In two interviews with LogRhythm, we explored how they can add a layer of security to a corporate network, industrial network or even a cloud solution. LogRhythm is an advanced SIEM solution that is capable of real-time analysis based on a basic set of rules, data, machine learning and behavioral learning. In doing so, it monitors the security of the network, as it were.
According to Sander Bakker, Sales Manager Northern Europe, LogRhythm has a holistic approach in which it mainly looks at the users, endpoints and the network. As much data as possible is collected from these three sources for analysis purposes. This includes integrations with firewall or server monitoring tools, but also system monitoring where logs are collected to monitor files, for example. The monitoring also relates to, for example, USB ports and networks. All these logs are sent to a central system in the network. The software from LogRhythm is present in this central system. This can be a virtual machine (VM) in the network or an appliance. If the network is linked to the cloud, the VM can also be implemented there.
Users are clustered and monitored in groups
As soon as the data arrives on the server, the analysis starts immediately. LogRhythm has a standard set of rules that are updated every week. These rules are actually the first to be released on the data because if there are known problems or dangers, they can be tackled immediately. In addition, the data is used for long-term analyses of user groups, something that Bakker calls peer-group deviations. Users in the network are monitored, and their behavior is mapped out. Users who perform the same role are clustered in a group and analyzed accordingly. If one of the users suddenly shows deviant behavior, the system can report this to the IT administrator. The latter can then check whether this is desirable or undesirable behavior.
Users, endpoint and network traffic
According to Bakker, a good analysis always consists of data from three sources. By extracting data from users, endpoints and network traffic, it is quite likely that problems for the company can be detected at an early stage. Monitoring network traffic is still a challenge for LogRhythm. The company has developed a solution that is capable of monitoring network traffic. This can be done by means of a software solution or an appliance. This solution can do deep packet inspection and recognize as many as 3300 applications on the basis of the data that passes by. At the moment, LogRhythm is not yet able to independently analyze encrypted network traffic. For this, the customer needs to use a firewall of, for example, Palo Alto Networks or Barracuda Networks. LogRhythm can then plug into the logs of these firewall solutions. More and more network traffic is nowadays encrypted as standard, which means that you simply need such an advanced firewall for good analysis.
If network traffic is analyzed by LogRhythm, they are able to recognize 3300 applications. This allows changes to be picked up quickly. The investment in an external appliance can, therefore, certainly be interesting if the network needs to be monitored externally.
In addition to IT, also OT-environments monitor
In addition to the standard computer networks, LogRhythm can also monitor OT environments. These include industrial networks such as SCADA/ICS and protocols such as Modbus, dnp3, enip, opcua, s7comm and a few others. This means that the product is not only limited to the standard computer networks.
For these networks, monitoring is a bit more challenging. The systems that are connected to such a network can be analyzed less. For example, it is impossible to install endpoints on them. Network monitoring is therefore very important in these OT networks, as it is often the only source of possible problems.
Detecting and acting on problems faster
Bakker states that the ultimate goal of a LogRhythm solution is to create an effective security posture, which allows for faster threat detection and faster business action. There is a huge shortage of good security people, so the more tasks a good SIEM solution can take care of, the better. There is also a focus on making processes and analyses even more efficient.
One of the most important ways to achieve this is by supporting more data sources that can provide information about the safety of the network, the endpoints or even the users. Currently, LogRhythm 830 supports various sources. In addition, there are almost 1,000 standard rules that can automatically detect a threat and respond automatically when necessary.
Bakker says about this:
“Most SIEM’s come without rules/use cases, and you have to create them yourself, or there is a limited number. LogRhythm has more than double the number of its competitors. This is one of the distinguishing features. This is a reason why a LogRhythm implementation is done very quickly and what other vendors take months and sometimes longer to implement because all rules, use cases have to be built.”
These rules are updated weekly with the latest dangers. We didn’t like this much, because sometimes there are direct dangers for many companies, like WannaCry. Bakker says that LogRhythm Labs can also provide an update immediately and push if necessary. In practice, this is rarely necessary, and one week is really sufficient.
About six years ago, LogRhythm started with smart response, i.e. the automatic response to incidents. Nowadays, risks are more and more urgent, and it is sometimes not possible to just warn and wait and see what the IT administrator wants to do with them. Sometimes action needs to be taken immediately, if the company’s fileserver is infected with ransomware, for example. The longer you wait, the greater the damage.
Smart response has a number of standard scripts, in which a company can indicate how in some situations automatic action can be taken: for example, blocking user accounts, stopping certain processes, closing a port on a firewall or even taking an entire server offline.
LogRhythm has developed more than 100 such script/plugins, but the development of these scripts is now mainly in the hands of the community. Plug-ins that are built by the community can then be shared within the Community portal of LogRhythm. Bakker can’t say exactly how many are available. However, he does state that a company can use the scripting language to write any automatic solution that it wants. All kinds of connections with external appliances and software packages are possible in order to realize solutions. Think of switches, firewalls and virus scanners.
We believe that Smart Response will become the most important feature of LogRhythm in the future, as more and more companies are finding it difficult to get the right CISO and security experts on board. The more advanced a solution is, and the more it can solve independently, the better it is. Also, the urgency of security problems will increase rather than decrease in the future. Damage must be prevented at all times. Ultimately, companies would prefer to assess each situation individually in order to prevent false positives (when normal behavior is considered malicious). The only fact is that this time is often not there and the manpower is no longer there for it.
At LogRhythm, they are positive about Smart Response, but at the moment, there is no urgency to develop and make more scripts available from within the company. They mainly leave this to the community, a missed opportunity if you ask us.
LogRhythm chooses network monitoring as a product
Recently, the company has chosen to offer more than just a SIEM solution. It has decided to offer network monitoring separately. LogRhythm has noticed that some customers already have a SIEM, but do not yet have network monitoring. Some companies are not ready to replace their SIEM. That’s why LogRhythm now offers network monitoring on a stand-alone basis. In addition, the customer determines per GB how much data needs to be analyzed.
Customers can purchase an appliance with 1GB, 5GB or 10GB connection. They can also choose to install the software themselves on a server or VM. LogRhythm’s Netmon application then runs on its own hardware.
In many cases, the network monitor can also work together with competitors’ SIEM solutions, so the power can still be combined. Of course, LogRhythm hopes to sell the total package.
Playbooks and case management are important
Bakker argues that the possibilities within LogRhythm to create Playbooks and do case management are also essential to tackle problems quickly. The knowledge within large companies is often divided. There are security analysts with a wide range of knowledge, but there are also juniors who have yet to learn something. If a junior detects a problem but doesn’t know how to solve it, a Playbook can provide the solution. The senior staff member explains how certain problems can be solved, after which it is simply a matter of following a step-by-step plan. The same goes for case management. If users complain about problems, it is nice that certain tasks can be handled by the ‘normal’ helpdesk. Normally everything would be done by the security team.
Cloud support is another point of attention
LogRhythm already supports the monitoring of certain cloud services and IaaS platforms, but there is room for improvement as far as we are concerned. For example, LogRhythm can monitor a few things, but cannot correct them and take action. Monitoring SaaS solutions from Cisco, Okta, Office 365, Qualys and Salesforce, for example, is no problem. It can also map out certain logs of IaaS platforms. According to Bakker, there is support for Event Hub in Azure, and within AWS there is support for logs of Cloudtrail, CloudWatch Alarms, CloudWatch Logs, Configuration Event and Server Access Events. For this, support is built-in for various AWS APIs.
What is becoming increasingly important within companies are automatic solutions, which is something that LogRhythm still has a point of attention. If it now detects a possible incident based on AWS and Azure logs, it can only send a warning to the administrator. It would be better if it could also take immediate action by modifying a firewall configuration. This kind of support is still missing. Something that, as far as we are concerned, is extremely necessary as more and more companies are moving to the cloud. Whether it’s only cloud, multi-cloud or hybrid cloud: you also want to be able to provide that environment with an extra automated security layer.
All in all, LogRhythm really does offer added value with its security solution, although it is still mainly focused on an on-premise environment. The first steps towards the cloud have been taken, but as far as we’re concerned, it’s time to get on with it. Bakker states that the customer is free to program this himself via Smart Response. The only question is whether customers are willing to do so or whether they should opt for a different cloud monitoring tool. In the end, this market is rapidly maturing as well, and both Barracuda Networks and Check Point Security are responding to this need. They are working on cloud monitoring that can also take immediate action based on policy rules. However, LogRhythm’s experience in this area is much greater, and they should now make use of it.