Azure Sentinel is a cloud-native and highly scalable Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) service from Microsoft. Sentinel conveys intelligent security analytics and threat intelligence for your business as a single solution for threat and alert detection, visibility, hunting, and response requirements.
It’s the 50,000-foot-view of the enterprise aimed at reducing the stress of what seems to be increasingly sophisticated attacks, alert fatigue, and endless resolution timeframes.
Sentinel allows you to collect data at scale across users, devices, applications, and infrastructure and does so both on premise and in multiple clouds, not just restricted to Microsoft. It gives you the ability to detect threats you may have overlooked before and (the greatest struggle with SIEM/SOAR solutions) minimises false positives using Microsoft’s wealth of advanced analytics and threat intelligence.
In turn, you can investigate threats with Artificial Intelligence (AI) and leverage the wealth of knowledge, experience, and resources at Microsoft to engage in advanced threat hunting. Best of all, you can quickly respond to incidents with built-in orchestration capabilities. Inside of a Microsoft-based Information Assurance Ecosystem, this should be easy as pie. Mmmmmm. Pie.
What Is It?
Before we get into specifics, we should first understand what exactly SIEMs and SOARs are. The amount of information generated on your network is the stuff nightmares are made of but making sense of it and separating the wheat from the chaff make that nightmare seem like a daydream. A SIEM (pronounced interchangeably as “SIM” or “SEEM”) can make the difference between making sense of it all and living a waking nightmare.
A SOAR, on the other hand, is where the rubber meets the road. The “Orchestration” part is where all of the various pieces integrate and work together under centralised management and direction. It’s kind of like the playground teacher that makes sure all the kids play nice in the sandbox. The Automation component is the action-driven part that does the actual work based on the workflows and processes required to perform a security task. For example, automating the termination of a user session, sending alert information to a messaging platform, or updating a status indicator. The Response part is exactly that; a response to an input which, in this case, is probably the result of data received via a SIEM (or another monitoring or management tool, to be fair).
One of the primary drivers for adoption of a SIEM is visibility and with the Notifiable Data Breach (NDB) Scheme now hovering over us here in Australia, the ability to reasonably determine if there has been a breach is more critical than ever. Combining it with a SOAR only makes sense towards doing something with the information received.
A SIEM consists of two parts. First, there is the Security Event Manager (SEM) that looks after the real-time events as they happen on your network. The second is the Security Information Manager (SIM) which looks after the longer-term data retention and analysis. Together, these two parts make a SIEM a valuable addition to any network by being able to manage events as they happen and generate reports and trend analysis over time. The second part is also important as breaches may not be detected immediately, but over time they can be detected when there is more of a pattern to work with. It’s nice to believe we can stop every eventuality as it happens, but then you may as well put on your tinfoil helmet and move to a cave.
Beyond these two primary components, a SIEM breaks them down further by handling aggregation and correlation, alerting, providing dashboards, achieving compliance, and in the longer term, offers data retention and forensic analysis. A lot of power, I know, and it must be respected.
Traditionally, a long-standing objection to SIEMs was their cost and, having implemented several myself, I can understand that. However, if you have existing Microsoft licensing and access to Azure Sentinel, the cost objection may be overcome as it’s a welcome uplift to your security profile. The cost should be seen as an investment in your Information Assurance Ecosystem.
Microsoft Azure Sentinel may be one of the newest, but it’s probably one of the best solutions out there for you. Not only do you get SIEM and SOAR capabilities, it’s all contained within the Microsoft environment that likely forms the core of your infrastructure and is also the Source Of Truth for all accounts used for authentication, authorisation, and auditing.
Where Do I Start?
First things first. Ask yourself if you know exactly (well, mostly) what is happening on your network at any given time and able to do so without extensive digging through multiple tools and manual processes. Probably not. It’s all right, you’re not alone and you’re in good company. You probably have some or most of the pieces needed but get a bit overwhelmed by how to go about it. Having a single firewall, switch, and router is one thing, but if you have dozens, if not hundreds of devices, then it gets crazy very fast. Even if you’re already heavily invested in Microsoft cloud technologies (which many of us are) like Azure and Office 365, it can get quite confusing.
Do you use any kind of centralised logging platform at present? SYSLOG or something similar? Do you go to each machine individually and dig through the logs? When was the last time you took a good look at your Windows server logs? You’re probably quickly realising how big the mountain of data is and when you ask anyone what you should be logging, they look up from their cup of coffee with a glazed look, mumble “everything”, and quickly turn and walk away. Even the most hardened cyber veterans can become remarkably elusive at times. We’re like chameleons that can disappear into the inner workings of datacentres!
A more important question is asking what information is important because while a SIEM has “Security” in the name, it often ends up handling everything else as well. Prioritise your data first and start small. Leave “The Big Bang Theory” on the television and not in your project plans. If you are most concerned about failed access attempts on the firewalls, start there. After that, figure out what kinds of information mean the most and don’t be afraid if something gets left out; you can add it later. Implementing a SIEM and SOAR solution is like eating an elephant… one bite at a time!
With a prioritised list of what you want to get out of a SIEM, it’s time to start looking for the one that suits your needs. If you don’t have the budget for one in-house, look at managed services where you ship your data off securely and let someone else look after the munging. With systems you can own and operate yourself, and with systems others use to deliver the services, you have a lot of options. Take your time and select the offering that will deliver what you want. Of course, if you’re already in the Microsoft space, Azure Sentinel can add the capability without additional complexity. I’m going to keep going over this again and again: reduce layers, improve integration, improve visibility, and reduce human error. Sentinel helps with three of these; the last one is up to you (but you will find it much easier).
Be mindful, however, of data retention as the more you collect, analyse, and preserve, the more it will cost. The scalability of a solution and storage must be right up there with capacity and performance. If you sell yourself short on the solution, you may find yourself no further ahead with an incomplete or limited data set. Getting the right people involved including service providers, vendors, and your stakeholders should help mitigate a lot of these issues. Failing to plan is planning to fail!
With the SIEM side sorted, you need to consider what you’ll do with the information and that is where the SOAR component shines. If you know what to do with the information, the SOAR side of Sentinel will do the heavy lifting to coordinate the various parts via orchestration and perform the tasks via automation.
Sentinel has a reasonable price structure for the amount of data processed, so if you can plan the implementation correctly, you should be able to budget accordingly for the operating costs which, I should add, will still be less than trying to own and operate it yourself on premise.
How do I make It Work?
Even though I’ve become a fan of Sentinel (and I’ve had my hands on a lot of SIEM solutions over the years), it MUST be designed, configured, and implemented correctly because it will all fall in a flaming heap like any other poorly-implemented SIEM. I don’t say that to frighten you (goodness knows we have our share of fear-uncertainty-doubt (FUD) out there) but to just take your time and do it right. Please get the right people involved and don’t hesitate to ask us for help!
Right. So now you’re eager to get started, have a plan in place and access to Sentinel. What first? Without going into too much detail, there are a few things you should do. These include:
Connect Sources: The first step is connecting to your security sources and Sentinel comes with several connectors for Microsoft solutions natively (as you’d expect). These include Microsoft Threat Protection solutions, Microsoft 365 sources (which include Office 365), Azure AD, Azure ATP, and Microsoft Cloud App Security (MCAS) to name a few. Better still, there are connectors for your non-Microsoft systems and you can use common event format, SYSLOG, or REST-API connections. This is important as everyone has a very vendor-diverse environment!
Workbooks: With your data sources connected to Sentinel, you monitor it with Azure Monitor Workbooks. These provide a versatile way to create custom workbooks and while Workbooks are displayed differently in Sentinel, it’s useful for you to see how to generate interactive reports. Even with custom Workbooks, you can use the built-in workbook templates to get started as soon as you have input data.
Analytics: To reduce noise (and we know how noisy a SIEM can be!) and reduce alert fatigue, Sentinel uses its powerful analytics to correlate alerts into incidents. There is some confusion at times what constitutes an “incident”, but to me, an incident is a group of related alerts that, when combined, create an actionable and potential threat for investigation and resolution.
You can choose to use the built-in rules as-is, or create your own based on them. Better still, use Sentinel’s machine learning capabilities to build a baseline and seek out the anomalies. Sentinel is very good at correlating several smaller and seemingly insignificant events into an actionable incident. How often have we missed the clues that were right in front of us because we couldn’t “connect the dots”?
SOAR: This is a game-changer in the SIEM market; the ability to automatically take action on the intelligence gained. Sentinel can automate common actions while simplifying orchestration through integrated playbooks in Azure and your existing tools. I’m a big fan of using what you’ve already invested in and getting the most out of it (ROI, anyone?)
There is a heap of built-in playbooks available and, as of this writing, more than 200 connectors for everything from ServiceNow to Teams to MCAS and more. Tying this into a ticketing system, for example, such as Service Now can streamline the action process when someone has to take an assigned action not possible to automate. In the end, we’re all very busy so the SOAR side of Sentinel alone is a worthwhile investment.
Investigate: Knowing about an incident or event is one thing, but understanding it is quite another. Sentinel offers a wealth of tools for a deep-dive to uncover that root cause and understand potential threats much better. One of the newer features of Sentinel, it will become more popular with those of us tasked with figuring out how the whole incident occurred in the first place and what we can do about it. Forensics specialists should be all over this.
Hunt: Threat Hunting is a seemingly newer discipline in cyber, but the reality is we’ve always been seeking to find threats before they find us. Sentinel’s hunting capabilities give you a leg-up in the cat & mouse game of finding issues (potential or actual) before they morph into something you’d rather not deal with. Proactivity is the name of the game here, and it also gives you the ability to share your findings with others seeking to mitigate or even prevent incidents.
Community: Best of all, the Sentinel community is a wealth of resources for threat detection and automation. New workbooks and playbooks are constantly being developed to keep the upper hand in cyber, and there is no shortage of downloadable content from GitHub you can use.
Now that you’ve figured out what you’re going to feed into your SIEM and that it can scale up, have selected a solution or a partner to help, have allowed for growth, performance, and data retention, then what?
It’s time to act but there are a few other things we need to consider.
Be sure the systems at both end and all connection points in between are secure. Encryption is a must – no plain text here, folks! Treat it like a big hub and spoke where any of the spokes can be an attack vector. Enable the logging on the monitored devices, starting high and working your way down (i.e. start with ONLY critical events first and then add… it’s easy to get overwhelmed if you start at the bottom and try to lean it out – those low priority events will stick around and be a thorn in your side.
Before you add any more, check, re-check, and check again to make sure everything is working as expected. Are events getting aggregated to make sure you don’t get the same issue a hundred times from a hundred devices? Are events being correlated to give more intel about them and a more reliable way to act? Are alerts being generated and forwarded as needed to the dashboard, and sent out by email or SMS? Are you capturing enough forensic data for trend analysis and reporting?
Be like the mechanic with a race car, hovering over the carburettor with a screwdriver…adjust until it’s exactly the way it needs to be. When you hit that sweet spot, go back and start again with something else to add more usable data. Slow and steady with Sentinel will yield amazing results.
Too much, too soon can kill the enthusiasm of even the sturdiest SIEM and SOAR devotees amongst us. Growth must be planned and gradual and every time you plan to feed something in, know what you need to get out of it. Adding in all your aggregation and access switches on top of the core switches? Be selective as things can get noisy, very fast. A New application that generates a lot of logs? Perhaps refine what gets sent to the SIEM and what can remain on the server. Adding a new device to feed into the SIEM doesn’t mean blindly dumping everything in. Ever heard of the old programmer term “Garbage in, Garbage out – GIGO?) Exactly.
Another pitfall is failing to plan for data retention. Too little yields little usable trend and forensic data. Too much ends up costing a fortune. Therefore, figuring out what you want out of the SIEM is so important upfront; you can design and plan accordingly. There are many others, but getting the right people involved from day-dot should help mitigate many pitfalls.
Ghosts in The Machine?
Because of how important the data is (provided it has been properly configured to capture the correct data) you need to safeguard the SIEM system and access aligned with the data it contains. If you have a SIEM on a highly classified network, the SIEM server and the data it contains, even just log files, must be treated as highly classified as well. The days of the wide-open SYSLOG server might be well and truly behind us with data being a new gold commodity. Another place where you want to use Multi-Factor Authentication, for sure!
Fortunately, with Azure Sentinel, a lot of these ghosts can be managed because it works primarily within your existing Microsoft Ecosystem and is part of the larger Information Assurance Ecosystem you’re building that consists of people, process, environment, and of course, technology.
Be sure that you include your SIEM solution in your security testing. Just because it contains security data doesn’t mean it is secure itself! Oh yes…. please make sure to harden the system and keep the patches up to date. Always remember your ASD / ACSC Essential Eight, especially when dealing with other security strategies. Thankfully, as a cloud service, Microsoft looks after a lot of the heavy lifting here with regards to keeping everything up to snuff.
Stay safe out there!
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock