LogRhythm's Security Intelligence Platform

LogRhythm SIEM 2.0

Protecting against today’s rapidly evolving threat landscape requires broad and deep visibility across the entire IT environment. Threats and risks arrive from many angles, and evidence of their existence can be found within existing log and machine data. Deeper, essential visibility is gained through targeted host and network forensic monitoring. When this data is fed to multiple, machine-automated analytical techniques, threats and risks are exposed like never before.

LogRhythm uniquely combines enterprise-class SIEM, Log Management, File Integrity Monitoring and Machine Analytics, with Host and Network Forensics, in a unified Security Intelligence Platform. The LogRhythm solution provides profound visibility into threats and risks to which organizations are otherwise blind. Designed to help prevent breaches before they happen, LogRhythm accurately detects an extensive range of early indicators of compromise, enabling rapid response and mitigation. The deep visibility and understanding delivered by the LogRhythm Security Intelligence Platform empowers enterprises to secure their networks and comply with regulatory requirements.

A Higher Standard in SIEM & Security Intelligence

LogRhythm delivers a new generation of capabilities when it comes to detecting, defending against, and responding to cyber threats and associated risks. LogRhythm’s Security Intelligence Platform delivers:

  • Next Generation SIEM and Log Management
  • Independent Host Forensics and File Integrity Monitoring
  • Network Forensics with Application ID and Full Packet Capture
  • State-of-the-art Machine Analytics
    • Advanced Correlation and Pattern Recognition
    • Multi-dimensional User / Host / Network Behavior Anomaly Detection
  • Rapid, Intelligent Search
  • Large data set analysis via visual analytics, pivot, and drill down
  • Workflow enabled automatic response via LogRhythm’s SmartResponse™
  • Integrated Case Management

Analyzing all available log and machine data and combining it with deep forensic visibility at both the host and network level delivers true visibility. This insight is leveraged by AI Engine, our patented Machine Analytics technology, to deliver automated, continuous analysis of all activity observed within the environment. AI Engine empowers organizations to identify previously undetected threats and risks. The integrated architecture ensures that when threats are detected, customers can quickly access a global view of activity, enabling exceptional security intelligence and rapid response. LogRhythm uniquely provides the actionable intelligence and incident response capabilities required to address today’s most sophisticated cyber threats.

Rapid Time-to-Value and Low TCO

Whether you are protecting a small business network or running a global security operations center (SOC), time-to-value and total cost of ownership matter. LogRhythm’s integrated architecture, combined with our focus on ease-of-use, helps customers quickly leverage powerful capabilities while keeping long-term costs in check. We take pride in transforming challenging problems into simple, usable solutions. LogRhythm Labs™ delivers critical out-of-the-box capabilities that align customer deployments to meet their business objectives. Automatically delivered and continuously updated with the latest in threat and compliance research, LogRhythm’s extensive Knowledge Base enables customers to quickly arm themselves against emerging threats, while staying current with compliance and audit requirements. The Knowledge Base includes:

  • Log parsing and normalization rules for over 600 unique operating systems, applications, databases, devices, etc.
  • Compliance Automation Suites for a broad range of regulations (PCI, SOX, HIPAA, FISMA, GLBA, ISO27001, DODI 8500.1, NERC-CIP, etc.)
  • Security Analytics Modules
    • Privileged User Monitoring
    • Advanced Persistent Threat (APT)
    • Web Application Defense
    • User / Host / Network Behavior Anomaly Detection
    • And many others...

How LogRhythm's Security Intelligence Platform Works

Input

Intelligence begins with the quality of the source data. Without a rich and broad set of data, visibility is limited, leading to blind spots that allow activities to go unrecognized. LogRhythm provides a full set of collection capabilities, as well as extensive independent monitoring, to deliver the most complete set of data for analysis in the industry.

Forensics Data

Forensics Data Collection

LogRhythm delivers comprehensive and secure collection, processing and analysis of all log and audit data produced within an IT environment, including log data, flow data, event data, machine data and vulnerability data. LogRhythm offers the industry’s greatest breadth of coverage for data sources, including hundreds of network devices, security devices, systems, applications, and industry-specific devices.

Forensics Data Generation

LogRhythm generates independent forensic data at the host and network level to capture details not available through standard log and audit data. It is critically important to collect these activities from both the host and the network to deliver the visibility necessary to recognize and corroborate highly concerning activities and events.

Host Forensics

File Integrity Monitoring
LogRhythm’s System Monitor independently monitors files and directories for real-time detection of activity such as unauthorized or improper user access at the file system level, including modifications, moves or copies, and/or deletions of files.
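To make the file integrity monitoring idea concrete, here is an added example (written for this page, not LogRhythm's System Monitor code) of the baseline-and-compare approach: hash every regular file under a directory, then diff a later snapshot against that baseline to report added, deleted and modified files. The directory tree, file names and contents are all constructed inside the example so it runs offline.

```python
"""Toy file-integrity monitor: baseline a directory tree by content hash,
then report files that were added, modified or deleted.
Added example, not vendor code; the tree it scans is constructed in demo()."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative path) to its content hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the monitored tree
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def diff_snapshots(before, after):
    """Return the integrity events between two snapshots, sorted for stable output."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo():
    """Baseline a constructed tree, simulate changes, and return the events found."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        before = snapshot(root)

        # Constructed changes: one edit, one deletion, one new file.
        with open(os.path.join(etc, "passwd"), "a") as f:
            f.write("svc:x:1001:1001::/home/svc:/bin/sh\n")
        os.remove(os.path.join(etc, "hosts"))
        with open(os.path.join(etc, "newservice.conf"), "w") as f:
            f.write("enabled=true\n")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A polling hasher like this is enough to show the comparison logic; a production monitor would also record ownership and permission bits, attribute each change to the user and process that made it, and subscribe to kernel file-change notifications rather than rescanning on a timer.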

Data & Process Monitoring
LogRhythm’s System Monitor detects and records process and service activity to identify and alert on important changes in behavior, such as non-whitelisted processes starting up on a secure server, or a critical service stopping and/or failing to restart.

Network Connection Monitoring 
LogRhythm’s System Monitor independently records network connection activity to and from the host, providing a detailed record of all network connections opened and closed on a host to detect critical events, such as the use of unauthorized web or FTP servers or outbound content transfers.

Network Forensics

Layer 7 Traffic Analysis 
LogRhythm’s Network Monitor delivers both application-level awareness and rich network session details, for enterprise-wide network visibility. SmartFlow™ delivers a rich set of packet metadata derived from each network session, appropriate to the type of application used. The high degree of detail available in SmartFlow™, cataloguing every session on the network, provides deep understanding of an application’s network activity in a quickly accessible format.

True Application Identification
LogRhythm’s Network Monitor identifies over 2,000 applications for in-depth analysis by performing deep packet inspection and applying multiple classification methods to determine the true identity of the application.

SmartCapture™ 
LogRhythm’s Network Monitor captures full Layer 2 through 7 packet headers and payloads from each session for a complete record of network activity. With a rich set of session details available from SmartFlow™, administrators may choose to retain only sessions of interest based on application type or relevance to specific security events, reducing the extensive storage requirements of traditional network forensic solutions.

LogRhythm Analytics

Processing

LogRhythm automatically processes source data for analysis, including parsing logical metadata attributes and adding valuable context information such as time normalization, event identification and categorization, geolocation, and risk prioritization. LogRhythm utilizes a unique two-tiered persistence model to record all messages collected and/or generated within your IT environment for both real-time machine analytics and forensic search.

Time Normalization
Understanding activities in relation to each other is critically important. Through patented technology, LogRhythm creates a universal timestamp for all messages, compensating for time offsets between devices and geographically dispersed systems running in differing time zones.

Data Classification
LogRhythm classifies all processed data in a consistent and user-friendly manner by assigning logical event types (Security, Audit, Operations) and sub-types (e.g., brute force attack, failed login, error). This “universal descriptor language” ideally conditions data for both machine and user analytics.

Meta Data Extraction
LogRhythm extracts data into an extensive array of standard meta-data fields. Example fields from log messages include: user credentials, IP addresses, ports, protocol, sender, file, URL, etc. Customers also have the ability to create custom meta-data fields.

Context Infusion
LogRhythm infuses relevant context into each message by attributing important information to incoming logs and flows such as source threat rating, target risk rating, vulnerability status, and geolocation data.

Risk Prioritization
LogRhythm dynamically calculates a Risk-Based Priority rating from 1 to 100 for every event, leveraging various risk and threat attributes associated with the involved actors combined with the risk of the event itself.

Indexing
LogRhythm performs full indexing and storage of collected log messages and associated metadata for optimized performance and rapid forensics via a highly efficient, patented processing engine.

Persistence
LogRhythm utilizes a highly optimized data storage architecture that facilitates real-time analytics and post-incident forensics investigations, as well as meeting the long-term storage requirements associated with a myriad of regulatory compliance requirements.
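The processing steps above (time normalization, classification, meta-data extraction, context infusion and risk prioritization) form one pipeline, so here is an added example, not LogRhythm's code, that walks a few constructed syslog lines through all five steps. The per-source time-zone offsets, the classification rules, the threat and risk rating tables and the 1-to-100 scoring formula are all assumptions made for the example; the vendor's patented methods are not described on this page and are not reproduced here.

```python
"""Toy SIEM processing pipeline: normalize timestamps to UTC, classify each
message into a type/sub-type, extract meta-data, infuse context from lookup
tables, and compute a 1-100 priority. Added example; all tables constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed: local UTC offset (hours) of the device behind each hostname.
SOURCE_TZ_OFFSET_HOURS = {"fw-nyc": -5, "srv-berlin": 1}

# Constructed context tables, both on a 0-9 scale.
SOURCE_THREAT_RATING = {"198.51.100.23": 9}   # known-bad source address
TARGET_RISK_RATING = {"srv-berlin": 8, "fw-nyc": 5}  # business value of the host

# Classification rules: regex with named meta-data groups -> (type, sub-type, base risk 0-9).
CLASSIFICATION_RULES = [
    (re.compile(r"Failed password for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+) (?P<protocol>\w+)"),
     ("Security", "failed login", 4)),
    (re.compile(r"Accepted password for (?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+) (?P<protocol>\w+)"),
     ("Audit", "successful login", 1)),
    (re.compile(r"DROP .*SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) PROTO=(?P<protocol>\w+) .*DPT=(?P<port>\d+)"),
     ("Security", "denied connection", 3)),
]

# Collector line format assumed here: "<local ISO timestamp> <host> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")

# Constructed sample input; the first two lines are the same instant in UTC.
SAMPLE_LOGS = [
    "2024-03-01T09:15:02 srv-berlin sshd[812]: Failed password for root from 198.51.100.23 port 51544 ssh2",
    "2024-03-01T03:15:02 fw-nyc sshd[311]: Accepted password for alice from 10.0.0.5 port 50122 ssh2",
    "2024-03-01T03:16:40 fw-nyc kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP SPT=44010 DPT=3389",
    "2024-03-01T03:20:00 fw-nyc cron[17]: job backup finished",
]


def normalize_time(ts, host):
    """Time normalization: interpret the device's local timestamp and return UTC."""
    local = datetime.fromisoformat(ts)
    offset = timezone(timedelta(hours=SOURCE_TZ_OFFSET_HOURS.get(host, 0)))
    return local.replace(tzinfo=offset).astimezone(timezone.utc)


def classify_and_extract(msg):
    """Data classification plus meta-data extraction via the first matching rule."""
    for pattern, (etype, subtype, base_risk) in CLASSIFICATION_RULES:
        match = pattern.search(msg)
        if match:
            meta = {k: v for k, v in match.groupdict().items() if v}
            return etype, subtype, base_risk, meta
    return "Operations", "unclassified", 0, {}


def risk_priority(base_risk, source_threat, target_risk):
    """Assumed scoring (not any vendor's formula): weighted 0-9 score mapped to 1-100."""
    score = 0.5 * base_risk + 0.25 * source_threat + 0.25 * target_risk
    return max(1, min(100, round(score / 9 * 100)))


def process_line(line):
    """Run one raw line through every stage; None if it does not fit the collector format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    host, msg = match["host"], match["msg"]
    etype, subtype, base_risk, meta = classify_and_extract(msg)
    # Context infusion: look up the actors named in the extracted meta-data.
    source_threat = SOURCE_THREAT_RATING.get(meta.get("src_ip"), 0)
    target_risk = TARGET_RISK_RATING.get(host, 0)
    return {
        "normal_time": normalize_time(match["ts"], host).isoformat(),
        "host": host, "type": etype, "subtype": subtype, **meta,
        "source_threat": source_threat, "target_risk": target_risk,
        "priority": risk_priority(base_risk, source_threat, target_risk),
        "raw": line,
    }


def process_all(lines):
    """Process a batch and order it by normalized time, highest priority first on ties."""
    events = [e for e in (process_line(l) for l in lines) if e]
    return sorted(events, key=lambda e: (e["normal_time"], -e["priority"]))


if __name__ == "__main__":
    for event in process_all(SAMPLE_LOGS):
        print(event["normal_time"], event["priority"], event["type"], event["subtype"], event.get("src_ip"))
```

Running it shows why the normalized timestamp matters: the Berlin failed login and the New York accepted login differ by six hours in their raw timestamps but land on the same UTC second, and the failed login from the rated source against the high-value host receives the highest priority of the batch.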

Machine Analysis


Forensics Analysis

LogRhythm delivers powerful analytics to search, visualize, pivot and drill down through forensic data to gain insight into nefarious behavior, potential risks and imminent threats to your organization.

Search
LogRhythm offers a simple, intuitive interface that delivers powerful, “Google-like” search capabilities through a Quick Search toolbar for immediate access to forensic data, as well as a straightforward, wizard-based GUI for performing rapid, sophisticated searches across large volumes of data from any time period.

Visualize
LogRhythm’s interface delivers fully interactive network visualization and relationship mapping as well as long term trending views and fully interactive visual analytics. This delivers exceptional visual correlation capabilities and global event awareness.

Pivot/Drill Down
LogRhythm’s fully interactive dashboards and investigation tools deliver rapid forensics, making it simple to work with large data sets directly on screen with on-the-fly filtering, quick pivot, and fast drill down into the underlying raw data.

Output

Actionable Intelligence

LogRhythm delivers real-time value and insight from data collected with risk prioritized alerts, real time dashboards and reports.

Risk Prioritized Alerts
LogRhythm ensures that the appropriate personnel are alerted when specific asset risk and threat levels are reached, based on logical Risk-Based Priority protocols.

Real-Time Dashboards 
LogRhythm provides out-of-the-box, use-case specific layouts, as well as customizable views for fully interactive visualization and real time analysis into security, compliance and operational events.

Reports 
LogRhythm combines the convenience of prepackaged reports with the flexibility of powerful ad hoc reporting for efficient and meaningful data distribution. LogRhythm comes with over 800 pre-defined reports and hundreds of additional templates that can be used to create unlimited custom reports for security, operations and compliance use cases.

Incident Response
