Brooks Relies On Rapid7 SOAR Solution to Automate Their Security Program

About Brooks Running

Brooks, a 108-year-old American sports equipment company, designs and markets high-performance running shoes, apparel and accessories, which are sold in more than 60 countries worldwide. Headquartered in Seattle, Washington, Brooks is a subsidiary of Berkshire Hathaway, one of the ten largest publicly traded companies in the world.

Challenge

Brooks is growing rapidly, which means a growing list of potential vulnerabilities. “We grew from a company doing $500 million in sales to $1 billion in a short amount of time,” explains Ryan Fried, Senior Security Engineer. “We’ve grown to nearly 1,800 employees. That brings more hits to our website and more partners, which means more security events, more phishing emails, and greater potential risk.” Even with three analysts, the security team was running fast to stay one step ahead of the alerts.

InsightConnect has definitely saved analyst time. I’d estimate it is saving us about 11 days or 88 hours of manpower each month, just based on the workflows we run. InsightConnect has also reduced time to respond and resolve, which helps mitigate any threats that do make their way into the company.
Ryan Fried, Senior Security Engineer

Solution

Ryan implemented InsightConnect, Rapid7’s security orchestration, automation and response (SOAR) solution, to accelerate their traditionally manual, time-intensive incident response and vulnerability management processes. InsightConnect has helped the security team meet the challenges head on. “InsightConnect has helped us scale. It doesn’t really care how many integrated systems there are,” states Ryan.

Ryan Fried is the Senior Security Engineer at Brooks. He is part of a five-person security staff of two engineers and three analysts. Ryan’s team is tightly integrated with multiple business units. “We build security in early, as well as our security management tactics such as network segmentation, security automation, firewalls and network security, among other things. We like to build things to help our security analysts do their job.”

Ryan notes that Brooks had no prior experience with SOAR. “We did a POC with another SOAR product but it was super convoluted.” That’s when Ryan, who had used Rapid7 InsightConnect at a previous company, suggested that Brooks take a look at the product. “We did the POC to prove the value and went with Rapid7 InsightConnect.”

Increasing Analyst Engagement

Ryan takes a proactive approach to SOAR, noting that traditional SOAR solutions “focus on no hands on, automation to reduce FTEs. My feeling is the complete opposite. I’ve been able to build a ton of enrichment workflows with InsightConnect so that our Teams channel becomes our central command. I think in terms of the number of tabs our analysts need to have open in their browser, I’ve reduced it from 10 to 20 to just one or two when it comes to an incident investigation. I give them a super repeatable process that works the same for every analysis.”

InsightConnect saves analysts time, but even more important to Ryan is that InsightConnect has increased analyst engagement and made their jobs easier. “Now they can do what they really want to do. They’re not spending 60 minutes looking at a phishing email or 20 to 30 minutes blocking URLs.” Moreover, Ryan notes, InsightConnect takes away the heavy lifting. “When we block a URL, or domain, or IP address, we need to block it in three or four different places. If we use InsightConnect workflows, it’ll be blocked in the right places, every single time. That consistency is huge.”

24/7 Coverage and Faster Response Times

InsightConnect has definitely improved their response coverage. “Previously, we were a nine to five, Monday through Friday kind of shop. We didn’t have paging or anything like that. With InsightConnect we’ve become a 24/7 shop - without expanding our staff. Now we have three to four different alert types and we predefined which alerts we should be woken up for in the middle of the night. Without InsightConnect, we couldn’t have done that.”

Ryan has also seen improved response times, especially in critical situations like potential ransomware attacks. “We’ve taken our paging system and integrated it, leveraging InsightConnect, with our alerts. Now our analysts are only getting woken up in the middle of the night when it really matters, so our response time is really fast. If it’s ransomware, our analyst can isolate the host directly from their phone instead of waiting 20 minutes for the computer to boot up and log in. That is so critical. That’s a huge value for us.”

Pre-built Workflow Library

With InsightConnect, Ryan can quickly find and build a myriad of workflows leveraging the work of others. “One of the things I love about InsightConnect is that if I get stuck, I can find a workflow in the Rapid7 Extension Library. If it’s not exactly the workflow I need, I can import it, see how it was done, and then apply it to my own workflow.” As Ryan explains, each workflow is usually comparable to the previous one, so he can add multiple workflows quickly. Looking ahead, the Brooks team will begin working with the Active Directory team to use InsightConnect to automate user account termination.

“In security, a third of your job is proving it’s not your fault when stuff breaks,” continues Ryan. “I have workflows that look at configuration logs for the tools I own, such as firewalls, and it shows all the configuration changes in the last 24 hours. With that I would know if I made the change or if a teammate made it. With InsightConnect, it is much faster to prove it’s not your fault. We’ve used it in a lot of different ways. A lot of what we do is ad hoc workflows through Teams. That’s new. We’ve found a lot of value in it.”

Ryan believes InsightConnect has helped his security team deal effectively with the company’s surging growth. “As we grow, we’re adopting additional security tools. As we add more IT and security systems, we integrate them into InsightConnect. If we had all these different security tools, that’s more time we would need to spend on different consoles and bouncing from one to the other. But a new security tool that’s API capable doesn’t add more complexity, just more available functionality. Having the automation benefits of InsightConnect is almost like working with an operating system. You just plug in the next app and it integrates with other users and systems,” Ryan says.

Saving Manpower and Maximizing Analyst Time

For Ryan, the time-saving benefit of InsightConnect automation is clear and compelling. “In terms of metrics and looking at dashboards, InsightConnect has definitely saved analyst time. I’d estimate it is saving us about 11 days or 88 hours of manpower each month, just based on the workflows we run. InsightConnect has also reduced time to respond and resolve, which helps mitigate any threats that do make their way into the company.”

“If you took InsightConnect away from our analysts, that would be demoralizing,” continues Ryan. “They would have to go back to manual processes. InsightConnect helps us scale the team more effectively. As we get more events and add new businesses and more processes, InsightConnect helps us keep up. We just got a new analyst who said, ‘I’ve never seen anything like this before’ [referring to the level of existing automation]. His job’s been easier because he doesn’t have to learn where to get all the information. And now he has a channel that shows all the commands available to him, and he doesn’t have to log in everywhere. The security process is consistent no matter what.”
