The new safety net from LogRhythm
LogRhythm demystifies IT security with intelligent monitoring, response
Protecting against today’s rapidly evolving threat landscape requires broader and deeper visibility across the entire IT environment. Security intelligence is thus becoming increasingly crucial in enabling targeted host and network forensic monitoring.
LogRhythm has emerged as one of the leaders in security intelligence with a platform designed to help customers identify threats before they have a big impact on the network, according to Ross Brewer, vice president and managing director, International Markets at LogRhythm. This helps reduce the mean time to detection and ultimately helps organisations reduce their mean time to response.
The kill chain of a typical advanced threat, Brewer explains, begins with some initial reconnaissance activity before proceeding to the preliminary compromise. After that, the malware starts to disseminate into the network and set up command and control, ending with the final stage, the expropriation of data. “What LogRhythm is focused on is helping organisations identify that initial activity so we can mitigate that risk,” says Brewer. “If we can identify the first infection of the malware or the initial installation of remote control software or a key logger, then we can stop the rest of the kill chain. This will prevent any expropriation of data and the subsequent loss of intellectual property,” Brewer adds.
LogRhythm goes beyond intelligence, though, Brewer says, and is involved in the remediation process as well. “We have the ability to communicate with other technologies to offer the complete security solution. With Active Directory for instance, LogRhythm may not remove a user from a group, but will tell Active Directory to do it; or we don’t stop a firewall connection; we tell the firewall to do it, and so on,” Brewer says.
LogRhythm, Brewer explains, communicates with 700 different technologies, retrieving information from them to figure out the threats facing the particular organisation. Through SmartResponse, LogRhythm offers intelligent, process-driven capabilities that give organisations the power to automatically take action and respond to any alarm, Brewer adds.
The modern security intelligence platform comprises a number of traditional capabilities such as SIEM, Log Management, Host Forensics, Network Forensics, Vulnerability Intelligence, Threat Intelligence and Advanced Analytics and, ultimately, Incident Response, as well as the workflow that goes around that, explains Brewer. “If you look at IT infrastructure, there’s a lot of siloed data; so the firewall, IPS (intrusion prevention system) and the endpoint will all be seeing bad activity. All this is simply noise,” explains Brewer. “Our expertise is in being able to see the whole environment. We combine all those technologies and so we are able to identify threats that are common across many technologies and therefore qualify those that are more critical and in need of response,” says Brewer.
Just having a SIEM or Log Management is not enough anymore; organisations today need full network, host and user visibility, in addition to the machine analytics that pull it all together and separate the signal organisations should respond to from the noise, Brewer adds.
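The cross-source correlation Brewer describes (the same host seen misbehaving by the firewall, the IPS and the endpoint agent, qualified above a single-source alert) can be illustrated with a small correlator. The following is an added example written for this article; it is not LogRhythm code, and the three log formats and the sample events are constructed for the illustration. It parses a firewall log, an IPS log and an endpoint log, keeps only the lines each source treats as a signal, groups signals per host into 30-minute episodes, and qualifies an episode only when at least two independent sources agree.

```python
"""Cross-source alert correlation over constructed log lines (added example, not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # signals for one host within this span form one episode
MIN_SOURCES = 2                  # qualify an episode only when this many sources agree

# Constructed sample logs. The formats are invented for this example.
FIREWALL_LOG = """\
2024-03-01T09:02:11Z fw01 action=deny src=10.0.5.23 dst=203.0.113.9 dport=4444
2024-03-01T09:02:40Z fw01 action=allow src=10.0.5.23 dst=203.0.113.9 dport=443
2024-03-01T09:15:02Z fw01 action=deny src=10.0.7.40 dst=198.51.100.2 dport=22
"""
IPS_LOG = """\
2024-03-01T09:03:05Z ips01 sig="Possible C2 beacon" severity=3 src=10.0.5.23 dst=203.0.113.9
2024-03-01T09:20:17Z ips01 sig="Port scan" severity=2 src=10.0.7.40 dst=10.0.7.1
"""
ENDPOINT_LOG = """\
2024-03-01T09:01:30Z edr host=10.0.5.23 event=process_start image=C:\\Users\\Public\\svc.exe parent=outlook.exe
2024-03-01T10:45:00Z edr host=10.0.9.12 event=process_start image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)"
FW_RE = re.compile(TS + r" \S+ action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
IPS_RE = re.compile(TS + r' \S+ sig="(?P<sig>[^"]+)" severity=(?P<sev>\d) src=(?P<src>\S+) dst=(?P<dst>\S+)')
EDR_RE = re.compile(TS + r" \S+ host=(?P<host>\S+) event=(?P<event>\w+) image=(?P<image>\S+) parent=(?P<parent>\S+)")
TRUSTED_PATHS = ("c:\\windows\\", "c:\\program files")   # executables here are not flagged on path alone


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def signals_from_firewall(text):
    """A firewall deny is a weak signal on its own; it matters when other sources agree."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m["action"] == "deny":
            out.append({"ts": parse_ts(m["ts"]), "source": "firewall", "host": m["src"],
                        "detail": f"denied connection to {m['dst']}:{m['dport']}"})
    return out


def signals_from_ips(text):
    """Every IPS alert is a signal; the source address is the host of interest."""
    out = []
    for line in text.splitlines():
        m = IPS_RE.match(line)
        if m:
            out.append({"ts": parse_ts(m["ts"]), "source": "ips", "host": m["src"],
                        "detail": f"{m['sig']} (severity {m['sev']})"})
    return out


def signals_from_endpoint(text):
    """A process started from outside the trusted paths is an endpoint signal."""
    out = []
    for line in text.splitlines():
        m = EDR_RE.match(line)
        if m and m["event"] == "process_start" and not m["image"].lower().startswith(TRUSTED_PATHS):
            out.append({"ts": parse_ts(m["ts"]), "source": "endpoint", "host": m["host"],
                        "detail": f"{m['image']} spawned by {m['parent']}"})
    return out


def _episode(host, cluster):
    return {"host": host, "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
            "sources": {e["source"] for e in cluster},
            "details": [f"[{e['source']}] {e['detail']}" for e in cluster]}


def correlate(events):
    """Group signals per host into time windows and keep those several sources agree on."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    episodes = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        cluster = []
        for e in evs:
            if cluster and e["ts"] - cluster[0]["ts"] > WINDOW:
                episodes.append(_episode(host, cluster))
                cluster = []
            cluster.append(e)
        if cluster:
            episodes.append(_episode(host, cluster))
    qualified = [ep for ep in episodes if len(ep["sources"]) >= MIN_SOURCES]
    # Most independent sources first, then earliest episode.
    qualified.sort(key=lambda ep: (-len(ep["sources"]), ep["start"]))
    return qualified


def qualified_episodes():
    events = (signals_from_firewall(FIREWALL_LOG) + signals_from_ips(IPS_LOG)
              + signals_from_endpoint(ENDPOINT_LOG))
    return correlate(events)


if __name__ == "__main__":
    for ep in qualified_episodes():
        print(ep["host"], sorted(ep["sources"]), ep["start"], "->", ep["end"])
        for d in ep["details"]:
            print("   ", d)
```

On the sample data, 10.0.5.23 is reported first because all three sources saw it within a few minutes, 10.0.7.40 follows with two sources, and the notepad launch on 10.0.9.12 never becomes an episode because nothing else corroborates it. The window size and the minimum source count are the two knobs that trade missed episodes against analyst noise.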
Modern threats call for modern prevention capabilities. “20/20 prevention is futile today,” says Brewer. “Too much investment has gone into firewalls and perimeter protection in the last 40 years and not enough into monitoring and response. Gartner, however, believes that over the next six years, budgets will move from 10% for monitoring and response investment in 2013 to 60%,” Brewer adds.
With this in mind, Brewer warns organisations that are solely focused on building a wall around the network to protect their environment. “It’s been proven that advanced threats and the latest malware can get past anti-virus solutions and firewalls. The next focus is for IT managers to start taking responsibility and control of their network. They need to look at it and respond to and mitigate against these specific risks that are common today,” says Brewer.
Signature-based security solutions are also increasingly proving inadequate in an era of zero-day attacks. “When we are talking to security technologies such as SourceFire or Symantec, we support all the methodologies that customers are using today. However, as LogRhythm, we don’t need signatures, and the analytics that we do consider behaviours. Typically this involves identifying administrator behaviours and looking at the systems they use on a regular basis, and if they change their patterns of behaviour, we would be able to recognise that without having signatures for them,” Brewer says.
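The behavioural approach in Brewer's description, a baseline of which systems each administrator normally uses and a flag when the pattern changes, is shown below as an added example written for this article. It is not LogRhythm's analytics and the logon records are constructed; it assumes each record is a tuple of timestamp, user, host and logon type, and builds a per-user baseline of hosts, hours of day and logon types from history, then reports any new event that departs from that baseline, with the reasons.

```python
"""Baseline-and-deviation check for administrator logons (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed history: (timestamp, user, host, logon_type). Logon type follows the
# Windows convention (10 = remote interactive, 3 = network) but the data is invented.
HISTORY = [
    ("2024-02-05T08:55:00", "adm_jane", "DC01", 10),
    ("2024-02-05T09:10:00", "adm_jane", "FS02", 10),
    ("2024-02-06T08:50:00", "adm_jane", "DC01", 10),
    ("2024-02-07T09:05:00", "adm_jane", "FS02", 10),
    ("2024-02-08T08:58:00", "adm_jane", "DC01", 10),
    ("2024-02-05T18:00:00", "adm_raj", "SQL01", 10),
    ("2024-02-06T18:30:00", "adm_raj", "SQL01", 10),
    ("2024-02-07T17:45:00", "adm_raj", "SQL01", 10),
]

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    ("2024-03-01T09:00:00", "adm_jane", "DC01", 10),          # usual host, usual hour
    ("2024-03-01T02:13:00", "adm_jane", "HR-LAPTOP-17", 10),  # new host, unusual hour
    ("2024-03-01T18:10:00", "adm_raj", "SQL01", 10),          # within baseline
    ("2024-03-01T18:20:00", "adm_raj", "FS02", 3),            # new host, new logon type
]


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour


def build_baseline(history):
    """Per user: the hosts, hours of day and logon types seen in the learning period."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set(), "types": set()})
    for ts, user, host, logon_type in history:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(_hour(ts))
        baseline[user]["types"].add(logon_type)
    return dict(baseline)


def score_event(baseline, event):
    """Return the list of ways this event departs from the user's baseline (empty if none)."""
    ts, user, host, logon_type = event
    profile = baseline.get(user)
    if profile is None:
        # An account with no history at all is itself worth a look rather than a silent pass.
        return [f"no baseline for user {user}"]
    reasons = []
    if host not in profile["hosts"]:
        reasons.append(f"new host {host}")
    if _hour(ts) not in profile["hours"]:
        reasons.append(f"hour {_hour(ts):02d} outside baseline hours {sorted(profile['hours'])}")
    if logon_type not in profile["types"]:
        reasons.append(f"logon type {logon_type} not seen before")
    return reasons


def find_anomalies(baseline, events):
    """Events with at least one deviation, in input order, each with its reasons."""
    out = []
    for event in events:
        reasons = score_event(baseline, event)
        if reasons:
            out.append({"event": event, "reasons": reasons})
    return out


if __name__ == "__main__":
    profiles = build_baseline(HISTORY)
    for a in find_anomalies(profiles, NEW_EVENTS):
        ts, user, host, logon_type = a["event"]
        print(f"{ts} {user} -> {host} (type {logon_type}): " + "; ".join(a["reasons"]))
```

A baseline this small flags any hour it has not seen, so in practice the learning period has to be long enough to cover the user's real routine, and hour-of-day is better treated with some tolerance than as an exact set; the structure of the check, though, is what distinguishes it from a signature: nothing in it describes the attacker, only the administrator.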
With mobility and BYOD now the rule rather than the exception in many organisations, the traditional perimeter security set-up just won’t do, says Brewer. “You just cannot put a container around an iPhone as people move and do business on the move. You need to look at user behaviour and patterns, as mobility is here to stay and organisations need to change their whole ethos.” And mobility for LogRhythm is not only on the detection side but also on the response side, enabling the admin to respond to security issues on the move using their mobile devices, explains Brewer.