Managed Detection and Response Overview

Introduction

Rapid7 Managed Detection and Response (MDR) extends your team’s ability to detect, analyze, investigate, and actively respond to threats across your modern environment through 24/7/365 monitoring and tailored security operations designed to stop attackers and advance your security program.

Six Layers of the Service

1. Proprietary Threat Intelligence & Research

As attackers evolve and new threats are discovered, our Threat Intelligence team develops signatures and analytic detections for existing and emerging threats. This data is combined with sourced threat intelligence feeds to enrich the data and deepen our contextual knowledge. All detections ensure coverage for various IOCs that malicious actors use in the wild mapped to the MITRE ATT&CK framework.

  • Intel based on 115+ billion daily security events
  • Constantly evolving detections as new TTPs emerge
  • Tailored tuning and alert suppression

Rapid7 Threat Intelligence and Detection Engineering (TIDE), part of Managed Services, leads Rapid7’s proprietary, global threat intel program. Together with Rapid7’s research initiatives, TIDE analysts provide customers and MDR SOC analysts with the surrounding context needed to defend against threats with new detection mechanisms for vulnerability exploits and attack campaigns. 

Threat Intelligence and Detection Engineering Team

As attackers evolve and new threats are discovered, TIDE develops signatures and analytic detections for existing and emerging threats. These detections ensure coverage for various IOCs that malicious actors use in the wild, informed by over 1.2 trillion weekly security events observed across our detection and response platform from the sources listed below. All detections improve in fidelity over time as our MDR analysts inform the threat intelligence team of rule suppressions to provide a tailored approach for customers, add granularity, reduce noise, and avoid recurrency. 

Rapid7 Research and Threat Intelligence Sources

We’re committed to openly sharing security information that not only helps the entire cybersecurity community to learn, grow, and address issues in the security world, but also to improve our products and detections. Below are the common sources that lead to Rapid7’s security expertise and intelligence advantage.

  • Applied threat research: This component describes our methods of gathering, evaluating, analyzing and institutionalizing threat data. We analyze emerging threats at a fast-paced, operational level, and produce actionable tactical intelligence and detections as a result. Our sources include internal intel and frontline threat data from IR engagements and analyst workflows. The single most important source of threat data that we transform into our detections is the data derived from MDR & IR intrusion reports.
  • Rapid7 Customers: Our detections are further enhanced from learnings across the 150+ billion daily security events captured by our Insight Agents deployed on Customer endpoints, MDR Customers, and Incident Response engagements.
  • Metasploit Community: Metasploit is the world's most widely used penetration testing software, used to uncover weaknesses in defenses, with over 3,000 exploits and over 200,000 active contributors.
  • Project Heisenberg Cloud: A collection of over 200 low-interaction, global honeypots distributed both geographically and across IP space. The honeypots offer the front end of various services to learn what other scanners are up to (usually no good), and to conduct "passive scanning" to help enhance our understanding of attacker methods.
  • Project Sonar: A security research project by Rapid7 that conducts internet-wide scans across different services and protocols to gain insight into global exposure to common vulnerabilities.
  • Pen test engagements: Rapid7 service engagements allow us to leverage real-world experiences of our engineers and investigators gathered over thousands of pen tests.

2. Industry-Leading Technology

The MDR service is powered by Rapid7’s Insight Platform. Data from our endpoint agent and other event sources help us gain network- and system-level visibility across your environment. This data is processed by our Gartner-leading cloud SIEM, InsightIDR, which applies analytics to user, endpoint, and network data to uncover threats across your internal network and cloud services and detect advanced attacks early. As a customer of MDR, you’ll have full access to InsightIDR to search logs and run your own investigations.

  • Unlimited data and event source connections
  • Leverage and integrate your existing security investments across endpoint, network, infrastructure, and cloud solutions
  • Fast deployment and exceptional time to value

The Rapid7 Managed Detection and Response service is powered by Rapid7’s Insight Cloud, specifically:

Combined, your MDR service will be operating using products recognized as leaders across the industry.

InsightIDR

The back-end of the MDR service is InsightIDR, Rapid7’s modern cloud SIEM that leverages both User and Attacker Behavior Analytics to detect intruder activity, cutting down on false positives and days of work for security professionals. InsightIDR goes beyond traditional SIEM monitoring, uniting data from endpoints, logs, and cloud services in a single tool to hunt all of the most common attack vectors behind breaches.

InsightIDR allows the MDR SOC team to integrate feeds from your existing security infrastructure, giving the Rapid7 MDR team even greater visibility into possible threats across your environment. This combination gives you real-time visibility and detection for malware, fileless attacks, and the use of stolen credentials. In fact, over 90% of all InsightIDR detections occur at or before “Credential Access,” well before any significant attacker impact, as shown in the graphic below.

[Graphic: InsightIDR detections mapped to attack-chain stages, showing over 90% occurring at or before “Credential Access”]

By alerting on stealthy intruder behavior as early as possible in the attack chain, InsightIDR provides the comprehensive information and automation capabilities needed to take swift action on threats before they get out of hand.

As a customer of Rapid7 MDR, you’ll have full access to InsightIDR, giving you visibility into the product to perform log searches, create custom alerts for your team, and conduct incident investigations leveraging InsightIDR and all data available in the tool.

Insight Agents

InsightIDR’s primary data source for detection and response comes from the Insight Agent, a lightweight yet powerful software you can install on any asset—whether in the cloud or on-premises—to collect and analyze endpoint data from critical and remote assets across your IT environment.

The data passed to the analyst team by the Insight Agents allows the MDR analysts to get as close to the attacker as possible and perform endpoint investigations and threat hunting with system-level visibility. This endpoint data is parsed against real-time threat intelligence insights from the Rapid7 customer base and sophisticated behavioral analytics (tuned with an in-depth understanding of your business) to uncover threats across your internal network and cloud services.

Without an agent to collect and analyze critical data on the endpoint, customers are unable to detect advanced threats and cannot query the asset, either for incident investigation or response. 

The Rapid7 Insight Agent provides critical, real-time visibility across your Windows, Mac, and Linux assets—no matter where they are in the world. You can detect modern malware that evades today’s antivirus tech, gain visibility into your assets, and even take action through the agent to contain a found threat. The Insight Agent is able to provide context to anomalous behaviors by analyzing:

  • Running processes
  • Security events
  • System event codes
  • Registry data
  • Intruder traps
  • Asset and user data
  • File audit logs
  • File and package data

Insight Network Sensor

While the Insight Agents are responsible for collecting data on your assets, they do not account for network traffic, which is the data moving between your assets. To provide the network traffic visibility that’s needed to detect attackers, Rapid7’s Insight Network Sensor allows you to monitor, capture, and assess the end-to-end network traffic moving throughout your physical and virtual environment. 

Network traffic monitoring is an increasingly significant security gap for organizations today. As a security practitioner looking to minimize your attack surface, you need to know the types of network data traversing your network and how much of that data is moving, which are two critical areas that could indicate malicious activity in your environment.

The Insight Sensor is able to provide this while adding several benefits to ensure the tool provides value without downside:

  • Passive monitoring
  • Works on any network
  • Efficient data collection
  • Ideal for sensitive environments
  • One data set for multiple use cases
  • Rapid time to value

InsightIDR can use network sensor data to generate investigations and alerts from the IPv4 flow data of traffic traversing your environment. InsightIDR also leverages DNS and DHCP information that the network sensor extracts from network packets to produce other actionable alerts.

After the data becomes available in InsightIDR, the processed network traffic can be further leveraged as a foundation for log searching, data analysis, building custom reports and dashboards, identifying the top external clients making inbound connections, and other data points.

InsightConnect

MDR Elite customers have the option of enabling the Active Response service capability, which leverages a limited license of Rapid7’s SOAR solution, InsightConnect, to drive advanced workflows for immediate response to endpoint- and/or user-based threats. Customers can further extend their SOC automation capabilities and streamline IT and security operations with a full license of InsightConnect.