Auden Group Relies on the Rapid7 Insight Platform to Securely Expand Its Financial Services Product Portfolio

About Auden

Auden Group is a socially responsible financial services company. Through technology, research, and innovation, the company is building better ways for its customers to borrow and take control of their money. Founded in 2013, Auden’s first product was a loan platform that makes short-term loans more affordable. Today, the Manchester, UK company is developing new banking services designed to improve customers’ financial health and wellbeing.

The company’s leadership recognized that cyber security was central to the success of its mission and growth. As a result, they brought in a six-person security team, led by Philip Wright, Head of Information Security, to manage all aspects of cybersecurity from prevention to threat response.

Challenge

“I've been working in security for 12 years, dedicated to InfoSec,” says Wright. “I worry about all types of security incidents. But I think what scares me most is phishing and human error.” Wright wanted to build a program around the NIST cybersecurity framework: identify, protect, detect, respond, and recover. With the company’s first product launch only a month away, Wright’s priority was obtaining the ability to detect suspicious activity. He turned to InsightIDR, Rapid7’s easy-to-deploy SIEM (Security Information and Event Management) solution that features built-in threat detection.

Solution

“Unless you can detect, you can’t respond and recover,” says Wright. So, within two weeks of starting at Auden, Wright began a POC of InsightIDR. He had never used InsightIDR before, but he had extensive experience with other SIEM solutions and he knew that it would take months to get to a point where one of those products would be fully deployed. He needed a product that had powerful out-of-the-box detection capabilities. InsightIDR features User Behavior Analytics and a number of other detection methodologies, making it the perfect product for what Wright needed. “We were in production by day three of the POC and by the end of a 30-day POC, we were getting real value out of InsightIDR.”

Most importantly, when Auden’s business grows tenfold, the security team doesn’t need to grow tenfold. The Insight platform provides us with a lot of operating leverage and scalability.
Philip Wright, Head of Information Security

Doing More with Less

Facing the challenge of building a SOC from scratch with limited staff, once InsightIDR was up and running, Wright turned his attention to automating processes to keep his staff from being overwhelmed. “I wanted to solve the automation challenge with InsightConnect. Since it is natively supported on the same Insight platform, it really made sense for us to go that route instead of rolling our own or using a different automation platform.”

Auden was able to quickly get more than 30 InsightConnect automation workflows into production. As a result, almost two-thirds of Auden’s weekly alerts are handled automatically, while the remaining one-third are accelerated with automation and alert enrichment. “Before deploying InsightConnect we were getting about 300 alerts every week that we had to address manually,” Wright explains. “With InsightConnect, we have automated about 200 of them. We can automatically add context to the remaining 100 alerts, enabling our three SOC analysts to handle them more quickly and efficiently. It shortens our response time, and when there is a compromise or potential compromise, speed is critical.”

One of the InsightConnect automation workflows uses Slack to validate whether a user performed certain actions. If the user says they did it, the investigation is closed. If the user denies it, the team continues the investigation. Another workflow uses Slack to present pre-processed vulnerability analysis to the SOC team for analysis. The automation task runs a Slack-generated report of current critical vulnerabilities that can be handled by any of the SOC analysts. “It automatically kicks off a forensics workflow from Sophos, which we have on all of our machines,” Wright explains. “The workflow unpacks a snapshot of the specific machine, sorts the data, converts it into a human-readable format, and then makes the data queryable by analysts from Slack. This saves about eight hours of work every time we run it, and we do this sort of analysis 3-4 times per week. That’s a huge benefit.”

“The only reason I can run a 24/7 SOC with three people is because of InsightIDR and InsightConnect,” says Wright. “We have a 15-minute SLA for first touch on a case. Most of the time, we make first touch within five minutes.”

The only reason I can run a 24/7 SOC with three people is because of InsightIDR and InsightConnect.
Philip Wright, Head of Information Security

Benefits of an Integrated Platform

Once Wright had the tools to detect, respond, and recover, he needed to go back to the first part of the NIST cybersecurity framework and implement solutions to help identify and protect Auden’s data and assets. For this, he turned to Rapid7’s vulnerability management tool, InsightVM. One key benefit of the Insight platform is that the Rapid7 Insight Agent is used by both InsightVM and InsightIDR on Auden’s endpoints. This meant deploying InsightVM was quick and easy. It doesn’t hurt that the Insight Agent is lightweight. “I hate agents unless they’re lightweight and don’t bog down the machine,” says Wright, “and the Insight Agent is a truly thin client.”

Another benefit of using the Insight platform is the data that’s exchanged between products. “Vulnerability and alert data can be connected easily in an investigation. If we see any anomalous activity, we can immediately check the associated vulnerabilities in InsightVM,” Wright explains. “We never need to leave our Rapid7 interface. We just click the drop-down into InsightVM and see if the approach is exploitable.”

Protecting the Cloud

Auden’s IT application deployment environment is completely cloud-based across Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). It is critical that Auden’s security program provides highly effective and consistent security controls across all three cloud platforms.

Auden is leveraging the native integrations offered by InsightIDR and InsightVM to help monitor their cloud footprint. They’re also using InsightConnect to cut down on the legwork that would otherwise be required to manage security across their multi-cloud environment. For example, with assets spread across many different types of infrastructure, it was a real challenge for the Auden team to understand if an IP address was internal or external, let alone the details of the asset itself and where it was located. To solve this challenge, they built an InsightConnect workflow. Now the team can enter an IP address into Slack and the workflow will search through Auden’s infrastructure to locate the IP address and associated asset. Once the asset is found, details of the IP and asset, such as IP address type, asset name, asset type, location, availability zone, and more, are provided in the Slack reply. Auden also has a similar workflow to retrieve firewall rules.

The native cloud integrations found in InsightIDR and InsightVM, along with the dozens of cloud plugins offered by InsightConnect, make it possible for Auden to seamlessly manage security across their multi-cloud environment. “This is just one example of how monitoring, alerting, and automation combine to eliminate common mistakes before they can expose the company to a true security incident or require a report to their regulator,” Wright adds.

As they continue to develop innovative banking services, Auden is relying on Rapid7’s Insight platform to provide a robust security environment. “The bottom line is,” Wright concludes, “if Auden’s business is ten times what it is now, the security team doesn’t need to grow tenfold. The Insight platform provides us with a lot of operating leverage and scalability.”

Six products, one platform, no compromise. The Insight Platform is your single-pane-of-glass security solution.