Posts tagged Detection and Response

3 min Incident Detection

Introspective Intelligence: Understanding Detection Techniques

To provide insight into the methods devised by Rapid7, we'll need to revisit the detection methods implemented across InfoSec products and services and how we apply data differently. Rapid7 gathers volumes of threat intelligence on a daily basis - from new penetration testing tools, tactics, and procedures in Metasploit, vulnerability detections in Nexpose, and user behavior anomalies in InsightIDR. By continuously generating, refining and applying threat intelligence, we enable more robust dete

4 min SIEM

Displace SIEM "Rules" Built for Machines with Custom Alerts Built For Humans

If you've ever been irritated with endpoint detection being a black box and SIEM [https://www.rapid7.com/solutions/siem.jsp?CS=blog] detection putting the entire onus on you, don't think you had unreasonable expectations; we have all wondered why solutions were only built at such extremes. As software has evolved and our base expectations with it, a lot more people have started to wonder why it requires so many hours of training just to make solutions do what they are designed to do. Defining a

3 min Vulnerability Management

Warning: This blog post contains multiple hoorays! #sorrynotsorry

Hooray for crystalware! I hit a marketer's milestone on Thursday – my first official award ceremony, courtesy of the folks at Computing Security Awards [https://computingsecurityawards.co.uk/], which was held at The Cumberland Hotel in London. Staying out late on a school night when there's a 16 month old teething toddler in the house definitely took its toll the following morning, but the tiredness was definitely softened by the sweet knowledge that we'd left the award ceremony brandishing so

3 min InsightIDR

3 Ways for Generating Reports on WAN Bandwidth Utilization

Three popular ways of getting visibility into WAN bandwidth utilization, one of the most common use cases for network traffic analysis.

5 min InsightIDR

5 Methods For Detecting Ransomware Activity

Until recently, ransomware was primarily a consumer problem. The cybercriminals behind recent ransomware campaigns, however, have shifted their focus to businesses.

5 min Detection and Response

You Need To Understand Lateral Movement To Detect More Attacks

Thanks to well-structured industry reports like the annual Verizon DBIR, Kaspersky's "Carbanak APT" report, and the annual "M-Trends" from FireEye, the realities of modern attacks are reaching a much broader audience. While many successful breaches were not the work of particularly sophisticated attackers, these reports make it very clear that the techniques once known only to espionage groups are now mainstream. Lateral movement technologies have crossed the chasm I have written before ab

5 min Incident Response

What Makes SIEMs So Challenging?

I've been at the technical helm for dozens of demonstrations and evaluations of our incident detection and investigation solution, InsightIDR [https://www.rapid7.com/products/insightidr/], and I've been running into the same conversation time and time again: SIEMs aren't working for incident detection and response. At least, they aren't working without investing a lot of time, effort, and resources to configure, tune, and maintain a SIEM deployment. Most organizations don't have the recommende

1 min Incident Response

SANS Review of Rapid7 UserInsight (now InsightUBA) for User Behavior Analytics and Incident Response

Editor's Note - March 2016: Since this review, UserInsight has now become InsightUBA. Along with the name change comes a completely redesigned user interface, continuous endpoint detection, and another intruder trap to reliably detect attacker behavior outside of logs. We also launched InsightIDR, which combines the full power of InsightUBA with Endpoint Forensics, Machine Data Search, and Compliance Reporting into a single solution. User behavior analytics (UBA) is a new space that is still un

2 min InsightIDR

Calling Your Bluff: Behavior Analytics in Poker and Incident Detection

As a former – or dormant – professional poker player, I'm seeing a lot of parallels between poker and incident detection, especially when it comes to behavior analytics. Detecting a bluff in poker is really not all that different from detecting an intruder on the network. New solutions, like Rapid7's InsightIDR [https://www.rapid7.com/products/insightidr/], incorporate machine learning and user behavior analytics [https://www.rapid7.com/products/insightidr/] to detect stealthy attacks. This is

5 min Incident Detection

What is Incident Detection and Response?

Incident Detection and Response (IDR) [https://www.rapid7.com/fundamentals/incident-response/], also known as attack/threat detection and response, is the process of finding intruders in your infrastructure, retracing their activity, containing the threat, and removing their foothold. By learning how attackers compromise systems and move around your network, you can be better equipped to detect and stop attacks before valuable data is stolen. This blog covers the different components of the atta

5 min SIEM

5 Ways Attackers Can Evade a SIEM

I've been in love with the idea of a SIEM [https://www.rapid7.com/fundamentals/siem/] since I was a system administrator. My first Real Job™ was helping run a Linux-based network for a public university. We were open source nuts, and this network was our playground. Things did not always work as intended. Servers crashed, performance was occasionally iffy on the fileserver and the network, and we were often responding to outages. Of course, we had tools to alert us when outages were going on. I

3 min InsightIDR

Top 5 Alternatives For SPAN or Mirror Ports

Don’t want to use SPAN ports, but still need a source of network packets? In this blog post we break down the top 5 alternatives for you to consider.

6 min Incident Detection

Let's talk about metrics...

Today I read an article on metrics and it was interesting. Here's the link to the original article. [http://www.darkreading.com/10-ways-to-measure-it-security-program-effectiveness/d/d-id/1319494?_mc=sm_dr_editor_kellyjacksonhiggins] I am kind of a metrics geek. When done well, a metrics program can be of extreme value to a security program. However, when done badly, it can cloud your vision and make it difficult to notice that your radar is off by a few degrees. The article addressed severa

2 min InsightIDR

Tracking Web Activity by MAC Address

In this blog post we explore the benefits of tracking web activity by MAC address rather than by IP address.

3 min Authentication

Patch CVE-2014-6324 To Avoid A Complete Domain Rebuild When UserInsight Detects Its Exploit

On Tuesday, November 18th, Microsoft released an out-of-band security patch affecting any Windows domain controllers that are not running in Azure. I have not yet seen any cute graphics or buzzword names for it, so it will likely be known as MS14-068, CVE-2014-6324, or "that Kerberos vulnerability that is being exploited in the wild to completely take over Windows domains" because it rolls off the tongue a little better. There is a very informative description of the vulnerability, impact, and
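The excerpt above does not say how exploitation of CVE-2014-6324 is detected. As an added example (not Rapid7's or UserInsight's code), the block below implements the indicator Microsoft described in its guidance for MS14-068: a Windows Security event 4624 in which the Security ID of the new logon does not match the SID the domain normally issues for the Account Name, because the forged PAC carries a privileged SID under an unprivileged user's name. The two sample 4624 events and the account-to-SID table are constructed for this example; in practice the table would come from an Active Directory export.

```python
"""Flag 4624 logon events whose Security ID does not match the Account Name.

Added example for the MS14-068 / CVE-2014-6324 indicator; the sample events
and the EXPECTED_SIDS table below are constructed, not taken from any product.
"""
import re
from dataclasses import dataclass

# Constructed mapping of DOMAIN\account -> SID the domain normally issues.
# Assumption of this example: in a real deployment this comes from AD.
EXPECTED_SIDS = {
    "CORP\\nonadmin": "S-1-5-21-1004336348-1177238915-682003330-1108",
    "CORP\\Administrator": "S-1-5-21-1004336348-1177238915-682003330-500",
}

# Constructed event bodies in the layout of an exported 4624 event.
SAMPLE_EVENTS = [
    # Benign: nonadmin logs on with nonadmin's own SID.
    "Event ID: 4624\n"
    "An account was successfully logged on.\n"
    "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-1004336348-1177238915-682003330-1108\n"
    "\tAccount Name:\t\tnonadmin\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x2A3F1\n",
    # Suspicious: nonadmin's name, but the SID of the built-in Administrator
    # (RID 500), which is what a forged PAC produces.
    "Event ID: 4624\n"
    "An account was successfully logged on.\n"
    "Subject:\n\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
    "New Logon:\n"
    "\tSecurity ID:\t\tS-1-5-21-1004336348-1177238915-682003330-500\n"
    "\tAccount Name:\t\tnonadmin\n"
    "\tAccount Domain:\t\tCORP\n"
    "\tLogon ID:\t\t0x2B001\n",
]


@dataclass
class LogonEvent:
    event_id: int
    security_id: str
    account_name: str
    account_domain: str


FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", re.M)


def parse_event(text):
    """Extract the event ID and the 'New Logon' identity fields from an event body."""
    m = re.search(r"Event ID:\s*(\d+)", text)
    event_id = int(m.group(1)) if m else 0
    # Only the 'New Logon' section describes the identity that was granted;
    # the 'Subject' section is the caller, often S-1-0-0 for network logons.
    body = text.split("New Logon:", 1)[1] if "New Logon:" in text else text
    fields = {}
    for key, value in FIELD_RE.findall(body):
        fields.setdefault(key, value)  # keep the first occurrence of each field
    return LogonEvent(
        event_id,
        fields.get("Security ID", ""),
        fields.get("Account Name", ""),
        fields.get("Account Domain", ""),
    )


def is_sid_mismatch(event, expected=EXPECTED_SIDS):
    """True when a 4624 event's Security ID differs from the SID expected for the account."""
    if event.event_id != 4624:
        return False
    key = f"{event.account_domain}\\{event.account_name}"
    expected_sid = expected.get(key)
    # Unknown accounts are not flagged here; route them to a separate review queue.
    return expected_sid is not None and event.security_id != expected_sid


def scan(event_texts, expected=EXPECTED_SIDS):
    """Return the parsed events that show the name/SID mismatch indicator."""
    return [e for e in map(parse_event, event_texts) if is_sid_mismatch(e, expected)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"possible forged PAC: {hit.account_domain}\\{hit.account_name} "
              f"logged on with SID {hit.security_id}")
```

The check only fires for accounts present in the expected-SID table, so keep that table current; a stale table produces false negatives rather than noise. Since the exploit works before the patch is applied, this remains a retrospective check: the patch is the fix, and this indicator tells you whether the domain needs the rebuild the post title warns about.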