Network & Process Monitoring
In today’s globally distributed enterprises, it’s critical to know what’s happening throughout the entire IT environment and be able to tie it all together. The challenge is finding a way to correlate event data that is consistently recorded with activities that may not be regularly logged, such as processes starting and stopping or network connections being established.
LogRhythm delivers independent awareness and unprecedented insight into what’s happening on your network, from routers and switches to host systems and endpoint devices–both inside and outside the network. Automated data enrichment adds event-specific network context, such as Source IP and Impacted Host. LogRhythm also factors in network-aware risk-level information with event and asset-specific risk ratings, providing a comprehensive and globally aware view of the entire IT environment.
Network Connection and Process Monitoring deliver rapid insight into critical events by providing access to detailed event information at the endpoint, above and beyond what is available in standard log data.
Process Monitor
Challenge
Enterprise IT systems have a constant flow of processes starting and stopping, but these events are inconsistently logged, making them difficult to monitor without an independent record of the event. The sheer volume of activity makes identifying failing or rogue processes difficult.
Solution
LogRhythm’s Host Activity Monitoring creates an independent log of all processes and adds valuable context, including process name, user or account that owns the process, and process start time and duration.
Benefit
LogRhythm can automatically alert on non-whitelisted processes when they are started on controlled servers and devices. Additional visualization tools can be used to map every location within the environment where that same process is running, for rapid forensic and root cause analysis.
Network Connection Monitor
Challenge
Access to host-level detail surrounding network behavior is a critical component of real time monitoring and forensic analysis. This can be limited in an enterprise environment due to a lack of connection-specific log data or limited access to flow data.
Solution
LogRhythm’s Host Activity Monitoring creates an independent log with relevant detail such as port, communication direction, the process that opened the connection, and the users that are logged in.
Benefit
LogRhythm can alert on suspect behavior and blacklisted activities, such as unauthorized hosts running web servers or FTP services running on confidential file servers. The services actually in use can also be reverse-engineered to help establish tighter access control lists.
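As an added illustration of the two alerting rules described above (non-whitelisted processes on controlled servers, and blacklisted services such as FTP on file servers) together with the "where else is this process running" pivot, the following is example code written for this page, not LogRhythm's own implementation. The host roles, approved-process lists, forbidden-service table and event field names are all assumptions; the events are constructed samples in the shape an endpoint agent might report.

```python
from collections import defaultdict

# Added example, not LogRhythm's code: the two alerting rules the text describes,
# run over constructed endpoint-monitor events. Host roles, approved-process
# lists and the event field names are assumptions made for the demo.
HOST_ROLES = {"db01": "db-server", "fs01": "file-server", "ws17": "workstation"}
# Controlled roles carry an approved-process list; other starts there are alerted.
APPROVED_PROCESSES = {"db-server": {"postgres", "sshd", "agent"}}
# Services that must never accept connections on hosts of a given role.
FORBIDDEN_LISTENERS = {"file-server": {21: "ftp", 80: "http", 443: "https"}}

# Constructed sample events in the shape an endpoint agent might report.
EVENTS = [
    {"type": "process_start", "host": "db01", "process": "postgres", "user": "postgres"},
    {"type": "process_start", "host": "db01", "process": "nc", "user": "svc-backup"},
    {"type": "process_start", "host": "ws17", "process": "postgres", "user": "jdoe"},
    {"type": "net_connect", "host": "fs01", "direction": "inbound",
     "local_port": 21, "process": "vsftpd", "remote": "10.0.5.23"},
    {"type": "net_connect", "host": "fs01", "direction": "outbound",
     "local_port": 51322, "process": "smbd", "remote": "10.0.1.9"},
]


def evaluate(events):
    """Return (rule, host, detail) tuples for events that violate a rule."""
    alerts = []
    for e in events:
        role = HOST_ROLES.get(e["host"], "unknown")
        if e["type"] == "process_start":
            approved = APPROVED_PROCESSES.get(role)
            # Uncontrolled roles have no list and are deliberately not alerted.
            if approved is not None and e["process"] not in approved:
                alerts.append(("non_approved_process", e["host"],
                               f"{e['process']} started by {e['user']}"))
        elif e["type"] == "net_connect" and e["direction"] == "inbound":
            svc = FORBIDDEN_LISTENERS.get(role, {}).get(e["local_port"])
            if svc:
                alerts.append(("forbidden_service", e["host"],
                               f"{svc}/{e['local_port']} served by {e['process']}"))
    return alerts


def hosts_running(events, process):
    """Forensic pivot: map every host where the given process was started."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "process_start" and e["process"] == process:
            counts[e["host"]] += 1
    return dict(counts)
```

Running `evaluate(EVENTS)` flags the unapproved `nc` start on the controlled database server and the inbound FTP connection on the file server, while the workstation's process start and the outbound SMB connection produce no alert.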
Secure, Reliable Communication
Challenge
Gathering accurate endpoint data from remote devices like Point-of-Sale systems is particularly challenging for IT organizations. Problems range from limited bandwidth, unencrypted and unreliable UDP transport, to managing individual collection mechanisms on each device.
Solution
In addition to independent, detailed logging of network connections and processes, LogRhythm’s centrally managed agents provide encryption, 10:1 compression, reliable TCP transport, and spooling of data during dropped connections.
Benefit
LogRhythm’s agents provide additional independent security and compliance controls at the endpoint with fully integrated File Integrity Monitoring and protection against unauthorized removable media usage via Data Loss Defender.
Protecting your organization from advanced threats, compliance violations and operational issues is an ongoing process. It requires broad visibility, continuous monitoring, automated behavioral analytics, advanced threat detection, intelligent countermeasure capabilities, and ongoing adaptation to new and evolving issues and threats. A key component of that process is the ability to correlate what’s happening at the endpoint level with event data throughout the network. LogRhythm delivers extended visibility and protection via fully integrated Endpoint Monitoring and Forensics.
LogRhythm’s Endpoint Threat Analytics module helps organizations quickly detect and respond to the threats targeting their endpoints and discover when compromised devices are being used for malicious activity by attackers. The Endpoint Threat Analytics module includes a sophisticated set of advanced behavioral analytics rules and out-of-the-box alarms that deliver a holistic picture of threats targeting the endpoint.
Protecting your organization from advanced threats
Independent Process Monitor
Detects and records process and service activity that may not otherwise be reported. This can identify and alert on important behavior like endpoints running blacklisted processes (peer-to-peer clients, etc.), critical processes stopping or any non-approved process starting up.
Windows Registry Monitor
Monitors the Windows Registry for additions, modifications, deletions, permission (ACL) changes, and ownership changes. This visibility provides greater insight into changes or manipulations of Windows operating systems, like the addition of new startup processes, to detect advanced threats and compromised endpoints.
Network Connection Monitor
Independently records network connection activity to and from the endpoint, providing a detailed, independent log of all network connections opened and closed on an endpoint. It detects and alarms on critical events on the endpoint, such as activity from unauthorized web or FTP servers.
Data Loss Defender
Monitors and prevents data transfers to and from removable media like CD/DVD-RW devices and USB drives. Data Loss Defender logs, alerts on, and audits all data transfers to removable media ports and can optionally block transfers on selected machines and devices.
User Activity Monitor
Logs any user or process that authenticates to an endpoint. This independently records an audit trail that can be used either to supplement local auditing systems or to validate that system logs have not been modified on the endpoint.
If you would like more information on LogRhythm, contact us today!