Italian University Gains a "Panoramic" View of Overall Risk with Rapid7 InsightIDR

About Universita degli Studi di Palermo

The University of Palermo (Università degli Studi di Palermo) was founded in 1806. The University is made up of 12 faculties, with 42,000 students and 3,600 staff.

Challenge

Gaetano Pisano, Network and Security Administrator at the University of Palermo (Università degli Studi di Palermo), knows what it's like to monitor a large environment with a small team that handles everything from IT to security. Responsible for hundreds of thousands of assets across the entire university, their domain includes monitoring a transient, tricky class of devices to manage: student assets. Pisano's team needed to collect and retain logs in a secure place to meet compliance requirements, and to answer questions based on the data in those logs.

Solution

The University of Palermo (Università degli Studi di Palermo) has turned to the cloud-based power of InsightIDR, Rapid7's incident detection and response solution, and InsightVM, the evolution of Nexpose, Rapid7's leading vulnerability management solution. Now, Pisano and his team are able to monitor hundreds of thousands of assets and gain a "panoramic" view of all their vulnerabilities and overall risk. Since deploying InsightIDR, they no longer need to query individual syslog servers to find answers.

Gaetano Pisano, Network and Security Administrator at the University of Palermo in Sicily, Italy, knows what it's like to monitor a large environment with a small team. To help him do his job effectively, he's turned to the cloud-based power of InsightIDR, Rapid7's incident detection and response solution, and InsightVM, the evolution of Nexpose, Rapid7's leading vulnerability management solution. Now, he and his team are able to monitor hundreds of thousands of assets and gain a "panoramic" view of all their vulnerabilities and overall risk. In this Q&A, he discusses his program's success in more detail.

We have over 42,000 students and 3,600 staff (professors and others). It is part of the 10 largest universities in Italy. We rank 6th among the 10 for a variety of factors, such as: the services offered to students, the paid scholarships, the facilities available, the computerization and digital services offered, and the degree of "internationalization."

Who is on your security team, and what are you responsible for?

GAETANO: We have 3 people: 2 IT guys and 1 IT/security. We're using InsightVM and InsightIDR. It's a typical situation: a small team responsible for everything from IT to security.

Tell us about the environment you’re monitoring.

GAETANO: We are responsible for hundreds of thousands of assets across the entire university. This also includes monitoring a transient, tricky class of devices to manage: our students' assets.

How do vulnerability management and incident response fit into your business and security strategy?

GAETANO: We wanted to be able to search across multiple services with a single query. In the past, we had to query each single server separately. We also wanted a "panoramic" view of all vulnerabilities, as well as visibility into overall risk and exposed services. I like being able to use Rapid7 Project Sonar data to confirm which university assets are really exposed to the external internet.

What security challenges was the University facing? What problems were you trying to solve?

We needed to collect and retain our logs in a secure place to meet requirements, and we wanted to answer questions with that data. Since deploying InsightIDR, we no longer have to query individual syslog servers to find answers. We also needed flexible visibility across a range of operating systems, ranging from Windows, Mac and Linux to iOS, Android, and Windows phones.

Why did you choose Rapid7?

GAETANO: We heard about you on an online hacker forum called "Cybrary" (http://www.cybrary.it/forums/). Then we found Nexpose and InsightIDR easy to use and configure.

What tools were you using before Rapid7?

GAETANO: Before InsightIDR, we were using Snort and AlienVault. Before Nexpose we were using OpenVAS (open source).

How were you investigating incidents before purchasing InsightIDR?

GAETANO: The products we used before were Snort and AlienVault OSSIM. Searching logs in InsightIDR with the Log Entry Query Language (LEQL) is easier and more intuitive than with AlienVault. InsightIDR provides statistics/queries that AlienVault doesn't, and comes with a lot more out-of-the-box value.

InsightIDR centralizes the University's log data in a secure cloud architecture. Are you satisfied with the ways InsightIDR lets you access your data (i.e. log search, dashboards, and insight into user behavior)?

GAETANO: We are very satisfied with the speed of searches and with the quality and clarity of the dashboards. The dashboards are very intuitive; I like that they are clean and contain only the information I want.

How does InsightIDR fit into your SIEM strategy?

We use InsightIDR for centralized log management, search, and data visualization. We can then monitor general activity, as well as traffic peaks on user endpoints. After identifying these anomalies, we can decide whether they are worth investigating. One day while investigating a traffic peak, we found a machine affected by a SYN flood attack that was initiated by a compromised device.

What kind of incidents has InsightIDR detected so far?

GAETANO: The product has detected malware traffic, infiltration, and persistence. It detected SYN flooding on one occasion, and in general it gives us the ability to investigate activity peaks and run personalized queries to check for things like WannaCry, for example.

Are there any product-specific anecdotes you’d like to share?

GAETANO: Yes! One day our backup site went down because of the high temperatures (we are in Sicily, Italy), but thanks to InsightIDR, and the way it centralizes our data in a secure cloud architecture, we didn't have any problems with log storage.

How would you summarize the benefits of InsightIDR for your organization?

GAETANO: It allows us to correlate and query logs from data sources across the network. We like that InsightIDR stores our logs securely in the cloud at a low price. The product is easy to use, and out of the box, comes with many behavior detections, queries, and dashboards.

What’s next for the University of Palermo and Rapid7?

GAETANO: In the future, we will add threat intelligence from our intrusion detection system (IDS) into InsightIDR, and we will look into using the included Insight Agent for endpoint data collection and detection. Also, we just moved from Nexpose to InsightVM, which has really impressed us. The dashboards and the detail work in this new version really blew us away.