With UserInsight, Rapid7 promises to help organizations flag common but recurring problems such as compromised credentials and risky behavior. In the 2013 Verizon Data Breach Investigations Report, weak or stolen user credentials were used in 76 percent of the network intrusions reported in 2012. In many of those cases, the victim organization had some visibility into its users' behavior, but not enough to notice when someone was accessing resources outside of their normal pattern.
Delivered via a SaaS model, Rapid7's UserInsight tracks many levels of user-based risk, including shared or reused passwords, opening malicious attachments, following suspicious or malicious links, using unknown or insecure cloud services, or even random events such as a lost mobile device suddenly attempting to access the corporate network. All of this information comes from data collection and sorting, as well as a few external threat feeds, Weiner told us.
"We are collecting data from various points on the network; things like firewall logs, VPN logs, DHCP logs, DNS logs, but we're also natively integrating with cloud services like Salesforce and Box, so that even if they're off the network we can tell you what's going on with those users," Weiner said.
"There's a lot of manual processing of this data," Weiner added, explaining how the various data streams are sorted.
"We do the analytics to determine whether there's been some activity that should be researched, or credentials that have been compromised, and we provide that in an easy-to-use fashion. We also do some other things because of this, so we can tell you all the cloud services that are running on your network; we can tell you who is using those cloud services; and whether or not they've been provisioned by the company or not."
Offering an example of UserInsight in action, Weiner mentioned a story that came from a beta customer shortly after they started using the product. According to the customer, UserInsight was able to flag an employee who had previously registered their corporate email account on a forum that had been compromised. This flag enabled the security team to follow up with the user quickly and ensure they had taken the proper steps to protect their forum account as well as their corporate accounts. The example also highlights another aim of UserInsight: quicker incident response and remediation.
More often than not, organizations are using manual collection and sorting, or a SIEM, to get the job done and gain some sort of visibility. But even then, the level of information is often limited. With UserInsight, IP addresses and their associated usernames, as well as the named points of ingress and egress, are all included in the reports.
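The core of what Weiner describes is attribution: joining DHCP leases and VPN assignments to egress events so that an IP address in a firewall or proxy log becomes a username, and then comparing that user's activity against what the company has sanctioned. The script below is an added illustration of that join and is not Rapid7's or UserInsight's code. All log lines, the hostname-to-owner inventory (`ASSET_OWNER`) and the sanctioned-service list (`SANCTIONED`) are constructed sample data; the log formats are simplified stand-ins for real DHCP, VPN and proxy output.

```python
"""Attribute egress events to users via DHCP and VPN logs, then flag
unsanctioned cloud services. Constructed sample data; not UserInsight code."""
import re
from collections import defaultdict
from datetime import datetime

# --- Constructed sample inputs (simplified log formats) -------------------
# DHCP acknowledgements: timestamp, IP, MAC, hostname.
DHCP_LOG = """\
2013-07-30T08:01:10 DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 (alice-laptop)
2013-07-30T11:30:00 DHCPACK on 10.0.5.23 to 66:77:88:99:aa:bb (bob-laptop)
"""
# VPN authentications: timestamp, username, assigned tunnel IP.
VPN_LOG = """\
2013-07-30T07:55:02 vpn: user=carol assigned 172.16.9.4
2013-07-30T12:10:45 vpn: user=alice assigned 172.16.9.4
"""
# Assumed asset inventory: DHCP hostname -> primary user.
ASSET_OWNER = {"alice-laptop": "alice", "bob-laptop": "bob"}
# Egress events from a proxy/firewall: timestamp, source IP, destination host.
EGRESS_LOG = """\
2013-07-30T07:00:00 src=10.0.5.23 dst=app.box.com
2013-07-30T08:20:00 src=10.0.5.23 dst=login.salesforce.com
2013-07-30T09:05:00 src=172.16.9.4 dst=app.box.com
2013-07-30T11:45:00 src=10.0.5.23 dst=app.box.com
2013-07-30T12:30:00 src=172.16.9.4 dst=pastebin.example
"""
# Assumed list of cloud services provisioned by the company.
SANCTIONED = {"login.salesforce.com", "app.box.com"}

DHCP_RE = re.compile(r"^(\S+) DHCPACK on (\S+) to \S+ \((\S+)\)$")
VPN_RE = re.compile(r"^(\S+) vpn: user=(\S+) assigned (\S+)$")
EGRESS_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)$")


def build_assignments(dhcp_log, vpn_log, asset_owner):
    """Merge DHCP and VPN logs into a time-ordered list of (start, ip, user).

    A DHCP lease names a host, not a user, so the asset inventory supplies
    the owner; a VPN assignment names the user directly."""
    assignments = []
    for line in dhcp_log.splitlines():
        m = DHCP_RE.match(line)
        if m:
            ts, ip, host = m.groups()
            user = asset_owner.get(host)
            if user:  # hosts with no known owner cannot be attributed
                assignments.append((datetime.fromisoformat(ts), ip, user))
    for line in vpn_log.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts, user, ip = m.groups()
            assignments.append((datetime.fromisoformat(ts), ip, user))
    assignments.sort()
    return assignments


def user_for(assignments, ip, when):
    """Return the user holding `ip` at time `when` (latest assignment at or
    before `when`), or None if the IP had no known holder yet."""
    owner = None
    for start, a_ip, user in assignments:
        if a_ip != ip:
            continue
        if start <= when:
            owner = user
        else:
            break  # list is sorted, so later entries are also in the future
    return owner


def attribute_and_flag(egress_log, assignments, sanctioned):
    """Attribute each egress event to a user and flag what a reviewer should
    look at: unattributable sources, unsanctioned services, and a user's
    first observed use of a sanctioned service."""
    findings = []
    seen = defaultdict(set)  # user -> services already observed
    for line in egress_log.splitlines():
        m = EGRESS_RE.match(line)
        if not m:
            continue
        ts, src, dst = m.groups()
        user = user_for(assignments, src, datetime.fromisoformat(ts))
        if user is None:
            findings.append((ts, src, dst, None, "unattributed source IP"))
        elif dst not in sanctioned:
            findings.append((ts, src, dst, user, "unsanctioned cloud service"))
        elif dst not in seen[user]:
            findings.append((ts, src, dst, user, "first use of service"))
        if user is not None:
            seen[user].add(dst)
    return findings


def service_inventory(findings):
    """Cloud services observed on the network and which users touched them."""
    users_by_service = defaultdict(set)
    for _ts, _src, dst, user, _reason in findings:
        if user is not None:
            users_by_service[dst].add(user)
    return dict(users_by_service)


def run_demo():
    assignments = build_assignments(DHCP_LOG, VPN_LOG, ASSET_OWNER)
    findings = attribute_and_flag(EGRESS_LOG, assignments, SANCTIONED)
    return findings, service_inventory(findings)


if __name__ == "__main__":
    for f in run_demo()[0]:
        print(f)
```

The 11:45 event is the instructive one: the 10.0.5.23 address belonged to alice-laptop at 08:01 but to bob-laptop from 11:30, so an IP-only report would blame the wrong person, while the lease-aware join attributes it to bob. The 07:00 event, which precedes every known lease, is surfaced as unattributable rather than silently dropped.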