Log files can be an effective source of data for identifying security threats. What you do once you have identified those threats from the logs is where a new release from security information and event management (SIEM) vendor LogRhythm comes into play.
The LogRhythm 6.0 platform adds the concept of automated remediation for security events, providing users with actions to help minimize risk.
“We’re seeing more customers needing to leverage SIEM to remediate high-risk events,” Chris Petersen, CTO and founder of LogRhythm, told InternetNews.com. “Most mature organizations have a lot of data in their network that is not being leveraged properly.”
The automated remediation feature in LogRhythm 6.0 is called SmartRemediation and includes a policy-based approach to change management. Petersen noted that one of the big challenges with automated remediation in the past has been false positives: no organization wants to make changes that it does not have to make.
To reduce false positives, Petersen said the SIEM relies on LogRhythm's AI Engine, which is intended to identify high-risk events more accurately before any action is taken.
From a change management perspective, SmartRemediation includes a workflow approval process for changes. The system can be configured for immediate remediation, or it can be set up with a policy that requires approvals from IT and business owners before a change is applied. The whole process is audited so that an organization can identify who approved what, and when.
SmartRemediation interacts with other network assets through a plug-in architecture. Petersen explained that LogRhythm ships a plug-in for Microsoft Active Directory that can manage or disable a user account, and that the system can also kill a network process. He added that the plan going forward is to integrate with more systems so that other actions can be taken against other components of the network and systems architecture.
In addition to the pre-built plug-ins, Petersen said that customers can also build their own.
“It’s very open and flexible in terms of what actions you want to initiate,” Petersen said. “If there is an action you can perform that can take the output of an AI Engine event and do something, then you can do it.”
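The article describes SmartRemediation only at the feature level. The following is an added illustration, written for this page and not LogRhythm's code or API, of the control flow a policy-gated remediation engine needs: events carrying a risk score, a per-action policy that either remediates immediately or waits for approvals from named roles, an audit trail of who approved what and when, and a plug-in registry for the actions themselves. The event and policy fields, the risk thresholds, the role names ("it", "business_owner") and the two plug-ins are all assumptions; the plug-ins only record what they would do, so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List


@dataclass
class RiskEvent:
    """Assumed shape of a high-risk event produced by a correlation engine."""
    event_id: str
    rule: str
    risk_score: int  # assumed 0-100 scale
    target: str      # what the action acts on: a username or "host:pid"


@dataclass
class Policy:
    """Per-action change-management policy (assumed structure)."""
    action: str
    auto_threshold: int            # risk_score at or above this runs immediately
    required_approvers: List[str]  # roles that must all sign off otherwise


@dataclass
class AuditEntry:
    timestamp: str
    event_id: str
    action: str
    actor: str   # who caused this step: "role:user", "policy:auto" or "system"
    outcome: str


class RemediationEngine:
    def __init__(self) -> None:
        self.plugins: Dict[str, Callable[[str], str]] = {}
        self.policies: Dict[str, Policy] = {}
        self.pending: Dict[str, dict] = {}
        self.audit: List[AuditEntry] = []

    def register_plugin(self, action: str, fn: Callable[[str], str]) -> None:
        self.plugins[action] = fn

    def set_policy(self, policy: Policy) -> None:
        self.policies[policy.action] = policy

    def handle(self, event: RiskEvent, action: str) -> str:
        """Route an event to immediate remediation or to the approval queue."""
        if action not in self.policies or action not in self.plugins:
            # Fail closed: an action with no policy or no plug-in is never run.
            self._log(event.event_id, action, "system", "rejected: no policy or plug-in")
            return "rejected"
        policy = self.policies[action]
        if event.risk_score >= policy.auto_threshold:
            return self._execute(event, action, actor="policy:auto")
        self.pending[event.event_id] = {"event": event, "action": action, "approvals": {}}
        self._log(event.event_id, action, "system", "queued for approval")
        return "pending"

    def approve(self, event_id: str, role: str, approver: str) -> str:
        """Record one approval; execute only once every required role has signed off."""
        item = self.pending[event_id]
        policy = self.policies[item["action"]]
        if role not in policy.required_approvers:
            self._log(event_id, item["action"], f"{role}:{approver}", "approval refused: role not in policy")
            raise PermissionError(f"{role} may not approve {item['action']}")
        item["approvals"][role] = approver
        self._log(event_id, item["action"], f"{role}:{approver}", "approved")
        if all(r in item["approvals"] for r in policy.required_approvers):
            del self.pending[event_id]
            actor = ",".join(f"{r}:{a}" for r, a in sorted(item["approvals"].items()))
            return self._execute(item["event"], item["action"], actor)
        return "pending"

    def _execute(self, event: RiskEvent, action: str, actor: str) -> str:
        result = self.plugins[action](event.target)
        self._log(event.event_id, action, actor, result)
        return result

    def _log(self, event_id: str, action: str, actor: str, outcome: str) -> None:
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(ts, event_id, action, actor, outcome))


# Simulated plug-ins: they only record what they would do (no directory or host is touched).
DISABLED_ACCOUNTS: List[str] = []
KILLED_PROCESSES: List[str] = []


def disable_account(user: str) -> str:
    DISABLED_ACCOUNTS.append(user)
    return f"disabled {user}"


def kill_process(host_pid: str) -> str:
    KILLED_PROCESSES.append(host_pid)
    return f"killed {host_pid}"


def build_engine() -> RemediationEngine:
    engine = RemediationEngine()
    engine.register_plugin("disable_account", disable_account)
    engine.register_plugin("kill_process", kill_process)
    # Assumed policies: disabling an account needs two sign-offs unless the risk is extreme;
    # killing a process is lower impact and runs automatically at a lower threshold.
    engine.set_policy(Policy("disable_account", auto_threshold=95, required_approvers=["it", "business_owner"]))
    engine.set_policy(Policy("kill_process", auto_threshold=80, required_approvers=["it"]))
    return engine


def demo() -> RemediationEngine:
    engine = build_engine()
    # Constructed sample events, not real correlation output.
    beacon = RiskEvent("evt-1", "suspected C2 beacon", 90, "ws-042:4711")
    creds = RiskEvent("evt-2", "impossible travel logon", 70, "jdoe")
    engine.handle(beacon, "kill_process")              # 90 >= 80: runs immediately
    engine.handle(creds, "disable_account")            # 70 < 95: queued
    engine.approve("evt-2", "it", "alice")             # first of two required approvals
    engine.approve("evt-2", "business_owner", "bob")   # second approval: action executes
    return engine


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The two guards are the part worth copying: an action with no policy or no registered plug-in is rejected rather than run, and an approval from a role the policy does not name is refused and logged, so the audit trail records failed attempts as well as the approvals that released a change.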