A Day in the Life of an Analyst | LogRhythm Demo

Captions
Oh, hello. My name is Seth Goldhammer and I'm the director of product management here at LogRhythm. I'm excited to be able to present to you today a full end-to-end workflow of LogRhythm, and we're going to highlight new innovations that have been brought to market with LogRhythm 7 through the Threat Lifecycle Management workflow. We're going to show how an analyst, kind of a day in the life of an analyst, would use LogRhythm. An analyst has different entry points to how they might use LogRhythm, and we're going to show three: how they could use the dashboard to start off this workflow, or searching, with maybe a daily hunting or searching exercise that an analyst might perform, or through the review of our alarms. I've highlighted here different LogRhythm 7 innovations that we'll be showing in our demonstration. No matter which entry point the analyst starts from, we'll then show how they could quickly qualify that particular threat and then move into the investigative phase to understand full scope and root cause, ultimately helping to mitigate that threat. Now I'm going to turn to our web-based UI and talk a little bit more about that UI as we begin our demonstration.

Here we are at LogRhythm's web UI. This is an HTML5 application, meaning that there are no plugins that need to be installed in order to be able to use this particular web interface. It's also been completely optimized for touch, meaning that I can run through this full demonstration whether I'm on my laptop, whether I'm on a mobile device like my iPad, or maybe on a large touch-screen TV in a SOC. In fact, we can have multiple dashboards that we can create, and these are very customizable, and we'll show that, for different types of form factors and different ways that we want to present the information given the different users who may be participating in this particular deployment. So we'll talk a bit more about dashboards; we'll also talk about our risk-based prioritized alarms as we walk through this demonstration; and then we'll also talk about cases and our ability to show cases, whether for an analyst, in different ways that we can customize a dashboard of case workflow, or perhaps for a SOC manager.

One of the things that our customers have really appreciated: all of our dashboards are live, meaning that real-time data is being fed into these dashboards, and I can double-click into anything that is of interest to me. Another thing that our customers have really appreciated is the ability to very quickly get to the underlying log data. By clicking on the log viewer, this analyst grid pops up, where I now have the ability to view all of the underlying log data that the visualizations on top are comprised of. What's interesting about LogRhythm, and one of the ways that we can be optimized for mobile devices, is that we're keeping a very low footprint on the browser itself, on the client itself. We do that through technologies that we're leveraging to stream data to the browser as needed. So you'll notice that as I'm scrolling down, and I have hundreds of thousands of activities that are being represented here, I can scroll through all of those activities, yet you can see that it's streaming that data as I need it as I scroll. Even though I'm only seeing a partial set of information on my screen, I still have the ability to filter against the full data set. If I am looking for particular types of activities, perhaps I want to look at a particular type of common event; I want to now sort by the prioritization that's been applied to those particular types of events. So I can do these types of activities very quickly against the full data set while still keeping a very low footprint on the client side.

As I said in the beginning, there are going to be three different workflows. We're going to show how an analyst could start that workflow, and the first is by just viewing information on the dashboard. Again, this is a live dashboard, meaning I can drill down into any particular activity here that may be of interest. This is a customizable dashboard, meaning I can choose from any of the widgets; we have a growing library of widgets our customers can choose from to be able to represent information as meaningfully as possible to different types of users of the system. We can actually even edit these widgets in place: what type of information we want, even adding more advanced types of filters to these widgets. Now, one of the widgets we introduced in LogRhythm 7 is our threat activity map. Here we're plotting the actual activities that have occurred within this environment against this map, with the ability to hover over, drill down, and see particular details about these activities. That could give us a better indication of activities that could be of concern. For example, while we do some business in Asia, we do not do business in China, so these particular activities that I'm seeing in China could be concerning, and just by double-clicking I can run a drill-down on that. You'll notice when I drill down, and you'll see this in other searches throughout the demonstration, that these searches run as a task at the bottom. That allows me, as that search is being performed, to still interact with the user interface; I could start other tasks, so my work is not slowed down as I'm trying to get to additional information.

So let's go ahead and look at the results. This is going to bring us to our Analyze tab, and you'll see this Analyze tab quite a few times throughout this demonstration. Here we're looking at all of the activities that occurred at that particular location in China. I can see here that there is actually a lot of flow data that's been recognized by LogRhythm's Network Monitor. We're also seeing a deep packet analytics rule that has fired. Deep packet analytics is an ability to create customized rules within Network Monitor that can look deep within a packet, and really customize whether I'm going to generate an alarm from that. It could also be to perhaps trigger packet captures, to be more selective in terms of what packets should be captured in a session-based packet capture. So I see that that deep packet analytics rule has fired for a protocol mismatch, and again we have access to that underlying log data. We can click on this log data row, and we can get all the information that Network Monitor forwarded from this, so we can see here that we have IRC traffic into China. That would be very concerning. I can also immediately get to the packet capture, and I can actually download that packet capture immediately from the system; that packet capture is actually being hosted in the Network Monitor solution.

If this is very concerning, I could create a new case: IRC traffic from China. So now we're introducing our case management capability. Case management gives us an ability to capture all of this information. I can save that; perhaps I want to add in these logs, so I've got Network Monitor traffic and DPA rules. I also have the ability to add in the packet capture. This gives me an ability as an analyst to have a single place where I now have all of this information about suspicious traffic. Now I'm tagging my case. Tagging is a new feature that was introduced in LogRhythm 7. It gives me an ability to add tags to all my cases, where I can then search against those tags, also create dashboards that are filtering against those tags, and have better visibility into the types of occurrences, the concerning activities, that are occurring within my environment. I have the ability to even create new tags. So this gives us a good representation of this particular case, where we could continue to look at the other concerning things that we saw here. Not only was this IRC traffic, it was IRC traffic that occurred over port 53. That's why the deep packet analytics rule fired: we had IRC traffic over what would normally be a DNS port, and that's what that particular rule was looking for. So here's one way that we can begin a workflow, and now we have a lot of information about what's happened, what hosts were involved, even what user was involved on that host, to get to a resolution of what we want to do with this IRC traffic that occurred. Actually, because IRC is sent in clear text, we even have some of the information about this IRC chat; it looks like there was a user Carl here that was involved.

All right, so I'm going to shift gears now and talk about another way that we can access the system: through search. Search is such a fundamental aspect of this type of technology, to be able to get into the data very quickly and get to information that is going to be helpful in terms of making an assessment. LogRhythm provides an ability to both search against the full message text, just with a keyword search, kind of a Google-like search, but also to take advantage of all of our contextualized, structured data fields. What this gives is an ability to have the right criteria to get very quickly to a set of information that is going to be impactful. To give an example of that, if I were to search for the word "finance", and I want to add to that, perhaps, not only finance but the words confidential, forecast, strategy, etc., I'm looking for terms that would be on highly confidential types of documents. I can run that search; however, that is a very broad search. That search could bring back a lot of innocuous activity, not just concerning activity. It would take a lot of time as an analyst to really review all of these activities: which are the activities that I would want to actually look at a little bit more closely, to determine whether that is a legitimate access for that type of content? I bet if we come up with a more precise search, we could get more quickly into an impactful assessment of information.

So perhaps I want to look not just for log messages containing finance and confidential, etc., but I also want to add that this was a successful access. So I'm going to look for how LogRhythm has classified that particular log. LogRhythm has support for over 750 different devices, applications and systems, where our LogRhythm Labs team has built pre-created processing rules to help derive more meaningful information, in contextualized, structured data, from those log messages. That gives me the ability to now utilize both the unstructured search against log data as well as the use of our structured data, where I can now have a much more precise search. I'm now looking for users on a watch list. That watch list is being populated automatically through AI Engine rules, as well as manually; we can add users to this watch list. So they've done something suspicious already, and they successfully have touched an object that now has these keywords: finance, confidential, etc. This provides a much more meaningful search, where now we're getting to a much more impactful set of information that allows me to understand which of those users have accessed financial, confidential, strategy records. These are users that I am concerned about. So I can see here I do have, from our file integrity monitoring (this is our endpoint monitoring solution), that we have seen users on the financial server who actually were in our watch list. I can see here the user is Steven Jacobs. So very quickly we're able to get to a concerning set of information, and again I can create a case that can capture this, "watch list user accessing compliance", and I can add in logs, etc., just like we saw before. Looks like I've got Steven Jacobs accessing records. Again I can tag this; maybe this is an insider threat or an account takeover. I could tag this by maybe the name Steven Jacobs. So I have the ability to capture all the pertinent information about this case, as well as any other logs and alarms that I might now want to associate to this case. So this is a second way that we can begin our workflow, through the use of precision search.

Now the last way that I'm going to show in this demonstration that we can begin this workflow is from our Alarms page. Great, so on the Alarms tab, what we see here is a representation of all the alarms that have fired, and we can see predominantly the risk-based score that's been associated to those alarms. Now, as an analyst, what I might look at are all new alarms for a particular entity. An entity is a logical segmentation of the network; this also aligns to our data segmentation, so for MSSPs this could be individual customers, for example. You can see here other filtering abilities as well as sorting abilities that I have, to sort by risk or sort by date, so that as an analyst I can come in and very quickly start getting to those high-risk activities and use my time as effectively as possible, based on those activities that represent an alarm. You'll see in the Inspector tab I have more information that can be used to help me understand more about why this alarm fired. You also see here that there are alarms that have associated SmartResponse actions. SmartResponse is an ability to tee up actions aligned to the type of activity that's been observed, that was captured in that alarm. So here in the Inspector tab, if I collapse the data and look at just the SmartResponse actions: multiple SmartResponse actions, which is new in LogRhythm 7, gives me the ability to have multiple actions teed up, or automated, automatically triggered as a result of this particular alarm. For example, in this case, when we had abnormal files accessed, we might immediately add this user to a watch list; that was an action that didn't require approvers and can immediately fire. We have other activities here, such as: we want to disable that account because we're concerned about that abnormal file access. Perhaps this is an activity we want a security analyst to review before they approve that action. And we can even have, perhaps, we want to just quarantine the device, take it off of the network by disabling its network interfaces; perhaps this is something that not only security but a network administrator needs to be involved with in that approval process. So we can have multiple types of actions, all teed up ready to go or automatically firing as a result of this particular activity that's been observed, through our SmartResponse capability.

Now I'm going to look at this particular alarm, which is a corroborated alarm. What corroborated means is it's actually seeing multiple activities that have all been triggered either from the same user, from the same host, or from the same kind of data, sensitive data. In this case it's a corroborated account anomaly, so it's seen multiple anomalies, three or more unique behavioral anomalies, from the same user, and this happens to be Steven Jacobs, who we're already familiar with. In fact, from our precision search we've already seen these abnormal files that were accessed; that was captured in an alarm. We can also see here that DPA protocol mismatch; that was an alarm from that activity that we saw from the drill-down off of the dashboard, from that threat activity map where we saw that action from China. So that's also represented here with a risk score in our Alarms page. From the Alarms page, not only do I have the ability to see information, I can then drill down to the underlying logs. I also have the ability to associate these logs into cases. Since we've already created a case about Steven Jacobs, we can now add this alarm into the case we've already created about this particular user.

Now let's drill down to that underlying set of information. So here are all of the particular activities that have been anomalous for this account, Steven Jacobs. We see again that financial server that's represented here, and, as we can on any screen, we have access to these underlying logs. Now what I want to do is pivot my search about Steven Jacobs as part of this investigation. If you notice, as I click on the row in this analyst grid there are gears here. What that gives me the ability to do is, I can click on a gear and I get options: I can add Steven Jacobs to a watch list or to other lists as well, and I can add Steven Jacobs to a search. So I'm going to search for Steven Jacobs, whether he is the logged-in user or the account, and I'm going to create a broader search with that particular criterion. I'm also going to add the financial server, whether that was the origin or the impacted host; I'm going to add that to my search. What that gives me the ability to do is, now I can add more search criteria if I wanted. I'm actually going to edit this: maybe I don't want "all of the following", I want "any of the following", anything about Steven Jacobs, anything within the financial server. My activities here have just been really within the last few minutes, so I can actually reduce my search criteria to within hours, or maybe even just within the last 15 minutes. So I now have again a precise search, to now go and look for everything Steven Jacobs, everything about this financial server, aligned to the investigation that I'm performing, and I can pull up those results now very quickly.

Now what can I see here? First I want to sort this; I actually want to see it by time, starting in the last 15 minutes, 12:03 to 12:11. What I can see here, well, this is interesting: what we're seeing is it looks like Carl Wilson actually granted access to Steven Jacobs, and then Steven Jacobs accessed the financial server, and then we can see Carl Wilson deleted Steven Jacobs. So this looks like a temporary account that was created. We also see a web access, and we can see here that this web access was to Dropbox. So certainly some concerning activities here that are occurring, with Carl Wilson using the account Steven Jacobs. And again, with our case here, we can add all these logs: Carl Wilson creating the account. So we've now gotten to a root cause of this particular system. In fact, if I remember, I could go back to the case about China; that China traffic also mentioned Carl. So I think we have a couple of activities here that are now associated together. In fact, that IRC traffic, we can pull that in as an associated case to Steven Jacobs, by associating these cases together, and now have the ability to really get to the superset of information. I'm going to go to the case itself. I can add collaborators to this case, perhaps escalating it to the tier two team. I can even assign different owners as I escalate this. Perhaps I want to review that information that I've pulled in, perhaps pin certain evidence as being more interesting: Carl Wilson creating the account, that is definitely kind of a pivotal piece of information about this case, so I can pin that to the top. Then I can get back to that IRC traffic from China, again to review that information, such as the pcaps or the logs themselves, to evaluate whether that was the Carl that they were referencing in that message that we saw.

So I hope you've seen throughout, whether we started on the dashboard, we started through precision search, or we started from an alarm, a full workflow where we were able to very quickly get to the evidence and collect evidence into a case, where we could coordinate that case with other analysts, where we could use SmartResponse to automate actions that would help us to more quickly get to information or mitigation countermeasures that we want to take. That allows us, in a more organized and expedient fashion, to detect and resolve the concerning activities, and the most concerning activities, given the ability to see the overall risk of those activities to the organization. On this case dashboard, and again this is customizable, we're able to view the case workflows or even see live information as it's being added into a case, to keep us well informed as to the status of particular sets of concerns or trends in the types of activities that we're seeing within the environment. I hope that this has been an informative session to learn much more about LogRhythm and see some of the new innovations that came in with LogRhythm 7 and how those could be used as part of this workflow. I want to thank you again for your time.
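The three detection ideas the demo walks through (a deep-packet protocol-mismatch rule that catches IRC on the DNS port, a precision search that narrows a keyword match with structured fields such as watch-list membership and a successful result, and a corroborated alarm that fires only when one account shows three or more distinct anomaly types, ranked by risk score) are illustrated by the following added Python example. It is not LogRhythm code and does not use LogRhythm's schema or scoring: the record fields, the port-to-protocol table, the watch list, the risk values, the threshold of three and the log records themselves are all constructed for the example.

```python
"""Toy SIEM-style correlation over constructed log records (added example, not LogRhythm code)."""
from collections import defaultdict

# Constructed, simplified log records in time order. Field names are assumptions, not a real schema.
EVENTS = [
    {"id": 1, "user": "sjacobs", "host": "finsrv01", "action": "file_read", "result": "success",
     "object": "FY17 finance forecast - confidential.xlsx", "dport": None, "app": None},
    {"id": 2, "user": "cwilson", "host": "dc01", "action": "account_create", "result": "success",
     "object": "sjacobs", "dport": None, "app": None},
    {"id": 3, "user": "sjacobs", "host": "ws-44", "action": "net_flow", "result": "success",
     "object": "203.0.113.9", "dport": 53, "app": "irc"},
    {"id": 4, "user": "sjacobs", "host": "ws-44", "action": "web_access", "result": "success",
     "object": "dropbox.com", "dport": 443, "app": "https"},
    {"id": 5, "user": "cwilson", "host": "dc01", "action": "account_delete", "result": "success",
     "object": "sjacobs", "dport": None, "app": None},
    {"id": 6, "user": "mlee", "host": "finsrv01", "action": "file_read", "result": "failure",
     "object": "finance strategy.docx", "dport": None, "app": None},
    {"id": 7, "user": "mlee", "host": "ws-12", "action": "net_flow", "result": "success",
     "object": "198.51.100.7", "dport": 53, "app": "dns"},
]

WATCHLIST = {"sjacobs"}                                   # constructed watch list
SENSITIVE_TERMS = ("finance", "confidential", "forecast", "strategy")
EXPECTED_APP_ON_PORT = {53: {"dns"}, 80: {"http"}, 443: {"https", "tls"}}  # assumed mapping
RISK = {"protocol_mismatch": 70, "sensitive_file_access": 60,             # constructed scores
        "cloud_storage_access": 40, "temporary_account": 55}
CORROBORATION_THRESHOLD = 3   # distinct anomaly types per user before a corroborated alarm


def protocol_mismatch(event):
    """Deep-packet style check: the identified application does not belong on the port."""
    expected = EXPECTED_APP_ON_PORT.get(event.get("dport"))
    app = event.get("app")
    return bool(expected) and app is not None and app not in expected


def precision_search(events, terms=SENSITIVE_TERMS, watchlist=WATCHLIST):
    """Keyword match on the object name, narrowed by structured fields (user, action, result)."""
    return [e for e in events
            if e["action"] == "file_read" and e["result"] == "success"
            and e["user"] in watchlist
            and any(t in e["object"].lower() for t in terms)]


def single_event_anomalies(events):
    """(user, anomaly_type, event_id) tuples from rules that need only one record."""
    out = []
    for e in events:
        if protocol_mismatch(e):
            out.append((e["user"], "protocol_mismatch", e["id"]))
        if e["action"] == "web_access" and e["object"].endswith("dropbox.com"):
            out.append((e["user"], "cloud_storage_access", e["id"]))
    for e in precision_search(events):
        out.append((e["user"], "sensitive_file_access", e["id"]))
    return out


def temporary_account_anomalies(events):
    """Same admin creates and later deletes the same account: flag the admin, not the account."""
    created, out = {}, []
    for e in events:
        key = (e["user"], e["object"])
        if e["action"] == "account_create":
            created[key] = e["id"]
        elif e["action"] == "account_delete" and key in created:
            out.append((e["user"], "temporary_account", e["id"]))
    return out


def build_alarms(events):
    """Group anomalies per user; corroborate when enough distinct types are seen; rank by risk."""
    per_user = defaultdict(list)
    for user, kind, eid in single_event_anomalies(events) + temporary_account_anomalies(events):
        per_user[user].append((kind, eid))
    alarms = []
    for user, items in per_user.items():
        kinds = sorted({k for k, _ in items})
        if len(kinds) >= CORROBORATION_THRESHOLD:
            # One corroborated alarm: highest single score plus a bonus per extra anomaly type.
            score = min(100, max(RISK[k] for k in kinds) + 10 * (len(kinds) - 1))
            alarms.append({"user": user, "rule": "corroborated_account_anomaly", "risk": score,
                           "types": kinds, "evidence": sorted(eid for _, eid in items)})
        else:
            for k in kinds:
                alarms.append({"user": user, "rule": k, "risk": RISK[k], "types": [k],
                               "evidence": sorted(eid for kk, eid in items if kk == k)})
    return sorted(alarms, key=lambda a: a["risk"], reverse=True)


if __name__ == "__main__":
    for alarm in build_alarms(EVENTS):
        print(f"risk={alarm['risk']:3d} user={alarm['user']:8s} rule={alarm['rule']} "
              f"types={alarm['types']} evidence={alarm['evidence']}")
```

Run stand-alone, the script lists two alarms: a corroborated account anomaly for `sjacobs` (sensitive file read, IRC on port 53, Dropbox access; risk 90) ranked above a temporary-account alarm for `cwilson` (risk 55). The `mlee` records produce nothing: the failed read is outside the watch list, and DNS on port 53 is the expected protocol, which is the distinction the mismatch rule is built to make.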
Info
Channel: LogRhythm
Views: 102,504
Rating: 4.9104476 out of 5
Keywords: LogRhythm, Log Rhythm, SIEM, security analytics, network security, log management, file integrity monitoring, Log Management, Security Intelligence, Information Security, SIEM Security, Demo, LogRhythm 7
Id: 9TRqZuZqtKY
Length: 24min 55sec (1495 seconds)
Published: Thu Dec 22 2016