Blog - page 9

Detecting New Network Services with Behavioral Analytics

By utilizing network data generated by Network Monitor, the LogRhythm Security Intelligence and Analytics platform can whitelist normal network behavior and can generate an alert when a new network service is detected. But in order to gather the complete picture you also need user and endpoint visibility. This brings us back full circle to the importance of holistic analytics. I’ll discuss a real world example showing how holistic analytics can help you detect new network services and potentially avoid a similar incident.

Automation and Integration through Critical Security Controls

Automated security intelligence is required to meet most, if not all, of the CIS Critical Security Controls. In its latest spotlight paper, SANS reviews how automated security intelligence can help your organization's security operations strategy align with the CIS Critical Security Controls to detect and respond swiftly to cyber threats.

How to Build a Miniature Network Monitor Device

LogRhythm’s Network Monitor is a powerful forensics tool that allows organizations to capture, analyze, and alert on network data. Traditionally, NetMon is deployed on a blade server within an organization’s data center. However, there are many situations where a smaller, more tactical device is the optimal solution. To demonstrate how to easily deploy NetMon we decided to show you how to build a miniature device.

In the Wake of the Yahoo Breach: What to Do if Your Account Was Compromised

On September 22nd, 2016, Yahoo confirmed that it was the victim of a state-sponsored attack that compromised 500 million user accounts. According to Yahoo, "The account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and in some cases, encrypted or unencrypted security questions and answers." Yahoo is recommending that users change their passwords and review their accounts for suspicious activity.

Gathering Evidence Through Network Monitoring

In this field, we know that gathering evidence is critical to identifying the attack vector, understanding how to stop the attack quickly, and moving ongoing investigations further. One of the best ways to gather forensic evidence is through network monitoring.

Temporal Chain Normalization: The Unsung Hero of Event Correlation

When it comes to correlation capabilities, LogRhythm has you covered. With AI Engine you can perform a variety of activities, from observing a single event to applying advanced behavior rules across multiple dimensions (entities, devices, log sources, metadata, etc.). In addition to some of the more obvious capabilities, I’m here to tell you about one lesser-known feature of AI Engine called Temporal Chain Normalization (TCN).

LogRhythm Challenge: Black Hat 2016

For the LogRhythm Challenge at Black Hat USA this year, we wanted to give participants the opportunity to use several different analytic skills in their attempt to beat the challenge. The goal of the challenge was to identify exfiltrated data from Swish Inc., a fictional video streaming company that was recently exposed as having data leaked to a public file sharing site. We’ll tell you how to find each of the hidden flags within the PCAP.

DPA-Powered Dashboards

With the proliferation of top-level domains, threat actors are using all sorts of DNS tricks to entice people to engage with malicious sites or to mask malicious traffic in the noise of normal traffic. So how do you sort through the noise to find abnormal top-level domains (TLDs)?

SIEM’s Total Cost of Ownership

A Security Information & Event Management (SIEM) platform is an essential tool for managing risk in today’s highly digitized world. And not just essential: our perspective is that a SIEM is the central nervous system for security analysts in combing through alerts, conducting investigations, devising and implementing well-grounded countermeasures, and supporting forensics. As choice abounds in SIEM platforms, there needs to be a blueprint for making an optimal selection. We believe that this blueprint should be based on Total Cost of Ownership (TCO), as TCO modelling takes a balanced approach in weighing objectives and costs.

A Practical Approach to Effective Security Analytics

When discussing effective approaches to the problem of security analytics, I think it is first important to start with a clear definition of the goal of security analytics. The ultimate goal of security analytics is to deliver technology solutions that assist human security analysts in detecting, responding to and mitigating cyber threats. This simple statement hides an area of technological endeavor that is simultaneously fascinating, important and complex. While a full exploration of the many facets of security analytics is beyond the scope of this post, it is useful to discuss a high-level and general approach to security analytics to simplify the complex problem statement into more digestible pieces.