If you're considering a FedRAMP authorized solution these best practices can help. Learn from HackerOne and Sumo Logic why cloud migration is a unique challenge for federal agencies.

With so many simultaneous events going on, heightened awareness in response to state actors, US President Biden’s cybersecurity call-to-action, and the Microsoft Event, all of us need to remain aware and vigilant as supply chain attacks continue. We highly recommend taking a proactive approach to secure your environment with a defense-in-depth strategy and appropriate monitoring.

The tectonic shift happening within the public sector is seeing more and more federal organizations transitioning from legacy, on-premises systems to more scalable and secure cloud-based architectures. Sumo Logic’s cloud-first approach is a perfect fit for this so we’re excited to announce Sumo Logic has been prioritized by FedRAMP to work with the Joint Authorization Board (JAB) to achieve a Provisional Authority to Operate (P-ATO).

My role as a Chief Security Officer (CSO) has dramatically changed as we work to understand and adapt to COVID-19. It’s hard to believe that just a few weeks ago, my mind was focused on things such as FedRamp and the California Privacy Act (CCPA), now the majority of my time is focused on ensuring our employees safety and productivity, so they can continue to deliver products and support our customers and partners.

As we continue to adopt a digital-first mentality globally, there’s a massive shift to the cloud happening within federal agencies. While the sector has traditionally been slower to adopt new technologies, these agencies are understanding the urgent need to transition from legacy on-premise systems to more scalable and secure, cloud-based architectures.

The world is changing. The way we do business, the way we communicate, and the way we secure the enterprise are all vastly different today than they were 20 years ago. This natural evolution of technology innovation is powered by the cloud, which has not only freed teams from on-premises security infrastructure, but has also provided them with the resources and agility needed to automate mundane tasks. The reality is that we have to automate in the enterprise if we are to remain relevant in an increasingly competitive digital world. Automation and security are a natural pairing, and when we think about the broader cybersecurity skills talent gap, we really should be thinking about how we can replace simple tasks through automation to make way for teams and security practitioners to be more innovative, focused and strategic. A Dynamic Duo That’s why Sumo Logic and our partner, The Pokemon Co. International, are all in on bringing together the tech and security innovations of today and using those tools and techniques to completely redefine how we do security operations, starting with creating a new model for how security operations center (SOC) should be structured and how it should function. So how exactly are we teaming up to build a modern day SOC, and what does it look like in terms of techniques, talent and tooling? We’ll get into that, and more, in this blog post. Three Pillars of the Modern Day SOC Adopt Military InfoSec Techniques The first pillar is all about mindset and adopting a new level of rigor and way of thinking for security. Both the Sumo Logic and Pokemon security teams are built on the backbone of a military technique called the OODA loop, which was originally coined by U.S. Air Force fighter pilot and Pentagon consultant of the late twentieth century, John Boyd. Boyd created the OODA loop to implement a change in military doctrine that focused on an air-to-air combat model. OODA stands for observe, orient, decide and act, and Boyd’s thinking was that if you followed this model and ensured that your OODA loop was faster than that of your adversary’s, then you’d win the conflict. Applying that to today’s modern security operations, all of the decisions made by your security leadership — whether it’s around the people, process or tools you’re using — should be aimed at reducing your OODA loop to a point where, when a situation happens, or when you’re preparing for a situation, you can easily follow the protocol to observe the behavior, orient yourself, make effective and efficient decisions, and then act upon those decisions. Sound familiar? This approach is almost identical to most current incident response and security protocols, because we live in an environment where every six, 12 or 24 months we’re seeing more tactics and techniques changing. That’s why the SOC of the future is going to be dependent on a security team’s ability to break down barriers and abandon older schools of thought for faster decision making models like the OODA loop. This model is also applicable across an organization to encourage teams to be more efficient and collaborative cross-departmentally, and to move faster and with greater confidence in order to achieve mutually beneficial business goals. Build and Maintain an Agile Team But it’s not enough to have the right processes in place. You also need the right people that are collectively and transparently working towards the same shared goal. Historically, security has been full of naysayers, but it’s time to shift our mindset to that of transparency and enablement, where security teams are plugged into other departments and are able to move forward with their programs as quickly and as securely as they can without creating bottlenecks. This dotted line approach is how Pokemon operates and it’s allowed the security team to share information horizontally, which empowers development, operations, finance and other cross-functional teams to also move forward in true DevSecOps spirit. One of the main reasons why this new and modern Sumo Logic security team structure has been successful is because it’s enabled each function — data protection/privacy, SOC, DevSecOps and federal — to work in unison not only with each other, but also cross-departmentally. In addition to knowing how to structure your security team, you also need to know what to look for when recruiting new talent. Here are three tips from Pokemon’s Director of Information Security and Data Protection Officer, John Visneski: Go Against the Grain. Unfortunately there are no purple security unicorns out there. Instead of finding the “ideal” security professional, go against the grain. Find people with the attitude and aptitude to succeed, regardless of direct security experience. The threat environment is changing rapidly, and burnout can happen fast, which is why it’s more important to have someone on in your team with those two qualities.Why? No one can know everything about security and sometimes you have to adapt and throw old rules and mindsets out the window. Prioritize an Operational Mindset. QAs and test engineers are good at automation and finding gaps in seams, very applicable to security. Best Security Engineers didn’t know a think about security before joining Pokemon, but he had a valuable skill set.Find talent pools that know how the sausage is made. Best and brightest security professionals didn’t even start out in security but their value add is that they are problem solvers first, and security pros secondary. Think Transparency. The goal is to get your security team to a point where they’re sharing information at a rapid enough pace and integrating themselves with the rest of the business. This allows for core functions to help solve each other’s problems and share use-cases, and it can only be successful if you create a culture that is open and transparent. The bottom line: Don’t be afraid to think outside of the box when it comes to recruiting talent. It’s more important to build a team based on want, desire and rigor, which is why bringing in folks with military experience has been vital to both Sumo Logic’s and Pokemon’s security strategies. Security skills can be learned. What delivers real value to a company are people that have a desire to be there, a thirst for knowledge and the capability to execute on the job. Build a Modern Day Security Stack Now that you have your process, and your people, you need your third pillar — tools sets. This is the Sumo Logic reference architecture that empowers us to be more secure and agile. You’ll notice that all of these providers are either born in the cloud or are open source. The Sumo Logic platform is at the core of this stack, but its these partnerships and tools that enable us to deliver our cloud-native machine data analytics as a service, and provide SIEM capabilities that easily prioritize and correlate sophisticated security threats in the most flexible way possible for our customers. We want to grow and transform with our own customer’s modern application stacks and cloud architectures as they digitally transform. Pokemon has a very similar approach to their security stack: The driving force behind Pokemon’s modern toolset is the move away from old school customer mentality of presenting a budget and asking for services. The customer-vendor relationship needs to mirror a two way partnership with mutually invested interests and clear benefits on both sides. Three vendors — AWS, CrowdStrike and Sumo Logic — comprise the core base of the Pokemon security platform, and the remainder of the stack is modular in nature. This plug and play model is key as the security and threat environments continue to evolve because it allows for flexibility in swapping in and out new vendors/tools as they come along. As long as the foundation of the platform is strong, the rest of the stack can evolve to match the current needs of the threat landscape. Our Ideal Model May Not Be Yours We’ve given you a peek inside the security kimono, but it’s important to remember that every organization is different, and what works for Pokemon or Sumo Logic may not work for every particular team dynamic. While you can use our respective approaches as a guide to implement your own modern day security operations, the biggest takeaway here is that you find a framework that is appropriate for your organization’s goals and that will help you build success and agility within your security team and across the business. The threat landscape is only going to grow more complex, technologies more advanced and attackers more sophisticated. If you truly want to stay ahead of those trends, then you’ve got to be progressive in how you think about your security stack, teams and operations. Because regardless of whether you’re an on-premises, hybrid or cloud environment, the industry and business are going to leave you no choice but to adopt a modern application stack whether you want to or not. Additional Resources Learn about Sumo Logic's security analytics capabilities in this short video. Hear how Sumo Logic has teamed up with HackerOne to take a DevSecOps approach to bug bounties in this SnapSecChat video. Learn how Pokemon leveraged Sumo Logic to manage its data privacy and GDPR compliance program and improve its security posture.

Last week, a security vulnerability was announced involving the exploitation of common features in microprocessor chips that power computers, tablets, smartphones and data centers. The vulnerabilities known as “Meltdown” and “Spectre” are getting lot attention in the media, and no doubt people are concerned about its impact on business, customers, partners and more. Here’s what you really need to know about these vulnerabilities. What are Meltdown and Spectre? The Meltdown vulnerability, CVE-2017-5754, can potentially allow hackers to bypass the hardware barrier between applications and kernel or host memory. A malicious application could therefore access the memory of other software, as well as the operating system. Any system running on an Intel processor manufactured since 1995 (except Intel Itanium and Intel Atom before 2013) is affected. The Spectre vulnerability has two variants: CVE-2017-5753 and CVE-2017-5715. These vulnerabilities break isolation between separate applications. An attacker could potentially gain access to data that an application would usually keep safe and inaccessible in memory. Spectre affects all computing devices with modern processors manufactured by Intel or AMD, or designed by ARM*. These vulnerabilities could potentially be exploited to steal sensitive data from your computer, such as passwords, financial details, and other information stored in applications. Here is a great primer explaining these security flaws. What can be compromised? The core system, known as the kernel, stores all types of sensitive information in memory. This means banking records, credit cards, financial data, communications, logins, passwords and secret information could which is all be at risk due to Meltdown. Spectre can be used to trick normal applications into giving up sensitive data, which potentially means anything processed by an application can be stolen, including passwords and other data. Was the Sumo Logic platform affected? Yes. Practically every computing device affected by Spectre, including laptops, desktops, tablets, smartphones and even cloud computing systems. A few lower power devices, such as certain Internet of Things gadgets, are unaffected. How is Sumo Logic handling the vulnerabilities? As of January 4th, 2018, AWS confirmed that all Sumo Logic systems were patched, rebooted and protected from the recent Meltdown/Spectre vulnerability. We worked very closely with our AWS TAM team and verified the updates. Sumo Logic started the OS patching process with the latest Ubuntu release Canonical on January 9th. Risk level now that AWS has patched is low, but we will continue to be diligent in following up and completing the remediation process. We take this vulnerability very seriously and are dedicated to ensuring that Sumo Logic platform is thoroughly patched and continuously monitored for any malicious activity. If you have questions please reach out to secops@sumologic.com.

Cloud Data Breaches are on the rise because organizations do not leverage best practices and make recommended configuration changes to their S3 instances in AWS. As companies transition to the cloud, they should study the shared responsibility model and settle for the default settings. If you take these three simple steps you can help protect your data and prevent breaches in S3.

Every time I go to NYC I get a sudden surge of energy along with some edginess. During my first meeting ever in NYC I had a guy tell me, “You have 15 bleep bleep and bleep minutes to show me some value or your bleep is out the door.” I love this attitude because you know EXACTLY where you stand. The city that never sleeps sets the tone and pecking order when it comes to trends. I say usually because for the last two or three years, the good people of NYC have seemed a bit behind in technology and cloud services.

Hola peeps, Exciting times here at Sumo Logic! Last week we announced a new round of funding Sumo Logic Raises 80 Million and this week we are EXCITED to holla about our upcoming release of the AWS VPC Flow Log App! See the AWS blog by @jeffbarr https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/At a high level VPC Flow Logs allow AWS customers to create alarms that will fire if certain types of traffic are detected; you can also create metrics to help you to identify trends and patterns. The information captured by Flow Logs includes allowed and denied traffic (based on security group and network ACL rules). It also includes source and destination IP addresses, ports, the IANA protocol number, packet and byte counts, a time interval during which the flow was observed, and an action (ACCEPT or REJECT). The Sumo Logic Application will add a TON of additional value on top of what AWS is currently giving you with pre built Dashboards that show Geographical Locations of Network Traffic, highlight REJECTED IP’s Dashboard Uno: Packets dropping from China and Russia Dashboard Dos: Looking for Anomalies within the Network Traffic (Source, Destination, high rate of packets dropped) all dynamically set by our machine based learning analytics. This is just another step in quest of the Cloud Illuminati. Stay tuned for more updates and join us in our BETA program to get a head start on our AWS VPC Flow Application! Join the Cloud Illuminati Cambio y Fuera! George

In 2012, I wrote a Blog on how the RSA Conference was “Back to the Golden Age”. Now, in 2015, it has been confirmed. The excitement created by cloud startup solutions and the SecOps movement has more hype than the upcoming Mayweather vs Pacquiao bout! Having said that, all this great energy has an undercurrent of fear – fear of losing control. Fear that your archaic security architecture and processes will soon no longer be relevant and that you may not be involved in cloud strategy meetings. There are now billions of users going beyond the traditional boundaries of the enterprise into cloud offerings. That means over a billion users are moving at the ‘pace of cloud’ and using modern tools, while information security and compliance teams are operating in the dark with respect to this activity. Security professionals are being challenged with lack of visibility and growing threats within their environments transformed by these cloud offerings. Users are in the cloud, in and out of your network and out of your control. So what about user permissions, access control and compliance? Forget that, you cannot control these unless you try to incorporate about 20 disparate solutions which are likely not heterogeneous and cannot handle modern applications or the plethora of data that each generates. So as a security professional, you can take “samples” from this massive volume of data and hope that you can monitor trends and get a reasonable assessment of your security posture. That is like a Bronco fan having faith that Peyton Manning will bring them a Super Bowl win. Ain’t happening, unless, you get out in front of it with Sumo Logic’s Cloud Audit capabilities. Today, at RSA 2015, Sumo Logic is announcing that billions of users will no longer operate in the shadows. We are going to illuminate these users and empower the Cloud Illuminati to reclaim control while enabling productivity. Given our integrations with Microsoft Office 365, Box, ServiceNow, AWS and many other cloud solutions, users can go about doing their jobs beyond traditional boundaries with complete visibility and without any compromises. Visibility or illumination is the first measure of regaining control without compromising speed and agility. Visibility gives you the situational awareness to make critical, time-sensitive decisions, measure risk and manage threats based on comprehensive analysis of data. On- prem, off-prem, Saas, Paas, like a Ronda Rousey arm bar you can now start the process of securing your cloud. So we ask you now, do you want to be one of “those people”, or do you want to be one of us, the trail blazers, the storm troopers, the ones who have control, the Cloud Illuminati. We will be discussing Cloud Illuminati during my panel on Wednesday, April 22nd at 10:20am, Moscone West, Room 2022