Detect, Investigate, Scrutinize and Contain with Rapid7 UserInsight
Rapid7’s UserInsight is designed to monitor user activity and detect compromised credentials across internal systems, outward-facing services (e.g., web or VPN access) and cloud providers, while identifying vulnerable assets and monitoring risky accounts.
This is done by creating a baseline of known traffic patterns, geolocation and other user information, monitoring the local network, and keeping an eye on company accounts with cloud providers such as Google Apps, Amazon Web Services (AWS), Salesforce and Box. The goal is to identify attacks before a data compromise occurs and to sound an alert if a successful compromise is detected, while providing contextual information about users, devices and access behaviors so you can make informed decisions on how to act.
UserInsight is a cloud-based network security monitoring service hosted by Rapid7 that uses server and site redundancy to ensure that no single failure can bring its service down. Organizations subscribing to UserInsight (its pricing is based on user count) place one or more collectors on their networks that report to Rapid7’s monitoring
Organizations with simple networks can often get by with a single collector; organizations managing multiple network segments (e.g., branch locations) are most likely to use multiple collectors. The Rapid7 service also collects data from cloud service providers, aggregates it into a dashboard that shows current activity for the subscriber—both internally and in the cloud—and sends out alerts when an actual compromise has been detected. Figure 1 shows the dashboard from Rapid7’s demo environment.
If UserInsight detects an administrative or service login coming from outside the organization, it can note that as an incident and send an alert to designated email addresses. Although it’s common in many organizations for administrators to log in from outside the network, the best practice is to log in under a less-privileged account and then elevate privileges only as much as needed to complete administrative tasks.
These rule-based alerts are preconfigured in the monitoring service to fire only on serious incidents, which keeps alert volume down; individual rules can be disabled in the portal.
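As an added illustration of the kind of rule described above (this is example code, not Rapid7's own detection logic, which the page does not describe), the block below flags successful logins by privileged accounts from addresses outside a set of internal ranges; the network ranges, account names and login events are all constructed placeholders.

```python
import ipaddress

# Constructed baseline (hypothetical values, not from any real deployment):
# the address ranges the organization treats as "inside" and the accounts it
# considers privileged (administrators and service accounts).
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIVILEGED_ACCOUNTS = {"administrator", "svc_backup", "svc_sqlagent"}

def is_internal(src_ip: str) -> bool:
    """True when the source address falls inside a known internal range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)

def normalize_account(user: str) -> str:
    """Strip a DOMAIN\\ prefix or @domain suffix and lower-case the name."""
    return user.rsplit("\\", 1)[-1].split("@", 1)[0].lower()

def detect_external_privileged_logins(events):
    """One alert per successful privileged login from outside the org.

    Events are dicts with 'ts', 'user', 'src_ip' and 'result' keys. Failed
    attempts are skipped here so the rule stays low-noise, as the text notes.
    """
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        account = normalize_account(ev["user"])
        if account in PRIVILEGED_ACCOUNTS and not is_internal(ev["src_ip"]):
            alerts.append({"ts": ev["ts"], "user": account,
                           "src_ip": ev["src_ip"],
                           "rule": "privileged_login_from_outside"})
    return alerts

# Constructed sample login events standing in for collector output.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:01:00Z", "user": "CORP\\jsmith", "src_ip": "10.20.3.7", "result": "success"},
    {"ts": "2024-01-10T08:05:12Z", "user": "CORP\\Administrator", "src_ip": "10.20.3.9", "result": "success"},
    {"ts": "2024-01-10T22:41:03Z", "user": "administrator@corp.example", "src_ip": "203.0.113.45", "result": "success"},
    {"ts": "2024-01-10T22:42:19Z", "user": "svc_backup", "src_ip": "198.51.100.8", "result": "failure"},
    {"ts": "2024-01-11T03:15:44Z", "user": "svc_backup", "src_ip": "198.51.100.8", "result": "success"},
]

if __name__ == "__main__":
    for alert in detect_external_privileged_logins(SAMPLE_EVENTS):
        print(alert)
```

Only the two external, successful privileged logins produce alerts; the internal administrator login and the failed service-account attempt do not.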
Rapid7 also collects information about any cloud services the organization uses. Many cloud services—including Google Apps, AWS, NetSuite and Salesforce.com—are supported; new ones are being added as demand justifies. The on-premises collector connected to the customer network comes into play here; it pulls the relevant audit logs—rather than relying on an agent in the cloud—to address cases where rules on the provider’s end restrict such access to devices on the customer’s internal network.
This video, a Rapid7 UserInsight Technical Overview by E-SPIN, gives you more information about this product.
For those who cannot join us for the session, please see the summary and highlight clip for the event.
E-SPIN recently ran a Rapid7 UserInsight what’s new session covering what is new for new and existing users.
If you have any inquiries or questions, feel free to contact E-SPIN about solution, product and project requirements.