Sumo Logic CEO on Using Data to Improve Security Posture
Ramin Sayar Shares Strategies for More SOC Automation and Infrastructure Visibility
Sumo Logic has sharpened its ability to help customers of all sizes improve their security posture since going public two years ago, says President and CEO Ramin Sayar.
The Silicon Valley-based SaaS machine data analytics company has found that enterprises want to drive more automation in the SOC, while small to midsized clients seek more visibility into the infrastructure supporting users and applications, Sayar says. Sumo Logic has advanced its vision since the IPO by purchasing SOAR provider DFLabs in March 2021 and full-stack monitoring platform Sensu in June 2021, Sayar says (see: Modernization of Security Operations).
"We believe that there are far too few security practitioners, and we're trying to help them - not only with our analytics and technology but also connecting them more effectively to developers and applications upstream to remediate and fix issues themselves versus having to catch it downstream and secure it then," Sayar says.
In this video interview with Information Security Media Group, Sayar also discusses:
- What makes Sumo Logic's approach to SIEM different from its competitors;
- How customers have benefited from the DFLabs and Sensu buys;
- The top challenges organizations face in security operations.
Sayar has 20 years of industry experience as a strategic and operating leader of both small and large organizations and a strong track record of developing innovative products in both emerging and mature markets. He joined Sumo Logic from VMware, where he formulated strategy and led the development of the industry's leading private cloud management products. Cloud management became VMware's fastest-growing business unit, with nearly $1 billion in revenue during his almost five-year tenure. Previously, Sayar held executive roles at leading enterprises, including vice president of products and strategy at HP Software, senior director of products at Mercury Software, director of products and solutions at TIBCO, product line marketing manager at iPlanet Software and product line marketing manager at Netscape.
Michael Novinson: Hello, this is Michael Novinson with Information Security Media Group. I'm joined today by Ramin Sayar. He is the president and CEO at Sumo Logic. Good afternoon, Ramin. How are you?
Ramin Sayar: Good. Thanks, Michael.
Novinson: Thank you for making the time. I know it's been roughly two years since Sumo Logic completed its initial public offering. To start off with, I wanted to get a sense of the biggest advances you've made in your security practice since filing for the IPO.
Sayar: Our heritage started many years ago in security, so it's not new for us. Given the background in logging, compliance and audit, over the last few years we've dramatically enhanced our portfolio with respect to not only the core security analytics module, but also with respect to compliance and audit, FedRAMP, and most notably cloud SIEM and SOAR. The simple reason is that we believe there are far too few security practitioners, and we're trying to help them not only with our analytics and technology, but also by connecting them more effectively to developers and the applications upstream to remediate and fix issues themselves, versus having to catch it downstream in security.
Novinson: Very interesting. When it comes to your security practice, what's been the fastest growing part of your security business and why?
Sayar: I think some of that answer depends on the maturity of the customer. As we look at our enterprise customer base versus the mid-market, and the enterprise base versus SMB, the answer to that will vary. For the enterprises, it's about a modern SOC, driving more automation, and therefore our cloud SIEM, and now even our SOAR, is very pertinent. If you look at the mid-market, they typically won't have a formalized SOC, and they may or may not have a CISO. They have some engineer doing security, and the security analytics module, now our cloud security monitoring analytics package, is well geared towards them to be able to get visibility into the infrastructure, the applications and users, and the various SaaS applications they're driving. It's also about security analytics, but also some compliance and audit that they may have to report on. The great thing about our portfolio lineup is that regardless of your size, but more importantly your maturity, we have an on-ramp for you to effectively improve your security posture.
Novinson: Why don't you tell us a little bit about how you got there historically? Were you focused more on either the SMB or the large enterprise, or have you always played in both?
Sayar: We've always played in both. Sumo Logic was founded in 2010, and the intention was to essentially build a SIEM in the cloud for the cloud. But it took quite a few years for enterprise customer CISOs to adopt SaaS and cloud. Naturally, we focused more on developers and mid-market and SMB until we saw better traction with not just cloud-native companies, but also those enterprise and mid-market customers that are migrating to the cloud, which we see much more aggressively now.
Novinson: Interesting. Why don't you give us a sense in terms of your approach to SIEM and SOC? How do you feel it's most differentiated versus maybe some of the legacy SIEM providers such as Splunk, LogRhythm and QRadar, as well as some of the newer entrants into the market?
Sayar: We've always been architected for the new, not the old, meaning that we've provided a foundation of SaaS. We're the gold standard in cloud log analytics. We built a lot of machine learning algorithms on top of the data, all the data that we analyze; we're not sampling or aggregating, so that we can help essentially not just reduce the signal to noise, but also improve operator efficiency. I say operators because, again, back to the personas, it may be a security operations manager or analyst. It may be a threat hunter or engineer that collectively have to work together. Oftentimes, there's also an MSP - managed service provider - and managed security service provider involved in that. Your level one, level two, level three teams are focused; sometimes it's insourced, sometimes it's outsourced or co-sourced. The unique delivery that we have with SaaS, the time to value in terms of the automation and analytics, and the scalable architecture are what distinguish Sumo from the rest.
Novinson: I want to talk a little bit about your acquisition history. I know you made two acquisitions in the first half of 2021, buying DFLabs and then buying Sensu. What did those acquisitions allow you to do?
Sayar: Historically, we've acquired companies, some that we've announced and some that we've not announced. They've always centered around the team - the people IP first - and secondarily the product IP that we can bring in to accelerate an agenda that we're working on or wanting to work on. As you look at those two acquisitions, they built on things that we were doing before, both organically and inorganically. Let me start with Sensu. For quite some time, we've been focused on logging, troubleshooting, and monitoring, and building that out, and we made other acquisitions to drive towards full-stack observability and distributed tracing, because the modern application performance management needs today are different than the tooling and instrumentation of yesterday and some of those vendors. We acquired some technology, built some stuff out. Sensu was a means for us to accelerate a motion that we wanted to push harder. That motion is toward something called OpenTelemetry, whereby you're standardizing the way that you're collecting logs, metrics, traces, metadata and events. It's not about paying $5-$12-$15 a host for basic infrastructure metrics. It's more about uniform data collection. Now you have to deliver value on top of the data that you're collecting, not just charging for the click. That's where the antiquated tools of yesterday, and some that are cloud and SaaS today, still charge. The Sensu acquisition for us is about the developer community. It's about the standardization of data formats and the initiative around OpenTelemetry, and third, accelerating our self-service and product-led growth. But again, it was the team fitting into our strategy that existed that helps us accelerate. Similarly, if you look at the DFLabs acquisition, it was a lot about the team. The team started by running as an MSP, essentially services for customers, so they know what customers face.
They productized a lot of experience into a SOAR product that could sit on top of logging tools or SIEM tools and deliver value through automation. They had hundreds of runbooks. Basically, actions are codified based on patterns that they saw from large global companies in retail, manufacturing, insurance and more. That intuitive knowledge that they had from being a service provider transferred into product IP, and we wanted both to accelerate our journey. What we've done is cloudify what they've productized and integrate it with the number one logging platform and our SIEM product to help both enterprise customers, as well as the MSPs that they served, accelerate their journey to automation and analytics.
Novinson: Interesting. Looking forward, do you anticipate strategic M&A continuing to be part of the strategy? Or have you taken a step back, given the macroeconomics or given the state of your platform?
Sayar: I can't say never. I think what we are seeing in the market today is that there hasn't been a rebalancing yet in terms of valuations on the private side of the house, whereas there has been a massive rebalancing on the public side. Once those do settle, we'll see. I would argue, however, that we have the most comprehensive cloud-native platform for both reliability and security on the market. If we do look, it will be to bring in more talent and accelerate edges of what we're doing. It will tie into our multi-year product strategy we call horizons. We've been focused on horizon one, horizon two, horizon three, and we also have a horizon four effort that we've been working on. If it fits into one of those - great team, great cultural fit, celebration of those agendas - then we'll consider it.
Novinson: In terms of those horizons, what do you feel are some of the biggest advances you've made from horizon one to horizon four?
Sayar: I think one of the biggest advances is in our core platform. If you look at the challenge that we are all facing in the industry as practitioners, whether you're a developer, site reliability engineer, security operations, or threat hunter, budgets are not growing as fast as data. The tsunami of data is outpacing and accelerating past every tool that's out there, and that creates a lot of complexity. That complexity is further created because of the new architectures. Specifically, we've gone from three-tier applications to n-tier applications. Now you're running on this opaque cloud infrastructure that's ephemeral, so it comes and goes, and that makes it hard to track and troubleshoot, let alone monitor. Then third, to understand the impact they may have on posture and security threats. What we've been doing a lot in that foundation technology platform is being able to ingest all types of data - structured, unstructured, metadata, events - and being able to reason over that through collection, through our ingest pipeline, through our persistent stores. Ultimately, we can drive more analytics on top of that and apply it towards horizon two, which is observability; horizon three, which is security; and more. A lot of investment has gone into the technology, which allows us to innovate not only by features, but also through packaging and licensing. Our cloud flex licensing model helps customers be able to take advantage. Secondly, our enterprise suite allows them to either pick one enterprise suite or pick both observability and security, or if they want, they can start with one and evolve. Again, flexibility and choice for customers. A lot of investment has gone into our foundation and technology platform. Similarly, a lot of investment has gone into our observability suite. We just announced some new capabilities today around reliability management, SLIs, SLOs and more around observability. Earlier last month, we talked a lot about the security enhancements we've done.
We're continuing to invest in features, usability, collection, and so much more that ultimately delivers better value for our technology and our staff.
Novinson: Speaking about the security side of the business, what are the biggest changes you've seen in terms of what customers need from a security operations platform? How have the needs of the customer evolved since the onset of the COVID-19 pandemic?
Sayar: I think the pace and the sophistication of the attacks have only increased every month, every quarter. If you look back at what used to go on for us security practitioners with Patch Tuesday, it was a pretty static environment. A lot of data was flowing through your DMZ, your firewall, and you were able oftentimes to detect or prevent that before it made its way in. The real risk was a patch that didn't get updated or something that was done internally. Now, if you look at the sophisticated phishing emails, supply chain attacks, and more, there are so many bad actors inside and outside. The attack surface is so much broader. It's not confined to your colo, your data centers. It's your SaaS apps, your cloud infrastructure, and more. I think one of the biggest challenges for a lot of folks is, where do I focus? How do I focus when I'm inundated with false alarms all the time? It drives the need for the technology architecture leadership that we have, with respect to that foundation platform and the automation and analytics that sit on top of it, to be able collectively, as a community, to work on things like Log4j or the supply chain attacks, give visibility, be able to prevent that, and share common best practices, because we as a security community need to come together to be able to attack the bad guys, not individually.
Novinson: In the security operations world, if you're in a competitive bid scenario, what vendors are you encountering the most often, and what tends to be the reason you win, or the things that set you apart, in those competitive bid scenarios?
Sayar: I think in the tool chain of security, there's a modernization happening at every level. From appliances to firewall services, from legacy endpoints to new SaaS endpoints, from legacy email to new sophisticated email tools that use analytics and crowdsourcing and so much more. It's how we integrate with the new and the old that distinguishes us, let alone our technology differentiators, let alone the fact that we've been doing this ourselves for over 12 years in the cloud, for the cloud, protecting our customers and ourselves. What goes into the product is what we've seen from how we've been managing our service, not just what we integrate with. I think when customers see that and realize that, they're able to have a confident approach with Sumo for how they can get from where they are today to where they need to be, whether it's from legacy SIEMs, because there are a lot of them still out there, to the modern cloud SIEM, or they may run them in tandem - leave the old SIEM for the legacy environment and bring in Sumo to address their new environment. Gradually, as they migrate data, infrastructure, apps, and users, they're already covered. We typically win because of that. Now, the other answer to your question is that it's still tied up in old legacy SIEMs. That's one set of competitors, where they've figured out how to essentially shut the lights off over the term of the contract, and more likely than not, the person or teams that implemented that are no longer there. The manual correlation rules and the static rules are not applicable. They need someone to help integrate and manage that, let alone drive the path. That's where we differentiate, in addition to our technology differentiation.
Novinson: Very interesting. When it comes to the CISO community, what do you feel that CISOs are overlooking most right now and why?
Sayar: I think there's a whole slew of requirements coming down on any public company, and/or private company, in terms of how you do business. The SEC rulings that are coming down, the GDPR stuff, the privacy and sensitivity of data; there's so much coming at a CISO right now. She or he has a hard time prioritizing which one of those to do first. I think we as a community need to probably come together better to be able to share some of those best practices versus trying to firefight. I think a lot of CISOs are firefighting because they're stuck with old, antiquated tools and technologies. They are struggling with people and talent, the business is moving to the cloud, and they're trying to keep up. The more that we can bring our community together to share best practices, the easier it will be for all of them and us to transition effectively. That's one. Second is to get involved in helping shape what we're doing as a community, but also what other rulings are coming at us, because a lot of times those who make those rulings aren't practitioners and don't know how to manage security operations teams. Use the community to influence some of those things that are going on with best practices in industry, for the Fed or for government or for verticals or the like, versus having them dictate it to us.
Novinson: Interesting stuff, Ramin. Thank you so much for the time.
Sayar: Michael, thank you as well. Appreciate the opportunity to see you and talk a little bit more about what Sumo's driving.
Novinson: Absolutely. We've been speaking with Ramin Sayar. He is president and CEO of Sumo Logic. For Information Security Media Group, this is Michael Novinson. Have a nice day.