Sumo Logic and SIRP - Beyond Traditional Cloud Security Monitoring and Incident Response

Synthesis of Security Analytics Data and Automated Incident Response

 

With the ever growing demand of new features, storage and processing power, almost every organization is either using the cloud in some form, or in the process of investing in it. The use cases and advantages that cloud offers in the form of scalability and agility are unlimited.  Some organizations have their entire application suite running on the cloud. Whereas some organizations merely run their DR on the cloud. Either way, the boundaries of on-prem and on-cloud are diminishing. That's why monitoring the cloud infrastructures in terms of security and speed, is equally important as that of monitoring on-prem infrastructure.

Organizations want 100% uptime, have < 2 seconds response time, and 0 number of breaches for their cloud applications and services. On top of that they are looking to store ANY and ALL logs generated by their applications. This is where Sumo Logic excels. Sumo Logic's unique combination of Continuous Intelligence Platform and Cloud SIEM Enterprise allows organizations to gain end-to-end visibility into their operational and security data.

Through the Sumo Logic’s Continuous Intelligence Platform (CIP), organizations can capture security and privacy data from any number of sources and then Cloud SIEM Enterprise (CSE) identifies patterns of complex and targeted cyber attacks  from that large dataset. The power to collect data from a wide variety of sources and the ability to query historical data and apply machine learning algorithms, allows security analysts to hunt threats proactively. 

Once this proactive approach to collect and correlate alerts and events data is combined with security automation, orchestration and response, the result is:

  • Unparalleled threat intelligence and enrichment
  • On-demand or Automatic execution of actions through Playbooks
  • End-to-end case management
  • Faster response times
  • Support for more and better use cases
  • One-click Insights (events) triage
  • Streamlined collaboration and workflows

Sumo Logic is a cloud analytics and monitoring platform. It provides real-time, out-of-the-box visibility into  the technologies that power your applications. Sumo Logic's cloud-native Security Information and Event Management (SIEM) allows analysts to quickly detect Indicators of Compromise (IoCs), accelerate investigation, and run the entire security operations (SecOps) lifecycle. Some of most extraordinary features of Sumo Logic’s Cloud SIEM are :

  • Ability to process massive amounts of data: 200+ petabytes of data analyzed, 20 million searches performed. Every day!
  • Unified Platform: A single integrated solution for developers, security, operations and LOB teams.
  • ML-powered Engine: Identify, investigate, and resolve issues faster with machine learning.
  • OOTB Monitoring for all Major Cloud Platforms: Cloud security monitoring for AWS, Azure, GCP & number of SaaS apps.
  • Integrated threat intelligence: Detect Indicator of Compromise

Now Sumo Logic customers can use SIRP’s Security Orchestration, Automation, and Response capabilities with Sumo Logic CSE to get the best of both worlds. This integration allows analysts to use Sumo Logic’s Cloud SIEM to monitor and detect threats (Signals and Insights) and use SIRP to automate their triage, collaboration, and response.

Integration Features

  • Run an effective incident response cycle using Sumo Logic CIP and CSE combined with SIRP risk-based SOAR capabilities.
  • Proactively hunt for threats by running Sumo Logic’s CIP custom search queries through SIRP either in real-time or as a playbook action.
  • Leverage several other SIRP integrations to enrich Sumo Logic’s security data and coordinate response across security functions.
  • Acquire on-demand or automatic triage of machines for further investigation and forensic analysis.

Challenge

According to the 2020 Cloud Security Report, 94% of organizations are moderately to extremely concerned about cloud security. Attackers are making use of advanced tactics and techniques to evade defenses. Some of the major challenges are:

  • Data Breach
  • Insecure APIs and Interfaces
  • Limited Visibility
  • Insider Threat
  • Account Hijacking
  • Insufficient Identity, Credential, Access and Key Management

Solution

Cybersecurity data analytics coupled with security orchestration, automation, and response addresses these challenges. Security teams can feed all their security data to Sumo Logic’s Continuous Intelligence Platform, and from there the CSE generates Signals and Insights which are ingested by SIRP to automate response. Analysts can use SIRP playbooks to automate their artifact triage and response. These playbooks help analysts enrich their investigative data, perform threat hunting activities, gather threat intelligence, and execute endpoint remedial actions.

Use Case 1: Ingest Insights and Get Enrichment and Signal Details

Sumo Logic CSE has a concept of “Signals” and “Insights”. Signals are a collection of alerts/events, identified through pattern and threat intelligence matching, correlation logic, statistical evaluation, and anomaly detection. The Insights goes one step beyond. The Insights represents the correlated, and prioritized set of signals and other data enrichments. So the first order of business for SIRP is to ingest these Insights along with corresponding signals information and enrichment data. The playbook is set to perform the following actions:

  • Get the Signals which triggered the Insight
  • Get details of the Rule which triggered the Signals
  • Get the enrichment data associated with the Insight

The entire execution and decision flow of the playbook looks something like this:


The actual playbook in SIRP is shown below:



Once the Insight is ingested and the Playbook is executed, the data looks something like this one SIRP:



Use Case 2: Credential Access and Exfiltration

Consider an example in which Sumo Logic CSE generated an Insight called “Credential Access and Exfiltration”. The Signals data ingested from CSE tells us that an EC2 instance in the AWS environment is behaving in a way that deviates from the established baseline. This EC2 instance has no prior history of sending this much traffic to this remote host.

A possible scenario could be that there are attempts to run AWS API operations from a host outside of EC2, using temporary AWS credentials that were created on an EC2 instance in an organizational AWS account. This could mean that the EC2 instance might be compromised, and the temporary credentials from this instance might have been exfiltrated to a remote host outside of AWS. 

After receiving this Insight information from CSE, SIRP automatically executes a playbook based on the predefined rules. The playbook is set to perform the following actions:

  • Get EC2 instance details from AWS
  • Get EC2 Security Group details from AWS
  • Check if the EC2 instance belongs to a Privileged Security Group. If the EC2 belongs to a privileged security group, then:
  • Check the response of the asset custodian. If custodian says that the action is NOT legitimate, then:
    • Stop the EC2 instance
    • Create snapshot of the EC2 instance
    • Change Disposition to “Incident”
    • Change Priority to “High”
    • Assign investigative tasks to Analysts
  • Else (if the EC2 does not belong to any Privileged Security Group):
    • Change alert Priority to “Medium”
    • Change Disposition to “Investigation”
    • Assign investigative tasks to Analysts

The entire execution and decision flow of the playbook looks something like this:



The actual playbook in SIRP is shown below:


Use Case 3: Malicious File Investigation and Response

Let’s consider another example in which SIRP received an Insight called “Initial Access with Persistence and Port Scan”. The Signals that caused this Insight to be triggered has following information:

  • Proofpoint TAP detected a user clicking on a phishing link in an email. This rule only includes messages where Proofpoint considers the phishing link still active. Records indicating the link was permitted will have a higher signal score compared to those automatically blocked by Proofpoint.
  • This rule looks for a host scanning other SMB hosts for specific commands similar to WannaCry
  • Check Point Threat Emulation Malicious File Allowed


This is clearly a high-fidelity alert generated by Sumo Logic CSE in the form Insight. Immediate remedial action and response is of paramount importance. Therefore a Playbook will be executed on SIRP automatically based on the pre-defined rules.

Let’s review how this SIRP playbook is set to function:



The purpose of this simple playbook is twofold:

  1. Check if the file is malicious
  2. If it is malicious then Initiate response actions 

Once the playbook is executed either manually or automatically, it is set to perform following actions:

  • Get user details from Microsoft Active Directory
  • Get user’s group details from Active Directory
  • Submit File for analysis to EDR
  • Check the file scan results returned from Lastline. IF the reported “score” is greater than 5, then:
    • Push the file Hash to EDR
    • Disable the User on Microsoft Active Directory
    • Quarantine the machine
    • Send email notifications to relevant parties
    • Change Disposition to “Incident”
    • Assign tasks to Analysts
  • ELSE IF the reported “score” from EDR is less than or equal to 5, then
  • Get Hash reputation from VirusTotal
  • Check IF the reported score is greater than or equal to 5. If Yes, then:
    • Push the file Hash to EDR
    • Disable the User on Microsoft Active Directory
    • Quarantine the machine
    • Send email notifications to relevant parties
    • Change Disposition to “Incident”
    • Assign tasks to Analysts
  • ELSE:
    • Change Priority to “Medium”
    • Change Disposition to “Investigation”
    • Assign investigative tasks to Analysts

Apart from just pushing the Hash to EDR, analysts can also proactively hunt for the hash in the network by initiating scans through EDR. And if that hash is found, then it can be either deleted or the system itself can be isolated. 

The entire execution and decision flow of the playbook looks something like this:



Misc. On-Demand Actions

Apart from executing actions automatically through playbooks, analysts can also run ad-hoc actions to query Sumo Logic Continuous Intelligence Platform and pull/push data to and from Cloud SIEM Enterprise.



Query Continuous Intelligence Platform

Analysts can send queries to Sumo Logic CIP on the go to get the historical data from the intelligence platform by clicking on the Sumo Logic CIP Source  in the Evidence tab, selecting Sumo Logic CIP app and then selecting get_events_for_last_15_minutes action. SIRP will execute the action and query CIP to fetch the relevant records of the source for the last 15 minutes.


Once the action is successfully executed, the results are displayed in the Sumo Logic app container.




Change Insight Status on Cloud SIEM Enterprise

Analysts can change the status of the Insight from SIRP by clicking on the Sumo Logic CSE Insight ID in the Evidence tab, selecting the Sumo Logic CSE app and selecting change_status_of_insight action. SIRP will push the change to CSE.




Add Comments to Insight

If analysts wish to add a comment against an Insight, they simply check the checkbox called “Sumo Logic CSE” while posting a comment. Similarly, if they wish to pull the latest comments from CSE, they click on the Refresh icon at the top right corner of the Comment tab.


Benefits

The bones have been cast and the oracles have spoken: data is King, and automation is the Knight!




Sumo Logic is a leader for ingesting, storing, and analyzing cloud data. On the other hand, SIRP is the only risk-based SOAR platform that drives speed to take actions on that data. As the cloud and security data piles up, the pressure to respond to threats becomes immense. Therefore, taking response actions as quickly as possible is extremely important. This is why Sumo Logic and SIRP gels so well together. The combination of the two technologies can help SOC and security leaders to stay ahead of traditional and advanced threats by enabling teams to respond faster. 

In a nutshell, the sequence of events look like this:

  1. Sumo Logic’s Continuous Intelligence Platform gathers data and provides intelligence and analytics. 
  2. The Cloud SIEM Enterprise takes the data, applies machine learning to generate high-fidelity data (Signals and Insights). 
  3. SIRP takes Signals and Insights, enriches the artifacts, executes playbooks, and allows teams to run detailed case management.

Some of the key benefits that can be realized out of this integration are:

  • Proactive monitoring and response by leveraging best of both products i.e. data analytics of Sumo Logic and automation capabilities of SIRP.
  • Utilization of Sumo Logic’s machine learning capabilities
  • Reduced MTTD and MTTR through streamlined orchestration and automation
  • Automatic execution of response actions using 80+ ootb integrations.
  • Correlate the data ingested from different security technologies as well as organizational risks, asset importance, threat intelligence, and vulnerabilities.
 
Start free trial