The security industry has always evolved rapidly, but we have never dealt with changes as drastic and unprecedented as we are right now. Whether you’re working from home alongside the rest of your organization or in one of the essential industries responsible for continuing onsite operations, you’re likely facing new challenges and pressures of keeping everything running securely.
To help you and your organization respond to the rapidly shifting dynamics brought on by the COVID-19 pandemic, we’ve assembled a list of frequently asked questions that can help you improve management of remote assets as well as maintain your existing security and compliance levels given these new challenges. In addition to this resource, we have created a dedicated page at rapid7.com/covid with customer offers, articles and other content designed to help you navigate your security program in these times.
Frequently Asked Questions
My entire workforce is now working from home. How can I most effectively scan these assets over the VPN?
Unfortunately, network-based assessment becomes very challenging when the network is extended through technologies such as VPN. In addition to bandwidth constraints and users who may join and drop from the VPN throughout the day, each solution also has unique controls for network traffic that may need to be mitigated. Agents are the most ideal solution for these environments, as they are not dependent on network connectivity via VPN to a scan engine. Refer to the next FAQ in this article for guidance on how to deploy agents to remote systems.
The best recommendation if agents are not possible would be to dedicate an engine or engines to just the VPN segments to allow for extremely frequent and ongoing scans. This is the best chance for catching assets while they are connected, since that may be very short lived, and gives ample opportunity for another scan if it is interrupted due to connectivity issues. PPS should be throttled fairly low and retries should be increased, which will increase scan times, but will be most forgiving in this environment.
My entire workforce is now working from home. I want to use the Rapid7 Insight Agent to help me assess these assets for vulnerabilities (and key Indications of Compromise) to keep my company secure. How can I deploy the agent to these systems remotely?
While we don’t currently have in-product functionality to facilitate deployment of agents, we have created a tokenized version of the agent to make it easier to use tools you may already have for mass deployment. Information on that methodology can be found here.
In particular, many of our customers have had success using GPO to push agents to their Windows-based desktops, as detailed here.
If these assets were already being scanned by a scan engine, then deploying agents should not necessarily create so much additional data that it warrants changes to the system specs of the console (i.e., disk space, RAM, CPU, etc.).
Assets that were scanned with an authenticated scan previously will be correlated to the information coming back from the agent via the system UUID, and will not add substantially to the resource consumption.
For assets that were only scanned with unauthenticated scans, enabling the agent UUID will aid in correlation for these assets, as described here.
By enabling the agent UUID to be seen by scans of the asset, the assets with installed agents will correlate to the scanned version of that asset and should not significantly increase the resources consumed on the console. It should be noted for these assets, they would need to be scanned once the agent UUID is enabled for that information to be added to the asset record and the correlation to take place.
How will my newly mobile workforce impact PCI compliance? For example, we now have call center employees who take credit card information forced to work from home; are all their assets in scope for PCI?
Per the PCI-DSS, “The cardholder data environment (CDE) is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.” The systems used by these call center employees who are collecting credit card information are included in that scope. If you have any questions or concerns about how your controls should be applied to these remote systems, you should consult your QSA.
What are some useful dashboards/custom alerts Rapid7 suggests I make in InsightIDR (Rapid7’s SIEM solution) to help monitor my users and my VPN now that they’re all working from home?
The fields that the actual VPN authentication logs contain can vary depending on the type of VPN device that you have, but some generic dashboard cards are provided in InsightIDR that are useful to get started. To use the pre-configured cards, from the Dashboards page, either edit an existing dashboard or create a new one. Select Add Card -> From Card Library -> Ingress Authentication, then add in the cards that are displayed. You can read more about this feature here.
To get the most out of the Dashboards, you should first know that the cards are created based on Log Search queries. You may create your own cards or edit the existing ones to customize the views to what you want to see. We also have a helpful blog available on creating your own queries that contains several specific examples of using Log Search with Ingress Authentication events that can be tailored for your organization. These queries can also be used to create a custom dashboard or alert. For example, you can modify this query for your organization and use it to create both a dashboard card and a custom alert:
where(geoip_country_name AND result=SUCCESS AND geoip_country_name!=/United States|Ireland|United Kingdom|Canada|India|Singapore|Japan|Australia/)groupby(geoip_country_name)
If your VPN logs have fields in them that are of interest to you but that are not parsed out of the logs by default, use the Custom Parsing tool to parse out the interesting fields and view them in a dashboard card. For example, if your logs contain a field with the reasons why a user was disconnected, this is not parsed out by default. However, you can use the Custom Parsing tool to parse this field so that you can easily view, create custom alerts, or dashboard cards for the field.
As a customer of Insight IDR, we are experiencing a lot of ingress alerts that we have not previously. How can we adjust our IDR configs to baseline on the “new normal?”
To tune alerts in InsightIDR, go to the Investigations page and find the associated investigation. When closing the investigation, select the best option to tune the alert as desired. You may also view previously created alert modifications by going to Settings -> Alert Modifications.
On behalf of all of us at Rapid 7, thank you—your ongoing commitment to security during these uncertain times keeps your business running. We are here for you as a resource to keep your organization secure. Please visit rapid7.com/covid for additional offers, articles and guidance to manage your security program in these challenging and unprecedented times.