LogRhythm’s 4,000 customers are finding success every day while using our platform. We asked some of LogRhythm’s best power users how they solved the specific security problems that were plaguing their teams using the LogRhythm NextGen SIEM Platform. Following are some of their stories.
Catching the Phish with PIE
The Security Challenge
Before joining LogRhythm, I worked on a security team within a healthcare environment faced with the challenge of managing phishing email attacks. We weren’t using standardized methods to report suspicious emails. Instead, we were using one inbox for all security related inquiries including suspicious emails, daily reports, distribution lists, and newsletters.
It was time-consuming for our team to look through every email to determine which ones were phishing related. On top of that, details related to each case were saved in different file formats, stored in multiple locations, with varying levels of detail, making the presentation and layout completely inconsistent. Our lack of consistency and prioritization made detecting, investigating, and documenting phishing threats time consuming and put our organization at risk.
The Solution
LogRhythm’s Phishing Intelligence Engine (PIE) framework, which assists with detecting and responding to phishing attacks, allowed us to reduce our mean time to detect and respond to phishing emails. PIE is an active defense framework built around Office 365 Message Trace Logs that looks for malicious content and dynamically responds to suspicious emails. The most significant advantage of PIE is that it provides the same level of analysis regardless of the email type; all emails go through the same inspection.
With our old process, the team reviewed a report daily to find potential phishing threats. Using our new method, we only reviewed LogRhythm AIE: Mass E-mail Sender Alarms as they were received. With a consistent and automated method of phishing management in place, we were able to manage a review of all suspicious emails reported efficiently and quickly.
PIE enabled our team to create consistency and organization using LogRhythm’s Case Management. We created a standardized method to report suspicious emails and knew exactly where to find information about a case and the forensic files — no more wasting time hunting down information about a phishing email.
“LogRhythm’s Phishing Intelligence Engine (PIE) framework, which assists with detecting and responding to phishing attacks, allowed us to reduce our mean time to detect and respond to phishing emails.” — Eric Hart
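The story above describes two ideas worth seeing in code: a mass e-mail sender alarm derived from Office 365 message trace rows, and applying the same triage step to every copy of a reported message rather than only the copy one user forwarded. The following is an added illustration written for this page; it is not PIE's code and not LogRhythm's. The trace rows, addresses, timestamps and message ids are constructed, the window and threshold values are assumptions, and the field names follow the Office 365 message trace layout (Received, SenderAddress, RecipientAddress, Subject, MessageId).

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _row(received, sender, rcpt, subject, message_id):
    """Build one constructed message-trace row (field names as in O365 message trace)."""
    return {"Received": received, "SenderAddress": sender,
            "RecipientAddress": rcpt, "Subject": subject, "MessageId": message_id}


_CORP = "@corp.example"  # constructed domain
TRACE = [
    # ordinary one-to-one mail: should never alarm
    _row("2020-06-01T09:00:05", "bob" + _CORP, "alice" + _CORP, "Budget", "<m1" + _CORP + ">"),
    _row("2020-06-01T09:30:00", "bob" + _CORP, "carol" + _CORP, "Lunch", "<m2" + _CORP + ">"),
]
# a compromised mailbox blasting one message to six colleagues within two minutes
for i, name in enumerate(["alice", "carol", "dave", "erin", "frank", "grace"]):
    TRACE.append(_row((datetime(2020, 6, 1, 10) + timedelta(seconds=20 * i)).isoformat(),
                      "mallory" + _CORP, name + _CORP, "Invoice attached", "<blast" + _CORP + ">"))
# a legitimate bulk sender: five recipients, but spread 30 minutes apart
for i, name in enumerate(["alice", "carol", "dave", "erin", "frank"]):
    TRACE.append(_row((datetime(2020, 6, 1, 11) + timedelta(minutes=30 * i)).isoformat(),
                      "newsletter" + _CORP, name + _CORP, f"News {i}", f"<nl{i}{_CORP}>"))


def parse_trace(rows):
    """Copy rows, convert Received to datetime, and return them in time order."""
    out = []
    for r in rows:
        rec = dict(r)
        rec["Received"] = datetime.fromisoformat(r["Received"])
        out.append(rec)
    return sorted(out, key=lambda r: r["Received"])


def mass_sender_alarms(rows, window=timedelta(minutes=10), threshold=5):
    """Return {sender: distinct recipient count} for every sender that reached
    `threshold` or more distinct recipients inside some span of length `window`.
    A sliding window over each sender's time-ordered rows keeps this linear."""
    by_sender = defaultdict(list)
    for r in parse_trace(rows):
        by_sender[r["SenderAddress"]].append(r)
    alarms = {}
    for sender, msgs in by_sender.items():
        start = 0
        for end in range(len(msgs)):
            # advance the window start until it fits inside `window`
            while msgs[end]["Received"] - msgs[start]["Received"] > window:
                start += 1
            distinct = {m["RecipientAddress"] for m in msgs[start:end + 1]}
            if len(distinct) >= threshold:
                alarms[sender] = max(alarms.get(sender, 0), len(distinct))
    return alarms


def recipients_of(rows, message_id):
    """Every mailbox that received the message a user reported, so the same
    inspection and response applies to all copies, not just the reported one."""
    return sorted({r["RecipientAddress"] for r in rows if r["MessageId"] == message_id})


if __name__ == "__main__":
    print("mass sender alarms:", mass_sender_alarms(TRACE))
    print("recipients of reported message:", recipients_of(TRACE, "<blast" + _CORP + ">"))
```

With the ten-minute window only the compromised mailbox alarms; widening the window to a few hours also catches the slow bulk sender, which is the trade-off a tuning pass over real trace data has to settle.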
Threat Hunting with Limited Resources
The Security Challenge
When I worked for a software-as-a-service (SaaS) solution offering cybersecurity assessments management, we always strived to help businesses find low-cost or free ways to supplement their existing cybersecurity tools. It was always a challenge to find free network-monitoring tools that would help teams with limited resources effectively threat hunt.
The Solution
My team and I were excited when we heard that LogRhythm provided a free version of its network security monitoring product, LogRhythm NetMon Freemium. We thought NetMon Freemium could help network security analysts — “hunters” as we call them — at small businesses quickly baseline network traffic, identify anomalies, and pursue further investigation. We received permission from a small business client to prototype NetMon Freemium on its internal network and investigate its features, so we had the opportunity to see the tool in action.
The user interface and experience in NetMon Freemium are intuitive and easy to configure. The ability to drill down into a packet, flow, or PCAP within seconds of identifying an anomaly helps a hunter investigate quickly and efficiently, and the automatic packet capture of traffic flows (all of them, if desired) distinguishes NetMon Freemium from other tools. Once the tool has been installed and configured for the given business environment, we predicted that a threat hunter would spend half an hour to an hour a day using the dashboards to establish baselines of normal network traffic. Once the hunter is comfortable with the baselines, he or she should be able to quickly spot anomalies during that same half-hour period and then use the tool to plan and execute further investigations.
Learn more about Lee’s solution here.
“LogRhythm NetMon Freemium is a valuable tool for someone hunting network traffic anomalies in an enterprise’s network — especially because the software is free.” — Jim Lee
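The baseline-then-spot-anomalies routine described above can be made concrete with a small per-host model. What follows is an added example for this page, not NetMon's code and not the authors' tooling: the daily outbound byte totals per host are constructed, and the three-sigma threshold and the one-megabyte floor on the standard deviation are assumptions a hunter would tune to their own network.

```python
import statistics

# Constructed baseline: outbound megabytes per day for each internal host over
# five quiet days, the kind of summary a flow dashboard produces.
BASELINE_DAYS = {
    "10.0.0.5": [120, 130, 125, 118, 127],
    "10.0.0.9": [40, 42, 38, 41, 39],
}
# Constructed observation for the day under review: one host is normal, one has
# jumped an order of magnitude, and one was never seen during the baseline.
TODAY = {"10.0.0.5": 128, "10.0.0.9": 410, "10.0.0.77": 15}


def baseline(history):
    """Per-host (mean, population stddev) of the daily totals."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in history.items()}


def anomalies(history, today, k=3.0, min_std=1.0):
    """Return {host: (reason, z)} for hosts a hunter should look at first.

    reason is "new_host" (no baseline exists, z is None) or "deviation"
    (today's total is more than k standard deviations from the host's mean).
    min_std stops a perfectly flat baseline from flagging tiny jitter."""
    model = baseline(history)
    flagged = {}
    for host, value in today.items():
        if host not in model:
            flagged[host] = ("new_host", None)
            continue
        mean, std = model[host]
        std = max(std, min_std)
        z = (value - mean) / std
        if abs(z) > k:
            flagged[host] = ("deviation", round(z, 1))
    return flagged


def triage_order(flagged):
    """Hosts sorted so the largest deviations come first and unknown hosts last,
    which is the order in which to open their flows or PCAPs."""
    return sorted(flagged, key=lambda h: -(flagged[h][1] or 0))


if __name__ == "__main__":
    found = anomalies(BASELINE_DAYS, TODAY)
    for host in triage_order(found):
        print(host, found[host])
```

The first week of use is exactly the time the story allots to building `BASELINE_DAYS`; once it exists, a run of `anomalies` over each day's dashboard totals is the half-hour check, and the drill-down into packets or PCAP starts from `triage_order`.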
Using Data Visualizations to Prove the Return on Investment of Your Security Program
The Security Challenge
Proving the value and the return on investment of our security tools and programs is challenging without metrics to show improvements and communicate your team’s wins. The LogRhythm NextGen SIEM Platform provides an excellent foundation for our team to monitor base metrics in Case Metrics dashboards. Still, we wanted to track specific metrics that would help us justify the need for additional headcount or tools. Custom visualizations for tracking and monitoring trends around alarms, cases, and analyst activities would help us highlight areas of focus to our internal teams, such as security engineering, security operations, and management.
The Solution
Our team used Microsoft’s Power BI data visualization tool to pull data from LogRhythm’s SQL database and create custom visualizations. There’s a tremendous amount of potential value within the LogRhythm SQL database that can be used to support your security program initiatives when integrated with visualization tools.
We created custom dashboards to track metrics for testing new alarms in our SIEM, show how much time our team saved using automation, display the current status of our LogRhythm deployment, monitor Case Management metrics, and present the number of alarms triggered vs. triaged in a given period. These visualizations have empowered our operations and management teams — helping them achieve their goals and making it easier for our team to prove our effectiveness, show ROI, and demonstrate the need for investment in our program.
Learn more about how you can set up Rob’s visualizations for your team here.
“There’s a tremendous amount of potential value within the LogRhythm SQL database that can be used to support your security program initiatives.” — Rob Sweeney
See how other industry experts are solving their business challenges with LogRhythm during our 2020 RhythmWorld Security Conference. Learn more and register here.