Rapid7’s Incident Detection and Response and Vulnerability Management solutions, InsightIDR and Nexpose, now integrate to provide visibility and security detection across assets and the users behind them. Combining the pair provides massive time savings and simplifies incident investigations by highlighting risk across your network ecosystem without writing queries or digging through logs.
Nexpose proactively identifies & prioritizes weak points on your network, while InsightIDR helps find unknown threats with user behavior analytics, prioritizes where to look with SIEM capabilities, and combines endpoint detection and visibility to leave attackers with nowhere to hide. Let’s look at three specific benefits: (1) putting a "face" to your vulnerabilities, (2) automatically placing vulnerable assets under greater scrutiny, and (3) flagging users that use actively exploitable assets.
User Context for Your Vulnerabilities
InsightIDR integrates with your existing network & security infrastructure to create a baseline of your users’ activity. By correlating all activity to the users behind them, you’re alerted of attacks notoriously hard to detect, such as compromised credentials and lateral movement.
When InsightIDR ingests the results of your Nexpose vulnerability scans, vulnerabilities are added to each user’s profile. When you search by employee name, asset, or IP address, you get a complete look at their user behavior:
How this saves you time:
- See who is affected by what vulnerability – this helps you get buy-in to remediate a vulnerability by putting a face and context on a vulnerability. (“The CFO has this vulnerability on their laptop – let's prioritize remediation.”)
- Have instant context on the user(s) behind an asset, so you accelerate incident investigations and can see if the attacker laterally moved beyond that endpoint.
- Proactively reduce your exposed attack surface, by verifying key players are not vulnerable.
Automatic Security Detection for Critical Assets
In Nexpose, you can dynamically tag assets as critical. For example, they may be in the IP range of the DMZ or contain a particular software package/service unique to domain controllers. Combined with InsightIDR, that context extends to the users that access these assets.
When InsightIDR ingests scan results, assets tagged as critical are labeled in InsightIDR as Restricted Assets. This integration helps you automatically place vulnerable assets under greater detection scrutiny.
Some examples of alerts for Restricted Assets:
- First authentication from an unfamiliar source asset: InsightIDR doesn't just alert on the IP address, but whenever possible, shows the exact users involved.
- An unauthorized user attempts to log-in: This can include a contractor or compromised employee attempting to access a financial server.
- A unique or malicious process hash is run on the asset: A single Insight Agent deployed on your endpoints performs both vulnerability scanning and endpoint detection. Our vision is to reliably find intruders earlier in the attack chain, which includes identifying every process running on your endpoints. We run these process hashes against the wisdom of 50 virus scanners to identify malicious processes, as well as identify unique processes for further investigation.
- Lateral movement (both local and domain): Once inside your organization’s network, intruders typically run a network scan to identify high-value assets. They then laterally move across the network, leaving behind backdoors & stealing higher privilege credentials.
- Endpoint log deletion: After compromising an asset, attackers look to delete system logs in order to hide their tracks. This is a high-confidence indicator of compromise.
- Anomalous admin activity, including privilege escalation: Once gaining access to an asset or endpoint, attackers use privilege escalation exploits to gain admin access, allowing them to dump creds or attempt pass-the-hash. We identify and alert on anomalous admin activity across your ecosystem.
Identifying Users that Use Exploitable Assets
Many Nexpose customers purchase Metasploit Pro to validate their vulnerabilities and test if assets can be actively exploited in the wild. As an extension of the critical asset functionality above, customers that own all three products can automatically tag assets that are exploited by Metasploit as critical, and thus mark these as restricted assets in InsightIDR. This ensures that assets which are easy to breach are placed under higher scrutiny until the exploitable vulnerabilities are patched.
Configuring the InsightIDR-Nexpose Integration
If you have InsightIDR & Nexpose, setting up the Event Source is easy.
1. In Nexpose, setup a Global Admin.
2. In InsightIDR, on the top right Data Collection tab -> Setup Event Source -> Add Event Source.
3. Add the information about the Nexpose Console (Server IP & Port).
4. Add the credentials of the newly created Global Admin.
And you’re all set! If you have any questions, reach out to your Customer Success Manager or Support. Don’t have InsightIDR and want to learn how the technology relentlessly hunts threats? Check out an on-demand 20 minute demo here.
Nathan Palanov contributed to this post.