IDR/XDR
What is SIEM - ANSWER
- Security information and event management
- Combination of log management
- Correlation and real-time analytics
- Alerts and reporting
Challenges - ANSWER
- Deploying: can deploy faster, and detections are constantly evolving due to research (900 prebuilt detections)
- Maintaining
- Visibility into logs and data
- Containing/investigating
- Call out: Rapid7 keeps logs for 13 months vs. other vendors who only keep logs for 6 months (why this is an issue: attack replay)
How it works - ANSWER
1. Gathers logs from your endpoints, cloud, network data, user activity, and tech partners and funnels them into our universal data collector (and we go beyond endpoint)
2. Funnels through the firewall and lands in the cloud where the SIEM lives
3. Once an alert is received, your team decides either to contain/quarantine the threat or to follow through with the ticket system
4. If the threat is a false positive, it can be recorded as such
Detection methods - ANSWER
- Threat intelligence
- Endpoint detection
- User behavior analytics
- Deception technology
- NetFlow analysis
Rapid7 steps in to support along the way by - ANSWER
- Identifying alerts early in the attack chain
- Reducing false positives
- Giving recommended response actions