Last updated at Mon, 28 Oct 2019 17:11:35 GMT

Many find it strange, but I really enjoy chaos. It is calming to see so many problems around in need of solutions. For completely different reasons, attackers love the chaos within our organizations. It leaves a lot of openings for gaining access and remaining undetected within the noise.

Rapid7 has always focused on reducing the weaknesses introduced by chaos.

Dr. Ian Malcolm taught us in Jurassic Park that you cannot control chaos. Instead, we strive to help you reduce and understand its impact. Chaos in modern companies is largely an issue of scale. There is so much computing power in use that's creating so much data; no one could be expected to manually find every vulnerability, lacking control, or misconfiguration amid this rapidly growing and disconnected set of data. The solutions that fit into the Threat Exposure Management suite at Rapid7 are wholly focused on automating the discovery of these exposures and providing quick remediation steps.

Detection solutions are often built for specific attack types.

Incident response teams have to solve a completely different problem brought on by the same chaotic expansion of data: understanding activity. When new methods of threat detection are invented, they are often highly effective against malware. Organizations gradually recognize their effectiveness and deploy them to prevent and detect a large number of attacks. As this security technology becomes universally adopted, attackers get creative and transition away from the many methods these solutions so effectively stop. This leaves a great many disparate solutions, each still effective against specific attacker actions that will never completely disappear. When attempting to pool alerts and information across all of them, the sheer number of sources has led to many incident responders sitting in front of eight or more monitors, with a view similar to the security guard command centers frequently navigated by the criminal protagonists in heist movies like The Score.

The tools available are failing to bring sufficient order.

For a decade now, incident response teams have relied on SIEM solutions that were not even built for incident responders. They were built for IT professionals, auditors, and data miners, so they focused on dealing with chaos in one way: centralization. Pooling all activity data into a single centralized place enabled incident responders to finally monitor something, and if the team includes experts in networking and incident analysis, it can operate effectively. This is primarily done by continually building custom scripts to identify known risky behavior and indicators of compromise.

However, combating this multiplying chaos through faster processing doesn't help you understand it better. Big Data technologies are now needed just to maintain the status quo as attackers explore new technology. You can expand your staff of experts to include data scientists to help reduce the alerting noise, but this only automates the analysis of data you already collect and already know how to explain. Like trying to master a competitive sport without ever scrimmaging or working with other teams to improve, this can work, but there has to be a better way.

We built InsightIDR for incident responders in this evolving chaos.

We consistently heard the same challenge: recognizing legitimate, undesirable, and malicious behavior amid this growing chaos. So much time is spent maintaining data collection, creating rules, and adjusting the views of the centralized data that security teams are often left with insufficient time to analyze the tens of thousands of alerts across their many dashboards. We automate this collection, the attribution of activity to users, and the normalization of the users' behavior, so your team can focus on analyzing incidents instead of manually checking networking protocols, constructing algorithms, and writing scripts on top of your centralized data.

By combining the knowledge of the Rapid7 research, development, and incident response teams with every customer we bring on board, we are testing and adapting the detection capabilities of each involved organization. Because the range of current attacker techniques demands a detection-in-depth strategy, we integrate with the solutions you already trust to detect known malware through malicious network signatures and application characteristics, apply user behavior analytics across all of that data, and supplement it with effective detection for the many behaviors that involve no malware at all, such as stolen credential use or lateral movement across endpoints and your managed cloud services. With all of these alerts in a single place, we can reduce the noise and simplify the process of scoping an incident in your organization of expanding chaos.

If you want to learn more about how we can do this for your company, check out our Incident Detection and Response page. I think you'll find we have the services and solutions to quickly improve incident response at your organization.