LogRhythm Advances NextGen SIEM Security Platform With SOAR Features

LogRhythm is adding case playbooks and enhanced response and Security Operations Center metrics to its NextGen SIEM platform.


Some organizations might think of Security Information and Event Management (SIEM) technology as only being concerned with log collection for security, but that's not what LogRhythm's NextGen SIEM system is all about.

LogRhythm announced its 7.4 release on Oct. 30, enhancing the company's NextGen SIEM platform with advanced Security Orchestration, Automation and Response (SOAR) capabilities. Among the new features in the LogRhythm update are case playbooks for organizing a workflow for security events. Automated response actions have also been added to the platform as well as Security Operations Center (SOC) metrics.

"In the 7.4 release we've furthered our feature set for SOAR with the introduction of more formalized procedural playbooks that bring along a specific set of tasks and procedures for common types of issues, such as ransomware and phishing," Chris Petersen, co-founder and chief product and technology officer at LogRhythm, told eWEEK. "These playbooks can be pulled into the investigation, and then all the procedures, tasks and deadlines come along with it automatically to ensure a highly consistent response by the security operations team."

The LogRhythm 7.4 update also integrates additional automated response actions into the platform. LogRhythm has a framework called SmartResponse, which supports plugins that provide remediation and response actions. Plugins include threat intelligence lookups as well as remediation actions such as disabling accounts, quarantining endpoints and killing sessions.

"We keep adding plugins into this framework that allow us to integrate with a wide variety of third-party technologies," Petersen said. "We've added about 45 additional automated actions to our library."

Metrics are also getting a boost in the new update. Petersen said that there are now deeper metrics in the platform that enable organizations to measure the time to triage and qualify security alarms, as well as how much time it takes to investigate threats.

"Our goal here is to really arm the CISO or SOC manager with very detailed intelligence into their security operations team with metrics where they can understand where they are trending in terms of ability to detect and respond to threats," he said.
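To make the two features discussed above concrete, the case playbooks with tasks and deadlines (described earlier in the article) and the triage and investigation timing metrics, here is an added illustration in Python. It is not LogRhythm's code and the article shows no implementation; the playbook task lists, the relative deadlines and the case timeline are constructed assumptions chosen only to exercise the logic.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional, Tuple

# Constructed example (not LogRhythm's code): a minimal model of case
# playbooks with relative deadlines, and of the two SOC timing metrics the
# article mentions: time to qualify an alarm and time to investigate it.

# Playbook templates: (task name, deadline relative to when the playbook is
# attached to the case). Task lists and deadlines are illustrative assumptions.
PLAYBOOKS: Dict[str, List[Tuple[str, timedelta]]] = {
    "phishing": [
        ("Pull original message headers", timedelta(hours=1)),
        ("Check who else received it", timedelta(hours=2)),
        ("Block sender domain at mail gateway", timedelta(hours=4)),
        ("Reset credentials of users who clicked", timedelta(hours=8)),
    ],
    "ransomware": [
        ("Isolate affected endpoints", timedelta(minutes=30)),
        ("Identify initial access vector", timedelta(hours=4)),
        ("Verify backup integrity", timedelta(hours=6)),
        ("Engage legal and communications", timedelta(hours=12)),
    ],
}


@dataclass
class Task:
    name: str
    due: datetime
    done: Optional[datetime] = None


@dataclass
class Case:
    case_id: str
    alarm_at: datetime                         # alarm raised by the SIEM
    qualified_at: Optional[datetime] = None    # analyst confirmed it is a real incident
    closed_at: Optional[datetime] = None       # investigation finished
    tasks: List[Task] = field(default_factory=list)


def attach_playbook(case: Case, playbook: str, attached_at: datetime) -> Case:
    """Copy a playbook's tasks into the case, turning relative deadlines into absolute ones."""
    for name, rel in PLAYBOOKS[playbook]:
        case.tasks.append(Task(name=name, due=attached_at + rel))
    return case


def overdue_tasks(case: Case, now: datetime) -> List[str]:
    """Names of tasks past their deadline that are not yet marked done."""
    return [t.name for t in case.tasks if t.done is None and now > t.due]


def time_to_qualify(case: Case) -> Optional[timedelta]:
    """Alarm raised -> analyst qualified it. None while the alarm is still in triage."""
    if case.qualified_at is None:
        return None
    return case.qualified_at - case.alarm_at


def time_to_investigate(case: Case) -> Optional[timedelta]:
    """Qualified -> closed. None until the investigation is finished."""
    if case.qualified_at is None or case.closed_at is None:
        return None
    return case.closed_at - case.qualified_at


def soc_metrics(cases: List[Case]) -> Dict[str, float]:
    """Median time-to-qualify and time-to-investigate (minutes) over cases with the data."""
    ttq = [time_to_qualify(c).total_seconds() / 60 for c in cases if time_to_qualify(c) is not None]
    tti = [time_to_investigate(c).total_seconds() / 60 for c in cases if time_to_investigate(c) is not None]
    return {
        "median_minutes_to_qualify": median(ttq) if ttq else float("nan"),
        "median_minutes_to_investigate": median(tti) if tti else float("nan"),
        "cases_counted": len(cases),
    }


# Constructed timeline for the example; the date is arbitrary.
SAMPLE_NOW = datetime(2018, 10, 30, 11, 30)


def build_sample_cases() -> List[Case]:
    t0 = datetime(2018, 10, 30, 9, 0)
    c1 = Case("C-1", alarm_at=t0, qualified_at=t0 + timedelta(minutes=15),
              closed_at=t0 + timedelta(hours=3))
    attach_playbook(c1, "phishing", c1.qualified_at)
    c1.tasks[0].done = t0 + timedelta(minutes=40)       # first task completed on time
    c2 = Case("C-2", alarm_at=t0 + timedelta(hours=1),
              qualified_at=t0 + timedelta(hours=1, minutes=45),
              closed_at=t0 + timedelta(hours=9))
    attach_playbook(c2, "ransomware", c2.qualified_at)
    c3 = Case("C-3", alarm_at=t0 + timedelta(hours=2))  # still in triage, excluded from metrics
    return [c1, c2, c3]


if __name__ == "__main__":
    sample = build_sample_cases()
    print(soc_metrics(sample))
    for c in sample:
        print(c.case_id, "overdue at", SAMPLE_NOW, overdue_tasks(c, SAMPLE_NOW))
```

Cases that have not yet been qualified or closed are deliberately left out of the medians rather than counted as zero, which is the mistake that makes a dashboard look better as the backlog grows; the unqualified case still shows up in the count so the gap is visible.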

Thoma Bravo

This has been an eventful year for LogRhythm, which was acquired by private equity firm Thoma Bravo on July 2. 

Petersen said that since the acquisition, there has not been a whole lot of change at LogRhythm in terms of day-to-day operations. He did note that the Thoma Bravo team brings management experience that helps accelerate and grow the LogRhythm business.

"Thoma Bravo brings a lot of expertise to the management team to just help us continue to realize the goals of the business and the mission of the company," Petersen said, "which is to be a platform leader in next-gen SIEM."

SIEM vs SOAR

While the SIEM market was once only about log files, Petersen said that the traditional view of SIEM is very narrow in terms of what organizations actually need.

"The fundamental purpose of SIEM in the first place was to enable detection of and response to threats," Petersen said. "The fundamental mission of SIEM is to correlate data, identify the right alarms and get teams to respond."

Petersen added that in the modern era, getting teams to respond faster involves orchestrating and automating as many actions as possible. Petersen sees the move to integrate SOAR capabilities into SIEM as an evolution of what SIEM should provide.

"One of the challenges with SOAR being a separate technology that is put on top of a legacy SIEM is you have two different pieces of software that need to be integrated through APIs and need to have some kind of an integrated workflow," he explained.

Having two separate technologies, rather than integrating SOAR into SIEM, slows down the process and introduces additional complexity, according to Petersen. The LogRhythm model has a unified user interface that lets a user move through the SIEM components for correlation and analytics and then directly into executing remediation actions.

"You're not having to pivot between two different pieces of software to execute a workflow that really needs to be done cohesively," Petersen said. "Fundamentally, what we're trying to achieve here is speed of throughput and speed through the SOC."

Looking forward, Petersen said that LogRhythm will be looking to apply additional machine learning capabilities into the platform for behavioral profiling and predictive analytics.

"Next year you'll see us make more announcements around SOAR and around our UEBA [User and Entity Behavior Analytics] product as well," Petersen said. "We will be talking about a new product that is focused more on the network detection side of things."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
