How Sega Europe slashed incident response times using cloud SIEM
Gaming company’s SOC radically improves its operational efficiency with Sumo Logic’s cloud SIEM service
Video gaming company Sega Europe has slashed the time it takes to respond to cyber security incidents and cut the average time its security operations centre (SOC) team takes to deal with security events, after introducing a cloud security incident and event management (SIEM) offering from Sumo Logic.
Sega Europe’s SOC has a wide-ranging remit to protect multiple game development studios, Relic Studios in Canada, Amplitude Studios in France, and Creative Assembly, Sports Interactive, Two Point Studios and Hardlight in the UK. It also oversees Sega’s publishing operations, which are located all over the world. These various studios run a mix of on-premise IT and both public and private cloud instances to oversee the game development process.
The SOC also works to secure the vast amount of data generated by customers playing live games, and with a great many gamers being under the age of 18, it also has added legal pressures to safeguard any personally identifiable information (PII).
As such, it is under intense pressure to better support the organisation’s security posture, particularly since specialist gaming firms can sometimes be at elevated risk of cyber attack thanks to a small element of crossover between the gaming and hacking communities.
“We have an incredibly broad mix of customers to support, so having the right management backing and approach to security is essential for us. The games that we produce create significant volumes of data, and our studios use that data to continuously influence how they are developed,” says Kashif Iqbal, Sega Europe’s head of corporate technology and cyber security.
“This means that our security approach has to be just as agile, able to deliver results faster and make our team more productive.”
Iqbal was on the lookout for a cloud-based SIEM service that was able to support the needs of both facets of Sega’s business, integrating its fast-growing cloud application suite and datasets in a so-called “single pane of glass”.
Read more about SIEM
- SIEM systems aggregate a lot of data across all types of infrastructure. For regular audits, admins should address notification settings, analysis protocols and storage locations.
- SIEM and SOAR tools are now seen as complementary to each other, but key differences in purpose and features may determine which one you decide to use in your datacentre.
- Endgame agents can now send endpoint security data to the Elastic SIEM, but UI and data schema integration – and the ability to take action on endpoints – will come sometime in 2020.
After a four-month bake-off that also included the likes of LogRhythm and Splunk, Iqbal found Sumo Logic’s Cloud SIEM product ticked these boxes nicely for a number of reasons, including smooth integration with public cloud instances; better scalability and elasticity at all aggregation levels; and superior threat intelligence.
“Sumo Logic’s Cloud SIEM provides us with that continuous intelligence and insight around security and the integrated threat intelligence approach has been very valuable for us as well. With Sumo Logic, the security team can be a proactive partner for our studios,” says Iqbal.
Iain Chidgey, EMEA vice-president at Sumo Logic, says: “Cloud-native security is becoming increasingly important to companies of all sizes as they move more of their systems into the cloud.
“Traditional SIEM and security analytics tools were not developed to meet those use cases and they struggle to cope with the sheer volume of data that these cloud services create. Sumo Logic Cloud SIEM is built for modern IT – whether it’s cloud, hybrid or microservices – to help SOC teams manage their security analytics and forensic investigations tasks faster, taking advantage of the same flexibility that cloud has to offer.
“By providing threat detection and incident response, we make it easier for SOC teams to investigate and triage issues quickly, improve their processes and automate their workflows,” he says.
The product delivers a unified view of security events, managing alerts, running threat detection analytics, forensic investigations, and incident response, focused on IT environments at every stage of the cloud journey.
In Sega Europe’s case, this comprises a hybrid framework including Amazon Web Services (AWS) and Microsoft Azure, which it deployed a few years ago – although it still maintains an array of on-premise servers. The firm had, incidentally, explored SIEM at the same time, but found a number of drawbacks, including cost, and the rather “brittle” set of SIEM apps that were then available, which needed costly professional services to keep them up and running.
In-house roll-out
As Iqbal considered it important to be able to on-board future Sega Europe acquisitions quicker, the roll-out was conducted with in-house personnel only, enabling his own team to invest the amount of time needed to establish a bespoke, logical architecture – including introducing consistent naming conventions, configuring data containers for future growth, and so on.
This done, Sega moved swiftly into production, ingesting machine data from its diverse set of security information sources, such as AWS GuardDuty, Microsoft Advanced Threat Protection, antivirus logs and some apps it had developed on its own, into the new instance. It aggregated 30 GB of data each day, which quickly grew to over 50 GB.
A year on, with around 15 users supporting the organisation, Sega is able to field a “far-reaching assortment” of Sumo Logic apps and alerts to provide security insight and analysis, as well as building its own customised dashboards. The firm says this has proved particularly useful because it its security training requirements – they no longer need to be experts on everything in the technology portfolio but can focus on the aggregated information flowing through Cloud SIEM.
Iqbal also highlighted a number of use cases that Sumo Logic has thrown up. The Sega security team uses the Observe, Orient, Decide and Act (OODA) process when assessing security events – by incorporating Sumo Logic into its playbook it can now consult its various dashboards for first-stage incident triage.
These resources also guide the team as to whether or not they need to escalate what they have seen to senior staffers. Consolidating all this information into a single source of truth, he reckons Sega has shortened the length of time it takes to investigate and fix security problems by a fifth.
In the future, Iqbal says Sega was already planning to go deeper on its relationship with Sumo Logic, adding more data from sources such as AWS Inspector and CrowdStrike, and building its own tailored dashboard.
He also hopes to leverage the Cloud SIEM machine learning capabilities to back up its threat intelligence capabilities, and use Sumo Logic’s Kubernetes dashboards as tools to administer Sega’s multi-cloud portfolio.