Review: LogRhythm takes SIEM to the next level

When they were first created, Security Information and Event Manager (SIEM) platforms solved a big problem in cybersecurity: Too many alerts were being generated by multiple defensive tools like firewalls and log analyzers, and information technology teams had to go into each of them individually to check the health of their network. SIEMs collected all of that data in one place.

Today, most SIEMs are overloaded themselves, and just collecting data is no longer such a valuable skill. To be truly useful in today’s threat-rich environment, SIEMs need to analyze threats from multiple angles, help to classify them based on their severity, and provide tools to help mitigate the problem. And a really advanced SIEM would even solve some of those problems automatically, saving time and further reducing all of the security noise that a modern enterprise network generates.

That’s a pretty tall order, but it’s one that LogRhythm was able to effortlessly tackle during this evaluation.

Getting started

LogRhythm offers two core products: LogRhythm Enterprise, which is designed to drop into complex, enterprise environments with a lot of existing security tools, and LogRhythm XM, which is designed for small and medium sized businesses that don’t have a lot of cyber maturity or robust monitoring and defenses. We looked at LogRhythm Enterprise.

LogRhythm considers its product a next-generation SIEM, and has for years been included in the Gartner magic quadrant for that category. While it’s true that there are a lot of very helpful additional features packed into LogRhythm Enterprise, including automation, the main console is immediately recognizable as an SIEM.

John Breeden II

The Enterprise version of LogRhythm contains several layers, including collection, processing, indexing and analytics. But the entire platform can exist as a single appliance, which greatly simplifies installation. The collector layer can additionally deploy agents, though this is not required for most SIEM operations. The platform integrates with just about every other kind of cybersecurity tool, hardware or software, and can be configured to work with unique security devices if required.

While the main interface is both graphical and useful, there is a lot of functionality built into it as well. There is a drop-down menu at the top where alerts are divided up into groups according to either the type of device or program that they come from, or in the case of a compliance violation, the rule that the recorded event is breaking. For example, you can just look at problems coming from the enterprise Office 365 installation, or those that are violating HIPAA statutes.

John Breeden II

The LogRhythm Enterprise dashboard is also role-based, so not everyone who uses it has to be given super-administrator access. For example, if someone is just responsible for firewall management, you can have the program only show them firewall security events when they login, and not the entire enterprise.

John Breeden II

You can pivot from any alert, which is ranked and colored according to severity, to the elements that make it up, meaning you can see the full log files and any other information. If an alert is based on multiple factors, then grabbing all of them for viewing, or for later help with response and cleanup, is extremely intuitive.

LogRhythm also has the ability to automate remediation of alerts, though that is optional, and gets into the SOAR (security automation and orchestration) part of the platform.

The investigation

Diving into a highly scored, bright red alert was a fairly simple process, which we were able to accomplish with minimal effort or training. We first pulled all of the information that LogRhythm collected about the alert. We then clicked on a little suitcase icon to turn the alert into a case – yeah, kind of overly cute, but it works.

The alert was based on an incident of PowerShell running in the testbed. In addition, the person controlling the PowerShell sent code into the possibly-infected machine. LogRhythm captured all of that code, which we were able to select and move to the analyzer. It turns out that the code was actually installing a version of PowerShell Empire, which is used as launching point for a lot of very bad attacks. This was evident from the decoded version of the file in plain text.

John Breeden II

LogRhythm then did all the things that IT workers do when they find suspicious activity or files. It checked with all of the usual threat feeds and virus checking sites and showed us their reports and responses. Since we were confident that this was an attack at this point, we used the integration of LogRhythm with Carbon Black to lock down the endpoint, though LogRhythm can work with almost any endpoint management system. We did have to enter the proper username and password to lock the infected system, which is an additional layer of protection against rogue or turncoat admins. Other protections can also be added if needed, such as permission from a higher authority to take more drastic actions.

Once that was complete, we created a ticket so that those responsible for cleanup could wipe and reinstall the endpoint. But our job was not complete. We then used LogRhythm to search for signs of a similar attack anywhere on the network, either using the same IP addresses or simply the same techniques.

Now finished with the investigation, LogRhythm generated a report that showed everything we did and how long the investigation took, which in our case was 26 minutes – not bad for the most junior of junior analysts who just learned how to use the platform. These metrics could be used to evaluate IT staffers and would be great for training programs or even setting goals like reducing incident response times.

Testing automatic features

For our next test, we used a suspected phishing incident that was reported to the console by a user. The program did most of the same things as we had manually accomplished during our investigation, including checking the contents of the email against repositories and threat feeds. LogRhythm quarantined the email, not just from the original inbox, but from 32 others where it also landed.

The system-generated report showed all these steps and the time it took to perform them. LogRhythm was a bit of a show off here, completing its casework in one minute (it does not record in seconds, so most of its cases will simply show one minute as the timeframe to completion). So it crushed us in terms of time taken to remediate an issue.

Testing UEBA

A few additional modules can be activated to add even more functionality and security to the core Enterprise product. Among the most interesting, and initially kind of scary in a Big Brother sort of way, is LogRhythm UEBA (User and Entity Behavior Analysis), which evaluates users and ranks them based on their risky behaviors. It does this by recording what users normally do and then raising their scores when it finds an anomaly, or a lot of anomalies.

For example, there was one user who normally had a very low risk score but who recently began to climb the charts in a bad way. Looking deeper into the situation, we found that the user in question was experiencing a string of login failures, which was odd since they normally remembered their password. And now they were failing over 50 times in a day. But it was even more odd because LogRhythm recorded them as logged in from two places at the same time. That’s not completely out of the realm of possibility if someone, say, forgets to log out of their terminal at work and then uses the VPN to check their mail from home. But in this case the second login point was in the Middle East, and the home office for that user was located in Colorado.

That was too much of a coincidence. The investigation seemed to suggest that the remote user overseas had hacked into their account and was now able to access it. They had not done anything suspicious yet other than the failed logins, so local cybersecurity platforms had not flagged anything. But the LogRhythm UEBA module caught the anomalies and realized that the activity was well outside of the normal user’s behavior (or in this case, not actually physically possible). Catching activity like that even before something bad happens is about as far to the left of the cyber kill chain as you can get, making the optional module quite useful to the overall package.

The last word

LogRhythm Enterprise is certainly a next-generation platform and almost can’t be called an SIEM given all that it does. It offers a lot of protection and assistance for finding and remediating threats … and sometimes even pre-threat actions. It can allow IT teams to work their magic with as much or as little assistance as they require, or can automate much of the investigative work. It also has tight role-based controls throughout the platform, so that it can never become a security risk itself.

Given the sheer size of enterprise networks today and the constant attacks that they suffer, a tool like LogRhythm Enterprise is certainly needed. It can find and remediate threats, enhance every other security tool, and might just make SIEMs relevant as a keystone of network defense once again.