Review: LogicHub expertly automates security

It’s not only highly effective at diagnosing and countering threats, but it does so in a transparent way that is configurable and editable by users.


It’s no secret to anyone working in cybersecurity these days that threats are overwhelming. Even an organization with enough funding to hire multiple security analysts could very easily be overwhelmed by alert fatigue within their security operations center, or simply not be able to respond to critical threats in time to prevent serious network compromises. And yet, hiring more people can only go so far, not to mention being prohibitively expensive.


The silver bullet to this crisis has always been the prospect of automating cybersecurity, letting our machines police themselves, respond to threats and fix problems on their own. And for low-level attacks like typical computer viruses or exploits used against common vulnerabilities, we have that. Our firewalls, antimalware scanners, traffic sensors, security information and event managers (SIEMs), and most everything else does a good job at that. But asking a computer to detect and counter an advanced persistent threat, or to find an attacker who has already bypassed every other defense and is hiding inside a network, is extremely difficult.

Over the years a few tools have been created that use technology like machine learning or techniques like comparing ongoing traffic patterns with historical ones to try and spot the most advanced threats. A couple of them even ship with the ability to automatically respond to any threats they encounter, though it’s almost always an optional feature because people don’t trust automation.

In fact, even when a high degree of success is demonstrated, security automation is still almost never trusted within an enterprise. One of the biggest reasons for that is the inability of the technology to explain how it arrives at decisions. The technology exists inside a mysterious black box that somehow magically fixes problems. At least that is how it looks to those on the outside, meaning everyone other than the engineering team at the company offering the security product. And, really, does anyone want to trust their network security, the lifeblood of their company, to a magical box that they don’t fully understand?


Truth be told, when we started our evaluation of LogicHub, we expected another one of those mysterious black boxes. What we discovered was so much better.

LogicHub provides automation-worthy cybersecurity with high success rates while also completely showing how their system thinks and solves problems. And customers are invited to tweak and change that logic if they think that they can get better results within their environment. Automation is, of course, still optional, but after spending a little time with LogicHub, we believe most security professionals should feel comfortable activating it for many functions. Even for organizations that insist on human oversight, the amount of work and the number of hours that LogicHub can save is significant.

The LogicHub platform isn’t like other security appliances in that it doesn’t go out and collect traffic on its own, install agents on machines, or anything like that. In fact, it’s dependent on whatever existing security infrastructure is already installed in an enterprise, and it is designed to connect to almost any cybersecurity device or platform. It ingests the information coming from those other devices, evaluates it, ranks it, checks with other sources, and generally performs very much like a human analyst, only one who works at machine speeds and never tires. It can even take actions based on its evaluations, though only if allowed to do so.

LogicHub can be installed either on-prem or provided as a service. Pricing is a tiered model based on the number of playbooks (which can be thought of in general terms as tasks or skills) that the platform is asked to perform or employ for an organization.

Playing by the book

Playbooks are the not-so-secret sauce that makes LogicHub work. While LogicHub has a powerful decision engine, that power can only be directed by loading a playbook (quite a few come with the platform by default). When visualized, playbooks look like flowcharts where each block represents one element in the platform’s decision-making process. They are easy to read and even color coded. For example, purple blocks represent scoring tasks while blue blocks are for actions like querying a threat feed for information.

[Image: LogicHub playbook]

Unlike most platforms that employ machine learning, LogicHub is able to show exactly how it arrives at its decisions through the flowchart-like playbook files.

Each playbook details how LogicHub approaches a specific cybersecurity problem, and each block, or step, along that decision-making process is extremely detailed. For example, in one module used to determine if anyone is misusing a GitHub repository, one block in the flow chart shows how a factor such as the number of URLs individuals are using to access the site is weighted by LogicHub. If someone accesses the repository from three different URLs, which could be a work computer and then a laptop and smartphone, that is considered normal and given a score of five. But another user who has visited the same repository from more than 60 URLs in a single day might be given a 10, which is the highest bad number on the scale for that particular module.

Then, in another block of the same playbook, LogicHub looks at how many libraries each user is accessing when they visit. Still another examines access times compared with a historical record. There can be hundreds of factors that go into a decision, but they all generally lead towards the end of the flow chart, where LogicHub calculates everything that it has learned and makes a determination. It can then recommend an action to a human security team member, complete with a detailed report on why it believes that such an action is necessary, along with accompanying evidence. Or, it can be tasked with taking an action on its own, sending along a report to justify what it has done. Finally, it might decide to take no action at all, but to continue to monitor the situation.

Each of the decision points on those flowcharts is fully transparent to administrators. And all are editable. Perhaps there is a reason why some users might have to access GitHub from multiple URLs. That’s fine. The logic used in that playbook can be tweaked, perhaps raising the threshold at which those users are given higher so-called bad points in that block. Or that block can be eliminated from the flowchart altogether. By the same token, new decision points and factors can also be added. In this way, platform administrators can change the way LogicHub thinks, easily tweaking how it ultimately acts. It’s almost no different from talking with a human analyst and asking them to modify their behavior.
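The following is an added illustration, not LogicHub's code, of the kind of playbook the review describes: an ordered set of scoring blocks, each measuring one factor of a user's repository activity and converting it into "bad points" from a threshold table, with the totals combined at the end and a per-block breakdown kept so the verdict is explainable. The factors (distinct sources, libraries touched, off-hours access), the threshold values, the verdict cut-offs and all sample events are constructed for the example; only the 3-URLs-scores-5 and more-than-60-URLs-scores-10 pattern follows the text. Because thresholds and blocks are plain data, the two editing operations the review mentions (raising a threshold, dropping a block) are ordinary data changes.

```python
"""Added example: a transparent, editable scoring playbook (not LogicHub's own code)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class AccessEvent:
    user: str
    source_url: str   # where the request came from (constructed label)
    library: str      # repository or package touched
    hour: int         # hour of day, 0-23


def score_by_table(value: int, table: list[tuple[int, int]], default: int) -> int:
    """Return the score of the first (upper_limit, score) pair that covers value.

    `table` is ascending by upper_limit; a value above every limit gets `default`.
    Keeping the table as data is what lets an administrator raise a limit.
    """
    for upper_limit, score in table:
        if value <= upper_limit:
            return score
    return default


@dataclass
class ScoreBlock:
    """One flowchart block: measure a factor, turn it into 0..10 'bad points'."""
    name: str
    measure: Callable[[list[AccessEvent]], int]
    table: list[tuple[int, int]]
    default: int = 10

    def score(self, events: list[AccessEvent]) -> tuple[int, int]:
        value = self.measure(events)
        return value, score_by_table(value, self.table, self.default)


@dataclass
class Playbook:
    blocks: list[ScoreBlock]
    escalate_at: int   # total at or above this -> recommend an action
    monitor_at: int    # total at or above this -> keep watching


# Constructed factor measurements (the "hundreds of factors" would each be one of these).
def distinct_sources(events: list[AccessEvent]) -> int:
    return len({e.source_url for e in events})


def distinct_libraries(events: list[AccessEvent]) -> int:
    return len({e.library for e in events})


def off_hours_events(events: list[AccessEvent], start: int = 8, end: int = 19) -> int:
    return sum(1 for e in events if not start <= e.hour < end)


# Constructed playbook: 3 sources scores 5 (normal), above 60 scores 10, as in the text.
REPO_MISUSE = Playbook(
    blocks=[
        ScoreBlock("distinct_sources", distinct_sources, [(3, 5), (60, 8)]),
        ScoreBlock("distinct_libraries", distinct_libraries, [(5, 0), (20, 5)]),
        ScoreBlock("off_hours_events", off_hours_events, [(0, 0), (2, 5)]),
    ],
    escalate_at=20,
    monitor_at=10,
)


def run_playbook(playbook: Playbook, events: list[AccessEvent]) -> dict[str, dict]:
    """Score every user and keep the per-block breakdown that justifies the verdict."""
    by_user: dict[str, list[AccessEvent]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    reports = {}
    for user, user_events in by_user.items():
        breakdown, total = [], 0
        for block in playbook.blocks:
            value, points = block.score(user_events)
            breakdown.append({"block": block.name, "value": value, "points": points})
            total += points
        if total >= playbook.escalate_at:
            determination = "escalate"
        elif total >= playbook.monitor_at:
            determination = "monitor"
        else:
            determination = "no_action"
        reports[user] = {"total": total, "determination": determination, "breakdown": breakdown}
    return reports


# The two edits an administrator makes: drop a block, or change its thresholds.
def without_block(playbook: Playbook, name: str) -> Playbook:
    return Playbook([b for b in playbook.blocks if b.name != name], playbook.escalate_at, playbook.monitor_at)


def with_table(playbook: Playbook, name: str, table: list[tuple[int, int]], default: int) -> Playbook:
    blocks = [ScoreBlock(b.name, b.measure, table, default) if b.name == name else b for b in playbook.blocks]
    return Playbook(blocks, playbook.escalate_at, playbook.monitor_at)


def sample_events() -> list[AccessEvent]:
    """Constructed day of activity: alice is ordinary, mallory touches 61 sources, 25 libraries, off hours."""
    events = [AccessEvent("alice", f"src-{i}", "lib-a", 10) for i in range(3)]
    events.append(AccessEvent("alice", "src-0", "lib-b", 14))
    for i in range(61):
        events.append(AccessEvent("mallory", f"src-{i}", f"lib-{i % 25}", 2 if i < 4 else 11))
    return events


if __name__ == "__main__":
    for user, report in run_playbook(REPO_MISUSE, sample_events()).items():
        print(user, report["determination"], report["total"])
        for step in report["breakdown"]:
            print(f"  {step['block']}: value={step['value']} -> {step['points']} points")
```

Running it prints each user's verdict followed by the block-by-block values and points, which is the "why" the review says a black-box model cannot give. `without_block(REPO_MISUSE, "distinct_sources")` removes the source-count factor for a team that legitimately works from many addresses, and `with_table` raises a limit instead; both return a new playbook so the original stays auditable.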

[Image: LogicHub custom dashboard]

Like everything else with LogicHub, the dashboard is fully customizable, quickly displaying whatever information a customer feels is most relevant to their security as soon as they login.

Testing LogicHub

It was really interesting to see behind the curtain of a machine learning engine. When broken down like that, it truly resembles more of an old-school expert system, which is easy to understand because each step in the decision-making process is defined. For a company to let everyone see exactly how their technology works is remarkable. And it’s even more impressive that users can actually tweak the program logic themselves, or even create new playbooks and task LogicHub with new cybersecurity roles.

With all that said, the true test for LogicHub was how well it performed. As mentioned earlier, the base product comes with many playbooks ready to go. We evaluated several of them in our test network.

One of the most useful playbooks that we tested was designed to help with alert triage. Even though individual devices like SIEMs or advanced firewalls generally try to triage their alerts, only rarely sending critical ones to security personnel, analysts can still become quickly overloaded, especially at large enterprises. LogicHub can help with adding a second layer of triage.

[Image: LogicHub PowerShell decision]

LogicHub knows how to spot most bad actions, like figuring out which PowerShell application is malicious among the thousands that triggered on this test network. And users are welcome to tweak the logic if they think their input can improve accuracy within their environment.

In our testing, LogicHub was able to investigate hundreds of security alerts from other devices and whittle them down to just a handful that represented a clear and active threat. When those were selected from the main dashboard, LogicHub again explained why it felt that those particular alerts were the most critical. To arrive at its decision, the platform showed that it queried threat feeds and assigned values based on the history of the URLs involved in the threat. It also examined users’ normal behavior and compared it with what the SIEM was seeing. It investigated what commands the suspicious user or program was executing, how much traffic was entering and exiting the network, and many other factors. If a human wanted to take that alert and investigate or even threat hunt, then much of the heavy lifting would have already been performed by LogicHub.

[Image: LogicHub incidents to examine]

At first glance, this may look like a typical SIEM report. But in fact, these are the top few incidents out of the hundreds of others pushed up by different network devices, examined by LogicHub and ranked as the most critical threats to the network.

Probably more importantly, LogicHub made a recommendation about what should be done, in this case using other network tools to isolate the compromised user and machines. A human analyst who agreed with that assessment could push one button to take the recommended action, which was already queued up and ready to go. And if LogicHub has permission, it can take the same action on its own, stopping the threat within seconds of starting (and completing) its investigation.
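As an added example of the second-layer triage and the gated response described in the three paragraphs above (not LogicHub's code), the block below takes a batch of constructed SIEM-style alerts, enriches each one against a constructed threat feed and a per-user behavioral baseline (commands normally run, usual outbound volume), ranks them with the reasons attached, and stages a recommended containment action. The action queue runs nothing until an analyst approves it, unless the queue was created with the hypothetical `autonomous=True` flag, and either way it writes an audit entry carrying the justification. The feed entries, baselines, alerts, point values and the `isolate host` wording of the recommendation are all constructed for this example.

```python
"""Added example: alert triage with enrichment, ranking and a human-approval gate (not LogicHub's code)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Alert:
    alert_id: str
    user: str
    host: str
    url: str        # URL the process contacted, per the upstream alert
    command: str    # command the upstream sensor saw executed
    bytes_out: int  # outbound volume the SIEM attributed to the session


# Constructed threat feed (url -> reputation) and constructed per-user baselines.
THREAT_FEED = {
    "http://files.example.invalid/drop.ps1": "malicious",
    "https://updates.example.invalid/pkg": "benign",
}
BASELINES = {
    "alice": {"commands": {"Get-Process", "Get-ChildItem"}, "bytes_out": 50_000},
    "bob": {"commands": {"Get-Service"}, "bytes_out": 20_000},
}


def enrich(alert: Alert, feed: dict, baselines: dict) -> dict:
    """Score one alert from several sources and record why each point was added."""
    score, reasons = 0, []
    reputation = feed.get(alert.url, "unknown")
    if reputation == "malicious":
        score += 5
        reasons.append(f"threat feed lists {alert.url} as malicious")
    elif reputation == "unknown":
        score += 1
        reasons.append(f"{alert.url} has no feed history")
    baseline = baselines.get(alert.user)
    if baseline is None:
        score += 2
        reasons.append(f"no behavioral baseline for user {alert.user}")
    else:
        if alert.command not in baseline["commands"]:
            score += 3
            reasons.append(f"{alert.user} has not run {alert.command} before")
        if alert.bytes_out > 5 * baseline["bytes_out"]:
            score += 3
            reasons.append(f"outbound {alert.bytes_out} bytes exceeds 5x baseline {baseline['bytes_out']}")
    return {"alert": alert, "score": score, "reasons": reasons}


def triage(alerts: list[Alert], feed: dict, baselines: dict, escalate_at: int = 8) -> list[dict]:
    """Rank alerts by score; attach a recommendation only to those above the cut-off."""
    findings = [enrich(a, feed, baselines) for a in alerts]
    findings.sort(key=lambda f: (-f["score"], f["alert"].alert_id))
    for f in findings:
        a = f["alert"]
        f["recommendation"] = f"isolate host {a.host} and disable user {a.user}" if f["score"] >= escalate_at else None
    return findings


class ActionQueue:
    """Recommended actions wait for approval unless the queue is allowed to act on its own."""

    def __init__(self, executor: Callable[[str], str], autonomous: bool = False):
        self.executor, self.autonomous = executor, autonomous
        self.pending: dict[str, dict] = {}
        self.audit: list[dict] = []

    def stage(self, finding: dict) -> None:
        if finding["recommendation"] is None:
            return
        alert_id = finding["alert"].alert_id
        if self.autonomous:
            self._run(alert_id, finding)
        else:
            self.pending[alert_id] = finding   # the "one button" the analyst pushes

    def approve(self, alert_id: str) -> None:
        self._run(alert_id, self.pending.pop(alert_id))

    def _run(self, alert_id: str, finding: dict) -> None:
        result = self.executor(finding["recommendation"])
        self.audit.append({"alert_id": alert_id, "action": finding["recommendation"],
                           "result": result, "justification": list(finding["reasons"])})


def sample_alerts() -> list[Alert]:
    """Constructed batch: five routine alerts and one that is clearly out of pattern."""
    benign, bad = "https://updates.example.invalid/pkg", "http://files.example.invalid/drop.ps1"
    return [
        Alert("A1", "alice", "ws-01", benign, "Get-Process", 10_000),
        Alert("A2", "alice", "ws-01", "https://cdn.example.invalid/x", "Get-ChildItem", 30_000),
        Alert("A3", "bob", "ws-02", benign, "Get-Service", 5_000),
        Alert("A4", "bob", "ws-02", bad, "Invoke-Expression", 400_000),
        Alert("A5", "carol", "ws-03", "https://cdn.example.invalid/y", "Get-Process", 1_000),
        Alert("A6", "alice", "ws-01", benign, "Get-Process", 10_000),
    ]


def run_demo(autonomous: bool = False) -> tuple[list[dict], ActionQueue]:
    """Triage the sample batch; the executor only simulates the containment call."""
    queue = ActionQueue(executor=lambda action: f"simulated: {action}", autonomous=autonomous)
    findings = triage(sample_alerts(), THREAT_FEED, BASELINES)
    for f in findings:
        queue.stage(f)
    return findings, queue


if __name__ == "__main__":
    findings, queue = run_demo()
    for f in findings:
        print(f["alert"].alert_id, f["score"], "; ".join(f["reasons"]) or "nothing unusual")
    print("pending approval:", list(queue.pending))
    queue.approve("A4")
    print("audit:", queue.audit)
```

Of the six alerts only A4 crosses the cut-off; the others fall to the bottom of the list with their (empty or short) reason lists, which is the whittling-down the review describes. In the default mode the A4 action sits in `pending` until `approve()` is called; with `autonomous=True` it executes during `stage()` and the audit entry is the report that justifies what was done.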

The bottom line

The LogicHub platform has the potential to be a huge game changer and disrupter in cybersecurity. It’s not only highly effective at diagnosing and countering threats, but it does so in a completely transparent way that is fully configurable and editable by users. It’s like hiring a high-level cybersecurity analyst and tasking them with assisting everybody else on the security team as well as taking independent actions, all while working constantly at machine speed.

[Image: LogicHub account takeover]

Figuring out if an account has been taken over by a malicious actor is the job of a talented threat hunter. LogicHub was able to do it using the same techniques, taught to it by humans and expressed in a playbook.

Organizations looking for a way to reduce or eliminate alert fatigue, increase their threat hunting capabilities, or speed up their incident response times would find that a new virtual analyst from LogicHub would be a great addition to their cybersecurity team.