
Chris Petersen, Chief Technology Officer, LogRhythm

Stephen Northcutt - March 13th, 2009

Chris Petersen is the CTO of LogRhythm, a log analysis company. He has done a lot of work in log management and has agreed to be interviewed by the securitylab; we certainly thank him for his time.

Chris, let's talk about your background so we can have a better understanding of where you are coming from. I understand that you worked at Price Waterhouse (pre-Coopers) and also Ernst & Young. Can you share a bit about the types of work you did there and also some of your insights about the security community?

I began my career as a financial and then EDP auditor with Price Waterhouse. I spent my first couple of years there doing general controls reviews and application control reviews. I found I had a knack for developing software when I developed an MS Access tool for automating Oracle and Sybase database security assessments. After a couple of years at PW I found out they had a "tiger team" doing pen tests. I found this fascinating and moved into the information assurance practice. There I performed typical IA work: pen tests, vulnerability assessments, security architecture reviews, etc. Once again, I found I had a knack for software when asked to develop an application that could automate and differentiate the delivery of enterprise security architectures. This software, called the Enterprise Security Architecture System, got the attention of Ernst & Young, who came after my boss, me and the other individual involved in the project.

At Ernst & Young, I was part of the National Security Practice. My role was to develop software we could roll out across the globe to differentiate E&Y service offerings and provide additional lines of review. I worked with many people who were, and still are, industry leaders in information security to develop state-of-the-art service methodologies and associated software solutions. Of course, this being the late 90s, we also developed a portal called eSecurityOnline. I architected and led the engineering team that brought this to market.

These combined experiences gave me well-rounded exposure to information assurance and network security. That exposure, coupled with my EDP/IT audit experience, gave me unique insight into how technology-applicable control structures support financial audit and regulatory compliance requirements. I was also getting pretty good at developing software.

Thank you very much, Chris. Then you went to Counterpane, where we understand you had a lead role in developing the managed services; you must have learned a lot about the log management business there. How long were you there?

I joined Counterpane as the twelfth employee and found myself surrounded by industry leaders and luminaries; it was pretty awesome. My role was to lead the Network Intelligence group. That group helped design and architect the back-end system called SOCRATES that would translate log data collected in the field into useful intelligence. Essentially we were building our own SIEM. This role gave me tremendous insight into the challenges associated with converting massive amounts of log data into useful information, both from an analysis and a general system scalability standpoint. In 2001, the air was out of the bubble and the resources and attention to our specific initiative at Counterpane were waning. It was at this time I first started thinking about starting my own company and building a better solution on my own. However, instead, I decided to acquire some desired skills and joined Enterasys Networks in a product marketing role working with a leader in the field of intrusion detection, Ron Gula.

How did Counterpane recruit talent to analyze the log data? The reason I ask is that there always seems to be a shortage of capable analysts, and I suspect that as Data Loss Prevention (DLP) gains more of a foothold this will get worse; there just aren't that many people who choose to become adept with regular expressions.

This is a key challenge of any MSSP business operation and why we need technology to continue evolving in intrusion/threat detection capability and accuracy. For an MSSP, a key business metric is the number of customers that a single 24/7 SOC chair can support. If it costs $300-500K a year to put someone in that seat 24/7, they need to support a lot of customers. This means they need accurate front-end sensors, combined with a very good back-end analysis engine, to do most of the heavy lifting for them. This is why at LogRhythm, automated analysis techniques and capabilities will continue to be a leading area of innovation and investment.

OK, we just have to ask, can you give us a good "working for Bruce Schneier" story?

Mostly it was just exciting and motivating to be working alongside him and the other industry leaders at Counterpane at the time. I felt fortunate to be in their company and learned a lot.

I assume that while you were working in industry you felt something was missing from the log management industry segment. Can you share what you felt needed to be added, fixed, or improved?

When Phil and I started LogRhythm, it wasn’t so much what was missing from Log Management, it was what was missing from SIEM. Log Management was missing from SIEM. For me, the desired solution was, and is, one in which I can collect a wide variety of forensic information that is automatically analyzed and converted into high-quality events. The key difference is that the forensic data layer is available to pull from on demand. A correlated event is nice, but when all the logs that created it, or logs from the system where the event occurred, are not available, it makes analysis a whole lot less effective for your average security analyst or system administrator. I wanted both: high-quality events with forensic data on demand when needed. This is why from the outset we architected a solution that can do both log and event management in a single integrated solution.

Can you share three things that distinguish LogRhythm from the rest of the log management industry?

  • Single integrated solution for log and event management.
  • Our search and analysis capabilities. I believe we simply do more with the log data we collect. This enables a level of search and analysis beyond competing solutions.
  • Overall ease of use and deployment.

I understand Eric Fitzgerald of Microsoft coined a term, "skinny events". The idea is that a program, Sendmail for instance, detects an event such as an attempted relay and reports it as a log event, but Sendmail doesn't collect any additional information about the event; it simply reports the data it has at hand. In order to do analysis, a lot of additional information is helpful. Some people call it referential data; it might include vulnerability scan information about the IP address that attempted the relay, any historical information for that address, and so on. Can you give us some specifics about what LogRhythm does to supply us with this referential data?

For every log we receive, we prepare a variety of metadata and contextual data. For instance, we’ll prepare and contextualize origin (i.e., attacker) and impacted host (i.e., target), origin and impacted user, the affected application, and the direction of the log (i.e., external, outbound, internal). When analyzing logs, you are able to glean additional information on hosts, users, ports, and applications. Logs can also be correlated against vulnerabilities and other known system state information.

Of all the additional data, perhaps the most important piece is the identity, or believed identity of the person behind the activity that has caused a log event to be generated. What tools does LogRhythm give us to tie identity to activity?

First, we always prepare metadata on and contextualize user information in the log. We will determine, present and distinguish the origin user (initiated activity) from the impacted user (affected by activity). In addition, we have a feature called User Activity Monitor which independently monitors user and process logon/logoff activity. This information can be correlated against other logs to identify the "who".
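An added example (not LogRhythm's code) of the enrichment the two answers above describe: a "skinny" Sendmail relay-denied line is parsed, given origin/impacted hosts and a direction, joined to scanner findings, and the origin user is resolved from logon sessions the way a user activity monitor would record them. The internal address ranges, asset table, scan findings, logon table and log lines are all constructed assumptions.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed referential data (assumptions for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ASSETS = {"mx1": "10.0.5.25"}                                   # hostname -> IP
VULN_SCAN = {"10.0.5.25": ["smtp: relay configuration flagged by scanner"]}
# (user, host IP, logon, logoff) as a user activity monitor might record it.
LOGONS = [("alice", "10.0.5.20",
           datetime(2009, 3, 13, 8, 55), datetime(2009, 3, 13, 17, 5))]

SENDMAIL_RELAY = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, relay=\[(?P<relay>[\d.]+)\], "
    r"reject=(?P<reject>.*)$")

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def direction(origin, impacted):
    """Classify the log as internal, outbound or external from its endpoints."""
    if is_internal(origin):
        return "internal" if is_internal(impacted) else "outbound"
    return "external"

def who_was_logged_on(ip, when):
    """Resolve the origin user from logon sessions that bracket the event time."""
    return [u for u, h, on, off in LOGONS if h == ip and on <= when <= off]

def enrich(line, year=2009):
    """Turn a skinny relay-denied event into a contextualized record (None if no match)."""
    m = SENDMAIL_RELAY.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    origin, impacted = m["relay"], ASSETS.get(m["host"], m["host"])
    return {"time": when, "application": "sendmail", "event": "relay denied",
            "origin_host": origin, "impacted_host": impacted,
            "direction": direction(origin, impacted),
            "origin_user": who_was_logged_on(origin, when),
            "impacted_vulns": VULN_SCAN.get(impacted, [])}

# Constructed log lines: one external relay attempt, one from an internal host.
SAMPLE = [
    "Mar 13 10:15:02 mx1 sendmail[4242]: n2DAF2xx004242: ruleset=check_rcpt, arg1=<bob@example.org>, relay=[203.0.113.7], reject=550 5.7.1 Relaying denied",
    "Mar 13 10:16:40 mx1 sendmail[4243]: n2DAGexx004243: ruleset=check_rcpt, arg1=<bob@example.org>, relay=[10.0.5.20], reject=550 5.7.1 Relaying denied",
]
```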

Can you share a war story of someone who was fired or, even better, convicted, because of data flagged by LogRhythm? It is OK to keep the name of the company secret unless this was a major news event.

We know of multiple instances where LogRhythm has been used in support of criminal investigations. Given the nature of these incidents, that is about all that has been shared with us.

Now that you are the big boss, do you still have time to be involved in product development? What are you working on now that you can share?

Fortunately, I had the insight to realize I didn’t want to be a CEO; that is not the work I enjoy. Therefore, I have focused on the CTO role and, as such, focus my time and energy on directing the product strategy and engineering organization. I am still very much hands-on to ensure we continue to deliver powerful software that is easy to use and delivers true value to customers. We will be announcing LogRhythm 5.0 very soon. Lots of exciting new capabilities are being introduced, especially in regard to what I call "independent auditing" at the end-point.

What are your insights into the whole Data Loss Prevention (DLP) industry segment? Many organizations have backed away from Vontu because of the expense, and you are starting to see a lot of other vendors either adding DLP functionality or re-branding, depending on whom you talk with. Yet these tools are starting to add a new stream of events that must be managed and responded to. Where is the DLP market segment going?

I can’t say I’m a DLP expert, so I'm hesitant to provide authoritative opinions in this area. However, I think the end-use case of preventing data loss will begin to be delivered by other solutions such as LogRhythm. We will be introducing DLP relevant functionality in our 5.0 release.

If your best friend was selected as the new CISO of a large organization and the previous CISO had a team that was looking at log management for PCI compliance purposes and they were recommending TriGeo, what would you tell your friend?

Buy LogRhythm. TriGeo, like other SEM vendors, was designed for the correlation use case and, as such, was never architected to deliver on the log management need, especially scalability. Most have bolted on something and call it log management, but I question the integration, quality, and usefulness if log management and analysis is a key decision driver.

Thank you for that; not to put you on the spot, but let's do it again. If your best friend were selected as the new CISO of a large organization and the previous CISO had a team that was looking at log management for PCI compliance purposes and they were recommending Splunk, what would you tell your friend? (By the way, if you are wondering why I picked these particular products, when I typed "Log Rhythm" into Google, paid ads from these two vendors appeared. That is probably a trademark violation, guys, and I have the page saved.)

Again, I’d have to say buy LogRhythm. While I understand Splunk has some nice searching capabilities, log management from a compliance standpoint is really not their strong suit. Their background and focus has been log data search for IT. The last time I looked, they don’t do much in terms of data normalization. Compliance needs require more structured and contextualized data for effective analysis and reporting. This is one of our strengths.

One of the traditions of the securitylab is to give our guests a shot at a bully pulpit, a chance to share what is on your heart for any security-related topic. What would you like to share with our audience?

Products that simply take a backup of a directory or database containing log messages aren’t log management solutions. If you are concerned with compliance requirements as they pertain to being able to safeguard and recover logs, make sure the solution you choose has a purpose-built infrastructure designed for the long-term organization, safeguarding, and retrieval of log data. A couple of years ago we were competing against vendors who said, "We do log management, just back up your Oracle tablespace." A year later, they introduced a log management product.

If my organization recently purchased LogRhythm and, a day after it was delivered, I heard that a HIPAA compliance audit was scheduled for next week, what are three things you would tell me to do with your product?

  1. Deploy LogRhythm
  2. Configure collection of HIPAA-relevant servers and devices
  3. Enable the HIPAA reporting package for scheduled report generation and distribution

We have had situations where customers had a similar timeframe and were able to accomplish the above very quickly, which helped them pass their audit.

Log and event management is a rapidly growing segment of the industry; what do you see in the future? Can you share your vision with us?

I believe log and event management to be a core data center technology of the future. This platform supports many uses, Security Event Management being one. Day-to-day system/network incident response support is another. I believe there is still much progress to be made when it comes to analyzing logs for the purpose of identifying threats, intrusions, and general IT issues that organizations are blind to today. This will be much of the focus for log and event management into the future.

Last question: can you tell us just a bit about yourself? What do you do when you are not in front of a computer?

I’m actually not much of a computer guy when not working. My own time is spent with my wife and our son, who will turn 10 months in March. I enjoy the outdoors and have come to appreciate how much more difficult a hike can be with an extra 20 pounds on your back. Of course, being from and living in Colorado, I enjoy the outdoor lifestyle. I’m more of a summer sport enthusiast, with mountain biking and tennis consuming most of my spare sporting time. During the winter, I do enjoy my reign as King of Ping Pong at LogRhythm (we have a ping pong table in the engineering area). *smile* I do enjoy reading and have recently been getting back into Sci Fi. The one computer-related hobby I have been working on is setting up a media server that allows me to stream my lossless audio file collection to my PS3. It is amazing how passionate people can be towards the lossless codec of their choice. And I thought network security could get contentious.