
June 25, 2019, by Sridhar Karnam

Launching the AWS security threats benchmark

Today, we are announcing the general availability of a new module within our Global Intelligence Service: a benchmarking capability for AWS security built by baselining Amazon GuardDuty findings. If you are one of the 100,000 users of Sumo, go to your App catalog, install the Amazon GuardDuty benchmark app with one click, and see your threats against the global threat picture that we gather from hundreds of Sumo customers.

Sumo Logic has been a leader in providing global intelligence data, both to our customers and to anyone who downloads our modern app report. We have called it industry insight, because it gives you insight into your configurations within AWS: which services go well with each other, and even which database fits well with your configuration on EC2, based on benchmarking data.

Now, we are driving enterprise insights by applying the same statistical analysis and machine learning algorithms to create baselines on Amazon GuardDuty findings that serve as a global benchmark for AWS security threats. This AWS security benchmark app gives customers a baseline for what is normal and what is expected, and a way to dig deeper into the long tail of rare security events that security analysts would typically miss.

To understand better what a baseline can do for you, let me show you my utility (electricity & gas) bill from California.

The utility company creates a baseline and shows how I am doing on electricity and gas compared to similar homes and to efficient homes. From this simple graph I can tell whether I need to focus on saving gas or electricity and take measures to reduce consumption. That is the power of baselines. Apply the same analogy to security: if you can see how your threats compare to other, more efficient configurations, and double-click on the specific issues that cause the gap, you eventually arrive at industry best practice for your security configurations and for managing your security threats on AWS.

Let us go back to the Sumo Logic GIS for Amazon GuardDuty Benchmark and focus on three things it specifically does that help you with security.

What can security benchmark on AWS do for you?

1. Benchmark security threats on AWS

  • The Global Threat Activity dashboard gives you a view into active threats, their targets, and their severity from a GuardDuty perspective, and spotlights unusual activity to take a proactive security approach.
  • This dashboard does not contain any customer-specific data; instead, it displays the global threat profile as detected by AWS GuardDuty.
  • The purpose of this view is to give customers a view into broader threat activity within AWS.
  • Users can see which types of threats are active and what types of resources are being attacked; they can see the severity of those threats and observe the detailed distribution of specific active threats.
  • They can also see rare threats that are active.

Sumo Logic Global Intelligence Service for Amazon GuardDuty finds the signal in the noise by providing you with a view into what is happening from a threat perspective in the broader AWS environment. The Global Threat Activity dashboard gives you a view into active threats, their targets, and their severity from a GuardDuty perspective, and spotlights unusual activity to take a proactive security approach.

2. Prioritize your rare events to investigate

  • The purpose of this dashboard is to compare the global baseline with your GuardDuty threat activity.
  • It provides a view of your threat profile against your peers.
  • Users can see how many rare threat types are active in their account, and how their profile changes over time, to help them judge whether their AWS account is under threat.
  • It helps them understand exactly which threat categories, targeted resources, and threat severity levels differed from the global baseline, in order to direct their investigations.

Another interesting benchmark is the rare active threat type benchmark. It is relatively straightforward to figure out the top ten attacks on your account; however, that classic single-tenant view entirely misses whether what is happening to you is unique or a normal part of the global landscape. There are many security issues you can only analyze with visibility into global threat activity: you determine what is rare globally, then look for those threats in your own findings.

3. Threat hunt your rare security events on AWS

  • A rare threat is a one-off threat that many customers typically ignore.
  • The purpose of this dashboard is to highlight significant threats based on two primary methodologies: first, threats that appear in the customer's environment at a significantly different rate than globally; second, threats that appear in the customer's environment but are generally rare elsewhere in the global environment.
  • The dashboard provides both indicators of threats that satisfy the above criteria and details of specific occurrences of those threats, including account IDs, targeted resource IDs, the AWS region where the resource is located, and other details.

The benchmark app on Sumo Logic compares all active threats in your account to determine the significant contributors to the gap. Some of these threats would have gone unnoticed using a classic SIEM rules engine or even single-tenant analytics, because those lack the global context needed to compare your threats with the global user base. Without this lens, many important threats may remain buried under mountains of common findings.
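As an added illustration (not the Sumo Logic app's own code or algorithm), the two criteria from the rare-threat dashboard above, which also drive the rare active threat type benchmark, implemented over a constructed global baseline and one account's GuardDuty finding counts. The finding-type names are real GuardDuty types used as sample data; the rates, prevalences, thresholds and the `benchmark` helper are assumptions for the example.

```python
from dataclasses import dataclass
from math import log2

# Constructed global baseline (an assumption, not Sumo Logic data). Per GuardDuty
# finding type: mean findings per account per day, and the share of accounts that
# ever see the type. The type names are real GuardDuty finding types.
GLOBAL_BASELINE = {
    "Recon:EC2/PortProbeUnprotectedPort":               {"rate": 12.0, "prevalence": 0.90},
    "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B": {"rate": 0.40, "prevalence": 0.35},
    "Backdoor:EC2/C&CActivity.B!DNS":                   {"rate": 0.02, "prevalence": 0.03},
}

# Constructed sample: one account's GuardDuty finding counts over a 30-day window.
ACCOUNT_FINDINGS = {
    "Recon:EC2/PortProbeUnprotectedPort": 300,               # 10/day, close to the global 12/day
    "UnauthorizedAccess:IAMUser/ConsoleLoginSuccess.B": 90,  # 3/day against 0.4/day globally
    "Backdoor:EC2/C&CActivity.B!DNS": 2,                     # seen by only 3% of accounts
    "Recon:IAMUser/MaliciousIPCaller.Custom": 1,             # no global baseline entry at all
}

@dataclass
class Flag:
    finding_type: str
    account_rate: float       # findings per day in this account
    global_rate: float        # global mean findings per account per day
    global_prevalence: float  # share of accounts that see this type
    reason: str

def benchmark(findings, baseline, days, log2_shift=2.0, rare_prevalence=0.05):
    """Apply the two criteria from the post: (1) the account's rate differs from the
    global mean by at least 2**log2_shift either way; (2) the type is globally rare
    (prevalence below rare_prevalence, or unknown) yet present here. Thresholds are assumptions."""
    flags = []
    for ftype, count in findings.items():
        account_rate = count / days
        base = baseline.get(ftype, {"rate": 0.0, "prevalence": 0.0})
        if base["prevalence"] < rare_prevalence or base["rate"] == 0.0:
            reason = ("not in global baseline" if ftype not in baseline
                      else f"rare globally ({base['prevalence']:.0%} of accounts)")
            flags.append(Flag(ftype, account_rate, base["rate"], base["prevalence"], reason))
            continue
        ratio = account_rate / base["rate"]
        if abs(log2(ratio)) >= log2_shift:
            direction = "above" if ratio > 1 else "below"
            flags.append(Flag(ftype, account_rate, base["rate"], base["prevalence"],
                              f"{ratio:.1f}x {direction} global rate"))
    # Globally rare types first (rarest on top); within each group, busiest types first.
    flags.sort(key=lambda f: (f.global_prevalence >= rare_prevalence,
                              f.global_prevalence, -f.account_rate))
    return flags
```

With the sample data, the high-volume port probes are not flagged at all, while the two globally rare types sort ahead of the console-login rate anomaly, which is the prioritization the dashboard is meant to give an analyst.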

Sumo Logic also enables you to integrate findings with third-party tools such as ticketing systems, collaboration tools, and remediation tools. You can create alerts that trigger your standard security incident response processes, create incidents inside workflow tools for further investigation, or simply start collaborating with your team to address potential incidents.

4. Optimize AWS to align with baseline and industry best practice

Continuous improvement of security configurations against the global baseline of Sumo customers helps our customers not only optimize their own configurations but also improve the overall baseline, which in turn helps every user refine and reach even better configurations. This continuous improvement loop means customers end up with better security and compliance for their AWS infrastructure.

Customer Use Case: ThoughtWorks

ThoughtWorks is a leading modern application company that has contributed a great deal to the open source community around the continuous integration and continuous development stages of the software development life cycle.

"As a global consultancy, there are hundreds if not thousands of potential security threats and events that pass through our organization on any given day, making it a challenge to not only track, but prioritize how to handle these events," said Philip Duldig, senior security analyst at ThoughtWorks.

"As an early adopter of Sumo Logic's Global Intelligence Service for AWS GuardDuty, the biggest value we've experienced is the ability to get actionable insights to prioritize and benchmark rare or non-frequent security events from our AWS workloads so we can optimize our security posture. I also love that I can compare global benchmarking data with my local data, to see where we are stacking up."

How does the Sumo Logic Global Intelligence Service for Amazon GuardDuty help you?

Sumo Logic Global Intelligence for GuardDuty generates continuous machine learning and statistical baselines for KPIs (key performance indicators) and KRIs (key risk indicators) from the Amazon GuardDuty threat detection service. Sumo Logic customers use those baselines to benchmark, prioritize, and optimize security configuration and detection for their AWS accounts.

Customers benchmark their environment by observing, analyzing, and understanding the global threat profile on AWS provided through the KPI and KRI baselines. They prioritize threats and security responses by comparing their own threats against those global baselines. Finally, based on the baselines and the resulting investigations, they improve and optimize their security monitoring, configurations, and processes for their AWS accounts.

Sumo Logic Global Intelligence for GuardDuty is packaged as a set of analytical capabilities that customers access through the new Sumo Logic app for GuardDuty, which is available to Enterprise customers free of charge.
