How Clorox leverages Cloud SIEM across security operations, threat hunting, and IT Ops

During Sumo Logic’s Illuminate user conference, Heath Hendrickson, senior security architect at the Clorox company, and Gary Conner, senior threat protection lead, presented how they are leveraging Sumo Logic across security operations, threat hunting, IT operations, and more.

About Clorox

Clorox is a $6 billion global consumer packaged goods (CPG) company that has operations in 25+ countries, approximately 8,800 employees across 83+ sites, with 33 manufacturing plants globally.

Their computing environment is composed of approximately 1400 to 1500 Windows servers, ranging everywhere from 2003 all the way up to 2019. They run about 300 Linux servers in the environment with direct internet access at each of their locations, with a firewall at each of those sites. They have about 7,500 PCs, mostly laptops—predominantly Windows—with about 200 max in the environment.

Looking for a modern SIEM

Coming from a managed security provider (MSSP) with SIEM as part of their service, Clorox wanted to look for a modern SIEM that could more flexibly meet their needs and requirements. They evaluated leading providers in the cloud SIEM space and undertook a 30+ day proof of concept with those vendors using live production data.

Moving away from MSSP, they learned a lot of lessons about what they didn't want in a SIEM and what they were really looking for. After putting the same exact data into different platforms for a true head-to-head comparison, they selected Sumo Logic’s Cloud SIEM Enterprise solution, ingesting approximately 250 gigabytes per day. It's geared for 12 months of data storage, and they also subscribed to Sumo Logic’s Special Operations service.

Choosing Sumo Logic

Getting their data into a platform—whether it was next-gen antivirus, their EDR solution, single sign on, firewall logs, server logs, cloud services logs, web proxy logs—wasn’t the difficult part. Conner said what’s important to them was what they could do with that data. “Just because you have the data doesn't mean you understand the data,” Connor shared.

As the senior threat protection lead at Clorox, Connor shared three areas where Sumo Logic delivered value for their organization.

Alert reduction - Event correlation across time and technologies

With event correlation, insights pull data across multiple days, multiple systems. For example, if a file has been downloaded from their web service or web proxy to a user system, and the user opens the file two days later, all that data can be seen on Sumo Logic correlated to each other.

With their MSSP vendor, everything was single-event driven. There was no correlation. They would see an alert for every event—whether it was a false positive or a real one.

Their previous Network Threat Detection (NTD) platform scores suspicious logs two-fold—a preliminary score and the actual post-processing final score. The initial default rules set were based on the initial score—they once had an initial rule that generated about 2500 insights in just around an hour.

[Read More: Threat Hunting]

Moving to Sumo, Connor’s team worked with Sumo Logic Spec Ops to tune the SIEM and prototype rules. They added additional data from threat intelligence sources—screening for good sources that delivered valuable intelligence, reducing the noise their team had to deal with, and enriching insights. The process helped their team tune insights down to a manageable, realistic volume.

Anomaly detection

They’ve also seen a lot of insights that have been based on anomaly detection, not just an alert from typical malware and known threats. An alert could be based on a rule firing because of a sequence of events that led up to something that looks really, really suspicious, like PowerShell calling a command prompt to run a script that's using Base64 encoding to hide itself. These are the types of things that they were finding—things that normally you would miss if you don't have the right structure and the right tools and the right processes to detect them.

Dashboards and reporting features

As their team worked through and configured the SIEM, the team at Clorox was also feeding Sumo Logic with multiple dashboards and multiple technologies from their stack. Leveraging Sumo Logic’s dashboards and reporting features, their focus was putting together a single threat management dashboard that had all the threat information that they were interested in—whether it was from their next-gen anti-virus, web proxy, their NTD solution, and all other technologies. The top-level elements in the threat management dashboard allowed them to go deeper into individual things—for instance, web proxy and next-gen anti virus—so their team could bring context into the alerts they’re getting.

> We’ve also used Sumo Logic dashboards to find the needles in the haystacks. I say haystacks, because it's not just one haystack. That'd be too easy. Everything's its own individual little haystack.

• Gary Conner, Senior Threat Protection Lead, The Clorox Company

Beyond security

As they implemented Sumo, the Clorox team saw value beyond security. They built custom dashboards for management and operations, among other things.

As for the dashboards built for management, the monthly view presents what's happening across specific technologies that executive management would want to see. This has saved them an enormous amount of time because it eliminates putting together and formatting reports month-to-month. With Sumo, the managers can go to the dashboards, click on a button, and get the data they want—and it's real-time data. Managers can also look at historical data and see what has been going on on a daily, weekly, monthly basis, as well as the improvements made over specific periods.

Custom dashboards, searches, and queries in the system allowed them to have better overall visibility—without having to build rules for each specific thing. The team was able to pull custom metrics into the system through log-to-metrics conversions to be able to get ideas on latency of a firewall, or if a system was dropping packets as they do ping tests. Some dashboards and metrics had to be customized and added as they’re not out-of-the box--but because Sumo Logic had that ability as a platform, it was quick and easy.

COVID-19 and IT operations

The team at Clorox started their PoC with Sumo Logic in February, right as COVID-19 started hitting and everyone was going remote. A question that had to be answered was, “How well is our remote access environment doing?” With their production data already in Sumo Logic, Heath was able to put together a quick dashboard using their firewall and VPN firewall data—something operations and executive management can use to get a quick view on how many people are on their system and how they’re using it. With the dashboards and custom metrics, they were able to anticipate problems, create queries that they can pass on to service desk personnel so they can find information and address issues quickly.

Value out-of-the-box and ‘outside the box’

The Clorox team saw immense value now that they’re able to take their data and use it to gain real insights and put context to the alerts they’re getting. With the flexibility and capabilities present in the Sumo Logic platform, they’re able to see and do things that weren’t possible in the MSSP.

While both Heath and Gary are from the security side of Clorox, they made sure to think outside the box and engage their operational colleagues to look into the platform, use it, and help themselves with the data. Their advice for people in operations is to do the same and share the platform with people from the security side, as they’re sure to find a lot of value in Sumo Logic, especially with the Cloud SIEM Enterprise and continuous intelligence platform components combined.