SANS LogRhythm Review - Speed and Scalability Matter

SANS Analyst Program
Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform

Review Environment

LogRhythm’s latest Threat Lifecycle Management Platform includes many new and enhanced features and behind-the-scenes improvements, primarily focused on reducing detection and response time for security operations and investigations. LogRhythm’s data aggregation and query engine now uses Elasticsearch, which is a highly scalable indexing and querying layer. Native language search and contextual searching are available from most locations in the interface as well. We focused on scalability and performance in this review, as well as host-based policies and configuration capabilities that are new in the platform.

In this review, SANS focused specifically on:

• Ease of use
• Scalability and performance across large, distributed data sets
• Host-based policies and configuration capabilities
• Rapid searching, analysis and incident correlation
• Case management tools that can help security operations teams operate more effectively

Components

The following components were included in the LogRhythm deployment (numbers in parentheses indicate the quantity configured within the review environment):

• Platform Manager (1)—Centrally manages alarms, notifications, and case and security incident management. Enables real-time dashboards, SmartResponse actions and reporting.
• Data Collector—Provides local and remote agentless collection of machine data.
• System Monitor Agent—Monitors endpoints for file integrity, user activity, network communications, and applications and processes. Our testbed used the agents for Linux systems; AIX, HP-UX, Solaris and Windows are also supported.
• Network Monitor—Performs deep packet inspection of network traffic for application identification, extraction of searchable metadata, full packet capture and deep packet analytics.
• Data Processor (5 sets of 4)—Processes data from Data Collectors, System Monitors and Network Monitors. Extracts and enriches metadata, enabling machine- and search-based analytics. Data Processors scale vertically and horizontally.[4]
• AI Engine (5)—Performs real-time, stream-based analysis of contextualized machine and forensic data, and generates risk-prioritized alarms using a broad set of algorithmic techniques. AI Engine nodes scale vertically and horizontally with a unique scaling model to preserve centralized analysis.
• Data Indexer (5 sets of 10)—Uses an Elasticsearch back end to store copies of both original unstructured machine data and contextualized, structured metadata to enable search-based analytics. Data Indexers support clustering for greater scalability, performance and availability.[5]

The environment was configured with the following parameters and capacity considerations:

• 300,000 MPS (messages per second) aggregate collection load (25.8 billion messages per day)
• 130,000 unique log sources
• 100 percent of data processed within the distributed architecture
• 100 percent of data analyzed in real time by the analytics layer, with no data queued
• 100 percent of data rapidly searchable
• 100 percent of data available, persistent and archived

These were the objectives and environment for our review. However, substantially higher scalability is available with further hardware investment. A diagram of the environment is shown in Figure 1.

[Figure 1. LogRhythm Test Environment Architecture]

[4] LogRhythm introduced an updated data processor in the Fall of 2017, DP 7470. While SANS has not tested this, LogRhythm reports that this new processor reduces the data processor components by 25% to five sets of three components.
[5] LogRhythm introduced an updated data indexer in the Fall of 2017, DX7500. While SANS has not reviewed the updated data indexer, LogRhythm reports that this new configuration reduces the data indexer components by 50% to five sets of five.