Business networks are very complex, and so is security management on them. The number of devices is huge, even in businesses of moderate size. Each one is a potential target. The number of threats on the Internet seems overwhelming, and new ones keep appearing.
Security administrators face a huge burden. Protective software is available, from firewalls to anti-malware protection to intrusion detection, and every IT department uses it. The problem is that it generates a huge amount of information. Most of it points at easily thwarted attacks or unusual but harmless patterns of activity. Finding the real risks requires getting past many false alarms. Better ways of managing security information are needed.
To meet this need, Microsoft is introducing Azure Sentinel. Its aim is to bring all of an enterprise’s security information together in one cloud service. It promises to greatly reduce the number of false or redundant alerts, letting admins zero in on real problems. They will have an overview in one place of the company’s security status, including multiple cloud services and on-premises systems.
What is Azure Sentinel?
Microsoft calls Sentinel the “first cloud-native SIEM [security information and event management] within a major cloud platform.” A number of cloud-based SIEMs already exist, but they’re third-party products. The distinctive feature of Sentinel is that it’s a native part of the Azure platform, with all the support Microsoft can be expected to throw behind it.
Sentinel is built on Azure Log Analytics but adds a lot more power. It runs under the Azure portal for centralized management and a complete overview of the extended network. Integrations let it work with data in various formats and many sources. Collecting information from Office 365 is built in.
Extensive use of artificial intelligence lets Sentinel analyze large amounts of event data and distinguish threats from glitches. It works with threat intelligence providers to match the data against the latest threats.
Currently Sentinel is in public preview status. It’s available to use for free, though there may be charges for the services it invokes. There is no SLA, and Microsoft doesn’t recommend it for production use. Pricing hasn’t been announced yet. The public preview is an excellent opportunity to try it out and get familiar with it before its release as a commercial product.
Business-wide security management
Business networks are complex and have fuzzy boundaries. They include on-premises systems and cloud services. Often more than one cloud provider is involved. Personal devices, including mobile phones and home computers on a VPN, come and go. Shadow IT brings in devices which administrators don’t know about.
Administrators have the task of keeping it all secure. They need to be aware of issues everywhere on the network. It’s not enough to watch the perimeter; they have to identify internal threats as well.
Security software is necessary, but it can’t always tell what constitutes a real threat. In a well-protected network, most attacks are so ineffective that they don’t require any intervention. Unusual patterns of usage are often entirely legitimate. If all of these events trigger alerts, administrators will waste too much of their time probing situations that pose little or no risk.
New threats appear daily. Not everything fits a known threat signature, so protective software relies on behavioral patterns to catch zero-day threats. This approach is inevitably inexact. Too high a threshold for reporting leaves important issues out, but too many notifications make it hard to stay alert. What’s needed is enough intelligence to weed out the false alarms.
Doing more with less
Finding top-quality security people is hard. There aren’t enough of them. The solution to the information management problem isn’t to put more people on it, but to make them more productive. SIEM software needs to reduce the amount of noise in the information they receive and make it easier to understand.
Redundant information gets in the way, even when it identifies a serious issue. Multiple notifications are useful to make sure the admin has noticed, but they should make it clear when they all refer to the same issue. Sentinel collects alerts into “cases” to identify closely related events.
Behavioral threat identification needs to be accurate to be useful. By correlating all events across the network, Sentinel has more information to go by. It applies artificial intelligence methods and the latest threat intelligence information to gauge the likelihood that an anomaly is a threat and not just a legitimate jump in traffic.
Sentinel in the Azure environment
The market for Sentinel is businesses that use Azure or are considering it, but users of multiple cloud services aren’t left out. It’s designed to be integrated with security tools, including custom-developed ones. Its architecture is extensible, using a REST API to accept information from diverse sources.
Microsoft-specific integrations include Azure Active Directory, Azure Advanced Threat Protection, Microsoft Cloud App Security, and Office 365. Some of the non-Microsoft integrations currently available are Cisco ASA, Palo Alto Networks, Amazon AWS, Fortinet, and Barracuda. The software can import Common Event Format and Syslog data from any source. Third-party developers can create integrations using the Sentinel API, so any data source can contribute information.
Businesses have many ways of tracking issues. Sentinel supports playbooks to automate communication with issue tracking and other security systems. Playbooks, based on Azure Logic Apps, provide a simple way to configure automated tasks.
Like other Azure services, Sentinel can scale up to as much capacity as the situation requires. Customers will pay only for the amount of service they use, without any up-front cost.
The Sentinel dashboard
The dashboard gives the administrator an overview of all the business systems it covers. Clicking on any of the displayed elements brings up more information on that item. The toolbar shows the number of alerts that events have triggered, and the dashboard shows analytic information organized by cases.
The administrator can enter queries or call up saved ones to filter and analyze information. The query can return information in text or graphic form. A world map display shows where malicious events originated, based on their IP address.
Many task-specific dashboards are available. Each one deals with certain types of information and provides appropriate visualizations. Internally, a dashboard is a data description which contains queries, layouts, and external references. Administrators can install whichever ones best suit their needs.
Alerts and automated responses
Admins can create detection rules to specify criteria for events. This involves writing a query and specifying how frequently to run it. A rule can trigger an alert for the admin, with a designated severity.
To automate a response, the administrator creates a playbook. It can send notifications, create an item in a ticketing system, and initiate other actions. A playbook can run manually or be triggered by an alert. The actual work is done by processes which the playbook invokes, so there is almost unlimited flexibility on how to respond to an alert.
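As an added illustration (not code from this page or from Microsoft), the following Python script shows the pieces described above in miniature: it parses constructed CEF-over-syslog lines like those a firewall or VPN gateway would forward, runs two scheduled-style detection rules that emit alerts with a severity, and groups alerts that share a source into one case, which is where a playbook would pick them up. Vendor, product, user names and IP addresses are placeholders, and the parser assumes the seven CEF header fields contain no escaped pipe characters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CEF-over-syslog sample, as a VPN gateway might forward it (placeholder names/IPs).
SAMPLE_CEF = """\
2019-03-01T10:00:05Z gw1 CEF:0|ExampleVendor|ExampleVPN|1.0|100|Login failed|5|src=203.0.113.7 suser=alice
2019-03-01T10:00:20Z gw1 CEF:0|ExampleVendor|ExampleVPN|1.0|100|Login failed|5|src=203.0.113.7 suser=bob
2019-03-01T10:00:40Z gw1 CEF:0|ExampleVendor|ExampleVPN|1.0|100|Login failed|5|src=203.0.113.7 suser=carol
2019-03-01T10:01:00Z gw1 CEF:0|ExampleVendor|ExampleVPN|1.0|101|Login succeeded|1|src=203.0.113.7 suser=carol
2019-03-01T10:01:30Z gw1 CEF:0|ExampleVendor|ExampleVPN|1.0|101|Login succeeded|1|src=198.51.100.9 suser=dave
"""
HEADER = ["version", "vendor", "product", "dev_version", "sig_id", "name", "severity"]
SEV = {"Low": 1, "Medium": 2, "High": 3}  # rank so the highest severity wins in a case

def parse_cef(line):
    """Parse one syslog-wrapped CEF line (assumes no escaped '|' inside the 7 header fields)."""
    ts, _host, cef = line.split(" ", 2)
    fields = cef[len("CEF:"):].split("|", 7)
    event = dict(zip(HEADER, fields))
    event["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    # Extension: space-separated key=value pairs; a value runs until the next key.
    event.update(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", fields[7]))
    return event

def run_rules(events, threshold=3, window=timedelta(minutes=5)):
    """Two detection rules of the kind a scheduled query would implement; each yields alerts."""
    alerts, by_src = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        fails = [e for e in evs if e["sig_id"] == "100"]
        # Rule 1: at least `threshold` failed logins from one source inside the window.
        if any(fails[i + threshold - 1]["time"] - fails[i]["time"] <= window
               for i in range(len(fails) - threshold + 1)):
            alerts.append({"rule": "Failed-login burst", "severity": "High", "src": src})
        # Rule 2: a successful login from a source that had already failed before it.
        for e in evs:
            if e["sig_id"] == "101" and fails and e["time"] > fails[0]["time"]:
                alerts.append({"rule": "Success after failures", "severity": "Medium", "src": src, "user": e["suser"]})
    return alerts

def group_into_cases(alerts):
    """Collapse alerts sharing a source IP into one case, the way Sentinel groups related alerts."""
    cases = defaultdict(list)
    for a in alerts:
        cases[a["src"]].append(a)
    return {src: {"severity": max((a["severity"] for a in al), key=SEV.get),
                  "rules": sorted({a["rule"] for a in al})} for src, al in cases.items()}
```

Running `group_into_cases(run_rules([parse_cef(l) for l in SAMPLE_CEF.splitlines()]))` yields a single High-severity case for 203.0.113.7 carrying both rule hits, while the lone success from 198.51.100.9 raises nothing.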
The admin can drill down into specific data using multiple stored queries, repeating the process to home in on suspected areas. Microsoft calls this “hunting.” The results highlight abnormal types of activity and make it possible to locate the process, user, or machine they’re associated with.
Graphic output makes it easier to spot abnormal situations. If an activity exceeds a threshold, it will stand out on a graph, showing when and where it occurred.
Azure Notebooks, based on Jupyter interactive notebooks, are a way to encapsulate code and data in a document and expand on the hunting capabilities. A notebook specifies a workflow and provides visualizations for a particular use case. Sentinel includes built-in notebooks for alert investigation, endpoint host examination, and Office login analysis.
The Sentinel community
Microsoft is encouraging third-party contributions. It has a GitHub site with dashboards, playbooks, notebooks, queries, and more. The content is available under the MIT open source license. Users can download the code, using it as is or customizing it to their own needs. Developers can contribute to the site after accepting a Contributor License Agreement.
Taming the chaos of security data
To maintain security in all their systems, administrators have to isolate and identify real issues. The problem is too much data, not too little. The information comes from multiple products created by different vendors in different formats. Azure Sentinel provides a wealth of tools to bring all the information together. Its analytics let admins distinguish problems that need action from legitimate activity and ineffective probing.
Having to deal separately with each system is time-consuming, and it doesn’t give a big picture. Sentinel brings security analytics together in one cloud service, letting admins find problems more quickly and reliably. Its AI-based approach reduces the ratio of false alarms to genuine concerns. Its ability to work with third-party products makes it suitable for heterogeneous environments.
Sentinel isn’t available as a polished product yet, but the preview phase gives businesses a chance to experiment with it and decide whether it should have a place in their plans. Many of them will find it lets them identify security issues more reliably, making all their operations safer and more dependable. Contact us to learn about all the ways we can improve the performance and safety of your Microsoft cloud services.