Automate your SIEM with Sumo Logic in 7 clicks

At Sumo Logic Illuminate 2020, The Energy Authority’s IT Director for Service Delivery and Support Scott Follick spoke about the TEA, how they do things, what they have learned in the process of searching for a SIEM solution, and why they chose Sumo.

About The Energy Authority (TEA)

The Energy Authority provides public power utilities with access to advanced resources and various technology systems across the US. Energy is much more than the electric grid—there's power plants, hydro optimization, wind and solar farms. All of these things make up the energy markets across the US, and TEA participates in seven of those energy markets across the US.

TEA runs a 24/7 shop that operates with a very small IT staff heavily invested in various technologies. They have 225 employees across the country and business partners all across the US that are also running 24/7/365. TEA’s partners of course want to keep the power on 24/7/365.

TEA’s approach in 7 to 10 clicks

To support their partners, TEA heavily invests in technologies like OpenDNS, Cisco, Mimecast, and Microsoft products across their various platforms. They take complex systems and they try to take a very simple approach. In all this, they take a cloud-first strategy. But they go beyond virtualization—everything has to be built from the bottom up. For TEA, it’s ideal that any tool they’re considering delivers in 7 to 10 clicks, and has automation, which is key for them.

Searching for a SIEM solution

As they began the journey into SIEM, they looked at Gartner, talked to fellow IT professionals, looked at trusted vendors, and did many proof of concepts (POCs). Looking at each one, Follick talked about how they evaluated each solution based on critical factors like licensing model, how upgrades are managed, where threat intelligence is sourced, and automation features.

SOC-as-a-Service

TEA evaluated hybrid, on-premises, and cloud security operations center as a service (SOCaaS) providers, and found that most had one or all of the following downsides:

• Very expensive
• Limited visibility into dashboards
• High analyst turnover due to alert fatigue or information overload
• Threat intelligence is gathered from free sources, the same sources threat actors get their data from

On-premises solutions

In evaluating on-premises solutions, Follick’s team found that they had the following pitfalls:

• Opaque pricing—many hidden costs like infrastructure costs and storage costs
• More work for their team in terms of having to keep the system upgraded
• Lack of clarity in terms of who takes care of backups and how they’re done
• Complicated and rate-limited licensing
• Limited automation that doesn’t cover all the languages their team might want to automate in

Cloud

Diving into cloud solutions, Follick found that not all cloud SIEMs are created the same.

• Automated response does not always mean no human interaction—it could require an add-on tool set that adds another step for their team
• One trick pony solutions—e.g., they're great at log correlation, and that is all they do
• Licensing based on the number of devices, limiting the amount of data
• Threat intelligence is also homegrown or taken from free resources—same free resources the threat actors use

After many POCs with different vendors, Follick and TEA chose to go with Sumo Logic.

Why Sumo Logic?

Simplification is crucial for Follick’s team, and Sumo Logic delivered. Starting with the clicks, Single sign-on (SSO), one click. Into the insights, one click. Onto the signals dashboard, single click. From there, they can get right into the raw logs—just four clicks to see where the threat actor is and deciding what action to take.

With CrowdStrike Threat Intelligence, which Sumo Logic has partnered with, threat intelligence sources come from all over. TEA’s team can quickly drill down into one of the many graphs with a single click and find out what's going on, on the raw logs. It doesn't take long, it's seconds instead of minutes for them to get to where they need to be, and make a decision.

Another point for TEA going with Sumo is automated response. TEA wanted to run scripts to automate threat detection and response actions. Sumo is able to take scripts from TEA and run it without human interaction—all automated. This is especially important as TEA wants to be able to take action first before alerting IT.

The team at TEA preferred Sumo’s simple and flexible tiered licensing model based on storage. It's not based on events-per-second, user count, or devices. TEA just had to identify how much storage they’re going to need, and they’re all set.

More than a SIEM

Follick’s team at The Energy Authority saw great value in Sumo Logic as a SIEM--but the benefits go beyond that. Follick also liked that Sumo’s platform can take in dashboards from Varonis, PowerShell, SharePoint Online, their email, their Mimecast, their Azure, and most widely-used systems. They knew going into their search for a SIEM solution that developers would be right behind them. Now, leveraging Sumo Logic for DevOps is the next step for TEA. Their DBA teams are also showing interest in using Sumo to monitor Mongo and SQL. They are also now looking at using Sumo to monitor Kubernetes, which is built-in within the platform.

Scott Follick is the IT Director for Service Delivery and Support for The Energy Authority (TEA). Prior to TEA, he worked with CSX Railroad, local hospitals, and other Fortune 500 companies across the US.