Introducing Network Traffic Analysis in InsightIDR

Illuminate your network, accelerate detection, and fuel investigations. Now in Open Preview for InsightIDR customers.

Rapid7 is excited to announce the Open Preview of Network Traffic Analysis for InsightIDR customers. As you may recall, Rapid7 acquired NetFort, a leading provider of security analytics and automation, in Spring 2019. This Open Preview represents the first wave of new capabilities fueled by NetFort technology into the Insight platform. 

With deployment of the lightweight Insight Network Sensor, InsightIDR customers can continuously monitor network traffic at any location or site across their network. This data builds visibility across the attack surface and detects intrusions (or other potential security events) on the network. Together, alongside the existing user, log, and endpoint data in InsightIDR, network traffic analysis will help analysts:

  • Ensure continuous visibility everywhere, 
  • Recognize compromise quickly, and 
  • Trace the steps of potential attackers across systems and applications.

Network Traffic Analysis is available in Open Preview today in InsightIDR. Please see below for more details about Network Traffic Analysis and the Open Preview period, and find help documentation here.

Network Traffic Analysis Open Preview FAQs

  • What is Network Traffic Analysis?

    Network Traffic Analysis provides teams with details about the activity and devices on their network. This data can be helpful for early detection of potential compromise, as well as adding context to investigations to see how attackers entered or moved around a network.

  • What does Network Traffic Analysis mean for InsightIDR customers?

    Network Traffic Analysis shines a light on the dark corners of the network. It provides increased visibility and an additional axis for early threat detection, as well as rich device and activity information to accelerate investigations. Rapid7’s approach to Network Traffic Analysis (NTA) is unique in that our Managed Detection and Response (MDR) team has curated a library of the most critical Intrusion Detection System (IDS) alerts for teams to focus on, helping cut down on noise and increase analysts’ confidence in taking action. Rapid7 also leverages a proprietary Deep Packet Inspection (DPI) engine to capture all raw network traffic flows and extract rich metadata from them. This approach drastically reduces data volume while retaining the critical data needed for investigations, deeper forensic activities, and custom rule creation.

    Learn more about the benefits of leveraging network data in InsightIDR in this Intro to the SOC Visibility Triad blog.

  • What does Open Preview mean?

    Open Preview is an opportunity for our customers to test a new feature and provide feedback and insights that will help optimize the ultimate launch of Network Traffic Analysis for InsightIDR customers. 

    During Open Preview, we invite InsightIDR customers to test this new NTA functionality at no additional cost: this includes access to the lightweight Insight Network Sensor, as well as the data collected by the sensor—including Intrusion Detection System (IDS) alerts and Deep Packet Inspection (DPI) data. 

    For the duration of Open Preview, customers will have access to the Insight Network Sensor and both IDS events and DPI data at no additional cost to them. Beyond Open Preview, when Network Traffic Analysis is released, customers can continue to access the Insight Network Sensor and IDS events at no additional cost; however, access to DPI data beyond Open Preview will require the purchase of an add-on module to the InsightIDR subscription. 

    Customers can work with their Rapid7 account team to understand DPI pricing and purchase this module.

  • Since Open Preview is for a limited time, when will it end?

    We anticipate that we’ll close the Open Preview phase and shift to General Availability of Network Traffic Analysis in Spring 2020. 

  • What's the difference between IDS data and DPI flow data?

    Intrusion Detection System (IDS) data consists of threat events based on defined rules (e.g. known bad activity related to common forms of malware, and other static alerts). These events are captured by an open source Suricata engine and refined by Rapid7's MDR and Data Science teams to help filter out noise and zero in on the most potentially critical indicators. While this data provides increased visibility and an additional axis for early threat detection, it’s solely focused on identifying known threats.

    The network flow data generated by Rapid7's proprietary Deep Packet Inspection (DPI) engine contains rich detail about network activity, users, and devices. This unique approach produces a massive data reduction over full packet capture, while still retaining granular and actionable detail, delivered in human-readable JSON. To use an analogy from physical security: think of the IDS events as the alerts a security guard might get when employees and guests use their badge to enter a building; in that scenario, the flow data would be the security cameras watching over every area of the building in real time. This robust flow data can help illuminate investigations, provide rich context to forensic activities, and can be used for custom searches and alerting.
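    The two ways of using these data types that the answer describes (enriching a signature-based IDS alert with the surrounding flow records, and writing a custom alert over flow metadata alone) are shown below as an added example. This is illustrative code written for this page, not Rapid7's or InsightIDR's own code: the JSON field names (`timestamp`, `src_ip`, `dst_ip`, `dst_port`, `app`, `bytes`, `signature`) and the sample alert and flow records are constructed for the example and are not the Insight Network Sensor's actual output format.

```python
"""Correlate a signature-based IDS alert with DPI-style flow metadata.

Added example for illustration only. The record layout and the sample
data below are constructed assumptions, not InsightIDR's real schema.
"""
import json
from datetime import datetime, timedelta

# Constructed IDS alert: one event produced by a static rule ("known bad").
IDS_ALERTS_JSON = """
{"timestamp": "2020-01-15T10:00:00Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "dst_port": 80, "signature": "CONSTRUCTED suspicious HTTP user-agent"}
"""

# Constructed DPI-style flow records (newline-delimited JSON), one per flow.
FLOWS_JSON = """
{"timestamp": "2020-01-15T09:58:30Z", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "dst_port": 80, "proto": "tcp", "app": "http", "bytes": 4200}
{"timestamp": "2020-01-15T09:59:00Z", "src_ip": "10.0.0.8", "dst_ip": "198.51.100.7", "dst_port": 443, "proto": "tcp", "app": "tls", "bytes": 9000}
{"timestamp": "2020-01-15T09:59:10Z", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.53", "dst_port": 53, "proto": "udp", "app": "dns", "bytes": 300}
{"timestamp": "2020-01-15T10:03:00Z", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.9", "dst_port": 4444, "proto": "tcp", "app": "unknown", "bytes": 15800}
{"timestamp": "2020-01-15T10:30:00Z", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.53", "dst_port": 53, "proto": "udp", "app": "dns", "bytes": 250}
"""


def parse_records(text):
    """Parse newline-delimited JSON into a list of dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flows_around_alert(alert, flows, window_seconds=300):
    """Enrich an IDS alert: every flow touching the alert's source host
    within +/- window_seconds of the alert (the 'security camera' view
    around the 'badge reader' event)."""
    t0 = _ts(alert["timestamp"])
    lo, hi = t0 - timedelta(seconds=window_seconds), t0 + timedelta(seconds=window_seconds)
    host = alert["src_ip"]
    return [
        f for f in flows
        if host in (f["src_ip"], f["dst_ip"]) and lo <= _ts(f["timestamp"]) <= hi
    ]


def rule_outbound_unexpected_port(flows, internal_prefix="10.", allowed_ports=frozenset({53, 80, 443})):
    """Custom alert written over flow metadata only (no signature needed):
    an internal host talking to an external destination on a port outside
    the allow-list. The prefix and allow-list are assumptions for the example."""
    return [
        f for f in flows
        if f["src_ip"].startswith(internal_prefix)
        and not f["dst_ip"].startswith(internal_prefix)
        and f["dst_port"] not in allowed_ports
    ]


ALERTS = parse_records(IDS_ALERTS_JSON)
FLOWS = parse_records(FLOWS_JSON)

if __name__ == "__main__":
    alert = ALERTS[0]
    print(f"IDS alert: {alert['signature']} from {alert['src_ip']}")
    for f in flows_around_alert(alert, FLOWS):
        print(f"  context flow {f['timestamp']} {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']} ({f['app']}, {f['bytes']} bytes)")
    for f in rule_outbound_unexpected_port(FLOWS):
        print(f"custom rule hit: {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']} ({f['bytes']} bytes)")
```

    Running the script shows the point of keeping flow metadata alongside IDS events: the alert on its own names one host and one signature, while the enrichment returns the DNS lookup and HTTP session that preceded it and the outbound connection on an unlisted port that followed it, and the custom rule fires on that last flow without any signature at all.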

  • What will happen to the DPI data I collect in Open Preview if I choose not to purchase the DPI module once the feature shifts to being Generally Available?

    Customers that deploy the Insight Network Sensor will receive notification ahead of the General Availability period that the Open Preview phase is closing. After Open Preview, all InsightIDR customers will continue to have access to the Insight Network Sensor and IDS events at no additional charge. Customers that choose not to purchase the DPI module after Open Preview will stop collecting new DPI data, but any existing data that was collected during Open Preview will be retained for the duration of their licensed retention period (e.g. customers with a 90-day retention license will retain the data for 90 days after it was collected).

  • How much does the DPI module cost?

    Customers interested in purchasing the DPI module should coordinate with their Rapid7 account executive to understand pricing and license options.

  • I’m an MDR customer, can I also have access to Network Traffic Analysis?

    Yes! MDR customers are invited to test the Network Traffic Analysis capabilities during Open Preview in their InsightIDR instance. You will have the same access and DPI purchase options as InsightIDR customers beyond Open Preview. At this time there is no MDR service component; this means that any alerts triggered by Network Traffic Analysis detections will NOT be investigated by the MDR team. We are actively exploring service offerings around Network Traffic Analysis and will be communicating with MDR customers as soon as those are available.

  • How do I give feedback on Network Traffic Analysis during Open Preview?

    Our User Research team will be proactively reaching out to customers that deploy the Insight Network Sensor during Open Preview to learn more about their experience and any feedback they might have to share.

  • I’m not currently an InsightIDR customer, can I still check out Network Traffic Analysis?

    We invite any active InsightIDR Free Trial users, or users actively engaged in an InsightIDR proof of concept, to test the Network Traffic Analysis functionality. If you have questions, please reach out to your account team for more information.

  • I have more questions about Network Traffic Analysis, where can I go?

    We encourage InsightIDR customers to engage with their account team to learn more about Network Traffic Analysis. You can also learn more in our help docs here.