Last updated at Fri, 14 Oct 2022 13:02:28 GMT

To be great at something, you have to be a little obsessed. That's true whether you want to be a chess grandmaster, become an internationally recognized CEO, or build the best cybersecurity platform on the planet.

At Rapid7, our laser-focus has always been trained on one thing: helping digital defenders spot and stop bad actors. From the start of our story, penetration testing — or pen testing, for short — has been one of the cornerstones of that obsession. The offensive security mindset influenced the way we built and designed InsightIDR, our cloud-native XDR and SIEM.

On the offensive

Before we ever released InsightIDR, there was Metasploit, an open-source pen testing framework. Originally developed by HD Moore, Metasploit allows offensive security teams to think like attackers and infiltrate their own organizations' environments, pushing the boundaries to see where their systems are vulnerable. Those insights help the business identify the most serious issues to prioritize and patch, remediate, or mitigate.

Offensive security strategies provide a much-needed foundation for assessing your risk landscape and staying a step ahead of threats — but the task of building and operationalizing a security strategy doesn't end there.

"The biggest misconception about pen testing that I hear repeatedly is, 'We're going to pen-test to test our response time or test our tools,'" says Jeffrey Gardner, Rapid7's Practice Advisor for Detection and Response. "That's not the purpose of a pen test."

Pen testing is a critical step in understanding where and how your organization is vulnerable to attackers, and what kinds of activities within your environment might indicate a breach. This is essential information for setting up the detections that your security operations center (SOC) team needs in order to effectively safeguard your systems against intrusion — but they also need a tool that lets them set up those detections, so they can get alerts based on what matters most for your organization's specific environment.

Pen testing itself isn't that tool, nor does it test the effectiveness of the tools you have. Rather, pen testing looks for your weaknesses, and once they're found, looks for ways to exploit them, including using stolen credentials to move laterally across the network.

Mapping how bad actors behave

That's where the importance of having a security information and event management (SIEM) solution built with offensive security in mind comes in, and that's exactly what our years of experience helping organizations run pen tests and analyze their attack surface have allowed us to build. InsightIDR is a unified SIEM and XDR platform designed with a pen tester's eye. The key to that design is user and entity behavior analytics (UEBA).

See, the problem with detecting attackers in your network is that, to the human eye, they can look a lot like regular users. Once they've cracked a password or stolen login credentials through a phishing attack, their activities can look relatively unremarkable until they make the big move: a major escalation of privilege or some other step that lets them steal sensitive data or take systems down entirely.

It takes years of experience understanding how attackers behave once they penetrate networks, and the subtle ways those patterns differ from legitimate users, to be able to catch them in your environment. This is exactly the type of expertise Rapid7 has gained through 10+ years of in-the-trenches penetration testing with Metasploit. Everything we learned about attacker behavior went into the UEBA at the heart of InsightIDR.

InsightIDR continuously baselines healthy user activity in the context of your specific organization. This way, the tool can spot suspicious activity fast — including lateral movement and the use of compromised credentials — and generate alerts so your team can respond swiftly. This detections-first approach means InsightIDR comes with a deep level of insight that's based on years of studying the attacker, as well as an understanding of what alerts matter most to SOC teams.
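To make the baselining idea concrete, here is a small added example of the kind of per-user baseline and deviation check UEBA rests on. It is illustrative code written for this page, not InsightIDR's implementation, and its event format, field names, thresholds and the sample authentication events are all constructed assumptions. It learns each user's usual source hosts, destination hosts and active hours from a week of ordinary activity, then flags events that deviate from that baseline and, on top of those, a lateral-movement pattern (several never-before-seen hosts reached within a short window).

```python
"""
Toy UEBA-style baseline and detection over constructed authentication events.
Added example for illustration; not InsightIDR code. Event schema, thresholds and
host/user names are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one week of ordinary activity for
# alice and bob. Each event is one successful authentication from src to dst.
BASELINE_EVENTS = []
for day in range(1, 8):
    BASELINE_EVENTS += [
        {"ts": f"2022-10-0{day}T09:05:00", "user": "alice", "src": "ws-alice", "dst": "fileserv-01"},
        {"ts": f"2022-10-0{day}T13:30:00", "user": "alice", "src": "ws-alice", "dst": "mail-01"},
        {"ts": f"2022-10-0{day}T08:50:00", "user": "bob", "src": "ws-bob", "dst": "fileserv-01"},
        {"ts": f"2022-10-0{day}T10:15:00", "user": "bob", "src": "ws-bob", "dst": "build-01"},
    ]

# Constructed evaluation day: alice's credential is reused late at night from bob's
# workstation and walks several servers she has never touched, within a few minutes.
NEW_EVENTS = [
    {"ts": "2022-10-10T09:02:00", "user": "alice", "src": "ws-alice", "dst": "fileserv-01"},  # normal
    {"ts": "2022-10-10T23:41:00", "user": "alice", "src": "ws-bob", "dst": "fileserv-01"},    # odd hour, odd source
    {"ts": "2022-10-10T23:43:00", "user": "alice", "src": "ws-bob", "dst": "dc-01"},          # never-seen target
    {"ts": "2022-10-10T23:44:00", "user": "alice", "src": "ws-bob", "dst": "db-01"},          # never-seen target
    {"ts": "2022-10-10T23:46:00", "user": "alice", "src": "ws-bob", "dst": "backup-01"},      # never-seen target
    {"ts": "2022-10-10T10:20:00", "user": "bob", "src": "ws-bob", "dst": "build-01"},         # normal
]


def build_baseline(events):
    """Per-user baseline: source hosts used, destination hosts reached, hours active."""
    base = defaultdict(lambda: {"src": set(), "dst": set(), "hours": set()})
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        b = base[e["user"]]
        b["src"].add(e["src"])
        b["dst"].add(e["dst"])
        b["hours"].add(ts.hour)
    return base


def detect(events, baseline, window=timedelta(minutes=10), spread=3):
    """Return (ts, user, reason) alerts for baseline deviations and lateral movement.

    Lateral-movement heuristic (an assumption of this example): the same account
    reaches at least `spread` distinct never-before-seen hosts within `window`.
    """
    alerts = []
    new_dst = defaultdict(list)  # user -> [(ts, dst)] for never-seen destinations
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(e["ts"])
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["ts"], e["user"], "no baseline for user"))
            continue
        reasons = []
        if e["src"] not in b["src"]:
            reasons.append(f"new source host {e['src']}")
        if e["dst"] not in b["dst"]:
            reasons.append(f"new destination host {e['dst']}")
            new_dst[e["user"]].append((ts, e["dst"]))
        if ts.hour not in b["hours"]:
            reasons.append(f"unusual hour {ts.hour:02d}")
        if reasons:
            alerts.append((e["ts"], e["user"], "; ".join(reasons)))
        recent = {d for t, d in new_dst[e["user"]] if ts - t <= window}
        if len(recent) >= spread:
            alerts.append((e["ts"], e["user"], f"lateral movement: {sorted(recent)} within {window}"))
            new_dst[e["user"]].clear()  # fire once per burst, not on every further host
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Run as-is, the week of baseline traffic produces no alerts against itself, while the evaluation day yields four deviation alerts for alice (new source host, unusual hour, three new destinations) and a fifth, lateral-movement alert once the third never-seen host is reached inside the ten-minute window; bob's routine activity stays silent. A production UEBA engine replaces these literal sets with statistical distributions over longer histories, compares users to peer groups, and scores entities (hosts, service accounts) as well as people, but the shape of the logic is the same: learn what normal looks like for this account in this environment, then alert on the deviations an attacker with valid credentials cannot avoid producing.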

Watch a free demo today to see InsightIDR's attacker-spotting power in action.