“Use Fewer Tools, More”: KinderCare Avoids Tool Sprawl with Rapid7, Maximizing ROI and Improving Efficiency

About KinderCare

KinderCare is the nation’s leading early childhood education company. Since opening in 1969, KinderCare has built a network of community-based centers, employer-sponsored programs, and before- and after-school sites to meet the needs of families. KinderCare operates more than 2,000 locations across 40 U.S. states and the District of Columbia and uses a proprietary curriculum aimed at producing excellent outcomes for children of all abilities and backgrounds. KinderCare builds a foundation for a lifelong love of learning by instilling confidence and unshakeable self-esteem in children, a belief they carry with them on their first step into the world and on every step after. Byron Anderson is the Senior Information Security Engineer at KinderCare. His job is to protect the data of the families, children, and employees that KinderCare supports.

The Challenge

Anderson came into his role two years ago. When he joined KinderCare, he inherited several disparate platforms used to manage the organization’s security posture. He discovered that coverage was incomplete, integration between the platforms was lacking, and there was no comprehensive security visibility across KinderCare’s infrastructure. After an in-depth review, it was clear that re-architecting and changing security platforms was necessary to create an easily managed and supportable security infrastructure that would provide the needed visibility.

“We felt that with Rapid7 MDR Service, leveraging their own InsightIDR, we would get higher value, and we were right.”
- Byron Anderson, Senior Information Security Engineer

Doing More with Less

One of Anderson’s guiding philosophies is “use less tools more.” Anderson believes that if you pick strong tools and use them to their maximum capability, you will get more value out of your investments and need fewer tools; this also helps avoid tool sprawl. After reviewing several different platforms and tools, Anderson and his team chose to move forward with the Rapid7 Insight Platform. They felt the Rapid7 platform best matched Anderson’s philosophy and would also give KinderCare a fast time to value.

“Rapid7 has such a tight ecosystem. You don’t need dozens of tools that you each use only 20% of. If you get really good tools and use 99% of them, you don’t need that many tools! There’s so much out-of-the-box content pre-built into Rapid7.”

The immediate value of easily collecting data from other systems and quickly turning it into a picture of the behavior occurring in the environment made it easy for Anderson to convince the company to make the change. Within six months his team was able to phase out several of the old tools.

Fast Forward to a Full Plate

Today, KinderCare uses Rapid7’s Managed Detection and Response (MDR) service, along with InsightVM, InsightConnect, and InsightAppSec. They didn’t necessarily intend to go “all in” with the Rapid7 ecosystem; however, Anderson concedes that the benefits of using the ecosystem just made sense.

  • MDR: “We added MDR because we wanted 24/7 coverage,” shared Anderson. “I had to replace our existing solution because it didn’t meet 100% of our needs. We felt that with Rapid7 MDR Service, leveraging their own InsightIDR, we would get higher value, and we were right.”

So even though KinderCare planned to use MDR for only a year, they opted to renew their contract – with enthusiasm. “We were hoping that after a year, we would have the ability to provide better 24/7 coverage ourselves. But we decided to keep MDR because we’ve been so happy with it,” he revealed. “The folks on the MDR team have been so phenomenal to work with. They’ve been a huge help. So, we decided we want to maintain the 24/7 coverage.”

  • InsightIDR: Anderson may be a fan of MDR, but InsightIDR, the underlying SIEM solution that powers the MDR service, is where his heart is. MDR customers don’t have to get hands-on in InsightIDR if they don’t want to, but Anderson appreciates the “hands-on” approach.

    “InsightIDR is my bread and butter,” he chuckled, likening it to a one-stop shop. “It’s our single pane of glass. It connects to every data source you can think of: different domain controllers, our AWS and Azure environments, our endpoint protection system, our email security platform, everything. We want to consolidate and concentrate everything as much as possible.”

Anderson went on to share how he has created a series of dashboards in InsightIDR that provide an “overview” of all his different tools and services, a health check he runs every morning.

“I love that Rapid7 is always curating new detections and updating their platform. It saves me having to do that work. They have so many alerts for InsightIDR that we use. I could create them myself, but Rapid7 has already done such a good job of it.” He then estimated that for 99% or more of the alerts, he trusts Rapid7 not only to create the alerts but also to refine them.

  • InsightVM: KinderCare uses InsightVM to support their vulnerability management program. They run regular scans and use InsightVM’s reporting to help prioritize patching. “Any time we see a critical vulnerability that may not be patch-related but configuration-related, we work with the appropriate teams,” he explained. “We’re building a complete program, which didn’t exist when I started.”

Anderson loves that they have a full picture of their vulnerabilities, and that you can report on them in a way that’s useful. “The remediation reports InsightVM creates focus on remediation tasks rather than a log list of vulnerabilities. We can easily hand these reports off to other teams without overwhelming them. Before, we just had CSV or Excel lists of vulnerabilities with no remediation details, which would quickly overwhelm other teams, and ultimately nothing got done.”

  • InsightConnect: As part of their package with InsightIDR and InsightVM, KinderCare also received InsightConnect, Rapid7’s Security Orchestration, Automation and Response (SOAR) product. Anderson and his team have started using InsightConnect to integrate their Rapid7 platform with other tools they use, such as Slack and ServiceNow, creating automated workflows that save time on tasks that previously had to be done manually.

Favorite Features

When pressed for one of his favorite features, Anderson didn’t hesitate to call attention to an InsightIDR capability: Log Search. “Log queries in InsightIDR are phenomenal, especially thanks to the latest features that have been added. It makes it so easy to investigate things and run those queries quickly,” he said with a laugh. “When I had to do that in our old platform, I would literally set it to run a query and then go get a cup of coffee. Sometimes it would take me hours to investigate simple things. InsightIDR is lightning fast. It really minimizes the amount of time I spend doing this, because I can access and work with the data so quickly.”

Another thing Anderson leverages often is Investigations, something he handles a handful of every single day. “I love the way it has the investigations all self-contained. You can add additional data to them, you can put notes in them. That makes it easy for us to manage everything in one place,” he shared. “We don’t need to send everything to an external ticketing system and manage it through that. It’s all self-contained within the product, which is great.”

Words of Wisdom

To close our conversation, Anderson offered some advice for people who are looking for a threat analytics platform or a SIEM they can get more value out of: “I’ve worked with a lot of different products that operate in the SIEM, or security information and event management, space. What Rapid7 has done is unique. InsightIDR is already built to do exactly what you need it to do,” he opined. “All the detection logic is built in, and it makes everything simple. I highly recommend you try it out.”