MDR Terms

This page outlines important terms related to Managed Detection and Response (MDR).

MDR Terminology

The following is a glossary of MDR-related terminology.

Term

Description

Alert

A suspicious event raised in InsightIDR from one or more correlated event sources.

Alert Criticality

The urgency assigned to an alert after Security Operations Center (SOC) investigation and validation. High-criticality alerts should be addressed immediately.

Alert Tuning

The MDR SOC team uses threat intelligence gathered from third-party sources and from engagements with MDR and Incident Response customers to refine the detections used for MDR customers.

Attack Campaign

Also known as a cyberattack: any attempt to expose, alter, disable, destroy, steal, gain unauthorized access to, or make unauthorized use of an asset. An attack campaign may be limited to a single asset or a single business, or it may be coordinated across many assets and businesses.

Attacker Behavior Analytics (ABA)

Attacker Behavior Analytics (ABA) alerts are generated by detections that match tactics, techniques, and procedures (TTPs) commonly used by attackers, rather than a specific file or string signature.

Attack Storyboarding

MDR provides a Findings Report with a complete timeline of events and discoveries so the customer can follow each step of the attack.

Compromise Assessment

After deployment, Rapid7 MDR assesses the customer's network for active malicious activity and for evidence of previous compromise(s). The resulting report contains any detected active or historic compromises, potential avenues for future breaches, and prioritized remediation and mitigation recommendations.

Containment Actions

Actions the customer can perform in InsightIDR (or reach through a link in the Findings Report) to contain or disrupt the current attacker, for example quarantining an asset or disabling a user account.

Customer Advisor

The Customer Advisor ("CA") is each customer's main point of contact for the Rapid7 MDR service. This named resource works with the customer's team as a strategic security partner, from initial technology deployment through incident remediation and ongoing security consultation, to guide the customer organization's security maturity.

Detection Methodologies

The ways in which Rapid7 MDR is able to find attackers in the customer environment.

Endpoint Detection and Response (EDR)

Endpoint Detection and Response (EDR) tooling is used by MDR to supplement the logs and information collected during an incident investigation with endpoint-level detail, giving a clearer picture of the attack.

Event Source

Event Sources are the log sources ingested by InsightIDR and used by the MDR team to generate detections.

Forensic Analysis

Deep investigative work performed by the MDR SOC analysts.

Full Service

Customers enter Full Service once the Insight Agent is deployed to at least 80% of in-scope endpoints. Full Service includes Threat Hunting and the Compromise Assessment.

Investigation

Manual triage by the MDR SOC Pod of the alerts generated by Rapid7's detections.

License

The software that powers the MDR service is sold on a subscription basis and is centrally hosted; the customer must purchase access to the Insight Agent and InsightIDR software through MDR for the service to operate properly.

Limited Service

If the customer is unable to deploy the Insight Agent to at least 80% of in-scope endpoints by the end of Deployment Days, the MDR SOC team places the customer in Limited Service. In this phase the MDR SOC monitors alerts from the event sources and agents connected so far, but the customer must still deploy agents to the rest of the in-scope environment. The scope of Limited Service is restricted to endpoints that have the Insight Agent installed. Limited Service ends when the Insight Agent is deployed to at least 80% of the in-scope environment, at which point the customer moves to Full Service.

Log Source

Informational sources used to correlate actions and alerts inside InsightIDR. These are distinct from event sources.

Logically separated environment

An organization's IT infrastructure may consist of one or more logically separated environments. For example, an organization may have an Internet-facing production data center that is separate from its corporate IT end-user environment, or it may have multiple subsidiaries with logically separate IT infrastructure. In these situations, Rapid7 recommends deploying the MDR service to all environments, for two reasons. First, attackers often move laterally from one environment to another, and without full deployment to all environments Rapid7 may be unable to detect or respond to the full scope of an attack. Second, if traffic or activity from out-of-scope environments is logged by in-scope environments, it creates additional detection and response work for the MDR SOC that the customer is not licensed for. Rapid7 MDR will nevertheless consider monitoring a subset of logically separated environments as long as each excluded environment meets the following criteria:
* It has its own authentication and access control infrastructure, specifically its own Windows domain.
* It is on a network that is logically segmented from the in-scope environments.
* It serves a distinctly different purpose from the other environments, for example a production data center versus a corporate IT end-user network.
* It has its own Internet egress points.

Remote Incident Response

A technical process handled by the Managed Services SOC to scope the severity of a compromise. All investigation activity is conducted remotely and is limited to examination of data obtainable through the InsightIDR agent and platform. Remote Incident Response engagements are not bounded by a fixed number of hours; they expire at the end of each contract year.

Signatures

Detections based on specific attacker or code patterns, such as a known malicious file hash, command-line string, or tool name.

SOC Pod

The customer's environment is assigned to one of Rapid7's SOC Pods, staffed by its analysts. Analysts are organized into Pods so that each customer receives continuous 24x7x365 monitoring coverage for real-time alert investigation and incident response. Each SOC Pod investigates the alerts generated for its own cluster of customers.

Threat Hunting

The process of proactively searching the environment for threats that have not triggered an alert, performed manually by the SOC analysts.

Threat Intelligence Team

Supports the MDR SOC and CAs with threat analysis and new detections. The Rapid7 Threat Intelligence team of researchers identifies new attacker trends across the global threat landscape and uses these findings to create in-product detections for new vulnerabilities, exploits, and attack campaigns.

User Behavior Analytics (UBA)

User Behavior Analytics (UBA) detections trigger when a user's activity deviates from that user's established baseline within the customer's environment, for example authenticating from a host, location, or time of day that the user has never used before.
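The three detection styles above (Signatures, Attacker Behavior Analytics, and User Behavior Analytics) differ in what they key on: a fixed pattern, a known attacker technique, or a deviation from a per-user baseline. The following is an added, illustrative example of each style run over a handful of constructed log events; it is not InsightIDR's detection engine or any Rapid7 code, and the event field names (`user`, `host`, `src_ip`, `parent`, `image`, `cmdline`) are assumptions chosen for the example.

```python
"""Illustrative signature / ABA / UBA detections over constructed events.
Added example: not InsightIDR's logic. Event schema below is assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed "normal" history used only to build the UBA baseline.
HISTORY = [
    {"ts": "2024-05-01T09:12:00", "user": "alice", "host": "WS-ALICE", "src_ip": "10.0.5.21", "event": "auth_success"},
    {"ts": "2024-05-02T08:58:00", "user": "alice", "host": "WS-ALICE", "src_ip": "10.0.5.21", "event": "auth_success"},
    {"ts": "2024-05-03T09:03:00", "user": "alice", "host": "WS-ALICE", "src_ip": "10.0.5.21", "event": "auth_success"},
    {"ts": "2024-05-01T10:40:00", "user": "bob", "host": "WS-BOB", "src_ip": "10.0.5.33", "event": "auth_success"},
    {"ts": "2024-05-02T11:05:00", "user": "bob", "host": "WS-BOB", "src_ip": "10.0.5.33", "event": "auth_success"},
]

# Constructed events for the day under review.
TODAY = [
    {"ts": "2024-06-01T09:05:00", "user": "alice", "host": "WS-ALICE", "src_ip": "10.0.5.21", "event": "auth_success"},
    # alice at 03:10 from a host and IP never seen for her: UBA deviation
    {"ts": "2024-06-01T03:10:00", "user": "alice", "host": "SRV-FIN01", "src_ip": "10.0.9.200", "event": "auth_success"},
    # Office document spawning an encoded PowerShell: a common attacker TTP (ABA)
    {"ts": "2024-06-01T09:06:00", "user": "bob", "host": "WS-BOB", "event": "process_start",
     "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    # Known credential-dumping tool by name and module string (signature)
    {"ts": "2024-06-01T09:07:00", "user": "bob", "host": "WS-BOB", "event": "process_start",
     "parent": "cmd.exe", "image": "mimikatz.exe",
     "cmdline": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    # Benign activity that none of the detections should flag
    {"ts": "2024-06-01T12:00:00", "user": "bob", "host": "WS-BOB", "event": "process_start",
     "parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# --- Signatures: fixed patterns in the command line --------------------------
SIGNATURES = {
    "mimikatz_cmdline": re.compile(r"sekurlsa::|lsadump::|mimikatz\.exe", re.I),
}

def signature_hits(events):
    """Return (signature, host, user) for each event whose cmdline matches a pattern."""
    hits = []
    for e in events:
        text = e.get("cmdline", "")
        for name, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((name, e["host"], e["user"]))
    return hits

# --- ABA: technique-level behaviour, independent of any particular tool ------
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def aba_hits(events):
    """Flag Office-spawns-shell and encoded PowerShell regardless of payload."""
    hits = []
    for e in events:
        if e.get("event") != "process_start":
            continue
        parent, image = e.get("parent", "").lower(), e.get("image", "").lower()
        if parent in OFFICE and image in SHELLS:
            hits.append(("office_spawns_shell", e["host"], e["user"]))
        if image in {"powershell.exe", "pwsh.exe"} and ENCODED_FLAG.search(e.get("cmdline", "")):
            hits.append(("encoded_powershell", e["host"], e["user"]))
    return hits

# --- UBA: deviation from the user's own baseline -----------------------------
def build_baseline(history):
    """Per-user sets of hosts, source IPs and logon hours seen in the history."""
    base = defaultdict(lambda: {"hosts": set(), "ips": set(), "hours": set()})
    for e in history:
        if e["event"] != "auth_success":
            continue
        b = base[e["user"]]
        b["hosts"].add(e["host"])
        b["ips"].add(e["src_ip"])
        b["hours"].add(datetime.fromisoformat(e["ts"]).hour)
    return base

def uba_hits(history, events):
    """Flag logons from a new host or IP, or more than two hours from any usual hour."""
    base = build_baseline(history)
    hits = []
    for e in events:
        if e["event"] != "auth_success":
            continue
        b = base.get(e["user"])          # .get() does not create a default entry
        if b is None:
            hits.append(("first_seen_user", e["host"], e["user"]))
            continue
        reasons = []
        if e["host"] not in b["hosts"]:
            reasons.append("new_host")
        if e["src_ip"] not in b["ips"]:
            reasons.append("new_source_ip")
        hour = datetime.fromisoformat(e["ts"]).hour
        if all(abs(hour - h) > 2 for h in b["hours"]):
            reasons.append("unusual_hour")
        if reasons:
            hits.append(("+".join(reasons), e["host"], e["user"]))
    return hits

def run_detections(history, events):
    """Run all three methodologies and group the raw alerts by methodology."""
    return {"signature": signature_hits(events),
            "aba": aba_hits(events),
            "uba": uba_hits(history, events)}

if __name__ == "__main__":
    for kind, alerts in run_detections(HISTORY, TODAY).items():
        print(kind, alerts)
```

Note that the signature fires only because the tool name and module string are present verbatim; renaming the binary defeats it, whereas the ABA rule still catches the Office-to-PowerShell chain, and the UBA rule fires on alice's logon with no knowledge of any tool at all. Each raw hit here would still need the SOC validation and criticality assignment described above before it becomes a customer-facing alert.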

Validation

Initial triage and investigation by the Rapid7 MDR SOC to determine, with a high degree of confidence, that an event is not benign and requires communication to the customer.

Rapid7 Cloud Technology Architecture and Capabilities

The following is a list of the Rapid7 cloud technology that is used with MDR.

Technology

Description

Insight Cloud

Responsible for all log management, data processing, enrichment, and storage of customer data. Each customer instance on the Insight cloud is isolated from every other instance.

InsightIDR

Rapid7's purpose-built cloud SIEM for incident detection and response. It combines real-time threat intelligence with an understanding of the customer's environment and behavior analytics to identify threats.

Customer Service Portal

Rapid7's purpose-built portal for delivering MDR content, such as Findings Reports and service-related reports, to the customer.

Threat Intelligence Engine

Rapid7-developed intelligence, paired with additional third-party sources, used to enrich attack detection and response processes in near real time.

Customer-Deployed Software and Configuration

The following is a list of the software that MDR customers deploy.

Technology

Description

Insight Agent

Supplies endpoint data to the Insight cloud and allows Rapid7 analysts to collect the data needed to identify malicious activity on the customer's endpoints: system-level visibility, real-time detection analysis, and endpoint investigation and hunting. Rapid7 recommends deploying the Insight Agent on all endpoints, but requires deployment to a minimum of 80% of licensed assets (workstations, desktops, and servers), using the customer's existing software management processes, in order to deliver the service. Rapid7 assigns deployment resources to work with the customer on the initial deployment of the MDR technology stack and to ensure the customer's event sources are configured for optimal service.

Insight Collector

Collectors receive log data and agent data from the customer's environment. All collected data is compressed and encrypted before being forwarded to the Insight cloud. The customer is responsible for provisioning Collectors as described in the Rapid7 InsightIDR documentation; Collectors must meet the recommended hardware specifications. The customer is also responsible for keeping the Collector operating system patched and up to date.

InsightIDR

Rapid7's purpose-built cloud SIEM for incident detection and response. It combines real-time threat intelligence with an understanding of the customer's environment and behavior analytics to identify threats. Customers can also create custom alerts in InsightIDR; however, Rapid7 will not act on custom alerts beyond the monitoring that MDR normally covers. Additionally, the customer's team should not modify or close alerts in InsightIDR without first contacting the Customer Advisor, so that the Rapid7 MDR team retains complete visibility.

Deception Technology (optional)

Honeypots, honey users, honey credentials, and honey files: fake assets, accounts, in-memory credentials, and files whose only legitimate use is none, so that any interaction with them indicates malicious behavior.

File Integrity Monitoring (optional)

Alerts generated when operating system or application files change, to identify tampering or fraud. Rapid7 MDR does not act on File Integrity Monitoring alerts, but they are available for the customer to investigate from its own InsightIDR instance.

Insight Orchestrator (Automation)

Automation in InsightIDR allows the customer to enrich open investigations or to take action when alerted to possible malicious behavior. The customer is responsible for provisioning, configuring, and activating an Orchestrator system in order to use automation; Rapid7 will assist with its configuration, activation, and use. Rapid7 will not take any action on the customer's behalf to quarantine assets, stop processes, disable accounts, de-provision users, or perform any other action available in the InsightIDR Automation and Orchestration suite.