SANS Reviews LogRhythm CloudAI for UEBA

scanning activity and other unusual behaviors that immediately deviate from the user’s “normal” day-to-day behaviors.

• Admin abuse and misuse. Privileged user activity should be monitored closely in all cases, but when an admin account is compromised or involved in malicious activity, defenders need to know as soon as possible to prevent significant damage. Again, knowing common admin behaviors is critical to identifying unusual patterns or activities that could indicate a compromise has occurred.

• Insider threat. In cases where a trusted employee performs malicious activities within the organization, security teams may find it difficult to identify questionable actions when users are able to access resources, successfully authenticate, etc. Detecting these types of scenarios relies heavily on advanced user behavior analytics to identify unusual patterns of activity over longer periods of time.

Review Environment

We explored a demo environment set up by the LogRhythm team that included a wide variety of users and data from a mock organization we named Mobius Enterprises. Along with the risk scoring and alerting that LogRhythm natively offers, several new monitoring capabilities are now available, including user distribution (general user information) and top anomalous users (those exhibiting unusual activity), as shown in Figure 1.

Figure 1. LogRhythm CloudAI User Monitoring Dashboard

User activity is now being incorporated into event analysis and alerting, with risky behavior being scored and reported appropriately in the dashboard.

What’s in an Identity?

Before drilling into the demo environment, we wanted to understand what information LogRhythm collects to create the concept of an identity. LogRhythm processes user information by taking in extensive information about a user’s behavior over time—not just individual events, but everything about the user’s identity (attributes, events, behaviors on the network, etc.)—and then analyzing it with machine learning.
Analyzed data includes logon/logoff times, locations, systems in use, applications used and accessed during a normal work day, times of day that are common for the user to perform work-related activities and much more. LogRhythm’s Machine Data Intelligence Fabric (MDIF) uses advanced machine learning to sort and categorize relevant threat data, making user behavior analytics much more efficient. CloudAI has a highly sophisticated behavior analysis engine that looks at things such as the system of origin, destination host, geolocation, time of day, specific activity and more. LogRhythm’s threat modeling also continually “learns” and improves the data analysis, improving accuracy over time. An example of some of these key indicators is shown in Figure 2.

An identity is made up of all the behaviors associated with an individual person accessing network resources.

Figure 2. View of Anomalous User Activity and Scores

By integrating into user directory services such as Active Directory and providing a user-based view into environmental activity, CloudAI deepens LogRhythm’s UEBA approach and incorporates machine learning concepts to extend LogRhythm’s analytics. Further, it makes case management and other activities easier by bringing all these tools into the same interface. CloudAI also generates threat scores based on user activity, which helps reduce false positives through better filtering of user activities against log data and intelligence.

Risky Behaviors, Not Just Events

The LogRhythm CloudAI tool set integrated seamlessly into LogRhythm’s dashboard. As with dashboards we experienced during previous reviews of LogRhythm products,¹ this dashboard is simple to navigate and incorporates a number of easy-to-use scoring and reporting tools that can be used to alert security operations center (SOC) staff to unusual activity in the environment.

SANS Analyst Program | Managing User Risk: A Review of LogRhythm CloudAI for User and Entity Behavior Analytics
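To make the baselining described above concrete (system of origin, destination host, geolocation, time of day), here is a minimal per-identity anomaly scorer in Python. It is example code added for this review, not LogRhythm’s algorithm or any CloudAI interface; the sample events, the feature weights and the one-hour tolerance are all constructed assumptions.

```python
from collections import defaultdict

# Constructed baseline events for a mock environment (not data from the review).
# Layout: (user, source host, destination host, geolocation, hour of day),
# mirroring the indicators the review lists for CloudAI's behavior analysis.
BASELINE_EVENTS = [
    ("alice", "wks-101", "fileserver01", "US-CO", 9),
    ("alice", "wks-101", "fileserver01", "US-CO", 10),
    ("alice", "wks-101", "mail01", "US-CO", 14),
    ("alice", "wks-101", "fileserver01", "US-CO", 17),
    ("bob", "wks-202", "db01", "US-CO", 8),
    ("bob", "wks-202", "db01", "US-CO", 18),
]
FEATURES = ("src_host", "dst_host", "geo", "hour")
# Illustrative weights (assumed): a never-seen geolocation counts for more than an off-hour logon.
WEIGHTS = {"src_host": 2, "dst_host": 2, "geo": 4, "hour": 1, "unknown_user": 5}

def build_profiles(events):
    """Learn what 'normal' looks like per identity: the set of values seen per feature."""
    profiles = defaultdict(lambda: {f: set() for f in FEATURES})
    for user, *values in events:
        for feature, value in zip(FEATURES, values):
            profiles[user][feature].add(value)
    return dict(profiles)

def score_event(profiles, event):
    """Return (risk score, deviating features) for one event against the user's baseline."""
    user, *values = event
    if user not in profiles:
        return WEIGHTS["unknown_user"], ["unknown_user"]
    baseline = profiles[user]
    deviations = []
    for feature, value in zip(FEATURES, values):
        if feature == "hour":
            # tolerate +-1 hour around any hour seen in the baseline window (assumed)
            seen = any(abs(value - h) <= 1 for h in baseline["hour"])
        else:
            seen = value in baseline[feature]
        if not seen:
            deviations.append(feature)
    return sum(WEIGHTS[d] for d in deviations), deviations

def rank_users(profiles, events):
    """Aggregate scores per user so the most anomalous identities surface first."""
    totals = defaultdict(int)
    for event in events:
        totals[event[0]] += score_event(profiles, event)[0]
    return sorted(totals.items(), key=lambda kv: -kv[1])
```

A real UEBA engine would learn from weeks of data and weight features statistically; this block only shows why a single deviating attribute (an unfamiliar geolocation) can outrank several routine events.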
Integrated Workflow

CloudAI natively aligns with case management and investigation tools. In other words, the same alerting and event dashboards can be used to create cases, add evidence and assign tasks to analysts. The CloudAI dashboard itself, while very similar in look and feel to other LogRhythm dashboards, also includes specific information about users, as well as “watch lists” for specific types of users in the environment, threat events related to those users and overall risk scores pertaining to user activity (see Figure 3).

Figure 3. A Customizable CloudAI Dashboard

¹ “Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform,” April 2017, www.sans.org/reading-room/whitepapers/analyst/speed-scalability-matter-review-logrhythm-7-siem-analytics-platform-37727