Securing Success: Stories from the SOC Webinar Series

In today’s fast-paced threat landscape, SOC (Security Operations Center) teams are under relentless pressure. Cyberattacks are evolving, threat volumes are skyrocketing, and attackers are exploiting vulnerabilities faster than ever. To navigate these challenges, Rapid7 has launched the "Securing Success: Stories from the SOC" webinar series.

This three-part series provides practical insights, expert advice, and actionable strategies for SOC teams. Featuring Rapid7’s leading experts and real-world case studies, the series covers everything from tackling incidents to building long-term resilience in your SOC.

Why Watch? Key Insights from the Series

Webinar 1: Securing Success: Spotlight on the SOC

Kicking off the series, this webinar offers a behind-the-scenes look at Rapid7’s SOC data and incident trends. Learn how attackers are leveraging cloud misconfigurations, exploiting vulnerabilities, and bypassing MFA. The session highlights actionable steps to detect these threats earlier and optimize your defenses.
Watch the Webinar

Webinar 2: Securing Success: Unlimited Incident Response

Dive into an in-depth case study of a ransomware attack and explore how Rapid7’s unlimited incident response service empowers teams to contain and recover from attacks. Discover the importance of leveraging tools like Velociraptor for forensic investigation, implementing robust containment measures, and prioritizing response actions to mitigate impact.
Watch the Webinar

Webinar 3: Securing Success: Strengthening Your SOC

In the series finale, Rapid7’s top experts, including Jaya Baloo and Raj Samani, address how to enhance SOC operations amidst rising attack volumes and evolving threats. From prioritizing vulnerabilities to leveraging curated threat intelligence, this session equips you with the strategies needed to strengthen your SOC and prepare for the future.
Watch the Webinar

Real Stories, Real Solutions

Each session delivers actionable insights through real-world examples and expert guidance:

  • Improving Detection and Response: Learn how to identify attackers earlier by addressing common access methods like phishing, cloud misconfigurations, and unpatched vulnerabilities.
  • Streamlining Incident Response: Explore Rapid7’s methodologies for tackling complex incidents, ensuring swift containment, and preventing future breaches.
  • Building a Resilient SOC: Discover how threat intelligence, prioritization, and collaboration can help your team focus on what truly matters.

Take the Next Step in Protecting Your Organization

Your attack surface is growing, and defending it requires the right tools and the right team of experts by your side. Learn how Rapid7’s Managed Detection & Response can help your organization unify total risk and threat coverage and keep you secure around the clock.

Amplify your SOC with the insights and tools to outsmart emerging threats, zero-in on the high fidelity signals that threaten your organization, and expertly respond around the clock. Discover how to take command with Managed Threat Complete here.

Unlocking the Power of AI in Cybersecurity: Key Takeaways from Our Latest Webinar

Today's SOC teams have to face dramatic challenges that include overwhelming volumes of alerts, blurred perimeter protections, and resource constraints; meanwhile, AI is bursting into SOC workflows as one of the most important elements in addressing these issues more productively and letting teams truly focus on what matters most.

In our recent webinar, "Enhancing MDR with AI: Real-World Use Cases & Security Insights," cybersecurity and AI experts shared their perspectives on how advancements in artificial intelligence are reshaping security operations. The session featured Hannah Coakley (Product Manager, Rapid7), Katie Wilbur (Senior Data Scientist, Rapid7), and Steven Warwick (Solutions Architect, AWS), who discussed the role of AI in addressing today’s most pressing challenges in SOC environments.

Here’s a snapshot of what we covered and why you’ll want to watch the full webinar.

  • AI-Powered Auto Triaging Enhances SOC Efficiency
    AI models can categorize thousands of daily alerts, filtering out noise and prioritizing critical threats. This allows analysts to focus their attention on incidents that matter most, improving response times and reducing manual workloads.
  • Generative AI Speeds Up and Standardizes Reporting
    Incident reporting, a traditionally time-intensive task, is streamlined with generative AI. By producing consistent first drafts, it saves time and ensures clarity in reports, enabling quicker decision-making in high-pressure environments.
  • Responsible AI Practices Build Trust and Transparency
    Effective AI implementation requires keeping humans in the loop to verify outputs and reduce biases. Responsible AI supports analysts rather than replacing them, ensuring its use enhances security efforts while maintaining trust.

You’ll Also Learn

  • The challenges SOCs face with alert volume and how AI helps address this issue.
  • The trade-off between explainability and accuracy when selecting AI models for cybersecurity.
  • How rigorous testing ensures AI models adapt to evolving threats in the cybersecurity landscape.

These are just a few of the insights that came out of an engaging session on the future of AI in cybersecurity. For a deeper dive into how AI is transforming SOC workflows and reshaping the field, watch the full webinar.

Watch the full webinar here to find out how integrating AI into your SOC closes the security gap and enables your team to work at its best.

Navigating Choppy Waters: Top Security Predictions from Rapid7's 2025 Webinar

It's that time of year again — one year is ending and another is set to begin. And what a year it's been for the security community! The sheer scale of incidents has left SecOps teams breathless, so thinking about what could be in store next year can be overwhelming.

But there's no need to panic; despite the disruption, the community has rallied together and risen to the challenge, demonstrating adaptability, collaboration, and resilience. And, most of all, why this industry isn't for the faint of heart!

Over the last few years, we've seen significant interest in our annual Security Predictions webinar. Security teams use the session to take stock of the current year and use the predictions to get a head start on planning for the next.

This year, the webinar was shot in person from Rapid7's office in Belfast, a city that has emerged as a modern tech innovation hub. From its origins as the shipyards that birthed the Titanic, Belfast's history is a testament to both ambition and resilience, so it is fitting that this city served as the stage for Rapid7's annual Security Predictions webinar.

Hosted by industry heavy hitter Brian Honan, CEO of BH Consulting, the webinar brought together Rapid7 security and policy experts Raj Samani, Chief Scientist, and Sabeen Malik, VP of Global Government Affairs and Public Policy.

Looking Back: 2024's Predictions in Review

Before diving into the future, the panel revisited their predictions for 2024, which focused on three core areas:

1. Increasing risks and regulations will intensify pressure on businesses to navigate evolving demands across a complex global landscape.

Sabeen Malik highlighted that the forecasted rise in cyber regulations materialized, with frameworks like NIS2 and the SEC's cybersecurity mandates intensifying global compliance demands.

2. Expect a surge in the growth of real-time information sharing within global public-private cyber partnerships.

While strides were made, Raj Samani noted that much of the shared data lacks actionable context, calling for enriched, actionable intelligence that organizations can immediately act upon.

3. The continued use of zero-day vulnerabilities exploited by ransomware groups will compel SOCs to focus on exposure management and validation strategies.

As predicted, ransomware groups continued to exploit zero-day vulnerabilities, a trend exacerbated by their increasing sophistication and access to novel attack vectors.

"2024 was pretty much on the button," said Brian Honan. "The predictions were accurate, but the challenges they highlighted are far from over."

2025 could be Iceberg Alley/Visibility as a Life Preserver

Prediction 1: Greater visibility will act as a life preserver for security teams treading water across an increasingly complex attack surface.

Visibility isn't just a cybersecurity buzzword—it's the foundation of effective defense. Raj Samani summarized this challenge succinctly: "You can't protect what you don't know about."

In today's environment, where assets span on-premise systems, cloud services, and third-party integrations, organizations often struggle to map their full attack surface. Raj explained how conflicting data from multiple tools complicates this task: "Your endpoint provider says one thing, your VPN provider says another — how do you normalize this information?"

After further discussion, the panelists provided a short-, medium- and long-term action plan to help defenders strengthen their visibility.

Prediction 2: To thrive in a world where regulatory change is an ongoing concern, SecOps should prepare for both the predictable and the unpredictable.

In cybersecurity, the only constant is change. The panel emphasized the need for agile Security Operations Centers (SOCs) to respond effectively to both expected and unexpected threats.

"This is about moving beyond checkbox exercises," said Sabeen. "SOC teams must adopt continuous processes and infrastructure to manage a rapidly changing landscape." She pointed to regulatory frameworks like DORA and NIS2, which mandate real-time monitoring and frequent vulnerability assessments, as drivers of this shift.

The panelists also provided an action plan that prioritizes incident response, real-time threat detection, and continuous vulnerability management to meet evolving compliance and security needs.

Prediction 3: Cybercriminals will increasingly exploit zero-day vulnerabilities, expanding potential entry points and bypassing traditional security measures to deliver more ransomware attacks.

Ransomware remains a dominant threat, evolving as attackers adopt zero-day vulnerabilities to bypass traditional defenses. Raj explained how this shift is lowering the technical barriers for cybercriminals: "Access to zero-days allows even unsophisticated actors to execute devastating attacks."

The professionalization of ransomware groups further exacerbates the threat. As Sabeen noted, "This is no longer a scattered effort. It's a highly organized, professional ecosystem, and it's growing at an unsustainable rate."

The team outlined an action plan to combat ransomware, including the critical action step of engaging organizational leadership to prioritize cybersecurity investments and ensure board-level awareness of the risks.

"Use this as an opportunity to have meaningful discussions with your board," Raj advised. "Ransomware is a top concern, and preparation is key."

Final Thoughts: Staying Resilient in Choppy Waters

While the challenges of 2025 may seem daunting, the panel concluded on a hopeful note. Raj highlighted Rapid7's commitment to empowering the industry through open-source tools and resources like AttackerKB, Metasploit, and Velociraptor.

"Don't be overwhelmed," Raj said. "We're all in this together, and Rapid7 is here to help with actionable insights and tools that protect what matters most."

As Brian wrapped up, he reflected on Belfast's legacy and the lessons it offers. "The Titanic reminds us of both the heights of ambition and the importance of preparation. In cybersecurity, as in life, visibility, adaptability, and resilience are the keys to navigating choppy waters."

To get a full understanding of what 2025 could bring, watch the Top Cybersecurity Predictions webinar on-demand.

Unlock 24/7 SOC Coverage: Rapid7 MXDR Now Supports Microsoft Security Products

In today’s complex threat landscape, organizations need every advantage at their disposal to stay secure, starting with maximizing the tools they already have within their ecosystem. With the launch of Rapid7 MXDR’s SOC support for key Microsoft security products, we’re making it possible for organizations to layer security defenses and amplify outcomes by combining their existing Microsoft telemetry with the 24x7 coverage, broad security ecosystem telemetry and in-depth expertise of Rapid7’s MXDR service.

By connecting directly to key Microsoft event sources—like Microsoft O365, Defender for Cloud, Defender for Endpoint, Defender for Vulnerability Management, Defender for Identity, and Entra Identity—MXDR amplifies detection, visibility, and response capabilities across the technology you rely on, without needing additional infrastructure or complex setups. From uncovering hidden threats to responding to incidents faster, this integration leverages Microsoft’s event data to help security teams achieve 24x7 comprehensive Microsoft coverage throughout their tool stack.

Organizations of every size can now harness the best of both worlds: the familiarity and depth of their Microsoft environment and the advanced detection, correlation, automation, and forensic response capabilities of Rapid7’s MXDR service.

Importance of Microsoft Event Sources in Today’s Threat Landscape

Microsoft tools are foundational in many organizations’ tech stacks, and help teams collect security-critical data that can enhance threat detection and incident response. Without an integrated technology stack and 24x7 SOC triage, investigation, and response coverage across the Microsoft tools that teams already rely on, normalizing inputs and pinpointing real signs of attacker behavior can be nearly impossible for teams of all sizes.

By supporting Microsoft event sources as a layer on top of native telemetry provided through the Rapid7 Detection Engine, we’re making it easier for security teams to correlate data across their environment from key areas in their Microsoft toolset.

Teams can now customize their Rapid7 MXDR support to cover triage, investigation, and response to threats across key Microsoft Security tools, including:

  • Microsoft Entra Identity Protection
  • Microsoft Defender for Identity
  • Microsoft Defender for Cloud
  • Microsoft Defender for Endpoint
  • Microsoft Defender for O365
  • Microsoft Defender for Vulnerability Management

By incorporating support for Microsoft security tools, Rapid7 MXDR maximizes your existing Microsoft investment, helping your security team stay agile and resilient in the face of an ever-evolving threat landscape.

Maintaining our Commitment to Securing Your Attack Surface

We’re on a mission for our MDR service to bring unified visibility to the attack surface and comprehensive defense capabilities to your security program. By extending 24x7 expert SOC coverage to Microsoft Security tools, we’re bringing:

  • Customization through integrating the tools you already rely on with Rapid7’s native telemetry to create a tailored service that layers alert data and accelerates response.
  • Visibility from both native and existing tool telemetry, to eliminate blind spots and respond rapidly to abnormal and malicious activity across your entire attack surface.
  • Broader response capabilities by extending the insights for the Rapid7 SOC to respond to and contain malicious behavior before it can cause harm to your environment, business, and brand.

Getting Started

As we extend our MXDR service with more comprehensive coverage to meet security teams where they are, we’re excited to partner with you to secure your extended ecosystem. If you’re a Rapid7 MDR customer, reach out to your account team to learn more about our extended coverage. If you’re not a Rapid7 MDR customer yet, request a demo here.

Takeaways From The Take Command Summit: Navigating Modern SOC Challenges

At our recent Take Command summit, experts delved into the pressing challenges faced by SOC teams. With 2,365 more data breaches in 2023 than in 2022 (74% of which were a direct result of cyber attacks), the need for robust security operations has never been greater.

Key takeaways from the 25-minute panel:

  1. Emphasizing Proactive Defense: SOC teams must prioritize proactive threat detection and intelligence gathering to stay ahead of evolving cyber threats.
  2. Enhancing Response Times: Reducing incident response times is crucial for mitigating the impact of security breaches and minimizing damage.
  3. Leveraging Advanced Tools: Utilizing advanced threat detection technologies, such as AI and machine learning, can significantly improve the ability to identify and respond to sophisticated attacks.

Key Quote:

"The increasing use of native tools by threat actors means they can stay hidden longer, complicating our detection efforts." - Lonnie Best, Detection & Response Services Manager, Rapid7.

The evolving threat landscape requires SOC teams to enhance detection capabilities and streamline operations. To dive deeper into these insights, click through to watch the full discussion.

Rapid7 Infuses Generative AI into the InsightPlatform to Supercharge SecOps and Augment MDR Services

In the ever-evolving landscape of cybersecurity, staying ahead of threats is not just a goal—it's a necessity. At Rapid7, we are pioneering the infusion of artificial intelligence (AI) into our platform and service offerings, transforming the way security operations centers (SOCs) around the globe operate. We’ve been utilizing AI in our technologies for decades, establishing patented models to better and more efficiently solve customer challenges. Furthering this endeavor, we’re excited to announce we’ve extended the Rapid7 AI Engine to include new Generative AI capabilities being used by our internal SOC teams, transforming the way we deliver our MDR services.

A Thoughtful, Deliberate Approach to AI Model Deployment

At Rapid7, one of our core philosophical beliefs is that vendors - like ourselves - should not lean on customers to tune our models. This belief is showcased by our approach to deploying AI models, with a process that entails initially releasing them to our internal SOC teams to be trained and battle-tested before being released to customers via in-product experiences.

Another core pillar of our AI development principles is that human supervision is essential and can’t be completely removed from the process. We believe wholeheartedly in the efficacy of our models, but the reality is that AI is not immune from making mistakes. At Rapid7, we have the advantage of working in lockstep with one of the world's leading SOC teams. With a continuous feedback loop in place between our frontline analysts and our AI and data science team, we’re constantly fine-tuning our models, and MDR customers benefit from knowing our teams are validating any AI-generated output for accuracy.

Intelligent Threat Detection and Continuous Alert Triage Validation

The first line of defense in any cybersecurity strategy is the ability to detect threats accurately and efficiently. The Rapid7 AI Engine leverages the massive volume of high-fidelity risk and threat data to enhance alert triage by accurately distinguishing between malicious and benign alerts, ensuring analysts can focus on only the alerts that are truly malicious. The engine has also been extended to include a combination of both traditional machine learning (ML) and Generative AI models to ensure new security alerts are accurately labeled as malicious or benign. This work boosts the signal-to-noise ratio, thereby enabling Rapid7 analysts to spend more time investigating the security signals that matter to our customers.

Introducing Our AI-Powered SOC Assistant

Generative AI is not just a tool; it's a game-changer for SOC efficiency. Our AI-native SOC assistant empowers MDR analysts to quickly respond to security threats and proactively mitigate risks on behalf of our customers. Because we fundamentally believe AI should be trained by the knowledge of our teams and vetted processes, our SOC assistant utilizes our vast internal knowledge bases. Sources like the Rapid7 MDR Handbook - a resource amassed over decades of experience cultivated by our elite SOC team - enable the assistant to guide analysts through complex investigations and streamline response workflows, keeping our analysts a step ahead.

Rapid7 is further using generative AI to carefully automate the drafting of security reports for SOC analysts, typically a manual and time-intensive process. With more than 11,000 customers globally, the Rapid7 SOC triages a huge volume of activity each month, with summaries that are critical for keeping customers fully updated on what’s happening in their environment and actions performed on their behalf. While AI is a key tool to streamline report building and delivery, every report that is generated by the Rapid7 AI Engine is augmented and enhanced by our SOC teams, making certain every data point is accurate and actionable. Beyond providing expert guidance, the AI assistant also has the ability to automatically generate incident reports once investigations are closed out, streamlining the process and ensuring we can communicate updates with customers in a timely manner.

An Enabler for Secure AI/ML Application Development

We know we’re not alone in developing Generative AI solutions, and as such we’re also focused on delivering capabilities that allow our customers to implement and adhere to AI/ML development best practices. We continue to expand our support for Generative AI services from major cloud service providers (CSPs), including AWS Bedrock, Azure OpenAI service and GCP Vertex. These services can be continuously audited against best practices outlined in the Rapid7 AI/ML Security Best Practices compliance pack, which includes the mitigations outlined in the OWASP Top 10 for ML and large language models (LLMs). Our continuous auditing process, enriched by InsightCloudSec’s Layered Context, offers a comprehensive view of AI-related cloud risks, ensuring that our customers' AI-powered assets are secure.

The Future of MDR Services is Powered by AI

The integration of Generative AI into the Insight Platform is not just about helping our teams keep pace - it's about setting the pace. With unparalleled scalability and adaptability, Rapid7 is committed to maintaining a competitive edge in the market, particularly as it relates to leveraging AI to transform security operations. Our focus on operational efficiencies, cost reduction, and improved quality of service is unwavering. We're not just responding to the changing threat landscape – we're reshaping it.

The future of MDR services is here, and it's powered by the Rapid7 AI Engine.

5 Insights from the Latest Cybersecurity Trends Research

Rapid7 is committed to promoting research that identifies the latest cybersecurity trends so that organizations can leverage these insights and create programs that make sense for the modern SOC. To that end, we’ve singled out five quick insights security professionals and stakeholders should consider when looking ahead. These findings are based on Top Trends in Cybersecurity for 2024, a new research report from Gartner®.

Organizations Will Focus on Improving Resilience

As cloud continues to be adopted at a frenzied pace across organizations large, small, and everything in between, it’s critical to maintain organizational resiliency as attack surfaces expand and security becomes more urgent than ever. Indeed, the research notes that: “Improving organizational resilience has become a primary driver of security investments for several interconnected reasons:

  • “Digital ecosystems continue to sprawl, due to increasing cloud adoption.
  • Organizations are entrenching hybrid work arrangements.
  • The threat environment continues to evolve as emerging capabilities also embolden attackers.”

Continuous Threat Exposure Management Programs Will Take Off

Organizational attack surfaces have expanded for many reasons: the adoption of SaaS, remote work, custom application development, and more. All of these changes are efficiency drivers for businesses, but can also become liabilities rife with vulnerabilities. As organizations put more products and policies into place – especially from multiple vendors – it can become more difficult to manage this new attack surface at scale.

The research stipulates that, in order to try and solve this issue, “security and risk management (SRM) leaders have introduced pilot processes that govern the volume and importance of threat exposures and the impact of dealing with them with continuous threat exposure management (CTEM) programs.” Short-term remediations can only go so far; the game is accelerating and long-term solutions must be put into place.

Generative AI Will Inspire Long-Term-Yet-Cautious Hope

Security organizations are embracing generative AI (GenAI) to help gain visibility across hybrid attack surfaces, spot threats fast, and automatically prioritize risk signals. In other sectors, unmanaged and uncontrolled uses of GenAI need reining in before they can cause real societal damage with things like deepfakes, misinformation, and copyright infringement.

The research states that “the most notable issues were the use of confidential data in third-party GenAI applications and the copyright infringement and brand damage that could result from the use of unvetted generated content.” As AI companies continue to release new products that are more readily customizable by developers, laws and security policies will need to be put into place to curtail this potential third-party threat.

The C-Suite Communications Gap Will Narrow

With clearer outcome-driven metrics (ODMs) comes the ability to more easily convince the boardroom that direct investment in a cybersecurity initiative is imperative. Indeed, CISOs and other key security personnel and stakeholders have for years been running up against budgetary pushback that all too often leads to a porous attack surface as well as the inability to properly respond or prepare.

According to the research, “the 2023 Gartner Evolution of Cybersecurity Leader Survey asked chief information security officers (CISOs) the following question: ‘What has been the impact of changing business objectives on your cybersecurity strategy?’ In response, 60% said there had been some impact or a major impact.” When goals and/or key performance indicators (KPIs) shift, the security organization must be able to readily communicate where potential risk could lie in the changed environment.

ODMs can create a clearer path for security. From the report:

  • “Explain material cyber incidents to executives and guide specific investments to remediate them.
  • Support transparency to educate executives, lines of business and corporate functions about inappropriate or cavalier risk acceptance.
  • Expose matrixed management problems, such as the role the IT team plays in patching problems for which the security organization is typically held accountable.”

Cybersecurity Reskilling Will Help to Future-Proof

There is a continuing cybersecurity talent gap and, at the same time, there seems to be a shift in the types of skills practitioners need to bring to the job. Think of the implications this “moving target” has on both security organizations and people strategy teams tasked with scouring the marketplace for this magical unicorn.

The report details how, “in the U.S. alone, there are only enough qualified cybersecurity professionals to meet 70% of current demand – an all-time low over the past decade.” A plethora of trends are leading to this current disparity, including: accelerated cloud adoption, the emergence of GenAI, threat-landscape expansion, and vendor consolidation.

Greater business acumen as well as AI ethics and human psychology are just a few of the soft skills that will come to have greater prominence in job descriptions of security talent. Indeed, this may signal a stronger coming partnership between talent acquisition teams and security teams so that all parties involved can be sure that the right talent is recruited in the best way possible.

Read the report here.

Gartner, Top Trends in Cybersecurity for 2024, Richard Addiscott, Jeremy D’Hoinne, et al., 2 January 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Building the Best SOC Takes Strategic Thinking

So your security team is ready to scale up its security operations center, or SOC, to better meet the security needs of your organization. That’s great news. But there are some very important strategic questions that need to be answered if you want to build the most effective SOC you can and avoid some of the most common pitfalls teams of any size can encounter.

The Gartner® report, SOC Model Guide, is an excellent resource for understanding how to ask the right questions regarding your security needs and what to do once those questions are answered.

Question 1: Which Model is Right for You?

There are several different ways to build an effective SOC. And while some are more complicated (perhaps even prohibitively so) than others, knowing what your needs and resources are at the outset will help you make this crucial initial decision.

Gartner puts it this way:

“A SOC model defines a strategy for variation in the use of internal teams and external service providers when running a SOC. It ensures all roles required to operate a SOC are allocated to those best suited to discharge the associated responsibilities. An effective SOC model lets SRM leaders allocate resources based on business priorities, available skill sets and budget…”

There are effectively three ways to build a SOC: internal, external, and hybrid. The report has this to say:

"Opting for a hybrid SOC is one way to help grow capabilities, while managing scale and cost. A hybrid SOC is one in which more than one team, both insourced and outsourced, plays a role in the activities required for proper SOC operation. The question of which teams, roles, jobs and activities are best kept in-house or outsourced is complex. Building a SOC model helps you answer it and ensure a hybrid SOC is well-balanced."

Question 2: Who Does What?

Let’s assume your organization is opting for a hybrid approach. The next question you will need to ask yourself is: which roles am I outsourcing, and which roles am I keeping in-house? Understanding your business needs and whether internal or external partners are the best course of action can take some serious soul-searching on your part.

Luckily, Gartner has some recommendations. From the report:

"Some SOC tasks are strategic, such as those performed by the roles of senior investigator, incident response manager and red team tester. They are often best performed by in-house staff who understand the business’s needs and the security issues.

"Other SOC tasks are tactical, such as building detection content for common attacks. They are generally best performed by a larger external team, which can do them more efficiently, on a bigger scale, and for longer periods."

Question 3: How Do We Keep Everything Humming Along?

Once you’ve chosen your SOC model and built your team, it is important to monitor and react to the ways in which the internal and external partners work together. If you’ve followed Gartner's recommendations, outsourcing your tactical needs and some highly specific skill sets while keeping your strategic thinkers in-house, then you need a way for the teams to work together that is as dynamic as the environment they are seeking to protect.

Gartner offers this advice:

“Have clear demarcations between objective handlers, but ensure there is shared awareness. A challenge with hybrid models that use different providers or teams to handle objectives is that it can be hard to instill a results-oriented mindset. An external provider or internal team often gets “tunnel vision” — focusing only on its own individual objective — and loses sight of the big picture of SOC performance. You must ensure each provider or team is aware of its impact on adjacent objectives, not just its own.”

Just because different teams have different goals does not mean they should operate in silos. Ensuring that internal and external team members can see the big picture and understand the capabilities and limitations of others on the team is a critical component of building a SOC that works well today and grows well together.

Building a SOC from scratch is no easy feat, and it is made harder without some serious strategic thinking and soul-searching before building the team. Understand your unique needs, the general needs of a SOC team, what your resources are, and the expectations of your organization before building your own A-team of crack security professionals.

To read more about SOC models, see the Gartner SOC Model Guide.

Gartner, SOC Model Guide, Eric Ahlm, Mitchell Schneider, Pete Shoard, 18 October 2023

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Attackers are Working Around The Clock. Luckily, So Are We.

It takes an average of 204 days for organizations to discover a breach, and from there an average of 73 days to contain it. With the average cost of a breach at an all-time high of $4.45 million, there’s an undeniable need for teams to enlist the right experts to quickly eradicate threats.

At Rapid7, our expert SOC analysts detect and respond to threats end-to-end for MDR customers – no matter how large or complex. Rapid7’s Active Response, powered by InsightConnect SOAR Automation, enables our analysts to contain endpoints and users on your behalf within minutes of when a threat is identified, reducing attacker dwell time and keeping your organization safe from the damaging consequences of an attack.

24x7 Immediate Containment of Validated Threats with Active Response

Active Response was initially launched in 2020. We’ve now expanded it to include broader asset quarantine support across third-party providers — including CrowdStrike, SentinelOne, Carbon Black Cloud, and more — as well as more transparency into MDR analyst activity, to bring you more expansive, collaborative detection and response. What you can expect with Active Response:

  • Rapid7 MDR analysts will contain compromised endpoints or users as early in the killchain as possible to keep your organization safe from threats including malware, lateral movement, data exfiltration attempts, and more. We’ve also added a cloud-enabled option for actions to quarantine assets — removing the need for any on-prem components and making containment even faster for your organization.
  • Our team takes action on your behalf when we see a validated threat, but you have control of the parameters with the ability to create containment guardrails to prohibit the containment of critical servers, users, or devices. You always have the option to unquarantine assets or users directly from InsightIDR, making it extremely straightforward and keeping the power in your hands.
  • Rapid7’s coverage doesn’t stop there — with recommended additional actions for containment, remediation, and mitigation, our analysts ensure your organization is as secure as possible.

See How Active Response Stopped Malware in a Recent Rapid7 MDR Investigation

The following is a real-world example of a threat handled by our MDR analysts leveraging Active Response to quarantine an asset and stop malware.

Attacker Activity

  • [USER 1], working on legal cases, used the Chrome browser to visit a legitimate website that had been compromised with malicious embedded JavaScript functions.
  • The embedded JavaScript file loaded a pop-up inviting the user to update their browser by downloading a ZIP archive containing a JavaScript file.
  • Once executed, the JavaScript file communicated with command and control (C2) infrastructure to download and execute a malicious payload. The payload fingerprinted the asset, user, cached password, domain controllers, and trusted domains, and wrote the results to a file at the root of [USER 1]’s %temp% directory to stage the host for subsequent exploitation.
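The chain above is a good candidate for a correlation rule rather than a single-event alert: a script host running a .js file out of a temp or downloads path is noisy on its own, but the same host and user then spawning discovery commands from that script host within a few minutes is much more specific. The script below is an added illustration, not code from Rapid7, InsightIDR or the investigation described; it runs over constructed Sysmon-style process-creation records (field names, hostnames, user names and paths are all assumed) and pairs the two stages.

```python
"""Two-stage correlation for the fake-browser-update chain described above.

Added example with constructed data; the event schema (ts/host/user/image/parent/cmdline)
is assumed and does not correspond to any particular product's log format.
"""
import ntpath
import re
from collections import defaultdict
from datetime import datetime

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
STAGING_DIRS = ("\\temp\\", "\\downloads\\")
SCRIPT_EXT = re.compile(r'\.(js|jse|vbs|wsf)(["\s]|$)')
# Host-discovery commands matching the "fingerprint the asset" step in the write-up
RECON_TOKENS = ("whoami", "nltest", "systeminfo", "net group", "net user")

# Constructed process-creation records; not taken from any real investigation.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:01:02Z", "host": "WS-LEGAL-07", "user": "USER1",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "chrome.exe"},
    {"ts": "2024-01-10T09:03:15Z", "host": "WS-LEGAL-07", "user": "USER1",
     "image": "C:\\Windows\\System32\\wscript.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'wscript.exe "C:\\Users\\USER1\\AppData\\Local\\Temp\\Temp1_Update.zip\\Chrome_Update.js"'},
    {"ts": "2024-01-10T09:03:18Z", "host": "WS-LEGAL-07", "user": "USER1",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "cmd.exe /c whoami /all & nltest /domain_trusts > C:\\Users\\USER1\\AppData\\Local\\Temp\\rad1.tmp"},
    # Benign admin script run from a managed path: must not fire.
    {"ts": "2024-01-10T09:10:00Z", "host": "WS-ADMIN-01", "user": "ADMIN",
     "image": "C:\\Windows\\System32\\cscript.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cscript.exe C:\\Scripts\\inventory.vbs"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _basename(path):
    return ntpath.basename(path).lower()


def is_script_from_staging(event):
    """Stage 1: wscript/cscript executing a script file from a temp or downloads path."""
    if _basename(event["image"]) not in SCRIPT_HOSTS:
        return False
    cmd = event["cmdline"].lower()
    return any(d in cmd for d in STAGING_DIRS) and SCRIPT_EXT.search(cmd) is not None


def is_recon_child(event):
    """Stage 2: a discovery command whose parent process is a script host."""
    if _basename(event["parent"]) not in SCRIPT_HOSTS:
        return False
    cmd = event["cmdline"].lower()
    return any(tok in cmd for tok in RECON_TOKENS)


def correlate(events, window_seconds=300):
    """Pair each stage-1 launch with stage-2 activity from the same host and user.

    A launch with no follow-on discovery is reported at medium severity; a launch
    followed by discovery inside the window is reported as high.
    """
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["host"], ev["user"])].append(ev)

    findings = []
    for (host, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for launch in (e for e in evs if is_script_from_staging(e)):
            t0 = parse_ts(launch["ts"])
            recon = [e for e in evs if is_recon_child(e)
                     and 0 <= (parse_ts(e["ts"]) - t0).total_seconds() <= window_seconds]
            findings.append({
                "host": host, "user": user, "launch": launch["cmdline"],
                "recon_count": len(recon),
                "severity": "high" if recon else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["user"], f["launch"])
```

The point of the pairing is that either stage alone produces false positives (developers run scripts from Downloads; admins run whoami), while the sequence on one host and user is the chain the write-up describes. In a real deployment the staging-path list and discovery tokens would be tuned to the environment, and the alert would be what triggers the containment decision rather than an automatic quarantine.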

Build Resilience While You Sleep

Active Response enables teams to immediately quarantine malicious behavior before it can compromise a system, saving teams from the damaging outcomes of a successful security breach as well as costly ransomware, loss of data, and broken customer trust.

Whether it’s an intrusion attempt, suspicious process start activity, or anything in between, Rapid7’s SOC has their eyes on your environment 24x7x365, halting suspicious activity in its tracks so you can sleep peacefully through the night.

To learn more about Active Response, talk to your Customer Advisor or a representative.

Rapid7 Takes Next Step in AI Innovation with New AI-Powered Threat Detections

Digital transformation has created immense opportunity to generate new revenue streams, better engage with customers and drive operational efficiency. A decades-long transition to cloud as the de facto delivery model of choice has delivered undeniable value to the business landscape. But any change in operating model brings new challenges too.

The speed, scale and complexity of modern IT environments result in security teams being tasked with analyzing mountains of data to keep pace with the ever-expanding threat landscape. This dynamic puts security analysts on their heels, constantly reacting to incoming threat signals from tools that weren’t purpose-built for hybrid environments, creating coverage gaps and a need to swivel-chair between a multitude of point solutions. Making matters worse? Attackers have increasingly looked to weaponize AI technologies to launch sophisticated attacks, benefiting from increased scale, easy access to AI-generated malware packages, and more effective social engineering and phishing using generative AI.

To combat these challenges, we need to equip our security teams with modern solutions that leverage AI to cut through the noise and boost the signals that matter. Our AI algorithms alleviate alert and action fatigue by delivering visibility across your IT environment and intelligently prioritizing the most important risk signals.

Rapid7 Has Been an AI Innovator for Decades

There has been a groundswell of development and corresponding interest in generative AI, particularly in the last few years as mainstream adoption of large language models (LLMs) grows. Most notably, OpenAI’s ChatGPT has brought AI to the forefront of people’s minds. This buzz has resulted in a number of vendors in the security space launching their own intelligent assistants and working to incorporate AI/ML into their respective solutions to keep pace.

From our perspective, this is great news and a huge step forward in the data & AI space. Rapid7 is also accelerating investment, but we’re certainly not starting from scratch. In fact, Rapid7 was a pioneer in AI development for security use cases, going all the way back to our earliest days with our VM Expert System in the early 2000s.


Built on decades of risk analysis and continuously trained by our expert SOC team, Rapid7 AI enables your team to focus on what matters most by proactively shrinking your attack surface and intelligently re-balancing the scales between signal and noise.

With visibility across your hybrid attack surface, the Insight Platform enables proactive prevention, leveraging a proprietary AI-based detection engine to spot threats faster than ever and automatically prioritize the signals that matter most based on likelihood of exploitation and potential business impact. Based on learnings from your own environment and security operations over time, the platform will intelligently recommend updates to detection rule settings in an effort to reduce excess noise and eliminate false positives.

By integrating our AI capabilities into the Rapid7 platform, customers benefit from:

  • World-class threat efficacy, with AI-driven detection of anomalous activity. With a vast amount of legitimate activity occurring across customer environments, our AI algorithms validate whether activity is actually malicious, allowing teams to spot unknown threats faster than ever.
  • Help cutting through the noise, by identifying the signals that matter most. Our AI algorithms automatically and intelligently prioritize risks and threats, suppressing benign alerts to eliminate the noise so analysts can focus on what matters most.
  • The confidence that they’re taking action on AI-generated insights they can trust, built on decades of risk and threat analysis and trained by a team of recognized innovators in AI-driven security.

Recent Innovations in AI-driven Threat Detection

We’ve recently announced two new AI/ML-powered threat detection capabilities aimed at enabling teams to detect unknown threats across a customer’s environment faster than ever before without introducing excess noise.

  • Cloud Anomaly Detection
    Cloud Anomaly Detection is an AI-powered, agentless detection capability designed to detect and prioritize anomalous activity within an organization’s own cloud environment. The proprietary AI engine goes beyond simply detecting suspicious behavior; it automatically suppresses benign signals to reduce noise, eliminate false positives, and enable teams to focus on investigating highly probable active threats. For more information, see the Cloud Anomaly Detection launch blog.
  • Intelligent Kerberoasting Detection
    We’ve expanded existing AI-driven detections for attack types such as data exfiltration, phishing and credential theft to include intelligent detection, validation and prioritization of Kerberoasting attacks. The platform goes beyond traditional tactics for detecting Kerberoasting by applying a deep understanding of typical user activity across the organization. With this context, SOC teams can respond with confidence knowing the signals they are receiving are actually indicative of a Kerberoasting attack.
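What "a deep understanding of typical user activity" can look like in a concrete rule, as an added example that is not Rapid7’s detection logic: combine a per-account baseline (how many distinct service accounts a requester normally asks tickets for) with the ticket encryption type, and alert only when a burst is both far above that account’s own baseline and dominated by RC4 tickets. The script below runs over constructed Windows Event ID 4769 records with simplified field names (the real event uses TargetUserName, ServiceName and TicketEncryptionType); the accounts, SPNs, timestamps and baseline values are all invented.

```python
"""Baseline-aware Kerberoasting heuristic over constructed Event ID 4769 records.

Added example; not a product detection. Field names are simplified and the
baseline dictionary stands in for values a platform would learn from history.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES256 is 0x12, AES128 is 0x11

# Constructed records: one requester bursting across many user service accounts,
# two requesters doing ordinary work.
SAMPLE_4769 = [
    {"ts": "2024-01-10T10:00:01Z", "account": "jsmith", "service_name": "svc-sql", "encryption_type": 0x17},
    {"ts": "2024-01-10T10:00:02Z", "account": "jsmith", "service_name": "svc-web", "encryption_type": 0x17},
    {"ts": "2024-01-10T10:00:02Z", "account": "jsmith", "service_name": "svc-backup", "encryption_type": 0x17},
    {"ts": "2024-01-10T10:00:03Z", "account": "jsmith", "service_name": "svc-sharepoint", "encryption_type": 0x17},
    {"ts": "2024-01-10T10:01:10Z", "account": "jsmith", "service_name": "svc-exchange", "encryption_type": 0x17},
    {"ts": "2024-01-10T10:01:40Z", "account": "jsmith", "service_name": "svc-ftp", "encryption_type": 0x17},
    # rsmith: routine AES tickets for one service account and one file server
    {"ts": "2024-01-10T10:05:00Z", "account": "rsmith", "service_name": "svc-sql", "encryption_type": 0x12},
    {"ts": "2024-01-10T10:40:00Z", "account": "rsmith", "service_name": "FILESRV01$", "encryption_type": 0x12},
    # svc-backup: only ever talks to computer accounts, which are not roastable targets
    {"ts": "2024-01-10T10:06:00Z", "account": "svc-backup", "service_name": "FILESRV01$", "encryption_type": 0x12},
    {"ts": "2024-01-10T10:06:30Z", "account": "svc-backup", "service_name": "FILESRV02$", "encryption_type": 0x12},
]

# Constructed baseline: distinct user service accounts each requester normally touches per window.
BASELINE_DISTINCT_SPNS = {"jsmith": 2.0, "rsmith": 1.5, "svc-backup": 0.0}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_roastable_target(service_name):
    """Computer accounts (trailing '$') have long random passwords; krbtgt is a special case."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def _window_stats(evs, window):
    """Most suspicious window for one account: (distinct roastable targets, RC4 share)."""
    best = (0, 0.0)
    for i, start in enumerate(evs):
        t0 = parse_ts(start["ts"])
        win = [e for e in evs[i:] if parse_ts(e["ts"]) - t0 <= window]
        targets = {e["service_name"] for e in win if is_roastable_target(e["service_name"])}
        rc4_share = sum(1 for e in win if e["encryption_type"] == RC4_HMAC) / len(win)
        best = max(best, (len(targets), rc4_share))
    return best


def detect_kerberoasting(events, baseline, window=timedelta(minutes=10),
                         min_distinct=5, ratio=3.0, rc4_floor=0.5):
    """Flag accounts whose ticket requests exceed both an absolute floor and a
    multiple of their own baseline, and are mostly RC4.

    Returns {account: details} for accounts that trip all three conditions.
    """
    per_account = defaultdict(list)
    for ev in events:
        per_account[ev["account"]].append(ev)

    findings = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["ts"])
        distinct, rc4_share = _window_stats(evs, window)
        expected = baseline.get(account, 1.0)
        if distinct >= min_distinct and distinct >= ratio * expected and rc4_share >= rc4_floor:
            findings[account] = {
                "distinct_targets": distinct,
                "rc4_share": round(rc4_share, 2),
                "baseline": expected,
            }
    return findings


if __name__ == "__main__":
    for account, details in detect_kerberoasting(SAMPLE_4769, BASELINE_DISTINCT_SPNS).items():
        print(account, details)
```

Two design points carry the weight here. The per-account baseline is what keeps a backup or monitoring service account that legitimately requests many tickets from alerting, and the filter on computer accounts removes targets that are not practically crackable. The RC4 condition is a strong signal but not a sufficient one: AES-only tickets can still be requested and offline-attacked, so a production rule would treat a burst far above baseline as reportable even without an encryption downgrade, at a lower severity.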

Rapid7 continues to explore and invest in ways we can leverage AI/ML to better equip our customers to defend their organizations against the ever-expanding threat landscape. Keep an eye out in the near future for additional innovations in this space.

For now, be sure to stop by the Rapid7 booth (#1270) at AWS re:Invent, where we’ll be showcasing Cloud Anomaly Detection; come talk to us about how your team is thinking about utilizing AI.