Item: Rapid7 InsightConnect
Rating: 7
Author: holt archer

Use Cases and Deployment Scope

We used rapid7 insight connect to connect our vuln management platform, insight M, to our Jira and Slack for ticket/project creation and notifications. I found both of the integrations as pre-built modules that I could customize for our environment so was able to get them up and working quickly and effectively. This enabled me to replicate and improve ticketing and alerting workflows that I had previously built in Tenable's Security Center platform by allowing for interaction with the vuln management tool from Slack. Now our devs and sysadmins could pull up device or application vuln info from Slack and would be notified via slack of changes to any devices or apps they owned, assuming they were being scanned by the vuln management tool.

Pros and Cons

Offers pre-built integrations with multiple common alerting tools
Offers pre-built workflows for multiple common tools
Easy to create custom workflows and integrations

Sometimes too point and clicky
Cost is high
Workflows often require users from several teams to work on various tools

Most Important Features

Integration
Automation
Ease of use

Return on Investment

The automation and integration we set up in the dev cycle helped us provide evidence in audits
The automation and integration we set up in the dev cycle helped us fix vulns in our software prior to implementation thus increasing our security
Automations save massive time and headache's between infosec and devs

Alternatives Considered

Snyk, Splunk SOAR (Security Orchestration, Automation and Response) (formerly Phantom), Sensu, by Sumo Logic and SonarQube

Our needs and use of Rapid7 IC was strickly SOAR so products like Snyk would be something to integrate and build automation with, the same with Sonar Cube but we never got the chance to do so. Splunk SOAR is something we are using now at a more global level, so a Jira ticket will kick off a vuln scan as well as a code scan, one example. We evaluated Sensu but since our SIEM is Splunk it made more sense to go that way. It was our observation that other products that are dedicated SOAR have more integrations and more powerful workflows that can span your entire enterprise. That is not to say that IC can't span your enterprise but as you can imagine it is very Rapid7 centric, so if you have Rapid7 VM, IDR, and AppSec this could be a VERY powerful SOAR. On the other hand, if you don't have a large Rapid7 footprint your SOAR implementation with IC may be very limited.

Key Insights

Do you think Rapid7 InsightConnect delivers good value for the price?

Yes

Are you happy with Rapid7 InsightConnect's feature set?

Yes

Did Rapid7 InsightConnect live up to sales and marketing promises?

Yes

Did implementation of Rapid7 InsightConnect go as expected?

Yes

Would you buy Rapid7 InsightConnect again?

Yes

Other Software Used

Splunk Enterprise Security (ES), CrowdStrike Falcon Endpoint Protection, Splunk SOAR (Security Orchestration, Automation and Response) (formerly Phantom)

Likelihood to Recommend

It is well suited to accelerating the dev/sec/ops cycle because it integrates with all the tools we used there including Jenkins, Jira, and Slack, so that when a build kicked off from a project in Jira we could have the build scanned as it went through Jenkins either via a slack or Jira task. The scan would produce a report that we would customize and drop into Jira and any findings could also be sent to Slack. Infosec would also be notified and we worked with the dev team to make a policy that any highs or criticals would need to be remediated prior to advancing the code to prod. Where it could be better is putting an automated gate on the Jenkins build, which it may be able to do but we didn't figure out before our time with the product ended.

Rapid7 Insight Connect is powerful if you are a Rapid7 shop

Overall Satisfaction with Rapid7 InsightConnect