LogRhythm, a company focused on security intelligence, has introduced a new product that automates the process of responding to advanced network-borne threats. By combining and automating data collection, management, workflow and analytics, LogRhythm Network Detection and Response (NDR) can help organizations detect and respond to threats faster. Companies, especially those with small cybersecurity staffs, can use LogRhythm NDR to detect data exfiltration, identify desktops compromised by custom malware, and examine privileged user permissions.
NDR’s use of automation is one key to achieving the goals LogRhythm set out. Liam Mayron, LogRhythm’s cybersecurity and technical product leader, said NDR automates the three pillars of its solution: threat detection, threat investigation, and response. On the detection side, alerts can be generated automatically, based on user-defined criteria. The solution also has an automated analysis engine, addressing the investigation pillar. For the response, there is a range of automated actions that can be taken in response to one alarm, multiple alarms or corroborated pieces of evidence, depending on how it is configured.
In addition to being a full SIEM, the solution also makes good use of SOAR (Security Orchestration, Automation and Response) to provide guided, customizable playbooks that track, document, and enforce defined workflows; case management for end-to-end collaboration and management of alerts, evidence, and escalations; flexible, scriptable responses supporting dozens of vendors’ technologies; and metrics to measure and improve SOC responsiveness.
“We think SOAR has a big impact on the use cases for NDR,” Mayron said. “It's one thing to be able to detect these threats, and another to investigate them. But you have to close the loop, and you have to do it in an efficient way that saves your SOC's resources. And we really think SOAR is a very important part of that.”
Security analytics is the other part of LogRhythm’s “secret sauce.” The technology provides a toolkit of centralized analytics for full-spectrum threat detection, including indicator of compromise (IoC) signature-based inspection; tactics, techniques, and procedures (TTP) scenario-based modeling; and behavior analysis.
The centralized analytics engine can examine data across sensors and sources. It also can bring in external content as well as content that LogRhythm provides. “This lets you do things like corroborate alarms,” Mayron explained. “You may have one activity like access to a resource that shouldn't be accessed, or an attempt to access it. Maybe by itself it could be an accident, but if it's corroborated with other signs of a compromise, maybe a large file transfer originating from the same user, that probably merits investigating.”
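The corroboration Mayron describes (a lone access alarm is noise, the same user moving a large file shortly afterward is a case) is simple to express as a rule. The following is an added example written for this article, not LogRhythm code and not a description of how NDR implements the rule internally. The alarm records, the user names, the 30-minute window, the byte threshold and the response names (`log_only`, `open_case`) are all constructed assumptions; a real deployment would read alarms from the SIEM and map the response to a playbook.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample alarms for illustration (not real LogRhythm output).
# Each row: (ISO timestamp, user, alarm kind, detail).
SAMPLE_ALARMS = [
    ("2024-03-01T09:00:05", "alice", "unauthorized_access", {"resource": "/finance/payroll.xlsx"}),
    ("2024-03-01T09:04:40", "alice", "large_transfer", {"bytes": 850_000_000, "dest": "203.0.113.7"}),
    ("2024-03-01T09:10:00", "bob", "unauthorized_access", {"resource": "/hr/reviews"}),
    ("2024-03-01T11:30:00", "bob", "large_transfer", {"bytes": 600_000_000, "dest": "198.51.100.9"}),
    ("2024-03-01T12:00:00", "carol", "large_transfer", {"bytes": 900_000_000, "dest": "192.0.2.50"}),
]

# Hypothetical response policy: a single alarm is only logged, a corroborated
# pair opens a case. Names are assumptions, not NDR playbook identifiers.
RESPONSE_POLICY = {"single": "log_only", "corroborated": "open_case"}


@dataclass
class Alarm:
    ts: datetime
    user: str
    kind: str
    detail: dict


def parse_alarms(rows):
    """Turn the constructed tuples into Alarm objects with real datetimes."""
    return [Alarm(datetime.fromisoformat(ts), user, kind, detail)
            for ts, user, kind, detail in rows]


def corroborate(alarms, window=timedelta(minutes=30), min_bytes=100_000_000):
    """Pair each unauthorized-access alarm with large transfers by the same
    user inside `window` after it. Returns one case per corroborated access;
    uncorroborated alarms fall through to the 'single' response."""
    by_user = defaultdict(list)
    for a in alarms:
        by_user[a.user].append(a)

    cases = []
    for user, items in by_user.items():
        items.sort(key=lambda a: a.ts)
        accesses = [a for a in items if a.kind == "unauthorized_access"]
        transfers = [a for a in items
                     if a.kind == "large_transfer"
                     and a.detail.get("bytes", 0) >= min_bytes]
        for acc in accesses:
            # Only transfers that happen after the access and within the window count.
            matched = [t for t in transfers if acc.ts <= t.ts <= acc.ts + window]
            if matched:
                cases.append({
                    "user": user,
                    "evidence": [acc] + matched,
                    "action": RESPONSE_POLICY["corroborated"],
                })
    return cases


def response_for(alarm, cases):
    """Look up which automated action an individual alarm ends up with."""
    for c in cases:
        if alarm in c["evidence"]:
            return c["action"]
    return RESPONSE_POLICY["single"]


if __name__ == "__main__":
    alarms = parse_alarms(SAMPLE_ALARMS)
    for case in corroborate(alarms):
        print(case["user"], case["action"],
              [(e.kind, e.ts.isoformat()) for e in case["evidence"]])
```

With the constructed data, only alice's access is corroborated (bob's transfer is more than two hours after his access, and carol has no access alarm), so one case opens and the other alarms are logged. Widening the window to three hours pulls bob in as well, which is the tuning trade-off a SOC makes when it sets these thresholds.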
LogRhythm NDR also can automatically identify and categorize traffic for more than 3,300 applications using deep packet inspection, and recognize 19 SCADA protocols.
“In real time, we can generate metadata for all security-related network metadata—both basic things like IP addresses or domains, and more interesting things like certificate information, the application that's actually being used, the family of applications being used,” Mayron said. “We can tell if it’s a VPN, a peer-to-peer application, whether it has access to your database. So right on the sensor, you can manipulate and gain insight from this metadata.”
Mayron noted that the product is easy to use, and includes access to LogRhythm’s full SIEM capabilities, which allows organizations to grow with the solution. “For example, if you want to add sources in addition to network traffic sources, you can, and then you can correlate those alerts from those other sources, and grow with it that way.”