Posts tagged: 'logrhythm'


Domain Privilege Escalation Vulnerability


Privilege Escalating Evil Unicorn, credit: Zack Rowland

On Tuesday Microsoft released an emergency update to Windows Server 2003 through 2012 R2 to address a vulnerability that enables an attacker to escalate privileges for any account on a Windows Domain. The vulnerability can be detected in Windows Server 2008 and later by analyzing Windows Event Log ID 4624 and looking for a discrepancy under New Logon between the Security ID and Account Name as shown:



In LogRhythm this is easily detected with a new AI Engine Rule that watches for any difference between the Security ID field, captured into Account, and the Account Name field, captured into Origin Login. This AIE Rule, Account Anomaly: Domain Privilege Escalation, is available with the latest knowledge base update (KB

Advanced Intelligence Engine Parsing Rule


While it is most critical to first apply Microsoft’s prescribed patch for this vulnerability, this rule is a helpful way to detect whether the vulnerability has already been exploited on your Windows domain.
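
The same Security ID versus Account Name comparison can be run outside the SIEM over exported 4624 records. The script below is an added example, not LogRhythm's AIE rule or any Microsoft tooling; the event records are constructed to show the shapes a detection has to cope with (a matching pair, a mismatched pair, a machine account that differs only in case, the expected ANONYMOUS LOGON mismatch, and an unresolved SID that cannot be compared at all). The domain name CORP and the host names are assumptions.

```python
import re

# Constructed sample 4624 records, abbreviated to the Subject / New Logon
# sections that matter here. They are illustrative, not exported from a real DC.
SAMPLE_EVENTS = [
    # Normal interactive logon: Security ID resolves to the same account named.
    {"EventID": 4624, "Computer": "DC01.corp.example",
     "Message": ("An account was successfully logged on.\n\nSubject:\n"
                 "\tSecurity ID:\t\tNULL SID\n\tAccount Name:\t\t-\n\n"
                 "New Logon:\n\tSecurity ID:\t\tCORP\\alice\n"
                 "\tAccount Name:\t\talice\n\tAccount Domain:\t\tCORP\n")},
    # Suspicious: the token carries a different identity than the name presented.
    {"EventID": 4624, "Computer": "DC01.corp.example",
     "Message": ("An account was successfully logged on.\n\nNew Logon:\n"
                 "\tSecurity ID:\t\tCORP\\Administrator\n"
                 "\tAccount Name:\t\tbob\n\tAccount Domain:\t\tCORP\n")},
    # Machine account logon: same principal, different casing.
    {"EventID": 4624, "Computer": "FS01.corp.example",
     "Message": ("An account was successfully logged on.\n\nNew Logon:\n"
                 "\tSecurity ID:\t\tCORP\\fs01$\n"
                 "\tAccount Name:\t\tFS01$\n\tAccount Domain:\t\tCORP\n")},
    # Anonymous network logon: a well-known, expected mismatch.
    {"EventID": 4624, "Computer": "FS01.corp.example",
     "Message": ("An account was successfully logged on.\n\nNew Logon:\n"
                 "\tSecurity ID:\t\tNULL SID\n"
                 "\tAccount Name:\t\tANONYMOUS LOGON\n\tAccount Domain:\t\tNT AUTHORITY\n")},
    # Unresolved SID: nothing to compare, so the rule stays quiet.
    {"EventID": 4624, "Computer": "DC01.corp.example",
     "Message": ("An account was successfully logged on.\n\nNew Logon:\n"
                 "\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1105\n"
                 "\tAccount Name:\t\tcarol\n\tAccount Domain:\t\tCORP\n")},
]

# Pull the Security ID and Account Name lines from the "New Logon" section only;
# the "Subject" section above it uses the same field names and must be skipped.
NEW_LOGON_RE = re.compile(
    r"New Logon:.*?Security ID:[ \t]*(?P<sid>[^\r\n]*?)[ \t]*\r?\n"
    r"[ \t]*Account Name:[ \t]*(?P<name>[^\r\n]*?)[ \t]*\r?\n",
    re.S,
)

# Pairs that legitimately disagree and should not alarm.
KNOWN_BENIGN = {("NULL SID", "ANONYMOUS LOGON")}


def parse_new_logon(message):
    """Return (security_id, account_name) from the New Logon section, or None."""
    m = NEW_LOGON_RE.search(message)
    return (m.group("sid"), m.group("name")) if m else None


def check_event(event):
    """Return a finding when the resolved Security ID names a different account
    than Account Name; None when they agree or cannot be compared."""
    if event.get("EventID") != 4624:
        return None
    parsed = parse_new_logon(event.get("Message", ""))
    if parsed is None:
        return None
    sid, name = parsed
    if (sid, name) in KNOWN_BENIGN:
        return None
    if sid.startswith("S-1-"):
        # Unresolved SID (deleted account, untrusted domain): no name to compare.
        return None
    resolved = sid.split("\\", 1)[-1]          # drop the DOMAIN\ prefix
    if resolved.casefold() == name.casefold():
        return None
    return {"computer": event.get("Computer"), "security_id": sid, "account_name": name}


def scan(events):
    """Apply check_event to every record and collect the findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT domain privilege escalation indicator:", finding)
```

Two details matter in practice: the Subject section of a 4624 event carries its own Security ID and Account Name lines, so the parser must anchor on "New Logon:" rather than the first occurrence, and an unresolved raw SID is not evidence of anything by itself and is skipped rather than alarmed on.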



Categories: General, Security, SIEM


The LogRhythm Difference

You don’t become the rapidly growing leader in Next Generation Security Intelligence by following the crowd.  You do it through leadership, differentiation and focus.  You do it by doing things the right way, doing the right thing and building for the long term.  Here are just some of the things that help make LogRhythm a leader.

  • Leadership Vision and “best of breed” products
  • Focus
  • Great Customer Service
  • A Winning Team and Culture.

Leadership Vision and “Best of breed” Products

LogRhythm’s vision around building a next generation security intelligence and analytics platform to protect the world from damaging cyber threats has been the focus of the company since its beginnings over 10 years ago.  The completeness and stability of this platform vision has enabled a focus on architecting and building out the platform in the right way.  Instead of copying other approaches, our founders sought to architect a solution that would not only solve the challenges customers had with first generation solutions but also solve the new challenges they would face in the future.  As a result, the company was the first to introduce several fundamental innovations in the space, including:

  • The first unified platform to fully integrate previously separate components (including Log Management, SIEM, host and network forensics and advanced analytics), providing unprecedented visibility, detection and response capabilities
  • Multi-dimensional Behavioral Analytics techniques that go well beyond correlation to deliver more effective and precise detection of complex, advanced threats
  • A User Interface and Experience second to none, leveraging the latest UI technology to deliver a highly productive and engaging user experience
  • A wealth of out-of-the-box capabilities that deliver rapid time to value and enable customers to fully leverage the platform for their key use cases
  • A highly Flexible and Scalable Platform that scales easily from small deployments to large, complex environments processing and analyzing billions of records a day
  • Integrated Remediation and Incident Response capabilities to take automated remediation action where warranted and provide robust case management capabilities to effectively manage incidents


Focus

Part of LogRhythm’s success can also be credited to its focus.  Security Intelligence is all we do.  Our focus on delivering the best in class solution for Security Intelligence and Analytics is empowering and enabling.  Our market is one that values, requires and rewards rapid innovation and the ability to adapt to changing customer needs.  Customers are looking for “best of breed” solutions that can solve real problems and detect high-impact threats in real time.  Unlike competitors who are stretched thin addressing multiple product categories and segments, LogRhythm’s focus ensures it is putting all available resources into solving the growing challenge of detecting and responding to advanced threats.  Customers love our focus and know that our success depends on their success.  As Washington Gladden once said: “It is better to say: ‘This one thing I do’ than to say: ‘These forty things I dabble in.’”

Great Customer Service

Customer success has long been an intrinsic core of LogRhythm’s culture.  From day 1, our top objective has been customer satisfaction.  We always felt that if we delivered on that well, everything else would follow more easily.  We have consistently invested in and sought to improve customer support and service with the goal of helping customers realize true value from our platform.  With any complex software solution, there will be a need for support and service.  Customers recognize this and often evaluate the vendor’s support before making a purchase decision.  One reason customers switch to LogRhythm from competitors is our reputation for high quality and tenacious customer support, as well as their dissatisfaction with competitors’ approaches.  Our consistently high retention of customers is further evidence of winning customer service.

A Winning Team and Culture

Long term success of any organization depends on great teamwork and a healthy and productive culture.   LogRhythm’s culture is focused on delivering superior customer success and value through innovation, collaboration, creativity, tenacity and great service.  The founders, original vision and core team have been with the company from the beginning and provide a stable foundation that the company has thrived upon.   The culture is nurtured and enhanced by a wonderful group of can-do professionals who are passionate about their purpose and the value they are delivering in the fight against cyber threats.  The focus at LogRhythm is on achieving great things as a team while also understanding the importance of work/life balance and the enjoyment of the journey.


Categories: General


Last week, when Ajay sent an email to the company about the upcoming Tube to Work Day in Boulder, my first reaction was, “Is this for real?”  This was quickly followed by “What a crazy, unique, yet awesome idea that …


Categories: Uncategorized


Closing the backdoor…


Today Mikko Hypponen from F-Secure announced they had retrieved and analyzed the Excel file used to create a backdoor into RSA.

The attacker used a phishing attempt to send an Excel file loaded with an embedded Flash object to a recipient inside RSA.  Once opened, the Excel file used an advanced 0-day exploit executed by the embedded Flash object to create a backdoor that allows full remote access to the infected workstation.

Certainly this brings up the obvious warnings about not opening strange attachments, etc.  However, the reality is that spear phishing attempts work.  This wasn’t even a case of a highly sophisticated spear phishing attack (you can see the original email on Mikko’s blog entry listed above).  Examples of successful spear phishing, like the IMF breach and the Epsilon breach, highlight that we should not only continue to educate end users to recognize the red flags and the dangers of opening attachments, but also be prepared for the inevitable human mistake.

If a user falls prey to a phishing attempt, and a 0-day exploit evades our endpoint security, what can we do?

  • In this case, the backdoor opened connections to servers that have been used in previous espionage attacks.  Using an IP reputation list could have detected the initial connection, and actions could have been taken to stop it.
  • What if they hadn’t used a known IP address?  If you can detect the IP address geo-location, you can see the location is Venezuela.  Using geo-location could have detected irregular data traffic being sent to an uncommon destination.
  • Or what if the location wasn’t interesting?  Once the backdoor was established, having a mechanism to recognize which user accounts access files on the workstation could have identified abuse of the system or of other accounts.
  • Maybe the user accounts had permission to the files.  In that case it was the sequence of file accesses after the new connection to an unknown location had been created that could have registered that an attack was occurring.
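
The four layers above (reputation list, geo-location, account file access, and the sequence of file access after a new connection) can be expressed as one correlation pass over connection and file-access records. The code below is an added example written for this post, not LogRhythm's rule set; the threat-intel list, the GeoIP table, the expected-country set, the list of known destinations, the host WS-42, the user jdoe and all event records are constructed (the addresses come from the RFC 5737 documentation ranges and point at nothing real). It generalises the bullets slightly: each connection is scored against all three checks at once, and the file-access check fires even when the account legitimately has rights to the files, which is exactly the case the last bullet describes.

```python
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# --- Constructed reference data (hypothetical; RFC 5737 documentation addresses) ---
IP_REPUTATION_LIST = {"203.0.113.7"}                 # stand-in for a threat-intel feed
GEO = {"203.0.113.7": "VE", "198.51.100.20": "VE",   # stand-in for a GeoIP database
       "192.0.2.10": "US", "192.0.2.55": "US"}
EXPECTED_COUNTRIES = {"US"}                          # where this site's traffic normally goes
KNOWN_DESTINATIONS = {"192.0.2.10"}                  # e.g. the corporate mail relay

# --- Constructed event streams for one workstation ---
CONNECTIONS = [
    {"ts": ts("2011-03-01 09:00:10"), "host": "WS-42", "dst": "192.0.2.10"},     # routine
    {"ts": ts("2011-03-01 09:05:00"), "host": "WS-42", "dst": "203.0.113.7"},    # listed address
    {"ts": ts("2011-03-01 09:20:00"), "host": "WS-42", "dst": "198.51.100.20"},  # unlisted, odd geo
    {"ts": ts("2011-03-01 11:00:00"), "host": "WS-42", "dst": "192.0.2.55"},     # unlisted, normal geo
]
FILE_ACCESS = (
    # Six reads by the workstation's own user right after the 09:20 connection.
    [{"ts": ts(f"2011-03-01 09:2{i}:30"), "host": "WS-42", "user": "jdoe",
      "path": f"\\\\FS01\\projects\\doc{i}.xlsx"} for i in range(1, 7)]
    # A single read after the 11:00 connection: ordinary activity.
    + [{"ts": ts("2011-03-01 11:02:00"), "host": "WS-42", "user": "jdoe",
        "path": "\\\\FS01\\projects\\notes.txt"}]
)


def analyze(connections, file_access, window=timedelta(minutes=10), burst=5):
    """Return one finding per connection that trips any of the three checks."""
    findings = []
    for c in connections:
        reasons = []
        # 1. Reputation: destination appears on the threat-intel list.
        if c["dst"] in IP_REPUTATION_LIST:
            reasons.append("reputation")
        # 2. Geo-location: destination country outside the usual set.
        country = GEO.get(c["dst"], "unknown")
        if country not in EXPECTED_COUNTRIES:
            reasons.append(f"geo:{country}")
        # 3. Sequence: unfamiliar destination followed by a burst of file access
        #    from the same host, regardless of whether the account had rights.
        if c["dst"] not in KNOWN_DESTINATIONS:
            n = sum(1 for f in file_access
                    if f["host"] == c["host"] and c["ts"] <= f["ts"] <= c["ts"] + window)
            if n >= burst:
                reasons.append(f"file-burst:{n}")
        if reasons:
            findings.append({"host": c["host"], "dst": c["dst"], "ts": c["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(CONNECTIONS, FILE_ACCESS):
        print(f"{f['ts']} {f['host']} -> {f['dst']}: {', '.join(f['reasons'])}")
```

The unlisted destination in a normal country with one file read afterwards produces nothing, which is the point of stacking the checks: an unfamiliar address alone is noise, but an unfamiliar address followed by a burst of file reads from the same workstation is the pattern the last bullet asks for. The window and burst threshold are tuning knobs that would be set from a site's own baseline.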

While it’s important to continually educate our end users on attacks they can help prevent, as security professionals we must have safeguards for when mistakes are made.  Although the attacks themselves may not be sophisticated, they can still bypass many of our traditional security solutions.  However, with behavior analysis and pattern recognition we should be able to detect and prevent these types of breaches.



0 Comments | Categories: Digital Forensics, IT Optimization, Security, SIEM


Social Engineering Security Analysts

I just attended a briefing at Black Hat where Julia Wolf presented a topic titled “The Rustock Botnet Takedown.”  During the presentation some very interesting details and examples were given that described some of the ways the botnets operated to blend in with legitimate network traffic.  One that stood out to me was that the payloads that compromised machines downloaded were in password-protected RAR files with names such as “mybackup13.rar.”  In addition, the command and control (C&C) servers were placed in smaller cities within the United States, such as Kansas City or Scranton, PA.  Also, instead of sending out spam directly over SMTP, which is easily detectable (look for any non-SMTP servers sending out traffic on port 25), some of the botnets discussed would utilize a web-based e-mail service, such as Hotmail, allowing the spamming to look like a normal user accessing their Hotmail account.  When a security analyst sees a RAR file named the way described above being downloaded from a US-based server, the analyst might consider it legitimate traffic.  Even if there is a little suspicion and the analyst decides to investigate the RAR file itself, it will be password protected.  The analyst is likely to look at the name of the RAR file, taking into consideration that a backup is something a user is likely to password protect, and decide not to investigate further.  After a compromise, as the zombie starts to spam, it will also look simply like a user accessing their Hotmail account, something many security analysts are likely not to consider malicious in nature.  This all sort of reminds me of the premise behind social engineering.  The malware is being designed in a way that, when looked at from several different angles, paints a picture for a security analyst that there is no actual threat, and in some cases each additional piece reinforces a belief that things are okay.

So, how can these issues be addressed?  It’s unreasonable to assume a security analyst can investigate every time a Hotmail server is hit, or any time a password-protected file is downloaded.  Some automated correlation and/or alarming is in order.  One approach might be to simply alarm on any after-hours web-based e-mail access.  Another might be to build a correlation rule that looks for an indication of an exploit on the endpoint (a process crashing, for instance), followed very shortly by a new connection originating from the same host (from perimeter log data or flow data).  A threshold can be set around the average size of the payloads that are downloaded before the alarm fires, further limiting false positives.  To look for a possible outbreak, one can take a baseline of average Hotmail activity by determining about how many unique internal hosts access Hotmail each day, then build an alarm that looks for a higher number of unique hosts hitting Hotmail.
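
The two rules sketched in that paragraph, the crash-then-connection correlation with a payload-size band and the unique-host baseline for webmail access, are shown below as an added example written for this post; it is not code from the talk or from LogRhythm. The endpoint events, flow records, per-day webmail host lists, host names, addresses (RFC 5737 documentation ranges) and the size band are all constructed, and the baseline uses a simple mean-plus-k-standard-deviations threshold as an assumed choice of statistic.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# --- Constructed endpoint and perimeter records (illustrative only) ---
ENDPOINT_EVENTS = [
    {"ts": ts("2011-08-03 09:12:00"), "host": "WS-07", "event": "process_crash", "process": "excel.exe"},
    {"ts": ts("2011-08-03 14:30:00"), "host": "WS-21", "event": "process_crash", "process": "chrome.exe"},
    {"ts": ts("2011-08-03 15:00:00"), "host": "WS-21", "event": "service_start", "process": "spooler"},
]
FLOWS = [  # outbound connections seen at the perimeter; bytes_in = payload pulled down
    {"ts": ts("2011-08-03 09:12:40"), "host": "WS-07", "dst": "192.0.2.50", "bytes_in": 1_900_000},
    {"ts": ts("2011-08-03 14:30:05"), "host": "WS-21", "dst": "192.0.2.80", "bytes_in": 12_000},
    {"ts": ts("2011-08-03 10:00:00"), "host": "WS-33", "dst": "192.0.2.50", "bytes_in": 2_100_000},
]
# Hosts seen reaching the webmail service on each previous day (repeats = repeat visits).
WEBMAIL_HISTORY = {
    "2011-07-27": ["WS-01", "WS-02", "WS-03", "WS-01"],
    "2011-07-28": ["WS-01", "WS-04", "WS-02"],
    "2011-07-29": ["WS-02", "WS-03", "WS-05", "WS-03"],
    "2011-08-01": ["WS-01", "WS-02", "WS-03", "WS-06"],
    "2011-08-02": ["WS-01", "WS-02"],
}
WEBMAIL_TODAY = ["WS-01", "WS-02", "WS-05", "WS-07", "WS-08",
                 "WS-09", "WS-10", "WS-11", "WS-12", "WS-07"]   # 9 unique hosts


def crash_then_download(endpoint_events, flows, window=timedelta(minutes=2),
                        min_bytes=1_000_000, max_bytes=4_000_000):
    """Correlate an endpoint process crash with a new outbound connection from the
    same host inside `window` whose download size falls in the expected payload band."""
    findings = []
    crashes = [e for e in endpoint_events if e["event"] == "process_crash"]
    for crash in crashes:
        for flow in flows:
            if flow["host"] != crash["host"]:
                continue
            if not (crash["ts"] < flow["ts"] <= crash["ts"] + window):
                continue
            if not (min_bytes <= flow["bytes_in"] <= max_bytes):
                continue   # size band is the false-positive filter from the post
            findings.append({"host": crash["host"], "crash": crash["process"],
                             "dst": flow["dst"], "bytes_in": flow["bytes_in"]})
    return findings


def webmail_host_anomaly(history, today, k=3.0):
    """Compare today's count of unique hosts using webmail against a baseline built
    from previous days. Returns (alarm, today_unique, threshold)."""
    daily_unique = [len(set(hosts)) for hosts in history.values()]
    base = mean(daily_unique)
    spread = pstdev(daily_unique)
    # Absolute floor of +1 stops a perfectly flat baseline from alarming on one extra host.
    threshold = base + max(k * spread, 1.0)
    today_unique = len(set(today))
    return today_unique > threshold, today_unique, threshold


if __name__ == "__main__":
    for f in crash_then_download(ENDPOINT_EVENTS, FLOWS):
        print("ALERT crash followed by payload-sized download:", f)
    alarm, n, thr = webmail_host_anomaly(WEBMAIL_HISTORY, WEBMAIL_TODAY)
    print(f"webmail unique hosts today={n} threshold={thr:.1f} alarm={alarm}")
```

Note what each rule deliberately ignores: the WS-21 crash is followed within seconds by a connection, but the 12 KB transfer is far below the payload band, so no alarm fires; the WS-33 download is payload-sized but has no preceding crash on that host. The baseline rule counts unique hosts rather than requests, so one chatty user refreshing a mailbox does not move it.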

Overall the “Rustock Botnet Takedown” presentation was very interesting, and really got my wheels turning on how to detect this activity using correlation on enterprise log-data.  I’m looking forward to attending more sessions tomorrow, and will be blogging on other topics I find interesting.


0 Comments | Categories: Compliance, Digital Forensics, General, IT Optimization, Security, SIEM