Posts by Matt Hathaway

2 min SIEM

Rapid7 Excels at Advanced Analytics and User Monitoring in Gartner's 2017 SIEM Critical Capabilities Report

If you’re looking for a SIEM solution [https://www.rapid7.com/solutions/siem/], chances are you’ve at least heard of the Gartner Magic Quadrant for Security Information and Event Management (SIEM) [https://www.rapid7.com/info/gartner-2017-magic-quadrant-critical-capabilities-siem/]. But what about its companion guide, the Critical Capabilities report? Still yes, probably. If you want to understand the various features and integrations your peers need in a SIEM tool [https://www.rapid7.com/funda

5 min SIEM

SIEM Market Evolution And The Future of SIEM Tools

There’s a lot to be learned by watching a market like SIEM adapt as technology evolves, both for the attackers and the analysis.

4 min SIEM

Displace SIEM "Rules" Built for Machines with Custom Alerts Built For Humans

If you've ever been irritated with endpoint detection being a black box and SIEM [https://www.rapid7.com/solutions/siem.jsp?CS=blog] detection putting the entire onus on you, don't think you had unreasonable expectations; we have all wondered why solutions were only built at such extremes. As software has evolved and our base expectations with it, a lot more people have started to wonder why it requires so many hours of training just to make solutions do what they are designed to do. Defining a

6 min InsightIDR

Analytics By Any Other Name: New InsightIDR Detections Released

New detections have been introduced regularly since we first started developing our Incident Detection and Response (IDR) solutions [https://www.rapid7.com/solutions/incident-detection/?CS=blog] four years ago. In fact, as of today, we have a collection of more than 50 of these running across customer data. But what does that mean? And what are the very latest detections to help your security program? Vendors have fancy names for what is under the covers of their tools: “machine learning,” “adva

4 min Malware

Attackers Take Advantage Of The Options You Give Them - Malware vs. Credentials

When InsightIDR was purpose-built to detect compromised credentials in the first months of 2014, we did so because we identified a significant gap in detection solutions currently available to security teams. The 2014 Verizon DBIR just happened to subsequently quantify the size of this gap (and it has repeated in 2015 and 2016). User behavior analytics, as an industry, emerged to cover this gap in SIEM and other solutions. This does not mean that malware is not heavily used in attacks today, but

4 min InsightIDR

Underestimating Attackers Gives Them an Advantage

All too often, the media reaction to data breaches is to tout the incredible sophistication of responsible parties, as if it is a shock that technological developments have made these events increasingly easier. There are some very key areas in which we need to stop underestimating the average attacker's abilities if we are going to slow down the growth of massive breaches and detect intruders more effectively. The term 'APT' distracts organizations from rational concerns When people first star

5 min SIEM

Why Flexible Analytics Solutions Can Help Your Incident Response Team

I happen to despise buzzwords, so it has been challenging for me to use the term "big data security analytics" in a sentence, mostly because I find it to be a technical description of the solutions in this space, rather than an indicator of the value they provide. However, since we build products based on the security problems we identify, I want to explain how those technologies can be used to target some highly pervasive incident response challenges. Detection and investigation problems conti

5 min Detection and Response

You Need To Understand Lateral Movement To Detect More Attacks

Thanks to well-structured industry reports like the annual Verizon DBIR, Kaspersky "Carbanak APT" report, and annual "M-Trends" from FireEye, the realities of modern attacks are reaching a much broader audience. While a great deal of successful breaches were not the work of particularly sophisticated attackers, these reports make it very clear that the techniques once only known to espionage groups are now mainstream. Lateral movement technologies have crossed the chasm I have written before ab

4 min Incident Detection

Attackers Love When You Stop Watching Your Endpoints, Even For A Minute

One of the plagues of the incident detection space is the bias of functional fixedness. The accepted thought is that your monitoring is only effective for systems that are within the perimeter and communicating directly with the domain controller. And, the logic continues, when they are away from this trusted realm, your assets are protected only by the preventive software running on them. Given the continuous rise of remote workers (telecommuting rose 79 percent from 2005 to 2012), it's now tim

5 min Log Management

If You Work In Operations, Your Security Team Needs The Logs, Too

This post is the final in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the previous six, click one [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], two [/2015/10/29/whether-or-not-siem-died-the-problems-remain], three [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter], four [/2015/11/11/making-sure-search-is-not-your-incident-response-bottleneck], five [/2015/11/19/siems-dont-detect-attacks-a

4 min Incident Response

Even With 80% Automation For Detection, You Need to Ease the 20% Human Diligence

This post is the penultimate in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first five, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], here [/2015/10/29/whether-or-not-siem-died-the-problems-remain], here [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter], here [/2015/11/11/making-sure-search-is-not-your-incident-response-bottleneck], and here [/2015/11/19/siems-dont-detect-a

5 min Incident Response

Making Sure Search Is Not Your Incident Response Bottleneck

This post is the fourth in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first three, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], here [/2015/10/29/whether-or-not-siem-died-the-problems-remain], and here [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter]. Nearly a year ago, I likened the incident handling process to continuous flow manufacturing [/2014/12/12/attackers-prey

4 min Incident Response

Investigating An Incident Doesn't End At The Perimeter

This post is the third in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first two, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations] and here [/2015/10/29/whether-or-not-siem-died-the-problems-remain]. In the second blog of this series [/2015/10/29/whether-or-not-siem-died-the-problems-remain], I touched on the need for solutions more flexible than the traditional SIEM architecture focused prima

5 min SIEM

Whether or Not SIEM Died, the Problems Remain

This post is the second in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the previous, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations]. Various security vendors have made very public declarations claiming everything from “SIEM is dead” to asking if it has merely “lost its magic.” Whatever your stance on SIEM, what's important to recognize is that while technologies may fail to solve a problem, thi

4 min Incident Response

Search Will Always Be A Part of Incident Investigations

This post is the first in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. Strong data analytics have recently enabled security teams to simplify and speed incident detection and investigation, but at some point of every incident investigation, a search through machine data is nearly always necessary to answer a one-time question before the investigation can be closed. Whether your incident response team is just trying to combat the flood of