Empower your security operations with Azure Sentinel

January 5, 2020 posted by

>>Hello everyone, welcome to the Azure Security Expert Series. I’m Ann Johnson and I lead Microsoft’s Cybersecurity Solutions Group. In this episode, we’re going to focus on how to empower your security operations teams with Azure Sentinel, Microsoft’s SIEM solution that was born in the Cloud. We will hear from Microsoft experts like John Lambert, who will show us how Azure Sentinel was used during our public preview to defend against previously undetected attacks. Steve Dispensa will also share with us how Azure Sentinel will help you modernize your security operations. We will also get to hear from our partner Accenture and one of our early preview customers, RapidDeploy, on how they are using Azure Sentinel to strengthen the security of their organization. If you have any questions during this presentation, please use the chat window. Microsoft security experts are online to answer your questions throughout the entire session.

Now, as part of my job I get to meet security teams from virtually every industry around the world. They’re doing amazing work to protect their organizations. This allows me to see and to understand how they are striving to keep up with the pace and the scale of cyberattacks. Traditional security information and event management solutions have not kept pace with the digital environment. I commonly hear from customers that they are spending more time with deployment and maintenance of SIEM solutions, and they are unable to handle the volume of data or the agility of our adversaries. This is why Microsoft knew the Cloud was critical to the SIEM solution. The Cloud enables a new class of intelligent security technologies to reduce complexity, and to integrate with the tools that you depend upon. Azure Sentinel is that Cloud-native SIEM, which enables security across the entirety of your enterprise in a very intelligent way. It has been available in public preview since March of this year, and we are thankful for this overwhelming response. More than 12,000 customers have joined us in this preview program. So together with you as our design partners, we have continuously evolved the service capabilities to match our growing needs. I’m ecstatic to announce that Azure Sentinel is now generally available. It’s ready for you to protect your organization.

With Azure Sentinel, you do not need to deploy or maintain any infrastructure On-Prem; you can just scale automatically in the Cloud as you need. Azure Sentinel collects and analyzes data from all sources, On-Prem to Azure itself, and even throughout other Cloud environments. And it provides built-in artificial intelligence and automation to help you respond to threats faster. Of course, it’s also backed by Microsoft’s unique threat intelligence gained from analyzing trillions of diverse signals globally on a daily basis. Azure Sentinel blends the insights of Microsoft experts and artificial intelligence with the unique insights and skills of your own in-house defenders to uncover the most sophisticated attacks. To show how Azure Sentinel will help defend against threats with real case examples, let me introduce you to John Lambert, a distinguished engineer and General Manager here at Microsoft. John is the founder and head of the Microsoft Threat Intelligence Center, which we call MSTIC. This is our center of excellence for security research, and its members develop security infrastructure, detections, and programs for many Microsoft Security offerings. John, over to you.

>>Thanks, Ann. I founded the Microsoft Threat Intelligence Center five years ago to focus on adversary-based threats to Microsoft’s customers. Attackers study customers, they study technology; we study back. Over 12,000 customers signed up to use the preview. We worked with Azure Sentinel customers to understand their data, and collaborated on threat scenarios. I’ll show you how we used Azure Sentinel with them and how it improved their operations.

One thing we know is that defenders need data. Security teams need data from all over the network; it’s how we see. Our customers want to get access to their common data sources quickly. That’s why there are built-in connectors for Azure AD, Office 365, Microsoft Cloud App Security, and Palo Alto Networks; we’ll use them all today. Let me start with Office 365 and MCAS, and show a feature called Fusion. The SOC needs their SIEM to work for them. Insight comes from seeing unrelated events linked together. The reality is that the SOC deals with a lot of alerts for benign activity because their SIEM has no context. With Fusion behind the scenes, Azure Sentinel is mapping activity from alerts to the kill chain. It uses machine learning and a basic probability model to constrain edges. It builds connections using a stochastic process, similar to how epidemics and outbreaks are modeled. It calculates a kill chain connectivity metric which is then used for scoring. Let’s look at this alert. The first alert was a user logging in from an unusual location. The second was a forwarding rule that was added to the account’s mailbox to forward email on. Fusion linked these two alerts together and identified an attacker progressing forward in the kill chain to steal data.

A SOC analyst is going to want to validate this alert. We watched how SOC analysts treat alerts and built these steps into Azure Sentinel. Attackers think in graphs, and with the Investigation graph feature defenders can do so too. If you click “Investigate” from an alert, you’ll be able to see all the relevant entities. You can see related alerts from any of the entities; we click on the “User” here. We can see all the entities, whether they’re the user accounts, IP addresses, or other various alerts. And if we want to see the raw events, we can click “Events” and drop right down into the logs at the right spot. And then Azure Sentinel has a timeline view so that we can go and see all the aspects of the investigation in sequence here, from the anomalous access here to the suspicious inbox forwarding rule.

After investigating, the SOC is going to need to remediate. Azure Sentinel makes it easy with Playbooks. We built Playbooks for the most common scenarios. They can be set to run manually or automatically when specific alerts are triggered. We can take any one of these Playbooks; you can customize them, see when they run, you can clone them, and customize any of the steps yourself. Security Playbooks in Azure Sentinel are based on Azure Logic Apps, which means that you get all the power, customizability, and built-in templates of Logic Apps.

This example started with alerts. Security analysts also want to hunt proactively over data. I have several examples of how we’re doing that. Let me start with the first one. One of our preview customers is a think tank in Washington DC. They are targeted by threat actors around the world because of their influence with government officials. They signed up as a private preview customer and granted my team access to their tenant data to analyze. We identified an Office 365 account belonging to the tenant that was being targeted by a known threat actor. When we look at the logins, we see something unusual. Instead of coming from one IP, they were coming from different IPs all over the world in rapid succession. We can see here California, Georgia, Warsaw, Lyon. With this insight, we constructed a query in Azure Sentinel to look for this blueprint: a burst of logins from a geographically dispersed area in a short period of time. We discovered new malicious activity that the customer was previously unaware of, and their security people were able to respond quickly. Searching 60 days of data took about two seconds with Azure Sentinel. It was a great proof point that with Azure Sentinel, using out-of-the-box functionality on top of the customer’s Azure Active Directory login data, which was super easy to connect, we were able to uncover a sophisticated actor’s activity. We worked with another preview customer, and used this approach to identify compromises in their environment as well. This query was put on the community GitHub, so that other customers can learn.

We also have an open-source community repository loaded with over 250 analytics across detections, hunting, and Jupyter Notebooks, so that customers can start with the knowledge that Microsoft and the community already have. We’re adding to it every day. We have contributions from threat experts across Microsoft, my team, and community members in Europe and North America, and we absolutely love working with customers on this. Here’s an example of a Jupyter notebook that one of my teammates wrote for Azure Sentinel. Sometimes the data you need to enrich your security information is not in a table; it’s behind an API. This notebook, written in Python, uses data that’s in Azure Sentinel, and calls APIs to enrich it with threat intelligence. There’s a number of providers here. So here we see a PowerShell script with an encoded command line. This uses Python to decode it, and then extract indicators from it, and then look those up in threat intelligence providers from AlienVault, VirusTotal, and others. Very cool.

One thing that’s important in the SIEM world is parsers for data. Many defenders around the world use the Sysmon tool by Mark Russinovich. Multiple MSTIC team members have contributed directly to the code over the years. You can see it supports many different event types with many different fields. Since it is so popular, we wrote a parser for Azure Sentinel that understands all of the fields and event types and published it to our GitHub.

In another case, we worked with a preview customer, where we saw an attacker trying to brute force account names. We used Azure Sentinel to devise a query to see the username guessing. Here, you can see the attacker trying combinations of firstName, lastName, separated by different delimiters: an underscore, a dot, and a dash. We saw the okhttp user agent, and thought it didn’t make sense for that tenant; it was very unusual. We noticed that the IP that user agent came from was trying multiple different mobile user-agent strings from a dictionary. So we wrote a regular expression to match them, and we saw many more password guesses. Note this login. You can see here Sony phones, LG phones, and here we have an attempted login from a phone claiming to be Windows Phone, probably not. We were able to find several successful logins from the infrastructure, and the customer confirmed them as compromised and we remediated them. Each query took seconds to run in Azure Sentinel, and this allowed us to quickly provide the information to the preview customer. All of these queries are on our GitHub.

This example looked at logins where the threat actor was trying to infiltrate. Let’s go to the other end of the kill chain, where the actor may be trying to exfiltrate data. Azure Sentinel is built on top of Azure’s powerful data tools; they can be used to spot data exfiltration. Defenders often work with logs with timestamps. In this example, this visualization is showing byte counts from outbound data transfers from Palo Alto firewall logs. Palo Alto has native integration with Azure Sentinel. With any firewall data there are underlying patterns that make it hard to set atomic rules to spot outliers. We call these seasonality trends. This data shows several trends. We have day versus night, week versus weekend, and a general increase in traffic over time. What we need to do is determine the baseline in the underlying data and look for outliers. Azure Sentinel makes this incredibly easy to do with its built-in functions, and then we can easily see the spikes in the data from excessive data transfers, including this one, which clearly happened on the weekend, and these other two data points here. This kind of hunting is made very easy by the visualization and analysis capabilities built into Azure Sentinel. You can see this query and other time series analysis ideas on our GitHub. We not only have these queries for firewall data, but Palo Alto also provided a dashboard that comes with Azure Sentinel to view their data, because they know it best. We also have dashboards for many other partners. This helps security folks be productive right away.

Azure Sentinel is a modern SIEM solution born in the Cloud that uses all the underlying power of Azure to make the SOC more effective, by saving time, enabling discovery of the most important insights using the community, and providing powerful Machine Learning features. My team is very excited to work with customers in the months to come and see what amazing things we can do together. Ann, back to you.

>>Thank you John. It was great to see how Azure Sentinel helps SecOps teams with hunting tools, Machine Learning, and augments their expertise with insights from our own in-house experts like John. To get more details on the capabilities that John just shared with us, please allow me to introduce you to Steve Dispensa. Steve leads security product teams including Azure Sentinel here at Microsoft. Thank you for joining me Steve.

>>Thanks Ann, I am excited to be here.

>>So Steve, SIEM is a really critical tool for our customers, and yet almost every customer I talk to today has challenges implementing it. What are you hearing, and what are we doing about it?

>>Well, this is a hard problem. The digital footprint continues to expand at our customers, data volumes are growing exponentially, and what we’ve found is that the traditional On-premises solutions to these problems are just not scalable any longer. In fact, just the other day I heard from a CISO from one of our customers sharing that more than half of their security team is now dedicated to just managing the infrastructure and machinery associated with their SIEM.

>>Wow.

>>So they’ve got to have a scalable solution that gets them past this. So that’s one of the focuses of Azure Sentinel, where we are working to empower our customers to focus on security and not just on infrastructure maintenance. The other feedback that we heard was just around noise. You know that our customers are stretched for talent, that there just isn’t enough security talent out there yet today, and so enabling the resources of the customer to really focus on the most important problems is number one. So for us that means limiting or eliminating the noise associated with alerts and allowing the SOC operators to focus on the most important threats quickly. My team has worked really hard to address these issues. Then, we’ve used experience we’ve gained ourselves at Microsoft over the past few years facing similar challenges. We’ve developed a lot of interesting technology to help us scale, and now I’m excited to be able to take that technology and ship it to our customers in the form of Azure Sentinel.

>>So Steve, ultimately we need to enable the security teams to be ahead of the adversaries. So how does Azure Sentinel help the SOC teams stay ahead of the adversaries, considering the adversaries are always innovating also?

>>Yeah, it’s a great point. So Sentinel is all about focusing the SOC’s attention on the most important threats ahead of anything else. So the first thing we did is we designed Sentinel as a Cloud-native SIEM. What that means is it was born in the Cloud and designed for the Cloud world first. So you can free your security teams from the complexity of setting up and managing all of this infrastructure that’s usually associated with SIEMs. In fact, with Sentinel, Microsoft does that work for you. While it’s born in the Cloud, Sentinel is able to collect any data from across the Enterprise: On-prem, Cloud, both Microsoft Cloud and third-party Clouds.

>>All right.

>>So the next part is about empowering teams with efficient and modern tools. So Sentinel includes out-of-the-box content to help your SOC do their job. We include queries for detailed analysis of the security data that you have, hunting capabilities that are built right in and use our years of experience, and of course we’re built on the strong foundation of Azure, including services like Log Analytics that can tear through terabytes of data in just seconds as you’re hunting and investigating. In addition to the out-of-the-box queries, we’ve also brought the experience from teams like John’s MSTIC team that we’ve gained from years of defending Microsoft against adversaries and working with our customers to defend them against the adversaries, and all of this experience and know-how is collected in our public GitHub community.

>>Really? Wow.

>>And in addition to that, we’re inviting the community to come help us make Sentinel a better and better product. So security teams often spend days chasing down false alarms. One customer told us that out of their tens of thousands of daily alerts, they’re able to only triage about half of them. It’s a huge problem right now. So the third big investment in Sentinel is bringing the power of Artificial Intelligence to this enormous volume of data. So we’ve invested heavily in AI and automation, again to allow the SecOps teams to focus on the most important incidents. So we’ve brought easy-to-use investigation graphs, automated response playbooks and other ways to get the most out of the limited resources that you have. In fact, our customers in preview have seen their responses reduced from hours to minutes already.

>>So this is a fully cross-Cloud solution, we’ve automated some of the playbooks, we have Machine Learning, we have Artificial Intelligence, and a lot of this stuff I know John showed us, and the real-life practical experience that his MSTIC team has brought in helping develop the product with learning from customers and us internally.

>>Absolutely. I mean our philosophy here is this is a security product for the entire Enterprise. Not just a piece here or a piece there, but cross-Cloud, On-prem, first-party, third-party, the whole IT infrastructure that our customers are dealing with.

>>That’s fantastic. So AI and automation are truly empowering our defenders to do more, and we’re going to share some more examples of Machine Learning. I want to understand how we learned, how we’re going to minimize alert fatigue. It’s the one thing we hear from SOCs continually. They can’t respond to everything. And I heard we were able to reduce it by more than 90% based on customer feedback from the preview. Can you talk a little about that?

>>Yeah. This is one of my favorite statistics from our preview because the impact was just enormous on SOCs. So yeah, we’re using Machine Learning, ML, in Azure Sentinel, and really we designed the whole product with ML right from the beginning. We’ve taken our years of experience building security Machine Learning in other places like our identity systems and across our other security products and brought it right to the customer in Azure Sentinel. So the first thing I’d say is alert fatigue is real. It’s a serious problem. It’s exacerbated by the fact that resourcing is thin; there aren’t enough analysts in the SOC today. So we’ve brought a number of ML-based approaches to sift through this sea of alerts and correlate alerts from different products to punch up the ones that matter the most for our customers. So one example is a technology that we call Fusion. Fusion basically takes two yellow alerts and fuses them into a red alert. To say, “Hey, this alert is worth spending time on, worth investigating.” Another one is our built-in Machine Learning detections. They’re designed for security analysts and for engineers. Even if you don’t have prior experience using Machine Learning, you bring your data in and we use our off-the-shelf, pre-trained, pre-built Machine Learning to find things in your data.

>>So someone like me could come in and do this?

>>Absolutely. Just add data and our algorithms go to work immediately to sift through and find the things that matter the most. And customers can bring their own logs, their own data from all their applications into Sentinel, and the same Machine Learning models will work through them and find the important alerts and incidents.

>>Wow. So I’m thrilled to see that we’re lowering the barrier for security experts to use Machine Learning and Artificial Intelligence, because I do believe it’s going to be a differentiator to them responding more quickly to attacks. And they really don’t need to invest in learning Machine Learning and learning Artificial Intelligence models to use Azure Sentinel, which will help the organizations become more secure. But can we shift gears for just one second?

>>Sure.

>>So one of the things I hear from customers constantly is the high total cost of ownership associated with managing, building that infrastructure, maintaining traditional SIEMs. Talk a little about how the Azure Sentinel value model is addressing those concerns.

>>Yeah, so great point. There are really two big components to the cost of running a SIEM traditionally. The first is hardware, infrastructure, operations, staff associated with managing and maintaining. These are huge implementations at large customers, very data intensive and compute intensive. So just buying the equipment and setting it up is very expensive. The second piece is the software price, which is also very expensive. So with Sentinel, we’ve taken a new approach. We’re taking a cost-effective approach first; we’re aiming to be a cost-effective SIEM. So of course that starts because Sentinel is a Cloud service: Microsoft fully manages it and fully maintains it. Then, we are taking a new approach to pricing where you pay only for what you use, and so you can pay as you go and bring data in as needed, and the system just scales for you.

>>Additionally, we’re enabling data ingestion from Office 365 Audit Logs, Azure Activity Logs, and also the Microsoft Threat Protection solutions at no additional cost. This will be a huge cost and complexity savings for our customers. So customers can pay as they go. Just as I said, you pay for only what you use, or for customers that are able to make a capacity reservation, they’ll have access to discounts up to 60% off of our regular pricing to help create predictability in what those costs will be.

>>Okay. So let’s talk about how long customers actually have to commit in the capacity tier they selected. Do we lock them in? And what happens when their data ingestion and analytics modeling change? Because one of the other concerns I hear from customers is, they get locked into these really inflexible contracts, and they can’t scale their business and they can’t have any elasticity in the type of data they’re looking at.

>>We’ve heard the same thing. So providing flexibility is a critical element here. We heard this from customers loud and clear. This is where we’re different from the rest of the solutions in the market, in that we’re not actually requiring an annual commitment. We’ll do capacity reservations on a month-to-month basis so that customers have the ability to dial up or down their commitments as their needs change every 31 days. So because of that, customers get predictability on the one hand, but they also have the flexibility to evolve their Sentinel installation as their own needs grow and change over time.

>>That’s really good to know that we’re addressing that concern, because it is one of the top concerns that I hear from our customers. I’ve always said that cybersecurity is a team sport and we’re all in this together. It’s an ecosystem. So in that context, what are we doing to help the security community on a continual basis?

>>Well, we value the security community deeply and we are a part of the security community, and with Sentinel, we created a SIEM that was designed from the beginning to support community engagement in solving the security problems. So you just saw how John and his team shared their expertise through our services. We have an active community on GitHub, where we take contributions across all aspects of the product from the community. We share best practices, queries, custom workbooks, and more; even bring-your-own Machine Learning models on our GitHub community. We talked about detection and hunting queries that are honed from Microsoft’s experience, defending ourselves over the years, but also from customers’ experiences. So it’s really great also to see that our partners and customers are starting to share their experiences on GitHub as well.

>>I heard that this community is actually helping us develop new capabilities. We had a private preview, I know, and then we had an extended public preview with 12,000 customers. So what capabilities and types of things have our customers helped us develop?

>>We’ve had a fantastic experience working with the community and with our customers since our preview announcement in March. So for example, lots of new threat detections have been created, especially Machine Learning based detections, based on our experience with our customers’ data, and working with customers to develop those detections for them. We’re continuously adding new data connectors and new features for automation based on community feedback, and actual customer needs. We’re integrating with Azure Lighthouse, which will enable customers and service providers in particular to view Azure Sentinel instances across their different tenants in Azure as well.

>>That’s great. I really like that our community and Microsoft is part of the security community. It’s not this remote community, but I like that we’re working together to address the global issue of increasing cyber threats. So thank you Steve for giving so much rich context on Azure Sentinel. I’m really looking forward to seeing the product in production at our customers.

>>Thanks Ann.

>>Speaking of community and partnering with each other, I would like to invite Andrew Winkelmann, who is the Microsoft Security Services lead within Accenture Security, to share their experiences and plans with Azure Sentinel. Thank you for joining us Andrew. It’s great to see your collaboration throughout the preview program, and thank you for helping us design a solution that meets the requirements of a modern SOC.

>>Thanks Ann. Glad to be here.

>>So can you tell us a little bit more about the Accenture security practice all up?

>>Sure. Accenture is one of the largest security services providers in the world. We provide services across all IT environments: physical, hybrid Cloud, different Cloud service providers, you name it, we probably support it. My role within Accenture is helping our clients secure their On-Premise and Cloud environments using the Azure and Microsoft 365 security products and services. Accenture’s lens is focused on the enterprise, the Global 2,000, and the challenges they face in managing the costs and effectiveness of security.

>>So how does Azure Sentinel fit into your plans for that practice?

>>Azure Sentinel turbocharges our current Accenture security solutions by providing advanced feature capabilities for security analytics and enables us to spend more time customizing our solutions to client-specific requirements. We currently have 14 clients right now on our Accenture Log Analytics SIEM solution that we are going to eventually convert over to Azure Sentinel. With Azure Sentinel running on top of Log Analytics, we are able to keep our same custom use cases based on the Kusto Query Language and add the power of Microsoft security investments in ML, AI, Threat hunting, Data Connectors, Ticket Triage, and a separate case management functionality that makes it easier for investigation and automated response.

>>So what are some of the success factors that you think about when you’re considering SIEM solutions?

>>The first one I’d say is data residency. Keeping your SIEM data in a specific region, but with the ability to search across all those regions. This makes it a lot easier to adhere to the data residency requirements. As an example, this is where we provide a security solution for a client where we have Log Analytics Workspaces in the United States, Europe, Japan, and Australia. Those data sources stay in the regions, and those local servers and infrastructure will log to those local Workspaces that we set up. We’re then able to search across all of the Workspaces, but the data stays local. This is really, really critical for things like GDPR. The second one I’d say is the DevOps model. Application teams use DevOps, infrastructure teams use infrastructure as code. Why does security not use that same model? Azure in general allows us to automate the stand-up of the overall platform. With Azure Sentinel, we can now automate the deployment of data connectors and our use cases. This further reduces the time required to roll out our security services and provide additional value to our clients. And I’d say the last one is the hybrid Cloud support. Not everything is in Azure, unfortunately, and we wanted a solution that supported our clients in Azure, but also all the other Cloud service providers and the hybrid scenarios for the clients that are going to take some time to move to the public Cloud. With the use of the Log Analytics Gateway, we can now support internet-restricted data center environments. This setup will enable us to support critical infrastructure environments, where you would not want a host reaching directly out to the internet. An example: we’re managing our 1,500 servers across a Multi-Cloud environment powered by Azure Sentinel and ingesting over 2TB of data every single day.

>>We know that support for a distributed environment is absolutely critical to our customers, and how are you getting insights across these Cloud environments specific to Azure Sentinel?

>>Sure. That’s a good question. Multi-Cloud environments are what we see a lot. This includes AWS as part of the target environment, and we’re also securing it in addition to Azure. How we start this off: well, we would start by configuring the AWS connector in the Azure Sentinel data connector tab. We’d start ingesting the AWS CloudTrail logs. CloudTrail is where all the different logs are sent within AWS. We would then create custom alerts based on those use cases that we want to alert on. For this scenario, we’ll use alerting on the removal of the MFA or Multi-Factor Authentication requirements on the AWS root account. If this happens, very, very bad things happen. So an alert query would be the next thing we do in Azure Sentinel to look for this specific event. So here we can see this actually did happen. The next part is, we want to see why this happened. So by integrating Accenture’s Threat Intelligence Feed that we acquired a couple of years ago, called iDefense, into Azure Sentinel via the Microsoft Security Graph API, we can check the threat intelligence on the offending identity and also IP address to help clarify if this is a malicious attack, an accident, or an insider threat scenario. By utilizing the Investigative Dashboard in Sentinel, we can also pivot to the corresponding alerts and then respond with the built-in SOAR capabilities within Sentinel using Azure Logic App playbooks.

>>Well, that’s a lot, and as we all know, enabling Multi-Factor Authentication is the one most critical thing we tell our customers, and securing business-critical applications is such an important aspect. So what scenarios do you commonly see within your customers related to business-critical apps?

>>That’s another great question. One that we see a lot is SAP. SAP holds critical application data for a large number of our clients, and a lot of it is moving to the Cloud. So I can walk you through a scenario. So for SAP, you have an On-Premise physical data center that’s hosting the SAP large instance or HANA large instance that’s running SUSE Linux. That’s directly connected to Azure, where all the SAP application servers are hosted. The physical data center does not allow direct internet access. So we have deployed the Log Analytics gateway to pull information from the SAP HANA large instance into Azure Sentinel. We then created alerts in Sentinel to trigger when someone makes a change to the critical SAP files, both on the Windows and the SUSE Linux platforms. As you can see, we have a couple of alerts for changes to these critical SAP application files in the Azure Sentinel Case Management Dashboard. This use case alerts our Accenture security operations teams when a critical SAP component is modified or deleted. In this specific use case, we’re alerting on changes to the SAP common library DLLs. So opening up the case in Azure Sentinel for our custom alert, we’re able to drill down into the corresponding events in the Investigative Dashboard. We then can pivot to what corresponding events are linked to this use case from the same server. So we can now say with confidence which user made that change, what they changed, and what application was used to make the change. This reduces the time from hours to minutes for investigating security events across the Cloud Platform, Infrastructure host, and events from inside the SAP application. By constantly innovating, Accenture Security continues to push the boundaries for securing our clients’ Cloud workloads, and our SAP on Azure Security solution becomes even more powerful with the release of Azure Sentinel.

>>That’s just fantastic. That’s great. The fact that you can take an application that a lot of businesses run on like SAP and reduce that detection time from hours to minutes and stop something that could be incredibly business impacting, and really take down a customer’s environment. It’s amazing. Thank you for sharing your plans for Azure Sentinel. I’m sure these insights are going to be really helpful to the entire community, and I’m looking forward to continuing the partnership with your team. Thank you so much.

>>Thank you.

>>There is one more guest I want to invite, his name is Alex Kreilein. He is the Chief Information
Security Officer, RapidDeploy, which provides Cloud
native solutions to public safety and
emergency communications. RapidDeploy joined the preview
program and they started seeing the early benefits for
their Security Operation Center. I would love Alex to come on board and share his experiences with us. Alex is joining us today
via Microsoft Teams. Welcome, Alex.>>Hey, thanks, Ann. I really
appreciate you having me.>>So Alex, can you tell us just a little bit more about Rapid Deploy?>>Yeah, we’re really excited about
the product that we’re able to offer it in public safety
in state government. So for us, our really key focus is to try and reduce response
times in emergencies. The way that we do that
is by building web and mobile applications and
supporting IoT products that are really able to get a
lot of value very quickly to public safety by focusing
on super easy deployment, low total cost of ownership, high features and functionality, and really effective security
that meet the Threat Model.>>Excellent. And Alex, what is your
team focused on specifically?

>>Yeah, my Security Team at RapidDeploy is kind of fun and a little weird, so we’re a SaaS company and we really want to be a great SaaS company. So we really focus on software development. So for security, I actually build a lot of functional elements with security into all the policies, processes and procedures that run my company. So like everybody from my DevOps Team, my Developers, and Engineers, even our help desk support and human resources, we’re all involved in the fight of cyber security, and we have a small team that really focuses on the nitty-gritty stuff of actual cyber security operations.

>>Well, that’s pretty impressive and yes it is unique. So what made you build your solution on a Cloud platform?

>>So for us, the Cloud was the natural choice because we know that that’s where all the velocity really is going into tech and IT solutions. We knew we could get a lot of control, a lot of visibility, a lot of monitoring, and frankly real ease of deployment of services because of the shared responsibility model of the Cloud. It was really for us about selecting the right one based on the requirements that we really had for our mission critical environment.

>>You’re building your solutions on top of Microsoft Azure, correct?

>>Yeah. So we really wanted to focus on deployment with Microsoft Azure for a couple of reasons. One, we knew it could give us a lot of flexibility that would be hard to find elsewhere, but we would be able to innovate on the platform. We’d really be able to get access to a lot of services, but especially a lot of services that focus on our customers, our segments, our reliability requirements. So we selected Azure because we wanted to be really big contributors to the Microsoft stack and make full utilization of the work and innovation going on throughout the world.

>>So clearly security is a critical component of all public safety systems, can you tell us more about what you and your teams are concerned with today?

>>Yeah. So there are a couple of things that we’re concerned about for public safety systems. So there are the traditional things that SaaS companies all across the globe, no matter who you are, are going to have to face. Application security, SDLC, like really security DevOps implementation, infrastructure, access control, the list goes on and on. But the thing that we really also have to focus on is the threat model around public safety specifically. So we have a lot of state and local government customers who had succumbed to ransomware and huge exploitation, remote code execution, denial-of-service. So we know that our threat model is really high because the people who would really want to exploit public safety are super motivated and super well financed in some circumstances to combine their cyber security attack with a kinetic attack.

>>And how did you decide to use Azure Sentinel for your security operations?

>>So for us, Azure Sentinel was a natural choice, but we also really wanted to put it through the wringer. We really had to focus around the ability to deploy something effectively and get a full complete deployment done because monitoring and visibility is the thing that we were primarily concerned with. So for us, given our focus around building in Azure, we really found an ease of deployment there which brought it back to the great total cost of ownership, but also a really quick time to value. So we knew that we wouldn’t be buying something and have it sit on the shelf for months and months and months and just grown through deployment, but rather we knew that we could get something up and running quickly and effectively. But then we could utilize it like you would want to in a best in class SIEM for hunting, alerting, monitoring, detection, and analysis.

>>That’s a really important point, Alex. At Microsoft, we are on a mission to empower organizations, even those who don’t have huge security teams, to easily secure their environments. So it’s really nice to see that resonated with you and your team. But let’s take it a step further, can you give us examples of how you were using Azure Sentinel and the benefits you have seen for your Security Operation Center?

>>Yeah. So for us, Ann, deploying Azure Sentinel was really
effective and very quick, but we needed to do it over multiple subscriptions in multiple regions, and we have a little bit of a complex estate that we have to manage. But we also have to be really confident that we’re able to ingest data from our IoT solutions sitting on-prem with customers, ingest data from endpoint detection and response, then network telemetry, the WAP data. All the things that really constitute not just the perimeter security, but the inner workings and functionality of our platform have to be really well integrated into Azure Sentinel, and we found that through our test environment, we found that through evaluation, and we found that by working in the real world with it as well.

>>With a lean security team, how are you meeting your goals, and are you automating your processes to meet those goals?

>>So there’s probably two ways that we’re automating our processes with Azure Sentinel. The first one is, we actually just derive a lot of natural benefit from enabling it because it collects so many more logs than just the normal analytics workspaces do. So my Developers are actually the ones who primarily benefit from this because they’re able to see challenges and errors, they get a better analysis workspace to be better software developers. So that’s been a nice outcome that we didn’t expect. But separately from that, I’ve automated Azure Sentinel by creating playbooks, and triggers, and rules, and trying, even though it’s early days for us, to build a really good development around Jupyter Notebooks and the ability to hunt inside of the platform. That’s predicated on integrating all this data, and it’s predicated on being actually quite precise, and we found those outcomes to be really right in our strike zone at RapidDeploy.

>>So Alex, we have many customers evaluating SIEM solutions, what additional insights can you share with your peers?

>>So I’d say, when you’re going through to identify a SIEM, there’s a couple of really important functions to look at. I think people forget the time to value function. I think it’s really important to not just evaluate the technology, but really evaluate its utilization in the organization. And so finding something that has a really short lifecycle on time to value is huge because then you can demonstrate that, which you can rarely do in cyber security. But the second piece is you really want to make sure that you have a platform that doesn’t just integrate with all your security tooling, but also really integrates with your network stack, integrates with your application, integrates with outside functions and features. Then I think the last part would be to really understand the cost analysis around it, and we were very impressed with what we’ve found with super on market for Azure Sentinel, but also came with all of this great ease of deployment and capability to integrate data.

>>Thank you, Alex, for sharing your insights today. I’m thrilled to see how Azure Sentinel is helping your team strengthen the security of our public safety systems, and we really appreciate your active feedback to the product team.

>>Thanks, Ann. You can count on that, and we really appreciate the partnership here, it’s been great for us, and we look forward to seeing what it does in the future.

>>Thank you to all of you for joining us today. The Cloud is unlocking new capabilities. This is why we’re investing in the Cloud and artificial intelligence to work for you, to extend and empower your defenders who are the key to avoiding future cyber threats. Azure Sentinel is just the latest capability in our broad portfolio available to you to strengthen your security operations. And don’t forget, our experts are still available to answer your questions in the chat window. In closing, I encourage you to join the community on GitHub and start using Azure Sentinel today. Thank you. [MUSIC]
