Margaret Wei – CyberSecurity Confabulation

What’s New in Rapid7 Products & Services: Q3 2024 in Review

Posted 1 month ago by Margaret Wei

This was one of the most exciting quarters at Rapid7 as we announced the next chapter in our mission to give customers command of their attack surface: the Rapid7 Command Platform, our unified threat exposure and detection and response platform. With this, we introduced two exciting new products:

Surface Command: Unifies asset inventory and attack surface management
Exposure Command: Brings together the comprehensive visibility of Surface Command with hybrid vulnerability management for true end-to-end risk management

While building on our legacy as a pioneer in vulnerability management, we’ve also made expansions on the detection and response side of the house – expanding our Managed Detection and Response capabilities with the release of MDR for the Extended Ecosystem. Read on for more details on these exciting launches across Rapid7 products and services.

Achieve complete attack surface visibility and proactively eliminate exposures from endpoint to cloud

As digital infrastructure continues to evolve from traditional on-prem models to hybrid, distributed teams and systems, one thing remains the same – the attack surface continues to grow, creating more risk and a wider visibility gap.

With the August launches of both Surface Command and Exposure Command, Rapid7 is closing the visibility gap and providing your team with the tools to visualize, prioritize, and remediate risk from endpoint to cloud.

Surface Command: Comprehensive visibility you can trust

Surface Command provides the foundational attack surface visibility that underpins the Command Platform by breaking down security data silos and combining comprehensive external attack surface monitoring with internal asset visibility across hybrid environments. The result? A dynamic 360-degree view of your entire attack surface in one place. With this view, you can:

Visualize your entire digital estate from endpoint to cloud
Prioritize and mitigate exposures and potential threats with a risk-aware and adversary-driven view of your entire attack surface
Identify and address misconfigurations, shadow IT, and compliance issues

Learn more about Surface Command.

Exposure Command: Pinpoint and extinguish critical risks from endpoint to cloud

Exposure Command extends the power of Surface Command by combining complete attack surface visibility with high-fidelity risk context and insight into your organization’s security posture. Exposure Command aggregates findings from both Rapid7’s native exposure detection capabilities as well as third-party exposure and enrichment sources you’ve already got in place, so you are able to:

Extend risk coverage to cloud environments with real-time agentless assessment
Zero-in on exposures and vulnerabilities with the threat-aware risk context
Continuously assess your attack surface, validate exposures, and receive actionable remediation guidance
Efficiently operationalize your exposure management program and automate enforcement of security and compliance policies with native, no-code automation

Learn more about Exposure Command.

Continuous red teaming at your (managed) service with Vector Command

Attackers are relentlessly looking for weak spots and new access points into your organization – you should be too. Leverage Vector Command – our latest continuous red teaming service – to proactively test your external attack surface with ongoing red team exercises and expert guidance from Rapid7’s team of managed services experts.

With Vector Command, your team will experience:

Increased visibility of the external attack surface with persistent, proactive reconnaissance of both known and unknown internet-facing assets
Improved prioritization with ongoing, expert-led red team operations to continuously validate your most critical external exposures
Same-day reporting of successful exploits with expert-vetted attack paths for multi-vector attack chains and a curated list of “attractive assets” that are likely to be exploited
Monthly expert consultation to confidently drive remediation efforts and resiliency planning

Learn more about Vector Command.

Improved scale, reliability and contextualized reporting for cloud and on-prem vulnerability management

The increased scale, rate of change, and complexity associated with cloud and on-prem environments makes managing vulnerabilities a challenge. This quarter we continued to advance our agentless vulnerability assessment capabilities to drive improved scalability and extended reporting to allow teams to quickly identify, prioritize, and remediate vulnerabilities at scale. This includes:

In-cloud assessment for Azure hosts drive improved cost efficiency for running vulnerability assessments at scale across all cloud hosts running on Microsoft Azure.
Unified cloud vulnerability reporting combines context and insights across discovered CVEs, software and resources with proof data included by default to enable more effective and accelerated vulnerability remediation.
Increased granularity for cloud vulnerability first found dates enables teams to quickly understand where an organization is exposed to a given CVE both at an organizational level across their environment globally or on a per-resource basis.Accurately report on MTTR with first found date enhancement for on-prem vulnerabilities with the addition of “First Found” and “Reintroduced” columns, providing deeper visibility into when a vulnerability was first discovered and if it was later reintroduced after patching.

Comprehensive content coverage for policies and critical systems

We strive to provide you with fast and broad coverage for critical policies and systems so you can accurately assess the environment for vulnerability and compliance risks. This past quarter we added a number of new policy coverages and enhancements to InsightVM and Nexpose, including:

Arista EOS coverage: Arista is a popular alternative to Cisco, and this expansion provides you with broader coverage of your boundary devices and better insights into critical assets.
Released policy coverage for DISA STIG Windows Server 2016 and Windows Server 2019; DISA STIG for Red Hat Enterprise Linux 8 and Red Hat Enterprise Linux 9; and CIS Benchmark for Fortinet Fortigate to ensure continued compliance.
Enhanced existing coverages for critical systems like Alpine Linux, Oracle Linux, Windows Server 2022, and Debian Linux.

Pinpoint critical signals and act confidently against threats with cloud-ready detection and response

Introducing MDR for the Extended Ecosystem

In an ever-expanding cybersecurity landscape, organizations are under more pressure than ever to keep pace with the widening attack surface. That’s why we’re so excited to bring extended support and coverage capabilities to our MDR customers with the launch of Rapid7 MDR for the Extended Ecosystem. With this addition, we’re extending our service to include triage, investigation, and response to alerts from third-party tools already in use within customer organizations.

This initial release will bring support for major EPPs such as Microsoft Defender for Endpoint, CrowdStrike Falcon, and SentinelOne, with plans to extend coverage to more third-party tools across cloud, identity, and network in the coming months.

Read this recent blog entry to learn how this extension of MDR sets Rapid7 apart and brings your team coverage, protection, and peace of mind.

Rapid7 named a Leader in IDC MarketScape: Worldwide SIEM for SMB and Enterprise

We’re excited to share we’ve been recognized as a Leader in the IDC MarketScape: Worldwide SIEM for SMB 2024 Vendor Assessment (doc #US52038824, September 2024) and the IDC MarketScape: Worldwide SIEM for Enterprise 2024 Vendor Assessment (doc #US51541324, September 2024). We’re proud that IDC highlights InsightIDR’s superior threat detection content, ease of implementation, and tangible ROI – all areas where we continually invest to provide users with a streamlined, complex-free experience.

To our customers: Thank you. Your partnership, feedback, and trust fuels our dedication to delivering the detection and response functionalities you need to take command of your attack surface and keep your organization safe. Read more about the reports here.

Intuitive log search enhancements to empower practitioners of all levels

Collecting, analyzing, and correlating logs from various sources is table stakes in identifying potential threats, detecting malicious behaviors, and responding to incidents effectively. Within InsightIDR we continue to enhance our Log Search functionality to empower you to go beyond simply correlating logs so you can feel confident securing your organization and enhancing your security posture.

Reformatted Log Search not only optimizes view and streamlines accessibility, but it reduces friction with notable enhancements:

Pre-computed queries auto-run in less than half a second and can be leveraged from our OOTB library of queries or built custom using “groupby” or “calculate” commands.
Automatic key suggestions are provided to analysts during query building based on the log selection to ensure faster time to investigate (as opposed to recalling and populating individually).
Using the select clause, you can leverage new key suggestions to choose those to include in your search results. You can also customize their names and order.

The latest research and intelligence from Rapid7 Labs

Ransomware Radar Report: Findings and insights into the booming ransomware space

According to Rapid7 Labs Ransomware Radar Report, ransomware continues to evolve at a rapid pace. With the first half of 2024 seeing a +67% increase in the average number of ransomware groups actively posting to leak sites each month, it doesn’t appear that things are slowing down.
The report offers analysis and insights to help security practitioners understand and anticipate the latest developments around ransomware attacks. This research is based on data from Rapid7’s Incident Response and Rapid7 Labs teams as well as thousands of publicly reported ransomware incidents observed from January of 2023 through June of 2024.

Read the Ransomware Radar Report now to learn the key takeaways for keeping your organization safe from ransomware.

Emergent Threat Response: Real-time guidance for critical threats

Rapid7’s Emergent Threat Response (ETR) program from Rapid7 Labs delivers fast, expert analysis and first-rate security content for the highest-priority security threats to help both Rapid7 customers and the greater security community understand their exposure and act quickly to defend their networks against rising threats.

In Q3, Rapid7’s Emergent Threat Response team provided expert analysis, InsightIDR and InsightVM content, and mitigation guidance for multiple critical, actively exploited vulnerabilities and widespread attacks:

July 29: VMware ESXi CVE-2024-37085 Targeted in Ransomware Campaigns
September 5: Rapid7 discovered and worked with the vendor to disclose CVE-2024-45195, a remote code execution vulnerability in Apache OFBiz
September 9:
Multiple Vulnerabilities in Veeam Backup & Replication
CVE-2024-40766: Critical Improper Access Control Vulnerability Affecting SonicWall Devices
September 19: High-risk vulnerabilities in common enterprise technologies, including Adobe ColdFusion CVE-2024-41874, Broadcom VMware vCenter Server CVEs (CVE-2024-38812, CVE-2024-38813), and Ivanti Endpoint Manager CVE-2024-29847
September 26: Multiple Vulnerabilities in Common Unix Printing System (CUPS)

Follow along here to receive the latest emergent threat guidance from our team.

Stay tuned for more!

As always, we’re continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in product and service investments at Rapid7.

What’s New in Rapid7 Products & Services: Q2 2024 in Review

Posted 4 months ago by Margaret Wei

This quarter we continued to make investments that provide security professionals with a holistic, actionable view of their entire attack surface. In Q2, we focused on enhancing visualization, prioritization, and integration capabilities across our key products and services. Below we’ve highlighted key releases and updates from the quarter across Rapid7 products and services—including InsightCloudSec, InsightVM, InsightIDR, Managed Detection and Response, and Rapid7 Labs.

Rapid7 acquires Noble to deliver comprehensive visibility and command of your attack surface

Rapid7 has acquired Noble, a leading provider of continuous cyber asset inventory, visibility, and management. This acquisition further enhances our ability to provide customers with the necessary control to monitor and manage exposures across their entire attack surface - from endpoint to cloud - with confidence. Visit our announcement overview page to learn more and stay tuned for additional details coming this summer.

Anticipate imminent threats from endpoint to cloud

Uncover multiple paths to risky compromised resources across cloud environments

We continue to enhance Attack Path Analysis in InsightCloudSec, most recently adding a new visualization that shows all of the various paths to a potentially compromised resource, providing a better understanding of the potential blast radius of an attack. We’ve also added the ability to export Attack Path graphs as a PDF, JPG, PNG, or SVG for easy sharing with additional stakeholders.

Automatically prioritize the most at-risk resources based on Layered Context

Layered Context provides insight into the riskiest resources running across cloud environments by taking into account a variety of risk signals from vulnerabilities to identity-related risk and public accessibility. This context makes it easier for security teams to effectively and efficiently prioritize cloud risk remediation efforts.

We recently released the following updates to Layered context:

Automatic prioritization of riskiest resources by taking into account the presence of toxic combinations to assign a relative risk score to all cloud resources.
A new risk tab, located on the Resource Details panel, that details all the risks impacting a resource in one view, transparently and efficiently diagnosing what is risky and why.

Access agent-based policy assessment results with InsightVM’s Bulk Export API.

Agent-based policy assessment is used to conduct configuration assessments of IT assets against widely used industry benchmarks or custom internal policies. Now customers can use the new Bulk Export API to export the policy assessment results data to their business intelligence tools and build custom visualizations and workflows that meet their reporting needs. Additionally, this API allows for efficient request and download of large data sets directly from the Insight Platform, avoiding unnecessary load on the Security Console and giving greater flexibility in handling the high volume of data that policy assessments produce.

Insight Agent support for ARM-based Windows 11 devices in InsightVM

Take advantage of the ARM processor chip’s great performance and low power requirements while maintaining agent-based visibility and assessment of remote assets within InsightVM. We also released enhanced vulnerability coverage for Windows 11 to provide customers with even higher quality, accurate vulnerability content.

Pinpoint critical signals of an attack and act confidently against threats

Rapid7 AI Engine extended to include Generative AI, driving improved MDR efficiency

Enhancements to the Rapid7 AI Engine have brought new Generative AI capabilities to the Rapid7 SOC, improving the efficacy and efficiency of our MDR services. These new additions include:

The new SOC Assistant that guides our internal SOC and MDR analysts through complex investigations and streamlines response workflows by querying sources like the Rapid7 MDR Handbook, keeping our analysts a step ahead.
The ability to automatically generate incident reports once investigations are closed out, streamlining a typically manual and time-intensive process. Every report that is generated by the Rapid7 AI Engine is reviewed and enhanced as needed by our SOC teams, making certain every data point is accurate and actionable.

Stop attacks before they begin with Rapid7’s patented Ransomware Prevention

Rapid7’s patented, preemptive Ransomware Prevention technology focuses on disrupting the evasive behaviors that ransomware and other forms of malware leverage, preventing both known and unknown (zero-day) attacks before they start. Coexisting alongside NGAV, EDR, and EPP solutions, Ransomware Prevention:

Provides an additional layer of protection on the endpoint focused on mitigating the risk associated with ransomware by using proprietary Data Encryption detection and response technology.
Focuses on the inner techniques that malicious and evasive attacks employ and embed in processes (instead of passively looking for patterns and analyzing processes and behaviors on runtime or post-execution), manipulating their logic so that they refrain from execution.

Monitor Crowdstrike Falcon EDR alerts within InsightIDR for streamlined alert triage

Simplify operations and optimize resource allocation by further integrating third party endpoint detection and response solutions with Rapid7. Managed Detection and Response customers can integrate CrowdStrike Falcon Endpoint with InsightIDR and leverage Rapid7’s highly skilled and experienced MDR SOC to help triage incoming alerts.

A growing library of actionable detections in InsightIDR

In Q2 2024 we added over 750 new detection rules. See them in-product or visit the Detection Library for descriptions and recommendations.

The latest in cybersecurity trends and research

New research from Rapid7 Labs: The 2024 Attack Intelligence Report

Since 2020, Rapid7 has tracked huge increases in zero-day exploits, ransomware attacks, mass compromise incidents, and evolutions in attacker behavior. In our 2024 Attack Intelligence Report, Rapid7 Labs analyzed 14 months of attacker behavior and marquee vulnerabilities and provides expert analysis and practical guidance for security professionals.

Dive into key findings—like how 36% of the widely exploited vulnerabilities Rapid7 tracked involved network edge technology—in the report here.

Take Command: Global security leaders, hands-on practitioners, and top researchers weigh in on the latest cybersecurity trends

In May we partnered with AWS for our Take Command 2024 Cybersecurity Summit, where we took a deep dive into new attack intelligence technologies like AI that are disrupting the threat landscape, macro influences on SOC teams, MDR services to build cyber resilience, and more. The sessions deliver clear guidance to zero in on threats and proactively prevent breaches—check them out on demand here.

Stay tuned for more!

What’s New in Rapid7 Products & Services: Q1 2024 in Review

Posted 7 months ago by Margaret Wei

We kicked off 2024 with a continued focus on bringing security professionals (which if you're reading this blog, is likely you!) the tools and functionality needed to anticipate risks, pinpoint threats, and respond faster with confidence. Below we’ve highlighted some key releases and updates from this past quarter across Rapid7 products and services—including InsightCloudSec, InsightVM, InsightIDR, Rapid7 Labs, and our managed services.

Anticipate Imminent Threats Across Your Environment

Monitor, remediate, and takedown threats with Managed Digital Risk Protection (DRP)

Rapid7’s new Managed Digital Risk Protection (DRP) service provides expert monitoring and remediation of external threats across the clear, deep, and dark web to prevent attacks earlier.

Now available in our highest tier of Managed Threat Complete and as an add on for all other Managed D&R customers, Managed DRP extends your team with Rapid7 security experts to:

Identify the first signs of a cyber threat to prevent a breach
Rapidly remediate and takedown threats to minimize exposure
Protect against ransomware data leakage, phishing, credential leakage, data leakage, and provide dark web monitoring

Read more about the benefits of Managed DRP in our blog here.

Ensure safe AI development in the cloud with Rapid7 AI/ML Security Best Practices

We’ve recently expanded InsightCloudSec’s support for GenAI development and training services (including AWS Bedrock, Azure OpenAI Service and GCP Vertex) to provide more coverage so teams can effectively identify, assess, and quickly act to resolve risks related to AI/ML development.

This expanded generative AI coverage enriches our proprietary compliance pack, Rapid7 AI/ML Security Best Practices, which continuously assesses your environment through event-driven harvesting to ensure your team is safely developing with AI in a manner that won’t leave you exposed to common risks like data leakage, model poisoning, and more.

As with all critical resources connected to your InsightCloudSec environment, these risks are enriched with Layered Context to automatically prioritize AI/ML risk based on exploitability and potential impact. They’re also continuously monitored for effective permissions and actual usage to rightsize permissions to ensure alignment with LPA. In addition to this extensive visibility, InsightCloudSec offers native automation to alert on and even remediate risk across your environment without the need for human intervention.

Stay ahead of emerging threats with insights and guidance from Rapid7 Labs

In the first quarter of this year, Rapid7 initiated the Emergent Threat Response (ETR) process for 12 different threats, including (but not limited to):

Zero-day exploitation of Ivanti Connect Secure and Ivanti Pulse Secure gateways, the former of which has historically been targeted by both financially motivated and state-sponsored threat actors in addition to low-skilled attackers.
Critical CVEs affecting outdated versions of Atlassian Confluence and VMware vCenter Server, both widely deployed products in corporate environments that have been high-value targets for adversaries, including in large-scale ransomware campaigns.
High-risk authentication bypass and remote code execution vulnerabilities in ConnectWise ScreenConnect, widely used software with potential for large-scale ransomware attacks, providing coverage before CVE identifiers were assigned.
Two authentication bypass vulnerabilities in JetBrains TeamCity CI/CD server that were discovered by Rapid7’s research team.

Rapid7’s ETR program is a cross-team effort to deliver fast, expert analysis alongside first-rate security content for the highest-priority security threats to help you understand any potential exposure and act quickly to defend your network. Keep up with future ETRs on our blog here.

Pinpoint Critical and Actionable Insights to Effectively and Confidently Respond

Introducing the newest tier of Managed Threat Complete

Since we released Managed Threat Complete last year, organizations all over the globe have unified their vulnerability management programs with their threat detection and response programs. Now, teams have a unified view into the full kill chain and a tailored service to turbocharge their program, mitigate the most pressing risks and eliminate threats.

Managed Threat Complete Ultimate goes beyond our previously available Managed Threat Complete bundles to include:

Managed Digital Risk Protection for monitoring and remediation of threats across the clear, deep, and dark web
Managed Vulnerability Management for clarity guidance to remediate the highest priority risk
Velociraptor, Rapid7’s leading open-source DFIR framework, from monitoring and hunting to in-depth investigations into potential threats, access the tool that is leveraged by our Incident Response experts on behalf of our managed customers
Ransomware Prevention for recognizing threats and stopping attacks before they happen with multi-layered prevention (coming soon - stay tuned)

Get to the data you need faster with new Log Search and Investigation features in InsightIDR

Our latest enhancements to Log Search and Investigations will help drive efficiency for your team and give you time back in your day-to-day—and when you really need it in the heat of an incident. Faster search times, easier-to-write queries, and intuitive recommendations will help you find event trends within your data and save you time without sacrificing results.

Triage investigations faster with log data readily accessible from the investigations timeline - with a click of the new “view log entry” button you’ll instantly see the context and log data behind an associated alert.
Create precise queries quickly with new automatic suggestions - as you type in Log Search, the query bar will automatically suggest the elements of LEQL that you can use in your query to get to the data you need—like users, IP addresses, and processes—faster.
Save time sifting through search results with new LEQL ‘select’ clause - define exactly what keys to return in the search results so you can quickly answer questions from log data and avoid superfluous information.

Easily view vital cloud alert context with Simplified Cloud Threat Alerts

This quarter we launched Simplified Cloud Threat Alerts within InsightIDR to make it easier to quickly understand what a cloud alert - like those from AWS GuardDuty - means, which can be a daunting task for even the most experienced analysts due to the scale and complexity of cloud environments.

With this new feature, you can view details and known issues with the resources (e.g. assets, users, etc.) implicated in the alert and have clarity on the steps that should be taken to appropriately respond to the alert. This will help you:

Quickly understand what a given cloud resource is, its intended purpose, what applications it supports and who “owns” it.
Get a clear picture around what an alert means, what next steps to take to verify the alert, or how to respond if the alert is in fact malicious.
Prioritize response efforts based on potential impact with insight into whether or not the compromised resource is misconfigured, has active vulnerabilities, or has been recently updated in a manner that signals potential pre-attack reconnaissance.

A growing library of actionable detections in InsightIDR

In Q1 2024 we added 1,349 new detection rules. See them in-product or visit the Detection Library for descriptions and recommendations.

Stay tuned!

What’s New in Rapid7 Products & Services: 2023 Year in Review

Posted 11 months ago by Margaret Wei

Throughout 2023 Rapid7 has made investments across the Insight Platform to further our mission of providing security teams with the tools to proactively anticipate imminent risk, prevent breaches earlier, and respond faster to threats. In this blog you'll find a review of our top releases from this past year, all of which were purpose-built to bring your team a holistic, unified approach to security operations and command of your attack surface.

Proactively secure your environment

Endpoint protection with next-gen antivirus in Managed Threat Complete

To provide protection against both known and unknown threats, we released multilayered prevention with Next-Gen Antivirus in Managed Threat Complete. Available through the Insight Agent, you’re immediately able to:

Block known and unknown threats early in the kill chain
Halt malware that’s built to bypass existing security controls
Maximize your security stack and ROI with existing Insight Agent
Leverage the expertise of our MDR team to triage and investigate these alerts

New capabilities to help prioritize risk in your cloud and on-premise environments and effectively communicate risk posture

As the attack surface expands, we know it’s critical for you to have visibility into vulnerabilities across your hybrid environments and communicate it with your executive and remediation stakeholders. This year we made a series of investments in this area to help customers better visualize, prioritize, and communicate risk.

Executive Risk View, available as a part of Cloud Risk Complete, provides security leaders with the visibility and context needed to track total risk across cloud and on-premises assets to better understand organizational risk posture and trends.
Active Risk, our new vulnerability risk-scoring methodology, helps security teams prioritize vulnerabilities that are actively exploited or most likely to be exploited in the wild. Our approach enriches the latest version of the Common Vulnerability Scoring System (CVSS) with multiple threat intelligence feeds, including intelligence from proprietary Rapid7 Labs research. Active Risk normalizes risk scores across cloud and on-premises environments within InsightVM, InsightCloudSec, and Executive Risk View.
The new risk score in InsightCloudSec’s Layered Context makes it easier for you to understand the riskiest resources within your cloud environment. Much like Layered Context, the new risk score combines a variety of risk signals - including Active Risk - and assigns a higher risk score to resources that suffer from toxic combinations or multiple risk vectors that present an increased likelihood or impact of compromise.
Two new dashboard cards in InsightVM to help security teams communicate risk posture cross-functionally and provide context on asset and vulnerability prioritization:
Vulnerability Findings by Active Risk Score Severity - ideal for executive reporting, this dashboard card indicates total number of vulnerabilities across the Active Risk severity levels and number of affected assets and instances.
Vulnerability Findings by Active Risk Score Severity and Publish Age - ideal for sharing with remediation stakeholders to assist with prioritizing vulnerabilities for the next patch cycle, or identifying critical vulnerabilities that may have been missed.

Coverage and expert analysis for critical vulnerabilities with Rapid7 Labs

Rapid7 Labs provides easy-to-use threat intelligence and guidance, curated by our industry-leading attack experts, to the security teams.

Emergent Threat Response (ETR) program, part of Rapid7 Labs, provides teams with accelerated visibility, alerting, and guidance on high-priority threats. Over this past year we provided coverage and expert analysis within 24 hours for over 30 emergent threats, including Progress Software’s MOVEit Transfer solution where our security research team was one of the first to detect exploitation—four days before the vendor issued public advisory. Keep up with future ETRs on our blog here.

Detect and prioritize threats anywhere, from the endpoint to the cloud

Enhanced alert details in InsightIDR Investigations

An updated evidence panel for attacker behavior analytics (ABA) alerts gives you a description of the alert and recommendations for triage, rule logic that generated the alert and associated data, and a process tree (for MDR customers) to show details about what occurred before, during, and after the alert was generated.

AI-driven detection of anomalous activity with Cloud Anomaly Detection

Cloud Anomaly Detection provides AI-driven detection of anomalous activity occurring across your cloud environments, with automated prioritization to assess the likelihood that activity is malicious. With Cloud Anomaly Detection, your team will benefit from:

A consolidated view that aggregates threat detections from CSP-native detection engines and Rapid7’s AI-driven proprietary detections.
Automated prioritization to focus on the activity that is most likely to be malicious.
The ability to detect and respond to cloud threats using the same processes and tools your SOC teams are using today with easy API-based ingestion into XDR/SIEM tools for threat investigations and prioritizing remediation efforts.

Detailed views into risks across your cloud environment with Identity Analysis and Attack Path Analysis

We’re constantly working to improve the ways with which we provide a real-time and comprehensive view of your current cloud risk posture. This year, we made some major strides in this area, headlined by two exciting new features:

Identity Analysis provides a unified view into identity-related risk across your cloud environments, allowing you to achieve least privileged access (LPA) at scale. By utilizing machine learning (ML), Identity Analysis builds a baseline of access patterns and permissions usage, and then correlates the baseline against assigned permissions and privileges. This enables your team to identify overly-permissive roles or unused access so you can automatically right-size permissions in accordance with LPA.
Attack Path Analysis enables you to analyze relationships between resources and quickly identify potential avenues bad actors could navigate within your cloud environment to exploit a vulnerable resource and/or access sensitive information. This visualization helps teams communicate risk across the organization, particularly for non-technical stakeholders that may find it difficult to understand why a compromised resource presents a potentially larger risk to the business.

More flexible alerting with Custom Detection Rules

Every environment, industry, and organization can have differing needs when it comes to detections. With custom detection rules in InsightIDR, you can detect threats specific to your needs while take advantage of the same capabilities that are available for out-of-the-box detection rules, including:

The ability to set a rule action and rule priority to choose how you are alerted when your rule detects suspicious activity.
The ability to add exceptions to your rule for specific key-value pairs.

A growing library of actionable detections in InsightIDR

In 2023 we added over 3,000 new detection rules. See them in-product or visit the Detection Library for descriptions and recommendations.

Agent-Based Policy supports custom policy assessment in InsightVM

Guidelines from Center for Internet Security (CIS) and Security Technical Implementation Guides (STIG) are widely used industry benchmarks for configuration assessment. However, a benchmark or guideline as-is may not meet the unique needs of every business.

Agent-Based Policy assessment now supports Custom Policies. Global Administrators can customize built-in policies, upload policies, or enable a copy of existing custom policies for agent-based assessments. Learn more here.

Investigate and respond with confidence

Faster containment and remediation of threats with expansion of Active Response for Managed Detection and Response customers

Attackers work quickly and every second you wait to take action can have detrimental impacts on your environment. Enter automation—Active Response enables Rapid7 SOC analysts to immediately quarantine assets and users in a customer’s environment with response actions powered by InsightConnect, Rapid7’s SOAR solution.

Active Response has you covered to quarantine via our Insight Agent, as well as a variety of third-party providers—including Crowdstrike and SentinelOne. And with MDR analyst actions logged directly in InsightIDR, you have more expansive, collaborative detection and response faster than ever before. Read what Active Response can do for your organization—and how it stopped malware in a recent MDR Investigation—here.

Velociraptor integrates with InsightIDR for broader DFIR coverage

The attack surface is continually expanding, and so should your visibility into potential threats across it. This year we integrated Velociraptor, Rapid7’s open-source DFIR framework, with our Insight Platform to bring the data you need for daily threat monitoring and hunting into InsightIDR for investigation via our Insight Agent.

This integration brings you faster identification and remediation, always-on monitoring for threat activity across your endpoint fleet, and expanded threat detection capabilities. Read more about what this integration unlocks here.

Stay tuned!

Attackers are Working Around The Clock. Luckily, So Are We.

Posted 12 months ago by Margaret Wei

It takes an average of 204 days for organizations to discover a breach, and from there an average of 73 days to contain it. With the average cost of a breach at an all time high of $4.45 million, there’s an undeniable need for teams to enlist the right experts to quickly eradicate threats.

At Rapid7, our expert SOC analysts detect and respond to threats end-to-end for MDR customers – no matter how large or complex. Rapid7’s Active Response, powered by InsightConnect SOAR Automation, enables our analysts to contain endpoints and users on your behalf within minutes of when a threat is identified, reducing attacker dwell time and keeping your organization safe from the damaging consequences of an attack.

24x7 Immediate Containment of Validated Threats with Active Response

Initially launched in 2020, we’ve now expanded Active Response to include broader asset quarantine support across third-party providers — including Crowdstrike, SentinelOne, Carbon Black Cloud, and more — as well as more transparency into MDR analyst activity to bring you more expansive, collaborative detection and response. What you can expect with Active Response:

Rapid7 MDR analysts will contain compromised endpoints or users as early in the killchain as possible to keep your organization safe from threats including malware, lateral movement, data exfiltration attempts, and more. We’ve also added a cloud-enabled option for actions to quarantine assets — removing the need for any on-prem components and making containment even faster for your organization.
Our team takes action on your behalf when we see a validated threat, but you have control of the parameters with the ability to create containment guardrails to prohibit the containment of critical servers, users, or devices. You always have the option to unquarantine assets or users directly from InsightIDR, making it extremely straightforward and keeping the power in your hands.
Rapid7’s coverage doesn’t stop there — with recommended additional actions for containment, remediation, and mitigation, our analysts ensure your organization is as secure as possible.

See How Active Response Stopped Malware in a Recent Rapid7 MDR Investigation

The following is a real-world example of a threat handled by our MDR analysts leveraging Active Response to quarantine an asset and stop malware.

Attacker Activity

[USER 1] working on legal cases used Chrome browser to visit a legitimate website compromised by malicious embedded JavaScript functions.
Embedded JavaScript file loaded pop-up, invited user to update browser by downloading ZIP archive containing JavaScript file.
Once executed, Javascript file communicated with Command and Control (C2) to download and execute a malicious payload, to fingerprint the asset, user, cached password, domains controllers, and trusted domains and output the results to a file at the root of [USER 1]’s %temp% directory to stage the host for subsequent exploitation.

Build Resilience While You Sleep

Active Response enables teams to immediately quarantine malicious behavior before it can compromise a system, saving teams from the damaging outcomes of a successful security breach as well as costly ransomware, loss of data, and broken customer trust.

Whether it’s an intrusion attempt, suspicious process start activity, or anything in between, Rapid7’s SOC has their eyes on your environment 24x7x365, halting suspicious activity in its tracks so you can sleep peacefully through the night.

To learn more about Active Response, talk to your Customer Advisor or a representative.

What’s New in Rapid7 Detection & Response: Q3 2023 in Review

Posted 1 year ago by Margaret Wei

This post takes a look at some of the investments we've made throughout Q3 2023 to our Detection and Response offerings to provide advanced DFIR capabilities with Velociraptor, more flexibility with custom detection rules, enhancements to our dashboard and log search features, and more.

Stop attacks before they happen with Next-Gen Antivirus in Managed Threat Complete

As endpoint attacks become more elusive and frequent, we know security teams need reliable coverage to keep their organizations safe. To provide teams with protection from both known and unknown threats, we’ve released multilayered prevention with Next-Gen Antivirus in Managed Threat Complete. Available through the Insight Agent, you’ll get immediate coverage with no additional configurations or deployments. With Managed Next-Gen Antivirus you’ll be able to:

Block known and unknown threats early in the kill chain
Halt malware that’s built to bypass existing security controls
Maximize your security stack and ROI with existing Insight Agent
Leverage the expertise of our MDR team to triage and investigate these alerts

To see more on our Managed Next-Gen Antivirus offering, including a demo walkthrough, visit our Endpoint Hub Page here.

Achieve faster DFIR outcomes with Velociraptor now integrated into the Insight Platform

As security teams are facing more and more persistent threats on their endpoints, it’s crucial to have proactive security measures that can identify attacks early in the kill chain, and the ability to access detailed evidence to drive complete remediation. We’re excited to announce that InsightIDR Ultimate customers can now recognize the value of Velociraptor, Rapid7’s open-source DFIR framework, faster than ever with its new integration into the Insight Platform.

With no additional deployment or configurations required, InsightIDR customers can deploy Velociraptor through their existing Insight Agents for daily threat monitoring and hunting, swift threat response, and expanded threat detection capabilities. For more details, check out our recent blog post here.

A view of Velociraptor in InsightIDR

Tailor alerts to your unique needs with Custom Detection Rules

We know every organization has unique needs when it comes to detections and alerting on threats. While InsightIDR provides over 3,000 out-of-the-box detection rules to detect malicious behaviors, we've added additional capabilities with Custom Detection Rules to offer teams the ability to author rules tailored to their own individual needs. With Custom Detection Rules, you will be able to:

Build upon Rapid7’s library of expertly curated detection rules by creating rules that uniquely fit your organization’s security needs
Use LEQL to write rule logic against a variety of data sources
Add grouping and threshold conditions to refine your rule logic over specific periods of time to decrease unnecessary noise
Assess the rules activity before it starts to trigger alerts for downstream teams
Group alerts by specific keys such as by user or by asset within investigations to reduce triage time
Create exceptions and view modification history as you would with out-of-the-box ABA detection rules
Attach InsightConnect automation workflows to your custom rules to mitigate manual tasks such as containing assets and enriching data, or set up notifications when detections occur

Creating a Custom Detection Rule in InsightIDR

Enhanced Attacker Behavior Analytics (ABA) alert details in Investigations

Easily view information about your ABA alerts that are a part of an investigation with our updated Evidence panel. With these updates, you’ll see more information on alerts, including their source event data and detection rule logic that generated them. Additionally, the Evidence button has also been renamed to Alert Details to more accurately reflect its function.

New alert details include:

A brief description of the alert and a recommendation for triage
The detection rule logic that generated the alert and the corresponding key-value payload from your environment
The process tree, which displays details about the process that occurred when the alert was generated and the processes that occurred before and after (only for MDR customers)

Dashboard Improvements: Revamped card builder and a new heat map visualization

Our recently released revamped card builder provides more functionality to make it faster and easier to build dashboard cards. For a look at what’s new, check out the demo below.

The new calendar heat map visualization allows you to more easily visualize trends in your data over time so you can quickly spot trends and anomalies. To see this new visualization in action, check out the demo below.

Export data locally with new Log Search option

You now have more flexibility when it comes to exporting your log search data, making it easier to gather evidence related to incidents for additional searching, sharing with others in your organization, or gathering evidence associated with incidents.

With this update you can now:

Use edit key selection to define what columns to export to csv
Export results from a grouby/calculate query to a csv file

New event sources

Microsoft Internet Information Services (IIS): A web server that is used to exchange web content with internet users. Read the documentation
Amazon Security Lake: A security data lake service that allows customers to aggregate & manage security-related logs. Read the documentation
Salesforce Threat Detection: Uses machine learning to detect threats within a Salesforce organization. Read the documentation

A growing library of actionable detections

In Q3 2023 we added 530 new ABA detection rules. See them in-product or visit the Detection Library for actionable descriptions and recommendations.

Stay tuned!

360-Degree XDR and Attack Surface Coverage With Rapid7

Posted 2 years ago by Margaret Wei

Today’s already resource-constrained security teams are tasked with protecting more as environments sprawl and alerts pile up, while attackers continue to get stealthier and add to their arsenal. To be successful against bad actors, security teams need to be proactive against evolving attacks in their earliest stages and ready to detect and respond to advanced threats that make it past defenses (because they will).

Eliminate blindspots and extinguish threats earlier and faster

Rapid7’s external threat intelligence solution, Threat Command, reduces the noise of numerous threat feeds and external sources, and prioritizes and alerts on the most relevant threats to your organization. When used alongside InsightIDR, Rapid7’s next-gen SIEM and XDR, and InsightConnect, Rapid7’s SOAR solution, you’ll unlock a complete view of your internal and external attack surface with unmatched signal to noise.

Leverage InsightIDR, Threat Command, and InsightConnect to:

Gain 360-degree visibility with expanded coverage beyond the traditional network perimeter thanks to Threat Command alerts being ingested into InsightIDR, giving you a more holistic picture of your threat landscape.
Proactively thwart attack plans with Threat Command alerts that identify active threats from across your attack surface.
Find and eliminate threats faster when you correlate and investigate Threat Command alerts with InsightIDR’s rich investigative capabilities.
Automate your response by attaching an InsightConnect workflow to take action as soon as a detection or a Threat Command alert surfaces in InsightIDR.

Stronger signal to noise with Threat Command Threat Library

The power of InsightIDR and Threat Command doesn’t end there. We added another layer to our threat intelligence earlier this year when we integrated Threat Command’s Threat Library into InsightIDR to give more visibility into new indicators of compromise (IOCs) and continued strength around signal to noise.

All IOCs related to threat actors tracked in Threat Command are automatically applied to customer data sent to InsightIDR, which means you automatically get current and future coverage as new IOCs are found by the research team. Alongside InsightIDR’s variety of detection types — User Behavior Analytics (UBA), Attacker Behavior Analytics (ABA), and custom detections — you’re covered against all infiltrations, from lateral movement to unique attacker behaviors and everything in between. The impact? Your team is never behind on emerging threats to your organization.

Faster, more efficient responses with InsightConnect

Strong signal to noise is taken a step further with automation, so teams can not only identify threats quickly but respond immediately. The expanded integration between InsightConnect and InsightIDR allows you to respond to any alert being generated in your environment. With this, you can easily create and map InsightConnect workflows to any ABA, UBA, or custom detection rule, so tailored response actions can be initiated as soon as there is a new detection.

See something suspicious that didn’t trip a detection? You can invoke on-demand automation with integrated Quick Actions from any page in InsightIDR.

Sophisticated XDR without any headaches

With Rapid7, you’ll achieve sophisticated detection and response outcomes with greater efficiency and efficacy — no matter where you and your team are on your security journey. Stay up to date on the latest from InsightIDR, Threat Command, and InsightConnect as we continue to up-level our cross-product integrations to bring you the most comprehensive XDR solution.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Simplify SIEM Optimization With InsightIDR

Posted 2 years ago by Margaret Wei

Two key ways InsightIDR helps customers tailor reporting, detection, and response — without any headaches

Simplify SIEM Optimization With InsightIDR

For far too many years, security teams have accepted that with a SIEM comes compromise. You could have highly tailored and custom rule sets, but it meant endless amounts of tuning and configuration to create and manage them. You could have pre-built content, but that meant rigidity and noise. You could have all the dashboard bells and whistles, but that meant finding the unicorn that knew how to navigate them. Too many defenders have carried this slog, accepting this traditional SIEM reality as "it is what it is." No more!

It's possible to have it all — an intuitive interface and sophisticated tuning and customization

With InsightIDR, Rapid7's leading SIEM and XDR, you can have the best of both worlds — an easy-to-use tool that's also incredibly sophisticated. InsightIDR makes it easy and intuitive to tune your detections (without heavy script-writing or configuration required). When it comes to viewing your environment's data and sharing key metrics, our Dashboard Library and reports are readily available and highly customizable for your unique needs.

Filter out the noise with fine-tuned alerts

Every time an analyst creates an alert it takes work. At Rapid7, we want to save you time and advance your security posture — which is where our Detections Library comes in. Curated and managed by our MDR SOC team, you can rest assured that you'll only be alerted to behaviors that are worthy of human review so that you can make the most out of your limited time and focus on the threats that really matter.

While we focus on creating a curated, high-fidelity library of detections, we know each environment has its unique challenges — which is why our attacker behavior analytics (ABA) detections are robustly tuneable. You can also get more granular with your tuning and take the following actions:

Create custom alerts when your organization calls for niche detections.
Customize UBA directions so you're in control of which you have turned on to align your alerting with your environment.
Modify ABA detections by changing the rule action, modifying its priority, and adding exceptions to the rule.
Stay on top of potential noise with Relative Activity, a new score for ABA detection rules that analyzes and identifies detection rules that might cause frequent investigations or notable events if switched on, as well as determines which rules may benefit from tuning, either by changing the Rule Action or adding exceptions.

Customize dashboards and reports to best suit your team

With InsightIDR, teams have access to over 45 (and counting) dashboards out of the box — from compliance dashboards for frameworks like HIPAA or ISO to Active Directory Admin Activity — to help your team focus on driving faster decision-making.

Analysts can also leverage this pre-built content as a springboard for customizing their own reports. InsightIDR provides multiple query modes and methods for creating data visualizations — so whether you are more comfortable with loose keyword search, working in our intuitive query language, or simply clicking on charts to narrow down results — every analyst can operate as an expert, regardless of their prior SIEM experience.

InsightIDR also makes it easy to share findings and important metrics with anyone in your organization — send an interactive HTML or PDF report of any dashboard with the click of a button.

Check out the other ways InsightIDR can help drive successful detection and response for your team here.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightIDR: Q2 2022 in Review

Posted 2 years ago by Margaret Wei

This Q2 2022 recap post takes a look at some of the latest investments we've made to InsightIDR to drive detection and response forward for your organization.

New interactive HTML reports

InsightIDR's new HTML reports incorporate the interactive features you know and love from our dashboards delivered straight to your inbox. The HTML report file is sent as an email attachment and allows you to scroll through tables, drill in and out of cards, and sort tables in the same way you would explore dashboards.

Increased visibility into malware activity

Traditional intrusion detection systems (IDS) can be noisy. Rapid7's Threat Intelligence and Detection Engineering (TIDE) team has carefully analyzed thousands of IDS events to curate a list of only the most critical and actionable events. We've recently expanded our library to include over 4,500 curated IDS detection rules to help customers detect activity associated with thousands of common pieces of malware.

Catch data exfiltration attempts with Anomalous Data Transfer

Anomalous Data Transfer (ADT) is a new Attacker Behavior Analytics (ABA) detection rule that uses the Insight Network Sensor to identify large transfers of data sent by assets on a network. ADT outputs data exfiltration alerts which make it easier for you to monitor transfer activity and identify unusual behavior to stay ahead of threats. These new detections are available for select InsightIDR packages — see more details here in our documentation.

Build stronger integrations and quickly triage investigations with new InsightIDR APIs

Investigation management APIs

Our new APIs allow you to extract more extensive data from within your investigation and use it to integrate with third-party tools, or build automation workflows to help you save time analyzing and closing investigations. View our documentation to learn more.

Update one or more Investigation fields through a single API call
Retrieve a sortable list of Investigations
Search Investigations
Create a Manual Investigation

User, accounts, and asset APIs

We are excited to release new APIs to allow you to programmatically interface with InsightIDR users, accounts, local accounts, and assets. You can use these APIs to configure new automations that further contextualize alerts generated by InsightIDR or third-party tools and help you to create more actionable views of alert data.

Relative Activity: A new way to analyze detection rules

We've introduced a new score called Relative Activity to ABA detection rules that analyzes how often the Rule Logic matches data in your environment based on certain parameters. The Relative Activity score is calculated over a rolling 24-hour period and can help you:

Identify detection rules that might cause frequent investigations or notable events if switched on
Determine which rules may benefit from tuning, either by changing the Rule Action or adding exceptions

Log Search improvements

Enrich Log Search results with new Quick Actions: Earlier this year InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button. We've recently released new Quick Actions to enable pre-configured actions within InsightIDR's Log Search for InsightIDR Ultimate and InsightIDR legacy customers. Quick Actions are available for select InsightIDR packages, see more details here in our documentation.

Use AWS S3 as a collection method for custom logs: Now customers have the choice to use either Cisco Umbrella or AWS S3 as a collection method when setting up custom logs. Alongside this update, we've also refactored the data source to make it more resilient and effective.

A growing library of actionable detections

In Q2, we added 290 new ABA detection rules to InsightIDR. See them in-product or visit the Detection Library for actionable descriptions and recommendations.

Stay tuned!

As always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

The Average SIEM Deployment Takes 6 Months. Don’t Be Average.

Posted 2 years ago by Margaret Wei

If you’re part of the huge growth in demand for cloud-based SIEM (Security Information and Event Management), claim your copy of the new Gartner® Report: “How to Deploy a SIEM Solution Successfully.”

Depending on what SIEM you choose, and how you approach the process, getting to operational and effective can take days, or months, or a lot longer.

Here are the Gartner report’s key findings:

“Ineffective security information and event management (SIEM) deployments occur when requirements and use cases are not aligned with the organization’s risks and risk tolerance.”
“Clients deploying SIEM solutions continue to take an unstructured approach when deciding which event and data sources to onboard, with the goal of getting every source in from the beginning. This leads to long and complex implementations, cost overruns, and higher probabilities of stalled or failed implementations.”
“SIEM buyers struggle to choose between on-premises, cloud, or hybrid deployments due to the complexities created by the various environments that need to be monitored, e.g., on-premises, SaaS, cloud infrastructure and platform services (CIPS), remote workers.”

SIEM centralizes and visualizes your security data to help you identify anomalies in your environment. But nearly all SIEMs require you to do a ton of customizing and configuration. Nearly all disappoint with their detections. And nearly all will exhaust you with false-positive alerts… every hour of every day… until analysts start ignoring alerts, which will surely doom you someday.

Now, here’s what we think

Rapid7 began building InsightIDR nearly a decade ago. While the threat landscape keeps changing, our mission never has: to empower you to find and extinguish evil earlier, faster, easier.

InsightIDR has never been a traditional SIEM. You should consider it if:

Fast deployment is a priority to you. InsightIDR leads the SIEM market in deployment times. With SaaS delivery and a native cloud foundation, customers can be deployed and operational in days and weeks – not months and years.

Time-to-value and tangible ROI matter to your leadership team. InsightIDR combines the best of next-gen SIEM with native extended detection and response (XDR). Get highly correlated UEBA, EDR, NDR, and Cloud detections alongside your critical security logs and policy monitoring, compliance dashboards, and reporting in a single pane of glass.

Your team is tired of false positives. InsightIDR's expertly vetted detection library provides holistic threat coverage across your entire attack surface. An emphasis on high-fidelity, low-noise detections ensures that all alerts are relevant and ready for action.

You’re ready to accelerate your security posture. InsightIDR empowers teams to up-level their security and achieve sophisticated outcomes – without the complexity of traditional SIEMs. Embedded security orchestration and automation (SOAR) capabilities give you enviable security operations center (SOC) automation and enable even new analysts to respond like experts.

Don’t forget your copy of the new Gartner® Report: “How to Deploy a SIEM Solution Successfully.”

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner, How to Deploy a SIEM Solution Successfully, Andrew Davies, Mitchell Schneider, Toby Bussa, Kelly Kavanagh, 7 July 2021

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.