IT pros want one place to store and analyze SecOps and IT ops monitoring data, and they have a growing number of options to choose from as cloud and log analytics vendors add security capabilities.
Microsoft, for example, launched a cloud-based SIEM product, Azure Sentinel, last March, and Elastic SIEM appeals to some former Splunk shops with its pricing for security log indexing. Splunk remains the competitor to beat in this market, ranked first in 2018 market share for both IT operations management and security information and event management (SIEM) by IDC in reports issued in October 2019.
As 2020 begins, Sumo Logic is stepping into this fray with newly integrated IP from its November acquisition of SecOps analytics vendor JASK. Greg Martin, co-founder and CEO of JASK, is now at the helm of a newly formed Security Business Unit at Sumo Logic. The unit, composed mostly of JASK's engineering staff, is tasked with raising the vendor's profile among enterprise SecOps analytics and IT ops monitoring products. SearchITOperations talked with him about his outlook on the market and the combined companies' roadmap plans.
What integration is planned between Sumo and the JASK organizations and tools?
Greg Martin: The integration is mostly on the technology side. We want to be able to offer JASK ASOC technology to existing Sumo customers, and integrate the search and log management capabilities of Sumo into the ASOC platform. We're both going up against folks like Microsoft and Splunk -- this is an opportunity to join forces and accelerate.
A Sumo Logic user SearchITOperations spoke to said he hoped that JASK would improve the security analytics in the Sumo Logic SIEM. Will that be a focus of the combined companies?
Martin: Our combined vision is a next-generation SIEM -- you take the analytics capability that we were developing at JASK and the SIEM capability that was being developed at Sumo, and you bring those pieces together in a comprehensive SIEM that runs natively in the cloud, and is able to handle cloud-native scale. You know, there are competitors moving into that space. Obviously, I mentioned Microsoft announced Sentinel, which is their cloud SIEM. It's very early as a product, but it's definitely on our radar and making some moves in the space. And then Splunk is heavily investing in cloud. But they didn't start off as cloud native. The shift to cloud is really driving our business. This is where the market is moving, and security buyers are starting to wake up to that fact. They're just not procuring software anymore that is not cloud-based.
Greg Martin, GM, Security Business Unit, Sumo Logic
What does JASK bring to the table that Sumo Logic didn't offer before in SecOps analytics?
Martin: Sumo had been building out a SIEM focused on security log storage, search, and being able to provide compliance and [forensics] whenever there is a security incident, but they didn't have a lot of advanced capabilities to look at things like new and emerging threats. JASK can help automate finding and focusing SOC analyst attention on the most critical threats.
Will there be bi-directional integration of Sumo Logic's log analytics into JASK along with JASK security analytics into Sumo Logic's SIEM?
Martin: Yes. We expect that by February we will have a combined platform that we can sell together that's fully integrated from a data perspective.
Will customers still be able to get those pieces à la carte if they don't want both?
Martin: We're not going to sell JASK ASOC without Sumo. But customers can still obviously use the Sumo Logic core platform for security. They may not need all the extra analytics and functionality, so the advanced analytics will be a separate technology upgrade and upsell, very similar to the Kubernetes package that we released recently.
If somebody is a joint Splunk and JASK customer today, they now have to move to Sumo?
Martin: Not necessarily -- they can continue to use ASOC [as is]. But we have several conversations going with customers that love JASK and ASOC and are looking to move off Splunk. Splunk's a great company, but we're starting to see a lot of shifts in the market. One is the convergence of IT operations and cyber security -- organizations don't have the appetite to manage or procure multiple data lakes in the cloud for different use cases. There's a trend to consolidate into a single data platform, whether it be Sumo Logic or Splunk, and that's being driven by the CIO. That's coming up in almost every enterprise conversation lately.
One complaint I've heard from former Splunk users is about pricing. How can JASK and Sumo Logic compete there?
Martin: Not all data is created equally. In cybersecurity, there are some cases where you want to understand [the activities of] the highest levels of CFO, CTO, CEO, and the context of their data and what they're doing on a daily basis. That data is not very voluminous, and it's highly important. On the other hand, firewalls are generating millions of logs per second in a large organization. That data may be useful in a situation where there's a breach, but for day-to-day monitoring that data has very little real-time importance.
Sumo can tier the data based on importance, and we have three options for continuous, frequent and infrequent data access. Continuous gives you the full suite of analytics, AI, machine learning, for security and everything else that Sumo offers. The frequent option, the second tier, is about half the price of continuous, and the infrequent tier is about a 10th of the price. This is where the market is going, toward flexibility around the data economics, because every year the data size only gets larger. If it's all priced the same and all treated as high-value data, customers are just going to turn off the data collection they don't have budget for, and that's not necessarily a winning strategy.
[Editor's note: Splunk also introduced new pricing options in September 2019, including new entry-level Rapid Adoption Packages starting at $10,000. Sumo Logic began to offer analytics tiers under its Cloud Flex license in 2017, but introduced the infrequent access tier for $0.10 per GB in December, along with discounted pricing to ingest archival data. Sumo also charges for professional and enterprise software licenses.]