LogRhythm SIEM Pattern Recognition Engine Uncovers Security Threats

AI Engine users have immediate access to all relevant forensic data

February 10, 2011



BOULDER, Colo., Feb. 8, 2011 - LogRhythm, the company that makes log data useful, today announced the LogRhythm Advanced Intelligence (AI) Engine for its integrated SIEM 2.0 (security information & event management) platform, which transforms the creation of complex pattern recognition policies into a simple drag-and-drop operation. The AI Engine enables organizations, without writing any scripts, to detect sophisticated intrusions, fraud, insider threats, zero-day attacks, advanced persistent threats (APT) and other suspicious activity that would otherwise go unnoticed. AI Engine goes beyond simple correlation and provides advanced pattern recognition capabilities that identify related events, statistical deviations, and behavioral abnormalities within all log data, rather than just a pre-filtered subset of security events. AI Engine users also have immediate access to all relevant forensic data, enabling rapid investigations and remediation.

"LogRhythm has removed the two biggest barriers to making pattern recognition within log and SIEM data really work -- they've made it incredibly easy to create and modify sophisticated rules and apply those rules against all log data," said Chuck Daye, Senior Vice President and MIS Administrator at The First National Bank and Trust Company, Chickasha, Oklahoma. "With a broad library of rule sets available out-of-the-box and a highly intuitive GUI, AI Engine will enable us to gain much broader visibility to threats and risks in our datacenter, branches, and even ATM locations."

Real-Time Pattern Recognition across Log and SIEM Data

Organizations are increasingly being targeted by surgical and sophisticated attacks. According to the Verizon/Secret Service 2010 Data Breach Investigations Report, 54% of all breaches involved modified or custom malware. Since custom attacks cannot be detected with traditional signature-based security solutions, a more comprehensive approach to identifying threats is necessary. To make the invisible visible across the largest IT networks, the LogRhythm AI Engine goes beyond basic correlation and performs pattern recognition on all log and SIEM data in real time. Traditional SIEM 1.0 products only correlate on the 1-5% of logs deemed to be security events at the time of capture.

The ability of AI Engine to perform pattern recognition enables LogRhythm to identify threats and conditions that do not follow a sequential "if a, then b, then c" pattern and would not be detected by traditional correlation rules. Leveraging LogRhythm's universal time stamping function, AI Engine's TrueTime™ feature ensures that pattern recognition and correlation on all logs are based upon the actual time of occurrence rather than the time of collection or analysis, thus minimizing false positives and avoiding false negatives.

Complex Rules: No Scripting, No Problem

To create or modify advanced pattern recognition rules extremely quickly and easily, AI Engine features a highly intuitive graphical user interface that uses point-and-click, drag-and-drop operations rather than complex scripting. The AI Engine provides a building-block workflow palette for creating pattern recognition policies, a large library of pre-defined, immediately usable rules, a common event language of English terms and over 50 intuitive metadata fields to further define policies. For the first time, creating, modifying and managing complex rules is simple. The AI Engine provides the flexibility to create very granular rules for detecting specific patterns, exceptions or conditions, and the ability to apply more general rules for broader visibility.

"Until now, building correlation rules in SIEM products has effectively required a PhD in scripting languages and a very precise understanding of the activity, condition or exception you were looking for," said Chris Petersen, co-founder and CTO of LogRhythm. "We designed the LogRhythm AI Engine to harness hybrid analysis techniques applied across all log data to deliver next generation pattern recognition capabilities, including complex correlation. We focused on delivering what is inherently sophisticated via an easy-to-use, wizard-based rule builder that empowers our customers with new levels of visibility into intrusions, insider threats, and network abuse that would likely go unnoticed by first generation SIEM products."

Detect and Protect Against Stealthiest Attacks

AI Engine performs pattern recognition on multiple variables and contextual information, enabling organizations to detect and protect against sophisticated attacks that fly under the radar of traditional security solutions. Some examples include:

- The same account being used to log in from two different countries nearly simultaneously
- Data leaving the network destined for a rogue nation
- Non-email servers sending thousands of SMTP messages to hosts across the world (i.e. a botnet infestation sending spam)
- Observing the exact same error message on more than 100 different servers
- A user downloading a statistically large number of account records from a CRM database
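Two of the patterns listed above (near-simultaneous logins from different countries, and one error message on more than 100 servers) implemented as plain correlation logic over constructed log records, as an added example that is not LogRhythm's code. It also illustrates the TrueTime point made earlier: keying the time window on the collection time instead of the occurrence time lets a late-arriving log slip out of the window. All records, hostnames and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the original release). Each keeps the
# time the event happened (event_time) and the time the collector received it
# (collect_time); delayed delivery makes the two differ for the second login.
LOGINS = [
    {"account": "jdoe", "country": "US", "host": "vpn1",
     "event_time": "2011-02-08T09:00:00", "collect_time": "2011-02-08T09:00:05"},
    {"account": "jdoe", "country": "BR", "host": "vpn2",
     "event_time": "2011-02-08T09:03:00", "collect_time": "2011-02-08T10:30:00"},
    {"account": "asmith", "country": "US", "host": "vpn1",
     "event_time": "2011-02-08T09:05:00", "collect_time": "2011-02-08T09:05:02"},
]

# Constructed: one error message reported by 120 distinct servers, plus an
# unrelated error seen on a single server.
ERRORS = [{"host": f"srv{i:03d}", "msg": "disk write failure on /var/log"}
          for i in range(120)]
ERRORS.append({"host": "srv999", "msg": "ntp sync lost"})


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def near_simultaneous_logins(logs, time_field="event_time",
                             window=timedelta(minutes=10)):
    """Accounts with logins from two different countries within `window`.

    `time_field` chooses which timestamp the window is measured on.
    """
    by_account = defaultdict(list)
    for rec in logs:
        by_account[rec["account"]].append((_ts(rec[time_field]), rec["country"]))
    flagged = set()
    for account, events in by_account.items():
        events.sort()  # order by the chosen timestamp, then compare neighbours
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 <= window:
                flagged.add(account)
    return flagged


def widespread_error(errors, min_hosts=100):
    """Error messages observed on more than `min_hosts` distinct hosts."""
    hosts_by_msg = defaultdict(set)
    for rec in errors:
        hosts_by_msg[rec["msg"]].add(rec["host"])
    return {msg for msg, hosts in hosts_by_msg.items() if len(hosts) > min_hosts}
```

Run with `time_field="event_time"` the jdoe logins are three minutes apart and are flagged; run on `collect_time` the same pair is ninety minutes apart and is missed.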

Pricing and Availability

The LogRhythm AI Engine is in beta and will be available next month. LogRhythm AI Engine appliances support up to 1 billion logs per day. The AI Engine is also available in a software form factor that can be deployed in VM environments including VMware, Microsoft and Citrix. The AI Engine integrates seamlessly with any existing LogRhythm deployment. Entry-level pricing starts at $6,000.

About LogRhythm

LogRhythm, the leader in log management and SIEM 2.0, delivers log and security event management, file integrity monitoring, and network and user monitoring in a single integrated solution. LogRhythm empowers organizations to comply with regulations, secure their networks, and optimize IT operations. The company received the coveted "Recommended" 5-star designation from SC Labs and has received SC Magazine's Innovator of the Year Award, Readers Trust Award for "Best SIEM" solution and the "Best Buy" designation for Digital Forensics. It is a winner of the 2010 Red Herring 100 Award and was placed by Gartner Inc. in the visionaries quadrant of the Security Information and Event Management (SIEM) Magic Quadrant report for 2010. LogRhythm is privately held and based in Boulder, Colorado with European Headquarters in Maidenhead, England, and Asia Pacific operations in Hong Kong. For more information visit: www.logrhythm.com.
