Security Information And Event Management (SIEM)

Interview: How Harnessing The Cloud And Cross-Training Employees Can Improve Your Security And Operations Processes

George Gerchow, CSO and SVP of IT at Sumo Logic, discusses how organizations can improve their security and operations processes, amid cloud migration, hybrid working, and the cyber knowledge gap.

Expert Insights Interview With George Gerchow Of Sumo Logic

George Gerchow is the Chief Security Officer and SVP of IT at Sumo Logic. Gerchow has over 20 years of experience in the cybersecurity space, with a particular focus on cloud technologies. In his role at Sumo Logic, Gerchow supports Sumo Logic’s IT, Security and Compliance, and Real Estate functions in order to modernize and automate their systems. Gerchow is also responsible for establishing Sumo Logic’s next-gen Global Operations Center (GOC) and DevSecOps teams, building security backed by automation directly into the heart of the company.

At RSAC 2022, we spoke to Gerchow to discuss how organizations can improve their security and operations processes, while navigating an ever-shifting threat landscape and the challenges of cloud migration, hybrid working, and the cyber knowledge gap.

Sumo Logic was recently named a Visionary in Gartner’s Magic Quadrant for SIEM. What differentiates the Sumo Logic platform from other monitoring, management, and response tools?

What makes us stand out more than other solutions in the space, firstly, is scale. You know, the fact that we’re a multi-tenant platform hosted in AWS. Bring on the data! There’s just no challenge that we’re not going to accept when it comes to scale and ease of collection.

Then, in particular to cloud SIEM enterprise, it’s the proprietary algorithms that we have that cut right through the noise to get to the signal. And so, from an analyst perspective in a SOC, you reduce alert fatigue, and you’re able to get to what the exact problem is, based upon trends that we’ve seen within the industry.

And how do you achieve that scalability?

It’s true SaaS. When I’m walking through the floor here today, I’m seeing cloud, cloud, cloud. I’m sorry, if you’re single tenant, you’re not cloud, because that’s still something you have to try to grow and build, and it just doesn’t work that way. It’s that multi-tenancy that helps us scale that way.

In recent years, we’ve seen huge changes in the ways in which people work and engage with digital services, particularly with the wide-scale adoption of cloud services. What are some of the biggest security risks you’ve seen since the last RSA conference, as a result of this?

I think the place to start is the knowledge gap. I’m lucky enough to serve and support multiple departments. So, I have all of real estate, IT, and security and compliance. I think when the pandemic hit and everyone started going remote, people made a decision to move to the cloud right away, but there wasn’t enough education. There was no understanding of the shared responsibility model, when it came to Infrastructure-as-a-Service providers and Software-as-a-Service providers, and so a lot of things got lost in the mix. For example, a company suddenly moves to AWS and their data is being stored in S3, but what does that mean to me as a consumer? How do I encrypt that, client side, server side? And how do I monitor that? So, I think that lack of education was the first hit.

The second hit is now people are getting so crafty, craftier than ever when it comes to phishing. I mean, phishing just never goes away. Yesterday morning, the first text I got was from our “CEO” and our “Head of HR” with a beautiful phishing attempt that said, “Hey, I’m currently at the RSA Conference! I need W-2 forms from X number of people.” They’ve just gotten very, very crafty.

I also think that, when people are using the same system for both work and personal stuff more than ever, that leaves them very susceptible to different kinds of attacks. You know, what does their password hygiene really look like? Are SSO and MFA being deployed across the environment?

And again, that’s good for us because those are different types of logs that we want to ingest, parse, correlate, normalize and then be able to say, “Hey, we feel like there’s an attack coming or happening here.”

What are the main challenges that your customers are facing when trying to overcome these risks?

It’s where to start. You’ll walk around here and see “zero trust” everywhere. Zero trust is not a product. It’s a concept. People start looking at that and think, “Where do I begin?”—which is definitely the hardest part of it. To be able to detect or prevent any kind of attacks, in my mind, there are a few simple things that you need to start with and get down first.

Identity, to me, is the beginning. Identity and access management and being able to get visibility into what that looks like and how it’s being deployed is the beginning. Then you tie that in with logging and SIEM capabilities, and you have a very powerful base as to what it is that you need to start building the rest of that foundation on, to be able to detect and prevent those attacks.

But I think most of the time, people are like, “Okay, so is it incident response? Is it access management? Is it vulnerability management?” You just need to keep it simple in the beginning, like I said, then tie it around identity and logging. Then you set the foundation for all those other things on that journey to zero trust, which is never ending.

One of the main challenges that a lot of security professionals are facing when it comes to event management is alerting: either they’re overwhelmed with alerts, or they don’t have the resources in-house to respond to the issues they’re alerted to. How does Sumo Logic help organizations to address this?

In my mind, it’s the power of cloud. If you stop and think about a traditional security environment, and especially around things we do with the SIEM, your team is managing that infrastructure, and also trying to manage the application that rides on top of that infrastructure. We make it easy because you’d no longer have to manage that infrastructure. You’re now focused on the application and data so you can get to results a lot faster.

So, our solution—even though it’s an enterprise solution—is purpose-built in the beginning for small teams that don’t have a lot of people in place, and need things like automation and visibility, and then eventually detection and prevention. So, to me, the power of cloud is never ending in this space.

What are your final words of wisdom for organizations that want to improve their security and operations processes? What is the first step they should be taking?

I think the first thing is starting off with just visibility in general. Don’t boil the ocean, make sure that you have a good handle on what it is that you want to see. I just met with a small SMB customer before coming in here. And when we were talking about it, I was like, when I started building out our security organization—because obviously we drink our own champagne—we looked at the use cases first.

And this makes a lot of sense because, if you look at a use case like access management, then you figure out what kind of data you need to make that strong from a security and operations perspective, then you start setting the goals and the journey for the rest, because after that comes incident response then vulnerability management. I think it builds a really nice roadmap when you start that way, but the beginning of it is definitely visibility.

The other thing that I’ll say that I think that we did that was unique when starting to grow, was combining IT and security. Those two things siloed create a lot of friction and a lot of tool overlap. On top of that, you have so many talented security people in IT and, when you’re moving to the cloud, their responsibilities start getting narrower because there’s no infrastructure, but when you redeploy them with more of a security mindset and start having seamless security around availability, it makes for a powerful team. So, we no longer have a NOC and a SOC. We now have what we call GOC, a Global Operations Center, with these talented folks working together as one on the same mission when it comes to providing services, but also making sure they’re secure.

Just to follow up on that—how much of a part do cross-training and upskilling play, when you’re combining IT and security?

What a great question, because that’s where we actually built the excitement around it. So, we took our security operations folks, and we were like, “We’re now going to start supporting business applications that are critical to our company, especially when it comes to a SOC’s perspective, because we can’t leave compliance out of this.”

Then with the IT people, it was like, “Now we’re going to start cross-pollinating you to start understanding what’s going on from a security perspective, and having that hygiene and rigor with every application you deploy.” And it was a huge selling point, because both teams immediately just fell in love with that idea. And so, even though we’re working side by side virtually, in most cases, it’s that collaboration, open discussions and transparency that really led to this being a very successful move.

Thank you to George Gerchow for taking part in this interview. You can find out more about Sumo Logic’s cloud management and SIEM platform via their website.
