Redefining the Cloud Security Landscape with Microsoft Azure Sentinel

By Richard Diver / 19 Mar 2020 / Topics: Cloud, Microsoft Azure


As organizations increasingly adopt the cloud for their data and applications, the threat of cyberattack looms large. An ESG research survey published in September of this year, Security Analytics and Operations: Industry Trends in the Era of Cloud Computing Technologies, reports that 82% of organizations are committed to moving large volumes of their workloads and applications to the public cloud. 

The same report calls on security analytics and operations technologies to come to the assistance of security analysts responsible for dealing with the complexities, speed and scale of moving business-critical applications and workloads.

To handle cyberthreats, Security Operations (SecOps) teams generally employ Security Information and Event Management (SIEM) solutions. However, they find it difficult to keep pace with digital change because they spend too much time deploying and maintaining SIEM solutions rather than dealing with the near-incessant threats to mounting volumes of data.

To this end, artificial intelligence and machine learning offer a promising path to addressing many of today’s global cyber challenges that plague SecOps. Together, these two technologies can provide security administrators with the ability to prioritize the most critical tasks.

Answering the call to develop a cloud-native SIEM that would offer the right tools for SecOps teams in an organization of any size, Microsoft launched Azure Sentinel in February 2019. Azure Sentinel provides intelligent analytics at cloud scale for all workloads.

How does Azure Sentinel help you?

When a new technology is released, it provides an opportunity to review the existing landscape. This helps you to discern how it may improve the current situation and how it differs from other options. Understanding the differences requires some analysis of what the new technology is, how it works and what will change when it’s deployed.

Azure Sentinel simplifies and strengthens the way security data is collected from users, devices, applications and infrastructures deployed — on premises as well as in multiple clouds — across your entire hybrid environment. To fully understand Azure Sentinel and how best to assess and deploy it, your organization should carry out a high-level discovery of all aspects with the guidance of a Security Operations Center (SOC) expert.

Diving into your security technology landscape to discover what you actually have

By reviewing the technologies that you currently deploy to help secure your IT infrastructure and applications, you can assess the current state of your security architecture. This will probably be a patchwork of solutions that have been acquired and deployed over the last 3–5 years. In a heterogeneous environment, there’s likely a mix of solutions from a wide range of technology vendors, including an alphabet soup of acronyms like IAM, EDR, NGFW, SIEM, SOAR, CASB and CSPM.

Azure Sentinel is positioned to be both a SIEM and a Security Orchestration Automation and Response (SOAR) solution that’s built as a true cloud service — scalable and evergreen. Until now, the selection of these types of solutions has been limited to server-based solutions that come with a heavy upfront investment (and ongoing management) of the infrastructure required to support them.

However, with Azure Sentinel, you can be up and running on day one. This makes the Microsoft solution attractive and potentially a huge cost saver when compared to traditional SIEM platforms. Investing in other technologies may incur more in initial outlay, but the benefits far outweigh the money lost on the legacy SIEM. The integration it provides across the full Microsoft suite of protection tools (Azure and Microsoft 365), as well as with many third-party solutions and sources that can transmit syslog data into Azure Log Analytics, also makes it attractive to SecOps teams and analysts.

Working with cybersecurity professionals across your environment

Many of the skills required in the SOC are not specific to a single technology. Over time, talented engineers and analysts gain exposure to multiple technologies and approaches. Azure Sentinel is built on the long-standing foundation of the Azure Log Analytics platform, which will require the SOC team to learn a few new skills, especially Kusto Query Language (KQL).

The physical location of your team should also be considered. Hiring is tough enough without limiting your selection to the local talent pool or forcing relocation to a central building. With a cloud-based SOC platform, you don’t need to ensure physical proximity to the data. You just need to ensure secure access and responsive communications channels. This shift provides an opportunity to review the way the SOC teams gain access to and interact with your whole security architecture.

Getting SecOps up and running with the process

The implementation of a new SIEM/SOAR platform gives you the best opportunity to create a new approach to the way it will be operated. Several factors drive the transition toward Security DevOps (SecDevOps), in which automated detection and response are developed to minimize the need for manual intervention. The factors shaping any new SOC design include a rapidly changing threat landscape in an ever-changing operating environment, the volume of data and the alerts it generates, and the cost and availability of skilled resources, particularly if much of the data is born in the cloud.

Outcomes for a successful SIEM with Azure Sentinel

Discussions and assessments of your security operations may uncover several trends that correspond to those emerging across other organizations.

  1. What you have today might not be right for your evolving needs. It’s time for a change. If you don’t have an existing SIEM, a greenfield approach will be simple to deploy. If you’re currently limited to log collection and need to start analyzing the data for proactive and reactive cyberthreat hunting, you can redirect your logs to a new deployment of Azure Sentinel and get started quickly. You can also avoid the renewal costs of licensing and hardware upgrades for an existing SIEM. The effort invested in deploying Azure Sentinel will pay for itself in the short term.
  2. Cloud transformation brings along new requirements. You might be satisfied with your current landscape (local and data center resources), but your shift to the cloud has incurred some new requirements like avoiding sending logs from the cloud back to on-premises storage, scaling up and down dynamically to adjust to changes in workload requirements, or having the ability to react to changes in compliance requirements.
  3. A platform built for cloud scale at per-GB pricing is too tempting to ignore. You may have decided that you can reduce the amount of data being logged to avoid the excessive costs of increasing data consumption or decrease the time it takes to increase capacity when you need to scale up. What you should know is that Azure Sentinel offers greater discounts the more that’s consumed. The pricing changes for increased or decreased consumption are updated every month. This can provide you with potential cost savings that can be enough to justify investing in the assessment. As you move more workloads to the cloud, there’s less need for a server-based or locally hosted solution. If you use other Microsoft security tools, you’ll gain a central point for logging where the solution is free for many of them.

The release of Azure Sentinel has come just in time for many organizations that are facing changing requirements and increasing threats to their operational environment. The solutions needed to identify, detect and block threats are often complex and expensive; and the market of available skilled professionals isn’t keeping up with demand.

It’s time for a change in approach. Find out more about how Insight can help you modernize your cloud-based security operations with Microsoft Azure Sentinel. Engage an Insight security consultant to learn how.

About the Author:


Richard Diver

Cloud Security Architect

Richard brings more than 20 years of international experience to the table in cloud security, mobility, identity management, and information security. He provides pragmatic IT strategy and enterprise architecture expertise with a focus on adoption of cloud technologies to drive business value and enhance security. Richard has been a Certified Microsoft Professional since 1999. At Insight, he helps clients develop cloud security strategies and capitalize on comprehensive solutions like Microsoft Azure Sentinel.