Sponsored by Sumo Logic
Four Ways to Use Data Analytics to Fortify Your Cloud Security
When moving applications and data to the cloud, many organizations assume the cloud providers take over security. While most certainly offer enhanced security features, much of the responsibility remains with an organization. Unfortunately, security management can be quite complex in hybrid and multi-cloud environments. In this video, RTInsights talks with Siri Oaklander, principal product manager for Sumo Logic, and explores the security issues organizations face and the need for data analytics to improve cloud security.
Transcript
Joe McKendrick: Okay, welcome everyone, to today’s webcast, part of our series of discussions here at RTInsights with thought leaders from across the technology world. I’m Joe McKendrick, your host and
analyst and contributor with RTInsights. And I am so pleased to be speaking today with Siri Oaklander,
Principal Product Manager for Sumo Logic. Welcome, Siri.
Siri Oaklander: Thank you, it’s great to be here, Joe.
Joe McKendrick: It’s great to have you. Siri, you’re a seasoned industry expert, you have more than 20 years of experience in development, data management, and security. You know, I looked at your LinkedIn so, (laughs), you have quite a very impressive resume there.
Your career spans technology and leadership positions in companies such as McKesson, WhiteHat Security, Splunk, CloudPassage, and now Sumo Logic, so you really know your stuff and we’re really pleased to be able to have you here and learn particularly about data analytics and the way data analytics is changing the dynamics of cloud security.
So, let’s start off. Siri, there’s a notion out there that’s prevailing, where people assume that when they go to the cloud and they move their applications or data to the cloud, that the cloud provider takes over a lot of that security, but this is really something we can’t outsource, right? Security can’t be outsourced, is
that right?
Siri Oaklander: That’s right. I don’t know about you, but I have alerts set up on my bank account for any transfer above a certain amount, right? Now, certainly, my bank, and I won’t name any banks here, is responsible for security and banks have issues but I’ve been in the security industry long enough to know they’re also very determined and rigorous about making sure their systems are secure.
And yet, that’s one of the main things that hackers are after in the consumer space and they’re using the very tools that, that we use to do business in the cloud to steal stuff from the cloud. So just being in the cloud does not inherently make you secure.
It does externalize some of the responsibilities, right? So, as in the AWS shared responsibility model, you no longer have to be concerned with the physical security of your server, and you still have to be concerned about, say, something like sequel injection or other things that are about the security of how your system is built and how it can be abused.
Or simply, using the system correctly but being able to spoof, or acquire the credentials of a
legitimate user and then make use of it and, you know, as security professionals, we need to be
watching for those things on behalf of our organizations.
Joe McKendrick: Great, great. We’re here to talk about, you’re gonna be telling us about cloud security analytics. Can you talk about some common cloud security use cases?
Siri Oaklander: Yeah, let’s start sort of at the broadest level, right? So we can then zoom in. Sometimes I like to start small, sometimes big. But let’s start at the broadest level, because the first question is, what is the data and why, right?
And if you think about the anatomy of what an attacker is doing, what a defender is doing, we can dig in deep but let’s stay pretty high in general. An attacker is looking to get access to a system in order to extract something valuable, either an actual resource, the usage of that resource, information, right?
Extract that, use it, get out. And a defender is looking to make sure their system is architected for a minimal access necessary to try to avoid those kinds of problems so that, that it’s audited, security audits, application security testing, you are network security testing these kinds of things, auditing your code to make sure that their, you minimize the amount of vulnerabilities and attack surfaces available to attackers. And then to watch what’s going on so you can see when something has happened, either to be able to remediate it, to report on it, or hopefully to stop it.
And when you’re in that context and sort of Zoom out like that, you start to realize you need to know
who’s logging in when because that can help you know if that login is legitimate and where from, right?
You need to know what data is moving around, what systems are being used, what systems are being
spun out, right? You’re on a cloud environment that exposes you to this new reality that it’s not just the
resources you have, but the ability to provision those resources that’s at risk, right?
So all these different systems. Everything you interact with from the computer that we’re using to talk to each other to your email, your SAC, your bank accounts, your AWS or Azure or Google servers and infrastructure. All that, there is authentication risk, there is potentially sensitive data there or actual resources, money or information there. And all that is potentially a target and potentially an avenue to get to the target.
So when you’re looking at that universe, the first thing you have to think about is, “Well, okay, so how do I have data around all of this and have some ability to action around that?” One of the things that we call that at a higher level is a security data lake.
Joe McKendrick: What about the concept of security data lake? How is that helping the security posture, data security posture of companies?
Siri Oaklander: Yeah, that’s a great question because a security data lake is sort of a broad term. It’s just data, right? The reason you wanna think about it as a data lake is I like to think of, it’s not really two layers but
let’s say two layers of security data.
There’s the security data that has higher short term value, so what vulnerabilities do you have? What data most can be analyzed to detect threats and attacker actions, and then there’s this additional data that you need for audit and investigation, ’cause a lot of additional data that if something is happening, you may need to dig into to understand what’s happening to be able to stop it, to be able to diagnose it, to see what might have been lost, to understand the scope of your risk.
And so you need multiple tiers of the ability to store data. You need to be able to store both that
higher value, quicker access data and the broader lake of data that you may need to leverage and
analyze. And when we talk about all those different data sources that are possible, you can imagine the
amount of data that produces and that you need to be thoughtful about making sure you collect what
you need but also thinking about how do you manage that and store that? And that’s what a security
data lake is doing for you.
Joe McKendrick: Okay, and another area where you see a lot of data being generated and hopefully being put to good use is auditing compliance and, again, how are organizations using data or data analytics in this area, you know, helping with clients’ requirements, their auditing requirements?
Siri Oaklander: I see that in two layers. One is, there’s the compliance for yourself and there’s the compliance for your clients, which are demanding compliance of you, in order to be compliant. So, compliance to be honest, when I started in security and went from development to security, I saw compliance in a pretty bad light because it didn’t feel like it was really rigorous and not understood enough.
It felt like a checkbox, but as I get more mature and I realize the operational realities of doing security and doing that at a large scale with many companies, you realize that compliance is an avenue to making sure you are doing what you need to do. So a lot of audit and compliance simply requires you to have the data and have done the actions, right? So you need the analytics and data for that.
And then secondarily, you need to analyze what is the actions that you’re doing, what is the that you have built report on that so you can be compliant and prove compliance, so all, everything that you do for security applies to compliance and oftentimes, you know, I used to think of compliance as I said, as a sort of checkbox that wasn’t very important but it is a great guide for beginning with security and it’s where a lot of companies start.
They are either dealing with HIPPA or PCI or GDPR, or something like that because their clients need it or SoC 2, and that gives them guidance for the kinds of data they need to collect, the kinds of processes they need to have in place to analyze their attack surface and to look for attacks, and that gets them started. And so you both need to be able to execute those actions which requires analytics, and you need to be able to analyze what you’ve done and report on it in order to actually achieve compliance.
Joe McKendrick: That’s interesting you raise that about compliance as well as being a way to better manage your data and better manage your security. When compliance mandates come in to help these people and companies tend to groan and, (laughs) you know, see it as another layer of bureaucracy or tax on their operations but there’s a lot of benefit coming out of that as well, if properly employed with analytics.
Siri Oaklander: Yeah, and if you’re a compliance organization, you’re thinking about that systems-level, right?
We’re thinking, and as a security organization, I worked on the vendor side for most of my security life. We’re thinking about that systems level too. Like WhiteHat, you mentioned WhiteHat. I used to do, help Jeremiah Grossman produce a report on what our customers attack surface looked like and how well they remediated different kinds of things so we could look at what is the environment out there, according to what we can see?
And we’re not just concerned with our company’s security. We have, of course, we have people for that, we’re concerned with the security ecosystem, the general essentially hostility to the success of attackers and ability to, you know, to attack what they’re doing and prevent it.
So, at an ecosystem level, I think compliance is important and it’s much more useful to us if we lean into
it as a guide that helps us get there instead of as just an annoying checkbox.
Joe McKendrick: Great, great. And, of course, when we talk about ecosystem and look at the whole picture, there’s application security, where does data analytics come in to assist organizations in ensuring the security of their applications as well?
Siri Oaklander: Well, a lot of application security is data analytics, and then there’s also the reality that, that when I’m working with our customers, they’re working with a lot of different vendors that are helping them do application security, anything from vulnerability scanning to application security testing, to tools that help them look at their pipeline and avoid supply chain rest.
There’s a lot of different aspects to that but when it comes down to dealing with all of that information, it’s very useful to have a place to put that in to report on for compliance, but also to sort of cross reference it and be able to see, okay, what is my overall attack surface for this application? Well, it’s not just the application’s security results, right? It’s also the servers that it’s on, and it’s also the cloud system that it’s on. Those are often all different vendors or systems that are running to check those things. You need to bring them together and be able to analyze and then collect the dots.
I’ve talked with customers and what they’re excited about when it comes to application security isn’t just those results, but being able to say, “Okay, so yes, I’ve got some vulnerabilities on this EC2 instance on Amazon. Great.” And that the access, right? Is that public? Are there other vulnerabilities in the application or on the cloud layer that make that accessible, make those vulnerabilities more of a risk? Or are they not, right?
So that helps them know where do they need to put their energy, what is their real attack surface? And that requires some analytics that goes beyond just the results that are of that initial analytics to know if you got something vulnerable.
Joe McKendrick: And, Siri, we know that the large corporations, large organizations have huge security teams. They have huge IT departments, of course, and huge data management departments, but they also have fairly robust security departments as well with a lot of people working in those areas. But the small and the medium-sized businesses don’t necessarily have that and I imagine that makes them more vulnerable to security incidents. Can you talk to that and what we need to know about that?
Siri Oaklander: That’s true and I think that that’s been a particular concern for me and my team is how to enable a security practice to begin and grow. My wife works for a small startup, so I’ve watched her go through this as she built that startup from 6 to 70 people and starting with SoC compliance and various other things, building up both the ability to sell via compliance and also the ability to avoid security breaches in general.
And one of the disturbing trends, and it’s not really surprising, is that attackers seem to be focusing more on small businesses. They’re realizing, just as many organization do, that while it is attempting to go hunt whales and there’s a lot of [inaudible 00:01:18], that you can do, there’s a lot more fish in the sea than there are whales in the sea and you can do a lot better casting big nets ,and just like they attack users with big fishing campaigns, they start to attack small businesses with big pan- campaigns and then they don’t need to succeed on any one.
In some ways the game here is the classic you don’t need to be faster than the bear, you just need to be faster than your friend. In some ways, it’s really just that you need to be covering your bases. And as a small business you do have unlimited resources, unquestionably. So how do you begin to harden yourself and cover your bases and audit the things that are going to be most obvious?
Now, don’t begin with the most sophisticated stuff. Make sure that you’re covering your bases, the things that the attackers are going to be automatically going after. These attackers are less likely to be doing highly targeted persistent attacks against a small business than they are to be looking to employ systematic techniques across a broad range. So you can use the existing tools.
If your budget is low, start with sort of the most priority tools and consider some of the open source security projects out there, those are getting better and more varied and a solution to pull that data together so that you can analyze it and see what’s going on.
And again, have some thought about how you’re going to build that in the future. Believe in your company,
believe that you’re gonna grow and be a more attractive target, and that you’re gonna have more resources to grow that security program. So start with auditing your attack surface, getting basic awareness of compliance, that’s where compliance is gonna help you out because it gets your directed in the right place, getting that security data in so you can analyze it and have that available for audit and compliance. And then, start to work your way up to more advanced threat detection and install it.
Joe McKendrick: Fantastic, and I know you’re doing a lot of work in this area. Sumo Logic’s doing a lot of work in this area. Can you tell us how Sumo Logic helps secure the data and the applications that are in the cloud?
Siri Oaklander: I’d love to give you just sort of a high level because we could spend a long time on this, because Sumo Logic definitely does a lot in this area. And I think where we’re at with this conversation, we need to sort of start with what does Sumo Logic help you with to get this data to be able to store and access it, right? So let’s start there.
So first of all, Sumo Logic makes it very easy to bring data in. In addition to a variety of sort of standardized mechanisms that allow you to just send data over, we also have specific integrations with a lot of vendors where they don’t make that kind of general thing easy.
Beyond that, Sumo Logic makes it easy to stratify your data so that data lake use case we talked about, we have these different tiers that allow you to pay less for data you’re gonna access infrequently. So if you’ve got this data that’s needed more for audit and investigation and in that contingency, that data can be brought in and stored at a much lower cost than the data that you’re bringing in to do day to day analytics and threat detection. So that really helps out.
Then we can talk about all the tools and there’s a lot of them that Sumo provides for analytics from a very powerful and easy to use query language to dash boarding and out of the box content for security and for observability and reliability all together to more advanced tools like our cloud sim and our cloud storage tools. So there are a deep stable of tools that you get with Sumo Logic that you have access to to build and grow your security practice.
Joe McKendrick: Wonderful, wonderful. Any final thoughts on what should managers, executives, people running data, people in the IT as well as the business. What do they need to know? Any final thoughts on what they need to know about securing data and applications in the cloud?
Siri Oaklander: I think that it’s important just to remember that security is about managing risk, right, and about protecting your business and your customers, and so you need to sort of step back and think about what are the risks to your company, what are the risks to your customers, and what are your obligations to your customers, and to the public, right? And within that context we don’t have to have the full complete answer from the beginning, but it’s important to start to think about how can you build up a security practice that’s going to get better over time?
When I work with my customers of Sumo Logic, I’m always trying to help them think about where do they begin with what data, how do they grow that over time, and it’s not get it all right today, but what are the important pieces? And I think there’s a reason that things like cloud security posture management and other compliance things are often a first step, it’s not just because of the compliance, it’s because it is a good way to sort of sanitize and get an initial cut.
And then as you start to circle around, you start to cut deeper and start to look at your supply chain, you start to look at your application security testing and your static code analysis.
You start to look at threat detection and SIEM, so, you know, have a plan and build up, don’t try to get perfect from day one, but also think about how you can build up your plan. And I think that Sumo Logic is built very well to enable that. It’s one of the reasons I work here. And I hope that we’re able to help you if you decide to engage with us.
Joe McKendrick: Fantastic. Siri, this has been great. This is a really important topic, you know, companies want to be data-driven, they want to be digital, they want to depend on their technology, but security has to be job one, has to be everyone’s concern, it has to be right out there, up front, the foremost concern.
Great talking with you about this and, again, thank you for joining us.
Siri Oaklander: Thanks for talking with me, Joe. It was great to see you today.