Detecting today’s advanced threats requires greater visibility and understanding of network activity. However, the sheer volume of processes, services and applications running on a corporate network at any given time makes it difficult for network admins and IT professionals to distinguish abnormal or suspicious network activity from routine or ordinary system use.
Additionally, once an attack has penetrated the network, many security tools are unable to provide the level of detail needed for forensic investigation to understand root cause, let alone coordinate actions for remediation.
LogRhythm’s Network Behavior Anomaly Detection Security Analytics Suite is an integral part of the ControlScan Log Monitoring and Management Service, providing the capabilities needed to detect network abnormalities in real-time.
By capturing data generated by perimeter security devices such as IDS/IPS solutions, vulnerability scanners and next-generation firewalls, along with identity and access management (IAM) systems, and combining it with other machine and flow data, the suite is able to establish a behavioral baseline of normal network activity.
The suite can then detect when network activity deviates from that baseline or matches a known high-risk pattern captured in ControlScan's pre-built analytical rules. The suite is continually updated with the latest research on emerging network threats to help customers strengthen network security, and ControlScan updates individual customers' rules as that research changes.
Identifying Inappropriate Network Behavior: Network traffic is modeled, allowing for the immediate recognition of anomalous network activity, inappropriate applications, or applications using unusual ports.
Preventing Data Exfiltration: An Advanced Intelligence (AI) Engine rule triggers an alarm any time a suspiciously large outbound data transfer is observed. Additionally, the suite can identify the destination application, allowing users to assess the legitimacy of the transfer.
Recognizing Hidden Malware: Application protocols are identified without relying solely on port numbers, exposing communication patterns that could indicate botnet callbacks to a command-and-control (C2) server.
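The three detections above (a per-host baseline of outbound volume, a protocol seen on a port it does not normally use, and the fixed-interval callbacks of a C2 beacon) can be sketched over a handful of flow records. The block below is an added illustration written for this page; it is not LogRhythm or ControlScan code and does not reproduce the AI Engine's rule logic. The flow-record layout, the USUAL_PORTS table and every sample flow are constructed for the example. Two practitioner caveats it encodes: a baseline built with median and MAD is not dragged upward by the very transfer it should catch, and a per-flow size threshold alone will miss exfiltration split into many small flows, which is why the beaconing check looks at timing rather than volume.

```python
"""Baseline-and-deviation checks over constructed flow records.

Added example for this page; not LogRhythm or ControlScan code. The record
layout, the well-known-port table and all sample flows are assumptions.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed flow records: (epoch seconds, src host, dst host, dst port,
# protocol identified from payload, bytes sent by src).
FLOWS = [
    # workstation ws1: routine browsing, around 10 KB per flow
    (1000, "ws1", "203.0.113.10", 443, "tls", 12_000),
    (1060, "ws1", "203.0.113.11", 443, "tls", 9_500),
    (1120, "ws1", "203.0.113.12", 80, "http", 7_800),
    (1180, "ws1", "203.0.113.13", 443, "tls", 11_200),
    (1240, "ws1", "203.0.113.14", 443, "tls", 8_900),
    # then a single 600 MB upload to a host never seen before
    (1300, "ws1", "198.51.100.7", 443, "tls", 600_000_000),
    # server srv1: SSH carried on port 443 (protocol/port mismatch)
    (1000, "srv1", "198.51.100.20", 443, "ssh", 4_000),
    # host ws2: tiny HTTP callbacks every 300 s, give or take 3 s
    (2000, "ws2", "198.51.100.9", 8080, "http", 512),
    (2301, "ws2", "198.51.100.9", 8080, "http", 520),
    (2599, "ws2", "198.51.100.9", 8080, "http", 508),
    (2902, "ws2", "198.51.100.9", 8080, "http", 515),
    (3200, "ws2", "198.51.100.9", 8080, "http", 511),
]

# Assumed mapping of payload-identified protocol to the ports it usually uses.
USUAL_PORTS = {"tls": {443, 8443}, "http": {80, 8080}, "ssh": {22}, "dns": {53}}


def robust_baseline(flows, min_flows=5):
    """Per-source median and MAD of bytes sent. Median/MAD are used so that
    one huge transfer inside the learning window does not inflate the baseline."""
    per_host = defaultdict(list)
    for _, src, _, _, _, nbytes in flows:
        per_host[src].append(nbytes)
    baseline = {}
    for host, sizes in per_host.items():
        if len(sizes) < min_flows:
            continue  # too little history to call anything abnormal
        med = median(sizes)
        mad = median(abs(s - med) for s in sizes) or 1  # floor so spread is never zero
        baseline[host] = (med, mad)
    return baseline


def large_outbound_transfers(flows, baseline, k=10):
    """Flag flows whose byte count exceeds median + k*MAD for their source."""
    hits = []
    for _, src, dst, _, _, nbytes in flows:
        if src in baseline:
            med, mad = baseline[src]
            if nbytes > med + k * mad:
                hits.append((src, dst, nbytes))
    return hits


def port_protocol_mismatches(flows, usual_ports=USUAL_PORTS):
    """Flag a payload-identified protocol seen on a port it does not normally use."""
    return [(src, dst, port, proto)
            for _, src, dst, port, proto, _ in flows
            if proto in usual_ports and port not in usual_ports[proto]]


def periodic_callbacks(flows, min_flows=4, max_cv=0.1):
    """Flag (src, dst, port) triples whose inter-arrival times are nearly
    constant; a low coefficient of variation is the timing signature of a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _, _ in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_cv:
            hits.append((src, dst, port, round(period, 1)))
    return hits


if __name__ == "__main__":
    base = robust_baseline(FLOWS)
    print("large outbound transfers:", large_outbound_transfers(FLOWS, base))
    print("port/protocol mismatches:", port_protocol_mismatches(FLOWS))
    print("periodic callbacks:", periodic_callbacks(FLOWS))
```

Run as-is, the script flags only the 600 MB upload from ws1, the SSH session on port 443 from srv1, and the 300-second callback loop from ws2; the routine browsing and srv1's lone flow (too little history for a baseline) produce nothing. In a real deployment the learning window, the k multiplier and the jitter tolerance are the knobs that trade false positives against missed low-and-slow activity.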