Rapid7 has been in the vulnerability game for a long time and is certainly a respected player. It has been well-known for Nexpose and, of course, it now has Metasploit. What many of us didn't see coming - although we should have - was that it would get into the active detection game. The reason we should have seen this coming is that Rapid7 also has a solid next-generation analytics platform, and bolting tools that need that sort of analytical power onto it is something of a no-brainer. So it did, and one of the results is UserInsight.
Saying that this is just an active detection tool is rather like saying that the Queen Mary is a boat. UserInsight combines a lot of capabilities, including detection of behaviour changes in key accounts such as service accounts, honeypots (and honey users), user impersonation detection and several others.
The main dashboard displays a lot of information, all clustered around a map that shows ingress locations to the enterprise. There are the expected alert counts as well as not-so-expected top risky users and watchlists. You also will see trending and recent notable behaviours. Of course, all of these come with good drill-down.
One very interesting and unique statistic is Honey User Authentication attempts. A honey user - regardless of what it sounds like - is a fake user that appears to behave as a real user. These "users" can take on roles and privileges that lure intruders into attempting to compromise the accounts, and since no legitimate person uses them, any authentication attempt against one is worth a look.
At a glance
Price: Depends on user count and organisation size.
What it does: Active breach detection.
What we liked: Focus on important breach points to rapidly reveal what is happening on the network.
UserInsight's legacy is clear in some very useful areas. It has long been a maxim that the first place to start tracing an intrusion is the known vulnerabilities in the network. One of the most vulnerable of these is the non-expiring password. UserInsight looks for these and calls them out with details that can help administrators delete unused accounts or watch used ones carefully. Everything that the tool does is done with balance. For example, it has a very low tolerance for changes in service accounts - they are not supposed to change often, if at all - and a much higher tolerance for changes in administrator accounts, which change regularly.
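To make the honey-user and account-balance ideas above concrete, here is a small added example (my own illustration, not Rapid7 code and not how UserInsight is implemented) that runs two of the checks the review describes over constructed data: it flags any authentication attempt against a decoy "honey user", applies a per-class tolerance for new logon sources (tight for service accounts, looser for administrator and shared accounts), and lists accounts whose password never expires but which have sat idle. All account names, hosts, thresholds and dates are made-up assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample logon events (not real data): (account, source_host, outcome).
SAMPLE_EVENTS = [
    ("svc_backup", "10.0.0.5", "success"),
    ("svc_backup", "10.0.0.5", "success"),
    ("svc_backup", "10.0.9.77", "success"),          # a service account from a new host
    ("admin_jane", "10.0.1.10", "success"),
    ("admin_jane", "10.0.1.11", "success"),
    ("admin_jane", "10.0.1.12", "success"),
    ("admin_jane", "10.0.1.13", "success"),          # admins roam; this is tolerated
    ("finance_backup_admin", "10.0.9.77", "failure"),  # decoy account; nobody should touch it
    ("kiosk_lobby", "10.0.2.2", "success"),
]

# Decoy ("honey") accounts: assumed names, created only to attract misuse.
HONEY_USERS = {"finance_backup_admin"}

# Assumed classification of accounts; unknown accounts fall back to "user".
ACCOUNT_CLASS = {"svc_backup": "service", "admin_jane": "admin", "kiosk_lobby": "shared"}

# Assumed tolerance: how many distinct logon sources each class may use before alerting.
SOURCE_TOLERANCE = {"service": 1, "admin": 5, "shared": 3, "user": 2}


def detect_logon_anomalies(events, honey_users=HONEY_USERS,
                           account_class=ACCOUNT_CLASS, tolerance=SOURCE_TOLERANCE):
    """Return a list of (rule, account, source) alerts for the given events."""
    alerts = []
    seen_sources = defaultdict(set)
    for account, source, outcome in events:
        if account in honey_users:
            # Any attempt against a honey user is notable, whether it succeeds or fails.
            alerts.append(("honey_user_auth", account, source))
            continue
        cls = account_class.get(account, "user")
        if source not in seen_sources[account]:
            seen_sources[account].add(source)
            # Alert only when this account exceeds the source count its class tolerates.
            if len(seen_sources[account]) > tolerance[cls]:
                alerts.append(("unexpected_source", account, source))
    return alerts


# Constructed directory export (not real data) for the non-expiring password check.
SAMPLE_ACCOUNTS = [
    {"name": "svc_legacy", "password_never_expires": True, "last_logon": date(2023, 1, 15)},
    {"name": "svc_backup", "password_never_expires": True, "last_logon": date(2023, 6, 1)},
    {"name": "jdoe", "password_never_expires": False, "last_logon": date(2022, 11, 3)},
]
REPORT_DATE = date(2023, 6, 10)  # assumed "today" for the idle calculation


def stale_non_expiring_accounts(accounts, today, max_idle_days=90):
    """Names of accounts whose password never expires and that have been idle too long."""
    return sorted(
        a["name"] for a in accounts
        if a["password_never_expires"] and (today - a["last_logon"]).days > max_idle_days
    )


if __name__ == "__main__":
    for alert in detect_logon_anomalies(SAMPLE_EVENTS):
        print("ALERT", *alert)
    print("stale non-expiring:", stale_non_expiring_accounts(SAMPLE_ACCOUNTS, REPORT_DATE))
```

On the sample data this raises two alerts: the honey-user attempt, and svc_backup appearing from a second host (a service account's tolerance is one source), while admin_jane's four hosts stay under the administrator threshold. The idle check reports only svc_legacy, since svc_backup logged on recently and jdoe's password does expire.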
Administrator accounts are watched very carefully for abuse and can be disabled if necessary. Another challenge is the collation of on-premises accounts and cloud accounts, especially where the same user has different accounts in each, and even more so when that user has administrator rights. The tool also watches accounts that are shared - such as kiosk accounts in an office where several workers use one login.
Since endpoints are monitored and logged, insider or malicious impersonation attacks can be detected. All of UserInsight's data is correlated and reported on the Incident Report page and, of course, you can drill down in that as well. The idea is to create as many hurdles as possible for the intruder to overcome and to watch everything he does very carefully, performing analytics as the intruder progresses through the kill chain. For example, phishing attacks can be detected by watching Exchange behaviours.
As with most threat hunting tools, UserInsight is concerned with lateral movement through the network, since this is generally abnormal behaviour and should set off some red flags. In addition, local and domain credential attacks may be preludes - if successful - to lateral movement and user impersonation. This is a SaaS product with on-premises collectors. It integrates, as one would expect from Rapid7, with a huge number of other products, software and services. In fact, this is the largest and most complete list we've seen.
Support is typical of Rapid7, with its standard and super support options, and the website is as good as one would expect of an experienced technology company. In addition to the typical support offerings, there is a quick-start service that can help you get up and running rapidly. This service extends beyond the "get up and get running" phase to things such as one-hour monthly calls with a strategic services consultant aimed at optimising your return on the product.
In addition to the integrations with third-party tools, UserInsight integrates with the Rapid7 suite so that data from several Rapid7 tools can be aggregated and analysed. We liked this one for its creativity and use of some functionality we didn't expect and, of course, there is the solid Rapid7 legacy behind it. Pricing is based on number of users being monitored and the size of the organisation.