This content is part of the Buyer's Guide: Finding the right security analytics tools for your enterprise

Sumo Logic Enterprise Security Analytics: Product overview

Expert Dan Sullivan examines Sumo Logic Enterprise Security Analytics, which uses a combination of rules, anomaly detection and predictive analytics to detect security threats.

The dynamic and persistent nature of cyberthreats requires a continual state of monitoring, blocking and -- potentially -- remediating. Security information and event management (SIEM) platforms are designed to meet a number of important aspects of this continual monitor-and-respond stance.

Sumo Logic is a cloud-based analytics vendor that focuses on security and compliance, but in the process addresses DevOps and infrastructure management issues as well. The Sumo Logic Enterprise Security Analytics platform is a security as a service offering that works with both on-premises and cloud-based enterprise infrastructure and applications.

Data collection

The Sumo Logic security analytics platform uses lightweight collectors to package and encrypt data that is then ingested into a centralized logging system. A search tool is provided so administrators and analysts can search through large volumes of events. The system is designed to collect terabytes of data from on-premises applications, network infrastructure and devices, as well as from cloud resources.

The company's LogReduce tool is designed to take thousands of log events and cluster them into identifiable groups based on shared patterns. Sumo Logic also uses a specialized compression technique to find patterns across events, which enables the system to represent a large number of events in a space-saving, efficient form for security analytics. The company's patented SumoLogic Elastic Log Processing engine is designed to scale as needed, depending on the computing, storage and processing resources available for each customer.

Analytics and alerting

After collecting and ingesting data, the next logical step in the platform's workflow is analysis. Sumo Logic Enterprise Security Analytics employs a combination of rules, anomaly detection and predictive analytics to detect events of interest. Rules are useful for specifying well-known suspicious patterns, such as port scanning. Anomaly detection builds a baseline of typical activity and uses that baseline to identify events that lie significantly outside the norm. Predictive analytics employs statistics and machine learning techniques to identify events that are likely precursors to security events of interest.

Sumo Logic's security analytics platform can also provide insights into data pulled from third-party sources both in the cloud and on premises, including AWS CloudTrail and Cisco Adaptive Security Appliances.

Administrators and security analysts can monitor the state of events using the Sumo Logic customizable dashboard. They can also configure alerts to send notifications when anomalous activity is detected. The alert system can be customized to notify security team members when specific data deviates from the baselines or thresholds set by the organization. Alerts can also be sent through existing email systems or real-time communications platforms like Slack.
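As an added illustration of the rule and baseline tiers described above and of how their hits feed the alert layer, the following Python sketch is not Sumo Logic's code or log format: it applies a port-scan rule and a mean/standard-deviation baseline to constructed log lines and hourly counts. The log format, the `min_ports` and `sigma` thresholds, and all sample values are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed firewall-style log lines for illustration; not real Sumo Logic data or format.
SAMPLE_LOGS = [
    f"2016-10-03T10:00:{i:02d} src=10.0.0.5 dst=10.0.1.9 dport={20 + i} action=deny"
    for i in range(12)  # one source touching 12 distinct ports on one host
] + [
    "2016-10-03T10:01:00 src=10.0.0.7 dst=10.0.1.9 dport=443 action=allow",
    "2016-10-03T10:01:05 src=10.0.0.7 dst=10.0.1.9 dport=443 action=allow",
    "garbage line the parser must skip rather than crash on",
]
# Constructed hourly event counts: baseline hours from history, then today's hours.
HISTORY = [100, 110, 95, 105, 98, 102, 107, 99]
CURRENT = {"09:00": 104, "10:00": 180, "11:00": 60}
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def parse(lines):
    """Dicts from raw lines; malformed lines are skipped, never raised."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def port_scan_rule(events, min_ports=10):
    """Rule tier: a known-bad pattern, one source probing many distinct ports on one host."""
    ports = defaultdict(set)
    for e in events:
        ports[(e["src"], e["dst"])].add(e["dport"])
    return sorted({src for (src, _dst), p in ports.items() if len(p) >= min_ports})

def baseline_anomalies(history, current, sigma=3.0):
    """Anomaly tier: hours whose count lies more than `sigma` stdevs from the baseline mean."""
    mean, stdev = statistics.mean(history), statistics.stdev(history)
    flagged = []
    for hour, count in sorted(current.items()):
        # A flat baseline (stdev 0) makes any change infinitely surprising, so flag it.
        z = (count - mean) / stdev if stdev else (0.0 if count == mean else float("inf"))
        if abs(z) > sigma:
            flagged.append((hour, count, z))
    return flagged

def alerts(lines=SAMPLE_LOGS, history=HISTORY, current=CURRENT):
    """Alert layer: one message per rule hit or baseline deviation, ready for email or Slack."""
    out = [f"RULE port-scan src={s}" for s in port_scan_rule(parse(lines))]
    out += [f"ANOMALY hour={h} count={c} z={z:+.1f}" for h, c, z in baseline_anomalies(history, current)]
    return out
```

Tuning `min_ports` and `sigma` is the analyst's equivalent of the "baselines or thresholds set by the organization" mentioned above: too low and benign scanners and busy hours page the team, too high and a slow scan slips under the rule.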

For businesses in regulated industries, Sumo Logic provides compliance reports to support Payment Card Industry Data Security Standard (PCI DSS), HIPAA, the Federal Information Processing Standard (FIPS), the Sarbanes-Oxley Act, ISO and COBIT. The vendor also holds attestations and certifications related to EU safe harbor, Service Organization Control 2 (SOC 2) and SOC 2 Type II, HIPAA, PCI DSS and FIPS.

Cost and support

The Sumo Logic security analytics platform is priced according to the volume of data analyzed. The company offers a free version of the platform for one to three users and up to 500 megabytes of data analyzed per day. This level includes data collection, analysis and event detection, search and dashboards. Data is retained for seven days. Support is available on the community forum.

The next level up is the Professional level service, which includes analysis of up to one gigabyte of data per day and three to 20 users. In addition to the free service level features, the Professional level adds alerting, a collector management API and up to 30 days of data retention. Professional support is available during business hours.

Larger enterprises that require the full range of Sumo Logic features may want to consider the custom-priced Enterprise service. It includes all the features of the Professional level as well as anomaly detection, enterprise application integration, single sign-on and multiyear retention. The Enterprise level support is extensive and includes help with proofs of concept, RFP development, a professional services trainer and optional 24/7 support.

Sumo Logic Enterprise Security Analytics addresses a range of security monitoring and incident response needs. Delivered as security as a service, it reduces the administrative overhead that an on-premises deployment would place on administrators, and it offers a range of support and service levels to meet the needs of organizations from those just exploring SIEM and security analytics to enterprises that are ready to deploy such a product in a production environment.


This was last published in October 2016
