When an organization detects a compromise in their network, speedy incident response can mean the difference between quick containment and a damaging data breach. Organizations that rely solely on manual processes struggle to reduce response times and face higher risk. Companies working to accelerate response times should automate common investigation and response actions.
Unfortunately, automation has been out of reach for most organizations. Developing a homegrown solution is usually cost-prohibitive, and existing commercial options are either inflexible or require extensive and costly customization.
An effective automation tool must offer:
SmartResponse™ uniquely enables automated incident response. It also allows semi-automated, approval-based operation so users can review the situation before countermeasures are executed.
LogRhythm reduces the time needed to perform common investigation and mitigation steps, preventing high-risk compromises from snowballing. Examples include triggering a vulnerability scan on a suspect endpoint, and more drastic measures such as quarantining a compromised endpoint or disabling a suspect user account.
LogRhythm Labs provides customers an extensive library of pre-built SmartResponse actions. LogRhythm also helps users create custom plug-ins using their preferred programming/scripting technology, such as Bash, Java, .NET, Perl, PowerShell or Python. Users can test custom plug-ins with an integrated tool that documents output and identifies errors. These pre-built and custom SmartResponse actions put customers in control.
Users set up SmartResponse actions to be triggered by specific alarms. These alarms can pass data to the SmartResponse action, enabling dynamic, precise execution. Multiple SmartResponse actions can be executed from a single alarm, enabling simultaneous investigation and mitigation actions.
Users may want to hold SmartResponse execution until an incident responder or a formal approval chain has verified the proposed actions. SmartResponse lets users make approval a pre-condition for execution, from a single reviewer's sign-off up to multi-party approval chains in which reviewers from different groups must each approve when cross-organizational sign-off is required.
The LogRhythm SmartResponse Automation Framework supports several action execution options:
Incident response processes often involve many different people, teams and technologies. With SmartResponse, LogRhythm tracks and logs all activity undertaken to contain and mitigate the compromise. This eliminates the burden to manually capture and consolidate incident response information, including approvals and notifications. Capturing audit trails helps an organization refine its incident response processes, communicate with management, and address any compliance controls.
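The three mechanisms described above (alarm fields passed into the actions, several actions fanned out from one alarm, and approval as a pre-condition for the higher-impact ones, all recorded in an audit trail) are easy to misread as separate features; a small framework makes it clear how they fit together. The following is an added illustration written for this page, not LogRhythm's code or its SmartResponse API: the class and function names, the alarm name, the hosts and user names, and the "protected account" guardrail are all this example's own assumptions. The plug-in bodies are stand-ins for calls a real plug-in would make to a scanner, an EDR or a directory.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Added example: all names below are hypothetical, not LogRhythm identifiers.


@dataclass
class Alarm:
    """An alarm as it is handed to an action: a name plus the fields pulled
    from the triggering log (host, user, ...)."""
    name: str
    fields: Dict[str, str]


@dataclass
class Action:
    """A response plug-in: a callable that receives the alarm fields and
    returns a one-line result, optionally gated behind human approval."""
    name: str
    run: Callable[[Dict[str, str]], str]
    requires_approval: bool = False


@dataclass
class AuditEntry:
    alarm: str
    action: str
    status: str          # executed | pending | approved | denied | failed
    detail: str = ""
    actor: str = "system"


class ResponseFramework:
    """Binds actions to alarms, runs or parks them, and records every step."""

    def __init__(self) -> None:
        self._bindings: Dict[str, List[Action]] = {}
        self._pending: Dict[int, Tuple[Alarm, Action]] = {}
        self._next_ticket = 1
        self.audit: List[AuditEntry] = []

    def bind(self, alarm_name: str, action: Action) -> None:
        """Several actions may be bound to the same alarm."""
        self._bindings.setdefault(alarm_name, []).append(action)

    def fire(self, alarm: Alarm) -> List[Optional[int]]:
        """Dispatch every action bound to the alarm. Unattended actions run at
        once (None in the result); gated actions are parked under a ticket."""
        tickets: List[Optional[int]] = []
        for action in self._bindings.get(alarm.name, []):
            if action.requires_approval:
                ticket = self._next_ticket
                self._next_ticket += 1
                self._pending[ticket] = (alarm, action)
                self.audit.append(AuditEntry(alarm.name, action.name, "pending", f"ticket {ticket}"))
                tickets.append(ticket)
            else:
                self._execute(alarm, action)
                tickets.append(None)
        return tickets

    def approve(self, ticket: int, approver: str) -> str:
        """Release a parked action; the approver is written to the audit trail."""
        alarm, action = self._take(ticket)
        self.audit.append(AuditEntry(alarm.name, action.name, "approved", f"ticket {ticket}", approver))
        return self._execute(alarm, action)

    def deny(self, ticket: int, approver: str, reason: str) -> None:
        alarm, action = self._take(ticket)
        self.audit.append(AuditEntry(alarm.name, action.name, "denied", reason, approver))

    def _take(self, ticket: int) -> Tuple[Alarm, Action]:
        if ticket not in self._pending:
            raise KeyError(f"no pending ticket {ticket}")
        return self._pending.pop(ticket)

    def _execute(self, alarm: Alarm, action: Action) -> str:
        try:
            result = action.run(alarm.fields)
            self.audit.append(AuditEntry(alarm.name, action.name, "executed", result))
            return result
        except Exception as exc:  # one failing plug-in must not silence the others
            self.audit.append(AuditEntry(alarm.name, action.name, "failed", repr(exc)))
            return f"failed: {exc}"


# Stand-in plug-ins (hypothetical). Alarm fields come from parsed logs, so a
# plug-in should validate them before acting on them; disable_account refuses
# names that look like service or built-in admin accounts.
PROTECTED_ACCOUNTS = {"Administrator", "svc-backup"}  # assumed guardrail list


def trigger_vuln_scan(fields: Dict[str, str]) -> str:
    return f"vulnerability scan queued for {fields['host']}"


def quarantine_endpoint(fields: Dict[str, str]) -> str:
    return f"{fields['host']} moved to quarantine VLAN"


def disable_account(fields: Dict[str, str]) -> str:
    user = fields["user"]
    if user in PROTECTED_ACCOUNTS or user.startswith("svc-"):
        raise ValueError(f"refusing to disable protected account {user}")
    return f"account {user} disabled"


def run_demo() -> ResponseFramework:
    """One alarm fans out to a scan (unattended) and two gated actions."""
    fw = ResponseFramework()
    fw.bind("Malware Beacon Detected", Action("vuln_scan", trigger_vuln_scan))
    fw.bind("Malware Beacon Detected", Action("quarantine", quarantine_endpoint, requires_approval=True))
    fw.bind("Malware Beacon Detected", Action("disable_account", disable_account, requires_approval=True))
    alarm = Alarm("Malware Beacon Detected", {"host": "ws-1042", "user": "jdoe"})  # constructed sample
    fw.fire(alarm)                       # scan runs now; tickets 1 and 2 wait
    fw.approve(1, "ir-lead@example")     # quarantine released by the IR lead
    fw.deny(2, "helpdesk-mgr@example", "user is on-site; reset password instead")
    return fw


if __name__ == "__main__":
    for entry in run_demo().audit:
        print(f"{entry.alarm:<25} {entry.action:<16} {entry.status:<9} {entry.actor:<20} {entry.detail}")
```

Running the module prints the audit trail in order: the scan executed immediately, both gated actions parked, the quarantine approved and then executed, and the account disable denied with the reviewer's reason. The same trail is what a team would hand to management or an auditor, which is why the approver's identity is written on the approval entry rather than only on the execution entry.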
The LogRhythm SmartResponse Automation Framework lets users integrate easily with current and future security technologies. It provides broad vendor support, so users can respond across the network regardless of which security devices, IT infrastructure, network equipment, systems and applications are deployed.
Incident response teams are empowered with pre-packaged and customizable plug-ins, which can reduce time to respond from days to minutes. SmartResponse use case examples include: