Posts tagged: 'logrhythm'


Doing the Impossible: Building your Security Intelligence Maturity

“Start by doing what is necessary, then do what is possible; and suddenly you are doing the impossible.” – St. Francis of Assisi

In my 3+ years as a LogRhythm Professional Services & Security Consultant, I have often found customers with an appetite for security awareness, and the ability to “look for the big things”, yet unable to satisfy their hunger.

Building the foundation: The security intelligence platform

From a traditional viewpoint, SIEM is typically classified as “Log Management”, but that is only a small portion of an effective SIEM, and Log Management itself is only one facet of true Security Management. To achieve a true Security Intelligence Platform, we need to include components such as Server Forensics, Network Forensics and Endpoint Forensics. Bundle up all of this data, information, management and analytics and you get a much better picture of how SIEM has evolved into Security Analytics.


LogRhythm Security Intelligence Platform

As a precursor to this, if you’ve never heard of LogRhythm’s Security Intelligence Maturity Model, or would like to read up about it, then I recommend reading the whitepaper available here.


Cyber-Threat Lifecycle

Essentially, the model empowers users of the LogRhythm Security Intelligence platform to increase their awareness of the activity in their infrastructure, reducing the time taken to identify a potential threat, indicators of a breach or anomalous behaviour. The resulting insight and visibility reduce the overall mean time to detect (MTTD) and enhance the security posture of the organisation.


A lower MTTD also lets an organisation respond sooner to whatever it has detected, so the mean time to respond (MTTR) improves as well: a higher level of security intelligence leads to faster, better-informed decisions and a more effective response process.

Doing what is necessary: Base threat analytics

To address the fundamental requirement of “start by doing what is necessary”, LogRhythm developed a packaged module of rules around Base Threat Analytics using out-of-the-box features and intelligence to set up this foundation for implementation of Security Intelligence.

These rules are designed to use LogRhythm’s AI Engine to detect correlations across various log sources, grouped into categories such as account anomalies, network anomalies, host anomalies and typical indicators of compromise. Thus, the Base Threat Analytics module encapsulates the “necessary” step for Security Intelligence.

From here, organisations need to begin to look at “What is possible?” Once the Base Threat Analytics module has been successfully implemented, the groundwork has been laid for an effective Security Intelligence posture.

The MTTD will already be greatly reduced, because LogRhythm’s AI Engine can correlate and identify security, operational and audit anomalies and scenarios that would be far too time consuming, or simply impossible, to find by hand given the sheer volume of information involved.

Explore the possibilities: Identifying the next step in your security intelligence maturity

So just what is possible? How does an organisation determine a direction from here? Should your security posture be driven by management decisions or perhaps by device and equipment types available to you? What about projects or newer generations and iterations of devices? Should they dictate your next phase in Security Intelligence Maturity?

The truth is, it is often a combination of all of these factors, and a multitude more. LogRhythm can help not only with guiding those decisions, but also with mapping and planning the future direction, enabling you to reach a much higher level of security awareness and intelligence.

The beauty of this is that LogRhythm’s scalable platform is designed so that these additional modules and evolutionary phases of the Security Intelligence Maturity Model can be implemented rapidly and effectively on your existing platform. All the building blocks and tools are provided for you, with LogRhythm Professional Services helping you to understand how they fit together and the best ways to implement them.

Doing the impossible: Rapidly identifying and responding to threats

Finally, we are now doing the (seemingly) impossible. We have implemented a Security Intelligence model that has moved detection from a manual, labour-intensive and slow process to a rapid, dynamic and intuitive one, decreasing the MTTD. This enables you to identify and understand complex scenarios and indicators of threats and breaches within minutes of them occurring.

The result? Because of this increased awareness, your MTTR has also decreased as you have the information needed to make quick, rapid and well-informed decisions on how best to respond to the incidents that have been identified.



IRS Breach: “Criminals Access 100,000 IRS Tax Returns”

On June 3rd, I logged into my computer, opened up the BBC news and clicked to the Tech section. The top headline was “Criminals access 100,000 IRS tax returns.”

My immediate reaction was “so that’s where all the Anthem data went.”

This headline underscored how today’s cyber criminal is becoming more and more sophisticated. It has become a harsh reality that criminals have so many weapons in their arsenal that it is increasingly difficult to keep up with them, let alone predict their next plan of attack.

In this latest breach, stolen personal data was used to file bogus tax returns and claim $50M in refunds (at least, that is the number the IRS is willing to admit to). In all probability, the personal data used in the bogus filings was stolen during one or more of the recent high-profile breaches reported in the mainstream media: Anthem, eBay, JP Morgan Chase or one of the many others.

Unfortunately, like many high-profile breaches, I believe this one too could have been avoided had the IRS been given, or for that matter requested, a list of affected consumers from the earlier breaches. Had they done this, a trigger could have been set up to raise an alarm every time a tax return was filed for someone on the watch list. Additionally, an automatic response could have been set up to alert investigators, such as a follow-up phone call or a verification email, each time an alarm was triggered. These actions would have allowed further investigation to verify or discredit the return. This type of trigger could easily have been set up within a system like LogRhythm.

Furthermore, based on the information provided by the IRS, it seems that for each of the bogus tax returns a brand-new online account was set up with a different email address from the one used for previous filings. A process to detect this type of activity could easily have been incorporated into the trigger I proposed above, and all of it could be set up within LogRhythm.
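The two triggers described above, as an added example in Python (this is not code from the original post or from LogRhythm; it stands in for the alarm and automatic-response logic a SIEM would run). Everything in it is constructed: the SSNs, email addresses, breach names and the `PEPPER` secret are made up, and the watch list and filing history are in-memory dictionaries rather than a real data store. The identities are stored as keyed hashes so the watch list itself never holds raw SSNs.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumption: a secret kept outside the watch-list store, so a leaked list does
# not reveal raw SSNs. The value here is a placeholder.
PEPPER = b"replace-with-a-real-secret"


def fingerprint(ssn: str) -> str:
    """Keyed hash of an SSN; the watch list and filing history store only this."""
    digits = ssn.replace("-", "")
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()


# Constructed data: made-up SSNs mapped to the (hypothetical) breach that exposed them.
WATCHLIST: Dict[str, str] = {
    fingerprint("123-45-6789"): "anthem-2015",
    fingerprint("987-65-4321"): "ebay-2014",
}

# Constructed filing history: email addresses each filer has used before.
FILING_HISTORY: Dict[str, Set[str]] = {
    fingerprint("123-45-6789"): {"jane@example.com"},
    fingerprint("555-55-5555"): {"bob@example.net"},
}


@dataclass
class Filing:
    ssn: str
    email: str
    new_online_account: bool  # an online account was created for this filing
    refund_usd: int


@dataclass
class Verdict:
    reasons: List[str] = field(default_factory=list)
    severity: str = "none"
    action: str = "process normally"


def evaluate(filing: Filing, watchlist=WATCHLIST, history=FILING_HISTORY) -> Verdict:
    """Apply the two triggers from the post to one filing."""
    fp = fingerprint(filing.ssn)
    verdict = Verdict()

    # Trigger 1: the identity appears on the list of consumers affected by earlier breaches.
    if fp in watchlist:
        verdict.reasons.append(f"identity exposed in breach '{watchlist[fp]}'")

    # Trigger 2: a brand-new online account using an email address this filer has
    # never used. First-time filers have no history, so they are not flagged on this alone.
    prior = history.get(fp, set())
    if filing.new_online_account and prior and filing.email not in prior:
        verdict.reasons.append("new online account with an email never used by this filer")

    # Automatic response: the more triggers fire, the heavier the follow-up.
    if len(verdict.reasons) >= 2:
        verdict.severity, verdict.action = "high", "hold refund; investigator phone call"
    elif verdict.reasons:
        verdict.severity, verdict.action = "medium", "hold refund; verification email"
    return verdict


def triage(filings: List[Filing]) -> List[Verdict]:
    return [evaluate(f) for f in filings]


if __name__ == "__main__":
    samples = [
        Filing("123-45-6789", "refund-fast@mail.test", True, 4800),  # both triggers
        Filing("987-65-4321", "someone@mail.test", False, 1200),     # watch list only
        Filing("555-55-5555", "bob@example.net", False, 900),        # legitimate repeat filer
        Filing("111-11-1111", "first@mail.test", True, 300),         # first-time filer
    ]
    for f, v in zip(samples, triage(samples)):
        print(f.ssn[-4:], v.severity, v.action, v.reasons)
```

A first-time filer with a new account is deliberately not flagged on the email test alone, since there is no prior address to compare against; the watch-list test still applies to them.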

Of course, with the benefit of hindsight it is easy to see how major events like these could have been avoided, but someone should have seen this type of attack coming. There need to be safeguards in place for when sensitive data is stolen. For example, when a consumer’s credit card is compromised, they are sent a new credit card. However, when the social security number of an American citizen is stolen, they are not issued a new one, nor are flags put in place to detect future unauthorised usage.

If nothing else, as a result of this and other breaches over the last year, we have learned that cyber crime is now more lucrative than drug crime: there is less risk and greater reward. Organised crime gangs from Russia, China and other countries around the world are getting better and better at stealing personal data and then either using it or selling it for massive financial gain.

A well-recognized reality in today’s InfoSec community is “They Will Get In.” Therefore, it is what you do once criminals have breached your network and how fast you react that truly determines how devastating or otherwise a breach can be. Organizations face a giant game of chess, where they must act and react, being as predictive as possible.

Determining what data had been stolen during the Anthem breach and others, as well as its possible uses, might have led to the implementation of a system or process designed to prevent what happened at the IRS. Perhaps this latest high profile attack on one of the bastions of American society will provoke some far-reaching and more stringent systems and processes to be implemented. Perhaps not. Time will tell.



A Case of the Mondays: How a Routine Visit Discovered a Cyber Attack

Recently, I learned a valuable lesson from what appeared as though it would be a regular Monday. My day started off routinely, but along the way some surprising events unfolded.

I was scheduled to go on-site with a federal customer for a “knowledge transfer” (aka OJT) as a new NOC/SOC team was coming online. When I got there, it started out as a rather typical meeting—get an understanding of the team’s knowledge of LogRhythm, assess their goals, and introduce them to any new features/products available.

Prior research led me to believe that this was an older deployment that had been neglected for some time. I was pleasantly surprised to find out that this was not the case. Rather, it was a rather new XM-6350 running LogRhythm 6.3.3 and the latest KB. Not having to perform a system upgrade was a relief.

However, as I listened to the customer’s requirements and dug deeper into the deployment, I quickly realized that the system was only being used for log collection, and rarely were people logging in or monitoring the data being collected by the XM. I’d say they were using about 30% of the LogRhythm features and functionality. Moreover, the WebUI wasn’t installed and AIE was disabled.

After a quick install of the WebUI, initialization of AIE, addition of the basic LOW/LOW-LOW rules found in the Post-Install Guide for POCs and setting up the third-party threat feeds (as well as some other customer requested tweaks)—the XM was back in fighting shape!

After a brief conversation, my sales rep and I started to walk the team through a quick demo using the customer’s XM, data and WebUI. Within 10 minutes of talking, we happened to click on the Alarms tab, and to our surprise, we found some interesting data.

A few red alarm cards with ratings of 90 appeared denoting “Malware Found.” The team asked, “What’s that all about?” We began to pivot and drill down and discovered the systems affected by the malware. Apparently this information had been reported by their Symantec and McAfee systems regularly, and for quite some time.

The NOC/SOC team quickly sprang into action to remedy the issue (albeit they were a bit annoyed). Moments later, we returned to the demo and another alarm fired with a score of 97. The team (almost in unison) said “What now!?”

After a quick drilldown, we discovered that their Fortinet deployment was reporting a breach coming from an “external IP” (outside the U.S.). Being that this was a government customer, we’d just tripped DEFCON-1 (and were called into the manager’s offices to explain the situation). The customer thanked us for helping to spot the external breach and asked us to leave for the day, as they were about to get very busy.

What was the lesson learned? Make sure that you always look under the hood of an existing LogRhythm deployment to verify that the basics have been covered. It’s important to understand what LogRhythm is capable of and how to best leverage the system to your advantage.

As one of the NOC/SOC employees put it, “If we’d been paying attention and using LogRhythm more regularly, we could have caught this sooner. Who knows how long we’ve been under attack.”

A typical Monday, indeed…



Domain Privilege Escalation Vulnerability

Privilege Escalating Evil Unicorn, credit: Zack Rowland

On Tuesday Microsoft released an emergency update for Windows Server 2003 through 2012 R2 to address a vulnerability that enables an attacker to escalate the privileges of any account on a Windows domain. Exploitation can be detected on Windows Server 2008 and later by analysing Windows Security Event ID 4624 (an account was successfully logged on) and looking for a discrepancy under New Logon between the Security ID and the Account Name, as shown:



In LogRhythm this is easily detected with a new AI Engine rule that watches for any difference between the Security ID field (captured into the Account metadata field) and the Account Name field (captured into Origin Login). This AIE rule, Account Anomaly: Domain Privilege Escalation, is available with the latest knowledge base update (KB

Advanced Intelligence Engine Parsing Rule

Applying Microsoft’s prescribed patch must come first, but this rule is an easy way to find out whether the vulnerability has already been exploited on your Windows domain.
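The same check carried out over raw 4624 message bodies, as an added example in Python (not LogRhythm’s rule and not code from the original post). It parses the event text into its sections, takes the Security ID and Account Name from the New Logon section only (the Subject section has its own pair, which is not what the rule compares), resolves the SID through a lookup table and reports a mismatch when the resolved name differs from the logged Account Name. The `SID_TO_NAME` table is a constructed stand-in for an Active Directory lookup, with a made-up domain SID, and the sample events are constructed with `make_4624` in the layout Windows uses; a SID the table cannot resolve is reported as unresolved rather than flagged, so an incomplete directory map does not produce false alarms.

```python
from typing import Dict, List, Tuple

# Constructed stand-in for a directory lookup (SID -> account name). In a real
# deployment this comes from Active Directory; the domain SID is made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SID_TO_NAME: Dict[str, str] = {
    f"{DOMAIN_SID}-500": "Administrator",
    f"{DOMAIN_SID}-1105": "jdoe",
    f"{DOMAIN_SID}-1106": "svc_backup",
    "S-1-5-7": "ANONYMOUS LOGON",
}


def parse_4624(message: str) -> Dict[str, Dict[str, str]]:
    """Split a 4624 message body into its sections (Subject, New Logon, ...).

    Keys that sit outside any section header (e.g. 'Logon Type') land in section ''.
    """
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in message.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            if line.endswith(":"):          # section header such as "New Logon:"
                current = line[:-1]
                sections.setdefault(current, {})
                continue
            current = ""                    # top-level key such as "Logon Type:"
        if ":" in line:
            key, _, value = line.strip().partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def check_new_logon(message: str, sid_map: Dict[str, str] = SID_TO_NAME) -> Tuple[str, str]:
    """Return (status, detail); status is 'ok', 'mismatch' or 'unresolved'."""
    new_logon = parse_4624(message).get("New Logon", {})
    sid = new_logon.get("Security ID", "")
    name = new_logon.get("Account Name", "")
    if not sid or not name:
        return "unresolved", "no New Logon Security ID / Account Name in event"
    expected = sid_map.get(sid)
    if expected is None:
        return "unresolved", f"{sid} is not in the directory map; resolve it before judging"
    if expected.lower() != name.lower():
        return "mismatch", f"{sid} resolves to {expected} but Account Name is {name}"
    return "ok", f"{sid} matches {name}"


def scan(events: List[str]) -> List[Tuple[int, str, str]]:
    """Run the check over a batch; an AIE-style rule would fire on the 'mismatch' rows."""
    return [(i, *check_new_logon(e)) for i, e in enumerate(events)]


def make_4624(sid: str, name: str, domain: str = "CORP", logon_type: int = 3) -> str:
    """Build a constructed 4624 message body in the layout Windows uses."""
    return (
        "An account was successfully logged on.\n\n"
        "Subject:\n"
        "\tSecurity ID:\t\tS-1-0-0\n\tAccount Name:\t\t-\n"
        "\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
        f"Logon Type:\t\t\t{logon_type}\n\n"
        "New Logon:\n"
        f"\tSecurity ID:\t\t{sid}\n\tAccount Name:\t\t{name}\n"
        f"\tAccount Domain:\t\t{domain}\n\tLogon ID:\t\t0x3E7A1\n"
    )


# Constructed sample events.
SAMPLE_EVENTS = [
    make_4624(f"{DOMAIN_SID}-1105", "jdoe"),        # normal logon: SID and name agree
    make_4624(f"{DOMAIN_SID}-500", "jdoe"),         # SID resolves to Administrator, name is jdoe
    make_4624(f"{DOMAIN_SID}-9999", "contractor"),  # SID unknown to our map
    make_4624("S-1-5-7", "ANONYMOUS LOGON"),        # well-known SID, consistent
]

if __name__ == "__main__":
    for idx, status, detail in scan(SAMPLE_EVENTS):
        print(idx, status, detail)
```

Only the second sample is reported as a mismatch; the unknown SID in the third is left for a directory lookup, and the well-known SID in the fourth is handled by having it in the map like any domain SID.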




The LogRhythm Difference

You don’t become the rapidly growing leader in Next Generation Security Intelligence by following the crowd. You do it through leadership, differentiation and focus. You do it by doing things the right way, doing the right thing and building for the long term. Here are just some of the things that help make LogRhythm a leader.

  • Leadership Vision and “best of breed” products
  • Focus
  • Great Customer Service
  • A Winning Team and Culture.

Leadership Vision and “Best of breed” Products

LogRhythm’s vision around building a next generation security intelligence and analytics platform to protect the world from damaging cyber threats has been the focus of the company since its beginnings over 10 years ago. The completeness and stability of this platform vision has enabled a focus on architecting and building out the platform in the right way. Instead of copying other approaches, our founders sought to architect a solution that would not only solve the challenges customers had with first generation solutions but also solve the new challenges they would face in the future. As a result, the company was the first to introduce several fundamental innovations in the space, including:

  • The first unified platform to fully integrate previously separate components (including Log Management, SIEM, host and network forensics and advanced analytics), providing unprecedented visibility, detection and response capabilities
  • Multi-dimensional Behavioral Analytics techniques that go well beyond correlation to deliver more effective and precise detection of complex, advanced threats
  • A User Interface and Experience second to none, leveraging the latest UI technology to deliver a highly productive and engaging user experience
  • A wealth of out-of-the-box capabilities that deliver rapid time to value and enable customers to fully leverage the platform for their key use cases
  • A highly flexible and scalable platform that scales easily from small deployments to large, complex environments processing and analyzing billions of records a day
  • Integrated Remediation and Incident Response capabilities to take automated remediation action where warranted and provide robust case management capabilities to effectively manage incidents


Focus

Part of LogRhythm’s success can also be credited to its focus. Security Intelligence is all we do. Our focus on delivering the best in class solution for Security Intelligence and Analytics is empowering and enabling. Our market is one that values, requires and rewards rapid innovation and the ability to adapt to changing customer needs. Customers are looking for “best of breed” solutions that can solve real problems and detect high-impact threats in real time. Unlike competitors who are stretched thin addressing multiple product categories and segments, LogRhythm’s focus ensures it is putting all available resources into solving the growing challenge of detecting and responding to advanced threats. Customers love our focus and know that our success depends on their success. As Washington Gladden once said: “It is better to say: ‘This one thing I do’ than to say: ‘These forty things I dabble in.’”

Great Customer Service

Customer success has long been an intrinsic core of LogRhythm’s culture. From day 1, our top objective has been customer satisfaction. We always felt that if we delivered on that well, everything else would follow more easily. We have consistently invested in and sought to improve customer support and service with the goal of helping customers realize true value from our platform. With any complex software solution, there will be a need for support and service. Customers recognize this and often evaluate the vendor’s support before making a purchase decision. One reason customers switch to LogRhythm from competitors is our reputation for high quality and tenacious customer support, as well as their dissatisfaction with competitors’ approaches. Our consistently high retention of customers is further evidence of winning customer service.

A Winning Team and Culture

Long term success of any organization depends on great teamwork and a healthy and productive culture. LogRhythm’s culture is focused on delivering superior customer success and value through innovation, collaboration, creativity, tenacity and great service. The founders, original vision and core team have been with the company from the beginning and provide a stable foundation that the company has thrived upon. The culture is nurtured and enhanced by a wonderful group of can-do professionals who are passionate about their purpose and the value they are delivering in the fight against cyber threats. The focus at LogRhythm is on achieving great things as a team while also understanding the importance of work/life balance and the enjoyment of the journey.
