LogRhythm's Security Intelligence Platform

LogRhythm SIEM 2.0

Protecting against today’s rapidly evolving threat landscape requires broad and deep visibility across the entire IT environment. Threats and risks arrive from many angles and evidence of their existence can be found within existing log and machine data. Deeper, essential visibility is gained through targeted host and network forensic monitoring. When this is applied to multiple, machine automated analytical techniques, threats and risks are exposed like never before.

LogRhythm uniquely combines enterprise-class SIEM, Log Management, File Integrity Monitoring and Machine Analytics, with Host and Network Forensics, in a unified Security Intelligence Platform. The LogRhythm solution provides profound visibility into threats and risks to which organizations are otherwise blind. Designed to help prevent breaches before they happen, LogRhythm accurately detects an extensive range of early indicators of compromise, enabling rapid response and mitigation. The deep visibility and understanding delivered by the LogRhythm Security Intelligence Platform empowers enterprises to secure their networks and comply with regulatory requirements.

A Higher Standard in SIEM & Security Intelligence

LogRhythm delivers a new generation of capabilities when it comes to detecting, defending against, and responding to cyber threats and associated risks. LogRhythm’s Security Intelligence Platform delivers:

  • Next Generation SIEM and Log Management

  • Independent Host Forensics and File Integrity Monitoring

  • Network Forensics with Application ID and Full Packet Capture

  • State-of-the art Machine Analytics

    • Advanced Correlation and Pattern Recognition

    • Multi-dimensional User / Host / Network Behavior Anomaly Detection

  • Rapid, Intelligent Search

  • Large data set analysis via visual analytics, pivot, and drill down

  • Workflow enabled automatic response via LogRhythm’s SmartResponse™

  • Integrated Case Management

Analyzing all available log and machine data and combining it with deep forensic visibility at both the host and network level delivers true visibility. This insight is leveraged by AI Engine, our patented Machine Analytics technology, to deliver automated, continuous analysis of all activity observed within the environment. AI Engine empowers organizations to identify previously undetected threats and risks. The integrated architecture ensures that when threats are detected, customers can quickly access a global view of activity, enabling exceptional security intelligence and rapid response. LogRhythm uniquely provides the actionable intelligence and incident response capabilities required to address today’s most sophisticated cyber threats.

Rapid Time-to-Value and Low TCO

Whether you are protecting a small business network or running a global security operations center (SOC), time-to-value and total cost of ownership matter. LogRhythm’s integrated architecture, combined with our focus on ease-of-use, helps customers quickly leverage powerful capabilities while keeping long-term costs in check. We take pride in transforming challenging problems into simple, usable solutions. LogRhythm Labs™ delivers critical out-of-the-box capabilities that align customer deployments to meet their business objectives. Automatically delivered and continuously updated with the latest in threat and compliance research, LogRhythm’s extensive Knowledge Base enables customers to quickly arm themselves against emerging threats, while staying current with compliance and audit requirements. The Knowledge Base includes:

  • Log parsing and normalization rules for over 600 unique operating systems, applications, databases, devices, etc.

  • Compliance Automation Suites for a broad range of regulations (PCI, SOX, HIPAA, FISMA, GLBA, ISO27001, DODI 8500.1, NERC-CIP, etc.)

  • Security Analytics Modules

    • Privileged User Monitoring

    • Advanced Persistent Threat (APT)

    • Web Application Defense

    • User / Host / Network Behavior Anomaly Detection

    • And many others...

How LogRhythm's Security Intelligence Platform Works

Input

Intelligence begins with the quality of the source data.  Without a rich and broad set of data, visibility is limited, leading to blind spots that allow activities to go unrecognized.  LogRhythm provides a full set of collection capabilities, as well as extensive independent monitoring, to deliver the most complete set of data for analysis in the industry.

Forensics Data

Forensics Data Collection

LogRhythm delivers comprehensive and secure collection, processing and analysis of all log and audit data produced within an IT environment, including log data, flow data, event data, machine data and vulnerability data. LogRhythm offers the industry’s greatest breadth of coverage for data sources that includes hundreds of network devices, security devices, systems, applications, and industry specific devices.

Forensics Data Generation

LogRhythm generates independent forensic data at the host and network level to capture details not available through standard log and audit data. It is critically important to collect these activities from both the host and the network to deliver the visibility necessary to recognize and corroborate highly concerning activities and events.

Host Forensics

File Integrity Monitoring
LogRhythm’s System Monitor independently monitors files and directories for real-time detection of activity such as unauthorized or improper user access at the file system level, including modifications, moves or copies, and/or deletions of files.

Data & Process Monitoring
LogRhythm’s System Monitor detects and records process and service activity to identify and alert on important changes in behavior, such as non-whitelisted processes starting up on a secure server, or a critical service stopping and/or failing to restart.

Network Connection Monitoring 
LogRhythm’s System Monitor independently records network connection activity to and from the host, providing a detailed record of all network connections opened and closed on a host to detect critical events, such as the use of unauthorized web or FTP servers or outbound content transfers.

Network Forensics

Layer 7 Traffic Analysis 
LogRhythm’s Network Monitor delivers both application level awareness and rich network session details, for enterprise-wide network visibility. SmartFlow™ delivers a rich set of packet metadata derived from each network session, appropriate to the type of application used.  The high degree of detail available in SmartFlow™, cataloguing every session on the network, provides deep understanding of an application’s network activity in a quickly accessible format.

True Application Identification
LogRhythm’s Network Monitor identifies over 2,000 applications for in-depth analysis by performing deep packet inspection and applying multiple classification methods to determine the true identity of the application.

SmartCapture™ 
LogRhythm’s Network Monitor captures full layer 2 through 7 packet headers and payloads from each session for a complete record of network activity. With a rich set of session details available from SmartFlow™, administrators may choose to retain only sessions of interest based on application type or relevance to specific security events, reducing the extensive storage requirements of traditional network forensic solutions.

LogRhythm Analytics

Processing

Applies logical metadata attributes and valuable event context such as time normalization, event identification and categorization, geolocation, risk prioritization, indexing and persistence to all messages collected and/or generated within your IT environment.

Time Normalization
Creates a universal timestamp for all messages, compensating for time offsets between devices and geographically dispersed systems running in differing time zones.

Data Classification  
Automatically associates all messages with logical event types (Security, Audit, Operations) and subcategories (misuse, as well as network segment, operating system, application, device type, criticality and organizational entity).

Meta Data Extraction  
Delivers over 70 standard meta-data fields from each log message including Origin IP, Impacted Port, Protocol, Sender, Session, URL, etc. Customers also have the ability to create custom meta-data fields.

Context Infusion  
Infuses relevant context into each message by attributing applicable information to incoming logs and flows such as known origin, impacted host and geolocation.

Risk Prioritization
Dynamically calculates a Risk-Based Priority rating from 1 to 100 for every event leveraging predetermined asset risk and threat levels.

Indexing  
Performs full indexing and storage of collected log messages and all normalized metadata for optimized performance and rapid forensics via a highly optimized proprietary processing engine.

Persistence
A hybrid data storage architecture facilitates real-time analytics and post-incident forensics investigations, as well as meeting the long term storage requirements associated with a myriad of regulatory compliance requirements.
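The processing steps above (time normalization, data classification, metadata extraction, context infusion and risk prioritization), carried through on a few records as an added example that is not LogRhythm's code. The asset inventory, the raw log lines, the classification rules and the priority formula (threat level times asset risk, each on a 1 to 10 scale, giving a 1 to 100 rating) are all assumptions of this example; the product's actual rules and formula are not described on this page.

```python
"""Added example (not LogRhythm code): a toy version of the processing stage."""
import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: risk rating 1-10, device's UTC offset in hours, network zone
ASSETS = {
    "fw-edge-01": {"risk": 9, "tz": 0, "zone": "dmz"},
    "db-prod-02": {"risk": 10, "tz": -5, "zone": "datacenter"},
    "wkst-1042": {"risk": 3, "tz": 2, "zone": "office"},
}
DEFAULT_ASSET = {"risk": 5, "tz": 0, "zone": "unknown"}

# Constructed raw records: "<device-local timestamp> <host> <message>"
RAW_LOGS = [
    "2013-09-12 14:02:11 fw-edge-01 DENY TCP 203.0.113.5:51234 -> 10.0.0.15:22",
    "2013-09-12 09:02:30 db-prod-02 AUDIT login failure user=sa from 10.0.0.15",
    "2013-09-12 16:02:45 wkst-1042 OPS service spooler stopped",
]

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
CONN_RE = re.compile(r"\b(TCP|UDP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)")
FROM_RE = re.compile(r"\bfrom (\d+\.\d+\.\d+\.\d+)")

# Constructed classification rules, first match wins: (pattern, event type, threat level 1-10)
CLASSIFIERS = [
    (re.compile(r"\bDENY\b"), "Security", 4),
    (re.compile(r"login failure"), "Security", 7),
    (re.compile(r"\bAUDIT\b"), "Audit", 3),
    (re.compile(r"\bOPS\b"), "Operations", 2),
]


def normalize_time(local_ts, offset_hours):
    """Time normalization: interpret the device's local time and convert it to UTC."""
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    local = local.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc).isoformat()


def classify(message):
    """Data classification: map a message to (event type, threat level)."""
    for pattern, event_type, threat in CLASSIFIERS:
        if pattern.search(message):
            return event_type, threat
    return "Operations", 1  # unrecognized messages get the lowest threat level


def extract_metadata(message):
    """Metadata extraction: pull origin/impacted IPs, ports and protocol when present."""
    meta = {}
    m = CONN_RE.search(message)
    if m:
        meta.update(protocol=m.group(1), origin_ip=m.group(2), origin_port=int(m.group(3)),
                    impacted_ip=m.group(4), impacted_port=int(m.group(5)))
    m = FROM_RE.search(message)
    if m:
        meta["origin_ip"] = m.group(1)
    return meta


def process(raw_line):
    """Run one record through every processing step and return the normalized event."""
    m = LINE_RE.match(raw_line)
    if not m:
        raise ValueError(f"unparseable record: {raw_line!r}")
    local_ts, host, message = m.groups()
    asset = ASSETS.get(host, DEFAULT_ASSET)
    event_type, threat = classify(message)
    event = {
        "timestamp_utc": normalize_time(local_ts, asset["tz"]),
        "host": host,
        "event_type": event_type,
        "threat_level": threat,
        # Context infusion: attributes taken from the asset inventory
        "zone": asset["zone"],
        "asset_risk": asset["risk"],
        # Risk prioritization: assumed formula, clamped to the 1..100 range
        "rbp": max(1, min(100, threat * asset["risk"])),
        "raw": message,
    }
    event.update(extract_metadata(message))
    return event


def process_all(lines):
    """Process records and return them ordered by normalized UTC time."""
    return sorted((process(line) for line in lines), key=lambda e: e["timestamp_utc"])


if __name__ == "__main__":
    for e in process_all(RAW_LOGS):
        print(e["timestamp_utc"], e["host"], e["event_type"], e["rbp"], e.get("origin_ip", "-"))
```

The three constructed records carry local timestamps two and seven hours apart, yet after normalization they fall within 34 seconds of each other, which is the point of the step: without a universal timestamp the firewall denial and the database login failure involving the same address would never line up in a search or a correlation rule.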



Machine Analysis

Performs advanced analytics on data in motion, including Advanced Correlation, Behavioral & Statistical Baselines, Pattern Recognition, and Whitelist Profiling, to detect anomalies within your environment.

Advanced Correlation  
Performs real-time correlation on all log data, not just a subset of event logs, across multiple dimensions and between disparate systems for historical and real-time analysis.

Behavioral & Statistical Baselines  
Observes “normal” activity within the IT environment to establish a baseline against which all other activity can be measured, so that behavioral and statistical anomalies can be easily exposed.

Pattern Recognition
Applies sequential “if a, then b, then c” patterns to all log data in order to identify threats and conditions that violate the sequence.

Whitelist Profiling
Automatically generates a whitelist of acceptable or “normal” activity and performs exception-based detection of anomalies that could signify suspicious activity.
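Three of the techniques named above (a statistical baseline, a sequential “if a, then b, then c” rule, and whitelist profiling) in miniature, as an added example that is not LogRhythm's AI Engine. The login history, the live events, the three-step pattern, the 300-second window and the mean-plus-three-standard-deviations threshold are all constructed for the example; the rule names and detector structure are assumptions, not the product's own.

```python
"""Added example (not LogRhythm code): three machine-analysis techniques in miniature."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed training period: processes observed starting on each host while it was known-good
TRAINING_PROCESSES = [
    {"host": "srv1", "kind": "process_start", "process": "sshd"},
    {"host": "srv1", "kind": "process_start", "process": "cron"},
    {"host": "srv1", "kind": "process_start", "process": "backup-agent"},
]

# Constructed daily failed-login counts per user over the previous week, and today's counts
FAILED_LOGIN_HISTORY = {
    "alice": [2, 1, 3, 2, 2, 1, 3],
    "bob": [0, 0, 1, 0, 0, 1, 0],
}
FAILED_LOGINS_TODAY = {"alice": 12, "bob": 1}

# Constructed live events (ts in seconds)
EVENTS = [
    {"ts": 100, "user": "alice", "host": "srv1", "kind": "login_failure"},
    {"ts": 110, "user": "bob", "host": "srv1", "kind": "login_failure"},
    {"ts": 130, "user": "alice", "host": "srv1", "kind": "login_failure"},
    {"ts": 160, "user": "alice", "host": "srv1", "kind": "login_success"},
    {"ts": 200, "user": "alice", "host": "srv1", "kind": "account_created"},
    {"ts": 210, "user": "alice", "host": "srv1", "kind": "process_start", "process": "sshd"},
    {"ts": 220, "user": "alice", "host": "srv1", "kind": "process_start", "process": "unapproved-tool"},
    {"ts": 900, "user": "bob", "host": "srv1", "kind": "login_success"},
    {"ts": 950, "user": "bob", "host": "srv1", "kind": "account_created"},
]


def baseline_anomalies(history, observed, k=3.0, min_samples=5):
    """Statistical baseline: flag users whose count exceeds mean + k * stddev of their history."""
    flagged = []
    for user, count in observed.items():
        samples = history.get(user, [])
        if len(samples) < min_samples:
            continue  # not enough history to judge; a real system keeps learning
        threshold = mean(samples) + k * pstdev(samples)
        if count > threshold:
            flagged.append(user)
    return flagged


def match_sequence(events, pattern, window_s, key="user"):
    """Pattern recognition: ordered a -> b -> c within window_s seconds, tracked per key."""
    state = {}  # key -> (index of next expected step, window start, matched events)
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        k = e[key]
        idx, start, matched = state.get(k, (0, None, []))
        if start is not None and e["ts"] - start > window_s:
            idx, start, matched = 0, None, []  # window expired, start over
        if e["kind"] == pattern[idx]:
            if idx == 0:
                start = e["ts"]
            matched = matched + [e]
            idx += 1
            if idx == len(pattern):
                hits.append((k, [m["kind"] for m in matched]))
                idx, start, matched = 0, None, []
        state[k] = (idx, start, matched)
    return hits


def build_whitelist(training_events):
    """Whitelist profiling: learn the set of processes normally started on each host."""
    whitelist = defaultdict(set)
    for e in training_events:
        if e["kind"] == "process_start":
            whitelist[e["host"]].add(e["process"])
    return whitelist


def whitelist_exceptions(whitelist, events):
    """Exception-based detection: process starts absent from the host's learned profile."""
    return [(e["host"], e["process"]) for e in events
            if e["kind"] == "process_start" and e["process"] not in whitelist.get(e["host"], set())]


def run_detectors():
    """Run all three detectors over the constructed data and return their findings."""
    return {
        "baseline": baseline_anomalies(FAILED_LOGIN_HISTORY, FAILED_LOGINS_TODAY),
        "sequence": match_sequence(EVENTS, ("login_failure", "login_success", "account_created"), 300),
        "whitelist": whitelist_exceptions(build_whitelist(TRAINING_PROCESSES), EVENTS),
    }


if __name__ == "__main__":
    print(run_detectors())
```

Note the two ways a sequence rule can stay quiet: bob's steps occur in the right order but 790 seconds apart, so the window expires and nothing fires, and alice's second failure between steps a and b is simply ignored rather than resetting the match. The baseline detector refuses to judge a user with fewer than five days of history, which is the usual guard against alerting on a profile that has not finished learning.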

Forensics Analysis

Utilizes LogRhythm’s powerful analytics to search, visualize, and pivot/drill down on data at rest to gain insight into nefarious behavior, potential risks and imminent threats to your organization.

Search
LogRhythm offers a simple, intuitive interface that delivers powerful, “Google-like” search capabilities through a Quick Search toolbar for immediate access to forensic data, as well as a straightforward, wizard-based GUI for performing rapid, sophisticated searches across large volumes of data from any time period.

Visualize
LogRhythm’s interface delivers fully interactive network visualization and relationship mapping as well as long term trending views and fully interactive visual analytics. This delivers exceptional visual correlation capabilities and global event awareness.

Pivot/Drill Down
LogRhythm’s fully interactive dashboards and investigation tools deliver rapid forensics, making it simple to work with large data sets directly on screen with on-the-fly filtering, quick pivot, and fast drill down into the underlying raw data.

Output

Actionable Intelligence

LogRhythm delivers real-time value and insight from data collected with risk prioritized alerts, real time dashboards and reports.

Risk Prioritized Alerts
LogRhythm ensures that the appropriate personnel are alerted when specific asset risk and threat levels are reached, based on logical Risk-Based Priority protocols.

Real-Time Dashboards
LogRhythm provides out-of-the-box, use-case specific layouts, as well as customizable views for fully interactive visualization and real time analysis into security, compliance and operational events.


Reports 
LogRhythm combines the convenience of prepackaged reports with the flexibility of powerful ad hoc reporting for efficient and meaningful data distribution. LogRhythm comes with over 800 pre-defined reports and hundreds of additional templates that can be used to create unlimited custom reports for security, operations and compliance use cases.

Incident Response

Instant response to alarms and notifications via LogRhythm’s SmartResponse™, workflow and case management capabilities for streamlined incident management.

SmartResponse™
Delivers immediate protection from security threats, compliance policy violations and operational issues by providing the power to automatically execute any script in response to relevant alarms. An optional, built-in approval process can require up to 3 levels of authorization prior to taking action, providing the option of reviewing the facts first – before the wrong person’s access is removed or a critical application is mistakenly shut down.

Workflow
Integrates incident management capabilities, providing real-time updates on an incident's status (e.g., working, closed) and displaying incidents for which users are responsible, which they can update and annotate as appropriate. An audit trail of all actions taken by each LogRhythm user is maintained and secured for auditing purposes, and out-of-the-box reports provide real-time information on status and response.

Case Management
Automates and streamlines incident response through task management, workflow and collaboration capabilities.