SANS LogRhythm Review - Speed and Scalability Matter
Review Environment
LogRhythm’s latest Threat Lifecycle Management Platform includes many new and
enhanced features and behind-the-scenes improvements, primarily focused on reducing
detection and response time for security operations and investigations. LogRhythm’s
data aggregation and query engine now uses Elasticsearch, which is a highly scalable
indexing and querying layer. Native language search and contextual searching are
available from most locations in the interface as well. We focused on scalability and
performance in this review, as well as host-based policies and configuration capabilities
that are new in the platform.
In this review, SANS focused specifically on:
• Ease of use
• Scalability and performance across large, distributed data sets
• Host-based policies and configuration capabilities
• Rapid searching, analysis and incident correlation
• Case management tools that can help security operations teams operate more effectively
Components
The following components were included in the LogRhythm deployment (numbers in
parentheses indicate quantity configured within the review environment):
• Platform Manager (1)—Centrally manages alarms, notifications, and case and security incident management. Enables real-time dashboards, SmartResponse actions and reporting.
• Data Collector—Provides local and remote agentless collection of machine data.
• System Monitor Agent—Monitors endpoints for file integrity, user activity, network communications, and applications and processes. Our testbed used the agents for Linux systems; AIX, HP-UX, Solaris and Windows are also supported.
• Network Monitor—Performs deep packet inspection of network traffic for application identification, extraction of searchable metadata, full packet capture and deep packet analytics.
• Data Processor (5 sets of 4)—Processes data from Data Collectors, System Monitors and Network Monitors. Extracts and enriches metadata, enabling machine- and search-based analytics. Data Processors scale vertically and horizontally.[4]
[4] LogRhythm introduced an updated data processor in the Fall of 2017, DP 7470. While SANS has not tested this, LogRhythm reports that this new processor reduces the data processor components by 25% to five sets of three components.
SANS ANALYST PROGRAM
Speed and Scalability Matter: Review of LogRhythm 7 SIEM and Analytics Platform
• AI Engine (5)—Performs real-time, stream-based analysis of contextualized machine and forensic data, and generates risk-prioritized alarms using a broad set of algorithmic techniques. AI Engine nodes scale vertically and horizontally with a unique scaling model to preserve centralized analysis.
• Data Indexer (5 sets of 10)—Uses an Elasticsearch back end to store copies of both original unstructured machine data and contextualized, structured metadata to enable search-based analytics. Data Indexers support clustering for greater scalability, performance and availability.[5]
The environment was configured with the following parameters and capacity considerations:
• 300,000 MPS aggregate collection load (25.8 billion messages per day)
• 130,000 unique log sources
• 100 percent of data processed within the distributed architecture
• 100 percent of data analyzed in real time by analytics layer, with no data queued
• 100 percent of data rapidly searchable
• 100 percent of data available, persistent and archived
These were the objectives and environment for our review. However, substantially higher scalability is available with further hardware investment. A diagram of the environment is shown in Figure 1.
Figure 1. LogRhythm Test Environment Architecture
[5] LogRhythm introduced an updated data indexer in the Fall of 2017, DX7500. While SANS has not reviewed the updated data indexer, LogRhythm reports that this new configuration reduces the data indexer components by 50% to five sets of five.