Dean Wyatte
Advanced Analytics Senior Engineer

Striking the Balance Between Machine and Human Analysis in Your SIEM Environment

As technology advances, the threat landscape is also advancing. With thousands of touch points in any given network, cyber criminals are effectively exploiting weak points on an almost daily basis. Prevention-centric strategies are no longer efficient for organizations, and they can also expose critical infrastructures to damaging cyber threats.

Organizations are increasingly relying on security platforms to detect and respond to threats quickly and efficiently. With the sheer volume of processes, services and applications running on a corporate network at any given time, security professionals face a difficult task.

For a security analyst, security information and event management (SIEM) platforms can automatically analyze and respond to threats. Human analysis and response is also crucial to keep up with continuously evolving threats and make sense of anomalous network behavior. This post describes several features of the LogRhythm product line that help strike the balance between machine and human analysis in your SIEM environment.

Incessant Evolution of the Threat Landscape Calls for Continuous Writing of New Rules

Between the thousands of touch points mentioned above in any given network and the possibility of zero-day attacks, it is no surprise that the threat landscape is expanding. To keep up with this expanding landscape, you can integrate internal and external threat context into your environment by updating processing rules for operating systems, applications and network devices in order to strengthen the accuracy of real-time machine analytics.

Even for enterprises with a dedicated security team, monitoring the latest security threat trends and understanding the blueprint of evolving attack vectors requires constant monitoring of industry reports and blogs. When a company’s reputation is determined by its ability to stop damaging threats, having the most up-to-date processing rules is imperative.

At LogRhythm, the dedicated LogRhythm Labs team ensures the LogRhythm Security Intelligence Platform can interpret data from virtually any data source by examining live attacks and malware in an advanced threat research lab.

We use this insight to create an arsenal of advanced correlation rules for LogRhythm’s AI Engine. AI Engine delivers automated, continuous analysis and correlation of all activity observed within the environment. With over 900 preconfigured, out-of-the-box correlation rule sets, AI Engine enables organizations to predict, detect and respond to the critical actionable events.

Behavior and Anomaly Detection with Machine Analytics Enables Continuous Learning

When malware infiltrates an organization’s first layer of defense, it can spread quickly throughout an organization, exposing data and weakening security. In some cases, this can happen quicker than analysts and administrators can react.

A successful security initiative must be adaptive to the environment. For example, a SIEM should alert an analyst the first time there is a change connected to users, hosts, applications or devices. The SIEM should also rapidly identify new behavior patterns automatically, saving an analyst from constantly needing to manually adjust rules in order to keep pace with the most recent security threats.

AI Engine’s machine analytics capabilities can be used to white list normal behavior by learning over time what constitutes typical user and machine habits. Proven statistical methods can then be leveraged to determine when events fall outside these established norms and alert analysts of the anomalous behavior. These behavioral models are continuously updated as users and machines change their usage patterns offering increased flexibility over manually crafted rules.

Multi-Dimensional Analytics Empower Customization for an Organization

Just because behavior is flagged as anomalous does not necessarily imply that it is malicious. Anomalies can have benign origins—for example, a user starting a new work assignment or a host running new processes after being repurposed within a network. Anomalous behavior, of course, can also reflect malicious intent, such as when a user’s credentials are compromised and controlled by an attacker.

LogRhythm offers a Holistic Threat Analytics Suite with user, network and endpoint anomaly detection to help differentiate between these different kinds of anomalous behavior. The suite contains multi-dimensional rules developed by LogRhythm Labs experts, continuously integrated with threat intelligence and ongoing security research. When an anomaly is detected, analysts automatically receive detailed data to drill down into. At this time, a security operations team can analyze the change in behavior to gain further insight into the root cause.

Multi-dimensional analytics enable organizations to customize anomaly detection to any combination of attributes. For example, some end users might be interested in detecting operational anomalies such as host failure, characterized by a sudden shift of unexpected activity to a failover server.

Statistical rules can be created model the relevant behavioral attributes so that administrators can be alerted upon this non-threatening yet network-critical behavior.

Although modern SIEM platforms can automate detection and response to threats, it is important to think of these tools as an assistive technology. As discussed in this post, human analysis and rule customization are also important components of a successful security initiative. As a security analyst, finding the right balance between machine and human analysis will prove the best practice for your organization to mitigate threats.