This blog is for everyone who uses Microsoft technology, cloud or on-prem. In fact, if you use AWS or GCP you might want to keep reading as well, because Azure Sentinel can benefit you too by reducing your cyber risks.

But let’s start from the beginning. According to the HM Government’s UK National Cyber Strategy 2022 report[1], “reducing cyber risks so businesses can maximise the economic benefits” is one of its core pillars. This makes IT security a top priority for every organisation, as we see ever more threats, security breaches, hacks, ransomware attacks and other vulnerabilities that pose a growing risk to businesses and to our personal lives.

Reducing cyber risks, so businesses can maximise the economic benefits

HM Government, 2022

Many organisations acknowledge these threats but lack the understanding to raise their security posture, for two main reasons:

  • Firstly, the threats become more and more sophisticated and some are only recognised after a long while (when the breach has unfolded and the damage is done).
  • Secondly, because of a false belief that first-party security products such as firewalls, anti-virus, anti-malware and anti-spam provide sufficient security on their own.

To appreciate the problem at hand, we need to put ourselves in the shoes of an attacker. Attackers no longer just send dodgy emails with viruses. Today’s attacks are highly sophisticated and their primary goal is to compromise users’ identities (credentials and sessions). With that in mind, the prime targets are users with elevated privileges: administrators, managers, heads of departments, directors, etc.
</gre_replace>
<gr_replace lines="16" cat="clarify" orig="And here is the first challenge">
And here is the first challenge: such end users do not necessarily have the IT skills to recognise an attack. On the other hand, the IT security teams and IT administrators have little or no control over a user’s account (identity), their devices and their day-to-day IT activities.

And here is the first challenge: such end users do not necessarily have the IT skills to recognise an attack. On the other hand, the IT Security teams and IT administrators have little or no control over a user’s account (identity), their devices and their day-to-day IT related activities.

All the aforementioned first-party products provide protection in isolation, each for its own slice of the estate, but it takes a lot more to fend off the attacks of the 21st century.

This is where a product like Azure Sentinel comes into the mix.
If you’re not familiar with Azure Sentinel (since renamed Microsoft Sentinel), it is a cloud-native SIEM product with built-in SOAR (automation) capabilities.

SIEM stands for security information and event management

This means the entire IT ecosystem of an organisation comes into scope for Azure Sentinel: anything from your on-premises infrastructure to your device estate, user identities and your cloud footprint (e.g. Azure and Office 365).

Gartner predicts in its 2022 report that consolidated security products are the future[2]. Driven by the need to reduce complexity, leverage commonalities and minimise management overhead, security technology convergence is accelerating across multiple disciplines.

Consolidated Security Products are the future

Gartner Group, 2022

Imagine the billions of signals that this entire ecosystem generates: anything from accessing a file, to a web session passing through the firewall, to a user being granted access to a database or to a folder in Azure Blob storage or SharePoint Online.

How is an organisation with a typical IT budget supposed to control all of this: make informed decisions on granting and denying access, respond in real time, and judge whether any given transaction is legitimate or in fact an attack?

Azure Sentinel offers all of this and more, providing an end-to-end security operations solution covering collection, detection, investigation and response.

Azure Sentinel – Key Components; Source: What is Microsoft Sentinel? – Learn | Microsoft Docs

First of all, it allows all of these signals to be funnelled into a single store (a Log Analytics workspace). From there, analytics rules (scheduled KQL queries) evaluate the data in context, for example along a user’s journey, and raise incidents; so-called playbooks, built on Azure Logic Apps, automate the response to those incidents (disabling an account, isolating a device, opening a ticket).

For example: a user is given elevated permissions, then the same user grants themselves access to a folder in SharePoint Online, then accesses the files within and copies them into another folder or sends them via email. Each step looks perfectly harmless on its own, but Sentinel is able to use the additional context (who granted the role, how many files moved, how soon after the grant) to judge whether the sequence is legitimate or should be alerted on.
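The scenario above, written as an analytics query. This is an added example and not code from the original post or from Microsoft: it correlates a directory role grant from the Azure AD AuditLogs table with SharePoint file operations by the same user in the OfficeActivity table, both of which are the standard Sentinel schemas for those connectors. The one-hour window, the 20-file threshold and the list of operations are assumptions to tune for your tenant.

```kql
// Added example (not from the original post). Flags a user who is added to an
// Azure AD directory role and then, within the following hour, copies, downloads
// or shares many SharePoint files, or who granted the role to themselves.
let lookback  = 7d;      // assumption: how far back to look
let window    = 1h;      // assumption: how soon after the grant the file activity must start
let min_files = 20;      // assumption: how many distinct files count as "a lot"
// Step 1: successful role assignments from the Azure AD audit log
let RoleGrants = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName == "Add member to role" and Result == "success"
    | extend TargetUser = tolower(tostring(TargetResources[0].userPrincipalName))
    // pull the human-readable role name out of the modifiedProperties array
    | mv-apply Prop = TargetResources[0].modifiedProperties on (
        where tostring(Prop.displayName) == "Role.DisplayName"
        | project Role = trim('"', tostring(Prop.newValue))
      )
    | project GrantTime = TimeGenerated, TargetUser, Role,
              GrantedBy = tolower(tostring(InitiatedBy.user.userPrincipalName));
// Step 2: SharePoint file operations that move data around or out
let FileOps = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where OfficeWorkload == "SharePoint"
    | where Operation in ("FileCopied", "FileDownloaded", "SharingSet", "AddedToSecureLink")
    | project OpTime = TimeGenerated, UserId = tolower(UserId), Operation, OfficeObjectId;
// Step 3: join on the user and keep only activity inside the window after the grant
RoleGrants
| join kind=inner (FileOps) on $left.TargetUser == $right.UserId
| where OpTime between (GrantTime .. (GrantTime + window))
| summarize FileCount  = dcount(OfficeObjectId),
            Operations = make_set(Operation),
            SampleFiles = make_set(OfficeObjectId, 5),
            FirstOp = min(OpTime), LastOp = max(OpTime)
          by TargetUser, Role, GrantTime, GrantedBy
// alert if the volume is high, or if the user elevated themselves (suspicious regardless of volume)
| where FileCount >= min_files or GrantedBy == TargetUser
| order by GrantTime desc
```

Saved as a scheduled analytics rule, each returned row becomes an incident that a playbook can act on; the `GrantedBy == TargetUser` clause is the cheap signal, the file count is the context that turns an ordinary role change into something worth a look.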

Such chains of individually benign actions are almost impossible for a human to analyse manually, but with Azure Sentinel and Microsoft’s AI capabilities (and the input of your organisation’s security and IT teams), you can take control and become the hunter. In other words, what was a purely reactive operation becomes sophisticated and proactive.

How do you analyse the vast amounts of data captured and stored in the Log Analytics workspace? Sentinel queries the workspace with Kusto Query Language (KQL), the same language used across Log Analytics and Azure Data Explorer. If you are familiar with SQL, the concepts carry over: with a certain logic, KQL lets you query the captured data, i.e. all the signals and transactions collected.

Because Sentinel works on time-series log data, KQL is built around filtering by time window first and then summarising and joining efficiently, e.g. list all failed login attempts in the last 7 days for system A and compare them with the failed attempts for system B. This lets the analyst carry out effective threat hunting and analysis.
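The comparison just described, as an added example (not code from the original post or from Microsoft). It runs against the SigninLogs table of the Azure AD connector, which is the standard Sentinel schema; “System A” and “System B” are placeholders for the `AppDisplayName` values in your own tenant. Beyond the plain counts, it also lists accounts that failed against both systems on the same day, which is a common sign of password spraying across applications.

```kql
// Added example (not from the original post). Daily failed sign-ins for two
// applications side by side, plus the accounts failing against both.
// In SigninLogs, ResultType "0" is a successful sign-in; anything else is a failure.
let lookback = 7d;
let appA = "System A";   // placeholder: replace with a real AppDisplayName
let appB = "System B";   // placeholder: replace with a real AppDisplayName
SigninLogs
| where TimeGenerated > ago(lookback)     // time filter first: cheapest way to cut the data
| where AppDisplayName in (appA, appB)
| where ResultType != "0"                 // failures only
| summarize
    FailuresA = countif(AppDisplayName == appA),
    FailuresB = countif(AppDisplayName == appB),
    UsersA = make_set_if(UserPrincipalName, AppDisplayName == appA),
    UsersB = make_set_if(UserPrincipalName, AppDisplayName == appB)
  by Day = bin(TimeGenerated, 1d)
// accounts that failed against both systems on the same day
| extend UsersFailingOnBoth = set_intersect(UsersA, UsersB)
| project Day, FailuresA, FailuresB,
          DistinctUsersA = array_length(UsersA),
          DistinctUsersB = array_length(UsersB),
          OverlapCount   = array_length(UsersFailingOnBoth),
          UsersFailingOnBoth
| order by Day asc
```

The same shape (time filter, then `summarize ... by bin(TimeGenerated, 1d)`) is the template for most hunting queries; swap the table and the predicate and the rest stays the same.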

The result is an improved security posture, which means the business is far less likely to suffer significant damage through an attack and all its ramifications.

risual (https://www.risual.com) offers 1-day Sentinel workshops which are funded by Microsoft[3]. If you want to see how Sentinel works in practice, our Managed Service team uses Sentinel for all of our CSP customers, who benefit from the improved security it offers.

Azure Sentinel FAQs:

Can I use Azure Sentinel if I only have Office 365 and all my IT infrastructure is on-premises?

Yes. Azure Sentinel can monitor, detect and respond to threats across your on-premises environment and Office 365. Only the Sentinel workspace itself (and its associated services) needs to live in Azure; on-premises logs reach it through the Azure Monitor agent on servers or a syslog/CEF forwarder for network and security appliances, and Office 365 audit data arrives through the built-in connector.

What scope can Azure Sentinel be used for?

Collect data at cloud scale across all users, devices, applications and infrastructure, both on-premises and in the cloud.

Can Azure Sentinel be used to detect and protect against threats in AWS?

Yes. The Amazon Web Services connector ingests AWS CloudTrail (and, via S3, GuardDuty findings), so Sentinel can monitor the AWS environment for misconfiguration, potential malware and advanced threats to AWS identities, devices, applications and data.
Microsoft Sentinel also integrates with Defender for Cloud Apps and AWS to detect and automatically respond to threats.

Can Azure Sentinel be used with Google GCP?

Yes. The Sentinel content hub (also listed on the Azure Marketplace) includes a Google Cloud Platform IAM solution (in preview at the time of writing) whose connector ingests GCP IAM audit logs, so changes to who is authorised to act on which Google Cloud resources become visible in Sentinel. Note that Sentinel monitors those permissions centrally; it does not manage them.

What other sources/systems can I ingest data from to broaden the security ecosystem?

At the time of writing Azure Sentinel offers roughly 100 pre-built data connectors[4] for sources ranging from Apache and AWS to Salesforce and many more. You can also send your own data to the workspace through the Azure Monitor log ingestion REST API.


[1] HM Government, National Cyber Strategy 2022: National_Cyber_Strategy_-_FINAL_VERSION.pdf (publishing.service.gov.uk)

[2] Gartner Reprint

[3] Microsoft 365 & Security for Partners – Cloud Accelerators

[4] Microsoft Sentinel data connectors | Microsoft Docs
