With the ever-growing demand for new features, storage and processing power, almost every organization is either using the cloud in some form or in the process of investing in it. The use cases and advantages the cloud offers in the form of scalability and agility are practically unlimited. Some organizations have their entire application suite running on the cloud, whereas others merely run their disaster recovery (DR) on the cloud. Either way, the boundary between on-prem and on-cloud is diminishing. That is why monitoring cloud infrastructure for security and performance is just as important as monitoring on-prem infrastructure.
Organizations want 100% uptime, sub-2-second response times, and zero breaches for their cloud applications and services. On top of that, they are looking to store any and all logs generated by their applications. This is where Sumo Logic excels. Sumo Logic's unique combination of Continuous Intelligence Platform and Cloud SIEM Enterprise allows organizations to gain end-to-end visibility into their operational and security data.
Through Sumo Logic's Continuous Intelligence Platform (CIP), organizations can capture security and privacy data from any number of sources, and Cloud SIEM Enterprise (CSE) then identifies patterns of complex and targeted cyber attacks in that large dataset. The power to collect data from a wide variety of sources, the ability to query historical data, and the option to apply machine learning algorithms allow security analysts to hunt threats proactively.
Once this proactive approach to collect and correlate alerts and events data is combined with security automation, orchestration and response, the result is:
Sumo Logic is a cloud analytics and monitoring platform. It provides real-time, out-of-the-box visibility into the technologies that power your applications. Sumo Logic's cloud-native Security Information and Event Management (SIEM) allows analysts to quickly detect Indicators of Compromise (IoCs), accelerate investigation, and run the entire security operations (SecOps) lifecycle. Some of the most extraordinary features of Sumo Logic's Cloud SIEM are:
Now Sumo Logic customers can use SIRP’s Security Orchestration, Automation, and Response capabilities with Sumo Logic CSE to get the best of both worlds. This integration allows analysts to use Sumo Logic’s Cloud SIEM to monitor and detect threats (Signals and Insights) and use SIRP to automate their triage, collaboration, and response.
According to the 2020 Cloud Security Report, 94% of organizations are moderately to extremely concerned about cloud security. Attackers are making use of advanced tactics and techniques to evade defenses. Some of the major challenges are:
Cybersecurity data analytics coupled with security orchestration, automation, and response addresses these challenges. Security teams can feed all their security data to Sumo Logic’s Continuous Intelligence Platform, and from there the CSE generates Signals and Insights which are ingested by SIRP to automate response. Analysts can use SIRP playbooks to automate their artifact triage and response. These playbooks help analysts enrich their investigative data, perform threat hunting activities, gather threat intelligence, and execute endpoint remedial actions.
Sumo Logic CSE has the concepts of "Signals" and "Insights". Signals are collections of alerts/events identified through pattern and threat intelligence matching, correlation logic, statistical evaluation, and anomaly detection. An Insight goes one step further: it represents a correlated and prioritized set of Signals together with other data enrichments. So the first order of business for SIRP is to ingest these Insights along with the corresponding Signal information and enrichment data. The playbook is set to perform the following actions:
The entire execution and decision flow of the playbook looks something like this:
The actual playbook in SIRP is shown below:
Once the Insight is ingested and the Playbook is executed, the data looks something like this on SIRP:
Consider an example in which Sumo Logic CSE generated an Insight called "Credential Access and Exfiltration". The Signal data ingested from CSE tells us that an EC2 instance in the AWS environment is behaving in a way that deviates from its established baseline: the instance has no prior history of sending this much traffic to this remote host.
A possible scenario is that AWS API operations are being attempted from a host outside of EC2, using temporary AWS credentials that were issued to an EC2 instance in an organizational AWS account. This could mean that the EC2 instance has been compromised and that the temporary credentials from this instance have been exfiltrated to a remote host outside of AWS.
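The credential-misuse pattern described above, as an added detection check (example code, not part of the SIRP playbook or of Sumo Logic's own logic). The event layout borrows CloudTrail's `userIdentity.arn` and `sourceIPAddress` fields; the fleet egress allowlist and the sample events are constructed assumptions for this example.

```python
import ipaddress
import re

# Assumed allowlist of addresses the account's EC2 fleet egresses from
# (constructed for this example; in practice pulled from the account inventory).
KNOWN_EC2_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Instance-profile sessions name the STS session after the instance id.
_INSTANCE_SESSION = re.compile(r":assumed-role/[^/]+/(i-[0-9a-f]{8,17})$")

def instance_id_from_arn(arn):
    """Return the instance id behind an instance-role session ARN, or None."""
    m = _INSTANCE_SESSION.search(arn)
    return m.group(1) if m else None

def is_from_fleet(source):
    """True/False for an IP address; None when the caller is recorded as a
    DNS name (calls made on the account's behalf by an AWS service)."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return None
    return any(addr in net for net in KNOWN_EC2_EGRESS)

def find_exfiltrated_credential_use(events):
    """(instance_id, source_ip, eventName) for each API call that used an
    instance-role session from an address outside the known fleet."""
    hits = []
    for ev in events:
        inst = instance_id_from_arn(ev.get("userIdentity", {}).get("arn", ""))
        if inst is None:
            continue  # IAM user or non-instance role: out of scope here
        src = ev.get("sourceIPAddress", "")
        if is_from_fleet(src) is False:
            hits.append((inst, src, ev.get("eventName")))
    return hits

# Constructed sample CloudTrail-style events (not real telemetry).
ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc1234def567890"
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.25",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": ROLE_ARN}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]
```

Only the second event fires: the same instance-role session is seen from an address outside the fleet, which is the signal the playbook above is responding to.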
After receiving this Insight information from CSE, SIRP automatically executes a playbook based on the predefined rules. The playbook is set to perform the following actions:
The entire execution and decision flow of the playbook looks something like this:
The actual playbook in SIRP is shown below:
Let's consider another example in which SIRP received an Insight called "Initial Access with Persistence and Port Scan". The Signals that triggered this Insight contain the following information:
This is clearly a high-fidelity alert generated by Sumo Logic CSE in the form of an Insight. Immediate remedial action and response are of paramount importance. Therefore a Playbook is executed on SIRP automatically based on the pre-defined rules.
Let’s review how this SIRP playbook is set to function:
The purpose of this simple playbook is twofold:
Once the playbook is executed, either manually or automatically, it is set to perform the following actions:
Apart from just pushing the hash to the EDR, analysts can also proactively hunt for the hash across the network by initiating scans through the EDR. If the hash is found, the file can be deleted or the affected system isolated.
The entire execution and decision flow of the playbook looks something like this:
Apart from executing actions automatically through playbooks, analysts can also run ad-hoc actions to query Sumo Logic Continuous Intelligence Platform and pull/push data to and from Cloud SIEM Enterprise.
Analysts can query Sumo Logic CIP on the fly for historical data from the intelligence platform by clicking on the Sumo Logic CIP Source in the Evidence tab, selecting the Sumo Logic CIP app, and then selecting the get_events_for_last_15_minutes action. SIRP executes the action and queries CIP to fetch the relevant records for that source from the last 15 minutes.
Once the action is successfully executed, the results are displayed in the Sumo Logic app container.
Analysts can change the status of an Insight from SIRP by clicking on the Sumo Logic CSE Insight ID in the Evidence tab, selecting the Sumo Logic CSE app, and selecting the change_status_of_insight action. SIRP pushes the change to CSE.
If analysts wish to add a comment against an Insight, they simply check the checkbox called “Sumo Logic CSE” while posting a comment. Similarly, if they wish to pull the latest comments from CSE, they click on the Refresh icon at the top right corner of the Comment tab.
The bones have been cast and the oracles have spoken: data is King, and automation is the Knight!
Sumo Logic is a leader in ingesting, storing, and analyzing cloud data. SIRP, on the other hand, is the only risk-based SOAR platform that drives the speed to take action on that data. As cloud and security data pile up, the pressure to respond to threats becomes immense, so taking response actions as quickly as possible is extremely important. This is why Sumo Logic and SIRP gel so well together. The combination of the two technologies can help SOC and security leaders stay ahead of traditional and advanced threats by enabling teams to respond faster.
In a nutshell, the sequence of events looks like this:
Some of the key benefits that can be realized out of this integration are: