{"id":4665,"date":"2023-07-18T18:17:00","date_gmt":"2023-07-18T18:17:00","guid":{"rendered":"http:\/\/www.sumologic.com\/blog\/dont-just-shift-left-level-up-building-a-modern-cyber-defense-program"},"modified":"2025-06-10T09:08:47","modified_gmt":"2025-06-10T17:08:47","slug":"dont-just-shift-left-level-up-building-a-modern-cyber-defense-program","status":"publish","type":"blog","link":"https:\/\/www.sumologic.com\/blog\/dont-just-shift-left-level-up-building-a-modern-cyber-defense-program","title":{"rendered":"Don\u2019t just shift left, level up: Building a modern cyber defense program"},"content":{"rendered":"\n<section class=\"e-stn e-stn-0d652506f82b000a392973813b918ee25d5b4211 e-stn--glossary-inner-content e-stn--table-of-content\"><div class=\"container\">\n<div class=\"wp-block-b3rg-row e-row row\">\n<div class=\"wp-block-b3rg-column e-col e-col-1f7b3997080fc292474d26ff00c905d99d3520fa e-col--content-wrapper  col-sm-12 col-lg-12 col-xl-12\">\n<div class=\"e-div e-div-a1b32f66e1749758df41d5aea14f647cd10e362c e-div--card-btn-link\"><div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1400\" height=\"400\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Dont-just-shift-header.jpg\" alt=\"Don&#039;t just shift left header\" class=\"wp-image-4658\" title=\"\"><\/figure>\n<\/div>\n\n\n<p><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-a4922635ea892263b3a5be0fa95e7ea5\">Within the security community of late, the focus has been on \u201cshifting left\u201d, and while that has merit, it is somewhat myopic, missing some of the realities of defense in practice. Instead, I propose a simple framework to help guide initiatives that will \u201clevel up\u201d defenses and greatly improve security postures holistically. Some license is taken in terminology in order to keep things simple, memorable, and applicable. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-5ebd2e08cf877efc16669719cef524b1\">We start with the three basic pillars of development, design, and detection. To be more specific, <strong>secure<\/strong> development (or DevSecOps), secure architectural design (such as zero-trust architectures &amp; security reference architectures) and lastly, modern detection and incident response. These three pillars are built on the foundation of automation and doing \u201ceverything as code\u201d, including Infrastructure as Code (IaC), Detection as Code (DaC), and Security Orchestration, Automation and Response (SOAR).<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-da0032710605e2efd5031e2aecd995b6\"><\/p>\n\n\n\n<figure><img class=\"alignnone size-medium wp-image-00\" data-failed-src=\"https:\/\/lh5.googleusercontent.com\/oqIWN_qVnz-SC_7FaH_H4uJuUsSyDjuWyu1DH1qNbW4by3Cxj1kLHFuS7uUPLQhPJZrUoJoAABtAKHzgCYlBFyJHmfvpzicaOzmvGTW-xV4nzXjmzlgpEof_bDkfuTQXzDmnHONTaqUM-nghKzSebl4\" alt=\"\" \/><\/figure>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e2ef41743532a4cd006dcf7c27e0e68e\">Why is automation the foundation supporting the three pillars? Because manual security processes are prone to human error, such as accidental misconfigurations, drift from secure baselines, or, in the world of detection, distractions and alert fatigue. Manual processes also don\u2019t scale, limiting the ability to have a consistent security posture that is centrally managed and monitored. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c2ebb19e8b0d51dc201883223ebb7461\">Note that each of the three disciplines applies automation and \u201cas code\u201d in different ways, but the most mature teams are aggressively moving to these programmatic approaches. 
Unfortunately, when organizations fall short in any one area, even the mightiest houses can fall.<br><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-da0032710605e2efd5031e2aecd995b6\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-95668460890fc43bf704ce3c2fa2e907\" id=\"development\">Development<\/h2>\n\n\n\n<figure><strong><img loading=\"lazy\" decoding=\"async\" width=\"526\" height=\"561\" class=\"alignnone size-medium wp-image-4662\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Development-1.png\" alt=\"\" title=\"\"><\/strong><\/figure>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-429af88cfa8181d449d54dbfbe3da059\">In a <a href=\"https:\/\/www.sumologic.com\/blog\/security-in-serverless-lambda-world\/\">previous article<\/a>, I emphasized that end-to-end visibility starts at development time. Where we once focused our security efforts on securing single monolithic applications and servers, the new modern app is spread across containers, microservices, and different cloud providers, and unless you design these complex apps with security from the start, the battle may already be lost. In the military, they speak of \u201cmoving left of bang\u201d. The guiding principle is that it&#8217;s better to detect adversarial intentions early than to respond to malicious actions after the damage is done. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-265ff263ce991abb9f24c299d5fa4412\">Fortunately, developers fix problems, and they do it programmatically. We now have tools to do security validation early on in the development lifecycle. 
This is especially true with the open-source community rallying to solve the hard problems of supply-chain risk, software vulnerabilities, and instrumenting <a href=\"https:\/\/www.sumologic.com\/glossary\/telemetry\/\">telemetry<\/a> at the lowest levels of our software. I described this previously as <a href=\"https:\/\/www.sumologic.com\/blog\/ultimate-race-condition-securing-open-source-infrastructure\/\">\u201cthe ultimate race condition\u201d<\/a> in which developers must create tooling to secure critical applications, continuously validate they are secure and operating as designed, and incorporate these functions into the <a href=\"https:\/\/www.sumologic.com\/glossary\/continuous-integration\/\">CI<\/a>\/<a href=\"https:\/\/www.sumologic.com\/glossary\/continuous-deployment\/\">CD<\/a> pipeline so that they are part of the build and run-time processes. This reduces the security risk, but everything comes at a cost. Having these additional gates and checks does create overhead that can slow things down, and that then becomes a business risk.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c5398d28bb56ba25292a4cc6710fc1d2\">Creative and bleeding-edge development drives business revenue and is the reason companies can innovate at high speed. From a business perspective, security is a necessary evil. And although cyber doesn\u2019t add to the bottom line, by leveling up cyber defenses, organizations can reduce the risk of cyberattacks and their associated costs, including financial losses, reputational damage, and legal liabilities. It also helps ensure that critical business functions can continue in the event of a security incident. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-11238f1658ad48b2da873c965ff91dcb\">Positioning secure development as an investment, and not a cost center, helps reframe the conversation. 
As security practitioners, we need to be able to articulate the benefit that comes from secure design processes and DevSecOps. Here are four principles I advise security professionals to follow to stay aligned with business objectives.<br><\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c9b14b4f2884aa64a35c5445afb41c76\"><strong>Understand the \u201cwhy\u201d behind your business. <\/strong>Your role is to support the business. Sometimes that means accepting risks.<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7e0203ca3f33c9b521d79dc743d9b290\"><strong>Don\u2019t make enemies with the developers. <\/strong>Help them work smarter, not harder, to ease the burden of additional requirements.<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-de174cc2762ba9724290094883232597\"><strong>Stop saying \u201cno,\u201d and start explaining \u201chow.\u201d<\/strong> Flexing your \u201cleet speak\u201d is not helpful to those making business decisions.<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d0473db361b0fca0f7bc87576790963f\"><strong>Remember that security can be part of the \u201csale\u201d.<\/strong> Help the business frame security strengths as a value-add that customers benefit from. Security is an investment, and customers are willing to pay a premium for secure products.<\/p>\n\n\n\n<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-b6a67801c3db49a2952e095ca722d1b4\">To dive deeper into how to make your development shop an \u201celite performing team\u201d, read how to <a href=\"https:\/\/www.sumologic.com\/brief\/accelerate-your-sdlc-with-devsecops\/\">accelerate and secure your SDLC with DevSecOps<\/a>. 
It\u2019s not enough to follow these secure development practices once. They must be part of the development process at the deepest level. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-e55427c274b396af78447226a475114f\">Implement tools that automate static and dynamic application security testing (SAST\/DAST) and software composition analysis (SCA), and that also validate API and container security. This achieves the desired \u201cshifted left\u201d results. Once that is achieved, this secure software needs to be pushed into production securely. This is best done through infrastructure as code (IaC), and it leads us into the next related pillar: secure design and adopting proven security reference architectures.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-815509dcf43f51b2bad3743e01aaf3ac\" id=\"design\">Design<\/h2>\n\n\n\n<figure><strong><img loading=\"lazy\" decoding=\"async\" width=\"520\" height=\"543\" class=\"alignnone size-medium wp-image-4664\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Design-1.png\" alt=\"\" title=\"\"><\/strong><\/figure>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-da0032710605e2efd5031e2aecd995b6\"><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d653b3ce2341acee8de0d52671d5a7b5\">Remember, shifting left is just one leg of a three-legged stool. Once you have secure code, it needs to be securely deployed and monitored with automation. Designing the architecture and the infrastructure that will run applications is the next consideration. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-d22bb71efa31704ce5cba40f4e7ecf91\">I\u2019m using the term \u201cdesign\u201d here not in the sense of software design, as that is covered under development. 
At the most granular level, the design pillar incorporates modern application architectures. At a higher level, it represents the myriad of tools running in a modern enterprise security stack. Note there is significant overlap here, as well as overlap between design and development. In fact, the lines between software and infrastructure\/architecture continue to blur as almost everything is done through code at some level. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-58c1f09a8fb1fccb56c1d8007f3adaf3\">Security Posture Management tools have come a long way, allowing policies to be defined so that alarms are raised when configurations deviate from them or vulnerabilities get pushed into production. I\u2019m most excited about the advancements of <a href=\"https:\/\/www.sumologic.com\/blog\/power-community-driven-cloud-security-cspm\/\">open-source Cloud Security Posture Management (CSPM)<\/a> tools like CloudQuery and SteamPipe. Because these solutions are modular and open, they easily fit into a <a href=\"https:\/\/medium.com\/@alexanto\/steampipe-multi-cloud-compliance-as-a-code-36101afcd3af\" target=\"_blank\" rel=\"noopener\">Multi-Cloud Compliance as a Code<\/a> strategy. Here at Sumo Logic, we\u2019ve been experimenting with leveraging AI\/ML to intelligently ingest vast inventory data and their respective configurations, and then provide remediation steps down to the actual commands an administrator should use to address vulnerabilities and security findings. 
The number of required solutions to run a secure enterprise continues to grow, and having a tool to cross correlate and allow collaboration from different business units is paramount.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f6dcd9f13154ae2169508adbdb240fdf\">Distinct and purpose-built security solutions provided by vendors will continue to flourish, but it\u2019s necessary to have some blueprint on how everything should be wired together. To run a successful security machine, every gear and sprocket has to be in place. Integration across systems is key. Here we can lean on what is known as Security Reference Architectures and a Zero Trust Architecture.<br><br><a href=\"https:\/\/csrc.nist.gov\/glossary\/term\/zero_trust#:~:text=Definition(s)%3A,a%20network%20viewed%20as%20compromised.\" target=\"_blank\" rel=\"noopener\">As NIST defines it<\/a>, <em>Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) encompasses component relationships, workflow planning, and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan.<\/em><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-50a7cc9fcb315f2ad5afe22a8d9bb847\">According to <a href=\"https:\/\/www.forrester.com\/report\/five-steps-to-a-zero-trust-network\/RES120510\" target=\"_blank\" rel=\"noopener\">Forrester Research<\/a>, a ZT architecture &#8220;abolishes the idea of a trusted network inside a defined corporate perimeter. 
ZT mandates that enterprises create micro-perimeters of control around their sensitive data assets to gain visibility into how they use data across their ecosystem to win, serve, and retain customers.&#8221; <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-146cb11ebf4356ddb031cc6a4cb51ada\">In a related effort, Microsoft, with its Cybersecurity Reference Architecture (<a href=\"https:\/\/learn.microsoft.com\/en-us\/security\/cybersecurity-reference-architecture\/mcra\" target=\"_blank\" rel=\"noopener\">MCRA<\/a>), has done a lot to bring security architecture and design principles into a single cohesive set of blueprints. Their reference architecture is more vendor (Microsoft specifically) focused, but it describes how customers should enable zero trust user access, security operations, attack chain coverage, and cloud providers\u2019 security controls by integrating across vendor solutions and third-party apps.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-43e8f2a367af02c71a0f87a403530609\">Good security, compliance and identity solutions require deep integration across ALL your other solutions. When building a wall around your castle, having a gap in any area negates all the other effort spent. A <a href=\"https:\/\/www.forrester.com\/blogs\/introducing-detection-surface-the-cybersecurity-defense-that-parallels-attack-surface\/\" target=\"_blank\" rel=\"noopener\">recent article<\/a> by Allie Mellen, a Senior Analyst at Forrester, broke this down even further by separating \u201cattack surface\u201d from \u201cdetection surface\u201d. We can build castle walls and moats to protect critical assets, but what are all the detections, cameras, trip-wires and virtual guards we have in place to ensure these defenses are working properly? 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-12bc80930940e5eea82bb62807ec4615\">When looking at all the interdependencies, a comprehensive security reference architecture can be head-splitting. Here at Sumo Logic, we distilled this down into high-level solution verticals in a <a href=\"https:\/\/www.sumologic.com\/blog\/modern-enterprise-security-architecture\/\">Modern Enterprise Security Architecture<\/a>.<br><\/p>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1311\" height=\"678\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Modern-Enterprise-Security-Architecture.png\" alt=\"Modern Enterprise Security Architecture\" class=\"wp-image-4659\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-97d748d529dc0ba4d6bbf3065c762fa2\">When done correctly, your organization will not only have \u201cshifted left\u201d but it will also have \u201cleveled up\u201d. To level up cyber defenses means enhancing an organization&#8217;s cybersecurity posture and increasing its resilience against cyber threats. Cyber resilience is achieved through a combination of technological solutions, policies, and procedures, all designed to protect an organization&#8217;s critical assets. A next-generation <a href=\"https:\/\/www.sumologic.com\/solutions\/cloud-siem\/\">SIEM (security information and event management) solution<\/a> lies at the heart of these integrations. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-4a121cc4e3283e4c4242074733715081\">When you are evaluating new solutions, do not view them in isolation. Increase the scope of your proof-of-concept testing to include integration across the stack into your <a href=\"https:\/\/www.sumologic.com\/guides\/siem\" data-type=\"resource\" data-id=\"3026\">SIEM<\/a>, SOAR and identity solutions. 
Your engineers and analysts will thank you when they are handed a new shiny thing to integrate with and it actually works, especially when it\u2019s not one more tool they have to log into on every shift. Bonus points if you can incorporate infrastructure as code principles where all configurations can be applied programmatically.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-a205d78c4c2545b610cc49bdfc8a3c30\" id=\"detection_and_response\">Detection and response<\/h2>\n\n\n<div class=\"e-img \">\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"519\" height=\"550\" src=\"http:\/\/www.sumologic.com\/wp-content\/uploads\/Detection-and-response.png\" alt=\"\" class=\"wp-image-4660\" title=\"\"><\/figure>\n<\/div>\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-1cdd3979a9723bc16811b9f5d10b3384\">When everything above fails, and attackers still breach your environment (and they will), you need a modern detection strategy in place. As cyber defenders, we have to assume that software will be vulnerable. We have to assume misconfigurations will happen. We must have a \u201cbreach mindset\u201d. If it&#8217;s truly a matter of \u201cwhen\u201d not \u201cif\u201d, our software should have the required hooks embedded at the lowest levels to provide the observability and <a href=\"https:\/\/www.sumologic.com\/glossary\/telemetry\/\">telemetry<\/a> we\u2019ll need when things go haywire.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-337978d31d59cf4ec2e546bf7fed2a88\">This for me is the most exciting area. Huge advancements are taking place in the ability to dynamically track and detect attackers&#8217; activity, providing analysts with high-fidelity alerts and feeding automation with the same leads. OpenTelemetry standardizes the collection of MELT telemetry (Metrics, Events, Logs and Traces). 
Sumo Logic has <a href=\"https:\/\/www.sumologic.com\/blog\/sumo-logics-investment-in-otel\/\">greatly contributed to OTel<\/a> as it provides the data that feeds our SIEM, UEBA and SOAR solution. Having these three solutions in a single security platform, underpinned by a single security data lake, has been a game changer for our customers.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-9627c7660b44e48285fed826b025f69f\"><strong>Why is SIEM + UEBA + SOAR a game changer?<\/strong> It\u2019s a 1-2-3 punch because first, with the advent of true <a href=\"https:\/\/www.sumologic.com\/glossary\/ueba\/\">user and entity behavior analytics (UEBA)<\/a> capabilities that baseline entity behavior to identify unusual patterns, alerts become higher fidelity. These UEBA detections leverage machine learning algorithms and statistical analysis models to establish normal behavior or patterns per user or system in order to detect anomalies. Unfortunately, UEBA solutions alone have been extremely noisy, and customers had difficulty baking in the \u201cnormal\u201d baselines before good alerts were generated. The juice of having a separate UEBA solution just wasn\u2019t worth the squeeze. Things are different now. Case in point, advanced UEBA detections are now natively part of the Sumo Logic detection strategy, as is our new automation service borrowed from our SOAR technology.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-da08f8ce071e2da86fadc0e765f81015\">Now that these alerts are correlated within the SIEM alongside other proven detection rule types\u2014at scale across all users dynamically\u2014we finally have extremely actionable insights that may be a cluster of multiple alert types. With these insights, actions can be taken immediately and in many cases automated. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-89975c58424c868e48d8091fcf8d04cc\">There are some pitfalls to automating cyber defenses. Historically, the \u201cgarbage in, garbage out\u201d dilemma has been a major roadblock for automating security operations. The last thing your security team needs is to be blamed for conducting a DoS (Denial of Service) against critical systems because of a false-positive action or errant remediation that blocked paying customers from your services or prevented the company from operating. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-7d22c2b884f679dfd3ee48da2f91fec5\">Having advanced playbooks that can pause for analyst intervention and validation is a good way to reduce some of this risk. Many of the hundreds of out-of-the-box low-code playbooks we provide have such human actions as part of the response and remediation flow.<br><\/p>\n\n\n\n<figure><img class=\"alignnone size-medium wp-image-00\" data-failed-src=\"https:\/\/lh4.googleusercontent.com\/rvfDjT2uCveBxmJ1EQi-7Kh3086rkgKuoBEEzAHQ6PnBuyIleXn_kAQSn5r2bNkpPBpPZ66CCZJT5vNszrDoxMW-YwBdhIV8h43aerGUfNYonZWwWU1pA7U3odGRX3_QvH6jbdj9-evIleYiqN0Kou8\" alt=\"\" \/><\/figure>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-c26d3034259aedd1a8ef38ca3eb6ed25\">Today we have very powerful ways to classify adversarial behavior and indicators of compromise. <a href=\"https:\/\/www.sumologic.com\/blog\/building-your-modern-cloud-siem\/\">A modern cloud SIEM<\/a> should be able to generate alerts, combine these alerts with those provided by point solutions (EDR, IDS, WAF, etc.) and then overlay these events into a single attack timeline. 
This timeline should also include the MITRE ATT&amp;CK adversary tactics and techniques.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-216791762e41a649c04f7671442e5054\">Triaging isolated alerts does not scale and is extremely ineffective. As <a href=\"https:\/\/cyberscoop.com\/cybersecurity-consolidation-cylance-blackberry-thoma-bravo\/\" target=\"_blank\" rel=\"noopener\">aptly put by Bill Crowell<\/a>, former NSA Deputy Director, &#8220;Cyberdefense is about having an integrated set of tools that work together to prevent attacks, but the industry now has a thousand points of light and no illumination.&#8221;<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-feafd18b3a7096920951ae80d5f211dc\">When considering a modern SIEM+UEBA+SOAR platform, ask yourself the following:<\/p>\n\n\n\n<ul>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-16f855201466016cb1734130063ff7c9\">Does it include a broad set of automations and integrations out-of-the-box, with little or no additional charges to deploy automations?<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-977c4e7d09bc23e24679e45214ac17e5\">Does it operate in an entity-centric way, automatically correlating observable events to entities (e.g., users, systems, IPs)?<\/p>\n\n\n\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\">Does it include multiple detection capabilities within its rules engine? For example, ask vendors to demonstrate each of the following detection techniques with out-of-the-box rules: <\/p>\n<ul>\n<li dir=\"ltr\">\n<p dir=\"ltr\"><strong>First Seen rules:<\/strong> Used to detect any suspicious, never-seen-before behavior based on a learned baseline. 
It\u2019s critical that the first seen rules engine allows for both dynamic entity-based baselines and enterprise-wide baselines.<\/p>\n<p>Entity-based example:<em> Bob always does things X, while Alice does things Y. Alert me when either Bob or Alice does something abnormal for them based on a previously learned baseline. <\/em><\/p>\n<p>Enterprise or global example:<em> All users within the organization are expected to do things Z; however, when any new behavior is seen across ALL users, create an alert.<\/em><\/p>\n<\/li>\n<\/ul>\n<ul>\n<li dir=\"ltr\">\n<p dir=\"ltr\"><strong>Outlier rules:<\/strong> Used to detect patterns in data that would otherwise not be considered suspicious; they require dynamic baselines learned over time that are unique to individual entities.<br \/><em>Example: Bob usually uploads 10MB a day to external sites, but this week his outbound traffic was 100x his normal, indicating possible data exfiltration or a compromised account.<\/em><\/p>\n<\/li>\n<\/ul>\n<ul>\n<li dir=\"ltr\">\n<p dir=\"ltr\"><strong>Chain rules: <\/strong>Used to detect when two or more distinct events occur in a given time window. 
These events may be from unrelated data sources.<br \/><em>Example: Five failed login attempts followed by one success in under one hour.<\/em><\/p>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8cd7e8220852b6a93f38da86065a9c76\">That\u2019s a lot of words, but what does this look like applied to an actual breach scenario we see within our customer environments? Here is an example of a correlated Insight following a successful phishing attack. <\/p>\n\n\n\n<figure><img class=\"alignnone size-medium wp-image-00\" data-failed-src=\"https:\/\/lh4.googleusercontent.com\/VRYxb749iE6fyT89sx6Gq_sHZbtM-8RUwCYP3cJ2I7bARJKcRbhp0dS8DeaRS0oQvj7UNuJ96uzevRcMawGkVSnQNBAuQYAikqAShmBibN_MX-vvTJ7VrjZ_W2EuQTD5EmM6YEdFnGAI93gICy6JVQ\" alt=\"\" \/><\/figure>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-da0032710605e2efd5031e2aecd995b6\"><\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-f7b30bbf54e797c7d6f16c91d8562d36\">Of course, all of this requires the stars to align and each of your detections to fire appropriately. Multiple detection strategies do, however, help mitigate rules that produce false negatives. Adversaries should be tripping detection wires as they move laterally and do attacker things. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-51b698fc3599e807f76b3e330cfb51e6\">In the case above, an astute observer would notice the lack of an EDR endpoint alert. Ideally, this type of breach would have fired such an alert when malicious binaries were observed on the host. However, that is not always the case, and even when one point solution fails, cross-correlation across all data sources makes up the difference. 
Again, this is a testament to the power of entity-centric correlation only a SIEM can provide.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-3b9c20b43780e17fa5d1ffd9454ca165\">Let\u2019s underscore the earlier claim that automation and \u201ceverything as code\u201d are the foundation of all three pillars. How does it apply to detection and response? In the example above, note that from beginning to end, the detections, enrichments and notifications were all automated and done \u201cas code\u201d. Security engineers should also be driving towards autonomous SOCs that integrate defense into automated playbooks for both enrichments and remediations. <\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-8148f55f0b6260eb94c3034d3b7a5ddc\">Katie Teitler had <a href=\"https:\/\/thereformedanalyst.substack.com\/p\/it-spend-in-2023-why-automation-will?utm_medium=podcast\" target=\"_blank\" rel=\"noopener\">a great piece<\/a> titled \u201cIT Spend in 2023: Why Automation Will be the Hero\u201d. In it she states that, given the state of cybersecurity staffing, the current economic climate, and greater pressure on security teams, a survey of 213 cybersecurity executives in the U.S. found that automation was top of mind for efficiency, efficacy, and cost-cutting measures. And 86% of cybersecurity leaders are prioritizing automating threat detection and response, and 84% are prioritizing integrating and automating cybersecurity capabilities with new and existing technologies. <\/p>\n\n\n\n<blockquote class=\"pull\">\n<p>\u201cAutomation is a force multiplier. It allows the machines to churn through mountains of data quickly and surface results to the humans, who are better suited for sentient analysis and business-specific decision making. 
Automation offers faster, actionable information, giving the business clearer insight to patterns and threats not easily identified by humans in short time spans\u2026 Automation is the answer. The good news is that many of today\u2019s commercially available security tools have automation built in.\u201d &#8211; Katie Teitler, Senior Cyber Security Strategist at Axonius.<\/p>\n<\/blockquote>\n<p dir=\"ltr\">Here at Sumo Logic, we\u2019re excited to announce that, following a SOAR acquisition last year, we now provide many automations natively within our SIEM at no additional cost. Through our built-in automation service, alerts can be automatically enriched through our hundreds of out-of-the-box integrations. For more advanced automation functionality, we will also continue to develop our cloud-based <a href=\"https:\/\/www.sumologic.com\/blog\/no-code-vs-low-code-and-near-no-code-security-automation\/\">low-code SOAR<\/a>. <\/p>\n<p dir=\"ltr\">The SOAR is built on our <a href=\"https:\/\/www.sumologic.com\/glossary\/open-integration-framework-oif\/\">Open Integration Framework<\/a> (OIF), a graphical environment that modularizes actions and integrations so that they can be used in a playbook designer by engineers who may not have in-depth coding skills. 
For those who do<br \/>\nenjoy rolling up their sleeves and diving into code, it also includes a<br \/>\nfull-fledged IDE and supports multiple languages: Python, Perl,<br \/>\nPowerShell, Bash scripting, and YAML, allowing anyone to change existing<br \/>\n code, add new code, and define custom playbook actions.<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-48b9d0a2300b83e5a88b7d3211657029\">When automation is introduced into detection and response, these three critical areas are improved:<br><\/p>\n\n\n\n<ol>\n<li dir=\"ltr\">\n<p dir=\"ltr\"><strong>Increased efficiency: <\/strong>Automating<br \/>\n cybersecurity tasks can significantly increase efficiency and reduce<br \/>\nthe risk of human error. Automated tools can perform tasks such as<br \/>\nnetwork monitoring, threat detection, and vulnerability scanning at a<br \/>\nfaster pace than humans, enabling security teams to respond to threats<br \/>\nmore quickly and minimize the damage caused by cyberattacks.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\"><strong>Increased scalability:<\/strong><br \/>\n Cybersecurity threats are constantly evolving and increasing in<br \/>\ncomplexity. Automated security tools can be scaled up quickly to address<br \/>\n the growing volume and complexity of threats. This becomes increasingly<br \/>\n important as the number of solutions in the security stack increases.<\/p>\n<\/li>\n<li dir=\"ltr\">\n<p dir=\"ltr\"><strong>Increased consistency:<\/strong><br \/>\n Manual security processes can be prone to error due to human factors<br \/>\nsuch as fatigue or distraction. Automated security tools can perform<br \/>\ntasks consistently and accurately, reducing the risk of errors and false<br \/>\n positives. Automating security processes can help organizations meet<br \/>\ncompliance requirements by ensuring consistent and accurate security<br \/>\npractices. 
This can help avoid costly fines and penalties for<br \/>\nnon-compliance.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading has-eigengrau-color has-text-color has-link-color wp-elements-75634a32e81e1b1bdfa6b684886c5b44\" id=\"leveling_up_=_cyber_resilience\">Leveling up = cyber resilience<\/h2>\n\n\n\n<p dir=\"ltr\">Embracing &#8220;security as code&#8221; across development, design and detection will allow organizations to quickly identify and mitigate<br \/>\npotential threats, reducing the potential impact of any security<br \/>\nincidents. Leveling up requires robust security measures to be embedded<br \/>\nat every level of an organization&#8217;s operations and a combination of<br \/>\npeople, processes, and technology to manage and respond to cyber threats effectively. <\/p>\n<p dir=\"ltr\">Being cyber resilient means having the ability to<br \/>\nanticipate, withstand, and recover from adverse conditions, stresses or attacks on our critical systems.&nbsp;Security information and event management, or SIEM solutions, help organizations stay ahead of the never-ending stream of security risks and vulnerabilities the typical business faces.&nbsp;Learn more in <a href=\"https:\/\/www.sumologic.com\/guides\/siem\/\">our ultimate guide to SIEM<\/a>.&nbsp;It&#8217;s about ensuring that an organization&#8217;s<br \/>\n digital infrastructure can effectively operate even under challenging<br \/>\ncircumstances such as cyber threats and attacks, system failures, or<br \/>\nnetwork disruptions. 
<\/p>\n\n\n\n<p class=\"has-delft-blue-color has-text-color has-link-color wp-elements-208919044b1f8eb4d18f2d9f0a477b38\"><a href=\"https:\/\/www.sumologic.com\/security\/\">Learn more about how Sumo Logic can help you build a stronger cybersecurity infrastructure.<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div><\/section>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":78,"featured_media":25801,"template":"","meta":{"_acf_changed":false,"show_custom_date":false,"custom_date":"","featured":false,"featured_image":0,"learn_more_label":"","image_alt_text":"","learn_more_type":"","show_popup":false,"learn_more_link_file":0,"event_date":false,"event_start_date":"","event_end_date":"","place_holder_image_url":"","post_reading_time":"12","notification_enabled":false,"notification_text":"","notification_logo":"","notification_expiration_time":0,"is_enable_transparent_header":false,"selected_taxonomy_terms":{"blog-category":[127],"blog-tag":[]},"selected_primary_terms":[],"learn_more_link":[],"featured_page_list":[],"notification_enabled_post_list":[],"_gspb_post_css":"","_relevanssi_hide_post":"","_relevanssi_hide_content":"","_relevanssi_pin_for_all":"","_relevanssi_pin_keywords":"","_relevanssi_unpin_keywords":"","_relevanssi_related_keywords":"","_relevanssi_related_include_ids":"","_relevanssi_related_exclude_ids":"","_relevanssi_related_no_append":"","_relevanssi_related_not_related":"","_relevanssi_related_posts":"4668,71369,71176","_relevanssi_noindex_reason":"","inline_featured_image":false,"footnotes":""},"blog-category":[127],"blog-tag":[],"class_list":["post-4665","blog","type-blog","status-publish","has-post-thumbnail","hentry","blog-category-secops-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4665","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog"}],"about":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/types\/blog"}
],"author":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/users\/78"}],"version-history":[{"count":4,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4665\/revisions"}],"predecessor-version":[{"id":26519,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog\/4665\/revisions\/26519"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media\/25801"}],"wp:attachment":[{"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/media?parent=4665"}],"wp:term":[{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-category?post=4665"},{"taxonomy":"blog-tag","embeddable":true,"href":"https:\/\/www.sumologic.com\/wp-json\/wp\/v2\/blog-tag?post=4665"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}