Now traditionally, the challenge that SIEM tools have is that most of your time is spent in steps one and two when we really want to be in step three. When we first configure a SIEM, you have to basically configure all of these different event sources and push data from Active Directory, from your firewall, from individual applications, all the way into the SIEM system. You then have to train the system how to index and correlate that data. Now, some SIEM tools do this better than others automatically, but from what I've seen, pretty much across the board, there is some manual effort here to correlate different events. And only once you've correlated those events can you build meaningful alerts. Without correlation, you end up building alerts based on individual events from, say, a firewall or from an authentication log. But those tend to be very noisy because there's no correlation behind them to really teach the system what is actually malicious rather than merely anomalous.
Now, once you're into the detection and alerting phase, there's also a lot of tuning and maintenance that goes into this process. And it's kind of a never-ending cycle where you continually teach the system how to respond to different iterations of an alert, and it's really never ending. Now, the last phase is actually incident response, where you receive an alert and actually act on it by investigating the incident. Again, the challenge here is time: we want to be spending our time in incident response, and we find ourselves stuck in correlation and detection.
Now, an ideal SIEM tool would really automate most of these first two phases, allowing you to spend your time in incident response. Basically, we want to be able to understand different logs and automatically correlate them so that they come together and have meaningful context in the interface. And then we're automatically detecting and alerting on activity based on out-of-the-box, preconfigured alerts that understand user context and attacker behavior. This allows us to basically stand up and deploy the SIEM quickly, have meaningful alerts coming out of the system automatically, and spend most of our time responding to actual incidents.
Now, one of the most time-consuming aspects of incident response is mapping asset-centric data back to the users who are actually responsible. As we've seen in the wild, attackers are using legitimate user credentials during their attacks more and more frequently. So a huge aspect of incident response is not only knowing which assets are compromised but which users and which accounts have been compromised. This is really the driving force behind the user behavior analytics platforms that are currently being brought to market. And the value of those tools is basically automating your understanding of asset data and events and correlating them back to the user who is responsible.
With Rapid7's InsightIDR solution, we've basically designed a user behavior analytics platform as the basis of our incident detection and response tool. And that helps automate your indexing and correlation by automatically ingesting logs and correlating them, as well as providing meaningful out-of-the-box alerts that are designed to detect attackers as they use compromised credentials. We've built alerts looking for things like lateral movement, administrator impersonation, pass-the-hash attacks, and malware; really, the full range of attacker techniques is covered in our automated alerts, and we've designed that based on an attacker's kill chain. So we're not receiving alerts for one specific point in an attack; we're receiving alerts across the entire spectrum as the attacker moves from the exterior to the inside of the organization and finally reaches critical assets and sensitive data.
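To make the correlation and user-attribution ideas above concrete, here is an added Python example; it is not code from the original video and not InsightIDR's own logic. It takes constructed DHCP, Windows logon and firewall events (sample data invented for illustration), maps a firewall event's source IP back to a host and then to the account that last logged on interactively there, raises a lateral-movement style alert when one account performs network logons to several hosts in a short window, and finally combines the two so that a large outbound transfer only alerts when it is tied to a user who just moved laterally. The event field names, logon-type codes, window and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data) from three hypothetical sources.
DHCP_LEASES = [  # which host held which IP, and from when
    {"ts": "2024-03-01T08:00:00", "ip": "10.0.1.15", "host": "WS-ALICE"},
    {"ts": "2024-03-01T08:05:00", "ip": "10.0.1.22", "host": "WS-BOB"},
]

AUTH_EVENTS = [  # Windows 4624-style logons: type 2 = console, 3 = network, 10 = RDP
    {"ts": "2024-03-01T08:10:00", "user": "alice", "host": "WS-ALICE",  "src_ip": "10.0.1.15", "logon_type": 2},
    {"ts": "2024-03-01T08:12:00", "user": "bob",   "host": "WS-BOB",    "src_ip": "10.0.1.22", "logon_type": 2},
    {"ts": "2024-03-01T09:00:00", "user": "alice", "host": "SRV-FILE1", "src_ip": "10.0.1.15", "logon_type": 3},
    {"ts": "2024-03-01T09:02:00", "user": "alice", "host": "SRV-DB1",   "src_ip": "10.0.1.15", "logon_type": 3},
    {"ts": "2024-03-01T09:03:00", "user": "alice", "host": "SRV-APP2",  "src_ip": "10.0.1.15", "logon_type": 3},
    {"ts": "2024-03-01T09:04:00", "user": "alice", "host": "DC01",      "src_ip": "10.0.1.15", "logon_type": 3},
]

FIREWALL_EVENTS = [  # outbound connections seen at the perimeter; asset-centric, no user field
    {"ts": "2024-03-01T09:10:00", "src_ip": "10.0.1.15", "dst_ip": "203.0.113.7",  "dst_port": 443, "bytes_out": 52_000_000},
    {"ts": "2024-03-01T09:11:00", "src_ip": "10.0.1.22", "dst_ip": "198.51.100.9", "dst_port": 443, "bytes_out": 4_000},
]


def _t(s):
    return datetime.fromisoformat(s)


def resolve_host(ip, ts):
    """Map an IP to the host holding the most recent DHCP lease at time ts (None if unknown)."""
    best = None
    for lease in DHCP_LEASES:
        if lease["ip"] == ip and _t(lease["ts"]) <= _t(ts):
            if best is None or _t(lease["ts"]) > _t(best["ts"]):
                best = lease
    return best["host"] if best else None


def resolve_user(host, ts):
    """Map a host to the account with the most recent interactive logon (type 2 or 10) before ts."""
    best = None
    for ev in AUTH_EVENTS:
        if ev["host"] == host and ev["logon_type"] in (2, 10) and _t(ev["ts"]) <= _t(ts):
            if best is None or _t(ev["ts"]) > _t(best["ts"]):
                best = ev
    return best["user"] if best else None


def attribute_firewall_events(events=FIREWALL_EVENTS):
    """Enrich asset-centric firewall events with the host and the user behind the source IP."""
    out = []
    for ev in events:
        host = resolve_host(ev["src_ip"], ev["ts"])
        user = resolve_user(host, ev["ts"]) if host else None
        out.append({**ev, "host": host, "user": user})
    return out


def detect_lateral_movement(events=AUTH_EVENTS, window=timedelta(minutes=10), threshold=3):
    """Alert when one account makes network logons (type 3) to >= threshold distinct hosts within window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["logon_type"] == 3:
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _t(e["ts"]))
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if _t(e["ts"]) - _t(start["ts"]) <= window}
            if len(hosts) >= threshold:
                alerts.append({"user": user, "first_seen": start["ts"], "hosts": sorted(hosts)})
                break  # one alert per user per burst, not one per logon
    return alerts


def correlated_exfil_alerts(bytes_threshold=10_000_000):
    """Kill-chain style correlation: a large outbound transfer from a host whose user just moved laterally.
    On its own, 'large transfer' from a firewall log is noisy; tied to a user with a lateral-movement
    alert it is a much stronger signal."""
    movers = {a["user"] for a in detect_lateral_movement()}
    return [ev for ev in attribute_firewall_events()
            if ev["bytes_out"] >= bytes_threshold and ev["user"] in movers]


if __name__ == "__main__":
    for a in detect_lateral_movement():
        print("lateral movement:", a)
    for e in correlated_exfil_alerts():
        print("correlated exfil:", e["user"], "on", e["host"], "->", e["dst_ip"], e["bytes_out"], "bytes")
```

The two lookups use "most recent lease/logon before the event time" rather than a static mapping, because in a real estate IPs and workstations change hands; a timestamp-aware join is the minimum needed to attribute an asset event to the right account, and getting it wrong is how responders end up chasing the wrong user.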
So if that sounds interesting to you and you want to learn more, then please visit the Rapid7 website and check out InsightIDR. We believe it's the SIEM we've always wanted. That's it for this week's Whiteboard Wednesday. We'll talk to you next week.