Posts by Matt Hathaway

5 min Incident Response

Noise Canceling Security: Extract More Value From IPS/IDS, Firewalls, and Anti-Virus

Based on a common pain and your positive feedback on last month's blog post entitled "Don't Be Noisy" [/2016/05/02/alert-fatigue-incident-response-teams-stop-listening-to-monitoring-solutions/] , we have started significantly expanding the scope of our noise reduction efforts. Rather than reinvent the great technology that intrusion detection/prevention systems (IDS/IPS), firewalls, and anti-virus products offer, we are aiming to provide an understanding of the massive amounts of data produced b

2 min Phishing

Dogfooding at Rapid7: How UserInsight Saved Us from Getting Phished

A lot of companies talk about how they "eat their own dogfood." For those of you unfamiliar with the colloquialism, it means that they use their own products to validate both value and quality. This is a much easier thing to do in high technology than at, well, a dog food manufacturer. I feel that I may have breezed over the fact when I mentioned in a previous UserInsight blog that we test out the noise of an alert by enabling it at Rapid7 (among other ways) before pushing it to our customer bas

2 min Metasploit

Detecting the Use of Stolen Passwords

Rarely in life will software vendors let you in on some of their secret sauce. Rapid7 obviously believes in information sharing and the open source community, so in that same vein, the UserInsight team decided to write a guide to gathering the right data to fully understand how stolen passwords are being (mis)used in your organization. The result is a Technical Paper called "Why You Need to Detect More Than

3 min Authentication

Find the Shared Credentials That Make Security Sad

No matter what risk framework or security standards you hold most dear, I know for sure that you consider users sharing accounts to be a violation of the common sense that is the necessary foundation of any security awareness training. When the UserInsight team set out to identify evasive attacker behaviors like "account impersonation" and "local credential testing" (that I covered in a blog you can read here [/2014/08/19/lateral-movement-not-just-for-t3h-1337-h4x02]), one of the most important

2 min Incident Response

Single Pane of Glass Series: FireEye Threat Analytics Platform (TAP)

As UserInsight grows and we look to add value to more incident response teams that have already chosen the solution that serves as their "single pane of glass", this series will update you on the integrations we build to share valuable context with those solutions. The Solution While FireEye and Mandiant were separately disrupting the security industry, they obtained a great deal of threat intelligence and indicators of compromise along the way. The FireEye Threat Analytics Platform (TAP for sh

4 min Incident Response

Involve Us to Spend More Time Investigating Incidents

There is an ongoing discussion about the active feedback loop that all software vendors need to have with their customers. When we are showing a demo of UserInsight to incident response teams, I commonly hear a skeptical question: "Our environment is unlike any other I have seen. How much of the feature set that you show here can we expect to get?" Here's the thing: Every organization's network is unique. It's this complexity and uniqueness that makes securing an organization so incredibly difficult and al

2 min Honeypots

Like Playing with Honeypots? Stop Playing, Start Using

Honeypots are machines whose only purpose is to entrap attackers who scan or even break into them. Honeypots are very powerful for detecting incidents because every interaction with them is illegitimate by definition: honeypots host no legitimate data or services, so there is no reason for a regular user to ever touch them. However, honeypots come with one major drawback: a great many security professionals have told me that they built a honeypot, played around with it, and eventually
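The detection logic the paragraph describes has no conditions: any connection to a honeypot is an alert, and the useful work is recording who made it and what they sent. The following is an added example, not code from the post or from Rapid7, of a minimal multi-port TCP honeypot in Python plus the alerting and per-source roll-up a responder would want. The port list, the alert field names and the helper names are assumptions chosen for illustration.

```python
"""Minimal TCP honeypot: every connection is an alert, because nothing legitimate
should ever talk to this host. Added illustration, not the post's own code."""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed listening ports: common targets for scanning and credential testing.
DEFAULT_PORTS = (22, 445, 3389)


@dataclass
class Interaction:
    ts: str
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: bytes


def to_alert(i: Interaction) -> dict:
    """No matching rule is needed: the honeypot was touched, so this is an alert.
    The value is in preserving the source and the first bytes of the probe."""
    return {
        "severity": "high",
        "summary": f"honeypot touched on tcp/{i.dst_port} by {i.src_ip}:{i.src_port}",
        "timestamp": i.ts,
        "source_ip": i.src_ip,
        "destination_port": i.dst_port,
        "banner_or_probe": i.first_bytes[:64].hex(),
    }


def distinct_sources(interactions) -> dict:
    """Collapse a port sweep into one count per source so a scanner shows up as
    a single noisy host rather than hundreds of separate alerts."""
    counts: dict = {}
    for i in interactions:
        counts[i.src_ip] = counts.get(i.src_ip, 0) + 1
    return counts


class _Handler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(256)   # grab a banner or probe if one is sent
        except (socket.timeout, OSError):
            data = b""
        src_ip, src_port = self.client_address[:2]
        self.server.sink.append(Interaction(
            datetime.now(timezone.utc).isoformat(), src_ip, src_port,
            self.server.server_address[1], data))


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, sink):
        super().__init__(addr, _Handler)
        self.sink = sink   # shared list that collects Interaction records


def start(ports=DEFAULT_PORTS, bind="0.0.0.0", sink=None):
    """Start one listener per port in a background thread; return (servers, sink)."""
    sink = [] if sink is None else sink
    servers = []
    for p in ports:
        s = Honeypot((bind, p), sink)
        threading.Thread(target=s.serve_forever, daemon=True).start()
        servers.append(s)
    return servers, sink


def probe(host, port, payload=b""):
    """Constructed traffic for exercising the listener locally."""
    with socket.create_connection((host, port), timeout=2.0) as c:
        if payload:
            c.sendall(payload)


def wait_for(sink, count, timeout=3.0):
    """Poll until the sink holds `count` records or the timeout passes."""
    deadline = time.time() + timeout
    while len(sink) < count and time.time() < deadline:
        time.sleep(0.05)
    return len(sink) >= count


if __name__ == "__main__":
    servers, sink = start()   # binding the low ports above requires privileges
    while True:
        time.sleep(5)
        for ev in sink:
            print(to_alert(ev))
        print("sources:", distinct_sources(sink))
        sink.clear()
```

Run it as root (or with CAP_NET_BIND_SERVICE) on a host that hosts nothing else, and feed the alerts into whatever your incident response team already watches; the per-source roll-up is what keeps a single scanner from drowning that queue.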

5 min Events

Walking the Black Hat Conference Floor - 2014 Edition

Alright. I am back in, and mostly adjusted to, my regular time zone again, so let's review what I saw on this year's Black Hat "Business Hall". As I mention every 6 months or so (Black Hat 2013 [/2013/08/07/black-hat-conference-floor] and RSA Conference 2014 [/2014/03/03/walking-the-rsa-conference-floor-a-working-title]), I always try to find time at industry events to walk around the conference floor and talk to the vendors that are new (to me, at least). While I love catching up with the funn

4 min Events

Walking the RSA Conference Floor

Greetings from balmy Boston! I hope that everyone's return from the RSA Conference was smoother than mine. As I mentioned in my blog post [/2013/08/07/black-hat-conference-floor] about last year's Black Hat floor, I always reserve some of my time at industry events to visit other vendors' booths. It is exciting to see the emerging technologies on the outskirts of the exhibit hall and get a feel for how approaches and trends are starting to change in light of perceived shortcomings of the securi

2 min Authentication

Adobe breach - worse than Target?

Even though the Target breach announced last week is the second largest credit card breach ever, I would argue that its immediate effect on your organization is probably small. In fact, the recent Adobe breach probably had a much bigger direct impact on other organizations than the Target breach. Why? It's all about passwords. And no - this is not a blog about the extremely low complexity found in

2 min

Send the Attackers Elsewhere

I often see security vendors offering a way to "Stop APTs!" and "Eliminate Targeted Attacks!", and I know that organizations successfully use these solutions to reduce the number of attacks that get onto their network. But maybe it is the skeptic in me that has a hard time believing that any solution could ever single-handedly deliver on these promises and make your defenses bulletproof. Due to this heightened sense of never expecting people to deliver on their promises, I want to blog ab

1 min

Tying it Back to a Chair: The Impersonal Nature of Network Traffic

Security teams have a great many tools at their disposal: vulnerability scanning, penetration testing, anti-malware software, intrusion prevention systems, security information and event management... the list goes on. However, every time a security event is discovered at an organization, management asks 3 questions: 1. What happened? 2. When? 3. Who? And among all of these solutions, the one consistent question that frequently goes unanswered is "who?" Not as in "which asset?" and you are so cl

1 min Cloud Infrastructure

Introducing Rapid7 UserInsight!

Hello SecurityStreet, When we announced UserInsight at our UNITED summit, it was more of a preview. We were still in Beta at the time. Now however? It is available for everyone! UserInsight was developed under the internal codename of Razor. Why? It was named after Ockham's razor, whose principle we all remember Jodie Foster paraphrasing in "Contact" as "All things being equal, the simplest explanation tends to be the right one." This overarching goal of simplicity was alw

1 min Social Engineering

The Threat Within: RiskRater User Risk Report

Last week, we released the third of three reports from our RiskRater research. The first two reports focused on mobile devices and endpoint devices. The latest report is centered around the risks posed by the one thing that no organization can operate without: Users. With the amount of protections in place at the perimeter, attackers have shifted much of the

1 min User Experience

Flatten the Learning Curve

"Enterprise products have always worked this way. Our users are familiar with it." -- I am drawing from memory, so I would not dare say that is an exact quote, but I have had various software professionals say it to me as recently as a year ago. It really bothered me to hear someone so comfortable with the status quo when there was absolutely no reason for it. I understand that their requirements, like user management and administrator roles, will live on, and with good reason. Still, buil