Blue Valley School District Partners with Rapid7 to Empower Its New Security Team

About Blue Valley School

The Blue Valley Unified School District in Kansas has more than 23,000 students and 3,100 faculty and staff spread across 5 high schools, 9 middle schools and 21 elementary schools. The district has a long-standing commitment to ensuring the use of technology as an integral part of district curriculum and instruction. Blue Valley Schools is a 1:1 district, meaning that starting in kindergarten there is one device available for each student, and beginning in 6th grade those devices go back and forth between school and home - an environment challenging enough to give any security professional serious pause.

Equally important, Blue Valley Schools is committed to providing safe learning environments for students. All district devices and activities students perform online are protected through a cloud-based filtering system 24/7. This means students can learn anytime, anywhere and always experience the same level of digital safety when on district devices, whether they are in the classroom, on the bus, or at home.

Challenge

In August of 2019 Blue Valley was the target of a successful ransomware attack and, after mitigating the attack, immediately undertook a top-to-bottom security assessment of its vast application and network infrastructure. Evan Nichols was Blue Valley’s first cybersecurity engineer and is the department’s resident expert. In this article, Evan highlights the key security challenges the school district faces.

Ransomware

Ransomware attacks will always be at the top of the security team’s threat list, notes Nichols. “Our biggest ongoing threat is the phishing entry point. The perception is that public school districts have shoestring budgets and lack manpower, and cybercriminals bank on that. Our district was targeted in 2019 because we are one of the largest districts in the state and it was just days prior to the start of school.”

Visibility

“It comes down to being able to get a 1,000-foot view on things with only a small team of people to look at what we’re pulling in,” explains Nichols. “The biggest challenge is avoiding things like alert fatigue and making sure we get pertinent data to district administration immediately.”

Staffing

Nichols also acknowledges that many school districts are not able to make the level of investment in staffing and software that is needed to deal with the demands of today’s cybersecurity environment. “A lot of public K-12 environments don’t have the manpower to do what is required to run a full-blown security stack. Or they may rely on open-source tools that require a lot of attention, but that also requires staffing hours and expertise which a lot of school districts don’t have.”

Solution

Nichols’ first step was to implement the Rapid7 Insight Platform, including InsightIDR for detection and response, InsightVM for vulnerability management, and InsightConnect for automation. “I chose the Rapid7 Insight Platform because it is the right size for us,” states Nichols. “We are dealing with a lot of data, but we don’t have a lot of warm bodies. We don’t have a lot of people trained as SOC analysts or engineers. We need the Rapid7 platform to do a lot of the heavy lifting for us.”

“We started with detection, because you don’t know what else you’re going to need until you assess. Plus, we were able to get Rapid7 InsightIDR up and running in less than a week. Deploying it in our environment was very easy and fast.” Blue Valley also uses InsightVM to scan data center assets as part of its goal of shifting to a zero-trust model. “InsightVM lets us do that with confidence.”

Today, Blue Valley Schools has three professionals continuously training in all things cybersecurity, a lean but very efficient security team. The Rapid7 Insight Platform is providing them with the big-picture and deep visibility they need to oversee and protect their challenging environment. “The Insight Platform is good at drawing to the surface the data that we want to see,” Nichols says. “I don’t have to search very far to see what’s going on. That’s because the searches in InsightIDR are really easy to navigate and tailor around our environment. Saving and recalling queries is easy, too.”

“We have a little bit of monitoring on everything. The baseline sources for InsightIDR are one thing entirely, and they feed the user behavior detection analytics models that InsightIDR provides. On top of that, we have tons of custom parsing and log event sources that we’re able to do a lot faster than we would be able to with other products. A lot of the upfront legwork was already done by Rapid7 because Rapid7 cares about the same security and IT event sources that we do.”

“Rapid7 came prepared with the answer to our manpower problem by way of InsightConnect,” continues Nichols. “It really helps with our manpower shortage problem because you can throw all of your alerts into a central workflow system. Before that, it was hard for us to take action and respond at scale. InsightConnect has empowered us to do a lot of our incident response in an automated way. And by us, I really mean me, because at the beginning I was the only one handling incident response.”

Rapid7’s simple setup impressed Nichols and his team. “What happens between InsightIDR and InsightConnect is really great. You can bring anything to the table, which is nice. It is really easy to set up and run. We have a Cisco product for network traffic analysis. It consumes all of the flow data and we generate alarms and behavior threshold alerts out of it. Then we pump that into InsightIDR and we’re able to respond more automatically by leveraging InsightConnect.”

The Benefits

“When we looked at other cloud security solutions with comparable breadth and depth, we would quickly have gone over budget. With the Rapid7 platform we get a lot of capabilities for the money. The other platforms would have been too complex for our small team to operate on a daily basis. The only other option would’ve been to do it all ourselves with open source software, which would have meant a lot of on-premises storage and systems, which equals a lot of costs. Then you have to consider the human capital to manage it. That is an entire environment you have to oversee. Those are things that steered us in the direction of InsightIDR and the broader Insight Platform.”

Going with Rapid7 has helped the Blue Valley Schools team manage their workflows more effectively. “We can rest and sleep easily between the time we leave the office until we return the next day because we have tailor-made workflows to account for things in our environment that would otherwise keep us awake at night. We knew we needed a way to collect all of our events. We chose InsightIDR because it has no cap on total events or data storage.”

“Rapid7 has helped us achieve all of our goals. We have plenty of visibility. We have tuned all of our detection analytics and data sources. I have a lot of confidence in Rapid7,” Nichols concludes.