During AWS re:Invent 21, I had the honor of hosting Phil Weeks, Senior Technical Advisor at IHG, for an informative session on IHG's security modernization journey during the pandemic, which started with replacing a legacy SIEM.

IHG corporate overview

IHG Hotels & Resorts is a global hospitality company with the purpose to provide true hospitality for good. It includes a diverse collection of 17 brands, with more than 6,000 hotels in more than 100 countries. Its loyalty program, IHG Rewards, is one of the world's largest hotel loyalty programs.

Its brands include InterContinental Hotels & Resorts, Crowne Plaza, Holiday Inn, Kimpton, Hotel Indigo, Six Senses, and many more.

Modernizing security operations

When IHG set out to modernize its security operations, it realized that the SIEM played a critical role in that effort and that its legacy SIEM could not fill it.

IHG challenges with legacy SIEM

IHG's legacy on-premises SIEM was driven by compliance needs rather than by its Security Operations Center (SOC) or SOC use cases. The SOC team could not rely on the SIEM for logs, as it was often faster to search logs locally on the source systems.

Search performance and usability were also a major challenge: searches failed "repeatedly" and had to be narrowly targeted, limiting the scope of each investigation. Rebooting the SIEM platform was often necessary because too many searches timed out, leading to a further lack of visibility.

Scaling was an ongoing concern, as additional hardware was needed to handle growing data ingest and retention. Because security-relevant data could not be stored quickly enough, data backed up and analysts were unable to search across the data they needed.

Maintenance and monitoring of the legacy SIEM was a daily concern. Constantly adjusting custom parsers meant more time was spent maintaining and patching the system than addressing the threat landscape.

A cumbersome upgrade process, combined with long waits for service packs, delayed keeping the SIEM up to date. The time needed to upgrade the 70+ virtual machines that handled data ingest was an ongoing disruption.

Modern SIEM evaluation

It was clear to the IHG team they needed to decide on a modern cloud-native SIEM soon.

The IHG team identified more than ten vendors and created a detailed, lengthy request for information (RFI). They narrowed down the vendor list based on the detailed RFI requirements and invited several vendors for a remote proof of concept (POC) demonstration.

IHG followed a rigorous process in which each vendor had to demonstrate 88 requirements over three 4-hour sessions. The vendor list was then vetted down to five vendors, and sizing discussions commenced. When it came to the final contract phase and decision, Sumo Logic was the overall winner.

Choosing a cloud SIEM

There were many things about Sumo Logic that the IHG team liked from the get-go.

Sumo Logic was transparent and everything was clear. Unlike other vendors, Sumo Logic did not resort to a "dog and pony show". Instead, Sumo Logic took a consultative approach to the types of use cases, ingesting and using real IHG data.

Sumo Logic Cloud SIEM handled real IHG data sources right away, and the autocorrelation rules triggered promptly, giving the IHG team valuable insights in real time.

Sumo Logic followed the guidelines and exceeded the performance, usability expectations, and requirements, and proved its value in days.

IHG adopted a vendor-neutral approach by removing vendor branding and using objective scoring to decide on their modern SIEM over an 8-month process.

Previous searches that took 2-3 hours could be completed in less than a minute using Sumo Logic.

More than 60 SOC analysts and engineers now use the Sumo Logic Cloud SIEM, overcoming the 3-4 user limit of the legacy SIEM.

IHG's "all data is not equal" approach required a novel way to assign relative importance to data sources. Sumo Logic's data tiering, with its Continuous, Frequent, and Infrequent tiers, helped IHG proactively manage its data and its roughly 1.7 TB of daily ingest effectively.

Time to value with Sumo Logic Cloud SIEM

IHG migrated from its legacy SIEM in 4 months, roughly a year and a half ahead of schedule. This included migrating the existing 109 rules and supporting the addition of new rules and use cases. IHG had well over 50 different data sources, everything from cloud services to custom on-premises applications.

The out-of-the-box Cloud SIEM rules helped SOC engineers ingest relevant data promptly. From the first day, the IHG SOC team gained 700+ new use cases that are standard with Sumo Logic Cloud SIEM.

Strategic partnership with Sumo Logic

Sumo Logic quickly gained IHG's trust, starting with demos that used IHG data (instead of vendor-provided demo data) and a collaborative approach to problem-solving with Sumo Logic engineers.

The Sumo Logic customer success team helped IHG optimize searches, onboard data on time, and better manage its license with proper data tiering.

The IHG team realized value quickly with Sumo Logic thanks to rapid onboarding training. The team received basic and advanced training and certification (provided for free) on the Sumo Logic platform even before the RFI process was completed, enabling the SOC to onboard data and operationalize current and new use cases on the Sumo Logic Cloud SIEM very quickly.

Next steps

You can view the entire recording of our session in the AWS re:Invent 21 virtual on-demand archive. Search for "How IHG" to find the on-demand link.

Meanwhile, if you wish to learn more about Sumo Logic's Cloud SIEM, see it in action here.

Disclaimer

Sumo Logic Inc. published this content on 03 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 05 January 2022 08:42:33 UTC.