A SANS Product Review
Written by Dave Shackleford
December 2015
Sponsored by LogRhythm
LogRhythm 7 Review: Reducing Detection and Response Times
©2015 SANS™ Institute
Introduction
Although we have made progress in the use of analytics and intelligence, the latest SANS Security Analytics survey shows 26 percent of respondents feel they still can’t understand and baseline normal behavior in their IT environments, with a majority citing a lack of people and dedicated resources as an impediment.1 Security teams also said they can’t find people with the right skill sets to manage SIEM and analytics tools, which are notoriously complex. In light of these findings, the SANS Analyst Program’s team recently reviewed LogRhythm 7, the company’s latest release, with an eye toward ease of use, rapid analysis and incident correlation, and strong case management tools that can help security operations teams operate more effectively.
LogRhythm’s new security intelligence platform sports a number of new and enhanced features, along with behind-the-scenes improvements designed to reduce the time it takes to detect and accurately respond to threats in the enterprise. Most important is the addition of Elasticsearch as LogRhythm’s data aggregation and query engine. The web-based query interface built on it is much more intuitive (the entire LogRhythm interface is now a web user interface [UI] in the browser) and includes native language search and contextual searching from almost anywhere in the interface, as well as numerous other UI improvements. We didn’t explicitly assess scalability and performance in this review, but we noted that the platform has expanded support for numerous types of system and network event and data collectors.
For this review, we explored in depth the features pertaining to active detection and response activities. We found the dashboards to be much more intuitive than in previous versions, with new scoring and prioritization of events and a new Threat Activity Map feature that shows the origin of events, allowing us to quickly drill down and see activity in real time. The new version also facilitates the process of creating incident cases, attaching evidence, and automating many actions across systems with the LogRhythm SmartResponse™ functionality.
1 2015 Analytics and Intelligence Survey, www.sans.org/reading-room/whitepapers/analyst/2015-analytics-intelligence-survey-36432
SANS ANALYST PROGRAMLogRhythm 7 Review: Reducing Detection and Response Times1
Exploring the LogRhythm User Interface
The first thing we assessed in our review was the LogRhythm interface. The new web
UI is streamlined, with easy-to-read dashboards and a simple configuration utility for
creating new dashboards and adding widgets that display data quickly. Figure 1 shows
one of the dashboards provided by LogRhythm for security analysts.
Figure 1. Security Analyst Dashboard
In this dashboard, we enabled widgets for top alarms in the past 30 days, top directions
of traffic and events, top applications seen, top impacted systems, top users, and top
countries of origin, among other categories. This interface can easily be modified with
new widgets by clicking the Add Widget button in the top menu of the UI. The Search
interface (in the upper right-hand section of the main UI for all dashboards) allows
analysts to quickly assess all LogRhythm data sources and aggregate data for patterns
and information pertaining to investigations. As a simple example, we searched for all
log activity within the past 24 hours where the events included the word failure. The
query is shown in Figure 2.
Figure 2. A Simple Query on the Word Failure
The results of our query came back quickly in a new window (see Figure 3) showing the
top events that match the query, as well as classifications, users and more.
Figure 3. Query Results for the Word Failure in Log Events
In drilling down into the types of events returned, you can see that the primary
categories are authentication events, general error messages and failures in accessing
objects. You can continue to drill down into these events to see the relation to users,
timestamps and origin of the events, as well as affected hosts and systems. This kind of
rapid assessment enables discovery of brute-force password-guessing attacks, illicit use
of credentials within the environment by insiders, or attackers on compromised systems.
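The "failure" search and drill-down described above, as an added example (not LogRhythm code or the review's own query): a small Python script that filters constructed syslog-style lines to the last 24 hours, buckets the failure events into the same three classes the results view showed, and flags the one-origin-many-accounts pattern behind brute-force password guessing. The log lines, host names and addresses are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample (not from the review): timestamp, host, user,
# message. frank's line is older than 24 hours and must drop out of the search.
SAMPLE_LOGS = """\
2015-12-01T09:00:05 dc01 user=alice msg=Authentication failure from 10.0.5.21
2015-12-01T09:00:07 dc01 user=bob msg=Authentication failure from 10.0.5.21
2015-12-01T09:00:09 dc01 user=carol msg=Authentication failure from 10.0.5.21
2015-12-01T09:00:11 dc01 user=dave msg=Authentication failure from 10.0.5.21
2015-12-01T09:01:00 fs02 user=erin msg=Object access failure on share finance
2015-12-01T09:02:30 app03 user=- msg=Service startup failure: database unreachable
2015-12-01T09:03:00 dc01 user=alice msg=Authentication success from 10.0.5.40
2015-11-28T08:00:00 dc01 user=frank msg=Authentication failure from 10.0.9.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) msg=(.*)$")
ORIGIN_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")

def classify(msg):
    """Bucket a failure message into the classes the review's drill-down showed."""
    m = msg.lower()
    if "authentication" in m:
        return "authentication"
    if "object access" in m:
        return "object access"
    return "general error"

def search_failures(raw, now, window=timedelta(hours=24)):
    """Emulate the query: events within `window` of `now` whose text contains 'failure'."""
    hits = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m or "failure" not in m.group(4).lower():
            continue
        ts = datetime.fromisoformat(m.group(1))
        if now - ts > window:
            continue
        src = ORIGIN_RE.search(m.group(4))
        hits.append({"time": ts, "host": m.group(2), "user": m.group(3),
                     "class": classify(m.group(4)),
                     "origin": src.group(1) if src else None})
    return hits

def drill_down(hits, min_accounts=3):
    """Aggregate like the results view: counts per class, plus any origin that
    failed against `min_accounts` or more distinct accounts (guessing/spraying)."""
    by_class = Counter(h["class"] for h in hits)
    users_by_origin = defaultdict(set)
    for h in hits:
        if h["class"] == "authentication" and h["origin"]:
            users_by_origin[h["origin"]].add(h["user"])
    spray = {o: sorted(u) for o, u in users_by_origin.items() if len(u) >= min_accounts}
    return by_class, spray
```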
We found the interface to be intuitive and simple to navigate, whether viewing
dashboards (where many security operations center analysts spend a good deal of time),
monitoring alarms (a dynamic dashboard of risk-rated events), creating and editing
incident cases, or querying for events and correlation relationships.
Case I: Data Exfiltrating to China
This review of LogRhythm 7 was primarily centered on use cases that emulate real-world scenarios. In the first case, we looked into a scenario where some unusual network traffic was seen communicating with China, a country we possibly do no business with at all. Unusual traffic and activity related to domains and countries that aren’t typical business or trade partners should be investigated as soon as possible, ideally to prevent actual data exfiltration from happening at all. Many data breaches start with compromised systems that “phone home” to attackers, making detection of such command-and-control traffic a priority.
Finding the Source
In the first simulated attack—again, involving data exfiltration to China—we started with a new LogRhythm dashboard widget called the Threat Activity Map, which shows some unusual events related to China, as seen in Figure 4.
Figure 4. Threat Activity Map with Unusual China Activity
One of LogRhythm’s greatest strengths has always been its flexible and “clickable”
interface, and the Threat Activity Map is no exception. Within seconds, we drilled down
into the unusual China-related events by double-clicking the small orange globe
representing affected systems in the region, bringing us to the detail screen shown in
Figure 5.
Figure 5. Details of Unusual Chinese Events
In looking at the events flagged in this example, one of them is a “protocol mismatch”
that appears to be IRC data being tunneled over DNS traffic on port 53. IRC is a common
channel used to export sensitive data, so we investigated further.
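The "protocol mismatch" finding above, as an added example that is not LogRhythm's detection logic: a Python heuristic that separates a structurally valid DNS message from IRC-style text carried on UDP port 53. The two payloads are constructed; in practice the check would run over the flows carved out of the PCAP.

```python
import struct

IRC_VERBS = {b"NICK", b"USER", b"JOIN", b"PRIVMSG", b"NOTICE", b"PING", b"PONG"}

def looks_like_dns(payload):
    """Structural check: 12-byte header, sane section counts and a well-formed
    first question name followed by QTYPE/QCLASS."""
    if len(payload) < 12:
        return False
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if qd == 0 or qd > 4 or an + ns + ar > 64:
        return False
    pos = 12
    while True:                          # walk the labels of the first QNAME
        if pos >= len(payload):
            return False
        ln = payload[pos]
        if ln == 0:                      # root label ends the name
            pos += 1
            break
        if ln & 0xC0 == 0xC0:            # compression pointer also ends it
            pos += 2
            break
        if ln > 63:                      # a label is at most 63 octets
            return False
        pos += 1 + ln
    return pos + 4 <= len(payload)       # QTYPE and QCLASS must follow

def looks_like_irc(payload):
    """Text heuristic: printable ASCII lines whose command token is an IRC verb
    (an optional ':prefix' may precede the verb, as in server messages)."""
    if not payload or any(b < 0x09 or b > 0x7E for b in payload):
        return False
    for line in payload.split(b"\r\n"):
        tokens = line.split()
        if tokens and tokens[0].startswith(b":"):
            tokens = tokens[1:]
        if tokens and tokens[0].upper() in IRC_VERBS:
            return True
    return False

def classify_port53(payload):
    """'dns' for a valid-looking message, 'protocol mismatch' for IRC text on
    the DNS port, 'unknown' otherwise."""
    if looks_like_dns(payload):
        return "dns"
    if looks_like_irc(payload):
        return "protocol mismatch"
    return "unknown"

# Constructed samples (not the review's PCAP): a query for example.com and an
# IRC registration exchange sent to port 53.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
IRC_ON_53 = b"NICK bot4711\r\nUSER bot4711 0 * :bot\r\n:irc.example PING :abc\r\n"
```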
Collecting Evidence
We used LogRhythm 7 to automatically capture the offending traffic and download a
packet capture (PCAP) file associated with the events, as seen in Figure 6.
Figure 6. Downloading Suspicious Traffic as a PCAP File
The ability to automatically trigger evidence collection like this is a major boon to
security analysts who need to investigate faster and in more depth. We opened the PCAP
with both Wireshark and tcpdump to review the traffic, something any security analyst
could easily do in a short period of time.
Managing Incidents
Among the great new features in LogRhythm 7 are the enhanced case management
tools. You can open a new case with any detected events or incidents, add status
information, rank by priority (1 is the highest), indicate whether you believe it’s an
incident or merely event data, and add a due date and description. See Figure 7.
Figure 7. New Incident Case for Chinese IRC Traffic
After opening a case, we could add evidence such as logs and files, as shown in Figure 8.
Figure 8. Adding the Detected IRC in DNS Events to the Case
The PCAP we downloaded could easily be added as a file to send over to network
forensics team members, and any of the noted events within the LogRhythm 7
dashboard could be added as logs to the case as well.
Tagging and Categorizing
After defining a case with PCAP evidence and log events from the LogRhythm 7
dashboard, you can add tags to help identify and categorize the case more accurately.
Tagging cases with specific strings can help you not only report on them later, but also
share them with other analysts and relate cases to others if needed or desired. See
Figure 9.
Figure 9. Adding Tags to the Case
We added the tags “china,” “data exfiltration,” and “suspicious traffic” to the newly created
case. The process of opening the ticket and populating it took only a few minutes,
thereby meeting the need for rapid and efficient monitoring, detection, and response
activities as identified in the SANS Analytics and Intelligence Survey.
To wrap up this case, there are a number of actions we could take. We could block all
traffic to China, or create new alerts for any traffic seen to and from China that get
priority from the incident response team. We could also automate some of this activity
or choose to have any alerts related to China automatically added to this case or others.
Case II: Insider Threat
The second incident monitoring and response use case we pursued was focused on insider threat. The insider in this case tried to use false accounts and stealth to gain illicit access to sensitive documents and then attempted to exfiltrate the documents to a cloud-based storage environment.
We investigated by following suspicious account activity, including the creation or use of a temporary account, privilege escalation, and an abnormal pattern of file access with an abnormal origin of the access.
Automated Alarms
The anomalous account behavior was revealed in the Alarms dashboard, where we could sort through many event types quickly. We saw the event and risk priorities rapidly changing and sorting themselves based on the parameters we provided. We sorted by Entity types in the LogRhythm testbed (LogWorld HQ) and listed all alarms in descending order of risk, as seen in Figure 10.
Figure 10. Sorting Alarms by Risk
In LogRhythm 7, the risk-based prioritization of events has been optimized, allowing for dynamic monitoring of the most critical risks, or really any types of events and risks noted in the environment.
Smart Response
Some alarms can also have multiple types of SmartResponse™ plugins activated. SmartResponse™ plugins allow security teams to create triggered actions that can occur automatically, after a specified time period or when other related events are noted, or after a review and approval process.
While reviewing our alarms, we came across one that seemed to indicate unusual account behavior and files being accessed based on pre-populated SmartResponse™ policies. An automatic SmartResponse™ rule triggered immediately when the event occurred, adding the alarm to a predefined list. These SmartResponse™ activities are shown in the alarm detail pane in Figure 11.
Figure 11. Alarm SmartResponse™ Actions
The pane also listed two additional actions that were pending or required approval: disabling the local Windows account in use, and locking down and quarantining the offending host.
Ranking Risk
We then investigated some of the “high risk” alarms we had sorted on earlier. We kicked
off this process by selecting the high-risk alarm titled “Corroborated Account Anomalies”
(the highest, in fact, with a score of 100) and clicking the drill-down icon. This action
showed us the “common events” we could use to identify the behavioral triggers that
created the alarm, as seen in Figure 12.
Figure 12. Alarm Drill-down for Common Events
These events are correlated with LogRhythm to provide an aggregate risk score, and we
reviewed the individual logs that are combined to create the alarm.
Removing the Threat Actor
As this alarm was related to account activity, we noted that there were specific events
for creation or use of a temporary account and privilege escalation, and an abnormal
pattern of file access and origin of the access. All of these events were related to a single
user account (steven.jacobs). We highlighted the temporary user event and then added
the user account to a “Suspicious Users” list that can be monitored, as shown in Figure 13.
Figure 13. Adding a User to a Monitoring List
As a final step, we used the innovative Pivot capability to create an immediate
contextualized search within the investigation from the existing alarm(s) we were
investigating. This feature, shown in Figure 14, helped us quickly locate additional
related data based on one or more fields (hosts, users, etc.).
Figure 14. Pivoting to Correlate More Event Data for Unified Search
This step allowed us to create a much more unified search that included the original file
access and monitoring events, the user ID noted in the events, and information about
the origin or affected hosts involved in the event—all at the same time. See Figure 15.
Figure 15. File Access Logs
The resulting view, shown in Figure 16, gives a much more complete picture of the entire case: more than 30 unique log events showing that a user (carl.wilson) created a new account (steven.jacobs), added the new account to a Finance group, used it to access financial files, connected to Dropbox, and finally deleted the account.
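The corroborated account alarm from the Ranking Risk step (Figure 12) and the creator-to-account sequence of Figure 16, as one added example that is not LogRhythm's scoring engine: a Python correlation over a constructed event stream that fires the four rule types named in this case for a single account, aggregates them into a 0-100 score (the review's alarm scored 100), and pivots from the account back to every actor that touched it. The rule weights, the privileged group set and the per-user origin baseline are assumptions.

```python
from collections import defaultdict

# Constructed event stream (not the review's data) mirroring Figure 16:
# carl.wilson creates steven.jacobs, adds it to Finance, uses it to read
# finance files and reach Dropbox, then deletes it. t is seconds.
EVENTS = [
    {"t": 100, "actor": "carl.wilson", "account": "steven.jacobs", "type": "account_created"},
    {"t": 160, "actor": "carl.wilson", "account": "steven.jacobs", "type": "group_added", "group": "Finance"},
    {"t": 300, "actor": "steven.jacobs", "account": "steven.jacobs", "type": "file_access", "path": "/finance/q3.xlsx", "origin": "10.0.7.77"},
    {"t": 320, "actor": "steven.jacobs", "account": "steven.jacobs", "type": "file_access", "path": "/finance/payroll.xlsx", "origin": "10.0.7.77"},
    {"t": 340, "actor": "steven.jacobs", "account": "steven.jacobs", "type": "file_access", "path": "/finance/budget.xlsx", "origin": "10.0.7.77"},
    {"t": 400, "actor": "steven.jacobs", "account": "steven.jacobs", "type": "cloud_upload", "dest": "dropbox.com", "origin": "10.0.7.77"},
    {"t": 900, "actor": "carl.wilson", "account": "steven.jacobs", "type": "account_deleted"},
]
PRIVILEGED_GROUPS = {"Finance"}                  # assumed
KNOWN_ORIGINS = {"carl.wilson": {"10.0.5.40"}}   # assumed per-user baseline
RULE_WEIGHTS = {"temporary_account": 30, "privilege_escalation": 25,
                "abnormal_file_access": 25, "abnormal_origin": 20}  # assumed

def account_rules(events, account, temp_window=3600, access_threshold=3):
    """Return the names of the rules that fire for one account."""
    by_type = defaultdict(list)
    for e in events:
        if e["account"] == account:
            by_type[e["type"]].append(e)
    fired = set()
    created, deleted = by_type["account_created"], by_type["account_deleted"]
    if created and deleted and deleted[0]["t"] - created[0]["t"] <= temp_window:
        fired.add("temporary_account")          # short-lived account
    if any(e.get("group") in PRIVILEGED_GROUPS for e in by_type["group_added"]):
        fired.add("privilege_escalation")
    paths = {e["path"] for e in by_type["file_access"]}
    if created and len(paths) >= access_threshold:
        fired.add("abnormal_file_access")       # brand-new account, many files
    seen = {e["origin"] for t in by_type.values() for e in t if "origin" in e}
    if seen - KNOWN_ORIGINS.get(account, set()):
        fired.add("abnormal_origin")            # host not in the baseline
    return fired

def risk_score(fired):
    """0-100 aggregate; a single rule alone is not corroborated and scores 0."""
    if len(fired) < 2:
        return 0
    return min(100, sum(RULE_WEIGHTS[r] for r in fired))

def pivot_chain(events, account):
    """Pivot from the account to every (time, actor, type) that touched it."""
    return [(e["t"], e["actor"], e["type"])
            for e in sorted(events, key=lambda e: e["t"]) if e["account"] == account]
```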
Figure 16. Complete Event Sequence
Associating the Two Cases
All of these logs can be added to a case with tags added, and then the case can be reviewed against other tagged cases to find similarities.
For example, with the “data exfiltration” tag assigned, we could also see the IRC traffic from the China-related case that we tagged similarly, indicating it could be connected to our insider abuse case. We chose to associate it by clicking “Select a Case” in the lower right of the case pane and choosing those with similar tags, as shown in Figure 17.
Figure 17. Associating a Related Case
After the cases have been associated with one another, a team of security analysts may be able to collaborate more effectively and detect a larger campaign or other attack activity in the environment.
Combined and tied to all its elements, this use case illustrates a number of capabilities in the new version of LogRhythm:
• Sifts through alarms that are prioritized based on risk.
• Quickly assigns or modifies SmartResponse™ actions associated with particular alarms or alerts.
• Performs rapid deep dives into details associated with specific events and alarms, particularly groups of related events that lead to a higher risk score.
• Pivots from a set of events to associate other relationships (users, systems, etc.) in different events, thus rapidly correlating more data for review and investigation.
• Adds all data, events and evidence to tagged cases, which can then be associated with related cases, if they exist.
Conclusion
The new LogRhythm platform was a pleasure to use and offers some significant
benefits to security operations teams and analysts who need a unified platform for
event aggregation, monitoring, threat detection, risk analysis and incident response
management. The workflow assistance, including the system’s ability to reuse previously discovered types of incidents during searches, was extremely helpful both from a time-reduction standpoint and for improving visibility across events that are related but may not appear to be.
The capability to drill down into detailed data sets quickly, add evidence to cases and
assign them, and quickly correlate disparate event data into one unified investigation
may help solve some of the major issues noted by security teams in the SANS 2015
Security Analytics and Intelligence Survey.
Security professionals need an integrated set of tools that are easier to use, provide
greater visibility across the ever-expanding attack surface, and apply big data analytics
to detect patterns of concerning behavior faster. Such capabilities will help prevent
attacks from taking hold, reduce time of exposure and minimize risk. LogRhythm 7 lives
up to that promise, enabling security operations teams to hit the ground running.
About the Author
Dave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.
Sponsor
SANS would like to thank this paper’s sponsor: