Based on the customer feedback from the field, we realized that there was a pressing need to bring in all the Microsoft Security threat detection solutions under one roof. The below reference architecture provides a complete understanding of various Microsoft Security solutions (XDR + SIEM) and their native as well as third party solution integrations. The architecture also includes a CISO dashboard developed by Kloudynet to provide full visibility across all the security products, multiple cloud platforms (Azure, AWS, GCP), and the organization’s security posture.

Modern XDR + SOC Architecture

Click here to download the image in the formats: SVG, PDF or PNG

Microsoft Defender

Microsoft Defender is offered as, Microsoft 365 Defender for end-user environments and Defender for Cloud for cloud and hybrid infrastructure.

Microsoft 365 Defender

Microsoft 365 Defender delivers XDR capabilities for identities, endpoints, cloud apps, and emails. Microsoft 365 Defender includes the below technologies

• Microsoft Defender for Endpoint
  
• Microsoft Defender for Office 365
  
• Microsoft Defender for Identity
  
• Azure Active Directory Identity Protection
  
• Microsoft Defender for Cloud Apps
  

Microsoft Defender for Cloud (Previously Azure Security Center)

Defender for Cloud delivers XDR left capabilities to protect multi-cloud and hybrid workloads, that includes below capabilities

• Azure Defender which covers
  
  • Servers (VMs running on Azure or anywhere using Azure Arc)
    
  • App Service
    
  • SQL servers on machines
    
  • Azure Storage
    
  • Kubernetes
    
  • Container Registries
    
  • Azure Key Vault
    
• Azure Defender for IoT
  
• Azure Defender for SQL
  

Microsoft Sentinel

The XDR capabilities of Microsoft Defender delivered through Defender for Cloud and Microsoft 365 Defender provides rich insights and prioritized alerts, but to gain visibility across your entire environment and include data from other security solutions such as firewalls and existing security tools, we connect Microsoft Defender to Microsoft Sentinel, Microsoft cloud-native SIEM.

Special thanks to Ahsim Nisar (Technical Specialist, Cyber Security) for providing guidance and technical inputs to build the architecture diagram

Fahad Shaikh, Founder & CEO, Kloudynet Technologies

Azure Sentinel is a cloud-native Security Incident and Event Management (SIEM) solution built to provide security analysts with a powerful tool to detect and respond to cyberattacks. Azure Sentinel also contains a Security Orchestration and Automated Response (SOAR) capability. But before we answer why “Azure Sentinel” its important to understand the current Threat landscape and challenges organizations are facing

Current Threat Landscape:

NotPetya is seen as one of the worlds most sophisticated and disruptive cyberattacks that began in Europe in June 2017. NotPetya was meant for pure destruction, and although it pretended not to be a ransomware, there was no chance for the victim to restore the infected machines because the data was made indecipherable with encryption.

The component of NotPetya that made it so lethal was that it contained multiple lateral movement techniques to spread quickly following the initial infection. According to an assessment, the total financial damage from NotPetya attacks totaled $10 billion!

Furthermore, statistics say

• 86{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} of all breaches are financially motivated, where threat actors are after company financial data, intellectual property, health records, and customer identities that can be sold fast on the Dark Web.
• 70{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} of breaches are perpetrated by external actors, making endpoint security a high priority in any cybersecurity strategy.
• 55{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} of breaches originate from organized crime groups.
• Attacks on Web apps accessed from endpoints were part of 43{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} of breaches, more than double the results from last year.

Source: https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf

Security Challenges for SecOps:

For most organizations, the Security Operations Team (SOC) is the central hub responsible for identifying and responding to cybersecurity threats. Mitre (attack.mitre.org) defines the SOC as “a team primarily composed of security analysis organized to detect, analyze, respond to, report on, and prevent cyber security incidents. The commonly found pattern would include

Tier 1 – High Speed Remediation

Tier 2 – Advanced Analysis, Investigation, and Remediation

Tier 3 – Proactive Hunting and Advanced Forensics

Microsoft today has adopted the fusion center model for cyber defense operations known as Cyber Defense Operations Center (CDOC)

Resource Challenges:

Staffing shortages have hit Security Operations Center especially hard for a few reasons

• SOCs run operations 24X7X365 and therefore require heavy investments in security personnel
• Security analysts require unique set of knowledge and skills that are difficult to find
  • Understanding of common attacker techniques
  • Have strong intuition
  • Have a desire to dig into the details and volumes of alerts and logs
  • Be driven to continuously learn

With these challenges CISOs and SOC leaders are looking for solutions that make their analysts more efficient; reduce the volume of mundane, manual tasks; and provide robust automation and orchestration capabilities

Security Data Challenges

Security teams are drowning in the volumes of data generated by the digital assets they are required to protect. IIOT devices, smart sensors, BYOD, and other devices which are connected

• Security teams are often required to forgo connecting data sources because of the costs associated with scaling out their SIEMs
• Search and correlation engines cannot not handle large volumes of data and analysts’ queries
• Static correlation rules often miss anomalies that indicated that an attacked has successfully infiltrated the system
• Typical, early SIEM systems were not built on machine-learning models to help identify such anomalies
• Hiring so many data scientists to build, test and deploy their own models is expensive and hard
• Many SIEM deployments are done with a “deploy and forget mentality”. This results in analytics working on a higher number of false positives that strains personnel and makes identifying the true, high-value events difficult.

Azure Sentinel: Cloud-native SIEM

Azure Sentinel has been engineered to address the SecOps challenges identified earlier in this article

• Automatic scaling up to meet the data and storage requirements for enterprises of any size. All the log data for Azure Sentinel is stored in an Azure Log Analytics Workspace
• Integrating directly with the Microsoft Threat Intelligent Security Graph to help increase the likelihood of detecting advanced threats by leveraging Microsofts and its partners intelligence
• Integrating endpoint protection logs for early detection. Securing endpoint is the future of cybersecurity based on the data provided early in the article
• Reducing the need for human intervention by leveraging an open and flexible automation capability for investigating and responding to alerts
• Including the advanced anomaly detection using Microsofts machine learning algorithms (FUSION)
• Providing dashboards and user interfaces that are intuitive to analysts and built to streamline the typical operations within an SOC

Azure Sentinel: Core Capabilities

Azure sentinel provides security teams with unprecedented visibility into their digital estates

• Data collection and storage across all users, devices, applications, and infrastructure – whether on-premise or in the cloud
• Threat detection that leverages Microsofts analytics and threat intelligence
• Investigation of threats by hunting for suspicious activities at scale
• Rapid response to incidents by leveraging built-in orchestration and automation of common tasks

Azure Sentinel: Components

The below diagram shows the major components of Azure Sentinel

• Analytics: Analytics enables you to create custom alerts using Kusto Query Language (KQL). You can further take actions on these alerts by attaching the analytics to playbooks. Playbooks are created using Azure Logic Apps

• Cases: Also called as incident, is an aggregation of all the relevant evidence for a specific investigation. It can contain one or multiple alerts, which are based on analytics that you define

• Hunting: This is a powerful tool for investigators and security analysts who need to proactively look for security threats. The searching capability is powered by Kusto Query Language

• Notebooks: By integrating Jupyter Notebooks, Azure Sentinel extends the scope of what you can do with the data that was collected. One of the major reasons for using Jupyter Notebooks is the complexity of what you are trying to do with Azure Sentinels built-in tools becomes high
  • When the number of queries in your investigation chain goes high
  • Doing complex KQL query gymnastics to integrate some external data or extract some specific entity type from data

Most of Azure Sentinels Jupyter Notebooks heavily depend on msticpy Python package which is developed by Microsofts Threat Intelligence Center

• Data Connectors: Built-in connectors are available to facilitate data ingestion from Microsoft and partner solutions. Below is a list of some of the Microsoft and non-Microsoft connectors with Azure Sentinel. Note that this is not an exhaustive list of the built-in connectors
  • Amazon Web Services
  • Azure Active Directory
  • Azure Active Directory Identity Protection
  • Azure Activity
  • Azure Advanced Threat Protection
  • Azure Information Protection
  • Azure Security Center
  • Azure Security Center for IoT
  • Barracuda CloudGen Firewall
  • Barracuda Web Application Firewall
  • Check Point
  • Cisco ASA
  • Citrix Analytics (Security)
  • CyberArk (Coming soon….)
  • DNS
  • F5 BIG-IP
  • F5 Networks
  • Fortinet
  • Microsoft Cloud App Security
  • Microsoft Defender Advanced Threat Protection​
  • Microsoft web application firewall (WAF)
  • Office 365
  • Palo Alto Networks
  • Security Events
  • Threat Intelligence Platforms
  • Threat intelligence – TAXII
  • Trend Micro
  • Windows Firewall
  • Zimperium Mobile Threat Defense
  • Zscaler

If an external solution is not on data connector list, but your appliance supports saving logs as a Syslog Common Event Format (CEF), the integration with Azure Sentinel is available via CEF connector. If CEF support is not available on your appliance, but it supports calls to REST API, you can use HTTP Data Collector API to send log data to the workspace on which Azure Sentinel is enabled.

• Playbooks: A playbook is a collection of procedures that can be automatically executed upon an alert triggered by Azure Sentinel. Playbooks leverage Azure Logic Apps, which help you automate and orchestrate tasks/workflows.

• Workspace: A log Analytics workspace is a container that includes data and configuration information. Azure sentinel uses this container to store data that you collect from the different data sources.

Conclusion:

Utilizing a cloud-native SIEM will definitely reduce the integration costs and free up resources.

Ease of integration with telemetry data is the key to any SIEM success. Azure Sentinel offers a resilient and a straightforward way to connect data sources, without the need to any have server or storage infrastructure and going 100{9ee96c6d432e164aa8f1209d1934688fca0902a21c1f7400127c265baa8231f2} serverless.

With just a few clicks you can connect Sentinel to O365, Azure AD or Azure Activities and start receiving alerts immediately and get populated on the dashboards in minutes.

Now month-long projects on integration of O365 with legacy SIEM can be implemented in a day by onboarding to Azure Sentinel. Helps specially if customers are struggling with such integration of detection use cases to address auditors concerns.

All this is also true not only for collecting data from Microsoft sources. However Azure Sentinel AWS CloudTrial connector, which is based on serverless Cloud-To-Cloud connection, provides the same benefits.

Hope this write up gives a birds eye view of what Azure Sentinel is, its core capabilities & benefits and why enterprises should be looking at Azure Sentinel as their next SOAR and SIEM solution.

Fahad, Founder & CEO, kloudynet Technologies

Microsoft Gold Partner and Experts in Azure | Cybersecurity & Governance | Intelligent Automation