This blog post is part of an ongoing series about evaluating Managed Detection and Response (MDR) providers. For more insights, check out our guide, “10 Things Your MDR Service Must Do.”
There isn’t a single threat or breach that doesn’t involve attackers using legitimate credentials to cause harm. Unfortunately, our credential footprint has grown beyond the traditional accounts and directory services to online service accounts, single sign-on (SSO), and other web-based authentication mechanisms.
The best Managed Detection and Response (MDR) providers are not only equipped to detect authentication regardless of where it occurs, but they also possess the intelligence and visibility needed to detect when an attacker might be looking to compromise those credentials through social engineering.
How Rapid7 MDR can help
Many traditional SIEM solutions claim to utilize User Behavior Analytics (UBA) detections, but SIEM engines aren’t built for real-time attribution. Users and assets constantly move around in a modern network architecture, leading to an engine that cannot accurately map events to entities. This requires going beyond out-of-the-box detections to require advanced analytics and human threat detectors.
Our team is able to leverage real-time attribution from these UBA indicators within InsightIDR to more easily determine whether a potential threat is an outside attacker impersonating an employee or an actual employee who is presenting risk, whether through negligence or malice. UBA utilizes our purpose-built proprietary attribution engine to detect behaviors indicative of true threats, while sorting out users who may be doing unusual tasks but are not actually compromised. This enables our team to connect network activity to a specific user, as opposed to an IP address or asset, to detect compromised credentials, lateral movement, and other malicious behavior. Learn more about the UBA features in InsightIDR.
This combination allows the MDR analysts to dynamically prioritize and rank alert criticality by:
- Detecting known threats based on single occurrences, or groups of notable events based on specific user behaviors or deviations from known-good baselines.
- Detecting insider threats based on groups of notable events describing the sequence events typically associated with information theft by an authorized party.
- Associating user behaviors based on notable events with alerts and investigations to improve the validation and investigation analyst workflows.
- Providing the data and evidence needed to associate technical analysis with human behaviors for threat reporting.
Find this post helpful? Bee sure to check out other posts in this series here!