Microsoft Azure Sentinel - Next Generation SIEM+SOAR born in the Cloud Lilja Fjeldsted CISSP – CISM - CISA 12.09.2019
Page 1: Microsoft Azure Sentinel - Next Generation SIEM+SOAR born in the Cloud

Lilja Fjeldsted

CISSP – CISM - CISA

12.09.2019

Page 2: Security Operations Team

Expanding digital estate

Page 3: What is SIEM

© Microsoft Corporation Azure

According to a 2018 Gartner report:

“Gartner defines the security and information management (SIEM) market by the customer’s need to analyze event data in real time for early detection of targeted attacks and data breaches, and to collect, store, investigate and report on log data for incident response, forensics and regulatory compliance… SIEM technology aggregates event data produced by security devices, network infrastructure, systems and applications… The technology provides real-time analysis of events for security monitoring, query and long-range analytics for historical analysis and other support incident investigation and management, and reporting (e.g., for compliance requirements).”

What does ‘cloud-native SIEM’ mean?

Cloud-based SIEM offerings are an emerging market category that the traditional SIEM market is moving towards. In its Innovation Insights for SIEM as a Service, Gartner states that “by 2020, 25% of new security information and event management (SIEM) technology implementations will be delivered as a service, which is a substantial increase from 5% today”.

What sets Azure Sentinel apart from other SIEM SaaS vendors is that it is built in the cloud, as opposed to being adapted to the cloud “as a service”.

Page 4: How SIEM and SOC have evolved: from reactive to proactive

  • Descriptive Analysis
  • Diagnostic Analysis
  • Predictive Analysis
  • Proactive Analysis
  • Prescriptive Analysis

Page 5: Traditional SOC Challenges

  • Too many disconnected products
  • High volume of noisy alerts
  • Security skills in short supply
  • Lack of automation
  • Rising infrastructure costs and upfront investment
  • IT deployment & maintenance
  • Sophistication of threats

Page 6: Cloud + Artificial Intelligence

Security Operations Team

Page 7: Microsoft Security Advantage

  • $1B annual investment in cybersecurity
  • 3500+ global security experts
  • Trillions of diverse signals for unparalleled intelligence

Page 8: Introducing Microsoft Azure Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise

  • Collect security data across your enterprise
  • Detect threats with vast threat intelligence and AI
  • Investigate critical incidents guided by AI
  • Respond rapidly and automate protection

  • Limitless cloud speed and scale
  • Faster threat protection with AI by your side
  • Bring your Office 365 data for free
  • Easy integration with your existing tools

Page 9: Focus on security, unburden SecOps from IT tasks

  • No infrastructure setup or maintenance
  • SIEM service available in the Azure portal
  • Scales automatically, with no limits on compute or storage resources
  • Built on Azure Monitor, which leverages a proven analytics database that ingests more than 10 petabytes daily and offers a rich query language that filters millions of records in seconds to give quick insights

Page 10: Reduce security and IT costs

  • No infrastructure costs or upfront commitment
  • Only pay for what you use
  • Bring your Office 365 data for free
  • Cloud-native, scalable SIEM

Page 11: How it works

Architecture diagram labels:

  • Microsoft Services
  • Collect
  • Integrate
  • Visibility
  • Data Ingestion
  • Data Repository
  • Data Search
  • Enrichment
  • Analyze & Detect
  • Investigate & Hunt
  • Automate & Orchestrate Response

Page 12: Staying above the current threat landscape: the high volume of known attacks should be automated

  • Tier 3: Proactive hunting & advanced forensics
  • Tier 2: Deeper analysis & remediation
  • Tier 1: High speed remediation
  • Automation: Automated investigation & remediation

Diagram labels: Well known attacks; Default Alert Plan; Special cases

Page 13: Microsoft Threat Protection

A comprehensive, seamlessly integrated solution providing end-to-end security for your organization.

Components shown:

  • Microsoft 365 Security Center
  • Azure Security Center
  • 3rd party data sources
  • Azure Active Directory
  • Microsoft Defender ATP
  • Office 365 ATP
  • Microsoft Cloud App Security
  • Azure ATP
  • Microsoft Threat Protection automation
  • Microsoft Azure Sentinel (our next generation SIEM)
  • Event orchestration

Coverage areas: Cloud & Hybrid Infrastructure; Endpoints; Identities; Data & Email; Cloud Apps

Page 14: Demo: Overview dashboard and data collection

Page 15: Limitless cloud speed and scale

Page 16: Reduce security and IT costs

  • No infrastructure costs or upfront commitment
  • Only pay for what you use
  • Bring your Office 365 data for free
  • Cloud-native, scalable SIEM

Page 17: Integrate with existing tools and data sources

Page 18: Collect security data at cloud scale from all sources across your enterprise

  • Pre-wired integration with Microsoft solutions (Microsoft 365)
  • Connectors for many partner solutions
  • Standard log format support for all sources
  • Proven log platform with more than 10 petabytes of daily ingestion

Page 19: Optimize for your needs

  • Bring your own ML models & threat intelligence: bring your own insights, machine learning models, and threat intelligence
  • Security community: tap into our security community to build on detections, threat intelligence, and response automation

Page 20: Detect threats and analyze security data quickly with AI

Threat Detection and Analysis

  • Correlated rules
  • User Entity Behavior Analysis integrated with Microsoft 365
  • Bring your own ML models
  • Pre-built Machine Learning models
  • ML models based on decades of Microsoft security experience and learnings
  • Millions of signals filtered to few correlated and prioritized incidents
  • Insights based on vast Microsoft threat intelligence and your own TI
  • Reduce alert fatigue by up to 90%

Page 21: Investigate threats with AI and hunt suspicious activities at scale, tapping into years of cybersecurity work at Microsoft

  • Get prioritized alerts and automated expert guidance
  • Visualize the entire attack and its impact
  • Hunt for suspicious activities using pre-built queries and Azure Notebooks
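As an added illustration of the hunting queries the slide refers to (this is not from the deck or Microsoft's built-in query set), a Kusto Query Language hunting query of the kind run in the Azure Sentinel Log Analytics workspace. It assumes the Azure Active Directory data connector is enabled so the SigninLogs table exists, and the lookback window and threshold are constructed values to tune per environment.

```kql
// Constructed hunting query: find source IPs that fail sign-in for many
// distinct accounts within the window and then succeed for at least one.
// Assumes the Azure AD SigninLogs table (ResultType "0" means success).
let lookback = 1h;               // constructed value: tune per environment
let distinctUserThreshold = 20;  // constructed value: tune per environment
let failedByIp =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize
        FailedAttempts = count(),
        DistinctUsers = dcount(UserPrincipalName),
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated)
      by IPAddress
    | where DistinctUsers >= distinctUserThreshold;
let successByIp =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessUser = UserPrincipalName, SuccessTime = TimeGenerated;
failedByIp
| join kind=inner successByIp on IPAddress
// Only keep successes that happened after the burst of failures began
| where SuccessTime > FirstFailure
| project IPAddress, DistinctUsers, FailedAttempts, FirstFailure, LastFailure, SuccessUser, SuccessTime
| order by DistinctUsers desc, SuccessTime asc
```

Each result row is a candidate for investigation (the IP, the breadth of failures, and the account that subsequently succeeded); the same logic can be saved as a scheduled analytics rule so that matches become incidents rather than ad hoc hunt results.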

Page 22: Respond rapidly with built-in orchestration and automation

Build automated and scalable playbooks that integrate across tools:

  • Security Products
  • Ticketing Systems (ServiceNow)
  • Additional tools

Page 23: Demo: Threat detection, investigation and response

Page 24: What our partners and early adopters say about Azure Sentinel

“Azure Sentinel provides a unique and cloud centric security incident and event management solution that is both simple to deploy and able to manage complex hybrid customer environments.”

Jeff Dunmall, Executive Vice President of Global Managed Services

“My team has the upper hand with Azure Sentinel. I get unbridled capacity, and the built-in AI and threat intelligence based on Microsoft’s years of cybersecurity experience really helps my team focus on keeping our clients secure vs managing infrastructure and threat feeds.”

Andrew Winkelmann, Global Security Consulting Practice Lead

Page 25: Take actions today

  • Connect data sources
  • To learn more, visit https://aka.ms/AzureSentinel
  • Start Microsoft Azure
  • Open the Azure Sentinel preview dashboard in the Azure Portal