LogRhythm exposes patterns and exceptions that would otherwise go undetected

24 June 2010

To help organisations detect and mitigate threats from inside and outside the firewall, LogRhythm now monitors system processes and network connections on endpoints, provides Geolocation of hosts, and maps relationships through network visualization. This global view of network activity adds context to logs and security events to expose patterns and exceptions that would otherwise go undetected.

“In order to detect sophisticated threats including targeted attacks and abuse by privileged users, SIEM/Log Management platforms need to extend visibility, awareness and forensic context to activity throughout the enterprise,” said Jon Oltsik, senior principal analyst for IT analyst and business strategy firm Enterprise Strategy Group.

“LogRhythm continues to be one of the pace setters in this regard by delivering innovations in host and network-level awareness, Geolocation mapping for logs and events and new visualization techniques that yield intelligence and insight from log data, not just random pieces of a puzzle. The new enhancements to the LogRhythm platform reveal the bigger picture by exposing patterns and relationships concealed in countless security records and events.”

Logging Process and Connection Activity

To enable organisations to gain 360 degree visibility of network and host activity for security and compliance management, LogRhythm has added process and connection monitoring to fill information gaps that are not addressed by standard logging. LogRhythm Process Monitor provides independent monitoring of processes running on a host, including the process name and ID, who started it, when it was started, stopped, duration, etc.

LogRhythm Connection Monitor logs all network activity such as listening services, inbound connections, and outbound connections to/from a host including local and remote IP addresses and ports, connection state, direction, duration, and more. Whether it’s a rogue peer-to-peer client running on a laptop or an unauthorised SMTP server on the network, LogRhythm’s enhanced System Monitor agent will provide the visibility and awareness necessary to take appropriate action. These capabilities, combined with LogRhythm’s existing file integrity monitoring and endpoint monitoring & control, provide comprehensive forensic data collection of activity on networks and hosts.

Geolocation Pinpoints The “Where”

For organisations that want to combine location information with relationship mapping between hosts associated with internal, inbound or outbound activity, LogRhythm now provides Geolocation data for both logs and security events – an industry first. This capability enables security teams to know where an activity originated, its destination and the impacted hosts, in order to detect potential attacks and data leaks. For example, using white or black lists, administrators can easily create alerts to generate alarms when data is transferred outside the country, or to unfriendly countries, regions, etc., or when VPN connections originate from unauthorised locations. When combined with LogRhythm’s new network visualization capabilities, Geolocation quickly reveals behaviours, patterns and trends that warrant investigation and/or require corrective action to mitigate security threats.

“From day one, LogRhythm has been focused on helping customers fill the ‘visibility gaps’ on their networks. While logs provide tremendous value on their own, they often don’t provide the complete story,” said Chris Petersen, co-founder and CTO of LogRhythm. “This new version of LogRhythm expands our ability to independently monitor and capture critical forensic information. By providing a more complete picture of activity occurring across the enterprise, LogRhythm makes it easier to detect sophisticated intrusions, insider threats, compliance violations, and operational problems that would otherwise be overlooked or discovered only after the damage was done.”

Visualization Maps Network Activity-Relationships

To reveal hidden threats, trends, security violations, and more, LogRhythm provides a powerful new network visualization tool that maps host-to-host activity, relationships within the enterprise network, and inbound/outbound communications. By rolling together logs, security events, connection monitoring data, and Geolocation information, LogRhythm provides an eye-in-the-sky perspective of activity that spans endpoints as well as network traffic. At a glance, security administrators can quickly identify where suspicious activity is occurring, the scope of the risk or impact, and its origins from inside and outside the enterprise.

Some examples include:
* Pinpointing the source of remote authentications and their frequency
* Detecting if a compromised host has connected to or attacked another internal host
* Knowing if hosts containing sensitive data have connected to hosts residing outside authorised operating locations (i.e., rogue nations, competitors, etc.)

Expanded Fault Tolerance Delivers On Business Continuity Demands

To complement its existing fault tolerance capabilities, LogRhythm has added a new line of High Availability (HA) appliances to its LRX lineup. These HA solutions meet the growing demand for business continuity assurance of enterprise Log Management/SIEM processes. They provide full data and system replication and unattended failover to deliver enterprise-level reliability for LogRhythm’s Log Management and SIEM 2.0 solutions.

Pricing and Availability

The new version of LogRhythm is available immediately from LogRhythm and its business partners worldwide. Pricing starts at £18,500.

Print version | email this to a friend Email to a friend | View other articles