
Achieve SIEM Solution Success with Rapid7

YOUR GARTNER REPORT COMPANION GUIDE

INTRODUCTION

If you want to unify your data, reliably detect attacks, and identify risk across your organization, you need a Security Information and Event Management (SIEM) solution. However, centralizing all of your security and network data, and then analyzing that data in an impactful way, can be a long, laborious process.

Gartner has certainly heard their share of deployment failures, and shared their findings in the report, “Overcoming Common Causes for SIEM Solution Deployment Failures.” Analysts Mitchell Schneider, Kelly M. Kavanagh, and Toby Bussa note, “We frequently speak to clients who are purchasing their second or third SIEM solution, after finding that their incumbent solution does not meet their expectations.”

It doesn’t have to be this way. At Rapid7, we took the deployment failure stories we heard from customers and built our SIEM offering to take advantage of cloud infrastructure, pre-built detections, and our continued research on the attacker. The result? Detection of stealthy attacks, prioritized incident investigations, and fewer data management headaches.

Gartner has identified six challenges, listed below, as the main causes behind failed deployments. For each point, we’ve summarized Gartner’s recommendation and followed it with Rapid7’s approach, which leverages InsightIDR, our modern SIEM that’s designed for fail-safe deployments.

1. Failing to Plan Before Buying
2. Failing to Define Scope
3. Unrealistic Scoping
4. Monitoring Noise
5. Lacking Sufficient Context
6. Lacking Resources

1. Failing to Plan Before Buying

At the risk of stating the obvious, it’s vital to define goals and requirements before embarking on a SIEM evaluation. If you don’t know your primary goals, the scope of integrations needed, or more importantly, what types of tools and features your team can adequately support, you might be preparing to buy a really expensive dust collector.

The Gartner Take: Use a “formalized planning approach.” This includes a core project team with clear, defined responsibilities, desired use cases, and where the data is expected to come from. Of course, selecting the right technology and vendor is an important step.

How Rapid7 Can Help:

One size doesn’t fit all. Each customer network is different—some are scattered across the globe, with branch offices and traveling employees. Universities have huge influxes of transient, student users; other security teams need to oversee the acquisition of multiple companies each quarter.

We’re happy to dig deep into your business objectives, available resources, and existing technology to find the best fit.

Here are some questions to consider:

• Are you augmenting an existing SIEM, or do you want to rip-and-replace?

While Rapid7 InsightIDR is capable of bringing SIEM, user behavior analytics (UBA), and endpoint detection and response (EDR) capabilities to your raw log sources, the InsightIDR help messaging and the product consulting team can ensure data collection directly from the source or from another log aggregator.

Want to bring UBA and better detection to your existing SIEM? We can help. Want a longer term plan of how you might transition over? We’ll walk you through it.

• Are you building an incident detection and response program, or would you prefer a managed offering?

Rapid7 maintains a Security Operations Center (SOC) that monitors over a hundred organizations 24 hours a day, 7 days a week. Should you want an extension of your security team, our Managed Detection and Response (MDR) offering brings the expertise of our analysts to you as a tight-knit service that upends the traditional, often ineffective MSSP model—they’re like your own personal cyber guardians. Best of all, with MDR, you get full access to the InsightIDR technology for visibility and reporting.

• Are you worried about what your team will do when incidents occur?

The Rapid7 Services team is a critical source of intelligence into how to implement and test an effective incident response plan. We offer a Program Development service, which can work alongside your team to build the right plan for your organization, as well as hands-on exercises, such as Tabletop Exercises and Breach Readiness Assessments, to make sure your team is ready when it counts.

2. Failing to Define Scope

As eloquently stated on page 4 of the Gartner report, “no scope, no hope.” Planning properly will get you started on outlining your full set of requirements, and therefore your scope. With so many options for SIEM vendors and deployment setups, it’s vital to map out desired use cases and what will constitute project success. Planning and patience are paramount here.

The Gartner Take:

The primary drivers behind SIEM projects are compliance and threat management. Threat management includes monitoring users, network security devices (firewalls, IDS/IPS, security and audit logs from servers), and taking action on threat intelligence. Niche use cases include retail point of sale (POS) monitoring, operational technology (OT) monitoring, or honeypot monitoring (deception technology).

How Rapid7 Can Help:

Defining your project scope is important, both for internal planning, and to share with us, so we can help you plan for success. What types of data do you want to centralize, and what use cases do you want to solve? Are there timeframes for when new assets need to send data to the SIEM, or certain metrics that need to be reported for compliance or board meetings?

For each attacker behavior, we’ve identified the data required to detect it. However, not all signs of the attacker are found in existing network logs. That’s why InsightIDR also comes standard with deception technology in the form of four intruder traps. These traps create an illusion for attackers—showing them something they want—to make it easier to detect when they’re going after it. All four traps (honeypots, honey users, honey credentials, and honey files) are quick to set up and feed into the detection and investigation workflows in InsightIDR.

On our InsightIDR Interactive Product Tour, we’ve listed the top ways customers are using their data today. Feel free to jump in and explore them for yourself.

3. Unrealistic Scoping

In other words, don’t let your eyes get bigger than your stomach. This is super important in traditional SIEM deployments, where your cost is directly correlated to the amount of data you plan to ingest and the number of use cases you need to build for.

Gartner Recommends:

Consider an initial roadmap of five to seven use cases. Ensure that your required data sources can actually output logs for ingestion by the SIEM.

How Rapid7 Can Help:

When current customers have shared previous pain with a SIEM, it’s not just with deployment challenges. Top complaints include prohibitively expensive data volume costs, and the maintenance work required to “keep the lights on” tuning the SIEM.

With the cloud architecture behind InsightIDR, you don’t need to worry about purchasing and provisioning hardware, or data management. Your data is securely stored on the Insight platform, and you benefit from fast log search and continually released detections. Setting up new data sources is easy and various collection methods are supported for the trickier ones.

Best of all, our pricing model doesn’t penalize you for sending important data to the Insight platform. No need to weigh the value of sending one data set to the Insight platform versus another.

4. Monitoring Noise

Data, data, and more data. Bring on the data! This is a great mindset to have, if your SIEM makes it easy for you to make sense of that data. Unfortunately, traditional SIEM tools are not built to be big data analytics platforms; instead, they become merely a data dumping ground. This pain has already sparked the rise of user and entity behavior analytics (UEBA) tools, which are designed to turn data into actionable information. You could purchase a UEBA tool as a point solution to integrate with your SIEM, or you could investigate a tool such as Rapid7 InsightIDR, which natively combines the powers of SIEM and UEBA.

Gartner Recommends:

Employ “Output-Driven” SIEM. Central Log Management (CLM) should be implemented first in front of the SIEM solution. This is an easy win and helps corral project scope creep. Selectively choose the data to ingest in order to scale cost-effectively.

How Rapid7 Can Help:

With InsightIDR, you don’t need to start with just log centralization. Once you configure your foundational data sources, every event will be enriched with user and asset context. With our pre-built detections that span across the attack chain, you’ll be automatically alerted on stealthy attacker behavior and risk across your organization.

5. Lacking Sufficient Context

Context is King. Your SIEM and integrated tools will only be as useful as the data that is feeding in. When conducting incident investigations, getting insight into the full story is vital.

Gartner Recommends:

Follow a formal use case implementation process. Identify initial use cases, figure out the data required to achieve it, build out the SIEM content required, define operational processes … and test it. Easy, right?

How Rapid7 Can Help:

Getting the right data to help complete incident investigations is challenging on a few fronts. First, it requires data manipulation expertise (i.e., getting the SIEM to show you the data you want). Then, it requires incident response knowledge to assess whether the flagged behavior or alert is indeed “bad.” To top it off, security analysts still have to jump between siloed solutions or raw log sources to get the context needed to make a decision.

With the user behavior analytics core in InsightIDR, network activity is automatically attributed to the users and assets behind it. As this occurs, notable behaviors are identified and presented as context during investigations, plus every user’s and asset’s typical behavior is available for additional context with a button click.
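To make the two ideas above concrete, the honey-user trap from section 2 and the user/asset attribution described here, the following is an added illustration written for this guide, not InsightIDR code; the log format, the asset inventory, and the decoy account name are all constructed for the example.

```python
"""Added example: enrich raw auth events with user/asset context and flag any
use of a decoy (honey) account. Not Rapid7/InsightIDR code; all data is constructed."""
import re
from collections import Counter

# Constructed sample auth log lines in a syslog-like key=value layout.
SAMPLE_LOGS = """\
2018-08-26T10:00:01Z auth host=fs01 src=10.0.5.12 user=alice result=success
2018-08-26T10:00:04Z auth host=fs01 src=10.0.5.12 user=alice result=success
2018-08-26T10:01:10Z auth host=dc01 src=10.0.9.77 user=svc_backup_legacy result=failure
2018-08-26T10:01:12Z auth host=dc01 src=10.0.9.77 user=svc_backup_legacy result=success
2018-08-26T10:02:00Z auth host=web02 src=10.0.5.40 user=bob result=failure
"""

# Constructed decoy account: no legitimate process or person should ever use it,
# so any authentication attempt against it is high-signal by construction.
HONEY_USERS = {"svc_backup_legacy"}

# Constructed asset inventory (source IP -> hostname, asset class) used for enrichment.
ASSETS = {"10.0.5.12": ("alice-laptop", "workstation"),
          "10.0.9.77": ("unknown", "unmanaged"),
          "10.0.5.40": ("bob-laptop", "workstation")}

LINE_RE = re.compile(r"^(?P<ts>\S+) auth host=(?P<host>\S+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_events(text):
    """Parse each line into a dict and attach asset context from the inventory."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than crashing the pipeline
        ev = m.groupdict()
        ev["asset"], ev["asset_kind"] = ASSETS.get(ev["src"], ("unknown", "unknown"))
        events.append(ev)
    return events

def honey_alerts(events):
    """Every attempt against a honey user, successful or not, is an alert."""
    return [ev for ev in events if ev["user"] in HONEY_USERS]

def baseline_failures(events):
    """Per-user failure counts, the kind of 'typical behavior' context shown alongside alerts."""
    return Counter(ev["user"] for ev in events if ev["result"] == "failure")
```

Running `honey_alerts(parse_events(SAMPLE_LOGS))` yields both decoy-account attempts, each already carrying the source asset class (here an unmanaged host), which is the context an analyst wants before deciding whether to escalate.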

During deployment, you don’t need to worry about adding the right data sources. We’ll tell you exactly what needs to be sent—this includes coverage for common gaps like endpoint and cloud services—and even add some additional event sources via the included deception technology. If you’re a more experienced user, you’ll appreciate that any event source on your network can be ingested for log centralization, search, and data visualization. InsightIDR takes any structured log data, in any format. We also support Threat Intelligence feeds and curate our own Managed Detection and Response intel that’s shared with the InsightIDR community.

6. Lacking Resources

Traditional SIEMs don’t run themselves. You need to have multiple people with the right skillsets to manage the SIEM day-to-day, monitor and investigate incidents, and optimize your overall deployment. This is explained in Gartner’s Run - Watch - Tune model shown below.

Gartner Recommends:

Limit the scope of the project (CLM), or engage an external service provider (MDR). Why? SIEM maintenance and performing incident response are two distinct skillsets. “While some airplane mechanics may be able to fly a plane, you would probably prefer a fighter pilot to fly it into combat if the need ever arose.” Same concept here!

“Managed Detection and Response (MDR) vendors may provide their own technology to the customer’s environment, and delivered as-a-service. There is no need for the customer to purchase a commercial SIEM, as the security functions are delivered via shared services from the MDR service provider’s remote SOC.”

- Gartner, “Overcoming Common Causes for SIEM Solution Deployment Failures,” Mitchell Schneider, Kelly M. Kavanagh, Toby Bussa, 30 May 2017

How Rapid7 Can Help:

We uniquely offer both the SIEM technology and a Managed Detection and Response service; there is no need to work with an additional third party. Note that if you choose MDR, that includes access to InsightIDR for compliance, reporting, and additional investigative needs.

Unlike the above diagram, InsightIDR doesn’t require you to dedicate multiple staff members to Run-Watch-Tune in order to get answers. For more on what customers think about InsightIDR, check out the peer-submitted reviews available on Gartner Peer Insights: https://www.gartner.com/reviews/market/security-information-event-management/vendor/rapid7?pid=9665

ABOUT INSIGHTIDR

InsightIDR is your solution for incident detection and response. By bringing the best SIEM, UBA, and EDR capabilities to the table, you can unify all of your existing network and security data. This allows you to reliably detect stealthy attacks, and identify risk across your environment.

Learn more and explore interactive customer use cases at www.rapid7.com/products/insightidr/.

ABOUT RAPID7

With Rapid7, technology professionals gain the clarity, command, and confidence to safely drive innovation and protect against risk. We make it simple to collect operational data across systems, eliminating blind spots and unlocking the information required to securely develop, operate, and manage today’s sophisticated applications and services. Our analytics and science transform your data into key insights so you can quickly predict, deter, detect, and remediate attacks and obstacles to productivity. Armed with Rapid7, technology professionals finally gain the insights needed to safely move their business forward. To learn more about Rapid7, visit www.rapid7.com.

Contact us to learn more about Rapid7 InsightIDR:

www.rapid7.com/contact
+1–866–7RAPID7 (Toll Free)
+1–617–247–[email protected]