Logrhythm Adds Visualization, Location And Host Activity To Forensic Capabilities

LogRhythm has upgraded its log management/SIEM product's threat detection capabilities by monitoring system processes and endpoint network connections, as well as adding visualization and geo-location tools to expedite investigation of possible attacks and compromises. Pouring through logs without an automated tool is pure pain for administrators. LogRhythm's new capabilities help administrators make the most of their limited time to hunt down and mitigate threats. The network visualization presents host-to-host activity, relationships within the enterprise network, inbound/outbound communications, and allows the investigator to spot potential threats at a glance and then do a deep dive for details leveraging LogRhythm's data collection, correlation capabilities and query capabilities.

"Because we're a high-profile organization, we deal with a lot of attacks," said Nick Levay, information security and operations manager for the Center for American Progress, a think-tank based in Washington, D.C. "In particular, APT (advanced persistent threat) is the buzzword of the day, but in my world, it's a very harsh reality. It's the x-ray operator syndrome," Levay said. "I find that when doing analysis--looking at records of logs--I have about 45 minutes of that before my brain starts to turn to jello. So the question is how much you can get done in that 45 minutes, how can you prioritize what you are looking at."
 
By monitoring process activities, as well as network connection on endpoints, LogRhythm enables investigators to spot anomalous behavior compared to normal server activity, such as connecting to an unauthorized IP address, a normal process stopping for no apparent reason, etc. The network monitoring tracks listening services, inbound and outbound connections to/from a host including local and remote IP addresses and ports, connection state, direction, duration, etc.

Compliance has been the primary driver in the log management/SIEM markets for the last couple of years as organizations struggled with manual log reviews, reporting and audit to meeting regulatory requirements. Automated queries, network and device data correlation and streamlined reporting have become essential capabilities.

With this upgrade, however, LogRhythm places the emphasis squarely on security. "Enterprises are finding they need all the information they can get with security management planning and operations for forensics," said Jon Oltsik, principal analyst for Enterprise Strategy Group. "It may complement compliance, but they're feeling they need that security depth as well."

The geo-location capabilities quickly identify where outside connections are from, including country, region, state and city. This allows organizations to perform broad queries based on connections from suspect areas and pinpoint the source of attacks. (It even can show the location on Google maps, though the value of that feature is not readily apparent--people know how to use Google maps to find St. Petersburg in Russia.)"If I'm looking at 20,000 authentication records,  I want to start narrowing them down, so I'll filter out the ones from the immediate D.C. area," said Levay. "Then I'll see, oh my god, look at all these things from China. Did we have anyone in China at the time those accounts were being logged into?"

The cumulative value of the new features is to add new data from log sources to identify security issues quickly and efficiently. "Enterprises don't have the luxury of having security analysts poking through raw logs anymore," said Oltsik. It's not a research project; it's your business."