Rapid7 MDR Reduced Breaches by 90% via Greater Efficiency to Detect, Investigate, Respond to, and Remediate Breaches

When a security operations center (SOC) is operating at a deficit, they increase the possibility of beach reductions. That is, the likelihood they won’t be able to travel to any beaches – or any vacation destinations whatsoever – anytime in the near future. That can lead to burnout, which can lead to security talent loss, which can lead to the entire business being incredibly vulnerable.

So now let’s talk about breach reduction. As in, the charter of any security team.

No team can investigate every alert, but forging a valuable partnership with a Managed Detection and Response (MDR) provider can provide a turnkey solution and near-immediate headcount extension to your SOC.

A June 2022 Total Economic Impact™ study by Forrester Consulting commissioned by Rapid7 found that Rapid7's SOC expertise – with XDR technology that generated improved visibility – enabled a composite organization using Rapid7 MDR to reduce the likelihood of a breach by 90% in the first year of partnership.

The analysis was conducted using a hypothetical composite organization created for the purposes of the study, with insights gleaned from four real-life MDR customers. This composite reflects a security team profile we see often: a small team of two security analysts tasked with protecting 1,800 employees and 2,100 assets. We at Rapid7 see this as a tall order, but it’s one that (unfortunately) represents the state of security operations today.

The study concluded that partnering with Rapid7 MDR services experts enabled the composite organization to achieve end-to-end coverage and cut down on detection and response times. Let’s break down how Rapid7 MDR helped security teams reduce the likelihood of breaches by 90%.

1. Complete visibility into security environments

OK, so extended detection and response (XDR) isn’t exactly apples-to-apples with X-ray technology, but it’s an apt metaphor. Greater visibility, after all, helps to improve your overall security risk posture, and customers interviewed for the TEI study said their organizations were more secure thanks in part to this improved visibility. Rapid7’s InsightIDR uses its XDR superpowers to unify data from all over and beyond your modern environment, so it’s easier than ever to see and respond to a transgression.

The Rapid7 MDR team’s expertise in cloud-scalable XDR technology enables stronger signal-to-noise capabilities, so you only become aware of alerts that matter and get the peace of mind that comes from knowing we’ve got you covered. After all, being aware of a breach is better than not being aware of one – or having a customer alert you to the existence of a breach, which could lead to a different kind of breach: the relationship.

2. Detect and respond literally all day, every day

According to the Forrester TEI study, interviewed organizations had outdated technology that was used by staff to manually investigate each alert prior to partnering with Rapid7 MDR. These organizations’ security teams lacked expertise, were understaffed, and lacked visibility – the perfect storm to miss security incidents. Interviewees said there would be no way for them to implement a 24x7 detection and response program on their own without using Rapid7 MDR. As an interviewed director of information security for a financial services company said, “If we didn’t acquire Rapid7 MDR, I would have had to do a lot more manual work, and it would have kept me from other tasks.”  

With the modern proliferation of threats, the only thing to do is to have 24x7x365 coverage of your entire network. As referenced above, that can be expensive and near-impossible to maintain, unless you’re gaining leverage with the right MDR partner.

For example, with Rapid7 MDR, customers can opt in to Active Response, which enables our expert SOC analysts to respond to a validated threat on your behalf. The service also removes quite a few headaches, providing the flexibility to configure or cancel responses so that unauthorized quarantines occur less frequently (as they may with automated containment actions).

A customer SOC team will also have their own access to InsightIDR, the underlying technology of Rapid7’s MDR services. With the ability to also run your own investigations, your team will be able to see what we see, and follow along with the process. No black boxes or Wizard of Oz reenactments here.

These days we say that round-the-clock monitoring isn’t just important – it’s a must. A good MDR provider will be able to take on those duties, raising any incidents discovered and validated, day and night. In particular, Rapid7 utilizes a follow-the-sun methodology. This purpose-built monitoring engine leverages incident-response (IR) teams all over the world – Australia, Ireland, the United States, and more – to ensure awake and active detection and response experts are investigating security alerts and only notifying you when there’s an actual incident. From the SOC or remote locations, these IR teams can perform real-time log analysis, threat hunting, and alert validation, for any customer.

Redundancy is key here. Attackers never take a day off, but security professionals working 9 to 5 do. Whether it’s national holidays or vacation season, the majority of attacks occur around the specific times when security experts might set their status to “away.”

3. Gain more freedom to focus their energy elsewhere

In the TEI study, Forrester found that Rapid7 MDR was able to provide security teams with greater information and curated alert detections, with the ability to block specific threats. MDR also improved response times to detections by providing teams with a security resource dedicated to security incidents that require any response. This meant internal security teams could focus on other priorities and business objectives without dealing with:

Alert triage and investigations

An interviewed senior cybersecurity analyst at a technology solutions firm said analysts previously spent three to four hours a day on alert management. Now, with MDR, that same process only takes 10 minutes of their time! That means the small team can focus on other elements of their security program knowing there’s another team of experts monitoring their environment around the clock.

Threat response

An interviewed CISO at a healthcare firm reported that their response could take up to two weeks prior to MDR. That’s a long time! With Rapid7 MDR, the security team was able to detect and respond in three days instead. The interviewed senior cybersecurity analyst from the technology solutions firm said response may have taken days prior to Rapid7 MDR, but now the security team can respond in 30 minutes! Greater efficiency (and faster response) meant lower likelihood of future breaches and lower impact of any breaches.

Post-detection reporting

The interviewed cybersecurity analyst from the technology solutions firm said that before Rapid7 MDR, it took an entire day to compile a quarterly executive summary and two monthly reports because it meant parsing through log data and finding the right information. Now with MDR, the report is created for them and their ability to create and deliver this to their team is more efficient. That means they can spend more time protecting the organization, not reporting.

4. $1.6 million in savings over 3 years

When an organization can reduce the likelihood of attacks by 90%, that can result in some serious ROI. How serious? The composite organization profiled in the Forrester study was able to see a breach cost avoidance – or savings – of $1.6 million over three years when partnered with Rapid7 MDR.

The composite organization saw an average of 2.5 incidents per year, with an average cost per security breach of $654,846. This average cost included damage to brand equity and customer loyalty. We at Rapid7 are also cognizant of the mental toll those incidents take on the entire business, as well as the loss of forward momentum on any current initiatives – it all comes to a stop when a breach occurs and disrupts. This is why it’s critical to have a team spot threats early and respond to them quickly.

The more advanced, large-scale breaches sometimes require backup. Luckily, Rapid7 MDR now includes Unlimited IR to ensure major incidents are handled by our Digital Forensics and Incident Response (DFIR) experts. The merger of the MDR and IR Consulting teams accelerates a breach investigation by instantly pulling in senior-level IR experts to an emergency situation and ensuring the response is as efficient as possible.

Rapid7 MDR teams use our open-source DFIR tool, Velociraptor, giving you the same tools and experience you’d receive if you called the breach hotline. These experts leverage multiple types of forensics (file-system, memory, and network), as well as attack intelligence and enhanced endpoint visibility to quickly organize and interpret data. Then? Kick the threat out and slam the door behind them.

Defense in depth

Beyond the need for agile detection and response abilities, preventive solutions are also of critical importance. At a device level, it is of course always prudent to ensure things like multifactor authentication (MFA), antivirus or NGAV (NextGen Antivirus) software, and/or an endpoint protection platform (EPP) – designed to detect suspicious behavior and stop attacks – are part of your preventive behavior.

At a more macro level (i.e., a SOC in the security organization of a Fortune 500 company independent of the Forrester study), the following preventive solutions should always be part of the mix:  

  • Vulnerability Risk Management: It’s easier to detect and respond to the bad guys in the environment when you limit the number of doors they can walk through. Vulnerabilities are always at risk of exploitation. Managing that risk is what InsightVM was made to do. It helps to secure your entire attack surface with visibility and behavioral assessment of your network-wide assets, as well as analyzing business context so it can prioritize the most critical issues.
  • Cloud Security: It takes cloud-native to protect cloud-based. InsightCloudSec provides visibility of all of your cloud assets in one, user-friendly place. Get immediate risk assessment with full context across infrastructure, orchestration, workload, and data tiers.    
  • Application Security: More complex apps means more security required. With the ability to crawl and assess these modern web apps, InsightAppSec returns fewer false positives via features like the Universal Translator and its ability to bring flexibility to the security testing process. Finding threats with Dynamic Application Security Testing (DAST) – using the same exploits that an attacker would – is one of the keys to stopping web application-based attacks.
  • Security Orchestration Automation and Response (SOAR): The composite organization from the Forrester study took advantage of Rapid7 MDR’s utilization of Active Response, Rapid7’s Security Orchestration, Automation, and Response (SOAR) technology, as well as skilled SOC experts to quickly respond to and remediate threats.  

By incorporating preventive and responsive solutions, you’ll work less by working smarter. Which, oftentimes, means letting someone else take on key aspects of your program. You can read the entire Forrester TEI study to get the deep-dive from interviewed customers – along with the numbers and stories they shared – on Rapid7 MDR.

But what the study does not quantify is Rapid7’s commitment to partnering with our customers to improve their security maturity, providing expertise that drives returns for your detection and response program where and when you need it. Considering MDR but don't know where to start? We put together an MDR Buyer’s Guide that includes priority questions to ask when you’re seeking the right partner.



Rapid7 MDR Delivered 549% ROI via Headcount Avoidance, Time Savings, and Breach Risk Reduction

In-house security organizations these days are operating at an extreme deficit. Skeleton crews are running entire security operations centers (SOCs). A constant barrage of alerts is making it difficult for these teams to detect and investigate every alert and stay ahead of today’s evolving threats. The odds are heavily in favor of the attacker.

But there is hope. Managed security service providers (MSSPs) – and more specifically, managed detection and response (MDR) providers – enable access to specialized detection and response expertise and headcount, bypassing the talent- and skill-gap challenges that plague the industry.

MDR offers a way for internal security teams to extend their capabilities in threat detection, alert triage, malware analysis, incident investigation, and response capabilities quickly and at scale. For under-resourced teams, MDR is a turnkey solution for a fully operational SOC at a fraction of the cost to build one out internally. How much, exactly?

A June 2022 Total Economic Impact™ study by Forrester Consulting commissioned by Rapid7 found that Rapid7's “secret sauce” – a blend of extended detection and response (XDR) technology, improved visibility, and SOC expertise – enabled a composite Rapid7 MDR customer to capture an estimated 549% return on their investment (ROI) over three years and to see a payback for that investment in less than 3 months! That’s almost a 5.5x ROI!

The analysis was conducted using a hypothetical composite organization created for the purposes of the study, using insights gleaned from four real-life MDR customers. This composite reflects a security team profile we see often: a small team of two security professionals tasked with protecting 1,800 employees and 2,100 assets. A tall order, and one that (unfortunately) represents the state of security operations today.

The study concluded that Rapid7 MDR services experts integrate with an existing security organization to quickly cut down on detection and response times. Subsequently, the interviewed customers saw substantial returns from working alongside the MDR team as a trusted partner to mature their program.

Here are four key takeaways from the Forrester Consulting study.

Rapid7 MDR offered improved visibility through XDR technology

Detection can only be as good as the visibility the technology provides and what’s being monitored. In the words of an interviewed director of information security for a financial services company, “I didn’t have full visibility into the security activity of all devices across my enterprise. It was a ‘fingers-crossed’ [hope] that there isn’t something going on within my network.”

Luckily, MDR as a partner can ensure complete monitoring and visibility across the entire environment – comprehensive coverage to detect across all endpoints, user accounts, network traffic, deception technologies, the cloud, and more – offering a winning strategy.

In the study, Forrester found that Rapid7 MDR utilizes XDR capabilities to help customers see beyond the confines of traditional security information and event management (SIEM) and endpoint detection and response (EDR) tools, with coverage across the entire modern environment.

Combined with the latest threat intelligence and machine learning to continuously analyze attacker activity, the MDR provider can help you anticipate that threat and form a more proactive response. That’s a winning strategy.

Rapid7 MDR saved time for security teams

Alerts can fire constantly. Each of them needs triaging and investigation. Every confirmed incident then needs a response plan, remediation, mitigation actions, and a post-incident report. The challenge is, all of this takes time.

With MDR, those alerts are handled without spending countless cycles from the customer’s internal teams. Investigation, response, and reporting are, too. This frees up the security team to focus on other aspects of their program.

Going from understaffed to capably staffed can be an incredible time saver. As a director of information security in financial services said to Forrester, “If we didn’t acquire MDR, I would have had to do a lot more manual work and it would have kept me from other tasks.”

The Forrester study concluded that Rapid7 MDR – by providing improved focus and outsourcing of detection and response activities – reduced the amount of time spent by:

  • 87.5% on alert investigation
  • 97.5% on response, remediation, and recovery
  • 83.3% on research and reporting

Rapid7 MDR helped avoid the hefty costs of hiring security talent

The Gartner® 2021 SOC Model Guide report suggests that “by 2025, 33% of organizations that currently have internal security functions will attempt and fail to build an effective internal SOC due to resource constraints, such as lack of budget, expertise, and staffing.” This is partially because of the difficulty of hiring and retaining top detection and response talent.

Hiring a full SOC team is incredibly expensive. For example, the Gartner SOC Model Guide suggested an industry benchmark closer to “at least 10-12 personnel for 24/7 coverage," with the Forrester TEI study placing one full-time employee (FTE) at $135,000 annually.

Because of this, many teams are turning to MDR to implement a hybrid-SOC model that integrates an MDR SOC alongside an internal SOC team. Gartner suggests, “By 2025, 90% of SOCs in the G2000 will use a hybrid model by outsourcing at least 50% of the operational workload.” This approach has certainly become the most optimal and economic option.

Partnering with an MDR provider is certainly one way to avoid prohibitive time and hiring costs. According to the Forrester Consulting study, Rapid7 was able to save the composite organization $1.5 million over the course of three years by avoiding the need to hire five full-time security analysts in order to achieve 24x7 coverage (in year 1). And those numbers might be low compared to other industry SOC FTE benchmarks.

Rapid7 MDR greatly reduced the risk of a security breach

There will always be new zero-days, new TTPs, and emerging threats that make it impossible to prevent (and stop) every breach. The Forrester Consulting Cost Of A Cybersecurity Breach Survey from 2020 Q4 estimated that an organization will have an average of 2.5 significant security breaches each year with an average cost of $654,846 per breach.

That’s where partnering with an MDR provider can help reduce that number. In fact, the Forrester study notes that Rapid7 MDR reduced the likelihood of a major security breach by 90% for the composite organization!

At Rapid7, some of our MDR capabilities that help prevent breaches from occurring are:

  • XDR technology to gain complete visibility across your attack surface (with an ability for customers to have full access to InsightIDR for log search, data storage, reporting, and more)
  • 24x7x365 monitoring of the environment from a global, follow-the-sun SOC team of detection and response experts
  • Proactive, hypothesis-driven threat hunts from human MDR analysts
  • Active Response to contain assets and users instantly when there’s a validated incident

What about the 10% of incidents that get through? We at Rapid7 offer an industry-first, unlimited Incident/Breach Response baked into our MDR service, leveraging our integrated Digital Forensics and Incident Response (DFIR) team to ensure we’re able to assist customers with any security incident, no matter how minor or major.

All of this is why a director of information security in financial services who was interviewed for the Forrester study said, “I’d say we’re 100% more prepared to handle a security incident with Rapid7 MDR.”

MDROI

Ultimately, the goal of the security department is to invest in technology and services that help protect the organization. But when that investment is able to positively impact the company’s bottom line, it’s a win-win.

It’s not just about alleviating some of the stress on the security team. It’s also about having access to that MDR provider’s technology, their library of advanced detection methodologies and resources, and the collaboration that can lead to strengthening your security posture.

You can read the entire Forrester TEI study to get the full breakdown on Rapid7 MDR alongside the numbers and stories from customers.

But what the study does not quantify is our commitment to partnering with our customers to improve their security maturity, providing expertise that drives returns for your detection and response program where and when you need it.

Considering MDR but don't know where to start? We put together an MDR Buyer’s Guide that includes the questions to ask and what to look for to help the decision-making process.

Forrester Consulting Study, “The Total Economic Impact™ Of Rapid7 Managed Detection And Response (MDR)” commissioned by Rapid7.

The Gartner® 2021 SOC Model Guide, 19 October 2021, John Collins, Mitchell Schneider, Pete Shoard

Gartner® is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.




DFIR Without Limits: Moving Beyond the “Sucker's Choice” of Today’s Breach Response Services

Three-quarters of CEOs and their boards believe a major breach is “inevitable.” And those closest to the action? Like CISOs? They’re nearly unanimous.

Gartner is right there, too. Their 2021 Market Guide for Digital Forensics and Incident Response (DFIR) Services recommends you “operate under the assumption that security breaches will occur, the only variable factors being the timing, the severity, and the response requirements.”

When that breach happens, you’ll most likely need help. For Rapid7 MDR customers, we’re there for you when you need us, period. Our belief is that, if a breach is inevitable, then a logical, transparent, collaborative, and effective approach to response should be, too.

I’m not just talking about the table-stakes “response” to everyday security threats. I’m talking about digital forensics and world-class incident response for any incident – no matter if it’s a minor breach like a phishing email with an attached maldoc or a major targeted breach involving multiple endpoints compromised by an advanced attacker.

Protecting your environment is our shared responsibility. As long as you are willing and able to partner with us during and after the Incident Response process, we are here for you. Rapid7 does the DFIR heavy lift. You cooperate to eradicate the threat and work to improve your security posture as a result.

Unfortunately, that’s not how all of the market sees it.

How vendors typically provide DFIR

Some managed detection and response (MDR) vendors or managed security services providers (MSSPs) do understand that there’s an R in MDR. Typically, they’ll do a cursory investigation, validation and – if you’re lucky – some form of basic or automated response.

For most, that’s where the R stops. If they can’t handle an emergency breach response situation (or if you’re on your own without any DFIR on staff), you’ll wind up hiring a third-party incident response (IR) consulting service. This will be a service you’ve found, or one that’s required by your cyber insurance provider. Perhaps you planned ahead and pre-purchased an hourly IR retainer.

Either way, how you pay for IR determines your customer experience during “response.” It’s a model designed to maximize provider profits, not your outcomes.

At a glance

| | IR Consulting Services | IR Included in Managed Services |
|---|---|---|
| Scope | Unbounded | Limited to managed services in-scope environments |
| Time Limit | Capped by number of hours or number of incidents | Capped by number of hours or number of incidents |
| Expertise | Senior IR Consultants | Capped by number of hours or number of incidents |
| 24x7 IR | No | Yes |
| Tooling | Often will deploy a separate tooling stack, without easy access to historical data | Existing tooling, utilizing historical data but potentially lacking in forensic capability |
| Time to Respond | Slower (limited by legal documents, SLAs, lack of familiarity in the customer environment, time for tool deployment) | Faster (24x7, uses existing tools, multiple analysts) |
| Pricing Model | Proactively purchased as a retainer or reactively on an hourly basis | Included in purchase, up to an arbitrarily defined limit |


There’s a good reason DFIR experts are reserved for expensive consulting services engagements. They’re a rare breed.

Most MDR teams can’t afford to staff the same DFIR experts that answer the Breach Response hotline. Security vendors price, package, and deliver these services in a way to reserve their more experienced (and expensive) experts for IR consulting.

Either you purchase Managed Services and expensive IR consulting hours (and play intermediary between these two separate teams), or you settle for "Incident Response lite" from your Managed Services SOC team.

If this seems like a “lesser of two evils” approach with two unappealing options, it is.

The future of incident response has arrived

Over a year ago, Rapid7 merged our Incident Response Consulting Team with our MDR SOC to ensure all MDR customers receive the same high-caliber DFIR expertise as a core capability of our service – no Breach Response hotlines or retainer hours needed.

This single, integrated team of Detection and Response experts started working together to execute on our response mission: early detection and rapid, highly effective investigation, containment, and eradication of threats.

Our SOC analysts are experts on alert triage, tuning, and threat hunting. They have the most up-to-date knowledge of attackers’ current tactics, techniques, and procedures and are extremely well-versed in attacker behavior, isolating malicious activity and stopping it in its tracks. When a minor incident is detected, our SOC analysts begin incident investigation – root cause analysis, malware reverse engineering, malicious code deobfuscation, and more – and response immediately. If the scope becomes large and complex, we (literally) swivel our chair to tap our IR reinforcements on the shoulder.

Senior IR consultants are seasoned DFIR practitioners. They’re also the experts leading the response to major breaches, directing investigation, containment, and eradication activities while clearly communicating with stakeholders on the status, scope, and impact of the incident.

Both teams benefit. The managed services SOC team has access to a world class Incident Response team. And the expert incident response consultants have a global team of (also world class) security analysts trained to assist with forensic investigation and response around the clock (including monitoring the compromised environment for new attacker activity).

Most importantly, our MDR customers benefit. This reimagining of how we work together delivers seamless, effective incident response for all. When every second counts, an organization cannot afford the limited response of most MDR providers, or the delay and confusion that comes with engaging a separate IR vendor.

Grab a coffee, it’s major breach story time

Here’s a real-life example of how our integrated approach works.

In early January, a new MDR client was finishing the onboarding process by installing the Insight Agent on their devices. Almost immediately upon agent installation, the MDR team noticed critical alerts flowing into InsightIDR (our unified SIEM and XDR solution).

Our SOC analysts dug in and realized this wasn’t a typical attack. The detections indicated a potential major incident, consistent with attacker behavior for ransomware. SOC analysts immediately used Active Response to quarantine the affected assets and initiated our incident response process.

The investigation transitioned to the IR team within minutes, and a senior IR consultant (from the same team responsible for leading breach response for Rapid7’s off-the-street or retainer customers) took ownership of the incident response engagement.

After assessing the early information provided by the SOC, the IR consultant identified the highest-priority investigation and response actions, taking on some of these tasks directly and assigning other tasks to additional IR consultants and SOC analysts. The objective: teamwork and speed.

The SOC worked around the clock together with the IR team to search these systems and identify traces of malicious activity. The team used already-deployed tools, such as InsightIDR and Velociraptor (Rapid7’s open-source DFIR tool).

This major incident was remediated and closed within three days of the initial alert, stopping the installation of ransomware within the customer’s environment and cutting out days and even weeks of back-and-forth between the customer, the MDR SOC team, and a third-party Breach Response team.

Now, no limits and a customer experience you’ll love

The results speak for themselves. Not only does the embedded IR model enable each team to reach beyond its traditional boundaries, it brings faster and smoother outcomes to our customers.

And now we’re taking this a step further.

Previously, our MDR services included up to two “uncapped” (no limit on IR team time and resources) Remote Incident Response engagements per year. While this was more than enough for most customers (and highly unusual for an MDR provider), we realized that imposing any arbitrary limits on DFIR put unnecessary constraints on delivering on our core mission.

For this reason, we have removed the Remote Incident Response limits from our MDR service across all tiers. Rapid7 will now respond to ALL incidents within our MDR customers' in-scope environments, regardless of incident scope and complexity, and bring all the necessary resources to bear to effectively investigate, contain and eradicate these threats.

Making these DFIR engagements – often reserved for breach response retainer customers – part of the core MDR service (not just providing basic response or including hours for a retainer) just raised the “best practices” bar for the industry.

It’s not quite unlimited, but it’s close. The way we see it, we’ll assist with the hard parts of DFIR, while you partner with us to eradicate the threat and implement corrective actions. That partnership is key: Implementing required remediation, mitigation, and corrective actions will help to reduce the likelihood of incident recurrence and improve your overall security posture.

After all, that's what MDR is all about.

P.S.: If you’re a security analyst or incident responder, we’re hiring!

In addition to providing world-class breach response services to our MDR customers, this new approach makes Rapid7 a great place to work and develop new skills.

Our SOC analysts develop their breach response expertise by working shoulder-to-shoulder with our Incident Response team. And our IR team focuses on doing what they love – not filling out time cards and stressing over their “utilization” as consultants, but leading the response to complex, high-impact breaches and being there for our customers when they need us the most. Plus, with the support and backing of a global SOC, our IR team can actually sleep at night!

Despite the worldwide cybersecurity skills crisis and The Great Resignation sweeping the industry, Rapid7’s MDR team grew by 30% last year with only 5% voluntary analyst turnover – in line with our last three years.

Part of this exceptionally low turnover is due to:

  • Investment in continuing education, diversity, and employee retention benefits
  • A robust training program, clear career progression, the opportunity to level up skills by teaming with IR mentors, and flexibility for extra-curricular “passion project” work (to automate processes and improve aspects of MDR services)
  • Competitive pay, and a focus on making sure analysts are doing work they enjoy day in and day out with a healthy work-life balance (there’s no such thing as a “night shift” since we use a follow-the-sun SOC model)

If you’re a Security Analyst or Incident Responder looking for a new challenge, come join our herd. I think Jeremiah Dewey, VP of Rapid7’s Managed Services, said it best:

“Work doesn't have to be a soul-sucking, boring march to each Friday. You can follow your passion, have fun in what you're doing, and be successful in growing your career and growing as a human being.”


Getting the most from managed services

MDR, MEDR, SOCaaS: Which Is Right for You?

Even if a security team was given a blank check to spend whatever they wanted and hire however they wanted, it would still be a massive effort to build a detection and response (D&R) program tailored to that organization’s specific needs. Thankfully, the plethora of managed services options available can help with that problem.

But with multiple types of managed services providers out there, how do you know which type of service is right for your organization? How can you effectively interview providers, construct a D&R suite with the right vendor, and simultaneously continue to fortify your security program against threats?

For an organization beginning the search for a managed services partner that can actually add value, there is some starter legwork that can be done. There are many approaches to managed services providers along the D&R vein, such as:

  • Managed Detection and Response (MDR)
  • Managed Endpoint Detection and Response (MEDR)
  • Managed Security Service Provider (MSSP)

That last one, MSSP, is a blanket term for a provider that can assist with many specialized services like outsourced Security Operations Center-as-a-service (SOCaaS), MDR, or management of security tools such as security information and event management (SIEM), firewalls, vulnerability risk management, and more. Knowing all this, it’s simply a fact that you’re going to talk to a lot of vendors while looking for the right managed service. Each one of them can say they’ll help you boost security defenses – they’ll say they have great people, they use the best technology, and they have a process to ensure your success.

The challenge? Every vendor's marketing material will begin to sound the same. What it really comes down to is determining which provider’s strategy is best suited for your program's needs. Let’s take a closer look at these three types of managed services to help you decide the best fit for your organization.

MDR

An MDR provider works with a customer to gain visibility and complete coverage across the customer’s entire environment. This helps a security practitioner better see when and where malicious-looking activity may be taking place.

MDR providers help solve operational challenges by instantly becoming an extension of their customers’ teams – providing headcount and extending coverage to 24x7x365. An MDR partner can also provide expertise and technologies to help find attacker behavior quickly and stop it before it becomes a wider issue.

More and more companies are becoming the focus of targeted attacks – specific aggressions designed to infiltrate an individual organization’s defenses. An MDR provider becomes a partner in helping to identify a targeted threat (read: reputational threat), repair affected systems, and focus efforts into both taking down the threat and providing recommendations for making the affected system more secure in the future.

There are a lot of MDR providers that go beyond “throwing alerts over the fence” to let clients parse and triage themselves. These days more MDR providers are finding it worth their while – and their bottom lines – to become a more strategic partner to security organizations. They help further security initiatives, build cyber resilience, and work with clients to get deeper visibility in their threat landscapes by:

  • Providing post-incident investigational insights
  • Weeding out benign events and only reporting true positive threats
  • Providing tailored remediation and mitigation recommendations

The role of XDR

More recently, managed services providers (including Rapid7) have integrated extended detection and response (XDR) into their overarching MDR solutions. This creates a more powerful and proactive D&R process by:

  • Recognizing there is no perimeter for data as it’s rushing back and forth from endpoints to clouds and beyond
  • Relieving security teams of heavy analytical work so more of the focus is on threat hunting, as parsing alerts is automatically incorporated into threat intelligence
  • Curating high-fidelity detections and actionable telemetry to create efficient responses

These are all great benefits in extending what is possible with D&R and being proactive about extinguishing threats. However, MDR providers incorporating XDR into their approaches can’t simply add the letter “X” into the list of services and call it a day. XDR must help the organization actually gain control and visibility across its entire attack surface, from the nearest endpoint(s) to compromised user accounts, network traffic, cloud sources, and more.

When folded into a cohesive strategy that places emphasis on more proactive efforts, products like InsightIDR can be that solution that takes in telemetry from these disparate sources, correlates the data, and provides greater context to a potential threat.

MEDR

MEDR is a flavor of MDR that’s aligned more as an add-on management service that sits on top of endpoint-protection technology deployment. While MEDR does provide benefits like gaining visibility across wherever agents are set up, the EDR-centric approach won’t show the full story of a threat and its scope; an agent will simply tell the service provider what it gathers from the endpoint.  

Many breaches, however, do begin at the endpoint. Why? Attackers can easily bypass firewalls and all sorts of implemented security controls by compromising just one endpoint, such as a user’s laptop. From there, they can move throughout a network, scooping up valuable internal/external data and quickly ruining a company’s reputation in the process. Even if they’re quickly found, what have they gotten away with?

Thus, focusing on endpoints is important. That’s simply an indisputable fact. EDR-based services are powerful tools within a managed services program. They provide advantages like:

  • Prevention aspects with integrated endpoint prevention platform (EPP) agent capabilities, such as Antivirus (NGAV) and stopping malicious file execution
  • Detecting compromised endpoints earlier in the attack chain
  • File integrity monitoring (FIM) capabilities so your team is alerted on changes to specific files on a given endpoint (if you’re monitoring for yourself)

Focusing only on endpoints, however, does miss key network- and cloud-spanning analysis that can deliver important telemetry in the fight against potential threats. MEDR typically lacks the ability to analyze network-spanning data, user analytics, and compliance behaviors, glean actionable insights, and use them to effectively respond to an incident. So the downside comes with the engagement model. Some MEDR players will rely on the tech to do most of the heavy lifting. Prevention is there to stop the threat early.

But if the attacker gets past this point, the managed services provider might take automated actions to handle alerts using the EDR tool or, worse, pass that alert on to their client for them to manage the investigation and response efforts. (And if you think that automated EDR actions are great, you’re encouraged to read about the risks associated with taking automated response actions without human intervention.)

SOCaaS

SOCaaS. That’s a heavy acronym. But the concept of “security operations center-as-a-service” is trying to fill a heavy need of any modern company: the implementation and management of a strong and sound cybersecurity program. Any MSSP who offers a holistic SOCaaS option should be able to provide the bottom-line benefit of enabling security practitioners to focus time and energy on innovations in other parts of the business.  

A team of experts who can proactively defend, respond to threats, and provide (hopefully) round-the-clock support on behalf of a customer is probably the closest definition to SOCaaS that’s been bandied about in recent years. They can be a virtual SOC for a company, serving as a tactical console to enable team members to perform day-to-day tasks. They’ll also help teams strategize amidst bigger, longer-term security trends. So, in what ways can SOCaaS providers act as that strategic detection-and-response center for security teams?

  • Advanced SIEM functionality – In the midst of potentially billions of security events each day, a SIEM can help to prioritize the ones that truly deserve follow-up. A good SOCaaS provider will contextualize a proper response plan by taking into account user- and attacker-behavior analytics, performance metrics, incident response, and endpoint detection.
  • The human element – In the incredibly competitive marketplace for today’s security talent, it can be a daunting task for company leadership to source, develop, and retain an entire SOC of capable personnel. This is particularly true in efforts to maintain diversity in cybersecurity hiring. For example, Forrester says that women currently make up just 24% of security professionals worldwide.
  • Established processes – It typically takes nothing less than an extremely sophisticated process framework – established over a long period of time and testing – to be able to accurately identify, prioritize, and remediate a potential threat. It can be an incredible benefit to a business to forgo having to build out their own SOC with key personnel that – even when assembled – must take the necessary trial-and-error time to be able to work together efficiently and respond to threats effectively.  
  • D&R expertise – If the goal of engaging SOCaaS is not to augment an existing D&R program, then vetting the provider for their expertise in that area is incredibly important. It really comes down to what you’re looking to achieve; as mentioned above, a modern MDR provider will leverage multiple sources of telemetry to detect and respond to threats. But when fully outsourcing a SOC, it’s incumbent upon security personnel representing the customer to figure out how D&R expertise figures into the larger picture of outsourced SOC operations at the vendor organization.  
  • Communications – Beyond anything at all to do with technology and security, a SOCaaS provider must have great communication skills. How will the provider present information – especially about a potentially dire threat that could affect the company, its reputation, and its bottom line – to their client’s customer and executive team? Is there a dedicated point-of-contact (POC) or a team with whom you’ll be regularly working and interfacing?

If this is looking like a menu from which security teams looking for managed services can choose, that’s because it is. However, in this context we’re discussing SOCaaS as a fully outsourced arm of a business. For whatever reason – the need for speed/growth in other parts of the business, lack of recruitment power for talented security practitioners, etc. – a business may simply wish to staff a security “skeleton crew” who interfaces with the SOCaaS provider and relies on that provider to run, monitor, manage, and support all of the functionalities.  

Bottom line: Choose the managed security services partner that best fits your needs

If your security organization is considering a managed services provider, that means your team is most likely looking to offload tedious and/or technical operational tasks that your existing security team simply doesn’t have the hours in a day to manage. Or you might need some augmentation and expertise to help with round-the-clock coverage. It also means you’re ready to find a partner to provide deep analysis and actionable insights so you can find out:

  • What is going on, and…
  • Is it something the company should worry about?

After that, your specialized provider should be able to make recommendations on how to respond – or, better yet, take those actions on your behalf. Because at the end of the day, it all depends on the outcome(s) you’re looking to achieve. Turnkey D&R services while your team focuses on other important things? Simple endpoint monitoring from a traditional MSSP? Or, are you looking to farm out your SOC operations and let someone else deal with all things security, not just some things security?

For those looking for that more comprehensive solution targeted at strictly strengthening the D&R muscle, leveraging an MDR provider with XDR capabilities is the way to go.

It’s going to take some budget, sure. But most of the time that budget is similar to the cost of one open headcount (depending on the size of the environment). The capital expenditure (CapEx) cost is relative – and oftentimes far more affordable – when compared to the ongoing operating expenses (OpEx) outlay it takes to hire, train, and build an in-house SOC program. Whichever outcome your team is focused on, managed services as a whole is an affordable way to help build a D&R program at scale.

Looking for even more analysis to help you make an informed managed services decision? Check out the 2022 MDR Buyer’s Guide from Rapid7, or contact us for more info.


MDR Plus Threat Intel: 414 New Detections in 251 Days (You’re Welcome)

Last summer, Rapid7 acquired IntSights and its advanced external threat intelligence solution (now Threat Command by Rapid7). Threat Command monitors hundreds of thousands of sources across the clear, deep, and dark web, identifying malicious actors and notifying customers of potential attacks against their organizations.

The reason for the acquisition? With these external intelligence sources built into InsightIDR, its breadth of high-fidelity, low-noise detections would be unmatched.

Detections have been a Rapid7 thing since the start.

In an industry focused on ingesting data – and placing the burden on security teams to write their own detections – we went another way. We went detections first, delivering the most robust set of actionable detections out of the box.

Today, our detections library includes threat intelligence from our open-source communities, advanced attack surface mapping, proprietary machine learning, research projects, real-world follow-the-sun security operations center (SOC) experience, and 2.1+ trillion weekly security events observed across our detection and response (D&R) platform.

Now, Threat Command’s threat intelligence platform (TIP) content is integrated with our leading detection and response products and services. You get earlier threat identification and faster remediation.

MDR and InsightIDR customers have an even larger, expertly curated library

Right now, Rapid7 customers can find a lot more needles in haystacks. And we’ve made sure you can spot them quickly, easily, and reliably.

Our Threat Intelligence and Detection Engineering Team (TIDE) has done its work developing signatures and analytic detections for existing and emerging threats. TIDE analysts continuously provide InsightIDR users and managed detection and response (MDR) SOC analysts with the surrounding context needed to defend against threats with new detection mechanisms for vulnerability exploits and attack campaigns.

The detections are for newcomers as well as familiar names like the notorious Russian hacking group EvilCorp. As always, detections ensure coverage for various indicators of compromise (IOCs) that they and other attackers use in the wild.

Think of us as your research and execution team: As additional IOCs are added to the Rapid7 Threat Command Threat Library, they are automatically tested and applied to your logs to create alerts when identified.

What’s better and better, by the numbers

Now, InsightIDR has your back with:

  • 138 threats powered by Threat Command's Threat Library
  • 414 detection rules powered by dynamic IOC feeds
  • Automatic monitoring for all IOCs associated with each threat actor as they are added to the Threat Library

The mission is always to deliver more actionable alerts (with recommendations) and to reduce noise. So our TIDE Team tests IOCs and disables those we find to be unsuitable for alerting.

And this is just the beginning: All detections improve in fidelity over time as our MDR analysts inform the threat intelligence team of rule suppressions to provide a tailored approach for customers, add granularity, reduce noise, and avoid recurrence. And as Threat Command adds IOCs, they’ll turn into meticulous, out-of-the-box detections – whether you use InsightIDR, rely on our MDR SOC analysts, or collaborate with us to keep your environment secure.

If you’re an MDR customer or just considering it, here are other numbers to know:

  • With a 95% 4-year analyst retention rate, Rapid7 is an employer of choice during the cybersecurity staffing crisis and The Great Resignation
  • Our team of 24/7/365 global SOC analysts are proven threat hunters and DFIR experts
  • Together, the staff has a combined 500+ security certifications

Now, with even more detections, the strongest back-end system capturing threats as they evolve, and unmatched knowledge in the field, you can level up your D&R program with Rapid7 InsightIDR — or a partnership with the best-in-breed MDR analyst teams out there.


Sharpen Your IR Capabilities With Rapid7’s Detection and Response Workshop

You’re tasked with protecting your environment, and you’ve invested significant time and resources into deploying and configuring your tools — but how do you know if the security controls you’ve put into place are effective? The challenge continues to grow as attacker tactics, techniques, and procedures (TTPs) constantly evolve. In today's landscape, a security breach is nearly inevitable.

Amid an ever-changing threat landscape, do you have confidence your tools are able to immediately detect threats when they occur? And more importantly, does your team know how to effectively respond to stop the attack, and do it fast?

While we don’t have a crystal ball to offer, we can help make sure your detection and response plan holds up against a breach.

Say hello to Rapid7’s newest incident response service: the Detection and Response Workshop.

Put your safeguards to the test with a guided attack simulation

The Detection and Response Workshop is a guided exercise led by Rapid7’s digital forensics and incident response (DFIR) experts to confirm that your team can quickly detect threats and evaluate your response procedures against a simulated attack within your environment.

This workshop isn’t a Tabletop Exercise (TTX), an IR Planning engagement, or a Purple Team exercise. We'll pit your organization's defenders against the latest attack campaigns, within the tools they use on a daily basis, to test your ability to respond when an incident happens under live conditions, without your company’s reputation at stake.

Each Workshop simulation is tailored to your specific needs and mapped to the MITRE ATT&CK Framework. Throughout the Workshop, our experts make recommendations to help strengthen your program – from existing configurations of tools, products, and devices to analysis processes and documentation.

The workshop itself is hands-on and doesn’t require current use of a Rapid7 product. Any security team can utilize this new service to understand what TTPs an adversary may use against them and make sure their program detects and responds accordingly.

Your team will leave the multi-day workshop feeling confident that you have an understanding of where and how to strengthen your existing IR process and detection and response program. You’ll receive a detailed report of the workshop, including our written assessment and recommendations to build resilience into your response program.

Rapid7 Incident Response consulting services

Security is the core of our business, and IR plays a huge role in the security landscape. Our team of DFIR experts — the same experts that respond to incidents for all 1,200+ of our MDR customers — have decades of experience under their belt that they utilize to analyze your security fit-up from all angles. Our team includes experts in threat analysis, forensics, and malware analysis, and brings a deep understanding of industry-leading technologies.

Knowing where your program stands is a crucial part of enhancing it, and our IR team has built specialized services to help your team build resiliency at each stage in the process. We now offer a full Incident Response Service Curriculum, allowing teams to engage in a single course for their IR goals or register for the entire curriculum.

From planning to full attack simulations, your team can level up its skills with tailored guidance and coaching through each course:

  • Course 101: Incident Response Program Development
  • Course 201: Tabletop Exercise (TTX)
  • Course 301: Detection & Response Workshop
  • Course 401: Purple Team Exercise

No matter what stage your team is in building your incident response program, our experts are able to help analyze and provide recommendations for improvement.

The Detection & Response Workshop is available now for all security teams. To learn more, talk to a Rapid7 sales representative by filling out this form today.
