
LogRhythm v7 Positioning and Benefits

Train & Thrive
8/7/2015

COMPANY CONFIDENTIAL

LogRhythm 7 Focus

Customer Need: Enterprise Scalability
Consume and analyze ever increasing volumes of data efficiently and reliably, fully utilizing invested hardware for the solution.
LogRhythm 7 Innovation:
- New back-end technologies at the log data layer increase indexing rates and search performance, and provide full data replication via clustering.
- Independent scalability at the data processing and indexing tiers delivers improved performance and active/active massive-scale deployments.
- General user interface enhancements supporting optimal workflows when administering very large deployments (e.g., 100K+ log sources).
- System Monitor administration and configuration enhancements, delivering low TCO for large agent deployments (e.g., 100K+ agents).

Customer Need: Search
Simpler search experience to enable greater forensic efficiency when hunting for and qualifying threats.
LogRhythm 7 Innovation:
- Introduction of a big data search engine technology to deliver machine data search at massive scale.
- Combination of structured and unstructured search capabilities in a powerful, streamlined search builder for search precision.

Customer Need: Powering the Next Gen SOC
More optimized work flows from a
LogRhythm 7 Innovation:
- New UI visualizations and enhanced alarm risk-based prioritization for more quickly identifying qualified threats.

Enterprise Scalability

Innovation Increases Global Enterprise Scalability

Key Innovation: Significant indexing performance improvements
Customer Impact: More efficiently delivers 100% indexed solutions, ensuring all data is available in rapid-access search.

Key Innovation: Clustering & Active/Active HA
Customer Impact: Greater search performance and cost-effective deployment resiliency.

Key Innovation: Retained feature parity across UI and archive restoration
Customer Impact: No loss of features and full access to historical archive data.

Key Innovation: Independent scaling of processing and indexing layers
Customer Impact: Superior architecture for massive-scale deployments: more resilient, more efficient.

Key Innovation: Appliance-line refresh to best take advantage of scalability options
Customer Impact: Optimal benefit of the LogRhythm 7 software architecture and inherent hardware-based performance improvements.

LogRhythm 7 Highly Scalable Component Architecture

[Diagram: log data flows from the Generation and Collection tiers through Processing to Persistence and Machine Analytics, with the Platform Manager providing Management. Per-component details, as shown on the diagram, follow. MPS is messages per second.]

Generation: System Monitor & Network Monitor
- Capture unlogged endpoint activity and unlogged network activity
- Horizontal & vertical scalability
- Local caching

Collection: Data Collector
- Sources: security devices; network devices; applications, databases & servers; industry-specific devices (SCADA, POS, etc.)
- Active/Passive HA
- Horizontal scalability
- Load balancing

Processing: Data Processor
- Active/Active HA
- Horizontal & vertical scalability
- Max processing rate up to 15,000 MPS per node

Persistence: Data Indexer
- Active/Active HA
- Clustered scalability
- Expandable storage
- Max indexing rate up to 10,000 MPS per node

Machine Analytics: AI Engine
- Active/Passive HA
- Horizontal & vertical scalability
- Max processing rate up to 75,000 MPS per node

Management: Platform Manager
- Active/Passive HA
- Vertical scalability
- Expandable storage

LogRhythm 7 Data Indexer Clustering

Provides Increased Search Performance and Enables Higher Concurrent Use

Clustered Architecture

[Diagram: Data Collector (DC) -> Data Processor (DP) -> DX Cluster. Data blocks 1 to 6 are spread across three indexer nodes, and each block is also held as a replica on a second node.]

- Processed data is sent to the cluster.
- Data is stored uniformly across the nodes of the cluster.
- Data is also replicated across the cluster.
- Search takes advantage of parallel processing and multiple locations of data, providing faster searches and supporting more concurrent users.

LogRhythm 7 Data Indexer Clustering

Ensures Continued Accessibility

Clustered Architecture

[Diagram: the same three-node DX Cluster with one node removed; every data block is still present on a surviving node.]

- If a cluster loses a node, data is still available for search.
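The replication behaviour in the two clustering slides above can be checked with a small model. The following is an added example, not LogRhythm code: it spreads numbered data blocks (shards) across indexer nodes with a chosen number of replica copies, then reports which shards remain searchable after given nodes fail and how many simultaneous node failures the placement tolerates. The node names, the round-robin placement rule and the shard counts are assumptions for illustration; the actual Data Indexer placement is not described on the page.

```python
"""Toy model of a replicated indexer cluster (added example, not LogRhythm code).

place_shards spreads n_shards across the given nodes so that every shard
exists on (replicas + 1) distinct nodes.  available_shards / lost_shards
show what a search can still reach after a set of nodes fails, and
tolerated_node_failures finds how many simultaneous failures are survivable.
Node names and the round-robin placement rule are illustrative assumptions.
"""
from itertools import combinations


def place_shards(nodes, n_shards, replicas=1):
    """Return {node: set(shard_ids)}; each shard lands on replicas+1 nodes.

    Shard i's primary copy goes to nodes[(i-1) % len(nodes)] and each replica
    copy to the following node(s), wrapping around, so no node ever holds
    two copies of the same shard.
    """
    if replicas >= len(nodes):
        raise ValueError("need more nodes than copies per shard")
    placement = {node: set() for node in nodes}
    for shard in range(1, n_shards + 1):
        start = (shard - 1) % len(nodes)
        for copy in range(replicas + 1):
            placement[nodes[(start + copy) % len(nodes)]].add(shard)
    return placement


def available_shards(placement, failed):
    """Shards that still have at least one copy on a surviving node."""
    surviving = (shards for node, shards in placement.items() if node not in failed)
    return set().union(*surviving)


def lost_shards(placement, failed, n_shards):
    """Shards with no surviving copy, i.e. data a search can no longer reach."""
    return set(range(1, n_shards + 1)) - available_shards(placement, failed)


def tolerated_node_failures(placement, n_shards):
    """Largest k such that *any* k simultaneous node failures lose no shard."""
    nodes = list(placement)
    for k in range(1, len(nodes) + 1):
        for failed in combinations(nodes, k):
            if lost_shards(placement, set(failed), n_shards):
                return k - 1
    return len(nodes)


if __name__ == "__main__":
    # Three DX nodes, six data blocks, one replica: matches the slide's diagram.
    cluster = place_shards(["dx1", "dx2", "dx3"], n_shards=6, replicas=1)
    for node, shards in cluster.items():
        print(node, sorted(shards))
    print("lost after dx1 fails:", lost_shards(cluster, {"dx1"}, 6))
    print("lost after dx1+dx2 fail:", lost_shards(cluster, {"dx1", "dx2"}, 6))
    print("tolerated simultaneous failures:", tolerated_node_failures(cluster, 6))
```

With one replica the cluster survives the loss of any single node, which is what the second diagram shows; losing two of three nodes at once leaves shards with no surviving copy, so the replica count, not clustering by itself, sets the failure budget.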

LogRhythm 7 Data Indexer: Advanced software architecture

[Diagram, "Inside an Indexer": the Data Processor and the Web and Client Console(s), the latter served to a local browser (for now), connect to the indexer, whose services shown are Dispatch, Columbo, Elasticsearch, Hermes, Gomaintain, Grafana, Carpenter, a Config Server with its config files, HeartThrob, Vitals, InfluxDB and the EMDB.]

Micro-services are small and single-purposed:
- Enables faster development
- Facilitates scale of development
- Improves code quality
- Use of GoLang for highly performant services

Results in a more resilient and fault-tolerant data indexing tier with higher performance.

Precision Search

Innovation in Search-Based Analytics for Search Precision

Innovation: Ability to uniquely search across both structured and unstructured data sets, leveraging ingrained machine device intelligence for over 750 different systems, devices, and applications along with keyword search.
Impact: Search precision to deliver targeted, relevant results, reducing time spent on analysis and search result filtering. For example:
- All logs categorized by LogRhythm as Account Modify
- Where Jacob.Franklins is the logged-in user
- And the log includes the phrase 0120000340AB

Innovation: Re-use of LogRhythm's leading contextualization search experience.
Impact: No re-training or re-tooling required, allowing teams to easily take advantage of search precision without ramp-up time or re-education.

Innovation: Raw message text is prepared for
Impact: Tokenization prepares log messages for key word search with highly

Preparing Data for Search and Machine-based Analytics

[Diagram: Raw Log Data -> Data Collector (normalized date + raw log data) -> Data Processor (log data + contextualized metadata). From the Data Processor, signed logs go to the Archives, and the contextualized metadata goes to the AI Engine and the Data Indexer.]

Preparing Data for Search-based Analytics

[Diagram: inside the Data Indexer, message text passes through the Elasticsearch analyzer chain of CharFilters -> Tokenizer -> Token Filters; the resulting tokens, together with the contextualized fields produced by the Data Processor, are stored in Elasticsearch.]

Raw message text is processed through a series of filters, enabling fast keyword searches.

The result is a powerful search experience with precise, targeted search results, giving greater efficiency to the analyst's workflow.
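The Precision Search example above (Account Modify, logged-in user Jacob.Franklins, phrase 0120000340AB) and the analyzer chain just described are two halves of one query: structured predicates over the contextualized fields, and a keyword match over tokens produced by char filters, a tokenizer and token filters. The block below is an added example, not LogRhythm or Elasticsearch code: it implements a minimal analyzer of that shape and an in-memory index that combines both halves. The filter rules, the field names (classification, login) and the sample log records are constructed for illustration and are not the product's actual field names or tokenizer settings.

```python
"""Structured + unstructured search over analyzed log text (added example).

Not LogRhythm code.  Models the two search paths named on the page: the
contextualized metadata fields are matched as exact structured predicates,
while raw message text goes through char filter -> tokenizer -> token
filters into an inverted index for keyword search.  Field names, filter
rules and the sample records below are illustrative assumptions.
"""
import re
from collections import defaultdict


# --- analyzer chain: char filter -> tokenizer -> token filters -----------
def char_filter(text):
    """Char filter: normalize whitespace before tokenization."""
    return re.sub(r"\s+", " ", text)


def tokenize(text):
    """Tokenizer: split on anything that is not a letter, digit, '.' or '_'.

    Keeping '.' inside tokens means 10.0.0.5 and Jacob.Franklins survive as
    single searchable units instead of being shredded into fragments.
    """
    return [t for t in re.split(r"[^A-Za-z0-9._]+", text) if t]


def token_filters(tokens):
    """Token filters: lowercase, and drop sentence-ending dots."""
    return [t.lower().strip(".") for t in tokens if t.strip(".")]


def analyze(text):
    """Full analyzer: the same chain is applied at index and at query time."""
    return token_filters(tokenize(char_filter(text)))


# --- index: structured fields per document, message tokens inverted -------
class LogIndex:
    def __init__(self):
        self.docs = {}                    # doc_id -> contextualized metadata
        self.inverted = defaultdict(set)  # token -> {doc_id, ...}

    def add(self, doc_id, metadata, message):
        self.docs[doc_id] = metadata
        for tok in analyze(message):
            self.inverted[tok].add(doc_id)

    def search(self, fields=None, phrase=None):
        """AND of structured predicates and of every token in `phrase`."""
        hits = set(self.docs)
        for key, value in (fields or {}).items():
            hits &= {i for i, m in self.docs.items() if m.get(key) == value}
        if phrase:
            for tok in analyze(phrase):
                hits &= self.inverted.get(tok, set())
        return sorted(hits)


# Constructed sample records: (doc_id, contextualized fields, raw message).
SAMPLE_LOGS = [
    (1, {"classification": "Account Modify", "login": "Jacob.Franklins"},
     "Account attributes changed. Target: svc_backup Ticket: 0120000340AB"),
    (2, {"classification": "Account Modify", "login": "Jacob.Franklins"},
     "Password reset for user ops_admin, ticket 0120000999ZZ"),
    (3, {"classification": "Account Modify", "login": "mia.chen"},
     "Group membership added ref 0120000340AB"),
    (4, {"classification": "Authentication Success", "login": "Jacob.Franklins"},
     "Logon from 10.0.0.5 ref 0120000340AB"),
]


def build_index(records=SAMPLE_LOGS):
    idx = LogIndex()
    for doc_id, meta, msg in records:
        idx.add(doc_id, meta, msg)
    return idx


def example_query(idx=None):
    """The page's example: Account Modify, by Jacob.Franklins, containing 0120000340AB."""
    idx = idx or build_index()
    return idx.search(
        fields={"classification": "Account Modify", "login": "Jacob.Franklins"},
        phrase="0120000340AB",
    )


if __name__ == "__main__":
    print(example_query())  # only record 1 satisfies all three conditions
```

Records 3 and 4 contain the same phrase but fail a structured predicate, which is the precision the slide is describing: the keyword match alone would return three hits. Note also that the tokenizer decides what is searchable at all; the choice to keep dots inside tokens is what lets an IP address or a dotted user name be matched whole.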

Powering the Next Gen SOC

Reducing time to detect qualified threats

Benefits
- Quicker detection and qualification of threats, supporting the full end-to-end workflows of the Power User in the Web Console
- Improved signal-to-noise ratio, so analysts can allocate their time to the most pressing threats

Innovations
- Threat Map: real-time geolocation threat display
- Enhanced Risk-based Monitoring & Analysis
- Improved Risk Based Prioritization (RBP)
- List expiring values
- Misc. customer-driven analytics enhancements

Dashboard Widget
A single view of the customer's threat landscape

Case & Security Incident Management Enhancements

Innovation: Evidence pinning
Impact: Highlight key evidence so that collaborators become effective and engaged in the investigation more quickly.

Innovation: Case association
Impact: Ensure related activities are all associated together, so that the full scope is understood and nothing falls through the cracks.

Innovation: Case tags
Impact: Tagging gives better visibility into trends and commonalities, enabling operational workflow and visibility into business risk:
- More efficient organization and workflow
- Improved searchability of cases and incidents
- Helps ensure analysts & managers have instant access to the most relevant
Making SmartResponse More Available and Actionable

Key Innovation: Remote SmartResponse Execution
Impact: Extends SmartResponse action execution down to the host, allowing actions to take place where the activities are being recognized. For example:
- Disable local accounts
- Terminate or re-enable services and processes
- Interface with a branch firewall to terminate a covert communication channel

Key Innovation: Manual Remote Execution
Impact: Actions can be queued or immediately initiated, allowing analysts to take immediate action on observed activities, reducing time and effort.

Key Innovation: Multiple Actions Per Alarm
Impact: Extends the power of SmartResponse™ by automating multiple investigatory and/or remediation steps associated with a threat. For example, after recognizing multiple behavioral changes from the same host:
1. Immediately perform a forensic memory dump of the host, no approvals required

Because remotely executed actions run with the agent's privileges on the host, actions allowed to run without approval should be limited to ones that are investigative or readily reversible; disabling accounts or terminating services on a false positive has its own operational cost.

Preventing Malware Propagation with Endpoint Lockdown

LogRhythm Labs-developed SmartResponse™ plugin takes advantage of the new remote SmartResponse™ execution capability:
- Captures exhaustive forensic data
- Disables the endpoint while preserving state

Allows analysts to take action and extend the investigation to understand the intention and root cause of recognized malware or compromise.

Sample Report from Endpoint Lockdown Plugin
Each section contains detailed endpoint forensics captured from the system.

Reduce the complexity of managing large scale environments

Improved System Monitor Agent Management reduces Overhead and enables increased scaling

Policy-Based Management
#1 Build your template
#2 Assign to agents

Simplified System Monitor Patch Management

System Monitor Auto Upgrade
- Central management of software versioning
- Allows a security team to manage the patch process, eliminating the need for outside groups to perform updates
- Enables larger agent deployments by removing the need for third parties to maintain/upgrade versions
Impact: Easier, more efficient and lower management costs; enables larger System Monitor deployments.

Simplified System Monitor Log Source Admin

Advanced filter bar enables more targeted loading of agents and log sources when counts are in the hundreds of thousands:
- Fast access to objects of interest in large environments
- Easier targeted administration via batch actions
