LogRhythm-Threat Lifecycle Management


1 LogRhythm-Threat Lifecycle Management
August 3, 2017, Data Connectors Indianapolis, Aaron Nichols

2 Modern Cyber Threats-’Noise’
- 321 Breaches in 2006
- 953 Breaches in 2010
- 3,930 Breaches in 2015
- 736 million records were exposed in 2015, compared to 96 million records in 2010
- The security industry is facing serious talent and technology shortages
(Graphic: Selected Data Breaches)

Key Talking Points:
- Victims of damaging cyber breaches make the news every week; don't become one of them!
- These are just a sampling of breaches; even more are occurring
- The rate of breaches continues to go up every year
- Not just experienced by large companies; affects companies of all sizes and industries

Notes: Bad actors have executed a series of high-profile, damaging data breaches. It seems like there's someone new on the cover of the WSJ every week. This slide illustrates how much damage is being done. The graphic represents the number of records exposed (bigger circles are breaches with more exposed records). Source: World's Biggest Data Breaches, Information is Beautiful.

3 Today’s Threat Environment
Only Advanced Analytics can detect these threats:
- Detecting a class of threats that can only be detected using a SIEM
- Effectively prioritizing threats, separating the signal from the noise
- Providing the intelligence required to deliver optimally orchestrated and enabled incident response

Threats conclusively recognized at run-time are prevented at the endpoint and perimeter. However, many threats:
- Require a broader view to recognize
- Will only emerge over time
- Get lost in the noise

Key Talking Points:
- With traditional methods, threats get lost in the noise.
- "Big Data" analytics can help solve this problem.
- "Prioritized threats"

Notes: Previous slides are about painting a picture of the environment. This slide begins our shift toward presenting a solution. Some things can be blocked and stopped, but only known threats in real time; otherwise you get in the way of the business. Analytics is needed to address the threats that get through. We use big data analytics to separate the signal from the noise. This slide also sets up our incident response message.

4 The Cyber Attack Lifecycle
Recon. & Planning -> Initial Compromise -> Command & Control -> Lateral Movement -> Target Attainment -> Exfiltration, Corruption, Disruption
Modern threats take their time and leverage the holistic attack surface.

Key Talking Points:
- "Holistic attack surface"
- Mission realization
- Kill the threat easily
- Previous breaches would've been avoided if detected early.

Notes: Goes further on our solution to show that damaging breaches can be avoided because the attack lifecycle takes time. The lifecycle of a threat begins with reconnaissance. Attackers find their way in by manipulating users, dropping USB keys in the parking lot, compromising the physical environment, etc. At some point they will begin to engage with the environment and eventually compromise a system. If that compromise isn't detected, they will take increasing control over the environment and move laterally toward their target, taking over accounts and systems until they attain their target, where the biggest damage is done: exfiltration, corruption, disruption, etc. This is how threats work. If we can stop the attacker after the initial compromise, we can prevent the damaging breach.

5 Data Breaches Can Be Avoided
ATTACK: Reconnaissance -> Initial Compromise -> Command & Control -> Lateral Movement -> Target Attainment (Exfiltration, Corruption, Disruption)
Early neutralization = minimal damaging cyber incident or data breach

Key Talking Points and Notes: same as slide 4.

6 Protection Through Faster Detection & Response
(Chart: MTTD & MTTR on a scale from Months, Weeks, Days, Hours down to Minutes; the slow end is labelled "Exposed to Threats / High Vulnerability", the fast end "Resilient to Threats / Low Vulnerability")

MEAN TIME TO DETECT (MTTD): The average time it takes to recognize a threat requiring further analysis and response efforts.
MEAN TIME TO RESPOND (MTTR): The average time it takes to respond to and ultimately resolve the incident.
As organizations improve their ability to quickly detect and respond to threats, the risk of experiencing a damaging breach is greatly reduced.

Key Talking Points:
- "Mean-time-to-detect" and "Mean-time-to-respond"
- Reduce risk of damaging cyber incident or data breach

Notes: What's the solution? Faster detection and faster response. We've developed a model to assess your current maturity and ability to detect and respond to threats, and to help customers measure their overall security posture. Many studies show that MTTD and MTTR are measured in weeks and months, and companies that want to improve need the types of solutions we provide.
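The two metrics defined above, computed over a constructed incident history and placed on the slide's Months-to-Minutes scale. This is an added illustration, not part of the deck or of any LogRhythm product; the record fields and timestamps are assumptions.

```python
"""MTTD and MTTR as defined on the slide, computed over constructed incident
records. Added illustration; field names and data are assumptions."""
from datetime import datetime, timedelta

# Constructed incident history (not real data). Each record holds:
#   first_evidence - earliest trace of the threat in collected forensic data
#   detected       - when it was recognized as requiring analysis/response
#   resolved       - when the incident was closed out
INCIDENTS = [
    {"id": "INC-1", "first_evidence": "2017-06-01T02:10",
     "detected": "2017-06-01T09:10", "resolved": "2017-06-01T15:10"},
    {"id": "INC-2", "first_evidence": "2017-06-03T22:00",
     "detected": "2017-06-06T10:00", "resolved": "2017-06-07T12:00"},
    {"id": "INC-3", "first_evidence": "2017-06-10T08:00",
     "detected": "2017-06-10T08:30", "resolved": "2017-06-10T12:30"},
]

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")

def mean_interval(incidents, start_key: str, end_key: str) -> timedelta:
    """Average of (end - start) across the given incidents."""
    spans = [_ts(i[end_key]) - _ts(i[start_key]) for i in incidents]
    return sum(spans, timedelta()) / len(spans)

def mttd(incidents) -> timedelta:
    """Mean Time To Detect: first evidence -> recognized as a threat."""
    return mean_interval(incidents, "first_evidence", "detected")

def mttr(incidents) -> timedelta:
    """Mean Time To Respond: recognized -> incident resolved."""
    return mean_interval(incidents, "detected", "resolved")

def maturity_bucket(interval: timedelta) -> str:
    """Place an interval on the slide's scale: Months, Weeks, Days, Hours, Minutes."""
    hours = interval.total_seconds() / 3600
    if hours < 1:
        return "Minutes"
    if hours < 24:
        return "Hours"
    if hours < 24 * 7:
        return "Days"
    if hours < 24 * 30:
        return "Weeks"
    return "Months"

if __name__ == "__main__":
    d, r = mttd(INCIDENTS), mttr(INCIDENTS)
    print(f"MTTD {d} ({maturity_bucket(d)})  MTTR {r} ({maturity_bucket(r)})")
```

The mean lands in the Hours bucket even though INC-2 alone took two and a half days to detect, so the distribution (or the worst case) should be tracked alongside the average when judging maturity.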

7 Obstacles – “100 Competing Priorities”
- Alarm Fatigue
- Swivel Chair Analysis
- Forensic Data Silos
- Fragmented Workflow
- Lack of Automation
Effective Threat Lifecycle Management addresses these obstacles and enables faster detection and response to threats.

Notes:
- Alarm Fatigue: Hundreds or thousands of sensors generate events and alarms, leaving security teams struggling to know which to pay attention to.
- Swivel Chair Analysis: Absent a trusted, centralized place for risk-based monitoring, analysts have to spend time in a variety of different product UIs investigating alarms, trying to manually piece everything together.
- Forensic Data Silos: Absent a consolidated collection of the most commonly needed forensic data, analysts have to work within a variety of different data repositories; the time to investigate increases, and often analysts can't get to the information they need.
- Fragmented Workflow: Teams don't have formal processes or tools that ensure high-priority threats are tracked to resolution, and spreadsheets become inefficient substitutes. Threats slip through the cracks when early indicators that were caught become forgotten because they weren't tracked to full resolution.
- Lack of Automation: Organizations haven't found ways to effectively automate routine IR actions, requiring teams to perform all activities manually. This means few investigations can be conducted and a single incident could become all-consuming, while other threats and incidents don't get the attention they deserve.

8 Threat Lifecycle Management (TLM)
- Series of aligned security operations capabilities
- Begins with the ability to "see" broadly and deeply across the IT environment
- Ends with the ability to quickly mitigate and recover from security incidents
- Goal is to reduce mean time to detect (MTTD) and mean time to respond (MTTR) while keeping staffing levels flat

Notes: Technology is the key enabler of an efficient process that optimally aligns and leverages people.

9 End-to-End Threat Lifecycle Management Workflow
TIME TO DETECT: Forensic Data Collection -> Discover -> Qualify
TIME TO RESPOND: Investigate -> Neutralize -> Recover

- Forensic Data Collection: security event data; log & machine data; forensic sensor data
- Discover: search analytics; machine analytics
- Qualify: assess threat; determine risk; is a full investigation necessary?
- Investigate: analyze threat; determine nature and extent of incident
- Neutralize: implement countermeasures; mitigate threat & associated risk
- Recover: clean up; report; review; adapt

Notes: The ability to detect and respond to the threat early in the Cyber Attack Lifecycle is the key to protecting your company from large-scale impact, because the earlier an attack is detected and mitigated, the less the ultimate cost to your business. There are 6 phases to Threat Lifecycle Management:

Phase 1, Forensic Threat Collection. Before any threat can be detected, you must be able to see evidence of it within the IT environment. To do this, you need to focus on 3 principal types of data: security event & alarm data, log and machine data, and forensic sensor data. Once visibility has been established, you stand a chance at detecting and responding to threats.

Phase 2, Discover. Discovery of potential threats is accomplished through a blend of search and machine analytics.

Phase 3, Qualify. Discovered threats must then be quickly qualified to assess the potential impact to your business and the urgency of additional investigation and response efforts. The qualification process is manual and time intensive, while also being very time sensitive. An efficient process will allow you to analyze a greater number of alarms with less staff, while also positively affecting overall MTTD and MTTR.

Phase 4, Investigate. Once threats have been qualified, they need to be fully investigated to determine whether a security incident has occurred or is in progress. You'll need rapid access to forensic data and intelligence on the threat. Automation of routine investigatory tasks, and tools that facilitate cross-organizational collaboration, are ideal at this stage especially for optimally reducing MTTR.

Phase 5, Neutralize. Next, you must implement mitigations to reduce and eventually eliminate risk to the business. For some threats, such as ransomware or compromised privileged users, every second counts. Easily accessible and updated incident response processes and playbooks, coupled with automation, are critically important.

Phase 6, Recover. Once the incident has been neutralized and risk to the business is under control, you can start recovery efforts. To recover effectively, it's important that you have access to all forensic information surrounding the investigation and incident response process. This includes ensuring that any changes made during incident response are tracked, audit trail information is captured, and the affected systems are updated and brought back online. In addition, the recovery process should ideally include putting measures in place that leverage the gathered threat intelligence to detect if the threat returns or has left behind a back door.

10 This Approach Is Not Effective
Network Monitoring & Forensics | User & Entity Behavioral Analytics | Log Management | SIEM | Endpoint Monitoring & Forensics | Security Automation & Orchestration | Network Behavioral Analytics | Security Analytics

Notes: TLM can be realized via a combination of disparate systems, BUT this requires:
- Complex API-level integrations
- Workflow across multiple UIs
- Data duplication
This results in inefficiencies across people, process, and technology.

11 Forensic Data Collection
Our Approach: Forensic Data Collection -> Discover -> Qualify -> Investigate -> Neutralize -> Recover

Key Talking Points:
- LogRhythm offers all these solutions within a single UI.
- Full Threat Lifecycle Management is covered.
- End-to-end "workflow"
- Effective Workflow = Fast Teams

Notes: Instead of realizing TLM via a collection of different products, use a single platform designed to realize TLM as a whole, via products designed to work together and realize OPTIMALLY EFFICIENT WORKFLOW.

12 Top Five LogRhythm Differentiators

13 Forensic Data Collection
Top 5 Differentiators, mapped onto the TLM workflow (TIME TO DETECT: Forensic Data Collection, Discover, Qualify; TIME TO RESPOND: Investigate, Neutralize, Recover):
1. Machine Data Intelligence (MDI)
2. Precision Search
3. Holistic Threat Detection
4. Risk-Based Monitoring
5. Embedded Security Automation and Orchestration

Notes: LogRhythm has 5 primary differentiators that set us apart in how we address Threat Lifecycle Management.

14 Machine Data Intelligence Fabric
Search Analytics / Machine Analytics
Machine Data Intelligence (MDI) Fabric:
- Data Collection
- Uniform Data Classification
- Uniform Data Structure
- Time Normalization
- Risk Score
- User Persona
- Host Persona
- Geolocation
- Flow Direction
- ...more
Data Generation: LogRhythm System Monitor, LogRhythm Network Monitor

Benefits:
- Serves as IT environment abstraction layer
- Enables generic scenario representation
- Allows for high-efficacy packaged analytics modules

Talking Points: MDI is unrivaled in terms of precision and capabilities.

15 Precision Search Powered by Elasticsearch
- Structured Search
- Unstructured Search
- Machine-Assisted Search

Benefits:
- Quick results
- Less "noise"
- Investigation automation
- Fast and accurate decisions

Talking Points: Search is powered by Elasticsearch.

16 Holistic Threat Detection Powered by AI Engine
Inputs: Log Data, Contextual Data. Detects: User Threats, Network Threats, Endpoint Threats.

Benefits:
- Real-time advanced threat detection
- Detection across full attack lifecycle
- Easily customizable
- Lower false negatives AND false positives

17 Risk-based Monitoring
Events -> Risk-based Prioritization Algorithm (Threat Score, Confidence Score, Weightings) -> Risk Score -> Risk Prioritized Alarms (shown as 56 RISK, 68 RISK, 97 RISK)

Benefits:
- Focuses analysts' time where it matters most
- Faster recognition of threats that need attention
- Reduces alarm fatigue

Key Talking Points: With LogRhythm, you can quickly implement a risk-based monitoring strategy, where analysts' time is focused on alarms representing the highest relative risk, so that less time is spent investigating low-risk and/or low-value alarms. Our approach allows for decreased alarm fatigue via risk-based workload management, where only alarms exceeding a certain risk threshold will be presented to the analyst for investigation. This keeps the volume of alarms manageable, and teams more motivated and focused.
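The slide's idea of folding threat score, confidence and weightings into one risk score and then presenting only alarms over a threshold, worked through on constructed alarms. This is an added illustration, not LogRhythm's algorithm or code; the weighting formula, the Alarm fields and the sample alarms are all assumptions.

```python
"""Risk-based alarm prioritization: an added illustration of the slide's
Threat Score x Confidence x Weightings -> Risk Score idea. The formula and
field names are assumptions, not LogRhythm's actual algorithm."""
from dataclasses import dataclass

@dataclass
class Alarm:
    rule: str
    host: str
    threat_score: int     # severity of the matched behaviour, 0-100
    confidence: int       # how confident the analytic is that this is real, 0-100
    host_weight: float    # asset criticality (host persona), 0.0-1.0
    user_weight: float    # account sensitivity (user persona), 0.0-1.0

def risk_score(alarm: Alarm) -> int:
    """Fold confidence and environmental context into a 0-100 risk score."""
    # Context multiplier: 0.5 for a throwaway host and account, 1.0 for the
    # most critical host and most privileged account. Hypothetical weighting.
    context = 0.5 + 0.25 * alarm.host_weight + 0.25 * alarm.user_weight
    raw = alarm.threat_score * alarm.confidence * context / 100
    return max(0, min(100, round(raw)))

def prioritize(alarms, threshold):
    """Return (risk, alarm) pairs at or above the threshold, highest risk first.
    Everything below the threshold is held back from the analyst queue."""
    scored = sorted(((risk_score(a), a) for a in alarms),
                    key=lambda pair: pair[0], reverse=True)
    return [pair for pair in scored if pair[0] >= threshold]

# Constructed sample alarms (not real telemetry).
ALARMS = [
    Alarm("Brute force followed by successful logon", "dc01", 90, 90, 1.0, 1.0),
    Alarm("Port scan from guest network", "guest-ap-3", 40, 60, 0.1, 0.0),
    Alarm("Malware quarantined by endpoint agent", "laptop-17", 70, 95, 0.4, 0.6),
    Alarm("Large outbound transfer", "fileserver02", 85, 50, 0.9, 0.5),
]

if __name__ == "__main__":
    for risk, alarm in prioritize(ALARMS, threshold=45):
        print(f"RISK {risk:3d}  {alarm.host:12s} {alarm.rule}")
```

With a threshold of 45 the low-confidence outbound-transfer alarm on a critical file server is held back, which is the trade-off behind risk-based workload management: the threshold needs tuning, and suppressed alarms should be reviewed periodically so early indicators are not lost.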

18 Embedded Security Automation and Orchestration
Case Management | SmartResponse Automation

Benefits:
- Centralizes security investigations
- Faster investigations with single toolset
- Efficient, confidential collaboration
- Automates workflows and responses
- Reduces mean time to respond (MTTR)

Key Talking Points: Security Automation and Orchestration is a solution set that helps security operations teams collaborate to provide incident response, and seamlessly automates the workflow, because all actions are time critical during the investigation period. SAO is a built-in capability of LogRhythm, powered by our Case Management and SmartResponse features; no need to invest in a separate product.

Case Management. We built this highly efficient workflow to answer security operations teams' top questions: Is it a qualified threat? If it is a qualified threat, what is the scope of the threat? What is the root cause of the threat?
- Designed to support group collaboration and tiered operations
- Cyber Evidence Locker™ for securing and sharing artifacts such as logs, files and annotations
- Real-time investigation feeds and customizable IR dashboards
- One-click threat intelligence lookup
- Metrics and reports on mean time to detect (MTTD) and mean time to respond (MTTR)

SmartResponse Automation Framework.
- Simple plug-in architecture with out-of-the-box and customizable actions
- Ability to target actions using event data
- Automated and approval-based execution options, including support for multi-party approval chains
- Ability to implement playbooks by pre-staging SmartResponse actions for specific alarms

LogRhythm allows security operations teams to tee up multiple actions utilizing automation for more efficient workflows. For example, if a firewall allowed traffic and an IDS blocked traffic from the same source, then maybe we want to run a vulnerability scan on the host right away to gather more information. It's possible you might want to add an HCL that blocks that host AP for the meantime, or ask for an approval to allow the traffic. This allows you to neutralize the threat before it achieves its end goal, such as network disruption or data exfiltration.

19 Why LogRhythm As Your Strategic TLM Partner
Focus | Innovation | Platform Scalability & Flexibility | Broad Regulatory Compliance | Customer Success

Notes:

Focus. We are on a mission to continue being the platform of choice for TLM. No other vendor in the market is focused on this problem like we are. TLM is our focus, it is our business; simply put, we have no other choice than to be the absolute best at it.

Innovation. At the heart of LR is innovation. Our founders are still with the company, still innovating with the same passion they began with. Some recent examples of hard innovation that set us apart:
- 2011: introduced our patented and market-leading AI Engine with extensive behavioral profiling
- 2013: introduced our network monitoring and forensics product
- 2014: introduced our market-leading Web UI
- 2015: introduced Elasticsearch as our backend
- 2016: introduced AI Cloud beta, furthering our lead in the application of Artificial Intelligence & Machine Learning to security analytics
We've consistently outpaced our competitors, many of whom have been consumed by large organizations. They're slowing down while we're speeding up. LR is a partner that is innovative and will stay that way in a time when innovation is essential.

Platform Scalability & Flexibility. Whether a mid-sized enterprise or a Fortune 50, our platform can cost-efficiently scale to meet your needs. Our flexible deployment models allow you to leverage LR as an appliance-based solution, software, virtual, or a combination of all. Our building-block architecture allows you to quickly and easily add capacity and functionality down the road; no forklifts required.

Broad Regulatory Compliance. In addition to providing the best platform for TLM, we automate and enable compliance with almost all global regulatory requirements.

Customer Success. We put our customers first. We are a solution-oriented business; what we build is built to solve your real-world security challenges. We are maniacally focused on driving long-term adoption and success on the LR platform. Our support is in house; our first tier is not a call center, they are trained LR experts that want to and can solve your problem on first contact. However, if they can't, engineering is right next door.
