Protecting Your Network with LogRhythm NDR


Protecting the network is an ongoing challenge for many cybersecurity professionals. At LogRhythm, our goal is to make it easier for you to detect and respond to network security threats quickly and effectively. We are pleased to announce the latest release of LogRhythm NDR (formerly MistNet NDR).

Our network detection and response (NDR) solution reduces noise and eliminates blind spots in your environment to surface threats looming in the network. To exceed customer expectations, LogRhythm has worked diligently to enhance our network security software in key areas, which include forensics, detections, integrations, threat hunting, and platform administration.

Uncovering more incident details with PCAP

We know how valuable it is to get every bit of detail possible surrounding an incident or to help with your threat hunting activities. LogRhythm NDR now gives you the ability to pull in more context to help you investigate and hunt better when protecting the network. You can enable packet capture in the UI and download PCAP files for specific Incidents and Cases. This additional level of incident telemetry supports forensic analysis at the packet level and further empowers incident response activities.

Figure 1: PCAP Download Icon in the Incident Details Page

Continuously updating and enhancing detection models

Ransomware continues to dominate the headlines and plague many organizations and security teams. It is a primary attack vector for opportunistic threat actors, and the tactics, techniques, and procedures continue to evolve. But so does LogRhythm. As part of this release, LogRhythm enhanced LogRhythm NDR's analytic capabilities to detect a wider array of ransomware attacks.

Figure 2: Case definition based on IDS Rule or IOC mapped to ransomware

Alongside the more prevalent threats such as ransomware, sometimes a new threat comes out of nowhere and changes the game. Log4j was that game changer in the industry. Like LogRhythm's approach to ransomware, we took our existing, out-of-the-box detection capabilities for Log4j to the next level, and now provide associated outbound LDAP connections tied to Log4j activity to enhance the fidelity of alerting against this threat.

Figure 3: Log4j Timeline View with detection engines

Improving threat hunting with JA3

One of the great benefits of NDR security is its ability to detect suspicious activity hiding in encrypted channels. While we previously captured JA3 fingerprints associated with suspicious activity, we now offer additional context and call more attention to JA3 fingerprints in our Hunt Activity page. You can now view more information on the JA3 fingerprint in the log files of an incident or notable event on the Hunt Activity page. LogRhythm is now cross-referencing JA3 hash values found in SSL traffic against known malicious JA3 hashes and surfacing results as a JA3 investigation artifact. These artifacts can also be added to Case details in any corresponding Incident.
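To make the cross-referencing step concrete, here is an added example (not LogRhythm's code; it assumes nothing about how the NDR sensor parses TLS) that computes a JA3 fingerprint from the ClientHello fields a TLS parser would extract, strips GREASE values so the hash stays stable across handshakes, and looks the resulting MD5 up in a constructed list of known-bad hashes. The hello records and the known-bad entry are constructed for this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are placeholders clients
    inject at random; JA3 drops them so a browser's fingerprint does not change
    from one handshake to the next."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


@dataclass
class ClientHello:
    """The five ClientHello fields JA3 uses, as a TLS parser would extract them.
    Values are decimal IANA code points, kept in the order the client sent them."""
    version: int
    ciphers: List[int]
    extensions: List[int]
    curves: List[int]
    point_formats: List[int]


def _join(values: List[int]) -> str:
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(hello: ClientHello) -> str:
    """JA3 text form: SSLVersion,Ciphers,Extensions,EllipticCurves,PointFormats."""
    return ",".join([
        str(hello.version),
        _join(hello.ciphers),
        _join(hello.extensions),
        _join(hello.curves),
        _join(hello.point_formats),
    ])


def ja3_hash(hello: ClientHello) -> str:
    """The JA3 fingerprint is the MD5 of the text form (MD5 is a fixed part of the spec)."""
    return hashlib.md5(ja3_string(hello).encode("ascii")).hexdigest()


def classify(hello: ClientHello, known_bad: Dict[str, str]) -> Optional[str]:
    """Return the label of a known-bad fingerprint, or None if the hash is not listed."""
    return known_bad.get(ja3_hash(hello))


# Constructed sample: a TLS 1.2 ClientHello in the shape a modern browser sends.
BROWSER_HELLO = ClientHello(
    version=771,
    ciphers=[4865, 4866, 49195, 49199, 156],
    extensions=[0, 23, 65281, 10, 11, 35, 16, 5, 13],
    curves=[29, 23, 24],
    point_formats=[0],
)

# The same client on a later handshake, now carrying GREASE values in each list.
BROWSER_HELLO_GREASE = ClientHello(
    version=771,
    ciphers=[0x0A0A, 4865, 4866, 49195, 49199, 156],
    extensions=[0x1A1A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 0x2A2A],
    curves=[0x3A3A, 29, 23, 24],
    point_formats=[0],
)

# Constructed sample of a minimal, dated TLS stack of the kind commodity malware ships.
SUSPECT_HELLO = ClientHello(
    version=769, ciphers=[47, 53, 10], extensions=[], curves=[], point_formats=[]
)

# Constructed known-bad list; a real deployment would load this from threat intelligence.
KNOWN_BAD: Dict[str, str] = {ja3_hash(SUSPECT_HELLO): "constructed: commodity-rat-sample"}


if __name__ == "__main__":
    for name, hello in [("browser", BROWSER_HELLO), ("browser+grease", BROWSER_HELLO_GREASE),
                        ("suspect", SUSPECT_HELLO)]:
        print(f"{name:15} {ja3_hash(hello)}  {classify(hello, KNOWN_BAD) or 'not listed'}")
```

Because JA3 keeps the client's field order and only removes GREASE, two hellos from the same TLS stack hash identically, which is what makes the list lookup useful as an investigation artifact; the flip side is that many legitimate clients share a fingerprint, so a match should raise attention rather than stand alone as a verdict.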

Figure 4: JA3 artifacts in the Hunt Activity page

It’s not always about threats

One of the key value-adds for NDR security is the ability to expose activity that goes against organizational IT policy and general cybersecurity best practices. For security teams, it’s equally important to identify any potentially risky behavior occurring on the network. On that note, in the Hunt Activity page, you can now view policy violation-type alerts for activity such as expired certificates being used on the network, weak ciphers being used in connections, and authentication activity happening in clear text. These enhancements provide additional context to what’s happening in your environment that could represent a risk to your organization.
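The three policy checks named above (expired certificates, weak ciphers, cleartext authentication) can be expressed as simple predicates over per-connection metadata. The following added example is not LogRhythm's code; it assumes a hypothetical `Connection` record populated by a protocol parser, and the weak-cipher and legacy-version lists and the sample connections are constructed for illustration rather than taken from any product policy.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed policy definitions; a product would ship and maintain its own.
WEAK_CIPHERS = {
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
}
LEGACY_TLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
# Ports on which credentials are commonly sent unencrypted when no TLS is negotiated.
CLEARTEXT_AUTH_PORTS = {21: "ftp", 23: "telnet", 80: "http-basic", 110: "pop3", 143: "imap"}


@dataclass
class Connection:
    """Hypothetical connection record as a network sensor's parser would fill it in."""
    src: str
    dst: str
    dst_port: int
    tls_version: Optional[str] = None      # None when the session was not TLS
    cipher: Optional[str] = None           # negotiated cipher suite name
    cert_not_after: Optional[datetime] = None  # server certificate expiry (UTC)
    cleartext_credentials: bool = False    # parser saw a password in the clear


def policy_violations(conn: Connection, now: datetime) -> List[str]:
    """Return the policy-violation labels that apply to one connection."""
    findings = []
    if conn.cert_not_after is not None and conn.cert_not_after < now:
        findings.append("expired-certificate")
    if conn.cipher in WEAK_CIPHERS:
        findings.append("weak-cipher")
    if conn.tls_version in LEGACY_TLS:
        findings.append("legacy-tls-version")
    # Credentials on a non-TLS session are the "authentication in clear text" case.
    if conn.cleartext_credentials and conn.tls_version is None:
        proto = CLEARTEXT_AUTH_PORTS.get(conn.dst_port, "unknown")
        findings.append(f"cleartext-auth:{proto}")
    return findings


def scan(connections: List[Connection], now: datetime) -> List[Tuple[str, str, str]]:
    """Flatten violations across connections into (src, dst, label) alert rows."""
    rows = []
    for conn in connections:
        for label in policy_violations(conn, now):
            rows.append((conn.src, conn.dst, label))
    return rows


# Constructed sample traffic and a fixed "now" so the result is reproducible.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [
    Connection("10.0.0.5", "203.0.113.10", 443, "TLSv1.3", "TLS_AES_128_GCM_SHA256",
               datetime(2025, 6, 1, tzinfo=timezone.utc)),
    Connection("10.0.0.6", "192.0.2.20", 443, "TLSv1.2", "TLS_RSA_WITH_RC4_128_SHA",
               datetime(2023, 3, 1, tzinfo=timezone.utc)),
    Connection("10.0.0.7", "192.0.2.30", 23, cleartext_credentials=True),
    Connection("10.0.0.8", "192.0.2.40", 443, "TLSv1.0", "TLS_RSA_WITH_AES_128_CBC_SHA",
               datetime(2025, 1, 1, tzinfo=timezone.utc)),
]


if __name__ == "__main__":
    for src, dst, label in scan(SAMPLE, NOW):
        print(f"{src:10} -> {dst:14} {label}")
```

Keeping each check a separate label rather than one combined "policy" flag is what lets the alerts carry the context the paragraph describes: an analyst can see that a single host both presented an expired certificate and negotiated RC4, and prioritise accordingly.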

Figure 5: Policy Alert for Expired Certificate

It’s not only about the network

We realize that protecting the network with NDR is one element of a much larger security ecosystem. Another critical element of nearly every security program is endpoint detection and response (EDR). We now welcome aboard Cisco Secure Endpoint (formerly AMP) as part of the family of EDR integrations we offer. Along with CrowdStrike, SentinelOne, Carbon Black, Sophos, and Cybereason, LogRhythm can plug into almost any security ecosystem that includes EDR and offer that force multiplier of network and endpoint threat detection.

Simplifying administration

Making our product easier to manage continues to be a primary focus that drives LogRhythm’s evolution and innovation. One way LogRhythm is delivering this is by making whitelisting easier. We now offer support for Classless Inter-Domain Routing (CIDR) notation for customers who wish to whitelist blocks of IP addresses to help reduce manual overhead.
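The overhead saving from CIDR notation is easiest to see in code. This added example (not LogRhythm's implementation, and assuming only Python's standard `ipaddress` module) accepts a mixed list of single addresses and CIDR blocks, collapses adjacent entries into the fewest covering networks, and uses the result to suppress alerts from whitelisted sources; the whitelist entries and alerts are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_whitelist(entries: List[str]) -> List[Network]:
    """Turn "10.1.2.3" and "192.168.1.0/25" style entries into a minimal list of networks.

    strict=False lets an operator write "192.168.1.7/24" and get the /24 rather than
    an error about host bits. collapse_addresses merges adjacent or nested blocks but
    only within one address family, so v4 and v6 are collapsed separately."""
    nets = [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]
    result: List[Network] = []
    for version in (4, 6):
        same_family = [n for n in nets if n.version == version]
        result.extend(ipaddress.collapse_addresses(same_family))
    return result


def is_whitelisted(ip: str, nets: List[Network]) -> bool:
    """Membership test; a single address is inside exactly the blocks that contain it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def addresses_covered(nets: List[Network]) -> int:
    """How many individual entries the CIDR form stands in for."""
    return sum(net.num_addresses for net in nets)


def filter_alerts(alerts: List[Dict[str, str]], nets: List[Network]) -> List[Dict[str, str]]:
    """Drop alerts whose source is whitelisted; everything else passes through unchanged."""
    return [a for a in alerts if not is_whitelisted(a["src_ip"], nets)]


# Constructed whitelist: two halves of a scanner subnet, one jump host, one v6 lab range.
WHITELIST = parse_whitelist([
    "192.168.1.0/25",
    "192.168.1.128/25",
    "10.1.2.3",
    "2001:db8::/32",
])

# Constructed alerts as a detection pipeline might emit them.
ALERTS = [
    {"src_ip": "192.168.1.200", "rule": "port-scan"},        # authorised scanner
    {"src_ip": "10.1.2.3", "rule": "ssh-brute-force"},       # jump host
    {"src_ip": "192.168.2.1", "rule": "port-scan"},          # not whitelisted
    {"src_ip": "2001:db8::1", "rule": "dns-tunnel"},         # lab range
    {"src_ip": "203.0.113.9", "rule": "beaconing"},          # not whitelisted
]


if __name__ == "__main__":
    print("whitelist collapsed to:", [str(n) for n in WHITELIST])
    print("addresses covered by", len(WHITELIST), "entries:", addresses_covered(WHITELIST))
    for alert in filter_alerts(ALERTS, WHITELIST):
        print("kept:", alert)
```

The collapse step is where the manual overhead goes away: the two /25 entries become one /24, and a block of any size is one line in the table instead of one line per host, which also makes review of what is excluded from alerting far easier.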

Additionally, LogRhythm has made it easier for customers to keep up with changes in their environment and maintain sound hygiene when it comes to covered network segments. You can now edit or delete a single entry in the Network Table as well as delete multiple entries at once.

At LogRhythm, we empower our customers to quickly reduce the noise, secure their environment, and position them to safely win in the digital age. We achieve this in part through our commitment to continuously deliver value, much of which is based on customer feedback. For this latest LogRhythm NDR release, we listened to customer feedback and focused on key areas of value: enhancing detections, forensic capabilities, third-party integrations, and administrative workflows.

For more information about LogRhythm NDR, read our data sheet and check out the latest BrightTalk webinar, “Enhance Your Detection and Response Capabilities with LogRhythm NDR.”