XDR, the Beatles, and Blunt Instruments

Sometimes tools are blunt because there’s nothing else. Regarding economic controls for example, Fed Chair Jerome Powell said: “We have essentially interest rates, the balance sheet and forward guidance. They are famously blunt tools, they are not capable of surgical precision."

Others are blunt because they’re new and these things take time. For example: stereos in the 1960s shook the floors with unrestrained subwoofers. Yes, it was the Beatles and Ringo Starr on the drums, but still. It took years to refine this new technology to enhance the music instead of assaulting our senses.

Taking off shoes at the airport? Blunt.

Years later, Real ID and TSA Pre-Check®? Better.

Coming soon: Facial recognition and biometric screening, better still—after privacy concerns are addressed.  

Cybersecurity has used blunt tools, followed by far too many “better ones.” The average security team is now managing 76 tools, and spending more than half their time manually producing reports. The way out is a sharp tool to replace all these better ones—a resource that will actually get the job done. Start with our newly released 2023 XDR Buyer’s Guide.

XDR consolidation and precision have arrived; just know what to look for

Security programs succeed when they have a library of curated, high-fidelity detections backed by threat intelligence that they can trust out-of-the-box. Anything else is low-performance guesswork.

Huge numbers of alerts that teams must review and triage can lead to missing high profile threats. Extended Detection and Response (XDR) solutions deliver tailored security alerts that are quantified and scored to improve signal-to-noise ratio and help catch threats early in the attack chain. XDR also eliminates context switching and ensures you have high context, correlated investigation details, blending relevant data from across different event sources into one, coherent picture.

XDR delivered: MDR

With Rapid7, XDR security can also be delivered to you as an end-to-end, turnkey service. Managed detection and response (MDR) can be a game changer, with always-on threat detection, incident validation, and response (such as threat containment). Some providers add features like threat intelligence, human-led threat hunting, behavior analytics, and automation to your capabilities.

A good MDR provider will be 100% end-to-end responsible; however, it should also be an extension of your in-house team. Look for a provider that will freely share the XDR technology with your in-house operation, and work transparently. Your team should be able to observe your environment exactly as the MDR team does, do their own threat hunting, and more—whatever level of collaboration you’d like to see.

2023 is the year of consolidation and XDR. But no change, however awesome or overdue, is easy. We hope this XDR Buyer’s Guide helps.

What’s New in InsightIDR: Q4 2022 in Review

As we continue to empower security teams with the freedom to focus on what matters most, Q4 focused on investments and releases that contributed to that vision. With InsightIDR, Rapid7’s cloud-native SIEM and XDR solution, teams have the scale, comprehensive contextual coverage, and expertly vetted detections they need to thwart threats early in the attack chain.

This 2022 Q4 recap post offers a closer look at the recent investments and releases we’ve made over the past quarter. Here are some of the highlights:

Easy to create and manage log search, dashboards, and reports

You spoke, we listened! At our customers’ request, you can now create tables with multiple columns, so teams can see all their data in one view. For example, add a query with a “where” clause, select a table display, and then pick the columns you want shown.

Additionally, teams can reduce groupby search results with the having() clause. It filters which groups are returned from groupby results, with the option to layer in the existing analytics functions (e.g. count, unique, max).
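To make the where → groupby → having pipeline concrete, here is an added example in plain Python (not InsightIDR code, and not its query language) that runs the same kind of reduction over constructed authentication records: keep only failed logins, group them by user, compute count/unique analytics per group, and return only the groups that pass a having-style threshold. The event fields, the sample data and the threshold are assumptions for illustration.

```python
"""Illustrative where -> groupby -> having reduction over constructed auth events.

Added example: this is not InsightIDR code and does not use the product's
query language; it shows what such a pipeline computes using plain Python.
"""
from collections import defaultdict

# Constructed sample events (not real data): one authentication record each.
SAMPLE_EVENTS = [
    {"user": "alice", "result": "FAILED",  "source_ip": "10.0.0.5", "asset": "ws-01"},
    {"user": "alice", "result": "FAILED",  "source_ip": "10.0.0.5", "asset": "ws-01"},
    {"user": "alice", "result": "FAILED",  "source_ip": "10.0.0.6", "asset": "ws-01"},
    {"user": "alice", "result": "SUCCESS", "source_ip": "10.0.0.6", "asset": "ws-01"},
    {"user": "bob",   "result": "FAILED",  "source_ip": "10.0.0.9", "asset": "ws-02"},
    {"user": "carol", "result": "FAILED",  "source_ip": "10.0.0.7", "asset": "ws-03"},
    {"user": "carol", "result": "FAILED",  "source_ip": "10.0.0.8", "asset": "ws-03"},
    {"user": "carol", "result": "FAILED",  "source_ip": "10.0.0.9", "asset": "ws-03"},
    {"user": "carol", "result": "FAILED",  "source_ip": "10.0.0.9", "asset": "ws-04"},
]


# Analytic functions comparable to count / unique in a log search.
def count(rows):
    return len(rows)


def unique(field):
    """Return an analytic that counts distinct values of `field` in a group."""
    return lambda rows: len({r[field] for r in rows})


def where(events, predicate):
    """Keep only events for which the predicate holds (the "where" clause)."""
    return [e for e in events if predicate(e)]


def groupby(events, field):
    """Bucket events by the value of `field` (the "groupby" clause)."""
    groups = defaultdict(list)
    for e in events:
        groups[e[field]].append(e)
    return dict(groups)


def having(groups, analytics, predicate):
    """Evaluate each analytic per group and keep the groups passing the predicate."""
    table = {}
    for key, rows in groups.items():
        row = {name: fn(rows) for name, fn in analytics.items()}
        if predicate(row):
            table[key] = row
    return table


def failed_login_summary(events=SAMPLE_EVENTS, min_failures=2):
    """where(result == FAILED) groupby(user) having(count >= min_failures).

    Returns {user: {"count": n, "unique_ips": n, "unique_assets": n}} for the
    users whose failed-login count meets the (assumed) threshold.
    """
    failed = where(events, lambda e: e["result"] == "FAILED")
    groups = groupby(failed, "user")
    analytics = {
        "count": count,
        "unique_ips": unique("source_ip"),
        "unique_assets": unique("asset"),
    }
    return having(groups, analytics, lambda row: row["count"] >= min_failures)


if __name__ == "__main__":
    # Prints a multi-column table: one row per user that passed the having filter.
    for user, row in failed_login_summary().items():
        print(user, row)
```

With the constructed data, bob is dropped by the having filter (only one failure), while alice and carol are reported with their failure counts and the number of distinct source IPs and assets involved, which is the kind of multi-column view an analyst would pivot on.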


Accelerated time to value

The InsightIDR Onboarding Progress Tracker, available to customers during their 90-day onboarding period, is a self-serve, centralized checklist of onboarding tasks with step-by-step guidance, completion statuses, and context on the “what” and “why” of each task.

No longer onboarding? No problem! We made the progress tracker available beyond the 90-day onboarding period so customers can evaluate setup progress and ensure InsightIDR is operating at full capacity to effectively detect, investigate, and respond to threats.


Visibility across your modern environment

For those who leverage Palo Alto Cortex, you can now configure Palo Alto Cortex Data Lake to send activity to InsightIDR, including syslog-encrypted Web Proxy, Firewall, Ingress Authentication, etc. Similarly, for customers leveraging Zscaler, you can now configure Zscaler Log Streaming Service (LSS) to receive and parse user activity and audit logs from Zscaler Private Access through the LSS.

For teams who do not have the bandwidth to set up and manage multiple event sources pertaining to Cisco Meraki, we have added support to ingest Cisco Meraki events through the Cisco Meraki API. This will enable you to deploy and add new event sources with less management.


Customers can now bring data from their Government Community Cloud (GCC) and GCC High environments when setting up the Office 365 event source, ensuring security standards are met when processing US Government data.

Stay tuned!

We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest detection and response releases at Rapid7.

Prioritizing XDR in 2023: Stronger Detection and Response With Less Complexity

As we get closer to closing out 2022, the talk in the market continues to swirl around extended detection and response (XDR) solutions. What are they? What are the benefits? Should my team adopt XDR, and if yes, how do we evaluate vendors to determine the best approach?

While there continue to be many different definitions of XDR in the market, the common themes around this technology consistently are:

  • Tightly integrated security products delivering common threat prevention, detection, and incident response capabilities
  • Out-of-the-box operational efficiencies that require minimal customization
  • Security orchestration and automation functions to streamline repetitive processes and accelerate response
  • High-quality detection content with limited tuning required
  • Advanced analytics that can correlate alerts from multiple sources into incidents

Simply put, XDR is an evolution of the security ecosystem in order to provide elevated and stronger security for resource-constrained security teams.

XDR for 2023

Why is XDR the preferred cybersecurity solution? With an ever-expanding attack surface and diverse and complex threats, security operations centers (SOCs) need more visibility and stronger threat coverage across their environment – without creating additional pockets of siloed data from point solutions.

A 2022 study of security leaders found that the average security team is now managing 76 different tools – with sprawl driven by a need to keep pace with cloud adoption and remote working requirements. Because of the exponential growth of tools, security teams are spending more than half their time manually producing reports, pulling in data from multiple siloed tools. An XDR solution offers significant operational efficiency benefits by centralizing all that data to form a cohesive picture of your environment.

Is XDR the right move for your organization?

When planning your security for the next year, consider what outcomes you want to achieve in 2023.

Security product and vendor consolidation

To combat increasing complexity, security and risk leaders are looking for effective ways to consolidate their security stack – without compromising the ability to detect threats across a growing attack surface. In fact, 75% of security professionals are pursuing a vendor consolidation strategy today, up from just 29% two years ago. An XDR approach can be an effective path for minimizing the number of tools your SOC needs to manage while still bringing together critical telemetry to power detection and response. For this reason, many teams are prioritizing XDR in 2023 to spearhead their consolidation movement. It’s predicted that by year-end 2027, XDR will be used by up to 40% of end-user organizations to reduce the number of security vendors they have in place.

As you explore prioritizing XDR in 2023, it’s important to remember that all XDR is not created equal. A hybrid XDR approach may enable you to select top products across categories but will still require significant deployment, configuration, and ongoing management to bring these products together (not to mention multiple vendor relationships and expenses to tackle). A native XDR approach delivers a more inclusive suite of capabilities from a single vendor. For resource-constrained teams, a native approach may be superior to hybrid as there is likely to be less work on behalf of the customer. A native XDR does much of the consolidation work for you, while a hybrid XDR helps you consolidate.

Improved security operations efficiency and productivity

“Efficiency” is a big promise of XDR, but this can look different for many teams. How do you measure efficiency today? What areas are currently inefficient and could be made faster or easier? Understanding this baseline and where your team is losing time today will help you know what to prioritize when you pursue an XDR strategy in 2023.

A strong XDR replaces existing tools and processes with alternative, more efficient working methods. Example processes to evaluate as you explore XDR:

  • Data ingestion: As your organization grows, you want to be sure your XDR can grow with it. Cloud-native XDR platforms will be especially strong in this category, as they will have the elastic foundation necessary to keep pace with your environment. Consider also how you’ll add new event sources over time. This can be a critical area to improve efficiency.
  • Dashboards and reporting: Is your team equipped to create and manage custom queries, reports, and dashboards? Creating and distributing reports can be extremely time-consuming – especially for newer analysts. If your team doesn’t have the time for constant dashboard creation, consider XDR approaches that offer prebuilt content and more intuitive experiences that will satisfy these use cases.
  • Detections: With a constant evolution of threat actors and behaviors, it's important to evaluate if your team has the time to bring together the necessary threat intelligence and detection rule creation to stay ahead of emergent threats. Effective XDR can greatly reduce or potentially eliminate the need for your team to manually create and manage detection rules by offering built-in detection libraries. It’s important to understand the breadth and fidelity of the detections library offered by your vendor and ensure that this content addresses the needs of your organization.
  • Automation: Finding the right balance for your SOC between technology and human expertise will allow analysts to apply their skills and training in critical areas without also having to handle repetitive and mundane tasks. Because different XDR solutions offer different forms of automation, prioritize workflows that will provide the most benefit to your team. Some example use cases would be connecting processes across your IT and security teams, automating incident response to common threats, or reducing any manual or repetitive tasks.

Accelerated investigations and response

While XDR solutions claim to host a variety of features that can accelerate your investigation and response process, it's important to understand how your team currently functions. Start by identifying your mean time to respond (MTTR) at present, then what your goal MTTR is for the future. Once you lay that out, look back at how analysts currently investigate and respond to attacks and note any skill or knowledge gaps, so you can understand what capabilities will best assist your team. XDR aims to paint a fuller picture of attacker behavior, so security teams can better analyze and respond to it.

Here are some example questions that can help build out the use cases you require to meet your target ROI for next year:

  • During an investigation, where is your team spending the majority of their time?
  • What established processes are currently in place for threat response?
  • How adaptable is your team when faced with new and unknown threat techniques?
  • Do you have established playbooks for specific threats? Does your team know what to do when these fire?

Again, having a baseline of where your organization is today will help you define more realistic goals and requirements going forward. When evaluating XDR products, dig into how they will shorten the window for attackers to succeed and drive a more effective response for your team. For a resource-constrained team, you may especially want to consider how an XDR approach can:

  • Reduce the amount of noise that your team needs to triage and ensure analysts zero in on top priority threats
  • Shorten the time for effective investigation by providing relevant events, evidence, and intelligence around a specific attack
  • Provide effective playbooks that maximize autonomy for analysts, enabling them to respond to threats confidently without the need to escalate or do excessive investigation
  • Deliver one-click automation that analysts can leverage to accelerate a response after they have assessed the situation

Unlock the potential of XDR with Rapid7

If you and your team prioritize XDR in 2023, we’d love to help. Rapid7’s native XDR approach unlocks advanced threat detection and accelerated response for resource-constrained teams. With 360-degree attack surface coverage, teams have a sophisticated view across both the internal – and external – threat landscape. Rapid7 Threat Intelligence and Detection Engineering curate an always up-to-date library of threat detections – vetted in the field by our MDR SOC experts to ensure high-fidelity, actionable alerts. And with recommended response playbooks and pre-built workflows, your team will always be ready to respond to threats quickly and confidently.

To learn more about the current market for XDR and receive additional perspectives, check out Gartner’s Market Guide for Extended Detection and Response.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


Rapid7 Makes Security Compliance Complexity a Thing of the Past With InsightIDR

As a unified SIEM and XDR solution, InsightIDR gives organizations the tools they need to drive an elevated and efficient compliance program.

Cybersecurity standards and compliance are mission-critical for every organization, regardless of size. Apart from the direct losses resulting from a data breach, non-compliant companies could face hefty fees, loss of business, and even jail time under growing regulations. However, managing and maintaining compliance, preparing for audits, and building necessary reports can be a full-time job, which might not be in the budget. For already-lean teams, compliance can also distract from more critical security priorities like monitoring threats, early threat detection, and accelerated response – exposing organizations to greater risk.

An efficient compliance strategy reduces risk, ensures that your team is always audit-ready, and – most importantly – drives focus on more critical security work. With InsightIDR, security practitioners can quickly meet their compliance and regulatory requirements while accelerating their overall detection and response program.

Here are three ways InsightIDR has been built to elevate and simplify your compliance processes.

1. Powerful log management capabilities for full environment visibility and compliance readiness

Complete environment visibility and security log collection are critical for compliance purposes, as well as for providing a foundation of effective monitoring and threat detection. Enterprises need to monitor user activity, behavior, and application access across their entire environment — from the cloud to on-premises services. The adoption of cloud services continues to increase, creating even more potential access points for teams to keep up with.

InsightIDR’s strong log management capabilities provide full visibility into these potential threats, as well as enable robust compliance reporting by:

  • Centralizing and aggregating all security-relevant events, making them available for use in monitoring, alerting, investigation, and ad hoc searching
  • Providing the ability to search for data quickly, create data models and pivots, save searches and pivots as reports, configure alerts, and create dashboards
  • Retaining all log data for 13 months for all InsightIDR customers, enabling the correlation of data over time and meeting compliance mandates
  • Automatically mapping data to compliance controls, allowing analysts to create comprehensive dashboards and reports with just a few clicks

To take it a step further, InsightIDR’s intuitive user interface streamlines searches while eliminating the need for IT administrators to master a search language. The out-of-the-box correlation searches can be invoked in real time or scheduled to run regularly at a specific time should the need arise for compliance audits and reporting, updated dashboards, and more.

2. Predefined compliance reports and dashboards to keep you organized and consistent

Pre-built compliance content in InsightIDR enables teams to create robust reports without investing countless hours manually building and correlating data to provide information on the organization’s compliance posture. With the pre-built reports and dashboards, you can:

  • Automatically map data to compliance controls
  • Save filters and searches, then duplicate them across dashboards
  • Create, share, and customize reports right from the dashboard
  • Make reports available in multiple formats like PDF or interactive HTML files

InsightIDR’s library of pre-built dashboards makes it easier than ever to visualize your data within the context of common frameworks. Entire dashboards created by our Rapid7 experts can be set up in just a few clicks. Our dashboards cover a variety of key compliance frameworks like PCI, ISO 27001, HIPAA, and more.


3. Unified and correlated data points to provide meaningful insights

With strong log management capabilities providing a foundation for your security posture, the ability to correlate the resulting data and look for unusual behavior, system anomalies, and other indicators of a security incident is key. This information is used not only for real-time event notification but also for compliance audits and reporting, performance dashboards, historical trend analysis, and post-hoc incident forensics.

Privileged users are often the targets of attacks, and when compromised, they typically do the most damage. That’s why it’s critical to extend monitoring to these users. In fact, because of the risk involved, privileged user monitoring is a common requirement for compliance reporting in many regulated industries.

InsightIDR provides a constantly curated library of detections that span user behavior analytics, endpoints, file integrity monitoring, network traffic analysis, and cloud threat detection and response – supported by our own native endpoint agent, network sensor, and collection software. User authentications, locational data, and asset activity are baselined to identify anomalous privilege escalations, lateral movement, and compromised credentials. Customers can also connect their existing Privileged Access Management tools (like CyberArk Vault or Varonis DatAdvantage) to get a more unified view of privileged user monitoring with a single interface.
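The baselining idea above (learn what is normal per user, then flag authentications that deviate) can be shown with a small added example. This is illustrative Python written for this page, not InsightIDR’s own analytics: it learns, for each user, the assets and source locations seen during an assumed baseline window, then flags later logins from a never-seen location or to a never-seen asset, and separately reports users who have too little history to judge. Field names, the window boundary, the minimum-history threshold and all events are constructed assumptions.

```python
"""Illustrative per-user authentication baselining and anomaly flagging.

Added example, not InsightIDR code. Real products baseline many more
dimensions (time of day, peer groups, privilege tier); this shows the shape
of the technique on constructed data.
"""
from collections import defaultdict

# Constructed sample events (not real data). Times are ISO-8601 UTC strings,
# which sort correctly as plain strings because they share one format.
SAMPLE_AUTH_EVENTS = [
    {"time": "2022-11-01T09:02:00", "user": "dana", "asset": "fin-db-01", "location": "Boston, US"},
    {"time": "2022-11-02T08:58:00", "user": "dana", "asset": "fin-db-01", "location": "Boston, US"},
    {"time": "2022-11-03T09:15:00", "user": "dana", "asset": "ws-dana",   "location": "Boston, US"},
    {"time": "2022-11-04T09:05:00", "user": "dana", "asset": "fin-db-01", "location": "Boston, US"},
    # Post-baseline: same privileged asset, but from a location dana never used.
    {"time": "2022-11-05T03:41:00", "user": "dana", "asset": "fin-db-01", "location": "Lagos, NG"},
    # Post-baseline: new location and a domain controller dana never touched.
    {"time": "2022-11-05T03:45:00", "user": "dana", "asset": "dc-01",     "location": "Lagos, NG"},
    # Post-baseline: a user with no history at all (cannot be judged yet).
    {"time": "2022-11-05T10:00:00", "user": "eve",  "asset": "ws-eve",    "location": "Austin, US"},
]

# Assumed boundary: events at or before this instant build the baseline.
BASELINE_END = "2022-11-04T23:59:59"


def build_baseline(events, baseline_end=BASELINE_END):
    """Learn, per user, the set of assets and locations seen in the baseline window."""
    baseline = defaultdict(lambda: {"assets": set(), "locations": set(), "count": 0})
    for e in events:
        if e["time"] <= baseline_end:
            b = baseline[e["user"]]
            b["assets"].add(e["asset"])
            b["locations"].add(e["location"])
            b["count"] += 1
    return dict(baseline)


def detect_anomalies(events, baseline, baseline_end=BASELINE_END, min_history=3):
    """Return (time, user, reason) tuples for post-baseline events that deviate.

    A user with fewer than `min_history` baseline events is reported as
    "no_baseline" rather than scored, so an analyst can decide how to treat it.
    """
    alerts = []
    for e in events:
        if e["time"] <= baseline_end:
            continue
        b = baseline.get(e["user"])
        if b is None or b["count"] < min_history:
            alerts.append((e["time"], e["user"], "no_baseline"))
            continue
        reasons = []
        if e["location"] not in b["locations"]:
            reasons.append("new_location")
        if e["asset"] not in b["assets"]:
            reasons.append("new_asset")
        if reasons:
            alerts.append((e["time"], e["user"], "+".join(reasons)))
    return alerts


def run(events=SAMPLE_AUTH_EVENTS):
    """Build the baseline and evaluate the remaining events against it."""
    return detect_anomalies(events, build_baseline(events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two design points worth noting: the baseline window is closed before detection starts so an attacker’s own activity cannot teach the model that it is normal, and “no history” is reported as its own condition instead of silently passing or silently alerting.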

Meet compliance standards while accelerating your detection and response

We know compliance is not the only thing a security operations center (SOC) has to worry about. InsightIDR can ensure that your most critical compliance requirements are met quickly and confidently. Once you have an efficient compliance process, the team will be able to focus their time and effort on staying ahead of emergent threats and remediating attacks quickly, reducing risk to the business.

What could you do with the time back?




Cybersecurity Analysts: Job Stress Is Bad, but Boredom Is Kryptonite

Years ago, “airline pilot” used to be a high-stress profession. Imagine being in personal control of equipment worth millions hurtling through the sky on an irregular schedule with the lives of all the passengers in your hands.

But today on any given flight, autopilot is engaged almost 90% of the time. (The FAA requires it on long-haul flights or anytime the aircraft is over 28,000 feet.) There are vast stretches of time where the problem isn’t stress – it’s highly trained, intelligent people just waiting to perhaps be needed if something goes wrong.

Of course, automation has made air travel much safer. But over-reliance on it is now considered an emerging risk for pilots. The concerns? Loss of situational awareness, and difficulty taking over quickly and deftly when something fails. FAA scientist Kathy Abbott believes automation has made pilot error more likely if they “abdicate too much responsibility to the automated systems.” This year, the FAA rewrote its guidance, now encouraging pilots to spend more time actually flying and keeping their skills sharp.

What you want at any job is “flow”

Repetitive tasks can be a big part of a cybersecurity analyst’s day. But when you combine monotony (which often leads to boredom) with the need for attentiveness, it’s kryptonite. One neuroscientific study proved chronic boredom affects “judgment, goal-directed planning, risk assessment, attention focus, distraction suppression, and intentional control over emotional responses.”

The goal is total and happy immersion in a task that challenges you but is within your abilities. When you have that, you’re “in the zone.” And you’re not even tempted to multi-task (which isn’t really a thing).

Combine InsightConnect and InsightIDR, and you can find yourself “in the zone” for incident response:

  • Response playbooks are automatically triggered from InsightIDR investigations and alerts.
  • Alerts are prioritized, and false alerts are wiped away.
  • Alerts and investigations are automatically enriched: no more manually checking IPs, DNS names, hashes, etc.
  • Pathways to PagerDuty, Slack, Microsoft Teams, JIRA, and ServiceNow are already set up for you and tickets are created automatically for alerts.

According to Rapid7’s Detection and Response Practice Advisor Jeffrey Gardner, the coolest example of InsightIDR’s automaticity is its baselining capability.

“Humans are built to notice patterns, but we can only process so much so quickly,” Gardner says. “Machine learning lets us take in infinitely more data than a human would ever be able to process and find interesting or anomalous activity that would otherwise be missed.” InsightIDR can look at user/system activity and immediately notify you when things appear awry.

The robots are not coming for your job – surely not yours. But humans and machines are already collaborating, and we need to be very thoughtful about exactly, precisely how.

Like inattentive commercial pilots, Tesla drivers using Autopilot don’t much look at the road even though they’re required to, and they remain wholly responsible for everything the vehicle does. Teslas are also being hacked, started, and driven off. A 19-year-old took 25 Teslas. We’re designing our jobs – and life on earth, too.



360-Degree XDR and Attack Surface Coverage With Rapid7

Today’s already resource-constrained security teams are tasked with protecting more as environments sprawl and alerts pile up, while attackers continue to get stealthier and add to their arsenal. To be successful against bad actors, security teams need to be proactive against evolving attacks in their earliest stages and ready to detect and respond to advanced threats that make it past defenses (because they will).

Eliminate blindspots and extinguish threats earlier and faster

Rapid7’s external threat intelligence solution, Threat Command, reduces the noise of numerous threat feeds and external sources, and prioritizes and alerts on the most relevant threats to your organization. When used alongside InsightIDR, Rapid7’s next-gen SIEM and XDR, and InsightConnect, Rapid7’s SOAR solution, you’ll unlock a complete view of your internal and external attack surface with unmatched signal to noise.

Leverage InsightIDR, Threat Command, and InsightConnect to:

  • Gain 360-degree visibility with expanded coverage beyond the traditional network perimeter thanks to Threat Command alerts being ingested into InsightIDR, giving you a more holistic picture of your threat landscape.
  • Proactively thwart attack plans with Threat Command alerts that identify active threats from across your attack surface.
  • Find and eliminate threats faster when you correlate and investigate Threat Command alerts with InsightIDR’s rich investigative capabilities.
  • Automate your response by attaching an InsightConnect workflow to take action as soon as a detection or a Threat Command alert surfaces in InsightIDR.
Threat Command alerts alongside InsightIDR Detection Rules

Stronger signal to noise with Threat Command Threat Library

The power of InsightIDR and Threat Command doesn’t end there. We added another layer to our threat intelligence earlier this year when we integrated Threat Command’s Threat Library into InsightIDR to give more visibility into new indicators of compromise (IOCs) and continued strength around signal to noise.

All IOCs related to threat actors tracked in Threat Command are automatically applied to customer data sent to InsightIDR, which means you automatically get current and future coverage as new IOCs are found by the research team. Alongside InsightIDR’s variety of detection types — User Behavior Analytics (UBA), Attacker Behavior Analytics (ABA), and custom detections — you’re covered against all infiltrations, from lateral movement to unique attacker behaviors and everything in between. The impact? Your team is never behind on emerging threats to your organization.
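As an added example of what “applying IOCs to customer data” means in practice, the Python below (written for this page; not Threat Command or InsightIDR code) matches a constructed indicator set against constructed events. It goes a little beyond plain string equality: IP indicators may be single addresses or CIDR ranges, domain indicators match the domain itself and its subdomains (but not a look-alike that merely ends in the same characters), and hashes are compared case-insensitively. Actor labels, indicator values and events are all placeholders.

```python
"""Illustrative indicator-of-compromise matching over an event stream.

Added example, not Threat Command or InsightIDR code. Indicators and events
are constructed placeholders; a real deployment pulls indicators from a
threat-intelligence source and refreshes them as new IOCs are published.
"""
import hashlib
import ipaddress

# A constructed, obviously fake hash so the sample is valid but not real.
CONSTRUCTED_HASH = hashlib.sha256(b"constructed-sample-binary").hexdigest()

# Constructed indicator set keyed by type; values are placeholder actor labels.
IOC_SET = {
    "ip": {"198.51.100.23": "ACTOR-PLACEHOLDER-1", "203.0.113.0/24": "ACTOR-PLACEHOLDER-2"},
    "domain": {"update-check.example": "ACTOR-PLACEHOLDER-1", "cdn-static.example": "ACTOR-PLACEHOLDER-2"},
    "sha256": {CONSTRUCTED_HASH: "ACTOR-PLACEHOLDER-1"},
}

# Constructed events from three source types (DNS, proxy, endpoint process).
SAMPLE_EVENTS = [
    {"id": "e1", "source": "dns",     "domain": "Update-Check.example."},          # case + trailing dot
    {"id": "e2", "source": "proxy",   "dest_ip": "198.51.100.23"},                 # exact IP
    {"id": "e3", "source": "process", "sha256": CONSTRUCTED_HASH.upper()},          # uppercase hash
    {"id": "e4", "source": "dns",     "domain": "example.com"},                     # benign
    {"id": "e5", "source": "proxy",   "dest_ip": "198.51.100.200"},                # near miss, no match
    {"id": "e6", "source": "proxy",   "dest_ip": "203.0.113.77"},                  # inside CIDR indicator
    {"id": "e7", "source": "dns",     "domain": "notupdate-check.example"},         # look-alike, must NOT match
]


def match_event(event, ioc_set=IOC_SET):
    """Return a list of (indicator_type, indicator, actor) hits for one event."""
    hits = []

    ip = event.get("dest_ip")
    if ip:
        addr = ipaddress.ip_address(ip)
        for net, actor in ioc_set["ip"].items():
            # strict=False lets a bare address and a CIDR both parse as networks.
            if addr in ipaddress.ip_network(net, strict=False):
                hits.append(("ip", net, actor))

    dom = event.get("domain")
    if dom:
        dom = dom.lower().rstrip(".")  # normalise case and the DNS root dot
        for ind, actor in ioc_set["domain"].items():
            # Match the indicator itself or a subdomain of it; the leading dot
            # prevents "notupdate-check.example" from matching "update-check.example".
            if dom == ind or dom.endswith("." + ind):
                hits.append(("domain", ind, actor))

    digest = event.get("sha256")
    if digest:
        digest = digest.lower()
        if digest in ioc_set["sha256"]:
            hits.append(("sha256", digest, ioc_set["sha256"][digest]))

    return hits


def scan(events=SAMPLE_EVENTS, ioc_set=IOC_SET):
    """Run every event through the indicator set; return (event_id, hit) pairs."""
    return [(e["id"], hit) for e in events for hit in match_event(e, ioc_set)]


if __name__ == "__main__":
    for event_id, hit in scan():
        print(event_id, hit)
```

The normalisation steps (case, trailing dot, subdomain boundary, CIDR containment) are where naive IOC matching usually loses coverage or produces false positives; e5 and e7 are included precisely to show the non-matches.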

Faster, more efficient responses with InsightConnect

Strong signal to noise is taken a step further with automation, so teams can not only identify threats quickly but respond immediately. The expanded integration between InsightConnect and InsightIDR allows you to respond to any alert being generated in your environment. With this, you can easily create and map InsightConnect workflows to any ABA, UBA, or custom detection rule, so tailored response actions can be initiated as soon as there is a new detection.

See something suspicious that didn’t trip a detection? You can invoke on-demand automation with integrated Quick Actions from any page in InsightIDR.

Mapping of InsightConnect workflows to an ABA alert in InsightIDR

Sophisticated XDR without any headaches

With Rapid7, you’ll achieve sophisticated detection and response outcomes with greater efficiency and efficacy — no matter where you and your team are on your security journey. Stay up to date on the latest from InsightIDR, Threat Command, and InsightConnect as we continue to up-level our cross-product integrations to bring you the most comprehensive XDR solution.



The Future of the SOC Is XDR

Extended detection and response (XDR) is increasingly gaining traction across the industry. In a new research ebook sponsored by Rapid7, SOC Modernization and the Role of XDR, ESG identified that 61% of security professionals claim that they are very familiar with XDR technology. While this is an improvement from ESG’s 2020 research (when only 24% of security professionals were very familiar with XDR), 39% are still only somewhat familiar, not very familiar, or not at all familiar with XDR.

Security professionals are still unsure of all the associated capabilities that they can leverage with XDR, and frankly how to define the solution. ESG reports that 55% of respondents say that XDR is an extension of endpoint detection and response (EDR), while 44% believe XDR is a detection and response product from a single security technology vendor or an integrated and heterogeneous security product architecture designed to interoperate and coordinate on threat prevention, detection, and response. Nevertheless, XDR has yet to be standardized in the industry.

Keeping up with threats

XDR, as defined by Rapid7, goes beyond simple data aggregation. It unifies and transforms relevant security data across a modern environment to detect real attacks. XDR provides security teams with high context and actionable insights to extinguish threats quickly. With XDR, organizations can operate efficiently, reduce noise, and help zero in on attacks early.

According to ESG, security professionals seem to have a number of common XDR use cases in mind. 26% of security professionals want XDR to help prioritize alerts based on risk, 26% seek improved detection of advanced threats, 25% want more efficient threat/forensic investigations, 25% desire a layered addition to existing threat detection tools, and 25% think XDR could improve threat detection to reinforce security controls and prevent future similar attacks.

The theme and core capabilities that are common align with filling in gaps within the security tech stack – while improving threat detection and response.

Holistic detection and response

More than half of security professionals, surveyed by ESG, believe XDR will supplement existing security operations technologies; 44% of those surveyed see XDR as consolidating current security operations technologies into a common platform.

Security operations center (SOC) analysts struggle with numerous disparate tools and systems, which often means sifting through a lot of data (often noise) and context-switching (moving from one tool to another). XDR aims to:

  • Unify broad telemetry sources (e.g. users, endpoints, cloud, network, etc.) into a single view and set of detections. It helps analysts curate detections, comprehensive investigations, and much more ultimately enabling simpler, smarter, and faster executions.
  • Embed expertise to help guide incident response (e.g. recommended actions and next steps, automations, etc.) to enable security professionals to respond to threats with a single click – or without resource involvement.
  • Empower security teams to be more proactive around detection and response by enabling hunting, guiding forensic and investigation use cases, and more automation to streamline SecOps.
  • Unlock greater efficiency and efficacy for security teams at each step of the detection and response journey (from initial deployment and data collection, to finding threats and incident response).

Regardless of how XDR is defined, security professionals are interested in using XDR to help them address several threat detection and response challenges. InsightIDR, Rapid7’s cloud-native SIEM and XDR, was delivering XDR outcomes before the term was even coined, and its users continue to achieve them: improved security efficacy and efficiency, unified data, and more streamlined security operations.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.


5 SOAR Myths Debunked

A recently published ESG research ebook, sponsored by Rapid7, SOC Modernization and the Role of XDR, shows that organizations are increasingly leveraging security orchestration, automation, and response (SOAR) systems in an attempt to keep up with their security operations challenges. This makes sense, as every organization is facing the combined pressure of the growing threat landscape, expanding attack surface, and the cybersecurity skills shortage. To address these challenges, 88% of organizations report that they plan to increase their spending on security operations with the specific goal of better operationalizing threat intelligence, leveraging asset data in their SOC, improving their alert prioritization, and better measuring and improving their KPIs. All of these initiatives fall squarely into the purpose and value of SOAR.

In the same research, ESG also uncovered both praise and challenges for SOAR systems. On the praise side, there is very broad agreement that SOAR tools are effective for automating both complex and basic security operations tasks. But on the challenges side, the same respondents report unexpectedly high complexity and demands on programming and scripting skills that are getting in the way of SOAR-enabled value realization.

The SOC Modernization and the Role of XDR ebook, my years in the security industry, and my last year heavily focused on security operations and SOAR bring to mind five common SOAR myths worth debunking.

Myth #1: SOAR-enabled security automation is about eliminating security analysts

Security professionals, you can put away your wooden shoes (Sabot). There is no risk of job losses resulting from the use of SOAR tools. While in some cases, security tasks can be fully automated away, in the vast majority of SOAR-enabled automations, the value of SOAR is in teeing up the information necessary for security analysts to make good decisions and to leverage downstream integrations necessary to execute those decisions.

If you love manually collecting data from multiple internal and external sources necessary to make an informed decision and then manually opening tickets in IT service management systems or opening admin screens in various security controls to execute those decisions, stay away from using SOAR! Want to hear directly from an organization regarding this myth? Check out this Brooks case study and a supporting blog. The point of SOAR is to elevate your existing security professionals, not eliminate them.

Myth #2: SOAR requires programming skills

While SOARs require programming logic, they don’t generally require programming skills. If you know what process, data, decision points, and steps you need to get the job done, a SOAR system is designed to elevate the implementer of these processes out of the weeds of integrations and code-level logic steps necessary to get the job done.

The purpose of a well-designed SOAR is to elevate the security analyst out of the code and into the logic of their security operations. This is why a SOAR is not a general-purpose automation tool but is specifically designed and integrated to aid in the management and automation of tasks specific to security operations. Programming skills are not a prerequisite for getting value from a SOAR tool.

Myth #3: SOAR is only for incident response

While clearly the origin story of SOAR is closely connected to incident response (IR) and security operations centers (SOCs), it is a myth that SOARs are exclusively used to manage and automate IR-related processes. While responding effectively and quickly to incidents is critical, preparing your IT environment well through timely and efficient vulnerability management processes is equally important to the risk posture of the organization.

We see here at Rapid7 that just as many vulnerability management use cases are enabled with our SOAR product, InsightConnect, as are incident response ones. If you want to see some real life examples of incident response and vulnerability management use cases in action, check out these demos.

Myth #4: You must re-engineer your security processes before adopting SOAR

Some organizations get caught in a security catch-22. They are too busy with manual security tasks to apply automation to help reduce the time necessary to conduct these security tasks. This is a corollary to the problem of being too busy working to do any work. The beauty of SOAR solutions is that you don’t have to know exactly what your security processes need to be before using a SOAR. Fortunately, thousands of your peer organizations have been working on hundreds of these security processes for many years.

Why create from scratch when you can just borrow what has already been crowdsourced? Many SOAR users freely publish what they consider to be the best practice security process automations for the various security incidents and vulnerabilities that you will likely encounter. SOAR vendors, such as Rapid7, curate and host hundreds of pre-built automations that you can study and grab for free to apply (and customize as appropriate) to your organization. These crowdsourced libraries mean that you do not need to start your security automation projects with a blank sheet of paper.

Myth #5: SOAR tools are not needed if you use managed security service providers

There is no question that managed security service providers in general and managed detection and response (MDR) providers – such as Rapid7 – in particular can deliver critical security value to organizations. In fact, in the same ESG research, 88% of organizations reported that they would increase their use of managed services for security operations moving forward. The economic value of an MDR service like Rapid7’s was demonstrated in a newly published Forrester TEI report. But what happens to SOAR when you leverage an MDR provider?

The reality is that managed providers complement and extend your security teams and thus don’t fully replace them. While managed providers can and do automate aspects of your security operations – most typically detections and investigations – rarely are they given full rein to make changes in your IT and security systems or to drive responses directly into your organization. They provide well-vetted recommendations, and you, the staff security professionals, decide how and when best to implement those recommendations. This is where SOAR comes in, doing what it does best: helping you manage and automate the execution of those recommendations. In fact, debunking the myth, SOAR tools can directly complement and extend the value of managed security service providers.

Clearly, there is no shortage of things to do and improve in most organizations to bend the security curve in favor of the good guys. My hope is that this latest research from ESG and the SOAR myth-busting in this blog will help you and your organization bend the security curve in your favor.

Download the e-book today for more insights from ESG's research.


Today’s SOC Strategies Will Soon Be Inadequate

New research sponsored by Rapid7 explores the momentum behind security operations center (SOC) modernization and the role extended detection and response (XDR) plays. ESG surveyed over 370 IT and cybersecurity professionals in the US and Canada who are responsible for evaluating, purchasing, and using threat detection and response security products and services, and identified key trends in the space.

The first major finding won’t surprise you: Security operations remain challenging.

Cybersecurity is dynamic

A growing attack surface, the volume and complexity of security alerts, and public cloud proliferation add to the intricacy of security operations today. Attacks increased 31% from 2020 to 2021, according to Accenture’s State of Cybersecurity Resilience 2021 report. The number of attacks per company increased from 206 to 270 year over year. The disruptions will continue, ultimately making many current SOC strategies inadequate if teams don’t evolve from reactive to proactive.

In parallel, many organizations are facing tremendous challenges closer to home due to a lack of skilled resources. At the end of 2021, there was a security workforce gap of 377,000 jobs in the US and 2.7 million globally, according to the (ISC)2 Cybersecurity Workforce Study. Already-lean teams are experiencing increased workloads often resulting in burnout or churn.

Key findings on the state of the SOC

In the new ebook, SOC Modernization and the Role of XDR, you’ll learn more about the increasing difficulty in security operations, as well as the other key findings, which include:

  • Security professionals want more data and better detection rules – Despite the massive amount of security data collected, respondents want more scope and diversity.
  • SecOps process automation investments are proving valuable – Many organizations have realized benefits from security process automation, but challenges persist.
  • XDR momentum continues to build – XDR awareness continues to grow, though most see XDR supplementing or consolidating SOC technologies.
  • MDR is mainstream and expanding – Organizations need help from service providers for security operations; 85% use managed services for a portion or a majority of their security operations.

Download the full report to learn more.


What's New in InsightIDR: Q2 2022 in Review

This Q2 2022 recap post takes a look at some of the latest investments we've made to InsightIDR to drive detection and response forward for your organization.

New interactive HTML reports

InsightIDR's new HTML reports incorporate the interactive features you know and love from our dashboards delivered straight to your inbox. The HTML report file is sent as an email attachment and allows you to scroll through tables, drill in and out of cards, and sort tables in the same way you would explore dashboards.

Increased visibility into malware activity

Traditional intrusion detection systems (IDS) can be noisy. Rapid7's Threat Intelligence and Detection Engineering (TIDE) team has carefully analyzed thousands of IDS events to curate a list of only the most critical and actionable events. We've recently expanded our library to include over 4,500 curated IDS detection rules to help customers detect activity associated with thousands of common pieces of malware.

Catch data exfiltration attempts with Anomalous Data Transfer

Anomalous Data Transfer (ADT) is a new Attacker Behavior Analytics (ABA) detection rule that uses the Insight Network Sensor to identify large transfers of data sent by assets on a network. ADT outputs data exfiltration alerts which make it easier for you to monitor transfer activity and identify unusual behavior to stay ahead of threats. These new detections are available for select InsightIDR packages — see more details here in our documentation.

Build stronger integrations and quickly triage investigations with new InsightIDR APIs

Investigation management APIs

Our new APIs allow you to extract more extensive data from within your investigation and use it to integrate with third-party tools, or build automation workflows to help you save time analyzing and closing investigations. View our documentation to learn more.

  • Update one or more Investigation fields through a single API call
  • Retrieve a sortable list of Investigations
  • Search Investigations
  • Create a Manual Investigation

User, accounts, and asset APIs

We are excited to release new APIs to allow you to programmatically interface with InsightIDR users, accounts, local accounts, and assets. You can use these APIs to configure new automations that further contextualize alerts generated by InsightIDR or third-party tools and help you to create more actionable views of alert data.

Relative Activity: A new way to analyze detection rules

We've introduced a new score called Relative Activity to ABA detection rules that analyzes how often the Rule Logic matches data in your environment based on certain parameters. The Relative Activity score is calculated over a rolling 24-hour period and can help you:

  • Identify detection rules that might cause frequent investigations or notable events if switched on
  • Determine which rules may benefit from tuning, either by changing the Rule Action or adding exceptions

New Relative Activity score for detection rules
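The following added example illustrates the idea behind a rolling 24-hour activity score and how an exception changes it. It is not InsightIDR's scoring formula or code from the original post: the rule logic, the events and the exception are constructed, and the "noisy" cut-off of more than five matches a day is an arbitrary assumption for the illustration.

```python
"""Count how often each rule's logic matches events in a rolling 24-hour window.

Added example of a relative-activity style score. Events, rules and the
exception below are constructed; none of this is production detection content.
"""
from datetime import datetime, timedelta, timezone


def ev(ts, **fields):
    """Build a constructed event with every field present; timestamps are UTC."""
    base = {
        "timestamp": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
        "event": "", "user": "", "asset": "", "process": "", "cmdline": "", "logon_type": "",
    }
    base.update(fields)
    return base


# Constructed events spanning about 28 hours.
EVENTS = [
    # a backup service account logs on interactively every four hours
    *[ev(ts, event="logon", user="svc_backup", asset="backup-01", logon_type="interactive")
      for ts in ("2022-06-29 08:00", "2022-06-29 13:00", "2022-06-29 17:00", "2022-06-29 21:00",
                 "2022-06-30 01:00", "2022-06-30 05:00", "2022-06-30 09:00")],
    ev("2022-06-30 10:30", event="logon", user="svc_sql", asset="ws-17", logon_type="interactive"),
    ev("2022-06-30 11:00", event="process", user="jdoe", asset="ws-17",
       process="powershell.exe", cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ev("2022-06-30 11:30", event="logon", user="jdoe", asset="ws-17", logon_type="interactive"),
    ev("2022-06-30 11:45", event="process", user="jdoe", asset="ws-17",
       process="cmd.exe", cmdline="cmd.exe /c whoami"),
    ev("2022-06-30 11:50", event="logon", user="svc_backup", asset="backup-01", logon_type="network"),
]

# Constructed rule logic: each rule is a predicate over one event.
RULES = {
    "Service account interactive logon": lambda e: (
        e["event"] == "logon" and e["logon_type"] == "interactive" and e["user"].startswith("svc_")
    ),
    "Encoded PowerShell command": lambda e: (
        e["event"] == "process" and e["process"].lower() == "powershell.exe"
        and "-enc" in e["cmdline"].lower()
    ),
}

# Constructed exception: the backup account on its own host is expected behaviour.
EXCEPTIONS = {
    "Service account interactive logon": [
        lambda e: e["user"] == "svc_backup" and e["asset"] == "backup-01",
    ],
}

NOW = datetime(2022, 6, 30, 12, 0, tzinfo=timezone.utc)


def relative_activity(events, rules, now, window=timedelta(hours=24), exceptions=None):
    """Return rule -> number of matches in (now - window, now], after exceptions."""
    exceptions = exceptions or {}
    start = now - window
    counts = {name: 0 for name in rules}
    for e in events:
        if not (start < e["timestamp"] <= now):
            continue
        for name, logic in rules.items():
            if logic(e) and not any(exc(e) for exc in exceptions.get(name, [])):
                counts[name] += 1
    return counts


def tuning_candidates(counts, max_per_day=5):
    """Rules that would fire more than max_per_day times in the window."""
    return sorted(name for name, n in counts.items() if n > max_per_day)


if __name__ == "__main__":
    before = relative_activity(EVENTS, RULES, NOW)
    after = relative_activity(EVENTS, RULES, NOW, exceptions=EXCEPTIONS)
    for name in RULES:
        print(f"{name}: {before[name]} matches/24h, {after[name]} with exceptions")
    print("tuning candidates:", tuning_candidates(before))
```

Run against the constructed events, the service-account rule matches seven times in the window (the 08:00 logon on the 29th falls outside it) and shows up as a tuning candidate, while the encoded-PowerShell rule matches once. Adding the exception for the backup account drops the first rule to a single match, the `svc_sql` logon on a workstation, which is the one an analyst probably does want to see.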

Log Search improvements

  • Enrich Log Search results with new Quick Actions: Earlier this year InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button. We've recently released new Quick Actions to enable pre-configured actions within InsightIDR's Log Search for InsightIDR Ultimate and InsightIDR legacy customers. Quick Actions are available for select InsightIDR packages; see more details here in our documentation.

  • Use AWS S3 as a collection method for custom logs: Now customers have the choice to use either Cisco Umbrella or AWS S3 as a collection method when setting up custom logs. Alongside this update, we've also refactored the data source to make it more resilient and effective.

A growing library of actionable detections

In Q2, we added 290 new ABA detection rules to InsightIDR. See them in-product or visit the Detection Library for actionable descriptions and recommendations.

Stay tuned!

As always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.
