LogRhythm's Security Intelligence Platform: SIEM product overview
Expert Karen Scarfone examines LogRhythm's Security Intelligence Platform, a SIEM tool for analyzing collected data.
The LogRhythm Security Intelligence Platform is a security information and event management (SIEM) product for enterprise use. It is used to collect security event log data from software throughout an enterprise, including network security controls, operating systems and user applications. The SIEM tool analyzes the data to identify possible signs of malicious activity so humans or automated processes can stop attacks in progress or help recover from successful attacks. SIEM platforms such as LogRhythm's also generate detailed reports on security events that can be used to document compliance with security regulations, laws and other requirements.
LogRhythm SIEM product versions
LogRhythm's SIEM platform is available in several formats, including an all-in-one bundle or distributed components, and as hardware-based appliances, server-based software and virtual appliances (supported on VMware ESX, Microsoft Hyper-V and Citrix XenServer). These last three formats -- hardware, virtual and server software -- can be mixed and matched as needed within a single LogRhythm Security Intelligence Platform implementation.
Examples of the major component types are:
- Platform Manager (PM): Supports centralized management and administration for the LogRhythm implementation
- Data Processor (DP): Performs log collection and management
- Data Indexer (DX): Indexes data and metadata
- AI Engine (AI): Provides correlation and analysis capabilities
- All-In-One (XM): Combines the PM, DP, DX and AI components
- Network Monitor (NM): Specializes in deep analysis of network traffic contents
- Data Collector (DC): Collects log data from remote systems and prepares it for secure transfer to the centralized LogRhythm Security Intelligence Platform implementation
Multiple models are available for many of these component types, and Web appliances and storage arrays are also available to further expand an implementation. See here for more information on currently available models.
Additional security capabilities
In addition to providing all the traditional core SIEM functions, LogRhythm's SIEM platform offers a range of advanced security capabilities. For organizations that want to improve the accuracy of their SIEM product's threat detection, LogRhythm's Security Intelligence Platform supports the use of geolocation feeds and threat intelligence feeds through separate subscriptions. Organizations can choose from any of several threat intelligence partners and can use one or more of their feeds with the LogRhythm Security Intelligence Platform.
The platform can also extensively supplement existing endpoint logging and forensic capabilities, including the monitoring and analysis of endpoint events involving file and registry monitoring, process execution, network traffic and user-generated events. The product also offers a range of network forensics capabilities.
Reporting capabilities
The reporting capabilities offered by the LogRhythm SIEM product are more extensive than those of any other major enterprise SIEM product, with built-in support for over 800 report formats. This built-in support includes reporting for many major security compliance initiatives, including:
- Federal Information Security Management Act of 2014
- Gramm-Leach-Bliley Act
- Health Insurance Portability and Accountability Act
- International Organization for Standardization/International Electrotechnical Commission 27001/27002, Information Security Management
- North American Electric Reliability Corporation Critical Infrastructure Protection
- Payment Card Industry Data Security Standard
- Sarbanes-Oxley Act
Licensing and pricing
Because the components of the platform are available in so many models and combinations, it is outside the scope of this article to explain the possible licensing and pricing arrangements.
LogRhythm SIEM platform overview
The LogRhythm Security Intelligence Platform components can be deployed in various arrangements and architectures to meet the needs of nearly any organization. The product offers the widest range of product formats, security features, and reporting capabilities of any enterprise SIEM product. While this could potentially offer more functionality and capacity than smaller organizations need, most organizations would find the LogRhythm Security Intelligence Platform to meet or exceed all of their SIEM requirements and desired features.