This page outlines important terms related to Managed Detection and Response (MDR).
The following is a glossary of MDR-related terminology.
Suspicious event triggered in InsightIDR by one or more correlated event sources.
After Security Operations Center (SOC) investigation and validation, the SOC determines how urgent the alert is. High criticality alerts should be addressed immediately.
The MDR SOC team uses Threat Intelligence gathered from third-party sources and through engagements with MDR and Incident Response customers to enhance our detections for MDR customers.
Also known as a cyberattack: any attempt to expose, alter, disable, destroy, steal or gain unauthorized access to, or make unauthorized use of, an asset. An attack campaign may be limited to a single asset or a single business, or it may be coordinated across many assets and businesses.
Attacker Behavior Analytics (ABA)
Attacker Behavior Analytics (ABA) are alerts generated by detections of commonly used attacker tactics, techniques, and procedures (TTPs).
MDR provides a Findings Report with a complete timeline of events and discoveries so the customer can follow each step of the attack.
After deployment, Rapid7 MDR will verify that there is no malicious activity in the customer’s network or evidence of previous compromises. This report contains any detected active or historic compromises, potential avenues for future breaches, and prioritized remediation and mitigation recommendations.
Actions that can be performed by the customer via InsightIDR (or found through a link in the Findings Report) to contain or disrupt the current attacker. Examples are locking an asset and disabling a user.
The Customer Advisor (“CA”) is each customer’s main point of contact for the Rapid7 MDR service. This named resource works with the customer’s team as a strategic security partner—from initial technology deployment through incident remediation and ongoing security consultation—to shepherd each customer organization’s security maturity.
The ways in which Rapid7 MDR is able to find attackers in the customer environment.
Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) tools are used by MDR to enhance the logs and information collected during incident investigation to gain a clearer picture of the attack.
Event Sources are informational log sources used by InsightIDR and the MDR team to generate detections.
Deep investigative work done by the MDR SOC analysts.
Customers enter into Full Service when the Insight Agent is deployed to over 80% of in-scope endpoints. This includes Threat Hunting and the Compromise Assessment.
Manual triage by the MDR SOC Pod based on alerts generated from our detections.
The software that powers the MDR service is purchased on a subscription basis and is centrally hosted such that the customer must purchase access to the Insight Agent and InsightIDR software through MDR in order for the service to operate properly.
If the customer is not able to deploy to 80% of their endpoints by the completion of Deployment Days, the customer will be placed into Limited Service by the MDR SOC team. In this phase, the MDR SOC will monitor alerts from the currently connected event sources and deployed agents; however, the customer must still deploy the agents to the rest of their in-scope environment. The scope of Limited Service is restricted to endpoints with Insight Agents. Limited Service ends when the Insight Agent is deployed to 80% of the in-scope environment and the customer is moved to Full Service.
Informational sources that are used to correlate actions and alerts inside of InsightIDR. These are not the same as event sources.
Logically separated environment
The organization’s IT infrastructure may have one or more logically separated environments. For example, an organization may have an Internet-facing production data center that is separate from its corporate IT end-user environment, or it may have multiple subsidiaries with logically separate IT infrastructure. In these situations, Rapid7 recommends that an organization deploy our MDR service to all of its environments, for two reasons. The first is that attackers often move laterally within an organization from one environment to another, and without a full deployment to all environments we may be unable to detect or respond to the full scope of an attack. The second is that if traffic or activity from ‘out of scope’ environments is logged by ‘in scope’ environments, this causes additional detection and response work for the MDR SOC that the customer is not licensed for. However, Rapid7 MDR will consider monitoring 'logically separated environments' as long as these meet the following criteria:
Remote Incident Response
A technical process handled by the Managed Services SOC to scope the severity of a compromise. All investigation activity is conducted remotely and is limited to examination of data obtainable by the InsightIDR agent and platform. Remote Incident Response engagements are not time bound and expire at the end of each contract year.
Detections based on specific attacker or code patterns.
The customer’s environment will be assigned to one of our SOC Pods staffed by our world-class analysts. These analysts are assembled in Pods to ensure each customer receives continuous 24x7x365 monitoring coverage for real-time alert investigation and incident response. Each SOC Pod will investigate alerts generated for their specific customer clusters.
The process of proactively searching for cyber threats in the environment, performed manually by the SOC analysts.
Threat Intelligence Team
Supports the MDR SOC and CAs with threat analysis and new detections. Our Rapid7 Threat Intelligence team of researchers identifies new attacker trends across the global threat landscape and uses these findings to create in-product detection mechanisms for new vulnerabilities, exploits, and attack campaigns.
User Behavior Analytics (UBA)
User Behavior Analytics (UBA) detections are triggered when a user exhibits a deviation from normal user activity within the customer’s environment.
The Rapid7 MDR SOC performs initial triage and investigation to determine with a high degree of confidence that the event is non-benign and requires communication to the customer.
Rapid7 Cloud Technology Architecture and Capabilities
The following is a list of the Rapid7 cloud technology that is used with MDR.
Responsible for all log management, data processing, enrichment, and storage of customer data. Each customer instance on the Insight cloud is isolated from other instances.
Rapid7’s purpose-built cloud SIEM for incident detection and response combines real-time threat intelligence insights with a deep understanding of the customer’s environment and sophisticated behavior analytics to identify threats.
Customer Service Portal
Rapid7’s purpose-built portal for delivering MDR content, such as Findings and service-related reports, to the customer.
Threat Intelligence Engine
Primary Rapid7-developed intelligence paired with additional third-party sources to enrich attack detection and response processes in near real time.
Customer-Deployed Software and Configuration
The following is a list of the software that MDR customers deploy.
Powers the Insight cloud and allows Rapid7 analysts to collect data for identifying malicious activity on the customer’s endpoints, providing system-level visibility, real-time detection analysis, and endpoint investigation and hunting. We recommend deploying the Insight Agent on all endpoints, but require deployment to a minimum of 80% of licensed assets (defined as workstations, desktops, and servers), using the customer’s existing software management processes, in order to deliver the service. Rapid7 assigns deployment resources to work with the customer on the initial deployment of the Rapid7 MDR technology stack and to ensure the customer’s event sources are configured for optimal service.
Collectors receive log data and agent data from the customer’s environment. All collected data is compressed and encrypted before being forwarded to the Insight cloud. The customer is responsible for provisioning Collectors as described in the Rapid7 InsightIDR documentation. The Collectors must meet the recommended hardware specifications. The customer is also responsible for keeping the Collector operating system patched and up-to-date.
Rapid7’s purpose-built cloud SIEM for incident detection and response combines real-time threat intelligence insights with a deep understanding of the customer’s environment and sophisticated behavior analytics to identify threats. Customers can also establish custom alerts in InsightIDR; however, Rapid7 will be unable to act on these custom alerts beyond the monitoring that MDR typically covers. Additionally, the customer’s team should not modify or close out alerts within InsightIDR without first contacting the Customer Advisor, so that the Rapid7 MDR team maintains complete visibility.
Deception Technology (optional)
Honeypots, honey users, honey credentials, and honey files designed to identify malicious behaviors using fake assets, users, credentials in memory, or files.
File Integrity Monitoring (optional)
Alerts generated for changes to operating system and application software files, used to identify whether tampering or fraud has occurred. Rapid7 MDR does not alert on File Integrity Monitoring events, but these are available for the customer to investigate from their own instance of InsightIDR.
Insight Orchestrator (Automation)
Automation in InsightIDR allows the customer to add enrichment to open investigations or to take action when alerted to possible malicious behavior. The customer is responsible for provisioning, configuring, and activating an Orchestrator system to use automation functionality. Rapid7 will assist with the configuration, activation, and use of the Orchestrator. Rapid7 will not take any actions on the customer’s behalf to quarantine assets, stop processes, disable accounts, de-provision users, or any type of action that is available as part of the InsightIDR Automation and Orchestration suite.