Getting Started with Cloud SIEM
This session from The Modern SOC Summit with Paul Bowen focuses on Sumo Logic's Cloud SIEM. Paul is the Channel Technical Security Manager at Sumo Logic. He shows us the benefits of Sumo Logic's Cloud SIEM and how it differentiates itself from other SIEMs. Then Paul gives a demo of Sumo Logic's platform, where he shows the different dashboards and, finally, how you can utilize Sumo's SIEM.
Paul Bowen, Channel Technical Security Manager, Sumo Logic
Paul Bowen: And to begin with everyone, my name is Paul Bowen. I'm a technical channel manager at Sumo in security. I began my career in IT about 25 years ago as a global security manager at Estee Lauder. Then I worked at ArcSight for almost 10 years, Securonix for a few years, Mandiant, and FortiSIEM, doing SIEM or cloud-based SIEM for the last 15 to 20 years of my career. I'm here to walk you through Sumo's cloud SIEM today, and I'm going to turn off my camera now that I've introduced myself and I'm going to get started. At any time, I have Jason here with me; you can pop questions into the chat and he will do his best to answer them. If not, he'll post them to me and I'll take care of them. So, today we're going to be talking about cloud SIEM with Sumo Logic, and we're going to do a cloud SIEM demo. So, Sumo's cloud SIEM is a platform that offers a lot of advantages over an on-prem based SIEM to manage your SOC. In fact, the Sumo cloud SIEM platform was part of the Sumo cloud SOC. Some of the advantages that we offer are A, a rapid time to value with quick deployment out of the box because of our cloud native architecture. We don't have a large on-prem presence, and one of the many advantages of being a born and built in the cloud platform is where traditional SIEMs have been ported from on-prem to in the cloud, Sumo only ever was in the cloud. So with many of the legacy cloud SIEMs, you have to provision your entire infrastructure upfront. With Sumo, you could decide to say, "I only want to bring in a hundred gigs of logs a day," depending on the size of your organization. If for a couple of days, you double, triple, 10X that, it's no problem.
The infrastructure will automatically scale and then at the end of that surge, let's say you're being attacked and that you've figured it out, and you've mitigated the attack, the Sumo storage will again shrink back down to what you originally contracted for, and you won't have to pay to have four terabytes of storage every day. You'll just have to pay for the days when you had a lot of extra storage over a 30-day average. Our cloud native architecture gives us that scalability, where we can scale up and scale down dynamically with no intervention from our engineers or your engineers. We give you a single collaborative platform and that's for DevOps, SecOps, IT ops, compliance, and also correlation. Sumo is a large scale data lake and the idea behind it is allowing you to put all your data in a single place with the redundancy and protection of the Amazon cloud. And then we modernize your SecOps workflow because we have a full workflow built into the Cloud SIEM Enterprise that allows you to take tickets from inception or cradle to grave, and along the way, adding insights and adding data into that, to make it easier for you to repeat. Plus, with our powerful search engine, you could search a day, a week, a month, three months on a single IP or username and find out everything they did over that timeframe. So it enables your SecOps operators to work much faster over longer periods of time. We also support all clouds. While we are built in Amazon, we will take G Suite and Azure data happily. We have correlation rules for both those platforms, and of course AWS, and we have something called automated insights in our Cloud SIEM Enterprise. Your traditional SIEM gives you an alert; with Sumo Cloud SIEM Enterprise, we give you an insight.
An insight, and I'm going to explain in detail when I go into the demo in just one more slide, an insight is based on something we call adaptive signal clustering algorithms that create entities and track them over weeks, not just a few hours. We put all those alerts, which we call signals, together to create this insight once it hits an activity threshold. This means that it's like a tier two analyst is sitting behind a tier one analyst saying, "You need to gather all this data to create your case." With us, we automatically gather all that data and generate them as insights, so your analyst can focus just on the insights. Now, as I said before, Sumo Logic Security Intelligence Solution is a platform, it's where you put all your data and where we cover all the different verticals that you would expect in a modern SOC. We have our audit and compliance in our Sumo. We also have cloud security monitoring and analytics, and each of these has a different area of expertise. We've added, over two years ago, a cloud SIEM component to add correlation and those next generation insights that we're going to examine today. And finally, we've introduced a cloud SOAR. So the idea is whether it's compliance, whether it's Kubernetes, whether it's cloud, whether it's correlation and whether it's remediation, you can take an incident from cradle to grave and actually take an action and track your remediation all in one single platform. That's the idea behind Sumo. We're a modern SOC, we're a cloud-based SOC, and we have many attestations to prove our security in and out of the cloud. So I'm not going to go to the last slide because that's the slide that tells you how to get in touch with us. I'm going to switch over now and go right into the demonstration. So, this demonstration is going to start with some of the Sumo dashboards that current Sumo users know and love.
If you've never used Sumo, you'll get to see a good introduction into the variety of data we offer, and the variety of compliance options and security options that are built into the platform. Everything I'm going to show you today is pre-built content, so you don't have to build any of this yourself or hire expensive professional services to build it. The first is our global intelligence service for GuardDuty. This dashboard allows you to ascertain how your company is doing against Sumo's other thousands of companies in the cloud. What we've done is we've taken it and shown you that compared to the rest of our customers, where your security posture sits. Now, this is anonymous, no one can see your data, you can see their data, but we average this out for you. If I were to look at this, my company versus the baseline of all of Sumo's other customers, I can see that as far as high severity alerts go, I'm very low. As far as medium severity alerts go, I'm slightly above average. Again, with low severity alerts, I'm slightly above average and I actually get to see that most of them are recon and then the rest are pretty low. So the idea behind this dashboard is to give you immediate situational awareness of your cloud. This is a built-in dashboard. We also have a security insights dashboard, which has everything you'd expect to see in your traditional SIEM SOC dashboards. It shows you failed login counts, the sources that it's coming from, the outliers, how confident we are that things are malicious, where everything is happening in the globe. Again, I'm going to say this on each dashboard, they're built in, they're out of the box. You don't have to do anything special except give us the data for us to produce these analytics for you. Moving along to Kubernetes, we have a dashboard built, again, for Kubernetes where you can see the status of all your clusters, your namespaces and your deployments.
So the idea is, with one quick glance, you can see the health of all your pods, all your namespaces and all your clusters, and right out of the box it's one of our hundreds of apps that comes with Sumo. There's no extra charge for these apps. You just click on them and install them into your Sumo SOC. Finally, before we go to the actual SOC component, I wanted to show you that we have a DevSecOps dashboard for your Jenkins and your NGINX and all the different types of threats that are out there. Again, you can monitor this any way you choose. If I scroll up, here's the Jenkins. I had it hidden, sorry about that. But the idea is your average build duration, your log levels over time, everything is here, your ELB requests by location, for you to quickly understand what's happening in your environment. The idea behind all these dashboards is just to make it easy for you to do your job and to monitor your company. Well, we're here to talk about Cloud SIEM Enterprise, Sumo's correlation engine in the cloud, and this is our Cloud SIEM Enterprise dashboard. What this dashboard does is it tells you your security on all your devices on your network. We start with our record count, and again, Sumo is a data lake, so all your raw logs go into the Sumo data lake. Once we get all those raw logs into the data lake, we're going to go through a process called normalization and enrichment. Just like a traditional SIEM, we enrich the data with geolocation and DNS and all the things you would expect, but we also add entropy rankings, dynamic DNS, and DGA rankings for every website in your environment. At the same time, we take that unstructured data and structure it so that it can go into the correlation engine's processing. The idea is you come from tens of millions of records to hundreds of thousands of signals. Now, signals are generated when one of our 600 pre-built rules matches one of those normalized, structured data schema records.
The idea is when it triggers, it creates an entity and an entity is key for us to generate the insights that you'll see next. I want you to see that those insights are 108 over seven days, but we'll go into detail how this happens. So when a signal is generated, an entity is created, which could be a username or a host name, or an IP address, or an [inaudible] address, or a MAC address, or any field in our database can be construed as an entity. We track that entity by default for 14 days, and are looking for an activity score. To give you a practical example, I, Paul Bowen, log in on the first, after being out for three weeks, and I forget my password three times. This triggers a correlation rule, giving me two points of activity on that threshold of 12. The next thing that happens is I remember my password. So now, after three failed logins, another default rule says I got my password right on the fourth time, giving me four points of activity towards my 14-day entity window. The entity window is adjustable as is the threshold. Then on Wednesday, I click a phishing link. Now I get four more points of activity and now over three days, I have eight points of activity. On Friday, I actually download some malware giving me another three points of activity. So, now I'm up to 11 points of activity over five days. But before the malware does anything, I shut down my laptop and go home. I come in on Monday and my laptop starts to beacon, giving me another three points, giving me an activity threshold of now 14, which is above the default threshold of 12 and I generate an insight which has, using our adaptive signal clustering, put firewall data, phishing tool data, OS log data, all into one insight for me. So when my analyst goes to that insight, they immediately have all of the signals that were generated on that entity over the time period it took them to create the insight. That's where we take that next step in our evolution.
Your traditional SIEM generates tons of signals, in fact, too many signals, but with 108 insights over seven days, that's barely 14 insights a day. We're going to show you how an insight can be remediated in under 30 minutes using our system. So, one analyst could clear all the insights in one day and instead of continuously falling behind, as is a SIEM's most prevalent problem, and becoming exhausted, another problem with SIEM, we eliminate analyst fatigue, and we eliminate the eventuality where you need to hire more and more people just to catch up, not even keep up, with the number of security alerts you're getting. So, that's the top row of this dashboard. And then in the bottom here, we have the insight count. We're going to dig into an insight in a second. Then we have the rules that fired and the records or the raw logs that caused those rules to fire and the status. Fortunately, we don't have any red insights, which means we don't have any high level insights, but I'm going to now drill down into an insight right from here. I click on this insight and now it takes me right into the Sumo dashboard. Just let me make this full screen, oh, it was full screen. So I just want to point out a few things about this insight. It's got a name and the name is derived from the signals that fired. The signals that fired, like initial access and persistence, are added to the name, so you know on the MITRE ATT&CK framework, exactly what this insight is all about. It's about persistence with initial access. If you know MITRE, you know that's fairly dangerous and we have five signals involved and on top of all the other enrichment, we add more enrichment. We have a server that can actually go out and if you have a CrowdStrike account, it will pull the CrowdStrike data. It'll do an NS lookup, it'll do a username lookup and add all this information as enrichments right into the signal. Those are added enrichments.
The default enrichments, I'm going to go into in a second and they're right here. So, as we look down these signals, we see a vulnerability reported and we have zero severity rules that just fire so you know something happened. It's all about the entity that got generated when the first rule fired. So we know that this entity has a vulnerability, so we just want you to be aware. Then we have TAP; Proofpoint said there was a phishing email click for four points of activity. Then we have Check Point Threat Emulation, and I'm going to drill into each of these signals in a second, for three points, giving me seven points of activity. As I scroll down, I get a threat intel hit for another three, that's 10 and finally CrowdStrike detection summary event for five. So, now I have 15 points and that's why this insight was created, why it fired. Across the top, you get a history of when all of these took place. If this wasn't demo data, this would be spaced out over 14 days, but it is demo data, and this is what I call the hundred foot view. We're looking at the system from a very high level view, and we're able to now drill down into each of these, but just from this, you can get a feel of what the system did. It clustered together all of these different signals, all of these different MITRE ATT&CK tactics and techniques based on this entity. Now I'm going to try the Proofpoint one, because that's the first one with any severity. Here we're at what I call the 10 foot view because we can still go deeper, but let's start right here. The first thing we want to do is, by gathering all those insights together, we eliminate the need for your analyst to log into all those systems. We eliminate the need for your analyst to have the credentials and know how to run the query, and we eliminate the need for your analyst to have the experience to know that they had to be gathered together in the first place.
So right then and there, we're eliminating much of the work that investigations require. If Ponemon says it's two hours to do an investigation, by eliminating four queries, constructing them, logging them and executing them, we've knocked at least 75 minutes off of that two hours. So, now we're down to 45 minutes or less. And what we do after that is we tell your analyst what fields we think they should be focusing on, with what we call favorite fields. So this is just our security analysts who've built the system, telling your analysts where they need to focus. But let's drill down a little bit and you can see the URL they clicked on. You can see the Alexa ranking of the website. You can see the entropy. If you're familiar or not familiar with entropy, it's a very simple formula. It runs from one to five, and the closer you get to five, the more random the URL is, and the more dangerous it becomes, or the higher the entropy is. We get the URL entropy on the root domain and we also get, is it dynamic DNS? No, we don't think so, but it is a fairly random URL. We also give you the ability to take context actions. What I mean by a context action is I could search the Sumo database and show me everybody who clicked on this URL, today, for the last week, for the last three months if I wanted to, right from inside the system. So we're still at what I would call now the 10 foot view. This is where we add in all the fields, even the ones that we don't directly map. The ones with the stars can be added to favorite fields and the idea is we tell you the vendor, we tell you that it was a targeted attack protection. It was a click, the click was permitted, and we tell you that the threat was phishing. So right at the top, your analysts can look at this and say, "Okay, Proofpoint, it says this is a phishing exploit." Great. So I can say, "Maybe I want to get a little more view of the details." I can go and show all the data that we have.
If I'm someone like myself who likes to look at a raw log, I can click on the raw log and it'll take the system a minute to come back with the raw log. But the idea is this is the floor, the deepest view you can get. The idea is we have a ton of information for you to look at right here. So, that's our first signal and already we think maybe there's something we need to do. So I'm going to move on to the next signal. And in this next signal, we'll see that this is a Check Point Threat Emulation. The rule is right here. The logic is right here. The entity is the same again. The tactic is here, it's listed. When we get to here, we now can see that the destinations are there, the ingest source, the Check Point, the right cloud. It gives us the MD5 hash. It gives us the file name and the type of malware right here. Again, this is the 10 foot view, not the basement just yet. But one of the other things I could do is say, "You know what? For a context action, does VirusTotal think this is a dangerous file?" The system will go out and execute a VirusTotal query and it'll come back in a minute with the information from VirusTotal as to whether or not that's a dangerous file. So we can just keep clicking through and again, a lot more information than we need, but all the details are right here if you want to go even deeper. So you can just keep going deeper and deeper into the system, and let me see if VirusTotal... they're not being very friendly today. We'll try and refresh... oh, there we go. So VirusTotal has said that 40 of the 66 vendors they work with flagged this file as malicious. So now that you know that, your first two signals are legitimate. Proofpoint said it's a phishing and the file that you downloaded, you've been told that it's malicious. So you get the file name again and the type and everything else. So then we can go one more signal further, or even two more signals further.
Here we see that CrowdStrike has told us that this is a dangerous hash. When we scroll down here again, it's the same file name, the same file hash. We get the lists that matched in CrowdStrike, and you can upload your own match lists for threat intel. As we scroll down, we get all the information now, at least in my opinion, to start making a decision. This is the actual Trojan name that was in there. This is the antivirus engine that detected it first. This is where it was put. All the information you need to now make a decision. If we go to the last signal as part of our decision-making process, we say, "Okay, still from CrowdStrike, there's just a lot more of the same data," but this is just a summary from CrowdStrike of everything. So at this point I could say to myself, "I'm fairly confident I want to take an action." And my action could be, "Well, I want to email it to myself." So I'm emailing it and now it's going to show up in my inbox. But another action I can take is to say, "Maybe put it into one of the SOARs." And as I mentioned, Sumo has their own SOAR, and that'll be integrated into the system in the very near future, but this is a test system. Or you can put it into Teams or Slack, PagerDuty, ServiceNow and manage it that way. We also have a status, it's in progress. I'm going to move it to... maybe I can move it to closed if I wanted to. I have to tell why it was closed, it was resolved. I'm going to automatically assign the insight to me because [inaudible] unassigned. So I'll put in an additional comment, closed due to reworking of [inaudible] rules, whatever I want here and I close the insight. Now you see that it's been assigned to me and I can update the tactics and techniques to active scanning, or acquire infrastructure. Then I can put extra notes in here. So now, if I go to the Sumo overview of my Cloud SIEM Enterprise dashboard, I come back here and this is the heads-up display.
You can launch it either from in here, like I did, or if your analyst wants to start in here, they can. Basically these are the records and signals that we saw in the other dashboard and the insights; this is the mean time to detection, response and remediation. This wavy form is the records, which were raw logs. These bars are the signals. Here we'll see that as the insights are tracked, they can look at the triangles and see exactly what status the insights are in, or they can just look here and immediately get the situational awareness of where your dashboard is and everything you need. I can just quickly click on one of my insights here. Now you see that we have a Kanban work board where we can adjust these tiles to have different names if we want to use the built-in ticketing system in the cloud SIEM. So I know I went through a lot of data quickly. I don't know, Jason, are there any questions? Is there anything that I didn't cover that you think I missed?
Jason: Yeah, no, that was awesome, Paul. Thanks so much for running through the cloud SIEM platform and talking through the specifics here. So there actually haven't been any Q and A that have come in, so I don't know if... We can either just stay on mute for a few minutes, see if folks do have questions that come to them, or if you did have an additional sidebar feature that you wanted to quickly show, that would also be an option, but we're coming up on time. We typically are keeping it to 25 minutes and then five minutes for Q and A. So we could just stay on mute and see if folks have questions, or as I said, if you want to show one more thing, we have a few minutes.
Paul Bowen: Yeah, I'll start you on something, if questions come up... I always like to highlight the entities because in the entities, you get to see some very interesting things. If I were to look for a specific and... [inaudible] if I were to look at a specific entity, I can see for the last 13 months, every signal related to that entity. Because this entity is an Active Directory user, we comb the Active Directory. That was a question. And we get all their group information. So let's take a look. I can't see the questions, can you see them?
Jason: Yeah, I can see it. So I'll read it off to you, Paul. So the question from Gilberto Esparza is, the main SOC dashboard that was shown, is that a dashboard built on Sumo Core? That was the question.
Paul Bowen: Yes, this dashboard is built on Sumo Core and can be shared. It just hasn't been put into an app yet, but it's absolutely shareable to any customer. It's built on Sumo Core and it's fed by the Cloud SIEM Enterprise's data.
Jason: Cool. So yeah, hopefully that was helpful in clarifying the relationship basically, between Sumo Logic Core platform, which we covered in the previous session. So Gilberto, I don't know if you were on for that session, but there would be some dots that you can connect now from what our technical marketing manager, Scott Bauer had just shown, versus what you're seeing Paul showing. Then it's an interesting feedback loop because of course, Paul is also showing ways in which the cloud SIEM data is routed back into Sumo Core platform as well.
Paul Bowen: Correct. My contact information is down here, I encourage everybody to take the survey, let us know what I did well, what I didn't do well in here. If I missed something, if I went too quickly, or if I didn't go technical enough, or if it was educational, you can let us know that too. But again, you can contact sales or you can contact me directly if you have questions you didn't want to ask during the session and I'll be happy to follow up.
Jason: Cool. It looks like we had one more question come in from the chat. So are you able to see that one Paul, or I could read it off to you if not?
Paul Bowen: I just have to end the slide show, it's... When it ends, I should be able-
Jason: If you want to keep it open, I can just read it out.
Paul Bowen: Okay.
Jason: Does that work? Cool. So the question from Adrian Chow is what are the basic fundamental logs that need to be collected, or absolute minimal systems to have to protect your environment? So Proofpoint for email, firewall, Active Directory, server logs, endpoint logs, as a question, that's what Adrian was curious about. So, I mean, I can also field that too, but Paul, do you want to chime in on, I guess-
Paul Bowen: Oh sure.
Jason: ...what your top three or top eight lists, whichever makes the most sense?
Paul Bowen: Absolutely. So what I generally do is everything you've covered is pretty much essential. I like to also get a network sensor going, so that I have Bro/Zeek logs, but firewalls, OS logs, IDS logs, AV logs, and endpoint logs are really the key. If you're using a proxy, obviously we'll want the proxy logs, but what you would call your traditional perimeter defenses are first and then your secondary internal defenses, like a Bro/Zeek sensor, syslog from all your switches and routers of course, but that is just all part of your network device traffic.