While this requirement is a security best practice and has found its way into many compliance regulations, it can

3 min Cloud Infrastructure

Securing the Shadow IT: How to Enable Secure Cloud Services for Your Business

You may fear that cloud services jeopardize your organization's security. Yet, your business relies on cloud services to increase its productivity. Introducing a policy to forbid these cloud services may not be a viable option. The better option is to get visibility into your shadow IT and to enable your business to use it securely to increase productivity and keep up with the market. Step one: Find out which cloud services your organization is using First, you'll want to figure out what is act

3 min Incident Detection

Detecting Compromised Amazon Web Services (AWS) Accounts

As you move more of your critical assets to Amazon Web Services (AWS), you'll need to ensure that only authorized users have access. Three out of four breaches use compromised credentials, yet many companies struggle to detect their use. UserInsight enables organizations to detect compromised credentials, from the endpoint to the cloud. Through its AWS integration, Rapid7 UserInsight monitors all administrator access to Amazon Web Services, so you can detect compromised credentials before they t
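What "monitoring administrator access to AWS" looks like in practice is reading the account's CloudTrail records and flagging the events an intruder with stolen credentials would generate. The block below is an added illustration, not Rapid7's integration: the records are constructed samples in the CloudTrail record format (field names such as `userIdentity.type`, `additionalEventData.MFAUsed` and `responseElements.ConsoleLogin` are real CloudTrail fields), while the set of privilege-changing IAM event names to alert on is this example's own choice.

```python
"""Flag high-risk administrator activity in AWS CloudTrail records.

Added illustration, not Rapid7's integration. The records are constructed
samples in the CloudTrail record format; PRIVILEGE_EVENTS is an assumed
alert list, not an AWS-defined one.
"""
import json

# IAM calls that grant or extend access; treat as admin activity worth review.
PRIVILEGE_EVENTS = {
    "CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
    "AddUserToGroup", "AttachRolePolicy", "UpdateAssumeRolePolicy",
    "CreateLoginProfile",
}

# Constructed CloudTrail records, abridged to the fields used here.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-11-12T09:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2014-11-12T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2014-11-12T09:06:30Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2014-11-12T09:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin"}},
]})


def actor(record):
    """Human-readable principal; root identities carry no userName in CloudTrail."""
    ident = record.get("userIdentity", {})
    return "root" if ident.get("type") == "Root" else ident.get("userName", "?")


def findings_for(record):
    """Return the list of (rule, detail) findings one record triggers."""
    out = []
    name = record.get("eventName")
    ident = record.get("userIdentity", {})
    if ident.get("type") == "Root":
        out.append(("root_account_use", name))
    if name == "ConsoleLogin":
        success = record.get("responseElements", {}).get("ConsoleLogin") == "Success"
        mfa = record.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if success and not mfa:
            out.append(("console_login_without_mfa", record.get("sourceIPAddress")))
    if record.get("eventSource") == "iam.amazonaws.com" and name in PRIVILEGE_EVENTS:
        target = record.get("requestParameters", {}).get("userName")
        out.append(("privilege_change", f"{name} on {target}"))
    return out


def scan(log_text):
    """Parse a CloudTrail log file and return findings keyed by actor."""
    findings = {}
    for rec in json.loads(log_text).get("Records", []):
        for rule, detail in findings_for(rec):
            findings.setdefault(actor(rec), []).append((rec["eventTime"], rule, detail))
    return findings


if __name__ == "__main__":
    for who, items in scan(SAMPLE_LOG).items():
        for when, rule, detail in items:
            print(f"{when} {who:10} {rule:26} {detail}")
```

Three of the four sample records produce no finding for the ordinary `DescribeInstances` call and the MFA-backed login, while the root console login without MFA and the access key minted for another user are surfaced. Real CloudTrail delivery is gzipped JSON in S3 with the same `Records` array, so the `scan` function applies unchanged once the file is decompressed.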

3 min Incident Detection

More Efficient Incident Detection and Investigation Saves $400,000 per Year, Says IDC

IDC just published an infographic on how credentials are abused by cyber criminals. These are interesting and important statistics:

* 80% of companies will suffer at least one successful attack causing serious harm that requires remediation
* 33% will not be able to prevent over half of the attacks

These stats explain why many security experts are advising companies to shift their security spending to detection mechanisms instead of relying too heavily on prevention. Measuring incident c

3 min Incident Detection

UserInsight Speeds Investigations with New Interactive Incident Timeline

Rapid7 UserInsight features a new interactive incident timeline, which enables you to quickly understand the context of an incident, determine what happened, and prioritize the appropriate response. With the new capabilities, incident responders can identify indicators of compromise and map a possible attack by correlating events such as authentications, IPS alerts, and vulnerabilities across users, assets and IP addresses. UserInsight is the only user behavior analytics solution [https://www.ra

3 min Antivirus

UserInsight's New User Statistics Provide Great Visibility for Incident Responders

Nate Silver made statistics sexy, and we're riding that wave. But seriously, breaking down some of the more noisy alerts on the network by users and showing you spikes can really help you detect and investigate unusual activity. That's why we've built a new UserInsight feature that shows you anti-virus alerts, vulnerabilities, firewall activity, IDS/IPS alerts, and authentications by users that show the most activity and enable you to dig in deeper by filtering by user. You can get to the new st