Earlier this month, threat actors leveraged compromised credentials to access Sumo Logic’s Amazon Web Services account. Sumo Logic immediately took down the infrastructure exposed by the incident, and conducted a rotation of credentials to prevent further compromises.
Sumo Logic is a cloud-based log management and analytics platform that empowers organizations to gain actionable insights from their machine-generated data. The platform is designed to handle and analyze massive volumes of log data, providing real-time visibility into the health and performance of applications, systems, and infrastructure. Sumo Logic helps organizations make informed decisions, troubleshoot issues, and optimize their IT environments by offering a centralized and scalable solution for log management, monitoring, and analytics.
At this time, Sumo Logic has reported that there is no evidence to suggest the breach will impact any of its customers.
Inside the Breach
It’s important to point out that the Sumo Logic breach was not a misconfiguration or vulnerability, but a breach caused by compromised credentials. The company reported that it has added extra security measures to further protect its system, including improved monitoring and fixing any gaps that might lead to future breaches of this nature.
Recommendations from Sumo Logic
Sumo Logic has recommended that its customers immediately rotate their Sumo Logic API access keys. This prevents attackers from using old keys that may have been compromised.
As an added precaution, Sumo Logic recommends that its customers rotate 3rd-party credentials that have been stored with Sumo Logic for data collection by the hosted collector (e.g., credentials for S3 access) or as part of webhook connection configuration.
Adaptive Shield’s platform has two security checks that are aligned with Sumo Logic’s recommendations.
- Webhook Connection with Authorization Header is a new security check that was added following this incident
- Sumo Logic API Access Key Rotation is an existing, customizable security check. We recommend users make sure that its “Affected” time frame covers the incident time frame
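The two recommendations above amount to one posture check: any API access key, webhook Authorization secret, or hosted-collector credential that was issued before the incident window closed should be rotated. The following is an added illustration of that check written for this post, not Adaptive Shield's or Sumo Logic's code; the incident window date is a constructed placeholder and all field names are assumptions, not either vendor's API schema.

```python
from datetime import datetime, timezone

# Constructed placeholder for when the incident window closed; the post gives no dates.
INCIDENT_END = datetime(2023, 11, 8, tzinfo=timezone.utc)

# Constructed sample inventory. Field names are assumptions made for this example,
# not the schema of Sumo Logic's API or of Adaptive Shield's checks.
ACCESS_KEYS = [
    {"id": "key-a", "created_at": "2023-09-15T10:00:00Z"},  # issued before the window
    {"id": "key-b", "created_at": "2023-11-09T08:30:00Z"},  # issued after the window
    {"id": "key-c", "created_at": "2023-11-03T12:00:00Z"},  # issued during the window
]
WEBHOOKS = [
    {"id": "wh-1", "headers": {"Authorization": "Bearer <redacted>"},
     "secret_rotated_at": "2023-06-01T00:00:00Z"},
    {"id": "wh-2", "headers": {"Content-Type": "application/json"},
     "secret_rotated_at": None},
    {"id": "wh-3", "headers": {"authorization": "Basic <redacted>"},
     "secret_rotated_at": "2023-11-10T00:00:00Z"},
]
HOSTED_SOURCES = [
    {"id": "src-s3", "stores_credentials": True, "credentials_rotated_at": None},
    {"id": "src-http", "stores_credentials": False, "credentials_rotated_at": None},
]

def _parse(ts):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def needs_rotation(last_set_at, incident_end):
    """A secret never (re)issued, or issued before the window closed, may be exposed."""
    return last_set_at is None or _parse(last_set_at) < incident_end

def rotation_findings(keys, webhooks, sources, incident_end=INCIDENT_END):
    """Return (object id, check name) for each secret the recommendations say to rotate."""
    findings = []
    for k in keys:
        if needs_rotation(k["created_at"], incident_end):
            findings.append((k["id"], "api-access-key-rotation"))
    for w in webhooks:
        # Header names are case-insensitive, so match "Authorization" in any casing.
        has_auth = any(name.lower() == "authorization" for name in w["headers"])
        if has_auth and needs_rotation(w["secret_rotated_at"], incident_end):
            findings.append((w["id"], "webhook-authorization-header"))
    for s in sources:
        if s["stores_credentials"] and needs_rotation(s["credentials_rotated_at"], incident_end):
            findings.append((s["id"], "hosted-collector-stored-credentials"))
    return findings
```

Keys issued during the window are flagged as well as older ones, which is what the post means by making sure the check's “Affected” time frame covers the incident.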
Automate Security Checks for Sumo Logic
Organizations that use Adaptive Shield’s SaaS Security Posture Management (SSPM) platform can easily gain visibility into Sumo Logic’s posture. Adaptive Shield has over 25 security checks for Sumo Logic, covering access control, key management, password management, and other security domains. Adaptive Shield also discovers administrative accounts and local accounts and consolidates multiple user identities into a single user as it monitors users and user behavior. This data, which is further enriched by other applications in the SaaS stack, provides contextualized visibility into those who are accessing the application and their behavior within the app, and is used to further secure the application.