Pricing Login
Platform
Platform overview

SaaS analytics platform for reliable and secure cloud-native applications

More information about platform overview
Multi-cloud

Accelerate cloud migration and optimize infrastructure reliability on any cloud

More information about multi-cloud
Security
Observability
Solutions
Powerful integrations
Kubernetes GitHub AWS Blue Apache MongoDB PagerDuty AWS Lambda Google Kubernetes Engine Microsoft Azure
Comprehensive compliance
  • SOC 2 Type II
  • PCI-DSS
  • FedRAMP®
Customers
Customer stories

Trusted by thousands of customers globally.

More about customer stories
Featured Customer Stories

Pokémon delivers safe gaming to hundreds of millions of users.

Read Pokemon's case study

Data tiering saves Infor $1 million in one year

Read Infor's case study

Monitor and secure 10,000 clouds

Read Hashicorp's case study
Customers by industry:
Browse all
Pricing
Docs
Resources
Resource center

Browse our library of ebooks, briefs, reports, case studies, webinars & more.

More resources
Featured
Helpful Resources
2022 Gartner® Magic Quadrant™ for APM and Observability

Download report

More
More
2022 Gartner® Magic Quadrant™ for SIEM

Download report

More
More
2022 SOAR market guide

Read article

More
More
What is reliability management?

Watch video

More
More
New & Notable
Comply with the CERT-In Directions 2022

Read article

More
More
The ultimate race condition: Securing open source infrastructure

Read article

More
More
Scale automation for secure and reliable applications

Download paper

More
More
Log management: the key to reliable and secure applications

Read the guide

More
More
Training
Blogs
Featured
Eight best practices for a successful cloud migration

Strategy best practices

More
More
DevSecOps and log analysis

Improving application security

More
More
SIEM vs SOAR

Modern SOC tools

More
More
Too many tools?

IT tool consolidation best practices

More
More
View all blogs
Browse by Topic
2022 Gartner® Magic Quadrant™ SIEM

Get the report

More
Webinars
Featured
Sumo Logic quick start webinar

Get started with Sumo Logic

More
More
2022 Global SRE Pulse survey

What’s the state of SRE?

More
More
DOIF: Legacy to cloud-native architectures

What is truly cloud-native?

More
More
The role of automation in SOC response plan

The future of cybersecurity

More
More
View all webinars
Browse by Topic
2022 Gartner® Magic Quadrant™ SIEM

Get the report

More
Guides & reports
Featured
The state of SRE 2022

Download infographic

More
More
Why reliability management matters

Download paper

More
More
A buyer’s guide to observability

Download guide

More
More
Log management: the key to reliable and secure applications

Read the guide

More
More
SOAR: the everything guide to SOAR, tools and solutions

Read the guide

More
More
View all guides & reports
Browse by Topic
2022 Gartner® Magic Quadrant™ SIEM

Get the report

More
Demos & videos
Featured
Unified cloud-native platform vs Splunk

How many tools do you use?

More
More
Demo: AWS observability

Accelerating troubleshooting

More
More
What is reliability management?

SLO, SLI, SLA: Beyond alphabet soup

More
More
Demo: 3 am troubleshooting for an on-call engineer

Step-by-step process

More
More
View all demos & videos
Browse by Topic
2022 Gartner® Magic Quadrant™ SIEM

Get the report

More
Company
Support Contact us Start free trial
Contact us Support Start free trial
Back to blog results

January 13, 2022 By Sumo Logic

Monitoring your AWS environment for vulnerabilities and threat detection

Managing the security of your Amazon Web Services (AWS) environment requires constant vigilance. Your strategy should include identifying potential threats to your environment and proactively monitoring for vulnerabilities and system weaknesses that malicious actors might exploit. In a complex environment—such as your AWS account with a multitude of services, coupled with various architectures and applications—the ideal solution should be both comprehensive and straightforward.

On this page, we’re going to explore some of the security intelligence services available from Sumo Logic and discuss how they can help you stay ahead of potential threats to your environment. We’ll cover what each service does, how you can make the most of it, and where to find more information. Finally, we’ll introduce you to some of the security dashboards Sumo Logic provides for its users. Security dashboards provide an easy way to observe the health and security of all your systems and provide your security teams with real-time data they can use to make critical business and security decisions.

Getting started with Sumo Logic

If you’re new to Sumo Logic, you should know that it’s a platform that extends beyond security management and threat intelligence services. Sumo Logic supports cloud monitoring and log management as well. The platform provides a centralized platform that can aggregate data from multiple sources. It provides tools and dashboards to view and analyze data and provide users with a holistic view of their entire cloud ecosystem.

If you’re interested to see how Sumo Logic can help you monitor, troubleshoot, and secure your cloud environment, check out a 30-day free trial.

Let’s explore some of the sources you can integrate with your Sumo Logic account, as well as how to connect and begin gathering data from those sources for AWS monitoring.

Bringing cloud metrics into Sumo Logic

Connecting your AWS account data

At the time of writing, Sumo Logic supports integrations with over thirty of Amazon’s most popular AWS services. Most of these services are connected to Sumo Logic using a hosted collector. Typically this involves creating a new role within your AWS account, using AWS Identity and Access Management (IAM) with read-only permissions to the services from which you need to collect data. The Sumo Logic documentation includes step-by-step instructions and even CloudFormation templates to ensure this process is as straightforward as possible.

Once the process is complete, the relevant AWS data will be available as a source within your Sumo Logic account. The next step is to install the appropriate app and connect it to the data source. You’ll immediately have access to a variety of preconfigured, handy dashboards that you can use to view data, troubleshoot problems, and identify anomalies.

Collecting machine metrics

In addition to AWS services, your AWS environment might also include a variety of virtual machines and containers. Sumo Logic uses installed collectors to gather such metrics as network activity, CPU usage, memory usage, and storage access. Sumo Logic supports these collectors on Windows, Linux, and Docker, among other systems.

You can manually install the collector. In dynamic and scalable environments, including the collector as part of your base image ensures that all new machines and containers can report their metrics to your Sumo Logic account. As with the AWS data sources above, once configured, you’ll have access to the metrics from a data source within your Sumo Logic account, following which you can install the relevant App and immediately view your data through a variety of preconfigured dashboards.

Gathering application data

Last, but by no means least, are your applications. Most cloud applications execute with a web server environment. Some of the more popular servers include Apache, Tomcat, and various flavors of NGINX. You can find a listing of all supported web servers here.

Web servers typically support log management and metric reporting as core functionality. You can add the appropriate configuration to direct those logs and metrics to your Sumo Logic account, referencing the Sumo Logic documentation.

Once you have configured the web server as a data source, this data too will become available as a source within your Sumo Logic account. Many of the existing security applications and dashboards within Sumo Logic will aggregate this data with other data points from your environment and give you a well-rounded view of the state of security within your environment.

Connecting your security tools to Sumo Logic

Sumo Logic provides integrations with many of the most popular and advanced security monitoring tools around. From Akamai Security Events and Barracuda WAF to Carbon Black, Twistlock, and Zscaler. You can find a complete list of supported security and threat detection products and platforms that you can connect to Sumo Logic. Each product includes comprehensive instructions on collecting logs and events and installing the respective App and associated dashboards in your Sumo Logic account.

Now that we have our metrics and data sources from our cloud environment and our security tools, we can take a deep dive into several of the security and threat detection dashboards available within your Sumo Logic account.

CrowdStrike Threat Intelligence

This app correlates threat intelligence data from CrowdStrike with log data from your environment to detect and mitigate threats to your environment. The CrowdStrike Falcon platform is an industry-leading security platform that actively monitors your cloud environment for threats and automatically mitigates most malicious attempts to infiltrate your system. The Sumo Logic Threat Intel Quick Analysis App is especially adept at protecting your environment against sophisticated and persistent cyber-attacks.

The Threat Intel App specifically queries IP, URL, domain, Hash 256, and email logs together with CrowdStrike data from your environment. As this dataset can grow significantly, it’s essential to optimize the default queries to filter out unnecessary records and focus on the most critical areas of your environment. An optimization page describes these optimizations and provides clear examples of optimizing the queries based on your environment.

The app has six preconfigured dashboards that provide graphics information and count for the number of recent threats (within a 15-minute window), threat trends over time, and the type and source of threats detected. The dashboard shown below describes threats related to malicious IP addresses, including where the threat originated, the confidence of a hostile threat, and the trend in types of threat over time.

CrowdStrike Threat Intelligence

The dashboards available include:

  • Overview: Consolidated threat counts from each of the threat areas the app monitors.

  • Domain: Threats originating from malicious domains, including actors and sources.

  • Email: Emails received from known bad actors and domains and trends over time.

  • IP: Shown in the dashboard above. Source, types, and confidence of IP threats.

  • URL: Threats from URLs identified as individuals, groups, or nation-states.

  • Hash 256: Sources of threats involving cryptographic-related attempts by type and source.

By combining data from multiple sources, the Sumo Logic dashboards can present a holistic view of your AWS ecosystem, helping to protect your applications and email system while keeping you informed.

AWS CloudTrail insights

Within your AWS account, you have access to the CloudTrail service. CloudTrail records interactions with the AWS APIs, delivering audit capabilities to comply with various regulations and provide insights into activities that indicate potential security risks. As with many AWS services, CloudTrail is comprehensive, versatile, and rich in available data. When combined with the Sumo Logic CloudTrail App, you can visualize the data and create alerts and mitigation strategies.

The Sumo Logic CloudTrail App requires that you have CloudTrail enabled on your account. It gathers data through an IAM role that grants read-only access to the CloudTrail data. Once you’ve enabled the App on your account, you’ll have access to various dashboards, including the account overview, shown below.

AWS CloudTrail insights

Additional dashboards provide insights into:

  • User Monitoring: User location, top 10 actions by users, and recent launch and terminated instances.

  • Network & Security: Authorization failures, security events, short-lived critical actions, and ingress/egress concerns.

  • Operations: Actions by user for the past hour, recent regional events, Elastic IP, and resource creation and deletion events.

  • Console Logins: User activity relating to the AWS console, including outliers, failed logins, and logins without MFA.

The App also provides insights into public S3 objects and buckets.

AWS GuardDuty

Much like CloudTrail, AWS GuardDuty is an AWS service that monitors your AWS account and environment for malicious activity. GuardDuty works with CloudTrail logs to prevent unauthorized activity and improve your ability to monitor and investigate security incidents.

As with CloudTrail, you can install the GuardDuty App on your Sumo Logic account. Providing access to the GuardDuty data in your AWS account will enhance your ability to monitor and observe the state of security within your account. The GuardDuty dashboards present intuitive insights into security threats and their severity.

  • Overview: Shown below, this includes a map and threat details by severity, IP, region, and resource type.

  • CloudTrail: Details of CloudTrail threats in the past 24 hours, including trends and actions are taken.

  • GuardDuty: Threats identified by GuardDuty by region, severity, resource type, and security group, among others.

  • VPCs, Subnets, Security Group Details: Threats affecting your VPC, subnets, and security groups over the past 24 hours.

AWS GuardDuty

Cloud SIEM

For Enterprises with more sophisticated needs, Sumo Logic Cloud SIEM, a cloud-native system designed to support the security needs of single-cloud, multi-cloud and hybrid environments is available. Cloud SIEM from Sumo Logic is a Security Operations Center (SOC) platform to protect your enterprise from current and future threats.

You can use Cloud SIEM from Sumo Logic to secure AWS, your SaaS apps, infrastructure, and Kubernetes environments from a central control plane. You can even schedule a demo with a Sumo Logic expert to help you uncover all the ways that partnering with Sumo Logic can help you better secure your organization now and in the future.

Learning more

If you’d like to know more about how Sumo Logic can help your organization monitor, troubleshoot, and secure your cloud environment, please reach out to their responsive support team and a thriving community of enthusiasts. As mentioned above, you can also take advantage of a 30-day free trial test drive of each of the apps, dashboards, and features listed above.

Complete visibility for DevSecOps

Reduce downtime and move from reactive to proactive monitoring.

Start free trial

Categories

Spotlight

Sumo Logic cloud-native SaaS analytics

Build, run, and secure modern applications and cloud infrastructures.

Start free trial

Sumo Logic

More posts by Sumo Logic.

People who read this also enjoyed

Blog

How to choose and track your security KPIs

Key Performance Indicators (KPIs) can be crucial for your organization's security. But what KPIs to choose and track to enhance your security program?

Blog

Find threats: Cloud credential theft on Linux endpoints

How your cloud credentials are stored on Linux endpoints could lead to unforeseen risks. Learn how Sumo Logic helps you hunt for and monitor malicious activity.

Blog

The ultimate race condition: Securing open source infrastructure

Open source security software isn't for hobbyists anymore. Now that businesses rely on OSS for security, learn about the benefits and pitfalls.