Last updated at Thu, 21 May 2020 15:35:32 GMT
Conducting cybersecurity in an industry not heavily regulated by the government still comes with its own challenges. We interviewed Tony Hamil, the senior cybersecurity engineer for a commercial real estate development company in Dallas, Texas, to hear firsthand the challenges he and his team face and how they’re managing security. Hamil’s job includes everything from application setup to maintenance to integrations and checking on alerts. As part of a small security team, Hamil and his colleagues have their hands in every area of security.
Below is a recap of our interview:
Q: What is the nature of an IT environment in real estate, and how is it unique?
A: It’s unique in that there aren’t a lot of government regulations, but we have a CEO who is very security-minded, so we adhere to the CIS and NIST standards even though we aren’t mandated by any of them. This is so important to our company because we have a lot of remote sites and users, so it’s our job to keep everyone contained whether they’re working onsite or remotely. For example, we need to ensure that users don’t do things like log in to a malicious Wi-Fi unit and have their account compromised.
Q: What solutions are you using to keep your company secure?
A: We’ve been using Rapid7’s InsightVM and Metasploit products for almost five years now. We also brought in InsightIDR as well as the Managed Detection and Response (MDR) service as our extended SOC team. Most recently, we brought InsightConnect in to support our initiative for more integration, automation, and orchestration to make our security operations more fluid.
I believe in having a single-pane-of-glass view. This can be tough, since no vendor is great at everything, but InsightIDR does a great job of taking the logs from our other solutions to not only ingest them but alert on them or utilize the data for user behavior analytics. This has allowed us to use InsightIDR as our source of truth for alerts, data, and user activity so we can quickly figure out what’s going on. And now that InsightConnect integrates with InsightIDR, I can see whether a user has done lateral movement and can disable them or kick them off the network, giving us more capabilities on the same platform without the need to jump through multiple platforms.
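To make the lateral-movement check described in the answer above concrete, here is an added example written for this recap; it is not InsightIDR or InsightConnect logic and does not use any Rapid7 API. It reads constructed logon events (the CSV-style format, host names, 30-minute window, three-host threshold and the known-normal service account are all assumptions), flags any account that authenticates to several distinct hosts in a short span, skips accounts the SOC has agreed are normal, and emits the containment step an orchestrator would run.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon events (not real telemetry). Field order:
# timestamp, user, source host, destination host.
SAMPLE_LOG = """\
2020-05-20T09:00:05,alice,WS-ALICE,FS-01
2020-05-20T09:02:10,alice,WS-ALICE,FS-01
2020-05-20T09:41:00,bob,WS-BOB,FS-01
2020-05-20T09:42:30,bob,WS-BOB,SQL-02
2020-05-20T09:43:15,bob,WS-BOB,APP-03
2020-05-20T09:44:00,bob,WS-BOB,DC-01
2020-05-20T11:00:00,bob,WS-BOB,FS-01
2020-05-20T02:00:00,svc-backup,BKP-01,FS-01
2020-05-20T02:00:30,svc-backup,BKP-01,SQL-02
2020-05-20T02:01:00,svc-backup,BKP-01,APP-03
2020-05-20T02:01:30,svc-backup,BKP-01,DC-01
"""

# Assumed allowlist: accounts whose host fan-out was reviewed with the SOC and is
# known-normal, so they are tuned out rather than raised on every run.
KNOWN_NORMAL = {"svc-backup"}


def parse_log(text):
    """Parse the constructed log into (time, user, src, dst) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, src, dst = line.split(",")
        events.append((datetime.fromisoformat(ts), user, src, dst))
    events.sort()
    return events


def detect_lateral_movement(events, window=timedelta(minutes=30),
                            host_threshold=3, allowlist=frozenset()):
    """Return {user: sorted distinct destination hosts} for every account that
    reached at least host_threshold distinct hosts inside any window-long span.
    Local logons (src == dst) and allowlisted accounts are ignored."""
    by_user = defaultdict(list)
    for ts, user, src, dst in events:
        if user in allowlist or src == dst:
            continue
        by_user[user].append((ts, dst))

    flagged = {}
    for user, logons in by_user.items():
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until every logon in
            # logons[start:end + 1] falls within `window` of the newest one.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            # Keep the largest host set seen for this account.
            if len(hosts) >= host_threshold and len(hosts) > len(flagged.get(user, ())):
                flagged[user] = sorted(hosts)
    return flagged


def response_actions(flagged):
    """Map each flagged account to the containment step an orchestrator would run."""
    return [
        f"disable account {user} (reached {len(hosts)} hosts in window: {', '.join(hosts)})"
        for user, hosts in sorted(flagged.items())
    ]


if __name__ == "__main__":
    hits = detect_lateral_movement(parse_log(SAMPLE_LOG), allowlist=KNOWN_NORMAL)
    for action in response_actions(hits):
        print(action)
```

On the sample data only "bob" is raised: four distinct hosts in three minutes, while the later 11:00 logon falls outside the window and is not counted. Running the same detector without the allowlist also raises "svc-backup", which is exactly the kind of known-normal activity a team would tune out with its SOC rather than disable automatically.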
Q: What are your biggest security challenges?
A: Our biggest problem is patch management. Our team doesn’t always get the patches or install them properly, which can leave our system vulnerable. We need to know when this is happening and have a way to let them know to leave the system on the network for a period of time so that InsightVM can install the patch. Rapid7’s Insight Agent has been very helpful in this process. We have people working from all over the world, many of whom don’t VPN in, but the agent allows me to still get data from them.
Another big challenge is user and asset management. When employees join or leave our company, we need to onboard and offboard them from an IT and security perspective. With InsightConnect, that entire process is automated and everything happens seamlessly.
Q: How do you measure the success of your security program?
A: Our most important metric is: “Have we been breached?” And if there was an incident, how far did it go? Did a user catch it, did we catch it, did we block it, did they exfiltrate data? Our success is determined by whether we lost any data, revenue, or reputation. If that hasn’t happened, I consider that a success. And since we have Rapid7’s products, these issues are usually stopped or blocked before anything malicious happens.
Q: How has your approach to vulnerability management evolved since using InsightVM?
A: Our approach is a night-and-day difference over the past two years. The ability to see our endpoints, both remote and onsite, and to gather that data in near real-time is what has helped us the most. Since not everyone is on our network or using VPNs, we need to know what’s going on, and getting that data from InsightVM has been crucial.
We now have reports that go to our infrastructure engineering team that leverages our patching solution. We also have a report that goes to my boss and their boss so they know what our highest-risk assets are and our overall risk score. If the score has gone up, they want to know why, and the report communicates this.
Currently, we’re exploring containers, since we want to embed security at the beginning of our development projects. With InsightVM, we’ll be able to monitor containers during the development process to make sure they’re secure before they’re pushed to production.
Q: How has InsightVM helped uncover some deeper issues inside your network?
A: InsightVM has helped us discover things we didn’t know were going on inside our patching solution. We knew we were patching, but once we put the agent on all of our systems and were able to gather data in near real-time, we saw things that weren’t set up properly. This helped us configure things and make sure certain security concepts were being followed. Now when we log in to our InsightVM dashboard, we can see our metrics improve as we’ve gotten more insight and actionable data about what’s going on inside our environment.
Q: Were you automating any processes prior to using InsightConnect?
A: No, I had a few scripts I’d run on my own, but they weren’t automated. We had been looking at automation for several years and were actually evaluating Komand before Rapid7 even acquired them and it became InsightConnect. The first thing we did was automate and orchestrate our onboarding process. What used to be a five- to six-hour process turned into a five- to six-minute process with InsightConnect. This saves us 30 hours a week of employee time that can now be devoted to something else. It’s also significantly reduced user error because when a process is automated, it happens precisely every time, and if there is a failure, we get an email to fix it right away.
We also utilize InsightConnect to ensure patching happens every time, on time. For example, if a level 10 Eternal Blue vulnerability comes in, we know it needs to be patched ASAP. InsightVM sees that and will push the patch to InsightConnect in real-time, saving hours of human time. It also helps to isolate malicious users or systems by automatically gathering data for us so our team can make a quick decision.
InsightConnect has extended the capabilities of all of our Rapid7 products because they can all gather data from each other to make better detections, decisions, and alerts. It increases the value from each one when they integrate together.
Q: What advice do you have for security teams looking to dive into automation and orchestration?
A: Find out what all the departments in your IT team do and how they can be automated. Talk to your application, server infrastructure, development, and security teams to understand which of their repetitive tasks can be automated. Once you know that, InsightConnect can do the majority of it, even if it requires a bit of manual scripting to begin.
Q: How have the relationships you’ve formed with Rapid7 added value to your team?
A: Rapid7 has one of the best customer relationship programs of the vendors I work with. Most companies promise a lot out of the gate, but as soon as you buy, you never hear from them again. Not with Rapid7. I know the team members by name because they check in every month and want to know what’s going on and how they can help me. We spend time going through alerts and anomalies together; Rapid7 truly makes sure we’re taken care of. With the MDR team, we go through what is normal and abnormal for our environment so that, for example, certain activities that are okay for certain accounts can be whitelisted so they don’t show up on our reports and waste our time.
The training Rapid7 offers also helps us get things set up. And the knowledge base and forums provide a lot of training and support so we can see what else these products are capable of. We want to get everything out of the products we own, and Rapid7 makes it easy to do that.
Q: How does Rapid7 fit into the future goals of your security program?
A: The integrations with the cloud are going to be the biggest focus for us next. We have a lot of activity and logging happening in our cloud environments, so once that data starts coming into InsightIDR or InsightVM, it’ll make our security program even better.
To learn about Rapid7’s products and how they can help integrate, optimize, and scale your security operations, click here.