CCTM IA Claims Document (ICD) LogRhythm - CESG

CCTM IA CLAIMS DOCUMENT (ICD) 

LogRhythm 

LogRhythm 

version 5.1.3 

VENDOR DETAILS TEST LABORATORY DETAILS 

LogRhythm Inc. SiVenture 

Siena Court 

The Broadway 

Maidenhead 

Berkshire 

SL6 1NJ 

Unit 6 

Cordwallis Park 

Clivemont Road 

Maidenhead 

Berkshire 

SL6 7BU 

Telephone Number: +44 (0) 1628 509 070 Telephone Number: +44 (0)1628 651 366 

Email: malcolm.skinner@logrhythm.com Email: simon.milford@siventure.com 

Website: www.logrhythm.com Website: www.siventure.com 

CERTIFICATE DETAILS 

CCTM Certificate Number 2011/06/0098 

CCTM Awarded on 09 June 2011 

CCTM Award Expires on 08 June 2012 

ICD Issue Date 09 June 2011

CCTM ICD LogRhythm v5.1.3 

TABLE OF CONTENTS 

1 INTRODUCTION ..........................................................................3 

1.1 Background ............................................................................3 

1.2 Objectives...............................................................................3 

1.3 Purpose of Document.............................................................3 

1.4 Structure .................................................................................3 

2 IS PRODUCT/SERVICE DESCRIPTION .....................................4 

2.1 Product/Service Identification .................................................4 

2.2 Product/Service Overview ......................................................4 

2.3 Usage assumptions ................................................................8 

3 CCTM CLAIMS FOR THE IS PRODUCT OR SERVICE ............10 

3.1 Claims Statements................................................................10 

3.2 Existing assurance certificates .............................................12 

24 May 2011 Version 1-0 Page 2 of 14


1 INTRODUCTION 

1.1 Background 

This document outlines the IA claims, for CCTM Claims Testing, made by 

LogRhythm Inc. in regard to the suitability of LogRhythm for use by the 

UK Public Sector for Protective Monitoring. LogRhythm is a platform that 

seamlessly combines Log Management & SIEM 2.0, File Integrity 

Monitoring, and Network & User Monitoring into a single integrated 

solution. It is highly reliable and cost-effective, and can scale to fit the 

needs of any enterprise. With LogRhythm, you can invest in a single 

solution to address requirements and challenges throughout your 

organisation, whether they are related to compliance, security or IT 

operations. LogRhythm is deployed with an integral report package 

developed specifically to address the needs of the UK Public Sector for 

compliance with CESG's Good Practice Guide 13 (GPG 13). 

1.2 Objectives 

1.2.1 The objectives of this ICD are to provide: 

• a product overview, detailing the functionality and security 

architecture of LogRhythm; 

• identification of the assets to be protected and the threats to 

these assets; 

• a description of the expected operational environment, 

organisational security policies and environmental security 

requirements; 

• the security claims for LogRhythm. 

1.3 Purpose of Document 

1.3.1 This document is the ICD for LogRhythm 

1.3.2 This ICD is the baseline document for the CCTM Claims Test of 

LogRhythm. 

1.4 Structure 

The structure of this ICD is as follows: 

• Section 1 (this section) contains the introductory material. 

• Section 2 contains the description of functionality of LogRhythm and 

all the information related to the security of this product. 

• Section 3 details the security functionality claims that are being made. 



2 IS PRODUCT DESCRIPTION 

2.1 Product Identification 

Product Name: LogRhythm 

Version: 5.1.3 

Log Manager, Event Manager: 

Operating System Version 

Windows Server 2003 64bit 

Console: 



Windows Vista 32bit 

System Monitor Agent: 



Windows Vista 64bit 

Linux kernel 2.6 Ubuntu 9 32 bit 

2.2 Product/Service Overview 

2.2.1 Security architecture 

A LogRhythm deployment consists of three components, the 

Event Manager (EM), Log Manager (LM), and System Monitor 

Agent. 

The Event Manager is a Windows Server system running SQL 

Server and the LogRhythm Alarming and Response Manager 

(ARM) service. There is only one EM per deployment. The EM is 

sent logs that are determined to be important or interesting, called 

Events, which it maintains. The ARM is a windows service 

responsible for processing alarm rules and taking the appropriate 

response, such as sending e-mails to people on a notification list. 

The Log Manager is a Windows Server system running SQL 

Server and a single server process, the LogRhythm Mediator 

Server. There can be one or many LMs in a deployment. In 

medium to large deployments Log Managers should be dedicated 

systems, however in small deployments a Log Manager can 

coexist on the same system as the Event Manager. The Mediator 

Server takes in log messages, processes them against rules which 



identify the log message and determine if it will be forwarded to 

the EM as an Event. 

LogRhythm System Monitor Agents collect and forward log data to 

Log Managers. They can be configured to collect log data in a 

wide variety of formats and include a Syslog server and a Netflow 

server. LMs usually have an Agent running on them. Agents are 

also deployed on hosts that are to be monitored, where they can 

also collect log data from flat files and perform File Integrity 

Monitoring. Windows Agents include a Data Loss Defender (DLD) 

feature to monitor, log and protect against external data device 

connections. 

There is one Graphical User Interface, known as the LogRhythm 

Console, through which users interact with the deployment. A user 

can be assigned one of three roles: Global Admin, Global Analyst, 

or Restricted Analyst. A Global Admin is a system administrator 

and has full control of the deployment using the Deployment 

Manager function of the Console. A Global Analyst has no access 

to Deployment Manager and has read-only access to log sources, 

allowing them to perform investigations and generate reports. A 

Restricted Analyst has no access to Deployment Manager and has 

read-only access to specific log sources, determined by a Global 

Admin, allowing them to perform investigations and generate 

reports using the data from those log sources only. 



LogRhythm can be purchased as a software-only solution, but is 

more typically purchased as a turn-key solution installed on one or 

more LogRhythm Appliances. A LogRhythm Appliance is a server 

designed and offered by LogRhythm which is delivered with the 

system and LogRhythm components pre-installed. Appliances are 

available in EM, LM, XM (EM+LM), and SLF (Agent-only log 

collection machine) configurations; they are also offered in a 

number of sizes to meet varying collection-volume needs. 

2.2.2 Hardware requirements 


Processor 2 x E5540 Xeon Processor, 2.53GHz 8M 

Cache, 5.86 GT/s QPI, TurboHT 

Disk Space 970GB 

Memory 24GB 

Console: 

Disk Space 300MB available 

Memory 1GB (Administration) 

2GB (Analysis & Reporting) 


Processor 1GHz or better (minimal) 

2GHz or better (optimal) 

Memory 1GB or more (minimal) 

2GB or more (optimal) 

Disk Space 10MB for installation 

~5GB for temporary log data storage 

2.2.3 Software requirements 


SQL Server 2005-SP3 

Console: 

Microsoft .NET Framework 3.5 

Microsoft Data Access Components (MDAC) 


Microsoft .NET Framework 3.5 SP1 



2.2.4 Out of Scope 

The cryptographic algorithms used in IS Products are not tested 

under the CCTM Scheme. The LogRhythm checksum option for 

archives uses the SHA1 hashing algorithm provided by Windows. 

While SSL protection for communications between Agents and 

Log Managers, is claimed in CS_transit, it uses algorithms 

provided by the underlying operating system, which means that 

the use of SSL protection is within the scope of testing but the 

algorithms used are out of scope. If the underlying system is FIPS 

enabled the LogRhythm component will be operating in a FIPS 

compliant mode of operation. 

If a FIPS compliant mode of operation is a requirement then 

clients must take steps to satisfy themselves that the services 

providing the relevant encryption are covered by a valid FIPS 

certificate. 

The testing for this ICD has been conducted using a LogRhythm 

Appliance which is a dedicated Windows Server, running the Log 

Manager and Event Manager together in a configuration identified 

as an XM appliance. 

Although the individual components can also be distributed across 

multiple appliances for volume, performance or resilience 

purposes they have not been tested in such configurations for this 

ICD. 

LogRhythm is also available as a software-only installation to run 

on server(s) under Microsoft Windows Server 2003 32bit or 64bit, 

but that installation option has not been tested for this ICD. 

Similarly the Console can be installed on a PC running: 

Microsoft Windows XP 32bit, 

Microsoft Windows Vista 32bit or 64bit, 

Microsoft Windows Server 2003 32bit or 64bit; 

but for this ICD has only been tested on the platforms listed in 2.1 

above. 

The System Monitor Agent is available for a range of Windows, 

Unix and Linux platforms, including: 

Microsoft Windows XP 32bit, 

Microsoft Windows Vista 32bit or 64bit, 

Microsoft Windows Server 2003 32bit or 64bit; 

Solaris Sparc 8,9,10; 

Solaris x86 10; 

AIX 5.2, 5.3, 6.1; 

HP-UX 11i v1, v2, v3 - PA-RISC; 

HP-UX 11i v2, v3 - Itanium; 

Linux kernel 2.4 Red Hat Enterprise 9 32bit, 

Linux kernel 2.6 CentOS 5.1 32bit, 

Linux kernel 2.6 Debian 5.0.3 32 bit, 

Linux kernel 2.6 Red Hat Enterprise 5 32 bit, 



Linux kernel 2.6 SUSE Linux Enterprise 9 64bit, 

Linux kernel 2.6 Ubuntu 9 – 32bit, 

Linux kernel 2.6 Ubuntu 10 – 32bit; 

but has only been tested for this ICD on the platforms listed in 2.1 

above. 

The installation includes a variety of standard report packages 

designed to meet the requirements for compliance with various 

regulations and guidelines including GPG 13, GCSX, PCI and 

ISO27000. These report packages are out of scope of the testing 

in this ICD. 

The CCTM is aimed primarily at IS Products and Services to meet 

IA requirements at Government Impact Levels 1 and 2, therefore 

use of LogRhythm to meet IA requirements at higher Impact 

Levels is outside the scope of this ICD. 

2.3 Usage assumptions 

2.3.1 Assets 

LogRhythm protects the logs created by applications, servers, 

systems and other devices within an organisation by collecting 

them from the various sources around the organisation and 

archiving them centrally with consistent timestamps and 

checksums to protect integrity. 

By consolidating and aggregating log data from across the 

organisation and providing real-time and trend analysis, 

LogRhythm enables an organisation's security personnel to 

identify events or activity that needs to be investigated, thus 

facilitating the protection of both physical and information assets 

within the organisation. 

2.3.2 Threat scenario 

Threats to assets which are countered are: 

• Tampering with log data to disguise or hide events and 

activity that would provide forensic evidence; 

• Attacks against an organisation's network, systems or 

information assets which may otherwise be undetected. 

2.3.2.1 Expected operational environment 

LogRhythm can be used in any environment where log 

data is produced and needs to be analysed and stored. It 

collects logs from virtually any source and turns raw log 

data into useful and actionable information. 

LogRhythm offers turnkey Log Management/SIEM 

solutions for businesses of all sizes. The highperformance 

appliance line incorporates a highly flexible 

and scalable architecture that provides for a wide range of 

deployment options, from the single all-in-one appliance 

tested in this ICD to multi-tier enterprise-wide solutions. 



2.3.2.2 Organisational security policies 

The use of LogRhythm to protect logs relies upon the 

deployment of organisational security policies to ensure 

that security relevant events and activities are monitored 

and logged, and that those logs are securely delivered to 

the LogRhythm Log Manager. 

2.3.2.3 Security requirements on the environment 

Procedures should be in place to control physical and 

logical access to the LogRhythm Log Manager(s), Event 

Manager and Console(s). 

The Event Manager is a Windows server running SQL 

Server 2005 and must be deployed accordingly in a 

secure internal network. 

Log Managers should also be deployed in a secure 

internal network, although some may be operated in a 

DMZ if Agents will be used to collect log data from remote 

sites across a public network. The Log Manager is a 

Windows server running SQL Server 2005 and must be 

protected with strict access controls placed on devices 

that can connect to its database. 

Communications to a Log Manager in a DMZ or un-trusted 

network from the Event Manager should be protected 

using an IPSec policy between the Event Manager and 

the Log Manager. 


network from Consoles should be protected using an 

IPSec policy between the Console and the Log Manager. 


network from a System Monitor Agent should be protected 

using an IPSec policy between the System Monitor Agent 

and the Log Manager. Alternatively System Monitor 

Agents can be configured to protect log data transmitted 

to a Log Manager using SSL. 

If log data will be transmitted across an un-trusted 

network, the communications should be protected using 

an IPSec policy. 



3 CCTM CLAIMS FOR THE IS PRODUCT OR SERVICE 

3.1 Claims Statements 

Unique 

Reference 

Claims Statements 

CS_admin Only a user assigned the Global Admin role has access to the 

administrative functions of the LogRhythm Console 

The LogRhythm Console provides the Graphical User Interface for users. 

Only users that have been assigned the Global Admin role can use the 

Deployment Manager functions of the Console, which is the only means 

of configuration and management of the components of the LogRhythm 

deployment, log sources, users, and alarm recipients. 

CS_analyst User access is controlled, with ability to restrict an individual 

analyst's access to specific log sources 

An administrator assigns roles to users. Only a user that has been 

specifically assigned a role can use the LogRhythm Console to access 

the deployment. An analyst may be assigned a Global Analyst role 

enabling them to use the LogRhythm Console in order to perform 

investigations and generate reports using data from any available log 

source. Alternatively an analyst may be assigned a Restricted Analyst 

role enabling them to use the Console to perform investigations and 

generate reports using only data from log sources specifically made 

available to them by the administrator. 

CS_logs Collect log data from multiple log sources 

The System Monitor Agent can collect log data from multiple log sources. 

It can collect flat files from the host, and includes a Syslog server 

enabling remote log sources to deliver log data directly to the Agent. 

The Syslog server is purely a receiver and has no control over the 

application or device creating and delivering the Syslog entries; equally 

the application or device creating the Syslog entries has no control over 

the Syslog server in the System Monitor Agent. 

CS_logsW Collect log data from multiple log sources on a Windows host 

The Windows System Monitor Agent can also collect log data from 

multiple log sources using additional mechanisms. It can collect 

Windows Event Logs from the host and from remote systems; log 

collection from a database using UDLA; and includes a Netflow server 

enabling devices to deliver Netflow records to the Agent. 

CS_host Monitor and log activity on a host 

The System Monitor Agent can monitor processes, user activity, and 

network connections on a host. 

CS_FIM File Integrity Monitoring 

The System Monitor Agent can monitor file access, modifications, or 

deletions, and directory modifications on a host. 



Unique 

Reference 


CS_DLDmon Monitor and log use of external data devices on a Windows host 

The Data Loss Defender (DLD) feature of the Windows System Monitor 

Agent can monitor and log connection and disconnection of external 

USB data devices to the host, as well as transmissions of files to an 

external storage device. 

CS_DLDprot Protect against external data device connections on a Windows 

host 

The Data Loss Defender (DLD) feature of the Windows System Monitor 

Agent can protect against external USB data device connections by 

ejecting specified devices upon detection. 

CS_transit Protect collected data in transit using SSL 

Where data being sent by the System Monitor Agent to the Log Manager 

is required to be protected whilst in transit (for example logs being sent 

from a remote location across a public network), the communications can 

be protected using SSL. 

NOTE: communications between or with LogRhythm components 

outside a secure internal network should be protected using IPSec 

policies as described in section 2.3 above. 

CS_heartbeat Warn when Agent is not functioning 

A heartbeat signal is sent from each Agent to the Log Manager. If the 

heartbeat is late by a specified period a Warning event is generated. 

CS_timestamp Ensure all logs have accurate timestamps 

LogRhythm collects logs with their own provided time stamps, but takes 

the added step of including a UTC-validated, independent time stamp 

that offsets time differentials, such as differing time zones or internal 

server clock variations. This ensures all logs have accurate timestamps 

without compromising the integrity of the original log data. 

CS_checksum Archive logs with a checksum to assure integrity 

LogRhythm preserves raw log data in its original form, archiving logs with 

a checksum applied so that chain of custody can be maintained and 

tampering can be detected. 

CS_realtime Real-time monitoring 

The Console's Dashboard overview of the organisation's deployment 

presents a summary that includes details about the status of log sources, 

such as time of last log collection and last heartbeat received. 

CS_analysis Centralised analysis and investigation 

The Console enables centralised analysis and investigation of data from 

across an organisation for both immediate and historical analysis. 

Identifying the type of log for each log source enables aggregation, 

consolidation, and analysis. Built-in support is included for log types 

from a wide variety of security devices, network devices, access control 

systems, workstations, servers, operating systems, applications and 

databases. In addition rule building technology enables support for 

custom log formats from otherwise unsupported devices. 



Unique 

Reference 


CS_alerts Automated alerts 

The Event Manager's Alarming and Reporting Manager (ARM) service 

applies definable rules to determine if an event should trigger an alarm. 

Alarm notifications can be tuned to throttle multiple messages within a 

customisable time period, as well as establishing thresholds before 

alarms will be triggered. Alarm notifications are sent to specified 

recipients via email and/or SNMP traps. The alarm notifications can be 

configured to contain all or part of the associated log message(s). Alarm 

notifications can also be forwarded to McAfee ePolicy Orchestrator. 

CS_reports Reports can be scheduled or run on demand to analyse data 

according to pre-defined or custom criteria 

Analysts can define a custom report or use a pre-defined report. Predefined 

reports include packages of standard reports that are included in 

the deployment at installation, as well as custom reports that have been 

previously defined by analysts in the organisation. . 

CS_sanitised Sanitised reports can be produced 

Provides multiple report formats that can omit sensitive data but still 

retain the same search criteria as detailed reports, enabling sanitised 

reports to be distributed. 

3.2 Existing assurance certificates 

None 



ANNEX A GLOSSARY OF TERMS 

Agent System Monitor Agent, collects log data and forwards it to a Log 

Manager (see section 2.2.1 for details) 

Appliance A turn-key LogRhythm Server available in various configurations and 

sizes (see section 2.2.1 for details) 

ARM Alarming and Response Manager (see section 2.2.1 for details) 

DLD Data Loss Defender, Agent feature to monitor (dis)connection of 

external data devices to the host 

EM Event Manager (see section 2.2.1 for details) 

GCSX Government Connect Secure Extranet 

GPG 13 CESG Good Practice Guide 13 

LM Log Manager (see section 2.2.1 for details) 

Netflow Network protocol for collecting IP traffic information 

PCI Payment Card Industry 

SIEM Security Information and Event Management 

SLF An Appliance configured as an Agent-only log collection machine (see 

section 2.2.1 for details) 

SMTP Simple Mail Transfer Protocol used for email 

SNMP Simple Network Management Protocol used for managing network 

devices and delivering device status and event information 

SSL Secure Sockets Layer, protocol for communications security 

Syslog A standard for logging program messages 

TCP Transmission Control Protocol (part of the Internet Protocol suite) 

UDLA Universal Database Log Adapter 

UDP User Datagram Protocol (part of the Internet Protocol suite) 

UTC Coordinated Universal Time 

XM An Appliance configured as both EM and LM (see section 2.2.1 for 

details) 



ANNEX B MARKETING STATEMENT TO BE USED (IF THE CLAIM IS 

SUCCESSFUL) 

LogRhythm provides a Log Management, Log Analysis and SIEM 2.0 solution 

that helps organisations comply with regulations, and provides information to 

help them to secure their networks and optimise IT operations. As a platform 

for Protective Monitoring using centralised architecture, users can: 

• securely collect log data from a multitude of sources; 

• monitor in real time - user activity, processes, applications, devices 

and network connections across an enterprise; 

• enhance data loss prevention capabilities utilising Data Loss 

Defender; 

• ensure accurate timestamp and integrity of collected logs; 

• create role-based Admin accounts; 

• monitor directories and files for access, modifications and deletions, 

ensuring integrity of key assets; 

• run out-of-the-box or customised reports to be saved into a repository, 

shared via email, or imported into other applications; 

• automatically alert authorised operators on events that trigger an 

alarm, based on pre-defined thresholds. 

For items which are out of scope please refer to section 2.2.4 of the ICD. 


Filename: LLGT-CD-0001 v1-0 FINAL 2.doc 

Directory: C:\Documents and Settings\pmason\Local 

Settings\Temporary Internet Files\OLK274A 

Template: \\piacheadm01\officetemplatesv1\Normal.dot 

Title: [Insert Test Laboratory logo here] 

Subject: 

Author: buckp 

Keywords: 

Comments: 

Creation Date: 07/06/2011 2:58 PM 

Change Number: 2 

Last Saved On: 07/06/2011 2:58 PM 

Last Saved By: User 

Total Editing Time: 5 Minutes 

Last Printed On: 07/06/2011 4:27 PM 

As of Last Complete Printing 

Number of Pages: 14 

Number of Words: 3,350 (approx.) 

Number of Characters: 19,099 (approx.)

CCTM IA Claims Document (ICD) LogRhythm - CESG

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?