Rapid7 InsightIDR Review

Users/endpoints focus gives us more understanding of network events, allowing us to see behavior patterns


What is our primary use case?

Centralized SIEM / Intrusion Detection System.

How has it helped my organization?

The focus on users/endpoints gives us so much more understanding of the events going on across the network, allowing us to step back from looking at logs only to see the actual behavior patterns instead.

What is most valuable?

The incident case management is the most valuable feature. Even though there's always something I find I would like to add to that feature, the ability to quickly sort through all the logs, network and endpoint data, etc., and add it to an incident case as part of the investigation, is nice. Having it automatically timeline that additional data into the original incident timeline, and correlate it to other notable events and activities on the network, results in a huge improvement in our overall confidence that we've quickly traced down the right source of an issue.

What needs improvement?

The reporting is the weakest aspect. There needs to be multi-level grouping for events (for example, group by user and destination). Right now, we can do a group by user and a separate table or group by destination. But I'd be more interested in where a person was logging into instead of who was logging in or where he was logging in.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

We have rarely encountered any issues with stability. The primary source of stability issues has been the couple times where there have been lost log messages online. While that's unavoidable, it's definitely not desirable if I happen to have an incident at that time.

What do I think about the scalability of the solution?

We haven't had any issues with scalability yet. (We'll keep trying).

How are customer service and technical support?

Technical support for InsightIDR has been fantastic. We've used Rapid7 for over a year now, and, while support calls happen, it's rarely over something simple that's just not working. Normally we call because of something heavily situational, and the techs have always figured it out.

Which solution did I use previously and why did I switch?

A private ELK stack was used originally. We moved off of it as we wanted to ensure that we were focusing on the security of the company, and not writing log parsing rules all day.

How was the initial setup?

The initial setup was pretty straightforward, but it takes a little bit of a mental leap to understand how it all works together. What's key to remember is that it is user and endpoint centric, and not account centric. That means that, over time, it will start associating user.a on host1 to user.a on host2 and treating them as the same. It could be a little confusing for some companies if they don't use standardized permissions or don't use administrative-only accounts, but for most current user-access mechanisms, it shouldn't lead to any abnormal results.

What's my experience with pricing, setup cost, and licensing?

Licensing is by endpoint and amount of retention time (at least ours is). Default retention was one year, but we are able to push the retention further if needed. There's also a provide-your-own-S3 option for longer retention if you don't want to pay for the additional retention years in your Rapid7 agreement.

Which other solutions did I evaluate?

AlienVault, LogRhythm, Qualys.

What other advice do I have?

Have a plan going forward (Syslog exports, agent-based collection, etc.) and ensure WMI is available if using Windows Servers. It was very easy to set up, but troubleshooting can be "fun" if an endpoint doesn't connect correctly. Don't be shy of support requests. They'd rather you be "that person" that keeps getting support, rather than being the one that ran into an issue and stopped using the product.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Add a Comment
Guest
Sign Up with Email