Evaluate your SIEM
Get the guideComplete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.
December 8, 2020
SIEM has traditionally earned itself a bad reputation as an unwieldy and unmanageable tool that really never lived up to its promises. In my presentation during Illuminate, I talked about what Sumo Logic is doing to modernize log analytics and SIEM as a whole.
Today, we see that despite how overall technology is accelerating, security always seems to lag behind. In Sumo Logic, we address this head-on.
In order to better understand the challenge we face, I will break it down into three areas and discuss what we’re doing at Sumo Logic to meet the unique security requirements for cloud and modern technologies.
Nobody could have foreseen the explosion of machine data that we're witnessing today. As technology weaves itself into our businesses and into our lives, the volume of data is just explosive.
"The rate at which we're generating data is rapidly outpacing our ability to analyze it. The trick is to turn these massive data streams from a liability into a strength."
Professor Patrick Wolfe
Executive Director, University College of London Big Data Institute
We are experiencing what I call the data collection law of diminishing returns. This means the more you collect, the more expensive it becomes, and the more difficult it becomes to get value out of that data.
At Sumo Logic, we take the value-driven approach—to leverage the cloud while still being able to justify the business expense.
We do this in two ways.
Defenders are drowning in alerts, many of which are false positives. A lot of times those alerts lack the context of the business and the risk. So even when they are legitimate, analysts have to do a ton of work to understand the impact that each security event might have. And the number of alerts just keeps growing as you modernize your stack.
A modern SIEM should be able to keep pace as you modernize your own applications and infrastructure to the cloud, containers, and microservices. On a minimum, you need to have content that supports all the major cloud service providers. Beyond that, there should be out-of-the-box content to leverage the dozens of services or features within each platform.
Another thing that's worth talking about is, does the solution leverage global intelligence that can only be gleaned from cloud solutions? At Sumo Logic, we've seen alerts across thousands of customers globally, and we can provide insight as to how your security posture fares compared to everyone else. Are the threats that you're seeing rare? We’ve also partnered with CrowdStrike threat intelligence out-of-the-box at no extra cost to users.
From here, there’s still the big issue of alert fatigue. Most analysts are familiar with burnout and swivel chair syndrome. These are serious issues. As aptly put by Bill Crowell, former NSA Deputy Director,
"Cyberdefense is about having an integrated set of tools that work together to prevent attacks, but the industry now has a thousand points of light and no illumination."
We recognize at Sumo Logic that we have to overhaul our approach to correlation and alerting. The fidelity of alerts and insights needs to be incredible, and that’s what we deliver.
Through the Sumo Logic Cloud SIEM platform, we’re able to provide automated alert reduction, high fidelity insights, and context for investigations. How?
An entity in our world is either a user or maybe a system, but your SIEM has to be intelligent enough to be able to aggregate on the entity-level. So that way, as an analyst, when you open up an alert, you're not seeing an individual point of light. You're seeing more of the broader picture of what's happening to a particular entity.
We take the industry framework of the MITRE attack lifecycle and overlay every single signal on what attack stage it lies in. The analyst can instantly see all of the different signals and what states they belong to without having to query and research.
Providing attacker dwell time
We’re also able to provide attacker dwell time. The analyst can look back multiple weeks and Cloud SIEM Enterprise is able to show, at a glance, everything it knows about a system, all of the relevant security events.
Here’s a quick look at the Sumo Logic Cloud SIEM Enterprise platform. I encourage you to reach out for a full demo of it.
There is a huge skill shortage in security and tech in general, and it’s only getting worse as the assets we’re monitoring are getting more and more sophisticated. Tier 1 analysts are expected to come to the table with a lot of new knowledge, with a well-rounded skillset composed of specialized skills. The tools that are in the market to monitor and secure enterprise environments are also becoming more complex.
In one of our studies, we’ve found, "75% of SecOps teams said they need to hire three or more analysts just to address all the alerts that they get daily.”
In our view, all the aforementioned approaches contribute to solving this problem. Once you’ve democratized data and everybody is looking at the same data store with high fidelity alerts and insights, you can get that force multiplier where all of the different team members are leveraging that same data and driving value out of it. What we provide is not just another tool, not another source of alerts that your team doesn’t have the time to triage and address.
Sumo Logic started with a mission to bring traditional log analytics and SIEM into the world of SaaS and cloud computing. Now, almost every major SIEM vendor or log analytics platform has recognized that this is truly where the future lies in order to keep up with log management.
Reduce downtime and move from reactive to proactive monitoring.
Build, run, and secure modern applications and cloud infrastructures.
Start free trial