MDR Deployment Tasks
This page outlines the deployment tasks for Managed Detection and Response (MDR).
Required Deployment Tasks
The following tasks are required for MDR deployment.
1. Set Up the Insight Collectors in the local or cloud infrastructure
InsightIDR requires the customer to deploy at least one Insight Collector, hosted either on-premises or in the customer's own cloud infrastructure, to receive log and endpoint data. Depending on the size and network layout of the customer organization, more than one Collector may be required. Every Collector must meet the minimum hardware and operating system specifications documented in Rapid7’s InsightIDR product documentation, and every Collector must be able to make direct outbound connections to Rapid7’s Insight platform. The customer is responsible for provisioning and maintaining the Insight Collectors. During deployment, Rapid7 will assist with configuring the Collectors and with troubleshooting issues related to them.
2. Install Insight Agents
The Rapid7 Insight Agent collects endpoint data into InsightIDR to provide visibility into, and protection for, those devices. The Insight Agent is downloadable software that is installed onto supported assets. The customer is responsible for downloading the Insight Agent and installing it on all customer endpoints, including workstations, laptops, and servers, using the customer’s preferred packaging and software deployment tooling. The Insight Agent must be able to communicate directly with a Collector or with the Rapid7 platform. The customer should allow-list the Insight Agent in any technology that could interfere with its operation, including endpoint detection and response (EDR) products, antivirus software, and TLS/SSL interception or inspection products. The customer can use the Agent Management page in InsightIDR to view installed agents that are communicating with the Rapid7 platform. If there are problems deploying the agent, Rapid7 can assist with downloading the Insight Agent and with installation and functionality issues.
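A practical way to confirm the agent rollout described above is to query each endpoint for the agent service and test whether it can reach the Collector. The script below is an added example, not Rapid7's own tooling: the service name `ir_agent`, the Collector hostname `collector.corp.example`, the TCP port `5508`, and the computer list are all assumptions or constructed placeholders that must be replaced with the values from your environment and Rapid7's current documentation.

```powershell
# Added example (not from Rapid7 documentation): fleet check that the Insight Agent
# is installed, running, and can reach its Collector.
# Assumptions (verify against your environment and Rapid7's current docs):
#   - the Windows service name for the Insight Agent is 'ir_agent'
#   - $CollectorHost / $CollectorPort are the Collector address and the TCP port the
#     agents use to reach it; both values here are placeholders
param(
    [string[]]$ComputerName = @('WS01', 'WS02', 'SRV01'),  # constructed sample list
    [string]$CollectorHost  = 'collector.corp.example',    # placeholder
    [int]$CollectorPort     = 5508                         # assumed; check your Collector
)

$results = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ErrorAction Stop `
            -ArgumentList $CollectorHost, $CollectorPort -ScriptBlock {
            param($h, $p)
            # Service lookup: absent service means the package never landed.
            $svc = Get-Service -Name 'ir_agent' -ErrorAction SilentlyContinue
            # TCP reachability from the endpoint itself, so host firewalls and
            # TLS-inspection proxies on the path are exercised too.
            $net = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                AgentInstalled = [bool]$svc
                AgentRunning   = [bool]($svc -and $svc.Status -eq 'Running')
                CollectorReach = [bool]$net.TcpTestSucceeded
                Error          = $null
            }
        }
    } catch {
        # Remoting failure: record it rather than silently dropping the host.
        [pscustomobject]@{
            Computer = $c; AgentInstalled = $null; AgentRunning = $null
            CollectorReach = $null; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table Computer, AgentInstalled, AgentRunning, CollectorReach, Error -AutoSize

# Hosts to revisit: agent missing/stopped, Collector unreachable, or remoting failed.
# For these, confirm the package deployed and check EDR, antivirus and TLS-inspection
# allow-lists for the agent binary and its outbound connections.
$results | Where-Object { -not $_.AgentRunning -or -not $_.CollectorReach -or $_.Error }
```

Run it from an administrative workstation with WinRM access to the targets; hosts that show `AgentRunning` as true but `CollectorReach` as false are the usual sign of a firewall or inspection product in the path, and should be cross-checked against the Agent Management page in InsightIDR.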
3. Add Required Event Sources to InsightIDR
Customers must add the required event sources to InsightIDR so that the Rapid7 team can perform user attribution and environment detections for the MDR service. The required event sources are Active Directory, Dynamic Host Configuration Protocol (DHCP), and Lightweight Directory Access Protocol (LDAP). The customer is responsible for adding these required event sources to InsightIDR, monitoring their health, and fixing any issues that arise with them in a timely manner. Any configuration changes required to customer-owned technology, or to InsightIDR event sources that touch customer-owned technology, must be made by the customer. During the deployment, Rapid7 will assist with configuring all required event sources and with verifying full functionality of the InsightIDR product. If any event sources are not functional, Rapid7 will assist with determining the cause and will provide guidance on fixing them.
4. Configure Settings Page in InsightIDR
During the deployment, Rapid7 will review the settings on the InsightIDR Settings page with the customer and make recommendations for the items that are relevant to the customer’s organization. The customer is responsible for configuring these items and for providing Rapid7 with the information needed to advise the customer on the best use of the product.
Optional Deployment Tasks
The following are additional deployment tasks for MDR.
5. Add Recommended Event Sources to InsightIDR
In addition to the required event sources, the customer should add all recommended event sources to InsightIDR. The recommended event sources are Domain Name System (DNS), Firewall, Web Proxy, Virtual Private Network (VPN), and Cloud Services. As with the required event sources, the customer is responsible for identifying the event source types relevant to their organization, configuring logging on the customer’s devices, and adding the event sources to InsightIDR. Any configuration changes required to customer-owned technology, or to InsightIDR event sources that touch customer-owned technology, must be made by the customer. During the deployment, Rapid7 will assist the customer with configuring the relevant event sources and with verifying full functionality of the InsightIDR product. The customer is responsible for monitoring the health of these event sources and fixing any issues that arise with them in a timely manner.
6. Add Generic or Custom Event Sources to InsightIDR
InsightIDR can also collect log data that is not used by any of its behavioral or forensic analytics. Configuring these generic or custom event sources is optional and at the customer’s discretion, so long as collecting this data does not interfere with, inhibit, or impede the functionality of the required and recommended event sources. During deployment, Rapid7 will assist the customer with configuring these event sources in InsightIDR (including guidance on using the Custom Parsing Tool) and will provide basic troubleshooting guidance for custom and generic event sources. Rapid7 will not provide custom integrations, custom parsing, software development, or configuration of any event source or data collection beyond the named event sources that InsightIDR supports. Additional professional services time can be purchased if assistance with custom collection or integrations is desired.
7. Configure Additional Event Sources
In addition to the required and recommended event sources, InsightIDR allows the customer to collect additional events, event sources, and data types. The customer may add these to InsightIDR for the customer’s own use in custom alerts, Dashboards, Investigations, or Reports, as long as collecting this data does not interfere with or inhibit the collection of the required and recommended event sources.
8. Configure Dashboards in InsightIDR
If the customer wishes to use Dashboards, the customer must configure them, either by adding cards from the pre-configured library available in the product or by building the customer’s own cards. The Rapid7 MDR team does not use the Dashboards, but can assist the customer with this configuration and can provide recommendations on best practices.
9. Configure Orchestration and Automation
Select automation workflows can be launched directly from InsightIDR. Some of these workflows use the Rapid7 Insight Agent; others require the customer to provision and configure a separate server called a Rapid7 Orchestrator. Additional automation workflows are available by purchasing Rapid7 InsightConnect. Depending on the workflow, the customer then configures the connections that the automation will use. The customer is responsible for provisioning and configuring the Orchestrator, and for configuring the automation workflows and testing them to verify functionality. Rapid7 will not run any workflows or take actions on the customer’s behalf, but will assist the customer with configuring the built-in workflows and with understanding how to use them during an Investigation.
10. Configure Additional Settings
InsightIDR also supports optional settings such as Single Sign-On or Multi-Factor Authentication, Restricted Assets, adding users to the product Watchlist, and changing which accounts are marked as Service Accounts. Rapid7 will discuss the relevant settings with the customer and assist with configuring them.
11. Configure Deception Traps
InsightIDR provides four deception traps that can be configured to gain additional visibility into user and attacker behavior. Rapid7 recommends deploying a Honeypot in each major network segment of the customer’s organization, and configuring the other trap types as well. During the deployment, Rapid7 will assist with configuring these deception technologies.
12. Set Up File Monitoring
InsightIDR supports two options for File Monitoring: File Integrity Monitoring and File Access Activity Monitoring. During deployment, Rapid7 will assist the customer with configuring either or both of these features if needed; however, the resulting detections are not monitored by the MDR service and are not used in investigations.