Seth Goldhammer
Sr. Director of Product Marketing

SANS Institute Validates LogRhythm’s Ability to Scale Above 300K MPS

The Importance of Security Analytics for Threat Prevention

Many organizations are beginning to realize that they must use security analytics to recognize threats that bypass their preventative technologies. Unfortunately, despite the promise of a silver bullet, security analytics alone is not the answer. Ultimately, the effectiveness and quality of analytics is highly dependent upon the cleanliness, type, and variety of data.

How Rapid Data Processing and Machine Analytics Play a Role

Understanding the importance of quality data, LogRhythm has invested decades of effort into a cost-effective architecture designed to scale across all tiers of data collection, processing, indexing, and machine-based analytics.

As such, we are very proud that the SANS Institute has validated our ability to deliver a solution that ingests high volumes of data, performs rapid data processing and machine analytics, and allows concurrent search, dashboarding, and report generation across a full data set.

SANS Reviews LogRhythm 7.2’s Ability to Process High Data Volume and Effectively Prevent Threats

The SANS report Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform put our solution to the test with 130,000 log sources and 26 billion logs received daily (300,000 MPS). Just as important, the review delves into how LogRhythm consumes high volumes of data while enabling analysts to meet security objectives: effective machine analytics, rapid search, and security automation and orchestration (SAO).

SANS goes on to validate that LogRhythm’s solution not only collects a high volume of data effectively, but it does so without sacrificing highly critical capabilities for effectively performing threat lifecycle management. Throughout SANS’ testing, LogRhythm processed, perform machine analytics on, indexed (including full log text search), and persisted 100 percent of the data.

During testing, SANS enabled two sets of out-of-the-box machine analytics content:

  • The LogRhythm Core Threat Detection Module
  • The LogRhythm Top 20 CIS Critical Security Controls Module

Both of these modules effectively recognized threat conditions in real time. Scalability is achieved due in part to our unique architecture.

This architecture creates parallel paths, with a real-time stream fed to AI Engine for performing in-memory data analysis and a second stream to our Elasticsearch-based indexing layer available for immediate search. Our persistence tier then leverages a multi-node cluster both to increase concurrent search speed via parallel processing and to improve resiliency, with no data loss, even with a full node failure. The result enables LogRhythm to perform both search and machine analytics without resource contention, creating better economies of scale for both operations.

By evaluating a full use case from end-to-end, SANS observed several things:

  • LogRhythm recognizes activities and provides a risk priority ranking based off an organization’s unique profile
  • Upon detection, case management features capturing alarms and subsequent search results for streamlined collaboration
  • SmartResponse automated playbook actions take the manual process out of mitigating a threat

To read SANS’ findings on LogRhythm’s enterprise-grade platform, download the full report.

Download Full Report