Rapid7 Integration For AWS Verified Access

Today at re:Invent, Amazon Web Services (AWS) unveiled its new AWS Verified Access service, and we are thrilled to announce that InsightIDR — Rapid7’s next-gen SIEM and XDR — will support log ingestion from this new service when it is made generally available.

What Is AWS Verified Access?

AWS Verified Access is a new service that allows AWS customers to simplify secure access to private applications running on AWS, without requiring the use of a VPN. Verified Access also lets customers easily implement Zero Trust policies for each application reached via the service. The data needed for these policies is provided by integrations between Verified Access and third-party solutions like IdPs and device management tools. For example:

  • Access to a low-risk application might be granted to any employee who is logged into the organization’s IdP solution
  • Access to a highly sensitive application might only be granted to employees who are logged into the organization’s IdP solution, are part of a specific team at the company, are accessing from a company-managed computer that is fully updated, and have an IP address coming from a country on an allowlist

For customers who already have IdP and device management solutions, Verified Access can integrate with many of these vendors, allowing the customer to use their existing provider to define policies while still getting the convenience of VPN-less access to their private applications through Verified Access.

Unlock a Complete Picture of Your Cloud Security with InsightIDR

Verified Access generates detailed logs for every authorization attempt. InsightIDR will be able to ingest these logs from AWS’s just-announced Amazon Security Lake. InsightIDR customers will be able to see ingress activity from Verified Access alongside ingress events from sources like AWS Identity and Access Management (IAM), VPNs, productivity apps, and more — not to mention telemetry from their broader cloud and on-premises environments. Like all ingress activity logs sent to InsightIDR, logs from Verified Access can be used to detect suspicious activity and can be brought into investigations to help establish the complete timeline and blast radius of an incident. In addition, customers will be able to create custom alerts on Verified Access logs to further scrutinize and monitor access to sensitive applications.

InsightIDR’s support for Verified Access is just the latest capability to come out of our never-ending dedication to support our customers as they adopt the newest cloud technologies. To learn more about how InsightIDR helps organizations using AWS, click here.

InsightIDR Launches Integration With New AWS Security Data Lake Service

It has been an action-packed day at AWS re:Invent. For security professionals, one of the most exciting announcements has to be the launch of Amazon Security Lake. We see a lot of potential for this new service, which is why Rapid7 is proud to announce the immediate availability of an integration between InsightIDR and Security Lake. Read on to learn more!

What Is Amazon Security Lake?

Amazon Security Lake gives AWS customers a security data lake that centralizes AWS and third-party security logs. What’s more, all data sent to Security Lake is formatted using the recently-launched OCSF standard. That means even if logs come from different services or different vendors, all logs for a given activity (e.g. all cloud activity logs, all network activity logs, etc.) will have the same format in Security Lake. This will make it easy for customers and their third-party vendors to make use of the data in Security Lake without first having to normalize data.

Another big feature in Security Lake is the granular control it offers. Customers can choose which users and third-party integrations can access which data sources and determine the duration of data that is available to each. For example, a customer might give their developers the ability to view CloudTrail data from the past five days so they can troubleshoot issues, but give InsightIDR the ability to view CloudTrail data from the past year.

InsightIDR’s Integration With Amazon Security Lake

InsightIDR’s new integration allows it to ingest log data from Security Lake. At the moment, InsightIDR will only ingest logs from AWS CloudTrail. Over time, we plan to add support for additional OCSF log types, which will allow customers to send data from multiple AWS and third-party services to InsightIDR through one Amazon Security Lake integration. This will give us the potential ability to immediately ingest and parse logs from any new third-party solution that gets introduced, as long as that solution can export its logs to Security Lake. Another customer benefit is that by consolidating the ingestion of multiple logs via Security Lake, onboarding and ongoing maintenance will be greatly reduced.

If you are an existing InsightIDR customer and want to take advantage of the new integration with Amazon Security Lake, instructions for setup are here.

Rapid7 at AWS re:Inforce: 2 Big Announcements

This year's AWS re:Inforce conference in Boston has been jam-packed with thrilling speakers, deep insights on all things cloud, and some much-needed in-person collaboration from all walks of the technology community. It also coincides with some exciting announcements from AWS — and we're honored to be a part of two of them. Here's a look at how Rapid7 is building on our existing partnership with Amazon Web Services to help organizations securely advance in today's cloud-native business landscape.

InsightIDR awarded AWS Security Competency

For seven years, AWS has issued security competencies to partners who have a proven track record of helping customers secure their AWS environments. Today at re:Inforce, AWS re-launched their Security Competency program, so that it better aligns with customers’ constantly evolving security challenges. Rapid7 is proud to be included in this re-launch, having obtained a security competency under the new criteria for its InsightIDR solution in the Threat Detection and Response category. This is Rapid7’s second AWS security competency and fourth AWS competency.

This designation recognizes that InsightIDR has demonstrated and successfully met AWS's technical and quality requirements for providing customers with a deep level of software expertise in security incident and event management (SIEM), helping them achieve their cloud security goals.

InsightIDR integrates with a number of AWS services, including CloudTrail, GuardDuty, S3, VPC Traffic Mirroring, and SQS. InsightIDR’s UEBA feature includes dedicated AWS detections. The Insight Agent can be installed on EC2 instances for continuous monitoring. InsightIDR also features an out-of-the-box honeypot purpose-built for AWS environments. Taken together, these integrations and features give AWS customers the threat detection and response capabilities they need, all in a SaaS solution that can be deployed in a matter of weeks.

Adding another competency to Rapid7’s repertoire reaffirms our commitment to giving organizations the tools they need to innovate securely in a cloud-first world.

Rapid7 named a launch partner for AWS GuardDuty Malware Protection

Malware Protection is the new malware detection capability AWS has added to their GuardDuty service — and we’re honored to join them as a launch partner, with two products that support this new GuardDuty functionality.

GuardDuty is AWS’s threat detection service. It monitors AWS environments for suspicious behavior. Malware Protection introduces a new type of detection capability to GuardDuty. When GuardDuty fires an alert that’s related to an Amazon Elastic Compute Cloud (EC2) instance or a container running on EC2, Malware Protection will automatically run a scan on the instance in question and detect malware using machine learning and threat intelligence. When trojans, worms, rootkits, crypto miners, or other forms of malware are detected, they appear as new findings in GuardDuty, so security teams can take the right remediation actions.

Rapid7 customers can ingest GuardDuty findings (including the new malware detections) into InsightIDR and InsightCloudSec. In InsightIDR, each type of GuardDuty finding can be treated as a notable behavior or as an alert, which will automatically trigger a new investigation. This allows security teams to know the instant suspicious activity is detected in their AWS environment and react accordingly. Should an investigation be triggered, teams can use InsightIDR’s native automation capabilities to enrich the data from GuardDuty, quarantine a user, and more. In the case where GuardDuty detects malware, teams can pull additional data from the Insight Agent and even terminate malicious processes. In addition, customers can use InsightIDR’s Dashboards capability to keep an eye on GuardDuty and spot trends in the findings.

InsightCloudSec customers can likewise build automated bots that automatically react to GuardDuty findings. When GuardDuty has detected malware, a customer might configure a bot that terminates the infected instance. Alternatively, a customer might choose to reconfigure the instance’s security group to effectively isolate it while the team investigates. The options are practically endless.
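As an added illustration of the security-group isolation described above (example code written for this page, not InsightCloudSec's bot engine or any Rapid7 code), the following Python takes a GuardDuty finding event in the shape EventBridge delivers it and swaps the instance's security groups for a quarantine group. The finding-type prefix, the severity threshold, the quarantine group id and the sample event are assumptions; the only AWS calls used are the boto3 EC2 client methods describe_instances and modify_instance_attribute, passed in as a client object so the logic can be exercised without credentials.

```python
from typing import Any, Dict, Optional

# Assumed response policy: only Execution:* (malware) findings at or above this severity
MALWARE_PREFIX = "Execution:"
SEVERITY_THRESHOLD = 7.0

# Constructed sample event in the shape GuardDuty sends to EventBridge (not real data)
SAMPLE_EVENT = {
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Execution:EC2/MaliciousFile",
        "severity": 8.0,
        "resource": {"resourceType": "Instance",
                     "instanceDetails": {"instanceId": "i-0123456789abcdef0"}},
    },
}


def instance_from_finding(event: Dict[str, Any]) -> Optional[str]:
    """Return the EC2 instance id if the finding qualifies for isolation, else None."""
    if event.get("source") != "aws.guardduty":
        return None
    detail = event.get("detail", {})
    if not str(detail.get("type", "")).startswith(MALWARE_PREFIX):
        return None
    if float(detail.get("severity", 0)) < SEVERITY_THRESHOLD:
        return None
    resource = detail.get("resource", {})
    if resource.get("resourceType") != "Instance":
        return None
    return resource.get("instanceDetails", {}).get("instanceId")


def isolate_instance(ec2, instance_id: str, quarantine_sg: str) -> Dict[str, Any]:
    """Replace all security groups on the instance with the quarantine group.

    The quarantine group is assumed to carry no inbound or outbound rules, so the
    instance keeps running (disk and memory intact for forensics) but is cut off.
    The previously attached groups are returned so they can be restored later.
    """
    desc = ec2.describe_instances(InstanceIds=[instance_id])
    inst = desc["Reservations"][0]["Instances"][0]
    previous = [g["GroupId"] for g in inst["SecurityGroups"]]
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[quarantine_sg])
    return {"instance_id": instance_id, "previous_groups": previous}


def handle_finding(event: Dict[str, Any], ec2, quarantine_sg: str) -> Optional[Dict[str, Any]]:
    """Handler body for an EventBridge rule on GuardDuty findings (ec2 = boto3 EC2 client)."""
    instance_id = instance_from_finding(event)
    return None if instance_id is None else isolate_instance(ec2, instance_id, quarantine_sg)
```

In a real deployment the ec2 argument would be boto3.client("ec2") and the returned previous_groups would be recorded on the investigation so the instance can be released once the team is done.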

Rapid7 and AWS continue to deepen partnership to protect your cloud workloads

AWS re:Inforce 2022 provides a welcome opportunity for the community to come together and share insights about managing and securing cloud environments, and we can't think of better timing to announce these two areas of partnership with AWS. Click here to learn more about what we're up to at this year's AWS re:Inforce conference in Boston.
