Applying Poker Theory to Incident Detection & Response
Editor's Note: Calling Your Bluff: Behavior Analytics in Poker and Incident
was really fun and well received, so here's an encore!
Hold'em & Network Security: Two Games of Incomplete Information
When chatting about my past poker experience, there's one statement that pops up
time and time again:
“So… as a 'pro'… you probably bluff a lot.”
A bluff is a bet made knowing that if called, you have no c
5 Methods For Detecting Ransomware Activity
Until recently, ransomware was primarily a consumer problem. However, cybercriminals behind recent ransomware attacks have now shifted their focus to businesses.
Why Flexible Analytics Solutions Can Help Your Incident Response Team
I happen to despise buzzwords, so it has been challenging for me to use the term
"big data security analytics" in a sentence, mostly because I find it to be a
technical description of the solutions in this space, rather than an indicator
of the value they provide. However, since we build products based on the
security problems we identify, I want to explain how those technologies can be
used to target some highly pervasive incident response challenges.
Detection and investigation problems conti
What Makes SIEMs So Challenging?
I've been at the technical helm for dozens of demonstrations and evaluations of
our incident detection and investigation solution, InsightIDR
[https://www.rapid7.com/products/insightidr/], and I've been running into the
same conversation time and time again: SIEMs aren't working for incident
detection and response. At least, they aren't working without investing a lot
of time, effort, and resources to configure, tune, and maintain a SIEM
deployment. Most organizations don't have the recommende
Incident Detection Needs to Account for Disruptive Technologies
Since InsightIDR [https://www.rapid7.com/products/insightidr/] was first
designed, there has been a noteworthy consistency: it collects data from your
legacy networking infrastructure, the mobile devices accessing your resources,
and your cloud infrastructure. This is because we believe that you need to
monitor users wherever they have access to the network to accurately detect
misuse and abuse of company resources, be they malicious or negligent in origin.
This doesn't mean tiptoeing around emp
Leverage Attackers' Need To Explore For Detection
When you examine the sanitized forensic analyses, threat briefings, and
aggregated annual reports, there are two basic facts that emerge:
1. There are a lot of different attacker groups with access to the same
Internet as baby boomers and short-term contractors.
2. Most of them are proficient at user impersonation once on the network to
remain undetected for months.
In this reality, our organizations need to do more than just build defenses and
sit in waiting until known signature
Attackers Thrive on Chaos; Don't Be Blind to It
Many find it strange, but I really enjoy chaos. It is calming to see so many
problems around in need of solutions. For completely different reasons,
attackers love the chaos within our organizations. It leaves a lot of openings
for gaining access and remaining undetected within the noise.
Rapid7 has always focused on reducing the weaknesses introduced by chaos.
Dr. Ian Malcolm taught us in Jurassic Park that you cannot control chaos.
Instead, we strive to help you reduce and understand its impa
Enterprise Account Takeover: The Moment Intruders Become Insiders
Every time an attacker successfully breaches an organization, there is a flurry
of articles and tweets attempting to explain exactly what happened so
information security teams worldwide are able to either a) sleep at night
because they have mitigated the vector or b) lose only one night of sleep
mitigating it. Here's the problem: every breach is complex and involves a great
deal more malicious actions than are published on your chosen 24-hour news
website. The least detected action is the use o
When Your SIEM Tools Are Just Not Enough
Security Information and Event Management (SIEM) tools have come a long way
since their inception in 1997. The initial vision for SIEM tools was
to be a 'security single pane of glass,' eliminating alert fatigue, both in
quantity and quality of alerts. Yet the question still remains: have SIEMs
delivered on that promise, and if so, can every security team benefit from one?
In this blog we'll dive a bit into the history be
Alert Fatigue: Incident Response Teams Stop Listening to Monitoring Solutions
"Don't Be Noisy." It's that simple. This motto may be the only remaining
principle of the concept that entered incubation in mid-2012 and eventually
became InsightIDR [https://www.rapid7.com/products/insightidr/].
Of the pains that our customers shared with us up to that point, there was a
very consistent challenge: monitoring products were too noisy. Whether they were
talking about a firewall, a web proxy, SIEM, or a solution that doesn't fit into
a simple category, these design partners told
The Insight Platform Goes to Europe: Now Compliant with European Data Hosting Requirement
Cloud technology is everywhere. From our annual survey, we found that 79% of
organizations are allowing approved cloud services, with Office 365, Google
Apps, and Salesforce coming in as the top 3. InsightIDR, our incident detection
and response solution [https://www.rapid7.com/products/insightidr/], and
InsightUBA, our user analytics solution
[https://www.rapid7.com/products/insightuba/], are both cloud-based by design,
and host in the
Redner's Markets Selects Nexpose & InsightUBA for Compliance and Incident Detection
With breaches making regular headlines, security teams are under more scrutiny
than ever before. This is especially true in retail, where strong security
practices are paramount to protecting customer and organizational data. PCI DSS
compliance is a key component of any retail organization's security program. As
a level 2 merchant, Redner's Markets [http://www.rednersmarkets.com/] must
conduct regular vulnerability scans, collect logs, and review them daily.
“Compliance was what began our rel
Attackers Love When You Stop Watching Your Endpoints, Even For A Minute
One of the plagues of the incident detection space is the bias of functional
fixedness. The accepted thought is that your monitoring is only effective for
systems that are within the perimeter and communicating directly with the domain
controller. And, the logic continues, when they are away from this trusted
realm, your assets are protected only by the preventive software running on
them. Given the continuous rise of remote workers (telecommuting rose 79 percent
from 2005 to 2012), it's now tim
UNITED 2016: Power Up Your Incident Detection and Response
When you think about fall in New England, the visions that should flow through
your head are gorgeous foliage, cool autumn nights... and the evolution of
incident detection and response technology. That's right, it's time we start
talking about UNITED 2016 [http://unitedsummit.org/], Rapid7's annual user
conference held in Boston (this year it's November 1-3).
This UNITED, we have a major initiative to help you cut through the industry
noise, acronyms, and buzzwords around IDR. That is why this
IDC: 70% of Successful Breaches Originate on the Endpoint
This is part 2 of a blog post series on a new IDC infographic covering new data
on compromised credentials and incident detection. Check out part 1 now
if you missed it.
Most organizations focus on their server infrastructure when thinking about
security – a fact we often see in our Ne