[Q&A] User Behavior Analytics as Easy as ABC Webcast

Last updated at Mon, 28 Oct 2019 16:58:08 GMT

Earlier this week, we had a great webcast all about User Behavior Analytics (UBA). If you'd like to learn why organizations are benefiting from UBA, including how it works, top use cases, and pitfalls to avoid, along with a demo of Rapid7 InsightIDR, check out on-demand: User Behavior Analytics: As Easy as ABC or the UBA Buyer's Tool Kit.

During the InsightIDR demo, which includes top SIEM, UBA, and EDR capabilities in a single solution, we had a lot of attendee questions (34!). We grouped the majority of questions into key themes, with seven Q&A listed below. Want more? Leave a comment!

1. Is [InsightIDR] a SIEM?

Yes. We call InsightIDR the SIEM you've always wanted, armed with the detection you'll always need. Built hand-in-hand with incident responders, our focus is to help you reliably find intruders earlier in the attack chain. This is accomplished by integrating with your existing network and security stack, including other log aggregators. However, unlike traditional SIEMs, we require no hardware, come prebuilt with behavior analytics and intruder traps, and monitor endpoints and cloud solutions – all without having to dedicate multiple team members to the project.

2. Is InsightIDR a cloud solution?

Yes. InsightIDR was designed to equip security teams with modern data processing without the significant overhead of managing the infrastructure. Your log data is aggregated on-premise through an Insight Collector, then securely sent to our multi-tenant analytics cloud, hosted on Amazon Web Services. More information on the Insight Platform cloud architecture.

3. Does InsightIDR assist with PCI or SOX compliance, or would I need a different Rapid7 solution?

Not with every requirement, but many, including tricky ones. As InsightIDR helps you detect and investigate attackers on your network, it can help with many unique compliance requirements. The underlying user behavior analytics will save you time retracing user activity (who had what IP?), as well as increase the efficiency of your existing stack (over the past month, which users generated the most IPS alerts?). Most notably, you can aggregate, store, and create dashboards out of your log data to solve tricky requirements like, “Track and Monitor Access to Network Resources and Cardholder Data.” More on how InsightIDR helps with PCI Compliance.

4. Is it possible to see all shadow cloud SAAS solutions used by our internal users?

Yes. InsightIDR gets visibility into cloud services in two ways: (1) direct API integrations with leading services, such as Office 365, Salesforce, and Box, and (2) analyzing Firewall, Web Proxy, and DNS traffic. Through the latter, InsightIDR will identify hundreds of cloud services, giving your team visibility into what's really happening on the network.

5. Where does InsightUBA leave off and InsightIDR begin?

InsightIDR includes everything in InsightUBA, along with major developments in three key areas:

• Fully Searchable Data Set
• Endpoint Interrogation and Hunting
• Custom Compliance Dashboards

For a deeper breakdown, check out “What's the difference between InsightIDR & InsightUBA?”

6. Can we use InsightIDR/UBA with Nexpose?

Yes! Nexpose and InsightIDR integrate to provide visibility and security detection across assets and the users behind them. With this combination, you can see exactly which users have which vulnerabilities, putting a face and context to the vuln. If you dynamically tag assets in Nexpose as critical, such as those in the DMZ or containing a software package unique to domain controllers, those are automatically tagged in InsightIDR as restricted assets. Restricted assets in InsightIDR come with a higher level of scrutiny – you'll receive an alert for notable behavior like lateral movement, endpoint log deletion, and anomalous admin activity.

7. If endpoint devices are not joined to the domain, can the agents collect endpoint information to send to InsightIDR?

Yes. From working with our pen testers and incident response teams, we realize it's essential to have coverage for the endpoint. We suggest customers deploy the Endpoint Scan for the main network, which provides incident detection without having to deploy and manage an agent. For remote workers and critical assets not joined to the domain, our Continuous Agent is available, which provides real-time detection, endpoint interrogation, and even a built-in Intruder Trap, Honey Credentials, to detect pass-the-hash and other password attacks.

Huge thanks to everyone that attended the live or on-demand webcast – please share your thoughts below. If you want to discuss if InsightIDR is right for your organization, request a free guided demo here.