6-7 Mins Read
Azure Sentinel is a cloud-native Security Incident and Event Management (SIEM) solution built to provide security analysts with a powerful tool to detect and respond to cyberattacks. Azure Sentinel also contains a Security Orchestration and Automated Response (SOAR) capability. But before we answer why “Azure Sentinel” its important to understand the current Threat landscape and challenges organizations are facing
Current Threat Landscape:
NotPetya is seen as one of the worlds most sophisticated and disruptive cyberattacks that began in Europe in June 2017. NotPetya was meant for pure destruction, and although it pretended not to be a ransomware, there was no chance for the victim to restore the infected machines because the data was made indecipherable with encryption.
The component of NotPetya that made it so lethal was that it contained multiple lateral movement techniques to spread quickly following the initial infection. According to an assessment, the total financial damage from NotPetya attacks totaled $10 billion!
Furthermore, statistics say
- 86% of all breaches are financially motivated, where threat actors are after company financial data, intellectual property, health records, and customer identities that can be sold fast on the Dark Web.
- 70% of breaches are perpetrated by external actors, making endpoint security a high priority in any cybersecurity strategy.
- 55% of breaches originate from organized crime groups.
- Attacks on Web apps accessed from endpoints were part of 43% of breaches, more than double the results from last year.
Security Challenges for SecOps:
For most organizations, the Security Operations Team (SOC) is the central hub responsible for identifying and responding to cybersecurity threats. Mitre (attack.mitre.org) defines the SOC as “a team primarily composed of security analysis organized to detect, analyze, respond to, report on, and prevent cyber security incidents. The commonly found pattern would include
Tier 1 – High Speed Remediation
Tier 2 – Advanced Analysis, Investigation, and Remediation
Tier 3 – Proactive Hunting and Advanced Forensics
Microsoft today has adopted the fusion center model for cyber defense operations known as Cyber Defense Operations Center (CDOC)
Staffing shortages have hit Security Operations Center especially hard for a few reasons
- SOCs run operations 24X7X365 and therefore require heavy investments in security personnel
- Security analysts require unique set of knowledge and skills that are difficult to find
- Understanding of common attacker techniques
- Have strong intuition
- Have a desire to dig into the details and volumes of alerts and logs
- Be driven to continuously learn
With these challenges CISOs and SOC leaders are looking for solutions that make their analysts more efficient; reduce the volume of mundane, manual tasks; and provide robust automation and orchestration capabilities
Security Data Challenges
Security teams are drowning in the volumes of data generated by the digital assets they are required to protect. IIOT devices, smart sensors, BYOD, and other devices which are connected
- Security teams are often required to forgo connecting data sources because of the costs associated with scaling out their SIEMs
- Search and correlation engines cannot not handle large volumes of data and analysts’ queries
- Static correlation rules often miss anomalies that indicated that an attacked has successfully infiltrated the system
- Typical, early SIEM systems were not built on machine-learning models to help identify such anomalies
- Hiring so many data scientists to build, test and deploy their own models is expensive and hard
- Many SIEM deployments are done with a “deploy and forget mentality”. This results in analytics working on a higher number of false positives that strains personnel and makes identifying the true, high-value events difficult.
Azure Sentinel: Cloud-native SIEM
Azure Sentinel has been engineered to address the SecOps challenges identified earlier in this article
- Automatic scaling up to meet the data and storage requirements for enterprises of any size. All the log data for Azure Sentinel is stored in an Azure Log Analytics Workspace
- Integrating directly with the Microsoft Threat Intelligent Security Graph to help increase the likelihood of detecting advanced threats by leveraging Microsofts and its partners intelligence
- Integrating endpoint protection logs for early detection. Securing endpoint is the future of cybersecurity based on the data provided early in the article
- Reducing the need for human intervention by leveraging an open and flexible automation capability for investigating and responding to alerts
- Including the advanced anomaly detection using Microsofts machine learning algorithms (FUSION)
- Providing dashboards and user interfaces that are intuitive to analysts and built to streamline the typical operations within an SOC
Azure Sentinel: Core Capabilities
Azure sentinel provides security teams with unprecedented visibility into their digital estates
- Data collection and storage across all users, devices, applications, and infrastructure – whether on-premise or in the cloud
- Threat detection that leverages Microsofts analytics and threat intelligence
- Investigation of threats by hunting for suspicious activities at scale
- Rapid response to incidents by leveraging built-in orchestration and automation of common tasks
Azure Sentinel: Components
The below diagram shows the major components of Azure Sentinel
- Analytics: Analytics enables you to create custom alerts using Kusto Query Language (KQL). You can further take actions on these alerts by attaching the analytics to playbooks. Playbooks are created using Azure Logic Apps
- Cases: Also called as incident, is an aggregation of all the relevant evidence for a specific investigation. It can contain one or multiple alerts, which are based on analytics that you define
- Hunting: This is a powerful tool for investigators and security analysts who need to proactively look for security threats. The searching capability is powered by Kusto Query Language
- Notebooks: By integrating Jupyter Notebooks, Azure Sentinel extends the scope of what you can do with the data that was collected. One of the major reasons for using Jupyter Notebooks is the complexity of what you are trying to do with Azure Sentinels built-in tools becomes high
- When the number of queries in your investigation chain goes high
- Doing complex KQL query gymnastics to integrate some external data or extract some specific entity type from data
- Data Connectors: Built-in connectors are available to facilitate data ingestion from Microsoft and partner solutions. Below is a list of some of the Microsoft and non-Microsoft connectors with Azure Sentinel. Note that this is not an exhaustive list of the built-in connectors
- Amazon Web Services
- Azure Active Directory
- Azure Active Directory Identity Protection
- Azure Activity
- Azure Advanced Threat Protection
- Azure Information Protection
- Azure Security Center
- Azure Security Center for IoT
- Barracuda CloudGen Firewall
- Barracuda Web Application Firewall
- Check Point
- Cisco ASA
- Citrix Analytics (Security)
- CyberArk (Coming soon….)
- F5 BIG-IP
- F5 Networks
- Microsoft Cloud App Security
- Microsoft Defender Advanced Threat Protection
- Microsoft web application firewall (WAF)
- Office 365
- Palo Alto Networks
- Security Events
- Threat Intelligence Platforms
- Threat intelligence – TAXII
- Trend Micro
- Windows Firewall
- Zimperium Mobile Threat Defense
If an external solution is not on data connector list, but your appliance supports saving logs as a Syslog Common Event Format (CEF), the integration with Azure Sentinel is available via CEF connector. If CEF support is not available on your appliance, but it supports calls to REST API, you can use HTTP Data Collector API to send log data to the workspace on which Azure Sentinel is enabled.
- Playbooks: A playbook is a collection of procedures that can be automatically executed upon an alert triggered by Azure Sentinel. Playbooks leverage Azure Logic Apps, which help you automate and orchestrate tasks/workflows.
- Workspace: A log Analytics workspace is a container that includes data and configuration information. Azure sentinel uses this container to store data that you collect from the different data sources.
Utilizing a cloud-native SIEM will definitely reduce the integration costs and free up resources.
Ease of integration with telemetry data is the key to any SIEM success. Azure Sentinel offers a resilient and a straightforward way to connect data sources, without the need to any have server or storage infrastructure and going 100% serverless.
With just a few clicks you can connect Sentinel to O365, Azure AD or Azure Activities and start receiving alerts immediately and get populated on the dashboards in minutes.
Now month-long projects on integration of O365 with legacy SIEM can be implemented in a day by onboarding to Azure Sentinel. Helps specially if customers are struggling with such integration of detection use cases to address auditors concerns.
All this is also true not only for collecting data from Microsoft sources. However Azure Sentinel AWS CloudTrial connector, which is based on serverless Cloud-To-Cloud connection, provides the same benefits.
Hope this write up gives a birds eye view of what Azure Sentinel is, its core capabilities & benefits and why enterprises should be looking at Azure Sentinel as their next SOAR and SIEM solution.
Fahad, Founder & CEO, kloudynet Technologies