In a recent blog post, Microsoft announced further investments to its intelligent security offerings in the form of a Security Information and Event Management (SIEM) product called Azure Sentinel. SEIMs are used by security professionals as a data store that is capable of aggregating security events from logs across a variety of systems, including servers, firewalls, routers, switches and end-user computing devices. Azure Sentinel is a platform service that includes artificial intelligence and machine learning to reduce the burden of traditional SIEMs by eliminating the need to maintain infrastructure and reducing alert fatigue by providing prescriptive guidance on emerging threats.
Organizations are struggling with maintaining proactive security practices. Microsoft feels they can address this growing problem with Azure Sentinel. Eliav Levi, director of product management at Microsoft, explains:
SecOps teams are inundated with a very high volume of alerts and spend far too much time on tasks like infrastructure setup and maintenance. As a result, many legitimate threats go unnoticed. An expected, shortfall of 3.5M security professionals by 2021 will further increase the challenges for security operations teams. You need a solution that empowers your existing SecOps team to see the threats clearer and eliminate the distractions.
Microsoft is able to analyze signals from a variety of locations and can scale to address the needs of enterprise customers. Koby Koren, senior product manager at Microsoft, explains how this is possible:
Azure Sentinel works by correlating the security logs and signals from all sources across your apps, services, infrastructure, networks, and users, whether they reside on-premises in Azure or any other cloud. Our built-in AI leverages Microsoft threat intelligence that analyzes trillions of signals every day. And our machine learning models refined through decades of security experience filter through the noise from alerts, drilling into it analyzing thousands of anomalous events, to return a view of threats that really require your attention.
For several years, companies have been exporting their cloud data from Office 365 and Azure and ingest it into their on-premises SIEM tools. However, this approach has created operational challenges for these organizations. Maarten Goet, a Microsoft regional director, explains:
In the past years, enterprises would hook up the alerts that Microsoft security solutions were generating and forward them back to their on-premise SIEM solution as part of their cloud security strategy. But they are struggling to keep pace with the increasing volume and variety of data they process. Unhappy users complained about the inability of their SIEMs to scale and the volume of alerts they must investigate. Azure Sentinel is a central place to analyze your security data, across all parts of your environment. Cloud security solutions like Azure Sentinel are set to disrupt the Security Operations Center (SOC).
Azure Sentinel is able to ingest events from several Microsoft and non-Microsoft platforms, including: Azure AD Identity Protection, Microsoft Cloud Application Security, Azure Security Center, Microsoft Graph Security API, DNS, Syslog and third party telemetry including F5, Palo Alto Networks, Checkpoint, and Cisco ASA.
Microsoft wants to reduce the amount of noise that security analysts face while improving the accuracy of alerts. To address these requirements, Azure Sentinel uses AI to triage alerts and perform correlation across many different products and services. Levi explains why they have deeply invested in AI and ML technologies:
Azure Sentinel uses state of the art, scalable machine learning algorithms to correlate millions of low fidelity anomalies to present a few high fidelity security incidents to the analyst. ML technologies will help you quickly get value from large amounts of security data you are ingesting and connect the dots for you. For example, you can quickly see a compromised account that was used to deploy ransomware in a cloud application. This helps reduce noise drastically, in fact we have seen an overall reduction of up to 90 percent in alert fatigue during evaluations.
Once threats have been detected, security analysts can use the case management features of Azure Sentinel to review, triage and prioritize incidents across a SOC team. Playbooks can be established and maintained based upon Jupyter notebooks so that teams can maintain consistent and automated processes to address cyber threats.
Additional automation opportunities exist, through the use of Azure Logic Apps, a cloud-based workflow platform, which includes an out-of-box connector that allows developers to listen for Azure Sentinel events. Azure Logic Apps can then orchestrate a business process which can include creating incidents in ServiceNow, communicating with team members over Microsoft Teams and performing proactive security measures such as disabling users in Azure AD or blocking firewall IP addresses.