Sumo Logic ahead of the packRead article
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.
The following blog is a collaborative piece from Sumo Logic and AWS. Special thanks to all three co-authors Anoop Sunke, AWS partner solutions architect, Graham Watts, senior sales engineer at Sumo Logic and Mike Reinhart, director of product marketing for cloud security and compliance at Sumo Logic for their joint contributions and expert technical insight.
Organizations are increasingly moving workloads, applications and infrastructure to Amazon Web Services (AWS) to leverage the cost, scale and agility the cloud has to offer. Moving to the cloud has become an imperative in order to keep pace with their competitors who are already taking similar steps. However, these same organizations are all finding that their legacy security and networking tools have many gaps in their abilities to provide the necessary visibility and control they need to manage regulatory and risk management requirements in these modern environments. The reality is that these legacy systems were not designed for the unique needs of the cloud.
Sumo Logic was founded by security industry veterans, who saw these growing gaps, and the need to provide visibility and control to facilitate migration to AWS and the cloud. Sumo Logic was “born” in the cloud (AWS), and provides a cloud-native solution for security analytics and visibility across the entire AWS cloud, and other public, private and hybrid cloud service platforms. Log data from cloud elements can easily be collected across these common cloud infrastructures, and the full stack of the modern applications that are running on them. Insights include continuous real-time intelligence, with actionable context such as user activity, platform configuration changes, and detailed historical audit data for demonstrating compliance with common regulatory standards, such as Payment Card Industry (PCI) security standards.
The team at AWS saw similar needs to provide their customers with the ability to assess the security posture of their AWS instances to facilitate a smooth transition to the cloud. And at the annual AWS re:Invent Cloud conference in Las Vegas this past November, they announced the release of Amazon GuardDuty. Amazon GuardDuty is a managed threat detection service that continuously monitors for malicious or unauthorized behavior to help you protect your AWS accounts and workloads. It monitors for activity such as unusual API calls or potentially unauthorized deployments that indicate a possible account compromise. GuardDuty also detects potentially compromised instances or reconnaissance by attackers.
Reason #1: Real-time dashboard for GuardDuty Findings
The Sumo Logic GuardDuty dashboards provide AWS customers with pre-configured, user-friendly and customizable dashboards that ingest GuardDuty data and layers on rich graphical reporting to allow users to rapidly, and visually depict the GuardDuty “findings” — data — ranked by severity levels (high, medium and low).This allows users to simply click on any of the identified events and automatically be routed to their AWS environment in order to take any necessary actions for remediation.
Reason #2: Search and analyze findings including cross-account support
One key function to Sumo Logic’s GuardDuty integration is the ability to filter across AWS accounts, regions, VPCs, subnets, etc. with one easy dashboard filter. This example shows how to filter for any GuardDuty Findings related to resources with a tag of “corp” (all of your corporate assets):
Reason #3: Correlate GuardDuty Findings with more data sources
In addition, Sumo Logic allows GuardDuty Findings to be investigated in the context of all elements and resources in the AWS environment, and other third-party tools, including full stack visibility into application and infrastructure logs, along with Application and Elastic Load Balancer (ALB/ELB) performance details over time.
Reason #4: Apply Crowdstrike Threat Intelligence to other logs for free
Another benefit of centralizing all of your machine data in Sumo Logic is that any logs not analyzed by GuardDuty (VPC flow, Route53 DNS query and CloudTrail logs) can be scanned by the Crowdstrike Integrated Threat Intelligence feed. This Threat Intelligence feed is built into Sumo Logic and is provided to any Sumo Logic customer at no cost. Common data types that Sumo Logic customers scan for threats are:
Reason #5: Use LogReduce and LogCompare on findings to narrow down threats
First, GuardDuty will detect malicious behavior across your VPCs and users of AWS, then customers can use Sumo Logic’s patented LogReduce and LogCompare to search for a malicious IP address and investigate how it has traversed their environment. For example, if you detect a threat using Sumo Logic’s GuardDuty integration, you might then investigate this threat in the context of all of your data to find that someone has exfiltrated sensitive files via file sharing or storage system logs.
Reason #6: Automated threat response with Sumo Logic alerts
After detecting a threat, it’s a best practice to automate responses to your security events. You can also take advantage of our new AWS Lambda Webhook or a Script Action to take programmatic actions in response to alerts and outages. For example, when Outlier notices a spike in connections from a user, IP, or country, Lambda Webhooks can automatically adjust your Network Access Control List to block this traffic.
Reason #7: Leverage features on future Sumo Logic roadmap
Leverage GuardDuty and other sources of security and event findings to accelerate a comprehensive end-to-end threat investigation and resolution.
Sumo Logic’s SIEM solution provides real-time actionable visibility using Amazon GuardDuty findings and when combined with additional log sources and broader context, allows security and IT teams to get full stack visibility for quicker threat detection and response. SumoLogic Cloud SIEM helps customers operationalize Amazon GuardDuty best practices across multiple AWS accounts.
Sign up for Sumo Logic instantly and for free: http://www.sumologic.com/product/sumo-logic-free/
Watch the Sumo Logic product overview video: http://sumolo.gs/18SQCQ0
Q: Why should I continue to send Sumo CloudTrail and VPC flow logs?
Amazon GuardDuty is a great tool for threat detection, but customers rely on Sumo Logic for:
Q: I already use GuardDuty and our app runs 100 percent in AWS, why do I need Sumo Logic for security?
Q: I have a hybrid environment and 50 percent of our applications run in AWS. GuardDuty works well so why should I use Sumo Logic for security?
Reduce downtime and move from reactive to proactive monitoring.
Build, run, and secure modern applications and cloud infrastructures.Start free trial