LogRhythm Adds Visualization, Location And Host Activity To Forensic Capabilities

LogRhythm has upgraded its log management/SIEM product's threat detection capabilities by monitoring system processes and endpoint network connections, and by adding visualization and geo-location tools to speed up the investigation of possible attacks and compromises. Poring through logs without an automated tool is pure pain for administrators. LogRhythm's new capabilities help administrators make the most of their limited time to hunt down and mitigate threats. The network visualization presents host-to-host activity, relationships within the enterprise network, and inbound/outbound communications, letting the investigator spot potential threats at a glance and then dig into the details using LogRhythm's data collection, correlation and query capabilities.

"Because we're a high-profile organization, we deal with a lot of attacks," said Nick Levay, information security and operations manager for the Center for American Progress, a think-tank based in Washington, D.C. "In particular, APT (advanced persistent threat) is the buzzword of the day, but in my world, it's a very harsh reality. It's the x-ray operator syndrome," Levay said. "I find that when doing analysis--looking at records of logs--I have about 45 minutes of that before my brain starts to turn to jello. So the question is how much you can get done in that 45 minutes, how can you prioritize what you are looking at."

By monitoring process activity as well as network connections on endpoints, LogRhythm enables investigators to spot behavior that deviates from normal server activity, such as a connection to an unauthorized IP address or a normal process stopping for no apparent reason. The network monitoring tracks listening services and the inbound and outbound connections to and from a host, including local and remote IP addresses and ports, connection state, direction and duration.
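The two checks described above, comparing endpoint connection and process telemetry against a baseline of normal server activity, can be sketched in a few lines. The following is an added example for illustration, not LogRhythm's code or output: the telemetry records, the per-host baseline (expected processes and approved outbound networks) and the long-connection threshold are all constructed for the example.

```python
import ipaddress

# Constructed sample telemetry, modelled on the fields the article lists
# (local/remote address and port, state, direction, duration) plus the
# owning process. These are not real captures.
CONNECTIONS = [
    {"host": "web01", "process": "nginx", "direction": "inbound",
     "local_ip": "10.0.1.10", "local_port": 443,
     "remote_ip": "203.0.113.7", "remote_port": 51022,
     "state": "ESTABLISHED", "duration_s": 12},
    {"host": "web01", "process": "nginx", "direction": "outbound",
     "local_ip": "10.0.1.10", "local_port": 40211,
     "remote_ip": "10.0.2.20", "remote_port": 5432,
     "state": "ESTABLISHED", "duration_s": 3},
    # Outbound to an address outside web01's approved networks, held open
    # for two hours by a process the baseline does not list.
    {"host": "web01", "process": "updater", "direction": "outbound",
     "local_ip": "10.0.1.10", "local_port": 40999,
     "remote_ip": "198.51.100.23", "remote_port": 4444,
     "state": "ESTABLISHED", "duration_s": 7200},
    {"host": "db01", "process": "postgres", "direction": "inbound",
     "local_ip": "10.0.2.20", "local_port": 5432,
     "remote_ip": "10.0.1.10", "remote_port": 40211,
     "state": "ESTABLISHED", "duration_s": 3},
]

# Constructed baseline of "normal server activity": which processes should
# be running on each host and which remote networks it may reach outbound.
BASELINE = {
    "web01": {"processes": {"nginx", "sshd"},
              "allowed_outbound": [ipaddress.ip_network("10.0.2.0/24")]},
    "db01": {"processes": {"postgres", "sshd"},
             "allowed_outbound": []},
}

# Constructed snapshot of processes currently observed on each host.
RUNNING = {
    "web01": {"nginx", "updater"},   # sshd has stopped, updater is new
    "db01": {"postgres", "sshd"},
}


def unauthorized_outbound(connections, baseline):
    """Outbound connections whose remote address is in none of the
    host's approved networks. Returns (host, process, remote_ip, port)."""
    findings = []
    for c in connections:
        if c["direction"] != "outbound":
            continue
        allowed = baseline[c["host"]]["allowed_outbound"]
        remote = ipaddress.ip_address(c["remote_ip"])
        if not any(remote in net for net in allowed):
            findings.append((c["host"], c["process"],
                             c["remote_ip"], c["remote_port"]))
    return findings


def process_deviations(running, baseline):
    """Hosts whose running process set differs from the baseline.
    Returns (host, missing_processes, unexpected_processes)."""
    out = []
    for host, expected in baseline.items():
        seen = running.get(host, set())
        missing = expected["processes"] - seen
        unexpected = seen - expected["processes"]
        if missing or unexpected:
            out.append((host, sorted(missing), sorted(unexpected)))
    return out


def long_lived_outbound(connections, threshold_s=3600):
    """Outbound connections open at least threshold_s seconds; the
    threshold is an assumed tuning value, not a published one."""
    return [(c["host"], c["remote_ip"], c["duration_s"])
            for c in connections
            if c["direction"] == "outbound" and c["duration_s"] >= threshold_s]


if __name__ == "__main__":
    for f in unauthorized_outbound(CONNECTIONS, BASELINE):
        print("unauthorized outbound:", f)
    for f in process_deviations(RUNNING, BASELINE):
        print("process deviation:", f)
    for f in long_lived_outbound(CONNECTIONS):
        print("long-lived outbound:", f)
```

Run stand-alone, the three checks each flag the same host, web01: an outbound connection to an unapproved address, a process that should be running but is not alongside one that should not be, and a connection held open far longer than its peers. Corroboration across independent checks is what makes a single host worth the investigator's limited time.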

Compliance has been the primary driver in the log management/SIEM markets for the last couple of years, as organizations struggled with manual log reviews, reporting and audits to meet regulatory requirements. Automated queries, correlation of network and device data, and streamlined reporting have become essential capabilities.

With this upgrade, however, LogRhythm places the emphasis squarely on security. "Enterprises are finding they need all the information they can get with security management planning and operations for forensics," said Jon Oltsik, principal analyst for Enterprise Strategy Group. "It may complement compliance, but they're feeling they need that security depth as well."

The geo-location capabilities quickly identify where outside connections come from, including country, region, state and city. This allows organizations to run broad queries on connections from suspect areas and pinpoint the source of attacks. (It can even show the location on Google Maps, though the value of that feature is not readily apparent--people know how to use Google Maps to find St. Petersburg in Russia.)