AWS Partner Network (APN) Blog
Multi-Account Threat Intelligence Using AWS Organizations and Sumo Logic Cloud SIEM
By Dilip Rajan, Sr. Partner Solutions Architect – AWS
By Himanshu Pal, Sr. Integration Engineer – Sumo Logic
By Vinay Maddi, Sr. Solutions Architect – AWS
Amazon Web Services (AWS) has come a long way from the early days when companies ran their entire workloads on a single account. Now, customers from small businesses to mega-cap enterprises have tens or hundreds of accounts running everything from test workloads to critical production-grade payments and financial applications.
DevSecOps teams are responsible for providing enhanced infrastructure observability while ensuring they have the ability to respond to security events in a matter of minutes across the entire organization.
To address this challenge, Sumo Logic and AWS collaborated to build a solution that provides end-to-end security information and event management (SIEM) across an enterprise using AWS Organizations. Customers can also connect on-premises sources to Sumo Logic, giving them end-to-end visibility across their entire infrastructure.
This SIEM solution is based on the AWS Security Reference Architecture (AWS SRA), and we’ll explore it in this post using a reference architecture. We’ll also show how you can get started with Sumo Logic and AWS Organizations through an AWS Quick Start in a matter of minutes.
Sumo Logic is an AWS Partner with Competencies in Data and Analytics, Security, Containers, and DevOps. It provides seamless observability and SIEM capabilities across multi-cloud and hybrid cloud environments.
Sumo Logic Cloud SIEM for AWS Organization
We highlighted the need to have security-related logs and event details across multiple AWS accounts. But how does one go about designing such a solution?
To answer that, Sumo Logic and AWS leveraged the AWS Security Reference Architecture as the best practice for implementing a comprehensive solution.
The AWS SRA was designed after reviewing countless customer and professional services implementations; using it as a reference allows customers to design, implement, and manage AWS security services aligned with AWS best practices.
Let’s take a deeper look at the solution and how it can be deployed.
Figure 1 – Sumo Logic security integrations for AWS Organizations.
Following AWS SRA best practices, this solution recommends organizing accounts in an AWS Organizations structure where, in addition to the organization management account, a dedicated security tooling account and a log archive account are created. The security tooling account is registered as the delegated administrator ("delegated admin") for organization-wide security services such as Amazon GuardDuty and AWS Security Hub, and access to both accounts is limited to the security, network, and audit teams who need to view logs and events.
A key benefit of this structure is that the security tooling and log archive accounts can collect logs and events from AWS security services across all of your member accounts. A company using a partner such as Sumo Logic therefore does not need to deploy collectors in each account; all events and logs arrive through a single collection mechanism and appear in a centralized dashboard.
Figure 1 above shows that events and logs from all current and new accounts are sent to the security tooling and log archive accounts and forwarded to Sumo Logic from there; there is no need to create separate collection mechanisms in each account.
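The delegation step above is what makes a single collection point possible: the management account hands administration of GuardDuty and Security Hub to the security tooling account, which then enrols every existing member and auto-enables future ones. The following is an added example of that SRA pattern written against the boto3 API, not the Quick Start's own template code. The `mgmt_*` arguments are assumed to be boto3 clients created with management-account credentials and the `admin_*` arguments clients created with security tooling account credentials (hypothetical parameter names); `RecordingClient` is an offline stand-in used so the flow can be run without an AWS account.

```python
"""Org-wide GuardDuty and Security Hub with the security tooling account as delegated admin.

Added example following the AWS SRA pattern described above; it is not the Quick Start's
own template code.  `mgmt_*` arguments are boto3 clients created with management-account
credentials, `admin_*` clients with security tooling account credentials (hypothetical
names; in real use e.g. boto3.client("guardduty")).
"""

SERVICE_PRINCIPALS = ("guardduty.amazonaws.com", "securityhub.amazonaws.com")
MEMBER_BATCH = 50  # CreateMembers accepts at most 50 accounts per request


def delegate_security_admin(mgmt_org, mgmt_gd, mgmt_sh, security_account_id):
    """Management account: enable trusted access, then delegate both services."""
    for principal in SERVICE_PRINCIPALS:
        mgmt_org.enable_aws_service_access(ServicePrincipal=principal)
    mgmt_gd.enable_organization_admin_account(AdminAccountId=security_account_id)
    mgmt_sh.enable_organization_admin_account(AdminAccountId=security_account_id)


def list_member_accounts(mgmt_org, exclude=()):
    """Management account: active member accounts, following NextToken pagination."""
    accounts, kwargs = [], {}
    while True:
        page = mgmt_org.list_accounts(**kwargs)
        accounts += [{"AccountId": a["Id"], "Email": a["Email"]}
                     for a in page["Accounts"]
                     if a["Status"] == "ACTIVE" and a["Id"] not in exclude]
        if not page.get("NextToken"):
            return accounts
        kwargs = {"NextToken": page["NextToken"]}


def enroll_members(admin_gd, admin_sh, members):
    """Security tooling account: auto-enable future accounts and enrol existing ones."""
    detectors = admin_gd.list_detectors()["DetectorIds"]
    detector_id = detectors[0] if detectors else admin_gd.create_detector(Enable=True)["DetectorId"]
    # Accounts that join the organization later are covered automatically...
    admin_gd.update_organization_configuration(
        DetectorId=detector_id, AutoEnableOrganizationMembers="ALL")
    admin_sh.update_organization_configuration(AutoEnable=True)
    # ...but accounts that already exist must be added explicitly, in batches.
    for i in range(0, len(members), MEMBER_BATCH):
        batch = members[i:i + MEMBER_BATCH]
        admin_gd.create_members(DetectorId=detector_id, AccountDetails=batch)
        admin_sh.create_members(AccountDetails=batch)
    return detector_id


class RecordingClient:
    """Offline stand-in for a boto3 client: records each call, returns canned responses."""
    def __init__(self, responses=None):
        self.calls, self.responses = [], responses or {}

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            return self.responses.get(op, {})
        return call


def demo(security_account_id="222222222222"):
    """Run the whole flow against recording clients over a constructed sample organization."""
    mgmt_org = RecordingClient({"list_accounts": {"Accounts": [
        {"Id": "111111111111", "Email": "dev@example.com", "Status": "ACTIVE"},
        {"Id": security_account_id, "Email": "sec@example.com", "Status": "ACTIVE"},
        {"Id": "333333333333", "Email": "old@example.com", "Status": "SUSPENDED"},
    ]}})
    mgmt_gd, mgmt_sh = RecordingClient(), RecordingClient()
    admin_gd = RecordingClient({"list_detectors": {"DetectorIds": ["d1"]}})
    admin_sh = RecordingClient()
    delegate_security_admin(mgmt_org, mgmt_gd, mgmt_sh, security_account_id)
    # The delegated admin must not be enrolled as its own member.
    members = list_member_accounts(mgmt_org, exclude={security_account_id})
    detector_id = enroll_members(admin_gd, admin_sh, members)
    return {"members": members, "detector_id": detector_id,
            "mgmt_org": mgmt_org.calls, "mgmt_gd": mgmt_gd.calls,
            "admin_gd": admin_gd.calls, "admin_sh": admin_sh.calls}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two details worth keeping when adapting this: suspended accounts and the delegated admin itself are filtered out before `create_members`, and the two halves run under different credentials, since `EnableOrganizationAdminAccount` is only accepted from the management account while `UpdateOrganizationConfiguration` and `CreateMembers` are only accepted from the delegated admin.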
Solution Overview
To help automate the AWS SRA, Sumo Logic and AWS jointly built an AWS Quick Start that collects and centralizes security events from multiple AWS accounts. Let’s review what happens when you launch the Quick Start.
Prerequisites
Before you get started, you must have a Sumo Logic account together with its Sumo Logic Access ID, Access Key, and Organization ID.
Deployment Actions
During deployment, the following resources are set up in all current and new accounts in your AWS Organization:
- Amazon GuardDuty, AWS Security Hub, AWS WAF, AWS Network Firewall, and AWS Firewall Manager are set up or enabled. The collected events range from malicious activity, security findings, and security posture to firewall rule management and network protections.
In your security tooling account:
- Amazon CloudWatch Events (now Amazon EventBridge) relays security events to the AWS Lambda integration functions.
- The Lambda integration functions:
- Create a Sumo Logic hosted collector and multiple sources. A collector receives logs from one or more sources, encrypts them, and forwards them to the Sumo Logic service; a source is a configuration that collects logs from a particular AWS service.
- Install the security apps you select during deployment into your Sumo Logic account.
- Amazon Kinesis Data Firehose forwards AWS WAF logs to Sumo Logic.
- An Amazon Simple Storage Service (Amazon S3) bucket stores Network Firewall logs.
- An Amazon Simple Notification Service (Amazon SNS) topic publishes notifications of new Network Firewall log objects so that Sumo Logic can collect them.
- In your AWS Organization management account, an organization trail in AWS CloudTrail records user activity and API usage across all accounts in the organization.
- In your log archive account:
- An Amazon S3 bucket stores the CloudTrail logs.
- An Amazon SNS topic publishes notifications of new CloudTrail log objects so that Sumo Logic can collect them.
Additionally, the Quick Start sets up the hosted collectors and corresponding apps on Sumo Logic.
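The CloudWatch Events to Lambda to collector path above is the piece most teams end up customizing, so the following is an added example of what such an integration function does, written here for this post and not taken from the Quick Start's own functions. It evaluates the EventBridge rule pattern the same way the service does (exact values, `prefix` and `numeric` filters, nested keys), flattens a GuardDuty finding into the fields an analyst searches on, and posts it to a Sumo Logic HTTP source. The HTTP source URL is assumed to arrive in an environment variable named `SUMO_HTTP_SOURCE_URL` (a name chosen for this example), and `SAMPLE_EVENT` is a constructed finding in the shape EventBridge delivers.

```python
"""Relay GuardDuty findings from the security tooling account to a Sumo Logic HTTP source.

Added example of the CloudWatch Events -> Lambda -> collector path described above; it is
not the Quick Start's own integration function.  It assumes the hosted collector exposes an
HTTP source whose unique URL is passed in the SUMO_HTTP_SOURCE_URL environment variable
(a name chosen for this example).
"""
import json
import os
import urllib.request

# Rule patterns as EventBridge evaluates them: every key in the pattern must be present in the
# event; a list means "any of these values"; {"prefix": ...} and {"numeric": [...]} are the
# content filters implemented below; nested dicts are matched recursively.
ALL_FINDINGS_RULE = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}
HIGH_SEVERITY_RULE = {
    "source": ["aws.guardduty"],
    "detail-type": ["GuardDuty Finding"],
    "detail": {"severity": [{"numeric": [">=", 7]}],
               "type": [{"prefix": "UnauthorizedAccess:"}, {"prefix": "Backdoor:"}]},
}
NUMERIC_OPS = {">": lambda v, b: v > b, ">=": lambda v, b: v >= b, "=": lambda v, b: v == b,
               "<": lambda v, b: v < b, "<=": lambda v, b: v <= b}


def _match_value(rule_values, value):
    """One event field against the pattern's list of alternatives."""
    for alt in rule_values:
        if not isinstance(alt, dict):
            if alt == value:
                return True
        elif "prefix" in alt and isinstance(value, str) and value.startswith(alt["prefix"]):
            return True
        elif "numeric" in alt and isinstance(value, (int, float)) and not isinstance(value, bool):
            ops = alt["numeric"]  # e.g. [">=", 4, "<", 7]: operator/bound pairs, all must hold
            if all(NUMERIC_OPS[op](value, bound) for op, bound in zip(ops[::2], ops[1::2])):
                return True
    return False


def matches(pattern, event):
    """True when `event` satisfies `pattern` (exact, prefix and numeric matching)."""
    for key, rule in pattern.items():
        if key not in event:
            return False
        if isinstance(rule, dict):
            if not isinstance(event[key], dict) or not matches(rule, event[key]):
                return False
        elif not _match_value(rule, event[key]):
            return False
    return True


def severity_label(score):
    """GuardDuty severity bands: Low 1.0-3.9, Medium 4.0-6.9, High 7.0 and above."""
    return "HIGH" if score >= 7 else "MEDIUM" if score >= 4 else "LOW"


def normalize(event):
    """Flatten the finding into the fields an analyst searches on in the SIEM."""
    d = event["detail"]
    return {
        # detail.accountId is the member account the finding belongs to; the envelope's
        # "account" is the delegated-admin account that emitted the event, so attributing
        # on the envelope would tag every finding with the security tooling account.
        "member_account": d["accountId"],
        "admin_account": event["account"],
        "region": d["region"],
        "finding_id": d["id"],
        "type": d["type"],
        "severity": d["severity"],
        "severity_label": severity_label(d["severity"]),
        "title": d["title"],
        "resource_type": d["resource"]["resourceType"],
        "updated_at": d["updatedAt"],
    }


def post_to_sumo(record, url=None, sender=None):
    """POST one JSON record to the HTTP source; `sender(url, body)` replaces the network call."""
    url = url or os.environ.get("SUMO_HTTP_SOURCE_URL", "")
    body = json.dumps(record).encode()
    if sender is not None:
        return sender(url, body)
    if not url:
        raise RuntimeError("SUMO_HTTP_SOURCE_URL is not set")
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json", "X-Sumo-Category": "aws/guardduty"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def lambda_handler(event, context=None, sender=None, rule=ALL_FINDINGS_RULE):
    """Lambda entry point: drop anything the rule would not have delivered, forward the rest."""
    if not matches(rule, event):
        return {"forwarded": False, "reason": "event does not match rule"}
    record = normalize(event)
    post_to_sumo(record, sender=sender)
    return {"forwarded": True, "record": record}


# Constructed sample event in the shape EventBridge delivers a GuardDuty finding.
SAMPLE_EVENT = {
    "version": "0", "id": "2d0f7c3e-0000-4000-8000-000000000001",
    "detail-type": "GuardDuty Finding", "source": "aws.guardduty",
    "account": "222222222222", "region": "us-east-1", "time": "2023-05-01T12:00:00Z",
    "detail": {
        "schemaVersion": "2.0", "accountId": "111111111111", "region": "us-east-1",
        "id": "c0ffee00000000000000000000000001",
        "type": "UnauthorizedAccess:EC2/SSHBruteForce", "severity": 5,
        "title": "i-0123456789abcdef0 is performing SSH brute force attacks",
        "resource": {"resourceType": "Instance"}, "updatedAt": "2023-05-01T11:59:30.000Z",
    },
}

if __name__ == "__main__":
    sent = []
    print(lambda_handler(SAMPLE_EVENT, sender=lambda url, body: sent.append(body) or 200))
```

The one check that matters for a multi-account deployment is in `normalize`: every finding the delegated admin forwards carries the security tooling account in the envelope, so the member account must be read from `detail.accountId` or the dashboard in Figure 2 would show a single account. Passing `sender` lets the same handler be exercised without network access; in Lambda the default `urllib` path is used.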
Figure 2 – Sumo Logic GuardDuty app for AWS Organizations.
This figure shows a sample Sumo Logic Amazon GuardDuty app dashboard of findings collected from multiple accounts through a single hosted collector and CloudWatch Events forwarder.
Now that the Quick Start is set up, let's look at some of the advanced features of Sumo Logic Cloud SIEM Enterprise.
Sumo Logic Cloud SIEM Enterprise
Sumo Logic also offers Sumo Logic Cloud SIEM Enterprise, a security operations center (SOC) offering that automatically analyzes and correlates threat alert data to help SOC analysts discover and resolve meaningful threats more efficiently.
Some core features of the solution include:
- Alert analytics generating signals from logs.
- Correlation-based detection.
- Automated prioritization and alert triage.
- Security telemetry beyond logs: network, user, asset, and APIs.
Conclusion
Sumo Logic and AWS have built a solution, available through an AWS Quick Start, that collects security-related logs and metrics from across the organization through a single delegated account.
This post reviewed that solution, which is based on customer feedback and best practices and gives security teams, professional services consultants, and solutions architects a quick way to implement a multi-account strategy and improve their organization's overall security posture.
Sumo Logic is available in AWS Marketplace with a free 14-day trial, so feel free to experiment with the Quick Start.
Sumo Logic – AWS Partner Spotlight
Sumo Logic is an AWS Partner that provides seamless observability and SIEM capabilities across multi-cloud and hybrid cloud environments.