Combining Azure Security Centre with Azure Sentinel to improve your security posture
Wednesday 9th December 2020 | 2-3 minute read
As the modern IT operating environment increases in complexity, so too does the task of maintaining security. With assets on-premises, in the cloud, or spread across both, you need a toolkit capable of centralising your monitoring and response capabilities.
For Microsoft Azure users, Azure Security Centre (ASC) is the natural starting place for managing cloud security posture and protecting cloud workloads. It surfaces misconfigurations as recommendations (rolled up into a Secure Score) and raises alerts on active threats against Azure resources. That overlaps with part of what a security information and event management (SIEM) platform does for your Azure assets, but ASC is not a SIEM: it does not ingest arbitrary logs, and it does not correlate across sources outside Azure.
ASC also has limitations as a monitoring service, not least that its threat-protection tier is billed per protected node (virtual machine or server). So Microsoft developed Azure Sentinel, a fully-fledged SIEM and SOAR (security orchestration, automation and response) platform, to complement ASC. The two products co-exist and interact to strengthen both your security posture and your response capabilities.
Enhanced alerting and threat detection
ASC is an important source of security alerts about your cloud infrastructure. Azure Sentinel sits in a layer above it: the Azure Security Centre data connector streams ASC alerts into your Sentinel workspace, where they land in the SecurityAlert table and can be grouped into incidents alongside everything else Sentinel collects.
Importantly, Azure Sentinel extends that visibility to third-party systems too. With the ability to import and process logs and alerts from a wide range of cloud and on-premises sources (firewalls, identity providers, endpoint tools, other clouds), you gain end-to-end visibility of your IT estate rather than of Azure alone.
Centralising log management is just part of the story though. Sentinel's built-in analytics (Fusion correlation and anomaly and user/entity behaviour analytics) establish a baseline of "normal" activity for users and hosts and combine low-fidelity signals from different sources into a single multi-stage incident. In this way, Azure Sentinel cuts through the noise that regularly overwhelms a security team and surfaces the alerts and events that require further investigation.
Accelerating your response
Azure Sentinel analytics rules let you declare which fields in a query result represent security entities, using entity mapping. Entity types such as Account, Host, File Hash, IP Address and URL are mapped to the corresponding columns in your query so that Sentinel can correlate alerts from different sources that refer to the same user, machine or address, build the investigation graph, and feed its behavioural analytics.
Detection logic is written in Kusto Query Language (KQL), so you can extend Sentinel's built-in rules with custom scheduled queries tuned to your own environment. A scheduled rule runs on a cadence you define, raises an alert when its query returns rows, and groups those alerts into incidents that can be assigned to analysts, so the issues that really matter to your business get handled first.
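As an added example (not code from the original post or from Microsoft), here is a scheduled analytics rule query of the kind described above: it flags an Azure AD account that suffers a burst of failed sign-ins from one IP address followed by a successful sign-in from that same address, which is the pattern of a brute-force or password-spray attack that worked. It assumes the Azure AD connector is populating the SigninLogs table, uses an assumed failure threshold of 10 that you would tune per tenant, and maps entities with the AccountCustomEntity / IPCustomEntity column convention used by Sentinel rules at the time of writing (newer rules can do the same mapping in the rule wizard instead).

```kql
// Added example: failed sign-in burst followed by a success from the same IP.
// Assumptions: SigninLogs is populated by the Azure AD connector; threshold is a
// placeholder to tune per tenant; ResultType "0" is a successful sign-in, any
// other value is an Azure AD failure code (e.g. invalid password, MFA denied).
let lookback = 1h;      // match the rule's "lookup data from the last" setting
let threshold = 10;     // assumed value: failures per account/IP pair before we care
let failures = SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType != "0"
    | summarize
        FailedCount = count(),
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated),
        FailureCodes = make_set(ResultType)
        by UserPrincipalName, IPAddress
    | where FailedCount >= threshold;
let successes = SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated, AppDisplayName;
failures
| join kind=inner successes on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure   // only a success *after* the burst is suspicious
| summarize
    FirstSuccess = min(SuccessTime),
    FailedCount = max(FailedCount),
    FirstFailure = min(FirstFailure),
    LastFailure = max(LastFailure),
    FailureCodes = make_set(FailureCodes),
    AppsAccessed = make_set(AppDisplayName)
    by UserPrincipalName, IPAddress
// Entity mapping: these columns tell Sentinel which values are the Account and
// IP entities, so the alert is correlated with other incidents for the same
// user or address and appears in the investigation graph.
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
| order by FailedCount desc
```

Run the query in the Logs blade first to see how many rows it returns over a normal day; a rule that fires on every help-desk password reset will be muted by analysts within a week, so the threshold and lookback are the knobs to tune before saving it as a scheduled rule.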
The real value of building a security monitoring platform with Azure Sentinel and ASC is realised when you apply that analytics layer to incident response. Sentinel's Fusion engine correlates low-fidelity alerts from many sources (including ASC) into a single multi-stage incident, and threat intelligence indicators of compromise (IoCs) imported into the workspace are matched against your ingested logs, so an analyst starts from a ranked incident rather than millions of raw events.
You can then build "security playbooks" using Azure Logic Apps to automate and orchestrate your response. A playbook triggered by an incident could do almost anything: raise a ticket in your IT service management (ITSM) platform, add a firewall rule to block a suspicious source address, or disable a user account in Azure Active Directory. One caveat a practitioner should build in from the start: destructive actions such as blocking addresses or disabling accounts should be gated on high-confidence rules or an approval step, otherwise a noisy detection becomes a self-inflicted denial of service. Done well, automation not only accelerates initial response but gives the security team time to focus on actually resolving issues.
Using the power of the cloud to analyse and manage event logs intelligently pays dividends. Reducing Mean Time to Detection (MTTD) shortens Mean Time to Resolution (MTTR), with several benefits. First, exposing and mitigating security issues earlier reduces the window for exploitation. Second, you better control the cost of identifying and fixing issues because less time and fewer resources are spent tracking problems down. Finally, by limiting the damage an attacker can do before they are contained, you reduce the overall cost of recovery.
It is important to remember that ASC and Azure Sentinel are standalone products: you can use them individually or together as you choose. Combined, they give you posture management and threat protection for your Azure workloads from ASC, and detection, correlation and automated response across your whole estate from Sentinel.
To learn more about building an intelligent, holistic SIEM platform, get in touch with our experts.