Security teams regularly ask me which log sources and security data they should send to their SIEM platform to get the most value out of its features. These conversations are usually driven by the customer being locked into a SIEM solution that charges by consumption. More log data equals more money, so enterprises have to make a difficult choice about which log sources and data matter most. This often leaves blind spots in their logging coverage and forces analysts to pivot to other tools and consoles for whatever additional context and detail they can get during an investigation.
While I understand the business model that drives this approach, as a security practitioner I've always hated this trade-off. I have yet to see an organization that is logging all the data sources it would like, or logging all of them into a single place to support security incident investigations, incident response or threat hunting. They can't keep returning to the well for more budget every time they blow through their event data limits, so their SIEM ends up with a limited view of suspicious activity and of what is actually happening in the environment. That lack of security data reduces the SIEM's value for detecting threats.
At Sumo Logic, our pricing model is built to optimize the cost of your data, including flexible data tiers. Data is what helps you do your job and, ultimately, what keeps your company safe. It gives context to what may have happened beyond a single alert and can surface insights that were not previously possible.
Several data types make sense to prioritize across the board. Many of these are common sense, but some may not be centralized in one location in your enterprise today:
1. Firewall logs – Firewall logs are a great source of detailed flow information, and with many next-generation firewalls you also get rich data on application types, threats, malware, command-and-control (C2) traffic and more.
Don't limit this data to your perimeter firewalls. If you have firewalls between your user segment and your data center, or micro-segmentation inside the data center, send those logs to your SIEM as well. Where your end users connect from and to is critical information for threat analysis, including the detection of possible insider threats.
2. Proxy/web filtering logs – Your NG firewall may already include this data, but if you use a separate proxy or web filtering solution, those logs should absolutely go to your SIEM too. The IP, domain and URL information is important and can reveal connections to known-bad locations. If you can also capture the User-Agent string, do so: it gives the threat hunter insight into what might be happening on the host. There are countless stories of major breaches and issues found by monitoring the user-agent strings in an environment and investigating the anomalous or uncommon ones.
3. Other network security products – Some of these may already be covered by a next-generation firewall, but you may have standalone systems. Logs from tools like network IPS/IDS, network DLP, sandboxes and even router NetFlow data are all rich intelligence sources for the SOC analyst.
4. Network sensors – Many of our customers have network sensors that sit on TAP or SPAN ports and perform deep packet inspection on internal north/south and east/west traffic. These sensors give deeper metadata about the traffic flows than a traditional NetFlow solution would: they can see things like SMB writes and deletes, HTTP header information, user-agent strings and many other specifics. This additional detail is very useful when looking for anomalous activity that could indicate lateral movement, and it can help you track down events you wouldn't have seen otherwise.
5. Windows authentication and AD info – As we all know, users move around and often get new IPs. If this happens during a security event, it can be hard to pick the trail back up and connect the dots. By tracking user authentication information, disparate record types across various IPs can be tied to the same user to paint a fuller picture of the activity around the event. Tying a user to the events also helps answer whether that user should be accessing those resources, and it makes it easier to track the device down if it needs manual intervention or cleaning.
6. Endpoint security solutions – Endpoint information is helpful on multiple fronts:
7. Threat intelligence – More and more organizations are bringing threat intelligence into their SIEM, which can help dramatically when investigating an individual alert. There are many free threat intelligence lists, so at a minimum bring a few of these in. Better still, subscribe to one of the many paid feeds; these tend to be better maintained, with more detail and more accurate information. Whichever feeds you use, track each indicator's age and expire stale ones, since old indicators are a common source of false positives. Threat intel hits in your device logs could indicate malware that got past your endpoint solution or some other breach.
All enterprises are unique, so when deciding which logs to add next, think about what's important to your company: what is it that you do that no one else does, and start there. This might mean certain application logs (user authentication), web server logs (various error types, etc.) or many others. Often these new log sources are identified while working actual alerts. Do you wish the alert had more context around it instead of you having to reach out to another console? Then add that context and data.
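As an added example that is not part of the original post and not Sumo Logic's code, the following Python script shows how three of the sources above (proxy logs, Windows logon events and a threat-intel list) work together during triage. It parses constructed proxy lines, flags user-agent strings seen from only one host, matches destination domains against a constructed indicator list, and attaches the user who was logged on at the source IP at that moment using constructed Windows 4624 logon events. The log formats, IP addresses, hostnames, usernames and the indicator are all made up for the example; real proxies and event logs need their own parsers.

```python
"""Added example: triage proxy logs with user-agent rarity, threat-intel
matching and Windows logon correlation. All data below is constructed
sample input, not real logs or real indicators."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Windows logon events (4624 = successful logon): ts,event_id,user,src_ip
AUTH_EVENTS = """\
2024-03-04T08:55:00Z,4624,alice,10.1.2.30
2024-03-04T08:58:00Z,4624,bob,10.1.2.31
2024-03-04T09:30:00Z,4624,carol,10.1.2.30
""".splitlines()

# Constructed proxy lines in a made-up format: ts src_ip dst_host status "user-agent"
PROXY_LOGS = """\
2024-03-04T09:05:00Z 10.1.2.30 www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-04T09:06:10Z 10.1.2.31 www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-04T09:07:42Z 10.1.2.32 cdn.example.net 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
2024-03-04T09:12:03Z 10.1.2.31 updates.example.org 200 "Microsoft-CryptoAPI/10.0"
2024-03-04T09:15:30Z 10.1.2.30 bad.example.invalid 200 "Mozilla/4.0 (compatible; MSIE 6.0)"
2024-03-04T09:40:00Z 10.1.2.30 www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"
""".splitlines()

# Constructed indicator set standing in for a threat-intel feed (.invalid is a reserved TLD).
THREAT_INTEL_DOMAINS = {"bad.example.invalid"}

PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_auth(lines):
    """Return {src_ip: [(logon_ts, user), ...]} sorted by time for later lookups."""
    sessions = defaultdict(list)
    for line in lines:
        ts, event_id, user, ip = line.split(",")
        if event_id == "4624":
            sessions[ip].append((parse_ts(ts), user))
    for ip in sessions:
        sessions[ip].sort()
    return sessions


def user_at(sessions, ip, ts):
    """Most recent logon on `ip` at or before `ts`, or None if no logon is known."""
    user = None
    for logon_ts, logon_user in sessions.get(ip, []):
        if logon_ts <= ts:
            user = logon_user
        else:
            break
    return user


def parse_proxy(lines):
    records = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole batch
        ts, src_ip, host, status, ua = m.groups()
        records.append({"ts": parse_ts(ts), "src_ip": src_ip, "host": host,
                        "status": int(status), "ua": ua})
    return records


def rare_user_agents(records, max_hosts=1):
    """User-agent strings seen from at most `max_hosts` distinct source IPs."""
    hosts_by_ua = defaultdict(set)
    for r in records:
        hosts_by_ua[r["ua"]].add(r["src_ip"])
    return {ua for ua, hosts in hosts_by_ua.items() if len(hosts) <= max_hosts}


def triage(proxy_lines, auth_lines, ti_domains, max_hosts=1):
    """Flag records with a rare UA or a threat-intel domain hit, enriched with the logged-on user."""
    records = parse_proxy(proxy_lines)
    sessions = parse_auth(auth_lines)
    rare = rare_user_agents(records, max_hosts)
    findings = []
    for r in records:
        reasons = []
        if r["ua"] in rare:
            reasons.append("rare-user-agent")
        if r["host"] in ti_domains:
            reasons.append("threat-intel-domain")
        if reasons:
            findings.append({**r, "user": user_at(sessions, r["src_ip"], r["ts"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(PROXY_LOGS, AUTH_EVENTS, THREAT_INTEL_DOMAINS):
        print(f["ts"].isoformat(), f["src_ip"], f["user"], f["host"], f["reasons"], f["ua"])
```

Two things the sample data is chosen to show. First, the rarity check flags both the MSIE 6.0 string on the host talking to the indicator domain and the benign Microsoft-CryptoAPI string, so rarity is a triage signal that points the hunter at something to look into, not a verdict by itself. Second, the user lookup takes the latest logon at or before each event, which is why 10.1.2.30 resolves to alice at 09:15 and to carol at 09:40: without the authentication events, the two proxy lines from that IP would look like one user's activity.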
Don't let blind spots be your weak spot. Learn how Sumo Logic's Cloud SIEM and log analytics can broaden your visibility and speed up incident investigations.