Sumo Logic has rolled out a security benchmark service based on threat data aggregated from all its customers, and is working on how to apply the approach to other problems.
The Global Intelligence Service for Amazon Guard Duty uses data generated by Amazon’s Guard Duty service to deliver a baseline for analysing threats, and insights for individual customers.
Sumo Logic CTO Christian Beedgen said, “For a long time we’ve have had this desire to leverage the fact that we’re seeing data from more than one customer. To give insights back to each customer based on some sort of ‘aggregate’ of what we are seeing at other customers.”
“We’ve been working for a long time along two axes, one is getting processes in place where we are doing these types of things in a responsible fashion, and second to figure out what does it completely mean.”
He said AWS’s Guard Duty service lent itself to this approach. It delivered a well structured data set, he said, but, “like with any other automated alerting systems you end up scratching your head because you feel that because there’s something put in front of you you have to do something – it’s overwhelming.”
He said Sumo Logic had applied its own algorithmic processes, to allow it to establish a baseline and “present that to people as a global dashboard.”
He said that 75 per cent of the messages are “low severity reconn events, port scans – cosmic background noise…”
The interesting part, he continued, was “How the types of alerts you’re getting compared to the global baseline. If particular type getting more instances than the general population, that’s something you should focus on”.
The other interesting part, he said, was identifying the things that “almost never happen.”
“There’s a separate display for those,” he said. “The idea is to give additional focus to the long tail, compared and normalised against the global baseline
If the routine reconn traffic is ignored, around half of the remainder consists of what AWS deems unauthorised access. “It’s not necessarily someone is looking into your machine – it’s people using the AWS API to potentially escalate privileges.”
“At the bottom of the list comes crypto,” he said. During the beta phase it emerged that one customer had a load of EC2 instances lying around, and these had been hijacked by bitcoin miners.
Other services were in the pipeline, he said. “We’ve been experimenting internally with different kinds of benchmarking things – we looked at resource uses of databases, and there might be more along these lines in the future.”
“In general, the ideal solution would be to do cross customers, generic anomalies for anything – but that’s just not going to be possible,” he said.
“We have a whole team that’s trying to formulate hypotheses as to what algorithms could usefully help to identify.”