Sumo Logic piggybacks on Amazon GuardDuty for security benchmark service

Sumo Logic has rolled out a security benchmark service built on threat data aggregated across all its customers, and is working out how to apply the same approach to other problems.

The Global Intelligence Service for Amazon GuardDuty uses findings generated by Amazon’s GuardDuty service to deliver a global baseline for analysing threats, and insights for individual customers measured against that baseline.

Sumo Logic CTO Christian Beedgen said, “For a long time we’ve had this desire to leverage the fact that we’re seeing data from more than one customer. To give insights back to each customer based on some sort of ‘aggregate’ of what we are seeing at other customers.”

“We’ve been working for a long time along two axes: one is getting processes in place where we are doing these types of things in a responsible fashion, and second, to figure out what it completely means.”

He said AWS’s GuardDuty service lent itself to this approach. It delivered a well-structured data set, he said, but, “like with any other automated alerting system you end up scratching your head, because you feel that because there’s something put in front of you, you have to do something – it’s overwhelming.”

He said Sumo Logic had applied its own algorithmic processing to the findings to establish a baseline and “present that to people as a global dashboard.”

He said that 75 per cent of the messages are “low-severity recon events, port scans – cosmic background noise…”

The interesting part, he continued, was “how the types of alerts you’re getting compare to the global baseline. If a particular type is getting more instances than in the general population, that’s something you should focus on.”

The other interesting part, he said, was identifying the things that “almost never happen.”

“There’s a separate display for those,” he said. “The idea is to give additional focus to the long tail, compared and normalised against the global baseline.”

If the routine recon traffic is ignored, around half of the remainder consists of what AWS classifies as unauthorised access. “It’s not necessarily that someone is looking into your machine – it’s people using the AWS API to potentially escalate privileges.”

“At the bottom of the list comes crypto,” he said. During the beta phase it emerged that one customer had a number of EC2 instances lying idle, and these had been hijacked for bitcoin mining.
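The benchmarking logic Beedgen describes above (a global baseline of finding types, a per-customer comparison against it, and a separate view of the long tail) can be sketched in a few dozen lines. The following is an added example written for this article, not Sumo Logic’s code or the GuardDuty API; the customer names and counts are constructed, and the finding-type strings merely follow GuardDuty’s ThreatPurpose:ResourceType/ThreatFamily naming. The ratio and long-tail thresholds are assumptions chosen for the sample data.

```python
from collections import Counter

# Constructed sample data: findings per customer, keyed by GuardDuty finding
# type. Customers and counts are invented for this example; a real deployment
# would aggregate finding counts exported from each customer's GuardDuty.
SAMPLE_COUNTS = {
    "customer-a": {
        "Recon:EC2/PortProbeUnprotectedPort": 700,
        "Recon:EC2/Portscan": 100,
        "UnauthorizedAccess:IAMUser/MaliciousIPCaller": 60,
        "UnauthorizedAccess:EC2/SSHBruteForce": 40,
    },
    "customer-b": {
        "Recon:EC2/PortProbeUnprotectedPort": 300,
        "UnauthorizedAccess:IAMUser/MaliciousIPCaller": 150,
        "UnauthorizedAccess:EC2/SSHBruteForce": 20,
        "CryptoCurrency:EC2/BitcoinTool.B!DNS": 30,
    },
    "customer-c": {
        "Recon:EC2/PortProbeUnprotectedPort": 500,
        "Recon:EC2/Portscan": 50,
        "UnauthorizedAccess:IAMUser/MaliciousIPCaller": 30,
        "UnauthorizedAccess:EC2/SSHBruteForce": 20,
    },
}

# Assumed: everything in GuardDuty's Recon threat purpose is treated as the
# "cosmic background noise" the article describes.
NOISE_PREFIX = "Recon:"


def _keep(ftype, ignore_noise):
    return not (ignore_noise and ftype.startswith(NOISE_PREFIX))


def global_baseline(per_customer, ignore_noise=False):
    """Share of each finding type across all customers' findings."""
    total = Counter()
    for counts in per_customer.values():
        for ftype, n in counts.items():
            if _keep(ftype, ignore_noise):
                total[ftype] += n
    grand = sum(total.values())
    return {ftype: n / grand for ftype, n in total.items()} if grand else {}


def customer_shares(counts, ignore_noise=False):
    """Share of each finding type within one customer's findings."""
    kept = {f: n for f, n in counts.items() if _keep(f, ignore_noise)}
    grand = sum(kept.values())
    return {f: n / grand for f, n in kept.items()} if grand else {}


def noise_share(per_customer):
    """Fraction of all findings that are low-severity recon noise."""
    total = sum(sum(c.values()) for c in per_customer.values())
    noise = sum(n for c in per_customer.values()
                for f, n in c.items() if f.startswith(NOISE_PREFIX))
    return noise / total if total else 0.0


def over_represented(per_customer, customer, min_ratio=2.0, ignore_noise=False):
    """Finding types whose share at `customer` is at least `min_ratio` times
    their global share, most over-represented first. These are the alerts
    worth focusing on; a type at ratio ~1.0 is just the general population."""
    baseline = global_baseline(per_customer, ignore_noise)
    mine = customer_shares(per_customer[customer], ignore_noise)
    flagged = [(f, s / baseline[f]) for f, s in mine.items()
               if s / baseline[f] >= min_ratio]
    return sorted(flagged, key=lambda pair: pair[1], reverse=True)


def long_tail(per_customer, customer, max_global_share=0.02):
    """Finding types seen at `customer` that almost never occur globally,
    for the separate long-tail display."""
    baseline = global_baseline(per_customer)
    return sorted(f for f in per_customer[customer]
                  if baseline[f] <= max_global_share)


if __name__ == "__main__":
    print(f"recon noise share: {noise_share(SAMPLE_COUNTS):.1%}")
    for cust in SAMPLE_COUNTS:
        print(cust, "over-represented:", over_represented(SAMPLE_COUNTS, cust))
        print(cust, "long tail:", long_tail(SAMPLE_COUNTS, cust))
```

On the constructed data, customer-b’s cryptocurrency findings make up only 1.5 per cent of the global population (the bottom of the list) yet run at four times the global share locally, so they surface in both the over-represented and the long-tail views, while customer-a’s alerts all sit within normal range of the baseline. Passing `ignore_noise=True` recomputes both sides with the Recon findings dropped, which is the “if the routine recon traffic is ignored” view.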

Other services were in the pipeline, he said. “We’ve been experimenting internally with different kinds of benchmarking things – we looked at resource use of databases, and there might be more along these lines in the future.”

“In general, the ideal solution would be to do cross-customer, generic anomalies for anything – but that’s just not going to be possible,” he said.

“We have a whole team that’s trying to formulate hypotheses as to what algorithms could usefully help to identify.”