Product Updates – Page 2 – CyberSecurity Confabulation

What’s New in InsightIDR: Q2 2022 in Review

Posted 3 years ago by Margaret Wei

This Q2 2022 recap post takes a look at some of the latest investments we've made to InsightIDR to drive detection and response forward for your organization.

New interactive HTML reports

InsightIDR's new HTML reports incorporate the interactive features you know and love from our dashboards delivered straight to your inbox. The HTML report file is sent as an email attachment and allows you to scroll through tables, drill in and out of cards, and sort tables in the same way you would explore dashboards.

Increased visibility into malware activity

Traditional intrusion detection systems (IDS) can be noisy. Rapid7's Threat Intelligence and Detection Engineering (TIDE) team has carefully analyzed thousands of IDS events to curate a list of only the most critical and actionable events. We've recently expanded our library to include over 4,500 curated IDS detection rules to help customers detect activity associated with thousands of common pieces of malware.

Catch data exfiltration attempts with Anomalous Data Transfer

Anomalous Data Transfer (ADT) is a new Attacker Behavior Analytics (ABA) detection rule that uses the Insight Network Sensor to identify large transfers of data sent by assets on a network. ADT outputs data exfiltration alerts which make it easier for you to monitor transfer activity and identify unusual behavior to stay ahead of threats. These new detections are available for select InsightIDR packages — see more details here in our documentation.

Build stronger integrations and quickly triage investigations with new InsightIDR APIs

Investigation management APIs

Our new APIs allow you to extract more extensive data from within your investigation and use it to integrate with third-party tools, or build automation workflows to help you save time analyzing and closing investigations. View our documentation to learn more.

Update one or more Investigation fields through a single API call
Retrieve a sortable list of Investigations
Search Investigations
Create a Manual Investigation

User, accounts, and asset APIs

We are excited to release new APIs to allow you to programmatically interface with InsightIDR users, accounts, local accounts, and assets. You can use these APIs to configure new automations that further contextualize alerts generated by InsightIDR or third-party tools and help you to create more actionable views of alert data.

Relative Activity: A new way to analyze detection rules

We've introduced a new score called Relative Activity to ABA detection rules that analyzes how often the Rule Logic matches data in your environment based on certain parameters. The Relative Activity score is calculated over a rolling 24-hour period and can help you:

Identify detection rules that might cause frequent investigations or notable events if switched on
Determine which rules may benefit from tuning, either by changing the Rule Action or adding exceptions

Log Search improvements

Enrich Log Search results with new Quick Actions: Earlier this year InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button. We've recently released new Quick Actions to enable pre-configured actions within InsightIDR's Log Search for InsightIDR Ultimate and InsightIDR legacy customers. Quick Actions are available for select InsightIDR packages, see more details here in our documentation.

Use AWS S3 as a collection method for custom logs: Now customers have the choice to use either Cisco Umbrella or AWS S3 as a collection method when setting up custom logs. Alongside this update, we've also refactored the data source to make it more resilient and effective.

A growing library of actionable detections

In Q2, we added 290 new ABA detection rules to InsightIDR. See them in-product or visit the Detection Library for actionable descriptions and recommendations.

Stay tuned!

As always, we're continuing to work on exciting product enhancements and releases throughout the year. Keep an eye on our blog and release notes as we continue to highlight the latest in detection and response at Rapid7.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

DFIR Without Limits: Moving Beyond the “Sucker’s Choice” of Today’s Breach Response Services

Posted 3 years ago by Warwick Webb

Three-quarters of CEOs and their boards believe a major breach is “inevitable.” And those closest to the action? Like CISOs? They’re nearly unanimous.

Gartner is right there, too. Their 2021 Market Guide for Digital Forensics and Incident Response (DFIR) Services recommends you “operate under the assumption that security breaches will occur, the only variable factors being the timing, the severity, and the response requirements.”

When that breach happens, you’ll most likely need help. For Rapid7 MDR customers, we’re there for you when you need us, period. Our belief is that, if a breach is inevitable, then a logical, transparent, collaborative, and effective approach to response should be, too.

I’m not just talking about the table-stakes “response” to everyday security threats. I’m talking about digital forensics and world-class incident response for any incident – no matter if it’s a minor breach like a phishing email with an attached maldoc or a major targeted breach involving multiple endpoints compromised by an advanced attacker.

Protecting your environment is our shared responsibility. As long as you are willing and able to partner with us during and after the Incident Response process, we are here for you. Rapid7 does the DFIR heavy lift. You cooperate to eradicate the threat and work to improve your security posture as a result.

Unfortunately, that’s not how all of the market sees it.

How vendors typically provide DFIR

Some managed detection and response (MDR) vendors or managed security services providers (MSSPs) do understand that there’s an R in MDR. Typically, they’ll do a cursory investigation, validation and – if you’re lucky – some form of basic or automated response.

For most, that’s where the R stops. If they can’t handle an emergency breach response situation (or if you’re on your own without any DFIR on staff), you’ll wind up hiring a third-party incident response (IR) consulting service. This will be a service you’ve found, or one that’s required by your cyber insurance provider. Perhaps you planned ahead and pre-purchased an hourly IR retainer.

Either way, how you pay for IR determines your customer experience during “response.” It’s a model designed to maximize provider profits, not your outcomes.

At a glance

	IR Consulting Services	IR Included in Managed Services
Scope	Unbounded	Limited to managed services in-scope environments
Time Limit	Capped by number of hours or number of incidents	Capped by number of hours or number of incidents
Expertise	Senior IR Consultants	Capped by number of hours or number of incidents
24x7 IR	No	Yes
Tooling	Often will deploy a separate tooling stack, without easy access to historical data	Existing tooling, utilizing historical data but potentially lacking in forensic capability
Time to Respond	Slower (limited by legal documents, SLAs, lack of familiarity in the customer environment, time for tool deployment)	Faster (24x7, uses existing tools, multiple analysts)
Pricing Model	Proactively purchased as a retainer or reactively on an hourly basis	Included in purchase, up to an arbitrarily defined limit

There’s a good reason DFIR experts are reserved for expensive consulting services engagements. They’re a rare breed.

Most MDR teams can’t afford to staff the same DFIR experts that answer the Breach Response hotline. Security vendors price, package, and deliver these services in a way to reserve their more experienced (and expensive) experts for IR consulting.

Either you purchase Managed Services and expensive IR consulting hours (and play intermediary between these two separate teams), or you settle for "Incident Response lite" from your Managed Services SOC team.

If this seems like a “lesser of two evils” approach with two unappealing options, it is.

The future of incident response has arrived

Over a year ago, Rapid7 merged our Incident Response Consulting Team with our MDR SOC to ensure all MDR customers receive the same high-caliber DFIR expertise as a core capability of our service – no Breach Response hotlines or retainer hours needed.

This single, integrated team of Detection and Response experts started working together to execute on our response mission: early detection and rapid, highly effective investigation, containment, and eradication of threats.

Our SOC analysts are experts on alert triage, tuning, and threat hunting. They have the most up-to-date knowledge of attackers’ current tactics, techniques, and procedures and are extremely well-versed in attacker behavior, isolating malicious activity and stopping it in its tracks. When a minor incident is detected, our SOC analysts begin incident investigation – root cause analysis, malware reverse engineering, malicous code deobfuscation, and more – and response immediately. If the scope becomes large and complex, we (literally) swivel our chair to tap our IR reinforcements on the shoulder.

Senior IR consultants are seasoned DFIR practitioners. They’re also the experts leading the response to major breaches, directing investigation, containment, and eradication activities while clearly communicating with stakeholders on the status, scope, and impact of the incident.

Both teams benefit. The managed services SOC team has access to a world class Incident Response team. And the expert incident response consultants have a global team of (also world class) security analysts trained to assist with forensic investigation and response around the clock (including monitoring the compromised environment for new attacker activity).

Most importantly, our MDR customers benefit. This reimagining of how we work together delivers seamless, effective incident response for all. When every second counts, an organization cannot afford the limited response of most MDR providers, or the delay and confusion that comes with engaging a separate IR vendor.

Grab a coffee, it’s major breach story time

Here’s a real-life example of how our integrated approach works.

In early January, a new MDR client was finishing the onboarding process by installing the Insight Agent on their devices. Almost immediately upon agent installation, the MDR team noticed critical alerts flowing into InsightIDR (our unified SIEM and XDR solution).

Our SOC analysts dug in and realized this wasn’t a typical attack. The detections indicated a potential major incident, consistent with attacker behavior for ransomware. SOC analysts immediately used Active Response to quarantine the affected assets and initiated our incident response process.

The investigation transitioned to the IR team within minutes, and a senior IR consultant (from the same team responsible for leading breach response for Rapid7’s off-the-street or retainer customers) took ownership of the incident response engagement.

After assessing the early information provided by the SOC, the IR consultant identified the highest-priority investigation and response actions, taking on some of these tasks directly and assigning other tasks to additional IR consultants and SOC analysts. The objective: teamwork and speed.

The SOC worked around the clock together with the IR team to search these systems and identify traces of malicious activity. The team used already-deployed tools, such as InsightIDR and Velociraptor (Rapid7’s open-source DFIR tool).

This major incident was remediated and closed within three days of the initial alert, stopping the installation of ransomware within the customer’s environment and cutting out days and even weeks of back-and-forth between the customer, the MDR SOC team, and a third-party Breach Response team.

Now, no limits and a customer experience you’ll love

The results speak for themselves. Not only does the embedded IR model enable each team to reach beyond its traditional boundaries, it brings faster and smoother outcomes to our customers.

And now we’re taking this a step further.

Previously, our MDR services included up to two “uncapped” (no limit on IR team time and resources) Remote Incident Response engagements per year. While this was more than enough for most customers (and highly unusual for an MDR provider), we realized that imposing any arbitrary limits on DFIR put unnecessary constraints on delivering on our core mission.

For this reason, we have removed the Remote Incident Response limits from our MDR service across all tiers. Rapid7 will now respond to ALL incidents within our MDR customers' in-scope environments, regardless of incident scope and complexity, and bring all the necessary resources to bear to effectively investigate, contain and eradicate these threats.

Making these DFIR engagements – often reserved for breach response retainer customers – part of the core MDR service (not just providing basic response or including hours for a retainer) just raised the “best practices” bar for the industry.

It’s not quite unlimited, but it’s close. The way we see it, we’ll assist with the hard parts of DFIR, while you partner with us to eradicate the threat and implement corrective actions. That partnership is key: Implementing required remediation, mitigation, and corrective actions will help to reduce the likelihood of incident recurrence and improve your overall security posture.

After all, that's what MDR is all about.

P.S.: If you’re a security analyst or incident responder, we’re hiring!

In addition to providing world-class breach response services to our MDR customers, this new approach makes Rapid7 a great place to work and develop new skills.

Our SOC analysts develop their breach response expertise by working shoulder-to-shoulder with our Incident Response team. And our IR team focuses on doing what they love – not filling out time cards and stressing over their “utilization” as consultants, but leading the response to complex, high-impact breaches and being there for our customers when they need us the most. Plus, with the support and backing of a global SOC, our IR team can actually sleep at night!

Despite the worldwide cybersecurity skills crisis and The Great Resignation sweeping the industry, Rapid7’s MDR team grew by 30% last year with only 5% voluntary analyst turnover – in line with our last three years.

Part of this exceptionally low turnover is due to:

Investment in continuing education, diversity, and employee retention benefits
A robust training program, clear career progression, the opportunity to level up skills by teaming with IR mentors, and flexibility for extra-curricular “passion project” work (to automate processes and improve aspects of MDR services)
Competitive pay, and a focus on making sure analysts are doing work they enjoy day in and day out with a healthy work-life balance (there’s no such thing as a “night shift” since we use a follow-the-sun SOC model)

If you’re a Security Analyst or Incident Responder looking for a new challenge, come join our herd. I think Jeremiah Dewey, VP of Rapid7’s Managed Services, said it best:

“Work doesn't have to be a soul-sucking, boring march to each Friday. You can follow your passion, have fun in what you're doing, and be successful in growing your career and growing as a human being.”

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Velociraptor Version 0.6.4: Dead Disk Forensics and Better Path Handling Let You Dig Deeper

Posted 3 years ago by Carlos Canto

Rapid7 is pleased to announce the release of Velociraptor version 0.6.4 – an advanced, open-source digital forensics and incident response (DFIR) tool that enhances visibility into your organization’s endpoints. This release has been in development and testing for several months now and has a lot of new features and improvements.

The main focus of this release is in improving path handling in VQL to allow for more efficient path manipulation. This leads to the ability to analyze dead disk images, which depends on accurate path handling.

Path handling

A path is a simple concept – it’s a string similar to /bin/ls that can be used to pass to an OS API and have it operate on the file in the filesystem (e.g. read/write it).

However, it turns out that paths are much more complex than they first seem. For one thing, paths have an OS-dependent separator (usually / or \). Some filesystems support path separators inside a filename too! To read about the details, check out Paths and Filesystem Accessors, but one of the most interesting things with the new handling is that stacking filesystem accessors is now possible. For example, it’s possible to open a docx file inside a zip file inside an ntfs drive inside a partition.

Dead disk analysis

Velociraptor offers top-notch forensic analysis capability, but it’s been primarily used as a live response agent. Many users have asked if Velociraptor can be used on dead disk images. Although dead disk images are rarely used in practice, sometimes we do encounter these in the field (e.g. in cloud investigations).

Previously, Velociraptor couldn’t be used easily on dead disk images without having to carefully tailor and modify each artifact. In the 0.6.4 release, we now have the ability to emulate a live client from dead disk images. We can use this feature to run the exact same VQL artifacts that we normally do on live systems, but against a dead disk image. If you’d like to read more about this new feature, check out Dead Disk Forensics.

Resource control

When collecting artifacts from endpoints, we need to be mindful of the overall load that collection will cost on endpoints. For performance-sensitive servers, our collection can cause operational disruption. For example, running a yara scan over the entire disk would utilize a lot of IO operations and may use a lot of CPU resources. Velociraptor will then compete for these resources with the legitimate server functionality and may cause degraded performance.

Previously, Velociraptor had a setting called Ops Per Second, which could be used to run the collection “low and slow” by limiting the rate at which notional “ops” were utilized. In reality, this setting was only ever used for Yara scans because it was hard to calculate an appropriate setting: Notional ops didn’t correspond to anything measurable like CPU utilization.

In 0.6.4, we’ve implemented a feedback-based throttler that can control VQL queries to a target average CPU utilization. Since CPU utilization is easy to measure, it’s a more meaningful control. The throttler actively measures the Velociraptor process’s CPU utilization, and when the simple moving average (SMA) rises above the limit, the query is paused until the SMA drops below the limit.

The above screenshot shows the latest resource controls dialog. You can now set a target CPU utilization between 0 and 100%. The image below shows how that looks in the Windows task manager.

By reducing the allowed CPU utilization, Velociraptor will be slowed down, so collections will take longer. You may need to increase the collection timeout to correspond with the extra time it takes.

Note that the CPU limit refers to a percentage of the total CPU resources available on the endpoint. So for example, if the endpoint is a 2 core cloud instance a 50% utilization refers to 1 full core. But on a 32 core server, a 50% utilization is allowed to use 16 cores!

IOPS limits

On some cloud resources, IO operations per second (IOPS) are more important than CPU loading since cloud platforms tend to rate limit IOPS. So if Velociraptor uses many IOPS (e.g. in Yara scanning), it may affect the legitimate workload.

Velociraptor now offers limits on IOPS which may be useful for some scenarios. See for example here and here for a discussion of these limits.

The offline collector resource controls

Many people use the Velociraptor offline collector to collect artifacts from endpoints that they’re unable to install a proper client/server architecture on. In previous versions, there was no resource control or time limit imposed on the offline collector, because it was assumed that it would be used interactively by a user.

However, experience shows that many users use automated tools to push the offline collector to the endpoint (e.g. an EDR or another endpoint agent), and therefore it would be useful to provide resource controls and timeouts to control Velociraptor acquisitions. The below screenshot shows the new resource control page in the offline collector wizard.

GUI changes

Version 0.6.4 brings a lot of useful GUI improvements.

Notebook suggestions

Notebooks are an excellent tool for post processing and analyzing the collected results from various artifacts. Most of the time, similar post processing queries are used for the same artifacts, so it makes sense to allow notebook templates to be defined in the artifact definition. In this release, you can define an optional suggestion in the artifact yaml to allow a user to include certain cells when needed.

The following screenshot shows the default suggestion for all hunt notebooks: Hunt Progress. This cell queries all clients in a hunt and shows the ones with errors, running and completed.

Multiple OAuth2 authenticators

Velociraptor has always had SSO support to allow strong two-factor authentication for access to the GUI. Previously, however, Velociraptor only supported one OAuth2 provider at a time. Users had to choose between Google, Github, Azure, or OIDC (e.g. Okta) for the authentication provider.

This limitation is problematic for some organizations that need to share access to the Velociraptor console with third parties (e.g. consultants need to provide read-only access to customers).

In 0.6.4, Velociraptor can be configured to support multiple SSO providers at the same time. So an organization can provide access through Okta for their own team members at the same time as Azure or Google for their customers.

The Velociraptor knowledge base

Velociraptor is a very powerful tool. Its flexibility means that it can do things that you might have never realized it can! For a while now, we’ve been thinking about ways to make this knowledge more discoverable and easily available.

Many people ask questions on the Discord channel and learn new capabilities in Velociraptor. We want to try a similar format to help people discover what Velociraptor can do.

The Velociraptor Knowledge Base is a new area on the documentation site that allows anyone to submit small (1-2 paragraphs) tips about how to do a particular task. Knowledge base tips are phrased as questions to help people search for them. Provided tips and solutions are short, but they may refer users to more detailed information.

If you learned something about Velociraptor that you didn’t know before and would like to share your experience to make the next user’s journey a little bit easier, please feel free to contribute a small note to the knowledge base.

Importing previous artifacts

Updating the VQL path handling in 0.6.4 introduces a new column called OSPath (replacing the old FullPath column), which wasn’t present in previous versions. While we attempt to ensure that older artifacts should continue to work on 0.6.4 clients, it’s possible that the new VQL artifacts built into 0.6.4 won’t work correctly on older versions.

To make migration easier, 0.6.4 comes built in with the Server.Import.PreviousReleases artifact. This server artifact will load all the artifacts from a previous release into the server, allowing you to use those older versions with older clients.

Try it out!

If you’re interested in the new features, take Velociraptor for a spin by downloading it from our release page. It’s available for free on GitHub under an open source license.

As always, please file bugs on the GitHub issue tracker or submit questions to our mailing list by emailing velociraptor-discuss@googlegroups.com. You can also chat with us directly on our discord server.

Learn more about Velociraptor by visiting any of our web and social media channels below:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightVM and Nexpose: Q1 2022 in Review

Posted 3 years ago by Roshnee Mistry Shah

The world of cybersecurity never has a dull moment. While we are still recovering from the aftermath of Log4Shell, the recent ContiLeaks exposed multiple vulnerabilities that have been exploited by the Conti ransomware group. It’s critical for your team to identify the risk posed by such vulnerabilities and implement necessary remediation measures. As you will see, the product updates our vulnerability management (VM) team has made to InsightVM and Nexpose in the last quarter will empower you to stay in charge — not the vulnerabilities.

But that’s not all we’ve improved on. We’ve increased the scope of vulnerabilities tracked by incorporating CISA’s known exploited vulnerabilities (KEV) in the Threat Feed, usability enhancements, targeted reporting and scanning, and Log4Shell mitigation checks. And we’ve released our annual Vulnerability Intelligence Report to help you make sense of the vulns that impacted us last year and understand the trends that we will all be facing this year. Our team also offers practical guidance to help the security teams better protect themselves.

Let’s dive into the key feature releases and updates on the vulnerability management front for Q1 2022.

CISA’s KEV list: Detect, prioritize, and meet regulatory compliance

[InsightVM] ContiLeaks Helpful Query to easily detect ContiLeaks vulns and ensure compliance

CISA’s KEV catalog is part of the agency’s binding operative directive that has reporting requirements for federal agencies and civilian contractors. The recent ContiLeaks revealed over 30 vulns that are now a part of CISA’s KEV. While users could always build a query in IVM to identify these vulns, doing so is time-consuming and can be prone to error. The ContiLeaks Helpful Query takes out the manual effort and lets customers easily locate 30+ ContiLeaks vulnerabilities in their environments. When the query is loaded into our Specific Vulnerability Dashboard template, it can give an at-a-glance view of the company’s risk posture as it relates to the Conti threat. In addition to helping customers identify the exploited vulnerabilities in their environment, the update will also help them stay within the bounds of CISA’s operative directive.

[InsightVM] Threat feed dashboard now includes CISA’s KEV catalog

While we are on the topic of CISA, you will be excited to learn that we have expanded the scope of vulnerabilities tracked to incorporate CISA’s KEV catalog in the InsightVM Threat Feed Dashboard, including the Assets With Actively Targeted Vulnerabilities card and the Most Common Actively Targeted Vulnerabilities card. The CISA inclusion makes it easy to see how exposed your organization is to active threats and inform prioritization decisions around remediation efforts.

We have also added a new “CISA KEV (known exploited vulnerability)” vulnerability category to allow for more targeted scanning (i.e. scanning the environment for CISA KEV entries only). You can also use the CISA KEV category to filter scan reports.

Improvements to credentials

[Insight VM and Nexpose] A new credential type to support scanning Oracle Databases by Service Name

InsightVM and Nexpose customers have always been able to scan Oracle databases using SIDs (system identifiers) but were previously unable to provide a Service Name in the credential. This meant a gap in visibility for Oracle databases that could only be accessed via their Service Name. We were not happy with this limitation. Now, you now configure Oracle Database scans to specify a Service Name instead of an SID (you can still use the SID, if you want!) when authenticating. You now have the visibility into a wider range of deployment configurations of Oracle Database and the ability to configure scan using Service Name or SID.

[Insight VM and Nexpose] Automatic Scan Assistant credentials generation

Last year, we introduced Scan Assistant, which alleviates the credential management (for Scan Engine) burden on vulnerability management teams. For the Scan Assistant to communicate with the Scan Engine, it requires digital certificates to be manually created and deployed on both the target assets and the Nexpose / IVM Security Console. Manually creating the public / private key pair is a complex and error-prone process.

With this update, we are taking some more burden off the vulnerability management teams. You can now use the Shared Credentials management UI to automatically generate Scan Assistant credentials. This not only reduces the technical expertise and time required to manage Scan Assistant credentials but also makes for a user-friendly experience for you.

Learn more in our recent blog post on passwordless scanning.

[Insight VM and Nexpose] Log4Shell mitigation checks

The product improvements list would be incomplete without an update on Log4Shell.

If you are vulnerable to Log4Shell, you can edit the JAR files on a system to take out the vulnerable code and thus not get exploited. However, it is difficult to keep a check on this manually. This update adds that extra capability to not only look at the version of Log4j that was present in your environment but also check if it has been mitigated — i.e., if the vulnerable code is removed.

Authenticated scans and Agent-based assessments can now determine whether the JNDILookup class removal mitigation for Log4Shell has been applied to Log4j JAR files on Windows systems. This will reduce the number of reports of the vulnerability on systems that are not exploitable. We also added an Obsolete Software vulnerability check for Log4j 1.x, which will let you find obsolete versions of Log4j in your environment.

Stay in charge

As always, we hope these updates will make it easier for you to stay ahead of vulnerabilities.

It almost felt like the quarter might end on a calm note, but then the world of cybersecurity never has a dull moment. The end of the quarter saw Spring4Shell, another zero-day vulnerability in the Spring Core module of Spring Framework. Learn more about Rapid7 response to this vulnerability and how we are working around the clock to help our customers protect their own environments from Spring4Shell.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Let’s Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1

Posted 3 years ago by Nate Crampton

To the left, to the left, to the right, right — the CI/CD Pipeline is on the move.

Let's Dance: InsightAppSec and tCell Bring New DevSecOps Improvements in Q1

DevSecOps is all about adding security across the application lifecycle. A popular approach to application security is to shift left, which means moving security earlier in the software development lifecycle (SDLC). This makes sense: If you find a critical security bug in production, it costs a lot more to resolve it than if you found it in development.

In Q1 2022, we've continued to invest in improvements to InsightAppSec and tCell that help organizations shift left and automate security testing prior to production deployment. And at the same time, we've made other enhancements to make your life easier. Oh… and we added new attacks and blocking rules for Spring4Shell.

Shifting app security testing left in the CI/CD pipeline

Your development teams are innovating and releasing features and new experiences faster than ever before. Manual testing can no longer keep up with the speed of innovation. Taking a DevSecOps approach means baking security across the application lifecycle and includes shifting left whenever possible.

Dynamic application security testing (DAST) solutions simulate attacks just like the attackers, and they're known for their accuracy and coverage across a wide range of technologies. However, traditional DAST solutions have struggled to work with modern applications and software development methodologies.

Since the launch of InsightAppSec — Rapid7's industry leading cloud-native DAST — we've focused on providing coverage of modern applications, as well as being able to integrate as far left as the build process.

“Our app developers don't need to come to me, they don't need to come to our team, they don't need to send emails. They don't need to go through any formalities. When they commit code, the scan happens automatically. And, we created the metrics. So, if they see high-rated vulnerabilities they cannot push to production. The code will get blocked and they have to remediate it."

- Midhun Kumar, Head of Infrastructure and Cloud Operations, Pearl Data Direct

Building on the success of our Jenkins Plugin, Atlassian Bamboo Plugin, and Azure DevOps CI/CD integrations, we recently added native GitHub Actions and GitLab CI/CD integrations into InsightAppSec.

GitHub

GitHub Actions allows development teams to automate software workflows. With our new InsightAppSec Scan Action for GitHub, you can easily pull down the repo and add it to your DevOps pipelines. As part of your actions, you can trigger the InsightAppSec scan and have the results passed back into GitHub actions. If you want, you can add scan gating to prevent vulnerable code from being deployed to production.

This is available for no additional cost in the GitHub Marketplace.

GitLab

GitLab CI/CD can automatically build, test, deploy, and monitor your applications. With our new InsightAppSec Scan Job, you can add a Docker command in your pipeline to trigger a scan. The results are sent back, and you can add scan gating to prevent vulnerable code from being deployed to production.

The feature is available for no additional cost, and we have resources to help you learn how to setup the GitLab integration.

Spring4Shell testing and protection

CVE-2022-22965, a zero-day vulnerability announced on April 1st, is no April Fools' Day joke. While it's not as dreadful as Log4Shell, it should still be patched, and there are reports of the Spring4Shell flaw being used to install the Mirai Botnet malware.

To help our customers secure their applications and understand their risk from Spring4Shell, Rapid7 released new capabilities, including:

New RCE Attack Module for Spring4Shell (InsightAppSec)
New Block Rule for Spring4Shell (tCell)
New Detection of CVE-2022-22965 in running applications (tCell)

Other enhancements

InsightAppSec comes with the ability to create custom dashboards to quickly view and get insights on the risk and status of your program. Relying on feedback from customers, we recently added the ability to create dashboards based on certain apps or groups of apps. This allows you to quickly view risk in context of what matters.

Customers often like to manage their applications at scale, and one of the easiest ways to do that is via the tCell API. Significant feature enhancements include App Firewall event and block rules, OS commands, Local Files, suspicious actors, and more have all been added or updated. Check out our API documentation.

Rapid7's application security portfolio can help you shift left as well as shift right, depending on your needs and the status of your program. You can integrate InsightAppSec DAST into your CI/CD pipelines before deployment to production. And with tCell, you can add web application and API protection for your production environments.

Stay tuned for all we have in store in Q2!

Additional reading

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

What’s New in InsightIDR: Q1 2022 in Review

Posted 3 years ago by Margaret Wei

Introducing new InsightIDR capabilities to accelerate your detection and response program

What's New in InsightIDR: Q1 2022 in Review

When we talk to customers and security professionals about what they need more of in their security operations center (SOC), there is one consistent theme: time. InsightIDR — Rapid7's leading cloud SIEM and XDR — helps teams cut through the noise and accelerate their detection and response, without sacrificing comprehensive coverage across modern environments and advanced attacks. This Q1 2022 recap post digs into some of the latest investments we've made to drive tangible time savings for customers, while still leveling up your detection and response program with InsightIDR.

New InsightIDR Detections powered by Threat Command by Rapid7's TIP Threat Library

Following Rapid7's 2021 acquisition of IntSights and their leading external threat intelligence solution, Threat Command, we are excited to provide InsightIDR customers with new built-in threat intelligence via Threat Command's threat intelligence platform (TIP).

We have integrated Threat Command's TIP ThreatLibrary into InsightIDR, bringing its threat intelligence content into our detection library to ensure Rapid7 InsightIDR and Managed Detection and Response (MDR) customers have the most up-to-date and comprehensive detection coverage, more visibility into new IOCs, and continued strength around signal-to-noise.

Using the combined threat intelligence research teams across Rapid7 Threat Command and our services organization, this content will be maintained and updated across the platform – ensuring our customers get real-time protection from evolving threats.

InsightIDR delivers superior signal-to-noise in latest MITRE Engenuity ATT&CK evaluation

We're excited to share that InsightIDR has successfully completed the 2022 MITRE Engenuity ATT&CK Evaluation, which focused on how adversaries abuse data encryption for exploitation and/or ransomware. This evaluation tested InsightIDR's EDR capabilities (powered by our native endpoint agent, the Insight Agent) and our ability to detect these advanced attacks. A few key takeaways and result highlights:

InsightIDR demonstrated solid visibility across the cyber kill chain – with visibility across 18 of the 19 phases covered across both simulations.
Consistently identified threats early, with alerts firing in the first phase – Initial Compromise – for both the Wizard Spider and Sandworm attacks.
Showcased our commitment to signal-to-noise – with targeted and focused detections across each phase of the attack (versus firing loads of alerts for every minute substep).

As our customers know, EDR is just one component of the detection coverage unlocked with InsightIDR. While beyond the scope of this evaluation, beyond endpoint coverage, InsightIDR delivers defense in depth across users and log activity, network, and cloud. Learn more about InsightIDR's MITRE evaluation results in our recent blog post.

Investigate in seconds with Quick Actions powered by InsightConnect

InsightIDR and InsightConnect teamed up to create Quick Actions, a new feature that provides instant automation within InsightIDR to reduce time to respond to investigations, all with the click of a button.

Quick Actions are pre-configured automation actions that customers can run within their InsightIDR instance to get the answers they need fast and make the investigative process more efficient, and there's no configuration required. Some Quick Actions use cases include:

Threat hunting within log search. Use the "Look Up File Hash with Threat Crowd" quick action to learn more about a hash within an endpoint log. If the output of the quick action finds the file hash is malicious, you can choose to investigate further.
More context around alerts in Investigations. Use the "Look Up Domain with WHOIS" quick action to receive more context around an IP associated with an alert in an investigation.

More customizability with AWS GuardDuty detection rules

We now have over 100 new AWS GuardDuty Attacker Behavior Analytics (ABA) detection rules to provide significantly more customization and tuning ability for customers compared to our previous singular third-party AWS GuardDuty UBA detection rule. With these new ABA alerts, it's possible to set rule actions, tune rule priorities, or add an exception on each individual GuardDuty detection rule.

New pre-built CIS control dashboards and overall dashboard improvements

We're continually expanding our pre-built dashboard library to allow users to easily visualize their data within the context of common frameworks.

The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. We know CIS is one of the most common security frameworks our customers consider, so we've recently added 3 new CIS control dashboards that cover CIS Control 5: Account Management, CIS Control 9: Email and Web Browser Protections, and CIS Control 10: Malware Defenses.

We also continue to make changes and additions to our overall Dashboard capabilities. Within the card builder, we've added the ability to:

Change chart colors
Add a chart caption
Swap between linear and logarithmic scale for charts
Add data labels on top of dashboard charts

Continuous improvements to Investigation Management

Another area we are continuously making improvements in is Investigation Management. A huge part of this ongoing development is customer feedback, and over the last quarter, we've made some additions to the experience based on just that. We've added:

New filters for alert type, MITRE ATT&CK tactic, and investigation type to provide more options when it comes to tailoring the list view of investigations
The new "notes count" feature, which allows customers to save time and track the status of an ongoing collaboration within an investigation
Improvements to the bulk-close feature within Investigation Management, and new progress banners so you can easily track the status of each bulk-close request

Other updates

New CATO Networks event source can now be configured to send InsightIDR WAN firewall and internet firewall data.
Log Search Syntax Highlighting applies different colors and formatting to the distinct components of a LEQL query (such as the search logic and values) to improve overall readability and provide an easy way to identify potential errors within queries.
New curated IDS Rules powered by the Insight Network Sensor help you detect activity associated with thousands of common pieces of malware.
Insight Network Sensor management page updates make it easier to deploy and maintain your fleet of Network Sensors. We've rebuilt the sensor management page to better surface critical configuration statuses, diagnostic information, and links to support documentation.

Stay tuned!

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.