March 28, 2018
The following blog is a collaborative piece from Sumo Logic and AWS. Special thanks to all three co-authors Anoop Sunke, AWS partner solutions architect, Graham Watts, senior sales engineer at Sumo Logic and Mike Reinhart, director of product marketing for cloud security and compliance at Sumo Logic for their joint contributions and expert technical insight.
Organizations are increasingly moving workloads, applications and infrastructure to Amazon Web Services (AWS) to take advantage of the cost, scale and agility the cloud offers, and to keep pace with competitors who are already doing the same. These organizations are also finding that their legacy security and networking tools leave gaps in the visibility and control they need to meet regulatory and risk-management requirements in these environments. The reality is that those legacy systems were not designed for the cloud.
Sumo Logic was founded by security industry veterans, who saw these growing gaps, and the need to provide visibility and control to facilitate migration to AWS and the cloud. Sumo Logic was “born” in the cloud (AWS), and provides a cloud-native solution for security analytics and visibility across the entire AWS cloud, and other public, private and hybrid cloud service platforms. Log data from cloud elements can easily be collected across these common cloud infrastructures, and the full stack of the modern applications that are running on them. Insights include continuous real-time intelligence, with actionable context such as user activity, platform configuration changes, and detailed historical audit data for demonstrating compliance with common regulatory standards, such as Payment Card Industry (PCI) security standards.
The team at AWS saw a similar need to give customers a way to assess the security posture of their AWS accounts and workloads during a move to the cloud, and at the AWS re:Invent conference in Las Vegas in November 2017 they announced Amazon GuardDuty. Amazon GuardDuty is a managed threat detection service that continuously analyzes AWS CloudTrail events, VPC flow logs and DNS query logs for malicious or unauthorized behavior, to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise, and it also detects potentially compromised instances and reconnaissance by attackers.
Reason #1: Real-time dashboard for GuardDuty Findings
The Sumo Logic GuardDuty dashboards give AWS customers pre-configured, user-friendly and customizable dashboards that ingest GuardDuty findings and present them graphically, ranked by severity (high, medium and low). From any finding on the dashboard you can click through to your AWS environment to take whatever remediation action is needed.
Reason #2: Search and analyze findings including cross-account support
One key function of Sumo Logic’s GuardDuty integration is the ability to filter across AWS accounts, regions, VPCs, subnets and so on with a single dashboard filter. For example, one filter selects every GuardDuty finding whose resource carries the tag “corp” (all of your corporate assets).
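The severity banding in reason #1 and the account/region/VPC/tag filtering in reason #2 can be reproduced outside the dashboard. The following is an added example, not Sumo Logic’s or AWS’s code; it assumes findings arrive in the CloudWatch Events envelope that GuardDuty emits (the finding itself under the "detail" key), and the three sample findings, account numbers and resource IDs are constructed for the example.

```python
"""Bucket and filter Amazon GuardDuty findings by severity, account, region, VPC and tag.

Added example, not Sumo Logic dashboard code. Findings are assumed to arrive in the
CloudWatch Events envelope GuardDuty emits, with the finding under "detail".
SAMPLE_EVENTS below are constructed (fake account IDs and resource IDs).
"""

# GuardDuty reports severity as a number; AWS bands it as low 1.0-3.9,
# medium 4.0-6.9 and high 7.0-8.9. Anything below 1.0 is not a documented band.
SEVERITY_FLOORS = (("high", 7.0), ("medium", 4.0), ("low", 1.0))
RANK = {"informational": -1, "low": 0, "medium": 1, "high": 2}


def severity_label(score):
    for label, floor in SEVERITY_FLOORS:
        if score >= floor:
            return label
    return "informational"


def summarize(detail):
    """Flatten one finding into the fields a dashboard filter operates on."""
    inst = detail.get("resource", {}).get("instanceDetails") or {}  # absent for IAM/AccessKey findings
    nics = inst.get("networkInterfaces") or []
    return {
        "id": detail["id"],
        "account": detail["accountId"],
        "region": detail["region"],
        "type": detail["type"],
        "severity": severity_label(detail["severity"]),
        "vpc": nics[0].get("vpcId") if nics else None,
        "subnet": nics[0].get("subnetId") if nics else None,
        "tags": {t["key"]: t["value"] for t in inst.get("tags") or []},
    }


def filter_findings(events, account=None, region=None, vpc=None, tag=None, min_severity="low"):
    """tag is a (key, value) pair such as ("env", "corp"); None disables that filter."""
    out = []
    for ev in events:
        s = summarize(ev["detail"])
        if account and s["account"] != account:
            continue
        if region and s["region"] != region:
            continue
        if vpc and s["vpc"] != vpc:
            continue
        if tag and s["tags"].get(tag[0]) != tag[1]:
            continue
        if RANK[s["severity"]] < RANK[min_severity]:
            continue
        out.append(s)
    return out


def count_by_severity(events):
    """Severity histogram, the numbers a ranked dashboard panel would show."""
    counts = {}
    for ev in events:
        label = severity_label(ev["detail"]["severity"])
        counts[label] = counts.get(label, 0) + 1
    return counts


def _event(finding):
    return {"source": "aws.guardduty", "detail-type": "GuardDuty Finding", "detail": finding}


SAMPLE_EVENTS = [  # constructed sample findings
    _event({"id": "1ab2c3d4e5f6a7b8c9d0e1f2a3b4c5d6", "accountId": "111111111111", "region": "us-east-1",
            "type": "CryptoCurrency:EC2/BitcoinTool.B!DNS", "severity": 8.0,
            "resource": {"resourceType": "Instance", "instanceDetails": {
                "instanceId": "i-0a1b2c3d4e5f6a7b8",
                "tags": [{"key": "env", "value": "corp"}, {"key": "Name", "value": "web-1"}],
                "networkInterfaces": [{"vpcId": "vpc-0a1b2c3d", "subnetId": "subnet-0f9e8d7c"}]}}}),
    _event({"id": "2bc3d4e5f6a7b8c9d0e1f2a3b4c5d6e7", "accountId": "222222222222", "region": "eu-west-1",
            "type": "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B", "severity": 5.0,
            "resource": {"resourceType": "AccessKey", "accessKeyDetails": {"userName": "alice"}}}),
    _event({"id": "3cd4e5f6a7b8c9d0e1f2a3b4c5d6e7f8", "accountId": "222222222222", "region": "eu-west-1",
            "type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 2.0,
            "resource": {"resourceType": "Instance", "instanceDetails": {
                "instanceId": "i-0ffeeddccbbaa9988",
                "tags": [{"key": "env", "value": "dev"}],
                "networkInterfaces": [{"vpcId": "vpc-0d0c0b0a", "subnetId": "subnet-01234567"}]}}}),
]

if __name__ == "__main__":
    print(count_by_severity(SAMPLE_EVENTS))
    for f in filter_findings(SAMPLE_EVENTS, tag=("env", "corp")):
        print(f["severity"], f["account"], f["type"], f["id"])
```

Note that findings on IAM principals or access keys carry no instance details, so tag and VPC filters silently exclude them; a dashboard that only filters by tag will never show a credential-compromise finding, which is why account-level filters should be applied alongside tag filters.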
Reason #3: Correlate GuardDuty Findings with more data sources
In addition, Sumo Logic allows GuardDuty Findings to be investigated in the context of all elements and resources in the AWS environment, and other third-party tools, including full stack visibility into application and infrastructure logs, along with Application and Elastic Load Balancer (ALB/ELB) performance details over time.
Reason #4: Apply CrowdStrike threat intelligence to other logs for free
Another benefit of centralizing all of your machine data in Sumo Logic is that logs GuardDuty does not analyze (anything beyond the VPC flow logs, Route 53 DNS query logs and CloudTrail events it consumes) can still be scanned against the CrowdStrike integrated threat intelligence feed. This feed is built into Sumo Logic and is provided to every Sumo Logic customer at no cost. Common data types that Sumo Logic customers scan for threats are:
Reason #5: Use LogReduce and LogCompare on findings to narrow down threats
First, GuardDuty detects malicious behavior across your VPCs and AWS users; customers can then use Sumo Logic’s patented LogReduce and LogCompare to search for a malicious IP address and investigate how it has traversed their environment. For example, after detecting a threat through the GuardDuty integration, you might investigate it in the context of all of your data and find, from file-sharing or storage-system logs, that someone has exfiltrated sensitive files.
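The two steps in reasons #4 and #5, matching logs against an indicator list and then pivoting on one address to see everything it touched, look like the following. This is an added example and not Sumo Logic code; it does not use the CrowdStrike feed. The indicator list, the VPC flow-log lines and the CloudTrail records are all constructed for the example and use RFC 5737 documentation addresses.

```python
"""Scan VPC flow logs and CloudTrail records for threat-intelligence indicators,
then pivot on a single address to reconstruct what it touched.

Added example for reasons #4 and #5; not Sumo Logic code and not the CrowdStrike
feed. IOCS, FLOW_LINES and CLOUDTRAIL are constructed sample data.
"""
import ipaddress

# Constructed indicator list: one host and one /24 (RFC 5737 documentation ranges).
IOCS = [ipaddress.ip_network(n) for n in ("198.51.100.23/32", "203.0.113.0/24")]


def is_ioc(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # "-" placeholders in NODATA rows, hostnames, garbage
        return False
    return any(addr in net for net in IOCS)


# Default (version 2) VPC flow-log record layout.
FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()


def parse_flow(line):
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        return None
    rec = dict(zip(FLOW_FIELDS, parts))
    return rec if rec["log_status"] == "OK" else None  # NODATA/SKIPDATA rows carry no addresses


def scan_flow_logs(lines, match=is_ioc):
    """One hit per matching side of each flow record, with the peer and port kept for context."""
    hits = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        for side in ("srcaddr", "dstaddr"):
            if match(rec[side]):
                peer = rec["dstaddr"] if side == "srcaddr" else rec["srcaddr"]
                hits.append({"source": "vpcflow", "ip": rec[side], "side": side, "peer": peer,
                             "eni": rec["interface_id"], "dstport": int(rec["dstport"]),
                             "action": rec["action"], "bytes": int(rec["bytes"])})
    return hits


def scan_cloudtrail(records, match=is_ioc):
    hits = []
    for r in records:
        ip = r.get("sourceIPAddress", "")
        if match(ip):
            ident = r.get("userIdentity", {})
            hits.append({"source": "cloudtrail", "ip": ip, "event": r["eventName"],
                         "principal": ident.get("arn", ident.get("type")), "time": r["eventTime"]})
    return hits


def pivot(ip, flow_lines, ct_records):
    """Every record involving ip, indicator or not: the 'how did it traverse my environment' query."""
    def same(candidate):
        return candidate == ip
    return scan_flow_logs(flow_lines, match=same) + scan_cloudtrail(ct_records, match=same)


FLOW_LINES = [  # constructed: an SSH probe rejected, then 1 MiB sent to a listed /24, then a DB call
    "2 111111111111 eni-0a1b2c3d 198.51.100.23 10.0.1.15 44321 22 6 12 960 1520000000 1520000060 REJECT OK",
    "2 111111111111 eni-0a1b2c3d 10.0.1.15 203.0.113.77 51234 443 6 340 1048576 1520000100 1520000160 ACCEPT OK",
    "2 111111111111 eni-0a1b2c3d 10.0.1.15 10.0.2.8 51235 5432 6 20 3000 1520000100 1520000160 ACCEPT OK",
    "2 111111111111 eni-0a1b2c3d - - - - - - - 1520000200 1520000260 - NODATA",
]

CLOUDTRAIL = [  # constructed: a console login from the listed /24, then S3 access from the instance
    {"eventTime": "2018-03-02T14:22:10Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}},
    {"eventTime": "2018-03-02T14:25:41Z", "eventName": "GetObject", "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"}},
]

if __name__ == "__main__":
    for hit in scan_flow_logs(FLOW_LINES) + scan_cloudtrail(CLOUDTRAIL):
        print("IOC hit:", hit)
    for hit in pivot("10.0.1.15", FLOW_LINES, CLOUDTRAIL):
        print("instance activity:", hit)
```

The indicator scan surfaces the listed addresses; the pivot on the instance’s own private address then shows the sequence that matters for the exfiltration scenario above: a rejected inbound probe, an accepted 1 MiB outbound flow on 443 to a listed network, a database connection, and an S3 GetObject from the same instance, which is the kind of chain LogCompare is used to line up.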
Reason #6: Automated threat response with Sumo Logic alerts
After detecting a threat, it is a best practice to automate the response to your security events. You can use the new AWS Lambda webhook or a Script Action to take programmatic action in response to alerts and outages. For example, when Outlier detects a spike in connections from a user, IP address or country, a Lambda webhook can automatically add a deny rule to the affected subnet’s Network Access Control List (NACL) to block that traffic.
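A Lambda function behind that webhook needs more than the one API call: it must validate the address, avoid blocking its own infrastructure, and choose a rule number that sorts ahead of the subnet’s allow rules. The following is an added example, not Sumo Logic’s or AWS’s code. The webhook payload shape (a JSON body with "source_ip" and "alert_name") is an assumption, since Sumo Logic webhook payloads are user-templated; the NACL_ID environment variable, the allowlisted VPN range and the existing NACL entries are also constructed for the example. The two EC2 calls used are the real boto3 `describe_network_acls` and `create_network_acl_entry`, wrapped here by an in-memory stand-in so the block runs offline.

```python
"""Lambda-style webhook that turns a Sumo Logic alert into a NACL ingress deny rule.

Added example, not Sumo Logic or AWS code. Payload field names, NACL_ID and the
allowlist are assumptions for this example; FakeEc2 and EXISTING_ENTRIES are
constructed stand-ins so the block runs without AWS credentials.
"""
import ipaddress
import json
import os

# NACLs evaluate rules in ascending number order and stop at the first match, so
# automated denies live in a low band that sorts before operator allow rules (100+).
DENY_RULE_MIN, DENY_RULE_MAX = 1, 99

# Address space the automation must never block: your own VPCs, loopback, the
# link-local/metadata range, and (assumption for this example) a corporate VPN range.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "198.18.0.0/15",
)]


def validate_ip(raw):
    """Return a /32 CIDR for a blockable IPv4 address, or None if it must be skipped."""
    try:
        addr = ipaddress.ip_address(str(raw).strip())
    except ValueError:
        return None
    if addr.version != 4:  # IPv6 entries use Ipv6CidrBlock; out of scope for this example
        return None
    if any(addr in net for net in NEVER_BLOCK):
        return None
    return f"{addr}/32"


def next_rule_number(entries, egress=False):
    used = {e["RuleNumber"] for e in entries if e["Egress"] == egress}
    for n in range(DENY_RULE_MIN, DENY_RULE_MAX + 1):
        if n not in used:
            return n
    raise RuntimeError("deny band exhausted; NACLs default to a 20-rule quota, so expire old blocks")


def already_blocked(entries, cidr, egress=False):
    return any(e["Egress"] == egress and e.get("CidrBlock") == cidr and e["RuleAction"] == "deny"
               for e in entries)


def block_ip(ec2, nacl_id, raw_ip):
    cidr = validate_ip(raw_ip)
    if cidr is None:
        return {"status": "skipped", "reason": "not a blockable public IPv4 address", "ip": str(raw_ip)}
    entries = ec2.describe_network_acls(NetworkAclIds=[nacl_id])["NetworkAcls"][0]["Entries"]
    if already_blocked(entries, cidr):
        return {"status": "exists", "cidr": cidr}
    rule = next_rule_number(entries)
    ec2.create_network_acl_entry(NetworkAclId=nacl_id, RuleNumber=rule, Protocol="-1",
                                 RuleAction="deny", Egress=False, CidrBlock=cidr)
    return {"status": "blocked", "cidr": cidr, "rule_number": rule}


def lambda_handler(event, context=None, ec2=None, nacl_id=None):
    body = event
    if isinstance(event.get("body"), str):  # API Gateway proxy integration wraps the JSON as a string
        body = json.loads(event["body"])
    if ec2 is None:
        import boto3  # only needed inside Lambda; not imported for offline runs
        ec2 = boto3.client("ec2")
    nacl_id = nacl_id or os.environ["NACL_ID"]  # assumption: NACL to modify comes from the environment
    result = block_ip(ec2, nacl_id, body.get("source_ip", ""))
    result["alert"] = body.get("alert_name")
    return {"statusCode": 200, "body": json.dumps(result)}


class FakeEc2:
    """Constructed in-memory stand-in for the two boto3 EC2 calls used above."""
    def __init__(self, entries):
        self.entries = list(entries)

    def describe_network_acls(self, NetworkAclIds):
        return {"NetworkAcls": [{"NetworkAclId": NetworkAclIds[0], "Entries": self.entries}]}

    def create_network_acl_entry(self, **kw):
        self.entries.append({"RuleNumber": kw["RuleNumber"], "Protocol": kw["Protocol"],
                             "RuleAction": kw["RuleAction"], "Egress": kw["Egress"],
                             "CidrBlock": kw["CidrBlock"]})
        return {}


EXISTING_ENTRIES = [  # constructed: one earlier automated deny, the usual allow-all, the default deny
    {"RuleNumber": 1, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "192.0.2.9/32"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    fake = FakeEc2(EXISTING_ENTRIES)
    print(block_ip(fake, "acl-0123456789abcdef0", "203.0.113.77"))  # constructed attacker address
    print(block_ip(fake, "acl-0123456789abcdef0", "10.0.1.15"))     # your own instance: skipped
```

Two caveats a practitioner would want before wiring this up. First, the source address in an alert is attacker-influenced data: a spike of connections from a shared NAT or a spoofed source can make the automation block a legitimate range, which is why the allowlist and the validation step exist, and why a short expiry on automated denies is wise. Second, NACLs are stateless and capped at 20 rules by default, so a deny band that never drains will stop working; security groups or a WAF are often the better home for long-lived blocks.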
Reason #7: Leverage features on future Sumo Logic roadmap
Leverage GuardDuty and other sources of security and event findings to accelerate a comprehensive end-to-end threat investigation and resolution.
Sumo Logic’s SIEM solution provides real-time, actionable visibility using Amazon GuardDuty findings; combined with additional log sources and broader context, it gives security and IT teams full-stack visibility for faster threat detection and response. Sumo Logic Cloud SIEM helps customers operationalize Amazon GuardDuty best practices across multiple AWS accounts.
Sign up for Sumo Logic instantly and for free: http://www.sumologic.com/product/sumo-logic-free/
Watch the Sumo Logic product overview video: http://sumolo.gs/18SQCQ0
Q: Why should I continue to send Sumo CloudTrail and VPC flow logs?
Amazon GuardDuty is a great tool for threat detection, but customers rely on Sumo Logic for:
Q: I already use GuardDuty and our app runs 100 percent in AWS, why do I need Sumo Logic for security?
Q: I have a hybrid environment and 50 percent of our applications run in AWS. GuardDuty works well so why should I use Sumo Logic for security?