Posts tagged: 'logrhythm'
NT & 2000. You’ll need more than a pocketful of posies…
Trust. The internet simply can’t afford it. I’m not talking about notional trust, or any form of technical trust. I’m talking about actual trust. Users of the internet can do without it.
Why the cynicism? Well, you can’t possibly sit pontificating on 21st Century computing without at least skimming over social networking, and before you know it you’re at trust. I was ruminating on such things and it struck me how Web 2.0 and 3.0 have brought trust back to an area of human endeavour where we should be innately mistrustful. Don’t get me wrong. The democratisation of the internet through such channels ranks for me as a crowning achievement of humankind, but let’s not be naive. Your friendly neighbourhood knee-cappers, drug runners and extortionists now see the internet as fertile ground for the exploitation of new markets. Further to this, the advent of weaponised, state-sponsored malware like Stuxnet reiterates the fact that none of us are in Kansas anymore.
Social networking – almost all of us do it. Many of us do it online. We now have potentially lifelong connections with school friends, work colleagues and even casual acquaintances. We spin up webs of dozens or even hundreds of people that we ‘presumably’ know and ‘presumably’ trust. Indeed, the recent push on Facebook for everyone to choose https as the mechanism for delivery of social content has not helped, because now you’re in perpetual touch with all of these people inside an SSL-secured channel. What could possibly go wrong? Facebook apps are safe, right? Wrong. In fact, malware originating from social networking channels is the next big attack vector. If your organisation has a liberal policy toward social networking in the workplace, then you are potentially asking for trouble.
Unless you have a very sophisticated next-generation firewall infrastructure and a culture of continuous education for your users on social networking hygiene in the context of the modern organisation, then things could go very badly awry. Visualise this: a piece of malware sent from a trusted friend and confidant of one of your employees hits their Facebook inbox. A couple of clicks later, your firewall doesn’t even blink at the traffic whistling across port 443, arriving on the user’s desktop and spinning up a nasty piece of proliferative, zero-day malware. No problem, right? Your desktop scanners do heuristics, and the IDS will pick up anything else.
Well, what about the legacy NT systems, typically performing tasks of quasi-SCADA level criticality? What about the 2000 systems housing legacy applications that are too costly to migrate, but too valuable to retire? Sophisticated modern malware will make a beeline for these systems. So, how can you get an early view of compromises, non-intrusively? How can you make stateful correlations between changes in behaviour in your legacy systems and possibly compromised user credentials? How can you take metrics from all around your infrastructure about the security of your people, your processes and your systems and view them in a normalised, human-readable, business-meaningful way?
You don’t need a log management solution. You need a REALLY GOOD log management solution.
For further insight on zero day exploits, and how a next generation SIEM will help, see our use case resources on our website.
Tags: log management, logrhythm, malware, siem, zero day exploits
Advanced Correlation for the masses
Today LogRhythm officially released our Advanced Intelligence (AI) Engine – a fully integrated extension of our core solution that performs advanced correlation and pattern recognition. And while the concept isn’t new, we’re pretty sure that once you take a look, you’ll see that the execution is pretty groundbreaking. 
So what is advanced correlation and pattern recognition? In practical terms, it’s being able to automatically identify a sequence of events and recognize a relevant pattern of behavior that will have some sort of impact on another event that will happen as a result. If this were to take place in your brain, it might happen something like this… You walk in the house from the garage and shut the door behind you. Once that’s done, you might expect to see moonlight coming through the next doorway as you make your way up the stairs. So logically if it’s too dark something is wrong. You should automatically realize that the absence of light once you shut the door behind you means that the next door is shut. Typically you would register the correlation between the two and you would know to put your hand out to open the next door. Unless you, like me, are on autopilot by the time you get home from work. Because there are better ways to make that connection than with your forehead.
Unlike your brain, an IT environment is not typically capable of recognizing an important sequence on its own. That’s why solutions exist to analyze event data and let you know when something has happened, or is about to happen, that may cause you pain. From a security standpoint that might be five failed login attempts from a single unknown IP followed by a successful login, indicating that you may have suffered an external breach.
Tools for doing this have been around for a while, but with limitations. One of them is that they are typically restricted to analyzing a subset of data that has already filtered out significant information before it ever gets to the correlation engine. This narrows the scope of coverage to specific security-oriented use cases and takes away the flexibility to cast a wider net for event sequences that may not be as well defined. AI Engine has removed this limitation by allowing advanced correlation rules to be run against all log data. By doing so we have expanded the scope of what you can do with advanced correlation and pattern recognition to extend well beyond the standard security use cases. An operations example would be when you have a critical process that may start and stop on a regular basis. Operationally this is standard behavior. You don’t need to know every time the process stops or you’ll quickly start ignoring the alerts. But you do need to know when it doesn’t start back up within a certain time frame.
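The two rules described above (a burst of failed logins followed by a success, and a process that stops without starting again inside a grace period), written as stateful correlation logic in Python. This is an added example, not AI Engine code; the event stream, the event field layout, the window sizes and the process name are all constructed for the demo.

```python
"""Two stateful correlation rules run over a constructed event stream:
   (1) N failed logins from one source followed by a success from that source,
   (2) a critical process that stops and is not started again within a grace period."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, event type, key); not real log data.
# The key is the source IP for auth events and the process name for process events.
SAMPLE_EVENTS = [
    ("2011-03-01 08:00:00", "auth_fail",    "203.0.113.7"),
    ("2011-03-01 08:00:05", "auth_fail",    "203.0.113.7"),
    ("2011-03-01 08:00:09", "auth_fail",    "203.0.113.7"),
    ("2011-03-01 08:00:14", "auth_fail",    "198.51.100.2"),   # unrelated single failure
    ("2011-03-01 08:00:20", "auth_fail",    "203.0.113.7"),
    ("2011-03-01 08:00:25", "auth_fail",    "203.0.113.7"),
    ("2011-03-01 08:00:31", "auth_success", "203.0.113.7"),    # five failures, then success
    ("2011-03-01 08:05:00", "proc_stop",    "batch-loader"),
    ("2011-03-01 08:05:30", "proc_start",   "batch-loader"),   # back within grace: normal
    ("2011-03-01 08:10:00", "proc_stop",    "batch-loader"),   # never restarted
    ("2011-03-01 08:20:00", "auth_success", "198.51.100.2"),   # later event exposes the miss
]

FMT = "%Y-%m-%d %H:%M:%S"

def correlate(events, fail_threshold=5, fail_window=timedelta(minutes=5),
              restart_grace=timedelta(minutes=2)):
    """Replay events in time order and return a list of (rule, key, timestamp) alerts."""
    alerts = []
    failures = defaultdict(deque)  # source -> timestamps of failures inside fail_window
    stopped = {}                   # process -> time it stopped, awaiting a proc_start
    for ts, kind, key in sorted(events):
        now = datetime.strptime(ts, FMT)
        # Rule 2: any event arriving after the grace period proves the process did not
        # come back in time, so the deadline is checked on every event, not only on stops.
        for proc, since in list(stopped.items()):
            if now - since > restart_grace:
                alerts.append(("process_not_restarted", proc, since.strftime(FMT)))
                del stopped[proc]
        if kind == "auth_fail":
            window = failures[key]
            window.append(now)
            while window and now - window[0] > fail_window:  # forget stale failures
                window.popleft()
        elif kind == "auth_success":
            # Rule 1: a success only matters when it follows a burst of failures.
            if len(failures[key]) >= fail_threshold:
                alerts.append(("brute_force_then_success", key, ts))
            failures[key].clear()
        elif kind == "proc_stop":
            stopped[key] = now
        elif kind == "proc_start":
            stopped.pop(key, None)  # restarted in time: stay quiet, no alert fatigue
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```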
Perhaps the biggest drawback of most advanced correlation tools is their complexity. They may work well within the confines of their preconfigured rules, but adaptability and usability are limited. They’re kind of like a remote control that handles a few functions and operates your television. Your options for adding new features to the remote are limited. If you have the tools, the time and the knowledge, you can take the remote apart and rebuild it to handle your new Blu-ray player. Practically speaking you will probably be adding a second remote to your collection or you’ll be waiting for a remote that someone else builds that is capable of working with your TV and Blu-ray. Add a receiver for a new sound system and you have a third remote. Now this may not be that bad at home, but imagine you have thousands of heterogeneous devices that you need to control, and limited time to do so. What you really need is one universal remote that handles all of your devices and can be easily programmed to handle what you have now and what you will add in the future. And as new features are added, the remote has to adapt to those as well.
It’s the same thing with pattern recognition. Sure there are specific behavior patterns that you know you have to identify because they are similar for all environments, but over time, that behavior may change. And there are things that you may want to watch for that are less defined but no less important to detect. For those things you need the ability to cast a wider net and once you are able to detect and understand those behavior patterns that are more general, you also need to be able to quickly put a rule in place that will narrow in on specific activities. Without a usable interface, advanced correlation tools lack the flexibility to adapt to what you need in your environment or to keep up with new behavior patterns that are critical to security and operations.
AI Engine is accessed through LogRhythm’s console, with the same consistent look and feel inherent to all LogRhythm tools. A wizard-based interface with a drag-and-drop GUI for defining advanced correlation makes creating and customizing even complex rules simple to learn and quick to execute. It also correlates against all log data – not just a pre-filtered subset of security events. AI Engine analyzes over 50 different metadata fields and many more sub-fields that provide highly relevant data for analysis and correlation. The metadata fields map to system, network and application information extracted from the logs themselves, but they also include context that is derived from the log information such as direction, impacted entities, the city from which activity originated and more. The extensive metadata from which advanced correlation rules and patterns can be defined, combined with the entirety of all log data against which these rules can be applied, offers unprecedented visibility and context to threats and operational issues that have been blind spots for many organizations until now. At the same time, AI Engine can easily be used to cast a wide net with more general correlation rules, ensuring that significant incidents are captured despite changes in event behavior. Sure AI Engine comes with over 100 rules ready to go out-of-the-box covering a wide range of common use cases, both general and tightly focused. But we’ve also designed it to work for you.
If you want to know more about our AI Engine, we’ll be happy to show you how it works. Just let us know. Or check out Chris Petersen’s video in which he demonstrates AI Engine. You can hear the entire LogRhythm story or simply jump to the chapter on AI Engine. Watch the Demo.
Tags: advanced correlation, log analysis, logrhythm, pattern recognition, siem
A Popup Timer for Log and Event Management?
In the spirit of Thanksgiving, I’m going to try to draw a comparison between cooking a turkey and using a log and event management solution to successfully monitor and manage a network. Cooking a turkey isn’t as simple as throwing it in the oven and setting a timer. Nothing wrecks a Thanksgiving meal like a dry and tasteless turkey. Sure, getting a quality turkey is important, but it’s not the only factor. Unless you have absolutely no standards, there’s a lot of preparation involved, culminating with cooking it to the proper temperature.
Doing Thanksgiving right involves a combination of preparation, proper equipment, and timing. A breakdown of any one of these factors can completely derail an otherwise well planned event. When Thanksgiving rolled around last year my oven was failing and I had no idea. Despite brine soaking the turkey overnight, getting up early to preheat the oven and making sure that I had plenty of cooking time, I had no idea that the oven wasn’t working right. That left us with a completely undercooked dinner two hours after we were supposed to eat, before I realized that something more significant than miscalculating the time was going on. Had I been alerted that my oven was running 50 degrees cooler than the gauge was displaying, I would have adjusted the setting to compensate – problem solved, dinner served.
The same thing is true in IT. Something as simple as sending an email can be derailed by a variety of issues throughout the network – without you having any idea why. Even if the mail server is operating properly, numerous things can go wrong that may escape detection without the proper tools in place. The right tool can proactively alert you to let you know that a critical piece of network equipment has failed and is preventing any outbound communication. Without that notification you might have no idea that none of your organization’s communications are getting to where they’re supposed to go. With proper monitoring and notification you quickly isolate the issue and fix the problem.
So what’s the right method to find out when a critical event takes place, like a router failing or your turkey not reaching the proper temperature? In either case, the simplest way is through an automated alert. Set up a threshold or flag an event, and when the threshold is reached or the event takes place, a notification is sent. With a good Log and Event Management solution, that’s easy enough to accomplish. In LogRhythm you open a wizard, take a few steps to define how and when you want to be notified, and activate the alarm rule. The wizard-based approach has the added benefit of making it easy to add enough detail to an alarm to actually make it meaningful for your exact environment. Then, in the immortal words of Ron Popeil, “Set it and forget it!”
But how do you automate notification with a turkey? Sure, you can watch the clock and hope that the turkey is done when you have cooked it a certain amount of time. But if you’re off by a little, you have to throw it back in after you have started carving, or it is overdone. Either way you’re in danger of a dry turkey. No, the simplest way to know when your turkey is done is to use a brilliant invention known as the pop-up timer. As soon as your turkey reaches the right temperature, it triggers the timer to pop up and let you know that it’s time to eat. How is that like an event-based alert? Simple. A pop-up timer works just like a threshold-based alert. A spring-loaded stick is held in place by a soft metal or plastic that is made to melt at a very specific temperature. As soon as the surrounding area raises the timer’s temperature enough, the metal melts and the spring pops the stick. That’s a lot easier than constantly pulling the turkey out of the oven and checking the temperature to see when the meat is at the right temperature to be considered done.
Yeah, that may have been a stretch, but it was an easy excuse to look up pop-up timers and how they work. Happy Thanksgiving!
Tags: log and event management, log management, logrhythm, networking monitoring
IT Archaeology: “Easy Access to Your Archived Logs for Historical Forensics”
I once lost a huge amount of data – the regular stuff such as photos and other useful files. A review of the logs with my SIEM product showed several disk failure messages. Had I only been able to make sense of the logs and known what they meant I could have saved all my data. Of course, while losing some files is inconvenient, what happens when the data that is lost is of a more critical nature, such as the log files that you may need to analyse in the future for forensic purposes or compliance? Now that I have a few more years of SIEM experience and have seen the alternatives, no one else, as far as I have seen, has executed on the concept of using log data for analysis and/or reporting like LogRhythm.
I work with Support and Professional Services at LogRhythm. A typical day at LogRhythm is one where I am reviewing tickets and a call comes in from a customer that goes something like this: “I am investigating an incident that took place 6 months ago. Is there a way I can achieve this with LogRhythm? I have so far tried restoring data from old backups and used SQL queries, command line tools and varying degrees of imagination to try finding some of the data relating to a specific user and systems. I have also logged into my Domain Controllers but they only keep up to a week of data at most.”
Fortunately I’m able to respond with: “Of course you can. Providing that you still have the Log Data available for that time period, you can use the SecondLook feature to recover any log data you want.”
It’s interesting to me that one of LogRhythm’s most useful forensics tools is one of the more ‘unknown’ features to quite a few of our customers. In LogRhythm speak this capability is known as the SecondLook archive restoration wizard, and it makes a huge difference for someone tasked with performing a forensics investigation – like the one I just mentioned.
LogRhythm’s SecondLook wizard allows you to retrieve log data from any archive files, such as those stored directly on your LogRhythm Server, or off the box on a SAN or NAS. It allows you to bring this back to a separate database and make the data available for investigations and reporting. Since the archived data is digitally signed with a cryptographic hash, it can also report if any modification or deletion of data has taken place, maintaining the digital chain of custody that most of our customers require.
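The modification and deletion check described above, as an added example in Python that is not SecondLook’s own implementation: each archive file gets a SHA-256 digest, the digest list is sealed with an HMAC so the manifest cannot be quietly rewritten to match a tampered file, and verification reports modified, deleted and unlisted archives. The archive contents, file names, manifest format and signing key are all constructed for the demo.

```python
"""Integrity manifest for archived log files: per-file SHA-256 digests sealed with an
   HMAC, so that later verification reports modified, deleted and unlisted archives."""
import hashlib
import hmac
import json

# Constructed archive contents (file name -> bytes), standing in for on-disk archive files.
ARCHIVE = {
    "2010-11-01.lca": b"Nov  1 00:00:01 dc01 Security: logon success user=alice\n",
    "2010-11-02.lca": b"Nov  2 09:12:44 dc01 Security: logon failure user=bob\n",
}
# Constructed key for the demo; a real deployment keeps this outside the archive store.
SIGNING_KEY = b"constructed-demo-key"

def _seal(digests, key):
    """HMAC over the canonical JSON form of the digest list."""
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(key, body, "sha256").hexdigest()

def build_manifest(archive, key):
    """Hash every archive file and sign the digest list; this is the manifest to retain."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in archive.items()}
    return {"digests": digests, "hmac": _seal(digests, key)}

def verify_archive(archive, manifest, key):
    """Compare the current archive against the manifest and report every discrepancy."""
    findings = {
        # A manifest whose HMAC no longer matches was edited after it was sealed.
        "manifest_tampered": not hmac.compare_digest(_seal(manifest["digests"], key),
                                                     manifest["hmac"]),
        "modified": [],
        "deleted": [],
        # Files present in the store but never recorded in the manifest.
        "unlisted": sorted(set(archive) - set(manifest["digests"])),
    }
    for name, digest in manifest["digests"].items():
        if name not in archive:
            findings["deleted"].append(name)       # listed in manifest, gone from store
        elif hashlib.sha256(archive[name]).hexdigest() != digest:
            findings["modified"].append(name)      # present, but content has changed
    return findings

def is_intact(findings):
    """True only when nothing was modified, deleted, added or re-signed."""
    return (not findings["manifest_tampered"]
            and not any(findings[k] for k in ("modified", "deleted", "unlisted")))

if __name__ == "__main__":
    manifest = build_manifest(ARCHIVE, SIGNING_KEY)
    print(verify_archive(ARCHIVE, manifest, SIGNING_KEY))
```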
To use SecondLook, all you need to configure is a new database instance called the Recovered Archive Database (RADB), which is used for analysis and forensics on data that is no longer kept online.

Then you use the SecondLook wizard to bring back any archived data that matches your search criteria into the RADB. Once it’s there, you can easily run an investigation against this database.

Don’t get me wrong, backups are very important, especially considering my data loss scenario, where a lot more than log data was lost. However, when it comes to making long term log data available for investigation and reporting on what happened several months ago, you can’t beat SecondLook.
Tags: compliance, log management, logrhythm, siem
How many ways can you ask the same question?
I have spent the last couple of weeks reviewing some of the RFPs that LogRhythm has answered to get a better idea of how we can streamline the response process. One of the things that jumped out is the complete lack of consistency from one RFP format to the next. It seems like each company is reinventing the wheel in every shape but round, even though they are all trying to end up in the same place – with a Log Management/SIEM solution that meets their company objectives without destroying their budget.
I realize that it must be difficult putting an RFP together. What do you ask and why? A clear answer is hard to find without asking the question correctly, and after asking how do you score the results of what will most likely be at least a partially subjective response? Each respondent is trying to win your business, which will almost certainly be reflected in their responses. Just as important as asking the question is finding a way to filter out the chaff in the response. This means that you not only have to ask the right question, you also have to have a pretty good understanding of the answer that you expect up front.
This is the same problem that administrators face after the RFP process plays out and a product is selected and implemented. Once the Log Management/SIEM solution is in place, how do you use it to get the information that you need? Or more importantly, how do you take what you know and put it in a format that even your boss can understand? How a question is asked – or how a query is defined – determines what data is returned. If the question isn’t clear then the results won’t be either. Having a solution that helps you clearly ask the question makes getting the right response easier.
Delivering tools that facilitate the query process is one of the things that LogRhythm does exceptionally well. By providing a wizard-based process to run reports and investigations, LogRhythm both speeds up and simplifies the process of extracting relevant information. We also automate the data enrichment process so that the information returned is clearly defined, properly categorized and easy to understand.

As far as streamlining the RFP process for you? Well, we can’t tell you exactly what you need, but we do have a pretty good idea of the questions you want to ask when evaluating Log Management/SIEM solutions. Feel free to ask for a copy of our template.
Tags: log analysis, log management, logrhythm, siem
LogRhythm wins "Innovator of the Year" from SC Magazine. "This is not your father's log manager."