LogRhythm Extends Threat Analytics Suite with Endpoint Module
Security intelligence firm LogRhythm is looking to help IT detect intruders more quickly with its latest offering, the Endpoint Threat Analytics Module. It supplements LogRhythm’s existing threat analytics modules for network and end-user visibility.
A security breach usually takes mere minutes, but in most organizations detecting the intrusion can take days or even weeks. The new Endpoint Threat Analytics Module is LogRhythm’s attempt to shorten that gap.
LogRhythm’s Endpoint Threat Analytics Module complements the company’s existing Threat Analytics Modules for users and networks to provide a more holistic view of threats and intrusions across the broad attack surface. Combined, the newly extended LogRhythm Threat Analytics Suite enables organizations to spot advanced threats by modeling a wide variety of behaviors across the entire IT environment, according to LogRhythm CTO Chris Petersen.
“Advanced threat actors will leverage every possible angle to gain a foothold within their target environment, and they will be successful. The best way organizations can be assured of detecting initial compromises quickly is by having visibility across all possible vectors of entry and points of further attack. To achieve this, organizations must be looking for behavioral shifts across user accounts, the network and endpoints,” Petersen said in a statement.
The multiple-module approach is designed to offer holistic visibility into advanced threat operators when “behavioral shifts” occur as they compromise endpoints, applications and user accounts, he added.
LogRhythm’s Holistic Threat Analytics Suite comprises individual analytics modules that can be deployed on their own or together:
- Endpoint Threat Analytics Module (the latest addition) tracks forensic data and monitors endpoint activity.
- User Threat Analytics Module provides visibility into user activity and detects compromised accounts and other suspicious user activity, including insider threats.
- Network Threat Analytics Module analyzes network communications activity at an application level.
Together, the three modules build on LogRhythm’s AI Engine technology, which applies machine learning and other machine analytics techniques to log and machine data. When all three modules are deployed, customers can correlate and corroborate advanced threats across the whole attack surface, gaining additional analytic value and increasing their chance of detection.
Under the Covers of LogRhythm’s Threat Analytics AI Engine
The Endpoint Threat Analytics Module analyzes existing host logs and data collected by LogRhythm’s System Monitors. It ships with a comprehensive set of advanced behavioral analytics rules for LogRhythm’s AI Engine that detect, prioritize and neutralize threats targeting an organization’s endpoints.
Typical breaches that target endpoints will be detected by the new module, including:
- Endpoint manipulation: Once attackers have compromised an endpoint, they use it as a platform for running software that automates further malicious activity.
- System configuration changes: Attackers facilitate propagation throughout an enterprise network by making configuration changes to endpoints that make malicious activity easier to carry out.
- Communication with suspicious IP addresses: Network communication to suspicious IP addresses and IP ranges is a strong indicator of a malware outbreak or a successful breach.
- Host firewall hijacking: Malware is frequently designed to covertly open lines of communication with an external destination, such as a command-and-control system, to maintain a sustained point of contact for continued malicious behavior.
- Malware camouflaging: Custom malware is frequently designed to hide its footprint by not logging process activity or by altering activity logs after the fact.
In addition to detecting malware activity and malicious behavior tied to zero-day attacks, the Endpoint Threat Analytics Module can find unauthorized local accounts, misconfigurations and changes to access privileges that suggest local account abuse and endpoint compromise.