Posts by Christian Kirsch

4 min Incident Detection

IDC: 70% of Successful Breaches Originate on the Endpoint

This is part 2 of a blog post series on a new IDC infographic covering new data on compromised credentials and incident detection [http://www.rapid7.com/resources/infographics/rapid7-efficient-incident-detection-investigation-saves-money.html] . Check out part 1 now [/2014/11/10/more-efficient-incident-detection-and-investigation-saves-400000-per-year-says-idc] if you missed it. Most organizations focus on their server infrastructure when thinking about security – a fact we often see in our Ne

2 min Incident Response

SANS Review of Rapid7 UserInsight (now InsightUBA) for User Behavior Analytics and Incident Response

Editor's Note - March 2016: Since this review, UserInsight has now become InsightUBA. Along with the name change comes a completely redesigned user interface, continuous endpoint detection, and another intruder trap to reliably detect attacker behavior outside of logs. We also launched InsightIDR, which combines the full power of InsightUBA with Endpoint Forensics, Machine Data Search, and Compliance Reporting into a single solution. Learn more about InsightIDR here. [https://www.rapid7.com/prod

4 min Incident Detection

When Hunting is the Right Choice for Your Security Team - and when it's not

The concept of hunting for threats is being hyped by media and vendors – creating a marketing smokescreen of confusion around what hunting is, how it works, and what value looks like when hunting is done effectively. Your security team's ability to hunt is primarily affected by the maturity of your security program, your threat profile, and your resources. Hunting is searching for malice on your network The security lifecycle can be described in a number of ways, I think a good way of describi

4 min Microsoft

From Windows to Office 365: Detecting Intruder Behavior in Microsoft Infrastructures

Microsoft infrastructures have traditionally been on-premise. This is about to change as Microsoft is getting incredible traction with Office 365 deployments. As the corporate infrastructure is changing, many security professionals are concerned about security and transparency of their new strategic cloud services and need to change their incident detection and response programs. This blog post is a quick introduction to this topic. If you're interested in more info, check out our webcast Increa

2 min

UserInsight Ranks Users by Risky Behavior

UserInsight now ranks risky users through behavioral analytics. UserInsight, the User and Entity Behavior Analytics (UEBA) solution [https://www.rapid7.com/products/userinsight/user-behavior-analytics-user-activity-monitoring.jsp] , spots user behavior such as unusual admin activity, authentications to new assets, and new user locations and highlights users that exhibit several such behaviors. The User Risk Ranking augments UserInsight's low-noise incident alerts and enables administrators to g

5 min Phishing

Get Off the Hook: 10 Phishing Countermeasures to Protect Your Organization

The Internet is full of articles on how to tell if an email is phishing, but there seems to be a lack of concise checklists on how to prepare an organization against phishing attacks, so here you go. Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bulletproof, so layering your defenses is important – and having an incident response plan [https://www.rapid7.com/services/incident-response.jsp] in case someone does get thr

2 min Malware

Hammertoss Demonstrates Need for Applying Attacker Knowledge to Behavior Analytics

A recent report on a new type of malware dubbed “Hammertoss [http://www.cnet.com/news/hammertoss-extra-sneaky-malware-acts-just-like-you/]” highlights the importance of applying knowledge of attacker methodologies to behavior analytics. As an industry, we get very fixated on the latest intruder tools. The risk here is that we can't see the forest for the trees. To effectively detect intruders, we must look at the entire attack chain and the methods attackers will always use to complete their mi

3 min Microsoft

UserInsight Integrates with Microsoft's New Office 365 API to Detect Intruders

If you are at the RSA Conference this week, you may have seen Microsoft's keynote announcing the new Office 365 Activity Feed API this morning. In case you missed it, Microsoft summarized the announcement in today's blog post [http://blogs.office.com/2015/04/21/announcing-the-new-office-365-management-activity-api-for-security-and-compliance-monitoring/] . The new Management Activity API is a RESTful API that provides an unprecedented level of visibility into all user and admin transactions with

2 min Authentication

UserInsight Detects Attacks Using Intruder Tools to Steal Credentials

Attackers will always gravitate to the cheapest and most effective way to get into a network. According to the latest Verizon Data Breach Investigations Report, compromised credentials have been the top attacker methodology for two years in a row now. Credentials enable attackers to move through the network undetected because most companies still have no way to detect them, so attackers enjoy excellent economics. UserInsight has always focused on detecting compromised credentials, but most peop

4 min Endpoints

UserInsight Detects Malicious Processes on Endpoints without Deploying an Agent

Compromised credentials and malware are the top two attacker methodologies according to the 2014 Verizon Data Breach Investigations Report. While UserInsight focuses primarily on detecting compromised credentials, a huge gap in most security programs, UserInsight now helps detect malware on endpoints in your entire organization – without having to deploy any software to the endpoints. Protect your endpoints with the wisdom of 50 virus scanners and the footprint of none UserInsight checks each p

2 min Malware

Rapid7 UserInsight Brings User Context to Palo Alto WildFire Alerts

According to the Ponemon Institute's 2014 Industry Report, 74% of security professionals claim incident investigation solutions lack integration with existing security products. UserInsight, our intruder analytics solution, now integrates with Palo Alto WildFire to provide user context and investigative tools to their advanced malware alerts. What does user context mean? For incident alerts, monitoring solutions often provide the IP addresses or assets affected. However, as users connect to the

3 min Higher Education

New Rapid7 Higher Education Program Supports Universities Around the World With Free Licenses, Trainings, and Certifications

40% of security positions will remain unfilled in 2014, according to a recent study by the Ponemon Institute [http://www.hp.com/hpinfo/newsroom/press_kits/2014/RSAConference2014/Ponemon_IT_Security_Jobs_Report.pdf] . The inability to find skilled staff to grow security programs remains one of the key challenges for the industry. By contrast, criminal hacking teams seem to be fully staffed. We've all seen the outcome of this inequality in the high profile breaches of 2014. Universities are doin

2 min Networking

Securing DevOps: Monitoring Development Access to Production Environments

A big factor in securing a DevOps environment is that engineers should not have access to the production environment. This is especially true if the production environment contains sensitive data, such as payment card data, protected health information, or personally identifiable information, because compromised engineering credentials could expose sensitive data and lead to a breach. While this requirement is a security best practice and has found its way into many compliance regulations, it can

3 min Cloud Infrastructure

Securing the Shadow IT: How to Enable Secure Cloud Services for Your Business

You may fear that cloud services jeopardize your organization's security. Yet, your business relies on cloud services to increase its productivity. Introducing a policy to forbid these cloud services may not be a viable option. The better option is to get visibility into your shadow IT and to enable your business to use it securely to increase productivity and keep up with the market. Step one: Find out which cloud services your organization is using First, you'll want to figure out what is act

3 min Incident Detection

Detecting Compromised Amazon Web Services (AWS) Accounts

As you move more of your critical assets to Amazon Web Services (AWS), you'll need to ensure that only authorized users have access. Three out of four breaches use compromised credentials, yet many companies struggle to detect their use. UserInsight enables organizations to detect compromised credentials, from the endpoint to the cloud. Through its AWS integration, Rapid7 UserInsight monitors all administrator access to Amazon Web Services, so you can detect compromised credentials before they t