Most IT systems generate log files and hidden within them could be the answer to some enterprise IT security issues. Security information and event management (SIEM)
The LogRhythm release comes as enterprises continue face both external and internal security threats and are ramping up effort to secure their infrastructure in response. The new release provides new capabilities for monitoring processes and network connection on endpoints as well as providing the ability to correlate that data with geographical location information.
“There are common log sources on a network, whether it’s collected for compliance reasons or so a SIEM can find security events in the log data,” Mike Reagan, vice president of marketing and business development at LogRhythm, told InternetNews.com. “What we’re doing in our latest release extends our reach of data collection to the host and network layer pulling in data that is not normally collected in a central log management application.”
Reagan explained that LogRhythm is now adding a process monitoring function that looks at any process that is running on a host. The host could be a server or it could be a desktop or laptop computer. He added that he process monitoring function requires that the LogRythm system monitoring agent is installed on the host.
“When the agent is running, LogRhythm will automatically and independently audit all process activity on the host and report all of that information back to the central log manager, where it is analyzed,” Reagan said. “If activity meets certain criteria, it can trigger an alert.”
An analysis of the log data can also be correlated to identify what else was going on with the network at the time the alert was triggered. As such, Reagan noted that the system can provide greater visibility into security events and vulnerabilities.
Reagan added that in addition to monitoring processes, the LogRhythm system is now also able to monitor host network connections as well. He explained that one scenario where network connection monitoring could be useful is if an internal server is supposed to be restricted to internal users but somehow generates an outbound connection. The LogRhythm system also provides a management console, enabling administrators to set policies as well.
Correlation between existing logs from hosts and the LogRhythm agent’s process and network connection capabilities provides further visibility. Reagan noted that the LogRhythm system is able to normalize data as it comes in to provide a degree of log event correlation across multiple sets of log data.
A new geolocation capability in the latest LogRhythm release provides users with a visualization mapping tool for network and host events. Reagan explained that the system will now visually map log data, which may help in exposing relationships between events.
“With the ongoing evolution of threats out there, I think there is continuing evolution of using all log data to understand what’s not normal in an enterprise,” Reagan said.