Rapid7 Introduces “Active Response” for End-to-End Detection and Response

We know your cybersecurity team is facing unprecedented challenges, including new and complex attacks that exploit your remote workforce and deliver malicious payloads (which, despite your best defenses, can bypass proactive security controls).

Managed Detection and Response (MDR) providers offer additional resources and expertise, taking on the brunt of security operations and giving you an advantage in the fight to protect your organization. Many providers focus on creating best-of-breed detections to spot known and unknown threats.

But when it comes to the “Response” element, not all methods are created equal.

For example, consider fighting a fire. To put out a small fire, you could respond using a fire extinguisher. But that same response method would be useless to stop a wildfire from spreading; you’d need a strategy to suppress the blaze using a control line and air support.

The same goes for your detection and response plan. Only focusing response on the endpoints to halt the propagation of malicious activity across user devices is like using a garden hose to respond to a multi-alarm fire. Maybe it would slow the flames, but it’s rare that it’ll be successful at putting it out.

Too often, MDR providers will recommend actions and strategies that index on containing a single element of the threat but not responding to the actual attack. In fact, our MDR team’s Findings Reports showed that 96% of incidents included end user compromise, with three out of every four incidents involving compromised user credentials. So, an effective response must use a strategy to cut an attacker off from both the endpoint and user accounts! Without containing threats on both the endpoint and user levels, your MDR provider is just delaying the next alert, not stopping the attacker.

That’s why we’re excited to announce the launch of our new Active Response capability as a part of our MDR Elite service. Only Rapid7 MDR with Active Response can reduce attacker dwell time and save your team time and money with unrivaled response capabilities on both endpoint and user threats.

With MDR Elite with Active Response, our team of SOC experts provide 24×7 end-to-end detection and response to immediately limit an attacker’s ability to execute, giving you and your team peace of mind that Rapid7 will take action to protect your business and return the time normally spent investigating and responding to threats back to your analysts.

A superior response method

Our approach is unique from other MDR providers in the market because our SOC team leverages Rapid7’s team of experts, combined with our industry-leading SOAR solution, InsightConnect, to respond using advanced workflows after validating true incidents. This means that only Rapid7 MDR with Active Response can:

• Provide 24×7 end-to-end detection and response. No more frantic “drop everything and respond now” moments. Have peace of mind knowing that Rapid7’s MDR experts will take action for you at any time, day or night. Our team will monitor threats, validate them, and take on the initial countermeasures to paralyze the attacker for you.
• Launch on-premises and remote user and host containment. Active Response will react as early in the kill chain as possible by containing compromised endpoints or user accounts. Taking action to respond within minutes of finding a threat will prevent malware propagation, cut off lateral movement, or stop data exfiltration attempts.
• Set configurations and guidelines for any response action. You can create containment guardrails to prohibit response actions to critical servers, users, or devices. This way, we won’t treat a typical user the same as your Domain Controller.
• Allow you flexibility to collaborate with MDR responders, or let our experts handle it all. You’ll have the option to be hands-off or to collaborate with our team in order to accelerate or cancel containment actions via Slack on your mobile or desktop devices. You can be as hands-off or hands-on as you prefer for each incident.
• Keep you in the loop with consistent communication and notifications. We’ll send real-time updates on actions happening through a variety of communication platforms, including Slack, phone, email, or text. Every action is then recorded within the InsightIDR investigation so you’ll have an audit trail and one centralized source of truth.
• Give you the freedom to eradicate threats and recovery on your terms. Once Active Response kicks in, your only job is to take the remediation and mitigation actions we recommend in your Findings Report. From there, you can bring the endpoint or user back into production by sending a Slack message. It’s that easy.
• Prevent analyst burnout. No one gets into InfoSec because they want to look at alerts all day. Give your team something more important to do besides refreshing their inbox in anticipation of a Findings Report and waiting around to respond to threats. Let our MDR team become a force multiplier for your security program and free up your analysts to provide more value to your business.

Rapid7 Active Response eliminates automated containment risks

Back in 2015, Gartner published a blog stating there are two types of automated response, the good and the evil, where the latter could potentially disrupt or cause damage in the IT environment. In it, Gartner actually warns against automating containment. Five years later, and this sentiment still holds true.

Unlike other providers that leverage immature technologies to perform generic containment based on automated rules or blanket actions to cut network traffic to and from devices (the “evil” automations Gartner mentions), our Active Response service only executes actions on validated threats and gives your team the flexibility to configure or cancel responses. This allows us to remove the headaches of false-positive quarantines, containing assets that comprise the business or cause more work for your team to correct the action down the line.

These other service providers may suggest using up-front consultations to overcome fears of automating the wrong actions or ensure alignment with your goals, but this method could end up with two undesired outcomes:

• No-action scenario: Action deemed out of context for automation, and you (the customer) must take action instead.
• Worst-case scenario:  Automation action taken, with negative impact (see below)

While the best-case scenario is that the correct automation action is taken with no disruption to the business, it only takes one bad automated containment action to cause significant damage or headaches!

Let’s dig deeper into this: There are at least seven key consequences to the typical automated containment model, even based on true indicators. (P.S. We made sure to account for these security and business risks when designing the Active Response service):

Security risks

• Security Risk No. 1: Assets are contained, but user accounts are still compromised. For example, a phishing attack provides the attacker with user credentials, so isolating an endpoint doesn’t prevent the attacker from using credentials on another machine.
• Security Risk No. 2: Premature containment causes the SOC to lose valuable attack context. For example, if you immediately take automated action to contain a low-level threat, your team loses all tracking ability to see the trends or what the attacker did before you cut the attacker off; thus, you lose the ability to see what actions the attacker used to target you, where your weak points are, etc.
• Security Risk No. 3: Attackers begin to use automated containment to their advantage. For example, an attacker realizes that accounts and assets are locked immediately after they are spotted, so they purposefully trip wires to lock out accounts and debilitate a company’s ability to operate.

Business risks

• Business Risk No 1: Asset is contained so a critical user is unable to perform their job/locked out of their account. For example, a CEO goes on a business trip to China for the first time, and the time difference means that her 3 a.m. login looks anomalous. The CEO is now locked out of her device until someone wakes up to an angry message saying she cannot access their machine, email, Slack, etc. and needs help.
• Business Risk No. 2: Asset contained so users cannot perform function. For example, a public company’s Deal Desk resource can’t book deals at EoQ or close the books on the last day of the month.
• Business Risk No. 3: A critical server is contained, taking it offline. For example, an e-commerce retailer is now down because the payments server is taken offline, and anyone who tries to check out their cart can’t process the order.
• Business Risk No. 4: Network communications between user and other business partners shut off. For example, a Business Process Outsourcing (BPO) provider gets blocked, so your business can’t connect to your outsourced customer service team, or a business partner that’s part of your supply chain is cut off from processing a rushed order.

Like Gartner, we believe that it causes more harm to take automated actions using AI-based rules or shutting off network traffic rather than taking the right containment action on your endpoint or user accounts based on the collective experience of our SOC experts.

Ultimately, Rapid7 MDR’s team is highly effective because our actions are executed after thorough human review, granting customers the flexibility to align our service to their specific environment. Our team takes action on only valid threats, and we give the option for the customer to stay in control.

Let Rapid7 MDR with Active Response handle threats for you

Whether it’s a suspicious authentication while you’re buried in other security initiatives or an attacker executing malicious documents at 3 a.m., you can be confident that Rapid7 MDR is watching and responding to attacks in your environment.

If you’re an MDR Elite customer, reach out to your MDR Customer Advisor today to learn more and start utilizing Active Response to help you respond to attacks faster and free analysts to provide more value. Stay tuned for additional containment and response workflows launching in the near future.