Last updated at Tue, 09 Jan 2024 21:40:01 GMT

Editor's Note - March 2016: Since this review, UserInsight has now become InsightUBA. Along with the name change comes a completely redesigned user interface, continuous endpoint detection, and another intruder trap to reliably detect attacker behavior outside of logs. We also launched InsightIDR, which combines the full power of InsightUBA with Endpoint Forensics, Machine Data Search, and Compliance Reporting into a single solution.

User behavior analytics (UBA) is a new space that is still unfamiliar to most security professionals. In this review, Jerry Shenk, Senior Analyst at the SANS Institute, does a thorough analysis of UserInsight, Rapid7's user behavior analytics and incident response solution.

Compromised credentials are a leading cause in 3 out of 4 breaches, yet most organizations don't yet have a way to detect them. This is a topic UserInsight and other behavior analytics solutions address head-on by detecting compromised domain credentials. However, a common attacker methodology is to use a pass-the-hash attack on local credentials to move laterally across the network. This is why UserInsight gives unique visibility into the endpoints through an agentless scanning technology, enabling security professionals to detect compromised local credentials as well.

Here's what Jerry Shenk, Senior Analyst at the SANS Institute, thought about UserInsight:

“No security tool is capable of doing it all, but UserInsight does fill a big blind spot in many organizations by prioritizing the discovery of user-credential misuse. UserInsight shows good promise of becoming a valuable part of a network's security management portfolio. We found UserInsight to be useful for identifying compromised user accounts, providing alerts and enhancing visibility into the traffic and endpoint-related indicators of compromise.”

Through the Metasploit Project, its penetration testing services, and HD Moore's Rapid7 Labs, Rapid7 has a unique insight into how attackers compromise organizations. One of the first steps attackers will take is to scan a network, for example by using nmap, to identify their attack surface. They may also try out short or commonly used passwords on several logins, so-called brute force or dictionary attacks. UserInsight can deploy honeypots on the network and honey users in the directory service to detect both network scans and password brute forcing. Shenk tried out honeypots, and here's what he had to say:
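The two detections described above (a decoy "honey user" that no legitimate user should ever authenticate as, and a burst of failed logons against many accounts from a single source) can be illustrated with a small log-analysis script. The following is an added example written for this post, not UserInsight's own code; the log format, the account names, the source addresses and the decoy name `svc_backup_decoy` are all constructed for illustration.

```python
"""Honey-user and password-brute-force detection over authentication log lines.

Added example, not part of UserInsight. Models the two detections the post
describes: any touch of a decoy directory account is an alert on its own,
and many failed logons against distinct accounts from one source in a short
window indicates a brute force or dictionary attack.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified, hypothetical syslog-like format.
SAMPLE_LOG = """\
2024-01-09T10:00:01 auth src=10.0.0.5 user=alice result=success
2024-01-09T10:00:05 auth src=10.0.0.5 user=alice result=success
2024-01-09T10:01:00 auth src=10.0.0.77 user=alice result=failure
2024-01-09T10:01:01 auth src=10.0.0.77 user=bob result=failure
2024-01-09T10:01:02 auth src=10.0.0.77 user=carol result=failure
2024-01-09T10:01:03 auth src=10.0.0.77 user=dave result=failure
2024-01-09T10:01:04 auth src=10.0.0.77 user=svc_backup_decoy result=failure
2024-01-09T10:01:05 auth src=10.0.0.77 user=erin result=failure
2024-01-09T10:30:00 auth src=10.0.0.9 user=bob result=failure
2024-01-09T10:31:00 auth src=10.0.0.9 user=bob result=success
"""

# Decoy accounts created in the directory purely as tripwires (hypothetical name).
HONEY_USERS = {"svc_backup_decoy"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_events(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def honey_user_hits(events, honey_users=HONEY_USERS):
    """Every attempt against a decoy account is an alert, whether it succeeded or not."""
    return [e for e in events if e["user"] in honey_users]


def brute_force_sources(events, window=timedelta(minutes=5), min_users=4):
    """Map source -> max number of distinct accounts with failed logons inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        # Sliding window over this source's failures ordered by time.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = max(len(users), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in honey_user_hits(evs):
        print(f"ALERT honey user {hit['user']} touched from {hit['src']} at {hit['ts']}")
    for src, n in brute_force_sources(evs).items():
        print(f"ALERT {src} failed logons against {n} distinct accounts within 5 minutes")
```

The honey-user check needs no threshold at all, which is what makes decoy accounts such a low-noise signal; the brute-force check relies on a window and a distinct-account threshold that should be tuned to the environment, and the single failed logon from `10.0.0.9` (a user mistyping a password before succeeding) is correctly left alone.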

“Honeypots have a reputation for being notoriously complicated and difficult to set up. By contrast, the UserInsight honeypot couldn't be simpler.”