<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom"
   version="2.0" xmlns:media="http://search.yahoo.com/mrss/">
  <channel>
    <title><![CDATA[ InsightIDR - Rapid7 Cybersecurity Blog ]]></title>
    <description><![CDATA[Rapid7 transforms data into insight, empowering security professionals to progress and protect their organizations.]]></description>
    <link>https://www.rapid7.com/blog/</link>
    <image>
      <url>https://blog.rapid7.com/favicon.png</url>
      <title>Rapid7 Cybersecurity Blog</title>
      <link>https://www.rapid7.com/blog/</link>
    </image>
    <lastBuildDate>Wed, 22 Apr 2026 07:17:24 GMT</lastBuildDate>
    <atom:link href="https://www.rapid7.com/tag/insightidr/rss" rel="self" type="application/rss+xml" />
    <ttl>60</ttl>
    <item>
      <title><![CDATA[InsightIDR AI Alert Triage Automatically Classifies Alerts with 99.93% Benign Alert Accuracy]]></title>
      <description><![CDATA[<h3>Rapid7 AI Alert Triage helps SOC analysts quickly and accurately triage thousands of daily alerts, improving efficiency and enabling focus.</h3><p>One universal truth in <a href="/fundamentals/security-operations-center/" target="_self">Security Operations Centers (SOCs)</a> is that analysts are overwhelmed by the high volume of alerts they receive. In a recent <a href="https://www.vectra.ai/resources/2023-state-of-threat-detection">survey</a>, SOC teams reported they are inundated with an average of 4,484 alerts daily, with a staggering 67% being ignored due to alert fatigue and the high volume of false positives. The same survey also reported that the number of security alerts they received had “significantly increased” in the last three years. All this can lead to alert fatigue, resulting in missed or ignored alerts and potentially exposing an organization to legitimate threats, impacting SOC performance.</p><h2>Introducing AI Alert Triage for InsightIDR</h2><p>Rapid7's AI Alert Triage – trained and tested by the Rapid7 global MDR service across trillions of alerts worldwide – will soon be available to users of our next-gen SIEM, InsightIDR, at no additional cost. The AI Alert Triage engine quickly suggests an initial disposition (benign or malicious) for alerts, providing clarity into why that disposition was chosen and supporting information from the investigation.</p><figure style="margin: 0"><div style="display: inline-block"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltb9acfb908fa95a76/6874c7c987996581fcf1f9eb/image1.png" alt="image1.png" caption="The new AI Suggested Disposition field shows the alert classification, along with detailed information to assist the SOC analyst." 
class="embedded-asset" content-type-uid="sys_assets" type="asset" asset-alt="image1.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltb9acfb908fa95a76/6874c7c987996581fcf1f9eb/image1.png" data-sys-asset-uid="bltb9acfb908fa95a76" data-sys-asset-filename="image1.png" data-sys-asset-contenttype="image/png" data-sys-asset-caption="The new AI Suggested Disposition field shows the alert classification, along with detailed information to assist the SOC analyst." data-sys-asset-alt="image1.png" data-sys-asset-position="none" sys-style-type="display"/><figcaption style="text-align:center">The new AI Suggested Disposition field shows the alert classification, along with detailed information to assist the SOC analyst.</figcaption></div></figure><p>Without access to the Rapid7 AI Alert Triage capability, SOC teams can waste significant time manually evaluating and correctly classifying malicious alerts, increasing their threat exposure and contributing to SOC inefficiency. With AI Alert Triage, SOC analysts can automatically and accurately focus limited security resources on legitimate threats and improve SOC performance.</p><h2>Built on Decades of AI Expertise in Security</h2><p>Rapid7 is not new to infusing AI into its security applications. Rapid7 is a <a href="/blog/post/2024/06/13/rapid7-infuses-generative-ai-into-the-insightplatform-to-supercharge-secops-and-augment-mdr-services/">pioneer</a> in AI development for security use cases, starting in our earliest days with our VM Expert System in the early 2000s. Since then, Rapid7 has integrated <a href="/fundamentals/generative-ai-cybersecurity/" target="_self">Generative AI</a> into the Command Platform to supercharge SecOps and augment MDR services.</p><p>Our AI-powered platform processes more than 8 trillion alerts weekly for our MDR customer base with a 99.93% benign alert closure rate. 
This has resulted in hundreds of hours of manual effort saved for the SOC analysts.</p><h2>AI Alert Triage Improves Your SOC’s Effectiveness</h2><figure style="margin: 0"><div style="display: inline-block"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltbf1f07cbb294c4a3/6874c7f928ceaf70449ccc1a/image2.png" alt="image2.png" caption="Having thousands of daily alerts automatically and correctly classified is a huge productivity boost for overwhelmed SOC analysts." class="embedded-asset" content-type-uid="sys_assets" type="asset" asset-alt="image2.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltbf1f07cbb294c4a3/6874c7f928ceaf70449ccc1a/image2.png" data-sys-asset-uid="bltbf1f07cbb294c4a3" data-sys-asset-filename="image2.png" data-sys-asset-contenttype="image/png" data-sys-asset-caption="Having thousands of daily alerts automatically and correctly classified is a huge productivity boost for overwhelmed SOC analysts." data-sys-asset-alt="image2.png" data-sys-asset-position="none" sys-style-type="display"/><figcaption style="text-align:center">Having thousands of daily alerts automatically and correctly classified is a huge productivity boost for overwhelmed SOC analysts.</figcaption></div></figure><p>SOC analysts being overwhelmed by high volumes of daily alerts is hardly a new phenomenon. However, up until now, SOC analysts have been unable to effectively deal with this massive number of alerts, and organizations have become victims of alert fatigue. The same <a href="https://www.vectra.ai/resources/2023-state-of-threat-detection">survey</a> referenced above reports that analysts spend nearly 3 hours (2.7) each day manually triaging alerts, a figure rising to more than 4 hours a day for 27% of respondents. And, on average, security analysts are unable to deal with over two-thirds (67%) of the daily alerts they receive. 
What’s more, they say 83% of these alerts are false positives and not worth their time.</p><p>By using AI Alert Triage, Rapid7 customers can leverage decades of proven Rapid7 AI technology to quickly and accurately classify the deluge of alerts and not be forced into a situation where they intentionally ignore alerts. Key capabilities include:</p><ul><li><strong>Rapid identification and prioritization of genuine threats:</strong> AI Alert Triage helps customers quickly distinguish true positives from noise, enabling security teams to prioritize investigations based on validated, high-confidence alerts.</li><li><strong>Enhanced Threat Detection Speed and Accuracy:</strong> Leveraging MDR-validated AI ensures alerts reflect real threats, helping SOC teams respond swiftly and confidently to advanced threats and subtle attack indicators.</li><li><strong>Human oversight of automatic classification: </strong>AI Alert Triage has attained a 99.93% benign alert closure rate with more than 8 trillion weekly alerts; every alert is documented, with full transparency and opportunity for human intervention.</li><li><strong>Reduced Alert Fatigue and False Positives: </strong>With AI Alert Triage validated by MDR analysts, customers experience dramatically reduced false positives, significantly cutting down time wasted on non-critical alerts.</li><li><strong>Streamlined Workflows and Focus:</strong> AI Alert Triage automates repetitive tasks to streamline initial analysis, enabling security teams to jumpstart investigations and dedicate more time and resources to critical initiatives.</li></ul><h2>Transform Your SOC Performance Through Proven AI Assistance</h2><p>Unmatched 99.93% benign alert accuracy and speed in Rapid7’s AI models drive trust and confidence in automatic decision-making and reduce alert fatigue for SOC analysts, improving SOC performance and speed. 
At Rapid7, we are pioneering the infusion of <a href="/fundamentals/artificial-intelligence/" target="_self">artificial intelligence</a> into the <a href="/platform/" target="_self">Command Platform</a>, empowering SOCs around the globe and dramatically transforming their effectiveness through GenAI.</p><p>To learn more about AI Alert Triage, contact your account team or your Customer Success Advisor.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2025/04/29/insightidr-ai-alert-triage-automatically-classifies-alerts-with-99-93-accuracy</link>
      <guid isPermaLink="false">blt0d6d4c3616f5838e</guid>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Chris Wraight]]></dc:creator>
      <pubDate>Tue, 29 Apr 2025 14:40:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt313358125bafc1d2/683de1783d7b5e8f0f136669/gettyimages-2158068190.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[New IDR Log Search Enhancements: Accelerate, Streamline, and Simplify Investigations]]></title>
      <description><![CDATA[<h3>Co-authored by Ed Montgomery & René Fusco, Rapid7</h3><p>In today’s cybersecurity landscape, organizations need robust detection and response solutions to stay ahead of evolving threats. Rapid7’s InsightIDR, the foundation of our <a href="/services/managed-detection-and-response-mdr/">Managed Detection and Response (MDR) service</a>, empowers security teams with advanced analytics, automation, and expert-led investigations. Whether used as a standalone SIEM and XDR platform or in combination with MDR, InsightIDR’s latest Log Search enhancements bring even more value across the board. These updates accelerate response times, simplify complex queries, and improve the investigation process for both our MDR clients and product-only customers.</p><p>These updates, including Simplified Query Building, Pre-Computed Queries, and Bloom Filters, enhance the speed, accuracy, and accessibility of log search for security teams, ensuring faster, more targeted threat investigations for organizations.</p><p>Let’s explore how these updates elevate the detection and response lifecycle.</p><h2>Simplified Query Building: Empowering Analysts to Act Faster</h2><p>A key element of any detection and response solution is the ability to quickly turn data into actionable insights. Simplified Query Building enables analysts to construct and refine log searches faster, without complex syntax or technical details. This user-friendly interface enables any InsightIDR user, regardless of technical expertise, to create advanced queries through point-and-click prompts, accessing critical data quickly to streamline investigations.</p><p>By lowering the barrier to creating queries, Simplified Query Building provides organizations with timely, data-backed insights into incidents, reducing investigation time for both Rapid7’s MDR team and InsightIDR customers. 
This update ensures that every security team member, regardless of tenure, can access and leverage the power of InsightIDR’s log data without becoming bogged down by technical complexities.</p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt611ebcfe1acd2f57/683dde652cfe325157dc159e/Screenshot-2024-11-14-at-3.24.12-PM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-11-14-at-3.24.12-PM.png" asset-alt="Screenshot-2024-11-14-at-3.24.12-PM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt611ebcfe1acd2f57/683dde652cfe325157dc159e/Screenshot-2024-11-14-at-3.24.12-PM.png" data-sys-asset-uid="blt611ebcfe1acd2f57" data-sys-asset-filename="Screenshot-2024-11-14-at-3.24.12-PM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-11-14-at-3.24.12-PM.png" sys-style-type="display"/></figure><h2>Pre-Computed Queries: Reducing Time-to-Response for All Investigations</h2><p>Time is critical when it comes to threat response. With Pre-Computed Queries (PCQs), both MDR and product-only customers benefit from reduced log search times. PCQs enable predictably fast, near-instant access to insights by pre-calculating query results in real-time as data arrives, enhancing responsiveness for all InsightIDR users.</p><p><strong>Customer Feedback</strong></p><blockquote><em>"As an MSSP, InsightIDR's ability to handle large amounts of data is key for identifying threats in our client environments. Pre-Computed Queries have reduced return times for complex searches by over 70%, allowing us to create more impactful insights for our clients."</em></blockquote><blockquote>— Mat Cornish, Technical Director, Longwall Security</blockquote><p>While InsightIDR already supports saving queries for reuse, PCQs take it further by pre-computing results, helping analysts to instantly identify patterns or gather evidence. 
Additionally, the Log Search home tab organizes queries by “Recent,” “Saved,” and “Pre-computed,” enabling users to quickly find what they need for streamlined incident handling. Whether you’re a customer conducting an in-house investigation or part of Rapid7’s MDR team, PCQs ensure faster insights and more efficient incident response.</p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6e1f8e45439f3604/683dde8d65b8ea5eb2cc8bdb/Screenshot-2024-11-14-at-3.27.27-PM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-11-14-at-3.27.27-PM.png" asset-alt="Screenshot-2024-11-14-at-3.27.27-PM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt6e1f8e45439f3604/683dde8d65b8ea5eb2cc8bdb/Screenshot-2024-11-14-at-3.27.27-PM.png" data-sys-asset-uid="blt6e1f8e45439f3604" data-sys-asset-filename="Screenshot-2024-11-14-at-3.27.27-PM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-11-14-at-3.27.27-PM.png" sys-style-type="display"/></figure><h2>Bloom Filters: Accelerating Key Value Pair Searches for Precise Threat Hunts</h2><p>Not all queries can be pre-calculated in advance. Security teams are frequently asked questions about potential exposure to specific <a href="/fundamentals/indicators-of-compromise-iocs/">indicators of compromise (IoCs)</a>, such as flagged IP addresses or hash values. With Bloom Filters, both MDR and product-only customers gain a performance boost in search time for precise threat hunts by reducing unnecessary data processing.</p><p>For exact match searches, like identifying a compromised IP address or hunting for a suspicious hash value <em>where(hash.sha="...")</em>, Bloom Filters optimize search time by ruling out irrelevant data - enabling the algorithm to skip logs that would not have matches. 
This enhancement is implemented on the backend and occurs automatically for any search that contains an exact match key-value pair. Reducing the search space means accelerating analysts’ ability to hone in on the exact information they need, cutting down investigation time dramatically.</p><p>A recent research effort into InsightIDR’s new indexing approach, which leverages Bloom Filters, showed impressive results with:</p><ul><li>Improved Efficiency: Approximately 40-60% of all searches have experienced noticeable speed improvements since deployment.</li><li>Increased Precision: The new index has enabled applicable queries to skip irrelevant data three to four times more effectively, leading to shorter search durations for even more efficient investigations.</li></ul><h2>Bringing It All Together: Faster, More Effective Detection and Response</h2><p>Whether you’re a Rapid7 MDR customer or an InsightIDR product-only user, these Log Search updates significantly enhance detection and response capabilities. By reducing search times, simplifying complex queries, and pinpointing threats with greater accuracy, we provide every InsightIDR user with faster, more effective security outcomes.</p><p>This means:</p><ul><li>Faster Detection: Pre-Computed Queries and Bloom Filters accelerate search processes, enabling quicker response to incidents across both MDR and product-only use cases.</li><li>Improved Visibility: Simplified Query Building ensures analysts can quickly refine searches and access the data needed for comprehensive investigations.</li><li>Targeted Threat Hunts: Optimized key-value pair searches focus on the most relevant data, delivering quicker results for security teams.</li></ul><p>Want to see these improvements in action? <a href="/contact/">Contact us </a>today to learn how Rapid7’s MDR service can protect your organization. You can also <a href="/products/insightidr/try/">try InsightIDR for free</a> with a 30-day trial.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2024/11/15/new-idr-log-search-enhancements-accelerate-streamline-and-simplify-investigations</link>
      <guid isPermaLink="false">blt04c62e89ea861e44</guid>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[SIEM]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Fri, 15 Nov 2024 14:30:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt385c4f4058f069b7/683ddec8bc38b1d7de477c59/GettyImages-1479352738.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What’s New in Rapid7 Products & Services: Q3 2024 in Review]]></title>
      <description><![CDATA[<p>This was one of the most exciting quarters at Rapid7 as we announced the next chapter in our mission to give customers command of their attack surface: the <a href="/platform/">Rapid7 Command Platform</a>, our unified threat exposure and detection and response platform. With this, we introduced two exciting new products:</p><ul><li><strong>Surface Command</strong>: Unifies asset inventory and attack surface management</li><li><strong>Exposure Command</strong>: Brings together the comprehensive visibility of Surface Command with hybrid vulnerability management for true end-to-end risk management</li></ul><p>While building on our legacy as a pioneer in vulnerability management, we’ve also made expansions on the detection and response side of the house – expanding our Managed Detection and Response capabilities with the release of MDR for the Extended Ecosystem. Read on for more details on these exciting launches across Rapid7 products and services.</p><h2>Achieve complete attack surface visibility and proactively eliminate exposures from endpoint to cloud</h2><p>As digital infrastructure continues to evolve from traditional on-prem models to hybrid, distributed teams and systems, one thing remains the same – the attack surface continues to grow, creating more risk and a wider visibility gap. 
</p><p>With the August launches of both Surface Command and Exposure Command, Rapid7 is closing the visibility gap and providing your team with the tools to visualize, prioritize, and remediate risk from endpoint to cloud.</p><h3>Surface Command: Comprehensive visibility you can trust</h3><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8ba80dc0a7a99ca9/683de230e3c8aa2e06830e09/Screenshot-2024-09-30-at-10.52.28-AM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-09-30-at-10.52.28-AM.png" asset-alt="Screenshot-2024-09-30-at-10.52.28-AM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8ba80dc0a7a99ca9/683de230e3c8aa2e06830e09/Screenshot-2024-09-30-at-10.52.28-AM.png" data-sys-asset-uid="blt8ba80dc0a7a99ca9" data-sys-asset-filename="Screenshot-2024-09-30-at-10.52.28-AM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-09-30-at-10.52.28-AM.png" sys-style-type="display"/></figure><p><strong>Surface Command </strong>provides the foundational attack surface visibility that underpins the Command Platform by breaking down security data silos and combining comprehensive external attack surface monitoring with internal asset visibility across hybrid environments. The result? A dynamic 360-degree view of your entire attack surface in one place. 
With this view, you can:<br/></p><ul><li><strong>Visualize</strong> <strong>your entire digital estate</strong> from endpoint to cloud</li><li><strong>Prioritize and mitigate exposures and potential threats </strong>with a risk-aware and adversary-driven view of your entire attack surface</li><li><strong>Identify and address </strong><strong>misconfigurations, shadow IT, and compliance issues</strong></li></ul><p><a href="/products/command/attack-surface-management-asm/">Learn more</a> about Surface Command.</p><h3>Exposure Command: Pinpoint and extinguish critical risks from endpoint to cloud</h3><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltca1fb88ba8e0a9fa/683de25630073e3c99eb18e6/Screenshot-2024-09-30-at-10.55.31-AM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-09-30-at-10.55.31-AM.png" asset-alt="Screenshot-2024-09-30-at-10.55.31-AM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltca1fb88ba8e0a9fa/683de25630073e3c99eb18e6/Screenshot-2024-09-30-at-10.55.31-AM.png" data-sys-asset-uid="bltca1fb88ba8e0a9fa" data-sys-asset-filename="Screenshot-2024-09-30-at-10.55.31-AM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-09-30-at-10.55.31-AM.png" sys-style-type="display"/></figure><p><strong>Exposure Command </strong>extends the power of Surface Command by combining complete attack surface visibility with high-fidelity risk context and insight into your organization’s security posture. 
Exposure Command aggregates findings from both Rapid7’s native exposure detection capabilities as well as third-party exposure and enrichment sources you’ve already got in place, so you are able to:<br/></p><ul><li><strong>Extend risk coverage to cloud environments </strong>with real-time agentless assessment</li><li><strong>Zero-in on exposures and vulnerabilities </strong>with the threat-aware risk context</li><li><strong>Continuously assess your attack surface, </strong><strong>validate exposures, and receive actionable remediation guidance</strong></li><li><strong>Efficiently operationalize your exposure management program </strong><strong>and automate enforcement of security and compliance policies with native, no-code automation</strong></li></ul><p><a href="/products/command/exposure-management/">Learn more</a> about Exposure Command.</p><h3>Continuous red teaming at your (managed) service with Vector Command</h3><p>Attackers are relentlessly looking for weak spots and new access points into your organization – you should be too. 
Leverage Vector Command – our latest continuous red teaming service – to proactively test your external attack surface with ongoing red team exercises and expert guidance from Rapid7’s team of managed services experts.</p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt585363ae8ffbce79/683de27caaf620dd3a79df23/Screenshot-2024-09-30-at-10.56.29-AM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-09-30-at-10.56.29-AM.png" asset-alt="Screenshot-2024-09-30-at-10.56.29-AM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt585363ae8ffbce79/683de27caaf620dd3a79df23/Screenshot-2024-09-30-at-10.56.29-AM.png" data-sys-asset-uid="blt585363ae8ffbce79" data-sys-asset-filename="Screenshot-2024-09-30-at-10.56.29-AM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-09-30-at-10.56.29-AM.png" sys-style-type="display"/></figure><p>With Vector Command, your team will experience:</p><ul><li><strong>Increased visibility of the external attack surface</strong> with persistent, proactive reconnaissance of both known and unknown internet-facing assets</li><li><strong>Improved prioritization </strong>with ongoing, expert-led red team operations to continuously validate your most critical external exposures</li><li><strong>Same-day reporting of successful exploits with expert-vetted attack paths</strong> for multi-vector attack chains and a curated list of “attractive assets” that are likely to be exploited</li><li><strong>Monthly expert consultation</strong> to confidently drive remediation efforts and resiliency planning</li></ul><p><a href="/services/continuous-red-team-service/">Learn more</a> about Vector Command.</p><h3>Improved scale, reliability and contextualized reporting for cloud and on-prem vulnerability management</h3><p>The increased scale, rate of change, and complexity associated with cloud 
and on-prem environments make managing vulnerabilities a challenge. This quarter we continued to advance our agentless vulnerability assessment capabilities to drive improved scalability and extended reporting to allow teams to quickly identify, prioritize, and remediate vulnerabilities at scale. This includes:</p><ul><li><strong>In-cloud assessment for Azure hosts</strong> drives improved cost efficiency for running vulnerability assessments at scale across all cloud hosts running on Microsoft Azure.</li><li><strong>Unified cloud vulnerability reporting</strong> combines context and insights across discovered CVEs, software and resources with proof data included by default to enable more effective and accelerated vulnerability remediation.</li><li><strong>Increased granularity for cloud vulnerability first found dates</strong> enables teams to quickly understand where an organization is exposed to a given CVE, both at an organizational level across their environment globally and on a per-resource basis.</li><li><strong>Accurately report on MTTR with first found date enhancement for on-prem vulnerabilities</strong> with the addition of “First Found” and “Reintroduced” columns, providing deeper visibility into when a vulnerability was first discovered and if it was later reintroduced after patching.</li></ul><h3>Comprehensive content coverage for policies and critical systems</h3><p>We strive to provide you with fast and broad coverage for critical policies and systems so you can accurately assess the environment for vulnerability and compliance risks. 
This past quarter we added a number of new policy coverages and enhancements to InsightVM and Nexpose, including:</p><ul><li><strong>Arista EOS coverage:</strong> Arista is a popular alternative to Cisco, and this expansion provides you with broader coverage of your boundary devices and better insights into critical assets.</li><li><strong>Released policy coverage</strong> for DISA STIG Windows Server 2016 and Windows Server 2019; DISA STIG for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9; and CIS Benchmark for Fortinet Fortigate to ensure continued compliance.</li><li><strong>Enhanced existing coverages for critical systems </strong>like Alpine Linux, Oracle Linux, Windows Server 2022, and Debian Linux.</li></ul><h2>Pinpoint critical signals and act confidently against threats with cloud-ready detection and response</h2><h3>Introducing MDR for the Extended Ecosystem</h3><p>In an ever-expanding cybersecurity landscape, organizations are under more pressure than ever to keep pace with the widening attack surface. That’s why we’re so excited to bring extended support and coverage capabilities to our MDR customers with the launch of Rapid7 MDR for the Extended Ecosystem. With this addition, we’re extending our service to include triage, investigation, and response to alerts from third-party tools already in use within customer organizations.</p><p>This initial release will bring support for major EPPs such as Microsoft Defender for Endpoint, CrowdStrike Falcon, and SentinelOne, with plans to extend coverage to more third-party tools across cloud, identity, and network in the coming months. 
</p><p>Read this <a href="/blog/post/2024/09/23/expanding-the-security-horizon-introducing-rapid7-mdr-for-the-extended-ecosystem/">recent blog entry</a> to learn how this extension of MDR sets Rapid7 apart and brings your team coverage, protection, and peace of mind.</p><h3>Rapid7 named a Leader in IDC MarketScape: Worldwide SIEM for SMB and Enterprise</h3><p>We’re excited to share we’ve been recognized as a Leader in the IDC MarketScape: Worldwide SIEM for SMB 2024 Vendor Assessment (doc #US52038824, September 2024) and the IDC MarketScape: Worldwide SIEM for Enterprise 2024 Vendor Assessment (doc #US51541324, September 2024). We’re proud that IDC highlights InsightIDR’s superior threat detection content, ease of implementation, and tangible ROI – all areas where we continually invest to provide users with a streamlined, complexity-free experience.</p><p>To our customers: Thank you. Your partnership, feedback, and trust fuel our dedication to delivering the detection and response functionalities you need to take command of your attack surface and keep your organization safe. Read more about the reports <a href="/blog/post/2024/09/10/rapid7-named-a-leader-in-idc-marketscape-worldwide-siem-for-smb/">here</a>.</p><h3>Intuitive log search enhancements to empower practitioners of all levels</h3><p>Collecting, analyzing, and correlating logs from various sources is table stakes in identifying potential threats, detecting malicious behaviors, and responding to incidents effectively. 
Within InsightIDR we continue to enhance our Log Search functionality to empower you to go beyond simply correlating logs so you can feel confident securing your organization and enhancing your security posture.</p><p>The reformatted Log Search not only optimizes the view and streamlines accessibility but also reduces friction with notable enhancements:</p><ul><li><strong>Pre-computed queries</strong> auto-run in less than half a second and can be leveraged from our OOTB library of queries or built custom using “groupby” or “calculate” commands.</li><li><strong>Automatic key suggestions</strong> are provided to analysts during query building based on the log selection to ensure faster time to investigate (as opposed to recalling and populating each key individually).</li><li>Using the <strong>select clause</strong>, you can leverage new key suggestions to choose those to include in your search results. You can also customize their names and order.</li></ul><h2>The latest research and intelligence from Rapid7 Labs</h2><h3>Ransomware Radar Report: Findings and insights into the booming ransomware space</h3><p>According to the Rapid7 Labs Ransomware Radar Report, ransomware continues to evolve at a rapid pace. With the first half of 2024 seeing a +67% increase in the average number of ransomware groups actively posting to leak sites each month, it doesn’t appear that things are slowing down.<br/><a href="/research/report/ransomware-radar-report/">The report</a> offers analysis and insights to help security practitioners understand and anticipate the latest developments around ransomware attacks. 
This research is based on data from Rapid7’s Incident Response and Rapid7 Labs teams as well as thousands of publicly reported ransomware incidents observed from January of 2023 through June of 2024.</p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt582cd18dcdd5fe86/683de29f4b2b7f5178e161ee/Screenshot-2024-09-30-at-11.50.34-AM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-09-30-at-11.50.34-AM.png" asset-alt="Screenshot-2024-09-30-at-11.50.34-AM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt582cd18dcdd5fe86/683de29f4b2b7f5178e161ee/Screenshot-2024-09-30-at-11.50.34-AM.png" data-sys-asset-uid="blt582cd18dcdd5fe86" data-sys-asset-filename="Screenshot-2024-09-30-at-11.50.34-AM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-09-30-at-11.50.34-AM.png" sys-style-type="display"/></figure><p>Read the <a href="/research/report/ransomware-radar-report/">Ransomware Radar Report</a> now to learn the key takeaways for keeping your organization safe from ransomware.</p><h2>Emergent Threat Response: Real-time guidance for critical threats</h2><p>Rapid7’s Emergent Threat Response (ETR) program from <a href="/research/">Rapid7 Labs</a> delivers fast, expert analysis and first-rate security content for the highest-priority security threats to help both Rapid7 customers and the greater security community understand their exposure and act quickly to defend their networks against rising threats.</p><p>In Q3, Rapid7’s Emergent Threat Response team provided expert analysis, InsightIDR and InsightVM content, and mitigation guidance for multiple critical, actively exploited vulnerabilities and widespread attacks:</p><ul><li>July 29: <a href="/blog/post/2024/07/30/vmware-esxi-cve-2024-37085-targeted-in-ransomware-campaigns/">VMware ESXi CVE-2024-37085 Targeted in Ransomware 
Campaigns</a></li><li>September 5: Rapid7 discovered and worked with the vendor to disclose <a href="/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-unauthenticated-remote-code-execution-fixed/">CVE-2024-45195, a remote code execution vulnerability in Apache OFBiz</a></li><li>September 9:<ul><li><a href="/blog/post/2024/09/09/etr-multiple-vulnerabilities-in-veeam-backup-and-replication/">Multiple Vulnerabilities in Veeam Backup & Replication</a></li><li><a href="/blog/post/2024/09/09/etr-cve-2024-40766-critical-improper-access-control-vulnerability-affecting-sonicwall-devices/">CVE-2024-40766: Critical Improper Access Control Vulnerability Affecting SonicWall Devices</a></li></ul></li><li>September 19: <a href="/blog/post/2024/09/19/etr-high-risk-vulnerabilities-in-common-enterprise-technologies/">High-risk vulnerabilities in common enterprise technologies</a>, including Adobe ColdFusion CVE-2024-41874, Broadcom VMware vCenter Server CVEs (CVE-2024-38812, CVE-2024-38813), and Ivanti Endpoint Manager CVE-2024-29847</li><li>September 26: <a href="/blog/post/2024/09/26/etr-multiple-vulnerabilities-in-common-unix-printing-system-cups/">Multiple Vulnerabilities in Common Unix Printing System (CUPS)</a></li></ul><p>Follow along <a href="/blog/tag/emergent-threat-response/" target="_self">here</a> to receive the latest emergent threat guidance from our team.</p><h2>Stay tuned for more!</h2><p>As always, we’re continuing to work on exciting product enhancements and releases throughout the year. 
Keep an eye on our <a href="/blog/">blog</a> and <a href="https://help.rapid7.com/insightidr/release-notes/">release notes</a> as we continue to highlight the latest in product and service investments at Rapid7.</p><div><h4><a href="/products/command/attack-surface-management-asm/trial/" target="_self"><strong>Try Rapid7's Surface Command  </strong></a> ▶︎</h4><p>Access this hands-on, read-only experience of Surface Command to see how your team can accelerate high-risk asset identification, prioritization, and remediation.</p></div>]]></description>
      <link>https://www.rapid7.com/blog/post/2024/10/01/whats-new-in-rapid7-products-services-q3-2024-in-review</link>
      <guid isPermaLink="false">blt7ec536e0edd95253</guid>
      <category><![CDATA[Product Updates]]></category>
      <category><![CDATA[Exposure Command]]></category>
      <category><![CDATA[Surface Command]]></category>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Margaret Wei]]></dc:creator>
      <pubDate>Tue, 01 Oct 2024 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt36df9134a8a745c1/683de2cada5c30c5c7a83566/GettyImages-1805661754.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 Named a Leader in IDC MarketScape: Worldwide SIEM for SMB and Enterprise]]></title>
      <description><![CDATA[<p>Rapid7 is excited to share we have been recognized as a Leader in the <a href="/info/idc-marketscape-worldwide-siem-smb-2024-vendor-leader/">IDC MarketScape: Worldwide SIEM </a>for SMB 2024 Vendor Assessment (doc #US52038824, September 2024) and the IDC MarketScape: Worldwide SIEM for Enterprise 2024 Vendor Assessment (doc #US51541324, September 2024). We want to thank our customers for their partnership, feedback, and trust, all of which continue to guide how we build and innovate toward our mission to deliver command of the attack surface and keep security teams ready for whatever comes next.</p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltf40357adb94e43a4/683de9be5619a13720c6ed08/Screenshot-2024-09-18-at-9.05.17-AM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-09-18-at-9.05.17-AM.png" asset-alt="Screenshot-2024-09-18-at-9.05.17-AM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltf40357adb94e43a4/683de9be5619a13720c6ed08/Screenshot-2024-09-18-at-9.05.17-AM.png" data-sys-asset-uid="bltf40357adb94e43a4" data-sys-asset-filename="Screenshot-2024-09-18-at-9.05.17-AM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-09-18-at-9.05.17-AM.png" sys-style-type="display"/></figure><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte7596a55006b08f5/683de9d465b8ea7042cc8f7b/Screenshot-2024-09-10-at-8.38.50-AM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-09-10-at-8.38.50-AM.png" asset-alt="Screenshot-2024-09-10-at-8.38.50-AM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte7596a55006b08f5/683de9d465b8ea7042cc8f7b/Screenshot-2024-09-10-at-8.38.50-AM.png" data-sys-asset-uid="blte7596a55006b08f5" 
data-sys-asset-filename="Screenshot-2024-09-10-at-8.38.50-AM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-09-10-at-8.38.50-AM.png" sys-style-type="display"/></figure><h2>What sets InsightIDR apart from other SIEMs</h2><p>When we entered this space almost nine years ago, we were driven by customers who were bogged down by the complexity and ineffectiveness of traditional SIEMs. Unfortunately, challenging deployments, constant tuning, unmanageable alerts, and inflated total cost of ownership continue to plague many SIEM users today, making it hard to get full value from these products and undermining team effectiveness.</p><p>InsightIDR is different.</p><p><strong>1. Intuitive deployment and UI to maximize efficiency</strong></p><p>A strong SIEM product can be the nucleus of the SOC - helping to harmonize otherwise disparate data into a clear picture of the attack surface and relevant insights. Unfortunately, many SIEMs are off track from the start due to: <br/></p><ul><li>Complex deployments</li><li>High operational overhead</li><li>Tedious configuration work that consumes team resources <br/></li></ul><p>InsightIDR’s cloud-native, SaaS delivery makes it fast and easy to get started without the burdens of heavy infrastructure management, while ensuring you have the scale to grow with your business when you need it. 
Easily identify the priority data to ingest and quickly start collecting the right information with:<br/></p><ul><li>Intuitive onboarding wizards</li><li>Flexibility to leverage our native data collection (endpoint agent, network sensor, collectors)</li><li>Ability to connect your extended security ecosystem with vast integrations</li><li>Auto-enrichment of logs with user and asset details via our attribution engine</li><li>Custom log parsers</li><li>In-product guidance <br/></li></ul><p>With 13 months of readily searchable data and flexible search modes that can accommodate your most experienced to your most junior analysts, InsightIDR puts your data to work for you - not the other way around.</p><p><br/><strong>2. Optimized for modern threat detection</strong></p><p>While collecting the right telemetry is a critical piece of unifying the attack surface, too many SIEMs are overly indexed on log aggregation. Lost in logs and making sense of data, teams can lose sight of the thing that matters most: staying ahead of an attack.</p><p>InsightIDR has taken a detections-first approach to SIEM and is proud to deliver a robust library of out-of-the-box detections that customers can trust and use as a starting line to augment their own threat intelligence and detections engineering programs. With coverage across all phases of the MITRE ATT&CK framework, this is the same detections library used in the field by our own Rapid7 MDR SOC experts - ensuring strong signal-to-noise detections and constant curation to keep teams ahead of emergent threats. </p><p>This library marries both AI-charged user and attacker behavioral detections alongside known IOC coverage to ensure you are ready for both evasive, headline-making unknown threats as well as recognized adversary TTPs. 
Detections are comprehensive across the modern attack surface - from endpoint-to-cloud - and can easily be customized or added onto so customers can feel confident they are covered no matter where threats begin.</p><p><strong>3. Ready to respond across the attack surface</strong></p><p>With a rapidly expanding attack surface, all teams are challenged to ensure they know how to investigate and respond effectively to alerts. It’s harder than ever to understand lateral movement and the full blast radius, so it’s critical to ensure analysts have enough context to take action - and the right playbooks and tools in place to execute when they’re ready to do so. </p><p>InsightIDR is built around making sure analyst teams are ready to respond effectively to threats every time. Highly correlated investigation timelines unify related alerts and events across the security ecosystem to give a cohesive view of an attack and all relevant evidence in one place. </p><p>Integrated access to the Velociraptor DFIR framework enables teams to quickly query fleets of endpoints to assess and understand the blast radius of an attack. And when it’s time to take action, alerts are paired with descriptive guidance and recommendations vetted by our own SOC experts. Fully embedded SOAR capabilities and pre-built playbooks accelerate readiness and time-to-respond. We understand the friction and toll that noisy alerts and complex investigations can take on SOC teams; InsightIDR reduces this burnout and the likelihood of analyst churn by decreasing cycles and friction across investigation workflows - creating happier and more effective teams.</p><p><strong>4. Tangible return on investment</strong></p><p>Many SIEMs are notorious for high and unpredictable costs and resource consumption - with few results to show for it. 
Traditional ingestion-based models have always been a challenge for security teams - and it’s getting even more difficult as the attack surface becomes increasingly dynamic. </p><p>InsightIDR is available in a number of flexible packages designed around real customer needs and security journeys. Our Threat Complete product marries InsightIDR with our leading vulnerability management to deliver proactive, threat-informed risk management to further reduce noise and strengthen security posture. </p><p>Predictable, asset-based pricing across our packages means no surprise charges to explain to your C-Suite or Board. And executive dashboards help you share insights and demonstrate to the wider organization how you are advancing your threat detection and incident response program.</p><h2>We are proud to be a Leader</h2><p>Thank you to the IDC MarketScape for this recognition. We are proud to be named a Leader in both reports, but we are always most proud of the thousands of customers and partners across the globe who trust Rapid7 at the center of their security program. To learn more, <a href="/info/idc-marketscape-worldwide-siem-smb-2024-vendor-leader/">access a complimentary excerpt of the IDC MarketScape</a> for SMB and Enterprise<strong> </strong>or start exploring <a href="/products/insightidr/">InsightIDR</a>.<br/></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2024/09/10/rapid7-named-a-leader-in-idc-marketscape-worldwide-siem-for-smb</link>
      <guid isPermaLink="false">blt6a03dc096d4cfdb9</guid>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[SIEM]]></category><dc:creator><![CDATA[Meaghan Buchanan]]></dc:creator>
      <pubDate>Tue, 10 Sep 2024 13:01:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7a8fde0ee3aabc28/67efc952fcc9c25db24b371a/infographic-news-idc-2024-recognition.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What’s New in Rapid7 Products & Services: Q2 2024 in Review]]></title>
      <description><![CDATA[<p>This quarter we continued to make investments that provide security professionals with a holistic, actionable view of their entire attack surface. In Q2, we focused on enhancing visualization, prioritization, and integration capabilities across our key products and services. Below we’ve highlighted key releases and updates from the quarter across Rapid7 products and services—including InsightCloudSec, InsightVM, InsightIDR, Managed Detection and Response, and Rapid7 Labs.</p><h2>Rapid7 acquires Noetic to deliver comprehensive visibility and command of your attack surface</h2><p>Rapid7 has acquired Noetic, a leading provider of continuous cyber asset inventory, visibility, and management. This acquisition further enhances our ability to provide customers with the necessary control to monitor and manage exposures across their entire attack surface - from endpoint to cloud - with confidence. <a href="/products/command/request-demo/">Visit our announcement overview page</a> to learn more and stay tuned for additional details coming this summer.</p><h2>Anticipate imminent threats from endpoint to cloud</h2><h3>Uncover multiple paths to risky compromised resources across cloud environments</h3><p>We continue to enhance <a href="https://docs.rapid7.com/insightcloudsec/attack-paths/">Attack Path Analysis</a> in InsightCloudSec, most recently adding a new visualization that shows all of the various paths to a potentially compromised resource, providing a better understanding of the potential blast radius of an attack. 
We’ve also added the ability to export Attack Path graphs as a PDF, JPG, PNG, or SVG for easy sharing with additional stakeholders.</p><h3>Automatically prioritize the most at-risk resources based on Layered Context</h3><p>Layered Context provides insight into the riskiest resources running across cloud environments by taking into account a variety of risk signals from vulnerabilities to identity-related risk and public accessibility. This context makes it easier for security teams to effectively and efficiently prioritize cloud risk remediation efforts.</p><p>We recently released the following updates to Layered Context:</p><ul><li><strong>Automatic prioritization of riskiest resources</strong> by taking into account the presence of toxic combinations to assign a relative risk score to all cloud resources. </li><li>A new risk tab, located on the Resource Details panel, that <strong>details all the risks impacting a resource in one view, transparently and efficiently</strong> diagnosing what is risky and why.</li></ul><h3>Access agent-based policy assessment results with InsightVM’s Bulk Export API</h3><p>Agent-based policy assessment is used to conduct configuration assessments of IT assets against widely used industry benchmarks or custom internal policies. Now customers can use the new <a href="https://docs.rapid7.com/insightvm/bulk-export-api/">Bulk Export API</a> to export the policy assessment results data to their business intelligence tools and build custom visualizations and workflows that meet their reporting needs. 
Additionally, this API allows for efficient request and download of large data sets directly from the Insight Platform, avoiding unnecessary load on the Security Console and giving greater flexibility in handling the high volume of data that policy assessments produce.</p><h3>Insight Agent support for ARM-based Windows 11 devices in InsightVM</h3><p>Take advantage of ARM processors’ performance and low power requirements while maintaining agent-based visibility and assessment of remote assets within InsightVM. We also released enhanced vulnerability coverage for Windows 11 to provide customers with even higher quality, accurate vulnerability content.</p><h2>Pinpoint critical signals of an attack and act confidently against threats</h2><h3>Rapid7 AI Engine extended to include Generative AI, driving improved MDR efficiency</h3><p>Enhancements to the Rapid7 AI Engine have brought <a href="/blog/post/2024/06/13/rapid7-infuses-generative-ai-into-the-insightplatform-to-supercharge-secops-and-augment-mdr-services/">new Generative AI capabilities</a> to the Rapid7 SOC, improving the efficacy and efficiency of our MDR services. These new additions include:</p><ul><li>The new <strong>SOC Assistant</strong> that guides our internal SOC and MDR analysts through complex investigations and streamlines response workflows by querying sources like the Rapid7 MDR Handbook, keeping our analysts a step ahead.</li><li>The ability to <strong>automatically generate incident reports once investigations are closed out</strong>, streamlining a typically manual and time-intensive process. 
Every report that is generated by the Rapid7 AI Engine is reviewed and enhanced as needed by our SOC teams, making certain every data point is accurate and actionable.</li></ul><h3>Stop attacks before they begin with Rapid7’s patented Ransomware Prevention</h3><p>Rapid7’s patented, preemptive <a href="/solutions/ransomware-prevention/">Ransomware Prevention</a> technology focuses on disrupting the evasive behaviors that ransomware and other forms of malware leverage, preventing both known and unknown (zero-day) attacks before they start. Coexisting alongside NGAV, EDR, and EPP solutions, Ransomware Prevention:</p><ul><li><strong>Provides an</strong> <strong>additional layer of protection on the endpoint</strong> focused on mitigating the risk associated with ransomware by using proprietary Data Encryption detection and response technology. </li><li><strong>Focuses on the inner techniques </strong>that malicious and evasive attacks employ and embed in processes (instead of passively looking for patterns and analyzing processes and behaviors at runtime or post-execution), manipulating their logic so that they refrain from execution.</li></ul><h3>Monitor CrowdStrike Falcon EDR alerts within InsightIDR for streamlined alert triage</h3><p>Simplify operations and optimize resource allocation by further integrating third-party endpoint detection and response solutions with Rapid7. Managed Detection and Response customers can <a href="https://docs.rapid7.com/insightidr/crowdstrike-falcon-event-source/">integrate CrowdStrike Falcon Endpoint with InsightIDR</a> and leverage Rapid7’s highly skilled and experienced MDR SOC to help triage incoming alerts.</p><h3>A growing library of actionable detections in InsightIDR</h3><p>In Q2 2024 we added over 750 new detection rules. 
See them in-product or visit the <a href="https://docs.rapid7.com/insightidr/detection-library-overview">Detection Library</a> for descriptions and recommendations.</p><h2>The latest in cybersecurity trends and research</h2><h3>New research from Rapid7 Labs: The 2024 Attack Intelligence Report</h3><p>Since 2020, Rapid7 has tracked huge increases in zero-day exploits, ransomware attacks, mass compromise incidents, and evolutions in attacker behavior. In our <a href="/research/report/2024-attack-intelligence-report/?utm_source=marketo&amp;utm_medium=email&amp;utm_content=customer-promo-email&amp;utm_campaign=global-pla-air-report-customer-eng-cyas">2024 Attack Intelligence Report</a>, Rapid7 Labs analyzed 14 months of attacker behavior and marquee vulnerabilities and provides expert analysis and practical guidance for security professionals.</p><p>Dive into key findings—like how 36% of the widely exploited vulnerabilities Rapid7 tracked involved network edge technology—in the report <a href="/research/report/2024-attack-intelligence-report/?utm_source=marketo&amp;utm_medium=email&amp;utm_content=customer-promo-email&amp;utm_campaign=global-pla-air-report-customer-eng-cyas">here</a>.</p><h3>Take Command: Global security leaders, hands-on practitioners, and top researchers weigh in on the latest cybersecurity trends</h3><p>In May we partnered with AWS for our <a href="https://rapid7.brighttalk.com/">Take Command 2024 Cybersecurity Summit</a>, where we took a deep dive into new attack intelligence technologies like AI that are disrupting the threat landscape, macro influences on SOC teams, MDR services to build cyber resilience, and more. The sessions deliver clear guidance to zero in on threats and proactively prevent breaches—check them out on demand <a href="https://rapid7.brighttalk.com/americas/">here</a>.</p><h3>Stay tuned for more!</h3><p>As always, we’re continuing to work on exciting product enhancements and releases throughout the year. 
Keep an eye on our blog and <a href="https://help.rapid7.com/insightidr/release-notes/">release notes</a> as we continue to highlight the latest in product and service investments at Rapid7.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2024/07/11/whats-new-in-rapid7-products-services-q2-2024-in-review</link>
      <guid isPermaLink="false">blt35b3c8c5fb4c988e</guid>
      <category><![CDATA[InsightCloudSec]]></category>
      <category><![CDATA[InsightVM]]></category>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[Labs]]></category><dc:creator><![CDATA[Margaret Wei]]></dc:creator>
      <pubDate>Thu, 11 Jul 2024 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8844ca232e7caa99/683de6ab2cfe32fe35dc17ee/GettyImages-1693759239.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 completes IRAP PROTECTED assessment for Insight Platform solutions]]></title>
      <description><![CDATA[<p>Exciting news from Australia!</p><p>Rapid7 has <a href="/about/press-releases/rapid7-completes-irap-protected-assessment/">successfully completed</a> an Information Security Registered Assessors Program (IRAP) assessment to PROTECTED Level for several of our Insight Platform solutions.</p><h2>What is IRAP?</h2><p>An IRAP assessment is an independent assessment of the implementation, appropriateness, and effectiveness of a system’s security controls. Achieving IRAP PROTECTED status means Australian Government agencies requiring PROTECTED level controls can access our industry-leading, practitioner-first security solutions. Meeting this status further strengthens our position as a trusted partner for Australian government organizations seeking to enhance their cybersecurity posture.</p><p>Rapid7 is one of the only vendors to be IRAP-assessed across what we consider a consolidated cybersecurity operation. This places us in a unique position to supply services across federal, state, and local government in Australia. 
It gives our government customers confidence that we have the right governance and controls in place in our own business to deliver those services effectively, specifically covering:</p><ul><li>Vulnerability management on traditional infrastructure</li><li>Endpoints</li><li>The secure implementation of web applications</li><li>Detection and response to alerts or threats</li><li>The ability to securely automate workflows</li></ul><h2>Why is being IRAP PROTECTED important?</h2><p>Being IRAP-assessed demonstrates our commitment to providing secure and reliable information security services for Government Systems, Cloud Service Providers, Cloud Services, and Information and Communications Technology (ICT) Systems, and more widely to our Australian customers.</p><p>Importantly, it highlights how we take the <a href="/fundamentals/shared-responsibility-model/">shared responsibility model</a> extremely seriously. It also shows we’re protecting our customers’ information and data across their traditional infrastructure and in the cloud.</p><h2>Which solutions are approved?</h2><p>Solutions assessed and approved for PROTECTED Level include InsightIDR (detection and response), InsightVM (vulnerability management), InsightAppSec (application security), and InsightConnect (orchestration and automation). These solutions provide a comprehensive security platform to help government agencies tackle the challenges of today's evolving cybersecurity landscape.</p><p>The successful completion of the IRAP assessment at the PROTECTED level demonstrates our commitment to supporting Australian government customers. 
It means they have access to a comprehensive security platform necessary to tackle the ever-evolving challenges of today's cybersecurity landscape.</p><p>As more government agencies migrate to hybrid cloud environments, we can help them better manage the growing complexity of identifying and securing the <a href="/fundamentals/attack-surface/">attack surface</a>.</p><p>As attackers become increasingly sophisticated, better armed, and faster, the IRAP assessment is yet another string in our cybersecurity bow, showcasing our potential to support Australian Government agencies and more widely, our customers.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2024/07/08/rapid7-completes-irap-protected-assessment-for-insight-platform-solutions</link>
      <guid isPermaLink="false">blt2e2a38527786eb8a</guid>
      <category><![CDATA[Government]]></category>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[InsightAppSec]]></category>
      <category><![CDATA[InsightVM]]></category>
      <category><![CDATA[InsightConnect]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Mon, 08 Jul 2024 20:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt1df4c8940e2baa63/683de77d3e68ee590a889bad/GettyImages-1448456737.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What’s New in Rapid7 Products & Services: Q1 2024 in Review]]></title>
<description><![CDATA[<p>We kicked off 2024 with a continued focus on bringing security professionals (which if you're reading this blog, is likely you!) the tools and functionality needed to anticipate risks, pinpoint threats, and respond faster with confidence. Below we’ve highlighted some key releases and updates from this past quarter across Rapid7 products and services—including InsightCloudSec, InsightVM, InsightIDR, Rapid7 Labs, and our managed services.</p><h2>Anticipate Imminent Threats Across Your Environment</h2><h3>Monitor, remediate, and take down threats with Managed Digital Risk Protection (DRP)</h3><p>Rapid7’s new <a href="/solutions/managed-digital-risk-protection-services/">Managed Digital Risk Protection (DRP)</a> service provides expert monitoring and remediation of external threats across the clear, deep, and dark web to prevent attacks earlier.</p><p>Now available in our highest tier of Managed Threat Complete and as an add-on for all other Managed D&R customers, Managed DRP extends your team with Rapid7 security experts to:</p><ul><li>Identify the first signs of a cyber threat to prevent a breach</li><li>Rapidly remediate and take down threats to minimize exposure</li><li>Protect against ransomware data leakage, phishing, and credential leakage, backed by dark web monitoring</li></ul><p>Read more about the benefits of Managed DRP in our blog <a href="/blog/post/2024/02/06/four-key-benefits-of-rapid7s-new-managed-digital-risk-protection-service/">here</a>.</p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0773507ebde07cca/683deac018a553913968738a/Screenshot-2024-04-01-at-1.34.51-PM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2024-04-01-at-1.34.51-PM.png" asset-alt="Screenshot-2024-04-01-at-1.34.51-PM.png" style="width: auto" 
data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt0773507ebde07cca/683deac018a553913968738a/Screenshot-2024-04-01-at-1.34.51-PM.png" data-sys-asset-uid="blt0773507ebde07cca" data-sys-asset-filename="Screenshot-2024-04-01-at-1.34.51-PM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2024-04-01-at-1.34.51-PM.png" sys-style-type="display"/></figure><h3>Ensure safe AI development in the cloud with Rapid7 AI/ML Security Best Practices</h3><p>We’ve recently expanded InsightCloudSec’s support for GenAI development and training services (including AWS Bedrock, Azure OpenAI Service and GCP Vertex AI) to provide more coverage so teams can effectively identify, assess, and quickly act to resolve risks related to AI/ML development.</p><p>This expanded generative AI coverage enriches our proprietary compliance pack, <em>Rapid7 AI/ML Security Best Practices</em>, which continuously assesses your environment through event-driven harvesting to ensure your team is safely developing with AI in a manner that won’t leave you exposed to common risks like data leakage, model poisoning, and more.</p><p>As with all critical resources connected to your InsightCloudSec environment, these risks are enriched with <a href="https://docs.rapid7.com/insightcloudsec/layered-context/">Layered Context</a> to automatically prioritize AI/ML risk based on exploitability and potential impact. They’re also continuously monitored for effective permissions and actual usage, so that permissions can be rightsized in line with least-privilege access (LPA). 
In addition to this extensive visibility, InsightCloudSec offers native automation to alert on and even remediate risk across your environment without the need for human intervention.</p><h3>Stay ahead of emerging threats with insights and guidance from Rapid7 Labs</h3><p>In the first quarter of this year, Rapid7 initiated the Emergent Threat Response (ETR) process for 12 different threats, including (but not limited to):</p><ul><li>Zero-day exploitation of <a href="/blog/post/2024/01/11/etr-zero-day-exploitation-of-ivanti-connect-secure-and-policy-secure-gateways/">Ivanti Connect Secure and Ivanti Policy Secure</a> gateways, the former of which has historically been targeted by both financially motivated and state-sponsored threat actors in addition to low-skilled attackers.</li><li>Critical CVEs affecting outdated versions of <a href="/blog/post/2024/01/19/etr-critical-cves-in-outdated-versions-of-atlassian-confluence-and-vmware-vcenter-server/">Atlassian Confluence and VMware vCenter Server</a>, both widely deployed products in corporate environments that have been high-value targets for adversaries, including in large-scale ransomware campaigns.</li><li>High-risk authentication bypass and remote code execution vulnerabilities in <a href="/blog/post/2024/02/20/etr-high-risk-vulnerabilities-in-connectwise-screenconnect/">ConnectWise ScreenConnect</a>, widely used software with potential for large-scale ransomware attacks, with coverage provided before CVE identifiers were assigned.</li><li>Two authentication bypass vulnerabilities in the <a href="/blog/post/2024/03/04/etr-cve-2024-27198-and-cve-2024-27199-jetbrains-teamcity-multiple-authentication-bypass-vulnerabilities-fixed/">JetBrains TeamCity</a> CI/CD server that were discovered by Rapid7’s research team.</li></ul><p>Rapid7’s ETR program is a cross-team effort to deliver fast, expert analysis alongside first-rate security content for the highest-priority security threats to help you understand any potential exposure 
and act quickly to defend your network. Keep up with future ETRs on our blog <a href="/blog/tag/emergent-threat-response/">here</a>.</p><h2>Pinpoint Critical and Actionable Insights to Effectively and Confidently Respond</h2><h3>Introducing the newest tier of Managed Threat Complete</h3><p>Since we released Managed Threat Complete last year, organizations all over the globe have unified their vulnerability management programs with their threat detection and response programs. Now, teams have a unified view into the full kill chain and a tailored service to turbocharge their program, mitigate the most pressing risks and eliminate threats.</p><p>Managed Threat Complete Ultimate goes beyond our previously available Managed Threat Complete bundles to include:</p><ul><li><strong>Managed Digital Risk Protection</strong> for monitoring and remediation of threats across the clear, deep, and dark web</li><li><strong>Managed Vulnerability Management</strong> for clear guidance on remediating the highest-priority risk</li><li><strong>Velociraptor, Rapid7’s leading open-source DFIR framework,</strong> giving you access to the tool our Incident Response experts use on behalf of managed customers, from monitoring and hunting to in-depth investigations of potential threats </li><li><strong>Ransomware Prevention </strong>for recognizing threats and stopping attacks before they happen with multi-layered prevention (coming soon - stay tuned)</li></ul><h3>Get to the data you need faster with new Log Search and Investigation features in InsightIDR</h3><p>Our latest enhancements to Log Search and Investigations will help drive efficiency for your team and give you time back in your day-to-day—and when you really need it in the heat of an incident. 
Faster search times, easier-to-write queries, and intuitive recommendations will help you find event trends within your data and save you time without sacrificing results.</p><ul><li><strong>Triage investigations faster with log data readily accessible from the investigations timeline </strong>- with a click of the new “view log entry” button you’ll instantly see the context and log data behind an associated alert.</li><li><strong>Create precise queries quickly with new automatic suggestions</strong> - as you type in Log Search, the query bar will automatically suggest the elements of LEQL that you can use in your query to get to the data you need—like users, IP addresses, and processes—faster. </li><li><strong>Save time sifting through search results with new LEQL ‘select’ clause - </strong>define exactly what keys to return in the search results so you can quickly answer questions from log data and avoid superfluous information.</li></ul><h3>Easily view vital cloud alert context with Simplified Cloud Threat Alerts</h3><p>This quarter we launched Simplified Cloud Threat Alerts within InsightIDR to make it easier to quickly understand what a cloud alert - like those from AWS GuardDuty - means, which can be a daunting task for even the most experienced analysts due to the scale and complexity of cloud environments.</p><p>With this new feature, you can view details and known issues with the resources (e.g. assets, users, etc.) implicated in the alert and have clarity on the steps that should be taken to appropriately respond to the alert. 
This will help you:</p><ul><li><strong>Quickly understand what a given cloud resource is</strong>, its intended purpose, what applications it supports and who “owns” it.</li><li><strong>Get a clear picture of what an alert means</strong>, what next steps to take to verify the alert, or how to respond if the alert is in fact malicious.</li><li><strong>Prioritize response efforts</strong> based on potential impact with insight into whether or not the compromised resource is misconfigured, has active vulnerabilities, or has been recently updated in a manner that signals potential pre-attack reconnaissance.</li></ul><h3>A growing library of actionable detections in InsightIDR</h3><p>In Q1 2024 we added 1,349 new detection rules. See them in-product or visit the <a href="https://docs.rapid7.com/insightidr/detection-library-overview">Detection Library</a> for descriptions and recommendations.</p><h3>Stay tuned!</h3><p>As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and <a href="https://help.rapid7.com/insightidr/release-notes/">release notes</a> as we continue to highlight the latest in product and service investments at Rapid7.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2024/04/04/whats-new-in-rapid7-products-services-q1-2024-in-review</link>
      <guid isPermaLink="false">blt7c516f8639dff22c</guid>
      <category><![CDATA[Managed Detection and Response (MDR)]]></category>
      <category><![CDATA[InsightCloudSec]]></category>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Margaret Wei]]></dc:creator>
      <pubDate>Thu, 04 Apr 2024 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltcc56603b8687b9d7/683deac8aaf620078079e178/GettyImages-1394646005.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What’s New in Rapid7 Detection & Response: Q3 2023 in Review]]></title>
      <description><![CDATA[<p>This post takes a look at some of the investments we've made throughout Q3 2023 to our Detection and Response offerings to provide advanced DFIR capabilities with Velociraptor, more flexibility with custom detection rules, enhancements to our dashboard and log search features, and more. </p><h3>Stop attacks before they happen with Next-Gen Antivirus in Managed Threat Complete</h3><p>As endpoint attacks become more elusive and frequent, we know security teams need reliable coverage to keep their organizations safe. To provide teams with protection from both known and unknown threats, we’ve released multilayered prevention with Next-Gen Antivirus in Managed Threat Complete. Available through the Insight Agent, you’ll get immediate coverage with no additional configurations or deployments. With Managed Next-Gen Antivirus you’ll be able to:</p><ul><li>Block known and unknown threats early in the kill chain</li><li>Halt malware that’s built to bypass existing security controls</li><li>Maximize your security stack and ROI with existing Insight Agent</li><li>Leverage the expertise of our MDR team to triage and investigate these alerts</li></ul><p>To see more on our Managed Next-Gen Antivirus offering, including a demo walkthrough, visit our <a href="/info/mtc/endpoint-protection/">Endpoint Hub Page here</a>.</p><h3>Achieve faster DFIR outcomes with Velociraptor now integrated into the Insight Platform</h3><p>As security teams are facing more and more persistent threats on their endpoints, it’s crucial to have proactive security measures that can identify attacks early in the kill chain, and the ability to access detailed evidence to drive complete remediation. 
We’re excited to announce that <a href="/products/insightidr/packages/">InsightIDR Ultimate customers</a> can now recognize the value of <a href="/products/velociraptor/">Velociraptor</a>, Rapid7’s open-source DFIR framework, faster than ever with its new integration into the Insight Platform.<br/></p><p>With no additional deployment or configurations required, InsightIDR customers can deploy Velociraptor through their existing Insight Agents for daily threat monitoring and hunting, swift threat response, and expanded threat detection capabilities. <a href="/blog/post/2023/09/29/unlock-broader-detections-forensics-with-velociraptor-in-rapid7-xdr/">For more details, check out our recent blog post here</a>.</p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte881ea905b4203e7/683de636cc6042ee50206972/Screenshot-2023-11-30-at-7.22.11-PM.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2023-11-30-at-7.22.11-PM.png" asset-alt="Screenshot-2023-11-30-at-7.22.11-PM.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte881ea905b4203e7/683de636cc6042ee50206972/Screenshot-2023-11-30-at-7.22.11-PM.png" data-sys-asset-uid="blte881ea905b4203e7" data-sys-asset-filename="Screenshot-2023-11-30-at-7.22.11-PM.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2023-11-30-at-7.22.11-PM.png" sys-style-type="display"/></figure><p><em>A view of Velociraptor in InsightIDR</em></p><h3>Tailor alerts to your unique needs with Custom Detection Rules</h3><p>We know every organization has unique needs when it comes to detections and alerting on threats. While InsightIDR provides over 3,000 out-of-the-box detection rules to detect malicious behaviors, we've added additional capabilities with Custom Detection Rules to offer teams the ability to author rules tailored to their own individual needs. 
With Custom Detection Rules, you will be able to:</p><ul><li>Build upon Rapid7’s library of expertly curated detection rules by creating rules that uniquely fit your organization’s security needs</li><li>Use LEQL to write rule logic against a variety of data sources</li><li>Add grouping and threshold conditions to refine your rule logic over specific periods of time to decrease unnecessary noise</li><li>Assess a rule’s activity before it starts to trigger alerts for downstream teams</li><li>Group alerts by specific keys such as by user or by asset within investigations to reduce triage time</li><li>Create exceptions and view modification history as you would with out-of-the-box ABA detection rules</li><li><a href="https://docs.rapid7.com/insightidr/get-started-with-aba-automation">Attach InsightConnect automation workflows</a> to your custom rules to mitigate manual tasks such as containing assets and enriching data, or set up notifications when detections occur</li></ul><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9533ba08e565ab90/683de656237ea6185691c400/Screenshot-2023-11-30-at-7.24.33-PM-1.png" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="Screenshot-2023-11-30-at-7.24.33-PM-1.png" asset-alt="Screenshot-2023-11-30-at-7.24.33-PM-1.png" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt9533ba08e565ab90/683de656237ea6185691c400/Screenshot-2023-11-30-at-7.24.33-PM-1.png" data-sys-asset-uid="blt9533ba08e565ab90" data-sys-asset-filename="Screenshot-2023-11-30-at-7.24.33-PM-1.png" data-sys-asset-contenttype="image/png" data-sys-asset-alt="Screenshot-2023-11-30-at-7.24.33-PM-1.png" sys-style-type="display"/></figure><p><em>Creating a Custom Detection Rule in InsightIDR</em></p><h3>Enhanced Attacker Behavior Analytics (ABA) alert details in Investigations</h3><p>Easily view information about your ABA alerts that are a part of an 
investigation with our updated Evidence panel. With these updates, you’ll see more information on alerts, including their source event data and detection rule logic that generated them. Additionally, the Evidence button has also been renamed to Alert Details to more accurately reflect its function.</p><p>New alert details include:</p><ul><li>A brief description of the alert and a recommendation for triage</li><li>The detection rule logic that generated the alert and the corresponding key-value payload from your environment</li><li>The process tree, which displays details about the process that occurred when the alert was generated and the processes that occurred before and after <em>(only for MDR customers)</em></li></ul><iframe title="Alert Evidence Panel in InsightIDR" src="//play.vidyard.com/znvYcow6HQKKMtwjk3R9nf.html?" width="640" height="360" scrolling="no" frameborder="0" allowtransparency="true" style="width: 640; height: 360;"></iframe><h3>Dashboard Improvements: Revamped card builder and a new heat map visualization</h3><p>Our recently released <strong>revamped card builder </strong>provides more functionality to make it faster and easier to build dashboard cards. For a look at what’s new, check out the demo below.</p><iframe title="Revamped Card Builder in InsightIDR" src="//play.vidyard.com/w88ETCFsmKkoDdM34n9uVN.html?" width="640" height="360" scrolling="no" frameborder="0" allowtransparency="true" style="width: 640; height: 360;"></iframe><p>The new <strong>calendar heat map visualization </strong>allows you to more easily visualize trends in your data over time so you can quickly spot trends and anomalies. To see this new visualization in action, check out the demo below.</p><iframe title="Heat Map in InsightIDR Dashboards" src="//play.vidyard.com/28s4MvuL3umofYdSjXzcQj.html?" 
width="640" height="360" scrolling="no" frameborder="0" allowtransparency="true" style="width: 640; height: 360;"></iframe><h3>Export data locally with new Log Search option</h3><p>You now have more flexibility when it comes to exporting your log search data, making it easier to gather evidence related to incidents for additional searching or for sharing with others in your organization.</p><p>With this update you can now:</p><ul><li>Use edit key selection to define what columns to export to CSV</li><li>Export results from a groupby/calculate query to a CSV file</li></ul><iframe title="Local Data Export in InsightIDR Log Search" src="//play.vidyard.com/d2bGXPjrvMRsDwLxCC8KYZ.html?" width="640" height="360" scrolling="no" frameborder="0" allowtransparency="true" style="width: 640; height: 360;"></iframe><h3>New event sources</h3><ul><li><strong>Microsoft Internet Information Services (IIS):</strong> A web server that is used to exchange web content with internet users. <a href="https://docs.rapid7.com/insightidr/microsoft-iis/">Read the documentation</a></li><li><strong>Amazon Security Lake:</strong> A security data lake service that allows customers to aggregate & manage security-related logs. <a href="https://docs.rapid7.com/insightidr/amazon-security-lake/">Read the documentation</a></li><li><strong>Salesforce Threat Detection: </strong>Uses machine learning to detect threats within a Salesforce organization. <a href="https://docs.rapid7.com/insightidr/salesforce-threat-detection/">Read the documentation</a></li></ul><h3>A growing library of actionable detections</h3><p>In Q3 2023 we added 530 new ABA detection rules. 
See them in-product or visit the <a href="https://docs.rapid7.com/insightidr/detection-library-overview">Detection Library</a> for actionable descriptions and recommendations.</p><h3>Stay tuned!</h3><p>As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and <a href="https://help.rapid7.com/insightidr/release-notes/">release notes</a> as we continue to highlight the latest in detection and response at Rapid7.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/10/05/whats-new-in-rapid7-detection-response-q3-2023-in-review</link>
      <guid isPermaLink="false">bltc853c95024ba4c3e</guid>
      <category><![CDATA[Detection and Response]]></category>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[DFIR]]></category>
      <category><![CDATA[Velociraptor]]></category><dc:creator><![CDATA[Margaret Wei]]></dc:creator>
      <pubDate>Thu, 05 Oct 2023 15:49:48 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt373374bd38878905/683ddf3a3a1c5a5a094ba812/GettyImages-1128503636.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What’s New in Rapid7 Detection & Response: Q2 2023 in Review]]></title>
      <description><![CDATA[<p>We are excited to share another quarter of new Detection & Response capabilities and improvements. As we continue to innovate across our platform, we thank our customers for continuous insight, engagement, and direction.</p><p>Keenly focused on our mission to deliver solutions for consolidated, end-to-end security operations and a practitioner-focused experience, Rapid7 recently introduced <a href="/services/managed-detection-and-response-mdr/"><strong>Managed Threat Complete</strong></a> (MTC), which brings together our leading MDR service and industry-leading vulnerability management technology, enabling customers to level up their detection and response programs with complete coverage and a team of Rapid7 experts. </p><p>At the core of MTC is <a href="/products/insightidr/"><strong>InsightIDR</strong></a> (IDR), our cloud-native XDR technology that cuts through the noise and enables practitioners to focus on what matters most. Read on to learn about recent updates to MTC and IDR, including Log Search Open Preview, which is now the default experience for users, and support for AWS AppFabric.</p><h2>New Faster and Streamlined Log Search Experience Is Live!</h2><p>We are always striving to drive greater efficacy, productivity, and efficiency for our customers–and since querying data is such a huge part of security practitioners’ day-to-day, Log Search is always a significant area of focus. We are excited to officially introduce our new Log Search experience, which is now live and available for all InsightIDR and MDR customers.  This new experience delivers a faster and more simplified UI, while also unlocking more paths to build sophisticated queries and dashboards. Highlights include: </p><ul><li><strong>Easily Access Saved Queries</strong>: Identify, capture, edit, and share saved queries via the new Log Search interface. 
The “home page” gives you single-click access for all search-related activities.</li><li><strong>Refine Detection Rules From Search</strong>: Refine existing or create new detection rules directly from queries.</li><li><strong>Master Visualizations</strong>: Tweak and perfect visualizations before they are added to dashboards.</li></ul><iframe title="Log Search Brief Demo" src="//play.vidyard.com/9KiK513Ah8phC7YZAbAq1n.html?" width="640" height="360" scrolling="no" frameborder="0" allowtransparency="true" style="width: 640; height: 360;"></iframe><h2>Expanded Partnership with Amazon Web Services (AWS) Improves Cloud D&R Efficiency</h2><p>As part of our continued commitment to helping customers secure cloud infrastructure, InsightIDR now supports AWS AppFabric, which quickly connects SaaS applications for streamlined security management using a standard schema. By ingesting logs from AppFabric, customers have improved visibility into SaaS app activity and the ability to centralize security data within the Insight Platform—and ultimately, detect and respond to cloud threats faster. For additional information, see Rapid7’s recent <a href="/about/press-releases/rapid7-expands-relationship-with-aws-to-include-insightidr-support-for-aws-appfabric">press release</a> and <a href="/blog/post/2023/06/27/standardizing-saas-data-to-drive-greater-cloud-security-efficacy/">blog</a> post on this exciting news. </p><h2>More Flexibility for Detection Rule Exceptions</h2><p>We take pride in the fidelity of our out-of-the-box Detection Library while recognizing our customers’ need for flexibility to prioritize threats, fine-tune alerts, and manage detection exceptions for their unique environments. InsightIDR users can now use exceptions to modify and prioritize detection rules for specific users and asset levels. When creating an exception, users can convert the key-value pair into Log Entry Query Language (LEQL) for more specificity. 
The ability to write exceptions with multiple conditions in a single query saves valuable time and allows analysts to fine-tune specific detections where applicable. To learn more about leveraging LEQL for more complex tuning capability, read the <a href="https://docs.rapid7.com/insightidr/modify-detection-rules#step-4-define-exception-logic">documentation</a>.<br/></p><img src="https://lh5.googleusercontent.com/LqaQSud1sQFIuE3SFK6X-zNDhpN_0OTpS8TEkGwXEkUw2nxZaon6jacPdmGItADQISqZtsi0uWO0BcvFaOVESpiBuiC8QfKBEQLlKqkciqJvHk4AQnrJHHSuh9vZbSFZuYkD0pSOsvzpydi_w0CWZZs" width="auto" style="width: auto; height: auto;" /><h2>API Event Source for Palo Alto Cortex XDR Accelerates Triage</h2><p>A new API integration enables customers to ingest alerts from Cortex XDR into InsightIDR, providing an easy and secure way to triage PAN alerts. Users can set up a new event source to request incidents from the Incidents API within Cortex XDR and generate third-party alerts. Find configuration details <a href="https://docs.rapid7.com/insightidr/palo-alto-networks-cortex-xdr-incidents/">here</a>.</p><h2>Insight Agent Updates Improve Monitoring and Management</h2><ul><li>Users can configure how long Insight Agents are tracked to better monitor and manage the health and status of endpoint Agents. See our updated <a href="https://docs.rapid7.com/insight-agent/agent-settings/#insight-agent-retention-periods">Agent Management settings documentation</a> for configuration instructions and more details.</li><li>The Agent update limit is <a href="https://docs.rapid7.com/insight-agent/agent-settings#agent-update-throttle-controls">now dynamic based on a throttle percentage you specify</a>. This percentage is configurable in 5% increments up to 100%, which effectively turns off update throttling.</li></ul><h2>Velociraptor Version Release</h2><p>Rapid7 is excited to announce version 0.6.9 of Velociraptor–the premier open-source DFIR platform. 
Enhancements include direct SMB support, improvements to the GUI and the VQL scripting language, and the introduction of “lock down” server mode. </p><h2>MSSP Multi-Customer Investigations Support Prioritization Efficiency</h2><p>MSSPs now have access to an enhanced multi-customer investigation experience that improves the customer management workflow for analysts and increases the speed of investigations.<br/></p><img src="https://lh4.googleusercontent.com/T5OJ_25iIbV0lpShFnuqpdeRaPuWCA4wmLnpgQopM4XpKRwxmyarscNuwRIleE-xQMnSolZzmMnSVXjfpn6iHxiSwTLV3uCoemvbBqpzKoGL6XGfTeHN9pwzBDGOWKDw_X798KzF9U3JaSYlnnR60-o" width="auto" style="width: auto; height: auto;" /><p>The <a href="/partners/mssp-partner-program/">new interface</a> enables MSSP analysts to manage customers at scale. They can see a list of all of their customers in a single view, click into each individual customer to manage their investigations, and switch between managed customers without leaving InsightIDR. Learn more in the <a href="https://docs.rapid7.com/insightidr/multi-customer-investigations/">documentation</a>.<br/></p><img src="https://lh3.googleusercontent.com/Xxc0FMDqzN6KZcEt0S6Tb3xxlKS-VGwHg33dmAGWB_vYWeOOre1heQw_HSQxnea6DaTkDF7dYt5ct7Sb4-455tX_EDAUq4oLhAHVo5FVt1xcu2km6ZvIVgDqwm0JlO6gfcmgRLwrUUvZIkSfRLdUKs8" width="auto" style="width: auto; height: auto;" /><h2>Attacker Behavior Analytics (ABA) Detection Rules</h2><p>In Q2, we added 1197 new ABA detection rules for threats. See them in-product or visit the <a href="https://docs.rapid7.com/insightidr/detection-library-overview">Detection Library</a> for actionable descriptions and recommendations.</p><h2>Stay tuned!</h2><p>We’re always working on new product enhancements and functionality to ensure teams can stay ahead of potential threats and respond to attacks as quickly as possible. 
Keep an eye on the <a href="/blog/">Rapid7 blog</a> and the <a href="https://docs.rapid7.com/release-notes/insightidr/">InsightIDR release notes</a> to keep up to date with the latest Detection and Response releases at Rapid7.<br/></p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/07/11/whats-new-in-rapid7-detection-response-q2-2023-in-review</link>
      <guid isPermaLink="false">blt2f4bd18f2877c869</guid>
      <category><![CDATA[Detection and Response]]></category>
      <category><![CDATA[Managed Threat Complete]]></category>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Stacy Moran]]></dc:creator>
      <pubDate>Tue, 11 Jul 2023 13:00:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt373374bd38878905/683ddf3a3a1c5a5a094ba812/GettyImages-1128503636.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Alerting Rules: InsightIDR Raises the Bar for Visibility and Coverage]]></title>
      <description><![CDATA[<p><em>By George Schneider, Information Security Manager at </em><a href="https://www.listrak.com/"><em>Listrak</em></a></p><p>I've worked in cybersecurity for over two decades, so I've seen plenty of platforms come and go—some even crash and burn. But Rapid7, specifically InsightIDR, has consistently performed above expectations. In fact, <a href="/products/insightidr/">InsightIDR</a> has become an essential resource for maintaining my company’s cybersecurity posture.</p><h2>Alerting <em>Rules!</em></h2><p>Back in the early days, a <a href="/fundamentals/siem/">SIEM</a> didn’t come with a bunch of standardized alerting rules. We had to write all of our own rules to actually find what we were looking for. Today, instead of spending six hours a day hunting for threats, InsightIDR does a lot of the work for the practitioner. Now, we spend a maximum of one hour a day responding to alerts. </p><p>In addition to saving time, the out-of-the-box rules are very effective; they find things that our other security products can't detect. This is a key reason I’ve been 100% happy with Rapid7. As a user, I just know it’s <em>functional</em>. It’s clear that InsightIDR is designed by and for users—there’s no fluff, and the kinks are already ironed out. Not only am I saving time and company resources, the solution is a joy to use. </p><h2>Source Coverage</h2><p>When scouting SIEM options, we wanted a platform that could ingest a lot of different log sources. Rapid7 covered all of the elements we use in the big platforms and various security appliances we have—and some in the cloud too. InsightIDR can ingest logs from all sources and correlate them (a key to any high-functioning SIEM) on day one. </p><h2>Trust the Process</h2><p>I can honestly say this is the first time I’ve ever used a product that adds new features and functionality every single quarter. 
It’s not just a new pretty interface either, Rapid7 consistently adds capabilities that move the product forward. </p><p>What’s also wonderful is that Rapid7 listens to customers, especially their feedback. Not to toot my own horn, but they’ve even released a handful of feature requests that I submitted over the years. So I can say with absolute sincerity that these improvements actually benefit <a href="/fundamentals/security-operations-center/">SOC</a> teams. They make us better at detecting the stuff that we’re most concerned about. </p><h2>Visibility and Coverage, Thanks, Insight Agent! </h2><p>If you’re not familiar with <a href="/blog/post/2023/04/26/using-rapid7-insight-agent-and-insightvm-scan-assistant-in-tandem/">Insight Agent</a>, it’s time to get acquainted. Insight Agent is critical for running forensics on a machine. If I have a machine that gets flagged for something through an automated alert, I can quickly jump in without delay because of the Insight Agent. I get lots of worthwhile information that helps me consistently finish investigations in a timely manner. I know in pretty short order whether an alert is nefarious or just a false positive.</p><p>And this is all built into the <a href="/platform/">Rapid7 platform</a>—it doesn’t require customization or installations to get up and running. You truly have a single pane of glass to do all of this, and it’s somehow super intuitive as well. Using the endpoint agent, I don’t have to switch over to something else to do additional work. It’s all right there. </p><blockquote>“Customer support at Rapid7 is outstanding. It’s the gold standard that I now use to evaluate all other customer support.”</blockquote><h2>Thinking Outside the Pane</h2><p>I also have to give a shout out to the Rapid7 community. The community at <a href="https://discuss.rapid7.com/">discuss.rapid7.com/</a> and the support I get from our Rapid7 account team cannot be overlooked. 
When I have a question about how to use something, my first step is to visit Discuss to see if somebody else has already posted some information about it—often saving me valuable time. If that doesn’t answer my question, the customer support at Rapid7 is outstanding. It’s the gold standard that I now use to evaluate all other customer support.</p><h2>The Bottom Line</h2><p>My bottom line? I love this product (and the people). To say it’s useful is an understatement. I would never recommend a product that I didn’t think was outstanding. I firmly believe in Rapid7 InsightIDR and experience how useful it is every day. So does my team.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/07/06/alerting-rules-insightidr-raises-the-bar-for-visibility-and-coverage</link>
      <guid isPermaLink="false">blt1d6113e7c204aec9</guid>
      <category><![CDATA[SIEM]]></category>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[Detection and Response]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Thu, 06 Jul 2023 16:01:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltd1744b75daeedae7/683ddc9ccc6042c52e206657/GettyImages-1163059774.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Standardizing SaaS Data to Drive Greater Cloud Security Efficacy]]></title>
      <description><![CDATA[<p>The way we do business has fundamentally changed, and as a result, so must security. Whether it’s legacy modernization initiatives, process improvements, or bridging the gap between physical and digital—most organizational strategies and initiatives involve embracing the cloud. However, investing in the cloud doesn’t come without its complexities. </p><p>When organizations adopt new technologies and applications, they inadvertently introduce new opportunities for attackers through vulnerabilities and points of entry. To stay ahead of potential security concerns, teams need to rely on data in order to get an overview of their environment—ensuring protection.</p><p>Where this becomes a bigger challenge is twofold:</p><ol><li>Security professionals need to secure SaaS applications, but each app has its own methodology for generating and storing vital security and usage data.</li><li>Even if a security team puts in the work to centralize all this data, it must be normalized and standardized in order to be usable, which creates more work and visibility gaps.</li></ol><h2>Elevating Security Posture Around SaaS Applications</h2><p>As part of our continued commitment to ensuring customers stay future-ready and secure through their cloud adoption, we’re excited to announce our work with AWS on their new service that will continue the effort around data standardization. <a href="http://aws.amazon.com/appfabric">AWS AppFabric</a> quickly connects SaaS applications across the organization, so IT and security teams can easily manage and secure applications using a standard schema. 
</p><p>By using AppFabric to natively connect SaaS productivity and security applications to each other, security teams can automatically normalize application data (into the <a href="https://github.com/ocsf/">Open Cybersecurity Schema Framework (OCSF)</a> format) for administrators to set common policies, standardize security alerts, and easily manage user access across multiple applications.</p><p>For Rapid7 customers, InsightIDR will be able to ingest logs from AppFabric so security teams have access to that data—stay tuned for more! This is just one in a series of investments we are making to help secure your cloud infrastructure. </p><p>To learn more about how customers are leveraging Rapid7's elite security expertise and practitioner-first platform to elevate their security program, check out <a href="/services/managed-detection-and-response-mdr/">Managed XDR</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/06/27/standardizing-saas-data-to-drive-greater-cloud-security-efficacy</link>
      <guid isPermaLink="false">blt07518c05b8dd8b78</guid>
      <category><![CDATA[Managed Threat Complete]]></category>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[Cloud Security]]></category><dc:creator><![CDATA[Dina Durutlic]]></dc:creator>
      <pubDate>Tue, 27 Jun 2023 17:56:20 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt26718a02dbdf21ea/683de1dcff6aa9338d0ea8b7/GettyImages-1388013584.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[What’s New in InsightIDR: Q1 2023 in Review]]></title>
      <description><![CDATA[<p>InsightIDR received a number of exciting updates in Q1 2023, including faster search, a redesigned UI, updated investigations, support for Insight Network Sensor, Enhanced Endpoint Telemetry, and more.</p><p>In our effort to empower practitioners to feel confident in their detection and response capabilities, we focused on functionality that accelerates investigation and response time. Below you will find key launches and enhancements from the last three months.</p><h3>Augmented Practitioner Log Search Experience: Faster Search Capabilities & Redesigned UI</h3><p>Equipped with new features and better interactivity for a more seamless user experience, the new Log Search provides teams the ability to load selected log sets <strong>3x faster</strong> in addition to providing:</p><ul><li>Easy sharing and analysis of Log Search queries.</li><li>Customization of log data in Table View, JSON Format, and Condensed Format.</li></ul><p><a href="https://docs.rapid7.com/insightidr/new-log-search/">Learn more about the improved Log Search here</a>.<br/></p><img src="https://lh5.googleusercontent.com/HOpj091Ozk9uL-SsKDvLncF-ctW4O6oRyNzI3P3vXEApBpjhMkFG2csLayKSdGGn0MNEBXUYP8ByvL3DQBB1vGrl1-t1qE8tWrNGQoTOpHCGhGA9YPKeN11NptWSNfXoor8lRnZXfCT3bMaE5iOczxQ" width="auto" style="width: auto; height: auto;" /><h3>Increased Visibility, More Coverage with Updated Investigations Functionality</h3><p>InsightIDR now provides more visibility into actions taken during an investigation. The investigation audit log records updates made in the investigation, when those updates were made, and the user who made them. Additional features include visibility in Log Search as a part of the Audit Logs log set. 
</p><p><a href="https://docs.rapid7.com/insightidr/investigations/#view-the-audit-log">To learn more about viewing the Audit Log, click here</a>.</p><p>Additionally, two new options have been added in Investigations to help practitioners more accurately describe an investigation’s current state: the Waiting status and the Unknown disposition. Teams can:</p><ul><li>Use the <em><strong>Waiting</strong></em> status to indicate that the investigation is in a pending state while more information is gathered.</li><li>Use the <em><strong>Unknown</strong></em> disposition to indicate that the maliciousness of the investigation couldn’t be determined.</li></ul><h3>Understand Traffic Data via VLANs or Ports with ERSPAN Support for Insight Network Sensor</h3><p>Security teams can now use Encapsulated Remote SPAN (ERSPAN) with the Insight Network Sensor to mirror traffic associated with one or more VLANs or ports. When configured, a switch will send the SPAN traffic to a Sensor over IP. This allows teams to deploy a Sensor on whatever platform they want and get a copy of network traffic from a crucial network location such as a core switch. Practitioners can enable ERSPAN on a per-Sensor basis from the Sensor Management page.</p><h3>Enriched Endpoint Response with Enhanced Endpoint Telemetry (EET) Data</h3><p>InsightIDR customers can now leverage EET, captured by the Insight Agent, to collect <a href="/solutions/endpoint-detection-and-response/">endpoint</a> process start metadata and use it to create custom detections, accelerate investigations, and respond with greater precision. InsightIDR Advanced customers have access to a 7-day view, while InsightIDR Ultimate customers have a 13-month view. 
</p><p><a href="https://docs.rapid7.com/insightidr/enhanced-endpoint-telemetry/#Available-with-InsightIDRs-Advanced-and-Ultimate-Package">Learn more about the Enhanced Endpoint Telemetry release here</a>.<br/></p><img src="https://lh6.googleusercontent.com/v2YSNCkByjA984OkbnHhis2rsNibTTDzBq0iosNfOClPiShRgztncJtAz6P6MKR3wR0mc6tyFlS13i2ecIrztOuL1YyCssKKk6eMvVgapxrX2FneYjLt6Sv5KxD7HXsNlHDEC-2mZ3geJ2LRdjm6S6A" width="auto" style="width: auto; height: auto;" /><h3>Stay tuned!</h3><p>Rapid7 provides organizations the world’s only practitioner-first security solutions. Each product, including InsightIDR, is purpose-built by practitioners, for practitioners, to ensure teams achieve elevated outcomes without compromise.</p><p>We’re always working on new product enhancements and functionality to ensure teams can stay ahead of potential threats and malicious activity. Keep an eye on the <a href="/blog/">Rapid7 blog</a> and the <a href="https://docs.rapid7.com/release-notes/insightidr/">InsightIDR release notes</a> to keep up to date with the latest detection and response releases at Rapid7.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/03/29/whats-new-in-insightidr-q1-2023-in-review</link>
      <guid isPermaLink="false">blt6ca59a310794966f</guid>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Dina Durutlic]]></dc:creator>
      <pubDate>Wed, 29 Mar 2023 13:50:12 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt373374bd38878905/683ddf3a3a1c5a5a094ba812/GettyImages-1128503636.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Year In Review: Rapid7 InsightIDR]]></title>
      <description><![CDATA[<p>You’re in cybersecurity, so we’ll guess: 2022 crashed in with Log4Shell and, for the most part, got more challenging—never less. So, we kept making tangible improvements to InsightIDR, our cloud-native next-gen SIEM and XDR. We worked with some of our most forward-deployed practitioners: Rapid7 MDR, Threat Intelligence and Detections Engineering, our open source communities, and our customers. New features and functions address pain points and achieve specific goals.</p><p>Let’s review some of the highlights:</p><h3>Accelerated response time with automated Quick Actions</h3><p>Earlier in the year, InsightIDR launched the <a href="https://docs.rapid7.com/insightidr/quick-actions/">Quick Actions</a> feature, which provides teams with instant automation to reduce the time it takes to search, investigate, and respond with a simple click. Example use cases include:</p><ul><li><strong>Threat hunting within log search. </strong>Using the “Look Up File Hash with Threat Crowd” quick action, teams can learn more about a hash within an endpoint log. If the output of the quick action finds the file hash is malicious, practitioners can choose to investigate further.</li><li><strong>More context around alerts in investigations. </strong>Leveraging the “Look Up Domain with WHOIS” quick action enables teams to receive more context around an IP associated with an alert in an investigation.<br/></li></ul><img src="https://lh3.googleusercontent.com/p7eGJC6SwbD14R5Vj5W0VDIuxyH7pvGqanPPAzN2D9oP4QRNuSfp1E7F9KvEHMWMubwkqJGqkAYuG4Q1w0awb8Eudjd3uiJgmyM9jl9WtfOb3cyAVoA_x87E_UrQqkjiOPuYXjoEmM-MGAOZ_hARkhE" width="auto" style="width: auto; height: auto;" /><p><br/><em>“InsightIDR is a real savior, we have reduced our time for log correlation, responding to incidents, not opening multiple tabs and logging into different platforms to understand what happened.”</em>—Abhi Patel, Information Security Officer, Prime Bank. 
Source: <a href="https://www.techvalidate.com/tvid/12F-814-667">TechValidate</a></p><p><strong>Expanded visibility across cloud and </strong><a href="/fundamentals/external-attack-surface-management-easm/"><strong>external attack surface</strong></a></p><p>With InsightIDR, teams have security that grows and scales alongside their business, both on-prem and in the cloud. This year we focused on empowering security teams with cloud incident response capabilities by providing robust integrations with AWS CloudTrail and Microsoft Azure, while also enabling cloud detections with our AWS GuardDuty Detections, AWS CloudTrail Detections, and more. Customers have the full context of their cloud telemetry and detections alongside their wider environment to get a full, cohesive picture and investigate malicious activity and threats that may move across multiple devices and infrastructures.</p><p>Additionally, with Threat Command and InsightIDR together, customers can unlock a complete view of their external and internal attack surface. They can now view <a href="https://docs.rapid7.com/insightidr/threat-command-alerts/">Threat Command alerts</a> alongside their broader detection set in InsightIDR:</p><ul><li><strong>Prioritize and investigate Threat Command alerts: </strong>Use InsightIDR’s investigation management capabilities and seamlessly pivot back to Threat Command to remediate the threat or ask an analyst for help.</li><li><strong>Tune Threat Command detection rules directly in InsightIDR: </strong>Adjust the rule action, set the rule priority, and add exceptions.</li></ul><p>Lastly, Rapid7 provides all customers with 13 months of data retention by default—so they are always audit-ready. To support compliance regulations, we launched new dashboards for organizations to ensure they are meeting requirements. 
For example, we launched new dashboards for CIS, a common security framework, covering:</p><ul><li>CIS Control 5 - Account Management</li><li>CIS Control 9 - Email and Web Browser Protections</li><li>CIS Control 10 - Malware Defense</li></ul><p><em>“With Rapid7’s InsightIDR, we have a greater handle on threats. We are able to resolve issues quicker and reduce maximum tolerable downtime, our incident management procedures and real-time actions have improved immeasurably too, and we have better cyber hygiene as well.”</em>—Security Officer, Medium Enterprise Chemicals Company. Source: <a href="https://www.techvalidate.com/tvid/AE7-68E-BE1">TechValidate</a></p><p><strong>Confidence with expertly curated and vetted detections</strong></p><p>The Rapid7 Threat Intelligence and Detection Engineering (TIDE) team has curated, and continuously updates, our XDR detection library, which is expertly vetted by the Rapid7 MDR SOC. The detection library is the result of meticulous research, our vast open source community, security forums, and industry expertise, and it provides your teams the data they need for sophisticated detection and response. Last year we launched a slew of new detections, the bulk of them IDS rules, but worth highlighting is the expanded coverage of tracked threat actors with the Threat Command integration. 
By integrating our Attacker Behavior Analytics (ABA) detection engine with Threat Command’s threat library intelligence, customers can access broader detections and new threat groups, with around 400 new ABA detection rules powered by thousands of new IOCs.</p><p>We also added a new ABA detection rule, <a href="/blog/post/2022/12/07/about-anomalous-data-transfer-detection-in-insightidr/">Anomalous Data Transfer (ADT)</a>, which uses the Insight Network Sensor to identify large transfers of data sent by assets on a network and outputs alerts for easier monitoring of unusual behavior and potential exfiltration.<br/></p><img src="https://lh6.googleusercontent.com/T6tRGjfeakUBkJlRP_ZC5nPvU31Dcd4j_yJ9w6jiNvG_Y1JZ9VQIBz9SFCuOBOZosLVch0hJ2cukZPiKWAKYEAt5cJVZvTKJnYGTyuzfoOb1VJBZqVpsrwUys-Yir_DFmFJjF90impAUmld6JqSCc8c" width="auto" style="width: auto; height: auto;" /><p><em>“InsightIDR provided value to us on Day-1. We didn't have to write long lists of rules or tweak hundreds of settings in order to get security alerts from our operating environment. Better still, the signal-to-noise ratio of the alerts is great; little-to-no false positives.”</em>—Philip Daly, VP Infrastructure and Information Security, Carlton One Engagement. Source: <a href="https://www.techvalidate.com/product-research/insightIDR/facts/C8F-522-736">TechValidate</a></p><p><strong>Looking ahead</strong></p><p>Watch this space! We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the <a href="/blog/">Rapid7 blog</a> and the <a href="https://docs.rapid7.com/release-notes/insightidr/">InsightIDR release notes</a> to keep up to date with the latest detection and response releases at Rapid7.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/02/07/year-in-review-rapid7-insightidr</link>
      <guid isPermaLink="false">blt45a393d5be443ff0</guid>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Dina Durutlic]]></dc:creator>
      <pubDate>Tue, 07 Feb 2023 20:37:24 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt85920c71bc8fbf50/683ddcda590d7f0d4cde1a49/insightidr-q3.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 Now Available Through Carahsoft’s NASPO ValuePoint]]></title>
      <description><![CDATA[<p>We are happy to announce that <a href="/products/">Rapid7’s cybersecurity products</a> have been added to the NASPO ValuePoint Cloud Solutions contract held by Carahsoft Technology Corp. The addition of this contract enables Carahsoft and its reseller partners to provide Rapid7’s Insight platform to participating States, Local Governments, and Educational (SLED) institutions.</p><p>“Rapid7’s Insight platform goes beyond threat detection by enabling organizations to quickly respond to attacks with intelligent automation,” said Alex Whitworth, Sales Director who leads the Rapid7 Team at Carahsoft. </p><p>“We are thrilled to work with Rapid7 and our reseller partners to deliver these advanced cloud risk management and threat detection solutions to NASPO members to further protect IT environments across the SLED space.”</p><p>NASPO ValuePoint is a cooperative purchasing program facilitating public procurement solicitations and agreements using a lead-state model. The program provides the highest standard of excellence in public cooperative contracting. By leveraging the leadership and expertise of all states and the purchasing power of their public entities, NASPO ValuePoint delivers the highest valued, reliable and competitively sourced contracts, offering public entities outstanding prices.</p><p>“In partnership with Carahsoft and their reseller partners, we look forward to providing broader availability of the Insight platform to help security teams better protect their organizations from an increasingly complex and volatile threat landscape,” said Damon Cabanillas, Vice President of Public Sector Sales at Rapid7. </p><p>The Rapid7 Insight platform is available through Carahsoft’s NASPO ValuePoint Master Agreement #AR2472. For more information, visit <a href="https://www.carahsoft.com/rapid7/contracts">https://www.carahsoft.com/rapid7/contracts</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/01/24/rapid7-now-available-through-carahsofts-naspo-valuepoint</link>
      <guid isPermaLink="false">bltd7650fc3b6d63d8d</guid>
      <category><![CDATA[Government]]></category>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Tue, 24 Jan 2023 15:00:00 GMT</pubDate>
    </item>
    <item>
      <title><![CDATA[What’s New in InsightIDR: Q4 2022 in Review]]></title>
      <description><![CDATA[<p>As we continue to empower security teams with the freedom to focus on what matters most, Q4 focused on investments and releases that contributed to that vision. With InsightIDR, Rapid7’s cloud-native XDR and <a href="/products/insightidr/">SIEM solution</a>, teams have the scale, comprehensive contextual coverage, and expertly vetted detections they need to thwart threats early in the attack chain.</p><p>This 2022 Q4 recap post offers a closer look at the recent investments and releases we’ve made over the past quarter. Here are some of the highlights:</p><h3>Easy to create and manage log search, dashboards, and reports</h3><p>You spoke, we listened! At our customers’ request, you can now create tables with multiple columns, allowing teams to see all data in one view. For example, simply add a query with a “where” clause and select a table display followed by the columns you want displayed.</p><p>Additionally, teams can reduce groupby search results with the having() clause. Customers can filter what data is returned from groupby results, with the option to layer in existing analytics function support (e.g. count, unique, max).</p><img src="https://lh3.googleusercontent.com/kvoM4WvGOKHyrbfY4RG7sDhlpBglHYPDmcndoMvsxF6KISWs6o1Z8nzsWHREBLaZTXIh0taMs7LQX7N9XFXr3nthtF8XCD9PQO8HsrAFOX0d4LnOCFV1pC5ITizZIZnSioqIOY7kRr4c24-j5QgT3DmRcQLfRSs1XeLvtgNtILirAW2lbbnEFVsf00NTmQ" width="auto" style="width: auto; height: auto;" /><h3>Accelerated time to value</h3><p>The InsightIDR Onboarding Progress Tracker, available to customers during their 90-day onboarding period, is a self-serve, centralized checklist of onboarding tasks with step-by-step guidance, completion statuses, and context on the “what” and “why” of each task.</p><p>No longer onboarding? No problem! 
We made the progress tracker available beyond the 90-day onboarding period so customers can evaluate setup progress and ensure InsightIDR is operating at full capacity to effectively detect, investigate, and respond to threats.</p><img src="https://lh3.googleusercontent.com/LG4Mdr0GrGNDbWLLsip0BCxKK4oea_D2kNvSUZHNxYWi9Gl2bZq8FdaRwNz6-CXyLw5YWh38XQq01OWR0YZrLSIFekCxxEBvGvOeD3JxuZLvhTxIKJOqcSbgMRRMk6FMhQvNc28ajN68LyOrxU0JRftUvKPzukWqMdY892K7HwK6CAshq7sY2uqvCujbAQ" width="auto" style="width: auto; height: auto;" /><h3>Visibility across your modern environment</h3><p>For those who leverage Palo Alto Cortex, you can now configure <strong>Palo Alto Cortex Data Lake</strong> to send activity to InsightIDR, including syslog-encrypted Web Proxy, Firewall, Ingress Authentication, etc. Similarly, for customers leveraging Zscaler, you can now configure <strong>Zscaler Log Streaming Service (LSS)</strong> to receive and parse user activity and audit logs from Zscaler Private Access through the LSS.</p><p>For teams who do not have the bandwidth to set up and manage multiple event sources pertaining to Cisco Meraki, we have added support to ingest Cisco Meraki events through the <strong>Cisco Meraki API</strong>. This will enable you to deploy and add new event sources with less management. 
</p><figure style="margin: 0"><img src="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt63a8d4bbf4bcbf04/683de0aecc604292b520678e/111723-1.jpg" class="embedded-asset" content-type-uid="sys_assets" type="asset" alt="111723-1.jpg" asset-alt="111723-1.jpg" style="width: auto" data-sys-asset-filelink="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt63a8d4bbf4bcbf04/683de0aecc604292b520678e/111723-1.jpg" data-sys-asset-uid="blt63a8d4bbf4bcbf04" data-sys-asset-filename="111723-1.jpg" data-sys-asset-contenttype="image/jpeg" data-sys-asset-alt="111723-1.jpg" sys-style-type="display"/></figure><p>Customers can now bring data from their <strong>Government Community Cloud (GCC)</strong> and <strong>GCC High</strong> environments when setting up the Office 365 event source to ensure security standards are met when processing US Government data.</p><h3>Stay tuned!</h3><p>We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the <a href="/blog/">Rapid7 blog</a> and the <a href="https://docs.rapid7.com/release-notes/insightidr/">InsightIDR release notes</a> to keep up to date with the latest detection and response releases at Rapid7.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/01/17/whats-new-in-insightidr-q4-2022-in-review</link>
      <guid isPermaLink="false">blt3ff7a0e3e7b43b78</guid>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Dina Durutlic]]></dc:creator>
      <pubDate>Tue, 17 Jan 2023 18:58:54 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/bltae20d294ed95cc3d/683de0d5590d7f7dabde1bbe/3-mistakes-d-r.jpeg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Ditch The Duct Tape: Reduce Security Sprawl With XDR]]></title>
      <description><![CDATA[<p>The New Year’s Day edition of <em>The Wall Street Journal</em> asked a big question in a big headline: “Can Southwest Airlines Buy Back Its Customers’ Love?”</p><p>While other airlines rebounded from extreme winter weather and service disruptions, Southwest—always top-rated, with a famously loyal following—melted down. It canceled more than 2,300 flights, stranding passengers and their baggage around the country over the Christmas holidays. The U.S. Department of Transportation is putting the entire event “under a microscope.”</p><p>Most believe Southwest will, in fact, be loved again. Tickets were refunded, travel expenses were reimbursed, and approximately 25,000 frequent flyer miles were doled out to each stranded customer. Whatever. That’s not why you should pay attention to this tale.</p><p>The object lesson that matters? <em>WSJ’s CIO Journal</em> followed up, reporting that “balky crew scheduling technology” caused the disaster. Airline staff who used the system had been frustrated by it for some time, but couldn’t get executive attention. A scathing <em>New York Times</em> op-ed on December 31, "The Shameful Open Secret Behind Southwest’s Failure," blames the strong incentives to address problems by “adding a bit of duct tape and wire to what you already have.”</p><p><strong>Balky tech that frustrates staff: Sound familiar?</strong></p><p>Two years ago, <em>ZDNet</em> reported the average enterprise managed 45 different tools to secure their environment. A few weeks ago, the <em>Silicon Valley Business Journal </em>said the number has jumped to 76, with sprawl driven by a need to keep pace with cloud adoption and remote work. Security teams are spending more than half their time manually producing reports, and pulling in data from multiple siloed tools.</p><p>The cybersecurity skills gap isn’t going anywhere. 
And the most tech-savvy generation in human history—Gen Z, the latest entrants to adulthood and the workforce—is unlikely to stick it out in a burnout job laden with clunky tools. They grew up with customer-obsessed brands like Apple and Amazon and Zappos. Expectations about technology and elegant simplicity are built into all corners of their lives—work included—and they instantly know the difference between good and shambolic. Younger workers led <a href="https://www.pewresearch.org/fact-tank/2022/03/09/majority-of-workers-who-quit-a-job-in-2021-cite-low-pay-no-opportunities-for-advancement-feeling-disrespected/">The Great Resignation of 2021</a>.</p><p>The trend toward XDR adoption is part of a solution. While capabilities can vary, XDR should integrate and correlate data from across your environment, letting you prioritize and eliminate threats, automate repetitive tasks, and liberate people to do important work.</p><p><strong>If 2023 is your year to consider XDR, start with this Buyer’s Guide</strong></p><p>Our new <a href="/info/insightidr/2023-xdr-buyers-guide/?utm_medium=promo-bar&amp;utm_source=website&amp;utm_campaign=gc-ftf">XDR Buyer’s Guide</a> is for all of you who want to consolidate, simplify, and attract top talent. In this guide, you’ll get:</p><ul><li>Must-have requirements any real XDR offers</li><li>Ways XDR is a staffing and efficiency game-changer</li><li>Key questions to ask as you evaluate options</li></ul><p>Last year, Southwest announced $2 billion in customer experience investments, including upgraded WiFi, in-seat power, and larger overhead bins, as well as a new multimedia brand campaign, “Go With Heart.”</p><p>After taking very good care of stranded customers—and true to form, the airline did—it announced a 10-year, $10 million plan to hit carbon reduction goals. 
<em>The Wall Street Journal</em> asked: “Could not the Southwest IT department have used another $10 million?”</p><p><strong>…and you’ve surely heard about this</strong></p><p>This morning at 7:20am, the <a href="https://www.cnn.com/us/live-news/faa-system-outage-us-flight-disruptions/index.html">FAA grounded all domestic departures</a> when the NOTAM (Notice to Air Mission) system failed. This critical system ingests information about anomalies at 19,000 airports for 45,000 flights every day, and alerts the right pilots at the right time. We woke up hearing about “failure to modernize” and also possible compromise. </p><p>Thanks for reading and come back tomorrow, as we'll be following this developing story closely.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2023/01/11/ditch-the-duct-tape-reduce-security-sprawl-with-xdr</link>
      <guid isPermaLink="false">bltd798df9c1d238b41</guid>
      <category><![CDATA[XDR]]></category>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Amy Hunt]]></dc:creator>
      <pubDate>Wed, 11 Jan 2023 14:51:31 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt8d4b7b13b3985146/683dded670aa95fed3fe2ffc/GettyImages-106594866.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[About Anomalous Data Transfer detection in InsightIDR]]></title>
      <description><![CDATA[<p>Data exfiltration is an unauthorized movement or transfer of data occurring on an organization’s network. This can occur when a malicious actor gains access to a corporation’s network with the intention of stealing or leaking data.</p><p>Data exfiltration can also be carried out by inside actors moving data outside of the network accidentally, by uploading corporate files to their personal cloud – or deliberately, to leak information that harms the organization.</p><p>Identifying this cyber risk is integral to securing your organization’s network.</p><h2>Of course, attackers use multiple methods</h2><p>Some use phishing scams to trick users into inputting personal login information into spoofed domains so that they can use the stolen credentials to infiltrate the network. Once on the network, the malicious actor can send the files they were searching for outside of the network using remote desktop, SSH, etc.</p><p>Another method? Ignoring the security controls of a network. For example, employees may download unauthorized software for ease of use, but unintentionally allow a third party to gain access to sensitive information that was not meant to leave the network. People may use personal accounts and devices for work-related tasks just because it’s easy. A malicious inside actor can also circumvent security controls to leak information outside of the network.</p><p>With many organizations moving to a hybrid model of work, it’s more important than ever to prevent data exfiltration, intended or unintended. This can be done by educating your employees on appropriate conduct when it comes to data usage and data sharing within and outside of your network. Education about common attack vectors attackers may use to steal their credentials will also help your employees keep your network secure. Additionally, education around what devices can access your network will make it easier to monitor whether a data breach is about to occur. 
Finally, assigning privileges based on employee functions will help.</p><p>Being able to detect data exfiltration is incredibly important for an organization’s environment and essential to your organization’s security posture. One of our new detections, Anomalous Data Transfer, provides you with visibility into possible occurrences of data exfiltration within your network.</p><h2>Rapid7’s approach for detecting Anomalous Data Transfers</h2><p>Anomalous Data Transfer is an InsightIDR detection that uses network flow data, produced by the Insight Network Sensor, to identify and mark unusual transfers of data and behavior. The detection identifies anomalously large transfers of data sent by assets out of a network, and outputs data exfiltration alerts.</p><img src="https://lh4.googleusercontent.com/Qv24jvRFIiRoJVLGRM1Cdu_4Pa8r9vFpUjuY6tIbeMX43u_85x_Kmrhr3va-kJoJ_3WpWMKWExhlbuKyIKIxf3e_2jcBZqH1xU76OYsBi1DYx9C-rFcdp29wWA7PWIUExDRI7U8sP2riutQx3sXunumg11F58zyHk348ynbsBSvPUNmXdOM_mn5bRgJQXg" width="auto" style="width: auto; height: auto;" /><p>The model dynamically derives a baseline for each asset based on its active periods over 30 days, and each hour it outputs network activity that is anomalously high compared to that baseline as a candidate for further investigation. 
This process effectively acts as a filter, reducing millions of network connections to a few candidate alerts to bring to the attention of a security analyst.</p><p>Further contextual information is included in each candidate alert to help a security team make informed decisions about how to investigate the possible occurrence of data exfiltration.</p><img src="https://lh6.googleusercontent.com/8Vfph8zFxIYLAzVGWQnNy_fdeJ3-3DhFG_-os83GNC7P9a3vVPA1euhhoKDns1WWnJVMNgPMreHkPdbzgBmubtP5Bc1dOVmvTceXUuQCsVfQcZ_yrfhqmKc04Zvwh_7PMuyhZCJxqqedpQ4l6qEPnwmOf1M-B17v5pnL6ExLJAaA1kgvyoIihx8vIWvgYQ" width="auto" style="width: auto; height: auto;" /><p>Users can tune which Anomalous Data Transfer alerts are shown by adding exceptions in Managed Detections. Exception rules for Anomalous Data Transfer can be defined on the following attributes: Organization, Certificate, and Source IP/Subnet. This allows analysts to focus on alerts that are well tailored to their organization’s environment.</p><img src="https://lh3.googleusercontent.com/Caim1B9sn9SCb_3MDjFB3-t43SHJYMxduHygazEgMgjKBoE1OhE7cGSdAO9puYgSORAULxSkeFkXYQ7TIe2SzRTBKfCFcpHHJsVsC4q-mAbnHK8m_JAK4A2uAQBStUOhtfSFpyc7GGeeeRDSxo8-00C3-kLz9yrdHCIYc9dJ3hShXDTm6qoSzbgp9a0M0g" width="auto" style="width: auto; height: auto;" />]]></description>
      <link>https://www.rapid7.com/blog/post/2022/12/07/about-anomalous-data-transfer-detection-in-insightidr</link>
      <guid isPermaLink="false">blt4a267f0d915dd1ba</guid>
      <category><![CDATA[InsightIDR]]></category><dc:creator><![CDATA[Shivangi Pandey]]></dc:creator>
      <pubDate>Wed, 07 Dec 2022 19:14:26 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blte12de5704c98ea5b/683de05fabf2ad2deb3c4391/GettyImages-1345780513.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Rapid7 Integration For AWS Verified Access]]></title>
      <description><![CDATA[<p>Today at re:Invent, Amazon Web Services (AWS) unveiled its new AWS Verified Access service, and we are thrilled to announce that InsightIDR — Rapid7’s next-gen SIEM and XDR — will support log ingestion from this new service when it is made generally available.</p><h2>What Is AWS Verified Access?</h2><p>AWS Verified Access is a new service that allows AWS customers to simplify secure access to private applications running on AWS, without requiring the use of a VPN. Verified Access also lets customers easily implement Zero Trust policies for each application reached via the service. The data needed for these policies is provided by integrations between Verified Access and third-party solutions like IdPs and device management tools. For example:</p><ul><li>Access to a low-risk application might be granted to any employee who is logged into the organization’s IdP solution</li><li>Access to a highly sensitive application might only be granted to employees who are logged into the organization’s IdP solution, are part of a specific team at the company, are accessing from a company-managed computer that is fully updated, and have an IP address coming from a country on an allowlist</li></ul><p>For customers who already have IdP and device management solutions, Verified Access can integrate with many of these vendors, allowing the customer to use their existing provider to define policies while still getting the convenience of VPN-less access to their private applications through Verified Access.</p><h2>Unlock a Complete Picture of Your Cloud Security with InsightIDR</h2><p>Verified Access generates detailed logs for every authorization attempt. InsightIDR will be able to ingest these logs from AWS’s just-announced Amazon Security Lake. 
<a href="/products/insightidr/">InsightIDR</a> customers will be able to see ingress activity from Verified Access alongside ingress events from sources like AWS Identity and Access Management (IAM), VPNs, productivity apps, and more — not to mention telemetry from their broader cloud and on-premises environments. Like all ingress activity logs sent to InsightIDR, logs from Verified Access can be used to detect suspicious activity, as well as be brought into investigations to help establish a complete timeline and blast radius of an incident. In addition, customers will have the ability to create custom alerts based on Verified Access logs to further scrutinize and monitor access to sensitive applications.</p><p>InsightIDR’s support for Verified Access is just the latest capability to come out of our never-ending dedication to supporting our customers as they adopt the newest cloud technologies.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2022/11/30/rapid7-integration-for-aws-verified-access</link>
      <guid isPermaLink="false">blt8564ec6c0aa60026</guid>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[AWS]]></category>
      <category><![CDATA[Cloud Security]]></category><dc:creator><![CDATA[Aaron Sawitsky]]></dc:creator>
      <pubDate>Wed, 30 Nov 2022 14:02:50 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt7d367632f462ceb6/683ddde3590d7f1ae6de1abd/GettyImages-1336250787-1.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[InsightIDR Launches Integration With New AWS Security Data Lake Service]]></title>
      <description><![CDATA[<p>It has been an action-packed day at AWS re:Invent. For security professionals, one of the most exciting announcements has to be the launch of Amazon Security Lake. We see a lot of potential for this new service, which is why Rapid7 is proud to announce the immediate availability of an integration between InsightIDR and Security Lake. Read on to learn more!</p><h2>What Is Amazon Security Lake?</h2><p>Amazon Security Lake gives AWS customers a security data lake that centralizes AWS and third-party security logs. What’s more, all data sent to Security Lake is formatted using the recently launched <a href="/blog/post/2022/08/10/ocsf-working-together-to-standardize-data/">OCSF</a> standard. That means even if logs come from different services or different vendors, all logs for a given activity (e.g., all cloud activity logs, all network activity logs, etc.) will have the same format in Security Lake. This will make it easy for customers and their third-party vendors to make use of the data in Security Lake without first having to normalize it.</p><p>Another big feature in Security Lake is the granular control it offers. Customers can choose which users and third-party integrations can access which data sources and how much historical data is available to each. For example, a customer might give their developers the ability to view CloudTrail data from the past five days so they can troubleshoot issues, but give InsightIDR the ability to view CloudTrail data from the past year.</p><h2>InsightIDR’s Integration With Amazon Security Lake</h2><p>InsightIDR’s new integration allows it to ingest log data from Security Lake. At the moment, InsightIDR will only ingest logs from AWS CloudTrail. Over time, we plan to add support for additional OCSF log types, which will allow customers to send data from multiple AWS and third-party services to InsightIDR through one Amazon Security Lake integration. 
This would let InsightIDR immediately ingest and parse logs from any new third-party solution that gets introduced, as long as that solution can export its logs to Security Lake. Another customer benefit is that consolidating the ingestion of multiple log types through Security Lake greatly reduces onboarding effort and ongoing maintenance.</p><p>If you are an existing InsightIDR customer and want to take advantage of the new integration with Amazon Security Lake, instructions for setup are <a href="https://docs.rapid7.com/insightidr/aws-security-lake/">here</a>.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2022/11/29/insightidr-launches-integration-with-new-aws-security-data-lake-service</link>
      <guid isPermaLink="false">bltae13a318df21f94f</guid>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[AWS]]></category>
      <category><![CDATA[Cloud Security]]></category><dc:creator><![CDATA[Aaron Sawitsky]]></dc:creator>
      <pubDate>Tue, 29 Nov 2022 20:24:03 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blta7601c1bd993f0d7/683ddd993323a5dff780a7fb/GettyImages-1354192776.jpg" medium="image" />
    </item>
    <item>
      <title><![CDATA[Search Made Easy: InsightIDR’s Secret Weapon for Efficiency and Efficacy]]></title>
      <description><![CDATA[<p><em>By Matt Heidet</em></p><p><em>Matt is a Senior Information Security Engineer at a Regional Financial Institution. He is a Customer and Guest Blogger for Rapid7.</em></p><p>Have you ever groaned when divvying up incidents from a pen-test amongst an overworked team? Or maybe you’ve struggled to present how you adhere to multiple compliance frameworks to your board. As a Senior Information Security Engineer at a Regional Finance Institute, I’m all too familiar with the daily grind – too many threats, not nearly enough time. Fortunately, Rapid7’s InsightIDR has helped me and my team unify our data, verify the nature of threats, and uphold a security posture that we’re confident in.</p><p>InsightIDR has lots of features that have enabled my organization to identify and respond more easily to threats. In this blog post, I’m going to share some insight into my favorite – InsightIDR’s Log Search function.</p><h3>Back to the Beginning: Why We Chose Rapid7</h3><p>Choosing InsightIDR was a no-brainer for us. We tried two other products, but as soon as we finished the proof-of-concept with Rapid7, we went straight to purchase. There was no point in even testing the others, as InsightIDR provided us with the visibility and context necessary to keep our environment secure.</p><p>If you already have InsightVM, Rapid7’s vulnerability management solution, it’s a pretty smooth transition to InsightIDR. As existing InsightVM users, we already had the Rapid7 Insight Agent deployed on our endpoints, which provided us with real-time endpoint monitoring for vulnerabilities. When we added InsightIDR to our environment, we were automatically covered on those same endpoints, without any need to set up anything additional.</p><p>We were able to get up and running and integrate with a number of Azure Event Hubs out of the gate (a centralized service from which to collect Azure data and logs). 
Only a few other tools would provide that same capability – but they wouldn’t fit into our existing environment the way that Rapid7 did.</p><h3>Getting Started with Log Search</h3><p>When we first started using InsightIDR, my team wanted to bring in as much data to InsightIDR as we could to get a clear picture of what was happening in our environment. We knew we needed holistic visibility, but weren’t 100% on what we should be alerting on or necessarily looking for. Luckily, InsightIDR’s Log Search intuitively organized all of our data and helped us get a view of everything in one place, narrowing our focus and enabling us to really focus on high-priority data.</p><p>InsightIDR removed the complexity of traditional Log Search. If you’re not sure where to start, just start with a simple search – a host name, a kind of attack, or an event. Then, based on your results, you can create a more advanced search by filtering, iterating, or narrowing down your simple searches. From there, you can start creating reports. Your reports can tell you (and you can then customize) how you should be watching an endpoint, how you should be alerted, and more.</p><h3>Let’s Talk Outcomes</h3><p>Now it’s time to do something with all this data! We were able to compare data from those sources to the email alerts that we got from Microsoft on Azure and easily generate a report based on the email events we were seeing from Microsoft. From there, we were able to generate custom detections.</p><p>One reason this was all so straightforward is that Rapid7’s powerful search language, Log Entry Query Language (LEQL – which allows you to construct queries that can extract the hidden insights within your logs), is easy to pick up. Even if you’re not a programmer or engineer, the structure and syntax of the language are accessible.</p><p>Once you get the first couple of workflows ironed out, it’s easy to extrapolate to other ones. 
Once my team focused on this task, we were able to come up with 45 custom detections over just three days!</p><h3>Where Do I Go From Here?</h3><p>Detections are your bread and butter, of course. But once you’re oriented to the dashboard, the language, and the basics of a workflow, the sky’s the limit. You can then customize your reports to your heart’s desire. My team currently has about 22 reports coming in daily, summarizing almost 100 custom detections that all stem from log search.</p><p>Rapid7’s alerting and reporting is hands down the best I’ve ever worked with. But it’s not just about volume – it’s also about versatility. We’re able to monitor all of our cloud services – including Amazon, Azure, and Google – with ease. In the past, when using managed security providers, this wasn’t nearly as straightforward. We’re looking at InsightIDR’s pre-built Attacker Behavior Analytics (ABA) and User Behavior Analytics (UBA) detections with regularity, using a mix of both custom and pre-built “cards” (a visually appealing representation of data) in our InsightIDR dashboard.</p><p>Furthermore, it’s not just that you have options. The pre-built detections that InsightIDR ships out of the box boast plenty of efficacy, resulting in unprecedented efficiency. The ability to have all of the data you need in one place – the equivalent of a “single pane of glass” – just can’t be overstated.</p>]]></description>
      <link>https://www.rapid7.com/blog/post/2022/11/22/search-made-easy-insightidrs-secret-weapon-for-efficiency-and-efficacy</link>
      <guid isPermaLink="false">blt5c3f1b3c1cc5c167</guid>
      <category><![CDATA[InsightIDR]]></category>
      <category><![CDATA[XDR]]></category><dc:creator><![CDATA[Rapid7]]></dc:creator>
      <pubDate>Tue, 22 Nov 2022 14:48:00 GMT</pubDate><media:content url="https://images.contentstack.io/v3/assets/blte4f029e766e6b253/blt2ab062f8c00e11fb/683ddbef5619a1a71ec6e94e/bloghero-4.jpeg" medium="image" />
    </item>
  </channel>
</rss>