It’s not often that the infamous lines from J.R.R. Tolkien’s classic Lord of the Rings can be read as a metaphor for the risks posed to your enterprise cloud security, but for IT managers who combine a love of Game of Thrones and Lord of the Rings with all things Microsoft Cloud, this analogy ought to resonate.
“The Eye was rimmed with fire, but was itself glazed, yellow as a cat’s, watchful and intent, and the black slit of its pupil opened on a pit, a window into nothing”. – Lord of the Rings
Imagine a cloud security solution as powerful as the Eye of Sauron, the all-seeing eye, watching over your enterprise estate. You could see every threat trying to steal your precious business data and information! Well, now you can, thanks to Azure Sentinel, Microsoft’s intelligent security analytics for your entire enterprise. Azure Sentinel is your bird’s-eye view across the enterprise.
What is Microsoft Azure Sentinel?
Microsoft Azure Sentinel is a new cloud-native SIEM (Security Information and Event Management) service and SOAR (Security Orchestration, Automation and Response) solution with built-in AI for analytics. It removes the cost and complexity of achieving a central, focused, near real-time view of the active threats in your environment.
These two features provide the following benefits:
- SIEM – Real-time analysis of security alerts/logs
- SOAR – Automated responses to security threats
In short, Azure Sentinel is your all-seeing “Eye of Sauron”, looking over everything that happens within your environment, flagging real security threats, the “hobbits” (security alerts), and automatically responding with “orcs” by quarantining, blocking and escalating.
Azure Sentinel sees and stops threats before they cause harm by doing 4 main things:
Connect to Collect
Azure Sentinel is essentially a SIEM built in the cloud. First things first: you need an Azure subscription to which you can connect your security resources. Since it is a Microsoft product, the Microsoft integrations are readily available; non-Microsoft applications can be connected via common event formats (e.g. Syslog). You can find more info on Microsoft and external service connections here.
Detect the sneaky “hobbitses”
Because Azure Sentinel uses powerful machine learning and user analytics, it detects threats fast.
- Based on the security analytics rules, when a match is detected, Azure Sentinel sends the alerts to Azure ATP.
- Azure ATP checks which user entities are related to the alerts and calculates the investigation priority for those users.
- Azure ATP then recalculates the users’ scores once they are enriched with data from your Azure Sentinel analytics rules.
All of this information is then populated into a user-friendly, modern and sleek dashboard showing events and alerts over time, potentially malicious events, recent cases and data source anomalies.
Investigate using “the Nazgûl”
In Lord of the Rings, when Sauron found out where Frodo was, he sent out the airborne Nazgûl to investigate and hunt him down. In this case, Azure Sentinel has deep investigative tools to understand the scope of a threat and find its potential root causes.
The above scenario started from an alert of a failed login attempt by a user on a specific host. Azure Sentinel then analyzed the data associated with that user to find additional insights and related alerts, surfacing notifications of suspicious PowerShell scripts, odd sign-ins and mass downloads by the same user. This reveals the full scope of what occurred and helps paint the bigger picture.
Begin the hunt
Investigating alerts is reactive, but organizations should also be proactive. Azure Sentinel has a ‘Hunting’ feature (yes, the option is actually called Hunting) where you can run powerful queries, either built-in or bespoke, to scour the mountains of data you have for anomalies, suspicious activity and more.
There is a lot more to say about queries, so do click here for more info.
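As an added example (not from the original post), here is a bespoke hunting query of the kind the Hunting feature runs, written in Kusto Query Language (KQL), the query language Azure Sentinel uses. It reproduces the investigation scenario above, starting from a burst of failed logons by one account on one host and looking for PowerShell launched by that account on the same host shortly afterwards. It assumes the Windows Security Events connector is populating the SecurityEvent table with process-creation auditing enabled; the 7-day lookback, 1-hour window, failure threshold and command-line indicators are constructed values you would tune to your own estate.

```kql
// Added hunting example; not code from the original post or from Microsoft.
// Assumes: SecurityEvent table fed by the Windows Security Events connector,
// with EventID 4625 (failed logon) and EventID 4688 (process creation,
// command-line auditing enabled). All thresholds below are constructed.
let lookback = 7d;
let window = 1h;
let minFailures = 10;
// Step 1: accounts with a burst of failed logons on a single host
let failedLogons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
              by Account, Computer
    | where FailedCount >= minFailures;
// Step 2: PowerShell started by the same account on the same host
// within the window after the last failure, with suspicious switches
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688
| where Process has "powershell.exe"
| where CommandLine has_any ("-EncodedCommand", "-enc", "Invoke-Expression", "DownloadString")
| join kind=inner failedLogons on Account, Computer
| where TimeGenerated between (LastFailure .. (LastFailure + window))
| project TimeGenerated, Account, Computer, FailedCount, FirstFailure, LastFailure, Process, CommandLine
| order by TimeGenerated desc
```

Paste the query into the Hunting blade to run it ad hoc, or, once it proves useful, promote the same logic to a scheduled analytics rule so matches raise alerts that a playbook can act on. The join on Account and Computer is what ties the two signals together; without it, a failed-logon burst and a PowerShell launch anywhere in the estate would match each other.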
Automation so you can RELAX
Because it is built on the foundation of Azure Logic Apps, Azure Sentinel lets you orchestrate automated responses based on rules you have set.
What automated responses can you trigger in Azure Sentinel?
- Create record in ServiceNow
- Post message in Security Teams Channel
- Send approval Email
- Block user in Azure AD
- Block IP on Firewall
These procedures are known as security playbooks. They run in response to an alert and are highly customizable to most scenarios.
Do you have more questions regarding Azure Sentinel?