The same report calls on security analytics and operations technologies to come to the assistance of security analysts responsible for dealing with the complexities, speed and scale of moving business-critical applications and workloads.
To handle cyberthreats, Security Operations (SecOps) teams generally employ Security Information and Event Management (SIEM) solutions. However, they find it difficult to keep pace with digital changes by spending too much time deploying and maintaining SIEM solutions, rather than dealing with the near-incessant threats to the mounting loads of data.
To this end, artificial intelligence and machine learning offer a promising path to addressing many of today’s global cyber challenges that plague SecOps. Together, these two technologies can provide security administrators with the ability to prioritize the most critical tasks.
Answering the call to develop a cloud-native SIEM that would offer the right tools for SecOps teams in an organization of any size, Microsoft launched Azure Sentinel in February 2019. Azure Sentinel provides intelligent analytics at cloud scale for all workloads.
When a new technology is released, it provides an opportunity to review the existing landscape. This helps you to discern how it may improve the current situation and how it differs from other options. Understanding the differences requires some analysis of what the new technology is, how it works and what will change when it’s deployed.
Azure Sentinel simplifies and strengthens the way security data is collected from users, devices, applications and infrastructures deployed — on premises as well as in multiple clouds — across your entire hybrid environment. To fully understand Azure Sentinel and how best to assess and deploy it, your organization should carry out a high-level discovery of all aspects with the guidance of a Security Operations Center (SOC) expert.
By reviewing the technologies that you currently deploy to help secure your IT infrastructure and applications, you can assess the current state of your security architecture. This will probably be a patchwork of solutions that have been acquired and deployed over the last 3–5 years. In a heterogeneous environment, there’s likely a mix of solutions from a wide range of technology vendors, including an alphabet soup of acronyms like IAM, EDR, NGFW, SIEM, SOAR, CASB and CSPM.
Azure Sentinel is positioned to be both a SIEM and a Security Orchestration Automation and Response (SOAR) solution that’s built as a true cloud service — scalable and evergreen. Until now, the selection of these types of solutions has been limited to server-based solutions that come with a heavy upfront investment (and ongoing management) of the infrastructure required to support them.
However, with Azure Sentinel, you can be up and running on day one. This makes the Microsoft solution attractive and potentially a huge cost saver when compared to traditional SIEM platforms. The opportunity to invest in other technologies incur more in initial outlay, but far outweigh the money lost on the legacy SIEM. The integration it provides across the full Microsoft suite of protection tools (Azure and Microsoft 365), as well as for many third-party solutions and sources that can transmit syslog data into Azure Log Analytics, also make it attractive to SecOps and analysts.
Many of the skills required in the SOC are not specific to a single technology. Over time, talented engineers and analysts gain exposure to multiple technologies and approaches. Azure Sentinel is built on the long-standing foundation of the Azure Log Analytics platform, which will require the SOC team to learn a few new skills, especially Kusto Query Language (KQL).
The physical location of your team should also be considered. Hiring is tough enough without limiting your selection to the local talent pool or forcing relocation to a central building. With a cloud-based SOC platform, you don’t need to ensure physical proximity to the data. You just need to ensure secure access and responsive communications channels. This shift provides an opportunity to review the way the SOC teams gain access to and interact with your whole security architecture.
The implementation of a new SIEM/SOAR platform provides you the best opportunity to create a new approach to the way it will be operated. Several factors that drive the transition of Security DevOps (SecDevOps) to the development of automated detection and response minimize the need for manual intervention. Some of the factors of any new SOC design include a rapidly changing threat landscape in an ever-changing operating environment, the volume of data and the alerts it generates, and the cost and availability of skilled resources, particularly if much of the data is born in the cloud.
Discussions and assessments of your security operations may uncover several trends that correspond to those emerging across other organizations.
The release of Azure Sentinel has come just in time for many organizations that are facing changing requirements and increasing threats to their operational environment. The solutions needed to identify, detect and block threats are often complex and expensive; and the market of available skilled professionals isn’t keeping up with demand.
It’s time for a change in approach. Find out more about how Insight can help you modernize your cloud-based security operations with Microsoft Azure Sentinel. Engage an Insight security consultant to learn how.