When an organization detects a compromise in their network, speedy incident response can mean the difference between quick containment and a damaging data breach. Organizations that rely solely on manual processes struggle to reduce response times and face higher risk. Companies working to accelerate response times should automate common investigation and response actions.
Unfortunately, automation has been out of reach for most organizations. Developing a homegrown solution is usually cost-prohibitive, and existing commercial options are either inflexible or require extensive and costly customizations.
An effective automation tool must offer:
- Efficient workflows and flexible approval process
- Straightforward integration into the IT environment
- Support for multiple operating systems
- Ability to traverse disparate networks
- Integrated testing
- Minimal cost and complexity
Automated Remediation That Works
SmartResponse™ uniquely enables automated incident response. It also allows semi-automated, approval-based operation so users can review the situation before countermeasures are executed.
LogRhythm reduces the time needed to perform common investigation and mitigation steps, preventing high-risk compromises from snowballing. Examples include triggering a vulnerability scan on a suspect endpoint, and more drastic measures such as quarantining a compromised endpoint or disabling a suspect user account.
Pre-built & Custom Plug-ins
LogRhythm Labs provides customers an extensive library of pre-built SmartResponse actions. LogRhythm also helps users create custom plug-ins using their preferred programming/scripting technology, such as Bash, Java, .NET, Perl, PowerShell or Python. Users can test custom plug-ins with an integrated tool that documents output and identifies errors. These pre-built and custom SmartResponse actions put customers in control.
Users set up SmartResponse actions to be triggered by specific alarms. These alarms can pass data to the SmartResponse action, enabling dynamic, precise execution. Multiple SmartResponse actions can be executed from a single alarm, enabling simultaneous investigation and mitigation actions.
Sophisticated Approval Processes
Users might want to defer SmartResponse execution until an incident responder or a formal approval chain has verified the actions. With SmartResponse, users can implement sophisticated approval scenarios as a pre-condition for execution. LogRhythm also supports more elaborate approval chains, including multi-party approvals from different groups when cross-organizational approvals are required.
Flexible Execution Options
The LogRhythm SmartResponse Automation Framework supports several action execution options:
- Full Chain Execution: Configure SmartResponse actions to run in a fully automated manner without approvals. This capability speeds compromise containment, neutralizing high-risk threats within seconds.
- One-Click Execution: Execute an action manually. LogRhythm SmartResponse Automation Framework allows single-click, instantaneous execution of responses from within the LogRhythm user interface.
- System Monitor Remote Execution: Initiate actions in remote sites over disparate networks that may not be accessed directly through IP routing. SmartResponse enables this capability with responses that can be delivered to and executed locally on System Monitor agents. SmartResponse remote execution thus enables a truly global, distributed incident response capability.
Full Audit and Accountability
Incident response processes often involve many different people, teams and technologies. With SmartResponse, LogRhythm tracks and logs all activity undertaken to contain and mitigate the compromise. This eliminates the burden to manually capture and consolidate incident response information, including approvals and notifications. Capturing audit trails helps an organization refine its incident response processes, communicate with management, and address any compliance controls.
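To make the alarm-to-action flow (an alarm passing data to several actions), the group-based approval pre-condition and the audit trail described above concrete, here is an added, constructed Python model. It is not LogRhythm's SmartResponse plug-in API; the action handlers, approver group names and alarm fields are assumptions for the illustration.

```python
"""Constructed model: one alarm fans out to several response actions, an
action may require approval from named groups before it runs, and every
step is recorded in an audit trail. Illustration only, not a vendor API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

AUDIT: List[str] = []  # in-memory audit trail for the example


def audit(event: str) -> None:
    AUDIT.append(event)


@dataclass
class Action:
    name: str
    handler: Callable[[dict], str]
    approvers_required: frozenset = frozenset()  # groups that must sign off
    approvals: set = field(default_factory=set)

    def approve(self, group: str) -> None:
        """Record one group's approval; unrelated groups are ignored."""
        if group in self.approvers_required:
            self.approvals.add(group)
            audit(f"approve {self.name} by {group}")

    def ready(self) -> bool:
        # Multi-party approval: every required group must have approved.
        return self.approvers_required <= self.approvals

    def run(self, alarm: dict) -> str:
        if not self.ready():
            missing = sorted(self.approvers_required - self.approvals)
            audit(f"blocked {self.name} awaiting {missing}")
            return "pending"
        result = self.handler(alarm)  # alarm data drives the action
        audit(f"executed {self.name} on {alarm['host']}: {result}")
        return result


# Hypothetical handlers; real actions would call an endpoint, directory or
# firewall API instead of returning a string.
def collect_machine_data(alarm: dict) -> str:
    return f"collected from {alarm['host']}"


def suspend_user(alarm: dict) -> str:
    return f"suspended {alarm['user']}"


def dispatch(alarm: dict, actions: List[Action]) -> Dict[str, str]:
    """Fan a single alarm out to every configured action."""
    audit(f"alarm {alarm['id']} fired on {alarm['host']}")
    return {a.name: a.run(alarm) for a in actions}


# Constructed alarm payload, as an alarm would hand data to its actions.
ALARM = {"id": 4711, "host": "ws-017", "user": "jdoe"}
```

Running `dispatch(ALARM, [...])` executes the unapproved investigation action immediately and leaves the user-suspension pending until both groups approve, with each decision visible in `AUDIT`.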
Make the Most of Existing Investments
LogRhythm SmartResponse Automation Framework allows users to integrate easily with current and future security technologies. It provides broad vendor support, so users can respond across the network regardless of the security devices, IT infrastructure, networking, systems and applications that are deployed.
Incident response teams are empowered with pre-packaged and customizable plug-ins, which can reduce time to respond from days to minutes. SmartResponse use case examples include:
- Endpoint Quarantine: Identify the network port where a suspicious device is located and disable the port/device.
- Suspend Users: If an account compromise is suspected, halt a user’s account access—no matter what device they use.
- Collect Machine Data: In the case of malware, SmartResponse can gather forensic data from the suspect endpoint.
- Suspend Network Access: If data exfiltration is occurring, the incident response team can kill the connection by updating the access control list used by corporate firewalls.
- Kill Processes: If a team detects unknown or blacklisted processes on critical devices, SmartResponse can kill the specific running program.