Article Details

Scrape Timestamp (UTC): 2023-11-21 16:37:58.555

Source: https://www.theregister.com/2023/11/21/sumo_logic_security_breach/

Original Article Text


Sumo Logic wrestles with security breach, pins down customer data

Compromised AWS account led to fears that user info could have been exposed to cybercriminals.

Sumo Logic has confirmed that no customer data was compromised as a result of the potential security breach it discovered on November 3.

In a customer update that includes the results of the investigation verified by third-party forensic specialists, Sumo Logic, maker of the SaaS log analytics platform, said it now considers the case closed.

"We remain committed to providing all of our customers with a secure and reliable digital experience and are doing everything we can to emerge safer from this incident," it said. "To that end, we will be undertaking additional evaluation to learn from this incident and identify any measures or modifications to prevent future incidents."

The data analytics biz first revealed on November 7 that it had detected activity indicating that one of its AWS accounts had been accessed using a compromised credential. It wasn't able to confirm at the time whether customer data was compromised, but did say that, as always, it remained encrypted.

In response, Sumo Logic "immediately" secured the exposed infrastructure and worked to identify any customer credentials that were potentially exposed to the individual who accessed the AWS account. Those thought to be at risk of exposure were automatically rotated by the company "out of an abundance of caution," and additional security measures were added to Sumo Logic's systems.

Every customer, regardless of whether their credentials were believed to be at risk, was advised at the time to rotate their credentials too. This applied both to credentials used to access Sumo Logic's platform directly and to those provided to the company to access other systems. Special emphasis was placed on rotating Sumo Logic API access keys – the company advised all customers to change them immediately. As an additional precautionary measure, it also recommended changing third-party credentials stored by the company as part of webhook connection configuration.

From there, Sumo Logic provided regular updates to customers, with new posts to its security response center appearing every two to three days. The speed and content of its disclosure were praised by experts such as Jason Kent, hacker in residence at Cequence Security.

"Often when I read headlines about breaches and a suggestion to rotate API keys I assume the breach is going to be major," he said. "No breach is good news, but look at how quickly and cleanly the response from their security team was orchestrated. It seems like customer-side data wasn't impacted, but the suggestion to rotate keys is always a good one in these cases. In fact, a good step would be to invalidate/revoke all the API keys they think could be impacted.

"All of us should use this as a lesson to make sure we can react to things quickly and to go looking for persistent API keys that are being used and rotate them. If it is painful to rotate the keys when there is no urgency, imagine how much harder it will be if you really need to get it done quickly."
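The advice above to go looking for persistent API keys and rotate them applies directly to the kind of AWS access key at the centre of this incident. As an added illustration, not code from Sumo Logic, The Register or anyone quoted in the article, the script below audits an AWS IAM credential report (the CSV that IAM generates on request) and flags every active access key that is older than a rotation threshold, has gone unused, or was never used at all. It also notes when a newer key is already active in the account's other key slot, which means a rotation was started but the old key was never deactivated. The column names follow the real credential report layout; the four rows are constructed sample data for a fictitious account, and the audit time is taken from this page's scrape timestamp.

```python
"""Flag long-lived or dormant IAM access keys in an AWS IAM credential report.

Added illustration, not code from the article or from Sumo Logic. The CSV
header uses the real IAM credential report column names; the rows are
constructed sample data for a fictitious account 111111111111.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed credential-report excerpt (real columns, invented users and dates).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111111111111:root,2019-02-01T09:00:00+00:00,not_supported,2023-10-30T12:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2021-06-10T08:15:00+00:00,false,N/A,N/A,N/A,false,true,2021-06-10T08:16:00+00:00,2023-11-20T22:41:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
analyst,arn:aws:iam::111111111111:user/analyst,2023-09-01T10:00:00+00:00,true,2023-11-19T14:00:00+00:00,2023-09-01T10:00:00+00:00,2023-12-01T10:00:00+00:00,true,true,2023-10-15T10:00:00+00:00,2023-11-21T09:00:00+00:00,eu-west-1,logs,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-export,arn:aws:iam::111111111111:user/legacy-export,2020-03-03T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-03-03T10:01:00+00:00,2022-01-05T03:00:00+00:00,us-west-2,sts,true,2023-11-10T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Audit time: the scrape timestamp of this page, used as "now" for the sample.
NOW = datetime(2023, 11, 21, 16, 37, 58, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_access_keys(report_csv, now, max_age_days=90, stale_days=60):
    """Return one finding per active access key that should be rotated or revoked.

    Reason codes:
      MAX_AGE    - key older than max_age_days (a persistent, long-lived key)
      STALE      - key not used for more than stale_days (dormant but still valid)
      NEVER_USED - key older than stale_days that has never been used at all
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        active = {s: row[f"access_key_{s}_active"] == "true" for s in ("1", "2")}
        for slot in ("1", "2"):
            if not active[slot]:
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            age = now - rotated if rotated is not None else None
            reasons = []
            if age is not None and age > timedelta(days=max_age_days):
                reasons.append("MAX_AGE")
            if last_used is None:
                # A fresh, not-yet-used key is normal mid-rotation; only an old one is suspect.
                if age is not None and age > timedelta(days=stale_days):
                    reasons.append("NEVER_USED")
            elif now - last_used > timedelta(days=stale_days):
                reasons.append("STALE")
            if reasons:
                other = "2" if slot == "1" else "1"
                findings.append({
                    "user": row["user"],
                    "slot": int(slot),
                    "age_days": age.days if age is not None else None,
                    "reasons": reasons,
                    # A newer key already active in the other slot means the rotation
                    # was started but never finished: the old key can be deactivated now.
                    "replacement_active": active[other],
                })
    return findings


if __name__ == "__main__":
    for f in audit_access_keys(SAMPLE_REPORT, NOW):
        action = "deactivate now" if f["replacement_active"] else "rotate, then deactivate"
        print(f"{f['user']} key {f['slot']}: {', '.join(f['reasons'])} "
              f"(age {f['age_days']}d) -> {action}")
```

On the sample data the `ci-deploy` key is flagged purely on age (it is in daily use, so it needs the two-step create-new, switch consumers, deactivate-old rotation), while the `legacy-export` key is both old and unused for well over a year and already has a replacement active, so it can simply be deactivated. The fresh second key on `legacy-export` and the recently rotated `analyst` key pass. Thresholds are parameters because the right values depend on the workload; the point is that the check runs on a schedule, not only after a breach notice.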

Daily Brief Summary

DATA BREACH // Sumo Logic Successfully Defends Against Potential Data Breach

Sumo Logic, a SaaS log analytics company, detected unauthorized access on one of its AWS accounts due to a compromised credential.

No customer data was ultimately compromised during the incident, which was first detected on November 3.

Immediate actions were taken, including securing the infrastructure and rotating potentially exposed customer credentials.

Sumo Logic advised all customers to rotate their credentials, especially API access keys, even if they were not directly impacted.

Third-party forensic specialists verified the results of the investigation, confirming that customer data was not compromised and allowing the incident to be closed.

The company plans to undertake additional evaluations to identify measures to prevent future incidents and strengthen overall security.

The response to the incident was timely and transparent, with frequent updates to customers, and was praised by cybersecurity experts.

Experts view this incident as a reminder of the importance of proactive security measures, such as regularly rotating API keys.