Rapid7 Managed Detection and Response (MDR) extends your team’s ability to detect, analyze, investigate, and actively respond to threats across your modern environment through 24/7/365 monitoring and tailored security operations designed to stop attackers and advance your security program.
As attackers evolve and new threats are discovered, our Threat Intelligence team develops signatures and analytic detections for existing and emerging threats. This data is combined with sourced threat intelligence feeds to enrich the data and deepen our contextual knowledge. All detections ensure coverage for the various IOCs that malicious actors use in the wild, mapped to the MITRE ATT&CK framework.
Rapid7 Threat Intelligence and Detection Engineering (TIDE), part of Managed Services, leads Rapid7’s proprietary, global threat intel program. Together with Rapid7’s research initiatives, TIDE analysts provide customers and MDR SOC analysts with the surrounding context needed to defend against threats with new detection mechanisms for vulnerability exploits and attack campaigns.
As attackers evolve and new threats are discovered, TIDE develops signatures and analytic detections for existing and emerging threats. These detections ensure coverage for the various IOCs that malicious actors use in the wild, informed by over 1.2 trillion weekly security events observed across our detection and response platform from the sources listed below. All detections improve in fidelity over time as our MDR analysts inform the threat intelligence team of rule suppressions, which lets us tailor detections to each customer, add granularity, reduce noise, and avoid recurrence.
We’re committed to openly sharing security information that not only helps the entire cybersecurity community to learn, grow, and address issues in the security world, but also to improve our products and detections. Below are the common sources that lead to Rapid7’s security expertise and intelligence advantage.
The MDR service is powered by Rapid7’s Insight Platform. Data from our endpoint agent and other event sources gives us network- and system-level visibility across your environment. InsightIDR, our cloud SIEM recognized as a leader by Gartner, analyzes that user, endpoint, and network data to uncover threats across your internal network and cloud services and to detect advanced attacks early. And, as a customer of MDR, you’ll have full access to InsightIDR to search logs and run your own investigations.
The Rapid7 Managed Detection and Response service is powered by Rapid7’s Insight Cloud, specifically:
Combined, your MDR service will be operating using products recognized as leaders across the industry.
The back end of the MDR service is InsightIDR, Rapid7’s modern cloud SIEM, which leverages both User and Attacker Behavior Analytics to detect intruder activity, cutting down on false positives and days of work for security professionals. InsightIDR goes beyond traditional SIEM monitoring, uniting data from endpoints, logs, and cloud services in a single tool to hunt all of the most common attack vectors behind breaches.
InsightIDR allows the MDR SOC team to integrate feeds from your existing security infrastructure, giving the Rapid7 MDR team even greater visibility into possible threats across your environment. This combination gives you real-time visibility and detection for malware, fileless attacks, and the use of stolen credentials. In fact, over 90% of all InsightIDR detections occur at or before “Credential Access,” well before any significant attacker impact, as shown in the graphic below.
[Graphic: share of InsightIDR detections by attack-chain stage, with over 90% occurring at or before Credential Access]
By alerting on stealthy intruder behavior as early as possible in the attack chain, InsightIDR provides the comprehensive information and automation capabilities needed to take swift action on threats before they get out of hand.
As a customer of Rapid7 MDR, you’ll have full access to InsightIDR, giving you visibility into the product to perform log searches, create custom alerts for your team, and conduct incident investigations leveraging InsightIDR and all data available in the tool.
InsightIDR’s primary data source for detection and response is the Insight Agent, lightweight yet powerful software you can install on any asset—whether in the cloud or on-premises—to collect and analyze endpoint data from critical and remote assets across your IT environment.
The data the Insight Agents pass to the analyst team allows MDR analysts to get as close to the attacker as possible and to perform endpoint investigations and threat hunting with system-level visibility. This endpoint data is parsed against real-time threat intelligence insights from the Rapid7 customer base and sophisticated behavioral analytics (tuned with an in-depth understanding of your business) to uncover threats across your internal network and cloud services.
Without an agent to collect and analyze critical data on the endpoint, customers are unable to detect advanced threats and cannot query the asset, either for incident investigation or response.
The Rapid7 Insight Agent provides critical, real-time visibility across your Windows, Mac, and Linux assets—no matter where they are in the world. You can detect modern malware that evades today’s antivirus tech, gain visibility into your assets, and even take action through the agent to contain a found threat. The Insight Agent is able to provide context to anomalous behaviors by analyzing:
While the Insight Agents are responsible for collecting data on your assets, they do not account for network traffic, which is the data moving between your assets. To provide the network traffic visibility that’s needed to detect attackers, Rapid7’s Insight Network Sensor allows you to monitor, capture, and assess the end-to-end network traffic moving throughout your physical and virtual environment.
Network traffic monitoring is an increasingly significant security gap for organizations today. As a security practitioner looking to minimize your attack surface, you need to know the types of network data traversing your network and how much of that data is moving; both are critical indicators of possible malicious activity in your environment.
The Insight Sensor is able to provide this while adding several benefits to ensure the tool provides value without downside:
InsightIDR can use network sensor data to generate investigations and alerts from the IPv4 flow data of traffic traversing your environment. InsightIDR also leverages DNS and DHCP information that the network sensor extracts from network packets to produce other actionable alerts.
After the data becomes available in InsightIDR, the processed network traffic can be further leveraged as a foundation for log searching, data analysis, building custom reports and dashboards, identifying the top external clients making inbound connections, and other data points.
MDR Elite customers have the option of enabling the Active Response service capability, which leverages a limited license of Rapid7’s SOAR solution, InsightConnect, to drive advanced workflows for immediate response to endpoint- and/or user-based threats. Customers can further extend their SOC automation capabilities and streamline IT and security operations with a full license of InsightConnect.