If you’re on a Security team, chances are you can leverage some of the Operations team’s existing tools for log management and SIEM. That was certainly the case with Threat Stack’s use of Graylog.
On June 22, Sam Bisbee, Threat Stack’s CSO, joined Lennart Koopmann, the founder and CTO of Graylog, to discuss how Threat Stack moved from a manual logging system with data silos and a lack of overall visibility, to using centralized log management and a SIEM to create a holistic picture of our cloud infrastructure security — incorporating data from our own systems as well as third-party applications to cost-effectively create real-time actionable security intelligence.
During the webinar, Sam and Lennart addressed key questions including the following:
- Why host your own log management system?
- What drove the need for a SIEM?
- How did Threat Stack unify its data across various platforms?
- How did Threat Stack make our security intelligence actionable?
Here’s a recap of the discussion which, I hope, will be helpful if you’re evaluating log management or SIEM vendors for inclusion in your SecOps tech stack.
Combining Log Management With a SIEM
When Threat Stack first started, we stored logs on internal hosts, and gradually began aggregating them to a SaaS-based log management system. This approach works if you’re small, and your security concerns from outsourcing your data to a third-party SaaS platform are relatively minimal. But, as you grow and want to add data sources to your log management system, you may find that many of these third-party log management applications’ ecosystems are relatively closed, which creates more and more data silos between your internal apps and third-party applications. With no way to centralize this data and do a thorough analysis in real time, many security issues can slip through the cracks.
As Threat Stack grew and took on more customers, we knew we had to make our cloud infrastructure as secure as possible and manage customer data in a manner that would support rigorous compliance standards. Since our Ops team was already heavily invested in Graylog, we concluded that we could create a system that would meet the following requirements:
- Detection: Generate alerts based on generic system and application logs
- Alert Management: Store alerts from multiple sources and alert on specific patterns (for example, multiple failed logins followed by a successful one)
- Analytics: Drive security program priorities and decision making, as well as determine control efficacy based on data instead of magic
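The Alert Management pattern above (multiple failed logins followed by a successful one) can be expressed as a small stateful correlation. This is an added example, not Threat Stack's or Graylog's code; the event fields, the threshold of three failures, the five-minute window and the sample events are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): ISO timestamp, user, source IP, outcome.
SAMPLE_EVENTS = [
    ("2024-01-15T10:00:01", "alice", "203.0.113.7", "failure"),
    ("2024-01-15T10:00:05", "alice", "203.0.113.8", "failure"),
    ("2024-01-15T10:00:09", "alice", "203.0.113.7", "failure"),
    ("2024-01-15T10:00:14", "alice", "203.0.113.7", "success"),  # 3 failures, then success
    ("2024-01-15T10:01:00", "bob", "198.51.100.4", "failure"),
    ("2024-01-15T10:01:30", "bob", "198.51.100.4", "success"),   # only 1 failure
    ("2024-01-15T09:00:00", "carol", "192.0.2.9", "failure"),    # arrives out of order
    ("2024-01-15T09:00:10", "carol", "192.0.2.9", "failure"),
    ("2024-01-15T09:00:20", "carol", "192.0.2.9", "failure"),
    ("2024-01-15T11:30:00", "carol", "192.0.2.9", "success"),    # failures long expired
]

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per successful login that was preceded by at least
    `threshold` failures for the same user inside `window`."""
    failures = defaultdict(deque)  # user -> deque of (timestamp, source IP)
    alerts = []
    # Sources deliver out of order; same-format ISO strings sort chronologically.
    for ts_raw, user, ip, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        recent = failures[user]
        # Drop failures that have aged out of the correlation window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if outcome == "failure":
            recent.append((ts, ip))
        elif outcome == "success":
            if len(recent) >= threshold:
                alerts.append({
                    "user": user,
                    "failed_attempts": len(recent),
                    "failure_ips": sorted({src for _, src in recent}),
                    "success_ip": ip,
                    "success_at": ts.isoformat(),
                })
            recent.clear()  # a success ends the streak either way
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Keying the state on the user rather than on user plus source IP keeps the rule effective when the failed attempts come from several addresses.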
Using Graylog and Security Orchestration
As a next step, our team carved out specific indices and dashboards restricted to security, analyzed and built dashboards around existing logs, and used Threat Stack alerts for analysis and aggregation. All of the logs from our internal applications flowed through the Graylog tool, which we hosted on AWS.
We still had the challenge of aggregating data from various third-party applications that didn’t speak the same language as Graylog and merging that data with our internal app logs. To achieve this, we built our own security orchestration (SOAR) application to push and pull data, including Threat Stack alerts, between various systems. SOAR both pushed information to Graylog, and pulled out Graylog alerts, which were sent to tools like Slack and PagerDuty to notify our staff of any potentially anomalous activity.
Key Business Takeaways: Reduce Cost, Lower Risk, Save Time, and Enable Innovation
We found that Graylog was the ideal solution for addressing our Security team’s needs. We avoided the need to invest in an expensive SIEM and leveraged the existing Graylog investment that had been made by our Operations team. With Security and Operations using the same toolset, we were able to integrate security into existing Operations processes with minimal disruption.
From a compliance perspective, our team knows that our log data is safe, since we’re hosting Graylog on AWS rather than trusting our data to a SaaS-based log management system. By consolidating system-level event alerting into one platform that’s correlated with internal event data, we created a single system of record that makes compliance a regular part of the team’s workflow (rather than an afterthought).
Perhaps most importantly, the combination of Graylog and SOAR enabled us to build in enough automation to create a fast, comprehensive picture of what was happening across all our applications. As a result, we’re continuously able to analyze data quickly, make decisions on how to act, and increase the pace of our own innovation as a company.