Symtrex Inc.

Cyber Security Specialist


LogRhythm boosts automation, processing in security platform

2016/11/18 by admin

Howard Solomon - IT World Canada

Improved data processing speed and automation are usually the key capabilities being added to any security product these days, and LogRhythm is the latest to follow the trend.

The company, known for its security information and event management (SIEM) suite, said Thursday these are the key ingredients of the new version 7.2 upgrade to the security intelligence and analytics platform that underlies all of its products.

“One of the big challenges is organizations just don’t have enough security people to throw at the [security] problem, so a goal of ours is how do we automate and make the analysis process as efficient as possible so the people you do have are highly effective,” company CTO and co-founder Chris Petersen said in an interview.

The platform enables visibility, data collection and analytics. Improvements include

–Better performance: Up to a 200 per cent increase in performance ingesting data, which the company says is critically important to large enterprises such as those exceeding 100,000 messages a second. It could mean reducing the number of rack units supporting LogRhythm applications while supporting the same workloads, Petersen said.

Also, onboarding data from a variety of enterprise sources is easier. “You can simply point devices to us” – for example a firewall – “and we will intelligently recognize the device, automatically pre-configure it and begin to process that data.” Until now administrators had to do these configurations manually.


–Support for more data sources: Twenty more metadata fields have been added to the platform’s data structure. Also support has been extended to a total of 785 data sources (including operating systems, applications, and alarm systems in Perth). In addition, there’s more visibility into cloud infrastructure workloads such as Amazon Web Services, Salesforce and others;

–Improvements to the User and Entity Behavioral Analytics (UEBA) module, which analyzes log data on user activity to identify compromised accounts, privilege misuse and data theft. The new module adds improved threat detection algorithms, stronger kill chain corroboration and improved real time dashboards that help admins with threat hunting;

–Improved security automation and orchestration capabilities allowing security teams to move an alarm into a case and add information for investigation. There are 20 new automated actions giving teams automated playbooks for incident response.

LogRhythm competes against other SIEM products including IBM QRadar, Hewlett Packard Enterprise’s ArcSight, Splunk, McAfee Enterprise Security Manager and others.

Contact us for more information or to request a demonstration of the product.

 

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, Log Management, LogRhythm, Products, Security News

LogRhythm Finalist in three categories - SC Awards 2017

2016/11/17 by admin

LogRhythm was honoured to be a finalist in two categories in the SC Awards 2017.

Best Enterprise Security Solution
This includes tools and services from all product sectors specifically designed to meet the requirements of large enterprises. The winning solution will have been a leading solution during the last two years, having helped to strengthen the IT security industry’s continued evolution. - for their Security Intelligence and Analytics Platform

Check out the complete list

Best Computer Forensic Solution
Products in this category fall into two sub-categories: network and media. The network tools must be exclusively intended for forensic analysis of network events/data. If the product is a SIEM with forensic capabilities, it should be placed in the SIEM category. Media tools cover just about all other non-network forensic tools, including those tools that collect data from media over the network and live forensic tools. This also includes specialized forensic tools that are not intended to analyze network data. - For their Network Monitoring Tool

Check out the complete list

Best SIEM Solution
Security information and event management (SIEM) tools are used to collect, aggregate and correlate log data for unified analysis and reporting. Typically, these tools can take logs from a large number of sources, normalize them and build a database that allows detailed reporting and analysis. While forensic analysis of network events may be a feature of a SIEM, it is not the only feature, nor is it the primary focus of the tool.

Check out the complete list

 

 

Filed Under: Log Management, LogRhythm, Products, Security News

The Definitive Guide to Security Intelligence and Analytics

2016/11/17 by admin

By Karen Scarfone

My colleague, Steve Piper, and I just finished writing a free ebook: The Definitive Guide to Security Intelligence and Analytics. In this comprehensive ebook, we cover how you can use security intelligence and analytics technologies to greatly improve detection and to stop threats before damage can be done.

The ebook has three main purposes:

  1. To explain how you and your organization can benefit from adopting and using a security intelligence and analytics platform.
  2. To provide advice on what characteristics to look for when you’re evaluating possible solutions.
  3. To give you tips on deploying a platform solution so you can get the most out of it.

In the ebook, you’ll also learn how to understand attacks and threats, improve detection, streamline response processes, select the right solution, and deploy a solution.

Automating Event Discovery through Security Analytics

One of the most important topics covered by the book is using security analytics techniques to automate the discovery of security events, minimizing the need for human involvement.

Most organizations have enormous volumes of security events to review on a continuous basis, and that can’t be done without heavily relying on automation. Automating security analytics helps organizations to detect malicious activity much more quickly so they can stop it and minimize the damage it would otherwise cause.

A security intelligence and analytics platform uses several types of techniques together for threat detection. One technique is for the platform to establish baselines over time for normal activity and then identify significant changes from those baselines.

Another technique is to use threat intelligence feeds from third parties that capture the characteristics of the latest threats attacking other organizations and individuals around the world.

A final example of a threat detection technique is correlating information from several of the organization’s systems and security controls to identify a security event that traverses all of those places.
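The three techniques just described (baselining, third-party threat intelligence, and cross-system correlation) are easier to reason about with a concrete, if small, implementation. The following is an added example and is not code from the ebook or from LogRhythm; every user, host, count, indicator and log entry in it is constructed, and the thresholds (`z_threshold`, `min_bytes`, `window_min`) are illustrative choices rather than vendor defaults. It learns a per-user baseline of daily failed logins, flags a day that departs sharply from it, checks a proxy-side signal (large upload to a non-internal destination) against a constructed indicator list, and then joins the two signals for the same host inside a time window into one higher-confidence event.

```python
"""Added example (not from the ebook or LogRhythm): baselining, threat-intel
matching and cross-source correlation on constructed data."""
from statistics import mean, pstdev

# Constructed history: failed logins per user per day from the auth system, 14 days.
HISTORY = {
    "alice": [2, 1, 3, 2, 0, 2, 1, 3, 2, 1, 2, 2, 1, 3],
    "bob":   [0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0],
}

# Constructed events for "today", from two different controls.
TODAY_AUTH = {"alice": 2, "bob": 27}           # failed logins today
AUTH_EVENT_MIN = {"alice": 540, "bob": 605}    # minute of day of last failure
TODAY_PROXY = [                                # proxy log: (ts_min, host, dst, bytes_out)
    (600, "ws-bob", "files.example.internal", 1_200),
    (612, "ws-bob", "203.0.113.9", 48_000_000),   # constructed external destination
    (615, "ws-alice", "updates.example.internal", 900),
]
HOST_OF = {"alice": "ws-alice", "bob": "ws-bob"}
TI_FEED = {"203.0.113.9"}                      # constructed third-party indicator list


def baseline_anomalies(history, today, min_std=1.0, z_threshold=4.0):
    """Return {user: z} for users whose count today is far above their baseline.
    min_std stops a nearly flat history from turning any small change into a huge z."""
    flagged = {}
    for user, counts in history.items():
        mu, sd = mean(counts), max(pstdev(counts), min_std)
        z = (today.get(user, 0) - mu) / sd
        if z >= z_threshold:
            flagged[user] = round(z, 2)
    return flagged


def large_external_egress(proxy, min_bytes=10_000_000, internal_suffix=".internal"):
    """Proxy-side signal: large uploads to destinations outside the internal namespace."""
    return [(ts, host, dst, n) for ts, host, dst, n in proxy
            if n >= min_bytes and not dst.endswith(internal_suffix)]


def correlate(auth_flags, egress, window_min=30):
    """Correlation: an auth anomaly and a large egress from the same host within
    window_min minutes become one event; ti_hit records whether the destination
    also appears in the threat-intelligence feed."""
    events = []
    for user, z in auth_flags.items():
        host = HOST_OF.get(user)
        for ts, h, dst, n in egress:
            if h == host and abs(ts - AUTH_EVENT_MIN[user]) <= window_min:
                events.append({"user": user, "host": host, "z": z, "dst": dst,
                               "bytes": n, "ti_hit": dst in TI_FEED})
    return events


if __name__ == "__main__":
    flags = baseline_anomalies(HISTORY, TODAY_AUTH)
    print("baseline anomalies:", flags)
    print("correlated events:", correlate(flags, large_external_egress(TODAY_PROXY)))
```

On this data only bob's day is anomalous (27 failures against a baseline near zero), and the correlation step ties that to a 48 MB upload from ws-bob to a destination on the indicator list seven minutes later; either signal alone would be noisier than the two together, which is the point of correlating across controls.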

Downloading the Ebook

Event discovery automation is just one example of a topic the ebook includes. It covers everything from understanding the basics of the cyberattack lifecycle and threat management to streamlining incident management, threat investigation, and threat mitigation processes. It even outlines the four phases of the security intelligence and analytics platform implementation process, providing insights and recommendations for performing each phase.

Thanks to LogRhythm, The Definitive Guide to Security Intelligence and Analytics ebook is available as a PDF for you to download.

Filed Under: compliance, CyberThreats, Log Management, LogRhythm, Products, Security News

Call centre agents warned about malicious email attachments from potential customers

2016/11/15 by admin

by Howard Solomon - IT World Canada

Contact centre agents should be warned about accepting email attachments from alleged customers after a security vendor discovered a new wave of attacks against three of its customers, including North American hospitality companies, similar to attacks from the Eastern European-based Carbanak crime group.

In a blog posted Monday, Trustwave said it came to that conclusion after investigating incidents.

In one instance an attacker called a customer contact line saying that they were unable to use the online reservation system and so wanted to send their information to the agent by email attachment, said the report. The attachment was a malicious Word document containing an encoded .VBS script capable of stealing system information, capturing desktop screenshots, and downloading additional malware. The malware replaced the text of the Word document with its own, which to the agent looks like a request for information from the hotel for a corporate function.

The malicious VB script uses macros to search for instances of Microsoft Word running on the system; if one is found, it clears the existing text and replaces it. “This malware was capable of stealing significant system and network information,” says Trustwave. “It was also used to download several other reconnaissance tools to map out the network.” Downloaded tools have included Nmap, FreeRDP, NCat, NPing, and others.

Beaconing messages are sent out to 179.43.133.34 via standard HTTP GET requests every five minutes, said Trustwave, to let a command and control server know a system has been compromised. “Using this simple methodology allows the beaconing to hide very well within standard corporate network traffic.” However, the report adds, its uniformity of structure also allows analysts to identify it relatively quickly as well.
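The point in that paragraph worth acting on is the last one: a beacon that fires on a fixed interval with an unchanging request structure is easy to hide in volume but easy to find by shape. The following is an added example, not code from Trustwave or from the article, that applies exactly that idea to proxy logs. It relies only on the two properties described above (near-constant inter-request gaps and a uniform method/path/status/size signature) rather than on any particular destination address; the log lines, addresses, paths and thresholds (`min_requests`, `max_cv`, `max_signatures`) are all constructed for illustration.

```python
"""Added example (not from Trustwave's report): flag periodic HTTP beaconing in
proxy logs by interval regularity and request uniformity. All data is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "timestamp src dst method path status bytes".
# 10.0.5.21 polls one host every ~5 minutes with an identical request (beacon-like);
# 10.0.5.22 browses a site with irregular timing and varied requests (normal).
PROXY_LOG = """\
2016-11-14T10:00:03 10.0.5.21 198.51.100.7 GET /up.php?id=1 200 312
2016-11-14T10:05:04 10.0.5.21 198.51.100.7 GET /up.php?id=1 200 312
2016-11-14T10:10:02 10.0.5.21 198.51.100.7 GET /up.php?id=1 200 312
2016-11-14T10:15:05 10.0.5.21 198.51.100.7 GET /up.php?id=1 200 312
2016-11-14T10:20:03 10.0.5.21 198.51.100.7 GET /up.php?id=1 200 312
2016-11-14T10:25:04 10.0.5.21 198.51.100.7 GET /up.php?id=1 200 312
2016-11-14T10:00:41 10.0.5.22 203.0.113.80 GET /news 200 18422
2016-11-14T10:03:12 10.0.5.22 203.0.113.80 GET /news/item/9 200 20210
2016-11-14T10:11:57 10.0.5.22 203.0.113.80 GET /img/a.png 200 4412
2016-11-14T10:27:30 10.0.5.22 203.0.113.80 GET /news 200 18500
2016-11-14T10:44:09 10.0.5.22 203.0.113.80 GET /about 200 9011
2016-11-14T10:59:55 10.0.5.22 203.0.113.80 GET /news 200 18433
"""


def parse(log_text):
    """Group requests by (src, dst), keeping the epoch time and a structural signature."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, method, path, status, size = line.split()
        epoch = datetime.fromisoformat(ts).timestamp()
        flows[(src, dst)].append((epoch, (method, path, status, size)))
    return flows


def find_beacons(flows, min_requests=5, max_cv=0.1, max_signatures=2):
    """Return [(src, dst, mean_gap_seconds, cv)] for flows whose inter-request gaps are
    nearly constant (coefficient of variation <= max_cv) and whose request structure
    barely varies (at most max_signatures distinct method/path/status/size tuples).
    Flows with too few requests are skipped: a handful of hits cannot show a period."""
    hits = []
    for (src, dst), reqs in flows.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(reqs, reqs[1:])]
        mu = mean(gaps)
        cv = pstdev(gaps) / mu if mu else float("inf")
        signatures = {sig for _, sig in reqs}
        if cv <= max_cv and len(signatures) <= max_signatures:
            hits.append((src, dst, round(mu), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, dst, period, cv in find_beacons(parse(PROXY_LOG)):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (cv={cv})")
```

Only the first flow is reported, with a period of about 300 seconds and a coefficient of variation well under the threshold; the browsing flow fails on both regularity and uniformity. In practice the same logic runs over a day of proxy or firewall logs per (source, destination) pair, and the reported pairs are triage candidates rather than verdicts, since software update checks and monitoring agents are also periodic and uniform.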

If not stopped, however, the process downloads malware that launches a new instance of svchost.exe and injects its malicious code into that running process, hiding the malware within svchost.exe. It then searches for Kaspersky antivirus processes and terminates them if they are running on the victim system.

It then downloads kldconfig.exe, kldconfig.plug, and runmem.wi.exe, which Trustwave says are all well-known Carbanak malware tools. Variations of them were used in the banking intrusions in 2015. Additionally, the decrypted code references “anunak_config” which is the encrypted configuration file that it downloads from its control server. The Anunak crime group is generally believed to be synonymous with Carbanak.

“This malware is very multi-functional as it can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems (which Carbanak used so effectively in recent banking attacks), or install completely different remote desktop programs, such as VNC or AMMYY … Finally, this malware, like so many others, is designed to target credit card data by scraping memory on Point-of-Sale systems, which is presumably the end goal.”

In short, “the attacker uses social engineering to gain their foothold in the victim network, downloads reconnaissance tools to scan the network and move laterally into the card holder data environment, and then infects systems able to process card transactions.”

“The persistence, professionalism, and pervasiveness of this campaign is at a level rarely seen by Trustwave,” says author Brian Hussey, the company’s director of global incident readiness and response. “The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.”

Have a question on how to protect yourself - give us a call 866-431-8972.

Filed Under: antivirus, Bitdefender, CyberThreats, endpoint, Kaspersky, LogRhythm, Malware, Network Access Control, Products, Security News, Snoopwall, Sophos

LogRhythm’s Security Analytics Platform: Product Overview

2016/11/14 by admin

By Dan Sullivan - TechTarget

Expert Dan Sullivan examines LogRhythm’s Security Analytics Platform, a product that leverages big data analytics and machine learning to help protect enterprises.

LogRhythm’s Security Analytics Platform is one of several security applications that leverage big data technologies to help mitigate the risk of targeted, persistent threats. It is part of an emerging class of big data security analytics products that are designed to capture, integrate, analyze and store data at higher rates and volumes than found in earlier generation security information and event management products.

LogRhythm Security Analytics covers a range of analytics areas across an enterprise attack surface, such as user behavior and network anomalies. The platform is designed to give enterprises a holistic view of potential threats using risk-based analytics. Enterprise customers have the option of customizing analytics rules of the platform or using preset threat detection and compliance modules. The security analytics platform also offers users the ability to search, collect and correlate forensic data in the event of a security incident or data breach.

How it works

The big data security analytics platform incorporates advanced analytics technologies for correlation and pattern recognition, as well as multidimensional analysis across users and endpoints. The platform uses machine learning for advanced threat detection; specifically, LogRhythm’s artificial intelligence engine offers continuous automated analysis of different types of data to correlate and identify potential threats. The AI engine comes with nearly 1,000 preconfigured correlation rule sets as well as a GUI for security managers to create and customize their own rules.

LogRhythm Security Analytics also offers a forensics analytics feature. The forensics analytics tool is powered by Elasticsearch, an open source search engine, and is designed to help security managers search through large amounts of data quickly using contextual criteria and full-text terms.

In addition, the platform takes advantage of the LogRhythm Knowledge Base, which is regularly updated with new intelligence and components for integrating with endpoint devices. For example, the knowledge base includes rules for parsing over 600 different types of logs and specialized modules for privileged user monitoring, user and endpoint anomaly detection and web application defenses.

There is substantial support for compliance reporting within the LogRhythm Security Analytics platform, including HIPAA, PCI DSS, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, FISMA, ISO 27001 and NERC-CIP regulations.

The security analytics platform can work in conjunction with the LogRhythm Security Intelligence Platform, which offers both traditional SIEM capabilities as well as threat intelligence services.

Support, cost and deployment

LogRhythm provides a number of customer support options, the two most popular being Standard Support and the premium-level Platinum Support. The standard tier offers access to the LogRhythm support portal and access to user forums as well as technical phone support. Phone support is available from 7am to 6pm MST in this tier. Platinum Support, meanwhile, offers 24/7 phone and email support in addition to other standard-level support options.

The platform can be deployed as high-performance appliances or as a software application in a virtual environment. For pricing information, contact the vendor.

Conclusion

The LogRhythm Security Analytics Platform provides a consolidation point for endpoint and network event data. Its machine learning capability is an essential feature for detecting anomalous events as they occur as well as for supporting forensic analysis, while its support for compliance reporting across a number of major regulations will appeal to businesses in regulated industries. Businesses looking to consolidate device and network logging and analysis may find a good fit with the LogRhythm Security Analytics platform.

 

 

 

 

 

Filed Under: Advanced Persistent Threat, compliance, CyberThreats, endpoint, industry, Log Management, LogRhythm, Products, Security News


© Copyright 2016 Symtrex Inc. ; All Rights Reserved · Privacy Statement