Assurity Elevates Security Maturity and Achieves Compliance

A certified B Corporation headquartered in Lincoln, Nebraska, Assurity is a mutual life and health insurance provider owned by its policyholders and dedicated to “helping people through difficult times.” The result of three distinct insurance organizations merging, Assurity offers life insurance, disability and critical illness insurance, and voluntary employee benefits to independent brokers throughout the United States. Working within the highly regulated insurance industry, Assurity chose the LogRhythm SIEM platform to help them achieve compliance and keep both their customers’—and their employees’—data safe.

The Challenge

Leveraging LogRhythm SIEM with Embedded SOAR for Rapid Detection and Response

Insurance companies are subject to stringent government oversight, from regulating licensing models to standardizing policies and product offerings. Assurity follows a brokerage model providing their services to independent brokers nationwide.

As such, they’re tasked with adhering to 50 different state insurance laws, making compliance no small feat. Regarding log management, Assurity is required to adhere to the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (23 NYCRR 500). The NYDFS regulation requires that companies like Assurity adopt a rigorous cybersecurity program and adhere to strict reporting rules for any breach. It’s likely the remaining states will soon adopt some form of the NAIC model regulation, a requirement somewhat based upon the NYDFS regulation.

With a small security team of three, Assurity searched for a SIEM that would serve to both help keep their robust IT environment secure and ensure compliance while removing mundane tasks and empowering their team to do more with few resources. After reviewing the top vendors in the security industry, Assurity chose LogRhythm.

“We sent RFPs to three of the top SIEM solutions in the Gartner Magic Quadrant. Two solutions were very close in our final evaluation, but the reference calls for each solution made the difference. Because we have a small support staff, a solution with powerful incident response processes and automation combined with quality support services was very important to us.”

  • Kelly Murphy

    IT Security and Compliance Manager | Assurity

The Solution

Leveraging LogRhythm SIEM with Embedded SOAR for Rapid Detection and Response

Having implemented LogRhythm SIEM and satisfied their compliance efforts, Assurity Life began to find additional value, namely in the platform’s SOAR capabilities. Native SOAR capabilities in the platform enable security teams of any size to reduce the number of disparate technologies and steps required to respond effectively to security events.

Integrated case management and task automation provide consistent investigative tools throughout the incident response process. Guided workflows, built-in escalation processes, and case playbooks optimize analyst workload and facilitate efficient threat remediation.

Realizing Rapid Incident Management with LogRhythm SmartResponse™ Automation

SmartResponse provides prepackaged, customizable task automations to reduce the time needed to detect and respond to threats. From quarantining endpoints to suspending users or capturing additional contextual data, SmartResponse actions automate incident response workflows, enabling greater efficiency, and reducing organizational risk.

After attending a LogRhythm-sponsored free training offered by Ultimate Windows Security, “Anatomy of a Hack Disrupted: How Out-of-the-Box Rules Caught an Intrusion,” Kelly Murphy, Assurity’s IT Security and Compliance Manager, recognized an opportunity to improve monitoring of their Microsoft Active Directory Domain Administration with analytics and automation. Kelly and his team worked with our professional services team to implement a use case leveraging SmartResponse and AI Engine, a fully integrated LogRhythm SIEM component that provides support for various threat scenarios.

The goal of the use case is to prevent unauthorized domain accounts from functioning. With the analytics of AI Engine and task automation from SmartResponse, Assurity is able to recognize and automatically mitigate unauthorized account usage:

  • AI Engine detects when users are added to the domain admin group or if an account in the domain admin group is enabled.
  • AI Engine automatically cross-checks these accounts against a whitelist of approved accounts.
  • In either case, automated actions from SmartResponse disable the illegitimate account.
  • After being notified of the new account creation by a network manager, Assurity’s SecOps adds the account name to the domain admin whitelist so the account can be enabled or re-enabled. This step could also be automated using LogRhythm SIEM dynamic lists.
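
The detect, cross-check and disable logic of this use case, sketched as an added example; it is not LogRhythm's AI Engine rule or SmartResponse code and does not come from the original page. The Windows Security event IDs (4728, 4729, 4722), the simplified event fields, the function name and the account names are assumptions, and the sample events are constructed.

```python
# Added example: constructed events and hypothetical names; not LogRhythm rule syntax.
DOMAIN_ADMINS = "domain admins"

# Assumed Windows Security event IDs (the page names none):
# 4728 member added to a global group, 4729 member removed, 4722 account enabled.
MEMBER_ADDED, MEMBER_REMOVED, ACCOUNT_ENABLED = 4728, 4729, 4722


def evaluate(events, allowlist, initial_members=()):
    """Return (time, account, action) tuples for accounts that should be disabled."""
    approved = {a.lower() for a in allowlist}        # the approved-account list
    members = {m.lower() for m in initial_members}   # current Domain Admins members
    actions = []
    for ev in events:
        account = ev["account"].lower()              # AD account names are case-insensitive
        eid = ev["event_id"]
        in_scope_group = ev.get("group", "").lower() == DOMAIN_ADMINS
        if eid == MEMBER_ADDED and in_scope_group:
            members.add(account)
            reason = "added to Domain Admins"
        elif eid == MEMBER_REMOVED and in_scope_group:
            members.discard(account)
            continue
        elif eid == ACCOUNT_ENABLED and account in members:
            reason = "Domain Admins account enabled"
        else:
            continue  # other group, or an account outside Domain Admins
        if account not in approved:
            actions.append((ev["time"], account, f"disable: {reason}"))
    return actions


# Constructed sample events (simplified fields, not taken from the page).
SAMPLE_EVENTS = [
    {"time": "09:00:01", "event_id": 4728, "group": "Domain Admins", "account": "svc-backup"},
    {"time": "09:05:12", "event_id": 4728, "group": "Helpdesk", "account": "jdoe"},
    {"time": "09:07:40", "event_id": 4728, "group": "Domain Admins", "account": "tmpadmin"},
    {"time": "09:08:02", "event_id": 4722, "account": "TMPADMIN"},
    {"time": "09:09:30", "event_id": 4722, "account": "jdoe"},
    {"time": "09:10:00", "event_id": 4729, "group": "Domain Admins", "account": "tmpadmin"},
    {"time": "09:11:00", "event_id": 4722, "account": "tmpadmin"},
]

if __name__ == "__main__":
    for action in evaluate(SAMPLE_EVENTS, allowlist={"svc-backup", "adm-ops"}):
        print(action)
```

Adding `tmpadmin` to the allowlist and re-running yields no actions, which corresponds to the step where SecOps approves the account so it can be re-enabled.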

Putting LogRhythm SOAR to the Test

In March 2018, Assurity underwent a security assessment including penetration testing. After numerous failed attempts to compromise Assurity’s system, the pen tester used a known vulnerability to successfully create a new domain account. For a moment, it seemed they had circumvented the domain administration controls Kelly and his team had put in place. However, once the AI Engine recognized the unauthorized account, SmartResponse fired and automatically enacted countermeasures to quickly disable the illegitimate account.

“I know the pen tester has set off alarms and warnings while testing for other clients, but he had never seen SmartResponse actions remediate an attack,” said Kelly. “Despite the many tools we had in place before LogRhythm, we are now confident in our decision to make LogRhythm the centerpiece of our security monitoring and remediation efforts.”

Conclusion

Enhanced Security Maturity and Compliance Through Orchestration and Automation

The pen tester’s inability to subvert the automated recognition by AI Engine and immediate SmartResponse action instilled greater confidence for Kelly’s team in their LogRhythm SIEM platform. Furthermore, the security assessment allowed the broader organization to see the solution in action.

For Assurity, the domain administration use case has been a catalyst for improving incident response through additional orchestration and automation. Kelly and his team are continuing to build out their whitelist, plan to build more custom AI Engine rules, and would like to devise and implement similar SmartResponse use cases over time.

With LogRhythm SIEM, Assurity can demonstrate their adherence to compliance controls in a heavily regulated industry while improving their security posture and reducing their mean time to detect and respond to threats. With the embedded orchestration and automation capabilities LogRhythm SIEM provides, Assurity strengthens their skilled yet limited resources while removing mundane tasks and empowering their team to do more with few resources.

website: www.assurity.com

Key Benefits

  • Achieved compliance with insurance laws across 50 different states.
  • Passed regulatory security and privacy audits.
  • Decreased time to detect and respond with embedded orchestration and automation.
  • Maximized limited resources through improved incident response workflows.

Industry

  • Life and Health Insurance

Products

  • LogRhythm SIEM
