InsightIDR Overview

Rapid7’s InsightIDR is your security center for incident detection and response, authentication monitoring, and endpoint visibility. InsightIDR helps you identify unauthorized access from external and internal threats, and highlights the suspicious activity so you don’t have to weed through thousands of data streams.

InsightIDR combines the full power of endpoint forensics, log search, and sophisticated dashboards into a single solution. It is a Software as a Service (SaaS) tool that collects data from your existing network security tools, authentication logs, and endpoint devices, and aggregates that data at an on-premises Collector.

The Collector gathers your logs and transmits them securely to AWS, where the customer databases and the web interface are hosted. Rapid7 then runs analytics on this data to correlate users, accounts, authentications, alerts, and privileges. This gives you insight into the behavior of each user in your environment while also checking for known indicators of compromise.

You will need dedicated on-premises Collectors to gather event and log data. These Collectors can also collect endpoint data if desired, although they do not collect endpoint data in real time.

For real-time endpoint data collection, you should also plan to install the Insight Agent on your asset(s).

Why Use InsightIDR?

Unify your data into a single security view

Track the network resources your users are working on, the devices they are using, and even the cloud services they are visiting. Every piece of information in your network is normalized and attributed to users, so you know exactly where traffic and data originates from, which user it belongs to, and exactly when it all occurred.

Analyze raw logs, endpoint data, and network traffic

InsightIDR collects data streams from every available source and brings them together in one convenient place for you to analyze. Sift through raw logs, visualize your endpoint data, or organize your network traffic by user.

Receive alerts for suspicious activity

Whether or not suspicious activity is currently happening on your network, InsightIDR sets up traps that alert you to security gaps, so you can cover all your bases.

Prioritize events

Because all of your traffic and data is normalized, InsightIDR automatically prioritizes network events and brings the notable ones to your attention, so you know when to pay attention and when to investigate. InsightIDR keeps you from wasting time and lets you focus on notable events.

Investigate events

In the event of a breach, security teams have a more complete picture of not just what was involved, but who was responsible, when the event happened, and where the intruder is headed next.

How Does InsightIDR Work?

InsightIDR is used by various Ops departments at companies large and small, but an Information Security team relies on InsightIDR in its everyday work to keep the network safe. Just how do they do that?

In Action

While at work, an email alert notifies the team of suspicious behavior. After logging into InsightIDR, they select the Alerts tab and then move to Investigate Alerts. Once they have confirmed the alert number from the email, they select the Incident for further details and review the activity collected in it: when did it happen, which user was present, and what was the suspicious activity? This process of Information Discovery leads the InfoSec team to select Evidence to find out who the user is, whether the user owns the asset, and which issues need to be fixed.

Even if the outcome is undetermined, the user is placed on a Watchlist for heightened monitoring while the team performs Out of Band verification, that is, checking with other Ops teams about the user's activity and asset to determine whether it was malicious. InfoSec will run custom log searches, browse the firewall activity, comb through IP encounters, and make contextual decisions about what the user was doing based on the available information.

Incident Response

Many times, the incidents are "false positives," meaning they were false alarms. But where malicious activity or malware has occurred on an asset, the InfoSec team can wipe the asset completely, leaving it a blank slate. This allows them to reinstall a clean operating system and start over from scratch. In extreme cases, an asset that is beyond repair will have to be destroyed entirely.