This article is contributed. See the original author and article here.
Customers using the cloud today are experiencing new challenges, such as rapidly changing workloads and insecure configurations, increasingly sophisticated attacks, and limited visibility into security and compliance. Rapidly changing workloads are both a strength and a challenge of the cloud. On the one hand, end-users are empowered to do more. On the other, how do you ensure that the ever-changing services people are using and creating are up to your security standards and follow security best practices? On top of this, no matter where you run your workloads, attacks are getting more sophisticated, making end-to-end visibility into your security and compliance and staying up to date with the latest threats more important than ever. Given the shortage of security professionals, organizations are consistently doing more with fewer resources, which is increasingly complicated as resources become specialized and focus on different aspects of the threat protection story. Microsoft works to empower all security professionals with the right tools to act quickly and efficiently.
Given the dynamic nature of the cloud and the constantly evolving threat landscape, we need intelligent, automated, integrated security to close the gaps, providing visibility and proactive response across the organization.
Microsoft provides SIEM and extended detection and response (XDR) tools that emphasize integration to help your security teams stay ahead of attacks. Microsoft Defender, our XDR, manifests itself in two tailored experiences: Azure Defender and M365 Defender.
Azure Defender, part of Azure Security Center, provides advanced threat protection across many resource types, including Servers, Kubernetes, Key Vault, and more.
Azure Sentinel, our cloud native SIEM, is deeply integrated with our XDR and provides security information and event management (SIEM) together with security orchestration, automation and response (SOAR).
As a starting point, refresh your understanding of Azure Security Center, Azure Defender, and Azure Sentinel by checking out this article: What’s the difference between Azure Security Center, Azure Defender and Azure Sentinel? – Microsoft Tech Community
Many customers are currently using Azure Security Center and Azure Sentinel but are looking to get the most out of both products to enhance protection and visibility across their enterprise.
Azure Security Center continuously scans your hybrid cloud environment and provides recommendations to help you harden your attack surface against threats. When Azure Defender detects attempts to compromise your system, it surfaces an alert in Azure Defender. You can conduct investigation and remediation from the Azure Defender blade, all from the same pane of glass. You can review the alert and understand which resources were affected, what the severity of the alert is, and more. Directly from the Azure Defender alert, you can also mitigate the threat or prevent future attacks by resolving the related ASC recommendations. To reduce the burden on your security team, you can also set up workflow automation, triggering an automated response for similar future alerts. By setting up a logic app to respond to similar alerts in the future, you can react faster and spend more of your time remediating alerts.
Cloud workload owners, who manage a cloud workload and its related resources, are responsible for implementing and maintaining protections in line with the organization’s security policies. These personas find value in ASC’s recommendations, which are based on out-of-the-box security initiatives and the Azure Security Benchmark. These initiatives are customized through features like secure score exemptions or adding custom policies. Cloud workload owners are typically not focused on alerts, as this is the responsibility of the Security Operations team, who monitor and respond to security alerts. The cloud workload owners concentrate on securing the infrastructure while the SecOps team responds to threats where they do occur. As such, these teams leverage different tools in support of their missions.
Cloud Workload owners will frequently leverage ASC’s recommendations blade to reduce the attack surface and harden against threats. SecOps teams will focus on monitoring alerts that do come in and working toward expedient remediation. This integration is where the Azure Security Center and Azure Sentinel better together story begins. Azure Sentinel comes with several connectors for Microsoft solutions, available out of the box and providing real-time integration. With Azure Sentinel’s built-in connector for Azure Security Center, you can stream Azure Defender alerts to Sentinel in just a few clicks. You can even stream information around security recommendations, secure score, and regulatory compliance through continuous export. Streaming updates will send information about changes in one of these categories, such as an increase in your secure score or a change in your compliance posture relative to a regulatory compliance metric.
But what if your SecOps team is interested in evaluating other sources of threats beyond Azure Defender? Beyond connectors to Microsoft solutions, Azure Sentinel has built-in connectors to the broader security ecosystem for non-Microsoft solutions.
By aggregating seemingly disparate alerts into a centralized source, Sentinel connects these alerts and builds a story. Once the data flows to Sentinel, we leverage a feature called Fusion, which employs scalable machine learning algorithms to correlate many low-fidelity alerts and events across multiple products into high-fidelity, actionable incidents. When we think about cloud security challenges, this feature provides the needed visibility and allows your security team to prioritize their time.
Note for our customers in Azure Government: Fusion is now available in Azure Government!
Once we have onboarded alerts to Sentinel through our connectors, SecOps teams can use playbooks, automation rules, and Kusto queries for further investigation, threat hunting, and automation. Graphical and AI-based analysis will reduce the time it takes to understand the full scope and its impact. You can visualize the attack and take quick actions in the same dashboard.
Automation rules help you triage incidents in Azure Sentinel. You can use them to automatically assign incidents to the right personnel, close noisy incidents or known false positives, change their severity, and add tags. They are also the mechanism by which you can run playbooks in response to incidents.
Playbooks are collections of procedures triggered from Azure Sentinel in response to an alert or incident. A playbook helps automate and orchestrate your response and is configured to run automatically when specific alerts or incidents are generated, by being attached to an analytics rule or an automation rule, respectively.
Write Kusto Query Language (KQL) statements to query log data to perform detections, analysis, and reporting in Azure Sentinel. Simple actions like querying the log data allow Sentinel to bring value and turn the multiple data sources into meaningful, actionable information. These intelligent response and automation methods enable your team to quickly and efficiently address alerts and allow you to focus your time on high-priority items, which is increasingly important as we continue to do more with fewer resources in this space.
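As an added example (not part of the original post), the following KQL hunting query ties the two halves of the story together: it takes the Azure Defender alerts streamed into Sentinel through the Azure Security Center connector and, for each affected resource, lists the ASC recommendations that are still unhealthy according to continuous export into the same Log Analytics workspace. It assumes the SecurityAlert and SecurityRecommendation tables with the column names used below; confirm them against your own workspace schema before using the query in an analytics rule.

```kusto
// Added example, not from the original post. Assumes Azure Defender alerts
// arrive in SecurityAlert via the ASC connector and that continuous export
// writes ASC recommendations into SecurityRecommendation in this workspace.
let alertLookback = 24h;
let recLookback = 30d;   // continuous export only writes rows on change, so look further back
// Azure Defender alerts from the last day; ResourceId is normalised for joining.
let defenderAlerts =
    SecurityAlert
    | where TimeGenerated > ago(alertLookback)
    | where ProductName == "Azure Security Center"
    | where AlertSeverity in ("High", "Medium")
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity,
              CompromisedEntity, Status, ResourceId = tolower(ResourceId);
// Latest known state of every recommendation per resource, keeping only
// the ones that are still open (Unhealthy).
let openRecs =
    SecurityRecommendation
    | where TimeGenerated > ago(recLookback)
    | summarize arg_max(TimeGenerated, RecommendationDisplayName,
                        RecommendationSeverity, RecommendationState)
        by ResourceId = tolower(AssessedResourceId), RecommendationName
    | where RecommendationState == "Unhealthy"
    | project ResourceId, RecommendationName, RecommendationDisplayName,
              RecommendationSeverity;
// Each alert with the set of unresolved recommendations on the same resource.
// A resource with an alert and many open recommendations is a candidate for
// both SecOps investigation and workload-owner hardening.
defenderAlerts
| join kind=leftouter openRecs on ResourceId
| summarize OpenRecommendations = make_set(RecommendationDisplayName),
            OpenRecommendationCount = dcountif(RecommendationName,
                                               isnotempty(RecommendationName))
    by AlertTime, AlertName, AlertSeverity, CompromisedEntity, Status, ResourceId
| order by AlertSeverity asc, OpenRecommendationCount desc
```

Running this as a scheduled analytics rule with the resource entity mapped lets an automation rule or playbook route incidents whose affected resource also has many open recommendations to the cloud workload owner as well as to SecOps.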
Coupling these two products gives us an integrated end-to-end detection, investigation, and response platform for protecting cloud workloads. With Azure Security Center, we gain visibility into our cloud environment and can address recommendations to help us harden our attack surface. Azure Defender provides visibility where we do see threats or attempts to compromise our system. From there, we can stream these alerts to Sentinel for further investigation and threat hunting. Automated responses in Sentinel facilitate risk mitigation and let us focus on what’s important.
Integrating these tools also allows the different personas focused on defending workloads in an organization to have visibility into what matters to them. For example, even if a cloud workload owner suppresses an alert, it will still create an incident in Sentinel, which surfaces in a dismissed state. This process lets each team focus on its own aspect of the threat protection story. This integration enables security analysts to receive actionable information, reducing time to action and enabling decision-making.
Check out this video for more: Video | Better together for US government: Azure Security Center + Azure Sentinel | Azure Government (microsoft.com)
Get Started with Azure Security Center and Azure Sentinel and Learn More About Security with Microsoft
Below are additional resources for learning more about security with Microsoft. Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity or visit our website for the latest news and cybersecurity updates.
- Get Started with Azure Security Center
- Get Started with Azure Sentinel
- Announcing the Azure Sentinel: Zero Trust (TIC3.0) Workbook
- What’s New: Cybersecurity Maturity Model Certification (CMMC) Workbook
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.