Companion Guide:

Rapid7 Answers 10 Key Questions Around Cloud SIEM

Industry quote (Gartner)

In recent Gartner research, their strategic planning assumption is, “By 2023, 80% of SIEM solutions will have capabilities that are only delivered via the cloud (for example, log storage, analytics, incident management), up from 20% currently.”
 

Introduction

Nearly every company today is a data company, with the direct need to quickly, flexibly, and securely develop and advance across on-premises, remote, and cloud environments. Today’s security teams want better visibility into their cloud services and infrastructure, as well as an easier, more holistic approach to centralizing disparate log data, threat detection, and response.

This is why teams around the globe are adopting cloud SIEM solutions. With modern data storage and analytics, security teams are doing more than being compliant with their data: They are finding threats in real time and building sustainable detection processes that directly feed into prevention defenses. In this guide, we’d like to share the vision and security architecture behind our Rapid7 Insight cloud. We’ll cover the following questions that Gartner recommends security teams ask SaaS SIEM vendors:

1. Where is the solution delivered from, and where is my data stored?
2. How is my data protected?
3. Does the solution provide the scaling and ease of management benefits of a true SaaS model?
4. How is my data collected and transported to the SIEM?
5. What is the expected impact on network or internet links?
6. How does the vendor balance the cadence of feature and function upgrades with adequate testing to ensure availability and quality?
7. How does the vendor support security technologies that are part of their platform?
8. Is the licensing and pricing model SaaS-like?
9. How does the vendor ensure availability of the SIEM solution?
10. What happens at the end of the agreement?

While this focuses on our InsightIDR cloud SIEM technology, you can solve multiple security challenges across our Insight cloud, ranging from vulnerability management to application security to security orchestration and automation.

1. Delivery and storage

"Where is the solution delivered from? Where is my data stored?"

Our Rapid7 Insight cloud is hosted on Amazon Web Services (AWS). We carefully uphold our responsibilities in the Shared Responsibility Model, and fully use their data analytics technologies and strong security architecture. The result: the data you entrust to us is reliable, available, and confidential.

You can select where your data is physically stored with AWS Availability Zone deployment options across the US, EU, CA, and AU regions. InsightIDR deployment starts with easy-to-use, on-premises collectors responsible for secure data transport to the Insight cloud. These collectors sit behind your firewall, respond to changes in your environment, and securely transmit relevant data to our platform for analysis.

InsightIDR is a multi-tenant application: Every Rapid7 customer’s data is isolated and encrypted at rest in its own individual database, preventing other customers from accessing your user data. As an additional safeguard, each customer’s log data is tokenized using a unique UUID that walls the data off from other customers, isolating your company’s data.

2. Data protection

"How is my data protected?"

All of your data is encrypted before it is pushed from deployed on-premises collectors to the Insight cloud. InsightIDR employs public key cryptography and challenge-response handshakes to ensure the security of your data and the integrity of the credentials entrusted to the Insight cloud.

Several foundational architecture choices provide layered data security. The collector only uses TLS (HTTPS) to communicate with our platform, and it is explicitly coded to trust only certificates verifiable by the Java trust store Certificate Authorities (CAs). This mitigates the risk of a malicious agent attempting to impersonate the endpoint. It also prevents a malicious agent from feeding the collector arbitrary credentials: succeeding would require a Man-in-the-Middle (MitM) attack using a forged TLS certificate that the collector's trust store would nonetheless accept.

Our Insight cloud continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. This includes an annual SOC 2 Type II audit, compliance with GDPR, SOC 3, FedRAMP Partner Package, and ISO 27001:2013 SoA (further details can be provided upon request).

The data you send to the Insight cloud is securely stored in AWS and encrypted at rest. InsightIDR is multi-tenant, so all of your ingested data is logically separated from all other customers. For more technical detail or compliance reports, visit rapid7.com/trust. We can share further information under NDA.

3. Scaling and ease of management

"Does the solution provide the scaling and ease of management benefits of a true SaaS model?"

Yes: with InsightIDR’s continuous deployment model, you benefit from automatic updates, detections, and new features. Many of our customers oversee extremely diverse environments, such as universities with a large transient student body, and healthcare companies with regular M&A activity. With Rapid7 Insight, they can detect common and targeted attacks and meet stringent SLAs around vulnerability management and audit logging.

As a cloud-native SIEM, InsightIDR is architected to automatically scale to ingest, analyze, and return data to our customers based on load. This is accomplished using auto-scaling groups, queue-based analytics, and database technologies like AWS Aurora.

You don’t need to worry about data infrastructure or scaling, and can slot InsightIDR into your existing change control and role-based access permissions without taking on new recurring work. You get the full benefits of the cloud: easy deployment, minimal maintenance, and no scaling constraints.

Our 800+ customers oversee diverse, ever-changing networks. This includes large universities with transient student classes, multinational corporations, and companies with steady merger and acquisition activity. InsightIDR automatically scales to ingest, analyze, and return data to customers based on load.

4. Data collection and delivery

"How is my data collected and transported to the SIEM?"

There are three ways your data flows to the Insight cloud: (1) Collectors, (2) the Insight Agent, and (3) API. Data is securely transmitted from your data center, corporate HQ and offices, remote workers, cloud apps, and cloud hosting to our cloud platform for User Behavior Analytics, machine learning, centralized log management, and compliance.

Collectors aggregate log data primarily by pulling security logs from domain controllers, reading log events from log files, calling cloud service APIs, and ingesting syslog streams from network appliances. Other collection methods may be available based on the data source. Agents monitor local security logs and host process start/stop activity and upload data either directly to the Insight cloud or proxy data through a Collector.

As part of a secure design, your on-premises collectors always initiate the conversation with our platform; the Insight cloud cannot reach through your firewall and initiate commands. This collector polling architecture, built atop a challenge-response handshake (further details available under NDA), reduces the need to define special inbound firewall rules and allows the Insight cloud to validate that each polling request comes from a legitimate collector instance.
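The collector posture described in questions 2 and 4 (outbound-only polling over HTTPS, trusting only CAs in the platform trust store, and treating a failed certificate check as a possible impersonation attempt) can be illustrated with a small client. This is an added example, not Rapid7's collector code: the function names, the `/poll` endpoint, the JSON body and the failure labels are assumptions, and the proprietary challenge-response handshake is not modelled.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


def build_verifying_context() -> ssl.SSLContext:
    # Trust only CAs in the platform's default trust store (the Python analogue of
    # the Java trust store), require a server certificate and check the hostname.
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    # Guard used before every poll: refuse to run with verification switched off.
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def is_allowed_platform_url(url: str) -> bool:
    # Collector-initiated and TLS-only: anything that is not https is rejected.
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def classify_poll_failure(exc: Exception) -> str:
    # Map transport failures to a label the collector logs locally. A certificate
    # verification failure is the signal that someone may be impersonating the endpoint.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "endpoint-impersonation-suspected"
    if isinstance(exc, ssl.SSLError):
        return "tls-failure"
    return "transport-failure"


def poll_once(url: str, collector_id: str, opener=None) -> dict:
    """One outbound poll: the collector asks the platform for work; nothing is inbound.
    `opener` is injectable so the logic can be exercised offline (hypothetical hook)."""
    if not is_allowed_platform_url(url):
        raise ValueError("refusing non-HTTPS platform URL: %s" % url)
    ctx = build_verifying_context()
    if not context_is_verifying(ctx):
        raise RuntimeError("TLS verification must stay enabled")
    body = json.dumps({"collector_id": collector_id}).encode()  # constructed payload
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    open_fn = opener or (lambda r: urllib.request.urlopen(r, context=ctx, timeout=10))
    try:
        with open_fn(req) as resp:
            return {"ok": True, "status": resp.status, "body": json.loads(resp.read() or b"{}")}
    except Exception as exc:  # classified, not swallowed: the label is logged by the caller
        return {"ok": False, "reason": classify_poll_failure(exc)}
```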

Data is collected and transported to the Insight cloud via (1) Collectors, (2) the Insight Agent, and (3) API. Each method has provisions for secure transfer and allows InsightIDR to detect threats across your entire network—not just your on-premises systems. Since analytics take place in the cloud, there is minimal impact to your internal network and end user systems.

5. Network and internet links

"What is the expected impact on network or internet links?"

As touched on in question 4, data is sent to the Insight cloud via (1) Collector, (2) Agent, and (3) API. Rapid7 data collection technologies are designed to minimize the impact on your network and internet links. We use compression throughout, achieving approximately 10x compression with our Insight Collector.

The Insight Agent, which supports Windows, Mac, and Linux, can be deployed on all assets and remote endpoints, and typically sends 1-2MB/endpoint/day depending on workload.

You can easily monitor your data transmission from within Settings, explore the data you’re sending with Log Search, and relax knowing that our pricing is transparent, consistent, and won’t penalize you for sending important security data to the platform for analysis.

For further technical details and recommendations, please see our Collector Requirements Help Documentation.

If you have steady, relatively fast internet, you can deploy InsightIDR.

  • Insight Agent: Typically 1-2MB/endpoint/day is sent from your endpoints to Insight.
  • API: InsightIDR can interact with leading cloud apps and IaaS to collect authentication and admin behavior to expose risky actions and compromised accounts.

6. Balance of upgrades and testing

"How does the vendor balance feature and function upgrades with adequate testing?"

InsightIDR operates on a continuous deployment model. We understand it is absolutely critical that we do not introduce noisy detections, and that we prioritize uptime and build quality in how we roll out features.

Here are a few tenets of our methodology that ensure availability and quality:

  • Early access and beta programs: As we roll out impactful features such as in-product containment or file integrity monitoring (FIM), we work closely with customers to ensure we’re tackling the underlying challenge while being easy to use.
  • Detection rollout methodology: When our Rapid7 Managed Detection and Response (MDR) services team contributes Attacker Behavior Analytics detections to InsightIDR, we employ numerous techniques, such as backtesting and running new analytics in diagnostic modes, to understand the signal-to-noise ratio and potential impact.
  • Shared services across the Insight cloud: Key features and analytics, such as the Insight Agent, dashboards, and threat intelligence, are used across multiple products in our portfolio. About half of our InsightIDR customers also own and use another Insight product. Focus is therefore placed on reliability, extensibility, resilience for modern network architectures, and modern threats.

While we operate on a continuous deployment model (so detections, data parsers, and the Insight Agent stay up to date automatically), we take several steps in our feature releases to prioritize quality. This includes early access and beta programs, applying detections against anonymized community data, and heavily investing in extensible services that are shared across the Insight cloud.

7. Support for platform technologies

"How does the vendor support security technologies that are part of their platform?"

When you partner with Rapid7, a key advantage is our wide range of domain knowledge and deep security expertise. We use the mantra, “Collect the data once, use it hundreds of times.” That’s why our one Insight Agent is used across our portfolio, and why so many of our customers continue to leverage the Insight cloud: outcome-focused solutions, extensible integrations, and support for your modern network and security stack.

Solve multiple use cases with the Insight cloud. Half of our InsightIDR customers use another Insight product, such as InsightVM for vulnerability management.

8. Licensing and pricing model

"Is the licensing and pricing model SaaS-like?"

InsightIDR is priced by total number of assets in your organization. This is in deliberate contrast to data volume, events per second, or any other “consumption-based” pricing model. Organizations are often challenged with rising data costs (overages) and exponentially huge upsells over time. With InsightIDR, you get a transparent model that allows for consistent budgeting and no surprises. You aren’t forced to choose between ingesting different types of security data due to prohibitive costs.

With the standard InsightIDR subscription, any ingested logs are stored and available for search, visualization, and investigations for one year. This data retention time is entirely flexible: your subscription can be tailored to exactly meet your business and compliance needs. As you expand with InsightIDR, you don’t need to worry about scaling infrastructure, versions, or patches. See our pricing page for further details.

Our pricing model and details are available right on our website. We hear consistent pain around ballooning log data, unexpected data overage charges, and expansion costs. Our pricing is simple, transparent, and makes it easy for you to scale quickly with confidence.

9. Ensuring SIEM solution availability

"How does the vendor ensure availability of the SIEM solution?"

You can always reference https://status.rapid7.com/ to see our global availability and any recent notable events, including any and all outages. Data storage and processing for analytics is all hosted on Amazon Web Services (AWS). Therefore, customers benefit from automatic backup, redundancy, and high availability. AWS has SOC 1, 2, and 3 reports to attest to their backup methodology—if needed, we can work with AWS to provide you with these reports.

On the Rapid7 side, our network infrastructure has redundancy, backup, and recovery capabilities. Our data centers have disaster recovery plans and their own risk assessments.

We take advantage of the automatic backup, redundancy, and high availability provided by AWS. On the Rapid7 side, we also do the same—our data centers have disaster recovery plans and their own risk assessments.

As a customer, you’ll be proactively notified around any maintenance or disruption. Full updates are always available at: https://status.rapid7.com/.

10. End of the agreement

"What happens at the end of the agreement?"

You own the data you collect, and therefore you control access to that data. If you opt to leave a Rapid7 service, you can request deletion of the data, for which we’ll process that request within 14 days. An attestation of data deletion can be made available upon request.

Throughout your InsightIDR product lifetime, you can have all log search data sent to InsightIDR copied daily to an AWS S3 bucket that you control. This is a convenient way to keep a copy for in-house analytics or specific retention regulations, as well as for transitions between data lakes or log management platforms.

As an Insight customer, you own and control all of the data you send to the cloud. If you unsubscribe from InsightIDR, we can work with you on data export and data destruction. For example, you can have all data incoming to InsightIDR also sent to a separate AWS S3 bucket that you control. If you need an attestation of data deletion, we can help you with that.

About InsightIDR

InsightIDR unifies your data with simple, cloud-based data collection, detects common and targeted attacks, and gives your team the context and power to take action. Detect malicious activity across the entire ATT&CK chain, and report to compliance auditors with confidence. Backed by Rapid7 SOC detections, community threat intel sharing, and future-ready data collection, InsightIDR breaks the traditional SIEM mold while boasting the fastest deployment times in the industry.

Ready to see what cloud SIEM could look like for your organization? Start your free 30-day trial of InsightIDR today.