LogRhythm – Log & Event Management, File Integrity Monitoring, Endpoint Monitoring & Control in one integrated solution

Posted on 06-Feb-2018



1. Introduction

Every organization is unique, but with millions of logs to capture, analyze and store daily, all companies face similar challenges in using log data efficiently to solve complex business problems.

Recent regulations governing specific industries and publicly traded companies have instituted standards for securing networks, systems and data. Most organizations today face regulatory requirements around secure log data collection, retention, review and reporting for both audit and security purposes. Whatever the driver (PCI DSS, Sarbanes-Oxley, HIPAA, FISMA, NERC or GLBA), organizations in a wide array of industries face a huge challenge meeting these requirements easily, efficiently and affordably. A common thread throughout all of these regulations is a requirement to periodically review log data in order to detect intrusion, misuse and fraud. Most also require intrusion detection systems, incident response procedures and periodic reporting. Meeting these requirements can be time intensive and costly.

Typically, organizations acquire and manage separate products for log management, event management, file integrity monitoring and endpoint monitoring & control.

With logs accounting for up to 25% of an enterprise's total data, organizations are under the gun to effectively manage and review the millions of logs generated on their networks every day.

LogRhythm's turnkey solutions provide companies of all sizes easier and more affordable ways to automate log management for compliance. LogRhythm offers organizations the convenience and value of best-in-class log & event management, near real-time File Integrity Monitoring and Endpoint Monitoring & Control in one solution.

By deploying LogRhythm, companies can immediately address and automate specific log data review, storage and retention requirements. LogRhythm's Security Event Management capabilities provide a single centralized view of all security activity. LogRhythm's automated analysis engines automate the process of detecting and alerting on suspicious activity. LogRhythm's powerful forensic capabilities streamline the incident analysis & response process. For regulatory reporting requirements, LogRhythm includes one-click pre-packaged reports.

Confidential

2. LogRhythm – One Integrated Solution

LogRhythm is an enterprise-class application that seamlessly combines Log & Event Management, File Integrity Monitoring, and Endpoint Monitoring & Control into a single integrated solution.

There is a wealth of information that can be derived from log data, whether it originates in applications, databases, servers, network devices or endpoint systems. By automating the collection, organization, analysis, archiving and reporting of all log data, LogRhythm enables organizations to easily meet specific requirements, whether driven by internal best practices or one of many compliance regulations. LogRhythm delivers valuable, timely and actionable insights into security, availability, performance and audit-related issues in real time.

By fully integrating functionality that is traditionally associated with Security Information and Event Management (SIEM) with File Integrity Monitoring and Endpoint Monitoring & Control, the collective value of all functions grows substantially.

For example, security personnel can be notified in near real time when sensitive files are changed, deleted, etc., and the activities can be traced back to an individual user. These capabilities allow organizations to meet additional regulatory compliance requirements, such as PCI DSS requirements 11.5 and 12.9, without purchasing a separate product.

Similarly, if an employee attempted to move highly sensitive data from their laptop to a removable media device, LogRhythm would log the activity in near real time and report it, and if the event mapped to a predefined alarming rule, the system could automatically send an alert to the specific staff responsible for addressing potential data leakage incidents. Some organizations may even choose to use LogRhythm's Endpoint Monitoring & Control to block movement of data to removable media altogether.

LogRhythm's comprehensive solution empowers customers to centralize, simplify and strengthen their compliance, security and IT operations posture. LogRhythm's integrated solution consists of:

• Log & Event Management:
  o Automatically centralize & archive ALL logs
  o Real-time event monitoring & alerting
  o Powerful analytics & trending
  o Automated reporting
  o Real-time correlation & forensic investigations
  o High-performance, scalable & easy-to-use


• File Integrity Monitoring:
  o Monitors ALL types of files in near real time
  o Provides "user-aware" context to file changes
  o Automated alerting on changes to critical files
  o Fine-grained controls & filters
  o Out-of-the-box policies provided for O/S & common applications
• Endpoint Monitoring & Control:
  o Prevents the movement of data to & from removable media
  o Extends monitoring of data use to desktops/laptops
  o Independently audits & logs the transfer of data to and from a variety of removable devices
  o Alerts & reports on inappropriate data transfers

Figure 1 LogRhythm, one integrated solution


3. LogRhythm’s features

3.1. LogRhythm’s Log & Event Management

Historically, log management and event management have been viewed by most as two distinct functions that operated independently and were usually purchased and managed separately. However, at LogRhythm we have always believed that for any organization to fully tap the potential value and insight of log data, the two functions must be delivered as one integrated solution. As such, from version 1.0 the LogRhythm solution has provided log management, log analysis, event management and reporting in a single, fully integrated system.

3.1.1. Describing the Log Management feature

Comprehensive Log Data Collection and Management

Being able to collect log data from across an enterprise regardless of source, present the logs in a uniform and consistent manner, and manage the state, location and efficient access to those logs is an essential element of any comprehensive Log Management and Analysis solution. The LogRhythm solution was designed to address core log management needs, including:

• The ability to collect any type of log data regardless of source
• The ability to collect log data with or without installing an agent on the log source device, system or application
• The ability to "normalize" any type of log data for more effective reporting and analysis
• The ability to "scale down" for small deployments and "scale up" for extremely large environments
• An open architecture allowing direct and secure access to log data via third-party analysis and reporting tools
• A role-based security model providing user accountability and access control
• Automated archiving for secure long-term retention
• Wizard-based retrieval of any archived logs in seconds

Cross-platform Log Collection

Today's IT operations require many technologies: routers, firewalls, switches, file servers and applications, to name a few. LogRhythm has been designed to collect from them all through intelligent use of agent-less and agent-based techniques.


• Windows Event Logs: Agent-less or Agent-based

LogRhythm can collect all types of Windows Event Logs with or without the use of an agent. LogRhythm collects Event Logs via secure TCP transmission. Many Windows-based applications write their logs to the Application Event Log or a custom Event Log. Examples of supported log sources that can be collected by LogRhythm in real time include:
  • Windows System Event Log
  • Windows Security Event Log
  • Windows Application Event Log
  • Microsoft Exchange Server application logs
  • Microsoft SQL Server application logs
  • Windows-based ERP and CRM system application logs

• Syslog

Many log sources, including most network devices (e.g. routers, switches, firewalls), transmit logs via Syslog. LogRhythm includes an integrated Syslog server for receiving and processing these messages. Simply point any syslog-generating device at LogRhythm and it will automatically begin collecting and processing those logs. Note that classic syslog over UDP is neither authenticated nor encrypted, so the source address of a message can be spoofed; restrict which hosts may reach the collector and use TCP with TLS where the sending device supports it.

• Flat File Logs

LogRhythm can collect logs written to any ASCII-based text file. Whether it is a commercial system or a homegrown application, LogRhythm can collect and manage them. Examples of supported log sources using this method include:
  • Web server logs (e.g. Apache, IIS)
  • Linux system logs
  • Windows ISA Server logs
  • DNS and DHCP server logs
  • Host-based intrusion detection/prevention systems
  • Homegrown application logs
  • Exchange message tracking logs

Universal Database Log Collection and Management

Since so much sensitive information resides in databases, it is important to monitor and track access and activity surrounding important databases. The actual and reputational cost of a theft of customer records can be very large. LogRhythm helps by collecting, analyzing, alerting and reporting on logs from all ODBC-compliant databases, including Oracle, Microsoft SQL Server, IBM DB2, Informix, MySQL and others. It also captures data from custom audit logs and applications that run on the database. This capability enables customers to use LogRhythm for real-time database monitoring to guard against insider and outsider threats.

Agent-less and Agent-based Collection

While most log sources can be collected by LogRhythm via agent-less methods, LogRhythm also offers powerful, low-profile agent technology for situations where agents make sense. Whether they are used for real-time flat file log collection or to aggregate and forward logs from a remote site, LogRhythm agents are the perfect complement to any deployment.

LogRhythm agent features include:
• Collection of any flat-file ASCII text log in real time (e.g. web server and application logs)
• Transmission over secure TCP
• Ability to aggregate and forward logs from multiple sources at any remote site (e.g. retail store, branch location)
• Optional encryption during transmission
• Ability to schedule transmission if needed (e.g. due to bandwidth constraints)
• File integrity monitoring
• Collection load-balancing for distributed deployments

Scalable Log Centralization

LogRhythm is architected to scale easily and incrementally as your needs grow. Whether you need to collect 10 million or more than 1 billion logs per day, LogRhythm can handle it. With LogRhythm, you simply deploy the capacity you need when you need it, preserving your initial investment along the way. Deployments can start with a single, turnkey appliance and grow easily by adding incremental log manager appliances as needs expand. With LogRhythm's "building blocks" distributed architecture, you can access and analyze logs throughout your deployment with ease.

Log Archiving and Retrieval

Many businesses have compliance requirements to preserve historic log data and be able to provide it in its original form for legal or investigative purposes. Collecting, maintaining and recovering historic log data can be expensive and difficult.

LogRhythm completely automates the process of archiving and restoring log data. LogRhythm automatically archives unaltered log data to "sealed" self-describing files that are saved, organized and tracked by the system. Archive files can be saved on LogRhythm appliances or any network storage device you choose. To protect log integrity, LogRhythm records a SHA-1 hash of each archive; the logs themselves are compressed in a non-proprietary format, which typically results in a 95% reduction in storage requirements and associated cost. Archive files also include "bookkeeping" information such as where and when the log data originated and other key characteristics.

Recovering historic logs is a snap. The Archive Restoration Wizard makes it easy to restore based on specific filtering criteria like date, user, system, etc. Hit start and LogRhythm takes care of the rest. Once restored, log data can be analyzed using the standard LogRhythm analysis tools. What could have been weeks' worth of effort becomes minutes with LogRhythm.
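An added example (not LogRhythm's archive format, which the document does not describe in detail) of the sealed, self-describing archive the paragraphs above sketch: the unaltered entries are compressed with gzip, a manifest records origin, time span, entry count and a hash of the compressed blob, and restoration verifies the hash before filtering by date or user. The entries, hosts and users are constructed, and the manifest layout is an assumption.

```python
import gzip
import hashlib
import hmac
import json

# Constructed log entries as they would leave the collector: UTC time,
# originating host, login and the unaltered raw text.
ENTRIES = [
    {"time": "2012-03-02T20:00:00Z", "host": "web1", "user": "admin",
     "raw": "sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51516 ssh2"},
    {"time": "2012-03-02T20:00:03Z", "host": "erp1", "user": "jsmith",
     "raw": "ERPApp: User jsmith posted transaction 4711 amount=125000.00 account=ACC-9"},
    {"time": "2012-03-03T08:15:00Z", "host": "erp1", "user": "jsmith",
     "raw": "ERPApp: User jsmith logged off"},
    {"time": "2012-03-03T09:00:00Z", "host": "fs1", "user": "bob",
     "raw": "Object access: \\\\fs1\\finance\\payroll\\q1.xlsx"},
]


def seal(entries, source, algo="sha256"):
    """Compress the unaltered entries (one JSON document per line) and return
    (blob, manifest). The manifest is the 'bookkeeping' record: where the data
    came from, its time span, the entry count and a hash of the compressed blob.
    The product text names SHA-1; SHA-256 is the default here (see the note below)."""
    if not entries:
        raise ValueError("refusing to seal an empty archive")
    payload = "\n".join(json.dumps(e, sort_keys=True) for e in entries).encode("utf-8")
    blob = gzip.compress(payload)               # non-proprietary: any gzip tool can read it
    times = sorted(e["time"] for e in entries)  # ISO-8601 UTC strings sort chronologically
    manifest = {
        "source": source,
        "count": len(entries),
        "first": times[0],
        "last": times[-1],
        "hash_algo": algo,
        "hash": hashlib.new(algo, blob).hexdigest(),
        "raw_bytes": len(payload),
        "compressed_bytes": len(blob),
    }
    return blob, manifest


def verify(blob, manifest):
    """True if the blob still hashes to the value recorded in the manifest."""
    digest = hashlib.new(manifest["hash_algo"], blob).hexdigest()
    return hmac.compare_digest(digest, manifest["hash"])


def restore(blob, manifest, start=None, end=None, user=None):
    """Verify, decompress and return the entries, optionally filtered to
    start <= time < end (ISO-8601 UTC strings) and/or a single user."""
    if not verify(blob, manifest):
        raise ValueError("archive hash mismatch: refusing to restore altered data")
    lines = gzip.decompress(blob).decode("utf-8").splitlines()
    entries = [json.loads(line) for line in lines]
    if len(entries) != manifest["count"]:
        raise ValueError("entry count %d does not match manifest %d"
                         % (len(entries), manifest["count"]))
    return [e for e in entries
            if (start is None or e["time"] >= start)
            and (end is None or e["time"] < end)
            and (user is None or e["user"] == user)]


def tamper(blob):
    """Flip one bit in the last byte: stands in for corruption or alteration in storage."""
    return blob[:-1] + bytes([blob[-1] ^ 0x01])
```

Note on the hash: a digest stored beside the archive detects accidental corruption, but anyone who can rewrite the archive can also rewrite the manifest, so for tamper evidence the digest (or an HMAC or signature over it) has to live where the archive writer cannot reach it, for example on write-once media or in a separately protected log. SHA-1 is also no longer collision resistant, which is why the example defaults to SHA-256 and leaves the algorithm selectable.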


Activity Auditing

For compliance verification, users' and administrators' actions within LogRhythm are logged. LogRhythm user activity reports provide powerful proof that LogRhythm is actively used to analyze log data for compliance purposes.

3.1.2. Describing the Log Analysis feature

Would it be valuable for you to be able to discover which users outside of a trusted user community had accessed a file server that stores highly sensitive information? What about knowing which systems had been affected by a zero-day exploit and prioritizing them based upon the asset value of the impacted hosts? How about being automatically alerted when transactions in your financial application exceed a certain dollar amount? LogRhythm's comprehensive log analysis engine can cull this level of insight from millions or even hundreds of millions of logs in real time.

Automated Log Analysis

While some log entries can be extremely interesting and relevant to daily operations, many can also be extremely uninteresting, at least in the short term. Still, it is important to collect and manage all logs to ensure you don't miss anything and can find what you need when you need it. With manual or homegrown solutions, you would be searching for the proverbial needle in the haystack. With LogRhythm, search, forensic analysis, trending and alerting are simple. LogRhythm processes and normalizes logs to make it easy to identify and find anything. LogRhythm's intuitive and powerful analysis tools make any kind of analysis a breeze.


Log Normalization

LogRhythm automates the process of finding interesting log entries via a powerful and customizable log identification engine. When a log is identified, it is "normalized" for analysis and reporting purposes. The log is assigned a "common name" and classified as either security, operations or audit related. Additional reporting information is parsed from the text of the log, such as IP addresses, UDP/TCP port numbers and logins.

An important aspect of log normalization is time synchronization. In many IT operations, systems are spread across time zones and system clocks aren't synchronized to a single source. For this reason, LogRhythm automatically synchronizes the timestamps of all log entries to a single "normal time" for reporting and analysis purposes. This is extremely valuable in analyzing log data across distributed systems where time of occurrence is important. If one log was written at 3:00 PM EST and, across the country, another log was written at 12:00 PM PST, within LogRhythm they both occurred at the same time.
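As an added illustration (example code, not LogRhythm's own identification engine): a small Python normalizer that applies identification rules, assigns a common name and classification, parses IP addresses, ports and logins, and converts every timestamp to a single UTC "normal time". The sample log lines, hosts, users, addresses and the rule table are all constructed for the example; the EST and PST lines are the 3:00 PM / 12:00 PM pair from the paragraph above.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines: "<ISO-8601 timestamp> <host> <message>".
SAMPLE_LOGS = [
    # Firewall in US Eastern (EST is UTC-05:00): 3:00 PM local
    "2012-03-02T15:00:00-05:00 fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 "
    "DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=22",
    # Linux host in US Pacific (PST is UTC-08:00): 12:00 PM local, the same instant
    "2012-03-02T12:00:00-08:00 web1 sshd[2211]: Failed password for invalid "
    "user admin from 203.0.113.7 port 51516 ssh2",
    # Application server that already logs in UTC
    "2012-03-02T20:00:03Z erp1 ERPApp: User jsmith posted transaction 4711 "
    "amount=125000.00 account=ACC-9",
    # Routine message that matches no identification rule
    "2012-03-02T20:01:00Z web1 cron[300]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)",
]

# Identification rules (assumed): message pattern -> (common name, classification).
# Classification is one of security / operations / audit, as in the text.
RULES = [
    (re.compile(r"kernel: DROP "), "Firewall Packet Drop", "security"),
    (re.compile(r"sshd\[\d+\]: Failed password"), "Failed Login", "security"),
    (re.compile(r"ERPApp: User \S+ posted transaction"), "ERP Transaction Posted", "audit"),
]

_HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")        # timestamp, host, message
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_PORT = re.compile(r"\b(?:SPT|DPT|port)[=\s](\d+)")
_USER = re.compile(r"\buser\s+(\S+)", re.IGNORECASE)


def to_normal_time(ts):
    """Parse an ISO-8601 timestamp carrying a UTC offset and return it in UTC.

    A timestamp without an offset is rejected rather than guessed, because a
    wrong guess silently shifts the event by hours.
    """
    if ts.endswith("Z"):      # datetime.fromisoformat accepts a bare 'Z' only from Python 3.11
        ts = ts[:-1] + "+00:00"
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:
        raise ValueError("timestamp has no UTC offset: %r" % ts)
    return parsed.astimezone(timezone.utc)


def normalize(line):
    """Identify one log line, assign common name and classification, parse fields."""
    m = _HEADER.match(line)
    if not m:
        return None           # not in the expected shape; leave it for a raw-only store
    ts, host, msg = m.groups()
    common_name, classification = "Unidentified", "operations"
    for pattern, name, cls in RULES:
        if pattern.search(msg):
            common_name, classification = name, cls
            break
    ips = _IPV4.findall(msg)
    user = _USER.search(msg)
    return {
        "normal_time": to_normal_time(ts),          # one UTC clock for every source
        "host": host,
        "common_name": common_name,
        "classification": classification,
        "origin_ip": ips[0] if ips else None,
        "impacted_ip": ips[1] if len(ips) > 1 else None,
        "ports": [int(p) for p in _PORT.findall(msg)],
        "login": user.group(1) if user else None,
        "raw": line,                                # unaltered text kept for forensics
    }


def normalize_all(lines):
    """Normalize a batch and order it on normal time, so records from different
    time zones line up by the instant they occurred (ties keep input order)."""
    records = [r for r in map(normalize, lines) if r is not None]
    records.sort(key=lambda r: r["normal_time"])
    return records
```

Run `normalize_all(SAMPLE_LOGS)`: the firewall drop logged at 15:00 EST and the failed SSH login logged at 12:00 PST both normalize to 20:00:00 UTC and sort together, which is what lets the two lines be read as one event (a scan from 203.0.113.7 hitting port 22) across sites.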

Figure 2 LogRhythm users have on-demand access to normalized data, prioritized events and correlated information along with supporting raw log data, all delivered in a single window for compliance assurance, forensic analysis and root-cause investigations.


Risk-based Prioritization

LogRhythm automatically prioritizes each event based on its impact to your business' operations. Its risk-based prioritization calculates a 100-point priority based on:
• The type of event
• The likelihood that the event is a false alarm
• The threat rating of the host causing the event (e.g., a remote attacker), and
• The risk rating of the server on which the event occurred

LogRhythm's risk-based priority helps ensure the most important events are identified and acted upon.

The impact of an event varies by business and, within a business, by system. For instance, a router link failure might not be immediately critical for an ISP with redundant routers. However, for a branch office with a single router, business is impacted until it is fixed. A server reboot is uninteresting if seen on a user workstation, but when seen from an ERP server that has 99.999% uptime requirements, it is extremely interesting.
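A worked version of the four-input priority, as an added example (not LogRhythm's actual scoring algorithm, which the document does not disclose): the weights, the base score per event type, the asset risk ratings and the host threat ratings below are assumptions chosen to reproduce the ISP-router versus branch-router and workstation versus ERP-server cases from the text.

```python
# Base score per event type (common name), 0..100: severity of the event in itself.
EVENT_TYPE_BASE = {
    "Malware Detected": 90,
    "Router Link Down": 50,
    "Failed Login": 40,
    "System Reboot": 30,
    "Firewall Packet Drop": 15,
}
UNKNOWN_TYPE_BASE = 10

# Constructed asset inventory: risk rating 0..10 of the host an event occurred on.
ASSET_RISK = {"erp1": 10, "branch-rtr1": 9, "isp-core-rtr1": 3, "ws-042": 1}
DEFAULT_RISK = 2          # unregistered host: assume a low-value workstation

# Constructed threat ratings 0..10 for hosts that cause events.
HOST_THREAT = {"203.0.113.7": 8, "10.0.5.23": 1}
DEFAULT_THREAT = 5        # unknown origin: moderately hostile until classified

# Weights of the three ratings (they sum to 1); the false-alarm likelihood then scales the sum.
W_TYPE, W_RISK, W_THREAT = 0.4, 0.3, 0.3


def priority(event_type, false_alarm_likelihood, origin_host, impacted_host):
    """Return an integer priority in 0..100 from the four inputs listed in the text."""
    if not 0.0 <= false_alarm_likelihood <= 1.0:
        raise ValueError("false_alarm_likelihood must be in [0, 1]")
    base = EVENT_TYPE_BASE.get(event_type, UNKNOWN_TYPE_BASE)
    risk = ASSET_RISK.get(impacted_host, DEFAULT_RISK) * 10            # scale to 0..100
    if origin_host is None or origin_host == impacted_host:
        threat = 0            # locally generated (reboot, link down): no hostile actor involved
    else:
        threat = HOST_THREAT.get(origin_host, DEFAULT_THREAT) * 10    # scale to 0..100
    score = (W_TYPE * base + W_RISK * risk + W_THREAT * threat) * (1.0 - false_alarm_likelihood)
    return max(0, min(100, int(round(score))))


def rank_events(events):
    """Attach a priority to each event dict and return the list highest first."""
    ranked = []
    for e in events:
        p = priority(e["common_name"], e["false_alarm_likelihood"],
                     e.get("origin_host"), e["impacted_host"])
        ranked.append(dict(e, priority=p))
    ranked.sort(key=lambda e: e["priority"], reverse=True)
    return ranked


# Constructed events covering the examples in the text.
SAMPLE_EVENTS = [
    {"common_name": "System Reboot", "false_alarm_likelihood": 0.2, "impacted_host": "ws-042"},
    {"common_name": "System Reboot", "false_alarm_likelihood": 0.2, "impacted_host": "erp1"},
    {"common_name": "Router Link Down", "false_alarm_likelihood": 0.1, "impacted_host": "isp-core-rtr1"},
    {"common_name": "Router Link Down", "false_alarm_likelihood": 0.1, "impacted_host": "branch-rtr1"},
    {"common_name": "Failed Login", "false_alarm_likelihood": 0.3,
     "origin_host": "203.0.113.7", "impacted_host": "erp1"},
    {"common_name": "Failed Login", "false_alarm_likelihood": 0.3,
     "origin_host": "10.0.5.23", "impacted_host": "erp1"},
    {"common_name": "Malware Detected", "false_alarm_likelihood": 0.1,
     "origin_host": "203.0.113.7", "impacted_host": "erp1"},
]
```

With these weights the same reboot scores 12 on the workstation and 34 on the ERP server, and the same link failure scores 26 on the ISP's redundant core router and 42 on the branch office's only router; the inputs the text lists are what separate them, not the event type.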

Event Forwarding

Identified log entries having the most immediate operational relevance are forwarded to the Event Manager. This typically includes security events, audit failures, warnings and errors. Event forwarding rules work "out of the box." You also have the ability to tailor those rules to your liking and create your own rules. The function of intelligently forwarding a subset of logs provides the first layer of data reduction.

Log activity for specific filename patterns, IP addresses, hosts or users can also be monitored easily. When security policies are violated, LogRhythm can automatically alert designated individuals via e-mail, pager, existing management applications and the LogRhythm console.

Because only the most important log entries are forwarded as events, users are extremely efficient with the time they spend using the LogRhythm solution. Instead of having to weed through numerous irrelevant log entries, the most important logs are automatically identified for them.

LogRhythm features contextual event forwarding, which enables real-time identification and alerting of anomalies within application, database and network activity. For example, LogRhythm can be used to pinpoint specific exceptions such as transactions greater than a specified dollar amount in a financial application, including when it occurred, who was responsible, and which account was modified.
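An added example (not LogRhythm's code) of the first-layer forwarding filter described in this section: out-of-the-box rules for security events, audit failures, warnings and errors, a watch list for filename patterns, IP addresses and users, and a contextual rule for transactions above a dollar limit that carries who, when and which account into the event. The already-normalized records, the limit and the watch-list entries are constructed for the example.

```python
import re

# Constructed, already-normalized records (the fields a normalization step would produce).
RECORDS = [
    {"id": 1, "time": "2012-03-02T20:00:00Z", "classification": "security", "severity": "warning",
     "common_name": "Failed Login", "host": "web1", "login": "admin", "origin_ip": "203.0.113.7"},
    {"id": 2, "time": "2012-03-02T20:00:01Z", "classification": "operations", "severity": "info",
     "common_name": "Service Started", "host": "web1", "login": None},
    {"id": 3, "time": "2012-03-02T20:00:03Z", "classification": "audit", "severity": "info",
     "common_name": "ERP Transaction Posted", "host": "erp1", "login": "jsmith",
     "amount": 125000.00, "account": "ACC-9"},
    {"id": 4, "time": "2012-03-02T20:00:05Z", "classification": "audit", "severity": "info",
     "common_name": "ERP Transaction Posted", "host": "erp1", "login": "mlee",
     "amount": 480.00, "account": "ACC-2"},
    {"id": 5, "time": "2012-03-02T20:00:09Z", "classification": "operations", "severity": "error",
     "common_name": "Disk Write Failure", "host": "db1", "login": None},
    {"id": 6, "time": "2012-03-02T20:00:12Z", "classification": "audit", "severity": "info",
     "common_name": "File Read", "host": "fs1", "login": "bob",
     "object": r"\\fs1\finance\payroll\q1.xlsx"},
    {"id": 7, "time": "2012-03-02T20:01:00Z", "classification": "operations", "severity": "info",
     "common_name": "Cron Job Run", "host": "web1", "login": "root"},
    {"id": 8, "time": "2012-03-02T20:01:30Z", "classification": "audit", "severity": "info",
     "common_name": "Object Access", "host": "fs1", "login": "bob", "result": "failure",
     "object": r"\\fs1\hr\reviews.docx"},
]

# Assumed policy values for the contextual and watch-list rules.
TRANSACTION_LIMIT = 100000.00
WATCHED_USERS = {"svc_backup"}
WATCHED_IPS = {"203.0.113.7"}
WATCHED_FILE_PATTERNS = [re.compile(r"\\payroll\\[^\\]+\.xlsx$", re.IGNORECASE)]


def is_security(r):
    return r["classification"] == "security"


def is_audit_failure(r):
    return r["classification"] == "audit" and r.get("result") == "failure"


def is_warning_or_error(r):
    return r["severity"] in ("warning", "error")


def is_large_transaction(r):
    # Contextual rule: flags the exception inside an otherwise routine audit log
    return r["common_name"] == "ERP Transaction Posted" and r.get("amount", 0.0) > TRANSACTION_LIMIT


def is_watch_list_hit(r):
    if r.get("login") in WATCHED_USERS or r.get("origin_ip") in WATCHED_IPS:
        return True
    obj = r.get("object")
    return bool(obj) and any(p.search(obj) for p in WATCHED_FILE_PATTERNS)


# Out-of-the-box rules first, then the site-specific ones; each is (name, predicate).
FORWARDING_RULES = [
    ("security event", is_security),
    ("audit failure", is_audit_failure),
    ("warning or error", is_warning_or_error),
    ("transaction above limit", is_large_transaction),
    ("watch list hit", is_watch_list_hit),
]


def forward(records, rules=FORWARDING_RULES):
    """Return (events, stats). Each event keeps the log id, every rule it matched
    and the who/when/where/what context an analyst needs; stats shows the reduction."""
    events = []
    for r in records:
        hits = [name for name, pred in rules if pred(r)]
        if hits:
            events.append({
                "log_id": r["id"], "rules": hits, "when": r["time"], "who": r.get("login"),
                "where": r["host"], "what": r["common_name"],
                "account": r.get("account"), "object": r.get("object"),
            })
    stats = {"received": len(records), "forwarded": len(events),
             "reduction": 1.0 - len(events) / len(records) if records else 0.0}
    return events, stats
```

On the sample batch five of eight logs become events; the 480.00 transaction, the service start and the cron run stay in the log store, where a later search can still reach them, while the 125000.00 posting is forwarded with jsmith, the timestamp and ACC-9 attached.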


User-Driven Log Analysis

Once logs are collected, classified, normalized, prioritized, stored and correlated, some rise to the level of an "event". The LogRhythm Event Management function applies the real-time monitoring, alerting, incident management and response appropriate for specific events.

Some events warrant a deeper investigation beyond the events themselves to include other related log data. For these situations LogRhythm offers a comprehensive set of investigative capabilities, ranging from high-level trending and visualization to monitoring in real time the activities associated with a specific user, system, device or information asset.

LogMart

The LogRhythm LogMart tool incorporates a powerful set of visualization, data trending and search capabilities. LogMart aggregates millions of logs in a single graphical view, which can expose exceptions in security, compliance and operations over short or long periods of time. The powerful user-configurable charting and filtering capabilities enable users to quickly switch from viewing months or even years' worth of log trend data to drilling down to individual logs exposing the root cause of a security breach or operational problem.

Figure 3 Visualize days, months or even years' worth of log data for powerful trending, anomaly detection and analysis in a single screen. Accelerate root cause discovery via on-the-fly filtering and drill-down features.


Investigator and Search

The LogRhythm Investigator is a powerful investigation tool used for searching and viewing specific sets of logs and events, such as those associated with a specific user, set of users, specific IP address or range, impacted hosts, impacted applications, date and time, and more. An easy-to-use wizard guides users through the selection of criteria for their specific investigation. Once defined, investigation criteria can be saved and used again. Investigations can include events, log metadata, raw log data or any combination thereof.

LogRhythm also offers comprehensive search capabilities to meet the unique needs of a variety of users. Whether you're an investigator looking for all activity associated with a specific user, an IT operations manager seeking to understand performance trends for a particular server, or an auditor looking for a list of individuals outside of a trusted user community that accessed a highly sensitive file server over the last 90 days, LogRhythm's quick search function can serve up unique and highly valuable information derived from millions of logs quickly and easily.

Figure 4 LogRhythm's easy-to-use wizard empowers users to quickly and efficiently search through events, normalized logs and even raw log data from millions of logs over any period of time, all from a single screen. Searches can range from simple keyword and Boolean searches to using multiple criteria including user and host names, IP addresses, dates and times, log and/or event types, asset value, etc.


3.1.3. Describing the Event Management feature

LogRhythm's Event Management function combines real-time monitoring and alerting with comprehensive incident management and response. LogRhythm's Personal Dashboards present event information in the most useful and effective manner to meet the specific needs of individual users. The dashboard also acts as a portal to a suite of highly effective investigative and reporting tools, including the LogRhythm Investigator and LogMart.

Real-time Monitoring

Because LogRhythm collects and analyzes logs in real time, logs deemed to be events are immediately forwarded as such and are escalated according to their level of criticality. Event information is delivered in real time to the personal dashboards of those users predefined as authorized viewers for those classifications of events. Through the personal dashboard users can monitor events in real time and quickly review and drill down as appropriate. LogRhythm dashboards can be easily customized by and for each user. As a result, every user sees and can analyze the information that is most relevant to them and their role.

Figure 5 LogRhythm's Personal Dashboard provides users with real-time visibility into Compliance/Audit, Security and Operations related events and alerts, as well as access to raw log data for millions of logs in a single screen. From the dashboard users can perform numerous activities, including launching investigations, customizing alerts and drilling down into normalized and raw log data, all while maintaining user audit tracking for compliance and reporting purposes.

Role-based Alerting

LogRhythm can easily be configured to send alerts on critical events or combinations of events to an individual or groups of individuals based upon user roles, asset values of impacted systems or applications, or a variety of other factors related to ensuring the right alerts reach the right people at the right time.

Figure 6 LogRhythm’s customizable personal dashboard allows users of differing functional roles to receive actionable alerts in real time on events that are meaningful and applicable to their specific job function or responsibility. This role-based alerting function can deliver alerts via the dashboard or via numerous other mechanisms including SMTP and SNMP.

Incident Management & Response

The LogRhythm solution includes comprehensive incident management capabilities. Incidents (alarms) are viewed and managed via the real-time personal dashboard. Every action taken on an alarm is documented (who was notified, when it was analyzed, work that was done, etc.) as part of the alarm history. A comprehensive set of reports provides a full history of incident management activity and response. Whether your requirements for tracking incident management activities are driven by compliance mandates or internal best practices, the LogRhythm incident management functions will deliver on your reporting, tracking and audit needs.

3.1.4. Describing the Intelligent IT Search feature

Logs are the digital fingerprints for virtually all network, system and application activity. Whether you’re searching for the root cause of a system failure or performance issue, looking for present or potential threats, conducting an IT investigation or satisfying an eDiscovery request from Legal or HR, chances are you’ll be searching through log data.

For IT professionals, the question isn’t whether or not you’ll be searching log data, the question is how quickly you can find the information you’re looking for, if at all. Will it take days, weeks or months, or can you find it with a few clicks of the mouse? The answer depends on 4 things:

• Is your log data collected centrally from all log sources and stored in an intelligent indexed format?

• How well has your log data been enriched and prepared for Intelligent search?

• How intuitive and quick is the search process?

• How meaningful and insightful are the search results?

Traditional approaches to log search require users to know precisely what they are looking for, and to create, then refine search terms to locate events that map to their query. LogRhythm processes logs and tags them using a rich and granular three tier classification model that enables users to perform intelligent IT search. This capability assesses the impact of events in multiple dimensions to extract meaning from what would otherwise appear to be just isolated logs.

By adding this additional intelligence to raw logs, LogRhythm enables IT organizations to quickly identify internal and external threats, operations issues and compliance violations. Additionally, Intelligent IT Search simplifies and accelerates forensic investigations and eDiscovery responses.

Figure 7 Search results can be viewed in textual or 3-D graphical presentation for rapid identification of anomalies and quick drill down for investigations

Adding Intelligence to Raw Logs

LogRhythm enriches logs with the following information to generate query results that provide intelligence, not simply data:

• Universal time stamp for every log: Essential for accurate correlation and contextualization, especially when conducting forensic analysis of events that span multiple geographies.

• Three Tier Classification System

o Security: Compromise, Attack, Denial of Service, etc.

o Operations: Critical Event, System Error, Warning, etc.

o Audit: Admin Account Creation, Failed Authentication, etc.

• Prioritization of Events - 100 point risk model prioritizes events based on what happened, what systems or applications were impacted, what users were involved, etc.

• User and Host Contextualization – Differentiates origin from impacted users and hosts. Enables security teams to rapidly identify exposure, impacted users and systems, determine the origin of threats and the direction of the activity. For example, a large file transfer (10 MB) from a sensitive internal database (SAP) to an external IP address (in Romania).
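The enrichment steps listed above (UTC time stamp, three tier classification, 100 point risk, origin versus impacted host) together with the role-based alerting described earlier, worked through as an added example in Python. This is not LogRhythm's code; the log lines, source time zones, classification patterns, asset values, privileged-user list, risk weights and role map are all constructed for the illustration, and the SAP-to-external transfer from the text is the first sample log.

```python
"""Added example (not LogRhythm's code): log enrichment as the section describes it
(UTC time, three-tier classification, 100-point risk, origin vs. impacted host),
then role-based routing. All constants and log lines below are constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed raw logs: (log source, source UTC offset, "<local time> <message>").
RAW_LOGS = [
    ("fw-bucharest", "+02:00", "2012-03-05 14:02:11 FTP transfer 10485760 bytes src=10.1.5.20 dst=198.51.100.7 user=jsmith"),
    ("dc-denver", "-07:00", "2012-03-05 07:01:59 Audit failure: logon failed for user svc_backup from 10.1.9.4"),
    ("web-denver", "-07:00", "2012-03-05 07:03:30 System error: disk full on /var/log"),
    ("dc-denver", "-07:00", "2012-03-05 07:04:02 Audit success: new account created 'tmpadmin' by user jsmith"),
]
# Three-tier classification: (pattern, (tier, classification)); first match wins.
CLASSIFIERS = [
    (re.compile(r"transfer \d+ bytes"), ("Security", "Suspicious Transfer")),
    (re.compile(r"logon failed"), ("Audit", "Failed Authentication")),
    (re.compile(r"account created"), ("Audit", "Admin Account Creation")),
    (re.compile(r"System error"), ("Operations", "System Error")),
]
BASE_RISK = {"Suspicious Transfer": 55, "Failed Authentication": 30,
             "Admin Account Creation": 45, "System Error": 20}
ASSET_VALUE = {"10.1.5.20": 9, "10.1.9.4": 5, "dc-denver": 8}  # 10.1.5.20 plays the SAP database
PRIVILEGED_USERS = {"jsmith"}
ROLES = {"Security": "SOC analyst", "Audit": "Compliance auditor", "Operations": "IT operations"}

@dataclass
class EnrichedLog:
    utc_time: datetime
    tier: str
    classification: str
    origin: str          # host the activity came from
    impacted: str        # host the activity acted upon
    user: Optional[str]
    direction: str       # internal, outbound or inbound
    risk: int            # 0-100

def to_utc(local: str, offset: str) -> datetime:
    """Normalize 'YYYY-MM-DD HH:MM:SS' in the source's zone to a UTC timestamp."""
    sign = 1 if offset[0] == "+" else -1
    tz = timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[4:6])))
    return datetime.strptime(local, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)

def classify(msg: str) -> Tuple[str, str]:
    for pattern, result in CLASSIFIERS:
        if pattern.search(msg):
            return result
    return ("Operations", "Unclassified")

def is_internal(host: str) -> bool:
    """Hostnames and 10/8 addresses count as internal; any other IP is external."""
    return not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", host) or host.startswith("10.")

def contextualize(source: str, msg: str) -> Tuple[str, str, str]:
    """Separate origin from impacted host and derive the direction of the activity."""
    src, dst = re.search(r"src=(\S+)", msg), re.search(r"dst=(\S+)", msg)
    frm = re.search(r"from (\S+)", msg)
    if src and dst:
        origin, impacted = src.group(1), dst.group(1)
    elif frm:
        origin, impacted = frm.group(1), source   # remote actor hit the log source
    else:
        origin = impacted = source                # local activity on the log source
    o_int, i_int = is_internal(origin), is_internal(impacted)
    direction = "internal" if o_int and i_int else ("outbound" if o_int else "inbound")
    return origin, impacted, direction

def score(classification, origin, impacted, user, direction) -> int:
    """Constructed 100-point model: what happened, what was hit, who did it, which way."""
    risk = BASE_RISK.get(classification, 10)
    risk += 3 * max(ASSET_VALUE.get(origin, 1), ASSET_VALUE.get(impacted, 1))
    if user in PRIVILEGED_USERS:
        risk += 10
    if direction == "outbound":
        risk += 15
    return min(risk, 100)

def enrich(source: str, offset: str, line: str) -> EnrichedLog:
    stamp, msg = line[:19], line[20:]
    tier, classification = classify(msg)
    origin, impacted, direction = contextualize(source, msg)
    m = re.search(r"user[= ](\S+)", msg)
    user = m.group(1) if m else None
    risk = score(classification, origin, impacted, user, direction)
    return EnrichedLog(to_utc(stamp, offset), tier, classification, origin, impacted, user, direction, risk)

def enrich_all(logs=RAW_LOGS) -> List[EnrichedLog]:
    """Enrich every log and order by UTC time so events from both sites correlate."""
    return sorted((enrich(*entry) for entry in logs), key=lambda e: e.utc_time)

def route(event: EnrichedLog) -> List[str]:
    """Role-based alerting: the tier's owning role always, plus management at high risk."""
    targets = {ROLES[event.tier]}
    if event.risk >= 80:
        targets.add("Security manager")
    return sorted(targets)
```

Note that after UTC normalization the Bucharest transfer (14:02 local) sorts before the Denver events (07:01 local), which is the ordering the universal time stamp exists to recover.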

Utility Tool Chest for Intelligent IT Search

Once log data is enriched, LogRhythm’s broad suite of search utilities empowers users to rapidly investigate, view, correlate and visualize logs in a variety of ways to meet specific search objectives. The Intelligent Search Utilities include:

• Wizard-based Search - Easily create complex search criteria across normalized, classified and contextualized data

• Real-time Search - Apply search criteria to log data as it is generated in real time via LogRhythm Tail. Configure alerts to be sent whenever conditions with specified search criteria occur in the future.

• Visualization - Present millions of logs in 3-D graphical representation to discover anomalies and analyze trends

• One-click Correlation - Rapidly refine search with a single click on related data

• Quick Search Tool Bar - Provides rapid search initiation directly from any screen

Figure 8 The LogRhythm Quick Search Toolbar enables users to launch a search quickly from any screen in the LogRhythm console based upon a variety of attributes such as email address, port, user, host, event type, time frame, etc. In this sample use case we’re searching for all audit-related activity that a terminated administrator (Trent Heisler) performed during the 7 days prior to his termination

Investigator and Search

The LogRhythm Investigator is a powerful investigation tool used for searching and viewing specific sets of logs and events, such as those associated with a specific user, set of users, specific IP address or range, impacted hosts, impacted applications, date and time, and more. An easy to use wizard guides users through the selection of criteria for their specific investigation. Once defined, investigation criteria can be saved and used again. Investigations can include events, log metadata, raw log data or any combination thereof.

LogRhythm also offers comprehensive search capabilities to meet the unique needs of a variety of users. Whether you're an investigator looking for all activity associated with a specific user, an IT operations manager seeking to understand performance trends for a particular server or an auditor looking for a list of individuals outside of a trusted user community that accessed a highly sensitive file server over the last 90 days, LogRhythm's quick search function can serve up unique and highly valuable information derived from millions of logs quickly and easily.

Figure 9 LogRhythm’s easy-to-use wizard empowers users to quickly and efficiently search through events, normalized logs and even raw log data from millions of logs over any period of time, all from a single screen. Searches can range from simple key word and Boolean searches to using multiple criteria including user and host names, IP addresses, dates and times, log and/or event types, asset value etc.


3.2. LogRhythm’s File Integrity Monitoring

LogRhythm provides comprehensive file integrity monitoring that is fully integrated with enterprise-class log & event management as well as endpoint monitoring & control. This integrated approach enables LogRhythm customers to simplify and strengthen their security, audit and compliance posture.

Fully Integrated with Log & Event Management & Endpoint Monitoring & Control

• Provides additional PCI Compliance with the most complex elements of the DSS

• Central & policy-based configuration and administration

• User activity monitoring syncs user context to file changes/deletions/additions/permission changes, etc. (e.g., at time of change: who was logged in, for how long, what else did they do, etc.)

Monitors All Types of Files in Near-real Time

• Including: executables, configuration files, content files, log and audit files, web files, database files, etc.

• Configurable frequency of scanning and reporting (e.g., scan every minute for password files, scan daily for general business files, etc.)

Fine-grain Controls and Filters

• Ensures only applicable files/folders are monitored as often as required

Out-of-the-box Policies Provided for O/S and Common Applications

• Supported on Windows, Unix and Linux systems

3.3. LogRhythm’s Endpoint Monitoring & Control

LogRhythm Endpoint Monitoring & Control tracks, alerts on, logs, and audits all movement of data to removable media ports and can optionally block data transfers on selected machines and devices.

These capabilities monitor USB ports, RAM drives, and CD/DVD drives on Microsoft Windows systems. Administrators can centrally configure and manage policies for their entire organization from the LogRhythm console.

Since these capabilities are integrated with log data, LogRhythm can link activity to responsible users, establish audit trails, and meet a broader set of regulatory compliance requirements.

Endpoint Monitoring & Control

• Prevents the movement of data to & from endpoint devices

• Independently audits & logs the transfer of data to & from a variety of removable devices including:

o USB thumb/hard drives

o Memory cards and

o CD/DVD drives

• Allows for the optional ejection of USB devices on a universal or per system basis

• Alerts & reports on inappropriate data transfers (e.g. support employee termination procedures & internal audit requirements by investigating the transfer of data)

• Available in Windows System Monitor

3.4. LogRhythm’s Advanced Reporting

LogRhythm offers a comprehensive set of reporting capabilities ranging from pre-packaged compliance reports to custom and on-the-fly reporting to meet the unique requirements of individual customers and situations. Every LogRhythm solution comes with our full suite of automated compliance reports for SOX, PCI, FISMA, GLBA, HIPAA, NERC CIP and more. Customers can schedule the creation and delivery of these reports to meet their specific compliance requirements. LogRhythm also provides many other useful reports out of the box. Also, any search or investigation results can be quickly turned into a report on-the-fly using one of LogRhythm’s many report templates. Users can also create and save custom reports. In short, LogRhythm provides virtually unlimited reporting capabilities.


4. LogRhythm automates compliance

Most organizations today face regulatory requirements around secure log data collection, retention, review and reporting for both audit and security purposes. Whatever the driver – PCI DSS, Sarbanes Oxley, HIPAA, FISMA, NERC or GLBA – organizations in a wide array of industries face a huge challenge meeting these requirements easily, efficiently, and affordably. With logs accounting for up to 25% of an enterprise's total data, organizations are under the gun to effectively manage and review the millions of logs generated on their networks every day.

LogRhythm's turnkey solutions provide companies of all sizes easier and more affordable ways to automate log management for compliance.

Affected Industries Matrix

The following chart lists the regulations affecting specific industries.

LogRhythm Compliance Checklist

The following chart lists the compliance areas addressed by LogRhythm within each regulation.


LogRhythm’s compliance features cover the areas of periodic log review, log data centralization, safeguarding, archiving and destruction, file integrity monitoring, intrusion detection and reporting. The explanation of LogRhythm’s compliance areas follows:

• Periodic Log review: Periodic log review consists of reviewing audit, system, and application logs on a regular basis for the purpose of detecting unauthorized activity and assessing the general health of systems and applications. LogRhythm significantly reduces the log review effort by automatically identifying high interest log events and detecting suspicious activity via rules and anomaly based log data analysis engines.

• Log data centralization and safeguarding: Log data centralizing and safeguarding consists of moving or copying log data to a centralized data store. The central data store can provide a secondary copy of log data and secure the log data from unauthorized access and modification. It also provides a means of analyzing log data across multiple systems simultaneously. LogRhythm provides agent and agent-less cross-platform log collection and secure log data centralization.

• Log data archiving and destruction: Log data archiving and destruction is the process of permanently destroying (deleting) log data or preparing log data for long term storage. Many standards require log data to be stored for months or even years before it can be destroyed. LogRhythm automates the process of destroying and archiving log data.

• File Integrity Monitoring: File integrity monitoring consists of monitoring the files on a system for read access, modification, deletion, and changes to access control settings. File integrity monitoring is typically accomplished via software that periodically checks systems for changes to sensitive files (e.g., password files, configuration files, programs). Monitoring the integrity of files is required by many standards for the purpose of detecting unauthorized changes to a system or its data. LogRhythm agents have built-in file integrity monitoring capabilities.

• Intrusion detection: Intrusion detection is the process of detecting intrusions into the network, systems, and applications whether the intruder is an external hacker or a disgruntled employee. Intrusion detection typically involves deploying network and host-based intrusion detection systems as well as reviewing the security logs of network devices, systems, and applications. LogRhythm can integrate with existing intrusion detection systems or be deployed with low-cost open source solutions such as Snort to create a much more effective multi-layer intrusion detection solution.

• Incident response: Incident response is the process of responding to and resolving an incident whether the incident be an intrusion or the failure of a critical financial system (e.g., general ledger application). Many standards require that formal incident response procedures be put in place and that tools exist for expediting and tracking the incident response process. LogRhythm provides advanced analysis and reporting tools to support and expedite the incident response process.

• Reporting: Reporting is the process of producing periodic reports on the integrity and security of the network, systems, and data. Reporting is required by many standards for the purpose of providing executives, managers, auditors, and other compliance related personnel a formal, written account of activity. LogRhythm automates the reporting process via its included reports and can be easily extended to meet custom reporting requirements.
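A minimal file integrity monitor of the kind described in section 3.2 and in the File Integrity Monitoring compliance area above (a hashed baseline, a re-scan on a policy-defined interval, and detection of added, deleted, modified and permission-changed files), as an added example that is not LogRhythm's agent code. The directory layout, the scan policy and the tamper steps in demo() are constructed.

```python
"""Added example (not LogRhythm's code): a minimal file integrity monitor that
hashes a baseline, re-scans on a per-folder policy interval and reports
additions, deletions, content changes and permission changes."""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FileState:
    sha256: str   # content hash; a changed hash means the file was modified
    mode: int     # permission bits only (stat.S_IMODE), for access control changes
    size: int


# Constructed scan policy: top-level folder -> scan interval in seconds
# ("scan every minute for password files, scan daily for general business files").
POLICY = {"etc": 60, "data": 86400}


def snapshot_file(path: str) -> FileState:
    """Hash the file in chunks and record its permission bits and size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return FileState(h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)


def baseline(root: str) -> Dict[str, FileState]:
    """Walk the monitored tree and snapshot every file, keyed by relative path."""
    states = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            states[rel] = snapshot_file(full)
    return states


def compare(old: Dict[str, FileState], new: Dict[str, FileState]) -> List[Tuple[str, str]]:
    """Diff two snapshots; each finding is (relative path, change type)."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append((path, "added"))
        elif path not in new:
            changes.append((path, "deleted"))
        else:
            if old[path].sha256 != new[path].sha256:
                changes.append((path, "modified"))
            if old[path].mode != new[path].mode:
                changes.append((path, "permissions changed"))
    return changes


def due_for_scan(rel_path: str, seconds_since_last: int, policy=POLICY) -> bool:
    """Apply the per-folder scan frequency; unknown folders get the daily default."""
    top = rel_path.split("/")[0]
    return seconds_since_last >= policy.get(top, 86400)


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: take a baseline, tamper with the tree, re-scan."""
    root = tempfile.mkdtemp()
    for sub in ("etc", "data"):
        os.makedirs(os.path.join(root, sub))
    files = {"etc/passwd": "root:x:0:0\n", "etc/app.conf": "debug=false\n",
             "data/report.txt": "quarterly figures\n"}
    for rel, content in files.items():
        p = os.path.join(root, rel)
        with open(p, "w") as f:
            f.write(content)
        os.chmod(p, 0o640)            # fixed mode so the comparison is deterministic
    before = baseline(root)

    # Tamper: append to the password file, loosen a config file's permissions,
    # delete a business file and drop a new file into etc.
    with open(os.path.join(root, "etc/passwd"), "a") as f:
        f.write("newuser:x:1001:1001\n")
    os.chmod(os.path.join(root, "etc/app.conf"), 0o666)
    os.remove(os.path.join(root, "data/report.txt"))
    with open(os.path.join(root, "etc/rc.local"), "w") as f:
        f.write("#!/bin/sh\n")
    return compare(before, baseline(root))
```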


5. LogRhythm and PCI Compliance

The collection, management, and analysis of log data are integral to meeting PCI audit requirements. IT environments include many heterogeneous devices, systems, and applications that all report log data. Millions of individual log entries can be generated daily, if not hourly. The task of simply assembling this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly.

LogRhythm has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. Log collection, archive, and recovery are fully automated across the entire IT infrastructure. LogRhythm automatically performs log data categorization, identification, and normalization to facilitate easy analysis and reporting. LogRhythm’s best-of-breed log management capabilities enable automatic identification of the most critical events and notification of relevant personnel through its powerful Alarming capabilities.

LogRhythm provides out-of-the-box PCI compliance. As part of the PCI Compliance Package, enterprise assets are categorized according to Network Security, Cardholder Data, Vulnerability Management, Access Control, Network Monitoring and Testing, and Information Security Policy.

To ensure compliance with PCI requirements, information systems are monitored in real-time. Investigations, Reports and Alarm Rules are provided, allowing for immediate notification and analysis of conditions that impact the integrity of the organization’s cardholder data. Areas of non-compliance can be identified in real time. Additional Investigations, Reports and Alarm Rules are provided as part of LogRhythm’s standard Knowledge Base to further augment the usefulness of the log data. Reports can be generated as needed by the PCI Security Assessor and scheduled to run at pre-determined intervals.

The table below explains how LogRhythm and the PCI Compliance Package address the six sections of the standard:


Below it is outlined how LogRhythm directly meets the requirements of each PCI section.

LogRhythm’s Compliance Support on PCI DSS requirements

1. Install and maintain a firewall configuration to protect data

LogRhythm collects logs from firewall devices to ensure and validate compliance.

Compliance Requirement: 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure

How LogRhythm Supports Compliance: LogRhythm provides monitoring and investigations to perform testing procedures 1.1.5a and 1.1.5b by showing the use of protocols in the network environment. Testing requires verification that all used services, protocols and ports have a business need.

Example Investigations:

• Network Service Summary

• Network Connection Summary

Compliance Requirement: 1.1.6 Periodic review of firewall/router rule sets

How LogRhythm Supports Compliance: Reporting facilitates easy and independent review of firewall and router operation. Reports can be generated that show actual traffic allowed and denied by firewall and router rule sets. PCI requires verification at least every six months.

Example Investigations:

• Network Service Summary

• Network Connection Summary

Compliance Requirement: 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.

How LogRhythm Supports Compliance: Verification that inbound and outbound traffic is properly controlled (limited and/or denied) for the cardholder data environment. LogRhythm detects and alerts on inbound internet activity within the cardholder data environment, providing verification of proper network activity and identification of improper network activity.

Compliance Requirement: 1.2.2 Verify that router configuration files are secure and synchronized.

How LogRhythm Supports Compliance: LogRhythm identifies synchronization events and can be used to verify the proper functioning of routers, firewalls, or other collaborative network devices. Reports provide a consolidated review of internal/external activity and threats.

Example Reports:

• Firewall And Router Policy Synchronization

Compliance Requirement: 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

How LogRhythm Supports Compliance: LogRhythm detects and alerts on inbound and outbound internet activity not restricted to the DMZ, identifying non-compliant network traffic or attempts to access services inside the DMZ that are not approved for Internet accessibility.

Example Investigations:

• Network Service Summary

• Network Connection Summary

Compliance Requirement: 1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment

How LogRhythm Supports Compliance: LogRhythm can detect and alert on activity where internal addresses are not passed from the Internet into the DMZ.

Example Investigations:

• Network Service Summary

• Network Connection Summary

Compliance Requirement: 1.3.5 Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.

How LogRhythm Supports Compliance: LogRhythm detects and alerts on any outbound activity not necessary for the payment card environment. Any access to IP addresses on unauthorized networks can be quickly identified.

Example Investigations:

• Network Service Summary

• Network Connection Summary

2. Do not use vendor-supplied defaults for system passwords and other security parameters

LogRhythm monitors the network for indications of improper behavior and signs of weak security configuration.

Compliance Requirement: 2.1 Always change vendor-supplied defaults before installing a system on the network—for example, include passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.

How LogRhythm Supports Compliance: LogRhythm can alarm on detected use of default passwords or known default accounts that should not be used in a secure deployment.

Example Alarms:

• Alarm On Default Account Usage

• Alarm On Anonymous Or Guest Account Usage

Compliance Requirement: 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web based management and other non-console administrative access.

How LogRhythm Supports Compliance: LogRhythm provides a record of all services used and can alarm on the use of non-encrypted protocols.

Example Investigations:

• Network Service Summary

• Network Connection Summary

• Use Of Non-Encrypted Protocols
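The two checks behind requirements 2.1 and 2.3 above (usage of default, anonymous or guest accounts, and non-encrypted administrative protocols, summarized per service the way a Network Service Summary would), as an added example rather than LogRhythm's own investigations or alarm rules. The key=value log format, the cleartext protocol set, the default-account list and the cardholder-environment host list are all constructed.

```python
"""Added example (not LogRhythm's code): the checks behind PCI DSS 2.1 and 2.3
over constructed logs: a Network Service Summary, a finding list for
non-encrypted administrative access, and an alarm on default/guest accounts."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed: protocols that carry management traffic in the clear.
CLEARTEXT_ADMIN = {"telnet", "ftp", "http", "snmpv1"}
# Constructed: vendor default, anonymous and guest accounts (compared case-insensitively).
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "cisco", "guest", "anonymous", "sa"}
# Constructed: hosts in the cardholder data environment that are administered remotely.
CDE_ADMIN_HOSTS = {"10.2.0.1", "10.2.0.20", "10.2.0.21"}

# Constructed firewall connection and authentication logs in key=value form.
CONN_LOGS = [
    "2012-03-05T14:00:01Z conn src=10.2.0.5 dst=10.2.0.1 dport=23 proto=telnet action=allow",
    "2012-03-05T14:00:07Z conn src=10.2.0.5 dst=10.2.0.1 dport=22 proto=ssh action=allow",
    "2012-03-05T14:01:30Z conn src=10.2.0.9 dst=10.2.0.20 dport=443 proto=https action=allow",
    "2012-03-05T14:02:12Z conn src=10.2.0.9 dst=10.2.0.20 dport=80 proto=http action=allow",
    "2012-03-05T14:02:40Z conn src=10.2.0.5 dst=10.2.0.21 dport=21 proto=ftp action=allow",
]
AUTH_LOGS = [
    "2012-03-05T14:03:00Z auth host=10.2.0.1 user=admin result=success",
    "2012-03-05T14:03:20Z auth host=10.2.0.20 user=jsmith result=success",
    "2012-03-05T14:04:05Z auth host=10.2.0.21 user=anonymous result=success",
    "2012-03-05T14:04:50Z auth host=10.2.0.1 user=Guest result=failure",
]


def fields(line: str) -> Dict[str, str]:
    """Parse the key=value pairs of one log line."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def service_summary(lines: List[str]) -> Dict[Tuple[str, int], int]:
    """Network Service Summary: connection count per (protocol, destination port)."""
    counts: Counter = Counter()
    for f in map(fields, lines):
        counts[(f["proto"], int(f["dport"]))] += 1
    return dict(counts)


def cleartext_admin_access(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Requirement 2.3: allowed connections to CDE admin hosts over a cleartext protocol."""
    return [(f["src"], f["dst"], f["proto"]) for f in map(fields, lines)
            if f["action"] == "allow" and f["dst"] in CDE_ADMIN_HOSTS
            and f["proto"] in CLEARTEXT_ADMIN]


def default_account_usage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Requirement 2.1: any logon attempt, successful or not, with a default or guest account."""
    return [(f["host"], f["user"], f["result"]) for f in map(fields, lines)
            if f["user"].lower() in DEFAULT_ACCOUNTS]
```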

3. Protect stored cardholder data

LogRhythm provides monitoring of changes in the cardholder environment and can

alarm on changes to security critical resources.

Compliance Requirements How LogRhythm Supports Compliance

3.6.7 Prevention of unauthorized substitution

of cryptographic keys

LogRhythm may alarm on actions that

affect specific files or objects, including

cryptographic keys. The details of who,

when and where a key was altered will be

available in real-time to the custodian(s).

Example Reports:

• File Integrity Monitoring Activity

4. Encrypt transmission of cardholder data across open, public networks

Page 29: LogRhythmLogRhythm– ––– Log & Event Management, File ... · PDF fileLogRhythmLogRhythm– ––– Log & Event Management, File integrity Monitoring, Endpoint Monitoring &

Log & Event Management, File integrity Monitoring, Endpoint Log & Event Management, File integrity Monitoring, Endpoint Log & Event Management, File integrity Monitoring, Endpoint Log & Event Management, File integrity Monitoring, Endpoint

Monitoring & Control in one integrated solutionMonitoring & Control in one integrated solutionMonitoring & Control in one integrated solutionMonitoring & Control in one integrated solution

Confidential Page 29 of 35

LogRhythm monitors network use to ensure that only the proper protocols are being

used in the cardholder data environment.

Compliance Requirements How LogRhythm Supports Compliance

4.1 Use strong cryptography and security

protocols such as SSL/TLS or IPSEC to

safeguard sensitive cardholder data

during transmission over open public

networks.

LogRhythm records which protocols are

being used in the cardholder data

environment, showing when any

unauthorized protocols or unencrypted

services are used. In addition, LogRhythm

is capable of alarming on conditions where

a system observes unencrypted

information passed when expecting only

encrypted traffic.

Example Investigations:

• Network Service Summary • Network Connection Summary

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
    LogRhythm can observe and report on detected wireless networks, identifying wireless access points that communicate with the cardholder data environment.
    Example Reports:
    • Wireless Access Points

5. Use and regularly update anti-virus software or programs

LogRhythm collects and can alarm on detected malware and compromises in the cardholder data environment.

Compliance Requirements How LogRhythm Supports Compliance

5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs
    LogRhythm detects and alerts on any error conditions originating from anti-virus applications and on the starting and stopping of their services, and identifies when new signatures are installed. Alarming can be configured to inform the custodian(s) when any malware is detected inside the cardholder data environment.
    Example Reports:
    • Malware Detected
    • Anti-Virus Signature Update Report
    Example Alarms:
    • Alarm On Malware

6. Develop and maintain secure systems and applications


Compliance Requirements How LogRhythm Supports Compliance

6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
    LogRhythm can track and report on when patches are installed on devices, showing which systems have had patching within the past month, or any other time frame as dictated by organizational policy.
    Example Reports:
    • Patches Applied

6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle.
    LogRhythm provides the intelligence that the logging of custom-written software needs to be effective. By providing a central system to which application logs are sent, rules can be created to provide proper alarming, reporting, and enhancement of the abilities of any custom application used in the cardholder data environment.

6.3.3 Separation of duties between development/test and production environments.
    LogRhythm can report on communications between production and development environments to ensure separation.

6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes.
    Vulnerabilities outlined in section 6.5 can be detected by real-time examination tools or by using compatible vulnerability scanning systems. Attempts to attack the web applications, such as exploitation of a cross-site scripting (XSS) vulnerability, can be alarmed on in real-time by LogRhythm.
    Example Reports:
    • Vulnerabilities Detected

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
• Installing a web-application firewall in front of public-facing web applications
    LogRhythm can address either solution by working in conjunction with systems that detect web exploits, such as Intrusion Detection Systems, Web-Application Firewalls, Stateful Inspection Firewalls, Web Servers, and other log sources, to analyze detected potential abuses as well as provide a way to investigate suspected breaches.
    Example Reports:
    • Suspicious Activity by User
    • Top Targeted Hosts
    • Suspicious Activity by Host
    • Top Targeted Applications
    • Top Suspicious Users
    • Vulnerabilities Detected


7. Restrict access to cardholder data by business need to know

LogRhythm monitors access privilege assignments and suspicious data accesses.

Compliance Requirements How LogRhythm Supports Compliance

7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
    Access to cardholder data can be monitored by the custodian(s) of the data in real-time by collecting access control system data. Account creation, privilege assignment and revocation, and object access can be validated using LogRhythm.
    Example Reports:
    • Host Authentication Summary
    • Disabled Accounts Summary
    • Applications Accessed by User
    • Removed Account Summary

8. Assign a unique ID to each person with computer access

LogRhythm helps identify shared account usage in the network, including non-obvious accounts with more than one user.

Compliance Requirements How LogRhythm Supports Compliance

8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
    Account creation can be monitored through reporting and investigations of logs pertaining to the creation and modification of accounts. Accounts that have more than one user may be identified through investigations of frequent and/or suspicious login activities.
    Example Reports:
    • Account Creation Activity
    • Account Modification Activity
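One way to implement the shared-account check described for requirement 8.1, as an added example that is not LogRhythm's own code or rule set: it parses constructed authentication events and flags any account whose successful logons arrive from two or more distinct source addresses inside a short window. The log format, user names, host names and addresses are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (users, hosts and addresses are
# made up for this example, not taken from the original document).
SAMPLE_AUTH_LOG = """\
2023-03-01T09:00:12Z user=jsmith host=cde-db01 src=10.1.20.15 result=success
2023-03-01T09:03:41Z user=svc_backup host=cde-app02 src=10.1.30.7 result=success
2023-03-01T09:04:05Z user=svc_backup host=cde-app02 src=10.1.30.9 result=success
2023-03-01T09:05:59Z user=svc_backup host=cde-db01 src=10.1.40.22 result=success
2023-03-01T09:20:10Z user=jsmith host=cde-db01 src=10.1.20.15 result=failure
2023-03-01T13:15:00Z user=mlopez host=cde-app02 src=10.1.20.31 result=success
2023-03-01T18:40:02Z user=mlopez host=cde-app02 src=10.1.20.55 result=success
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        event = dict(pair.split("=", 1) for pair in pairs)
        event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_shared_accounts(events, window=timedelta(minutes=10), min_sources=2):
    """Return {user: set_of_sources} for accounts whose successful logons came
    from at least `min_sources` distinct source addresses within `window`.

    Failed logons are ignored: a mistyped password from two machines is not
    evidence of sharing, but near-simultaneous successful sessions from
    different places is the pattern that reviewers should look at."""
    by_user = defaultdict(list)
    for event in events:
        if event.get("result") == "success":
            by_user[event["user"]].append(event)

    findings = {}
    for user, logons in by_user.items():
        logons.sort(key=lambda e: e["ts"])
        # Anchor a window at each logon and collect the sources seen inside it.
        for i, first in enumerate(logons):
            sources = {first["src"]}
            for later in logons[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                sources.add(later["src"])
            if len(sources) >= min_sources:
                findings.setdefault(user, set()).update(sources)
    return findings


if __name__ == "__main__":
    hits = find_shared_accounts(parse_events(SAMPLE_AUTH_LOG))
    for user, sources in hits.items():
        print(f"possible shared account: {user} used from {sorted(sources)}")
```

With the sample data only svc_backup is flagged at the default 10-minute window; widening the window to 12 hours also catches mlopez, which shows why the window is a tuning decision rather than a fixed rule.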

10. Track and monitor all access to network resources and cardholder data

LogRhythm automates collection, centralization and monitoring of logs from servers, applications, security and other devices, significantly reducing the cost of compliance.

Compliance Requirements How LogRhythm Supports Compliance

10.2 Implement automated audit trails for all system components to reconstruct PCI Standard specified events.
    LogRhythm’s core capabilities are centralization and proper management of log data that comprises the majority of the audit trail. Reports can be produced to show all audit activity from account creation, through account activity, to account removal. Support for reporting on log data from custom applications containing portions of the audit trail is easily achieved using LogRhythm’s built-in rule building tools.
    Example Reports:
    • Account Creation Activity
    • User Authentication Summary
    • User Access Summary
    • Account Modification

10.2.2 Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.
    LogRhythm collects all account management activities. LogRhythm reports ensure policy adherence by providing easy and standard review of all account management activity.
    Example Reports:
    • Account Creation Activity
    • Account Modification Activity
    • User Access Summary
    • Host Access Granted & Revoked

10.2.4 Implement automated audit trails for all system components to reconstruct all invalid logical access attempts.
    LogRhythm identifies failed access and authentication attempts for enterprise networked devices. LogRhythm automates the process of identifying high-risk activity and prioritizes based on asset risk. High-risk activity can be monitored in real-time or alerted on. LogRhythm reports provide easy and standard review of inappropriate, unusual, and suspicious activity.
    Example Reports:
    • Disabled Accounts Summary
    • Removed Account Summary
    • Audit Exceptions Event Summary
    • User Object Access Summary
    • Failed Host Access By User
    • Failed Application Access By User

10.3 Record user identification, type of event, date and time for each audit trail entry.
    LogRhythm timestamps and classifies each event received to match this requirement, and extracts useful information such as user identification, IP addresses and host names, objects accessed, vendor message ids, amounts affected (bytes, monetary values, quantities, durations), affected applications and other details useful for forensic investigation of the audit logs.

10.4 Synchronize all critical system clocks and times
    Many environments cannot synchronize system clocks to a single time standard, so LogRhythm independently synchronizes the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the logging hosts.

10.5.1 Limit viewing of audit trails to those with a job-related need
    LogRhythm includes discretionary access controls allowing you to restrict the viewing of audit logs to individuals based on their role and need-to-know.

10.5.2 Protect audit trail files from unauthorized modifications
    Using LogRhythm helps ensure audit trails are protected from unauthorized modification. LogRhythm collects logs immediately after they are generated and stores them in a secure repository. LogRhythm servers utilize access controls at the operating system and application level to ensure that log data cannot be modified or deleted.

10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult to alter
    LogRhythm automatically collects audit trails and stores them in a central and secure repository. When a log is collected, it is stored in a database for analysis and reporting and a copy is written to an archive file. The archive copy of the log also serves as a backup. Archive files can be written to SAN, NAS, or other central location providing for additional redundancy. Segregation can be performed by allowing only log traffic to pass through LogRhythm via firewall, filter control on a router, or configuring the LogRhythm appliance’s firewall to reject unanticipated connections.

10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.
    LogRhythm can securely collect logs from the entire IT infrastructure, including external-facing technologies, for storage on the internal LAN where a LogRhythm appliance resides.

10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
    LogRhythm includes an integrated file integrity monitoring capability that ensures our collection infrastructure is not tampered with. Additionally, LogRhythm servers utilize access controls at the operating system and application level to ensure log data cannot be modified or deleted. Alerts are customizable to prevent or allow alarms on a case-by-case basis, including not causing an alert when new data is added.

10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol
    LogRhythm supplies a one-stop repository from which to review log data from across the entire IT infrastructure. Reports can be generated and distributed automatically on a daily basis. LogRhythm provides an audit trail of who did what within LogRhythm and a report which can be provided to show proof of log data review.
    Example Reports:
    • LogRhythm Usage Auditing

10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up). An audit history usually covers a period of at least one year, with a minimum of 3 months available online.
    LogRhythm completely automates the process of retaining your audit trail. LogRhythm creates archive files of all collected log entries. These files are organized in a directory structure by day, making it easy to store, backup, and destroy log archives based on your policy.

11. Regularly test security systems and processes

LogRhythm can collect logs from intrusion detection/prevention systems and has integrated file integrity monitoring capabilities. The collection of IDS/IPS logs helps to ensure and validate compliance. LogRhythm’s file integrity monitoring capabilities can be used to directly meet requirement 11.5.

Compliance Requirements How LogRhythm Supports Compliance

11.4 Use network intrusion detection systems, host based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date.
    LogRhythm collects logs from network and host based IDS/IPS systems. Its risk-based prioritization and alerting reduce the time and cost associated with monitoring and responding to IDS/IPS alerts. The Personal Dashboard feature can be used to monitor intrusion related activity in real-time. A powerful Investigator tool makes forensic search easy and efficient. LogRhythm combined with IDS/IPS is an extremely powerful tool in identifying and responding to intrusion related activity efficiently and accurately.
    Example Reports:
    • Successful/Failed Host Access by User
    • Successful/Failed Application Access by User
    • Successful/Failed File Access by User
    • Top Attackers
    • Multiple Authentication Failures
    • Suspicious Activity By User and Host

11.5 Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files, and perform critical file comparisons at least daily (or more frequently if the process can be automated).
    LogRhythm agents include an integrated file integrity monitoring capability which can be used to detect and alert on the following for any file or directory: Reads; Modifications; Deletions; Permission Changes. This capability is completely automated. How often files are scanned is configurable. Files can be scanned at user-defined frequencies such as every 5 minutes or once a night.
    Example Reports:
    • File Integrity Monitoring Activity
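An added example (not LogRhythm's own agent code) of the append-tolerant integrity check that requirements 10.5.5 and 11.5 describe: a baseline of size, permission bits and SHA-256 is taken once, and each later scan reports new data appended to a log as informational while flagging rewrites of existing bytes, truncation, permission changes and deletion. Read detection, which 11.5 also lists, needs OS-level file access auditing and is not covered here; the file name, contents and modes are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

ALERTS = {"deleted", "permission_change", "truncated", "modified"}


def snapshot(path):
    """Baseline for one file: size, permission bits and SHA-256 of the contents."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": digest}


def hash_prefix(path, length):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read(length)).hexdigest()


def compare(path, baseline):
    """Classify how `path` differs from `baseline`; returns a list of findings."""
    if not os.path.exists(path):
        return ["deleted"]
    current = snapshot(path)
    findings = []
    if current["mode"] != baseline["mode"]:
        findings.append("permission_change")
    if current["size"] < baseline["size"]:
        findings.append("truncated")
    # Append-tolerant content check: the bytes that existed at baseline time
    # must still hash identically; bytes beyond the old size are new log data.
    elif hash_prefix(path, baseline["size"]) != baseline["sha256"]:
        findings.append("modified")
    elif current["size"] > baseline["size"]:
        findings.append("appended")
    else:
        findings.append("unchanged")
    return findings


def needs_alert(findings):
    """True when any finding is one that should alarm (appends are not)."""
    return any(f in ALERTS for f in findings)


def demo():
    """Run the checks against a constructed audit log in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        with open(log, "w") as f:
            f.write("2023-03-01 09:00:01 user=jsmith action=login\n")
        os.chmod(log, 0o640)              # fixed mode so the baseline is deterministic
        base = snapshot(log)
        with open(log, "a") as f:         # normal log growth: no alert expected
            f.write("2023-03-01 09:05:44 user=jsmith action=logout\n")
        results["append"] = compare(log, base)
        with open(log, "r+b") as f:       # rewriting bytes that already existed: alert
            f.seek(20); f.write(b"X")
        results["modify"] = compare(log, base)
        os.chmod(log, 0o666)              # loosened permissions: alert
        results["chmod"] = compare(log, base)
        os.remove(log)
        results["delete"] = compare(log, base)
    return results
```

In a real deployment the baselines would be persisted and the scan run at the configured interval (the 5-minute to nightly range the row mentions), with only the findings in ALERTS forwarded as alarms.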

12. Maintain a policy that addresses information security for employees and contractors

LogRhythm provides centralized intelligence that can support the organizational security policy, including incident handling and response. Because policies are flexible, LogRhythm is ready to expand beyond the cardholder data environment to provide support to other areas of the organization that need its critical services.

Compliance Requirements How LogRhythm Supports Compliance

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
    LogRhythm provides a centralized management system capable of alarming, reporting and investigating security breaches to the network. LogRhythm supports an incident response plan by providing the real-time enterprise detection intelligence to address issues quickly to prevent damage and exposure.
    Example Alarms:
    • Alarm On Attack
    • Alarm On Compromise
    • Alarm On Malware