Microsoft Azure Sentinel: Next Generation SIEM+SOAR born in the Cloud
Lilja Fjeldsted
CISSP, CISM, CISA
12.09.2019
Security Operations Team: expanding digital estate
What is SIEM
© Microsoft Corporation Azure
According to a 2018 Gartner report:
“Gartner defines the security and information management (SIEM) market by the customer’s need to analyze event data in real time for early detection of targeted attacks and data breaches, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance… SIEM technology aggregates event data produced by security devices, network infrastructure, systems and applications… The technology provides real-time analysis of events for security monitoring, query and long-range analytics for historical analysis and other support incident investigation and management, and reporting (e.g., for compliance requirements).”
What does ‘cloud-native SIEM’ mean?
Cloud-based SIEM offerings are an emerging market category that the traditional SIEM market is moving towards. In its Innovation Insights for SIEM as a Service, Gartner states that “by 2020, 25% of new security information and event management (SIEM) technology implementations will be delivered as a service, which is a substantial increase from 5% today”.
What sets Azure Sentinel apart from other SIEM SaaS vendors is that it is built in the cloud, as opposed to being adapted to the cloud “as a service”.
How SIEM and SOC have evolved: from reactive to proactive
Descriptive Analysis
Diagnostic Analysis
Predictive Analysis
Proactive Analysis
Prescriptive Analysis
Traditional SOC Challenges
Too many disconnected products
High volume of noisy alerts
Security skills in short supply
Lack of automation
Rising infrastructure costs and upfront investment
IT deployment & maintenance
Sophistication of threats
Cloud + Artificial Intelligence
Security Operations Team
Microsoft Security Advantage
$1B annual investment in cybersecurity
3500+ global security experts
Trillions of diverse signals for unparalleled intelligence
Introducing Microsoft Azure Sentinel
Cloud-native SIEM for intelligent security analytics for your entire enterprise
Collect security data across your enterprise
Detect threats with vast threat intelligence and AI
Investigate critical incidents guided by AI
Respond rapidly and automate protection
Limitless cloud speed and scale
Faster threat protection with AI by your side
Bring your Office 365 data for free
Easy integration with your existing tools
Focus on security, unburden SecOps from IT tasks
No infrastructure setup or maintenance
SIEM Service available in Azure portal
Scales automatically, with no limits on compute or storage resources
Built on Azure Monitor, which leverages a proven analytics database that ingests more than 10 petabytes daily and offers a rich query language that filters millions of records in seconds to give quick insights
Reduce security and IT costs
No infrastructure costs or upfront commitment
Only pay for what you use
Bring your Office 365 Data for free
Cloud-native, scalable SIEM
How it works
Collect and integrate: Microsoft services and third-party sources
Data ingestion, data repository and data search
Enrichment and visibility
Analyze & detect
Investigate & hunt
Automate & orchestrate response
Staying above the current threat landscape: the high volume of known attacks should be automated
Automation: automated investigation & remediation
Tier 1: high-speed remediation
Tier 2: deeper analysis & remediation
Tier 3: proactive hunting & advanced forensics
Well-known attacks
Default alert plan
Special cases
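The "how it works" pipeline (collect, enrich, analyze & detect, automate & orchestrate) and the tiering slide above (well-known attacks handled by automation, special cases escalated to analyst tiers) can be shown end to end in a few functions. The Python below is an added illustration written for this page; it is not Azure Sentinel or Microsoft code. The two source formats, the field names, the threat-intelligence entry, the privileged-user inventory, the detection rules and the tier routing policy are all constructed assumptions for the example, as are the sample events.

```python
"""Toy SIEM pipeline: ingest -> normalize -> enrich -> detect -> correlate -> route.
Added illustration for this page; not Azure Sentinel code. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed threat-intelligence feed (documentation address, not a real indicator).
TI_BAD_IPS = {"198.51.100.9"}
# Constructed asset context: privileged accounts and the corporate address prefix.
PRIVILEGED_USERS = {"alice"}
CORPORATE_PREFIX = "10.0.0."

# Constructed raw records in two different source formats, as a collector would receive them.
RAW_EVENTS = [
    ("auth", {"time": 100 + i, "username": "alice", "client_ip": "203.0.113.7", "outcome": "FAILURE"})
    for i in range(5)
] + [
    ("auth", {"time": 106, "username": "alice", "client_ip": "203.0.113.7", "outcome": "SUCCESS"}),
    ("proxy", {"ts": 200, "user": "bob", "src": "10.0.0.5", "dst": "198.51.100.9", "verdict": "allow"}),
    ("auth", {"time": 300, "username": "carol", "client_ip": "10.0.0.8", "outcome": "SUCCESS"}),
]


def normalize(source, rec):
    """Map each source's own field names onto one common schema (the ingestion step)."""
    if source == "auth":
        return {"ts": rec["time"], "source": source, "user": rec["username"],
                "src_ip": rec["client_ip"], "dst_ip": None,
                "result": "success" if rec["outcome"] == "SUCCESS" else "fail"}
    if source == "proxy":
        return {"ts": rec["ts"], "source": source, "user": rec["user"],
                "src_ip": rec["src"], "dst_ip": rec["dst"], "result": rec["verdict"]}
    raise ValueError(f"unknown source {source}")


def enrich(ev):
    """Attach context: TI hits, privileged user, internal origin (the enrichment step)."""
    ev["ti_hit"] = ev["dst_ip"] in TI_BAD_IPS or ev["src_ip"] in TI_BAD_IPS
    ev["privileged"] = ev["user"] in PRIVILEGED_USERS
    ev["internal"] = ev["src_ip"].startswith(CORPORATE_PREFIX)
    return ev


@dataclass
class Alert:
    rule: str
    severity: str
    entity: str                      # correlation key (the user account here)
    well_known: bool                 # True when a vetted playbook exists for the pattern
    playbook: Optional[str] = None   # hypothetical playbook name


def detect(events, threshold=5):
    """Evaluate three constructed rules over the normalized, enriched events."""
    alerts = []
    fails = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src_ip"])
        if ev["source"] == "auth":
            if ev["result"] == "fail":
                fails[key] += 1
            elif fails[key] >= threshold:
                # Rule 1: many failures followed by a success from the same source.
                alerts.append(Alert("BruteForceThenSuccess", "High", ev["user"], True, "block_ip_reset_password"))
                fails[key] = 0
            if ev["result"] == "success" and ev["privileged"] and not ev["internal"]:
                # Rule 2: privileged account used from outside corporate space; needs an analyst.
                alerts.append(Alert("PrivilegedLoginExternal", "Medium", ev["user"], False))
        if ev["ti_hit"]:
            # Rule 3: traffic involving a known-bad indicator; well understood, playbook exists.
            alerts.append(Alert("ThreatIntelMatch", "Medium", ev["user"], True, "block_ip_at_proxy"))
    return alerts


@dataclass
class Incident:
    entity: str
    alerts: list = field(default_factory=list)

    @property
    def severity(self):
        return max((a.severity for a in self.alerts), key=SEVERITY.get)


def correlate(alerts):
    """Group alerts onto one incident per entity, highest severity first, so analysts
    see a few prioritized cases instead of every raw signal."""
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a.entity].append(a)
    incidents = [Incident(e, al) for e, al in by_entity.items()]
    return sorted(incidents, key=lambda i: SEVERITY[i.severity], reverse=True)


def route(incident):
    """Hypothetical routing policy after the tier slide: incidents made only of well-known
    patterns go straight to automation; anything needing judgement goes to a tier by severity."""
    if all(a.well_known for a in incident.alerts):
        return "Automation: " + ", ".join(a.playbook for a in incident.alerts)
    level = SEVERITY[incident.severity]
    if level >= SEVERITY["Critical"]:
        return "Tier 3"
    if level >= SEVERITY["High"]:
        return "Tier 2"
    return "Tier 1"


def run_pipeline(raw=RAW_EVENTS):
    """Return (entity, severity, alert count, destination) per incident."""
    events = [enrich(normalize(src, rec)) for src, rec in raw]
    incidents = correlate(detect(events))
    return [(i.entity, i.severity, len(i.alerts), route(i)) for i in incidents]


if __name__ == "__main__":
    for row in run_pipeline():
        print(row)
```

With the constructed input, alice's brute-force alert is joined with the privileged-external-login alert into one High incident; because one of its alerts has no playbook the incident goes to Tier 2, while bob's single TI match is fully known and is dispatched to the proxy-block playbook without an analyst. Carol's normal login produces nothing, which is the point of correlating before paging anyone.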
Microsoft Threat Protection: a comprehensive, seamlessly integrated solution providing end-to-end security for your organization.
Microsoft 365 Security Center
Azure Security Center
3rd party data sources
Azure Active Directory
Microsoft Defender ATP
Office 365 ATP
Microsoft Cloud App Security
Azure ATP
Microsoft Threat Protection automation
Microsoft Azure Sentinel: our next generation SIEM
Event orchestration
Cloud & hybrid infrastructure, endpoints, identities, data & email, cloud apps
Demo: Overview dashboard and data collection
Integrate with existing tools and data sources
Pre-wired integration with Microsoft solutions
Connectors for many partner solutions
Standard log format support for all sources
Collect security data at cloud scale from all sources across your enterprise
Proven log platform with more than 10 petabytes of daily ingestion
Microsoft 365
Bring your own insights, machine learning models, and threat intelligence
Tap into our security community to build on detections, threat intelligence, and response automation.
Optimize for your needs
Bring your own ML models & threat intelligence
Security community
Correlated rules
User Entity Behavior Analysis integrated with Microsoft 365
Pre-built machine learning models
Threat detection and analysis
ML models based on decades of Microsoft security experience and learnings
Millions of signals filtered to few correlated and prioritized incidents
Insights based on vast Microsoft threat intelligence and your own TI
Reduce alert fatigue by up to 90%
Detect threats and analyze security data quickly with AI
Investigate threats with AI and hunt suspicious activities at scale, tapping into years of cybersecurity work at Microsoft
Get prioritized alerts and automated expert guidance
Visualize the entire attack and its impact
Hunt for suspicious activities using pre-built queries and Azure Notebooks
Respond rapidly with built-in orchestration and automation
Build automated and scalable playbooks that integrate across tools: security products, ticketing systems (ServiceNow), additional tools
Demo: Threat detection, investigation and response
What our partners and early adopters say about Azure Sentinel
“Azure Sentinel provides a unique and cloud-centric security incident and event management solution that is both simple to deploy and able to manage complex hybrid customer environments.”
Jeff Dunmall, Executive Vice President of Global Managed Services
“My team has the upper hand with Azure Sentinel. I get unbridled capacity, and the built-in AI and threat intelligence based on Microsoft’s years of cybersecurity experience really helps my team focus on keeping our clients secure vs managing infrastructure and threat feeds.”
Andrew Winkelmann, Global Security Consulting Practice Lead
Take action today
Connect data sources
To learn more, visit https://aka.ms/AzureSentinel
Start Microsoft Azure
Open the Azure Sentinel preview dashboard in the Azure Portal