A certified B Corporation headquartered in Lincoln, Nebraska, Assurity is a mutual life and health insurance provider owned by its policyholders and dedicated to “helping people through difficult times.” The result of three distinct insurance organizations merging, Assurity offers life insurance, disability and critical illness insurance, and voluntary employee benefits to independent brokers throughout the United States. Working within the highly regulated insurance industry, Assurity chose LogRhythm’s NextGen SIEM Platform to help them achieve compliance and keep both their customers’ — and their employees’ — data safe.
The Challenge
Securing a Complex Environment with a Small Team
Insurance companies are subject to stringent government oversight, from regulating licensing models to standardizing policies and product offerings. Assurity follows a brokerage model providing their services to independent brokers nationwide. As such, they’re tasked with adhering to 50 different state insurance laws, making compliance no small feat. Regarding log management, Assurity is required to adhere to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500). The NYDFS regulation requires companies like Assurity adopt a rigorous cybersecurity program and adhere to strict reporting rules for any breach. It’s likely remaining states will soon adopt some form of the NAIC model regulation, a requirement somewhat based upon the NYDFS.
With a small security team of three, Assurity searched for a SIEM that would serve to both help keep their robust IT environment secure and ensure compliance while removing mundane tasks and empowering their team to do more with few resources. After reviewing the top vendors in the security industry, Assurity chose LogRhythm.
The Solution
Leveraging LogRhythm’s NextGen SIEM with Embedded SOAR for Rapid Detection and Response
Having implemented LogRhythm’s NextGen SIEM and satisfied their compliance efforts, Assurity Life began to find additional value namely in the platform’s SOAR capabilities. Native SOAR capabilities in the platform enable security teams of any size to reduce the number of disparate technologies and necessary steps required to effectively respond to security events.
Integrated case management and task automation provide consistent investigative tools throughout the incident response process; Guided workflows, built-in escalation processes, and case playbooks optimize analyst workload and facilitate efficient threat remediation.
Realizing Rapid Incident Management with LogRhythm’s SmartResponse Automation
SmartResponse provides prepackaged, customizable task automations to reduce the time needed to detect and respond to threats. From quarantining endpoints to suspending users or capturing additional contextual data, SmartResponse actions automate incident response workflows, enabling greater efficiency, and reducing organizational risk.
After attending a LogRhythm-sponsored free training offered by Ultimate Windows Security “Anatomy of a Hack Disrupted: How Out-of-the-Box Rules Caught an Intrusion”, Kelly Murphy, Assurity’s IT Security and Compliance Manager, recognized an opportunity to improve monitoring of their Microsoft Active Directory Domain Administration with analytics and automation. Kelly and his team worked with LogRhythm’s Professional Services to implement a use case leveraging SmartResponse and AI Engine, a fully integrated LogRhythm component that provides support for various threat scenarios.
The goal of the use case is to prevent unauthorized domain accounts from functioning. With the analytics of AI Engine and task automation from SmartResponse, Assurity is able to recognize and automatically mitigate unauthorized account usage:
- AI Engine detects when users are added to the domain admin group or if an account in the domain admin group
is enabled - AI Engine automatically cross checks these accounts against a whitelist of approved accounts
In either case, automated actions from SmartResponse disable the illegitimate account. After being notified of the new account creation by a network manager, Assurity’s security operations adds the account name to the domain admin whitelist so the account can be enabled or re-enabled. This step could also be automated using LogRhythm’s dynamic Lists.
Putting LogRhythm SOAR to the Test
In March 2018, Assurity underwent a security assessment including penetration testing. After numerous failed attempts to compromise Assurity’s system, the pen tester used a known vulnerability to successfully create a new domain account. For a moment, it seemed they had circumvented the domain administration controls Kelly and his team had put in place. However, once the AI Engine rule verified the newly created domain account was not on the whitelist, the SmartResponse fired and automatically enacted countermeasures to quickly disable the illegitimate account.
The automated SmartResponse action prevented the pen tester from creating a fake domain admin account and compromising their IT environment — all without any manual intervention from the security team. The pen tester stated he had yet to see an automated response to that kind of attack before.
“I know the pen tester has set off alarms and warnings while testing for other clients, but he had never seen SmartResponse actions remediate an attack,” said Kelly, “Despite the many tools we had in place before LogRhythm, we are now confident in our decision to make LogRhythm the centerpiece of our security monitoring and remediation efforts.”
Conclusion
Enhanced Security Maturity and Compliance Through Orchestration and Automation
The pen tester’s inability to subvert the automated recognition by AI Engine and immediate SmartResponse action instilled greater confidence for Kelly’s team in their LogRhythm NextGen SIEM Platform. Furthermore, the security assessment allowed the broader organization to see the solution in action.
For Assurity, the domain administration use case has been a catalyst for improving incident response through additional orchestration and automation. Kelly and his team are continuing to build out their whitelist, plan to build more custom AI Engine rules, and would like to devise and implement similar SmartResponse use cases over time.
With LogRhythm, Assurity can demonstrate their adherence to compliance controls in a heavily regulated industry while improving their security posture and reducing their mean time to detect and respond to threats. With the embedded orchestration and automation capabilities LogRhythm provides, Assurity strengthens their skilled yet limited resources while removing mundane tasks and empowering their team to do more with few resources.
To see what LogRhythm SOAR can do for your organization, visit LogRhythm.com today to schedule a demo or just click the button below.