What is our primary use case?
I was looking for a behavior analytics solution to help me monitor our users' activity and to notify me of any suspicious activity.
InsightIDR was able to meet those needs and even exceed them by providing full SIEM capabilities, even for devices it doesn't support directly. Most importantly, I don't need a team of people dedicated to log collecting and sifting.
How has it helped my organization?
With the full suite of Rapid7 products, I am able to provide effective oversight to the information security program with measurable progress. This is a very difficult thing to measure with the ever-changing threat landscape. Dashboards, including the main screen, provide much-needed information at a glance, without hours of coding and sifting through logs to find it. In case of an actual security incident, I have faith that InsightIDR has retained all logs in a secure manner that prevents log tampering as well.
What is most valuable?
InsightIDR’s ability to process millions of transactions per day, and to notify me of the most critical ones, is priceless. InsightIDR has the alerts tuned, and has the ability to quickly drill down to determine the threat level, which is very important to me as a one-person security department.
Another very important part of InsightIDR is the ability to collect data from endpoint devices via agent software. With a large remote workforce, this allows visibility into the endpoints that are connected to the internet, but not to the corporate network.
What needs improvement?
I would like the ability to adjust the threshold of certain existing alerts. Currently the only option is to change the notifications or create my own alert.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
I have not encountered any stability issues with the local collector. On the rare occasion that the cloud part of InsightIDR is undergoing maintenance or having other issues, I usually receive a notification from Rapid7 before I even notice a problem.
What do I think about the scalability of the solution?
I have not seen any issues with scalability. On average, InsightIDR is processing about 60 million events per day from my environment.
How are customer service and technical support?
The technical support folks at Rapid7 are a great bunch of folks. I haven't had much need to contact them, but when I have, they have been extremely professional and will escalate issues and suggestions to developers, if needed.
Which solution did I use previously and why did I switch?
I actually purchased the predecessor, InsightUBA, which quickly changed into the InsightIDR that we have today. There was no other previous solution.
How was the initial setup?
Setup was extremely simple. An implementation specialist was assigned to me to help get me started and to learn my environment and challenges.
For the most part, all communications are sent to a log aggregation server. It is as simple as pointing syslogs to that server. For some, such as Active Directory and Exchange, there are plugins that are simple to install on those servers to make sure the appropriate logs are sent.
From InsightIDR, it is as simple as choosing from a list of supported log sources, or you can create a generic log source by specifying a port number. It’s that simple.
What's my experience with pricing, setup cost, and licensing?
Licensing is straightforward. If, for some reason, you don’t meet the minimum licensing requirements, there is a third-party managed service that can help.
Which other solutions did I evaluate?
I did not consider any other options in depth. Most other options I saw required one or more full-time employees to maintain.
What other advice do I have?
In the past I have made several requests and have had the opportunity to work with developers and user-interface specialists to add enhancements to the product. The effort that Rapid7 puts into the user interface, after gaining first-hand use-case information directly from us, the end users, is unprecedented. Even when I worked for much larger companies, I did not see so many suggestions turn into reality.
Be sure to take full advantage of the agents. I have not seen any performance problems on the endpoints, and having this level of information from outside the network is difficult otherwise.