What is our primary use case?
It is used to maintain our security posture by monitoring inside our network for behavior likely to be conducive to elements of the kill chain.
I was an early adopter of the product. I have seen it get better over time, making use of the data and methodologies used by the industry standard and Rapid7 Metasploit community.
How has it helped my organization?
We were able to identify criminals attempting to log in from China and put a stop on their IP locations.
What is most valuable?
- Intelligent alerting to avoid the common problem of alert fatigue associated with traditional SIEMs.
- Great coverage of all systems within our network from endpoint to firewall.
- Integration with threat modeling from the Metasploit and InsightIDR repositories.
- Enables the use of honey pots, honey users, and honey files to monitor for suspicious patterns.
It gives all the advantages of a SIEM. However, using clever AI, it looks for patterns of behavior rather than just flooding me with all the alerts.
What needs improvement?
Although the solution has been improving continually in the time I have been using it, there could be areas of improvement.
The one thing that springs to mind is easier API integration with ITSMs. We are evaluating a new ITSM and I would like to have InsightIDR create a ticket when an attack is identified, and the ticket would be closed in InsightIDR when the ITSM resolution is completed. This would take out the "single point of failure" we currently have, if the email recipient is somehow absent, in recording the risk appetite for the incident and the actions taken to mitigate or not.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
None at all. Even as an early adopter, there were no significant issues with stability. Due to the continual improvement, I do not recall the last issue that I had with the system.
What do I think about the scalability of the solution?
We are only a small PLC with 300 staff over six sites and two continents, so scalability has never been a major concern. However, the InsightIDR system looks to be scalable, if required.
How are customer service and technical support?
Technical support is excellent: technically strong, timely, and professional throughout any incident or enhancement request.
Which solution did I use previously and why did I switch?
This was our first look at security as a single entity. After creating a threat register, we were able to mitigate over two-thirds of the threats with this one product.
How was the initial setup?
It is very simple. It is a case of requesting a trial from Rapid7, then connecting the relevant logging devices, such as our AD servers or DNS servers, to it, and sitting back.
Obviously, there is more to it than that, but that is the principle.
What's my experience with pricing, setup cost, and licensing?
I am sure that there are cheaper products out there, but none that meet so many of our needs whilst maintaining stability and usability.
Which other solutions did I evaluate?
At the time, there was no other product that came close to InsightIDR's feature set, coupled with Rapid7's world-leading security position producing other products, such as Metasploit and Nexpose (InsiteVR), which we also use.
What other advice do I have?
Use it. The setup is minimal, but the payback is phenomenal.