Episode 1  |  29:23 min  |  07.09.2021

Fireside Chat on Modern SOC Security

Today's session from The Modern SOC Summit is a discussion between Byron Acohido and Greg Martin. Byron is a Pulitzer Prize-winning cybersecurity journalist and an executive producer at The Last Watchdog. Greg is the Vice President of the Security Business Unit at Sumo Logic. These two dive into Modern SOC Security, including its role and how it's changed, especially throughout the pandemic.
Takeaway 1 | 01:25 MIN
What's Going On In SOCs Right Now
Takeaway 2 | 01:33 MIN
What Has Changed in Terms of SOCs
Takeaway 3 | 01:37 MIN
How Ingestion Needs to Happen in Modern SOC, Considering the Amount of Activity That Happens Outside the Data Center
Takeaway 4 | 02:53 MIN
The Role of Modern SOC in Terms of Framework and Policies
Takeaway 5 | 02:17 MIN
Why Compliance is Important, and the Role it Plays

Byron Acohido
Executive Producer, The Last Watchdog on Privacy and Security
Byron Acohido executive produces multi-media editorial content crafted to advance intelligent discourse of important privacy and cybersecurity topics. His stories are authoritative and accessible; and his body of published work can be perused at LastWatchdog.com.
Greg Martin
VP and GM of Security Business Unit at Sumo Logic
Greg Martin is the VP and GM of the Security Business Unit for Sumo Logic. Prior to Sumo he was the CEO and Co-Founder of JASK (Acquired by Sumo Logic Nov 2019). Greg founded the cyber-security company Anomali, the market leader in the threat intelligence platforms. His early career experience includes roles as a cybersecurity advisor to the FBI, Secret Service and NASA; CISO at Sentinel IPS and Security Operations practice lead at ArcSight.

Speaker 1: I can't really see what's going on inside my Azure and Google cloud environments.

Speaker 2: I need access to real-time alerts.

Speaker 3: It can be challenging keeping track of the many threats that my company needs to be aware of at any given moment.

Speaker 4: Constant updates and regulations make it tricky to stay ahead of my team's compliance requirements.

Speaker 3: My team absolutely needs to step up from the manual processes to truly automating our response to threats to address security threats.

Speaker 5: Our biggest concern on a daily basis is the possibility of unknown vulnerabilities.

Speaker 4: We want to secure every aspect of our technical environment, but really want to get to the use case level to stay focused.

Speaker 1: I simply cannot hire enough security analysts that have the skills and experience we need.

Speaker 6: We are utilizing far too many tools. And our system has become too complex.

Speaker 8: Our team is so small that I really wish I could lean on a security platform as an additional technical resource to help fill in the gaps.

Speaker 2: Whether threat hunting or responding to incidents, I have to have the right query and associated operators ready to go during a critical security event.

Speaker 5: Is there a better way?

Speaker 4: There must be a better way.

Speaker 6: How do I do this?

Speaker 2: Please welcome, General Manager and VP of security, Greg Martin.

Greg Martin: Hello everybody. My name is Greg Martin. I'm the GM of Security Business here at Sumo Logic. And I just want to welcome everyone to The Modern SOC Summit. This is a really exciting jam packed two days. We hope that you got a lot of content yesterday. And in today's session, we have three really exciting tracks for you. We have a leadership track. We have a getting started track for folks that are new to this journey of Modern SOC. We have a track for existing Sumo customers. So really, something for everyone, regardless of where you are in your journey of building a modern security operations, we have something for you prepared this week. So really excited to have you and welcome. So this keynote is really exciting for me because we're welcoming Byron Acohido, who is a Pulitzer prize winning cybersecurity journalist. He's been covering cyber for a long time. I've gotten to know Byron, he's very passionate about security operations and some of the changes that are happening in the space. So this should be a really fun conversation. Welcome, Byron.

Byron Acohido: Yeah. Thanks Greg. I'm looking forward to a great conversation because I want to stick a straw in your brain and fill in all the gaps on what's going on with SOCs. I write about everything, but I've written some about security operation centers, obviously they have a big place in taking care of cyber risk at large enterprises, but now is an especially dynamic time for enterprises with cloud migration and so forth. And the attack surface seems to be as big as ever, but not just that, the threat actors seem to be taking full advantage. I mean, we just came off of RSA and lots of talk about SolarWinds and Colonial Pipeline. So yeah, let's just jump right into it. I mean, could you frame what's going on in SOCs? I mean, that's a big question but, there's a transition going on, right. From trying to protect on premises to trying to deal with the cloud.

Greg Martin: That's right. Byron, this is a subject that I'm personally very passionate about. I spent almost my entire career in the SOC space, whether it was building one of the first SOCs at NASA 15 years ago when we did things very differently, to today. And I love this concept of a modern SOC, because it really frames the changes that are happening in the industry, what we have to do to invest in our people, our processes, and our technology, to keep up with the evolving threats. And something I'm very excited to talk to you about, and those are great examples of just how the threat landscape has changed, right? We have these ransomware attackers shutting down our gas pipeline, we have nation state attackers running extremely sophisticated supply chain attacks, compromising hundreds and hundreds of global corporations as well as government entities. So it's really been an incredible time and there's a lot of folks out there, both in the industry and outside of the industry, wondering why are we not doing our jobs well enough? Why are we not succeeding? And so this is a really fascinating topic and I'm excited to dig in with you.

Byron Acohido: Yeah, well, part of my job is asking simple questions that I'm wondering about. So let's just start with sort of a basic baseline here in terms of SOCs, my understanding of them, very non-technical, is that they look at the data logs, basically, coming in from the SIEMs, and everything else having to do with the data center in terms of web gateways, firewalls, intrusion detection systems. And then the struggle has been that there's so much information coming in. There's not enough analysts. The analysts are having to do really rudimentary tasks and can't get to the good stuff. Well, that's shifted, that was maybe 5, 3, 4 years ago. Automation has been coming on board. But now the whole thing has changed, right? Take us from that point, from the sort of legacy role of the SOC to what is the role today, given DevOps and cloud migration.

Greg Martin: That's a good question Byron. So when we started in this industry, we looked at security operations in a very different way, primarily because the threat surface, meaning the assets that we had to attack, was all under our control. We had our own data centers, we controlled the network endpoints. So we saw the traffic and you could monitor it with things like IDS, intrusion detection, both incoming traffic and external traffic. And that's changed very dramatically. Not only has the surface of the network expanded with cloud and just the amount of data and assets that we have online, more things to attack, right? We call those the threat vectors. That surface has increased very, very dramatically over the past decade, by an order of magnitude, really. The amount of data and systems that we have online, combined with the fact that we no longer have full control over these assets. We're moving very, very rapidly to these cloud-based systems, SaaS-based systems like Salesforce, like Amazon, AWS, GCP, and Azure, and so on. So the way that we did things traditionally for security monitoring, detection, response, and prevention, has to change with the change in IT infrastructure. And in many ways, the shift to the cloud is great for businesses, but security has been a bit of a lag here.

Byron Acohido: Yeah. Although let's not skip an important step here in the progression. I mean, it's not like the cyber security industry and the companies have been stagnant, or completely ignoring the problem. I mean, the last couple of RSAs, maybe three or four years, orchestration and automation, SOAR, has become a big thing. The playbooks. So there's been advances made along the way, but where we are today is an even more scaled up move to cloud migration, partly because of COVID-19 and what we're doing there, right? Remote work and so forth. So let's talk about that. Let's zero in on what's going on right now, in terms of all the stuff moving to the cloud, and where does the SOC fit in trying to ingest, and make good sense out of that activity?

Greg Martin: No, that's a great point, Byron. I mean, the SOCs of the past, they worked because we could literally put a handful of human analysts in a room and stare at these giant monitors and see every cyber attack that hit an organization on any given day. But with this explosion of data, the move to the cloud, the increase in the number of attacks, the sophistication of the attacks, security operations is just really not a human scale problem anymore. So what does that mean? It means that there's too many attacks for an analyst to literally go through all of them on any given day. It used to be hundreds a day. Now it's hundreds of thousands of attacks per day for a large organization. So what do we do about that? We have to change our process. We have to change how we use our people, and we have to change the technologies that we use to enable those people. So that's what we define as the modern SOC. So how do we change those processes to be able to keep up with both the frequency and the sophistication of the attacks today? And it requires a totally different set of tools. And you mentioned automation, automation is key to this journey. We've got to get folks out of the manual triage of cyber attacks, start leaning on our automation. Sumo is a big player in this area, and start allowing all the intelligence to help us focus on what are the attacks that are really most meaningful to our SOC. So we can really help give that advantage back to the defenders, the security analysts, and really that's what we focused on with our products over the last few years, and driving innovation. And I think that as organizations are going through modernizing the SOC, looking at, okay, how do I change my monitoring technologies to adapt to cloud security, adapt to SaaS-based technologies, whether it's Gmail, or Office 365, or Salesforce, those are all critical business systems that need protection as well, too.
So having the right tools in place, having the right monitoring technologies and having the right processes for your people. Once COVID happened, this whole idea of having a SOC operating in the same place has all blown away. And I think this has been a positive development for maturing this concept of the modern SOC. I've been talking for a couple of years about how the modern SOC now lives on Slack. And really why is that? Because we need to reach out and bring folks together over diverse areas of geographic territory. If we don't have enough SOC analysts to hire, there's a shortage in cybersecurity talent, why not have a company in the Bay Area hire an analyst in Ohio, and have them working together virtually, building automation, building bots to help them do their investigation and response work. These are all kind of the core concepts of what modern SOCs are doing today.

Byron Acohido: I wonder if we could unpack a little bit of what you just covered there, then maybe go back to a real sort of basic question here. I can visualize in my mind's eye what you described, the legacy SOC and how it functioned, with a guy sitting at a screen, or a team of people trying to make sense out of too much information. Could you help maybe convey an illustration of how ingestion needs to happen, and is happening in modern SOCs today, with all the various things you need to pull in that are... All the activity that's happening outside the data center out there on the edge? It's all about the edge now, right?

Greg Martin: Yeah. Well, the easiest way to describe it, Byron, is that the way we used to collect the data and telemetry to monitor cybersecurity in the past when we had security operations, was all there on premise in your data center, and that's the biggest change. So now in a cloud-centric world and a SaaS-centric world, we have to have the right technologies like Sumo's Cloud SIEM to be able to bring in the cloud data sources natively, and the way that we collect those is very different than the way that we did in the past. In the past, we used syslog as the primary transport of that log data to monitor. So we're bringing in alerts from different systems. We brought it over syslog. Now you have to have API connections that can interface directly with these cloud providers, and those APIs sometimes change. And this is why you really need to focus on partnering with the right technologies that can actually acquire that data natively, bring them in, and make sense of that data. And a lot of these organizations are not just focused on using one cloud provider. You can imagine that they're going to have instances of Microsoft's Azure cloud, as well as maybe some Google, and of course, AWS, the leader in the space. So having that hybrid collection ability is really important. As organizations are building out their vision for a modern SOC, getting the data, having visibility on the threats is the most important step.

Byron Acohido: Yeah. So I just got a vision in my head, it's instead of traffic coming into my gateways, it's traffic flying all around the place in [inaudible], and then getting out to this through API sets, [crosstalk]. So you have to have a smart API strategy and smart API technology, it seems.

Greg Martin: Absolutely. The way of the past was very narrow, network centric. We'd have our inline IDS or intrusion detection devices set up, then monitor the ingress and egress of the network. And we really don't have the access to do that anymore in these cloud environments. So you have to have the right capabilities to get the visibility and they have to understand the technologies of today. So it has to understand these Docker containers, the Kubernetes environments, and understand the security of them. It has to understand the security controls, and things like S3 buckets, because as the businesses have shifted to cloud-based technologies for their applications and their IT environments, so have the attackers. They've gotten much more advanced in their way to automate attacks on cloud infrastructure, and in some cases we've seen attackers find cloud infrastructures, and attack them, that companies didn't even know they had up and running. And this is a very common story that unfortunately we hear all the time. So understanding your environment, monitoring it, getting that telemetry. And again, it's changed in the way that we get it, now moving to the API techniques. So having all those right tools and bringing them to bear, and then having the automation to make sense of it, is a core paradigm in a modern SOC.

Byron Acohido: Yeah. So we've talked about two things, and I can visualize it now with getting the telemetry by very smart, advanced use of APIs, and then whatever the telemetry is telling you, having very smart systems to orchestrate and to automate sort of the low level responses, so you can free up your few human analysts to focus on good stuff. So another part of that I'm wondering about, and I know it's happening, but maybe you can explain how this is happening, is how do you bring the good frameworks that are developing? One of them is zero trust network access, that's come along in the last couple of years, and seems to have gotten a hold. And there's some other new frameworks coming along that are all, I think the common denominator is that they're edge focused, or cloud focused frameworks for doing this. How does that fold in, how do you pull in the framework side, and the policies, right? The policies on who gets access, how much privilege, that kind of thing.

Greg Martin: Absolutely. So I think that this is really going to define a lot of the process of security operations in the future. When we talk about the modern SOC, it's not just the technologies and how we get the data, it's also about what are the vulnerabilities, where are the threat vectors, where is the new security posture in this new cloud-centric world. Zero trust is a really good example of that. I think that cloud actually brings more security to an environment, is inherently more secure, but the controls, and policies, and what you have to monitor has changed a lot. So it doesn't mean that the threats will go away. Obviously, organizations move to the cloud, they're getting compromised, their S3 buckets are exposed, and they're having these data leakage events, we read about that in the news all the time. So even though I do believe that moving to a zero trust where everybody's authenticated, and connecting in the cloud, and accessing their services, I think that's the right way to go, it's going to make us more secure in the long run. Especially with COVID, everyone's working from home now, and connecting from any type of device, we have to move to this newer type of network infrastructure, and a security access policy. So now really the idea is how do we monitor this new environment? How do we make that shift from monitoring our old on-prem assets, which many organizations are still going to continue to have to do in their SOC for maybe years to come. And then also start bringing this new cloud-centric world into their profile, and building this together. So as you know Byron, the majority of large organizations, and some small ones as well, are going to still have some legacy data center assets that they have to monitor. So the new modern SOC is going to be hybrid, right. And it needs to understand the nuances, and has to understand the different controls and processes for monitoring these two different types of environments.

Byron Acohido: Yeah. So, I mean, I'm gathering from what you said, and this is kind of what I was asking you is, so these new frameworks and the policies, that is a role for the modern SOC? That is going to happen as part of this in addition to-

Greg Martin: I think the modern SOC has to adapt to it, right? So the SOC doesn't typically set the policies of the organization. The CSO usually, in most organizations, is setting security policy, and the SOC is then monitoring and enforcing it, right?

Byron Acohido: That's what I mean, monitoring and enforcing it.

Greg Martin: And really that's the job, is for the SOC to monitor, enforce, and reduce the risks. So part of their job is to detect the bad guys once they get into the network. So understanding all these concepts, having the right monitoring tools in place, and the right processes to be able to respond to it, whether it's an attack on their on-premise data center, and their legacy apps, or some of their new apps that are running in cloud workloads, it's just as important, because the attackers, they don't really discriminate. They're going to go after the weakest link. And when they go after acmebank.com, they're going to attack that site. And they're not really going to distinguish is that running in the cloud, is that running on premise? Once the attacker knows, they're going to shift their techniques and tactics to be more successful based on what type of deployment it is, whether it's in the cloud or not. So within the cloud, they're going to start probing for misconfigurations, open S3 buckets, and you really need to be pulling the right information, and you need to have security controls that understand those types of systems, and those types of vulnerabilities. And this is something that a lot of organizations are starting to wake up to, and understand, okay, so we need one SOC that has the right technology and training for their analysts to watch the threat vector across both my on-premise workloads and my cloud workloads. And quite frankly, that's one of the reasons Sumo's Cloud SIEM has been so successful, is because it gives one pane of view to view that attack, that goes across and sometimes spans both on-premise as well as cloud workloads.

Byron Acohido: So, yeah, you've mentioned a couple of times here cloud versus on-premise, and I've heard this discussed elsewhere and it seems to ring true that yeah, we're moving to cloud, and cloud security, and edge is all important, and then we got to go there, but it's not going to be a lift and shift. I mean, they've got, there's hundreds of billions spent on web gateway firewalls, on intrusion detection. It's not going to go away overnight, and people aren't going to move 100% into the cloud anytime soon, even though it's happening.

Greg Martin: Yeah. I mean, it's moving fast. I think COVID has really accelerated this. So I think that when organizations are looking to invest in new security technologies, they're not buying on-premise appliances anymore. It just doesn't make sense. They're looking at what can I invest in to protect my organization for the next five years, for the next 10 years? And picking cloud and SaaS-based security solutions really is a way that they can kind of secure that bet in the future. So I think it makes a lot of sense. And you mentioned zero trust before, and how organizations are getting more savvy, so even though there's been a lot of compromises in the news, the security industry has not been asleep at the wheel. We've been working very hard, and in some ways secured our organizations and networks very, very well in some areas, which has forced a shift in the attackers to focus on other attack vectors. And that's why you've seen a rise in ransomware. That's why you've seen a rise in some of these attacks, like the supply chain attack that you mentioned in the SolarWinds incident. This is really... Organizations as they're shifting their IT are getting better in cybersecurity in some areas, the attackers are going to shift their attacks to focus on the weakest link. So this is really something that the modern SOC, and the concept of how do I build and mature my SOC program to defend me from, not the threats of yesterday, but the threats of tomorrow. It's not just about bringing in automation to reduce the alert volume, it's about understanding and having visibility to the threats that we're going to continue to face in the coming years, right. Sometimes it's from our trusted partners.

Byron Acohido: Yeah. So let me ask you a question in closing here, that maybe kind of ties us all together a little bit. So I'll throw a statement out at you: if, as a principle, if I as an enterprise agree that there's a role for a modern SOC that can do all these things we're talking about, and if I pursue that with due diligence, and do what makes sense and take advantage of everything that can help me, that compliance will take care of itself? Because we haven't talked about that at all, but there are pressures coming from the compliance side of things, in terms of privacy regulations, industry regulations, there's going to be more supply chain regulations, et cetera.

Greg Martin: That's a complicated [crosstalk]. Obviously, here's why compliance is important. I think that when you look at cyber security, the exciting part is, okay, the bad guys are coming in. We want to keep them out. We want to prevent them, but we all know that it's never going to be a hundred percent possible to stop a breach a hundred percent. So we have to focus on a couple of areas. One is being compliant to make sure and prove, especially in public company environments, prove to our shareholders that we're taking all the steps necessary to monitor and secure our data. So we have to prove that, and compliance is one way to do that. The other is, if we can't always a hundred percent of the time prevent the attacker from getting in, how do we reduce our mean time to detect, and our time to respond, so we can find that attacker, respond to it, and get them out of the network and secure the data that they're after, before a breach happens. Really that's become the name of the game. This is the job of the modern SOC. So I said some maybe controversial things about how things are changing with the people and automation and that the SOC is no longer a human-scale task, but let me say something a little less controversial. I believe that humans in our lifetime, Byron, are going to be the number one defense for any cybersecurity attack. We're not going to have any AI that's going to take over and wipe this problem out for us, right? We got humans on the other side attacking us. Humans are going to be the best defense. So really what we have to do is arm them with the best policy, the best process, the best technology for them to do their job. And that's what we're focused on here at Sumo, building our security operations center technology, with Cloud SIEM, and Cloud SOAR, and really investing in the future and enabling organizations that are embracing this concept of the modern SOC and helping them achieve that.
So again, it's all about making our defenders successful. It's not an easy job, the attackers are sophisticated.

Byron Acohido: Yeah. It's a never ending job, but it is encouraging that the SOCs continue to evolve. The security operation center continues to evolve. You guys are at the forefront of that.

Greg Martin: Well, it gives us both some job security, right?

Byron Acohido: It does. But you did say one thing that I agree with, is that the defenders are making incremental and material progress year in and year out. It's just, those don't make very good headlines. The attacks make the better story.

Greg Martin: That's absolutely right, and that's what we're here for at Sumo, is helping organizations make those incremental steps to maturing their organization. And we appreciate you guys joining in. I think we're almost at time here, but I just want to say we're really excited for the content that we prepared today, and for everyone to learn a little bit more about modern SOC, and what some organizations are doing, both customers at Sumo, and folks looking at Sumo, and just anyone out there that either is looking at building a SOC from scratch, or has a SOC today and sees this problem and wants to figure out how do I build a modern SOC. So we hope you enjoy this event. Thanks so much, Byron. We really appreciate you.

Byron Acohido: Yeah. Thanks for spending the time and sharing with me. Appreciate it.
