Last updated at Wed, 05 Apr 2023 19:23:29 GMT
Using the right managed detection and response (MDR) solution can help defend against threats and is a valuable tool in your IT security stack. Tony Hamil, a customer of Rapid7’s MDR services, understands the benefit of combining MDR with a security orchestration, automation, and response (SOAR) tool to improve how his team leverages automation and customized alerts.
Recently, Tony talked with us about how InsightConnect, Rapid7’s SOAR solution, enhances and goes beyond the capabilities of the MDR SOC. Here are some highlights of the interview:
How Rapid7 Managed Detection and Response works with SOAR
We use the MDR SOC with InsightConnect to develop several triggers and responses so that if certain attributes happen, the SOC and I know to take action. They don’t have to send a report, and they don’t have to say, “Hey, you should do this.” I just click on the response, and it isolates a system or disables a user. It’s already integrated with InsightConnect, so I know what’s going to work. We get all of that based off of the logic that’s built into the alerts.
Customized alerts
Since we do have the SOC, it’s going to cover all the outstanding stuff that Rapid7 already does. But there are still quite a few things that I need to have done that are particular to my environment, which is where the custom events come in.
We have a tool with Varonis, and we have all these other different tools in our stack. We're pulling it all in, and it’s good data for the SOC. But for myself, I need to be able to pull that into my SOAR solution. On my whiteboard, I actually had this huge complex system of stuff I was going to have to do within SOAR to make this work. But once I found out about Alert Triggers, it significantly reduced my work load and really simplified things for me.
Time savings and efficiency
We have Proofpoint TAP threat protection. I’m pushing those logs to the SOC, but not much is happening with it. But if I can take a specific item based off of its score, reputation, and whatever else we defined, it triggers an investigation and alert that pushes to InsightConnect, and then we enrich it with all the data that we can pull from every source that we can find. Then I can assign that to my exchange manager to look at.
Best of all, he doesn’t have to look up what's going on in the headers, where the IP comes from, whether it’s blacklisted, if it tried to do a URL redirect, or if it had malicious attachments. Instead, it’s already there for him. You just saved him a couple of hours of trying to look this up manually.
The value of customization
Customization definitely makes it a lot more compelling, because one of the biggest issues that most security teams face is alert fatigue. Everybody gets alerts for this and that, left and right.
The ability to actually do all that logic on the backend in InsightIDR and have it push only the relevant alerts to those business units or the IT managers or the engineers that need them really does help the business case. Especially if you had looked at MDR, one of the things people are going to say is, "Okay, I've got a SOC watching me, and you're going to tell me when something's bad, but what if this is spreading fast? I need to be locked down ASAP." You could say, "Well, with our SOAR product, we can implement things based off of what your current needs are, and if a certain set of criteria is met, we will kick that off and we will stop it immediately."
The Rapid7 advantage
One of the biggest problems I had with our previous SIEM several years ago was not only did it not give us very good information, it did nothing for us. Rapid7 is head and heels above most SIEMs I've seen when it comes to delivering that information, and a lot of people enjoy that. But I think a lot of people want to take it to the next step, which is all about automation. It's all about getting that stuff knocked out and locked down as fast as possible with as few obviously false positives as possible.
See for yourself
If your IT organization is looking to benefit from the same level of automation as Tony and his team, InsightConnect could be a great fit. InsightConnect helps accelerate and streamline time-intensive processes by connecting your tools together, so that each tool is used to its maximum potential. Supercharge your operations with automation that creates efficiency without sacrificing control.