Connect: Linkedin Youtube Blog
Support Portal Partner Portal

Big Data Security Analytics

LogRhythm has combined enterprise-wide advanced correlation and pattern recognition with automated behavioral and statistical analysis to deliver the industry’s first Multi-dimensional Big Data Analytics capabilities. By combining advanced statistical and heuristic analysis with behavioral whitelisting, LogRhythm enables organizations to automate the process of learning what constitutes “normal” behavior on any combination of attributes tied to users, hosts, applications, or devices.  Integrating these capabilities with advanced correlation and pattern recognition eliminates three significant problems for users of 1st generation SIEMs – the inability to accurately define what constitutes “normal” activity, a deluge of false positives that limits the ability to identify and understand meaningful events, and the uncertainty due to false negatives.

Why “Multi-Dimensional” Analytics

Organizations today face threats and breaches from so many different attack vectors and potential entry points that traditional security tools are no longer enough to defend the network. Even first generation SIEM solutions lack the comprehensive analysis and informational reach to adequately detect and prevent advanced attacks.  LogRhythm’s SIEM 2.0 solution delivers Multi-Dimensional Big Data Security Analytics by collecting a complete set of data throughout the environment, processing and analyzing relevant information from multiple dimensions to deliver accurate, real-time threat management.  These dimensions include:



Multi-Dimensional Big Data Analytics in Action

An advanced attack will frequently employ multiple attack vectors in order to successfully breach your network.  While individual stages of an attack may trigger an event in traditional SIEM solutions, they typically lack the ability to tie them together over time.  Many of these events are incorrectly lumped in with lower priority events and subsequently and incorrectly classified as false positives. This results in an organization’s inability to truly understand which events merit the highest risk ratings, and how they may be a component of a more sophisticated attack.  The following is an example of how LogRhythm not only identifies individual events that are suspicious, but is able to correlate them over time and against multiple dimensions to detect and ultimately prevent and advanced attack and subsequent breach.



The LogRhythm Response

LogRhythm has now identified multiple threat vectors and has sent several alarms indicating a rapidly progressing breach attempt.  As each new dimension to the attack is factored into the detection and analysis process, the risk level is automatically revised upward to match the growing threat. LogRhythm’s SmartResponse™ also delivers the means to actively combat breach attempts. In this particular instance, out-of-the-box plugins can by enabled to limit or halt the breach attempt during multiple stages of the attack. It can:

1.    Disable the suspiciously behaving account until the behavior can be investigated
2.    Automatically kill any non-whitelisted process
3.    Terminate any network connection made to any blacklisted IP address.

At this point, the breach is contained and a more detailed forensic investigation can begin.


 

Multi-Dimensional Analytics

User and Identity Data

User behavior is a critical component of advanced threat and breach detection. It requires knowledge of the specific details tied to a user’s identity, understanding acceptable vs. suspicious behavior, having the ability to monitor user access and a myriad of other user-specific activities. LogRhythm collects and analyzes user data from multiple sources, from data contained directly within the logs to comprehensive identity information derived from integration with Active Directory and 3rd party Identity and Access Management solutions, delivering comprehensive understanding and awareness of user activity.

Network Data

The detail about how information is being exchanged is another critical component of protecting the enterprise.  Knowing what data is flowing where provides a clearer picture of an event to better understand when an attack has been successful and a breach has occurred. LogRhythm incorporates network-specific data from throughout the enterprise, analyzing everything from communication direction, traffic volume and information detail contained in network flow data to independently monitored network connections on individual hosts. 

Host Data

The end target of most breaches is an application or specific data residing on a host. Understanding what is happening at this individual host level is critical in prevent breaches.  LogRhythm protects in multiple ways by analyzing host level log and event data as well as independently monitoring file integrity and host activity, recording process and service activity, network connections, removable media, and watching who is doing what to files and directories. LogRhythm’s behavioral analysis automatically establishes whitelists of acceptable or “normal” behavior on a host, delivering the ability to detect in real time when suspicious activity takes place, such as an unknown process starting or an unauthorized network connection is opened up.

Application Data

A common entry point for a breach is at the application layer, using multiple entry points to exploit vulnerabilities.  This can include activities ranging from installing custom software that is designed to attack security gaps to either passively spy on the system or actively perform command and control operations. Other application threat vectors include using compromised or stolen credentials to engage in seemingly legitimate behavior. LogRhythm monitors and analyzes application logs for suspicious behavior tied to common activities like user access, transaction volume, and application errors, and correlates it against other data to identify suspicious behavior patterns that indicate an attack is underway or a that breach may have occurred.

Internal Context

Every environment is different, so understanding the context surrounding an event is a critical requirement for reducing the volume of false positives and avoiding false negatives.  LogRhythm incorporates multiple data sources to add relevant internal context and event detail, such as vulnerability data, asset classification, business entity, and other data collected from sources such as Content Management Systems(CMS), Identity and Access Management (IAM) solutions and other 3rd party analysis tools. This information is automatically incorporated into events and alarms, providing the detail necessary to understand the true relevance and severity of an incident and to more effectively manage risk.

External Context

Effective network security combines multiple tools and information sources for a strategic approach to protecting against breaches and advanced threats. This includes tapping external data feeds for current insight into multiple threat vectors. LogRhythm collects and analyzes information from numerous sources, including IP reputation services, threat intelligence feeds, geolocation services and other 3rd party sources.  This allows organizations to respond quickly to external threats based on accurate information and comprehensive event context.

 

Advanced Attack Process

A Breach Begins

LogRhythm automatically detects authentication activity as suspicious by adding geolocation context and correlating against a known behavioral whitelist of acceptable login locations. LogRhythm also knows when a particular user requires a higher level of scrutiny, such as a privileged user with admin rights, by incorporating identity data from various sources, including Active Directory, LDAP and 3rd party Identity and Access Management solutions.  Suspicious behavior by those users generates a higher Risk Based Priority rating for event escalation.

A Target is Acquired

Once the user account is flagged, he is automatically added to a watch list of suspicious accounts that is leveraged by multiple high-priority alarms to provide a more accurate response. In this case, an alarm is sent out when that user accesses a classified network segment and an additional, higher priority alarm is generated when that same user accesses a confidential file being monitored by LogRhythm’s fully integrated file integrity monitoring. The potentially breached host can then be automatically added to a list of targeted devices to be leveraged by additional alarms.

A Tool is Deployed

LogRhythm’s automated behavioral profiling capabilities have already created a whitelist of known and acceptable processes on all hosts operating within the Classified network segment.  When a non-whitelisted process starts up on a host that has appeared on a targeted device list, a high priority alarm is generated signaling a potential attempt to exfiltrate sensitive data.

A Back Door is Opened

Another high priority alarm is generated when the same targeted host then opens up a non-whitelisted network connection.  The alarm provides further context indicating an extreme risk rating by matching the destination IP against a blacklist generated by an external IP reputation list.

A Breach Occurs

The attack culminates with LogRhythm’s statistical profiling detecting a sudden and abnormal increase in outbound data volume from the classified environment. This indicates with a high degree of probability that a breach has occurred.