Microsoft Azure Sentinel


Microsoft announced a new cloud security tool, Azure Sentinel, in February 2019. The Microsoft Security Intelligence Report, published around the same time, discusses trends in cyberattacks with supporting statistics.

Azure Sentinel is a fully cloud-based Security Information and Event Management (SIEM) system, built to help security teams detect and respond to sophisticated attacks.

Azure Sentinel gives your team a clear view of the many possible threats while filtering out distractions, so that threats can be stopped before they cause serious harm.

What is Microsoft Azure Sentinel?

Microsoft Azure Sentinel is a cloud-native SIEM (Security Information and Event Management platform) with built-in AI for analytics. It simplifies security operations and scales as they grow. Azure Sentinel is useful for analysing huge volumes of security logs across the enterprise: it gathers security data from many sources, including users, applications, servers and devices, whether they run on-premises or in any cloud.

A main attraction of Azure Sentinel is the speed with which it lets you analyse millions of records. It has built-in connectors for easy ingestion from popular security products, and it supports open standard formats such as CEF and Syslog so that data can be collected from many other sources as well.


What is SIEM?

SIEM (Security Information and Event Management) is an approach to security management that merges SIM (security information management) and SEM (security event management) into one system.

This is how a SIEM system works:

  • It aggregates activity logs from many sources and identifies deviations from the norm so that appropriate action can be taken.
  • On detecting a potential issue it records the additional context around the event
  • Raises an alert immediately
  • Instructs the related security controls to stop the activity from progressing

At the most basic level a SIEM applies a correlation engine (rule-based or statistical) to establish relationships between log entries. Modern SIEMs often add user and entity behaviour analytics (UEBA) and security orchestration, automation and response (SOAR). SIEM platforms are of particular benefit to financial institutions in detecting the many forms of cyber-attack they face.
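To make the two ideas above concrete (open-format ingestion via CEF over Syslog, and a correlation engine raising an alert on a deviation), here is a small added example. It is not Azure Sentinel code or Microsoft code; the log lines, the vendor/product names and the "outcome" extension values are constructed for illustration, and the year is assumed because Syslog timestamps carry none.

```python
"""Minimal SIEM pipeline: parse CEF-over-syslog lines, then correlate them.

Added example for this article; it is not Azure Sentinel code. The log
lines, vendor/product names and the 'outcome' extension values are
constructed for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# RFC 3164-style syslog header followed by a CEF message.
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                                 # optional priority
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # e.g. "Mar 04 10:15:01"
    r"(?P<host>\S+) (?P<msg>CEF:.*)$"
)
# CEF extension: key=value pairs; a value runs until the next ' key='.
EXT_RE = re.compile(r"(?P<k>[A-Za-z0-9_.]+)=(?P<v>.*?)(?=\s[A-Za-z0-9_.]+=|$)")
YEAR = 2019  # syslog timestamps carry no year; assumed for the sample data


@dataclass
class Event:
    host: str
    ts: datetime
    vendor: str
    product: str
    version: str
    class_id: str
    name: str
    severity: str
    ext: dict


def _split_cef_header(s):
    """Split the 7 pipe-delimited header fields; the rest is the extension.
    Honours the CEF escapes '\\|' and '\\\\' inside header fields."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < 7:
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, s[i:]


def parse_line(line):
    """Return an Event, or None if the line is not syslog-framed CEF."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    header, extension = _split_cef_header(m["msg"])
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
    ext = {k: v.replace("\\=", "=") for k, v in EXT_RE.findall(extension)}
    return Event(m["host"], ts, *header[1:7], ext)


def correlate_bruteforce(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logons for the same (src, user) inside
    `window` are followed by a success from that source: a likely guessed password."""
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.ext.get("src"), ev.ext.get("suser"))
        q = failures[key]
        while q and ev.ts - q[0] > window:
            q.popleft()                 # slide the window forward
        outcome = ev.ext.get("outcome")
        if outcome == "failure":
            q.append(ev.ts)
        elif outcome == "success" and len(q) >= threshold:
            alerts.append({"rule": "BruteForceThenSuccess", "src": key[0],
                           "user": key[1], "failures": len(q), "at": ev.ts.isoformat()})
            q.clear()
    return alerts


SAMPLE_LINES = [  # constructed for this example
    "<134>Mar 04 10:15:01 sso01 CEF:0|ExampleCorp|SSO|2.1|100|Auth\\|Failure|5|src=203.0.113.7 suser=alice outcome=failure msg=bad password",
    "<134>Mar 04 10:15:09 sso01 CEF:0|ExampleCorp|SSO|2.1|100|Auth\\|Failure|5|src=203.0.113.7 suser=alice outcome=failure msg=bad password",
    "<134>Mar 04 10:15:22 sso01 CEF:0|ExampleCorp|SSO|2.1|100|Auth\\|Failure|5|src=203.0.113.7 suser=alice outcome=failure msg=bad password",
    "<134>Mar 04 10:15:40 sso01 CEF:0|ExampleCorp|SSO|2.1|100|Auth\\|Failure|5|src=203.0.113.7 suser=alice outcome=failure msg=bad password",
    "<134>Mar 04 10:16:02 sso01 CEF:0|ExampleCorp|SSO|2.1|101|Auth Success|3|src=203.0.113.7 suser=alice outcome=success msg=mfa\\=skipped",
    "<134>Mar 04 10:17:30 sso01 CEF:0|ExampleCorp|SSO|2.1|100|Auth\\|Failure|5|src=198.51.100.3 suser=bob outcome=failure msg=bad password",
    "<134>Mar 04 10:17:45 sso01 CEF:0|ExampleCorp|SSO|2.1|101|Auth Success|3|src=198.51.100.3 suser=bob outcome=success",
    "<30>Mar 04 10:18:00 sso01 sshd[812]: Accepted publickey for carol",  # not CEF: ignored
]


def run(lines=SAMPLE_LINES):
    """Parse every line, drop what is not CEF, and run the correlation rule."""
    events = [e for e in map(parse_line, lines) if e]
    return events, correlate_bruteforce(events)


if __name__ == "__main__":
    events, alerts = run()
    print(f"parsed {len(events)} CEF events from {len(SAMPLE_LINES)} lines")
    for a in alerts:
        print(a)
```

Only alice's four failures followed by a success from the same address produce an alert; bob's single failure stays below the threshold and the non-CEF sshd line is skipped rather than breaking the run. A production connector would also need to handle the `\\` and `\=` escapes this example already unescapes, and to stream rather than sort in memory.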

This article is a guide to Azure Sentinel, the new Microsoft service intended to monitor cloud security and detect threats. It contains a synopsis of Microsoft's recent investments in security and some detail on how you can leverage Microsoft's assets to deliver advanced security solutions. It also covers cloud security challenges and the shortcomings of traditional SIEMs, and discusses the differences between Sentinel and Microsoft's other security tools, pricing and release details, compatibility with hybrid and multi-cloud infrastructures, the Sentinel dashboard, machine learning capabilities, and the automation and investigation features in Sentinel.


Microsoft on the road to becoming the biggest security company in the world

Microsoft has a proven history of providing proactive and responsive security solutions to enterprises of all kinds. Azure Sentinel addresses many of the hard challenges in the SIEM landscape, and because the collected data is stored in the Azure region the customer selects for the workspace, it can also simplify data residency and GDPR concerns.

Microsoft's digital transformation philosophy includes a security strategy that places customer and employee identity at the centre. According to recent reports, Microsoft invests $1 billion in cyber security every year, covering software such as Azure Sentinel, devices and related security products.

Microsoft provides multi-layered security across its cloud data centres, infrastructure and Azure operations. You can take advantage of integrated security controls embedded in the hardware and firmware, and of threat-protection features such as the built-in DDoS protection for Azure networks.

Here are a few tools and services which you can leverage to deliver advanced security solutions:

  1. Azure Security Centre, which provides advanced threat protection across your hybrid (on-premises and Azure) workloads and strengthens the security posture of your data centres.
  2. Azure Active Directory for identity and access control, a multitenant cloud-based directory and identity management service.
  3. Network isolation via VPNs, Azure Firewall, virtual networks and similar controls.
  4. Azure Firewall, a highly available and scalable service that protects your Azure virtual network resources.
  5. Azure Monitor, which helps you understand application performance and identify issues in cloud and on-premises environments.

Based on insights gathered from a large number of security surveys, Microsoft identifies these key trends.

  1. Steady decline in ransomware attacks

In a ransomware attack the data on a victim's computer is encrypted and money is demanded in exchange for the decryption key. This type of attack is declining because users and organisations have become better at responding to it, and attackers have shifted to stealthier attacks.

  2. Cryptocurrency mining is ubiquitous

Mining coins requires a large amount of computing power for complex calculations. Attackers install mining malware on users' systems to steal that computing power (often called cryptojacking).

  3. Software supply chains are at risk

One tactic is to insert a compromised component into a legitimate software application, which is then distributed to users through the normal download or update channel. Because the malicious code arrives inside software the user already trusts, these attacks are very difficult to detect.

  4. Phishing is a very common method of attack

Phishing has become a sophisticated mode of attack; social engineering is used to steal user data, login credentials and credit card numbers.

Next, the five industries most exposed to cyber-attack:

  1. Healthcare
  2. Manufacturing
  3. Financial Services
  4. Government
  5. Transportation

The financial services industry is an all-time favourite of attackers and cyber thieves. The picture has improved considerably thanks to larger cybersecurity budgets at the big banks.

Cloud data stored outside the enterprise perimeter carries considerable risk for several reasons. The key cloud security challenges are:

  1. Data keeps moving to and from the cloud over the public internet, an untrusted network. Protecting the confidentiality and integrity of data in transit is a key challenge.
  2. The provider employs many people and runs numerous internal processes; entrusting data to those people and processes is another challenge.
  3. The risk of confidential data leaking to other customers sharing the same infrastructure (tenant isolation) is another challenge.
  4. Regulatory compliance and legal requirements are yet another challenge.
  5. The long-term viability of the cloud vendor.

Traditional SIEMs are a story of the past

For many years traditional SIEMs were good enough to detect targeted attacks and data breaches across many industries. The task is tougher now, because the volume, complexity, variety and velocity of data keep growing.

Why are many legacy SIEM tools a poor fit for the cloud?

  1. Futile in the cloud: most traditional SIEM tools cannot integrate and analyse cloud data, which makes it very hard to understand whether cloud workloads meet security and compliance requirements.
  2. Poor agility, scalability and flexibility: traditional SIEM tools are heavy and rigid, and often fail to keep pace with the unpredictable volumes of data that must be analysed and prioritised in the cloud. They scale poorly when cloud usage spikes.
  3. Crafted for outmoded technology: traditional SIEM tools were built to handle logs from legacy hardware environments. They often lack the responsiveness needed to draw insights from short-lived, time-sensitive components such as microservices.

Sentinel – Azure Native SIEM

Azure Sentinel is a promising new security tool from Microsoft and differs from many existing tools. Here are a few key differences:

  1. Azure Sentinel surfaces threats that would otherwise go unnoticed and reduces false positives, which improves analyst productivity and cuts down on alert noise.
  2. It is much faster to get started with than other tools: you can bring in your Office 365 audit data quickly and at no ingestion cost, combine it with other security data and analyse it.
  3. Sentinel uses AI to identify threats quickly. Traditional tools are time consuming because you spend time and money setting up, maintaining and scaling infrastructure.
  4. Sentinel is built on Azure, so you get cloud speed and scalability. Traditional SIEMs are expensive to own and operate; with Sentinel you pay only for what you use.

Microsoft Azure Sentinel is available to anyone with an Azure account and integrates with the other Azure services. Pricing follows the usual Azure model: there is no up-front cost and you are billed on usage, which for Sentinel means the volume of data ingested. At the time of writing Azure Sentinel is in preview in the Azure portal, with a full release expected soon.

As enterprises migrate to the cloud, security teams face more challenges, mainly because operations are spread across multiple cloud environments and providers. Hybrid-cloud customers who use Azure should consider Azure Sentinel for security monitoring across hybrid and multi-cloud environments.

The Sentinel dashboard provides many ways of looking at the security infrastructure and the solutions feeding it. The toolbar summarises the number of events and alerts over a time period, along with counts of new, investigated and closed cases. Administrators also get a geospatial view of potentially dangerous incidents on a world map. Built-in dashboards cover Azure AD sign-in and audit logs, firewall data, insecure protocols, Azure activity and more. Dashboards are shared using role-based access control, so each user sees the dashboards relevant to their job.

Azure Sentinel's machine learning capabilities are extensive. They detect behaviours indicative of a threat, such as abnormal traffic in firewall data, suspicious authentication patterns and resource-creation anomalies. The models learn the expected behaviour of each user and resource in your enterprise and surface deviations from it for analysts to review. Azure Sentinel also provides out-of-the-box detection queries that leverage these ML capabilities.
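The paragraph above describes learning "expected behaviour" and flagging deviations. The following added example shows the general technique behind such detections: build a per-entity baseline from history and score the current observation against it. It is not Sentinel's own model (those are not public code) and it generalises beyond firewall bytes to any per-entity count, such as sign-in attempts or resources created per hour. The host names and byte counts are constructed.

```python
"""Baseline-and-deviation anomaly detection over per-entity hourly counts.

Added example for this article, not Azure Sentinel's ML. Shows the general
technique: learn each entity's normal level, then score a new value against
it in units of its own spread. Sample data is constructed.
"""
from statistics import median


def robust_baseline(history, rel_floor=0.05):
    """Median and MAD (median absolute deviation) of an entity's history.
    MAD resists the few extreme hours that would skew a mean/stdev baseline.
    A constant history gives MAD = 0, which would turn any tiny change into an
    'infinite' deviation, so the spread is floored at a fraction of the median."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return med, max(mad, rel_floor * abs(med), 1.0)


def score(history, value, threshold=6.0):
    """Return (is_anomalous, deviation). Deviation is measured in robust
    standard deviations: 1.4826 * MAD estimates sigma for normal data."""
    med, spread = robust_baseline(history)
    dev = (value - med) / (1.4826 * spread)
    return dev > threshold, round(dev, 2)


def detect_anomalies(hourly_bytes, current, threshold=6.0, min_history=12):
    """hourly_bytes: {entity: [past hourly totals]}; current: {entity: this hour}.
    Entities with too little history are skipped rather than guessed at."""
    alerts = []
    for entity, now in current.items():
        hist = hourly_bytes.get(entity)
        if not hist or len(hist) < min_history:
            continue
        hit, dev = score(hist, now, threshold)
        if hit:
            alerts.append({"entity": entity, "value": now,
                           "baseline": median(hist), "deviation_mad": dev})
    return alerts


MB = 1_000_000
SAMPLE_HISTORY = {  # constructed: 24 past hours of outbound bytes per host
    "web01": [48*MB, 52*MB, 50*MB, 47*MB, 53*MB, 49*MB, 51*MB, 50*MB, 46*MB, 54*MB, 50*MB, 52*MB,
              48*MB, 51*MB, 49*MB, 50*MB, 53*MB, 47*MB, 50*MB, 52*MB, 49*MB, 51*MB, 50*MB, 180*MB],
    "db01":  [5*MB] * 24,   # perfectly constant: MAD is zero without the floor
    "new01": [10*MB] * 3,   # freshly deployed: not enough history to judge
}
SAMPLE_CURRENT = {"web01": 400*MB, "db01": 5*MB + 20_000, "new01": 900*MB}


if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_HISTORY, SAMPLE_CURRENT):
        print(a)
```

web01 is flagged: 400 MB in an hour is far outside its 50 MB norm even though one earlier 180 MB spike (say a backup) is in the history, because the median/MAD baseline ignores that outlier. db01's 20 KB wobble above a flat 5 MB is not flagged thanks to the relative floor, and new01 is skipped for lack of history rather than producing a confident-looking false positive.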

You can automate common security tasks such as alerting, threat response and process workflows using the security orchestration and automation features of Azure Sentinel, and so manage and streamline enterprise security efforts. Your security team can create playbooks, automated workflows built on Azure Logic Apps, to detect and mitigate threats efficiently.

Features include:

  • Pre-built and customisable playbooks
  • Access to the 200+ connectors of Azure Logic Apps for integration with other systems
  • Ordering and formatting of automated threat responses
  • Integration with Azure Logic Apps to build automated workflows

Azure Sentinel is becoming the central hub for aggregating security data, so investigations will most likely start there. Let us look at the investigation UI in Sentinel by navigating to a case. Each case has two buttons:

  1. View Full Details
  2. Investigate

The investigation window has three sections: the case name and case details, four buttons on the right (Timeline, Info, Entities and Help), and the main window, which shows all entities related to the case as a graph.

Click an entity to see more details; hovering over it shows quick actions such as Related Alerts, Hosts the account failed to log on to, and Hosts the account logged on to.

You can expand the graph to additional entities that are mapped to the related alerts.
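The quick actions and graph expansion described above rest on a simple structure: every alert is mapped to typed entities (account, host, IP), and the graph links alerts that share an entity. The following added example, not Sentinel code, shows that structure and the expansion step. The alerts, account names, host names and IPs are constructed.

```python
"""Entity graph behind an investigation view.

Added example for this article, not Azure Sentinel code. Alerts mapped to
entities (account, host, IP) form a bipartite graph; pivots and hop-by-hop
expansion over it are what an investigation graph draws. Data is constructed.
"""
from collections import defaultdict, deque

ENTITY_TYPES = ("account", "host", "ip")

SAMPLE_ALERTS = [  # constructed
    {"id": "A1", "title": "Failed logon",          "account": "alice", "host": "sso01", "ip": "203.0.113.7", "success": False},
    {"id": "A2", "title": "Logon after failures",  "account": "alice", "host": "sso01", "ip": "203.0.113.7", "success": True},
    {"id": "A3", "title": "Logon",                 "account": "alice", "host": "fs02",  "ip": "10.0.0.5",    "success": True},
    {"id": "A4", "title": "Failed logon",          "account": "bob",   "host": "fs02",  "ip": "10.0.0.5",    "success": False},
    {"id": "A5", "title": "Logon",                 "account": "dave",  "host": "hr01",  "ip": "10.0.0.9",    "success": True},
]


def build_graph(alerts):
    """Bipartite graph: alert id <-> typed entity node such as ('host', 'sso01')."""
    alert_to_entities = {}
    entity_to_alerts = defaultdict(set)
    for a in alerts:
        ents = {(t, a[t]) for t in ENTITY_TYPES if a.get(t)}
        alert_to_entities[a["id"]] = ents
        for e in ents:
            entity_to_alerts[e].add(a["id"])
    return alert_to_entities, entity_to_alerts


def account_quick_actions(alerts, account):
    """The three pivots offered on an account entity: related alerts, hosts the
    account failed on, hosts the account logged on to."""
    mine = [a for a in alerts if a.get("account") == account]
    return {
        "related_alerts": sorted(a["id"] for a in mine),
        "hosts_failed_on": sorted({a["host"] for a in mine if not a["success"]}),
        "hosts_logged_on": sorted({a["host"] for a in mine if a["success"]}),
    }


def expand(graph, seed_alert_ids, hops=1):
    """Breadth-first expansion from a case's alerts. One hop = alert -> its
    entities -> every other alert sharing any of them. Returns (alerts, entities)
    reached; bounding `hops` keeps the graph readable on a busy estate."""
    alert_to_entities, entity_to_alerts = graph
    seen_alerts, seen_entities = set(seed_alert_ids), set()
    frontier = deque(seed_alert_ids)
    for _ in range(hops):
        next_frontier = deque()
        while frontier:
            aid = frontier.popleft()
            for e in alert_to_entities.get(aid, ()):
                seen_entities.add(e)
                for other in entity_to_alerts[e]:
                    if other not in seen_alerts:
                        seen_alerts.add(other)
                        next_frontier.append(other)
        frontier = next_frontier
    return seen_alerts, seen_entities


if __name__ == "__main__":
    g = build_graph(SAMPLE_ALERTS)
    print(account_quick_actions(SAMPLE_ALERTS, "alice"))
    for h in (1, 2):
        print(h, "hop(s):", sorted(expand(g, {"A2"}, hops=h)[0]))
```

Starting from the case built on alert A2, one hop pulls in the other alerts on the same account, host or IP (A1 and A3); a second hop follows A3's file-server entities to bob's failed logon (A4), while dave's unrelated activity (A5) is never reached, which is exactly the scoping an analyst wants from an entity graph.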


Azure Sentinel saves time, reduces cost and reduces alert fatigue by using AI and ML models to sift through the noise, so that real threats are identified with greater precision. This lets you manage security across a diverse cloud ecosystem. With Sentinel you can stay compliant with regulations, identify and tackle security weaknesses, and detect and block threats before they cause serious harm. Azure Sentinel does not tie your teams to a fixed infrastructure, storage or query capacity; it scales with your enterprise's needs.
