At the moment, most organizations rely on SIEM solutions (Security Information and Event Management) to monitor and analyze events in their IT infrastructure in order to detect security incidents as early as possible. There are several checkboxes that a good SIEM must tick:
You should know about Microsoft Azure Sentinel - a modern Cloud SIEM
Microsoft Azure Sentinel is Microsoft’s SIEM solution in the cloud. Not only does it tick all the boxes above, but it follows an important Cloud computing tenet: data born in the Cloud stays in the Cloud! Sentinel is, however, not limited to data coming from Microsoft Azure services. It conveniently supports multiple other data sources from Microsoft and from other vendors. All data for Sentinel is stored in the Azure Log Analytics Workspace service that can hold data coming from anywhere.
Around 120 data connectors are already available to Sentinel users, and we can expect this number to keep rising. To paint you a clear picture of the growth: two years ago, there were only 30 connectors available. That is a 300% increase! It’s hard to imagine what this number will be in another two years – and it definitely speaks volumes about the usefulness of Sentinel and its compatibility with other Azure services. Using Log Analytics Workspace solves not only data aggregation but also retention, as it can keep data for a period of up to two years.
Once data is ingested in Log Analytics, you can query it with KQL (Kusto Query Language). Querying is of course critical for a SIEM like Sentinel. There are 114 workbooks available out of the box (OOTB), and you can create your own with your custom queries. This empowers you to smoothly set up dashboards and visually present Key Performance Indicators (KPIs). You can configure the queries to be executed on a schedule and send alerts if anomalies are detected. Queries run across all data in the Log Analytics Workspace, which lets you query all your different data sources in one place. This addresses the correlation and forensic analysis aspect.
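As an added example (not from the original post), here is the kind of KQL a scheduled query would run to correlate two events across the same data source that look harmless on their own: a burst of failed sign-ins for an account from one IP address, followed by a successful sign-in for that account from the same address. It assumes the Azure AD sign-in logs connector is enabled (the `SigninLogs` table); the one-hour window and the failure threshold of 5 are constructed values to tune for your environment.

```kql
// Constructed example: password-spray / brute-force followed by success.
// Assumes SigninLogs (Azure AD sign-in logs) is ingested in the workspace.
let lookback = 1h;      // scheduled rule window (constructed value)
let minFailures = 5;    // failures per account+IP before we care (constructed)
// Step 1: accounts with repeated non-success result codes from one IP.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"              // "0" is a successful sign-in
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
              by UserPrincipalName, IPAddress
    | where FailedCount >= minFailures;
// Step 2: successful sign-ins in the same window.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress,
              SuccessTime = TimeGenerated, AppDisplayName, Location;
// Step 3: join on account + IP and keep only successes that came
// after the failure burst; each row is a candidate compromised account.
failures
| join kind=inner (successes) on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
| project UserPrincipalName, IPAddress, FailedCount,
          FirstFailure, LastFailure, SuccessTime, AppDisplayName, Location
| order by FailedCount desc
```

Any row returned is a reason to alert; saved as a scheduled analytics rule, the same query creates an incident that a playbook can then act on.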
Machine Learning targets the most sophisticated attack vectors
When protecting your IT systems, it is important to always keep in mind that security threats are evolving and getting more and more sophisticated. You can look for known threats and incidents, but what about anomalies and zero-day attacks?
A recent cybersecurity report from the Ponemon Institute shows that most companies are not able to detect data breaches until more than six months after they have happened! Nobody should allow that much time to pass before acting, as detecting security incidents late can cause even more significant damage.
Fortunately, Microsoft Sentinel uses machine learning to tackle this problem. Options like UEBA (User and Entity Behavior Analytics) and Fusion (multistage attack detection) use the ingested data to build and train ML models that detect incidents in real time.
Leaked credentials and Machine Learning
Most attacks start with leaked credentials. The origin can be a phishing attack or any advanced social engineering technique. Of course, damage can also be done from inside the organization by a dissatisfied or careless employee. Using the UEBA engine, data is analyzed to establish a baseline and then monitored for any kind of anomaly in order to identify compromised assets. Larger data sets, collected over a longer period, produce better models and the ability to detect even the smallest anomaly.
Another great example is Fusion, a form of multistage attack detection, which applies the same principle across different data sources and connects events that do not look connected at first glance. For instance, if we look at event A and event B individually, they may not look like a problem. But when connected, they can represent a serious security threat.
Fusion analyzes existing data and user information against known threats. It can then detect, learn, and evolve from incidents, even when these come from different sources and different time periods. Doing the same manually would be an impossible task, especially when it comes to zero-day and advanced attacks.
Do you still want more? Microsoft Sentinel even supports BYOML (Bring Your Own Machine Learning) and makes it possible to connect Azure Databricks to Sentinel, create your own ML models and algorithms, analyze the data, and publish your results.
Once a threat is detected…
The ingestion of data into Sentinel is automatic. Once an incident or threat is detected, you can define what to do next. The response can be as simple as a notification sent to the team responsible for acting. But, as time can be essential when it comes to security, a few minutes can be too late, and the damage can already be done. Using playbooks, you can create automated responses and thereby stop attacks as soon as they are detected. If a playbook is triggered, it can perform any number of actions, like blocking attackers’ IP addresses or disabling a potentially compromised account. Doing so can minimize, mitigate, or completely eliminate damage and therefore prevent serious consequences.
With modern security being tested to its limits, we need all the help we can get. Microsoft Sentinel provides many useful tools that help us find incidents, respond to threats, and keep our resources safe. It would be irresponsible not to use it. Be responsible and stay secure!