
August 16, 2021 Drew Horn

Modern security ops with Zscaler and Sumo Logic

Modernizing security operations to keep up with the proliferation of complex, highly ephemeral apps and infrastructure has become more daunting than ever with the explosion of remote work and the resulting acceleration of lift-and-shift and hybrid-cloud initiatives. With Sumo Logic’s cloud-native Continuous Intelligence Platform and Cloud SIEM, it’s now easier than ever to integrate with Zscaler’s Internet and Private Access platforms: you gain visibility across your cloud apps with out-of-the-box content, respond in real time to correlated security incidents and monitor your ZTNA deployment. We’ve worked closely with Zscaler to deliver a simplified integration process, completely overhauled dashboards for ZIA and an all-new Sumo App for ZPA, helping security teams cost-effectively reduce risk and alert fatigue at the speed and scale required to protect your users and defend your apps from external threats.

At a high level, with these two new apps for Zscaler, you can now:

  • Monitor, alert and respond to incidents from across your security stack at scale using cloud-based services.

  • Correlate Zscaler Internet Access logs and events with data collected from other endpoint and security machine data to analyze behavioral patterns to identify anomalies and vulnerabilities, as well as the health and performance of your security architecture.

  • Audit and monitor your Zscaler Private Access deployments to assure compliance, avoid misconfigurations and maintain uptime for a seamless user experience.

  • Correlate blocked and allowed ZTNA traffic events from your Private Access deployments with user data and out-of-the-box threat intelligence for real-time, automated threat detection.

How does it work?

Collection

Sumo Logic has released separate apps for Zscaler Internet Access and Zscaler Private Access. The process of cloud-to-cloud log collection for each platform is slightly different, so we have provided instructions on how to configure each app separately:

App Use Cases

Let’s walk through some of the key use cases for these two new Zscaler apps for Sumo Logic. While Zscaler Internet and Private Access products are both geared towards securing your digital properties and workforce, the apps for Sumo Logic have slightly different use cases.

ZIA

The app for Zscaler Internet Access (ZIA) is primarily a tool for security ops teams, analysts and engineers to monitor, alert and respond to external threats.

Anomaly detection for blocked traffic and geographic hotspots

Identifying threats amongst benign traffic distributed across the globe has become a machine-scale problem. Sumo Logic has provided out-of-the-box dashboards that aggregate data from ZIA and perform outlier detection to reduce alert fatigue and provide valuable context to optimize the incident response process. The ZIA overview dashboard provides an excellent starting point for configuring alerts.

Sumo Logic Zscaler Dashboard 1

In addition, drill-down dashboards for blocked traffic are included for security analysts to deep dive into specific events.
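As an added example (not from the post or the Sumo Logic ZIA app itself), the following Sumo Logic search applies the same outlier idea to blocked ZIA transactions: hourly blocked counts per Zscaler location are compared with a rolling baseline and only sustained deviations are surfaced, which is the kind of query you would save as a scheduled alert. The source category and the `action` and `location` field names are assumptions based on the ZIA NSS JSON web-log feed; adjust them to your own feed configuration.

```sumo
// Constructed example, not part of the Sumo Logic ZIA app.
// Assumes ZIA NSS web logs delivered as JSON with "action" and "location"
// fields, and that the cloud-to-cloud source is tagged zscaler/zia.
_sourceCategory=zscaler/zia
| json field=_raw "action", "location" as action, location nodrop
| where action = "Blocked"
| timeslice 1h
| count as blocked by _timeslice, location
// Rolling 24-slice baseline per location. A slice is flagged only when it
// exceeds the baseline mean by 3 standard deviations in two consecutive
// hours (direction=+), which suppresses one-off spikes that cause alert
// fatigue while still catching a sustained surge of blocks from one site.
| outlier blocked window=24, threshold=3, consecutive=2, direction=+ by location
| where blocked_violation = 1
| fields _timeslice, location, blocked, blocked_lower, blocked_upper
```

Schedule the search as a monitor with a condition of "greater than 0 results" so each violating location and hour becomes one alert rather than one alert per blocked transaction.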

Sumo Logic Zscaler Dashboard 2

Traffic Behavior Analysis

Another challenge that arises when securing modern applications at scale is analyzing allowed traffic patterns and trends to identify security events or incidents of interest. The Behavior dashboard analyzes these traffic patterns across multiple dimensions with simplified time-series visualizations that security engineers can use for alerting and response. Users can now easily spot deviations from normal traffic patterns by user, content type, content category, super category and bandwidth.

Sumo Logic Zscaler Dashboard 3

File Classification, Threats and DNS Analysis

Detailed analytics and insights on threats are also available through additional dashboards focused on classification of blocked files, URLs, server locations, threat categories, threat risks and individual transactions.

Sumo Logic Zscaler Dashboard 4

To learn more about these three dashboards, see our documentation on ZIA here.

ZPA

The app for Zscaler Private Access (ZPA) is a tool to help IT and Ops teams monitor and optimize their ZPA deployments to ensure a Zero Trust model without affecting user productivity. From a single dashboard, IT and Ops personnel can get immediate visibility into the health and performance of their ZPA deployment.

Sumo Logic Zscaler Dashboard 5

Connector Health and Performance Analytics

One of the primary challenges in implementing and operating a modern, large-scale Zero Trust Network Access (ZTNA) solution is avoiding end-user disruptions in productivity. If a connector is overloaded with traffic or stops responding, workforce productivity is immediately impacted. The Connector and Performance dashboards for the ZPA app provide operators with detailed analytics and insights into their distributed ZPA deployment.

Sumo Logic Zscaler Dashboard 6

Alerts can be configured on trends in connector performance in order to flag issues before they impact the end user.

Sumo Logic Zscaler Dashboard 7

Auditing and User Activity Monitoring

While detailed auditing of any ZTNA deployment is useful, or even required, from a compliance perspective, it’s also an ideal way to track down operator misconfigurations or to surface ways to optimize existing configurations based on end-user activity. To accommodate these use cases, we have provided Audit and User Activity dashboards.

Sumo Logic Zscaler Dashboard 8

Monitoring user activity can help drive policy updates or configuration changes based on real-time policy blocks and timeout blocks. We’ve also included a panel that correlates connection details with out-of-the-box threat intelligence to determine potentially malicious connection attempts.

Sumo Logic Zscaler Dashboard 9

To learn more about the content made available in the ZPA app for Sumo Logic, see our documentation here.

Get Started Now!

The Sumo Logic apps for Zscaler Internet and Private Access help security engineers gain visibility across their cloud apps with out-of-the-box content, respond in real time to correlated security incidents and monitor their Zero Trust Network Access deployments. Prebuilt dashboards combined with real-time alerts and correlated threat intelligence make it simple to monitor and identify anomalous activity and vulnerabilities and to respond to security incidents.

To get started, check out the Sumo Logic Zscaler Internet Access and Zscaler Private Access documentation. If you don’t yet have a Sumo Logic account, you can sign up for a free trial today.

Additional Resources

For more great security-focused reads, check out the Sumo Logic blog.

Download the Sumo Logic Continuous Intelligence Report that quantitatively defines the state of the modern application stack and the shift in technology used by enterprises adopting Cloud and DevSecOps during the COVID-19 global pandemic.


Drew Horn

Director, Business Development, ISVs

As a Director of Business Development, Drew is responsible for providing leadership and evangelism for the App Intelligence Partner Program, helping independent software vendors successfully evaluate and integrate the Sumo Logic platform with their solutions.

Drew has over 15 years of experience in IT ranging from early stage startups to Fortune 500 enterprises across engineering, quality assurance, DevOps, customer success, solutions engineering and professional services.

Recently, Drew was the Senior Director of Automation at Applause (a Vista Equity Partners portfolio company), where he spearheaded the GTM strategy, customer success and professional services for their test automation offering. Prior to joining Applause, Drew led the DevOps team at Amherst InsightLabs, facilitating the delivery and operation of data analytics platforms used to power Amherst's broker dealer, asset management and single family buyer/renter platforms. Drew started his career in InfoSec, helping enterprise network security software development teams build, test and deliver high-quality products. He holds a B.S. in Mathematics from the University of Texas, Austin.
