Building a resilient cybersecurity framework is crucial for businesses of all sizes. In this interview we explore strategies for building one with Kev Eley, Vice President of Sales at LogRhythm, covering the importance of collaboration and intelligence gathering in cybersecurity and how the platform caters to different types of businesses.
As a security information and event management (SIEM) solution provider, LogRhythm aids businesses in risk assessment and resource allocation. We also touch on why continuous innovation is essential for staying proactive in cybersecurity.
Kev: Machine data is the information generated by digital devices, systems, and processes. This data provides invaluable insight into activity across an organization’s network and can be viewed as the ‘fingerprints’ left behind at the scene of the crime by adversaries looking to sabotage crucial information systems. It is therefore imperative that we collect telemetry from a wide range of sources to uncover malicious activity. One example of the types of data we often advise organizations to collect is abnormal logon activity. We often see threat actors go after the ‘crown jewels’ of an organization by trying to connect to their most critical systems. By assessing logon activity within key systems and servers, we can determine unauthorized logon attempts from geographical and chronological standpoints.
In addition, organizations should pay attention to signals that indicate forms of malware activity. This could include changes to registry settings and operating systems, or files becoming encrypted. These types of log data can also be aligned with security sources, such as firewalls, and combined with rich sources of threat intelligence to give security teams context into the activity happening across their environment.
As threats become more frequent and complex, it’s absolutely crucial that we provide the most effective and efficient solutions to enable our customers to stay ahead. Our self-hosted platform LogRhythm SIEM, and our cloud-native SIEM platform, LogRhythm Axon, are both capable of collecting all of this machine data in a way that's quick to onboard and analyze.
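The geographical and chronological logon checks described above, as an added example that is not LogRhythm code: a per-user baseline is built from constructed historical logon records, and new records are flagged when they come from an unseen country, fall outside the user's observed logon hours, or form a burst of failures against one host. Users, hosts, countries and the failure threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (timestamp, user, source country, target host, outcome)
HISTORY = [
    ("2024-03-04 09:12:00", "alice", "GB", "fileserver01", "success"),
    ("2024-03-05 08:55:00", "alice", "GB", "fileserver01", "success"),
    ("2024-03-06 17:40:00", "alice", "GB", "hr-db01", "success"),
    ("2024-03-04 10:03:00", "bob", "IE", "hr-db01", "success"),
    ("2024-03-05 11:20:00", "bob", "IE", "hr-db01", "success"),
]
NEW_EVENTS = [
    ("2024-03-07 09:30:00", "alice", "GB", "fileserver01", "success"),  # normal
    ("2024-03-07 03:15:00", "alice", "RU", "hr-db01", "success"),       # new country, odd hour
    ("2024-03-07 02:50:00", "bob", "IE", "hr-db01", "failure"),         # odd hour, failures
    ("2024-03-07 02:51:00", "bob", "IE", "hr-db01", "failure"),
    ("2024-03-07 02:52:00", "bob", "IE", "hr-db01", "failure"),
]
FMT = "%Y-%m-%d %H:%M:%S"

def build_baseline(records):
    """Per-user set of countries and logon hours seen in successful logons."""
    base = defaultdict(lambda: {"countries": set(), "hours": set()})
    for ts, user, country, _host, outcome in records:
        if outcome != "success":
            continue
        base[user]["countries"].add(country)
        base[user]["hours"].add(datetime.strptime(ts, FMT).hour)
    return base

def score_events(events, baseline, fail_threshold=3):
    """Return (event, reasons) for each event that trips at least one check."""
    fails = defaultdict(int)  # failed-logon counter per (user, host)
    findings = []
    for ev in events:
        ts, user, country, host, outcome = ev
        reasons = []
        b = baseline.get(user)
        hour = datetime.strptime(ts, FMT).hour
        if b and country not in b["countries"]:
            reasons.append(f"new country {country}")
        if b and not (min(b["hours"]) <= hour <= max(b["hours"])):
            reasons.append(f"unusual hour {hour:02d}")
        if outcome == "failure":
            fails[(user, host)] += 1
            if fails[(user, host)] == fail_threshold:
                reasons.append(f"{fail_threshold} failed logons on {host}")
        if reasons:
            findings.append((ev, reasons))
    return findings
```

In production the baseline would be learned over a much longer window and enriched with threat intelligence, but the structure (learn what is normal per identity, then flag deviations) is the same.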
Kev: Technology alone is not the answer to help organizations meet their cybersecurity requirements. It must be implemented alongside great processes, great people, and great teams. An organization’s environment is constantly evolving as old systems are decommissioned, team members leave, or new ones join. To keep pace with constant changes and stay relevant, our solution needs to provide organizations with the capabilities to achieve maximum visibility and threat detection. The first thing we do is work closely with the organization to understand and identify its most integral systems that store sensitive information. These are the systems that would constitute the most significant damage, whether this is financial or reputational, to the business if they were taken offline or breached. These systems vary depending on the nature of the organization, for example, for a healthcare organization this might be patient healthcare records or if you're a manufacturing organization, it might be proprietary designs.
Once we have taken an inventory of the most important systems, we can then provide the organization with guidance and advice on the types of data they need to collect, and the most efficient ways they can carry it out. After we start collecting and harvesting this information, the LogRhythm application can then analyze this data in real time to determine any anomalous activity that's taking place and build out the kill chain based on what we're seeing.
LogRhythm SIEM and Axon both deliver capabilities that help the executive tier of an organization understand what's happening from a cybersecurity standpoint. Rich metrics enable the Chief Information Security Officer (CISO) to describe how they’re managing and mitigating risk within their organization.
Kev: We work with organizations to determine their most critical systems that represent the biggest risk if they were to be compromised. Monitoring these systems is vital to ensure the effective and efficient running of the organization and reduce disruption to its mission-critical activities. The challenge is that the volume of data that these organizations generate can be significant and practically impossible for an individual human to analyze. Given the high volume of logs collected per day at even small organizations, security analysts commonly experience “alarm fatigue”—they receive too many alarms, and those alarms are often not correctly prioritized.
Handling huge volumes of data is where the LogRhythm platform comes into its own. Our analytical capabilities provide organizations with a highly curated list of alarms based on the priority of the event and its significance to the exposed system or user. Security analysts are then presented with a much smaller and more manageable list of high-focus, high-priority alarms. Our risk-based prioritization capabilities grade the severity of risks within the system to direct analysts to where they should focus their attention first. This provides massive efficiency gains in terms of time and resource allocation for the security operations center (SOC) team.
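Risk-based prioritization as sketched above, as an added example that is not LogRhythm's own logic: duplicate alarms for the same rule and host are collapsed so analysts see one row with a count, each row is graded from event severity, rule confidence and the criticality of the asset hit, and the list is ordered highest risk first. The asset inventory, alarm tuples and scoring formula are constructed assumptions.

```python
from collections import defaultdict

# Constructed asset inventory: criticality 1 (low) .. 10 (crown jewels)
ASSET_CRITICALITY = {"hr-db01": 9, "fileserver01": 6, "kiosk07": 1}

# Constructed raw alarms: (rule, host, severity 1..10, rule confidence 0..1)
RAW_ALARMS = [
    ("failed-logon-burst", "kiosk07", 4, 0.6),
    ("failed-logon-burst", "kiosk07", 4, 0.6),       # duplicate of the above
    ("failed-logon-burst", "kiosk07", 4, 0.6),
    ("new-country-logon", "hr-db01", 7, 0.8),
    ("registry-run-key-change", "fileserver01", 6, 0.7),
    ("new-country-logon", "hr-db01", 7, 0.8),        # duplicate
]

def risk_score(severity, confidence, criticality):
    """How bad the event is, how sure the rule is, and what it hits (0..100)."""
    return round(severity * confidence * criticality, 1)

def prioritize(alarms, inventory, default_criticality=3):
    """Collapse duplicate (rule, host) alarms and order them by risk, highest first.

    Returns dicts with rule, host, count and risk. A host missing from the
    inventory gets default_criticality so it is neither ignored nor inflated.
    """
    grouped = defaultdict(lambda: {"count": 0})
    for rule, host, sev, conf in alarms:
        entry = grouped[(rule, host)]
        entry["count"] += 1
        entry["risk"] = risk_score(sev, conf, inventory.get(host, default_criticality))
    ordered = [{"rule": rule, "host": host, **v} for (rule, host), v in grouped.items()]
    ordered.sort(key=lambda a: (-a["risk"], -a["count"]))
    return ordered
```

On the constructed input, half of the raw alarms are the low-value kiosk burst, which ends up as a single row at the bottom of the queue behind the logon to the HR database.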
Kev: We collaborate frequently with partners across the globe to bring effective cybersecurity solutions to organizations. Recently, we partnered with The Health Informatics Service (THIS) to transform healthcare security in the UK with LogRhythm Axon. We provided THIS with a flexible, cloud-native security solution that minimized expenses and enhanced its analyst experience. On top of this, we also partnered with cybersecurity powerhouse Infinigate to expand access to cybersecurity solutions in Europe. Partnering with Infinigate has allowed us to provide our entire product portfolio to Infinigate’s reseller partners. Our products can now be used to meet the evolving security needs of enterprises throughout the United Kingdom and Ireland and will be available across Germany, Austria, and Switzerland effective in December.
LogRhythm sits at the core of the security operations center (SOC), meaning it can take input from a wide variety of other types of security systems to add value to our clients. Commonly, these are endpoint detection and response systems such as SentinelOne or CrowdStrike. We integrate these systems into our platform, alongside feeds from vulnerability scanners that provide us with indications of any vulnerabilities within a system.
LogRhythm’s products have their own native Network Detection and Response (NDR) capabilities and integrate with threat intelligence platforms. This bidirectional integration is designed to maximize visibility across an organization’s network to identify malicious IP addresses or domains they are being exposed to. Not only do we supply this information, but we also provide guidance back to the organizations to ensure we are providing maximum value to our partners.
Kev: The threat landscape is constantly evolving, and this means our solutions need to keep pace with new threat tactics. LogRhythm’s Labs function and our professional services team are at the forefront of helping customers understand and identify emerging threats to their organizations and creating detection tools to address these threats. We aim to close potential risks through the ongoing engagement and services we provide to our customers. In addition, our unwavering commitment to strengthening our customers’ defenses keeps them firmly ahead of the curve. Our team works hard to release new innovations and enhancements to our products every quarter to ensure they’re ready for emerging cyberthreats. This quarter we delivered our sixth consecutive quarterly release to help bridge skill gaps, cut log source onboarding time, enhance contextualization into threats, and more. The latest release of Axon includes additions such as a new Signal Replay feature that enables security teams to test analytics rules to ensure threat detection is optimized for their environment. LogRhythm SIEM also saw advances in efficiency with the introduction of log collection management to cut onboarding time by 50%.
The predictive capabilities of our products are also helping organizations strengthen their cybersecurity postures. The data-driven insights from LogRhythm SIEM, LogRhythm Axon, and LogRhythm NDR allow organizations to reduce response time by filtering out irrelevant data, significantly improving productivity and enhancing their threat detection capabilities.
Kev: LogRhythm’s website contains plenty of resources for readers to explore. Our resource library contains numerous reports, case studies, and whitepapers including the Definitive Guide to Security Intelligence and Analytics. Our blog also explores the latest insight into the biggest cybersecurity trends and challenges. To find out more about our solutions, readers can access our data sheets through LogRhythm Axon, LogRhythm SIEM, and LogRhythm NDR. Readers can book a demo to learn more about our innovative solutions, and how they can protect themselves against emerging cyberthreats.