Sumo Logic ahead of the packRead article
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.
Virtually every organization is a victim of cybercrime today. As the threat landscape evolves and proliferates, it’s necessary to prioritize the protection of data, customers’ privacy and brand reputation. Security directors must be prepared and equipped with the necessary tools to detect security events and address them accordingly at all times. This cannot be achieved without security investigation and correlation, and with the latest technologies, these can be performed at cloud-scale with ease.
In this article, we will learn:
Security investigation is a core function of security defense and it aims to identify threats and determine the nature and scope of security issues. It covers events - suspected intrusion events, in particular - to indicate what happened and how to act upon it quickly.
For security analysts, security investigation means analyzing massive amounts of data and patterns of behavior and making informed decisions based on the evidence they find. Typical methods of discovering a threat include rule-based algorithms, dashboard activity, obvious damage and threat intelligence.
There are two main points of focus in the investigation:
The process is oriented at answering the following five Who-What-Where-When-Why questions:
Answering these questions should lead analysts to an informed decision on actions required to remediate the attack and eliminate further threats.
Correlation is one of the key components of any SIEM tool. It helps to decide what to pay attention to in an avalanche of highlighted threats. SIEM absorbs vast amounts of data from your entire digital environment and compares sequences of activities against predefined rules to identify possible issues; that’s correlation. The rules may be predefined by your SIEM vendor or be custom modified as needed.
If your SIEM tool has appropriate rules in place, it will able to identify a potential threat from a series of failed log-in attempts. Most SIEM products available on the market come with pre-defined correlation rules. It is recommended to sift through them and decide which ones will be useful for your business and create new rules as needed.
You should also be aware that if you implement too many rules, you may end up with a significant amount of false positives, so it’s important to strike the right balance.
In many cases, less than 10% of high priority threats are fully investigated because threat investigation in SIEM is extremely challenging. Here are the limitations security directors will have to address, and what security directors will need to tackle:
If you implement too many correlation rules, you will likely end up with a significant number of false positives, just like with any other monitoring algorithm. You don’t want to waste the efforts of your security administrators on nonexistent threats, so it’s important to strike the right balance. Bear in mind, however, that even if your SIEM is working properly, you will have some false positives generated anyway.
Achieving this balance is a challenge in itself because you will have to decide which pre-configured correlation rules are not applicable to your environment and which rules you will have to configure by yourself. If these are not applied properly, you will end up with an overall slow and inefficient SIEM system.
We’ve established that to investigate threats effectively, data must be analyzed in real-time and in unified workflows. Unlike other analytics solutions, Sumo Logic makes it quick and easy to get started with advanced analytics that unify logs and metrics data. Our solution helps make sense of petabytes of data (unstructured, semi-structured or structured) by using statistical, index, filtering and machine learning techniques. The cloud-native platform analyzes logs and metrics on a large scale to drive actionable insights in real-time, which allows you to isolate problems quickly with outlier detection and machine learning algorithms.
The Sumo Logic SIEM solution offers cloud scale correlation based on rules for known threats and subquery-based correlation for new threats that emerge. This means the solution allows you to identify users with compromised credentials, understand the extent of a compromise, identify an attacker and automate the response going forward; all of these are easy to track via the app dashboard.
In the example below we look at the Alert Center Investigations dashboard in our integration with the G Suite App:
By filtering out all activities performed by the compromised user, the dashboard will display (among others):
There are more functionalities of this integration; to find out more about them, please refer to this post.
Another useful functionality of our platform is the sub-query. These can be instrumental in preventing future attack scenarios. Sumo Logic sub-queries can be used to develop a search to automatically correlate alerts with user activity on other data sources such as Salesforce.com; see the example below.
You are now ready to convert this search to a scheduled search to automate the creation of an incident in your incident response tool.
Once you’ve identified the user and the extent of their activity after the compromise, you can then investigate how this user could have been compromised in the first place.
Reduce downtime and move from reactive to proactive monitoring.
Build, run, and secure modern applications and cloud infrastructures.Start free trial
Moving to the cloud offers more than economics; it comes with unique security challenges that on-premises solutions cannot address. In minutes, Cloud Infrastructure Security for AWS from Sumo Logic brings cloud-native security analytics to AWS cloud environments. Curated workflows, out-of-the-box dashboards and AI-driven anomaly detection help security personnel easily monitor cloud security posture and cloud configurations and manage cloud risk from a centralized platform.
The principles of data protection are the same whether your data sits in a traditional on-prem data center or in a cloud environment. The way you apply those principles, however, are quite different when it comes to cloud security vs. traditional security. Moving data to the cloud introduces new attack-surfaces, threats, and challenges, so you need to approach security in a new way.