LogRhythm adds more SOAR capabilities into their next-gen SIEM with 7.4 software release

LogRhythm’s ongoing integration of SOAR automation and response technology into their SIEM has led to a SOAR adoption rate over 30 times what Gartner had projected would be the industry average for standalone SOAR products by 2018.

Chris Petersen, co-founder and chief product and technology officer at LogRhythm

Next-gen SIEM vendor LogRhythm has released the 7.4 version of their software. The emphasis is on the integration of Security Orchestration, Automation and Response (SOAR) technology into their SIEM, with new capabilities being added through new Case Playbooks, SmartResponse automation actions and SOC metrics.

“The company was started about 15 years ago, and its mission from the outset was to reinvent what SIEM should be,” said Chris Petersen, co-founder and chief product and technology officer at LogRhythm. “What has differentiated us is a focus on more broad-based machine data analytics, in order to centralize more security data. We are able to better see advanced threats that have evaded more traditional firewall and endpoint layers, or which emerge from within, through our Big Data analytics approach.”

The 7.4 version of the LogRhythm software continues the focus from past releases on integrating advanced SOAR capabilities.

“Some companies have separate SOAR products, but we have always believed that a next-gen SIEM product should provide them,” Petersen said. “Once we can better detect threats, SOAR lets us accelerate the response, by automating as much of that workflow as possible so that manual repetitive tasks can be done through software. 7.4 is the latest set of innovations that integrate SOAR features. We have been investing in SOAR and embedding it natively into our workflow, to produce a single integrated workflow. As a result, we are seeing a much higher rate of SOAR adoption in our SIEM than analysts have predicted for the market as a whole.”

LogRhythm says that a recent survey of its customers found that 33 per cent of them have adopted the company’s SOAR capabilities. The company contrasts that with Gartner’s estimate that standalone SOAR products would be adopted in 2018 by less than one per cent of security organizations with five or more security professionals, an adoption rate expected to reach only 15 per cent by 2020.

“We are seeing this high adoption rate because we have elegantly integrated SOAR capabilities into our platform,” Petersen said. “SOAR as a separate platform only makes sense if you have a legacy SIEM you want to keep that does not have SOAR, and are looking for something to bolt on, or if you are a large company with multiple different SIEMs. Customers really want SOAR delivered as part of a broader platform, which is why we are seeing smaller SOAR vendors being OEMed or acquired.”

The 7.4 software release integrates three new elements of SOAR technology, all of which build on top of the prior feature set. They are case playbooks, new automated response actions, and new SOC metrics.

“The Case Playbooks are entirely new in 7.4,” Petersen said. “We let customers’ security teams create playbooks with procedures, tasks or timelines that can be added to an incident, in order to make sure a much more prescriptive set of actions can be taken, even for a threat type which has not been seen before.” The playbooks incorporate institutional process methodology, senior analyst knowledge and best practices. Out-of-the-box playbooks are provided, which can be easily customized.

“We have also added about 50 new SmartResponse automation actions, which build on top of existing actions, to perform repetitive tasks like changing a password or quarantining a device,” Petersen said. LogRhythm’s Community site hosts a growing library of SmartResponse plugins that provide over 100 automated and semi-automated actions, including actions developed by LogRhythm Labs, by the LogRhythm user community and in partnership with LogRhythm’s Technology Alliance Partners. Other new automations include triggering vulnerability scans, conducting URL link analysis, performing memory dumps, disabling users and adding IPs/FQDNs to blacklists.

“Today, we can automate about 80 per cent of all actions, but there is still a lot of work in that 20 per cent, so we will continue to develop more out-of-the-box innovations for those,” Petersen said.

The other addition is new SOC metrics.

“We have had SOC metrics before, but now we have introduced new ones which build on the old, as well as some new things which we didn’t have previously,” Petersen said. “They let the SOC manager better understand the difference between threats and false positives.”

Petersen also provided a glimpse of LogRhythm’s road map for next year.

“In 2019, we will continue to innovate the application of AI to our product both at the analytics layer and the SOAR layer,” he said. “We will continue to see innovations around our UEBA [User and Entity Behavior Analytics] offering. We will also provide deeper analytics to assess user-borne threats, and new capabilities around network detection and response. We will also keep innovating in SOAR, with more automated actions. We will also evolve our playbooks, and there will be more in the realm of collaboration.”

LogRhythm sells primarily through channel partners.

“We are very much a channel company,” Petersen said. “90 per cent of our business is channel, and we are invested very heavily in it. We are looking to partner with large global SIs, and strong regional and boutique partners with a higher level of consultancy expertise.”