
This webcast has been archived.

Why Insider Actions Matter: SANS Review of LogRhythm CloudAI for User and Entity Behavior Analytics

  • Tuesday, February 27, 2018 at 1:00 PM EST (2018-02-27 18:00:00 UTC)
  • Mark Settle, Samir Jain, Dave Shackleford


  • LogRhythm




Insider actions, whether intentional or accidental, cause the majority of breaches reported by respondents to multiple SANS surveys (including this one) conducted in 2017. Yet these same responses also indicate that user activities, including those performed through breached credentials, are often not analyzed in threat management lifecycles.

When threats occur, understaffed security operations centers usually lack easy access to contextual information, including:

  • Baselined user behavior
  • How users authenticate
  • Machine-to-machine connections
  • Whitelisted workstations and applications

This lack of visibility is a key problem that LogRhythm's CloudAI technology, applied to user and entity behavior analytics (UEBA), was built to solve. Using supervised and unsupervised learning, CloudAI establishes baselines, then monitors user behavior, automatically scoring user actions as harmless, risky or malicious based on multiple criteria.

In this webcast, senior SANS instructor and analyst Dave Shackleford will discuss his experience reviewing LogRhythm CloudAI as he runs through various use cases, such as insider threat, account compromise and admin abuse.

Learn how LogRhythm CloudAI:

  • Detects user activities indicative of threats or compromises
  • Scores user activities and provides recommendations or takes automated actions
  • Supports threat hunting and incident response capabilities
  • Improves the machine learning experience through supervised and unsupervised learning

Register for this webcast and receive early access to the associated whitepaper report developed by Dave Shackleford.

View the associated whitepaper here.

Speaker Bios

Dave Shackleford

Dave Shackleford, a SANS analyst, senior instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.

Samir Jain

Samir Jain is a Senior Product Manager, Security Analytics at LogRhythm. He focuses on security analytics and UEBA, and brings a track record of over 18 years innovating and delivering world-class enterprise solutions from concept to market launch. Prior to LogRhythm he worked at Avaya for 16 years in Product Management.

Mark Settle

Mark Settle is the Product Marketing Team Manager at LogRhythm. As team lead, he and his team work alongside our Product Management and Development teams to bring LogRhythm products and solutions to market through market research and by producing positioning, marketing content, and training material. Prior to LogRhythm he led corporate marketing for Zayo Group.
