Rapid7's InsightIDR
Rapid7's InsightIDR

Name: InsightIDR

Company: Rapid7

Description: Integrated detection and response tool that makes strong use of deception technology.

Price: Dependent on the number

URL: https://www. rapid7.com/products/insightidr


Rapid7 InsightIDR is a detection and response tool that uses deception technology to answer a couple of important questions: “Is the enterprise compromised, and, if so, how do I respond?” In response, Rapid7 takes three major steps: detect, unify and prioritize. It is in the detection phase that Rapid7 employs deception technology along with user behavior analysis.

InsightIDR is “honey”-centric deploying honeypots, honey users, honey credentials, and honey files. Understanding how to deploy these honey elements requires a deep knowledge and understanding of attacker TTPs. Rapid7 has significant access to these data through its experience with Metasploit, the Heisenberg Project and Project Sonar. The Heisenberg Project, a global collection of honeypots, gathers attack data from all over the world.  Understanding these data allows Rapid7 to create traps that can collect attacks without alerting the attacker.

Project Sonar is a global scanning effort that, along with Metasploit, informs of typical vulnerabilities that are being exploited successfully, allowing Rapid7 to bait its traps with subtle vulnerabilities while helping the enterprise owner patch against attacks.  Adding sophisticated user behavior analytics to the deception network permits predictive behavior that will draw the attacker into the deception and away from real assets.

Strictly speaking InsightIDR is not a deception network. It is an advanced and highly integrated detection and response tool that leverages deception in its detection suite. The deception piece of the network is effective when taken with advanced behavior analytics. Each piece of InsightIDR enhances and supports each other piece resulting in an effective detection/response tool.

A unique feature of InsightIDR is the concept of notable behaviors. Notable behaviors help identify genuine risks.  And, they neck down the firehose of ongoing events, many of which would result in false positives or information only if traced. For example, on the test network we examined over a period of time there were 206 million events processed, but only 1,343 of them over the same period were notable events.  

Still, we want to know which users are exhibiting risky behavior, which user accounts may have been compromised, etc.  InsightIDR provides all that information with excellent drill-down to get to details on the behavior of an individual user over a period of time selected.  We also can see all of accounts the user accessed and any other important behaviors that may help form a conclusion.

The deception network provides a timeline function that shows the history of a specific attacker's interaction with a honeypot. The forensic trail in this case is quite good.  Each step exhibits the timeline event and the supporting evidence. Evidence gathered during an investigation is enriched to provide more supporting details and expand context.

The InsightIDR portion of the Rapid7 website is clean and contains lots of information with a lot regarding support plans but, again, the focus is on Rapid7 shops as opposed to single InsightIDR users.  However, InsightIDR users can get support with several options.

 – Peter Stephenson, technology editor