Part two and part three of this blog series gave a detailed look at Log360’s in-depth auditing capabilities, while part one explained how easy the product is to set up and use. But SIEM is about more than just auditing; as we’ll see in today’s blog post, it also helps you secure your network from internal and external attacks through its advanced security capabilities.
Real-time threat intelligence
Threat intelligence helps you secure your network from various types of threats, including malware, phishing and spam, advanced persistent threats, communications from callback servers, and botnet attacks.
Log360 contains a built-in threat intelligence processor that automatically retrieves the latest threat feeds from trusted open sources like AlienVault OTX and Hail a TAXII, and scans your network continuously for signs of malicious activities. This feature is preconfigured and starts monitoring your network for threats the moment you add log sources. Log360 also enables you to add custom STIX/TAXII-based threat feeds and seamlessly integrate them within your threat intelligence program.
Using the search module, you can trace any threat actor’s path through your network in seconds. You can even reduce false positives by setting up correlation-based threat alerts that send notifications only when a threat actor’s actions are confirmed as suspicious activity.
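The two mechanisms this section describes, matching indicators from a STIX/TAXII feed against log traffic and then alerting only when a correlation confirms the activity, look like the following in code. This is an added example written for this post, not Log360's own processor or the code of any feed provider; the STIX bundle, the UUIDs, the firewall and DNS log layout and the alert threshold are all constructed for the demonstration, and only simple single-comparison STIX patterns on IPv4 addresses and domain names are parsed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed STIX 2.1 bundle standing in for a feed pulled over TAXII. Real
# AlienVault OTX or Hail a TAXII feeds share this object shape but carry far
# more indicators; the values and UUIDs here are made up.
FEED = json.loads("""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "name": "constructed C2 address",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern_type": "stix", "name": "constructed phishing domain",
     "pattern": "[domain-name:value = 'login.example.invalid']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
     "pattern_type": "stix", "name": "constructed file hash (unsupported here)",
     "pattern": "[file:hashes.'SHA-256' = '0000000000000000000000000000000000000000000000000000000000000000']"}
  ]
}
""")

# Constructed firewall and DNS log lines in a simplified key=value layout
# (assumption: not the real format of any product).
LOGS = """\
2024-03-06 10:00:40 fw1 ACCEPT src=10.0.0.5 dst=198.51.100.7 dport=443
2024-03-06 10:00:41 dns query client=10.0.0.5 name=login.example.invalid
2024-03-06 10:01:10 fw1 ACCEPT src=10.0.0.9 dst=203.0.113.20 dport=443
2024-03-06 10:02:00 dns query client=10.0.0.9 name=login.example.invalid
2024-03-06 10:30:00 fw1 ACCEPT src=10.0.0.5 dst=198.51.100.7 dport=443""".splitlines()

# Only simple single-comparison patterns on these two object types are handled.
SIMPLE_PATTERN = re.compile(r"^\[(ipv4-addr|domain-name):value\s*=\s*'([^']+)'\]$")
KV = re.compile(r"(\w+)=(\S+)")


def load_indicators(bundle):
    """Map each matchable indicator value to its (id, name); skip unsupported patterns."""
    table = {}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj["pattern"])
        if m:
            table[m.group(2)] = (obj["id"], obj["name"])
    return table


def find_hits(lines, indicators):
    """Scan every key=value field of each line against the indicator table.
    Returns [(timestamp, internal_host, indicator_id, indicator_name, line)]."""
    hits = []
    for line in lines:
        fields = dict(KV.findall(line))
        host = fields.get("src") or fields.get("client")
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
        for value in fields.values():
            if value in indicators:
                ind_id, name = indicators[value]
                hits.append((ts, host, ind_id, name, line))
    return hits


def correlated_alerts(hits, min_distinct=2, window=timedelta(minutes=5)):
    """Alert on a host only when it touches >= min_distinct different indicators
    within `window`; a single isolated match stays a hit, not an alert."""
    by_host = defaultdict(list)
    for h in sorted(hits):
        by_host[h[1]].append(h)
    alerts = {}
    for host, hs in by_host.items():
        for i, (ts, _, _, _, _) in enumerate(hs):
            recent = {h[2]: h[3] for h in hs[:i + 1] if h[0] >= ts - window}
            if len(recent) >= min_distinct:
                alerts[host] = sorted(recent.values())
                break
    return alerts


if __name__ == "__main__":
    indicators = load_indicators(FEED)
    hits = find_hits(LOGS, indicators)
    for ts, host, _, name, _ in hits:
        print(f"hit  {ts} {host} -> {name}")
    for host, names in correlated_alerts(hits).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

Running it yields four raw hits but only one alert, for the host that both connected to the listed address and resolved the listed domain within five minutes; the host with a single DNS match is recorded but not alerted on, which is the false-positive reduction the post describes.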
Machine-learning-powered user and entity behavior analytics (UEBA)
While auditing your logs and identifying events of concern is primarily a reactive strategy, machine learning helps you become proactive by enabling you to identify elements of risk in your network. UEBA works by baselining user and entity behavior, measuring it against past activities, and raising an alarm if this behavior deviates from normal patterns.
Log360’s UEBA module harnesses your network logs to constantly monitor and profile your users and network entities, such as Windows and SQL servers, firewalls, and other network devices. It logs every deviation based on time, pattern, or count, and automatically assigns a risk score to each user and entity. This helps you determine the threat they pose to your network.
The UEBA dashboard gives you a concise summary of the risks posed by each user and entity, and their history of abnormal activities. The risk score enables you to prioritize which threats to focus on first; you can create a watch list of users and entities based on their risk scores, and receive alerts for all their suspicious activities. UEBA also helps you corroborate threats by identifying potential indicators of compromise in your network.
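The baselining, deviation and risk-scoring cycle described above can be reduced to a small worked example. This is added illustration code, not Log360's UEBA module or its scoring model: the logon records, the three deviation checks (time, pattern and count, mirroring the categories named in the post), the weights and the watch-list threshold are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed historical logon events (assumption: a simplified
# "timestamp user host" format, not Log360's actual log schema).
HISTORY = """\
2024-03-01T09:02:00 alice WS-01
2024-03-01T09:15:00 bob WS-02
2024-03-02T08:55:00 alice WS-01
2024-03-02T09:20:00 bob WS-02
2024-03-03T09:10:00 alice WS-01
2024-03-03T09:05:00 bob WS-02
2024-03-04T09:00:00 alice WS-01
2024-03-04T09:30:00 bob WS-02
2024-03-05T08:50:00 alice WS-01
2024-03-05T09:12:00 bob WS-02""".splitlines()

# Constructed events for the day being scored.
TODAY = """\
2024-03-06T03:10:00 alice FILESRV-07
2024-03-06T03:12:00 alice FILESRV-07
2024-03-06T03:14:00 alice FILESRV-07
2024-03-06T09:05:00 bob WS-02""".splitlines()

# Weights are illustrative assumptions, not Log360's scoring model.
WEIGHT = {"time": 3, "pattern": 2, "count": 1, "unknown_user": 5}


def parse(line):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host


def hour_distance(a, b):
    """Circular distance between two hours of the day (23 and 0 are 1 apart)."""
    d = abs(a - b)
    return min(d, 24 - d)


def build_baseline(lines):
    """Profile each user: hours and hosts seen, and the busiest day's logon count."""
    base = defaultdict(lambda: {"hours": set(), "hosts": set(), "daily": defaultdict(int)})
    for ts, user, host in map(parse, lines):
        p = base[user]
        p["hours"].add(ts.hour)
        p["hosts"].add(host)
        p["daily"][ts.date()] += 1
    for p in base.values():
        p["max_daily"] = max(p["daily"].values())
    return base


def score_events(baseline, lines):
    """Compare new events with the baseline; return per-user risk and the reasons."""
    risk = defaultdict(int)
    reasons = defaultdict(list)
    seen_today = defaultdict(int)
    for ts, user, host in map(parse, lines):
        p = baseline.get(user)
        if p is None:
            risk[user] += WEIGHT["unknown_user"]
            reasons[user].append("unknown_user: no baseline for this account")
            continue
        # Time deviation: logon hour more than one hour away from every baseline hour.
        if all(hour_distance(ts.hour, h) > 1 for h in p["hours"]):
            risk[user] += WEIGHT["time"]
            reasons[user].append(f"time: logon at {ts.hour:02d}h, baseline hours {sorted(p['hours'])}")
        # Pattern deviation: a host this user has never logged on to.
        if host not in p["hosts"]:
            risk[user] += WEIGHT["pattern"]
            reasons[user].append(f"pattern: first logon to {host}")
        # Count deviation: more logons today than on the busiest baseline day.
        key = (user, ts.date())
        seen_today[key] += 1
        if seen_today[key] > p["max_daily"]:
            risk[user] += WEIGHT["count"]
            reasons[user].append(f"count: {seen_today[key]} logons on {ts.date()}, baseline max {p['max_daily']}")
    return dict(risk), dict(reasons)


def watch_list(risk, threshold=10):
    """Users whose risk score meets the threshold, highest score first."""
    return [u for u, s in sorted(risk.items(), key=lambda kv: -kv[1]) if s >= threshold]


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    risk, reasons = score_events(baseline, TODAY)
    for user in watch_list(risk):
        print(f"{user}: risk {risk[user]}")
        for r in reasons[user]:
            print("  -", r)
```

With these inputs, three off-hours logons to a never-used file server push one account onto the watch list with a score of 17 (three time, three pattern and two count deviations), while the other account's usual morning logon scores nothing at all. In practice the baseline window would be weeks rather than days and the weights would be tuned against the environment's own noise.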
Apart from basic database and file auditing features, Log360 also provides advanced auditing reports and data discovery features.
The column integrity monitoring feature enables you to watch critical database columns and track all changes made to them, along with old and new values. This helps preserve column integrity and revert your database to a stable state in case of an erroneous or unauthorized change.
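The column-level capture of old and new values, and the revert it makes possible, can be reproduced on any database that supports row triggers. The following is an added example written for this post and is not Log360's implementation; it uses an in-memory SQLite database with a constructed `accounts` table whose `balance` column is the watched one, and a `column_audit` table standing in for the product's report.

```python
import sqlite3

# Assumption: an in-memory SQLite database stands in for the monitored server;
# the table, the watched column and the sample rows are constructed.
WATCHED_COLUMNS = {"balance"}


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER);

        -- One audit row per change to a watched column, with old and new values.
        CREATE TABLE column_audit (
            seq         INTEGER PRIMARY KEY AUTOINCREMENT,
            changed_at  TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
            row_id      INTEGER NOT NULL,
            column_name TEXT NOT NULL,
            old_value,
            new_value
        );

        -- Watch the 'balance' column: fire only when its value actually changes.
        CREATE TRIGGER audit_accounts_balance
        AFTER UPDATE OF balance ON accounts
        WHEN OLD.balance IS NOT NEW.balance
        BEGIN
            INSERT INTO column_audit (row_id, column_name, old_value, new_value)
            VALUES (NEW.id, 'balance', OLD.balance, NEW.balance);
        END;
    """)
    con.executemany("INSERT INTO accounts (owner, balance) VALUES (?, ?)",
                    [("alice", 100), ("bob", 250)])
    con.commit()
    return con


def change_history(con, row_id, column="balance"):
    """Every audited change to one cell, oldest first: [(seq, old, new), ...]."""
    return con.execute(
        "SELECT seq, old_value, new_value FROM column_audit "
        "WHERE row_id = ? AND column_name = ? ORDER BY seq",
        (row_id, column)).fetchall()


def revert_after(con, row_id, seq, column="balance"):
    """Undo every audited change to the cell made after audit entry `seq`,
    newest first, so the column returns to its value at that point. The
    reverting UPDATEs fire the trigger too, so the revert is itself audited."""
    if column not in WATCHED_COLUMNS:          # identifier is interpolated, so whitelist it
        raise ValueError(f"{column!r} is not a watched column")
    later = con.execute(
        "SELECT old_value FROM column_audit WHERE row_id = ? AND column_name = ? "
        "AND seq > ? ORDER BY seq DESC", (row_id, column, seq)).fetchall()
    for (old,) in later:
        con.execute(f"UPDATE accounts SET {column} = ? WHERE id = ?", (old, row_id))
    con.commit()
    return con.execute(f"SELECT {column} FROM accounts WHERE id = ?", (row_id,)).fetchone()[0]


if __name__ == "__main__":
    con = open_db()
    con.execute("UPDATE accounts SET balance = 90 WHERE owner = 'alice'")  # legitimate change
    con.execute("UPDATE accounts SET balance = 0 WHERE owner = 'alice'")   # unauthorized change
    con.execute("UPDATE accounts SET owner = 'alice' WHERE id = 1")        # unwatched column, no audit row
    for seq, old, new in change_history(con, 1):
        print(f"#{seq}: balance {old} -> {new}")
    print("balance after reverting everything past entry #1:", revert_after(con, 1, 1))
```

The `WHEN OLD.balance IS NOT NEW.balance` guard keeps no-op updates out of the audit trail, and because the revert runs through ordinary UPDATE statements it leaves its own audit rows, so the trail never has a gap.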
The data discovery feature scans your network and uses automated policies to help you find personally identifiable information (PII) in your network’s files, folders, or shares. You can track all changes made to this data, and analyze access and modification trends. This helps you secure sensitive data and adhere to compliance mandates like the GDPR, which requires you to track this type of data throughout your network at all times.
Advanced event correlation
Auditing network events from each log source in isolation has many advantages and helps uncover patterns that yield valuable insights. But because logs from different sources arrive in different formats, reviewing them together isn't always easy.
Event correlation is a powerful technique that helps connect the dots between related logs, and identifies suspicious patterns of activity based on predefined correlation rules. Log360’s correlation module comes with more than 30 predefined correlation rules that help you identify several types of attacks, including those generated from malware downloads, cryptomining, and worm activity. The aggregated correlation reports give you a detailed timeline of all events leading up to a security incident and facilitate speedy forensic investigations.
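To make the mechanics concrete, here is an added example of a correlation rule over logs from two sources in different formats. It is written for this post and is not one of Log360's predefined rules; the simplified Windows Security and firewall line layouts, the source name `fw1`, the 120-second window and the three-failure threshold are constructed assumptions (Windows event IDs 4625 and 4624 are the real IDs for failed and successful logons). The rule normalizes both formats into one schema, then flags a successful logon preceded by repeated failures from the same source and appends any connections the firewall accepted from that source afterwards, producing the kind of timeline the post describes.

```python
import re
from datetime import datetime, timedelta

# Constructed log lines in two formats: Windows Security events
# (EventID 4625 = failed logon, 4624 = successful logon) and firewall
# connection records. Both layouts are simplified assumptions.
LOGS = """\
2024-03-06 10:00:40 fw1 ACCEPT src=10.0.0.5 dst=10.0.2.20 dport=445
2024-03-06 10:00:01 Security EventID=4625 user=alice src=10.0.0.5
2024-03-06 10:05:00 Security EventID=4625 user=bob src=10.0.0.9
2024-03-06 10:00:05 Security EventID=4625 user=alice src=10.0.0.5
2024-03-06 10:00:09 Security EventID=4625 user=alice src=10.0.0.5
2024-03-06 10:00:14 Security EventID=4624 user=alice src=10.0.0.5
2024-03-06 10:05:30 Security EventID=4624 user=bob src=10.0.0.9
2024-03-06 10:00:55 fw1 ACCEPT src=10.0.0.5 dst=10.0.2.21 dport=445
2024-03-06 10:06:00 fw1 DENY src=10.0.0.9 dst=203.0.113.9 dport=443
some unrelated line the normalizer should ignore""".splitlines()

WIN_RE = re.compile(r"^(\S+ \S+) Security EventID=(\d+) user=(\S+) src=(\S+)$")
FW_RE = re.compile(r"^(\S+ \S+) fw1 (ACCEPT|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
WIN_TYPES = {"4625": "logon_failed", "4624": "logon_success"}
TS_FMT = "%Y-%m-%d %H:%M:%S"


def normalize(line):
    """Map a raw line from either source onto one common event schema, or None."""
    m = WIN_RE.match(line)
    if m:
        ts, eid, user, src = m.groups()
        if eid not in WIN_TYPES:
            return None
        return {"ts": datetime.strptime(ts, TS_FMT), "type": WIN_TYPES[eid],
                "user": user, "src": src, "dst": None, "raw": line}
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, _ = m.groups()
        return {"ts": datetime.strptime(ts, TS_FMT), "type": "fw_" + action.lower(),
                "user": None, "src": src, "dst": dst, "raw": line}
    return None


def correlate(lines, fail_threshold=3, window=timedelta(seconds=120)):
    """Rule: >= fail_threshold failed logons for one user from one source, then a
    successful logon for that user from that source, all inside `window`; any
    connections the firewall then accepts from the same source within the
    window are appended to the incident timeline."""
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["ts"])
    incidents = []
    for i, ev in enumerate(events):
        if ev["type"] != "logon_success":
            continue
        fails = [f for f in events[:i]
                 if f["type"] == "logon_failed" and f["src"] == ev["src"]
                 and f["user"] == ev["user"] and f["ts"] >= ev["ts"] - window]
        if len(fails) < fail_threshold:
            continue
        follow_on = [o for o in events[i + 1:]
                     if o["type"] == "fw_accept" and o["src"] == ev["src"]
                     and o["ts"] <= ev["ts"] + window]
        timeline = fails + [ev] + follow_on
        incidents.append({
            "user": ev["user"], "src": ev["src"],
            "rule": "brute_force_then_connections" if follow_on else "brute_force_success",
            "timeline": [e["raw"] for e in timeline],
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(LOGS):
        print(f"[{inc['rule']}] user={inc['user']} src={inc['src']}")
        for line in inc["timeline"]:
            print("   ", line)
```

On the sample data the rule fires once: the three failures, the success and the two accepted connections from 10.0.0.5 are assembled into a six-line timeline, while the single failure from 10.0.0.9 stays below the threshold. Sorting the normalized events by timestamp before applying the rule is what lets lines that arrived out of order, or from different collectors, fall into place.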
Apart from the detection methods outlined above, Log360 also helps you manage incidents efficiently. Proper incident management resolves incidents much more quickly and cuts costs in the process.
One of the ways Log360 does this is by including a built-in ticketing module that enables you to manually or automatically assign incident tickets to their respective owners. You can then track the incident status through to its resolution. The module also allows you to maintain a database of past incidents that you can easily refer to.
Additionally, many organizations use separate help desk software. To save you from a lot of manual overhead and ensure no incidents are missed, Log360 enables you to automatically forward security incidents to external help desk software including ServiceDesk Plus, ServiceNow, Jira Service Desk, Zendesk, Kayako, and BMC Remedy Service Desk.
With all of these advanced security features, Log360 goes above and beyond to detect suspicious incidents in your network, and help you investigate and manage them with ease.