奥登集团依靠Rapid7 Insight平台安全地扩展其金融服务产品组合

挑战

“我在安全领域工作了12年，致力于信息安全，”赖特说. “I'm concerned with every type of security incident. But I think the ones that scare me the most are phishing 和 human error.赖特希望围绕NIST的网络安全框架建立一个项目:识别, 保护, 检测, 回应, 和恢复. With only a month until the company’s first product launch, 赖特的首要任务是获得探测可疑活动的能力. 他转向了insighttidr - Rapid7易于部署的SIEM(安全信息和事件管理)解决方案，该解决方案具有内置的威胁检测功能.

解决方案

“You can't 回应 和恢复 unless you can 检测,赖特说。. 因此，在奥登开始工作的两周内，赖特开始了insight tidr的POC. He had never used InsightIDR before, 但他对其他SIEM解决方案有着丰富的经验，他知道要让其中一个产品完全部署需要几个月的时间. 他需要一款具有强大的开箱即用检测功能的产品. insighttidr具有用户行为分析和许多其他检测方法, making it the perfect product for Wright’s needs. “我们在POC的第三天和30天的POC结束时开始生产, we were getting real value out of InsightIDR.”

事半功倍

挑战d with building a SOC from scratch with limited headcount, once InsightIDR was up 和 running, 赖特将注意力转向自动化流程，以免员工不堪重负. “I looked at InsightConnect to address the automation challenge. And with it natively being supported in the same Insight platform, 对我们来说，走这条路而不是自己开发或使用不同的自动化平台是很有意义的.” 

奥登能够快速将30多个InsightConnect自动化工作流程投入生产. 结果是, almost two-thirds of 奥登’s weekly alerts are h和led automatically, 而剩下的三分之一则通过自动化和警报浓缩来加速. “在部署InsightConnect之前，我们每周都会收到大约300个警报，我们必须手动处理,赖特解释道。. “With InsightConnect we have automated about 200 of them. We can automatically add context to the remaining 100 alerts, 使我们的三位SOC分析师能够更快速有效地处理它们. It shortens our time to 回应, 和 speed is of essence when there's a compromise or potential compromise.”

其中一个InsightConnect自动化工作流使用Slack来验证用户是否执行了某些操作. If the user says they did them, the investigation is closed. If the user says no, the team moves the investigation forward. 另一个工作流程使用Slack向SOC团队提供预处理漏洞分析以供分析. 自动化任务运行由slack生成的当前关键漏洞报告，该报告可由任何SOC分析师处理. “It automatically kicks off a forensics workflow in Sophos, which we have on all our machines,赖特解释道。. “The workflow unpackages the specific machine’s snapshot, 排序数据, puts it into a human-readable format, then makes the data query-able from Slack for the analysts. 每次运行它，我们都会节省大约8小时的工作时间——我们每周会做3-4次这样的分析. 这是一个巨大的好处.”

“我可以用三个人运行一个24/7的SOC的唯一原因是insighttidr和InsightConnect,赖特说。. “We have a 15-minute SLA on the first touch of a case. Most of the time, we get to first touch in under five minutes.” 

The Benefits of a Comprehensive Platform 

Once Wright had the tools in place to 检测, 回应, 和恢复, 他需要回到NIST网络安全框架的第一部分，并实施解决方案来帮助识别和保护奥登的数据和资产. For this, he turned to InsightVM, Rapid7’s vulnerability management tool. Insight平台的一个关键优势是，在奥登的端点上，InsightVM和insighttidr都可以使用Rapid7 Insight Agent. This meant that deploying InsightVM was fast 和 easy. It didn’t hurt that the Insight Agent is very lightweight. “我讨厌代理，除非它们很轻，不会使机器陷入困境，”赖特说, “和 the Insight Agent is a true thin client.”

使用Insight平台的另一个好处是产品之间交换的数据. “在调查中，漏洞和警报数据可以很容易地联系起来. If we see any anomalous activity, we can immediately check for a relevant vulnerability in InsightVM,赖特解释道。. “We never have to leave our Rapid7 interface. 我们只需点击InsightVM的下拉菜单，看看这种方法是否可行.”

保护云

奥登的IT应用程序部署环境完全基于云(AWS)。, 微软Azure, 和 Google Cloud Platform (GCP). 至关重要的是，奥登的安全计划在所有三个云平台上提供高效和一致的安全控制. 

奥登正在利用insighttidr和InsightVM提供的本地集成来帮助监控他们的云足迹. 他们还使用InsightConnect来减少在多云环境中管理安全所需的跑腿工作. 例如, with assets spread across so many different types of infrastructure, 对于奥登团队来说，理解一个IP地址是内部的还是外部的是一个真正的挑战, nevermind get details on the asset itself 和 where it was located. To solve this challenge, they built an InsightConnect workflow. 现在，团队可以在Slack中输入IP地址，工作流程将通过奥登的基础设施进行搜索，以定位IP地址和相关资产. 一旦找到资产, IP 和 asset details such as IP address type, 资产名称, 资产类型, 位置, 可用性区域, 和 more are provided in a Slack response. 奥登 also has a similar workflow to retrieve firewall rules. 

The native cloud integrations found in InsightIDR 和 InsightVM, along with the dozens of cloud plugins offered by InsightConnect, 使奥登能够无缝地管理其多云环境中的安全性. “This is just one example of where the combination of monitoring, 报警, 自动化结合起来可以消除常见的错误，防止它们将公司暴露在真正的安全事件中，或者要求向监管机构报告,赖特补充道。.

As they continue development of innovative banking services, 奥登依靠Rapid7的Insight平台来提供强大的安全环境. “底线是,赖特总结道。, “is that when 奥登’s business is 10 times bigger, the security team won’t need to be 10 times bigger. Insight平台为我们提供了大量的运营杠杆和可扩展性.”