LogRhythm Security Orchestration, Automation, and Response (SOAR) Overview
Why Security Orgs Want SOAR
• Need to reduce mean time to detect, respond, and remediate
• Need to manage alerts and incident investigations with a consistent and collaborative workflow
• Need to enhance staff productivity
• Need to adhere to compliance mandates
• Need to measure and manage SOC efficacy
©LogRhythm 2018. All rights reserved. Company Confidential 2
SOAR Embedded in Our NextGen SIEM Platform
[Platform diagram. Workflow stages across the top: Forensic Data Collection, Discover, Qualify, Investigate, Neutralize, Recover. Layers from top to bottom: Security Orchestration, Automation, and Response (SOAR); Security Analytics (UEBA, NTBA) powered by LogRhythm CloudAI and AI Engine; Data Collection (Enterprise Log Management, Endpoint Monitoring, Network Monitoring); MDI Fabric; Enterprise Security Data Lake powered by Elasticsearch.]
High Interest in SOAR
[Chart: percentage of customers who have adopted versus want to adopt Case Management and SmartResponse. Source: LogRhythm Customer Adoption Survey, July 2018.]
Case and Incident Management Workflow
Step One: Quick Alarm Triage
The Right Starting Point
• High-efficacy events and alarms
• Alarms organized by risk level
• Aligned with guided workflow
• Differentiate between high- and low-risk threats and harmless anomalies
• Optimize false negative risk versus false positive load
Step Two: Threat Context
Power Incident Investigation with Internal Business Context
• Perform contextual lookups from within the UI, including custom lookups via SmartResponse
• AD Sync enables quick access to user details
• LogRhythm can access contextual information from almost any internal data source, expediting incident investigation
• Access information on Whois, Trace, Ping, and more
• Quickly access and preserve host details
Streamline Investigation with 3rd Party Threat Intelligence
Feed categories: Standards-Based, Commercial Partners, Open-source Providers
Open-source providers:
• Abuse.ch
• AlienVault
• HailATaxi
• Malware Domain
• PhishTank
• SANS-ISC
• SpamHaus
• TOR Network
The LogRhythm NextGen SIEM Platform expertly handles threat intel feeds, enabling quicker detection and investigation of high-impact threats.
Step Three: Investigation
Case Management Playbooks
• Provide a set of procedures for incident management
• Enable less skilled analysts to handle routine incidents in a predictable way
• LogRhythm Labs published pre-built playbooks for common threat types
• Customers can develop content
Screen callouts:
• Add multiple playbooks to a Case to scale and accelerate incident investigation and response
• Add playbooks to a Case for consistent, productive, and accurate investigation
• Playbooks list steps to contain a threat for a repeatable workflow available to the whole team
Effectively Prioritize Tasks with the Procedures Widget
Case Monitoring
• Monitor team efficacy overall and by different threat types to highlight trends and measure SOC efficiency
• View case trends by type and priority to better understand organizational risk and resource planning
• Track open incidents to monitor progress and accurately prioritize cases for greater efficiency
• Monitor live feeds for greater visibility into current investigations
Step Four: Mitigation
SmartResponse Automation to Streamline Data Gathering, Neutralization, and Remediation
SmartResponse Execution Options
• Simple and flexible plugin architecture
  - Extensive library developed by Labs
  - Community-provided plugins by partners and customers
• SmartResponse actions from LogRhythm SysMon let distributed enterprises:
  - Execute local actions
  - Execute central or remote actions
• Implement playbooks by pre-staging actions for specific alarms
• Trigger one or many actions with Alarms
  - Investigate appropriate actions based on observed activity
SmartResponse Use Case Examples
Countermeasure & Mitigation
✓ Block an IP address, port, or URL at the network perimeter
✓ Initiate a forensic dump on a compromised endpoint
✓ End a host process or service
✓ Take a host offline by disabling its NIC
✓ Log off a user
✓ Reset a user's AD password
✓ Manage users or groups in AD
Contextualization
✓ Upload and scan a file to Cisco ThreatGrid or VirusTotal to see if it contains malware
✓ Query a threat intelligence provider for detailed information on external entities
✓ Perform a lookup to a CSV file
✓ Look up an email address on HaveIBeenPwned to see if associated credentials have been compromised
Remediate at Scale with SmartResponse Automation
Growing set of community-developed actions
Step Five: Continuous Improvement
Measuring SOC Effectiveness
• Measure key workflow actions to analyze SOC performance
• Data visualizations show operational efficacy over time
• Filter by Case Tags to analyze efficiency by incident type
• Access Case metrics data via REST API to analyze Security Operations with 3rd party tools (e.g., Tableau)
Thank You