Centralized SIEM / Intrusion Detection System.
The focus on users/endpoints gives us so much more understanding of the events going on across the network, allowing us to step back from looking at logs only to see the actual behavior patterns instead.
The incident case management is the most valuable feature. Even though there's always something I find I would like to add to that feature, the ability to quickly sort through all the logs, network and endpoint data, etc., and add it to an incident case as part of the investigation, is nice. Having it automatically timeline that additional data into the original incident timeline, and correlate it to other notable events and activities on the network, results in a huge improvement in our overall confidence that we've quickly traced down the right source of an issue.
The reporting is the weakest aspect. There needs to be multi-level grouping for events (for example, group by user and destination). Right now, we can do a group by user and a separate table or group by destination. But I'd be more interested in where a person was logging into instead of who was logging in or where he was logging in.
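The multi-level grouping described above (by user, then by destination) is easy to sketch outside the product. The following is an added example, not InsightIDR code or a Rapid7 feature; it runs over a constructed set of login events in a made-up syslog-like shape and produces the nested "who logged in where" view, plus a simple triage filter on top of it.

```python
from collections import defaultdict
import re

# Constructed sample events (not real data) in an assumed format:
# "<timestamp> <user> login <source_host> -> <destination_host>"
SAMPLE_EVENTS = """\
2024-01-10T08:01:12Z alice login ws01 -> fileserver
2024-01-10T08:03:40Z alice login ws01 -> fileserver
2024-01-10T08:05:02Z bob login ws02 -> fileserver
2024-01-10T08:09:55Z alice login ws01 -> dc01
2024-01-10T08:15:31Z bob login ws02 -> mailserver
2024-01-10T08:20:07Z carol login ws03 -> dc01
2024-01-10T08:22:49Z alice login ws07 -> hrdb
""".splitlines()

EVENT_RE = re.compile(r"^(\S+) (\S+) login (\S+) -> (\S+)$")

def parse_event(line):
    """Return (timestamp, user, source, destination), or None if the line does not match."""
    m = EVENT_RE.match(line)
    return m.groups() if m else None

def group_by_user_then_destination(lines):
    """Nested grouping: user -> destination -> login count.

    A single-level group-by (user only, or destination only) shows who logged in
    or where logins landed; the nested view shows where each person logged in to."""
    nested = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # skip malformed lines instead of aborting the report
        _, user, _, dest = ev
        nested[user][dest] += 1
    return {user: dict(dests) for user, dests in nested.items()}

def users_with_many_destinations(nested, threshold=3):
    """Users that reached at least `threshold` distinct destinations: a simple
    triage filter built on the grouped view (threshold is an assumed value)."""
    return sorted(user for user, dests in nested.items() if len(dests) >= threshold)

if __name__ == "__main__":
    grouped = group_by_user_then_destination(SAMPLE_EVENTS)
    for user, dests in sorted(grouped.items()):
        print(user, dests)
    print("many destinations:", users_with_many_destinations(grouped))
```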
We have rarely encountered any issues with stability. The primary source of stability issues has been the couple times where there have been lost log messages online. While that's unavoidable, it's definitely not desirable if I happen to have an incident at that time.
We haven't had any issues with scalability yet. (We'll keep trying.)
Technical support for InsightIDR has been fantastic. We've used Rapid7 for over a year now, and, while support calls happen, it's rarely over something simple that's just not working. Normally we call because of something heavily situational, and the techs have always figured it out.
A private ELK stack was used originally. We moved off of it as we wanted to ensure that we were focusing on the security of the company, and not writing log parsing rules all day.
The initial setup was pretty straightforward, but it takes a little bit of a mental leap to understand how it all works together. What's key to remember is that it is user and endpoint centric, and not account centric. That means that, over time, it will start associating user.a on host1 to user.a on host2 and treating them as the same. It could be a little confusing for some companies if they don't use standardized permissions or don't use administrative-only accounts, but for most current user-access mechanisms, it shouldn't lead to any abnormal results.
Licensing is by endpoint and amount of retention time (at least ours is). Default retention was one year, but we are able to push the retention further if needed. There's also a provide-your-own-S3 option for longer retention if you don't want to pay for the additional retention years in your Rapid7 agreement.
AlienVault, LogRhythm, Qualys.
Have a plan going forward (Syslog exports, agent-based collection, etc.) and ensure WMI is available if using Windows Servers. It was very easy to set up, but troubleshooting can be "fun" if an endpoint doesn't connect correctly. Don't be shy of support requests. They'd rather you be "that person" that keeps getting support, rather than being the one that ran into an issue and stopped using the product.