MDR + SIEM: Why Full Access to Your Security Logs is Non-Negotiable

Many Managed Detection and Response (MDR) providers promise world-class threat detection, but behind the scenes they lock away your security logs, limiting your visibility and control. It’s your data — so why don’t you have full access to it? Isn’t the whole point of security to see everything happening in your environment? Without full access to your own data, you’re left dependent on their tools, their timelines, and their interpretations of security events.

This isn’t just an inconvenience — it’s a risk.

Pairing MDR with a Security Information and Event Management (SIEM) solution ensures complete transparency, enabling real-time investigation, historical threat hunting, compliance readiness, and deeper threat insights. If you don’t have full access to your security logs, you’re not truly in control of your cybersecurity strategy. And in today’s high-stakes environment, that’s simply not an option.

With Rapid7 MDR, you don’t just gain a service — you gain full access and control over your data, unlocking significant advantages for compliance, long-term strategy, and cross-platform analytics.

The Benefits of Owning your Data

When it comes to cybersecurity, data is everything. Logs, events, and alerts are the building blocks of threat detection, incident response, and forensic investigations. Owning your data, particularly with Rapid7’s 13-month data retention, empowers you in ways that vendor-locked solutions cannot match. Here’s how:

  • Cross-platform analytics
    Modern security teams operate across cloud, hybrid, and on-prem environments. Owning your data means you can integrate security telemetry across platforms, enabling immediate answers and deeper correlations between systems for accurate threat detection.
  • Compliance made easier
    Many industries require businesses to retain data for specific periods to meet regulatory standards such as GDPR, HIPAA, or PCI DSS. Rapid7’s extended data retention ensures you’re always audit-ready and compliant without relying on third-party intermediaries for log retrieval.
  • Historical threat hunting and forensics
    Cyber threats evolve over time — sometimes laying dormant for months to manifest into an attack. With 13 months of historical data, the MDR service can trace attack patterns, uncover dormant threats, and conduct deep-dive forensic investigations to prevent repeat breaches. Advanced threats don’t just appear out of nowhere — long-term attack campaigns require long-term visibility. If you don’t know how an attacker got in, how can you ensure they won’t come back?

The hidden risks of limited data access

Many MDR providers operate in a “black box” model, where security data is siloed within their systems, restricting user access and limiting independent investigations. This lack of transparency not only creates dependency on the vendor but can also lead to serious security and operational risks:

  • Slower incident response
    Seconds matter when attackers are inside your environment. Security teams can waste critical time waiting for an MDR provider to retrieve logs or investigate issues, delaying decisive action during cyberattacks.
  • Reduced security visibility
    Cyber threats don’t operate in isolation. Without full data access, security teams miss critical patterns, struggle to correlate events, and lose the ability to conduct independent investigations. The result? A weakened security posture and increased attack exposure.
  • Hindered cross-team collaboration
    Security isn’t just a SOC function — it requires collaboration with IT, compliance, risk, and leadership teams. When data is locked behind an MDR provider’s system, security teams cannot share insights or validate threats with other departments effectively. This slows down decision-making, creates blind spots across IT infrastructure, and reduces the organization’s ability to work as a unified team in responding to threats.
  • Compliance gaps
    If an organization cannot independently access its logs, it may struggle to provide auditors with the necessary evidence for compliance frameworks like GDPR, HIPAA, DORA, NIS2, or PCI DSS.

Rapid7 MDR: Transparency and control

Rapid7’s MDR service offers transparent and unrestricted access to your data through InsightIDR, our cloud-native, next-gen SIEM built for both detection and response. Unlike traditional SIEMs that focus solely on log aggregation, InsightIDR actively identifies and prioritizes real threats by analyzing user and attacker behavior, leveraging deception technology, and utilizing built-in threat intelligence. This ensures not only full visibility but also rapid detection and response to advanced threats, helping security teams act faster. With Rapid7, you get:

  • Real-time insights: Monitor and analyze security data in real-time for faster response to threats — no waiting for vendor-controlled access.
  • Custom dashboards: Rapid7’s dashboards support operational and executive reporting, making it easier for security teams to collaborate with IT, compliance, and leadership on security progress, priorities, and effectiveness.
  • Custom detections: Security teams can create tailored detections across any data sent to InsightIDR based on their specific infrastructure, threat models, and business needs. This ensures that critical anomalies and suspicious behaviors don’t get lost in generic detection rules.
  • Complete transparency: Audit every action taken by Rapid7 analysts and your SOC team plus see investigations and comments for transparency and collaboration.

Command the SIEM advantage: Context and correlation matter

A key differentiator of Rapid7 MDR is that InsightIDR is more than just a SIEM — it’s a next-gen detection and response platform. Many MDR solutions provide basic alerting but lack the advanced behavioral analytics and automated response capabilities of InsightIDR. By combining SIEM, user behavior analytics, deception technology, and automated response orchestration, InsightIDR proactively detects threats, correlates events across your environment, and enables faster, more precise response actions.

Without a SIEM, organizations struggle with:

  • Limited visibility into user behavior, making it harder to detect insider threats or compromised accounts.
  • No long-term correlation of security events, reducing the ability to uncover sophisticated, multi-stage attacks.
  • Gaps in historical threat hunting, restricting security teams from investigating past incidents, identifying trends, and improving future defenses.

With InsightIDR, Rapid7 MDR goes beyond detection — it provides comprehensive context, automation, and deep forensic capabilities that elevate an organization’s security maturity.

Take back command of your security data

In a world where vendor lock-in is common, maintaining ownership and access to your security data is not just a convenience, it’s a necessity. Without it, organizations risk compliance failures, slower response times, and reduced visibility into their own security posture.

With Rapid7 MDR, you’re not just subscribing to a service — you’re gaining a proactive security partner. You get unrestricted access, 13-month data retention, and real-time threat detection and response — ensuring compliance, faster incident containment, and smarter security decisions powered by InsightIDR’s built-in detection capabilities.

Don’t settle for an MDR solution that keeps you in the dark. Choose an approach that empowers your security team with full access and control over your data.

Ready to experience the difference? Learn more about Rapid7 MDR today.

Co-authored by Ed Montgomery & René Fusco, Rapid7

New IDR Log Search Enhancements: Accelerate, Streamline, and Simplify Investigations

In today’s cybersecurity landscape, organizations need robust detection and response solutions to stay ahead of evolving threats. Rapid7’s InsightIDR, the foundation of our Managed Detection and Response (MDR) service, empowers security teams with advanced analytics, automation, and expert-led investigations. Whether used as a standalone SIEM and XDR platform or in combination with MDR, InsightIDR’s latest Log Search enhancements bring even more value across the board. These updates accelerate response times, simplify complex queries, and improve the investigation process for both our MDR clients and product-only customers.

These updates, including Simplified Query Building, Pre-Computed Queries, and Bloom Filters, enhance the speed, accuracy, and accessibility of log search for security teams, ensuring faster, more targeted threat investigations for organizations.

Let’s explore how these updates elevate the detection and response lifecycle.

Simplified Query Building: Empowering Analysts to Act Faster

A key element of any detection and response solution is the ability to quickly turn data into actionable insights. Simplified Query Building enables analysts to construct and refine log searches faster, without complex syntax or technical details. This user-friendly interface enables any InsightIDR user, regardless of technical expertise, to create advanced queries through point-and-click prompts, accessing critical data quickly to streamline investigations.

By lowering the barrier to creating queries, Simplified Query Building provides organizations with timely, data-backed insights into incidents, reducing investigation time for both Rapid7’s MDR team and InsightIDR customers. This update ensures that every security team member, regardless of tenure, can access and leverage the power of InsightIDR’s log data without becoming bogged down by technical complexities.

Figure: InsightIDR - Simplified Query Building

Pre-Computed Queries: Reducing Time-to-Response for All Investigations

Time is critical when it comes to threat response. With Pre-Computed Queries (PCQs), both MDR and product-only customers benefit from reduced log search times. PCQs enable predictably fast, near-instant access to insights by pre-calculating query results in real time as data arrives, enhancing responsiveness for all InsightIDR users.

Customer Feedback

"As an MSSP, InsightIDR's ability to handle large amounts of data is key for identifying threats in our client environments. Pre-Computed Queries have reduced return times for complex searches by over 70%, allowing us to create more impactful insights for our clients."
— Mat Cornish, Technical Director, Longwall Security

While InsightIDR already supports saving queries for reuse, PCQs take it further by pre-computing results, helping analysts to instantly identify patterns or gather evidence. Additionally, the Log Search home tab organizes queries by “Recent,” “Saved,” and “Pre-computed,” enabling users to quickly find what they need for streamlined incident handling. Whether you’re a customer conducting an in-house investigation or part of Rapid7’s MDR team, PCQs ensure faster insights and more efficient incident response.

Figure: InsightIDR - Pre-Computed Queries

Bloom Filters: Accelerating Key Value Pair Searches for Precise Threat Hunts

Not all queries can be pre-calculated in advance. Security teams are frequently asked questions about potential exposure to specific indicators of compromise (IoCs), such as flagged IP addresses or hash values. With Bloom Filters, both MDR and product-only customers gain a performance boost in search time for precise threat hunts by reducing unnecessary data processing.

For exact-match searches, such as identifying a compromised IP address or hunting for a suspicious hash value with where(hash.sha="..."), Bloom Filters optimize search time by ruling out irrelevant data, allowing the search to skip log chunks that cannot contain a match. This enhancement is implemented on the backend and applies automatically to any search that contains an exact-match key-value pair. Reducing the search space accelerates analysts’ ability to home in on the exact information they need, cutting investigation time dramatically.
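As an added illustration of the indexing idea described above (this is example code, not Rapid7’s implementation, and InsightIDR’s actual index design is not shown here), the Python sketch below keeps one Bloom filter of exact key=value pairs per chunk of log lines; an exact-match search consults the filter and skips chunks that cannot hold the term. A Bloom filter can answer a false “maybe” but never a false “no”, so a skipped chunk is never a missed match, and a “maybe” is confirmed by a real scan. The log lines are constructed samples, and a pattern search is included to show why only exact-match pairs benefit.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed sample events (not real telemetry). Each inner list stands for
# one storage chunk of log lines; the index is kept per chunk.
CHUNKS = [
    [
        "ts=2024-09-01T10:00:01Z source_address=10.0.0.5 user=alice action=login result=success",
        "ts=2024-09-01T10:00:07Z source_address=10.0.0.9 user=bob action=login result=failure",
    ],
    [
        "ts=2024-09-01T10:01:12Z hash.sha=aaaa1111 process=svchost.exe user=svc_backup",
        "ts=2024-09-01T10:01:30Z hash.sha=bbbb2222 process=notepad.exe user=alice",
    ],
    [
        "ts=2024-09-01T10:02:05Z source_address=203.0.113.77 user=carol action=login result=success",
        "ts=2024-09-01T10:02:44Z hash.sha=cccc3333 process=powershell.exe user=carol",
    ],
]


class BloomFilter:
    """Bit array plus k hash positions per item. Answers are either
    'definitely not present' or 'maybe present': no false negatives."""

    def __init__(self, num_bits: int = 1024, num_hashes: int = 4):
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self.bits = 0  # a Python int doubles as an arbitrarily long bit array

    def _positions(self, item: str) -> list:
        # Double hashing: two 64-bit halves of one SHA-256 digest give k positions.
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big")
        return [(h1 + i * h2) % self.num_bits for i in range(self.num_hashes)]

    def add(self, item: str) -> None:
        for pos in self._positions(item):
            self.bits |= 1 << pos

    def might_contain(self, item: str) -> bool:
        return all((self.bits >> pos) & 1 for pos in self._positions(item))


KV_RE = re.compile(r"(\S+?)=(\S+)")


def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' event into a dict."""
    return dict(KV_RE.findall(line))


@dataclass
class IndexedChunk:
    lines: list
    bloom: BloomFilter = field(default_factory=BloomFilter)

    def __post_init__(self) -> None:
        # Every exact key=value pair in the chunk is recorded in its filter.
        for line in self.lines:
            for key, value in parse_kv(line).items():
                self.bloom.add(f"{key}={value}")


def build_index(chunks: list) -> list:
    return [IndexedChunk(lines) for lines in chunks]


def search_exact(index: list, key: str, value: str) -> tuple:
    """Exact key=value search. Returns (matching_lines, chunks_scanned).
    Chunks whose filter says 'definitely not' are skipped unread; a 'maybe'
    is confirmed by a full scan, which also discards any false positive."""
    term = f"{key}={value}"
    matches, scanned = [], 0
    for chunk in index:
        if not chunk.bloom.might_contain(term):
            continue  # cannot hold the pair: skip the whole chunk
        scanned += 1
        matches.extend(ln for ln in chunk.lines if parse_kv(ln).get(key) == value)
    return matches, scanned


def search_pattern(index: list, key: str, pattern: str) -> tuple:
    """Regex/partial match on a field. The filter stores only exact pairs, so
    nothing can be ruled out and every chunk must be read."""
    rx = re.compile(pattern)
    matches = [ln for chunk in index for ln in chunk.lines
               if rx.search(parse_kv(ln).get(key, ""))]
    return matches, len(index)


if __name__ == "__main__":
    idx = build_index(CHUNKS)
    hits, scanned = search_exact(idx, "hash.sha", "cccc3333")
    print(f"exact: {len(hits)} hit(s), {scanned} of {len(idx)} chunks read")
    hits, scanned = search_pattern(idx, "process", r"\.exe$")
    print(f"pattern: {len(hits)} hit(s), {scanned} of {len(idx)} chunks read")
```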

A recent research effort into InsightIDR’s new indexing approach, which leverages Bloom Filters, showed impressive results with:

  • Improved Efficiency: Approximately 40-60% of all searches have experienced noticeable speed improvements since deployment.
  • Increased Precision: The new index has enabled applicable queries to skip irrelevant data three to four times more effectively, leading to shorter search durations for even more efficient investigations.

Bringing It All Together: Faster, More Effective Detection and Response

Whether you’re a Rapid7 MDR customer or an InsightIDR product-only user, these Log Search updates significantly enhance detection and response capabilities. By reducing search times, simplifying complex queries, and pinpointing threats with greater accuracy, we provide every InsightIDR user with faster, more effective security outcomes.

This means:

  • Faster Detection: Pre-Computed Queries and Bloom Filters accelerate search processes, enabling quicker response to incidents across both MDR and product-only use cases.
  • Improved Visibility: Simplified Query Building ensures analysts can quickly refine searches and access the data needed for comprehensive investigations.
  • Targeted Threat Hunts: Optimized key-value pair searches focus on the most relevant data, delivering quicker results for security teams.

Want to see these improvements in action? Contact us today to learn how Rapid7’s MDR service can protect your organization. You can also try InsightIDR for free with a 30-day trial.

Rapid7 Named a Leader in IDC MarketScape: Worldwide SIEM for SMB

Rapid7 is excited to share we have been recognized as a Leader in the IDC MarketScape: Worldwide SIEM for SMB 2024 Vendor Assessment (doc #US52038824, September 2024). We want to thank our customers for their partnership, feedback, and trust, all of which continue to guide how we build and innovate toward our mission to deliver command of the attack surface and keep security teams ready for whatever comes next.


What sets InsightIDR apart from other SIEMs

When we entered this space almost nine years ago, we were driven by customers who were bogged down by the complexity and ineffectiveness of traditional SIEMs. Unfortunately, challenging deployments, constant tuning, unmanageable alerts, and inflated total cost of ownership continue to plague many SIEM users today, making it impossible to get full value from these products and undermining team effectiveness.

InsightIDR is different.

1. Intuitive deployment and UI to maximize efficiency

A strong SIEM product can be the nucleus of the SOC - helping to harmonize otherwise disparate data into a clear picture of the attack surface and relevant insights. Unfortunately, many SIEMs are off track from the start due to:

  • Complex deployments
  • High operational overhead
  • Tedious configuration work that consumes team resources

InsightIDR’s cloud-native, SaaS delivery makes it fast and easy to get started without the burdens of heavy infrastructure management, while ensuring you have the scale to grow with your business when you need it. Easily identify the priority data to ingest and quickly start collecting the right information with:

  • Intuitive onboarding wizards
  • Flexibility to leverage our native data collection (endpoint agent, network sensor, collectors)
  • Ability to connect your extended security ecosystem with vast integrations
  • Auto-enrichment of logs with user and asset details via our attribution engine
  • Custom log parsers
  • In-product guidance

With 13 months of readily searchable data and flexible search modes that can accommodate your most experienced to your most junior analysts, InsightIDR puts your data to work for you - not the other way around.

2. Optimized for modern threat detection

While collecting the right telemetry is a critical piece of unifying the attack surface, too many SIEMs are overly indexed on log aggregation. Lost in logs and making sense of data, teams can lose sight of the thing that matters most: staying ahead of an attack.

InsightIDR has taken a detections-first approach to SIEM and is proud to deliver a robust library of out-of-the-box detections that customers can trust and use as a starting line to augment their own threat intelligence and detections engineering programs. With coverage across all phases of the MITRE ATT&CK framework, this is the same detections library used in the field by our own Rapid7 MDR SOC experts - ensuring strong signal-to-noise detections and constant curation to keep teams ahead of emergent threats.

This library marries both AI-charged user and attacker behavioral detections alongside known IOC coverage to ensure you are ready for both evasive, headline-making unknown threats as well as recognized adversary TTPs. Detections are comprehensive across the modern attack surface - from endpoint-to-cloud - and can easily be customized or added onto so customers can feel confident they are covered no matter where threats begin.

3. Ready to respond across the attack surface

With a rapidly expanding attack surface, all teams are challenged to ensure they know how to investigate and respond effectively to alerts. It’s harder than ever to understand lateral movement and the full blast radius, so it’s critical to ensure analysts have enough context to take action - and the right playbooks and tools in place to execute when they’re ready to do so.

InsightIDR is built around making sure analyst teams are ready to respond effectively to threats every time. Highly correlated investigation timelines unify related alerts and events across the security ecosystem to give a cohesive view of an attack and all relevant evidence in one place.

Integrated access to the Velociraptor DFIR framework enables teams to quickly query fleets of endpoints to assess and understand the blast radius of an attack. And when it’s time to take action, alerts are paired with descriptive guidance and recommendations vetted by our own SOC experts. Fully embedded SOAR capabilities and pre-built playbooks accelerate readiness and time-to-respond. We understand the friction and toll that noisy alerts and complex investigations can take on SOC teams; InsightIDR reduces this burnout and the likelihood of analyst churn by decreasing cycles and friction across investigation workflows - creating happier and more effective teams.

4. Tangible return on investment

One of the things many SIEMs are most notorious for is high, unpredictable costs and resource consumption, with few results to show for it. Traditional ingestion-based pricing models have always been a challenge for security teams, and they are getting even harder to manage as the attack surface becomes increasingly dynamic.

InsightIDR is available in a number of flexible packages designed around real customer needs and security journeys. Our Threat Complete product marries InsightIDR with our leading vulnerability management to deliver proactive, threat-informed risk management to further reduce noise and strengthen security posture.

Predictable, asset-based pricing across our packages means no surprise charges to explain to your C-Suite or Board. And executive dashboards help you share insights and show progress to your wider organization to be able to show how you are advancing your threat detection and incident response program.

We are proud to be a Leader

Thank you to the IDC MarketScape for this recognition. We are proud to be named a Leader, but we are always most proud of the thousands of customers and partners across the globe who trust Rapid7 at the center of their security program. To learn more, access a complimentary excerpt of the IDC MarketScape or start exploring InsightIDR.

Global cybersecurity leader that delivers AI-driven security operations and has been recognized as a Leader in the Gartner Magic Quadrant

Exabeam, a leading global entity in AI-driven security operations, today announced its designation as a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM), marking the company’s fifth acknowledgment by Gartner (2018, 2020, 2021, 2022, 2024). To download a complimentary copy of the full 2024 Gartner Magic Quadrant for SIEM report, click here.

“Being recognized in the Gartner Magic Quadrant for SIEM for the fifth time is an outstanding accomplishment for us and we believe it is a testament to our team’s relentless focus on delivering innovative security operations advancements,” said Adam Geller, CEO, Exabeam. “The AI-driven Exabeam Security Operations Platform gives our customers the ability to automate, simplify, and accelerate their threat detection, investigation, and response (TDIR) capabilities to stay ahead of attackers and successfully defend their organizations. We are proud to maintain our leadership position in the SIEM market with a differentiated, highly-scalable, cloud-native platform that delivers on what organizations demand today and into the future.”

Per Gartner, “Leaders provide products that are a strong functional match for the market’s general requirements. These vendors have been the most successful at building an installed base and revenue stream in the SIEM market. In addition to providing technology that is a good match for current customer requirements, Leaders show evidence of superior vision and execution for emerging and anticipated requirements. They typically have a relatively high market share and/or strong revenue growth and receive positive customer feedback about their SIEM capabilities and related service and support.”

“Without question, the results of Exabeam’s AI-powered innovation are enhanced by our security-centric expertise and persona-driven approach to TDIR,” said Steve Wilson, Chief Product Officer, Exabeam. “We remain focused on delivering value with AI and helping organizations realize the full potential of their existing security investments. To be recognized again as a Leader in Gartner Magic Quadrant for SIEM remains a very exciting honor to us.”

The Exabeam Security Operations Platform applies AI and automation to security operations workflows for a holistic approach to combating cyberthreats, delivering the most effective threat detection, investigation, and response (TDIR). Since it last appeared as a Leader, in the 2022 Gartner Magic Quadrant for SIEM, Exabeam has launched and continued to innovate on its all-new cloud-native platform. In the past year alone, the company has added more than 400 new product features, including Outcomes Navigator, Log Stream, the API developer experience, Threat Center and Exabeam Copilot — a unified workbench for security analysts with generative AI assistance — and much more.

For more information on the AI-driven Exabeam Security Operations Platform, please visit: https://www.exabeam.com/product/.

Source: Gartner, Magic Quadrant for Security Information and Event Management, 8 May 2024.

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and MAGIC QUADRANT is a registered trademark of Gartner, Inc. and/or its affiliates and are used herein with permission. All rights reserved.

About Exabeam

Exabeam is a global cybersecurity leader that delivers AI-driven security operations. The company was the first to put AI and machine learning in its products to deliver behavioral analytics on top of security information and event management (SIEM). Today, the Exabeam Security Operations Platform includes cloud-scale security log management and SIEM, powerful behavioral analytics, and automated threat detection, investigation and response (TDIR). Its cloud-native product portfolio helps organizations detect threats, defend against cyberattacks, and defeat adversaries. Exabeam learns normal behavior and automatically detects risky or suspicious activity so security teams can take action for faster, more complete response and repeatable security outcomes.

Detect. Defend. Defeat.™ Learn how at www.exabeam.com.

Exabeam, the Exabeam logo, New-Scale SIEM, Detect. Defend. Defeat., Exabeam Fusion, Smart Timelines, Security Operations Platform, and XDR Alliance are service marks, trademarks, or registered marks of Exabeam, Inc. in the United States and/or other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2024 Exabeam, Inc. All rights reserved.

Allyson Stinchfield

Exabeam

ally@exabeam.com

Touchdown PR for Exabeam

exabeamus@touchdownpr.com

The post Exabeam Recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for SIEM, for the Fifth Year appeared first on Cybersecurity Insiders.

Command Your Attack Surface with a next-gen SIEM built for the Cloud First Era

Rapid7 Recognized in the 2024 Gartner® Magic Quadrant™ for SIEM

Rapid7 is excited to share that we have been named a Challenger for InsightIDR in the 2024 Gartner Magic Quadrant for SIEM. In a crowded and constantly changing space, this is the sixth time we have been recognized in the report. While the Magic Quadrant offers a great snapshot of the current marketplace, we are always looking ahead to what teams will need to be successful in the next era of cybersecurity.

We believe that the future of SIEM will be defined by the ability to:

  1. Connect and synthesize expansive security telemetry as efficiently as possible
  2. Pinpoint the most critical and actionable insights with the scale and speed of AI
  3. Deliver the contextualized data, expert guidance, and automation to confidently take action against threats – wherever they start

We are proud to bring these elevated security outcomes to the thousands of customers across the globe who trust Rapid7 at the center of their SOC.

Actionable Visibility You Can Trust - From Endpoint to Cloud

As organizations’ attack surfaces continue to expand and security systems become more fragmented, teams are challenged to get reliable visibility and context to effectively monitor their environment, end-to-end. As your organization embraces digital transformation, adopts SaaS solutions, and/or fosters agile business development, you need security solutions that can grow with your business without the burden of infrastructure management or lagging scale.

InsightIDR is a cloud-native SIEM – purpose-built to support an organization's scale with the speed of the cloud-first era. With flexible data ingestion – including our own lightweight, native endpoint agent, sensor, and collector as well as the ability to collect and parse diverse data from your wider ecosystem – customers are able to quickly synthesize their most critical telemetry, without the heavy management burdens of traditional SIEM technologies.

Many traditional SIEM approaches leave it entirely to the customer to figure out how to act on their data once it is in the platform. This leaves resource-constrained teams on their heels, sorting through mounds of data without being able to pinpoint the insights that matter. InsightIDR’s flexible search modes boost both power users’ and beginners’ ability to quickly turn data into actionable insights, and to leverage pre-built queries and dashboards as a jumping-off point for action. And with 13 months of readily searchable log data by default, your data is always ready for you, whenever you need it.


AI-Driven Behavioral Detections to Pinpoint Today’s Advanced Threats

The current threat climate requires a high degree of vigilance and detections content curation to be able to keep pace with adversaries' ever-growing arsenal of tactics, techniques, and procedures (TTPs). This is one of the most challenging domains for security teams to master and carve out time for – and unfortunately most SIEMs have led with a logging-centric approach, putting the work of threat-intelligence gathering and detections engineering on the customer to parse.

From the beginning, InsightIDR pioneered the detections-centric SIEM, focused on pinpointing and eliminating real threats as quickly as possible. Our library contains over 8,000 detections, giving customers complete coverage across all stages of the MITRE ATT&CK framework. Our detections engineering experts are constantly curating threat intelligence – including unique raw intelligence from our renowned Rapid7 Open Source Community (including Metasploit, the #1 pentesting tool in the world, the Velociraptor digital forensics and incident response framework, and the AttackerKB vulnerability database) – to ensure customers have coverage against emergent threats (and because our platform is SaaS-delivered, customers immediately receive new detections content).

Rapid7 holds 56 patents across proprietary analytics frameworks and AI, which contribute to our layered detections strategy. AI-powered attacker and user behavioral analytics detect stealthy attacker behavior and unknown threats that can often go undetected, and complement known indicators of compromise (IOCs) for total coverage. This is the same detections library that our Rapid7 MDR team leverages, so our SIEM customers have high efficacy, low-noise detections they can trust out of the gate.


Response Built for Cloud and Distributed Environments

In the critical moments of an attack, the last thing a security analyst wants to be doing is hopping tabs between different solutions to get the full picture. But security solution sprawl has forced too many SOCs to be tied up being systems integrators vs. being able to focus on actual security work.

InsightIDR’s investigation views eliminate tab-hopping and disparate alert trails. When an alert is fired, customers see a consolidated timeline view of an attack, lateral movement, impacted users and assets, and related CVEs in a single view. Detailed evidence and intelligence, ATT&CK mapping, and vetted recommendations provide all relevant detail at the customer’s fingertips – so even your most junior analyst can respond like an expert, every time. Customers can also pivot from these investigation views into the Velociraptor DFIR framework to more broadly query distributed endpoint fleets to understand the full scope of an attack and avoid repeat occurrences.

One of the biggest challenges of today’s landscape is navigating response in complex cloud environments. Our simplified cloud threat alert view ensures SOC teams can confidently triage cloud provider alerts – like those from GuardDuty – with a purpose-built alert framework that parses out critical alert summaries, impacted resources, queries, and recommended responses, so teams can prioritize and act as quickly as possible on threats across cloud workloads. Regardless of where threats begin, with InsightIDR your team is covered and always knows what to do next.

Let Rapid7 Help You Take Command of Your Attack Surface

The complexities of today’s modern attack surface can be daunting, and are too often compounded by disparate solutions or legacy approaches that can make things worse. Rapid7’s integrated platform approach synthesizes your security data ecosystem to deliver unified exposure management and detection and response that maximizes efficiency and security outcomes. Thank you to our customers and partners who trust Rapid7 as their security consolidation partner of choice, and have contributed to recognitions like this Gartner Magic Quadrant for SIEM.

Learn more:

  • Read the report
  • Please register for our cybersecurity event on May 21st to learn how Rapid7 can help you build cyber resilience and take command of your attack surface.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER is a registered trademark and service mark of Gartner, and Magic Quadrant and Peer Insights are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences with the vendors listed on the platform, should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

Gartner Peer Insights reviews constitute the subjective opinions of individual end users based on their own experiences and do not represent the views of Gartner or its affiliates.

In the world of cybersecurity, change is the only constant. This reality is once again affirmed in a recent interview with Andy Grolnick, the CEO of Graylog, a leading SIEM and log management solutions provider, who has shared some exciting news regarding the future of API security. Andy, who has been at the forefront of innovation in cybersecurity, announced Graylog had acquired Resurface.io’s API security solution that will be integrated with Graylog’s SIEM platform. With this acquisition, Graylog introduced a new product, Graylog API Security, focused on continuous API threat detection and incident response.

Why the Acquisition Matters

The acquisition of Resurface.io by Graylog signifies an important turning point in the field of API security. When Resurface.io was founded, the central thesis was that web and API security brought unique requirements necessitating purpose-built data systems. As Andy remarked, “Using solutions like Elastic or Splunk at scale for API monitoring is prohibitively complex and expensive. Using Hadoop or Kafka requires an army of security professionals to run at any scale.” Consequently, the acquisition is a strategic step towards addressing these challenges in an increasingly interconnected digital world and making API security affordable, integrated and automated.

Understanding the Importance of API Security

The digital world is becoming increasingly dependent on APIs, and with this reliance comes a new set of vulnerabilities and security risks. As Andy highlighted, “The stakes for API security in 2023 are terrifically high.” In fact, he revealed that “70% of API traffic is malicious,” and “half of APIs are unmanaged.” With this acquisition, there’s a sense of urgency to provide a robust, efficient, and scalable solution for API security.

Graylog API Security: A New Chapter in API Monitoring

Firewalls and gateways are no longer enough. Attackers can appear as users and penetrate the perimeter. Internal users and partners, for example, bypass firewalls and can directly access microservices without inspection. In order to address these concerns, Graylog API Security offers a comprehensive API monitoring and security solution. Like a “security analyst in-a-box,” Graylog API Security is built to automate API security by continuously scanning all API traffic at runtime, thus identifying and alerting on zero-day attacks and threats before they reach applications.

Graylog API Security captures complete request and response details, creating a readily accessible datastore for attack detection, fast triage, and threat intelligence. Furthermore, its alert system works with common communication tools like Slack, Teams, Gchat, JIRA or via webhooks, thereby reducing alert fatigue.

With the advent of Graylog API Security, the vision of creating a safer, more secure API landscape is closer than ever. Users interested in getting an in-depth understanding of this new platform can attend the Graylog GO user conference scheduled for October 4-5. It’s clear that the Graylog and Resurface.io teams are excited to guide the community into a new era of robust API security.

Watch a Graylog product demo: https://youtu.be/ZimbvmShtv8

The post Reshaping the API Security Landscape: Graylog Acquires Resurface appeared first on Cybersecurity Insiders.

Steve Povolny is Director of Security Research at Exabeam, a leading cybersecurity firm known for its cutting-edge behavioral profiling and machine learning solutions. The firm’s innovative security management platform employs advanced analytics to detect anomalies and safeguard digital assets. In a recent interview with Steve, we talked about vulnerabilities, the rise in ransomware attacks, the role of users, and the evolving threat landscape.

The Role of Behavior Profiling and Machine Learning in Detecting Threats

As Steve pointed out, “vulnerabilities are the weaknesses that attackers exploit, while IoCs are the signs that a vulnerability has been exploited.” Understanding these concepts is vital to crafting a robust cybersecurity strategy. For instance, a vulnerability might be a weak password that an attacker can easily guess, while the IoC could be an unrecognized IP address logging into a system.

Exabeam stands out in its approach to dealing with such threats, focusing heavily on understanding user behavior, device behavior, and interactions among all digital assets in an organization’s ecosystem. Steve shared that “attackers cannot gain access for the first time to our privileged AD server, for example, without creating anomalies.”

These anomalies, or deviations from standard behavior, serve as warning signs of potential attacks. Exabeam’s sophisticated techniques, honed over a decade of research, help in pinpointing these anomalies and raising red flags.
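To make the vulnerability-versus-IoC distinction and the "first-time access creates anomalies" point concrete, here is an added example written for this page (not Exabeam's product logic): it learns a per-user baseline of source IPs, target hosts and login hours from a window of constructed, labelled sample events, then scores new logins against that baseline. The event layout, the tolerance of one hour around seen login hours, and the set of privileged hosts are all assumptions.

```python
"""Baseline-deviation login scoring: an added illustration for this page, not
Exabeam's detection logic. Event format, thresholds and host names are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, user, source_ip, target_host, outcome)
BASELINE_EVENTS = [
    ("2023-05-01T08:05:00", "alice", "10.0.1.15", "fileserver01", "success"),
    ("2023-05-01T09:10:00", "alice", "10.0.1.15", "fileserver01", "success"),
    ("2023-05-02T08:30:00", "alice", "10.0.1.15", "fileserver01", "success"),
    ("2023-05-01T08:45:00", "bob", "10.0.2.40", "fileserver01", "success"),
    ("2023-05-02T17:20:00", "bob", "10.0.2.41", "fileserver01", "success"),
    ("2023-05-02T07:55:00", "svc-admin", "10.0.9.9", "ad-dc01", "success"),
]

# Constructed events to score against the baseline
NEW_EVENTS = [
    ("2023-05-10T08:15:00", "alice", "10.0.1.15", "fileserver01", "success"),  # matches baseline
    ("2023-05-10T02:40:00", "alice", "203.0.113.77", "ad-dc01", "success"),    # new IP, privileged host, off-hours
    ("2023-05-10T08:50:00", "bob", "10.0.2.40", "fileserver01", "success"),    # matches baseline
    ("2023-05-10T09:05:00", "carol", "10.0.3.3", "fileserver01", "success"),   # user never seen before
]

# Assumed list of hosts whose first-time access by a user is treated as high severity
PRIVILEGED_HOSTS = frozenset({"ad-dc01"})


def build_baseline(events):
    """Per-user profile of source IPs, target hosts and login hours from successful logins."""
    profile = defaultdict(lambda: {"ips": set(), "hosts": set(), "hours": set()})
    for ts, user, ip, host, outcome in events:
        if outcome != "success":
            continue
        profile[user]["ips"].add(ip)
        profile[user]["hosts"].add(host)
        profile[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profile


def score_event(profile, event):
    """Return the list of anomaly reasons for one login; an empty list means it fits the baseline."""
    ts, user, ip, host, _outcome = event
    if user not in profile:
        return ["first-seen-user"]
    base = profile[user]
    reasons = []
    if ip not in base["ips"]:
        reasons.append("new-source-ip")          # the "unrecognized IP" IoC from the text
    if host not in base["hosts"]:
        reasons.append("first-access-to-privileged-host" if host in PRIVILEGED_HOSTS
                       else "new-target-host")
    hour = datetime.fromisoformat(ts).hour
    lo, hi = min(base["hours"]), max(base["hours"])
    if not (lo - 1 <= hour <= hi + 1):           # assumed one-hour tolerance around seen hours
        reasons.append("off-hours")
    return reasons


def detect(baseline_events, new_events):
    """Score every new event; returns (user, source_ip, reasons) triples."""
    profile = build_baseline(baseline_events)
    return [(e[1], e[2], score_event(profile, e)) for e in new_events]


if __name__ == "__main__":
    for user, ip, reasons in detect(BASELINE_EVENTS, NEW_EVENTS):
        print(f"{user:10} {ip:15} {'OK' if not reasons else ', '.join(reasons)}")
```

A real baseline would be built over a much longer window and weight each reason by rarity rather than treating all deviations equally; the point here is that the attacker's first login to the privileged host shows up as several simultaneous deviations, which is exactly what the interview describes.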

Exabeam: Delivering Next-Generation Security Solutions

Exabeam stands out in the cybersecurity landscape with its cloud-native Security Operations Platform, a robust solution designed to optimize the efficiency and accuracy of security operations. Its SIEM platform brings cloud-scale Security Log Management capabilities, while its advanced behavioral analytics and automated investigation experience streamline threat detection and incident response. With over 9,470 pre-built log parsers and the capacity to process over a million events per second, it offers an unparalleled fast search experience.

What sets Exabeam apart is its focus on context and outcomes. The platform enriches security data with context from threat intelligence feeds, increasing accuracy in threat detection. Furthermore, its outcome-focused approach simplifies workflows and provides a comprehensive view of the security posture, offering data-driven recommendations to strengthen defenses. This integration of advanced tools and strategic solutions encapsulates Exabeam’s commitment to empowering organizations to detect, defend, and defeat cybersecurity threats effectively.

Evolving Threat Landscape: The Rise of Stealthy Attackers

Today’s attackers are growing more adept at hiding their tracks. They attempt to mimic normal user behavior, making it more challenging to spot their malicious activities. Despite their efforts, Steve explained, attackers will inevitably “boil up to abnormal” at some point, revealing their presence. The key lies in being equipped with the right technology to recognize these subtle changes in behavior patterns.

The Persistent Threat of Ransomware

In a sobering revelation, Steve pointed out that we are in the midst of a surge in ransomware attacks. While 2021 was a record year for ransomware, in terms of both payouts and occurrences, current trends suggest 2023 may follow suit.

This points to the need for organizations to take a more proactive stance in dealing with cybersecurity threats. Steve emphasized the importance of individual responsibility in maintaining security hygiene and urged users to understand basic security tenets.

Povolny emphasized, “It’s so important to make sure you have a rapid patching strategy, that you do incident response, that you deploy a wide range of security tools in the network, at the endpoint.”

Steve’s insights underscore the critical importance of understanding vulnerabilities and IoCs, as well as recognizing the ongoing evolution of the threat landscape. With proactive measures, innovative technology, and a commitment to good security hygiene, we can strengthen our defenses against the consequences of successful cyberattacks.

The User’s Role in Maintaining Security

Povolny didn’t shy away from pointing out that users, both in the consumer and professional space, play a pivotal role in maintaining security hygiene. By raising the bar on user understanding of basic security tenets, we can significantly reduce the attack surface for cybercriminals.

As an example, basic security hygiene might include practices like regularly updating passwords, avoiding suspicious email links, and keeping software up-to-date. Exabeam’s focus on user behavior allows the company to help clients educate their teams on what normal and abnormal behavior looks like, empowering each user to be a part of the solution.

Exabeam: An Innovative Approach to Cybersecurity

Exabeam has been at the forefront of cybersecurity, providing state-of-the-art threat management solutions to tackle ever-evolving cyber threats. With its focus on behavior profiling and machine learning, it has been able to predict, detect, and respond to threats efficiently.

For instance, Exabeam’s Security Management Platform incorporates advanced analytics and automated incident response to ensure rapid detection and containment of threats. These technologies not only detect anomalies but continually learn and adapt to the changing threat landscape, making Exabeam an important player in the cybersecurity space.

The interview with Steve Povolny underscored the reality of the cyber threats we face and the importance of understanding vulnerabilities and IoCs. However, with the proper strategy and the right tools, organizations can equip themselves to better detect, respond to, and recover from attacks. Povolny’s final remarks echoed this sentiment, offering a summary of our shared responsibility in maintaining cybersecurity hygiene and the need for continuous vigilance in the face of evolving threats.

This detailed insight into Exabeam’s approach and the wider cyber threat landscape serves as a reminder that while the risk is real, so too are the defenses we can deploy to protect ourselves and our organizations by taking a proactive, knowledgeable, and comprehensive approach to cybersecurity.

The post The Evolution of Threat Defense – An Interview with Steve Povolny of Exabeam appeared first on Cybersecurity Insiders.

Alerting Rules!: InsightIDR Raises the Bar for Visibility and Coverage

By George Schneider, Information Security Manager at Listrak

I've worked in cybersecurity for over two decades, so I've seen plenty of platforms come and go—some even crash and burn. But Rapid7, specifically InsightIDR, has consistently performed above expectations. In fact, InsightIDR has become an essential resource for maintaining my company’s cybersecurity posture.

Alerting Rules!

Back in the early days, a SIEM didn’t come with a bunch of standardized alerting rules. We had to write all of our own rules to actually find what we were looking for. Today, instead of spending six hours a day hunting for threats, InsightIDR does a lot of the work for the practitioner. Now, we spend a maximum of one hour a day responding to alerts.

In addition to saving time, the out-of-the-box rules are very effective; they find things that our other security products can't detect. This is a key reason I’ve been 100% happy with Rapid7. As a user, I just know it’s functional. It’s clear that InsightIDR is designed by and for users—there’s no fluff, and the kinks are already ironed out. Not only am I saving time and company resources, the solution is a joy to use.

Source Coverage

When scouting SIEM options, we wanted a platform that could ingest a lot of different log sources. Rapid7 covered all of the elements we use in the big platforms and various security appliances we have—and some in the cloud too. InsightIDR can ingest logs from all sources and correlate them (a key to any high-functioning SIEM) on day one.

Trust the Process

I can honestly say this is the first time I’ve ever used a product that adds new features and functionality every single quarter. It’s not just a new pretty interface, either; Rapid7 consistently adds capabilities that move the product forward.

What’s also wonderful is that Rapid7 listens to customers, especially their feedback. Not to toot my own horn, but they’ve even released a handful of feature requests that I submitted over the years. So I can say with absolute sincerity that these improvements actually benefit SOC teams. They make us better at detecting the stuff that we’re most concerned about.

Visibility and Coverage, Thanks, Insight Agent!

If you’re not familiar with Insight Agent, it’s time to get acquainted. Insight Agent is critical for running forensics on a machine. If I have a machine that gets flagged for something through an automated alert, I can quickly jump in without delay because of the Insight Agent. I get lots of worthwhile information that helps me consistently finish investigations in a timely manner. I know in pretty short order whether an alert is nefarious or just a false positive.

And this is all built into the Rapid7 platform—it doesn’t require customization or installations to get up and running. You truly have a single pane of glass to do all of this, and it’s somehow super intuitive as well. Using the endpoint agent, I don’t have to switch over to something else to do additional work. It’s all right there.

Thinking Outside the Pane

I also have to give a shout out to the Rapid7 community. The community at discuss.rapid7.com/ and the support I get from our Rapid7 account team cannot be overlooked. When I have a question about how to use something, my first step is to visit Discuss to see if somebody else has already posted some information about it—often saving me valuable time. If that doesn’t answer my question, the customer support at Rapid7 is outstanding. It’s the gold standard that I now use to evaluate all other customer support.

The Bottom Line

My bottom line? I love this product (and the people). To say it’s useful is an understatement. I would never recommend a product that I didn’t think was outstanding. I firmly believe in Rapid7 InsightIDR and experience how useful it is every day. So does my team.

To learn more about InsightIDR, our industry-leading cloud-native SIEM solution, watch this on-demand demo.

What’s New in InsightIDR: Q4 2022 in Review

As we continue to empower security teams with the freedom to focus on what matters most, Q4 focused on investments and releases that contributed to that vision. With InsightIDR, Rapid7’s cloud-native SIEM and XDR solution, teams have the scale, comprehensive contextual coverage, and expertly vetted detections they need to thwart threats early in the attack chain.

This 2022 Q4 recap post offers a closer look at the recent investments and releases we’ve made over the past quarter. Here are some of the highlights:

Easy to create and manage log search, dashboards, and reports

You spoke, we listened! At our customers’ request, you can now create tables with multiple columns, allowing teams to see all data in one view. For example, add a query with a “where” clause, select the table display, and then choose the columns you want shown.

Additionally, teams can reduce groupby search results with the having() clause. Customers can filter out what data is returned from groupby results with the option to layer in existing analytics function support (e.g. count, unique, max).
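As an added illustration of the where, groupby and having() pattern described above, written for this page rather than taken from InsightIDR (it does not use InsightIDR's query syntax or engine), the following Python builds the same pipeline over constructed authentication records: filter with a where clause, group by a field, compute the count / unique / max analytics per group, and then keep only the groups that pass a having() predicate. The record layout, field names and thresholds are assumptions.

```python
"""where -> groupby -> having() over log records. Example code written for this
page, not InsightIDR's query language; record layout and thresholds are assumed."""
from collections import defaultdict

# Constructed sample authentication records
RECORDS = [
    {"ts": "2022-11-03T10:00:01", "user": "alice", "source_ip": "10.0.0.5", "result": "failed"},
    {"ts": "2022-11-03T10:00:02", "user": "alice", "source_ip": "10.0.0.5", "result": "success"},
    {"ts": "2022-11-03T10:01:10", "user": "bob", "source_ip": "198.51.100.9", "result": "failed"},
    {"ts": "2022-11-03T10:01:11", "user": "carol", "source_ip": "198.51.100.9", "result": "failed"},
    {"ts": "2022-11-03T10:01:12", "user": "dave", "source_ip": "198.51.100.9", "result": "failed"},
    {"ts": "2022-11-03T10:01:13", "user": "erin", "source_ip": "198.51.100.9", "result": "failed"},
    {"ts": "2022-11-03T10:02:00", "user": "bob", "source_ip": "10.0.0.7", "result": "failed"},
    {"ts": "2022-11-03T10:02:30", "user": "bob", "source_ip": "10.0.0.7", "result": "failed"},
]

# Analytics functions applied per group, mirroring the count / unique / max family named above.
# Each takes the group's rows and an optional field name.
AGGREGATES = {
    "count": lambda rows, field: len(rows),
    "unique": lambda rows, field: len({r[field] for r in rows}),
    "max": lambda rows, field: max(r[field] for r in rows),
}


def where(records, **conditions):
    """Keep records whose fields equal every given condition (the 'where' clause)."""
    return [r for r in records if all(r.get(k) == v for k, v in conditions.items())]


def groupby(records, key, aggs):
    """Group records on `key`; aggs is a list of (alias, function_name, field).

    Returns {group_value: {alias: aggregate_value}} so the result renders as a
    multi-column table, one row per group.
    """
    buckets = defaultdict(list)
    for r in records:
        buckets[r[key]].append(r)
    return {
        group_value: {alias: AGGREGATES[fn](rows, field) for alias, fn, field in aggs}
        for group_value, rows in buckets.items()
    }


def having(groups, predicate):
    """Drop groups whose aggregates do not satisfy the predicate (the having() clause)."""
    return {k: v for k, v in groups.items() if predicate(v)}


def failed_logins_by_source(records, min_failures=3, min_users=3):
    """Table of source IPs with at least min_failures failed logins spread over
    at least min_users distinct accounts, with the last time each was seen."""
    failed = where(records, result="failed")
    groups = groupby(
        failed,
        "source_ip",
        [("failures", "count", None), ("users", "unique", "user"), ("last_seen", "max", "ts")],
    )
    return having(groups, lambda g: g["failures"] >= min_failures and g["users"] >= min_users)


if __name__ == "__main__":
    for source_ip, row in failed_logins_by_source(RECORDS).items():
        print(source_ip, row)
```

Without the having() step the table would list every source IP that ever produced a failed login; the predicate is what turns the aggregate into a narrow, reviewable result set, which is the alert-fatigue reduction the feature is aiming at.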

Accelerated time to value

The InsightIDR Onboarding Progress Tracker, available to customers during their 90-day onboarding period, is a self-serve, centralized checklist of onboarding tasks with step-by-step guidance, completion statuses, and context on the “what” and “why” of each task.

No longer onboarding? No problem! We made the progress tracker available beyond the 90-day onboarding period so customers can evaluate setup progress and ensure InsightIDR is operating at full capacity to effectively detect, investigate, and respond to threats.

Visibility across your modern environment

For those who use Palo Alto Cortex, you can now configure Palo Alto Cortex Data Lake to send activity to InsightIDR, including syslog-encrypted Web Proxy, Firewall, and Ingress Authentication logs. Similarly, for customers using Zscaler, you can now configure the Zscaler Log Streaming Service (LSS) so that InsightIDR receives and parses user activity and audit logs from Zscaler Private Access through the LSS.

For teams who do not have the bandwidth to set up and manage multiple event sources pertaining to Cisco Meraki, we have added support to ingest Cisco Meraki events through the Cisco Meraki API. This will enable you to deploy and add new event sources with less management.

Customers can now bring data from their Government Community Cloud (GCC) and GCC High environments when setting up the Office365 event source to ensure security standards are met when processing US Government data.

Stay tuned!

We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest detection and response releases at Rapid7.

According to Panther’s recently published second annual “State of SIEM” report, cost, functionality, and innovation are the top reasons for seeking a new solution. Whether happy or unhappy with their current solution, the most often cited reasons respondents would decide to switch are what they pay and what their platform won’t do for them.

The report surveyed 285 full-time cybersecurity professionals, each working as part of a team that currently uses a security information and event management (SIEM) platform, including security engineers, analysts, and architects. The goal in benchmarking the State of SIEM is to gain insight into what security operations professionals are seeing, their challenges, frustrations, and what they want to improve.

“This year’s report further indicates how legacy SIEMs are holding security teams back by making their jobs more challenging and far less enjoyable,” said Jack Naglieri, CEO and founder of Panther. “Security teams are using these tools even though they can’t get the scale and flexibility they need as they face new and emerging threats – pains that my team and I also experienced working at companies like Amazon and Airbnb.”

This report highlights how the shift to the cloud has resulted in an explosion of data that security teams need to collect, analyze, and retain to detect threats. Meanwhile, the ‘everything-as-code’ evolution is bringing developer-centric approaches to security operations.

“Modern security teams are operating more like software development teams and want tools built to embrace continuous development workflows that traditional security monitoring tools were simply never built with cloud-scale in mind and cannot meet the demands of today’s modern workloads,” said Naglieri.

The post New Report Finds Cost, Functionality, and Innovation are the Top Reasons Security Practitioners are Seeking New SIEM Vendors appeared first on Cybersecurity Insiders.