RhythmWorld 2023

Sysmon for Windows has been incorporated into the MITRE ATT&CK module for some time, however, Sysmon for Linux is now available as an Open Source option. One of the reasons for Sysmon’s popularity is that it allows you to keep a log with detailed information about the creation and termination of processes, network connections, and file manipulations. This session explores key features of Sysmon for Linux and how to use Sysmon for Linux with LogRhythm for threat detection.

Attend this session to learn:

• How to install and onboard Sysmon for Linux
• Use cases for using the logs
• Best practices for using Sysmon for Linux

Join the LogRhythm UX team as we look toward the future of LogRhythm Axon, LogRhythm’s cloud native Security Operations Platform. Learn more about our soon-to-be-released, cutting-edge threat investigation platform built from the ground up.

In this session, we’ll share demos of our current work in progress and ideas for product features.

Attend this session to learn:

• What LogRhythm Axon is and how it differs from other security vendors
• Key use cases Axon will solve
• How Axon will change the way teams approach cybersecurity

With the shift of primarily working away from the office over the past couple of years, attackers have taken advantage of workers with fake emails about benefits, the pandemic, job offers, etc. All in an effort to successfully phish end users and obtain their credentials and or to access their systems and data. In this talk, we will be discussing some of the more novel approaches attackers have taken to phish users, how the SOC has repositioned itself to secure the new work environments, and detection techniques you can use in your environment.

In this session, we will focus on SOC tools, technologies and techniques in the detection of novel phishes being used to lure users.

Attend this session to learn:

• How attackers adapt to change quickly
• How the SOC adapted quickly too
• Techniques you can use in your environment to detect novel phishes

With the massive volume of data produced by modern security controls and other technology, understanding context is critical to making informed and timely decisions. Translating the incoming data to a common language is at the core of what LogRhythm does in the current SIEM solution and is being expanded under the LogRhythm Axon Security Operations Platform. In this session, learn how we are approaching the translations in today’s solution and how we are improving it with LogRhythm Axon.

Attend this session to learn:

• A brief overview of LogRhythm’s current data schema
• How the LogRhythm Axon data schema was designed
• An overview of the LogRhythm Axon data schema and its hierarchy
• How your teams can leverage the LogRhythm Axon data schema

Cyberattacks are becoming more sophisticated, targeted, and widespread. The evolution of traditional security boundaries toward a landscape that is cloud-centered has left the old way of detecting and responding to threats over the network inadequate. Security teams are now faced with defending more ubiquitous ground, at a larger scale, against savvier adversaries.

Please join this session for a discussion about the burgeoning technology within cybersecurity known as Network Detection & Response, the value that it can help bring to security teams, and some insights into where this technology is headed. You’ll hear from Derek Watkins, Director of Product Management at LogRhythm and a 20-year cybersecurity veteran.

Attend this session to learn:

• The evolution from network traffic analysis to detection and response
• NDR’s role in the overall modern security ecosystem
• Use-cases and security outcomes
• Where the technology is headed from here

We’ve all heard about Zero Trust for years, yet the strategy has been slow to gain traction. Thanks to the growing adoption of Cloud services and the enormous changes in working patterns, including hybrid as well as fully remote work, Zero Trust is gaining momentum. As both data and users have moved outside the traditional security perimeter, it’s time for security strategies to evolve.

It’s no longer a question of why you need Zero Trust, but how soon can you adopt the strategy. LogRhythm Chief Security Officer Andrew Hollister will discuss the importance Zero Trust. He’ll also reveal best practices to adopt this security architecture to ensure success.

Attend this session and you will learn:

• The advantages and disadvantages of implementing Zero Trust
• Organizational changes needed to implement a Zero Trust strategy
• Key obstacles to avoid when exploring Zero Trust

The Policy Builder tool in LogRhythm Axon is a new method for creating message processing policies. It is designed to remove the barriers of Regular Expressions and make it easier and faster to create and apply Message Processing Policies. Join this session for an overview of Policy Builder, as well as learn several examples of its use.

Attend this session to learn:

• The fundamental components of Policy Builder
• The different processors available within Policy Builder
• How to create Message Processing Policies using real sample data

As technology evolves in the security industry, we must construe how SIEM has evolved to a security operations platform. SIEM solves threat detection and response cases through the collection of logs and applies threat detection models. While still useful and important for security operations centers, the market is changing and demanding a move to an overarching security operations platform. Join Mike Villavicencio, LogRhythm’s Channel Sales Engineer.

Attend this session to learn:

• The evolution of SIEM and its transformation to security operations
• How LogRhythm is redefining its vision for the future
• What matters most to security professionals and end users of SIEM technologies

Today there are many different resources that outline how to manage TrueIdentity records and performing record mergers. Many of these resources are exceedingly difficult to perform or do not take advantage of API enhancements that were introduced in LogRhythm 7.5. Through using LogRhythm.Tools and LogRhythm’s 7.5+ Merge Identity API Endpoint, there are now much more efficient methods of performing identity merges. We will show how to use LogRhythm.Tools to easily combine disparate but related TrueIdentity records into a single identity record. This enhancement aligns with improving the analysts capability for more effective in performing user targeted investigations and further enriches our UEBA capabilities.

You will hear from Adam Shackleford, Principal Professional Services Consultant and Eric Hart, Manager, Subscription Services who manages LogRhythm.Tools.

Attend this session to learn:

• Understand how TrueIdentity helps a SOC/analyst review user information
• How to use LogRhythm.Tools to easily combine accounts into a single identity

OT infrastructures are a bit different than IT. Supervisory control and data acquisition (SCADA) is a system of software and hardware elements that allows industrial organizations to control industrial processes locally or at remote locations, monitor, gather, and process real-time data, directly interact with devices such as sensors, valves, pumps, motors, and more through human-machine interface (HMI) software, and record events into a log file. This session explores how to utilize LogRhythm products to expedite threat hunting in these complicated environments.

Attend this session to learn:

• Review options to monitor SCADA environments
• Use cases for utilizing LogRhythm SIEM and LogRhythm NDR to monitor SCADA
• Expediting threat hunting with the open standards that LogRhythm SIEM and LogRhythm NDR provide

Data Science (DS) and Machine Learning (ML) are currently hot topics in cybersecurity, but applying these new technologies effectively is no simple task. In this session, we will uncover the types of data available and how the complexity of the threat landscape requires both domain and technical (DS and ML) expertise to make a proper selection of models that deliver added value to the product.

Attend this session to learn:

• Background information about data science and machine learning
• Why these new technologies are important today
• How data science and machine learning can enhance your cybersecurity journey

Attacks made against Telcos and ISPs have steadily risen and is not only impacting IT Infrastructure but is also rapidly sneaking through OT infrastructure. As the Telecommunications industry becomes the backbone of all infrastructure, the protection of Telecommunication Asset and Infra is becoming more critical. Attend this session to learn the current trend of attacks in the Telco industry and the challenges on protecting the complex infrastructure of IT and OT. We will address common use cases and scenarios in protecting IT and OT infrastructure and the strategy required to address attack against complex infrastructure of IT and OT.

Attend this session to learn:

• Common Telecommunications (Telco) Infrastructure
• Threats against Telecommunications (Telco) Infrastructure
• Use Cases and Scenarios on the Telecommunications (Telco) Industry
• Examples of Best Practices on tools to monitor for these risks

In today’s world, phishing attacks are at an all-time high. The potential for a phish message to wreak havoc on a company continues to grow. In this session, we will discuss how an open-source addition to the LogRhythm platform gives our customers the ability to automate and accelerate the evaluation of e-mails that have been submitted for review utilizing LogRhythm PIE (Phishing Intelligence Engine). This assists the SOC or security personnel by transforming a reported e-mail into consolidated and relevant data points with the sole purpose of determining if a message is benign or malicious.

You will hear from Adam Shackleford, Principal Professional Services Consultant and Eric Hart, Manager, Subscription Services who manages PIE.

Attend this session to learn:

• Understand the current project status and general information on why you would want to leverage PIE.
• How to install LogRhythm PIE and the underlying LogRhythm.Tools components.
• How to use LogRhythm PIE to evaluate reported phish messages
• How to use LogRhythm PIE to easily create a LogRhythm case and add the pertinent data determined by PIE to this case, thus cutting out much of an analyst’s review time.

Statistics on cyber warfare reveal that about 11% of all cyberattacks are espionage-related. In this session, we will give an overview of the state of cyber warfare and how LogRhythm Threat Research reverse engineer malware for your benefit.

Attend this session to learn:

• Overall risk evaluations
• How White House directives can assist your operation
• Help users turn threat reports into detections

LogRhythm NDR is a powerful platform that monitors real-time threat detections across endpoints, data centers, and the cloud. Securing your network against advanced persistent threats (APTs) requires greater visibility to detect actors and their actions so that you can reduce your response time. As threats increase, real-time network detection and response (NDR) solutions are more critical than ever.

With built in MITRE ATT&CK engine, integrations with cloud technologies and TensorMist-AI, the platform can provide great visibility to your SOC Team, however with the added expertise of the LogRhythm Analytic Co-Pilot team, we can provide quicker time to value on your investment.

The Co-Pilot team works with customers on a weekly basis to assist with tasks from configuration to threat hunting. In this presentation we will go over how Co-Pilot can help you and your team get the most from your LogRhythm NDR deployment and some key takeaways on how to tune your setup.

Attend this session to learn:

• Introduction to the Analytic Co-Pilot Team
• Overview of LogRhythm NDR
• What happens on Analytic Co-Pilot Sessions
• Integrations with LogRhythm SIEM and other third-party platforms

As a growing point of entry for an attack, users are a difficult vector to monitor and secure. To confront the tidal wave of attacks, you need to hone your attention on users by harnessing the power of user and entity behavior analytics (UEBA).

An effective security program monitors and correlates endpoint, network, and user activity to provide comprehensive visibility into an environment. Focusing on your users’ activities gives you an important vantage point to identify threats before they become damaging breaches. Theft, misuse, and exploitation of user accounts are fundamental tactics used by attackers in each phase of the cyberattack lifecycle.

Attend this session to learn:

• What is UEBA
• Why do you need UEBA
• How do you use UEBA

When an incident occurs, network traffic does not lie. If the workload is on-prem, containerized, virtualized or just “in the cloud,” we want to effectively monitor and capture traffic to identify incidents as they occur. The limitations of port mirroring in the cloud means we must think creatively to successfully monitor cloud assets. In this session, you will learn techniques to monitor cloud traffic.

Attend this session to learn:

• Gigamon’s solution to capture network traffic in the cloud
• LogRhythm’s ability to process traffic to determine IOAs and actionable incidents such as domain-generation algorithm and data exfiltration
• How LogRhythm NDR can help detect and respond to incidents

Detection of ransomware usually comes in the form of an attacker notifying the company that their files have been encrypted and are being held for ransom. This session will cover our newly created MITRE ATT&CK: Ransomware module and how it can be leveraged to detect ransomware techniques in your environment.

This presentation will focus on the MITRE ATT&CK techniques primarily observed in ransomware operations. A demonstration of ransomware being used in a test environment will be shown along with detection of the ransomware.

Attend this session to learn:

• Awareness of the MITRE ATT&CK Ransomware module
• What MITRE ATT&CK techniques are important to detect ransomware
• How you can run a ransomware simulation in your test environment

SSH chaining, which is identified in MITRE ATT&CK Technique T1572:Protocol Tunneling, is a method to move laterally, from one system to another. This method of lateral movement is difficult to detect. In this talk, we will demonstrate SSH chaining, auditing that needs to be in place and how MITRE ATT&CK Technique T1572 will detect this activity.

In this presentation, we will demonstrate SSH chaining in a demo. We will also demonstrate what can be done as an attacker, and how to detect an attacker abusing SSH to move laterally through an environment.

Attend this session to learn:

• What SSH Chaining is, and how it is used by an attacker
• MITRE ATT&CK Technique T1572:Protocol Tunneling
• How to use the MITRE ATT&CK T172:Protocol Tunneling AIE rule to detect SSH Chaining

Equipped with LogRhythm’s REST APIs, customers and partners can build custom integrations with other software, fulfill new use cases, and automate mundane administrative tasks. In this presentation, you will learn what APIs are available and how to get started using them.

In this session you will learn:

• An overview of APIs basics
• A summary of available LogRhythm APIs
• A review of tools to get you started with using LogRhythm APIs

Organizations have relied on point solutions in security monitoring for too long without thinking about the “why.” This presentation will focus on the SOC Visibility Triad and how Getronics and LogRhythm leverage it to improve an organization’s approach to Security Monitoring.

Attend this session to learn:

• Real world examples (such as Intersnak)
• Explanation of three LogRhythm core technologies and how their overlapping visibility can help
• Leveraging specific LogRhythm SIEM and LogRhythm NDR toolsets