Fifteen years ago, if you wanted to really flex your cyber security as a company, that meant running a full-time Security Operations Center, or SOC. These were typically offices or segments of a company that were designed to operate 24/7/365. They had cyber security professionals who reviewed and monitored logging for your systems day and night. As a result, these were expensive, and often separated the haves from the have-nots in the world of cyber security. As the journey to the cloud picked up steam, the amount of logging and data produced by your services went into overdrive. Some enterprises and organizations that had SOCs soon found themselves drowning in data and unable to effectively operationalize the information they were receiving.
Enter a real game changer in the security space: Microsoft Sentinel. Released at Ignite in 2019, Sentinel has rapidly become the go-to leader in cloud-scaling SIEM solutions. For Q4 in 2020, Forrester named Sentinel a “Leader” in the Cloud SIEM world and specified that Sentinel is the best solution for overall security strategy. Azure Sentinel is a true cloud-native software-as-a-service solution for SIEM+SOAR (security information and event management + security orchestration and automated response) with automatic scalability and no server installation, maintenance, or complex configuration. It lets your SecOps team focus on the most important tasks: defending against threats to your organization. This allows you to focus on your business and lets Microsoft parse through the petabytes of data required, isolating the meaningful pieces that you need to pay attention to.
That all sounds great, but what does it really mean? In plain English, Microsoft Sentinel takes the hard technical analysis and scaling of data that exists in the modern cloud and parses through the noise to bring to the surface only the things you should be worrying about, the potential one-off actions that could indicate a breach or compromise, while also supplying some wonderful tools and automation to make your world easier. Sentinel has never been more approachable and consumable than it is now. You can set up and configure Sentinel in a way that enables it to monitor and review your Azure AD and M365 logging for no additional fee.
In our “You Already Own It” session this month, I am going to share the setup and configuration of Sentinel from the beginning and highlight how I have configured Sentinel for many of our partners, as well as in my own lab, in a way that can be done entirely cost free. Should you choose to retain data longer or pull in additional resources there may be some cost, but the setup and configuration at its core can be incorporated without having to incur any additional costs. Once set up, you get a single pane of glass that allows you to get insights and information at a glance that would have been buried in your logging data before.
I have always viewed Sentinel as a tiered value offering, or even a Russian nesting doll with many layers, with increasing value the higher you go. In my mind, there are four distinct tiers of service, and we will be reviewing and discussing them all!
Tier 1: Logging and Querying data from your logs.
- This was the world of traditional SOCs for years and there is still some real value here. Sentinel will allow you to ingest all your logs from your various services, both cloud and on-prem, and pull them together in a single source. It has pre-populated and recommended queries you can run against the data, and if you know what you are doing you can create your own!
- Parse through tremendous amounts of logs quickly with key commands and actions.
Tier 2: Workbooks
- Probably my favorite value-add of Sentinel with little to no custom configuration. Think of Workbooks as visualizations of the raw data contained in your log files and information.
- Often developed by the product and engineering teams of the specific product set in question, they help to visualize and consume data in an easy to understand and interpret way. You don’t need to be a cyber security professional to read and understand this data.
- Often it is “clickable,” and you can drill down in the visualizations and workbooks themselves, like how Power BI functions.
Tier 3: Hunting
- Once you have multiple systems and processes integrated together, Sentinel gives you that one-stop shop to correlate all the anomalies and actions together in one security event. Trace what occurred across all of the systems that are connected together in Sentinel.
- Creates a visual map to trace any actions or events that occurred.
Tier 4: Automation
- Now that we have all the data together, we can start to flex Azure Logic Apps and Playbooks to start putting automation on top of known repeatable actions.
- Have everything from a simple “send an email/create a ticket in our ticketing system” for an alert to full-on actions that can simulate resolution.
In our “You Already Own It” session for September, I am going to be going over Microsoft Sentinel as a product: how to configure it in your own tenant, what we are seeing partners do in the real world, and the various tiers of value mentioned above. Sentinel is probably my favorite Microsoft product developed in the last 5 years, and I cannot wait to show you the power and scalability it can offer your organization! Please come join us, or if you can’t, make sure you get access to the recording for later!