LogRhythm SmartResponse

LogRhythm delivers immediate protection from security threats, compliance policy violations and operational issues with SmartResponse™. Intelligent, process-driven capabilities give organizations the power to automatically take action and respond to any alarm. SmartResponse™ delivers immediate action on real-world issues, such as when suspicious behavior patterns are detected, specific internal or compliance-driven policies are violated, or critical performance thresholds are crossed. LogRhythm ensures that responses are based on accurate information by performing real-time analysis on all log data, helping to minimize false positives as well as the delays associated with manual intervention.

Automated Remediation That Works for You

Many organizations find that implementing automated remediation creates more risk than it is designed to prevent. One of the problems is that it is typically an all-or-nothing process, meaning any enabled action will be taken without providing an option for external validation. Because of the number of variables tied to an individual event and the risks associated with incorrectly interrupting critical operations, most organizations are justifiably reluctant to employ automated remediation beyond that tied to the most mundane use cases.

LogRhythm’s SmartResponse™ was specifically designed so that any action can be configured to meet organizational policy and to provide assurance that each response is the correct action to take. It includes an optional, built-in approval process that can require up to three levels of authorization before an action is executed. That gives organizations the option of reviewing the facts first – before the wrong person’s access is removed or a critical application is mistakenly shut down. If the remediation is confirmed as the correct course of action, the response is already queued for immediate execution at the click of a button.

How It Works

A simple, plug-in based GUI allows administrators to import any script-based response, which can then be activated by any advanced correlation or event-based alarm. LogRhythm’s SmartResponse™ includes:

  • Optional requirements for up to three levels of authorization
  • Targeted responses to exact alarm parameters, such as:
    • Suspicious IP addresses to block
    • Specific rogue users to quarantine
    • Individual processes to start or stop
    • Over 50 unique fields for maximum precision
  • Incident Response Management with:
    • Current remediation status
    • Alarm recipient tracking
    • Authorization path auditing
  • One-click testing for script validation

SmartResponse in Action

LogRhythm Labs provides out-of-the-box access to practical scripts designed to address common organizational issues related to security, compliance and operations. SmartResponse™ can execute any script that a user can create, with optional safeguards to require up to three levels of authorization before performing any action. Examples include:

Advanced Threat Detection & Response (External)

Malware and external attackers frequently probe an environment by attempting logins against multiple servers, moving from one target to the next until a login succeeds.

LogRhythm’s automated behavioral profiling creates whitelists of acceptable activity on any host. Alarms are dynamically updated to respond to any behavioral anomaly, such as a connection attempt from a non-whitelisted location.

SmartResponse™ can pull the attacking IP address directly from the alarm and add it to a firewall ACL, immediately terminating potentially dangerous access to your network. Because this block is enforced at the network edge, it is a natural candidate for the optional authorization step when the address could belong to a shared gateway or partner network rather than a single attacker.
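The blocking action described above, together with the alarm-field plumbing outlined under How It Works, as an added example that is not LogRhythm’s own SmartResponse code: a Python script in the shape a SIEM could invoke with an alarm’s fields, showing the checks a practitioner would want before an address is pushed to a perimeter ACL. The field name origin_ip, the two-approval threshold, the internal network list, the never-block list and the ACL stand-in are all assumptions made for the example.

```python
"""Alarm-driven IP block with the safeguards needed before a SIEM may act
unattended. Added, hypothetical example; not LogRhythm's code. Field names,
the approval threshold, the network lists and the ACL model are assumptions."""
import ipaddress
from dataclasses import dataclass, field

# Assumed organisational policy, constructed for this example.
REQUIRED_APPROVALS = 2  # the product allows up to three levels; two assumed here
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Addresses the business depends on and must never be blocked automatically
# (constructed; e.g. an upstream resolver or a partner's gateway).
NEVER_BLOCK = {ipaddress.ip_address("198.51.100.10")}


@dataclass
class FirewallAcl:
    """Stand-in for the perimeter firewall's ACL. A real action script would
    push the rule over the firewall vendor's API or CLI instead."""
    rules: list = field(default_factory=list)

    def block(self, ip):
        rule = f"deny ip host {ip} any"
        if rule not in self.rules:  # alarms re-fire; the action must be idempotent
            self.rules.append(rule)
        return rule


def validate_block_target(raw):
    """Parse the alarm's origin-IP field and refuse anything that must not be
    blocked at the perimeter. Raises ValueError carrying the reason."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        raise ValueError(f"alarm field is not a single IP address: {raw!r}")
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast or ip.is_link_local:
        raise ValueError(f"refusing to block special-purpose address {ip}")
    if any(ip in net for net in INTERNAL_NETWORKS):
        raise ValueError(f"{ip} is inside the organisation's own address space; "
                         "an internal host needs a different response")
    if ip in NEVER_BLOCK:
        raise ValueError(f"{ip} is on the never-block list")
    return ip


def run_block_action(alarm, approvals, acl, dry_run=False):
    """Execute (or merely test) the block for one alarm.

    Returns (status, detail) so the incident record can show the current
    remediation status. Validation runs before the approval gate so a
    reviewer learns why an action would be refused without approving it."""
    raw = alarm.get("origin_ip")
    if raw is None:
        return ("refused", "alarm carries no origin_ip field")
    try:
        ip = validate_block_target(raw)
    except ValueError as exc:
        return ("refused", str(exc))
    if dry_run:  # the one-click script test: report the rule, change nothing
        return ("tested", f"would add: deny ip host {ip} any")
    if approvals < REQUIRED_APPROVALS:
        return ("pending", f"{approvals}/{REQUIRED_APPROVALS} approvals")
    return ("blocked", acl.block(ip))


# Constructed alarm records: the fields a correlation rule would hand the script.
SAMPLE_ALARMS = [
    {"alarm_id": 1001, "rule": "Login from non-whitelisted source",
     "origin_ip": "203.0.113.45", "host": "web-01"},
    {"alarm_id": 1002, "rule": "Login from non-whitelisted source",
     "origin_ip": "10.20.30.40", "host": "db-02"},
    {"alarm_id": 1003, "rule": "Login from non-whitelisted source",
     "origin_ip": "not-an-ip", "host": "web-03"},
]

if __name__ == "__main__":
    acl = FirewallAcl()
    for alarm in SAMPLE_ALARMS:
        print(alarm["alarm_id"], run_block_action(alarm, approvals=2, acl=acl))
    print("ACL now:", acl.rules)
```

Only the first sample alarm results in a rule; the internal address and the malformed field are refused with a reason the analyst can read in the incident record, and a second firing of the same alarm leaves the ACL unchanged.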

Advanced Threat Detection & Response (Internal)

Systems administrators can access and modify systems and create accounts with escalated privileges, so a rogue or compromised administrator account can engage in a broad range of malicious activity while avoiding detection.

LogRhythm can notify when any new account with escalated privileges is created, or when suspicious modifications have been made to accounts that access critical systems.

SmartResponse™ can automatically suspend or remove newly added or recently modified privileged accounts until the activity has been verified as legitimate.

Compliance Automation & Assurance

Many compliance regulations require strict access controls to confidential data, such as protected health information (PHI) or customer credit card accounts.

LogRhythm’s alarms can leverage dynamically updating whitelists of which users are authorized to access critical assets or specific files, detecting and alerting in real-time when an access policy is violated.

SmartResponse™ can immediately remove any user responsible for an access violation from the network until the incident has been investigated, actively enforcing policy and protecting critical assets.

Operational Intelligence & Optimization

Detecting when all aspects of a server have restarted properly after routine maintenance is challenging – particularly in large enterprises with a large number of distributed hosts.

LogRhythm can independently detect when a critical process stops and/or fails to restart following a specific event, such as a reboot.

SmartResponse™ can restart individual processes, pulling all relevant information, such as the process name and impacted host, directly from the alarm.