By Greg Foss
We are pleased to announce the release of the LogRhythm Phishing Intelligence Engine (PIE), an integrated application with LogRhythm’s Threat Lifecycle Management (TLM) platform.
LogRhythm’s PIE can help streamline and automate the entire process of tracking, analyzing, and responding to phishing emails. PIE helps fight one of the most commonly used methods for network infiltration, the phishing attack, to give you back valuable work time.
PIE is an open-source PowerShell framework that integrates with the LogRhythm TLM platform to help provide phishing attack detection and response to your organization. Built around Office 365, with the goal of expanding into on-premises Exchange in the near future, PIE continuously evaluates Message Trace logs for malicious content and dynamically responds as threats are identified or emails are reported.
The PIE framework consists of multiple scripts that are centered around the LogRhythm SIEM and work together to automate detection and response to cyberattacks. These scripts can be used with or without LogRhythm. PIE was not built to replace any existing phishing prevention toolsets—its goal is to help fill in the gaps in your current detection capabilities.
PIE plugs security gaps through a number of unique features and capabilities including:
PIE currently takes advantage of the following API integrations for analysis and project management. Note: Please let us know what tools you’re using; we’re always looking for new ways to improve our detections!
Office 365 Message Trace Logging is at the core of the PIE infrastructure, allowing for the ingestion and dynamic analysis of email as these messages traverse your environment. Integrating this data with LogRhythm allows for quick and easy searching across all email data within your environment, via dashboards and drill-down analyst views.
Once this email data is flowing into your SIEM, you can integrate with the LogRhythm Threat Intelligence Services (TIS) to trigger alarms on known spammers and other malicious events within the data.
However, the data you generate internally is typically the best threat intel for your company. Therefore, every reported phishing attack that crosses a threshold is automatically added to an internal threat list, for alarming and possible blocking in the future.
Now alarms are great and all, but the real meat of the PIE centers around Security Automation and Orchestration (SAO). For every alarm that fires, you can choose to have automated actions take place. This can be anything from quarantining mail from every recipient within the company, to changing credentials, to adding blocks on senders—ensuring that specific user can no longer phish the organization.
To set up these automated actions, you can run LogRhythm’s SmartResponse directly from the LogRhythm dashboard, or you can perform these actions outside of your SIEM altogether, using the O365-Ninja PowerShell script.
Regardless of how you decide to respond to events within your network, you have the option of using either the SmartResponse or the O365-Ninja PowerShell script to create and update LogRhythm cases for every event. This is very useful for tracking metrics, analyzing threat content within a message, and much more.
In fact, the true value of PIE comes from the messages that users report, or odd emails that are detected on the wire, that are then analyzed for malicious content. Below is an example case that is created whenever an email is analyzed by PIE:
In addition to the case that is created within the SIEM, PIE uses a weighted scoring mechanism to determine the risk of the email in question. Assuming the email passes the defined threshold of risk, PIE can act on malicious emails and automatically quarantine the email from all recipients within the company, documenting every step of the process within the LogRhythm case.
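The two mechanisms described above, a weighted risk score gated by a threshold and an internal threat list that grows from messages crossing that threshold, can be sketched in a few lines of PowerShell. The following is an added illustration, not PIE’s own code: the indicator names, their weights, the threshold value and the sample message records are all constructed for this example, and the real framework reads its indicators from Message Trace logs and its own analysis plugins rather than from hard-coded fields.

```powershell
# Added example (not PIE's own code): weighted phishing risk scoring with a
# quarantine threshold and an internal sender threat list. The indicator
# names, weights and threshold below are assumptions for illustration only.

# Constructed sample records, shaped loosely like Office 365 Message Trace
# rows with the analysis flags an inspection step would attach afterwards.
$Messages = @(
    [pscustomobject]@{
        MessageId        = '<constructed-1@example.invalid>'
        SenderAddress    = 'invoice@payments-example.invalid'
        RecipientAddress = 'alice@corp.example'
        Subject          = 'Overdue invoice - action required'
        UserReported     = $true
        LinkOnBlocklist  = $true
        AttachmentMacro  = $false
        SpfFail          = $true
        DisplayNameSpoof = $true
    },
    [pscustomobject]@{
        MessageId        = '<constructed-2@example.invalid>'
        SenderAddress    = 'newsletter@vendor.example'
        RecipientAddress = 'bob@corp.example'
        Subject          = 'Monthly product update'
        UserReported     = $false
        LinkOnBlocklist  = $false
        AttachmentMacro  = $false
        SpfFail          = $false
        DisplayNameSpoof = $false
    }
)

# Hypothetical weight per indicator; tune these to your own environment.
$Weights = @{
    UserReported     = 20
    LinkOnBlocklist  = 40
    AttachmentMacro  = 30
    SpfFail          = 15
    DisplayNameSpoof = 25
}
$QuarantineThreshold = 50   # assumed value; the real threshold is configurable

function Get-PhishRiskScore {
    param([Parameter(Mandatory)] [pscustomobject] $Message)
    $score = 0
    $hits  = @()
    foreach ($indicator in $Weights.Keys) {
        # Dynamic property lookup: only indicators present and true add weight.
        if ($Message.$indicator) {
            $score += $Weights[$indicator]
            $hits  += $indicator
        }
    }
    [pscustomobject]@{
        MessageId  = $Message.MessageId
        Sender     = $Message.SenderAddress
        Score      = $score
        Indicators = ($hits -join ', ')
        Quarantine = ($score -ge $QuarantineThreshold)
    }
}

# Internal threat list: senders whose messages crossed the threshold.
# A set keeps repeat offenders from being listed more than once.
$ThreatList = New-Object System.Collections.Generic.HashSet[string]

foreach ($msg in $Messages) {
    $result = Get-PhishRiskScore -Message $msg
    if ($result.Quarantine) {
        [void]$ThreatList.Add($result.Sender)
        # A real pipeline would open a case and pull the message from every
        # mailbox at this point; this example only records the decision.
        Write-Host ("QUARANTINE {0} score={1} [{2}]" -f $result.MessageId, $result.Score, $result.Indicators)
    } else {
        Write-Host ("ALLOW      {0} score={1}" -f $result.MessageId, $result.Score)
    }
}

# One sender per line is the simplest shape for a SIEM list import.
Write-Host ("Threat list: {0}" -f (@($ThreatList) -join ', '))
```

With these constructed weights the first message scores 100 (user report, blocklisted link, SPF failure and display-name spoof) and is flagged for quarantine, while the newsletter scores 0 and is allowed; only the first sender lands on the threat list. Keeping the weights in a table rather than in branching logic is what makes the threshold tunable without touching the scoring function.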
PIE will also create a raw case file containing all data related to the phishing attack, including a report containing general data about the email in question. This allows for quick and easy analysis, plus ongoing and persistent storage of all phishing attack cases—helping out significantly with metrics and reporting.
Metrics are tracked over time via tagging within the SIEM to create easy reporting and accountability.
The key to making everything work well together is with end-user reporting and education. To help with this, LogRhythm developed a Microsoft Outlook button that can be integrated with the end-user’s Outlook client.
This button takes the currently viewed email and sends it along to the pre-defined phishing inbox as an attachment, resulting in easy processing and full automation. Even without the button, you can ask your organization to forward emails to a defined phishing inbox as an attachment, and PIE will take care of the rest.
Using the report phishing button, or simply employing phishing reporting protocol, will effectively free up your time. With PIE, you can focus on more interesting and pressing tasks, as opposed to digging through commodity phishing emails and responding to clicked links.
Take a bite out of the PIE and let us know what other integrations you would like to see in the future by commenting below.