Posts tagged: 'log analysis'

The following posts are associated with the tag you have selected. You may subscribe to the RSS feed for this tag to receive future updates relevant to the topic(s) of your interest.

http://blog.logrhythm.com/tags/log-analysis/feed

Advanced Correlation for the masses

Today LogRhythm officially released our Advanced Intelligence (AI) Engine – a fully integrated extension of our core solution that performs advanced correlation and pattern recognition.  And while the concept isn’t new, we’re pretty sure that once you take a look, you’ll see that the execution is pretty groundbreaking. 

So what is advanced correlation and pattern recognition?  In practical terms, it’s being able to automatically identify a sequence of events and recognize a relevant pattern of behavior that will have some sort of impact on another event that will happen as a result.  If this were to take place in your brain, it might happen something like this…  You walk in the house from the garage and shut the door behind you.  Once that’s done, you might expect to see moonlight coming through the next doorway as you make your way up the stairs.  So logically if it’s too dark something is wrong.  You should automatically realize that the absence of light once you shut the door behind you means that the next door is shut.  Typically you would register the correlation between the two and you would know to put your hand out to open the next door.  Unless you, like me, are on autopilot by the time you get home from work.  Because there are better ways to make that connection than with your forehead.

Unlike your brain, an IT environment is not typically capable of recognizing an important sequence on its own.  That’s why solutions exist to analyze event data and let you know when something has happened, or is about to happen, that may cause you pain.  From a security standpoint that might be five failed login attempts from a single unknown IP followed by a successful login, indicating that you may have suffered an external breach.

Tools for doing this have been around for a while, but with limitations.  One of them is that they are typically restricted to analyzing a subset of data that has already filtered out significant information before it ever gets to the correlation engine.  This narrows the scope of coverage to specific security-oriented use cases and takes away the flexibility to cast a wider net for event sequences that may not be as well defined.  AI Engine has removed this limitation by allowing advanced correlation rules to be run against all log data.  By doing so we have expanded the scope of what you can do with advanced correlation and pattern recognition to extend well beyond the standard security use cases.  An operations example would be when you have a critical process that may start and stop on a regular basis.  Operationally this is standard behavior.  You don’t need to know every time the process stops or you’ll quickly start ignoring the alerts.  But you do need to know when it doesn’t start back up within a certain time frame.
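The two rules sketched above (failed logins followed by a success from the same unknown address, and a critical process that stops and does not come back within a grace period) can be stated as a small stream correlator. The script below is an added example written for this page, not LogRhythm code and not a description of how AI Engine evaluates its rules; the log format, field names, thresholds and the sample lines are all constructed for the illustration.

```python
"""Two event-sequence correlation rules run over constructed log lines.

Rule 1: failure_threshold or more failed logins from one source address,
        followed by a successful login from the same address inside
        failure_window, from an address not in known_sources.
Rule 2: a monitored process reports 'stopped' and no matching 'started'
        arrives within restart_grace. A stop that restarts in time is
        deliberately silent, so routine restarts do not generate alerts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system). One event per line:
# "<ISO timestamp> <host> <event> key=value ..."
SAMPLE_LOGS = """\
2010-05-10T09:00:01 web01 auth user=bob src=10.0.0.5 result=failure
2010-05-10T09:00:03 web01 auth user=bob src=10.0.0.5 result=failure
2010-05-10T09:00:05 web01 auth user=bob src=10.0.0.5 result=failure
2010-05-10T09:00:07 web01 auth user=bob src=10.0.0.5 result=failure
2010-05-10T09:00:09 web01 auth user=bob src=10.0.0.5 result=failure
2010-05-10T09:00:12 web01 auth user=bob src=10.0.0.5 result=success
2010-05-10T09:01:00 web01 auth user=alice src=192.168.1.20 result=failure
2010-05-10T09:01:02 web01 auth user=alice src=192.168.1.20 result=success
2010-05-10T09:05:00 app01 process name=billing state=stopped
2010-05-10T09:05:30 app01 process name=billing state=started
2010-05-10T09:10:00 app01 process name=reporting state=stopped
2010-05-10T09:30:00 web01 auth user=carol src=192.168.1.20 result=failure
"""


def parse(line):
    """Split one constructed log line into a dict of its fields."""
    ts, host, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def correlate(lines, known_sources=frozenset(), failure_threshold=5,
              failure_window=timedelta(minutes=10),
              restart_grace=timedelta(minutes=5), as_of=None):
    """Return a list of (rule, subject, detail) alerts for the log text."""
    events = sorted((parse(l) for l in lines.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(deque)   # rule 1: per source, recent failure times
    pending_stop = {}               # rule 2: per process, time of unmatched stop

    def expire_stops(now):
        # A stop older than the grace period with no restart fires exactly once.
        for name, stopped_at in list(pending_stop.items()):
            if now - stopped_at > restart_grace:
                alerts.append(("process_not_restarted", name, stopped_at.isoformat()))
                del pending_stop[name]

    for e in events:
        now = e["ts"]
        expire_stops(now)
        if e["event"] == "auth":
            q = failures[e["src"]]
            while q and now - q[0] > failure_window:   # drop stale failures
                q.popleft()
            if e["result"] == "failure":
                q.append(now)
            elif e["result"] == "success":
                if len(q) >= failure_threshold and e["src"] not in known_sources:
                    alerts.append(("bruteforce_then_success", e["src"], e["user"]))
                q.clear()   # a success ends the sequence either way
        elif e["event"] == "process":
            if e["state"] == "stopped":
                pending_stop.setdefault(e["name"], now)   # keep the earliest stop
            elif e["state"] == "started":
                pending_stop.pop(e["name"], None)

    # In a live system a timer would do this; for a finite batch, evaluate
    # any still-pending stops against the supplied wall-clock time.
    if as_of is not None:
        expire_stops(as_of)
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, known_sources={"192.168.1.20"}):
        print(alert)
```

Note that the process rule fires on the absence of an event, which is why it needs a clock: the alert for `reporting` is only raised when a later event (or the `as_of` time) shows the grace period has elapsed. The login rule, by contrast, is triggered by the arrival of the success event, so the per-source failure counter is cleared as soon as that sequence completes.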

Perhaps the biggest drawback of most advanced correlation tools is their complexity.  They may work well within the confines of their preconfigured rules, but adaptability and usability are limited.  They’re kind of like a remote control that handles a few functions and operates your television.  Your options for adding new features to the remote are limited.  If you have the tools, the time and the knowledge, you can take the remote apart and rebuild it to handle your new Blu-ray player.  Practically speaking, you will probably be adding a second remote to your collection, or you’ll be waiting for a remote that someone else builds that is capable of working with your TV and Blu-ray player.  Add a receiver for a new sound system and you have a third remote.  Now this may not be that bad at home, but imagine you have thousands of heterogeneous devices that you need to control, and limited time to do so.  What you really need is one universal remote that handles all of your devices and can be easily programmed to handle what you have now and what you will add in the future.  And as new features are added, the remote has to adapt to those as well.

It’s the same thing with pattern recognition.  Sure there are specific behavior patterns that you know you have to identify because they are similar for all environments, but over time, that behavior may change.  And there are things that you may want to watch for that are less defined but no less important to detect.  For those things you need the ability to cast a wider net and once you are able to detect and understand those behavior patterns that are more general, you also need to be able to quickly put a rule in place that will narrow in on specific activities.  Without a usable interface, advanced correlation tools lack the flexibility to adapt to what you need in your environment or to keep up with new behavior patterns that are critical to security and operations.

AI Engine is accessed through LogRhythm’s console, with the same consistent look and feel inherent to all LogRhythm tools.  A wizard-based interface with a drag-and-drop GUI for defining advanced correlation makes creating and customizing even complex rules simple to learn and quick to execute.  It also correlates against all log data – not just a pre-filtered subset of security events.  AI Engine analyzes over 50 different metadata fields and many more sub-fields that provide highly relevant data for analysis and correlation.  The metadata fields map to system, network and application information extracted from the logs themselves, but they also include context that is derived from the log information, such as direction, impacted entities, the city from which activity originated and more.  The extensive metadata from which advanced correlation rules and patterns can be defined, combined with the entirety of all log data against which these rules can be applied, offers unprecedented visibility and context for threats and operational issues that have been blind spots for many organizations until now.  At the same time, AI Engine can easily be used to cast a wide net with more general correlation rules, ensuring that significant incidents are captured despite changes in event behavior.  Sure, AI Engine comes with over 100 rules ready to go out of the box, covering a wide range of common use cases, both general and tightly focused.  But we’ve also designed it to work for you.

If you want to know more about our AI Engine, we’ll be happy to show you how it works.  Just let us know.  Or check out Chris Petersen’s video in which he demonstrates AI Engine.  You can hear the entire LogRhythm story or simply jump to the chapter on AI Engine.   Watch the Demo.


0 Comments | Security


How many ways can you ask the same question?

I have spent the last couple of weeks reviewing some of the RFPs that LogRhythm has answered to get a better idea of how we can streamline the response process.  One of the things that jumped out is the complete lack of consistency from one RFP format to the next.  It seems like each company is reinventing the wheel in every shape but round, even though they are all trying to end up in the same place – with a Log Management/SIEM solution that meets their company objectives without destroying their budget.

I realize that it must be difficult putting an RFP together. What do you ask and why?  A clear answer is hard to find without asking the question correctly, and after asking how do you score the results of what will most likely be at least a partially subjective response?  Each respondent is trying to win your business, which will almost certainly be reflected in their responses.  Just as important as asking the question is finding a way to filter out the chaff in the response.  This means that you not only have to ask the right question, you also have to have a pretty good understanding of the answer that you expect up front.

This is the same problem that administrators face after the RFP process plays out and a product is selected and implemented.  Once the Log Management/SIEM solution is in place, how do you use it to get the information that you need?  Or more importantly, how do you take what you know and put it in a format that even your boss can understand?  How a question is asked – or how a query is defined – determines what data is returned. If the question isn’t clear then the results won’t be either.  Having a solution that helps you clearly ask the question makes getting the right response easier.

Delivering tools that facilitate the query process is one of the things that LogRhythm does exceptionally well.  By providing a wizard-based process to run reports and investigations, LogRhythm both speeds up and simplifies the process of extracting relevant information.  We also automate the data enrichment process so that the information returned is clearly defined, properly categorized and easy to understand.

As far as streamlining the RFP process for you?  Well, we can’t tell you exactly what you need, but we do have a pretty good idea of the questions you want to ask when evaluating Log Management/SIEM solutions.  Feel free to ask for a copy of our template.


2 Comments | General


From Bangkok Dangerous to SIEM 2.0

If you like watching movies, you probably remember a movie from a couple of years ago called Bangkok Dangerous, starring Nicolas Cage. I am not here to review this movie (although many think this is one of Nicolas Cage’s worst movies), but I would like to take this opportunity to look at the current Bangkok situation and the Thai Government’s regulations on Log Management.

If you have been following international news coverage of Thailand closely, you know that the “Red Shirt” protestors have been crippling the Thai capital with protests for the past few months. In fact, Bangkok really is dangerous now and the Thai Government is taking an increasingly harder stance as the clashes with demonstrators continue.

On the other hand, this danger does not extend into the information technology world. The Thai government is one of the few in South East Asia to publish a doctrine like the Computer Crime Act (CCA) B.E. 2550, first written in 2007 and enforced as a law in July of 2008. Basically, the CCA addresses issues such as illegal access (hacking or cracking), attacking computer systems using sniffers, malicious code, viruses, Trojan horses, worms or spamming, spyware/adware, or denial of service.

The law also imposes a strict requirement that certain entities maintain logs of the traffic data generated by users of that entity’s network for at least 90 days. However, the CCA uses language that is somewhat broad in the area of Log Management. This has led many organizations to look at a wide range of products, from basic “freeware” tools to sophisticated enterprise Log Management solutions, to fulfill the requirement.

LogRhythm has been in the market since 2002 and has consistently maintained that standalone, simple Log Management tools are not the best option for an enterprise, despite the initial low cost. We strongly recommend that organizations look for an integrated Log Management & SIEM (Security Information & Event Management) solution. Basic Log Management tools limit their capabilities to collecting, storing and protecting log data. Unfortunately they are frequently lacking in proactive, automated analytics that tell you what is going on in real time, which means that you need to manually analyze or search all logs to understand the whole picture. A combined Log Management & SIEM solution provides log analysis, real-time monitoring and correlation capabilities. This enables enterprises to easily comply with log data retention regulations while simultaneously gaining valuable, timely and actionable insights into security, availability, performance and audit issues within their infrastructure.

Some may question why an organization needs to buy an integrated Log Management & SIEM solution in the first place. It is true that you can buy a simple log management tool as a quick start. But you will eventually find that it has insufficient capabilities and will need to buy additional tools. These will not only increase your capital investment but also increase the complexity and future maintenance cost leading to other questions needing to be answered. Does the new vendor’s SIEM work with my existing Log Management solution? How long will it take to configure both solutions so that they can work together seamlessly?

As a matter of fact, the Thai government also realizes the deficiency of the original CCA and plans to add the additional requirements of log analysis, correlation and real-time monitoring later this year. So organizations with a legacy log management solution will now need to look for a new tool to fulfill these additional requirements. For those organizations taking a long-term approach, choosing an integrated Log Management & SIEM solution now means no headaches filling the gap later. As an example of next-generation Log Management & SIEM 2.0, solutions like LogRhythm provide better real-time monitoring, network awareness and IT forensics than ever before.

By the way, “Bangkok Dangerous” was directed by the Pang brothers (Oxide and Danny), famous dual directors in Hong Kong, and is a remake of a movie of the same title from 1999. In fact, many people call this new movie “Bangkok Dangerous 2.0”.


0 Comments | Compliance