Posts tagged SIEM

0 min Security Nation

[Security Nation] Moving Beyond SIEM — Or Not?

The amount of alerts streaming out of security tools can easily lead infosec professionals down the wrong path. But what’s the solution?

3 min SIEM

Detecting Stolen Credentials Requires Endpoint Monitoring

If you are serious about detecting advanced attackers using compromised credentials [https://www.rapid7.com/resources/compromised-credentials.jsp] on your network, there is one fact that you must come to terms with: you need to somehow collect data from your endpoints. There is no way around this fact. It is not only because the most likely way that these attackers will initially access your network is via an endpoint. Yes, that is true, but there are also behaviors, both simple and stealthy, th

5 min SIEM

Why Flexible Analytics Solutions Can Help Your Incident Response Team

I happen to despise buzzwords, so it has been challenging for me to use the term "big data security analytics" in a sentence, mostly because I find it to be a technical description of the solutions in this space, rather than an indicator of the value they provide. However, since we build products based on the security problems we identify, I want to explain how those technologies can be used to target some highly pervasive incident response challenges. Detection and investigation problems conti

5 min Incident Response

What Makes SIEMs So Challenging?

I've been at the technical helm for dozens of demonstrations and evaluations of our incident detection and investigation solution, InsightIDR [https://www.rapid7.com/products/insightidr/], and I've been running into the same conversation time and time again: SIEMs aren't working for incident detection and response.  At least, they aren't working without investing a lot of time, effort, and resources to configure, tune, and maintain a SIEM deployment.  Most organizations don't have the recommende

3 min SIEM

Attackers Thrive on Chaos; Don't Be Blind to It

Many find it strange, but I really enjoy chaos. It is calming to see so many problems around in need of solutions. For completely different reasons, attackers love the chaos within our organizations. It leaves a lot of openings for gaining access and remaining undetected within the noise. Rapid7 has always focused on reducing the weaknesses introduced by chaos. Dr. Ian Malcolm taught us in Jurassic Park that you cannot control chaos. Instead, we strive to help you reduce and understand its impa

4 min SIEM

Enterprise Account Takeover: The Moment Intruders Become Insiders

Every time an attacker successfully breaches an organization, there is a flurry of articles and tweets attempting to explain exactly what happened so information security teams worldwide are able to either a) sleep at night because they have mitigated the vector or b) lose only one night of sleep mitigating it. Here's the problem: every breach is complex and involves a great deal more malicious actions than are published on your chosen 24-hour news website. The least detected action is the use o

4 min SIEM

When Your SIEM Tools Are Just Not Enough

Security Information and Event Management (SIEM) tools have come a long way since their inception in 1997. The initial vision for SIEM tools [http://www.rapid7.com/resources/videos/5-ways-attackers-evade-a-siem.jsp] was to be a ‘security single pane of glass,' eliminating alert fatigue, both in quantity and quality of alerts. Yet the question still remains: have SIEMs delivered on that promise, and if so, can every security team benefit from one? In this blog we'll dive a bit into the history be

3 min SIEM

Alert Fatigue: Incident Response Teams Stop Listening to Monitoring Solutions

"Don't Be Noisy." It's that simple. This motto may be the only remaining principle of the concept that entered incubation in mid-2012 and eventually became InsightIDR. [https://www.rapid7.com/products/insightidr/] Of the pains that our customers shared with us up to that point, there was a very consistent challenge: monitoring products were too noisy. Whether they were talking about a firewall, a web proxy, SIEM, or a solution that doesn't fit into a simple category, these design partners told

5 min Events

RSA 2016: Filtering Through The Noise

The memory is a fickle beast. Perhaps this past RSA Conference was my 14th, or my 8th, or 7th…hmmm, they often run together. In truth this Conference has become such an ingrained part of my life that my wife often jokes about becoming a “RSA Widow” the week of the conference, and then dealing with my “RSAFLU” the next week. Well this year was different team, this year SHE got sick upon my return, along with two of the kids. Oh karma, that was just deserved. And while the fridge is now full of Ta

5 min SIEM

5 Ways Attackers Can Evade a SIEM

I've been in love with the idea of a SIEM since I was a system administrator. My first Real Job™ was helping run a Linux-based network for a public university. We were open source nuts, and this network was our playground. Things did not always work as intended. Servers crashed, performance was occasionally iffy on the fileserver and the network, and we were often responding to outages. Of course, we had tools to alert us when outages were going on. I learned to browse the logs and the system m

5 min SIEM

Whether or Not SIEM Died, the Problems Remain

This post is the second in a series examining the roles of search and analytics in the incident-detection-to-response lifecycle. To read the previous, click here [/2015/10/21/search-will-always-be-a-part-of-incident-investigations]. Various security vendors have made very public declarations claiming everything from “SIEM is dead.” to asking if it has merely “lost its magic”. Whatever your stance on SIEM, what's important to recognize is that while technologies may fail to solve a problem, thi

9 min Log Management

Q & A from the Incident Response & Investigation Webcast: "Storming the Breach, Part 1: Initial Infection Vector"

The recent webcast “Storming the Breach, Part 1: Initial Infection Vector [https://information.rapid7.com/storming-the-breach-part-1-initial-infection-vector.html?CS=blog] ”, with Incident Response experts Wade Woolwine [/author/wade-woolwine] and Mike Scutt sparked so many great questions from our live attendees that we didn't have time to get through all of them! Our presenters took the time to answer additional questions after the fact... so read on for the overflow Q&A on tips and tricks for

2 min SIEM

Get HP ArcSight Alerts on Compromised Credentials, Phishing Attacks and Suspicious Behavior

If you're using HP ArcSight ESM as your SIEM, you can now add user-based incident detection and response to your bag of tricks. Rapid7 is releasing a new integration between Rapid7 UserInsight [http://www.rapid7.com/products/user-insight/] and HP ArcSight ESM [http://www8.hp.com/us/en/software-solutions/arcsight-esm-enterprise-security-management/] , which enables you to detect, investigate and respond to security threats targeting a company's users more quickly and effectively. HP ArcSight is

3 min PCI

PCI 30 seconds newsletter #19 - Your PCI Logbook - What is required in terms of log management?

P>D R is a well-known principle in security. It's a principle that means that the Protective measures in place must be strong enough to resist longer than the time required to Detect something wrong is happening and then React. For example, your door must be strong enough to prevent a malicious individual from getting in for at least the amount time required to detect the incident, alert the police, and have them arrive on site. In this context, log management plays a specific role. It help