Introduction to Security Intelligence, Monitoring, and Analytics
In today's session from The Modern SOC Summit, you'll hear from Sumo Logic's Jason Dunne, Dana Torgersen, and Scott Bower, focusing on security intelligence, monitoring, and analytics. Dana is the Director of Product Marketing, and he takes us through the security intelligence solutions offered at Sumo Logic. Jason, Product Marketing Manager, will dig deeper into the cloud security monitoring and analytics solution and its features. Scott is a Senior Technical Marketing Manager who brings it all to life and walks us through a platform demo.
Dana Torgersen, Director of Product Marketing, Sumo Logic
Scott Bower, Senior Technical Marketing Manager, Sumo Logic
Dana Torgerson: Hi, everybody. Welcome to the first session and our Get Started with Sumo Logic Security track of the Modern SOC Summit, presented by Sumo Logic. I'm Dana Torgerson, director of product marketing with Sumo Logic for our security business unit. With me also on the line here is Jason Dunn, product marketing manager at Sumo Logic, and Scott Bauer, a technical marketing manager here with Sumo Logic. A little bit of housekeeping as we go through these sessions throughout the day, regardless if you're in our track or in any of the other two tracks in the Modern SOC Summit this morning, we'll be recording them, but you can also ask any questions that you'd like. Just go into the Q&A button there in your Zoom panel. We'll get to as many of them as we can at the end. But also among the three of us, I'm sure we can address questions as they come through. As for the agenda today, what we would like to talk about is... I'll give an explanation of our security intelligence solutions that we offer here at Sumo Logic. And Jason's going to take it from there and go deeper on the cloud security monitoring analytics solution, explain the features and the functionality. Followed by Scott. Scott Bauer is going to actually then put it to life. He's going to actually show a demonstration of exactly what Jason is describing. So really, in a nutshell, we've got this portfolio now of security solutions. Some of you folks on the line I realize are existing customers and thank you for your support. Other folks I see here, I'm not recognizing some of the names, and that's great. You're in a good spot if you'd like to learn more about how you can go deeper with security.
And then across the spectrum of our solutions, whether it's audit and compliance, cloud security and modern analytics, which is the focus for today, but also we have our cloud SIEM solution, and we've got a Getting Started with Cloud SIEM session following this one at 9:30 AM Pacific led by our partner architect, Paul Bowen. So check that out too, if you'd like to learn more about that. And also on the far right, a new addition to the Sumo family, How to Automate Your Cybersecurity Initiatives Using SOAR. That's a session that's going to close out our summit track here at 11:15 AM Pacific. And that's where Darrio and Andrea will go deeper into our Sumo Logic Cloud SOAR solution, which we just acquired, along with the great team from DFLabs right there in Italy. And as you're hearing Jason speak today, going through the different solutions, I want you to understand that as you're progressing and maturing the security operations and modernizing and innovating with Sumo Logic, you're kind of gravitationally pulling from left to right, regardless of where you might start with us. Now, all of this is built on a platform, and this platform is... Clearly it's cloud native. I'll take one slide. It's cloud native, and it's actually right there, architected natively in AWS. And it's this solution which allows more than 2,100 of our customers, many of you here, to be able to use this function across so many different use cases and situations too, all using a single platform, all these use cases. You're getting the economies of scale with our consumption model. Some of you are using credits, others using our tiered data analytics. And this platform with the scale and the elasticity that you need, that we need to deliver it to all of you folks, we're taking in 27 exabytes of data and scanning that monthly. We're looking at more than 800 petabytes of data analyzed every single day. And we have 1.6 quadrillion events that we scan every single day across our customers worldwide, across all of our items, all of our regions that we have deployed in and that you're using. So with all this capability and with the fact that we're bringing in all the different users, a lot of you I see are security operations, but we have some folks from DevOps, ITOps, DevSecOps, and the thing about this platform is it brings everybody together, pulls folks together to solidify the fact that you can use the same data set, be on the same page, literally, and there's no extra charges, as a lot of you customers know. We're not charging for additional users. That's all just included. You get into the platform. But this platform has so much stuff in it. I really need to stop talking. I need to let Jason get in here and go deeper in our cloud security monitoring and analytics solution. So with that, take it away, Jason.
Jason Dunn: Excellent. Thanks for that quick run through, Dana, of our overarching security intelligence portfolio. So as Dana mentioned, I'm going to kind of... We're going to focus on this second to the left column of cloud security monitoring and analytics for this morning session. And when we think about cloud security monitoring and analytics, it really dovetails in, as Dana suggested, that it really connects in with all of the other pieces of the security intelligence portfolio, and very much is a foundational component of each of those tools, as you think about wanting to really dig into deeper details with queries, alerts, dashboards, which we'll spend some time describing this morning. So we'll actually close out the session today with, as Dana mentioned, with Scott actually getting live in the platform, but I just want to really quickly run through the core of what the challenges are that we solve for, what some of the solutions are that are attached to that, and also give some more backdrop as we describe the core of that piece of the portfolio, and then give Scott the chance to actually... I always call it the fun part of really get to know the platform, see it in person, see it live. So I just want to level set before we dig in here. So as we described cloud security monitoring and analytics, the focus is really... From a feature perspective is going to be on the ability for deep search foundational correlation and alerting. So alerting really is a feature that connects back to search very readily because what you're able to do is really customize a set of searches, assign who is receiving alerts based on the searches when they cross certain thresholds. Secondly, data enrichment visualization. So here we're really describing the dashboard aspect of the solution. 
And then threat feed integration, outlier detection, global threat benchmarking, all our types of dashboards that can be better utilized in order to take the most advantage of the way in which those dashboards are constructed. So let's take a second to talk through some of the core challenges that we see for our customers that they're really commonly looking to solve for. So the first being real commonly a lack of cloud support, which is to say many platforms do not give you the ability to actively ingest cloud data from a combination of many cloud data sources, and we'll get into more detail around what some of those data sources actually are in more concrete detail in a moment. And then limited visibility really being a core challenge that we see a lot of our customers faced with. It almost connects to the right column and the left column here in the sense that the limited visibility really comes from the lack of types of data sources that can be brought into one platform in order to really generate their correct insights for that use case. And then thirdly would be limited analytics. So many, many analytics platforms are constructed for a very broad set of use cases, or it's kind of handed off as an open source tool with not a lot of specific thought to what that use case will be that's attached to that. So how Sumo Logic actually improves security posture through our cloud security monitoring and analytics offering, and how we connect to those specific challenges, is that firstly Sumo itself is very much a cloud native platform. So we're built on AWS from the start. We are very much able to scale up with our customer needs accordingly. And then secondly, we're able to bring in a very diverse array of types of data, whether that's firewall database, identity access, CDN data, et cetera, and that's inclusive of AWS, GCP, Azure. 
So there's really a wide array of types of data sources that you're able to then bring in which connects to the increased visibility component here. So as we think about the ability to bring in those data sources, we also can then think of the ability to generate insights against each of those specific data sources. So specifically if you're looking to bring in AWS and GCP data and maybe have a small experiment with an Azure Kubernetes cluster on the side, all three of those could be brought under one roof, which will really give you that kind of overarching umbrella view from one platform. And then thirdly, security focused analytics. So as we described a lot of platforms focus, or I should say have a lack of focus on a very broad set of scenarios, use cases, don't really allow you to dig in to deep details around a particular use case. Whereas Sumo Logic, in addition to core DevOps use cases that some people on the call may be familiar with, security is very much a focus for those use cases. So I'll actually run through quickly prioritization investigation response, and Scott will show you that in a more live setting, as well as to how we tackle those particular use cases. We probably don't have time to get into all of the many details that include the technical aspects of what our architecture is as a platform, but just to give you more of a visual sense of what I've kind of described in the previous slides, essentially, as you think about the various data sources that you can bring in, we really keyed in on this, which is multicloud. But then additionally, it could be an external app or product that you've built for your customers, it could be an internal business application, or it could be on premises data as well. So we want to give a shout out for all the types of data sources that you may be bringing in in order to execute against security monitoring, security analytics goals within your organization. And then that really... 
Because of that ability to run security monitoring efforts and security analytics requirements under one roof, then you're able to also get the granularity of going to the device level, IP level, network level, database level, et cetera, and really get into the deeper details as you explore. So just to back out a little bit from more of the architectural level. So our cloud security monitoring platform very much was focused on enabling security teams to process, investigate, respond to security incidents actively. Scott will actually be showing live this dashboard here, and we'll get into more detail around how you can get that kind of overarching overview of your data. And some of the core features that really help support the use cases that we described, et cetera, would be out of the box app catalog content, so really not having to build something custom right out the gates, but instead being able to really rely readily on something that is available to you right off the bat. Subqueries, lookup tables, built in feeds to really add that context. CrowdStrike threat intel, built in threat feed to really better understand what your current attack surface is and how you want to actually navigate accordingly based on what threats you're seeing pop up. Raw text searching really allowing you to get into more detail and a lot more details around that as well. As we think about prioritization of threats, we really want to be able to allow our customers to generate actionable security insights, whether you're leveraging on-prem, hybrid, cloud data. It's really about surfacing those most relevant insights. We often say we don't necessarily want our customers to have to live in our dashboards. We want them to be able to pop in as necessary, just get the quick core sense of what you're actually looking to achieve, and then dig into a deeper query or even set up an alert from there so that the alert comes to you rather than you having to go to the dashboard in that place.
But in those events where you do see, within the dashboard, something that you want to dig in deeper on, that's where the deep investigations really come into play. So that's going to allow you, essentially, this is the view of what our queries look like. And if and when you drill down from a panel, you then have the opportunity to utilize our native query language. And a lot of really interesting operators within that to go deeper, better understand at the granular message level, and really pivot out on specific IPs, et cetera, based on what you're seeing, what your findings are. And next would be acceleration of response. So as we think about improving overall security posture and accelerating incident response times, Scott will actually give an awesome look a little bit at what this process will look like, but you can start to piece together how you can essentially use all three search alert dashboard in order to really chain together and better understand how you can accelerate response time, and then getting specific with user activity. So here we have a few examples of Azure audit data or Okta data where you're getting a lot more specific and sizing up unexpected anomalies, then pivoting out on specific users. So with that I'm actually going to stop sharing here and turn it over to Scott Bauer, our technical marketing manager, and I think you'll have a lot of fun getting to know the platform. He'll show some really interesting aspects of the platform. Thanks so much.
Scott Bauer: So good morning, everybody, good afternoon, good evening. This is a worldwide event, the joys of COVID, joys of everybody being virtual, so we have a pretty good sized turnout, 50 some odd people wanting to learn more about Sumo and how it can help you provide the tools and the techniques that you need to deal with the problems we're dealing with today with this massive amount of threats coming in, constantly changing and morphing attacks, et cetera, et cetera. So I'm going to be going through several screens that is the portal into Sumo Logic, as well as some of the integrations. So let me go ahead and start my share here. All right. All right, folks. So if you had listened to the keynote we first started off, one of the main topics that we talked about was the days of being everybody in one room looking at a big screen and dealing with the alerts and the events, that is kind of on its end because of the virtual environment where a lot of us are working remotely and most likely will continue over time to do that. So we talked about the application in Sumo and how it has to interact or tie with some of the existing solutions or products or collaboration tools that you have today. So very quickly here, I'm showing a very quick integration with Slack, that could be via a native integration directly out of the solution itself, or if there's no native application, most of them are there, but we can use basic things like webhooks. So we're seeing here, I come in in the morning and I have this alert, my SecOps high priority, wait a minute, what's going on? We all see this. Hopefully just one or two, but reality is you probably have many of these. So this is a very quick alert saying we had a specific situation going on between two IP addresses, one on the inside, the 192 address on my inside, with some outside IP address, and I need to take care of this. This is most likely a threat or an attack going on.
Now I could go down to the bottom here and use some of the automated tools. If I have the ability to reach out to the end point with some of the added tools, added security products you have in your environment, at the end point, I can actually go out there and quarantine it directly from this alert, or I could pivot over to my SecOps to actually look at more information around this attack to see if it's really something I want to actually take a look at. So that's what we're going to do, where to pivot off of Slack, and we're going to move into our portal. So if I go here... Sorry for the side of my head. All right. I'm going to hide the controls so I can see what's going on. There we go. So when you first come into the portal, many people have a dashboard, a security dashboard. This could be sitting up at your SOC layer. This could be a big display. Or, in my case, it's my display right here. And I'm not going to go into gory detail about each one of these panels. This demo's really to explain to you the power of how we can integrate with your sources coming in, we can actually manipulate that data and provide, connecting of the dots, of dealing with all of these massive amounts of alerts and metrics coming in, and how I can what's going on. So at a high level, this is a security overview for AWS. This is specific to AWS. We have the same thing for Azure. We have the same thing for GCP. And you can actually customize this if you were in a multi-cloud environment, doing across all of those different instances. Excuse me. So I look real quickly here, on the upper left-hand side, this is a quick heatmap global distribution or geo-mapping of single sign on and non single sign on locations. Now you can just use your imagination, how we can use that type of tool. This is simplistic. Sign on, right. But I could actually tap into where threats are coming from, or maybe failed logins, or those types of threats or those types of metrics in your environment.
So this is a very simple one to give you an example of what's going on, but you can go in much deeper if you'd like. So in here we have that type of heat map. We also tie into CrowdStrike with a lot of their background metrics from a security point of view. So in the middle panel here, we have threat intel based on the single sign on, based on those IP addresses, CrowdStrike has basically told our environment, and we've integrated that and said, "You know what, we have 120 single sign-on connections coming in that are actually of a high concern. It's a malicious connection coming in." And now as we move to the cloud, our barriers, and you guys all know this, you're probably tired of hearing it, but our borders are gone. Everything's cloud-based. So across the world, I may have malicious attackers or people trying to log in. Another great tool we have is the suspicious login distances. This is kind of a fun one to demo and go through. Actually, what we're showing here is Damon has logged in twice over the last three hours, and he's logged in from the US, 75.73.16.32. And then within three hours, he has also logged in from Egypt. Well, wait a minute, time-travel isn't available yet. Star Trek, we don't have teleporters. So this is probably something I'll want to take a look at. Now each one of these panels, each one of these widgets, I could go in and filter with this blue icon, or I can get into the raw data itself and the filter, we're going to go into an example to use that. So if I scroll down, another really cool thing here is the outliers. So when do we know we have an anomaly going on? So when can I visually see, based on what I should be seeing in my environment, when I see a peak or a valley of something strange, that's not part of my normal flow? So we're showing here is the brown khaki looking color is what I should be seeing. And we set that up in a filter. Very, very quick and easy.
Actually, a lot of the filters are pre-created in our catalog, and I'll show you how to get into there. But these hot pink looking triangles are actually outliers. And I can select any one of those and dive in deeper. And I'm going to go into that on a workflow of a specific type of attack. When I scroll down a little bit more, we started getting into things like file integrity and malware. Clean, delete, I want to deny access, pass, quarantine. All these feeds coming into the environment. I have one portal that I can actually dive into and figure out from a... When I sit down at my desk, what am I going to tackle in that day? Now where did all this data come from? Now what was mentioned before is what time the value. I know you folks don't have hours and hours of man time or person time to actually integrate all these applications into your environment. So what do we do? We have hundreds of applications that have been integrated into the solution, have been tested, and posted to your availability, so you can actually go in there and use them. So I could go in here and type on... Maybe I have Barracuda as a firewall and they just brought it in from a remote office, and I want to see if I can integrate that quickly into my environment. Well if I go to my catalog and start typing Barracuda, guess what? We have two different applications currently today of NextGen firewall, as well as their web application firewall. So the applications themselves are extremely easy to integrate in your environment. We know you don't have the time and the possible expertise from day one to dive into that, so we provide the crowdsourcing in general to get to that information. So the applications are great, but applications are worthless if you don't have data coming in. And this was talked about several times earlier today, was around all this information coming in, it's a central repository.
So I've kind of buried down into my detection lab, but these collectors could be from Kubernetes or basically any source of data with a connector or a collector can funnel the information in here. And the way we tie into this, we're showing your AWS, CloudTrail, we have Carbon Black, Check Point. I'm not going to go through the entire list because we don't have the time. So basically what I can do now is let's get into a specific investigation. So you have a dashboard and this is for unified logging and metrics. Here's my heat map. I should probably burn a little bit deeper into, we don't get the repetition. So there we go. But I have a situation going on right now that's kind of handing off between application. Maybe they were complaining at a certain time around performance and security. DevSecOps, if you want to use that term. So I see this spike going on at this point in time. And this ties back to the Slack that we talked about earlier. So this is actually the other end, the book end of that conversation. So not only do we have a spike on CPU, I also have an outlier for that, aligning with that, around authentication attempts into an availability zone. So if I select that right there, I have these attempts coming in, and you know what, I need to take a look at what's going on here, because that is huge. That is a much bigger spike than I expected. So if I scroll down a little bit more, we start seeing the anomalies. I can see what's going on here. So here I have an anomaly. And what's going on? Well, that's the IP address of 201.13.187. So that's an outlier that I need to take a look at. And again, all of this is pulled into the same timeline. So if I scroll down a little bit further, well now I start seeing, based on my firewall and my IDS, what's going on from an application point of view. So on the right-hand side, you see resources linked to data exfiltration for that MITRE ATT&CK type of category, technique, that's going on.
And what I'm really concerned about is MySQL. I know in my environment, MySQL is an internal only database, and in that database is just my PCI data. So what the heck is going on here? So if I scroll down a little bit further, I also see in my app over the last week I have a spike going on. So what's going on in that area? So if I scroll down a little bit more, I have an attack going on. So if I look at my specific interface, here's the source IP address that we mentioned before. If I go into my label name itself, I can see here that it is coming in and it's part of Fancy Bear. Now we all like to give cute names, but Fancy Bear is not this cuddly Build-a-Bear type of thing. Fancy Bear is... We all know, it's basically an organized crime going on in Russia. Now if I scroll down a little bit further, I can see that the majority of those types of attacks are coming in from Brazil. So very quickly, I've pivoted from a high level, showing everything, and I've moved down with my outliers and my indicators of compromise, et cetera, to a specific point. Now, what I could do at this juncture is actually go in and block that connection on my firewall, or I could go in and tell my end points to knock down that compromised host of 192.168.122. So at a high level, this was Firehose, it's a great product. Now what's really cool, if you get into one of our evaluations, if I go to the top, just to close it out, I'm sorry for the white screen out of nowhere, in here we see learn in certification. So hopefully you've taken some of the certification classes here during the session, but if you haven't, you can go in here as part of the trial and do a certification based on any of the products that we have in our portfolio. I know that was a fire hose. I ended three minutes early.
I kind of dove in a little bit on the Q&A, but this was our security and monitoring and analytics portal, and hopefully you got some great information, just enough teasers to get to the point where you want to do some more business with us. With that, I hand it back.
Jason Dunn: Awesome. Thanks so much for that, Scott. I hope that it was really helpful for folks to actually get to see the platform up live in these kinds of active use cases. So I think we had some really interesting Q&A come in from Josh McMullin, and Dana and myself chimed in on the chat, but just to quickly speak to a few things, because I think Josh had some follow-up questions around it, which are specifically how... I guess in the broadest sense we can speak to it for the audience here. What does it look like when we are bringing in custom data versus something that is a little bit more off the shelf or designed into our app catalog? So in this specific example KnowBe4 PhishER messages were identified as something Josh wanted to key in on. So just to answer, so Josh had kind of a follow-up question within the Q&A, which is he asked basically for recommendations for how he can tune based on what an existing dashboard is that he might be able to use. So in this particular example, because the phishing example, I would say, Josh, you might take a look at ARIA Packet Intelligence, even some of the Palo Alto or AWS firewall dashboards. And just really... I would say don't be afraid to go a little outside the lines, even if there's a dashboard that's built more towards malware, for example. You might be able to just pick and choose even just parts of a query and then tune in iteratively and actually build out that custom content, since you're a little bit starting back at square one because of it being more custom data you're bringing in. But absolutely, I mean, have to shout out to customer success and professional services. Our team would love to work with you and better understand the use case to really fine tune that.