Rapid7 acquired NetFort, a leading provider of security analytics and automation, in Spring 2019. Following this acquisition, we are thrilled to incorporate network traffic analysis as part of our leading SaaS-based SIEM, InsightIDR. This release represents the first wave of new capabilities fueled by NetFort technology on the Insight platform.
With deployment of the lightweight Insight Network Sensor, InsightIDR customers can continuously monitor network traffic at any location or site across their on-premises network and in-cloud networks, such as Amazon virtual private clouds. This data builds visibility across the attack surface and detects intrusions (or other potential security events) on the network.
Together, alongside the existing user, log, and endpoint data in InsightIDR, network traffic analysis will help analysts:
Network Traffic Analysis provides teams with details about the activity and devices on their network. This data can be helpful for early detection of potential compromise, as well as adding context to investigations to see how attackers entered or moved around a network.
Network Traffic Analysis shines a light on the dark corners of the network. It provides increased visibility and an additional axis for early threat detection, as well as rich device and activity information to accelerate investigations. Rapid7’s approach to Network Traffic Analysis (NTA) is unique in that our Managed Detection and Response (MDR) team has curated a library of the most critical Intrusion Detection System (IDS) alerts for teams to focus on, helping cut down on noise and increase analysts’ confidence in taking action. Rapid7 also leverages a proprietary Deep Packet Inspection (DPI) engine to capture all raw network traffic flows, extracting rich metadata. This approach drastically reduces data volume while retaining the critical data needed for investigations, deeper forensic activities, and custom rule creation.
Learn more about the benefits of leveraging network data in InsightIDR in this Intro to the SOC Visibility Triad blog.
Intrusion Detection System (IDS) data consists of threat events based on defined rules (e.g. known bad activity related to common forms of malware, and other static alerts). These events are captured by an open source Suricata engine and refined by Rapid7's MDR and Data Science teams to help filter out noise and zero in on the most potentially critical indicators. While this data provides increased visibility and an additional axis for early threat detection, it is focused solely on identifying known threats.
The network flow data generated by Rapid7's proprietary Deep Packet Inspection (DPI) engine contains rich detail about network activity, users, and devices. This unique approach produces a massive data reduction over full packet capture while still retaining granular and actionable detail, delivered in human-readable JSON. To use an analogy from physical security: think of the IDS events as the alerts a security guard might get when employees and guests use their badge to enter a building; in that scenario, the flow data would be the security cameras watching over every area of the building in real time. This robust flow data can help illuminate investigations, provide rich context to forensic activities, and can be used for custom searches and alerting.
Customers interested in purchasing the flow data module should coordinate with their Rapid7 account executive to understand pricing and license options.
Customers that deployed the Insight Network Sensor received a notification ahead of the General Availability period that the Open Preview phase was closing.
Now that Open Preview has ended, all InsightIDR customers will continue to have access to the Insight Network Sensor and IDS events at no additional charge. Customers that chose not to purchase the flow data module have stopped collecting new DPI flow data, but any existing data that was collected during Open Preview will be retained for the duration of their licensed retention period (e.g. customers with a 90-day retention license will retain the data for 90 days after it was collected).
Yes! MDR customers have access to the Insight Network Sensor and IDS events as part of their existing subscription. For customers that deploy the Sensor, MDR Analysts will monitor IDS event alerts like they would other R7 alerts.
Elite MDR customers can purchase access to flow data to leverage for deeper investigations and forensic activities in the InsightIDR portal. Please note: there is not an MDR service component around flow data at this time; this data would be for use by the customer in the InsightIDR portal. We are actively exploring service offerings around flow data and will be communicating with MDR customers as soon as those are available.
Yes! Any active InsightIDR Free Trial users, or users actively engaged in an InsightIDR proof of concept, will have access to the Network Traffic Analysis functionality. If you have questions, please reach out to your account team for more information.
We encourage InsightIDR customers to engage with their account team to learn more about Network Traffic Analysis. You can also learn more in our help docs here: https://sensor.help.rapid7.com/docs