Endpoint Security Analytics with Sumo Logic and Carbon Black

As the threat landscape continues to expand, having end-to-end visibility across your modern application stack and cloud infrastructures is crucial. Customers cannot afford to have blind spots in their environment and that includes data being ingested from third-party tools.

With the industry continuing to move toward a platform approach, the ability to integrate data across vendors and centralize all of it so that development, security and operations teams can communicate clearly is not only a differentiator, but is also crucial for understanding threats across the new modern IT landscape.

Today, we are excited to announce that Sumo Logic and Carbon Black are collaborating on a technical integration that will help joint customers use Sumo Logic to correlate, validate and investigate Carbon Black Response and Defense alerts into their overall security incident investigation process. Carbon Black Response and Defense are industry leading products that have deep visibility into threats and indicators of compromise (IOCs) on the endpoint. Those capabilities combined with Sumo Logic’s cloud-native machine data and security analytics platform empower enterprises to identify and remediate the root cause behind new security threats.

With the new Sumo Logic app for Carbon Black, you can:

• Use Sumo Logic’s machine learning capabilities to automatically detect spikes in the number of endpoint alerts and detected threats.
• Use Sumo Logic as a single pane of glass to determine context while prioritizing alerts across your organization.
• Correlate alerts from endpoints with all other activity in Sumo Logic to get complete visibility into the root cause and determine the best way to take care of these going forward.

Collection and App installation

Sumo Logic collects Carbon Black event data via standard Carbon Black tools such as its event forwarder for Carbon Black Response events and Syslog connector for Carbon Black Defense events.

Once you have configured your log sources, the Sumo Logic apps can be installed. Navigate to the Apps Catalog in your Sumo Logic instance and add the “Carbon Black” app to your library after providing references to sources configured in the previous step.

For details on the app installation and configuration, please refer to the documentation for Carbon Black Response event forwarder and Carbon Black Defense connector and Sumo Logic help.

Once the data flows in, Sumo Logic provides a rich set of dashboards. Let's go ahead and take a look at how some of these can be used.

Filtering and Analyzing CB Defense Alerts

The Carbon Black Defense - Threat Intelligence dashboard provides details on the threats on your network, including the number of threats, their severity, and threat outliers. The panels also show details on the top devices affected by threats, recent threats, and a rating score of threats.

The Threats panel highlights the total number of threats reported by CB Defense.

To determine more details about the reported threats, click on the above number to directly drill-down to the navigate to the “Threat Intelligence Dashboard”. To view Critical threats only you can apply the Severity dashboard filter:

After applying this filter, you will be able to see the most critical and recent threats in the “Most Recent Threats” panel with additional details such device, user, threat score etc. To understand more about the threat you can click on the alert URL that will directly take you to the incident in CB Defense that will allow you to take corrective action as shown below:

Detecting Anomalous Behavior

In the Threat Outlier panel of the Carbon Black - Defense - Threat Intelligence dashboard, Sumo Logic can automatically determined an unusually high number of threats reported in a given time period as shown below. This is done via the Sumo Logic outlier operator that tracks the moving average and standard deviation of the number of threats reported by Carbon Black Defense. An outlier is identified based on a specified threshold of standard deviations around the expected value. If a data point is outside the threshold, it is considered to be an outlier. This capability is useful in determining unusual or anomalous behavior with threats.

Prioritizing alerts with CB Response

The Carbon Black Response - Overview dashboard provides a high-level view of the state of your network infrastructure and systems. The panels highlight detected threats, hosts, top feeds and IOC’s, top processes, top watchlists, and alert trends.

The Top IOC’s panel provides details of the top indicators of compromise.

Drilling down takes us to “Carbon Black - Response - Indicators of Compromise” Dashboard.

This dashboard gives a detailed view of all the IOC’s. The panel “Top Malicious Addresses” highlights the malicious address locations.

Drilling into the search that powers this panel, will give you a list of malicious IP addresses as shown below, which can then be correlated with IP addresses detected by other security devices to determine if attacks are coming in from multiple sources.

Correlating Alerts from CB Response and CB Defense with other Security Devices

The Carbon Black Response and Defense alerts can be easily correlated with data from other security devices which helps in identifying root cause of the issues affecting devices in your infrastructure.

The Carbon Black Defense - Overview dashboard provides a high-level view of the state of your endpoint security, showing the number of detected threats, alerts, indicators of compromise, devices, users, and groups. The panels also highlight alert trends, top users, indicators, devices, applications, and reasons.

The Devices panel focuses on the devices in the infrastructure. Drilling down, the Defense - Devices dashboard is displayed, this dashboard provides a high-level view of the devices on your network, including the number of devices, geographic locations, and operating systems. The panels also show information on device groups, incidents, alert severity, and target priority.

You can review the devices generating the most number of alerts via the “Alerts by Device” panel, with which you can now correlate endpoint alerts with operating system logs to get a complete picture of all activity associated with the endpoint and determine the after-effects of an endpoint alert.

Get Started Now!

The Sumo Logic platform with its new App for Carbon Black provides a complete security analytics solution by allowing you to correlate, validate and investigate Carbon Black endpoint alerts along with alerts from other security tools to identify and remediate the root causes of new security threats.

To get started check out the Sumo Logic Carbon Black app help doc. If you don’t yet have a Sumo Logic account, you can sign up for a free trial today.

We’ll be at RSA this week in San Francisco, so stop by our booth (#2145) in Moscone South to get a demo on our current security analytics capabilities, or to learn more about the benefits our new integration with Carbon Black provides to customers, and visit www.carbonblack.com to learn more about our partnership.

Additional Resources

For more great security and DevSecOps-focused reads, check out the Sumo Logic blog.

Download the 2018 State of Modern Applications & DevSecOps in the Cloud report to get the latest data-driven insights, best practices, and year-over-year trends of how our 1,600+ customers are building and managing their modern applications and cloud infrastructures.

To learn about our new Cloud SIEM solution, check out this blog.