Year In Review: Rapid7 InsightIDR

You’re in cybersecurity, so we’ll guess: 2022 crashed in with Log4Shell and, for the most part, got more challenging—never less. So, we kept making tangible improvements to InsightIDR, our cloud-native next-gen SIEM and XDR. We worked with some of our most forward-deployed practitioners: Rapid7 MDR, Threat Intelligence and Detections Engineering, our open source communities, and our customers. New features and functions address pain points and achieve specific goals.

Let’s review some of the highlights:

Accelerated response time with automated Quick Actions

Earlier in the year, InsightIDR launched the Quick Actions feature which provides teams with instant automation to reduce the time it takes to search, investigate, and respond with a simple click. Example use-cases include:

  • Threat hunting within log search. Using the “Look Up File Hash with Threat Crowd” quick action, teams can learn more about a hash within an endpoint log. If the output of the quick action finds the file hash is malicious, practitioners can choose to investigate further.
  • More context around alerts in investigations. Leveraging the “Look Up Domain with WHOIS” quick action enables teams to receive more context around an IP associated with an alert in an investigation.


“InsightIDR is a real savior, we have reduced our time for log correlation, responding to incidents, not opening multiple tabs and logging into different platforms to understand what happened.”—Abhi Patel, Information Security Officer, Prime Bank. Source: TechValidate

Expanded visibility across cloud and external attack surface

With InsightIDR, teams have security that grows and scales alongside their business - both on-prem and in the cloud. This year we focused on empowering security teams with cloud incident response capabilities by providing robust integrations with AWS CloudTrail and Microsoft Azure, while also enabling cloud detections with our AWS Guard Duty Detections, AWS Cloud Trail Detections, and more. Customers have the full context of their cloud telemetry and detections alongside their wider environment to get a full, cohesive picture and investigate malicious activity and threats that may move across multiple devices and infrastructures.

Additionally, with Threat Command and InsightIDR together, customers can unlock a complete view of their external and internal attack surface. They can now view Threat Command alerts alongside their broader detection set in InsightIDR:

  • Prioritize and investigate Threat Command alerts: Use InsightIDR’s investigation management capabilities and seamlessly pivot back to Threat Command to remediate the threat or ask an analyst for help.
  • Tune Threat Command detection rules directly in InsightIDR: Adjust the rule action, set the rule priority, and add exceptions.

Lastly, Rapid7 provides all customers with 13 months of data retention by default—so they are always audit-ready. To support compliance regulations, we launched new dashboards for organizations to ensure they are meeting requirements. For example, we launched new dashboards for CIS, a common security framework, covering:

  • CIS Control 5 - Account Management
  • CIS Control 9 - Email and Web Browser Protections
  • CIS Control 10 - Malware Defense

“With Rapid7’s InsightIDR, we have a greater handle on threats. We are able to resolve issues quicker and reduce maximum tolerable downtime, our incident management procedures and real-time actions have improved immeasurably too, and we have better cyber hygiene as well.”—Security Officer, Medium Enterprise Chemicals Company. Source: TechValidate

Confidence with expertly curated and vetted detections

Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team curates and continuously updates our XDR detection library, which is expertly vetted by the Rapid7 MDR SOC. The detection library is a result of meticulous research, our vast open source community, security forums, and industry expertise to provide your teams the data they need for sophisticated detection and response. Last year we launched a slew of new detections, the bulk of them IDS rules, but worth highlighting is the expanded coverage of tracked threat actors with the Threat Command integration. By integrating our Attacker Behavior Analytics (ABA) detection engine with Threat Command’s threat library intelligence, customers can access broader detections and new threat groups, with around 400 new ABA detection rules powered by thousands of new IOCs.

We also added a new ABA detection rule - Anomalous Data Transfer (ADT) that uses the Insight Network Sensor to identify large transfers of data sent by assets on a network and outputs alerts for easier monitoring of unusual behavior and potential exfiltration.


“InsightIDR provided value to us on Day-1. We didn't have to write long lists of rules or tweak hundreds of settings in order to get security alerts from our operating environment. Better still, the signal-to-noise ratio of the alerts is great; little-to-no false positives.”—Philip Daly, VP Infrastructure and Information Security, Carlton One Engagement. Source: TechValidate

Looking ahead

Watch this space! We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest detection and response releases at Rapid7.

XDR, the Beatles, and Blunt Instruments

Sometimes tools are blunt because there’s nothing else. Regarding economic controls for example, Fed Chair Jerome Powell said: “We have essentially interest rates, the balance sheet and forward guidance. They are famously blunt tools, they are not capable of surgical precision.”

Others are blunt because they’re new and these things take time. For example: stereos in the 1960s shook the floors with unrestrained subwoofers. Yes, it was the Beatles and Ringo Starr on the drums, but still. It took years to refine this new technology to enhance the music instead of assaulting our senses.

Taking off shoes at the airport? Blunt.

Years later, Real ID and TSA Pre-Check®? Better.

Coming soon: Facial recognition and biometric screening, better still—after privacy concerns are addressed.  

Cybersecurity has used blunt tools, followed by far too many “better ones.” The average security team is now managing 76 tools, and spending more than half their time manually producing reports. The way out is a sharp tool to replace all these better ones—a resource that will actually get the job done. Start with our newly released 2023 XDR Buyer’s Guide.

XDR consolidation and precision has arrived, just know what to look for

Security programs succeed when they have a library of curated, high-fidelity detections backed by threat intelligence that they can trust out-of-the-box. Anything else is low performance guesswork.

Huge numbers of alerts that teams must review and triage can lead to missing high profile threats. Extended Detection and Response (XDR) solutions deliver tailored security alerts that are quantified and scored to improve signal-to-noise ratio and help catch threats early in the attack chain. XDR also eliminates context switching and ensures you have high context, correlated investigation details, blending relevant data from across different event sources into one, coherent picture.

XDR delivered: MDR

With Rapid7, XDR security can also be delivered to you as an end-to-end, turnkey service. Managed detection and response (MDR) can be a game changer, with always-on threat detection, incident validation, and response (such as threat containment). Some providers offer features like threat intelligence, human-led threat hunting, behavior analytics, automation, and more to your capabilities.

A good MDR provider will be 100% end-to-end responsible, however, it should also be an extension of your in-house team. Look for a provider that will freely share the XDR technology with your in-house operation, and work transparently. Your team should be able to observe your environment exactly as the MDR team does, do their own threat hunting, and more—whatever level of collaboration you’d like to see.

2023 is the year of consolidation and XDR. But no change, however awesome or overdue, is easy. We hope this XDR Buyer’s Guide helps.

The High Cost of Human Error In OT Systems

In baseball, a mistake made by a player that could have easily been avoided is sometimes called an “unforced error.” An unforced error is not an official error (that is, they are not reflected in statistics), however, they can result in additional runs being scored, runners getting on base, and even games being lost. This applies in cyber security, as well. Threat actors use all sorts of nefarious tactics to target your networks, but they usually can’t succeed without some mistakes from your team.

Rapid7’s partner SCADAfence recently commissioned a survey of 3500 OT professionals. Among the findings, nearly 80% of respondents believe that human error presents the greatest risk for compromise to operational technology (OT) control systems.

The survey also found that 83% of respondents believe that there is a significant shortfall in the number of skilled workers. This could contribute to the problem, since under-qualified or improperly trained security workers are more likely to make preventable errors.

Still, many organizations continue to ignore the extremely high potential costs of human error.

Real World Consequences

Last year, SCADAfence argued that an explosion at the Freeport LNG natural gas plant, which a Russian group claimed responsibility for, was actually caused by human error. The timing of the explosion, less than two months after a major maintenance upgrade, and several other factors appear to indicate that improper procedures and a lapse in adherence to company policies were the cause. This was later confirmed by the U.S. Pipeline and Hazardous Materials Safety Administration (PHMSA).

Another example is the Oldsmar Water Facility Attack in 2021. According to reports, human error played a large factor in the attack—in which hackers gained unauthorized access to the water facility’s industrial control system (ICS) network and increased sodium hydroxide content in drinking water to poisonous levels. The Oldsmar facility was using Windows 7, even though Microsoft had stopped supporting it a year earlier. All of Oldsmar’s employees shared the same password to access TeamViewer, a remote access software. And, the facility was connected directly to the internet without any type of firewall protection installed. All of these easily preventable factors contributed to the attacker’s ability to gain access to the facility.

Human error in OT systems can take different forms. As stated above, weak, outdated or duplicated passwords have led to any number of cyber security breaches. Firewalls, which are relied on to provide a first line of OT cyber security defense, are frequently misconfigured or improperly deployed by IT staff members. Finally, phishing attacks, a form of social engineering used by malicious actors to gain information from unwitting victims which is then used to access secure systems, are a major starting point for attacks on critical infrastructure.

Rapid7’s Advice

The number one way to prevent human error from leading to costly cyber attacks is training. OT and IT staff should be regularly trained on company security policies and should understand the importance of always following protocol. Also, teams need to work closely together to ensure that proper protections are in place across the network.

There are a number of best practices that have been shown to reduce the frequency and severity of cyber attacks in OT and ICS networks. Organizations should:

  • Require secure passwords that are changed on a regular schedule. Never allow team members to share passwords or access IDs to systems. Each employee that requires access to a system or device should have a unique user name and account.
  • Reduce access privileges.
  • Keep your network updated with important patches and upgrades.
  • Make sure the tools your teams rely on are reliable, effective, and up to date.
  • Stay on top of news and information about newly discovered vulnerabilities, and potential threats relevant to your organization.

Finally, if your team lacks bandwidth or necessary skills, consider using managed services to gain insights and relevant threat information about your network.

This article was written in partnership with SCADAfence.

3 Ways to Apply a Risk-Based Approach to Threat Detection, Investigation, and Response: Gartner® Report

In an ongoing effort to help security organizations gain greater visibility into risk, we’re pleased to offer this complimentary Gartner® report, 3 Ways to Apply a Risk-Based Approach to Threat Detection, Investigation, and Response. This insightful research can help a security organization realize what its exposure to risk could be at a given time.

Have you measured risk recently?

This is a critical question, but there may be an even more important one: How would you go about implementing a security program to mitigate risk? A tech stack opens itself to all kinds of ongoing vulnerabilities as it expands in more directions, so hopefully it’s also innovating and driving profits on behalf of the business.

Therefore, a security operations center (SOC) must constantly contort itself to keep that growing attack surface secure via a threat detection, investigation, and response program. According to Gartner, a SOC should:

  • Break through silos and open dialogue by establishing a quorum of business leaders to openly discuss cybersecurity and its requirements.
  • Reduce unnecessary delays in investigation by ensuring threat detection use cases are fully enriched with internal business context at the point at which alerts are generated.
  • Enable incident responders to make effective prioritization and response decisions by centrally recording asset-based and business-level risk information.

A binding factor for risk

Technology: It’s the solution to and cause of business risk and the many issues that follow. Relying on the internet means operations and deployments move faster while the attack surface is simultaneously expanding. As the speed of business increases, so does the “noise” security analysts must sift through to get to the real issue. Gartner says:

“Business-dependent technologies are a focal point for criminals moving into cyberspace, as anonymity is now a commodity, making the dash for profits an exceedingly easy gain. Therefore, SecOps must consider and understand business risk and the impact cyber elements have on these risks. However, the question remains: How do these inundated security technologists reduce the noise and achieve their objectives in an environment where time is a limiting factor?”

Faster risk-based prioritization

If time is indeed a limiting factor, then faster risk-based prioritization is a key step on the road to faster incident response, especially as organizations across all industries are migrating to the cloud at an unprecedented pace to support innovation, scale, and digital transformation. Uniting cloud risk and threat detection has been at the forefront of Rapid7’s effort to prioritize and respond to an incident faster.

Integrating multiple threat feeds and sources of telemetry while correlating that intelligence back to assets in your environment provides the visibility needed to target higher-risk areas. It also lends business context, depending on where those higher risk levels are, empowering security practitioners to quickly prioritize and mitigate risk. Gartner posits that, “risk is the sum of your assets, active threats, resident vulnerabilities, and potential organizational impact.”

In the report, Gartner highlights and dives deep into three key areas for enabling risk-based threat detection, investigation, and response:

  • Use risk-based prioritization for faster incident response: Once the incident responders receive the escalation from the SOC (L3s), they’re typically charged with establishing or validating infection boundaries, identifying the root cause of the infection and offering containment and remediation actions.
  • Enrich risk information into threat detection processes: Cyber risk varies in its measurement; to be effective, organizations must define at least four core areas to measure and collect data: sums of assets, resident vulnerabilities, active threats and organizational impact.
  • Break through silos and open the dialogue: To help executives make the most informed decisions, security risk management (SRM) leaders should cultivate relationships with key stakeholders and report effective risk-based metrics, promoting a business-integrated security capability.

For much more context on each of these areas, read the report linked below. Incident response teams need all the help they can get when attempting to work nearly round-the-clock, always-on, multiple incidents at a time.

A perpetual effort

This is also the fun of the job; attackers constantly evolve, which forces security practitioners to innovate, evolve, and outpace bad actors. When it comes to threat detection, investigation, and response, it is essential to pump up visibility and stay several steps ahead of attackers by unifying and transforming multiple telemetry sources.

We’re pleased to continually offer leading research to help you gain clarity into that risk and supercharge security efforts. Read the complimentary Gartner report to better understand how risk applies to your critical assets and how to mitigate the impact of a potential threat.

Gartner, “3 Ways to Apply a Risk-Based Approach to Threat Detection, Investigation, and Response” Jonathan Nunez, Andrew Davies, Pete Shoard, Al Price. 16 November 2022.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Download the report

Rapid7 Now Available Through Carahsoft’s NASPO ValuePoint

We are happy to announce that Rapid7’s solutions have been added to the NASPO ValuePoint Cloud Solutions contract held by Carahsoft Technology Corp. The addition of this contract enables Carahsoft and its reseller partners to provide Rapid7’s Insight platform to participating States, Local Governments, and Educational (SLED) institutions.

“Rapid7’s Insight platform goes beyond threat detection by enabling organizations to quickly respond to attacks with intelligent automation,” said Alex Whitworth, Sales Director who leads the Rapid7 Team at Carahsoft.

“We are thrilled to work with Rapid7 and our reseller partners to deliver these advanced cloud risk management and threat detection solutions to NASPO members to further protect IT environments across the SLED space.”

NASPO ValuePoint is a cooperative purchasing program facilitating public procurement solicitations and agreements using a lead-state model. The program provides the highest standard of excellence in public cooperative contracting. By leveraging the leadership and expertise of all states and the purchasing power of their public entities, NASPO ValuePoint delivers the highest valued, reliable and competitively sourced contracts, offering public entities outstanding prices.

“In partnership with Carahsoft and their reseller partners, we look forward to providing broader availability of the Insight platform to help security teams better protect their organizations from an increasingly complex and volatile threat landscape,” said Damon Cabanillas, Vice President of Public Sector Sales at Rapid7.

The Rapid7 Insight platform is available through Carahsoft’s NASPO ValuePoint Master Agreement #AR2472. For more information, visit https://www.carahsoft.com/rapid7/contracts.

Rapid7 Added to Carahsoft GSA Schedule Contract

We are happy to announce that Rapid7 has been added to Carahsoft’s GSA Schedule contract, making our suite of comprehensive security solutions widely available to Federal, State, and Local agencies through Carahsoft and its reseller partners.

“With the ever-evolving threat landscape, it is important that the public sector has the resources to defend against sophisticated cyber attacks and vulnerabilities,” said Alex Whitworth, Sales Director who leads the Rapid7 Team at Carahsoft.

“The addition of Rapid7’s cloud risk management and threat detection solutions to our GSA Schedule gives Government customers and our reseller partners expansive access to the tools necessary to protect their critical infrastructure.”

With the GSA contract award, Rapid7 is able to significantly expand its availability to Federal, State, Local, and Government markets. In addition to GSA, Rapid7 was recently added to the Department of Homeland Security (DHS) Continuous Diagnostics Mitigation’s Approved Products List.

“As the attack surface continues to increase in size and complexity, it’s imperative that all organizations have access to the tools and services they need to monitor risk across their environments,” said Damon Cabanillas, Vice President of Public Sector Sales at Rapid7.

“This contract award is a massive step forward for Rapid7 as we work to further serve the public sector.”

Rapid7 is available through Carahsoft’s GSA Schedule No. 47QSWA18D008F. For more information on Rapid7’s products and services, contact the Rapid7 team at Carahsoft at Rapid7@carahsoft.com.

Tap. Eat. Repeat. Regret?

Trading Convenience for Credentials

Using food or grocery delivery apps is great. It really is. Sure, there’s a fee, but when you can’t bring yourself to leave the house, it’s a nice treat to get what you want delivered. As a result, adoption of food apps has been incredibly fast and they are now a ubiquitous part of everyday culture. However, the tradeoff for that convenience is risk. In the past few years, cybercriminals have turned their gaze upon food and grocery delivery apps.

According to McKinsey, food delivery has a global market worth of over $150 billion, more than tripling since 2017. That equates to a lot of people entering usernames, passwords, and credit card numbers into these apps. That’s a lot of growth at an extremely rapid pace, and presents the age-old challenge of security trying to keep pace with that growth. Oftentimes it’s not a successful venture; specifically, credential stuffing (no relation to Thanksgiving stuffing or simply stuffing one’s face) is one of the major attacks of choice for bad actors attempting to break into user accounts or deploy other nefarious attacks inside of these apps.

Sounding the alarm

The FBI, among its many other cybercrime worries, recently raised the alert on credential stuffing attacks on customer app accounts across many industries. The usual-suspect industries—like healthcare and media—are there, but now the report includes “restaurant groups and food-delivery,” as well. This is notable due to that sector’s rapid adoption of apps, their growth in popularity among global consumers, and the previously mentioned challenges of security keeping pace with development instead of slowing it down.

The FBI report notes that, “In particular, media companies and restaurant groups are considered lucrative targets for credential stuffing attacks due to the number of customer accounts, the general demand for their services, and the relative lack of importance users place on these types of accounts.” Combine that with things like tutorial videos on hacker forums that make credential stuffing attacks relatively easy to learn, and it’s a (to continue with the food-centric puns) recipe for disaster.

Some background on credential stuffing

This OWASP cheat sheet describes credential stuffing as a situation when attackers test username/password pairs to gain access to one website or application after obtaining those credentials from the breach of another site or app. The pairs are often part of large lists of credentials sold on attacker forums and/or the dark web. Credential stuffing is typically part of a larger account takeover (ATO), targeting individual user accounts, of which there are so, so many on today’s popular delivery apps.  

To get a bit deeper into it, the FBI report goes on to detail how bad actors often opt for the proxy-less route when conducting credential stuffing attacks. This method actually requires less time and money to successfully execute, all without the use of proxies. And even when leveraging a proxy, many existing security protocols don’t regularly flag them. Add to that the recent rise in the use of bots when scaling credential stuffing attacks and the recipe for disaster becomes a dessert as well (the puns continue).  

All of these aspects contributing to the current state of vulnerability and security on grocery and food-delivery apps are worrying enough, but also creating concern is the fact that mobile apps (the primary method of interaction for food delivery services) typically permit a higher rate of login attempts for faster customer verification. In fairness, that can contribute to a better customer experience, but clearly leaves these types of services more vulnerable to attacks.

Cloud services like AWS and Google Cloud can help their clients fend off credential stuffing attacks with defenses like multifactor authentication (MFA) or a defense-in-depth approach that combines several layers of protection to prevent credential stuffing attacks. Enterprise customers can also take cloud security into their own hands—on behalf of their own customers actually using these apps—when it comes to operations in the cloud. Solutions like InsightCloudSec by Rapid7 help to further govern identity and access management (IAM) by implementing least-privilege access (LPA) for cloud workloads, services, and data.

Solutions to breed customer confidence

In addition to safeguards like MFA and LPA, the FBI report details a number of policies that food or grocery-delivery apps can leverage to make it harder for credential thieves to gain access to the app’s user-account base, such as:

  • Downloading publicly available credential lists and testing them against customer accounts to identify problems and gauge their severity.  
  • Leveraging fingerprinting to detect unusual activity, like attempts by a single address to log into several different accounts.
  • Identifying and monitoring for default user-agent strings leveraged by credential-stuffing attack tools.
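
The second and third recommendations above, sketched as detection logic over application login logs. This is an added example, not code from the FBI report or from Rapid7; the log format, thresholds, sample lines, and user-agent prefix list are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation IP ranges, invented users).
# Assumed format: timestamp|source_ip|username|result|user_agent
SAMPLE_LOG = """\
2023-01-10T12:00:01Z|203.0.113.7|alice|FAIL|python-requests/2.28.1
2023-01-10T12:00:02Z|203.0.113.7|bob|FAIL|python-requests/2.28.1
2023-01-10T12:00:04Z|203.0.113.7|carol|OK|python-requests/2.28.1
2023-01-10T12:00:05Z|203.0.113.7|dave|FAIL|python-requests/2.28.1
2023-01-10T12:00:07Z|203.0.113.7|erin|FAIL|python-requests/2.28.1
2023-01-10T12:01:10Z|198.51.100.20|frank|FAIL|Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
2023-01-10T12:01:25Z|198.51.100.20|frank|OK|Mozilla/5.0 (iPhone; CPU iPhone OS 16_2 like Mac OS X)
2023-01-10T12:02:00Z|192.0.2.50|gina|OK|FoodApp/4.1 (Android 13)
2023-01-10T12:40:00Z|192.0.2.50|henry|OK|FoodApp/4.1 (Android 13)
2023-01-10T12:41:00Z|198.51.100.99|ivan|FAIL|Go-http-client/1.1
this line is malformed and must be skipped
"""

# Assumption: generic HTTP-library defaults stand in for tool defaults.
# Replace with the strings observed in your own telemetry.
DEFAULT_UA_PREFIXES = ("python-requests/", "curl/", "Go-http-client/", "Java/")


def parse_log(text):
    """Parse pipe-delimited login events, silently skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)  # user agent may itself contain '|'
        if len(parts) != 5 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append({"ts": ts, "ip": parts[1], "user": parts[2],
                       "ok": parts[3] == "OK", "ua": parts[4]})
    return events


def find_multi_account_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag source IPs that try >= min_accounts distinct usernames within
    any sliding time window. Returns {ip: sorted usernames seen while flagged}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # username -> attempts inside the current window
        start = 0
        for ev in evs:
            in_window[ev["user"]] += 1
            # Evict attempts that have aged out of the window.
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_accounts:
                flagged.setdefault(ip, set()).update(in_window)
    return {ip: sorted(users) for ip, users in flagged.items()}


def find_default_user_agents(events, prefixes=DEFAULT_UA_PREFIXES):
    """Return {user_agent: sorted source IPs} for agents matching a known default."""
    hits = defaultdict(set)
    for ev in events:
        if ev["ua"].startswith(prefixes):
            hits[ev["ua"]].add(ev["ip"])
    return {ua: sorted(ips) for ua, ips in hits.items()}


def successes_from_flagged(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source: these are
    the ones to force-reset first, since the stuffed credential worked."""
    return sorted({(ev["ip"], ev["user"]) for ev in events
                   if ev["ok"] and ev["ip"] in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sources = find_multi_account_sources(evs)
    print("multi-account sources:", sources)
    print("default user agents:  ", find_default_user_agents(evs))
    print("likely takeovers:     ", successes_from_flagged(evs, sources))
```

The shared address `192.0.2.50` is not flagged because its two accounts fall outside one window, which is the behaviour you want for carrier NAT or office egress; tune `window` and `min_accounts` against your own baseline before alerting on them.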

Detection and response (D&R) solutions like InsightIDR from Rapid7 can also leverage the use of deception technology to lure attackers attempting to use stolen credentials. By deploying fake honey credentials onto your endpoints to deceive attackers, InsightIDR can automatically raise an alert if those credentials are used anywhere else on the network.

At the end of the day, a good meal is essential. It’s also essential to protect your organization against credential stuffing attacks. Our report, Good Passwords for Bad Bots, offers practical, actionable advice on how to reduce the risk of credential-related attacks to your organization.

Download Good Passwords for Bad Bots today.

What’s New in InsightIDR: Q4 2022 in Review

As we continue to empower security teams with the freedom to focus on what matters most, Q4 focused on investments and releases that contributed to that vision. With InsightIDR, Rapid7’s cloud-native SIEM and XDR solution, teams have the scale, comprehensive contextual coverage, and expertly vetted detections they need to thwart threats early in the attack chain.

This 2022 Q4 recap post offers a closer look at the recent investments and releases we’ve made over the past quarter. Here are some of the highlights:

Easy to create and manage log search, dashboards, and reports

You spoke, we listened! Per our customers, you can now create tables with multiple columns, allowing teams to see all data in one view. For example, simply add a query with a “where” clause and select a table display followed by the columns you want displayed.

Additionally, teams can reduce groupby search results with the having() clause. Customers can filter out what data is returned from groupby results with the option to layer in existing analytics function support (e.g. count, unique, max).


Accelerated time to value

The InsightIDR Onboarding Progress Tracker, available for customers during their 90 day onboarding period, is a self-serve, centralized check-list of onboarding tasks with step-by-step guidance, completion statuses, and context on the “what” and “why” of each task.

No longer onboarding? No problem! We made the progress tracker available beyond the 90-day onboarding period so customers can evaluate setup progress and ensure InsightIDR is operating at full capacity to effectively detect, investigate, and respond to threats.


Visibility across your modern environment

For those that leverage Palo Alto Cortex, you can now configure Palo Alto Cortex Data Lake to send activity to InsightIDR including syslog-encrypted Web Proxy, Firewall, Ingress Authentication, etc. Similarly, for customers leveraging Zscaler, you can now configure Zscaler Log Streaming Service (LSS) to receive and parse user activity and audit logs from Zscaler Private Access through the LSS.

For teams who do not have the bandwidth to set up and manage multiple event sources pertaining to Cisco Meraki, we have added support to ingest Cisco Meraki events through the Cisco Meraki API. This will enable you to deploy and add new event sources with less management.


Customers can now bring data from their Government Community Cloud (GCC) and GCC High environments when setting up the Office365 event source to ensure security standards are met when processing US Government data.

Stay tuned!

We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest detection and response releases at Rapid7.

Measuring against the right criteria

Gartner® Report: Questions to Ask When Selecting an MDR Provider

The “right” criteria is whatever works to further your security organization’s specific needs in detection and response (D&R). There’s only so much budget to go around—and successfully obtaining a significant year-over-year increase can be rare. The last thing anyone wants to be known for is depleting that budget on a service provider that doesn’t deliver.

At Rapid7, we’ve spoken extensively about how a security operations center (SOC) can evaluate its current D&R proficiency to determine if it would be beneficial to extend those capabilities with a managed detection and response (MDR) provider. In an ongoing effort to help security organizations thoughtfully consider potential providers, we’re pleased to offer this complimentary Gartner® report, Quick Answer: What Key Questions Should I Ask When Selecting an MDR Provider?

This asset acts as a time-saving report for quick answers when vetting several potential providers. Key questions to ask yourself and your service providers include:

  • Yourself: Are we looking for providers that can improve our incident response capabilities?
  • Yourself: Do we have use cases specific to our environment that the MDR provider must accommodate?
  • Yourself: What functionality do we need from the provider’s portal?
  • Provider: How good are you at detecting threats that have bypassed existing, preventative controls?
  • Provider: How do you secure, and how long do you retain, the data you collect from customers?
  • Provider: What response types are provided as a component of the MDR service, and what is the limit of those response activities?

Before expecting any quick answers though, it’s crucial to consider…

Your criteria framework

Your organization might conduct a new audit of desired outcomes and team capabilities and discover it actually can handle the vast majority of D&R tasks. That’s why it’s crucial to go through that process of discovery of what you really need and determine if you can responsibly avoid spending money. Gartner says:

“Many buyers struggle to formulate effective RFPs that can solicit relevant information from providers to help in the initial evaluation and down-select process. Therefore, it is critical that buyers construct the must have, should have, could have and won’t have (MoSCoW) framework. Using these criteria will ensure they are able to effectively make selection choices based on genuine business needs.”

Also, what is the platform from which you are launching your evaluation process? Will this be the first engagement of an MDR service provider or are you changing providers for one reason or another? If the latter is true, then you’ll most likely have loads of existing data to inform your buying experience this time around. It’s also critical to get a strong sense of what the implementation process will look like after a service agreement has been signed. Gartner says:

“Selecting an MDR service provider to obtain modern SOC services can be a challenging process that requires the appropriate planning and evaluation processes before, during and after an agreement. Gartner clients face several unique challenges when evaluating and implementing MDR services.”

An urgent need

The need for additional or enhanced threat monitoring creeps ever upward, thus the need for regular re-evaluation of your D&R capabilities. Rather than ramping up the evaluation and MDR engagement process at a faster pace each time out, taking the time to think through and document desired outcomes with key stakeholders will ultimately save your security organization headaches…and money. Gartner says:

“The process for scoping use cases and requirements, and assessing MDR service offerings, often includes a negotiation and evaluation exercise where a “best match” and “ideal partner” is identified. Prior to starting any outsourcing initiative, requirements need to be documented and ratified (and continuously updated post onboarding), or else the old adage of “garbage in, garbage out” is likely to be realized.”

Take the time

It can be a rigorous evaluation process when determining your organization’s capacity for effective D&R. If your team is stretched too thin, a managed services provider could help. For a deeper dive into the MDR evaluation process, check out the complimentary Gartner report.

Gartner, “Quick Answer: What Key Questions Should I Ask When Selecting an MDR Provider?” John Collins, Andrew Davies, Craig Lawson, 10 November 2021.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Dated, Vulnerable, Insecure Tech Is All Over the News. Hooray.

Save the links. Pass them around. And consider getting your copy of the new 2023 XDR Buyer’s Guide—because if this isn’t a time for reckoning and progress, what is?

The news: on Wednesday, the United States grounded all flights coast-to-coast for the first time since 9/11. The Federal Aviation Administration’s (FAA) Notice to Air Missions system (NOTAM) failed, leaving pilots without vital information they need to fly.

Separate from air traffic control systems, NOTAM ingests data from over 19,000 U.S. airports big and small. It then alerts specific pilots about specific anomalies to expect during 45,000 flights every day: the very latest runway closures, airspace restrictions, disruption of navigational signals, birds that can threaten a plane’s engines, anything.

Apparently, a corrupted file in the software was to blame for the system failure. This, from NBC News:

“...a government official said a corrupted file that affected both the primary and the backup NOTAM systems appeared to be the culprit. Investigators are working to determine if human error or malice is to blame for taking down the system, which eight contract employees had access to. At least one, perhaps two, of those contractors made the edit that corrupted the system, two government sources said Thursday.”

It will likely be a while before we know exactly what happened. But security practitioners might consider jumping to one conclusion today: your argument for investing in a detection and response solution which will provide visibility across your modern environment just got better. It’s important to have the right tools and systems in place, in all areas of your business from infrastructure to security, in order to have business continuity. Even with initiatives like legacy modernization, security teams need to have a view of their threat landscape as it expands.

Is anyone more responsible for business continuity than you?

Recently, CISOs have been named as defendants in several shareholder, civil, and criminal actions. At the same time, CISOs are feeling less and less “personal responsibility” for security events, dropping from 71% to 57% in just one year. Security teams are spending more than half their time manually producing reports, pulling in data from multiple siloed tools. And silos present unacceptable risk. Something has to give.

While capabilities can vary across XDR vendors, the promise is to integrate and correlate data from numerous security tools — and from across varying environments — so you can see, prioritize, and eliminate threats, and move on quickly. The vendor evaluation process isn’t easy. But XDR is well worth it.

The 2023 XDR Buyer’s Guide includes:

  • Must-have requirements any real XDR offers
  • How XDR can be a staffing and efficiency game-changer
  • Key questions to ask as you evaluate options

The hidden lesson in the NOTAM outage? Less is more.

Patrick Kiley, Principal Security Consultant and Research Lead at Rapid7, has a long transportation background. He said that when organizations need to migrate off dated systems, it tends to be a “forklift upgrade, which typically requires significant resources.” That could include development, testing, cloud computing or hardware investment, and of course skilled cybersecurity personnel—who are in short supply these days.

“This kind of migration is a bear,” Kiley said, “so organizations tend to put them off.”

What’s not a bear? Getting your copy of the 2023 XDR Buyer’s Guide.