Secrets of a cybersecurity employer-of-choice

By Jay Prescott, Director, Global SOC Operations

While the staffing crisis is real, our global MDR SOCs are thriving with top-notch analysts, DFIR talent, and no revolving doors (they like it here). In a high-pressure, high-stakes business, these are our lessons learned.

Measure your staffing performance meticulously and publicly

In an industry plagued by burnout, churn, and open jobs everywhere, be obsessed with your metrics to retain top talent. We do.

  • Last year, we grew our global Managed Detection and Response (MDR) teams by 68%
  • Our voluntary attrition for SOC analysts is under 5%
  • Since the start of Rapid7 MDR seven years ago, we've only lost about one to two analysts per year (as competition for cybersecurity talent went white-hot)

Rapid7 recruits talent from all over the world to join us in our state-of-the-art SOC locations. Each SOC has incredibly high retention rates.

We prioritize investments in training, competitive pay, project work and extracurricular activities, and ensuring analysts are doing the work they enjoy. The leadership team is in tune with job satisfaction and directly attacks any aspect of the analyst duties that causes friction.

Peter Drucker said it best: “Culture eats strategy for breakfast.”

According to a survey by Mimecast, 84% of security professionals are experiencing burnout due to the constant barrage of threats, the talent shortage, and other employees’ mistakes (as a result of burnout). And, while everyone battles “The Great Resignation” and our collective 5-year skills crisis, ZDNet reports it’s going to get worse. Nearly a third of the global cybersecurity workforce plans to leave the industry—not their jobs, but the entire industry—within two years.

To prevent burnout, we encourage a culture of friendship and after-hours socialization. People who work alongside friends help more and perform better. They trust one another. Like just about anyone in our line of work, Rapid7 MDR employees know they can go anywhere and do what they do. They also know we greatly appreciate the fact they choose to do it here.

A member of one of our SOCs had his car in the shop for far too long because a supply chain shortage held up the missing part. There was only one thing to do for April Fool’s Day:


As one member of the team stated, “we work at a place that crowdsourced a $700 prank!”

You don’t need budget for team-building consultants and “trust exercises.” Camaraderie is created in Slack channels and karaoke nights at the bar on the first floor of the Rapid7 Arlington, VA office.

Create a learning organization

We’ve heard it called “alphabet soup after your name.” While certifications are important, real-world experience and constant learning trump a course any day of the week. And the best way for the SOC to learn? By doing first-hand and sharing those learnings with everyone. Here are some of the lessons learned:

First, eliminate silos. Each of our MDR SOCs is composed of three tiers of analysts, working together on customer environments. There’s complete threat detection coverage, multiple layers of escalation and validation, and redundant knowledge. Additionally, the technology used by the SOC captures relevant details of the environment, detected threats, and analysis notes, all of which are available to every analyst.

Second, train constantly. Rapid7 has a robust training program: a combination of external live training (SANS, Chris Sanders courses), self-paced learning (TCM malware analysis & forensics courses), and an internal security training program (modeled after specific incidents Rapid7 MDR has handled) to train our analysts quickly and effectively. All training is heavily focused on endpoint forensics, incident response, threat hunting, coding/scripting, and foundational security concepts. All analysts have the chance to attend external training every year. Internally, analysts learn from each other with weekly “lunch n’ learns,” where they level up their skills by learning from those around them and show off the latest threat they were able to thwart for our customers.

Third, we organized around learning in new ways. Over a year ago, Rapid7 merged our Incident Response Consulting Team with our MDR SOC to create an integrated team of Detection and Response experts. If an incident investigation appears to be major, analysts simply (and literally) swivel their chairs and tap Senior IR consultants and DFIR practitioners on the shoulder.

For major incidents, Rapid7’s TIDE Team (Threat Intelligence and Detections Engineering) is right there too. “We ride along with them and are watching what they're discovering and we develop new detections,” says Eoin Miller, Manager of Detection and Response Services. “It helps not only that customer but any other customer that may be a current or future victim of that same attacker.”

Rapid7 MDR also created a "Tactical Operations" (TacOps) team, which is primarily used as a “farm system” for analyst development. Typically, Associate Analysts at other Security Operations Centers are relegated to Tier 1 roles, focusing on low-severity alert triage with little exposure to actual malicious activity or complex investigations. Rapid7 takes a different approach by throwing these Associate Analysts into the deep end to deal with real, high-priority threats (the things we know are evil), which accelerates their learning curve. They’re actually looking at malicious activity all day, not just hundreds of benign alerts.

Our Associate level analysts have even gone on to publish their work and were tapped to lead a technical malware deep dive on one of the most popular security webinars in the world (Ultimate IT Security). Not too shabby for "entry level" folks to be presenting to a broad audience after only a year working in our SOC. Not surprisingly, we focus on promoting from within, with many analysts taking on advanced roles in forensic analysis and IR.

Finally, we’ve reorganized our services organization to bring our penetration testing team and SOC analysts under one roof. We feel the best way to learn (and improve our ability to detect and respond effectively) is to encourage collaboration and knowledge sharing between our offensive-minded and defensive-minded security practitioners. Iron sharpens iron.

Never compromise your standards

MDR analyst candidates go through an initial technical assessment (live responses over the phone) with our Talent Acquisition partners, which pre-screens candidates before the live technical interview panel.

During the Technical Panel interview, our interviewers' goal is to push the candidate to the edge of their knowledge. We ask a series of progressively more difficult questions built on real-world scenarios: "If you see XYZ behavior, walk me through the process from start to finish:

  • What technology and methodology would you use?
  • What data are you looking for?
  • Why and how are you looking at it? Go deep.
  • How do you come to the determination that the behavior is malicious or benign?"

This allows us to question various tools and techniques used in the course of an investigation. We then hire based on the candidate's knowledge, skill set, and culture fit.

More questions like these and other best practices we use can be found in our guide, the 13 Tips for Overcoming the Cybersecurity Talent Shortage.

Say what your values are

Rapid7 has company core values. We’ve added to them with our “Culture Code for the MDR SOC.” Every organization and each SOC’s values are different. These are ours:

  • Ownership: Know what you’re responsible for and own it. We expect you to own your mission fully. Don’t make excuses, and don’t point fingers at others.
  • Customer-Centric: We are here for one reason—to deliver the managed security services our customers expect and deserve.
  • Passion and Purpose: Love what you do. While not everything you do every day is exciting, our team members genuinely enjoy their work and understand the importance of it.
  • Don’t Just ‘Turn The Wheel’: We’re not here just to handle alerts, run scans, perform hunts, or throw alerts over the fence for our customers to handle. We’re here to bring our security expertise to bear in the most effective way to better protect our customers at scale.
  • Risk Taking: Choosing not to take a risk is often the biggest risk. We will never fault someone for taking a well informed risk in order to better serve our customers.
  • Integrity: We never mislead customers or prospects or act against their best interests, and we are open and honest with our fellow Moose.
  • Never Done: This is not a clock-in / clock-out kind of job. While many days are predictable, others are not. Our North Star is customer outcomes, not hours on the clock.
  • Glass Half Full: Security operations can be unforgiving—but we will remain positive and optimistic.
  • Have Fun: Get your job done, but have fun doing it.

We’re always looking for great security professionals to join our team. If the above piques your interest and you’re looking to be a part of something special, come check out our open Career opportunities.

[The Lost Bots] S03E02: Finding unknowns, even spy balloons

When a balloon crossed through Canada and the United States, everyone lost their minds. The news was all-balloon, all-the-time. And the big, obvious, serious questions flew too: “why didn't we see the balloon sooner? Have there been other balloons?”

That sounded pretty familiar to Rapid7 Detection and Response Practice Advisor Jeffrey Gardner. When the U.S. Military responded to the visibility problem in the airspace, it discussed “adjusting filters.” And that sounded familiar too. Because that’s what security practitioners are expected to do every day: find things they don’t even know exist.

While this Lost Bots episode is packed with practical guidance (you’ll likely watch parts of it more than once), it’s delivered by the “Team America” avatars of Gardner and co-host Stephen Davis, Lead Technical Customer Advisor for MDR.

Anyone in cybersecurity is in it for the humans, but we can still be fun.

The Next Generation of Managed Detection and Response is Here

Humans are great at adapting to change—but objectively the pace of technological change has been way, way too fast.

Security teams manage an average of 76 different tools. Breaches have gone from “s#&@!” to “inevitable.” That’s why we built Managed Threat Complete to address the reality of today’s threat environment. By 2025, Gartner says 50% of organizations will decide to partner with an MDR (Managed Detection and Response) service for 24x7 monitoring.

Now, one move can consolidate and rebalance your work

Managed Threat Complete: It’s always-on MDR plus unlimited vulnerability management with a single subscription.

Combine these two historically siloed pieces of a security program, and you have a complete picture of your risk profile and threat landscape. Since the service combines proactive, responsive, and strategic support of your program, it gets smarter and more resilient over time: a continuously improving, virtuous cycle.

Most importantly, Managed Threat Complete lets you prove you’re building measurable capacity to be effective at detection and response—and improve the definitions of success that matter most to you. We call it the R-factor, and it measures:

  • How ready you are to react to your sprawling attack surface
  • How responsive you can be when something inevitably gets through
  • How effectively you’re able to remediate after the fact
  • How you measure your results and show provable outcomes

Forrester Consulting did the math on Rapid7 MDR, and you win

Forrester’s June 2022 Total Economic Impact™ study commissioned by Rapid7 found that Rapid7 MDR produced extraordinary results:

  • 5.5x ROI over 3 years
  • Payback in less than 3 months
  • 90% reduction in the likelihood of a breach

While your team methodically reduces your risks with unlimited VRM scanning, Managed Threat Complete gives you a full team of SOC experts dealing with threats in your environment using advanced XDR technology. And that means really responding, remediating, and making your organization safe and secure—no matter what.

It’s MDR so different, think of it as MDR 2.0.

Typical MDR vendors will simply alert a CISO to a problem. If you’re breached, they’ll tell you to hire an outside Incident Response firm to take it the rest of the way. Managed Threat Complete gives you unlimited Incident Response (the same level you’d get with an IR retainer) included, with DFIR professionals already embedded on your team.

Typical MDR vendors charge by data ingestion and retention. We prioritize visibility into your environment so our analysts can detect and respond without compromise.

Typical MDR vendors take a black box approach to their technology. But with Managed Threat Complete, we give customers unlimited access to our cloud-native XDR technology, sprawling detections library, all of it. See transparently into what your Rapid7 MDR partners are doing. Run your own investigations and threat hunting. Log in once a day or once a year, it’s at your fingertips.

Managed Threat Complete delivers a holistic approach to risk and threat management, so you can consolidate costs and be ready for whatever comes next.


Year In Review: Rapid7 InsightIDR

You’re in cybersecurity, so we’ll guess: 2022 crashed in with Log4Shell and, for the most part, got more challenging—never less. So, we kept making tangible improvements to InsightIDR, our cloud-native next-gen SIEM and XDR. We worked with some of our most forward-deployed practitioners: Rapid7 MDR, Threat Intelligence and Detections Engineering, our open source communities, and our customers. New features and functions address pain points and achieve specific goals.

Let’s review some of the highlights:

Accelerated response time with automated Quick Actions

Earlier in the year, InsightIDR launched the Quick Actions feature which provides teams with instant automation to reduce the time it takes to search, investigate, and respond with a simple click. Example use-cases include:

  • Threat hunting within log search. Using the “Look Up File Hash with Threat Crowd” quick action, teams can learn more about a hash within an endpoint log. If the output of the quick action finds the file hash is malicious, practitioners can choose to investigate further.
  • More context around alerts in investigations. Leveraging the “Look Up Domain with WHOIS” quick action enables teams to receive more context around an IP associated with an alert in an investigation.

“InsightIDR is a real savior, we have reduced our time for log correlation, responding to incidents, not opening multiple tabs and logging into different platforms to understand what happened.”—Abhi Patel, Information Security Officer, Prime Bank. Source: TechValidate

Expanded visibility across cloud and external attack surface

With InsightIDR, teams have security that grows and scales alongside their business, both on-prem and in the cloud. This year we focused on empowering security teams with cloud incident response capabilities by providing robust integrations with AWS CloudTrail and Microsoft Azure, while also enabling cloud detections with our AWS GuardDuty Detections, AWS CloudTrail Detections, and more. Customers have the full context of their cloud telemetry and detections alongside their wider environment to get a full, cohesive picture and investigate malicious activity and threats that may move across multiple devices and infrastructures.

Additionally, with Threat Command and InsightIDR together, customers can unlock a complete view of their external and internal attack surface. They can now view Threat Command alerts alongside their broader detection set in InsightIDR:

  • Prioritize and investigate Threat Command alerts: Use InsightIDR’s investigation management capabilities and seamlessly pivot back to Threat Command to remediate the threat or ask an analyst for help.
  • Tune Threat Command detection rules directly in InsightIDR: Adjust the rule action, set the rule priority, and add exceptions.

Lastly, Rapid7 provides all customers with 13 months of data retention by default—so they are always audit-ready. To support compliance regulations, we launched new dashboards for organizations to ensure they are meeting requirements. For example, we launched new dashboards for CIS, a common security framework, covering:

  • CIS Control 5 - Account Management
  • CIS Control 9 - Email and Web Browser Protections
  • CIS Control 10 - Malware Defense

“With Rapid7’s InsightIDR, we have a greater handle on threats. We are able to resolve issues quicker and reduce maximum tolerable downtime, our incident management procedures and real-time actions have improved immeasurably too, and we have better cyber hygiene as well.”—Security Officer, Medium Enterprise Chemicals Company. Source: TechValidate

Confidence with expertly curated and vetted detections

Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team has curated, and continuously updates, our XDR detection library, which is expertly vetted by the Rapid7 MDR SOC. The detection library is the result of meticulous research, our vast open source community, security forums, and industry expertise, and it provides your teams the data they need for sophisticated detection and response. Last year we launched a slew of new detections, the bulk being IDS rules, but worth highlighting is the expanded coverage of tracked threat actors with the Threat Command integration. By integrating our Attacker Behavior Analytics (ABA) detection engine with Threat Command’s threat library intelligence, customers can access broader detections and new threat groups, with around 400 new ABA detection rules powered by thousands of new IOCs.

We also added a new ABA detection rule, Anomalous Data Transfer (ADT), which uses the Insight Network Sensor to identify large transfers of data sent by assets on a network and outputs alerts for easier monitoring of unusual behavior and potential exfiltration.

“InsightIDR provided value to us on Day-1. We didn't have to write long lists of rules or tweak hundreds of settings in order to get security alerts from our operating environment. Better still, the signal-to-noise ratio of the alerts is great; little-to-no false positives."—Philip Daly, VP Infrastructure and Information Security, Carlton One Engagement. Source: TechValidate

Looking ahead

Watch this space! We’re always working on new product enhancements and functionality to ensure your team can stay ahead of potential threats and malicious activity. Keep an eye on the Rapid7 blog and the InsightIDR release notes to keep up to date with the latest detection and response releases at Rapid7.

Measuring against the right criteria

Gartner® Report: Questions to Ask When Selecting an MDR Provider

The “right” criteria are whatever works to further your security organization’s specific needs in detection and response (D&R). There’s only so much budget to go around—and successfully obtaining a significant year-over-year increase can be rare. The last thing anyone wants to be known for is depleting that budget on a service provider that doesn’t deliver.

At Rapid7, we’ve spoken extensively about how a security operations center (SOC) can evaluate its current D&R proficiency to determine if it would be beneficial to extend those capabilities with a managed detection and response (MDR) provider. In an ongoing effort to help security organizations thoughtfully consider potential providers, we’re pleased to offer this complimentary Gartner® report, Quick Answer: What Key Questions Should I Ask When Selecting an MDR Provider?

This asset acts as a time-saving report for quick answers when vetting several potential providers. Key questions to ask yourself and your service providers include:

  • Yourself: Are we looking for providers that can improve our incident response capabilities?
  • Yourself: Do we have use cases specific to our environment that the MDR provider must accommodate?
  • Yourself: What functionality do we need from the provider’s portal?
  • Provider: How good are you at detecting threats that have bypassed existing, preventative controls?
  • Provider: How do you secure, and how long do you retain, the data you collect from customers?
  • Provider: What response types are provided as a component of the MDR service, and what is the limit of those response activities?

Before expecting any quick answers though, it’s crucial to consider…

Your criteria framework

Your organization might conduct a new audit of desired outcomes and team capabilities and discover it actually can handle the vast majority of D&R tasks. That’s why it’s crucial to go through the process of discovering what you really need and to determine whether you can responsibly avoid spending money. Gartner says:

“Many buyers struggle to formulate effective RFPs that can solicit relevant information from providers to help in the initial evaluation and down-select process. Therefore, it is critical that buyers construct the must have, should have, could have and won’t have (MoSCoW) framework. Using these criteria will ensure they are able to effectively make selection choices based on genuine business needs.”

Also, what is the platform from which you are launching your evaluation process? Will this be the first engagement of an MDR service provider or are you changing providers for one reason or another? If the latter is true, then you’ll most likely have loads of existing data to inform your buying experience this time around. It’s also critical to get a strong sense of what the implementation process will look like after a service agreement has been signed. Gartner says:

“Selecting an MDR service provider to obtain modern SOC services can be a challenging process that requires the appropriate planning and evaluation processes before, during and after an agreement. Gartner clients face several unique challenges when evaluating and implementing MDR services.”

An urgent need

The need for additional or enhanced threat monitoring creeps ever upward, hence the need for regular re-evaluation of your D&R capabilities. Rather than ramping up the evaluation and MDR engagement process at a faster pace each time out, taking the time to think through and document desired outcomes with key stakeholders will ultimately save your security organization headaches…and money. Gartner says:

“The process for scoping use cases and requirements, and assessing MDR service offerings, often includes a negotiation and evaluation exercise where a “best match” and “ideal partner” is identified. Prior to starting any outsourcing initiative, requirements need to be documented and ratified (and continuously updated post onboarding), or else the old adage of “garbage in, garbage out” is likely to be realized.”

Take the time

Determining your organization’s capacity for effective D&R can be a rigorous evaluation process. If your team is stretched too thin, a managed services provider could help. For a deeper dive into the MDR evaluation process, check out the complimentary Gartner report.

Gartner, “Quick Answer: What Key Questions Should I Ask When Selecting an MDR Provider?” John Collins, Andrew Davies, Craig Lawson, 10 November 2021.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

New MITRE Engenuity ATT&CK® Evaluation: Rapid7 MDR Excels

Every Managed Services organization claims they have the expertise and technology to effectively detect and respond to threats. But can they prove it?

Assessing these services and how they’d perform in a real-world scenario just got easier with results from the first ever MITRE ATT&CK Evaluations for Managed Services.

Rapid7 MDR was excited to participate in this inaugural evaluation, along with 16 other Managed Service providers. We battle adversaries on behalf of our customers every single day, but most of this work goes largely unseen. This evaluation was an opportunity to show a wider audience the early detection, accelerated action, and deep partnership engagement that Rapid7 MDR delivers to customers across the globe every day.

And the results speak for themselves.

Rapid7 reported malicious activity across all 10 ATT&CK Evaluation steps

Rapid7 MDR reported 63 of the 74 total attacker ‘techniques’ within these steps, accurately describing the full scope and impact of the breach while maintaining the strong signal-to-noise ratio that everyone expects of Rapid7.

This evaluation offers visibility into a real-world engagement with Rapid7. What our team delivered to MITRE Engenuity wasn’t ‘special’ treatment, but rather a demonstration of the resources, experience, and technology we bring to bear for all customers as part of the unlimited incident response service included with Rapid7 MDR.

Here are other highlights:

Reliable, early detection: we stopped OilRig (a.k.a. APT34) at the starting line

The attack began in a familiar way: a phishing email was used to drop a malicious payload and establish persistence on the workstation of an unsuspecting user. With a foothold in the environment, the attacker performed discovery actions and dumped user credentials, before moving laterally across the organization and eventually collecting and exfiltrating sensitive data.

Rapid7 MDR identified the very first step in the attack, notifying MITRE about the download and execution of the initial malicious payload and providing recommended actions to contain the threat. Had this been a ‘real world’ customer incident, the attack would have stopped here.

Comprehensive coverage across kill chain

As the attack was allowed to continue, our team went on to identify and report to MITRE Engenuity all major steps of the compromise – from discovery and credential dumping to web shell installation, data staging, data exfiltration, and cleanup.

Robust, actionable reporting

The evaluation also highlights the comprehensive reporting, robust communications, detailed timelines, and deep forensic investigation that Rapid7 MDR customers receive. At the conclusion of the engagement, we delivered a comprehensive 40-page incident report describing in detail the full scope and impact of the breach and attributed the activity to APT group OilRig, an Iran-linked hacking group known to target critical infrastructure.

MDR left the environment better than we found it

While containment was out of scope for this evaluation, you’ll see that Rapid7 provided detailed response and mitigation recommendations along the way. While other Managed Services put work back on the customer to figure out how to resolve incidents and harden their security to prevent similar incidents in the future, Rapid7 provides this guidance and partners with customers to ensure these recommendations are implemented. We provide an end-to-end detection and response program.

Finally, what the MITRE ATT&CK Evaluation doesn’t show you

What’s reported out here is just a slice of what’s possible with Rapid7 MDR.

While this evaluation was largely endpoint-focused, our customers get complete coverage: endpoints, network, users, cloud, and more. As the attack surface grows in complexity, you need a real MDR partner, scaling with your business, driving the end-to-end results, staying ahead of the most advanced attacks, working as a seamless extension of your team.

Our many differences, including integrated DFIR, add up.

To learn more about our evaluation, join our webcast.

The Empty SOC Shop: Where Has All the Talent Gone?

Anyone involved in hiring security analysts in the last few years is likely painfully aware of the cybersecurity skills shortage – but the talent hasn’t “gone anywhere” so much as it’s been bouncing around all over the place, looking for the highest bidder and most impactful work environment. Particularly since the advent of the pandemic, more highly skilled cybersecurity talent has been able to take advantage of work-from-anywhere opportunities, as well as other factors like work/life balance, the desire to avoid negative office politics – and, of course, potentially higher wages elsewhere.

Retain where it counts

Money isn’t everything, but it’s a lot. An awful lot. That’s what it may seem like to an experienced analyst who’s been working in the security operations center (SOC) for long hours over years, who doesn’t feel like they can really take time off, and who perhaps has been on LinkedIn of late just to “see what’s out there.” Having casual conversations with a recruiter can quickly turn into a conversation with you, their manager, that begins, “I need to put in my two-week notice.”

There are simply companies out there that will pay more and hire away your talent faster than you can say “onboarding.” You can attempt to shore up some budget to retain talent, but unless money is just one prong of a larger mix to keep your best and brightest, they’ll slowly start to join the quiet-quitting club and look elsewhere.

The balance shouldn’t be an act

It’s true that life – especially as we become adults – becomes a delicate balancing act. But for companies pitching a great work/life balance to prospective cybersecurity talent, that pitch needs to be genuine. A 2021 Gartner survey saw 43% of respondents say that flexibility in work hours helped them achieve greater productivity. And if the attempt is to woo talent with longer, more illustrious resumes, that attempt should highlight a meaningful work/life balance that’s able to coexist with the company’s values and mission – not to mention one that fits in well with the team dynamic that talent is entering or helping to build.

After all, you’re asking potential employees to sit in the trenches with their peers, fending off threats from some of the most ruthless attackers and organizations in the world. That can sometimes be a dark place to spend your days. Thus, the pervading environment around that function should be one of positivity, camaraderie, inclusivity, and celebration.

The pandemic took work/life balance to another level, one in which companies were forced to adopt work-from-home measures at least semi-permanently. In that scenario, the employee gained the ability to demand a better balance. And that’s something that can’t be taken away, even in part. Because talent loves a good party – and they can always leave yours.

Burn(out) ban in effect

One of the major reasons talent might decide that the party at your SOC has come to an end? Burnout. Currently, around 71% of SOC analysts say they feel burned out on the job. Reasons for this may have nothing to do with the environment in your SOC shop or greater organization. Burnout could be the result of a seasonal uptick in incident-response activities (end-of-year or holiday retail activities come to mind) or of responding to the latest emergent threat. However, it’s good to be vigilant about how talent churn might become a common occurrence and how you can institute a ban on burnout.

  • It takes a team: To build out a fully operational SOC and achieve something close to 24x7 coverage, it takes several people. So, if you’re placing the hopes of round-the-clock coverage on the shoulders of, say, six analysts, they’re likely to burn bright for a short period of time and then leave the party.
  • The same thing, over and over: Your workday expectations may be music to the ears of prospective talent: 9 to 5, and then you log off and go home. That kind of schedule can be great for work/life balance. But is it pretty much the same thing, every day, year in and year out? Is there a heavy amount of alert fatigue that could be offset by a more efficient solution? Are you leveraging automation to its fullest, so that your SOC doesn’t become full of expert talent spending their days doing mundane tasks?
  • Burnout may come back to bite you: Glassdoor… it’s a thing. And people will talk. Your SOC may have developed a reputation for burnout without you even realizing it. It’s called social media, and you can sink or succeed by it – especially if it isn’t just one former analyst on Glassdoor talking about your security organization in relation to burnout. What if you find out it’s 50 people over the span of five years? Sure, it’s actionable data, but by then it may be too late.

The soul of your SOC

Think about it from their point of view. What do your employees consider a positive work environment? What would constitute a brain-drain culture? Taking proactive measures like sending out a survey and soliciting anonymous responses is an easy way of taking the temperature of the culture.

And if burnout is becoming a real thing, maybe it’s time to think about a managed services partner who can take on some of the more mundane security tasks and free up your in-house talent to innovate.

You can also read our recent ebook, "13 Tips for Overcoming the Cybersecurity Talent Shortage," for a deeper dive into how your organization might take steps to overcome its own cybersecurity skills gap.


3 Mistakes Companies Make in Their Detection and Response Programs

The goal of a detection and response (D&R) program is to act as quickly as possible to identify and remove threats while minimizing any fallout. Many organizations have identified the need for D&R as a critical piece of their security program, but it's often the hardest — and most costly — piece to implement and run.

As a result, D&R programs tend to suffer from common mistakes, and security teams often run into obstacles that hamper the value a solid program can deliver.

Recognizing this fact, our team of security experts at Rapid7 has put together a list of the top mistakes companies make in their D&R programs as well as tips to overcome or avoid them entirely.

1. Trying to analyze too much data

To have a successful and truly comprehensive D&R program, you should have complete visibility across your modern environment – from endpoints to users, cloud, network, and all other avenues attackers may enter. With all this visibility, you may think you need all the data you can get your hands on. The reality? Data “analysis paralysis” is real.

While data fuels detection and response, too much of it will leave you wading through thousands of false positives and alert noise, making it hard to focus on the needle in a haystack full of other needles. The more data, the harder it is to understand which of those needles are sharp and which are dull.

So it ends up being about collecting the right data without turning your program into an alert machine. It’s key to understand which event sources to connect to your SIEM or XDR platform and what information is the most relevant. Typically, you’re on the right path if you’re aligning your event sources with use cases. The most impactful event sources we usually see ingested are:

  • Endpoint agents (including start/stop processes)
  • DHCP
  • LDAP
  • DNS
  • Cloud services (O365, IIS, load balancers)
  • VPN
  • Firewall
  • Web proxy
  • Active Directory for user attribution
  • For even greater detail, throw on network sensors, IDS, deception technology, and other log types

At the end of the day, gaining visibility into your assets, understanding user behaviors, collecting system logs, and piecing it all together will help you build a clearer picture of your environment. But analyzing all that data can prove challenging, especially for larger-scale environments.

That's where Managed Security Service Providers (MSSPs) and Managed Detection and Response (MDR) providers can come in to offload that element to a 24x7 team of experts.

2. Not prioritizing risks and outcomes

Not all D&R programs will focus on the same objectives. Different companies have different risks. For example, healthcare providers and retail chains will likely deal with threats unique to their respective industries. Hospitals, in particular, are prime targets for ransomware. Something as simple as not having two-factor authentication in place could leave a privileged account susceptible to a brute-force attack, creating wide-open access to medical records. It’s not overstating to say that could ultimately make it more difficult to save lives.

Taking this into account, your D&R program should identify the risks and outcomes that will directly impact your business. One of the big mistakes companies make is trying to cover all the bases while ignoring more targeted, industry-specific threats.

As mentioned above, healthcare is a heavily targeted industry. Phishing attacks like credential harvesting are extremely common. As we should all know by now, it can be disastrous for even one employee to click a suspicious link or open an attachment in an email. In the healthcare sector, customer and patient data were leaked about 58% of the time, or in about 25 out of 43 incidents. Adversaries can now move laterally with greater ease, quickly escalating privileges and getting what they want faster. And when extortion is the name of the game, the goal is often to disrupt mission-critical business operations. This can cripple a hospital's ability to run, holding data for ransom and attempting to tarnish a company’s reputation in the process.

3. Finding help in the wrong place

Building a modern security operations center (SOC) today requires significant investments. An internal 24x7 SOC operation essentially needs around a dozen security personnel, a comprehensive security playbook with best practices clearly defined and outlined, and a suite of security tools that all go toward providing 24/7 monitoring. Compound these requirements with the cybersecurity skills shortage, and not many organizations will be able to set up or manage an internal SOC, let alone helm a fully operational D&R program. In a recent Forrester Consulting Total Economic Impact™ (TEI) study commissioned by Rapid7, it was identified that Rapid7’s MDR service was able to prevent security teams from hiring five full-time analysts – each at an annual salary of at least $135,000.

There are two critical mistakes organizations make that can send D&R programs down the wrong path:

  • Choosing to go it all alone and set up your own SOC without the right people and expertise
  • Partnering with a provider that doesn't understand your needs or can't deliver on what they promise

Partnering with an MDR provider is an effective way to ramp up security monitoring capabilities and fill this gap. But first, it’s important to evaluate an MDR partner across the following criteria:

  • Headcount and expertise: How experienced are the MDR analysts? Does the provider offer alert triage and investigation as well as digital forensics and incident response (DFIR) expertise?
  • Technology: What level of visibility will you have across the environment? And what detection methods will be used to find threats?
  • Collaboration and partnership: What do daily/monthly service interactions look like? Is the provider simply focused on security operations, or will they also help you advance your maturity?
  • Threat hunting: Will they go beyond real-time threat monitoring and offer targeted, human-driven threat hunting for unknown threats?
  • Process and service expectations: How will they help you achieve rapid time-to-value?
  • Managed response and incident response (IR) expertise: How will they respond on your behalf, and what will they do if an incident becomes a breach?
  • Security orchestration, automation, and response (SOAR): Will they leverage SOAR to automate processes?
  • Pricing: Will they price their solution to ensure transparency, predictability, and value?

An extension of your team

Services like MDR can enable you to obtain 24/7, remotely delivered SOC capabilities when you have limited or no existing internal detection and response expertise or need to augment your existing security operations team.

The key questions and critical areas of consideration discussed above can help you find the MDR partner who will best serve your needs — one who will provide the necessary MDR capabilities that can serve your short- and long-term needs. After all, the most important thing is that your organization comes out the other side better protected in the face of today's threats.

Looking for more key considerations and questions to ask on your D&R journey to keeping your business secure? Check out our 2022 MDR Buyer's Guide that details everything you need to know about evaluating MDR solutions.


6 Reasons Managed Detection and Response Is Hitting Its Stride

Cyber threats have risen to the #1 concern of CEOs, which means security teams — in the hot seat for years — are really feeling it now. Files and data live in the cloud. Work is hybrid or remote. There’s turmoil around the world. Cyberattacks are not just a distant boogieman – they’re here and happening every day.

As companies try to make sure their existing security infrastructure can keep up, they confront the skills gap, a 0% industry unemployment rate, and no room for mistakes. Managed Detection and Response (MDR) is having a moment.

According to a recent ESG study, MDR is one of the fastest growing areas of cybersecurity today. A whopping 85% of surveyed organizations currently use or plan to use managed services for their security operations. And 88% say they will increase their use of managed services in the next 1-2 years.

What’s driving this move to MDR? Let’s take a look at six main factors.

1. Focus

Augmenting an internal security team means internal security personnel can focus on more strategic security initiatives rather than day-to-day operational tasks. In fact, 55% of surveyed organizations want to focus their internal security teams on more strategic initiatives rather than spend time on daily basics, the ESG study found.

By partnering with an MDR provider, alert triaging and investigations are generally taken care of by the external team. Of course, your organization still has some things you’ll need to do – partnership is the name of the game. But by working with an MDR service, security teams suddenly have more time and bandwidth to work strategically.

2. Services

ESG reports that 52% of companies surveyed believe managed service providers can do a better job with security operations than they can.

What you would once have to train your detection and response team to do, MDR providers take over. That means they’re able to detect active attackers within your environment and contain threats, analyze incidents and provide recommendations for remediation, and apply learnings from other environments they manage to your environment to make sure you're protected from the latest attacker behaviors. Finally, good MDR providers are able to pivot into breach response if an attacker is live within your network.

To learn more about how to evaluate MDR providers on eight core capabilities, read the MDR Buyer's Guide here.

3. Augmentation

About half of organizations (49%) believe a service provider can augment their security operations center (SOC) team with additional support.

Most companies that are able to build internal SOCs are generally well-funded, can afford roughly 10-12 full-time personnel, have a large array of security tools at their disposal, and have extensive processes already outlined. Sound doable? Great! If not, augmentation by way of an MDR provider is your tall glass of water.

Sign on with an MDR provider, get deployed, and your team is instantly extended. Benefits include time savings, cost savings, and experience level that most companies can't afford to hire at scale.

4. Skills

No surprise, 42% of surveyed organizations in the ESG study believe they don’t have adequate skills for security operations in-house.

MDR is more than outsourcing 24x7x365 monitoring. It’s a partnership that helps you move towards a more secure posture with guidance and expertise.

This type of partnership allows teams to contextualize metrics and reports, get a better understanding of investigations that take place within their environment, and have someone to walk through processes should an attack take place. You also have an expert in your corner during CISO, board, or executive meetings.

5. Price

40% of surveyed organizations did a cost analysis and found that it would cost less to use a service provider than to do it themselves.

We won’t sugar-coat it – partnering with an MDR service provider is expensive. But so is building out an internal team that can actually monitor and investigate within an organization’s environment round the clock.

The cost of partnering with an MDR provider pales in comparison to the cost of employing 10-12 security personnel that operate an around-the-clock SOC, and it can offer ROI much more quickly.

Check out this recent Forrester study to learn more about cost-saving outcomes of partnering with Rapid7’s MDR team.

6. Staff

Finally, ESG tells us that 35% of surveyed organizations don’t have an adequately sized staff for security operations.

Even with unlimited budget to hire a full team, it would be an incredibly labor-intensive and time-consuming process. It would be nearly impossible for most organizations to accomplish. Not only is finding qualified candidates and hiring a huge pain point, but the resources needed to onboard and train staff often aren't there.

Of course, not all MDR services are the same

Keep these three things in mind:

  • Forrester found Rapid7 MDR reduced breaches by 90%
  • Forrester found Rapid7 MDR delivered 549% ROI
  • In the event of a breach, Rapid7 MDR pivots to full-on digital forensics and incident response, no delay, no limits

Check out our full MDR Buyer's Guide for 2022 here.


4 key statistics to build a business case for an MDR partner

From one person to the next, the word “impact” may have wildly different connotations. Is the word being used in a positive or negative sense? For an understaffed security organization attempting to fend off attacks and plug vulnerabilities, the impact of all of that work is most likely negative: more work, less success to show for it, and more stress to take home.

That's why Rapid7 commissioned Forrester Consulting to conduct a June 2022 Total Economic Impact™ (TEI) study to learn how our real MDR customers are seeing tangible impacts to their bottom line by partnering with Rapid7.

The study found that Rapid7's SOC expertise – with XDR technology that generated improved visibility – enabled a composite organization using Rapid7 Managed Detection and Response (MDR) to:

  • Quickly extend its coverage with skilled headcount
  • Put formal processes in place for cyberattack detection and response

The analysis was conducted using a hypothetical composite organization created for the purposes of the study, with insights gleaned from four real-life MDR customers. This composite reflects a profile we see often: a small team of two security analysts tasked with protecting 1,800 employees and 2,100 assets.

The study concluded that partnering with Rapid7 MDR services experts enabled the composite organization to achieve end-to-end coverage and cut down on detection and response times. Impact like that can open the door to true progress.

Any MDR financial justification like this will come down to four main factors: return on investment (ROI), savings from building out your SOC team, the reduction in risk to your organization, and the time to see value/impact. Let’s break down these four key statistics from the study in more detail.

1. ROI

In the Forrester study, the composite organization – once partnered with Rapid7 – saw productivity gains accelerate efficiencies across alert investigation, response actions, and report creation. They were also protected with 24/7 eyes-on-glass and expert security support. Savings from security-team productivity gains totaled over $930,000 and Rapid7 MDR services in total delivered an ROI of 549% for the composite organization over the course of the three-year analysis. That kind of money can be reinvested to strengthen other parts of a security program and act as a profit driver for the business.

This greater overall visibility is powered by XDR capabilities that can customize protection to assess and block specific threats. Continuously analyzing activity in this way enables more targeted and prioritized containment actions that lead to better curation.

2. Hiring savings

In any sort of managerial capacity, the word “headcount” can have an exhausting connotation. Having to hire a skilled professional, onboard that person to the point they’re contributing in a meaningful way, and then do it all again to fill out perhaps multiple vacancies in pursuit of a productive SOC team – it’s a lot. And it sucks up time and valuable resources, which is perhaps the biggest advantage attackers have over a security organization in need.  

Partnering with Rapid7 MDR afforded the composite organization:

  • Time savings for existing security team members
  • Avoided headcount and onboarding for potential new team members
  • Security-breach cost avoidance by extending the team with a dedicated MDR services provider

This led to total quantified benefits with a present value of $4.03 million over three years.

3. Potential benefit

The above stat is great, but you may be asking what sort of start-up costs the composite organization incurred. According to the Forrester study, for the composite organization, partnering with Rapid7 MDR meant spending around $620,000 over the course of three years. Digging into that number a bit more, the organization spread the investment into smaller yearly increments.

Compared to the costs of hiring multiple full-time employees (FTEs) who can do exactly what one needs them to do (and hopefully more), $620,000 quickly begins to look more attractive than what one might pay those FTEs over, say, five years. For a deeper dive into the actual purchasing process of MDR services, check out this handy MDR buyer’s guide.

4. Payback period

For the total three-year investment of just over $620,000, the composite organization experienced payback in less than three months! At the time of the investment in Rapid7 MDR, the composite organization had key objectives like improved visibility across the entire security environment, a complete security solution backed by the right expertise, and 24/7/365 coverage.

The chief information security officer at a healthcare firm said it took two members of their security team, each working four hours a day over the course of two weeks, to complete implementation. In some instances, Rapid7 MDR was able to detect and respond to incidents the first day the service was live.

A complete economic picture

When it comes to under-resourced teams, the economics boil down to a simple comparison: The costs for an MDR provider like Rapid7 versus a potential multiyear attempt to stretch an already-overloaded staff to investigate every alert and mitigate every threat.

Impact aside, a year of MDR service can often equate to the cost of one or two open headcounts. At that point, the economic benefits are the cherry on top. After all, it’s always easier (and more impactful) to instantly extend your team with expert headcount, saving time and resources in onboarding and bringing in experts ready to make an impact from day one. Bundle it all together and you’re building a business case for the potential to bring your organization greater expertise, significant cost avoidance, and positive ROI.

At the end of the day, Rapid7 MDR can give existing security specialists some much-needed breathing room while helping the business into a better overall competitive position. Put another way: More coverage. More money. More time. Less stress.

You can read the entire Forrester Consulting TEI study to get the deep dive from interviewed customers – along with the numbers and stories they shared – on Rapid7 MDR.