LogRhythm
Log & Event Management, File Integrity Monitoring, Endpoint Monitoring & Control in one integrated solution
1. Introduction
Every organization is unique but with millions of logs to capture, analyze, and store daily, all
companies face similar challenges in utilizing log data efficiently to help solve complex
business challenges.
Recent regulations governing specific industries and publicly traded companies have instituted
standards for securing networks, systems, and data. Most organizations today face regulatory
requirements around secure log data collection, retention, review and reporting for both audit
and security purposes. Whatever the driver – PCI DSS, Sarbanes-Oxley, HIPAA, FISMA, NERC
or GLBA – organizations in a wide array of industries face a huge challenge meeting these
requirements easily, efficiently, and affordably. A common thread throughout all regulations is
a requirement to periodically review log data for the purpose of detecting intrusion, misuse,
and fraud. Most regulations also require the implementation of intrusion detection systems,
incident response procedures, and periodic reporting. Meeting these requirements can be time
intensive and costly.
Typically, organizations acquire and manage separate products for log management, event
management, file integrity monitoring and endpoint monitoring & control.
With logs accounting for up to 25% of an enterprise's total data, organizations are under the
gun to effectively manage and review the millions of logs generated on their networks every
day.
LogRhythm's turnkey solutions provide companies of all sizes easier and more affordable ways
to automate log management for compliance. LogRhythm offers organizations the convenience
and value of best-in-class log & event management, near real-time File Integrity Monitoring &
Endpoint Monitoring & Control in one solution.
By deploying LogRhythm, companies can immediately address and automate specific log data
review, storage and retention requirements. LogRhythm’s Security Event Management
capabilities provide a single centralized view of all security activity. LogRhythm’s automated
analysis engines automate the process of detecting and alerting on suspicious activity.
LogRhythm’s powerful forensic capabilities streamline the incident analysis & response process.
For regulatory reporting requirements, LogRhythm includes one-click pre-packaged reports.
Log & Event Management, File Integrity Monitoring, Endpoint Monitoring & Control in one integrated solution
Confidential Page 3 of 35
2. LogRhythm: One Integrated Solution
LogRhythm is an enterprise-class application that seamlessly combines Log & Event
Management, File Integrity Monitoring, and Endpoint Monitoring & Control into a single
integrated solution.
There is a wealth of information that can be derived from log data whether it originates in
applications, databases, servers, network devices or endpoint systems. By automating the
collection, organization, analysis, archiving and reporting of all log data, LogRhythm enables
organizations to easily meet specific requirements, whether driven by internal best practices,
or one of many compliance regulations. LogRhythm delivers valuable, timely and actionable
insights into security, availability, performance and audit-related issues in real-time.
By fully integrating functionality that is traditionally associated with Security Information and
Event Management (SIEM) with File Integrity Monitoring and Endpoint Monitoring & Control,
the collective value of all functions grows substantially.
For example, security personnel can be notified in near real-time when sensitive files are
changed, deleted, etc., and the activities can be traced back to an individual user. These
capabilities allow organizations to meet additional regulatory compliance requirements, such as
PCI DSS 11.5 and 12.9 requirements, without purchasing a separate product.
Similarly, if an employee were attempting to move highly sensitive data from his/her laptop to a
removable media device, LogRhythm would log the activity in near real time and report it, and if
the event mapped to a predefined alarm rule, the system could automatically send an alert
to the specific staff responsible for addressing potential data leakage incidents. Some
organizations may even choose to leverage LogRhythm’s Endpoint Monitoring & Control to
block movement of data to removable media altogether.
LogRhythm’s comprehensive solution empowers customers to centralize, simplify and
strengthen their compliance, security and IT operations posture. LogRhythm’s integrated
solution consists of:
• Log & Event Management:
o Automatically centralize & archive ALL logs
o Real-time event monitoring & alerting
o Powerful analytics & trending
o Automated reporting
o Real-time correlation & forensic investigations
o High-performance, scalable & easy-to-use
• File Integrity Monitoring:
o Monitors ALL types of files in near real-time
o Provides “user-aware” context to file changes
o Automated alerting on changes to critical files
o Fine-grain controls & filters
o Out-of-the-box policies provided for O/S & common applications
• Endpoint Monitoring & Control:
o Prevents the movement of data to & from removable media
o Extends Monitoring of data use to desktops/laptops
o Independently audits & logs the transfer of data to and from a variety of
removable devices
o Alerts & reports on inappropriate data transfers
Figure 1 LogRhythm, one integrated solution
3. LogRhythm’s features
3.1. LogRhythm’s Log & Event Management
Historically, log management and event management have been viewed by most as two
distinct functions that operated independently, and were usually purchased and managed
separately. However, at LogRhythm we have always believed that for any organization to fully
tap the potential value and insight of log data, the two functions must be delivered as one,
integrated solution. As such, from version 1.0 the LogRhythm solution has provided
log management, log analysis, event management, and reporting in a single fully
integrated system.
3.1.1. Describing the Log Management feature
Comprehensive Log Data Collection and Management
Being able to collect log data from across an enterprise regardless of its source, present the
logs in a uniform and consistent manner, and manage the state, location and efficient access to
those logs is an essential element of any comprehensive Log Management and Analysis
solution. The LogRhythm solution was designed to address core log management needs,
including:
• The ability to collect any type of log data regardless of source
• The ability to collect log data with or without installing an agent on the log source
device, system or application.
• The ability to “normalize” any type of log data for more effective reporting and analysis
• The ability to “scale-down” for small deployments and “scale-up” for extremely large
environments
• An open architecture allowing direct and secure access to log data via third-party
analysis and reporting tools
• A role-based security model providing user accountability and access control
• Automated archiving for secure long term retention
• Wizard-based retrieval of any archived logs in seconds
Cross-platform Log Collection
Today’s IT operations require many technologies: routers, firewalls, switches, file servers and
applications to name a few. LogRhythm has been designed to collect from them all through
intelligent use of agent-less and agent-based techniques.
• Windows Event Logs: Agent-less or Agent-based
LogRhythm can collect all types of Windows Event Logs with or without the use of an
agent. LogRhythm collects Event Logs via secure TCP transmission. Many Windows-based
applications write their logs to the Application Event Log or a custom Event Log.
Examples of supported log sources that can be collected by LogRhythm in real time
include:
• Windows System Event Log
• Windows Security Event Log
• Windows Application Event Log
• Microsoft Exchange Server application logs
• Microsoft SQL Server application logs
• Windows based ERP and CRM systems application logs
• Syslog
Many log sources, including most network devices (e.g. routers, switches, firewalls)
transmit logs via Syslog. LogRhythm includes an integrated Syslog server for receiving
and processing these messages. Simply point any syslog generating device to
LogRhythm and it will automatically begin collecting and processing those logs.
• Flat File Logs
LogRhythm can collect logs written to any ASCII-based text file. Whether it is a
commercial system or homegrown application, LogRhythm can collect and manage
them. Examples of supported log sources using this method include:
• Web servers logs (e.g. Apache, IIS)
• Linux system logs
• Windows ISA server logs
• DNS and DHCP server logs
• Host based intrusion detection/prevention systems
• Homegrown application logs
• Exchange message tracking logs
Universal Database Log Collection and Management
Since so much sensitive information resides in databases, it is important to monitor and track
access and activity surrounding important databases. The actual and reputational cost of a
theft of customer records can be very large. LogRhythm helps by collecting, analyzing, alerting and
reporting on logs from all ODBC-compliant databases including Oracle, Microsoft SQL Server,
IBM DB2, Informix, MySQL and others. It also captures data from custom audit logs and
applications that run on the database. This capability enables customers to use LogRhythm for
real-time database monitoring to guard against insider and outsider threats.
Agent-less and Agent-based collection
While most log sources can be collected by LogRhythm via agent-less methods, LogRhythm
also offers powerful, low-profile agent technology for situations where agents make sense.
Whether they are used for real-time flat file log collection or to aggregate and forward logs
from remote sites, LogRhythm agents are the perfect complement to any deployment.
LogRhythm agent features include:
• Collection of any flat-file ASCII text log in real time (e.g. web server and application
logs)
• Transmission over secure TCP
• Ability to aggregate and forward logs from multiple sources from any remote site (e.g.
retail store, branch location).
• Optional encryption during transmission
• Ability to schedule transmission if needed (e.g. due to bandwidth constraints)
• File-integrity monitoring
• Collection load-balancing for distributed deployments
Scalable Log Centralization
LogRhythm is architected to scale easily and incrementally as your needs grow. Whether you
need to collect 10 million or more than 1 billion logs per day, LogRhythm can handle it. With
LogRhythm, you simply deploy the capacity you need when you need it, preserving your initial
investment along the way. Deployments can start with a single, turnkey appliance and grow
easily by adding incremental log manager appliances as needs expand. With LogRhythm’s
“building blocks” distributed architecture, you can access and analyze logs throughout your
deployment with ease.
Log Archiving and Retrieval
Many businesses have compliance requirements to preserve historic log data and be able to
provide it in its original form for legal or investigative purposes. Collecting, maintaining and
recovering historic log data can be expensive and difficult.
LogRhythm completely automates the process of archiving and restoring log data. LogRhythm
automatically archives unaltered log data to “sealed” self-describing files that are saved,
organized and tracked by the system. Archive files can be saved on LogRhythm appliances or
any network storage device you choose. LogRhythm protects log integrity with a SHA-1 hash and
compresses the logs in a non-proprietary format. Compression typically results in a
95% reduction in storage requirements and associated cost. Archive files also include
'bookkeeping' information such as where and when the log data originated and other key
characteristics.
Recovering historic logs is a snap. The Archive Restoration Wizard makes it easy to restore
based on specific filtering criteria like date, user, system, etc. Hit start and LogRhythm takes
care of the rest. Once restored, log data can be analyzed using standard LogRhythm analysis
tools. What could have been weeks’ worth of effort becomes minutes with LogRhythm.
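As an added illustration of the archive-and-restore scheme described above (this is example code, not LogRhythm's own), the following Python seals a constructed batch of raw syslog lines into a gzip file with a SHA-1 digest and a bookkeeping manifest, refuses to restore if the digest no longer matches, and shows what a tampered archive looks like to the verifier. The manifest layout and file naming are assumptions of this example.

```python
"""Seal a batch of raw log lines into a compressed, self-describing archive
and verify it later. Illustrative code only (not LogRhythm's implementation);
the manifest layout and file naming are assumptions of this example."""
import gzip
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample: three raw syslog lines from one source, exactly as received.
SAMPLE_LOGS = [
    "Mar  3 14:02:11 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Mar  3 14:02:12 fw01 sshd[2211]: Failed password for root from 203.0.113.7 port 51412 ssh2",
    "Mar  3 14:02:15 fw01 sshd[2211]: Accepted password for alice from 198.51.100.4 port 40022 ssh2",
]


def seal_archive(lines, source_host, out_dir):
    """Write lines unaltered to <out_dir>/<name>.log.gz plus a JSON manifest.

    The SHA-1 is taken over the uncompressed bytes so integrity can be checked
    independently of the compression layer. Returns the manifest path.
    """
    raw = ("\n".join(lines) + "\n").encode("utf-8")
    digest = hashlib.sha1(raw).hexdigest()
    name = f"{source_host}-{digest[:12]}"
    data_path = os.path.join(out_dir, name + ".log.gz")
    manifest_path = os.path.join(out_dir, name + ".manifest.json")
    with gzip.open(data_path, "wb") as fh:
        fh.write(raw)
    manifest = {                       # 'bookkeeping' information kept beside the data
        "source_host": source_host,
        "log_count": len(lines),
        "raw_bytes": len(raw),
        "compressed_bytes": os.path.getsize(data_path),
        "sha1": digest,
        "sealed_at_utc": datetime.now(timezone.utc).isoformat(),
        "data_file": os.path.basename(data_path),
        "format": "gzip, utf-8, newline-delimited",
    }
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest_path


def verify_archive(manifest_path):
    """Return (ok, details); ok is False when the logs no longer match the sealed hash."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    data_path = os.path.join(os.path.dirname(manifest_path), manifest["data_file"])
    with gzip.open(data_path, "rb") as fh:
        raw = fh.read()
    actual = hashlib.sha1(raw).hexdigest()
    ok = actual == manifest["sha1"] and raw.count(b"\n") == manifest["log_count"]
    return ok, {"expected": manifest["sha1"], "actual": actual}


def restore_archive(manifest_path):
    """Return the original log lines, but only if integrity verification passes."""
    ok, _ = verify_archive(manifest_path)
    if not ok:
        raise ValueError("archive failed integrity check; refusing to restore")
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    data_path = os.path.join(os.path.dirname(manifest_path), manifest["data_file"])
    with gzip.open(data_path, "rt", encoding="utf-8") as fh:
        return fh.read().splitlines()


def demo():
    """Seal, restore, then tamper with the data file and show verification fails."""
    tmp = tempfile.mkdtemp()
    manifest = seal_archive(SAMPLE_LOGS, "fw01", tmp)
    before = verify_archive(manifest)[0]
    restored = restore_archive(manifest)
    # Tamper: rewrite the compressed file with the failed-login line dropped.
    data_path = manifest.replace(".manifest.json", ".log.gz")
    with gzip.open(data_path, "wb") as fh:
        fh.write(("\n".join(SAMPLE_LOGS[::2]) + "\n").encode("utf-8"))
    after = verify_archive(manifest)[0]
    return before, restored == SAMPLE_LOGS, after


if __name__ == "__main__":
    print(demo())
```

SHA-1 is used here only because it is the algorithm the text names; for a new deployment a SHA-2 family digest is the better choice, and the manifest should be stored or signed separately from the data it describes so that whoever can rewrite the archive cannot also rewrite its hash.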
Activity Auditing
For compliance verification, users’ and administrators’ actions within LogRhythm are logged.
LogRhythm user activity reports provide powerful proof that LogRhythm is actively used to
analyze log data for compliance purposes.
3.1.2. Describing the Log Analysis feature
Would it be valuable for you to be able to discover which users outside of a trusted user
community had accessed a file server that stores highly sensitive information? What about
knowing what systems had been affected by a zero-day exploit and prioritizing them based upon
the asset value of the impacted hosts? How about being able to be automatically alerted when
transactions in your financials application exceed a certain dollar amount? LogRhythm's
comprehensive log analysis engine can cull this level of insight from millions or even hundreds
of millions of logs in real time.
Automated Log Analysis
While some log entries can be extremely interesting and relevant to daily operations, many
can also be extremely uninteresting, at least in the short term. Still, it is important to collect
and manage all logs to ensure you don’t miss anything and can find what you need when you
need it. With manual or homegrown solutions, you would be searching for the proverbial
needle in the haystack. With LogRhythm, search, forensic analysis, trending and alerting are
simple. LogRhythm processes and normalizes logs to make it easy to identify and find
anything. LogRhythm’s intuitive and powerful analysis tools make any kind of analysis a
breeze.
Log Normalization
LogRhythm automates the process of finding interesting log entries via a powerful and
customizable log identification engine. When a log is identified, it is "normalized" for analysis
and reporting purposes. The log is assigned a "common name" and classified as either
security, operations, or audit related. Additional reporting information is parsed from the text
of the log such as IP addresses, UDP/TCP port numbers and logins.
An important aspect of log normalization is time synchronization. In many IT operations,
systems are spread across time-zones and system clocks aren't synchronized to a single
source. For this reason, LogRhythm automatically synchronizes the timestamps of all log
entries to a single 'normal time' for reporting and analysis purposes. This is extremely
valuable in analyzing log data across distributed systems where time of occurrence is
important. If one log was written at 3:00 PM EST and across the country, another log was
written at 12:00 PM PST, within LogRhythm they both occurred at the same time.
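The normalization and time-synchronization step described above, as an added Python example (not LogRhythm's engine): three constructed log lines that describe the same instant from hosts on Eastern, Pacific and UTC clocks are assigned a common name and classification, have IP address, port and login parsed out, and collapse to a single normal time. The rule table, field patterns and fixed zone offsets are assumptions of this example.

```python
"""Normalize heterogeneous log lines into one record shape with a single
'normal time' (UTC). Illustrative code only; the identification rules,
field patterns and fixed zone offsets are assumptions of this example."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the same instant seen by three sources whose clocks sit in
# different zones (Windows host on Eastern, Linux host on Pacific, firewall in UTC).
SAMPLE_LOGS = [
    ("win-dc01", "EST", "2010-03-03 15:00:00 Security 4625 An account failed to log on. "
                        "Account Name: bob Source Network Address: 203.0.113.7 Source Port: 51412"),
    ("lnx-web01", "PST", "2010-03-03 12:00:00 sshd[2211]: Accepted password for alice "
                         "from 198.51.100.4 port 40022 ssh2"),
    ("fw01", "UTC", "2010-03-03 20:00:00 kernel: DROP IN=eth0 SRC=203.0.113.7 "
                    "DST=192.0.2.10 PROTO=TCP DPT=22"),
]

# Assumed fixed offsets for the sample; a real collector takes zone data from the source.
ZONE_OFFSETS = {"EST": -5, "PST": -8, "UTC": 0}

# Assumed identification rules: pattern -> (common name, classification).
RULES = [
    (re.compile(r"4625|Failed password"), ("Failed Authentication", "audit")),
    (re.compile(r"Accepted password|4624"), ("Successful Authentication", "audit")),
    (re.compile(r"\bDROP\b"), ("Firewall Deny", "security")),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT = re.compile(r"(?:port|DPT=|Source Port:)\s*(\d{1,5})", re.I)
LOGIN = re.compile(r"(?:for|Account Name:)\s+([A-Za-z0-9_.-]+)")
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")


def to_normal_time(local_ts, zone):
    """Convert a naive local timestamp plus zone label into an aware UTC datetime."""
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=ZONE_OFFSETS[zone]))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def normalize(source, zone, line):
    """Return a normalized record, or None when no identification rule matches."""
    m = TS.match(line)
    if not m:
        return None
    local_ts, body = m.groups()
    for pattern, (common_name, classification) in RULES:
        if pattern.search(body):
            break
    else:
        return None
    ips = IPV4.findall(body)
    port = PORT.search(body)
    login = LOGIN.search(body)
    return {
        "source": source,
        "normal_time": to_normal_time(local_ts, zone),
        "common_name": common_name,
        "classification": classification,
        "origin_ip": ips[0] if ips else None,
        "port": int(port.group(1)) if port else None,
        "login": login.group(1) if login else None,
        "raw": line,                     # the unaltered log is always kept alongside
    }


def normalize_all(samples):
    """Normalize every (source, zone, line) tuple, dropping unidentified lines."""
    return [r for r in (normalize(*s) for s in samples) if r]


def same_instant(records):
    """True when all records collapse to one normal time despite differing local clocks."""
    return len({r["normal_time"] for r in records}) == 1


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LOGS):
        print(rec["normal_time"], rec["classification"], rec["common_name"], rec["login"])
```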
Figure 2 LogRhythm users have on-demand access to normalized data, prioritized events and
correlated information along with supporting raw log data all delivered in a single window for
compliance assurance, forensic analysis and root-cause investigations.
Risk-based Prioritization
LogRhythm automatically prioritizes each event based on its impact to your business’s
operations. Its risk-based prioritization calculates a 100-point priority based on the:
• Type of event
• Likelihood that the event is a false alarm
• Threat rating of the host causing the event (e.g., remote attacker), and
• Risk rating of the server on which the event occurred
LogRhythm's risk-based priority helps ensure the most important events are identified and
acted upon.
The impact of an event varies by business and, within a business, by system. For instance, a
router link failure might not be immediately critical for an ISP with redundant routers.
However, for a branch office with a single router, business is impacted until it is fixed. A server
reboot is uninteresting when seen on a user workstation, but when seen on an ERP server that
has 99.999% uptime requirements it is extremely interesting.
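An added Python sketch of the four-input, 100-point prioritization described above (not LogRhythm's actual model; the weights, base severities and 0-9 host ratings are assumptions of this example). It reproduces the text's own cases: a link failure on a lone branch router outranks the same failure on a redundant ISP core router, and a reboot of an ERP server outranks a reboot of a workstation.

```python
"""Risk-based event priority from event type, false-alarm likelihood, threat
rating of the originating host and risk rating of the impacted host.
Illustrative code only; every weight and rating below is an assumption."""

# Assumed base severity per event common name (0-100).
EVENT_BASE = {
    "Failed Authentication": 40,
    "Firewall Deny": 20,
    "Link Down": 60,
    "System Reboot": 30,
    "Malware Detected": 90,
}

# Assumed 0-9 ratings, as an asset inventory would supply them.
HOST_RISK = {            # how much the business depends on the impacted host
    "erp01": 9,          # ERP server with 99.999% uptime requirement
    "branch-rtr": 8,     # the only router at a branch office
    "isp-core-rtr-a": 3, # one of several redundant ISP core routers
    "ws-042": 1,         # ordinary user workstation
}
HOST_THREAT = {          # threat rating of the host causing the event
    "203.0.113.7": 8,    # constructed example of a known-hostile external address
    "10.1.1.5": 1,       # ordinary internal workstation
}

# Constructed sample events: (common name, false-alarm probability, origin host, impacted host).
SAMPLE_EVENTS = [
    ("Link Down", 0.1, "isp-core-rtr-a", "isp-core-rtr-a"),
    ("Link Down", 0.1, "branch-rtr", "branch-rtr"),
    ("System Reboot", 0.0, "ws-042", "ws-042"),
    ("System Reboot", 0.0, "erp01", "erp01"),
    ("Failed Authentication", 0.3, "203.0.113.7", "erp01"),
]


def priority(common_name, false_alarm_prob, origin_host, impacted_host):
    """Return an integer 0-100; higher means act sooner.

    Assumed weighting: half the score comes from the event type, 30 points from
    the impacted asset's risk rating and 20 from the origin's threat rating, and
    the whole is scaled by confidence (1 - false-alarm probability).
    """
    if not 0.0 <= false_alarm_prob <= 1.0:
        raise ValueError("false_alarm_prob must be in [0, 1]")
    base = EVENT_BASE.get(common_name, 10)             # unknown event types rate low
    confidence = 1.0 - false_alarm_prob
    risk = HOST_RISK.get(impacted_host, 3) / 9.0       # unknown assets: middling
    threat = HOST_THREAT.get(origin_host, 2) / 9.0     # unknown origins: low
    score = confidence * (0.5 * base + 30.0 * risk + 20.0 * threat)
    return int(round(min(score, 100.0)))


def rank(events):
    """Order events highest priority first; returns (priority, name, impacted host)."""
    scored = [(priority(n, p, o, i), n, i) for n, p, o, i in events]
    return sorted(scored, reverse=True)


if __name__ == "__main__":
    for score, name, host in rank(SAMPLE_EVENTS):
        print(f"{score:3d}  {name:<22} {host}")
```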
Event Forwarding
Identified log entries having the most immediate operational relevance are forwarded to the
Event Manager. This typically includes security events, audit failures, warnings and errors.
Event forwarding rules work “out of the box.” You also have the ability to tailor those rules to
your liking and create your own rules. The function of intelligently forwarding a subset of logs
provides the first layer of data reduction.
Log activity for specific filename patterns, IP addresses, hosts or users can also be monitored
easily. When security policies are violated, LogRhythm can automatically alert designated
individuals via e-mail, pager, existing management applications and the LogRhythm console.
Because only the most important log entries are forwarded as events, users are extremely
efficient with time they spend using the LogRhythm solution. Instead of having to weed
through numerous irrelevant log entries, the most important logs are automatically identified
for them.
LogRhythm features contextual event forwarding, which enables real-time identification and
alerting of anomalies within application, database and network activity. For example,
LogRhythm can be used to pinpoint specific exceptions such as transactions greater than a
specified dollar amount in a financial application, including when it occurred, who was
responsible, and which account was modified.
User-Driven Log Analysis
Once logs are collected, classified, normalized, prioritized, stored and correlated, some rise to
the level of an “event”. The LogRhythm Event Management function applies the real-time
monitoring, alerting, incident management and response appropriate for specific events.
Some events warrant a deeper investigation beyond the events themselves to include other
related log data. For these situations LogRhythm offers a comprehensive set of investigative
capabilities ranging from high-level trending and visualization to monitoring in real time the
activities associated with a specific user, system, device or information asset.
LogMart
The LogRhythm LogMart tool incorporates a powerful set of visualization, data trending and
search capabilities. LogMart aggregates millions of logs in a single graphical view, which can
expose exceptions in security, compliance and operations over short or long periods of time.
The powerful user-configurable charting and filtering capabilities enable users to quickly switch
from viewing months’ or even years’ worth of log trend data to drilling down to individual logs
exposing the root cause of a security breach or operational problem.
Figure 3 Visualize days’, months’ or even years’ worth of log data for powerful trending, anomaly
detection and analysis in a single screen. Accelerate root cause discovery via on-the-fly filtering
and drill-down features.
Investigator and Search
The LogRhythm Investigator is a powerful investigation tool used for searching and viewing
specific sets of logs and events, such as those associated with a specific user, set of users,
specific IP address or range, impacted hosts, impacted applications, date and time, and
more. An easy to use wizard guides users through the selection of criteria for their specific
investigation. Once defined, investigation criteria can be saved and used again. Investigations
can include events, log metadata, raw log data or any combination thereof.
LogRhythm also offers comprehensive search capabilities to meet the unique needs of a variety
of users. Whether you're an investigator looking for all activity associated with a specific user,
an IT operations manager seeking to understand performance trends for a particular server or
an auditor looking for a list of individuals outside of a trusted user community that accessed a
highly sensitive file server over the last 90 days, LogRhythm's quick search function can serve
up unique and highly valuable information derived from millions of logs quickly and easily.
Figure 4 LogRhythm’s easy-to-use wizard empowers users to quickly and efficiently search
through events, normalized logs and even raw log data from millions of logs over any period of
time, all from a single screen. Searches can range from simple key word and Boolean searches
to using multiple criteria including user and host names, IP addresses, dates and times, log
and/or event types, asset value etc.
3.1.3. Describing the Event Management feature
LogRhythm’s Event Management function combines real-time monitoring and alerting with
comprehensive incident management and response. LogRhythm’s Personal Dashboards
present event information in the most useful and effective manner to meet the specific needs
of individual users. The dashboard also acts as a portal to a suite of highly effective
investigative and reporting tools including the LogRhythm Investigator and LogMart.
Real-time Monitoring
Because LogRhythm collects and analyzes logs in real-time, logs deemed to be events are
immediately forwarded as such and are escalated according to their level of criticality. Event
information is delivered in real time to the personal dashboards of those users predefined as
authorized viewers for those classifications of events. Through the personal dashboard users
can monitor events in real time and quickly review and drill down as appropriate. LogRhythm
dashboards can be easily customized by and for each user. As a result, every user sees and
can analyze the information that is most relevant to them and their role.
Figure 5 LogRhythm’s Personal Dashboard provides users with real-time visibility into
Compliance/Audit, Security and Operations related events and alerts as well as access to raw
log data for millions of logs in a single screen. From the dashboard users can perform numerous
activities including launching investigations, customizing alerts and drilling down into
normalized and raw log data, all while maintaining user audit tracking for compliance and
reporting purposes.
Role-based Alerting
LogRhythm can easily be configured to send alerts on critical events or combinations of events
to an individual or groups of individuals based upon user roles, asset values of impacted
systems or applications, or a variety of other factors related to ensuring the right alerts reach
the right people at the right time.
Figure 6 LogRhythm’s customizable personal dashboard allows users of differing functional
roles to receive actionable alerts in real time on events that are meaningful and applicable to
their specific job function or responsibility. This role-based alerting function can deliver alerts
via the dashboard or via numerous other mechanisms including SMTP and SNMP.
Incident Management & Response
The LogRhythm solution includes comprehensive incident management capabilities. Incidents
(alarms) are viewed and managed via the real-time personal dashboard. Every action taken
on an alarm is documented (who was notified, when it was analyzed, work that was done, etc.)
as part of the alarm history. A comprehensive set of reports provides a full history of incident
management activity and response. Whether your requirements for tracking incident
management activities are driven by compliance mandates or internal best practices, the
LogRhythm incident management functions will deliver on your reporting, tracking and audit
needs.
3.1.4. Describing the Intelligent IT Search feature
Logs are the digital fingerprints for virtually all network, system and application activity.
Whether you’re searching for the root cause of a system failure or performance issue, looking
for present or potential threats, conducting an IT investigation or satisfying an eDiscovery
request from Legal or HR, chances are you’ll be searching through log data.
For IT professionals, the question isn’t whether or not you’ll be searching log data; the
question is how quickly you can find the information you’re looking for, if at all. Will it take
days, weeks or months, or can you find it with a few clicks of the mouse? The answer depends
on four things:
• Is your log data collected centrally from all log sources and stored in an intelligent
indexed format?
• How well has your log data been enriched and prepared for Intelligent search?
• How intuitive and quick is the search process?
• How meaningful and insightful are the search results?
Traditional approaches to log search require users to know precisely what they are looking for,
and to create, then refine search terms to locate events that map to their query. LogRhythm
processes logs and tags them using a rich and granular three tier classification model that
enables users to perform intelligent IT search. This capability assesses the impact of events in
multiple dimensions to extract meaning from what would otherwise appear to be just isolated
logs.
By adding this additional intelligence to raw logs, LogRhythm enables IT organizations to
quickly identify internal and external threats, operations issues and compliance violations.
Additionally, Intelligent IT Search simplifies and accelerates forensic investigations and
eDiscovery responses.
Figure 7 Search results can be viewed in textual or 3-D graphical presentation for rapid
identification of anomalies and quick drill down for investigations
Adding Intelligence to Raw Logs
LogRhythm enriches logs with the following information to generate query results that provide
intelligence, not simply data:
• Universal time stamp for every log: Essential for accurate correlation and
contextualization, especially when conducting forensic analysis of events that span
multiple geographies.
• Three Tier Classification System
o Security: Compromise, Attack, Denial of Service, etc.
o Operations: Critical Event, System Error, Warning, etc.
o Audit: Admin Account Creation, Failed Authentication, etc.
• Prioritization of Events - 100 point risk model prioritizes events based on what
happened, what systems or applications were impacted, what users were involved, etc.
• User and Host Contextualization – Differentiates origin from impacted users and hosts.
Enables security teams to rapidly identify exposure, impacted users and systems,
determine the origin of threats and the direction of the activity. For example, a large
file transfer (10 MB) from a sensitive internal database (SAP) to an external IP address
(in Romania).
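To make the enrichment model above concrete, here is an added example (not LogRhythm code) that takes a handful of constructed raw log lines and performs each step: it normalises the timestamp to UTC, assigns a three-tier classification, computes a 100-point risk score from the classification and a hypothetical asset rating, separates the origin of the activity from the impacted host (and so derives direction), and then runs a search over the enriched fields rather than the raw text. The log format, the asset ratings, the classification patterns and the risk weights are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample logs (not from the original page). Hypothetical format:
# "<ISO-8601 timestamp with offset> <reporting host> <message>"
RAW_LOGS = [
    "2012-03-05T09:14:02-05:00 fw01 DENY tcp src=203.0.113.7 dst=10.1.5.20 dport=22",
    "2012-03-05T15:14:05+01:00 db01 user=jsmith action=file_transfer bytes=10485760 dst=198.51.100.9 app=SAP",
    "2012-03-05T14:14:09Z ad01 user=admin action=account_created target=svc_backup",
    "2012-03-05T14:14:12Z web02 service httpd exited with error 1",
    "2012-03-05T14:14:20Z ad01 user=tsmith action=auth_failed src=10.1.7.33",
]

# Hypothetical asset ratings (1-10): the kind of context a risk model draws on.
ASSET_VALUE = {"db01": 9, "ad01": 8, "web02": 5, "fw01": 6}
INTERNAL_PREFIXES = ("10.",)  # toy "is this address ours?" test

# Three-tier classification (Security / Operations / Audit); first match wins.
CLASSIFIERS = [
    (re.compile(r"\bDENY\b"), ("Security", "Attack")),
    (re.compile(r"action=file_transfer"), ("Security", "Suspicious Activity")),
    (re.compile(r"action=account_created"), ("Audit", "Admin Account Creation")),
    (re.compile(r"action=auth_failed"), ("Audit", "Failed Authentication")),
    (re.compile(r"exited with error"), ("Operations", "System Error")),
]
BASE_RISK = {"Attack": 60, "Suspicious Activity": 50, "Admin Account Creation": 40,
             "Failed Authentication": 30, "System Error": 20, "Warning": 10}
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


@dataclass
class EnrichedLog:
    utc_time: datetime
    host: str
    tier: str
    classification: str
    risk: int
    origin: str
    impacted: str
    direction: str
    user: Optional[str]
    raw: str


def to_utc(stamp: str) -> datetime:
    """Normalise a timestamp carrying its local offset (or 'Z') to UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def enrich(line: str) -> EnrichedLog:
    stamp, host, message = line.split(" ", 2)
    fields = dict(KEY_VALUE.findall(message))
    tier, cls = "Operations", "Warning"              # default for unclassified logs
    for pattern, (t, c) in CLASSIFIERS:
        if pattern.search(message):
            tier, cls = t, c
            break
    src, dst = fields.get("src"), fields.get("dst")
    origin = src or host                             # who acted
    impacted = dst or fields.get("target") or host   # what was acted upon
    if src and not is_internal(src):
        direction = "inbound"
    elif dst and not is_internal(dst):
        direction = "outbound"
    elif src or dst:
        direction = "internal"
    else:
        direction = "local"
    # 100-point risk: what happened + how valuable the host is + whether the Internet is involved
    risk = BASE_RISK[cls] + 3 * ASSET_VALUE.get(host, 1)
    if direction in ("inbound", "outbound"):
        risk += 15
    return EnrichedLog(to_utc(stamp), host, tier, cls, min(risk, 100),
                       origin, impacted, direction, fields.get("user"), line)


def enrich_all(lines=RAW_LOGS) -> List[EnrichedLog]:
    return [enrich(line) for line in lines]


def search(records, tier=None, min_risk=0, user=None, direction=None):
    """Query over enriched fields instead of refining free-text search terms."""
    return [r for r in records
            if (tier is None or r.tier == tier)
            and r.risk >= min_risk
            and (user is None or r.user == user)
            and (direction is None or r.direction == direction)]


if __name__ == "__main__":
    for r in sorted(enrich_all(), key=lambda r: r.risk, reverse=True):
        print(f"{r.utc_time:%Y-%m-%dT%H:%M:%SZ} risk={r.risk:3d} {r.tier}/{r.classification}: "
              f"{r.origin} -> {r.impacted} ({r.direction}) user={r.user}")
```

Run as a script it lists the five events highest risk first; the two Security events involving external addresses land at the top even though the raw lines say nothing about risk, which is the point of enriching before searching.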
Utility Tool Chest for Intelligent IT Search
Once log data is enriched, LogRhythm’s broad suite of search utilities empowers users to
rapidly investigate, view, correlate and visualize logs in a variety of ways to meet specific
search objectives. The Intelligent Search Utilities include:
• Wizard-based Search - Easily create complex search criteria across normalized,
classified and contextualized data
• Real-time Search - Apply search criteria to log data as it is generated in real time via
LogRhythm Tail. Configure alerts to be sent whenever conditions matching the specified search
criteria occur in the future.
• Visualization - Present millions of logs in 3-D graphical representation to discover
anomalies and analyze trends
• One-click Correlation - Rapidly refine search with a single click on related data
• Quick Search Tool Bar - Provides rapid search initiation directly from any screen
Figure 8 The LogRhythm Quick Search Toolbar enables users to launch a search quickly from
any screen in the LogRhythm console based upon a variety of attributes such as email address,
port, user, host, event type, time frame, etc. In this sample use case we’re searching for all
audit-related activity that a terminated administrator (Trent Heisler) performed during the 7
days prior to his termination.
Investigator and Search
The LogRhythm Investigator is a powerful investigation tool used for searching and viewing
specific sets of logs and events, such as those associated with a specific user, set of users,
specific IP address or range, impacted hosts, impacted applications, date and time, and
more. An easy to use wizard guides users through the selection of criteria for their specific
investigation. Once defined, investigation criteria can be saved and used again. Investigations
can include events, log metadata, raw log data or any combination thereof.
LogRhythm also offers comprehensive search capabilities to meet the unique needs of a variety
of users. Whether you're an investigator looking for all activity associated with a specific user,
an IT operations manager seeking to understand performance trends for a particular server or
an auditor looking for a list of individuals outside of a trusted user community that accessed a
highly sensitive file server over the last 90 days, LogRhythm's quick search function can serve
up unique and highly valuable information derived from millions of logs quickly and easily.
Figure 9 LogRhythm’s easy-to-use wizard empowers users to quickly and efficiently search
through events, normalized logs and even raw log data from millions of logs over any period of
time, all from a single screen. Searches can range from simple keyword and Boolean
searches to using multiple criteria including user and host names, IP addresses,
dates and times, log and/or event types, asset value etc.
3.2. LogRhythm’s File Integrity Monitoring
LogRhythm provides comprehensive file integrity monitoring that is fully integrated with
enterprise-class log & event management as well as endpoint monitoring & control. This
integrated approach enables LogRhythm customers to simplify and strengthen their security,
audit and compliance posture.
Fully Integrated with Log & Event Management & Endpoint Monitoring & Control
• Addresses the file integrity monitoring requirements of PCI DSS, among the most complex elements of the standard to satisfy
• Central & policy-based configuration and administration
• User activity monitoring syncs user context to file
changes/deletions/additions/permission changes, etc. (e.g., at time of change: who was
logged in, for how long, what else did they do, etc.)
Monitors All Types of Files in Near-real Time
• Including: executables, configuration files, content files, log and audit files, web files,
database files, etc.
• Configurable frequency of scanning and reporting (e.g., scan every minute for password
files, scan daily for general business files, etc.)
Fine-grain Controls and Filters
• Ensures only applicable files/folders are monitored as often as required
Out-of-the-box Policies Provided for O/S and Common Applications
• Supported on Windows, Unix and Linux systems
3.3. LogRhythm’s Endpoint Monitoring & Control
LogRhythm Endpoint Monitoring & Control tracks, alerts on, logs, and audits all movement of
data to removable media ports and can optionally block data transfers on selected machines
and devices.
These capabilities monitor USB ports, RAM drives, and CD/DVD drives on Microsoft Windows
systems. Administrators can centrally configure and manage policies for their entire
organization from the LogRhythm console.
Since these capabilities are integrated with log data, LogRhythm can link activity to responsible
users, establish audit trails, and meet a broader set of regulatory compliance requirements.
Endpoint Monitoring & Control
• Can block the movement of data to & from endpoint devices (optional, per policy)
• Independently audits & logs the transfer of data to & from a variety of removable
devices including:
o USB thumb/hard drives
o Memory cards
o CD/DVD drives
• Allows for the optional ejection of USB devices on a universal or per-system basis
• Alerts & reports on inappropriate data transfers (e.g., to support employee termination
procedures & internal audit requirements by investigating the transfer of data)
• Available in the Windows System Monitor
3.4. LogRhythm’s Advanced Reporting
LogRhythm offers a comprehensive set of reporting capabilities ranging from pre-packaged
compliance reports to custom and on-the-fly reporting to meet the unique requirements of
individual customers and situations. Every LogRhythm solution comes with our full suite of
automated compliance reports for SOX, PCI, FISMA, GLBA, HIPAA, NERC CIP and more.
Customers can schedule the creation and delivery of these reports to meet their specific
compliance requirements. LogRhythm also provides many other useful reports out of the box.
Also, any search or investigation results can be quickly turned into a report on-the-fly using
one of LogRhythm’s many report templates. Users can also create and save custom reports.
In short, LogRhythm provides virtually unlimited reporting capabilities.
4. LogRhythm automates compliance
Most organizations today face regulatory requirements around secure log data collection,
retention, review and reporting for both audit and security purposes. Whatever the driver –
PCI DSS, Sarbanes Oxley, HIPAA, FISMA, NERC or GLBA – organizations in a wide array of
industries face a huge challenge meeting these requirements easily, efficiently, and affordably.
With logs accounting for up to 25% of an enterprise's total data, organizations are under the
gun to effectively manage and review the millions of logs generated on their networks every
day.
LogRhythm's turnkey solutions provide companies of all sizes easier and more affordable ways
to automate log management for compliance.
Affected Industries Matrix
The following chart lists the regulations affecting specific industries.
LogRhythm Compliance Checklist
The following chart lists the compliance areas addressed by LogRhythm within each regulation.
LogRhythm’s compliance features cover the areas of periodic log review, log data
centralization, safeguarding, archiving and destruction, file integrity monitoring, intrusion
detection and reporting. The explanation of LogRhythm’s compliance areas follows:
• Periodic Log review: Periodic log review consists of reviewing audit, system, and
application logs on a regular basis for the purpose of detecting unauthorized activity
and assessing the general health of systems and applications. LogRhythm significantly
reduces the log review effort by automatically identifying high interest log events and
detecting suspicious activity via rules and anomaly based log data analysis engines.
• Log data centralization and safeguarding: Log data centralization and safeguarding
consists of moving or copying log data to a centralized data store. The central data
store can provide a secondary copy of log data and secure the log data from
unauthorized access and modification. It also allows log data from multiple systems to
be analyzed simultaneously. LogRhythm provides agent and agent-less cross-platform log
collection and secure log data centralization.
• Log data archiving and destruction: Log data archiving and destruction is the
process of permanently destroying (deleting) log data or preparing log data for long
term storage. Many standards require log data to be stored for months or even years
before it can be destroyed. LogRhythm automates the process of destroying and
archiving log data.
• File Integrity Monitoring: File integrity monitoring consists of monitoring the files on
a system for read access, modification, deletion, and changes to access control
settings. File integrity monitoring is typically accomplished via software that periodically
checks systems for changes to sensitive files (e.g., password files, configuration files,
programs). Monitoring the integrity of files is required by many standards for the
purpose of detecting unauthorized changes to a system or its data. LogRhythm agents
have built-in file integrity monitoring capabilities.
• Intrusion detection: Intrusion detection is the process of detecting intrusions into the
network, systems, and applications whether the intruder is an external hacker or a
disgruntled employee. Intrusion detection typically involves deploying network and
host-based intrusion detection systems as well as reviewing the security logs of
network devices, systems, and applications. LogRhythm can integrate with existing
intrusion detection systems or be deployed with low-cost open source solutions such as
Snort to create a much more effective multi-layer intrusion detection solution.
• Incident response: Incident response is the process of responding to and resolving an
incident whether the incident be an intrusion or the failure of a critical financial system
(e.g., general ledger application). Many standards require that formal incident response
procedures be put in place and that tools exist for expediting and tracking the incident
response process. LogRhythm provides advanced analysis and reporting tools to
support and expedite the incident response process.
• Reporting: Reporting is the process of producing periodic reports on the integrity and
security of the network, systems, and data. Reporting is required by many standards
for the purpose of providing executives, managers, auditors, and other compliance
related personnel a formal, written account of activity. LogRhythm automates the
reporting process via its included reports and can be easily extended to meet custom
reporting requirements.
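The file integrity monitoring described in section 3.2 and in the File Integrity Monitoring bullet above is, at its core, a baseline of content hashes and permission metadata that is re-checked on a schedule. The following added example (not LogRhythm's agent) implements exactly that: per-policy include/exclude filters so only applicable files are scanned, a per-policy scan interval (every minute for password files, daily for business files), detection of added, deleted, modified and permission-changed files, and a constructed user-context record attached to each event in the way an integrated log platform would. The directory layout, the policies and the tampering scenario are all constructed for the example.

```python
import fnmatch
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    """What to watch and how often (hypothetical policy model)."""
    name: str
    root: str
    include: Tuple[str, ...]   # glob patterns relative to root
    exclude: Tuple[str, ...]
    interval_s: int            # scan frequency in seconds


def fingerprint(path: str) -> Dict[str, object]:
    """Content hash plus the metadata that permission changes show up in."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid}


def monitored_files(policy: Policy) -> List[str]:
    """Apply include/exclude filters so only applicable files are scanned."""
    paths = []
    for dirpath, _, names in os.walk(policy.root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, policy.root).replace(os.sep, "/")
            if any(fnmatch.fnmatch(rel, p) for p in policy.include) and \
               not any(fnmatch.fnmatch(rel, p) for p in policy.exclude):
                paths.append(full)
    return sorted(paths)


def snapshot(policy: Policy) -> Dict[str, Dict[str, object]]:
    return {p: fingerprint(p) for p in monitored_files(policy)}


def diff(policy: Policy, baseline: dict, current: dict, context: dict) -> list:
    """Emit (event, policy name, path, context) tuples for every change since the baseline."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append(("added", policy.name, path, context))
        elif new is None:
            events.append(("deleted", policy.name, path, context))
        else:
            if old["sha256"] != new["sha256"]:
                events.append(("modified", policy.name, path, context))
            if old["mode"] != new["mode"] or old["uid"] != new["uid"]:
                events.append(("permission_changed", policy.name, path, context))
    return events


class Monitor:
    """Keeps a baseline per policy and rescans a policy only when its interval has elapsed."""

    def __init__(self, policies: List[Policy], now: float):
        self.policies = policies
        self.baselines = {p.name: snapshot(p) for p in policies}
        self.last_scan = {p.name: now for p in policies}

    def scan_due(self, now: float, context: dict) -> list:
        events = []
        for p in self.policies:
            if now - self.last_scan[p.name] < p.interval_s:
                continue                       # not this policy's turn yet
            current = snapshot(p)
            events += diff(p, self.baselines[p.name], current, context)
            self.baselines[p.name] = current
            self.last_scan[p.name] = now
        return events


def demo():
    """Constructed scenario: a password file is tampered with and a business file is edited."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "data"))
        passwd = os.path.join(root, "etc", "passwd")
        report = os.path.join(root, "data", "report.txt")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(report, "w") as fh:
            fh.write("Q1 figures\n")
        policies = [
            Policy("password-files", root, ("etc/*",), (), interval_s=60),
            Policy("business-files", root, ("data/*",), ("data/*.tmp",), interval_s=86400),
        ]
        t0 = 1_000_000.0                       # simulated clock, seconds
        monitor = Monitor(policies, now=t0)
        # Tampering: an extra UID-0 account is appended and the file mode is changed.
        with open(passwd, "a") as fh:
            fh.write("backdoor:x:0:0::/:/bin/sh\n")
        os.chmod(passwd, 0o400)
        with open(report, "a") as fh:
            fh.write("revised\n")
        # User context a log-integrated FIM would attach to the change (constructed here).
        context = {"logged_in_user": "jsmith", "session_start": "2012-03-05T14:02:00Z"}
        first = monitor.scan_due(now=t0 + 60, context=context)      # only the 60 s policy is due
        second = monitor.scan_due(now=t0 + 86400, context=context)  # the daily policy is now due
        os.chmod(passwd, 0o644)                # let the temporary directory clean up
        return first, second


if __name__ == "__main__":
    for scan in demo():
        for event, policy, path, ctx in scan:
            print(f"{policy}: {event} {path} (user={ctx['logged_in_user']})")
```

The first scan reports both the content change and the permission change on the password file but says nothing about the business file, because that policy's daily interval has not elapsed; the second scan reports only the business file, since the password file has not changed again since its own last baseline.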
5. LogRhythm and PCI Compliance
The collection, management, and analysis of log data are integral to meeting PCI audit
requirements. IT environments include many heterogeneous devices, systems, and
applications that all report log data. Millions of individual log entries can be generated daily, if
not hourly. The task of simply assembling this information can be overwhelming in itself. The
additional requirements of analyzing and reporting on log data render manual processes or
homegrown remedies inadequate and costly.
LogRhythm has extensive experience in helping organizations improve their overall security
and compliance posture while reducing costs. Log collection, archive, and recovery are fully-
automated across the entire IT infrastructure. LogRhythm automatically performs log data
categorization, identification, and normalization to facilitate easy analysis and reporting.
LogRhythm’s best-of-breed log management capabilities enable automatic identification of the
most critical events and notification of relevant personnel through its powerful Alarming
capabilities.
LogRhythm provides out-of-the-box PCI compliance. As part of the PCI Compliance Package,
enterprise assets are categorized according to Network Security, Cardholder Data, Vulnerability
Management, Access Control, Network Monitoring and Testing, and Information Security
Policy.
To ensure compliance with PCI requirements, information systems are monitored in real-time.
Investigations, Reports and Alarm Rules are provided, allowing for immediate notification and
analysis of conditions that impact the integrity of the organization’s cardholder data. Areas of
non-compliance can be identified in real time. Additional Investigations, Reports and Alarm
Rules are provided as part of LogRhythm’s standard Knowledge Base to further augment the
usefulness of the log data. Reports can be generated as needed by the PCI Qualified Security
Assessor (QSA) and scheduled to run at pre-determined intervals.
The table below explains how LogRhythm and the PCI Compliance Package address the six
sections of the standard:
The following outlines how LogRhythm directly supports the requirements of each PCI DSS section.
LogRhythm’s Compliance Support on PCI DSS requirements
1. Install and maintain a firewall configuration to protect data
LogRhythm collects logs from firewall devices to ensure and validate compliance.
Compliance Requirement: 1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
How LogRhythm Supports Compliance: LogRhythm provides monitoring and investigations to perform testing procedures 1.1.5a and 1.1.5b by showing the use of protocols in the network environment. Testing requires verification that all used services, protocols and ports have a business need.
Example Investigations:
• Network Service Summary
• Network Connection Summary

Compliance Requirement: 1.1.6 Periodic review of firewall/router rule sets.
How LogRhythm Supports Compliance: Reporting facilitates easy and independent review of firewall and router operation. Reports can be generated that show actual traffic allowed and denied by firewall and router rule sets. PCI requires verification at least every six months.
Example Investigations:
• Network Service Summary
• Network Connection Summary

Compliance Requirement: 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
How LogRhythm Supports Compliance: Verification that inbound and outbound traffic is properly controlled (limited and/or denied) for the cardholder data environment. LogRhythm detects and alerts on inbound Internet activity within the cardholder data environment, providing verification of proper network activity and evidence of improper network activity.

Compliance Requirement: 1.2.2 Verify that router configuration files are secure and synchronized.
How LogRhythm Supports Compliance: LogRhythm identifies synchronization events and can be used to verify the proper functioning of routers, firewalls, or other collaborative network devices. Reports provide a consolidated review of internal/external activity and threats.
Example Reports:
• Firewall And Router Policy Synchronization

Compliance Requirement: 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
How LogRhythm Supports Compliance: LogRhythm detects and alerts on inbound and outbound Internet activity not restricted to the DMZ, identifying non-compliant network traffic or attempts to access services inside the DMZ that are not approved for Internet accessibility.
Example Investigations:
• Network Service Summary
• Network Connection Summary

Compliance Requirement: 1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.
How LogRhythm Supports Compliance: LogRhythm can detect and alert on activity where internal addresses are passed from the Internet into the DMZ.
Example Investigations:
• Network Service Summary
• Network Connection Summary

Compliance Requirement: 1.3.5 Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ.
How LogRhythm Supports Compliance: LogRhythm detects and alerts on any outbound activity not necessary for the payment card environment. Any access to IP addresses in unauthorized networks can be quickly identified.
Example Investigations:
• Network Service Summary
• Network Connection Summary
2. Do not use vendor-supplied defaults for system passwords and other security
parameters
LogRhythm monitors the network for indications of improper behavior and signs of
weak security configuration.
Compliance Requirement: 2.1 Always change vendor-supplied defaults before installing a system on the network. This includes passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
How LogRhythm Supports Compliance: LogRhythm can alarm on detected use of default passwords or known default accounts that should not be used in a secure deployment.
Example Alarms:
• Alarm On Default Account Usage
• Alarm On Anonymous Or Guest Account Usage

Compliance Requirement: 2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
How LogRhythm Supports Compliance: LogRhythm provides a record of all services used and can alarm on the use of non-encrypted protocols.
Example Investigations:
• Network Service Summary
• Network Connection Summary
• Use Of Non-Encrypted Protocols
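Requirements 1.2.1 through 1.3.5 and 2.3 above all come down to checking observed flows against a zone model of the cardholder data environment. The added example below (not LogRhythm's investigations) classifies the source and destination of each row in a constructed firewall log export into CDE, DMZ, corporate or Internet zones, flags flows that breach the inbound/outbound restrictions or use a cleartext protocol toward a CDE host, distinguishes allowed flows (violations) from denied ones (blocked attempts), and produces a Network Service Summary of the services actually allowed between zones for the 1.1.5 business-justification review. The address plan, the log columns and the cleartext-port list are assumptions made for the example.

```python
import csv
import io
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Hypothetical address plan; dict order matters: specific zones before the catch-all.
ZONES = {
    "CDE": [ipaddress.ip_network("10.10.0.0/24")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "Corp": [ipaddress.ip_network("10.0.0.0/8")],
}
# Ports whose cleartext use toward cardholder systems fails 2.3 / 4.1 (assumed list).
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp"}

# Constructed firewall log export (not from the page). Column names are hypothetical.
FIREWALL_LOG = """\
time,action,proto,src,dst,dport
2012-03-05T14:00:01Z,ALLOW,tcp,203.0.113.7,10.20.0.5,443
2012-03-05T14:00:02Z,ALLOW,tcp,10.20.0.5,10.10.0.12,1433
2012-03-05T14:00:03Z,ALLOW,tcp,198.51.100.9,10.10.0.12,22
2012-03-05T14:00:04Z,DENY,tcp,198.51.100.9,10.10.0.12,22
2012-03-05T14:00:05Z,ALLOW,tcp,10.10.0.12,198.51.100.20,443
2012-03-05T14:00:06Z,ALLOW,tcp,10.5.1.4,10.10.0.12,23
2012-03-05T14:00:07Z,ALLOW,tcp,10.5.1.4,10.10.0.12,22
2012-03-05T14:00:08Z,ALLOW,tcp,203.0.113.7,10.5.1.4,80
"""


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "Internet"


def parse(log_text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(log_text)))


def findings_for(flow: dict) -> List[str]:
    """Map one flow onto the PCI DSS network requirements it would breach."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    port = int(flow["dport"])
    hits = []
    if src_zone == "Internet" and dst_zone != "DMZ":
        hits.append("1.3.2 inbound Internet traffic not limited to the DMZ")
    if "Internet" in (src_zone, dst_zone) and "CDE" in (src_zone, dst_zone):
        hits.append("1.3.3/1.3.5 direct route between the Internet and the CDE")
    if port in CLEARTEXT and dst_zone == "CDE":
        hits.append(f"2.3/4.1 non-encrypted protocol {CLEARTEXT[port]} to a CDE host")
    return hits


def audit(log_text: str) -> List[dict]:
    """Flows that matter: allowed ones are violations, denied ones are blocked attempts."""
    results = []
    for flow in parse(log_text):
        hits = findings_for(flow)
        if hits:
            status = "violation" if flow["action"] == "ALLOW" else "blocked attempt"
            results.append({**flow, "status": status, "findings": hits})
    return results


def service_summary(log_text: str) -> Dict[Tuple[str, str, str, int], int]:
    """Network Service Summary: services actually allowed between zones (1.1.5 / 1.1.6 review)."""
    counts: Counter = Counter()
    for flow in parse(log_text):
        if flow["action"] == "ALLOW":
            key = (zone_of(flow["src"]), zone_of(flow["dst"]), flow["proto"], int(flow["dport"]))
            counts[key] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in audit(FIREWALL_LOG):
        print(f"{r['time']} {r['src']} -> {r['dst']}:{r['dport']} {r['action']} [{r['status']}]")
        for f in r["findings"]:
            print("   ", f)
    for key, n in sorted(service_summary(FIREWALL_LOG).items()):
        print(key, n)
```

Note the pairing of rows three and four: the same Internet-to-CDE SSH attempt appears once allowed and once denied. Both are worth reporting, but only the allowed one is a rule-set failure under 1.3.3; the denied one is the firewall doing its job, which is what the 1.1.6 rule-set review wants to see.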
3. Protect stored cardholder data
LogRhythm provides monitoring of changes in the cardholder environment and can
alarm on changes to security critical resources.
Compliance Requirement: 3.6.7 Prevention of unauthorized substitution of cryptographic keys.
How LogRhythm Supports Compliance: LogRhythm may alarm on actions that affect specific files or objects, including cryptographic keys. The details of who, when and where a key was altered will be available in real time to the custodian(s).
Example Reports:
• File Integrity Monitoring Activity
4. Encrypt transmission of cardholder data across open, public networks
LogRhythm monitors network use to ensure that only the proper protocols are being
used in the cardholder data environment.
Compliance Requirement: 4.1 Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
How LogRhythm Supports Compliance: LogRhythm records which protocols are being used in the cardholder data environment, showing when any unauthorized protocols or unencrypted services are used. In addition, LogRhythm is capable of alarming on conditions where a system observes unencrypted information passed when expecting only encrypted traffic.
Example Investigations:
• Network Service Summary
• Network Connection Summary

Compliance Requirement: 4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.
How LogRhythm Supports Compliance: LogRhythm can observe and report on detected wireless networks, identifying wireless access points that communicate with the cardholder data environment.
Example Reports:
• Wireless Access Points
5. Use and regularly update anti-virus software or programs
LogRhythm collects and can alarm on detected malware and compromises in the
cardholder data environment.
Compliance Requirement: 5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
How LogRhythm Supports Compliance: LogRhythm detects and alerts on any error conditions originating from anti-virus applications and on the services being started and stopped, and identifies when new signatures are installed. Alarming can be configured to inform the custodian(s) when any malware is detected inside the cardholder data environment.
Example Reports:
• Malware Detected
• Anti-Virus Signature Update Report
Example Alarms:
• Alarm On Malware
6. Develop and maintain secure systems and applications
Compliance Requirement: 6.1 Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
How LogRhythm Supports Compliance: LogRhythm can track and report on when patches are installed on devices, showing which systems have had patches applied within the past month, or any other time frame dictated by organizational policy.
Example Reports:
• Patches Applied

Compliance Requirement: 6.3 Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle.
How LogRhythm Supports Compliance: LogRhythm provides the intelligence that the logging in custom-written software needs to be effective. By providing a central system to which logs can be sent, rules can be created to provide proper alarming and reporting for any custom application used in the cardholder data environment.

Compliance Requirement: 6.3.3 Separation of duties between development/test and production environments.
How LogRhythm Supports Compliance: LogRhythm can report on communications between production and development environments to ensure separation.

Compliance Requirement: 6.5 Develop all web applications (internal and external, and including web administrative access to application) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes.
How LogRhythm Supports Compliance: Vulnerabilities outlined in section 6.5 can be detected by real-time examination tools or by using compatible vulnerability scanning systems. Attempts to attack the web applications, such as by exploiting a cross-site scripting (XSS) vulnerability, can be alarmed on in real time by LogRhythm.
Example Reports:
• Vulnerabilities Detected

Compliance Requirement: 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
• Installing a web-application firewall in front of public-facing web applications
How LogRhythm Supports Compliance: LogRhythm can support either method by working in conjunction with systems that observe web exploits, such as Intrusion Detection Systems, Web-Application Firewalls, Stateful Inspection Firewalls, Web Servers, and other log sources, to analyze detected potential abuses as well as provide a way to investigate suspected breaches.
Example Reports:
• Suspicious Activity by User
• Top Targeted Hosts
• Suspicious Activity by Host
• Top Targeted Applications
• Top Suspicious Users
• Vulnerabilities Detected
7. Restrict access to cardholder data by business need to know
LogRhythm monitors access privilege assignments and suspicious data accesses.
Compliance Requirement: 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
How LogRhythm Supports Compliance: Access to cardholder data can be monitored by the custodian(s) of the data in real time by collecting access control system data. Account creation, privilege assignment and revocation, and object access can be validated using LogRhythm.
Example Reports:
• Host Authentication Summary
• Disabled Accounts Summary
• Applications Accessed by User
• Removed Account Summary
8. Assign a unique ID to each person with computer access
LogRhythm helps identify shared account usage in the network, including unobvious
accounts with more than one user.
Compliance Requirement: 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
How LogRhythm Supports Compliance: Account creation can be monitored through reporting and investigations of logs pertaining to the creation and modification of accounts. Accounts that have more than one user may be identified through investigations of frequent and/or suspicious login activities.
Example Reports:
• Account Creation Activity
• Account Modification Activity
10. Track and monitor all access to network resources and cardholder data
LogRhythm automates collection, centralization and monitoring of logs from servers,
applications, security and other devices, significantly reducing the cost of
compliance.
Compliance Requirement: 10.2 Implement automated audit trails for all system components to reconstruct PCI Standard specified events.
How LogRhythm Supports Compliance: LogRhythm’s core capabilities are centralization and proper management of log data that comprises the majority of the audit trail. Reports can be produced to show all audit activity from account
creation, through account activity, to account removal. Support for reporting on log data from custom applications containing portions of the audit trail is easily achieved using LogRhythm’s built-in rule building tools.
Example Reports:
• Account Creation Activity
• User Authentication Summary
• User Access Summary
• Account Modification
Compliance Requirement: 10.2.2 Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges.
How LogRhythm Supports Compliance: LogRhythm collects all account management activities. LogRhythm reports ensure policy adherence by providing easy and standard review of all account management activity.
Example Reports:
• Account Creation Activity
• Account Modification Activity
• User Access Summary
• Host Access Granted & Revoked
Compliance Requirement: 10.2.4 Implement automated audit trails for all system components to reconstruct all invalid logical access attempts.
How LogRhythm Supports Compliance: LogRhythm identifies failed access and authentication attempts for enterprise networked devices. LogRhythm automates the process of identifying high-risk activity and prioritizes based on asset risk. High-risk activity can be monitored in real-time or alerted on. LogRhythm reports provide easy and standard review of inappropriate, unusual, and suspicious activity.
Example Reports:
• Disabled Accounts Summary
• Removed Account Summary
• Audit Exceptions Event Summary
• User Object Access Summary
• Failed Host Access By User
• Failed Application Access By User
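To make two of the detections above concrete, the shared-account identification of requirement 8.1 and the risk-prioritized review of failed access attempts in 10.2.4, here is an added Python example; it is not LogRhythm code. The events, the asset risk ratings, the time windows and the thresholds are all constructed for the example, standing in for what a collector would produce after normalizing raw authentication logs into a common schema.

```python
"""Detection logic for two PCI DSS review tasks (added example, not LogRhythm code):
 - 8.1:    accounts used from several sources at once are likely shared
 - 10.2.4: bursts of failed logons, scored by the risk of the target asset
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one record per authentication
# event after normalisation. ok=True is a successful logon.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "svc_backup", "src": "10.0.1.5",  "host": "db01",  "ok": True},
    {"ts": "2024-03-01T08:02:00", "user": "svc_backup", "src": "10.0.2.9",  "host": "db01",  "ok": True},
    {"ts": "2024-03-01T08:03:00", "user": "svc_backup", "src": "10.0.3.14", "host": "web01", "ok": True},
    {"ts": "2024-03-01T09:00:00", "user": "alice",      "src": "10.0.1.7",  "host": "web01", "ok": True},
    {"ts": "2024-03-01T17:00:00", "user": "alice",      "src": "10.0.1.7",  "host": "web01", "ok": True},
    {"ts": "2024-03-01T09:10:00", "user": "bob",        "src": "10.0.5.2",  "host": "db01",  "ok": False},
    {"ts": "2024-03-01T09:10:20", "user": "bob",        "src": "10.0.5.2",  "host": "db01",  "ok": False},
    {"ts": "2024-03-01T09:10:40", "user": "bob",        "src": "10.0.5.2",  "host": "db01",  "ok": False},
    {"ts": "2024-03-01T09:11:00", "user": "bob",        "src": "10.0.5.2",  "host": "db01",  "ok": False},
    {"ts": "2024-03-01T11:00:00", "user": "carol",      "src": "10.0.6.3",  "host": "kiosk", "ok": False},
]

# Constructed asset risk ratings (1 = low, 9 = critical): the cardholder
# database outranks a public kiosk, so the same activity scores higher there.
ASSET_RISK = {"db01": 9, "web01": 6, "kiosk": 2}


def shared_accounts(events, window=timedelta(minutes=10), min_sources=2):
    """Return {user: sorted source IPs} for accounts that log on successfully
    from `min_sources` or more distinct sources inside any `window`.
    One person rarely authenticates from several machines within minutes;
    several people sharing one ID do."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["src"]))
    flagged = {}
    for user, logins in by_user.items():
        logins.sort()
        for i, (t0, _) in enumerate(logins):
            srcs = {s for t, s in logins[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged


def prioritized_failures(events, asset_risk, window=timedelta(minutes=5), threshold=3):
    """Count failed logons per (user, host) in a sliding window, keep those at
    or above `threshold`, score each as failures * asset risk and return the
    findings highest score first, so the review queue starts with the
    activity that matters most."""
    by_key = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_key[(e["user"], e["host"])].append(datetime.fromisoformat(e["ts"]))
    findings = []
    for (user, host), times in by_key.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - t0 <= window)
                   for i, t0 in enumerate(times))
        if best >= threshold:
            findings.append({"user": user, "host": host, "failures": best,
                             "score": best * asset_risk.get(host, 1)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    print("possibly shared:", shared_accounts(SAMPLE_EVENTS))
    for f in prioritized_failures(SAMPLE_EVENTS, ASSET_RISK):
        print(f"score {f['score']:>3}  {f['user']}@{f['host']}  {f['failures']} failures")
```

On the constructed input only the service account trips the shared-account rule (three sources in three minutes), while alice's two logons from one address over a working day do not; the failed-logon rule surfaces bob against the database and, only if the threshold is lowered, carol's single failure against the low-risk kiosk, well behind it in the queue.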
Compliance Requirement: 10.3 Record user identification, type of event, date and time for each audit trail entry.
How LogRhythm Supports Compliance: LogRhythm timestamps and classifies each event received to match this requirement, and extracts useful information such as user identification, IP addresses and host names, objects accessed, vendor message IDs, amounts affected (bytes, monetary values, quantities, durations), affected applications and other details useful for forensic investigation of the audit logs.
Compliance Requirement: 10.4 Synchronize all critical system clocks and times.
How LogRhythm Supports Compliance: Many environments cannot synchronize system clocks to a single time standard,
so LogRhythm independently synchronizes the timestamps of all collected log entries, ensuring that all log data is time-stamped to a standard time regardless of the time zone and clock settings of the logging hosts.
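An added example, not part of LogRhythm's product, of the two steps described under 10.3 and 10.4: each received line is classified, fields such as user identification, IP address, host, object and amount are extracted, and every timestamp is normalized to UTC, including lines from hosts that log local time with no zone marker at all. The log lines, the message patterns and the HOST_TZ table are constructed for the example; a real collector would carry its own per-source parsing rules and host configuration.

```python
"""Classify log lines, extract fields, normalise timestamps to UTC
(added example; not LogRhythm code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: two carry explicit offsets, one is in UTC ("Z"),
# and the application server writes local time with no zone at all.
LINES = [
    "2024-03-01 09:00:00 appsrv app: user=carol action=export object=/reports/q1.csv bytes=48213",
    "2024-03-01T08:15:30-05:00 web01 sshd[2201]: Accepted password for alice from 10.0.1.7 port 51022 ssh2",
    "2024-03-01T14:16:02+01:00 db01 sshd[911]: Failed password for bob from 10.0.5.2 port 40311 ssh2",
    "2024-03-01T13:20:00Z fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 LEN=60",
]

# Constructed host configuration: the zone to assume for hosts whose
# logs carry none (the unsynchronised-clock case of requirement 10.4).
HOST_TZ = {"appsrv": timezone(timedelta(hours=-8))}

# Header common to all lines: date, time, optional zone, host, message.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[T ](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?P<tz>Z|[+-]\d{2}:\d{2})? (?P<host>\S+) (?P<msg>.*)$")

# Classification rules, first match wins; named groups become record fields.
PATTERNS = [
    ("auth.success",  re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src_ip>\S+)")),
    ("auth.failure",  re.compile(r"Failed \w+ for (?P<user>\S+) from (?P<src_ip>\S+)")),
    ("net.deny",      re.compile(r"\bDROP\b.*SRC=(?P<src_ip>\S+) DST=(?P<dst_ip>\S+) LEN=(?P<bytes>\d+)")),
    ("object.access", re.compile(r"user=(?P<user>\S+) action=(?P<action>\S+) "
                                 r"object=(?P<object>\S+) bytes=(?P<bytes>\d+)")),
]


def normalize_time(date, time_, tz, host):
    """Return an aware UTC datetime. Explicit offsets win; a line with no
    zone gets the zone configured for its host, defaulting to UTC."""
    local = datetime.fromisoformat(f"{date}T{time_}")
    if tz == "Z":
        local = local.replace(tzinfo=timezone.utc)
    elif tz:
        sign = 1 if tz[0] == "+" else -1
        hh, mm = int(tz[1:3]), int(tz[4:6])
        local = local.replace(tzinfo=timezone(sign * timedelta(hours=hh, minutes=mm)))
    else:
        local = local.replace(tzinfo=HOST_TZ.get(host, timezone.utc))
    return local.astimezone(timezone.utc)


def parse_line(line):
    """Turn one raw line into a record with a UTC timestamp, the reporting
    host, a class and whatever fields the matching rule extracted."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable header: a real collector would quarantine it
    rec = {"host": m["host"], "class": "unclassified",
           "utc": normalize_time(m["date"], m["time"], m["tz"], m["host"]).isoformat()}
    for cls, pat in PATTERNS:
        hit = pat.search(m["msg"])
        if hit:
            rec["class"] = cls
            rec.update(hit.groupdict())
            break
    if "bytes" in rec:
        rec["bytes"] = int(rec["bytes"])  # amounts become numbers, not strings
    return rec


def parse_all(lines):
    return [r for r in (parse_line(l) for l in lines) if r]


def timeline(lines):
    """Records in true chronological order, which is only meaningful once
    every timestamp is on the same clock."""
    return sorted(parse_all(lines), key=lambda r: r["utc"])


if __name__ == "__main__":
    for r in timeline(LINES):
        print(r["utc"], r["host"], r["class"], r.get("user", "-"))
```

Note how the sort order changes once zones are applied: the application server's 09:00 local export is the last event of the four in UTC, not the first as the raw lines suggest, which is exactly the ordering mistake a forensic reconstruction makes when clocks are not reconciled.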
Compliance Requirement: 10.5.1 Limit viewing of audit trails to those with a job-related need.
How LogRhythm Supports Compliance: LogRhythm includes discretionary access controls allowing you to restrict the viewing of audit logs to individuals based on their role and need to know.
Compliance Requirement: 10.5.2 Protect audit trail files from unauthorized modifications.
How LogRhythm Supports Compliance: Using LogRhythm helps ensure audit trails are protected from unauthorized modification. LogRhythm collects logs immediately after they are generated and stores them in a secure repository. LogRhythm servers utilize access controls at the operating system and application level to ensure that log data cannot be modified or deleted.
Compliance Requirement: 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
How LogRhythm Supports Compliance: LogRhythm automatically collects audit trails and stores them in a central and secure repository. When a log is collected, it is stored in a database for analysis and reporting and a copy is written to an archive file. The archive copy of the log also serves as a backup. Archive files can be written to SAN, NAS, or other central location providing for additional redundancy. Segregation can be performed by allowing only log traffic to pass through LogRhythm via firewall, filter control on a router, or configuring the LogRhythm appliance’s firewall to reject unanticipated connections.
Compliance Requirement: 10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.
How LogRhythm Supports Compliance: LogRhythm can securely collect logs from the entire IT infrastructure, including external-facing technologies, for storage on an internal LAN where a LogRhythm appliance resides.
Compliance Requirement: 10.5.5 Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
How LogRhythm Supports Compliance: LogRhythm includes an integrated file integrity monitoring capability that ensures our collection infrastructure is not tampered with. Additionally, LogRhythm servers utilize access controls at the operating system and application level to ensure log data cannot be modified or deleted. Alerts are customizable to
prevent or allow alarms on a case-by-case basis, including not causing an alert with new data being added.
Compliance Requirement: 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol.
How LogRhythm Supports Compliance: LogRhythm supplies a one-stop repository from which to review log data from across the entire IT infrastructure. Reports can be generated and distributed automatically on a daily basis. LogRhythm provides an audit trail of who did what within LogRhythm and a report which can be provided to show proof of log data review.
Example Reports:
• LogRhythm Usage Auditing
Compliance Requirement: 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up). An audit history usually covers a period of at least one year, with a minimum of 3 months available online.
How LogRhythm Supports Compliance: LogRhythm completely automates the process of retaining your audit trail. LogRhythm creates archive files of all collected log entries. These files are organized in a directory structure by day, making it easy to store, back up, and destroy log archives based on your policy.
11. Regularly test security systems and processes
LogRhythm can collect logs from intrusion detection/prevention systems and has
integrated file integrity monitoring capabilities. The collection of IDS/IPS logs helps
to ensure and validate compliance. LogRhythm’s file integrity monitoring capabilities
can be used to directly meet requirement 11.5.
Compliance Requirement: 11.4 Use network intrusion detection systems, host-based intrusion detection systems, and/or intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up to date.
How LogRhythm Supports Compliance: LogRhythm collects logs from network and host-based IDS/IPS systems. Its risk-based prioritization and alerting reduce the time and cost associated with monitoring and responding to IDS/IPS alerts. The Personal Dashboard feature can be used to monitor intrusion related activity in real-time. A powerful Investigator tool makes forensic search easy and efficient. LogRhythm combined with IDS/IPS is an extremely powerful tool in identifying and responding to intrusion related activity efficiently and accurately.
Example Reports:
• Successful/Failed Host Access by User
• Successful/Failed Application Access by User
• Successful/Failed File Access by User
• Top Attackers
• Multiple Authentication Failures
• Suspicious Activity By User and Host
Compliance Requirement: 11.5 Deploy file integrity monitoring to alert personnel to unauthorized modification of critical system or content files, and perform critical file comparisons at least daily (or more frequently if the process can be automated).
How LogRhythm Supports Compliance: LogRhythm agents include an integrated file integrity monitoring capability which can be used to detect and alert on the following for any file or directory: reads; modifications; deletions; permission changes. This capability is completely automated. How often files are scanned is configurable. Files can be scanned at user-defined frequencies such as every 5 minutes or once a night.
Example Reports:
• File Integrity Monitoring Activity
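An added example, not LogRhythm's agent, of the comparison behaviour that 10.5.5 and 11.5 describe: a baseline of size, content hash and permission bits is recorded per file; a later check raises alerts for truncation, modification of existing content, permission changes and deletion; and for files flagged append-only (log files) growth that leaves the original bytes intact raises nothing, which is the "new data being added should not cause an alert" clause of 10.5.5. Read detection, which the 11.5 list also names, needs OS-level audit hooks rather than a hash comparison and is not covered here. The files and scenarios are constructed in a temporary directory.

```python
"""Baseline-and-compare file integrity check with an append-only rule
for log files (added example; not LogRhythm code)."""
import hashlib
import os
import stat
import tempfile


def _sha256_prefix(path, nbytes):
    """Hash only the first `nbytes` of a file, so that a grown log can be
    compared against the baseline taken when it was shorter."""
    h = hashlib.sha256()
    remaining = nbytes
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def baseline(path):
    """Record what a later comparison needs: size, hash of that size, mode bits."""
    st = os.stat(path)
    return {"size": st.st_size,
            "sha256": _sha256_prefix(path, st.st_size),
            "mode": stat.S_IMODE(st.st_mode)}


def check(path, base, append_only=False):
    """Compare `path` with its baseline and return a list of alert strings
    (empty means no change worth alerting on). For append_only files, growth
    that keeps the baseline prefix byte-for-byte is not an alert."""
    if not os.path.exists(path):
        return ["deleted"]
    alerts = []
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) != base["mode"]:
        alerts.append("permissions changed")
    if st.st_size < base["size"]:
        alerts.append("truncated")
    elif _sha256_prefix(path, base["size"]) != base["sha256"]:
        alerts.append("existing content modified")
    elif st.st_size > base["size"] and not append_only:
        alerts.append("content appended")
    return alerts


def demo():
    """Run the check over constructed scenarios; returns {scenario: alerts}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        with open(log, "w") as f:
            f.write("line1\nline2\n")
        os.chmod(log, 0o640)               # fixed mode so the baseline is deterministic
        base = baseline(log)

        with open(log, "a") as f:          # normal log growth
            f.write("line3\n")
        results["append"] = check(log, base, append_only=True)
        results["append_as_config"] = check(log, base)   # same growth on a non-log file

        with open(log, "w") as f:          # an existing entry rewritten in place
            f.write("line1\nLINE2\nline3\n")
        results["modified"] = check(log, base, append_only=True)

        with open(log, "w") as f:          # entries removed
            f.write("line1\n")
        results["truncated"] = check(log, base, append_only=True)

        with open(log, "w") as f:          # original content back, mode loosened
            f.write("line1\nline2\n")
        os.chmod(log, 0o666)
        results["chmod"] = check(log, base, append_only=True)

        os.remove(log)
        results["deleted"] = check(log, base, append_only=True)
    return results


if __name__ == "__main__":
    for scenario, alerts in demo().items():
        print(f"{scenario:>18}: {alerts or 'no alert'}")
```

Hashing only the baseline-length prefix is what lets the check distinguish "appended" from "rewritten": a log whose first 12 bytes still hash the same has only grown, while one whose prefix hash changed had an existing entry altered even if its length also grew. A scheduled run of `check` against stored baselines is the daily comparison 11.5 asks for; how often it runs is a policy choice, not a property of the algorithm.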
12. Maintain a policy that addresses information security for employees and
contractors
LogRhythm provides centralized intelligence that can support the organizational
security policy, including incident handling and response. Because policies are
flexible, LogRhythm is ready to expand beyond the cardholder data environment to
provide support to other areas of the organization that need its critical services.
Compliance Requirement: 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
How LogRhythm Supports Compliance: LogRhythm provides a centralized management system capable of alarming, reporting and investigating security breaches to the network. LogRhythm supports an incident response plan by providing the real-time enterprise detection intelligence to address issues quickly to prevent damage and exposure.
Example Alarms:
• Alarm On Attack
• Alarm On Compromise
• Alarm On Malware