Scaling a SOC with Cloud SIEM

As a financial services firm serving customers in Australia, New Zealand, Canada and Singapore, Latitude Financial must adhere to a range of regional compliance requirements. This required the company to reexamine its IT security investments and processes.

At the time, the security team consisted of three analysts and overall security operations were heavily reliant on a third-party managed security services provider (MSSP). Internally, Latitude Financial had adopted Sumo Logic for log management, but, on the security front, the company didn’t have a security information and event management (SIEM) solution in place, and there was no end-to-end real-time visibility into the security state of the environment.

On a mission to build out the company’s in-house security operations center (SOC), Latitude Financial evaluated multiple SIEM solutions and landed on Sumo Logic Cloud SIEM as the leading choice. Several factors stood out to the security team in their decision to adopt Sumo Logic, including

• Outstanding vendor engagement and level of support

• Rapid deployment in only a few days

• User-friendly interface that makes it simple to investigate and drill into entity information without pivoting to other tools

• Cloud-native architecture and storage that alleviates the need to manage backups

Empowered security with visibility and actionable insights

The first step for the security team was implementing Sumo Logic Cloud SIEM to get visibility across the company’s infrastructure. Latitude Financial has 3,000 employees working across geographical locations and a range of workstations, servers, and other tools running both on premises and in AWS cloud environments. Setting up integrations was a simple process for Sumo Logic to ingest telemetry data from the environment, and the company now has 46 security sources that Sumo Logic analyzes to feed into the team’s SOC dashboards.

By centralizing data into Sumo Logic for security analysis, Latitude Financial effectively gained real-time security insights across the entire infrastructure and security stack. Sumo Logic’s daily ingestion of 100GB generates 61 million records and more than 100,000 signals. These deliver the security team eight to ten actionable insights daily.

Cloud SIEM’s powerful correlation and analysis allow the team to efficiently focus on the daily insights that require attention. Armed with out-of-the-box solutions and custom dashboards, the security team leverages 184 security dashboards that make it simple to manage the investigation process. Dashboards are interactive with “single click” actions that enable the security experts to drill deeper for investigation details, even pulling in entity details from integrated tools. This efficiency and ease of use empower the team to rapidly complete investigation workflows.

“We now have a robust and reliable solution that’s much more than a traditional SIEM tool. In conjunction with Sumo Logic’s powerful dashboards, there's no need to pivot between various tools, and the solution has really matured our SOC’s detection and response capabilities,” said Paul Maddicks, Senior Security Operations Analyst at Latitude Financial.

Upskilled team through Sumo Logic certifications

Latitude Financial now has ten seasoned security analysts on the SOC team, which has empowered the company to increase its focus on initiatives that advance and deepen the team’s security skills. Part of the team's development is made possible by making full use of Sumo Logic’s free training and certification program. Interactive training and virtual cert jams have provided such great value that Latitude Financial has made it a prerequisite for its security analysts to complete the training and obtain the required certification.

“Sumo Logic training certifications have upskilled our analysts, increased their knowledge on the product and built up their confidence. As a result, our team is more efficient and can swiftly respond, triage and investigate insights,” said Maddicks.

Agile threat hunting to investigate, validate and remediate IOCs

Leveraging Sumo Logic Cloud SIEM, Latitude Financial is continuously maturing its SOC playbooks and processes. The security team also applies a rigorous threat-hunting practice that, in addition to uncovering indicators of compromise (IOCs), identifies opportunities to tune and enhance Cloud SIEM’s detection capabilities. The platform’s comprehensive data combined with its simple query language make it easy and powerful for threat-hunting experts to search and uncover suspicious activity.

For example, Maddicks shares that “Sumo Logic generated an insight about an unapproved remote access tool, which kicked off the team’s threat-hunting activities. They quickly uncovered instances of TeamViewer on laptops and drilled into Sumo Logic’s log data to identify the laptop name, username, IP address, and where the laptop was beaconing out to.” In no time, the threat hunters validated that the insight on a possible IOC was, in fact, a real threat and successfully remediated it.