As often happens in our office, I recently stumbled upon an internal meeting discussing various options to minimise security threats. These meetings, or ‘technical workshops’, interest me because, whilst I have little idea what the guys are actually talking about given the ever-growing list of three-letter acronyms being used, what they discuss ultimately translates into customer experiences and the sorts of problems we help solve.
Given the well-publicised ransomware and malware incidents at major public institutions such as the Foreign Office (https://www.bbc.co.uk/news/technology-60309335), I thought I might learn something here!
So I thought, what the heck, and having been invited to take a seat, I sat down and listened. As mentioned, in this case it was about security threats and the best tools to track and monitor them. If any of this sparks an interest in you as a reader, then by all means give us a call, because we can help!
The discussion revolved around the various options for logging and tracking security threats, including the use of a Log Analytics workspace and Sentinel, which I now understand is a cloud-native SIEM (Security Information and Event Management) service that collects log data from Microsoft services and, through its data connectors, from third-party sources as well, and analyses that data for security threats (apologies if I’m preaching to the already aware!).
Also discussed were how best to run scheduled queries using Logic Apps or Power Automate, real-time monitoring, and the various audit logs covering things like policy changes, user risk events and sign-in activity (both internal and external, including sign-ins originating from outside the UK). Particular attention was paid to sign-ins where a customer had Multi-Factor Authentication (MFA) enabled but the user still failed the MFA step, and to sign-ins where a Conditional Access policy kicked in and blocked the attempt.
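As an added illustration, not from the original post or the workshop, the following KQL query shows how the sign-in conditions just described would be surfaced from a Sentinel (Log Analytics) workspace. It assumes the Microsoft Entra ID (Azure AD) SigninLogs table is connected, that the tenant treats GB as its home country, and that the five-attempt threshold is an arbitrary starting point; the MFA-related ResultType codes are the documented Entra ID sign-in error codes for an incomplete second factor.

```kql
// Added example (not the original author's): users with failed MFA steps or
// Conditional Access blocks in the last hour, flagging any from outside GB.
// Assumptions: SigninLogs is ingested; "GB" is the home country;
// Attempts >= 5 is an arbitrary noise threshold to tune per tenant.
let lookback = 1h;
let home_countries = dynamic(["GB"]);
// Entra ID error codes where the second factor was required but not satisfied:
// 50074 strong authentication required, 50076 MFA challenge not passed,
// 500121 authentication failed during the strong authentication request.
let mfa_failure_codes = dynamic(["50074", "50076", "500121"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in (mfa_failure_codes) or ConditionalAccessStatus == "failure"
| summarize
    Attempts     = count(),
    MfaFailures  = countif(ResultType in (mfa_failure_codes)),
    CaBlocks     = countif(ConditionalAccessStatus == "failure"),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    SourceIPs    = make_set(IPAddress, 20),
    Countries    = make_set(Location, 10),      // Location holds the country code
    Apps         = make_set(AppDisplayName, 10)
    by UserPrincipalName
// ForeignSource is true when any attempt came from a non-home country.
| extend ForeignSource = array_length(set_difference(Countries, home_countries)) > 0
| where Attempts >= 5 or ForeignSource
| order by ForeignSource desc, Attempts desc
```

The same query can be pasted into the workspace’s Logs blade for an ad-hoc check, or used as the body of a scheduled analytics rule so that Sentinel raises an incident itself rather than relying on a Logic App or Power Automate flow to run it on a timer.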
The conclusion of the session indicated that the best option would be to implement Sentinel. This is because of its wide template library, feature richness and navigable GUI, which allow end users to monitor both Microsoft and non-Microsoft resources regardless of their technical knowledge. Its use of machine learning is its biggest advantage, with features such as:
Fusion – A feature that uses machine learning to correlate alerts and signals from different services, such as Azure Security Center (now Microsoft Defender for Cloud), Azure AD Identity Protection and Microsoft Cloud App Security, into a single high-fidelity incident
Threat Hunting – A feature that proactively looks for indicators of attack (IOA) using KQL hunting queries, and lets analysts create or modify those queries, bookmark and tag results, and annotate interesting findings so that a more detailed investigation can be launched from them
Sentinel’s incident management provides an investigation graph that connects the entities (users, hosts, IP addresses and so on) extracted from the underlying alerts, giving an easy-to-trace timeline. Incidents can also be assigned to users and have notes added to them. Paired with Sentinel’s extensive range of built-in Workbooks, interactive reports can be generated in seconds, and exported data can be sent to Power BI and Excel. Even if Sentinel doesn’t provide the analysis a user needs out of the box, its Jupyter Notebook integration gives full access to libraries for machine learning, visualisation and data analysis.
Gartner has recently said that “cloud SIEM will be the future of how many organizations consume technology”**, with Microsoft Azure Sentinel being named a ‘Visionary’, so with that in mind, and their words ringing in my ears, I’m pleased our guys are on the case for our own customers!
** Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh, Toby Bussa, John Collins, 29 June 2021.