LogRhythm 7 Review: Reducing Detection and Response Times

A SANS Product Review

Written by Dave Shackleford

December 2015

Sponsored by LogRhythm

©2015 SANS™ Institute

Introduction

Although we have made progress in the use of analytics and intelligence, the latest SANS Security Analytics survey shows 26 percent of respondents feel they still can’t understand and baseline normal behavior in their IT environments, with a majority citing a lack of people and dedicated resources as an impediment.[1] Security teams also said they can’t find people with the right skill sets to manage SIEM and analytics tools, which are notoriously complex. In light of these findings, the SANS Analyst Program’s team recently reviewed LogRhythm 7, the company’s latest release, with an eye toward ease of use, rapid analysis and incident correlation, as well as strong case management tools that can help security operations teams operate more effectively.

LogRhythm’s new security intelligence platform sports a number of new and enhanced features, and behind-the-scenes improvements designed to reduce the time it takes to detect and accurately respond to threats in the enterprise. Most important is the addition of Elasticsearch as LogRhythm’s data aggregation and query engine. This web-based query interface is much more intuitive (the entire LogRhythm interface is now a web user interface [UI] in the browser) and includes native language search and contextual searching from most anywhere in the interface, as well as numerous UI improvements in the interface itself. We didn’t explicitly assess scalability and performance in this review, but we noted that the platform has expanded support for numerous types of system and network event and data collectors.

For this review, we explored in depth the features pertaining to active detection and response activities. We found the dashboards to be much more intuitive than previous versions, with new scoring and prioritization of events and a new Threat Activity Map feature that shows the origin of events, allowing us to quickly drill down and see activity in real time. The new version also facilitates the process of creating incident cases, attaching evidence, and automating many actions across systems with the LogRhythm SmartResponse™ functionality.

[1] 2015 Analytics and Intelligence Survey, www.sans.org/reading-room/whitepapers/analyst/2015-analytics-intelligence-survey-36432

Exploring the LogRhythm User Interface

The first thing we assessed in our review was the LogRhythm interface. The new web UI is streamlined, with easy-to-read dashboards and a simple configuration utility for creating new dashboards and adding widgets that display data quickly. Figure 1 shows one of the dashboards provided by LogRhythm for security analysts.

Figure 1. Security Analyst Dashboard

In this dashboard, we enabled widgets for top alarms in the past 30 days, top directions of traffic and events, top applications seen, top impacted systems, top users, and top countries of origin, among other categories. This interface can easily be modified with new widgets by clicking the Add Widget button in the top menu of the UI. The Search interface (in the upper right-hand section of the main UI for all dashboards) allows analysts to quickly assess all LogRhythm data sources and aggregate data for patterns and information pertaining to investigations. As a simple example, we searched for all log activity within the past 24 hours where the events included the word failure. The query is shown in Figure 2.

Figure 2. A Simple Query on the Word Failure

The results of our query came back quickly in a new window (see Figure 3) showing the top events that match the query, as well as classifications, users and more.

Figure 3. Query Results for the Word Failure in Log Events

In drilling down into the types of events returned, you can see that the primary categories are authentication events, general error messages and failures in accessing objects. You can continue to drill down into these events to see the relation to users, timestamps and origin of the events, as well as affected hosts and systems. This kind of rapid assessment enables discovery of brute-force password-guessing attacks, illicit use of credentials within the environment by insiders, or attackers on compromised systems.

We found the interface to be intuitive and simple to navigate, whether viewing dashboards (where many security operations center analysts spend a good deal of time), monitoring alarms (a dynamic dashboard of risk-rated events), creating and editing incident cases, or querying for events and correlation relationships.

Case I: Data Exfiltrating to China

This review of LogRhythm 7 was primarily centered on use cases that emulate real-world scenarios. In the first case, we looked into a scenario where some unusual network traffic was seen communicating with China, a country we may not do any business with. Unusual traffic and activity related to domains and countries that aren’t typical business or trade partners should be investigated as soon as possible, ideally to prevent actual data exfiltration from happening at all. Many data breaches start with compromised systems that “phone home” to attackers, making detection of such command-and-control traffic a priority.

Finding the Source

In the first simulated attack—again, involving data exfiltration to China—we started with a new LogRhythm dashboard widget called the Threat Activity Map, which shows some unusual events related to China, as seen in Figure 4.

Figure 4. Threat Activity Map with Unusual China Activity

One of LogRhythm’s greatest strengths has always been its flexible and “clickable” interface, and the Threat Activity Map is no exception. Within seconds, we drilled down into the unusual China-related events by double-clicking the small orange globe representing affected systems in the region, bringing us to the detail screen shown in Figure 5.

Figure 5. Details of Unusual Chinese Events

In looking at the events flagged in this example, one of them is a “protocol mismatch” that appears to be IRC data being tunneled over DNS traffic on port 53. IRC is a common channel used to export sensitive data, so we investigated further.
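The “protocol mismatch” event above comes from LogRhythm inspecting what is actually carried on port 53 rather than trusting the port number. The following is an added example, not LogRhythm’s code, of the shape such a check takes: try to parse the payload as a DNS message (header plus question section), and if that fails, test for IRC’s line-oriented command syntax. The payload samples, function names and the verdict strings are all constructed for this illustration.

```python
import struct

# Commands that open or carry a typical IRC session; a ":prefix" may precede them.
IRC_COMMANDS = {b"NICK", b"USER", b"PASS", b"JOIN", b"PRIVMSG", b"NOTICE", b"PING", b"PONG"}


def parse_qname(payload, offset):
    """Walk a DNS label sequence; return (name, offset_after) or None if malformed."""
    labels = []
    while True:
        if offset >= len(payload):
            return None
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        # Compression pointers do not occur in a question name; labels are at most 63 bytes.
        if length & 0xC0 or length > 63 or offset + length > len(payload):
            return None
        label = payload[offset:offset + length]
        if any(c < 0x21 or c > 0x7E for c in label):  # expect printable ASCII hostname labels
            return None
        labels.append(label.decode("ascii"))
        offset += length
    return ".".join(labels), offset


def looks_like_dns(payload):
    """True if the payload has a structurally valid DNS header and question section."""
    if len(payload) < 12:
        return False
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount == 0 or qdcount > 4:  # resolvers send one question; the cap rejects text bytes
        return False
    offset = 12
    for _ in range(qdcount):
        parsed = parse_qname(payload, offset)
        if parsed is None:
            return False
        offset = parsed[1] + 4  # skip QTYPE and QCLASS
        if offset > len(payload):
            return False
    return True


def looks_like_irc(payload):
    """True if every non-empty CRLF line starts with a known IRC command (after any ':prefix')."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False
    lines = [line for line in text.split("\r\n") if line]
    if not lines:
        return False
    for line in lines:
        parts = line.split(" ")
        if parts[0].startswith(":") and len(parts) > 1:
            parts = parts[1:]
        if parts[0].upper().encode("ascii") not in IRC_COMMANDS:
            return False
    return True


def classify_port53(payload):
    """Label a port-53 payload: 'dns', or a protocol-mismatch verdict for an analyst to triage."""
    if looks_like_dns(payload):
        return "dns"
    if looks_like_irc(payload):
        return "protocol-mismatch:irc"
    return "protocol-mismatch:unknown"


# Constructed samples (not captures from the review).
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header: 1 question, RD set
             b"\x07example\x03com\x00"                             # QNAME example.com
             b"\x00\x01\x00\x01")                                   # QTYPE A, QCLASS IN
IRC_STREAM = (b"NICK agent7\r\nUSER agent7 0 * :agent7\r\n"
              b"JOIN #ops\r\nPRIVMSG #ops :ready\r\n")

if __name__ == "__main__":
    for name, sample in (("dns", DNS_QUERY), ("irc", IRC_STREAM), ("junk", b"\x00" * 20)):
        print(name, "->", classify_port53(sample))
```

The DNS parse is deliberately strict (no compression pointers in the question, printable labels, a small question count) so that free text on port 53 fails it quickly; the IRC test is a heuristic and will miss numeric server replies, which is acceptable for a triage signal that an analyst then confirms from the PCAP, as the review does in the next section.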

Collecting Evidence

We used LogRhythm 7 to automatically capture the offending traffic and download a packet capture (PCAP) file associated with the events, as seen in Figure 6.

Figure 6. Downloading Suspicious Traffic as a PCAP File

The ability to automatically trigger evidence collection like this is a major boon to security analysts who need to investigate faster and in more depth. We opened the PCAP with both Wireshark and tcpdump to review the traffic, something any security analyst could easily do in a short period of time.

Managing Incidents

Among the great new features in LogRhythm 7 are the enhanced case management tools. You can open a new case with any detected events or incidents, add status information, rank by priority (1 is the highest), indicate whether you believe it’s an incident or merely event data, and add a due date and description. See Figure 7.

Figure 7. New Incident Case for Chinese IRC Traffic

After opening a case, we could add evidence such as logs and files, as shown in Figure 8.

Figure 8. Adding the Detected IRC in DNS Events to the Case

The PCAP we downloaded could easily be added as a file to send over to network forensics team members, and any of the noted events within the LogRhythm 7 dashboard could be added as logs to the case as well.

Tagging and Categorizing

After defining a case with PCAP evidence and log events from the LogRhythm 7 dashboard, you can add tags to help identify and categorize the case more accurately. Tagging cases with specific strings can help you not only report on them later, but also share them with other analysts and relate cases to others if needed or desired. See Figure 9.

Figure 9. Adding Tags to the Case

We added the tags “china,” “data exfiltration,” and “suspicious traffic” to the newly created case. The process of opening the ticket and populating it took only a few minutes, thereby meeting the need for rapid and efficient monitoring, detection, and response activities as identified in the SANS Analytics and Intelligence Survey.

To wrap up this case, there are a number of actions we could take. We could block all traffic to China, or create new alerts for any traffic seen to and from China that get priority from the incident response team. We could also automate some of this activity or choose to have any alerts related to China automatically added to this case or others.

Case II: Insider Threat

The second incident monitoring and response use case we pursued was focused on insider threat. The insider in this case tried to use false accounts and stealth to gain illicit access to sensitive documents and then attempted to exfiltrate the documents to a cloud-based storage environment.

We investigated by following suspicious account activity, including the creation or use of a temporary account, privilege escalation, and an abnormal pattern of file access with abnormal origin of the access.

Automated Alarms

The anomalous account behavior was revealed in the Alarms dashboard, where we could sort through many event types quickly. We saw the event and risk priorities rapidly changing and sorting themselves based on the parameters we provided. We sorted by Entity types in the LogRhythm testbed (LogWorld HQ) and listed all alarms in descending order of risk, as seen in Figure 10.

Figure 10. Sorting Alarms by Risk

In LogRhythm 7, the risk-based prioritization of events has been optimized, allowing for dynamic monitoring of the most critical risks, or really any types of events and risks noted in the environment.

Smart Response

Some alarms can also have multiple types of SmartResponse™ plugins activated. SmartResponse™ plugins allow security teams to create triggered actions that can occur automatically, after a specified time period or when other related events are noted, or after a review and approval process.

While reviewing our alarms, we came across one that seemed to indicate unusual account behavior and files being accessed based on pre-populated SmartResponse™ policies. An automatic SmartResponse™ rule triggered immediately when the event occurred, adding the alarm to a predefined list. These SmartResponse™ activities are shown in the alarm detail pane in Figure 11.

Figure 11. Alarm SmartResponse™ Actions

The pane also noted two additional actions that were pending or required approval: disabling the local Windows account in use, and locking down and quarantining the offending host.

Ranking Risk

We then investigated some of the “high risk” alarms we had sorted on earlier. We kicked off this process by selecting the high-risk alarm titled “Corroborated Account Anomalies” (the highest, in fact, with a score of 100) and clicking the drill-down icon. This action showed us the “common events” we could use to identify the behavioral triggers that created the alarm, as seen in Figure 12.

Figure 12. Alarm Drill-down for Common Events

These events are correlated by LogRhythm to produce an aggregate risk score, and we reviewed the individual logs that are combined to create the alarm.

Removing the Threat Actor

As this alarm was related to account activity, we noted that there were specific events for creation or use of a temporary account and privilege escalation, and an abnormal pattern of file access and origin of the access. All of these events were related to a single user account (steven.jacobs). We highlighted the temporary user event and then added the user account to a “Suspicious Users” list that can be monitored, as shown in Figure 13.

Figure 13. Adding a User to a Monitoring List

[Figure 13 shows the “Add 1 Value to Lists” dialog with Value: steven.jacobs, Field: User [Origin], and the “Suspicious Users” list selected.]

As a final step, we used the innovative Pivot capability to create an immediate contextualized search within the investigation from the existing alarm(s) we were investigating. This feature, shown in Figure 14, helped us quickly locate additional related data based on one or more fields (hosts, users, etc.).

Figure 14. Pivoting to Correlate More Event Data for Unified Search

This step allowed us to create a much more unified search that included the original file access and monitoring events, the user ID noted in the events, and information about the origin or affected hosts involved in the event—all at the same time. See Figure 15.

Figure 15. File Access Logs

Figure 15 gives a much more complete picture of the entire case, with more than 30 unique log events showing a user (carl.wilson) created a new account (steven.jacobs), added the new account to a Finance group, used the account to access financial files, connected to Dropbox, and finally deleted the account. See Figure 16.

Figure 16. Complete Event Sequence

Associating the Two Cases

All of these logs can be added to a case with tags added, and then the case can be reviewed against other tagged cases to find similarities.

For example, with the “data exfiltration” tag assigned, we could also see the IRC traffic from the China-related case that we tagged similarly, indicating it could be connected to our insider abuse case. We chose to associate it by clicking “Select a Case” in the lower right of the case pane and choosing those with similar tags, as shown in Figure 17.

Figure 17. Associating a Related Case

After the cases have been associated with one another, a team of security analysts may be able to collaborate more effectively and detect a larger campaign or other attack activity in the environment.

Combined and tied to all its elements, this use case illustrates a number of capabilities in the new version of LogRhythm:

• Sifts through alarms that are prioritized based on risk.

• Quickly assigns or modifies SmartResponse™ actions associated with particular alarms or alerts.

• Performs rapid deep dives into details associated with specific events and alarms, particularly groups of related events that lead to a higher risk score.

• Pivots from a set of events to associate other relationships (users, systems, etc.) in different events, thus rapidly correlating more data for review and investigation.

• Adds all data, events and evidence to tagged cases, which can then be associated with related cases, if they exist.

Conclusion

The new LogRhythm platform was a pleasure to use and offers some significant benefits to security operations teams and analysts who need a unified platform for event aggregation, monitoring, threat detection, risk analysis and incident response management. The workflow assistance, including the system’s ability to reuse previously discovered types of incidents during searches, was extremely helpful from a time-reduction standpoint as well as for improving visibility across related events that may not seem related.

The capability to drill down into detailed data sets quickly, add evidence to cases and assign them, and quickly correlate disparate event data into one unified investigation may help solve some of the major issues noted by security teams in the SANS 2015 Security Analytics and Intelligence Survey.

Security professionals need an integrated set of tools that are easier to use, provide greater visibility across the ever-expanding attack surface, and apply big data analytics to detect patterns of concerning behavior faster. Such capabilities will help prevent attacks from taking hold, reduce time of exposure and minimize risk. LogRhythm 7 lives up to that promise, enabling security operations teams to hit the ground running.

About the Author

Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.

Sponsor

SANS would like to thank this paper’s sponsor: