If you’re an IT pro like me, then you probably face the same kind of problem I do — keeping abreast of current developments in the IT security field. This means learning about the latest threats and the newest tools you can use to defend yourself from such threats. I’m constantly plumbing the expertise and experience of my colleagues in the IT profession as well as sharing my own tips and gotchas with them. One colleague who has helped me keep abreast with security developments in Microsoft’s Azure cloud services platform is Sasha Kranjac, CEO and cloud security architect at Kloudatech. Sasha is an Azure and security specialist, consultant, and cloud architect. He helps companies and individuals embrace the cloud and be safe in cyberspace, delivering Microsoft, EC-Council, and his own custom Azure and Security courses and PowerClass workshops, consulting or architecting cloud solutions internationally. He is also a Microsoft Most Valuable Professional (MVP), Microsoft Certified Trainer (MCT), MCT Regional Lead, and a Certified EC-Council Instructor (CEI). To learn more about him, you can follow Sasha on Twitter. In June 2019, here on TechGenix, Sasha introduced us to Azure Sentinel, a security information event management (SIEM) tool that Microsoft was just in the process of releasing. To update readers on what’s been happening with Azure Sentinel since then, I asked Sasha to share any news or enhancements Microsoft has made to Azure Sentinel, and here is what he shared with me.
Azure Sentinel news and enhancements
Azure Sentinel is a security information event management (SIEM) and security orchestration automated response (SOAR) solution, Microsoft’s cloud-native answer to increasingly sophisticated threats and large volumes of warnings and alerts, across all the enterprise — infrastructure and applications, users and devices — but spanning to multiple clouds and on-premises as well.
This year, a virtual, online edition of Microsoft Ignite 2020 brought a wave of news across Microsoft’s portfolio of products and services, and Azure Sentinel has not missed the opportunity to be a part of the publicity.
On its first birthday, Azure Sentinel is different than it was a year ago, and for the better. The latest announcements included many innovations, helping to shape Azure Sentinel to become a product better suited to confront modern threats with improved efficiency.
We have witnessed the announcement of:
- User and Entity Behavior Analytics (UEBA)
- Entity profiles
- Threat intelligence
- Enterprise-wide data collection
- Machine learning
User and Entity Behavior Analytics
User and Entity Behavior Analytics, or UEBA, is an Azure Sentinel capability that can help security professionals detect insider and unknown threats, identify anomalous behavior, and shorten response time to threats.
UEBA is an evolution from the user behavior analytics, or UBA, which did not include entities when looking for anomalous conduct. By expanding monitoring and analysis to entities, such as servers, endpoints, routers, switches, and IoT devices, UEBA-capable solutions are better. They can detect deviations from normal behavior patterns in a more efficient way. Some of the entities UEBA in Azure Sentinel supports are Azure resources, registry keys and values, security groups, IP addresses, user accounts, hosts, files, processes, URLs, and others.
What advantages does UEBA bring to the table? Organizations might have tools that protect from viruses and trojans, but how can they protect themselves from “trusted” threats? For example, a user regularly logs on at 9 a.m., logs off around 5 p.m., and does that from Monday to Friday. During work hours, this particular user usually accesses around 5GB of files. One week, the user starts downloading or accessing 10GB of files, including files he never accessed before. Additionally, the user logged on during off-hours and on weekends.
That is where UEBA thrives because it relies on machine learning and complex algorithms to establish and detect anomalous user and entity behavior, that is, to distinguish between actions that are not “normal” or legitimate user actions and actions that might be malicious and threatening.
Typical organizations have numerous entities and users, where manual analysis and tracking becomes virtually impossible without artificial intelligence, not only because of the sheer number of subjects security professionals would need to track but also because of the extreme complexity of the analytical process.
User and Entity Behavior Analytics does not trace devices or events. It traces all entities and users, or to be precise, it follows their behavior.
Gartner defines three primary UEBA characteristics, which Azure Sentinel’s UEBA closely follows:
- Use-cases: UEBA systems have to monitor, detect, and alert many different anomalies such as compromised users, malicious insiders, zero-day threats, and advanced persistent threats.
- Data sources: UEBA-capable products can ingest and analyze large amounts of data from various sources, such as events, logs, and network (meta) data.
- Analytics: UEBA solutions produce results — for example, detect threats and isolate anomalies — using machine learning, complex algorithms, and advanced statistical modeling.
Entity Behavior and UEBA features are in General Availability in Europe West, United States regions, and Australia regions, while in Preview in all other regions.
Follow these simple steps to get started using UEBA in Azure Sentinel. Before anything else, you need to visit Settings to enable Entity Behavior Analytics in Azure Sentinel.
Next, click Select Data Sources to choose which data sources will be profiled and analyzed by UEBA, such as Azure activity, security events, sign-in logs, and audit logs.
Then, under Entity Behavior, perform a search for hosts or accounts while choosing the timeframe to display the number of alert results.
Entity information shows important fields displaying important data that can help investigating and diagnosing potential threats:
- Azure Security Center information
- Microsoft Defender for Endpoint data
- Events and alerts over time
- Alerts and activities timeline
- Windows sign-in activity
- Sign-ins over time
- Windows process execution info
- Process rarity via entropy calculation
- Anomalously high number of a security event
- Action on accounts
- Enumeration on hosts, users, groups on host
- Enumerations over time
- Actions on account
- Anomalously high office operation count
- Resource access over time
- Anomalously high Azure sign-in result count and others
Threat intelligence brings the possibility to add threat indicators or cyberthreat intelligence information to Azure Sentinel enabling you to get additional information and details about potential threats.
Threat indicators are pieces of information connecting malicious activity like malware or phishing with entities such as IP addresses, URLs, or file hashes. This way, security professionals can use threat indicators to find threats, detect malicious activity, and be more successful in their attempts to stop attacks.
Another important addition to Azure Sentinel are watchlists used to collect data from external sources, such as servers’ and clients’ IP addresses, hashes of important files, or users. As soon as you import data via CSV file, you can use these watchlists in various scenarios, for example, to reduce alert fatigue by suppressing alerts from well-known or trusted entities, to create deny or allow lists to detect specific behavior or logging in to a network, to use a watchlist in queries and analytics rules, and more.
Other improvements include additional Microsoft products support in Azure Sentinel, like Microsoft Teams and Microsoft Defender for Endpoint; new connectors for Azure DDoS, Azure Firewall, and Azure WAF; new third-party connectors for Citrix WAF, CyberArk, Beyond Security, and ForgeRock. Azure Machine Learning service is backing up notebooks in Azure Sentinel, enabling IntelliSense support, notebook file explorer, and point-in-time notebook snapshots. You can enhance the development of machine learning models using new frameworks comprising templates, tools, and data templates.
As attackers are evolving their techniques to get their hands on our valuable data, I am confident that we do not have to be afraid that our tools will be obsolete, as Microsoft showed with recent announcements that it is committed to following the latest trends and innovations in cloud data protection and threat detection.