Deployments found: 2

Energie Südbayern (ESB) logo
Rapid7 logo
Germany’s large energy sector is a sizeable target for hackers. Today’s cybercriminals, hacktivists, and state-sponsored operatives have both the motive and the capabilities to strike with attacks designed to steal sensitive operational and customer information, hold organizations to ransom, or disrupt and destroy key control systems. These are just some of the threats that keep Benjamin Nawrath awake at night. Benjamin Nawrath is the information security officer at Southern Bavarian energy provider Energie Suedbayern (ESB), which supplies natural gas and electricity to 120,000 households in the south of Germany. The largest operator of its kind in the region, ESB has around 350 employees, with 14 staff working alongside Benjamin Nawrath in IT.

The compliance burden One of Benjamin Nawrath’s biggest challenges is maintaining compliance with Germany’s IT Security Act (ITSG), which became law in 2015 but applies from July 2017 onward. The law requires all critical infrastructure providers to run an advanced cybersecurity program designed to ensure the availability, integrity, authenticity, and confidentiality of their IT infrastructure. It also demands that organizations regularly provide certification proving their compliance. Failure to do so could result in a fine of hundreds of thousands Euro. With a large and complex environment to monitor (including 2,000 IP addresses), limited IT staff resources, a growing compliance burden, and ever-determined hackers to keep at bay, Benjamin Nawrath needed robust technology solutions to help overcome these major challenges.

Getting the green light
ESB IT had been using Rapid7’s leading vulnerability management solution Nexpose previously, so expanding their portfolio with Rapid7 was a natural choice. To fill the need for an incident detection and response solution, a Proof of Concept (PoC) with Rapid7 InsightIDR was quickly and easily to set up to provide that all-important confirmation of the product’s industry-leading capabilities.
“I needed a solution that had intelligence inside it—not just a technical solution to create rules. I buy the intelligence, not the rules. That’s what Rapid7 really made successful for us in this evaluation,” says Benjamin Nawrath. “Splunk and similar solutions just collect the logs, and I needed to keep track of them myself. But I want to know if something strange or irregular is happening, which InsightIDR tells me. It was the best solution to provide the intelligence I need for a reasonable price.” ESB moved forward with the combination of InsightVM (the evolution of Rapid7 Nexpose) and InsightIDR—both powered by the Rapid7 Insight platform—to offer industry-leading vulnerability management and incident detection and response. Benjamin Nawrath states that both solutions were easy to set up and maintain, and that they provide “one agent to rule them both”—simplifying management and centralizing reporting. ESB has been a keen adopter of cloud services, so there were no roadblocks in terms of delivery. And since it was for security purposes, the monitoring of IP addresses was given the green light by representatives from the German works council.

Accelerating incident response InsightIDR has saved ESB IT time and helped them respond to incidents far more quickly. Unifying SIEM, user behavior analytics (UBA), and endpoint detection and response (EDR), it was designed from the ground up to detect intrusions as early on in the attack chain as possible, leaving nowhere for the bad guys to hide.
“Honestly, I didn’t have any incident response process in place before InsightIDR. I would just get a report from users saying ‘something is not as expected.’ I would then have to dig in and collect logs myself, which took a huge amount of time,” says Benjamin Nawrath. “InsightIDR has really helped me be able to respond to incidents more quickly. It’s really easy to use and the agents provide great insight.” Benjamin Nawrath is leveraging the live dashboard functionality to track failed log-ins by special users.“One of the many good things is, I don’t have to tell InsightIDR what is a service account—it just recognizes it,” he says.
The easy-to-manage portal allows him to keep an eye on any unusually high values, if remote users are logging in from other countries, or any other metrics that might indicate noncompliance. Email alerts complete the picture and are also sent to other members of the IT team, allowing them to respond if anything malicious is found.
Lowering risk with InsightVM With a complex IT environment to monitor, including highly sensitive industrial control systems, Nawrath also needed enterprise-grade vulnerability management tightly integrated into InsightIDR. Rapid7’s InsightVM automatically collects, monitors, and analyzes any vulnerabilities on the corporate network, featuring advanced analytics and reporting to allow users to prioritize and remediate risk. For ESB, success is measured in terms of lowering risk over time, something InsightVM has been great at driving.
“I scan regularly and with user credentials, so I get as much information as I need. We have nearly no false positives, which is great,” says Benjamin Nawrath. “InsightVM also helps us to identify old systems which need to be refreshed, upgraded, or even abandoned. It provides great insight in how I can evaluate the risk. It’s great to see how risk decreases by implementing remediations.” The agents have also helped save time over regular scans, and the benefit of tight integration with InsightIDR has boosted efficiency by enabling highly accurate correlations between incidents and vulnerabilities.

Looking ahead Ultimately, the combined power of InsightIDR and InsightVM has saved Benjamin Nawrath as much as 60% of his and his team’s time. This in turn allows him to spend more time on verifying the vulnerabilities themselves, and to prepare for an upcoming OSCP examination. What’s more, the value of the data generated by Rapid7 has even helped him increase his standing within the organization.
“Upper management isn’t overly involved with security, but with both products I’m able to convince them of the real risks we face. It helps me get more respect for my work,” he says.
“And because the solutions weren’t that expensive there was no problem convincing the management to free up the budget.” As for the future, Benjamin Nawrath plans to extend the capabilities of his investments even further by implementing InsightVM’s Remediation Workflow to delegate tasks to his colleagues. But most importantly, he’s confident the combination of InsightIDR and InsightVM will provide all the reassurance needed to meet its obligations under the IT Security Act—keeping ESB safe, secure, and compliant for the years to come.

... Learn more
Manchester Metropolitan University logo
Rapid7 logo
Manchester Metropolitan University (MMU) is one of the five largest further education institutions in the UK, situated in the country’s most popular student city. With two sites, 38,000 students, and 3,000 staff members to manage, there’s plenty to keep network security engineer Steven Fitzsimmons and his team of three busy. Like their counterparts in the United States and elsewhere in the West, UK universities continue to be a major target for online attackers. Freedom of Information (FoI)-based research released in 2017 revealed that nearly three-quarters (70%) had fallen victim to phishing attacks over the previous 24 months. A separate report later that year claimed data breaches at UK universities had doubled, with sensitive IP and ground-breaking research particularly prized by state-backed snoopers. Ransomware and DDoS outages have also hit many institutions over recent months, and there’s an ever-present risk associated with negligent users. In short, Fitzsimmons and team had a lot of ground to cover, and they needed a way to extend their reach given the resources at hand.

A major undertaking
According to Fitzsimmons, part of the challenge of securing a network of MMU’s size lies in its heterogeneity. His team’s job is to manage and maintain endpoint security and firewalls, monitor for unusual network behavior, protect against external threats, and mitigate risk if any vulnerabilities are discovered. That’s a major undertaking when there are Windows, Linux machines, Macs, desktop, and mobile devices across physical and virtualized infrastructures. After three years with a previous vulnerability management vendor, Fitzsimmons was aware of the rapid advancement of technology in the space and decided to open things up for potential replacements. He spoke to peers at other universities, trawled the online forums, and found Rapid7’s name consistently cropping up as one to watch. Subsequent tests told the MMU team what it needed to know.
“We were looking for things like, how were vulnerabilities displayed? What information did the product tell us? What were the reporting features like?,” he explains. “The more we looked into Rapid7, the more we were impressed with InsightVM. It definitely gave us more than we had with previous solution, so we chose to invest.”

Enter InsightVM InsightVM is Rapid7’s flagship vulnerability management solution designed with modern, dynamic networks in mind to provide powerful analytics, remediation, and automation capabilities. In the face of an evolving threat landscape, InsightVM leverages Rapid7’s extensive vulnerability research, Metasploit exploit knowledge, attacker-based analytics, internet-wide scanning data, and more—surfaced via real-time reporting. Migration to the Rapid7 solution went largely without a hitch. “Sales and support have been really smooth from beginning to end,” says Fitzsimmons. “From our point-of-view, the rules were easy to transport over to InsightVM so there was no downtime as a result of lost scans. Everyone’s had really positive things to say about it.” The MMU network team are particularly impressed with their newfound ability to run discovery and other scans depending on the requirements of the subnet. “Being a university, we’ve got different types of machines here—Windows, Linux, Macs—and a massive network, so we needed something which could gather all that information in one place and we could use it as a central inventory for the assets, and then we can run different scans for each one,” he says. Fitzsimmons is also impressed by the level of granular detail provided about vulnerabilities; for example, if a Metasploit plugin exists, or if proof of concept code is available on ExploitDB, indicating increased exploitability of a vulnerability. And he likes the fact that assets can be filtered by different criteria: for example, by risk or number of vulnerabilities. Overall, InsightVM has provided “great visibility” into the MMU network, allowing the team to drill down into operating systems, software, and services to find out more.

Saving time, reducing risk The MMU network team have also seen their lives made easier by the remediation and reporting functionality in InsightVM. “When we do see vulnerabilities, it’s impressive how it gives us a lot of information. The recommended remediations are really clear and helpful,” says Fitzsimmons. “On other solutions we’ve seen this kind of thing but you sometimes need to translate it for other users to understand. Where patches are required there’s often a direct download link so you don’t have to hunt for it yourself.”
Customizable reports complete the picture, allowing his team to tailor their findings according to the department that needs to view it. Those in charge of web servers may get a different report than teams in charge of unified communications, and so on.

Looking ahead with confidence As MMU grows in confidence with InsightVM there’s even more scope to expand the team’s use of the tool in future. This includes the Remediation Projects feature, which integrates with IT ticketing to help teams track the progress of remediation. Meanwhile, Steven Fitzsimmons and team are continuing to evaluate Rapid7 InsightIDR as their SIEM solution.
... Learn more

The ROI4CIO Deployment Catalog is a database of software, hardware, and IT service implementations. Find implementations by vendor, supplier, user, business tasks, problems, status, filter by the presence of ROI and reference.