Last updated at Mon, 10 Feb 2020 14:33:57 GMT
Security teams struggle daily to balance increasing workloads with limited resources, complex ecosystems, and rising cybersecurity threats. Security orchestration, automation, and response (SOAR) solutions like Rapid7 InsightConnect can help those teams accelerate processes and increase efficiency. SOAR refers to software solutions that streamline security operations in three key areas:
- Incident response
- Security operations automation
- Threat and vulnerability management
A valuable feature of InsightConnect is the way it works together with InsightIDR, Rapid7’s security information and event management (SIEM) solution. We spoke with Hendrick Automotive Group’s director of information security, Ben Schoenecker, about his experience with InsightConnect and its connection to InsightIDR. Here are some highlights:
Q: Why choose a SOAR solution?
A: I was at a summit not long ago with all of the large automotive groups. Part of the talk I was giving was about automation. One of the previous presenters said that his organization wasn’t using SOAR because they felt like it wasn’t good for small teams. I went up there the next day and told the opposite story.
I said that we're using security automation because we’re a small team, and it gives us an edge in responding to threats. I think that that's probably one of the primary reasons we're trying to automate things—because we don't have a large team. We can knock out a lot of the low-hanging fruit with automation.
I think that the more you work with automation, the more you go down that rabbit hole. You start realizing more potential. Even if you start with real basic stuff, you start kind of getting deeper into that mindset and finding ways to automate things that you didn't really think about before.
Q: What led you to purchase InsightConnect?
A: From the InsightIDR side, we just like to have everything meshed. One of the things we like about InsightConnect is that it has a close relationship with the SIEM. There are other good automation products out there, but they don't have that close integration with InsightIDR.
The alert triggers confirm that it’s about the easiest possible way. Now all we have to do is focus on getting the alert to the SIEM rather than trying to figure out some other way to trigger an automation queue. It's just easy. We don't have to focus on trying to figure out how to connect these two products.
Q: What were your initial use cases, and what will you do next?
A: Right now our use cases focus on account takeover containment, which is working really well. We're also doing malicious email automation on a couple of different use cases, and we're doing malicious code as well. We’re still improving our existing playbooks and planning for new ones. We’re about to enter a POC with CrowdStrike and SentinelOne, and we know both of those products are highly integrated with InsightConnect as far as their API ability goes.
I don’t think we know fully what’s next yet. I think we’ll start maturing in what we’re sending to InsightIDR a bit more, and next year we’re going to have a big push with InsightVM, Rapid7’s vulnerability risk management solution, so there may be some stuff there that we want to automate. Really we're just in a holding phase waiting to see what comes next. And then if there's a way to automate it, we're going to try to do it.
Q: Was it tough to get started with Alert Triggers?
A: It was totally intuitive. We didn't even refer to any documentation to find the feature. We saw Alert Triggers in the UI and realized we can choose what type of incidents we want to send over and trigger the workflows which showed up in InsightIDR.
Q: How many alerts do you receive daily?
A: In InsightIDR, we get anywhere from two to 20 per day. It really just depends on what sort of stuff we're doing. We've tried to knock out some of the noise, but some of the stuff we like to see even though it may be noisy. For example, we like to look at things like admin accounts being used and people impersonating accounts. Some of that stuff is just more noise, but I would say real incidents kind of fluctuate. We may have two or three real incidents a day that we have to take care of. It can vary.
Your team can achieve the same automation success as Hendrick Automotive Group with Rapid7 InsightConnect. InsightConnect helps accelerate and streamline time-intensive processes by connecting your tools together, so that each tool is used to its maximum potential. Connecting the dots between solutions better informs your security teams and enriches your data and security alerts, leading to major improvements in operational efficiency.