Endpoint Prevention overview

This article contains information that guides you through the different Endpoint Prevention add-ons for your organization.

Available through add-on components of Rapid7's Insight Agent, Endpoint Prevention is a technology that monitors your assets for different kinds of threats and automatically responds according to a policy that you configure. Each policy has a one-to-one relationship with the group it's attached to and is composed of several prevention engines designed to detect specific types of threats. Your configuration of these policies determines what kind of behavior Endpoint Prevention will monitor, how it will respond when that behavior is detected, and how these events should be prioritized in InsightIDR for your security team. All aspects of your Endpoint Prevention add-on are configurable on a per-organization basis by users with Platform Administrator privileges in the Agent Management experience.

This technology is available to Managed Threat Complete (MTC) Ultimate or Managed Detection and Response (MDR) customers with the Next-Generation Antivirus or Ransomware Prevention add-on.

Endpoint Prevention add-ons add an extra layer of protection to the assets where the Insight Agent is installed, using Rapid7's prevention engines to detect an attack's signature at the time of initial access to your environment. Endpoint Prevention offers endpoint detection and response (EDR) capabilities by integrating with InsightIDR.

Endpoint Prevention add-ons

Learn more about the add-ons available that provide Endpoint Prevention technology through your Insight Agent.

Next-Generation Antivirus

Monitor and prevent attacks on the endpoint, as well as detect, block, and disinfect assets against malicious files. Next-Generation Antivirus grants access to all Rapid7 prevention engines, including On-Access Scanning (Antivirus). With this offering, Rapid7 acts as your complete antivirus, Endpoint Protection Platform (EPP), and EDR solution.

Ransomware Prevention

Monitor your assets for evasive and suspicious behavior associated with ransomware attacks, and prevent those attacks from occurring. Ransomware Prevention grants access to all Rapid7 prevention engines, with the exception of On-Access Scanning (Antivirus). This offering allows you to use a third-party antivirus solution alongside Rapid7's Endpoint Prevention technology.

Endpoint Prevention in InsightIDR

The data produced by the Next-Generation Antivirus and Ransomware Prevention add-ons is designed to be viewed in Rapid7's InsightIDR offering. To get an overview of how Endpoint Prevention technology works in InsightIDR, read about investigations and alerts.

Glossary

Familiarize yourself with key terms related to Rapid7's Endpoint Prevention technology.

  • Insight Agent: Rapid7's data collection, monitoring, and response software that you install on your assets. The data the Insight Agent routinely and silently collects is sent to the Insight Platform for analysis and powers several Insight products, of which InsightIDR and InsightVM are prominent members.

The Insight Agent itself functions as a package of several independent components which can vary depending on the operating systems you have in your environment, your security goals, and the Rapid7 products you subscribe to. The Endpoint Prevention feature is one of these components and is designed for use with InsightIDR.

  • Agent Action: When one of the prevention engines detects a threat, your configuration determines what action the Insight Agent will take on that asset. The Insight Agent can block, disinfect, or quarantine threats, or simply alert on them (known as "Detection Only").

Some Agent Actions are specific to a particular prevention engine and aren't available for others. See how to configure prevention policies for Ransomware Prevention and Next-Generation Antivirus.

  • Asset: In Rapid7 terms, an asset is any device on your network, whether physical or virtual, that your business owns and has a security interest in. On-premises desktop workstations, take-home employee laptops, servers, and virtual machines are all examples of assets.

Assets with the Insight Agent installed on them can benefit from Endpoint Prevention technology through the Next-Generation Antivirus and Ransomware Prevention add-ons.

  • Exclusion: If you want an Endpoint Prevention add-on to ignore certain asset behavior that would otherwise trigger an Agent Action, you can configure and apply exclusions to meet that use case. You can exclude behaviors that you consider benign and not worth monitoring, that are legitimate processes from other software you control, or that are simply not relevant to your security concerns.

See how to configure exclusions for Ransomware Prevention and Next-Generation Antivirus.

  • Prevention Engine: The Next-Generation Antivirus and Ransomware Prevention add-ons detect and respond to threats through the use of several prevention engines. Each engine is functionally a category of logical rules or known-bad signatures designed to detect specific types of behavior. When such behavior is detected, the engine responds with an Agent Action and creates an alert tagged with a pre-arranged priority.

See more about the Prevention Engines for Ransomware Prevention and Next-Generation Antivirus.

  • Prevention Group: All assets that are visible to the Endpoint Prevention add-on you use are organized together in Prevention Groups. Each of these groups, whether you use the single DEFAULT group or supplement it with additional custom Prevention Groups, has exclusive control of its assets. Prevention Groups are the object to which you attach a Prevention Policy, configure asset grouping, and apply Exclusions.

See more about configuring Prevention Groups for Ransomware Prevention and Next-Generation Antivirus.

  • Prevention Policy: The configuration of each prevention engine and the selection of the engines you decide to use overall constitute a prevention policy that you attach to a prevention group. Though Rapid7 maintains a default policy that provides baseline protection from threats, you can create custom policies that better suit your Endpoint Prevention goals.

  • Endpoint Prevention Rule: The logic that a Prevention Engine uses to detect threats is made up of Endpoint Prevention Rules. Each of these Endpoint Prevention Rules is displayed within InsightIDR's Detection Management experience.

  • Rule Action: Separate from an Agent Action, a Rule Action instructs InsightIDR on how to respond when the conditions of an Endpoint Prevention Rule are triggered. InsightIDR can either create an investigation based on the triggering of the rule, generate an alert, or do nothing.

  • Rule Priority: When a Prevention Engine responds to a detected threat with an Agent Action, it also tags the detection with a priority level you configure in your Prevention Policy. This designation is called Rule Priority. In the context of InsightIDR, Rule Priority informs your security practitioners of the urgency with which they should respond to investigations or alerts generated when the rule is triggered.