December 8, 2020
SIEM has traditionally earned itself a bad reputation as an unwieldy and unmanageable tool that really never lived up to its promises. In my presentation during Illuminate, I talked about what Sumo Logic is doing to modernize log analytics and SIEM as a whole.
Today, we see that even as technology as a whole accelerates, security always seems to lag behind. At Sumo Logic, we address this head-on.
To better understand the challenge we face, I will break it down into three areas and discuss what we're doing at Sumo Logic to meet the unique security requirements of cloud and modern technologies.
Nobody could have foreseen the explosion of machine data that we're witnessing today. As technology weaves itself into our businesses and into our lives, the volume of data is just explosive.
"The rate at which we're generating data is rapidly outpacing our ability to analyze it. The trick is to turn these massive data streams from a liability into a strength."
Professor Patrick Wolfe
Executive Director, University College of London Big Data Institute
We are experiencing what I call the data collection law of diminishing returns. This means the more you collect, the more expensive it becomes, and the more difficult it becomes to get value out of that data.
At Sumo Logic, we take the value-driven approach—to leverage the cloud while still being able to justify the business expense.
We do this in two ways.
Defenders are drowning in alerts, many of which are false positives. A lot of times those alerts lack the context of the business and the risk. So even when they are legitimate, analysts have to do a ton of work to understand the impact that each security event might have. And the number of alerts just keeps growing as you modernize your stack.
A modern SIEM should be able to keep pace as you modernize your own applications and infrastructure to the cloud, containers, and microservices. At a minimum, you need content that supports all the major cloud service providers. Beyond that, there should be out-of-the-box content for the dozens of services and features within each platform.
Another question worth asking: does the solution leverage global intelligence that can only be gleaned from cloud solutions? At Sumo Logic, we've seen alerts across thousands of customers globally, and we can provide insight into how your security posture fares compared to everyone else. Are the threats that you're seeing rare? We've also partnered with CrowdStrike to provide threat intelligence out of the box at no extra cost to users.
From here, there’s still the big issue of alert fatigue. Most analysts are familiar with burnout and swivel chair syndrome. These are serious issues. As aptly put by Bill Crowell, former NSA Deputy Director,
"Cyberdefense is about having an integrated set of tools that work together to prevent attacks, but the industry now has a thousand points of light and no illumination."
We recognize at Sumo Logic that we have to overhaul our approach to correlation and alerting. The fidelity of alerts and insights needs to be incredible, and that’s what we deliver.
Through the Sumo Logic Cloud SIEM Enterprise platform, we’re able to provide automated alert reduction, high fidelity insights, and context for investigations. How?
An entity in our world is a user or a system, and your SIEM has to be intelligent enough to aggregate at the entity level. That way, as an analyst, when you open up an alert you're not seeing an individual point of light. You're seeing the broader picture of what's happening to a particular entity.
We take the industry framework of the MITRE ATT&CK lifecycle and overlay every single signal on the attack stage it lies in. The analyst can instantly see all of the different signals and which stages they belong to without having to query and research.
Providing attacker dwell time
We're also able to provide attacker dwell time. The analyst can look back multiple weeks, and Cloud SIEM Enterprise shows, at a glance, everything it knows about a system: all of the relevant security events and how long the activity has been going on.
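To make the entity-level aggregation, ATT&CK stage overlay, and dwell time described above concrete, here is a small added example. It is not Sumo Logic's code and does not reflect how Cloud SIEM Enterprise is implemented; the rule names, the rule-to-tactic mapping, the severity-sum threshold, and the sample signals are all constructed for illustration. It groups individual signals per entity, tags each with an ATT&CK tactic, keeps only entities whose combined severity crosses a threshold (the alert-reduction step), and reports first seen, last seen, and dwell time for each resulting insight.

```python
"""Entity-level aggregation of security signals with ATT&CK tactic overlay.

Added example, not Sumo Logic's code. Rule names, tactic mapping, threshold
and sample signals are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical detection rule names mapped to the ATT&CK tactic they indicate.
RULE_TO_TACTIC = {
    "brute_force_login": "Credential Access",
    "new_admin_account": "Persistence",
    "suspicious_powershell": "Execution",
    "large_outbound_transfer": "Exfiltration",
}


@dataclass
class Signal:
    """One raw detection: what fired, when, and against which entity."""
    ts: datetime
    entity: str      # user or host the signal is about
    rule: str        # name of the rule that fired
    severity: int    # 1 (low) .. 5 (high)


@dataclass
class Insight:
    """All signals for one entity, rolled up into a single picture."""
    entity: str
    signals: list = field(default_factory=list)

    @property
    def first_seen(self) -> datetime:
        return min(s.ts for s in self.signals)

    @property
    def last_seen(self) -> datetime:
        return max(s.ts for s in self.signals)

    @property
    def dwell_time(self) -> timedelta:
        # Span between the earliest and latest signal on this entity.
        return self.last_seen - self.first_seen

    @property
    def tactics(self) -> list:
        # Distinct ATT&CK tactics observed, so the analyst sees the attack
        # stages at a glance instead of one rule name at a time.
        return sorted({RULE_TO_TACTIC.get(s.rule, "Unknown") for s in self.signals})

    @property
    def score(self) -> int:
        # Constructed scoring: plain sum of severities across all signals.
        return sum(s.severity for s in self.signals)


def build_insights(signals, min_score=6):
    """Group signals by entity and keep only entities above the score threshold."""
    by_entity = defaultdict(list)
    for s in signals:
        by_entity[s.entity].append(s)
    insights = [Insight(e, sorted(ss, key=lambda s: s.ts)) for e, ss in by_entity.items()]
    # Low-scoring entities are suppressed: this is the alert-reduction step.
    return [i for i in insights if i.score >= min_score]


def summarize(insight):
    """Flatten an insight into the fields an analyst would read first."""
    return {
        "entity": insight.entity,
        "score": insight.score,
        "tactics": insight.tactics,
        "first_seen": insight.first_seen.isoformat(),
        "last_seen": insight.last_seen.isoformat(),
        "dwell_days": insight.dwell_time.days,
        "signal_count": len(insight.signals),
    }


# Constructed sample signals: one host with a multi-week progression across
# tactics, and one user with a single isolated low-severity signal.
T0 = datetime(2020, 11, 20, 9, 0)
SAMPLE_SIGNALS = [
    Signal(T0, "host-42", "brute_force_login", 2),
    Signal(T0 + timedelta(days=3), "host-42", "new_admin_account", 3),
    Signal(T0 + timedelta(days=10, hours=4), "host-42", "suspicious_powershell", 3),
    Signal(T0 + timedelta(days=15), "host-42", "large_outbound_transfer", 4),
    Signal(T0 + timedelta(hours=1), "alice", "brute_force_login", 2),
]

if __name__ == "__main__":
    for ins in build_insights(SAMPLE_SIGNALS):
        print(summarize(ins))
```

Run as-is, the four signals on host-42 collapse into one insight spanning four tactics with a 15-day dwell time, while alice's single low-severity signal stays below the threshold and never reaches the analyst. The threshold and the severity sum are deliberately simple; a production system would weight by asset criticality and business context, which is exactly the context the post says raw alerts usually lack.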
Here’s a quick look at the Sumo Logic Cloud SIEM Enterprise platform. I encourage you to reach out for a full demo of it.
There is a huge skill shortage in security and in tech in general, and it's only getting worse as the assets we're monitoring become more and more sophisticated. Tier 1 analysts are expected to come to the table with a lot of new knowledge and a well-rounded skillset composed of specialized skills. The tools on the market to monitor and secure enterprise environments are also becoming more complex.
In one of our studies, we found that "75% of SecOps teams said they need to hire three or more analysts just to address all the alerts that they get daily."
In our view, all the aforementioned approaches contribute to solving this problem. Once you’ve democratized data and everybody is looking at the same data store with high fidelity alerts and insights, you can get that force multiplier where all of the different team members are leveraging that same data and driving value out of it. What we provide is not just another tool, not another source of alerts that your team doesn’t have the time to triage and address.
Sumo Logic started with a mission to bring traditional log analytics and SIEM into the world of SaaS and cloud computing. Now, almost every major SIEM vendor or log analytics platform has recognized that this is truly where the future lies in order to keep up with log management.