By Insight Editor / 9 Feb 2024 / Topics: Data and AI Cybersecurity
In the modern era of digitalisation, identity has become the security perimeter. Today’s security teams face numerous challenges, including the speed and sophistication of threats and the exponential growth of endpoints, assets and the logs they generate. Corporate security teams are drowning in the volumes of data produced by digital assets. Data volumes increase every day as more operations are digitised, so the ability to triage quickly is essential. The time window to respond when under attack is short; advanced adversaries typically need only hours to gain access, elevate privileges and exfiltrate data.
Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution built to give security analysts a powerful tool for detecting and responding to cyberattacks. Sentinel’s SOAR capability is fully customisable and allows security teams to write playbooks that can, if desired, automate the entire response to a security event. For example, once Microsoft Sentinel identifies a malicious domain, it can trigger a playbook that automatically adds a block rule for that domain to the company’s firewalls.
For the past decade, SOC leaders have tried to leverage SIEM technologies to establish a “single pane of glass” for their security operations. A “single pane of glass” means using the SIEM to identify and investigate security issues, which in turn means that large volumes of data must be ingested, processed, correlated and stored. Unfortunately, early SIEM technologies made this single-pane-of-glass view difficult to achieve because of the constant need to buy and install more hardware to handle growing data volumes. SOC leaders faced a variety of challenges, including the following:
Microsoft Sentinel is Microsoft’s cloud-native SIEM and SOAR solution. It is the first SIEM solution built into a major public cloud platform, and it empowers security operations centre (SOC) teams by leveraging cloud-native capabilities and addressing the traditional SIEM SecOps challenges by:
Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting and threat response. Sentinel natively incorporates proven foundation services from Azure, such as Log Analytics and Logic Apps, and it enriches investigation and detection with Artificial Intelligence (AI) in conjunction with Microsoft's threat intelligence stream. The diagram below depicts the major Microsoft Sentinel components.
Threat hunting is the process of iteratively searching through a variety of data with the objective of identifying threats in the systems. It involves forming hypotheses about the attackers’ behaviour, then researching those hypotheses and the techniques the attackers used in order to determine which artifacts they left behind. As the figure below shows, Tier 3 is responsible for proactive hunting and advanced forensics. The goal of this team is to perform analysis that identifies anomalies which may indicate advanced adversaries. Most incidents are remediated at Tiers 1 and 2; only unprecedented findings or deviations from the norm are escalated to Tier 3 teams.
Microsoft Sentinel has a dedicated threat hunting capability designed specifically for hunt teams and Tier 3 analysts, and it ships with built-in hunting queries written and tested by Microsoft security researchers and engineers. Within Sentinel, an analyst can create a new query, modify existing queries, bookmark, annotate and tag interesting findings, and launch a more detailed investigation.
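As an added illustration of the hypothesis-driven hunting described above (example code written for this page, not one of Sentinel’s built-in hunting queries), the following Kusto Query Language (KQL) query tests one hypothesis: an attacker is password-spraying, so a single source IP produces failures against many distinct accounts and then achieves at least one successful sign-in. It assumes the Microsoft Entra ID `SigninLogs` table is connected to the Log Analytics workspace; the threshold of 10 targeted accounts and the one-day lookback are assumptions an analyst would tune to their environment.

```kql
// Hypothesis: password spray followed by a successful sign-in from the same IP.
// Assumes the SigninLogs table (Entra ID sign-in data) is ingested into the workspace.
let lookback = 1d;              // assumed hunting window; tune per environment
let minTargetedAccounts = 10;   // assumed threshold for "many distinct accounts"
// Step 1: source IPs that failed against many distinct accounts.
let sprayers =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"   // ResultType "0" is success; anything else is a failure code
    | summarize FailedAttempts = count(),
                TargetedAccounts = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
        by IPAddress
    | where TargetedAccounts >= minTargetedAccounts;
// Step 2: successful sign-ins in the same window, keyed by source IP.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessTime = TimeGenerated, SucceededAccount = UserPrincipalName;
// Step 3: keep only successes that occurred after the spraying activity,
// which is the part of the hypothesis that separates a spray from ordinary noise.
sprayers
| join kind=inner successes on IPAddress
| where SuccessTime > LastFailure
| project IPAddress, FailedAttempts, TargetedAccounts, FirstFailure, LastFailure,
          SucceededAccount, SuccessTime
| order by FailedAttempts desc
```

Each row returned is a candidate finding that an analyst can bookmark, tag and annotate in Sentinel’s hunting blade before opening an investigation; the projected columns (source IP, the account that eventually succeeded and the timing of the spray) are the facts the Tier 3 analyst needs to confirm or reject the hypothesis and to decide whether to escalate into an incident.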