Our mission is to create a force multiplier for SOC teams and security analysts so they can reduce the time to verdict or judgment while triaging new Insights. At Sumo Logic, we take a different approach than other SIEM solutions. We don’t just create alerts and leave the analyst to gather other artifacts to gain context. We associate and group alerts, or what we call Signals, to an Entity (IP, User, Hostname, etc...). When our adaptive Signal clustering algorithms determine the Signals have exceeded a severity level we create the Insight. Our Insight Engine substantially decreases the number of alerts the analyst needs to triage. Additionally, the Insight Engine enables our Cloud SIEM to detect advanced threats, low & slow attacks, and higher speed direct threats. Additionally, the Insight Engine provides a powerful view back in time, evaluating all Signals associated with an Entity for the last 30 days.
Recently, we released another feature to allow analysts to scale and prioritize the Insight triage process. Global Intelligence for Security Insights is now available within our Cloud SIEM solution. For each Insight created we assign a Global Confidence score. This score is derived from a machine learning model that analyzes the composition of Signals associated with Insights globally across our installed base. When a customer closes an Insight as a true or false positive the model analyzes the underlying Signals and is able to determine if a subset of those Signals represents malicious behavior over time. The model works on global data that is crowdsourced and anonymized as well as customer-specific content or rules. A higher Confidence score reflects what the model believes may be a true positive. The range of scores is between 0 and 100 with increments of 5. The model continually learns and retrains itself so analysts have another method to prioritize the triage of inbound Insights.
Below is an example of how the feature is supported in the Cloud SIEM user interface:
In the Insight List or Kanban views Analysts are able to sort on the Global Confidence score among other attributes like Severity.
Here’s a quick overview of this unique new capability:
- If you’re already a Cloud SIEM customer (or interested) you can read more about this feature in our product documentation.
- Don’t have Sumo Logic Cloud SIEM but you’re already a Sumo Logic customer? Contact your sales representative or authorized Sumo Logic reseller to find out how you can upgrade to our complete Cloud SIEM solution.
- Didn’t know Sumo Logic offers a complete, cloud-native SaaS SIEM to help modernize your security operations? Get with the program or check out this quick highlight reel.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.