Sumo Logic Looks to Hacker-Powered Pen Testing for Security and Compliance
Secrecy has been a trademark of security culture for decades. Companies like Sumo Logic, a cloud-based log management and analytics company, are choosing transparency instead. Although it is subject to demanding compliance and regulatory standards, Sumo Logic is sharing, for the first time, the results and inner workings of its open line of communication with the hacker community, flipping that stereotype on its head.
Meet George Gerchow. He’s the Chief Security Officer at Sumo Logic, which delivers real-time IT insights for companies such as Samsung, Toyota, Adobe, Kaiser Permanente, Delta, Estee Lauder, and others. The company has $235 million in funding to date and is said to be on track for an IPO. Sumo Logic is not only a data company but also a security company: it is responsible for protecting massive, high-risk, cloud-based datasets for some of the largest brands in the world, while also meeting compliance standards and continuous auditing.
In late 2017, Gerchow faced a challenge most only dream of: pen testing reports kept coming back clean. While that sounds like good news, and it did mean Sumo Logic’s attack surface was hardening, Gerchow knew nothing is bulletproof. A run of clean reports says as much about where the testers looked as it does about the system under test.
“After seeing a few reports come back with all the boxes checked but no new findings, I knew it couldn’t be because we’re perfect. It’s because our pen testers kept looking in the same places,” he said. “We decided that we needed a more diverse group of testers, while still meeting and exceeding compliance standards, which is what led us to HackerOne and the hacker-powered security model.”
Sumo Logic launched its first private, time-bound bug bounty program (a HackerOne Challenge) in Q4 2017. In just 15 days, 5 hackers found 12 vulnerabilities that earlier pen tests had missed. Gerchow then brought auditors into the vulnerability review and remediation process so that compliance was maintained throughout, rather than checked after the fact. His team also used HackerOne’s managed services to triage reports as they arrived, which effectively extended Sumo Logic’s security team and shortened response times to hackers. Since then, Sumo Logic has run two additional Challenges, bringing the totals to 93 participating hackers and 30 reported vulnerabilities, 9 of them high or critical severity.
The findings were nothing short of valuable. In recent months, a hacker found and reported a social engineering vulnerability that gave him the ability to receive emails at, and create document access requests from, a Sumo Logic email address. Such an address could have been used to trick employees into sending sensitive data to it if they were not careful or aware: a request that appears to come from an internal address passes the one check most people apply to email, which is whether the sender looks legitimate.
Thanks to the bug bounty program, a minor bug that could have grown into a major security risk was remediated quickly. It is another proof point for building a solid, transparent path to remediation that continually improves the company’s overall security posture.
“The diverse perspectives and creativity of the participating hackers was astounding. We were so impressed, we couldn’t wait to do another Challenge,” Gerchow said. “Some of these vulnerabilities would never have been found otherwise. The community and HackerOne’s team served as a complement to and extension of our internal security team, allowing us to scale on a moment’s notice, and exceed compliance standards.”
Gerchow came to Sumo Logic from Dell EMC and VMware, joining in March 2015 as Vice President of Security and Compliance, where he leads all internal cybersecurity and compliance initiatives with a risk-based approach. Many of Sumo Logic’s customers operate in highly regulated industries, which means Sumo Logic has to be prepared for audits itself. Over the last three years he has scaled one of the most mature security organizations based entirely in the cloud, blending security engineering, developer operations, and auditors to continually produce a secure product its customers can rely on.
Sumo Logic is gearing up for its fourth HackerOne Challenge in the coming months. Keep your eyes peeled — more news from their team soon! In the meantime, check out their public vulnerability disclosure policy by visiting https://www.sumologic.com/compliance/.