IT systems generate lots of log data, but how do you correlate and makes sense of it all?
Security Information and Event Manager (SIEM) vendor LogRhythm has added a new approach to understanding log data with a new Advanced Intelligence (AI) Engine. The goal of AI Engine is to find patterns in the logs that can help identify security events and hacks that otherwise would not be discovered.
Trent Heisler, director of technical services at LogRhythm, explained to InternetNews.com that prior to the AI Engine, there was no real easy way to get to the forensic information directly relevant to a security event. He added that it was also difficult to be able to spawn additional investigations around the event.
"What AI Engine does is it gives us visibility by analyzing all log data, it's not a subset," Heisler said. "A lot of times some of what may first seem to be benign traffic, is really not."https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Heisler noted that, in his view, one of the reasons why SIEM technology has not been widely adopted is complexity. He added that users need to know exactly what they're looking for in order to fully benefit from an SIEM deployment. The goal with AI Engine is to move beyond those challenges.
"It's not just the attributes that come out of the raw log message itself, there is also derived context that LogRhythm puts on top," Heisler said. "We're adding enrichment outside of the raw log data, for analysis and AI Engine is able to play off that."
With the AI Engine, an alarm can now be set up to scan for behaviors across an enterprise. As an example, a brute force authentication failure against any device in the enterprise can now be detected and alarmed.
"AI Engine launches with 100 out of the box alarms," Heisler said. "One of the things that is nice from a user experience perspective is how to take the out of the box alarms and apply them to different assets within an enterprise."
Users can set alarms just to target PCI-DSS compliance. The AI Engine works as a layer on top of LogRhythm SIEM product.
"There is a software component for LogRhythm called the Mediator Server and it handles all the heavy lifting of log processing for LogRhythm," Heisler said. "What AI Engine does is it plugs into Mediator Server which then redirects the processed logs to AI Engine."
Heisler stressed that visibility is key when it comes to having a successfully log analysis technology.
The enhanced LogRhythm solution enters a market for SIEM solutions that is highly competitive with rivals like LogLogic offering their own new technologies to better gather and make sense of log data.
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.