The evolution of security has meant “naming in this space has been an adventure,” and the challenge for cloud vendors has been to provide capabilities while automating and making platforms easy to use, said Rhett Dillingham, vice president security product at security operations provider Sumo Logic.
Dillingham spoke on the topic at RSA with Adrian Sanabria, a host of Enterprise Security Weekly.
Sumo Logic’s history has been to make it easy to bring logs in, get initial value, and automate as much as possible, Dillingham said. Part of being a cloud vendor in the security space has meant trying to make platforms “self-service adaptable.”
Tackling the people aspect of automation
Security automation has been a big topic for a while now, given the dynamic nature of threats and companies grappling with talent shortages, Sanabria observed. Another issue is the overhead associated with products.
Even with the benefits automation brings, someone still has to create the automation, make sure a platform works properly, monitor it, fix it if something breaks, and know how to deal with APIs, he noted.
Automation, Sanabria added, is scary.
Sumo Logic aims to alleviate the operational aspect of managing security stacks, which frees teams up to derive value from them, Dillingham said.
As teams work through the end-to-end security operations workflow from collection to detection to investigation response and think about what can be automated in that chain, “there tends to be an over-rotation toward the investigation response portion,’’ he said. So Sumo Logic has focused “on automating as much as possible and investigation by clustering” events into a “refined, true positive alert.”
The goal is for security teams to be able to easily compile information into the platform, Dillingham said. Sumo Logic last week announced it has integrated the workflow automation portion of its cloud SOAR offering as part of its SIEM. It aims to provide “a stepping stone short of full SOAR adoption” as the next step in automation.
The idea is once you’ve clustered entity relationships around investigations in triage, now you can automate enrichment into that alert, Dillingham explained. From there, you can do the refining and automate notifications.
SOAR vs. SIEM
The two discussed the features of SOAR and SIEM, which came to be defined in security operations in a way that “lumped a few technologies together [and] met your capabilities in a way that has made it unapproachable for a certain segment of enterprises,” Dillingham said.
Sumo Logic’s goal is to make the incremental steps easier to adopt and utilize, regardless of the nomenclature of what SIEM and SOAR are, he said. “It’s a platform for security operations.”
Another concern with adopting SOAR technology has been the risk of over-automating beyond what the organizational culture is ready for, specifically, in automated response, Dillingham observed.
The way Sumo Logic sees it, he said, is you should be automating the work as much as possible to become more efficient. Then you can move into response and make it more iterative so it becomes an efficiency gain.
Large language models and ChatGPT
Sumo Logic has also just integrated its SOAR framework into a chat provider of a customer’s choice. That enables them to utilize Q&A and chat capabilities out of the box, he said.
The platform collects data from a variety of sources and alerts or raw data, so someone can pull in common remediation methods for that technology, for example.
But Dillingham noted that it is an organizational decision as to whether they are comfortable with the information coming from ChatGPT.
CISO struggles
Tool consolidation has become a big pain point for CISOs, Dillingham said. So is the efficiency and efficacy of teams.
This is why Sumo Logic is aggregating SIEM with SOAR and building a bridge between the two to address the consolidation of alerts coming from the proliferation of tools, he said.
By Esther Shein
