Machine data analytics is the process of parsing data generated by software from a wide variety of sources including servers, networks, applications and financial records. These, and many other similar sources, produce massive amounts of data including from local operating systems, identity/access management tools, cloud consoles and their associated log files, alerts, scripts and profiles. The goal of machine data analytics is to make this data more understandable by converting it into useful insights to monitor security events.
How user analytics accelerates detection and investigation
So how does user analytics help security teams accelerate detection and investigation?
User analytics allows data-driven businesses across many verticals to address a need for deeper insights into their systems’ technical operations and understand specific user activities. At any given moment, companies should ideally be able to answer several key questions:
Who is trying to access my systems?
Where are they entering from?
Who is gaining access to systems?
What do those users do once logged in?
Are there anomalies to address?
Is there any behavior that is out of the ordinary?
Ideally, the specific threat is made clear at the start of the investigation and progresses using both broad data analytics and a deeper, more granular user-focused approach.
Sumo Logic user analytics dashboards and queries identify elevated security risks allowing security engineering teams to quickly detect the existence of threats and prioritize them without the need to create predefined policies or rules. Security engineers are now able to monitor systems in real-time to identify issues, problems and attacks before they impact customers, services and revenue.
Key queries that drive user analytics visualizations:
User Activity: Displays user activity in kilobytes for the last 24 hours in a single value chart.
Incidents for Review: Provides information on incidents that have occurred in the last three hours in a table including time, user, message text and the severity.
Top Users with Access Activity: Shows the top users of the system and their activity for the last three hours in a bar chart.
Top User Activity: Displays the top ten users of the system and their activity for the last six hours in a bar chart.
User Activity by Hour: Provides information on user activity by user by the hour in a stacked column chart on a timeline using time slices of one hour for the last six hours.
All Access Attempts to Environment: Lists all attempts to access the environment in a table for the last three hours, including the user name, destination host, message text, time of the latest attempt, and the time of the earliest attempt.
Anomaly Event Distribution: Displays the distribution of anomaly events in a column chart using time slices of 30 minutes on a timeline for the last 12 hours.
The benefit of a user-focused approach to security investigations
To stay ahead of potentially malicious activity and bad actors, security engineering teams must monitor broad swaths of cloud and on-premise data, all of which can become vulnerable to malicious actors when not being closely monitored.
In many cases, it is necessary to begin with a broader security monitoring dashboard, then dive into details as areas of investigation are clear. Security engineers may need to make an educated guess when evaluating a potential security threat as to what's causing it and identify a likely reason for the event to have occurred.
A vendor-neutral approach to data collection feeding into a broader set of security monitoring dashboards can initially explain which data is most relevant, what's interesting and also identify gaps in knowledge that may need to be addressed.
Summarized dashboards show which data indicates a security concern and can also point security teams in the right direction of which groups of users to focus on. To help the process along, Sumo Logic provides out-of-the-box app catalog content in the form of quick-to-setup and easy-to-use dashboards that allow teams to jump to a topic or particular data source to reveal actionable anomalies.
The user-focused security monitoring dashboards that Sumo Logic offers allow you to drill down to the server, application, user and event level to better understand what’s going on with your network and associated security gaps. Additionally, built-in anomaly and outlet detection make it easy to quickly spot trends in activity.
An example app from the Sumo Logic app catalog
Azure Active Directory
Azure Active Directory is a cloud-based directory and identity management service that allows for directory services, application access management and identity protection. The Sumo Logic app for Azure helps you monitor activity in the Azure Active Directory. The dashboards provide insight into role management, user management, group management, successful and failure sign-in events, directory management and application management data that helps you understand your users’ experiences, activities, and actions.
The Sumo Logic App for Azure Audit allows you to collect data from the Azure Activity Log (formerly known as Azure Audit logs) and monitor the health of your Azure environment. The App provides preconfigured Dashboards that allow you to monitor resource usage, service health and user activity.
Looking to start tracking and monitoring relevant data sources today? Visit the app catalog to find available out-of-the-box content aligned with your current infrastructure. Just getting started with Sumo? Sign up for a free trial at https://sumologic.com/sign-up.
Complete visibility for DevSecOps
Reduce downtime and move from reactive to proactive monitoring.