Floating to Work

Well, I guess it was more like riding the rapids to work in the “express” lane. On July 14th, about 200 people “commuted” to work by tubing down Boulder Creek in the annual Tube to Work Day, an event that is growing rapidly. That was 5 times the number that did it last year.

Team LogRhythm provided a strong contingent with 80 tubers, blowing away our world record last year of 12 for the most “tube to workers” from the same company! Most of the guys had a shirt and tie, likely the only time they wore it this year. This is Boulder, of course. :)


Without a doubt, it’s one of the most fun, exhilarating and wacky things you’ll ever do. The river was running fast and cold with lots of fun rapids. There was actually “traffic” on this commute. It was a bit like bumper tubes at times, but everyone was helpful and would lend a hand to anyone stuck—an awesome community spirit all around.

We all got out at Broadway for a breakfast break of bagels (shaped like tubes of course), muffins and coffee, sponsored by LogRhythm. Then, most of the LogRhythm team got back in to complete the commute to our offices right off the creek at Pearl East Circle. We had work to do, of course, helping customers defend their networks from cyber criminals!

There were some bumps and bruises and one colleague who needed 9 stitches after a branch got the better of him. He’s healing well and planning to be back next year with a paddle to ward off the evil branches. Almost everyone flipped at some point and tailbones abruptly introduced themselves to rocks periodically. Other casualties included a few wedding bands lost as fingers shrank in the cold water. Fortunately, at my age, my fingers have gotten fat enough that my wedding band wasn’t going anywhere. :)

I did, however, make the bonehead move of taking my cell phone with me in a Zip-lock bag and forgot to double bag it this year. Last year, I wanted the ability to call if anyone got hurt. With all the people this year, that wasn’t necessary. In the end, Apple was thrilled to see me and provide me a replacement.

It was all worth it and so much more. Thanks to Jeff Kagan and his buddies for starting this awesome event years ago. I’m looking forward to TTWD 2016 already and lots more traffic!




Leading the Pack

It’s always great to get validation from the experts. In just the last week, Gartner recognized LogRhythm as a Leader in its SIEM Magic Quadrant for the fourth year in a row, and the Info-Tech Research Group gave the LogRhythm Security Intelligence and Analytics platform their highest rating in their 2015 SIEM vendor landscape—ahead of competitors like HP, IBM, Intel and Splunk. We were designated as a Champion in 4 out of 5 use cases.

Gartner Magic Quadrant Leader.

Info-Tech Research Group Vendor Landscape, 2015.

These two groups research the market, products and customers extensively to arrive at their recommendations. This recognition comes on the heels of winning several other awards over the last year and is a testament to the innovation, creativity, support and dedication coming out of Team LogRhythm every day.

As a result of their efforts, our end-to-end Threat Lifecycle Management approach is making a difference by helping organizations detect and neutralize damaging cyber threats.

Read the full Gartner 2015 SIEM Magic Quadrant Report.

Read the Info-Tech Research Group 2015 SIEM Vendor Landscape Report.



Info-Tech Research Group Designates LogRhythm as a “Champion” in 2015 SIEM Vendor Landscape Report

Last week, Info-Tech Research Group released their 2015 SIEM Vendor Landscape Report. The report evaluated ten SIEM vendors on overall product attributes, capabilities and market performance, and ranked them on their ability to address specific use case scenarios. The report is a valuable resource for helping IT and security managers:

  • Identify which SIEM solution is best for their organization
  • Evaluate vendor tools through a Vendor Shortlist Tool
  • Assess vendors in various use case scenarios
  • Complete the selection process
  • Create an implementation plan

The report discusses the origin of SIEMs and the evolution of the market. Info-Tech Research Group notes, “As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Basic forensic analysis capabilities have become a Table Stakes capability and should no longer be used to differentiate solutions. Instead focus on advanced detection methods and usability to get the best fit for your requirements.”

Vendor Evaluation

So what are the table stakes? Info-Tech Research Group defines them in the graphic below. Note that the table stakes represent the minimum standard for product evaluation; a product that lacks one of them should not make the shortlist at all.

Figure 1. Table Stakes (Info-Tech Research Group 2015 SIEM Vendor Landscape Report p. 6)


Info-Tech Research Group also outlines advanced features that allow for product differentiation. These include:

  • Threat Intelligence Feed
  • Incident Management and Remediation
  • Full Security Threat Visibility
  • Scalability and Network Performance

Vendor Scoring

Info-Tech Research Group scored vendors on both Product Evaluation Features and Vendor Evaluation Features (as seen below).

Figure 2. Scoring Methodology (Info-Tech Research Group 2015 SIEM Vendor Landscape Report p.9)

Info-Tech Research Group also introduced their ValueScore™ analysis, which they define as follows: “Each use-case scenario also includes a Value Index that identifies the Value Score for a vendor relative to their price point. This additional framework is meant to help price-conscious enterprises identify vendors who provide the best ‘bang for the buck.’”

Use Case Scenarios

In their report, Info-Tech Research Group provided five use cases against which to evaluate vendors. These were chosen based on market research and client demand. They include:

  • Threat Management
  • Compliance Management
  • Management of Security Events
  • SIEM Small Deployments
  • Risk Management

LogRhythm Evaluation

In this evaluation, LogRhythm received the rating of “Champion” in four of five SIEM use cases and “Best Overall Value” in all five SIEM use cases. According to Info-Tech Research Group, “LogRhythm offers the most feature-rich product with the ability to adapt to trends.”

About the Report

Info-Tech Research Group Vendor Landscape reports recognize outstanding vendors in the technology marketplace.

Info-Tech Research Group’s SIEM Vendor Landscape Report is one of the most comprehensive assessments of SIEM offerings available in the market. Having LogRhythm’s security intelligence and analytics platform recognized by an independent analyst firm is great validation of our vision and execution. It highlights our ongoing commitment to innovation that helps our customers continuously improve their ability to detect, respond to and neutralize cyber threats before they cause damage.

Access the 2015 Info-Tech Research Group SIEM Vendor Landscape to see the complete vendor scores.



“IT Helpdesk” Email to Jimdo Phishing

Over the last few days, we have been tracking another new phishing campaign attempting to steal domain credentials. This particular example centers on the jimdo.com web hosting service. If you are not familiar with Jimdo, it lets anyone create a free website under a jimdo.com subdomain. Jimdo is headquartered in Hamburg, with other locations around the globe, including the US.

Like any web hosting service, Jimdo faces a constant battle against malicious use of its platform. The example below was reported to Jimdo on July 7th. Unfortunately, in our experience reported malicious Jimdo sites are rarely taken down promptly, which makes the service “the easy way to create your own (phishing) website.”

The Bait:

The user receives the following phishing email. The sender address is nothing noteworthy in this particular example; such emails typically come from spoofed or hijacked email accounts, both personal and corporate.

Phishing Email

Clicking the “Click Here” link takes the victim to hxxp://hoe447jkjdl.jimdo.com, which happened to produce the amusing result seen below.




VirusTotal scan can be found HERE.

Chrome has already classified the site as phishing and provides its user base the following warning:



Spotting the Phishing Attempt:

The site is clearly attempting to steal domain credentials from unaware users. While the page is formatted rather well, Jimdo requires a banner at the bottom of its free pages, and that banner is easy to spot.


In terms of training users to identify phishing attempts, this is a great example. Focusing user training on spotting the malicious “red flags” is an effective way to limit the risk users pose to the organization. Those flags center on the sender address, the URLs in the message and any attachments. Attackers commonly spoof or hide these flags (email spoofing, URL redirection, etc.), so no single flag is conclusive, but they are still the right place to start educating your users.
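The same three red flags (sender address, URLs, attachments) can be checked mechanically before a message ever reaches the user. The following is an added example, not code from the original post or from LogRhythm: it parses a raw email, extracts the links from the HTML body, and reports a Reply-To domain that differs from the sender, links to free-hosting domains where anyone can stand up a page (jimdo.com is the one from this post; the rest of the list is illustrative), links whose host is outside the sender’s domain, link text that shows one host while pointing at another, and risky attachment types. The sample message is constructed; only the hoe447jkjdl.jimdo.com hostname comes from the post, and example-corp.com / mail-validate.example are placeholder domains.

```python
"""Mechanical check for the phishing red flags discussed above: sender
address, URLs and attachments. Added example, not LogRhythm code."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Site-builder / free-hosting domains where a throwaway subdomain can be
# created in minutes. Illustrative list; extend it from your own block data.
FREE_HOSTING = {"jimdo.com", "weebly.com", "wix.com", "webnode.com"}
RISKY_ATTACHMENTS = (".exe", ".scr", ".js", ".vbs", ".hta", ".zip")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels): fine for .com-style hosts, not co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def addr_domain(header_value) -> str:
    """Domain of an address header such as 'IT Helpdesk <x@y.com>'."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def phishing_flags(raw: bytes) -> list:
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    sender = addr_domain(msg["From"])
    reply_to = addr_domain(msg["Reply-To"])
    if reply_to and reply_to != sender:
        flags.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENTS):
            flags.append(f"risky attachment {name}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return flags
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        if registered_domain(host) in FREE_HOSTING:
            flags.append(f"link to free-hosting site {host}")
        if registered_domain(host) != sender:
            flags.append(f"link host {host} is outside sender domain {sender}")
        # Link text that looks like a URL but resolves to a different host.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and registered_domain(shown) != registered_domain(host):
                flags.append(f"link text shows {shown} but points to {host}")
    return flags


# Constructed sample modelled on the "IT Helpdesk" lure; domains are placeholders.
SAMPLE = b"""From: IT Helpdesk <helpdesk@example-corp.com>
Reply-To: itsupport@mail-validate.example
To: user@example-corp.com
Subject: Mailbox quota exceeded - validate your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox has exceeded its storage limit.
<a href="http://hoe447jkjdl.jimdo.com">Click Here</a> to validate your
account within 24 hours or it will be suspended.</p></body></html>
"""

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("RED FLAG:", flag)
```

Run against the sample it reports three flags: the Reply-To mismatch, the free-hosting link and the link host outside the sender’s domain. None of these is proof on its own (legitimate newsletters routinely link off-domain), which is why the output is a list of flags for a human or a scoring rule rather than a verdict.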

An Update from Jimdo
LogRhythm began receiving communication from Jimdo’s “Abuse Assassin,” Peter Rudek, on July 29th, followed by the official response below on July 30th. While the Jimdo team was unable to share specifics on their defenses, they provided this information about their anti-abuse practices and incident response process.

“– We’re sourcing moderation and Threat Intelligence Providers.
– The data we collected over the years allows us to develop in-house tools suited to the patterns the attackers are using on our system.
– As these suspects are changing their patterns fast, that’s where our manual (i.e. human intelligence) kicks in to analyze the change and adjust our automated systems accordingly.

Comparing our auto-elimination count with the alerts we receive via various channels (blacklist aggregators, anti-malware companies, CERTs, copyright holders and individuals) I’d say we have approx. 80% recognition rate. After an alert is received it shouldn’t take more than 20 min to very few hours (depends on the time of day + the load) to have that site taken down.”



4 Steps to Assessing Risk

In a recent survey, Security Spending and Preparedness in the Financial Sector, SANS polled organizations within this sector to better understand their outlook on the risks facing them. From the results, SANS made suggestions that align with the Federal Financial Institutions Examination Council (FFIEC) guidance on the critical steps in performing a risk assessment. In this post, I’ll discuss each step in more detail, provide some tips and tricks, and review some considerations not outlined by SANS or the FFIEC. Remember, it’s best to validate any audit considerations with your internal or external audit body.

Ongoing data collection

When we discuss ongoing data collection about the organization’s environment and the threats facing it, a key aspect is the frequency with which data is collected and assessments are performed. Most compliance mandates, at a minimum, require an annual risk assessment against the organization’s environment (both electronic and physical), its business processes and its third-party interactions.

However, the organization’s environment and the threats facing it are ever changing. As changes occur, whether a new risk facing the industry or new systems or processes being brought into scope, the organization must incorporate the new risk vectors into the risk assessment as they go live. Waiting for the annual risk assessment is not sufficient, because it leaves a window in which no controls are in place to mitigate the new risks.

Similar to the annual risk assessment required by most compliance mandates, organizations traditionally must perform an annual vulnerability assessment that includes penetration testing of both the physical environment and the overall network. As with the risk assessment, when changes are made or new systems come into play, the organization should apply vulnerability testing and validation to them accordingly rather than waiting for the next annual cycle.

Vulnerability assessments provide valuable data on risk exposure, but the results must be communicated up to the audit committee, board of directors and management so that remediation efforts can be prioritized.

Periodic walkthroughs, traditionally performed by an internal audit body, are a vital component in understanding business processes and how employees interact with those processes and the systems involved. Regardless of your industry, you must always consider the human risk factors. The organization can implement high-end security solutions such as next-generation firewalls and other technical controls, but as soon as a human risk factor is exploited, all of those mitigation efforts can be bypassed or rendered ineffective. Walkthroughs should be performed at least annually, or as needed when new business processes, personnel or systems are brought into scope.

Risk analysis regarding the potential impact of the risks

Communicating the findings from audits, vulnerability assessments and other data collection is vital to mitigating risks and reducing their overall impact. Most mitigation efforts or control implementations require budget and resource allocation. To gain traction and momentum in these remediation efforts, audit committees, boards of directors and management must be kept in the loop. The objective is to give them the knowledge and data (results) to make educated, strategic decisions about remediation.

These executive level groups can assist the organization in prioritizing remediation efforts to address those vulnerabilities that could have significant and detrimental impacts to the organization. Don’t stop at the initial communication. Periodic updates and status updates on remediation objectives should be given at least quarterly, if not more frequently.

When discussing the impacts of a given risk, organizations tend to focus specifically on the related financial-services compliance impacts. However, organizations must also take into consideration impacts beyond compliance, such as reputation, trust, accountability, clean-up effort and business continuity. Take a step back from specific compliance requirements and look at the overall impact on the organization.

Prioritization of controls and mitigating actions

There is no exact science to prioritizing controls or mitigating actions, but the organization must perform due diligence to understand how each relates to it. As a starting point, the organization must:

  1. Identify the risks facing the industry and the organization specifically
  2. Determine the likelihood or probability of each risk being realized
  3. Evaluate the impact, both financial and non-financial (business continuity, for example)

Keep in mind that impact can expand beyond financial reporting and should include public image (accountability & trust), other compliance implications, business continuity, remediation and clean up (such as Incident Response within PCI-DSS).

Again, work with the audit committee, board of directors and management to prioritize controls and determine which objectives are undertaken first. Provide details, research and findings to allow these individuals to make an educated decision on prioritization. Walk them through the above formula to confirm assigned values for the three components.

This should bring to light those high-risk items for which mitigating action should be applied. As mentioned before, it always helps to have backing from the higher-ups. As an internal audit or IT security function, it is the responsibility to provide the higher-ups with enough detail, research and evidence to make informed and calculated decisions when it comes to mitigating risks.
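A concrete way to walk the board through the three components above is a scored risk register. The following is an added example and not part of the original post or of the SANS/FFIEC guidance it describes: it assigns each risk a likelihood level and an impact level per dimension (financial, reputation, continuity, compliance, clean-up), lets the worst dimension drive the score so that a risk with modest financial impact but severe reputational impact is not buried, discounts for existing controls, and marks what still exceeds the tolerance the board has set. The five-point scales, the control-effectiveness factor and the register entries are assumptions for illustration.

```python
"""Score and rank a risk register from the three components in the post:
the risk, its likelihood, and its impact (financial and non-financial).
Added example; the scales and the register below are assumed."""
from dataclasses import dataclass

# Assumed five-point qualitative scales.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# Impact dimensions beyond the purely financial one.
DIMENSIONS = ("financial", "reputation", "continuity", "compliance", "cleanup")


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: dict                         # dimension -> IMPACT label; absent = negligible
    control_effectiveness: float = 0.0   # 0 = unmitigated, 1 = fully mitigated (assumed)

    def inherent_score(self, dimensions=DIMENSIONS) -> int:
        """Likelihood x worst impact across the chosen dimensions, before controls."""
        worst = max(IMPACT[self.impact.get(d, "negligible")] for d in dimensions)
        return LIKELIHOOD[self.likelihood] * worst

    def residual_score(self, dimensions=DIMENSIONS) -> float:
        """What remains after existing controls; compared against risk tolerance."""
        return self.inherent_score(dimensions) * (1 - self.control_effectiveness)


def prioritize(register, tolerance, dimensions=DIMENSIONS):
    """Worst-first list of (name, inherent, residual, exceeds_tolerance)."""
    ranked = sorted(register, key=lambda r: r.residual_score(dimensions), reverse=True)
    return [(r.name, r.inherent_score(dimensions), r.residual_score(dimensions),
             r.residual_score(dimensions) > tolerance) for r in ranked]


# Constructed register for illustration only.
SAMPLE_REGISTER = [
    Risk("Breach via third-party payment processor", "possible",
         {"financial": "moderate", "reputation": "severe", "continuity": "major"}, 0.2),
    Risk("Ransomware on file servers", "likely",
         {"financial": "major", "continuity": "severe", "cleanup": "major"}, 0.5),
    Risk("Lost unencrypted laptop with customer data", "likely",
         {"financial": "minor", "compliance": "major"}, 0.75),
    Risk("Tailgating into the data center", "unlikely", {"continuity": "moderate"}),
]

if __name__ == "__main__":
    for name, inherent, residual, above in prioritize(SAMPLE_REGISTER, tolerance=8):
        print(f"{'!' if above else ' '} {name}: inherent {inherent}, residual {residual:.1f}")
    # The same register scored on financial impact alone ranks differently.
    print([n for n, *_ in prioritize(SAMPLE_REGISTER, 8, dimensions=("financial",))])
```

With all dimensions counted, the third-party breach ranks first because its reputational impact is severe even though its direct financial impact is only moderate; scored on financial impact alone, ransomware would come out ahead and the breach would fall below tolerance. That swing is the point of step 3: the numbers are only as honest as the impact dimensions you agree to count.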

Ongoing monitoring of risk-mitigation activities

Establish an internal audit function that monitors the health of compliance programs. IT security or the compliance department should use internal audit assessments in conjunction with risk assessments to ensure identified control gaps are addressed or the risk rating is reduced to an acceptable level. Internal audit assessments can be focused on at-risk controls to confirm that mitigation activities are operating effectively. As the organization’s environment and threat landscape continuously change, ongoing monitoring of risks and controls is what makes a compliance or security program adaptive rather than static.

An organization may have specific risk assessment requirements within GLBA, SOX and PCI-DSS, but risk assessments expand beyond these financial service compliance mandates into other industries and compliance areas. Risk assessments allow an organization to better understand their environment and consider threat vectors facing the organization.

Again, it’s important to use available resources as mentioned above (vulnerability assessments, audit findings, etc.), as well as publication of common vulnerabilities and exposures that could be facing the industry and organization specifically. Incorporate into risk assessments accordingly.

Other considerations

Educate and involve the audit committee, board of directors and management

Implementing controls can be a big task for any organization to pursue and adhere to. Success is driven from the top, so it is vital to have the audit committee, board of directors and management involved throughout the process. These parties can champion the objective and promote it throughout the organization. Further, they can provide guidance and set the risk tolerance that ensures efforts align with business objectives.

Take a step back from a specific compliance mandate to see the overall picture

Look at the commonalities between the various compliance mandates to which the organization must adhere:

  • Continuously manage risks (this is a fundamental component and starting point of most compliance mandates)
  • Determine material events (SOX, GLBA, PCI-DSS)
  • Protect customer data (GLBA, HIPAA, PCI-DSS)
  • Build trust and accountability (consideration in most compliance mandates)
  • Provide detailed, adaptive audit and forensic trails (consideration in most compliance mandates)
  • Enable cyber security compliance (NIST Cybersecurity Framework)

Consider third-party management and risk ownership

You cannot outsource risk ownership. For example, suppose a bank is breached by way of a third-party processor. Consider the stakeholders and customers of that bank. Legally, the breach may fall on the third party (which may be bound by contract as the responsible party), but what the customers and stakeholders fall back on is that the bank did not meet their expectations. Trust and accountability are lost. The overall impact of such a breach can be detrimental to the public image of a financial institution to which people entrust their life savings and finances.

To validate third-party controls, use Service Organization Control reports (SOC 1 and SOC 2). You’ll find that SOC 2 covers a more in-depth control set for assessment. That being said, go beyond just reading the report: discuss the findings, determine the impact of any findings or control failures on the organization’s environment, and agree on how incident response will be coordinated between the third party and the organization.

Next, examine the change control and incident response between third-party processes or personnel that interact with the organization’s environment (e.g., business processes, interfaces, third-party account/access provisioning, etc.).

It’s important to note that you should use these compliance requirements as guidelines—not an end-all-be-all. Consider looking into NIST Cyber Security Framework (CSF) for additional cyber-related security controls guidance that may not be covered by existing compliance mandates the organization is adhering to. Core compliance programs are beginning to incorporate cyber-based risks, but they still maintain their primary focus.

In conclusion

Risk assessments must involve parties within your company to determine acceptable risk levels and where mitigation efforts should focus. Risk facing your industry or organization will continue to change, and with that, your organization must periodically reassess risks.

Implementing mitigating controls is not enough. There should be ongoing assessments to determine the operating effectiveness of controls and to identify any control gaps. With any compliance mandate, the first step of assessing risk is a fundamental and cost-effective approach to implementing controls.

For more information, download “Security Spending and Preparedness in the Financial Sector: A SANS Survey.”
