Non-calamitous conclusions

When teams work in silos, they often arrive at different interpretations of the same data, and there is no way to realize the real benefits of automated remediation while that is the case. Visibility across teams, meaning a shared data set from which everyone can draw the same conclusions, is the critical foundation. Once that understanding and trust between teams exists, you are ready to get into the particulars of automated remediation.

In the 4 Levels of Automated Remediation Introduction, we laid out the different levels of automated remediation and discussed how the simple act of automating notifications for events keeps security personnel honest about maintaining a proper workflow. Now, let’s explore the first of the 4 levels of automated remediation.

Logs on, rock on

Properly securing a new cloud account starts with calibrating the fundamentals. With AWS, these might include:

  • For CloudTrail: Ensuring all logs are aggregated to a central bucket and all regions are logging
  • For S3 buckets: Enabling versioning, logging, and server-side encryption
  • For EBS: Ensuring all volumes associated with an instance are tagged
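As an added illustration of what checking those three fundamentals looks like in practice (example code written for this page, not Rapid7's or InsightIDR's), here is a small Python audit that evaluates constructed data shaped like boto3's CloudTrail, S3 and EC2 responses, so it runs offline. The central bucket name, the required EBS tag keys and all account data are assumptions.

```python
"""Audit an AWS account's baseline logging settings.

Added example, not Rapid7/InsightIDR code. The input dicts are constructed to
mirror boto3 response shapes; in a real audit they would come from
cloudtrail.describe_trails() merged with get_trail_status(), s3.get_bucket_versioning(),
s3.get_bucket_logging(), s3.get_bucket_encryption() and ec2.describe_volumes().
"""
from __future__ import annotations

CENTRAL_LOG_BUCKET = "central-cloudtrail-logs"  # assumed name of the aggregation bucket
REQUIRED_EBS_TAGS = {"Owner", "Environment"}    # assumed tagging policy

# --- constructed sample data ---------------------------------------------
TRAILS = [  # describe_trails()["trailList"] entries plus get_trail_status()["IsLogging"]
    {"Name": "org-trail", "S3BucketName": "central-cloudtrail-logs",
     "IsMultiRegionTrail": True, "LogFileValidationEnabled": True, "IsLogging": True},
    {"Name": "legacy-us-west-2", "S3BucketName": "team-a-logs",
     "IsMultiRegionTrail": False, "LogFileValidationEnabled": False, "IsLogging": False},
]
BUCKETS = {  # per bucket: get_bucket_versioning(), get_bucket_logging(), get_bucket_encryption()
    "central-cloudtrail-logs": {
        "versioning": {"Status": "Enabled"},
        "logging": {"LoggingEnabled": {"TargetBucket": "s3-access-logs", "TargetPrefix": "ct/"}},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    },
    "team-a-logs": {
        "versioning": {},    # never enabled: the response carries no "Status" key
        "logging": {},       # no "LoggingEnabled" block
        "encryption": None,  # stands for the NotFound error boto3 raises with no default SSE
    },
}
VOLUMES = [  # describe_volumes()["Volumes"]
    {"VolumeId": "vol-0aaa", "Attachments": [{"InstanceId": "i-0111"}],
     "Tags": [{"Key": "Owner", "Value": "payments"}, {"Key": "Environment", "Value": "prod"}]},
    {"VolumeId": "vol-0bbb", "Attachments": [{"InstanceId": "i-0222"}],
     "Tags": [{"Key": "Owner", "Value": "payments"}]},         # Environment tag missing
    {"VolumeId": "vol-0ccc", "Attachments": [], "Tags": []},   # unattached: out of scope
]


def check_cloudtrail(trails, central_bucket):
    """All regions logging == at least one active multi-region trail into the central bucket."""
    findings = []
    if not any(t["IsMultiRegionTrail"] and t["IsLogging"] and t["S3BucketName"] == central_bucket
               for t in trails):
        findings.append(f"no active multi-region trail delivering to {central_bucket}")
    for t in trails:
        if t["S3BucketName"] != central_bucket:
            findings.append(f"trail {t['Name']} delivers to non-central bucket {t['S3BucketName']}")
        if not t["IsLogging"]:
            findings.append(f"trail {t['Name']} is not logging")
        if not t["LogFileValidationEnabled"]:
            findings.append(f"trail {t['Name']} has log file validation disabled")
    return findings


def check_s3_bucket(name, cfg):
    """Versioning, access logging and default server-side encryption must all be on."""
    findings = []
    if cfg["versioning"].get("Status") != "Enabled":
        findings.append(f"bucket {name}: versioning not enabled")
    if "LoggingEnabled" not in cfg["logging"]:
        findings.append(f"bucket {name}: access logging not enabled")
    rules = (cfg["encryption"] or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in r for r in rules):
        findings.append(f"bucket {name}: no default server-side encryption")
    return findings


def check_ebs_volumes(volumes, required_tags):
    """Every volume attached to an instance must carry the required tag keys."""
    findings = []
    for v in volumes:
        if not v["Attachments"]:
            continue
        missing = sorted(required_tags - {t["Key"] for t in v.get("Tags", [])})
        if missing:
            findings.append(f"volume {v['VolumeId']} missing tags {missing}")
    return findings


def audit(trails=TRAILS, buckets=BUCKETS, volumes=VOLUMES):
    findings = check_cloudtrail(trails, CENTRAL_LOG_BUCKET)
    for name, cfg in buckets.items():
        findings += check_s3_bucket(name, cfg)
    return findings + check_ebs_volumes(volumes, REQUIRED_EBS_TAGS)


if __name__ == "__main__":
    for f in audit():
        print("FINDING:", f)
```

Run against the sample data, the audit reports seven findings, all on the legacy trail, the team bucket and the under-tagged volume; the central bucket and the multi-region trail pass. Note that a multi-region trail is what satisfies "all regions logging": a trail that is merely present in every region but stopped, or delivering elsewhere, does not.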

Enabling these fundamental configurations and logging pays off in easier investigation of security events. With InsightIDR, for example, you can create automatic investigation workflows and search logs to detect and respond to threats, but only for activity that was actually logged. It is therefore in the organization's best interest to log thoroughly and extensively.

Anything for integrations

Continuing with AWS use cases, InsightIDR integrates natively with critical services on that platform, which makes it easy to centralize log management and to collect detailed data from:

  • CloudTrail, which monitors and logs account activity and administrative actions
  • GuardDuty, which provides insight into potentially malicious activity within AWS

Those are the native integrations. Beyond them, Insight Agents can be deployed to collect forensic log data from endpoints and to contain threats by cutting compromised instances and endpoints off from the network. The agent also helps identify log deletions and suspicious privilege escalations. Since the majority of breaches start on a single endpoint, most of the time unbeknownst to the user, enhanced visibility into those endpoints is critical: detection, including deception-based detection, can occur in real time, and compromised assets can be contained automatically.

Zooming back out, InsightIDR also supports reporting and compliance: it can point directly to log storage locations, confirm the log history and, importantly, confirm that the right log sources are represented.

If it’s a daily event, do we still call it an event?

We usually think of events as special. An upcoming event is something that causes excitement, for better or worse. When they happen thousands or millions of times each day, however, they aren’t special anymore, and searching through them, hunting for clues to a vulnerability or trying to reconstruct what happened after a particularly nasty security incident, becomes arduous.

Rapid7’s cloud-based architecture enables a smooth search across all logs, with InsightIDR correlating those daily events directly to users and endpoints. Detect faster and build an investigation more easily with automatic prioritization that surfaces notable events. Those specific situations are the ones we can really call “events.”
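To make concrete what surfacing notable events out of millions of routine ones can mean at the CloudTrail level, here is an added Python example (not InsightIDR's detection logic, and not code from the original post). It classifies a constructed stream of CloudTrail records against assumed watchlists for trail tampering, changes to the log bucket and IAM privilege escalation, then groups the hits by the user who performed them, which is the correlation to users described above. The log bucket name, user names, account number and watchlists are all assumptions.

```python
"""Pull notable CloudTrail events out of a high-volume stream and attribute them to actors.

Added example, not InsightIDR's detection logic. The event records are constructed
in CloudTrail's JSON shape; the watchlists below are an assumed starting point, not a
complete catalogue.
"""
from __future__ import annotations
from collections import defaultdict

LOG_BUCKET = "central-cloudtrail-logs"  # assumed: the bucket the trails deliver to

LOG_TAMPERING = {  # eventName -> why it matters
    "StopLogging": "trail logging stopped",
    "DeleteTrail": "trail deleted",
    "UpdateTrail": "trail configuration changed",
    "PutEventSelectors": "trail event selectors changed",
    "DeleteFlowLogs": "VPC flow logs deleted",
}
LOG_BUCKET_TAMPERING = {"DeleteBucket", "PutBucketLifecycle", "PutBucketPolicy",
                        "PutBucketAcl", "DeleteObject", "DeleteObjects"}
PRIV_ESCALATION = {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
                   "CreateAccessKey", "UpdateAssumeRolePolicy", "AddUserToGroup"}


def classify(event):
    """Return (severity, reason) for a notable event, or None for routine noise."""
    name = event["eventName"]
    params = event.get("requestParameters") or {}
    if name in LOG_TAMPERING:
        return "high", LOG_TAMPERING[name]
    if (event["eventSource"] == "s3.amazonaws.com" and name in LOG_BUCKET_TAMPERING
            and params.get("bucketName") == LOG_BUCKET):
        return "high", f"{name} on the CloudTrail log bucket"
    if name in PRIV_ESCALATION:
        if params.get("policyArn", "").endswith("/AdministratorAccess"):
            return "high", f"{name} granting AdministratorAccess"
        return "medium", f"IAM permission change via {name}"
    return None


def triage(events):
    """Group notable events by actor ARN; return (by_actor, number of events suppressed)."""
    by_actor = defaultdict(list)
    suppressed = 0
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            suppressed += 1
            continue
        severity, reason = verdict
        by_actor[ev["userIdentity"]["arn"]].append(
            {"time": ev["eventTime"], "event": ev["eventName"],
             "severity": severity, "reason": reason})
    return dict(by_actor), suppressed


# --- constructed sample stream -----------------------------------------------
def _ev(time, source, name, actor, params):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{actor}"},
            "requestParameters": params}

# 2000 routine read-only calls ...
EVENTS = [_ev(f"2023-01-01T00:{i // 60:02d}:{i % 60:02d}Z", "ec2.amazonaws.com",
              "DescribeInstances", "alice", {}) for i in range(2000)]
# ... and a handful of calls that should rise to the top
EVENTS += [
    _ev("2023-01-01T01:02:03Z", "iam.amazonaws.com", "AttachUserPolicy", "alice",
        {"userName": "alice", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    _ev("2023-01-01T01:10:00Z", "cloudtrail.amazonaws.com", "StopLogging", "bob",
        {"name": "org-trail"}),
    _ev("2023-01-01T01:10:30Z", "iam.amazonaws.com", "AttachUserPolicy", "bob",
        {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2023-01-01T01:11:00Z", "s3.amazonaws.com", "PutBucketLifecycle", "bob",
        {"bucketName": "central-cloudtrail-logs"}),
    _ev("2023-01-01T01:11:05Z", "s3.amazonaws.com", "GetObject", "bob",
        {"bucketName": "central-cloudtrail-logs", "key": "AWSLogs/"}),  # a read, not tampering
]

if __name__ == "__main__":
    actors, noise = triage(EVENTS)
    print(f"{noise} routine events suppressed")
    for arn, hits in actors.items():
        print(arn)
        for h in hits:
            print(f"  {h['time']} {h['severity']:6} {h['event']}: {h['reason']}")
```

Of the 2005 records, 2001 are suppressed as routine and four are surfaced: one medium-severity policy attachment by alice, and three high-severity actions by bob within about a minute (stop the trail, grant AdministratorAccess, change the lifecycle of the log bucket). Grouping by actor is what turns three separate hits into one story; the read of the log bucket stays suppressed because reads are not tampering, though an analyst building the timeline would still pull it in.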

With that, we’re ready for a deep dive into the second of 4 Levels of Automated Remediation. You can also read the first entry in the series here.

Level 2: Best practices