Every Security Incident has a Story | #mac | #macos | #macsecurity


You have lots of security tools at your disposal, but do they help you visualize your data to identify threats or quickly resolve security incidents? Do you know what your data is telling you?

LogRhythm uses security information and event management (SIEM) data in a way that other security vendors don’t. To help streamline your analyst experience, LogRhythm recently released our latest software capabilities, LogRhythm 7.7, to consolidate security insights, data, and events into a single view.

At LogRhythm, we focus on all the data that’s both learned and observed. We blend statistical analytics with machine learning and behavioral analytics to help you see the complete security story. Other companies gather data from a limited set of sources or rely exclusively on machine learning or signature-based detections to alert analysts of a potential security incident.

LogRhythm builds a security story with your data. With LogRhythm, your team can access data from a rich set of sources, giving you contextual information even if you or your colleagues don’t have direct access to the data source. For example, you can use SmartResponse™ automation plugins to access information in your HR system by configuring an API key, enabling you to access contextual information about the user without logging directly into the system.

With all the data your system ingests, how do you make sense of it all? The LogRhythm SIEM makes it easy. While other SIEM solutions require you to have extensive knowledge of the underlying data structure, LogRhythm’s patented Machine Data Intelligence (MDI) Fabric removes those constraints. The MDI framework provides data enrichment and normalization with unique, rich metadata and contextual information to explain relationships between users and hosts and how they are interacting.

MDI Fabric helps you access extracted metadata from the source data to understand the context and simplifies the search workflow. LogRhythm parses host information and maintains the context of the metadata, such as which host is the source and which is the destination. This helps you quickly tell difference and build analytics rules using that context . For example, you can understand the user context for a threat actor and target. With MDI Fabric, you can create a temporary account usage rule where if two usernames exist in a log, you can understand which is the threat actor and which was the actual created account.

Other benefits of MDI Fabric offering are its classification and common event taxonomy. All messages are assigned a simple text meaning, which enables you to search or build analytics rules using a common language. When combined with our curated security narrative, MDI Fabric gives you a complete picture of your data, allowing you to make better decisions, reduce organizational risk, and resolve security incidents faster.

To make informed decisions about your response, you need contextual data that provides background information and helps you determine if a true threat exists.

Being alerted to an alarm is the first step. You also need actionable information to triage and resolve the event. LogRhythm’s SmartResponse automation plugins support you through this process — from qualification, to triage, to remediation.

Our contextual SmartResponse plugins give you the details you need to qualify a threat and enable you to initiate remediation actions such as blocking, blacklisting, and isolating. For example, you might receive an alarm and are notified of impacted users’ email addresses, but you are missing the users’ full names, titles, and departments. You can configure LogRhythm SmartResponse to automatically query Active Directory or another IAM solution and include this information in your alarm details. This helps you easily identify users, contact the affected parties, and quarantine users to stop the threat from spreading.

With LogRhythm, you have contextual information to make the right decision to speed your mean time to detect and respond to threats.

Any time an alarm fires, time is of the essence for you to investigate and respond. Rather than waste precious time toggling between different screens in your dashboard, LogRhythm 7.7 helps you streamline security incident investigation and response by providing a single view to explore user and host data and sequence events. Our latest software release offers a visual experience that helps you tell a security story about users or hosts using all data in the LogRhythm NextGen SIEM Platform.

Create a Security Narrative with Detail Page

LogRhythm’s Detail Page creates a security narrative for user- and host-related events to make sense of your data. Detail Page populates basic contextual information with TrueIdentity™ and TrueHost. LogRhythm TrueIdentity associates multiple account identifiers and account types to a single identity construct. Meanwhile, TrueHost associates multiple host identifiers, such as IP address, hostname, and MAC address, to the same host to give you a more complete understanding of activities from that host.

Figure 1. LogRhythm’s Detail Page creates a security narrative that brings together log and activity data, contextual information, and unique insights into a single view

There are a number of ways to access Detail Page.  From the Web Console, you can select values in TopX widgets. The ‘View Details’ button will appear in the Inspector.

View security incident details in the LogRhythm Inspector

Figure 2. The “View Details” button appears in the Inspector via a widget search

Alternatively, you can access the Detail Page from the Mega Grid. By clicking on the user or host origin, you will see the IP address and the Detail Page button. When you click on the “View Details” button, you can perform a search on a user or host, and a task appears to give you access to the Detail Page.

Security Incident alarm details in LogRhythm Detail Page

Figure 3. Access the Detail Page from the Mega Grid

Finally, you can also use the Alarm card to access the Detail Page. By clicking on one of the alarms in the Inspector view, you will see event data in the Inspector and the host or user origin with the ‘View Detail’ button.

Security Incident alarm details from LogRhythm Alarm card

Figure 4. Access the Detail Page from an Alarm card

For a closer look at Detail Page in action, click here to see a demo video.

Timeline View

Within Detail Page, we’ve included a Timeline View widget which presents user or host activity in chronological order. The Timeline View includes the risk-based prioritization (RGP) score of the log, the classification, the time the log occurred and a contextual information about the log activity.  With filtering and drill-down capabilities, this feature gives you a complete view into user or host activity, with multiple ways to display the data and quickly make decisions.

Click here to see the Timeline View widget demo video.

LogRhythm Timeline View

Figure 5: Timeline View shows you a sequence of events to give you a complete picture of user and host activity

Node-Link Graph

Detail Page also includes the Node-Link Graph widget, which offers a visual representation that shows how hosts and users connect to each other within the data. With the Node-Link Graph widget, you can easily filter data and quickly identify activity and relationships of interest. Node-Link Graph is available on dashboards, search results pages, and on the Detail Page.

Click here to see the Node-Link Graph video demo.

To keep your organization safe, LogRhythm is constantly innovating. We’re always making enhancements to our user workflow to adapt to your changing needs and those of your security analysts. Following the release of LogRhythm 7.7, we’re more focused than ever on improving your security and the analyst workflow.

Download LogRhythm 7.7 from Community and stay tune for future updates about the LogRhythm NextGen SIEM Platform.

The post Every Security Incident has a Story appeared first on LogRhythm.

*** This is a Security Bloggers Network syndicated blog from LogRhythm authored by Angela Romero. Read the original post at: https://logrhythm.com/blog/every-security-incident-has-a-story/



Original Source link

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Leave a Reply

Your email address will not be published. Required fields are marked *

1 + = 4