User and Identity Data
User behavior is a critical component of advanced threat and breach detection. It requires knowledge of the specific details tied to a user’s identity, understanding acceptable vs. suspicious behavior, having the ability to monitor user access and a myriad of other user-specific activities. LogRhythm collects and analyzes user data from multiple sources, from data contained directly within the logs to comprehensive identity information derived from integration with Active Directory and 3rd party Identity and Access Management solutions, delivering comprehensive understanding and awareness of user activity.
The detail about how information is being exchanged is another critical component of protecting the enterprise. Knowing what data is flowing where provides a clearer picture of an event to better understand when an attack has been successful and a breach has occurred. LogRhythm incorporates network-specific data from throughout the enterprise, analyzing everything from communication direction, traffic volume and information detail contained in network flow data to independently monitored network connections on individual hosts.
The end target of most breaches is an application or specific data residing on a host. Understanding what is happening at this individual host level is critical in prevent breaches. LogRhythm protects in multiple ways by analyzing host level log and event data as well as independently monitoring file integrity and host activity, recording process and service activity, network connections, removable media, and watching who is doing what to files and directories. LogRhythm’s behavioral analysis automatically establishes whitelists of acceptable or “normal” behavior on a host, delivering the ability to detect in real time when suspicious activity takes place, such as an unknown process starting or an unauthorized network connection is opened up.
A common entry point for a breach is at the application layer, using multiple entry points to exploit vulnerabilities. This can include activities ranging from installing custom software that is designed to attack security gaps to either passively spy on the system or actively perform command and control operations. Other application threat vectors include using compromised or stolen credentials to engage in seemingly legitimate behavior. LogRhythm monitors and analyzes application logs for suspicious behavior tied to common activities like user access, transaction volume, and application errors, and correlates it against other data to identify suspicious behavior patterns that indicate an attack is underway or a that breach may have occurred.
Every environment is different, so understanding the context surrounding an event is a critical requirement for reducing the volume of false positives and avoiding false negatives. LogRhythm incorporates multiple data sources to add relevant internal context and event detail, such as vulnerability data, asset classification, business entity, and other data collected from sources such as Content Management Systems(CMS), Identity and Access Management (IAM) solutions and other 3rd party analysis tools. This information is automatically incorporated into events and alarms, providing the detail necessary to understand the true relevance and severity of an incident and to more effectively manage risk.
Effective network security combines multiple tools and information sources for a strategic approach to protecting against breaches and advanced threats. This includes tapping external data feeds for current insight into multiple threat vectors. LogRhythm collects and analyzes information from numerous sources, including IP reputation services, threat intelligence feeds, geolocation services and other 3rd party sources. This allows organizations to respond quickly to external threats based on accurate information and comprehensive event context.