Use built-in ML and AI to cut through the noise
Monday 25th January 2021 | 3 minute read
As we have discussed in other blogs, generating alerts and events from infrastructure and applications is incredibly easy. And with Azure Sentinel security information and event management (SIEM) tools, centralised log management is similarly simple.
Without intelligent information and event management however, your security team runs into the same problem they always had with the on-premise SIEM solution – too much irrelevant data. They need to cut through this 'white noise' (low-level log entries that reveal nothing about security events) because it ties up security resources, leading to log fatigue and ignored alerts.
There are two challenges with security monitoring. First, you need to gather and assimilate more event logs to ensure you have a complete visibility of your entire hybrid IT estate – including applications and user and entity behaviour. Second, you need a way to search through tens of thousands of events quickly and effectively, linking activities that may indicate a security breach.
Azure Sentinel powered by Fusion – artificial intelligence (AI) security monitoring in the cloud
Azure Sentinel powered by Fusion AI helps to solve both these problems. Although run in the Cloud, Azure Sentinel interconnects and ingests from a wide range of third-party applications and services – including those installed in your on-premise data centre.
Azure Sentinel offers Fusion threat detection to identify multistage attacks. It does so by using machine learning (ML) to detect anomalous behaviour and suspicious activity that correspond to and are similar to that of an attack. AI is then used to piece together these anomalies to produce a timeline of events. Automated threat detection frees up your security team to focus their attention on troubleshooting real issues.
Fusion takes this ML-based detection a step further by reassessing these low fidelity “yellow” events against alerts from other data sources to create high fidelity “red” incidents that indicate a high probability of breach. Fusion carefully analyses entity activity from both Microsoft and third-party products and maps the behaviours to the cyber kill-chain to determine if something malicious is at play and at what stage, before prioritising it to a “red” incident in terms of severity.
As Fusion is used to detect advanced, multistage attacks which are made up of various individual events and alerts, a good use case for this would be detecting an anomalous login, followed by a suspicious Office 365 forwarding rule being set up on that account. These individual alerts on their own would be medium “orange” alerts and will likely be “in the queue” of alerts for your security team to work through. However, Fusion uses AI to piece these actions together and can then detect that this activity as a multistage attack. It can then create one high “red” incident that will immediately raise the attention of your security team, rapidly increasing response times to a potential breach.
According to Microsoft, Fusion processed 50 billion alerts from across the Azure Sentinel platform in December 2019. Of these, 111 were identified as incident candidates (yellow), before further AI-powered analysis narrowed the list to just 25 high fidelity (red) incidents.
There was just one red incident in every 2,000,000,000 events logged. This goes to show the scale and power of ML and AI when applied to SIEM – and gives some indication of how much time and resource can be saved.
Making Fusion work for you
Fusion truly is the next generation of threat detection in SIEM. Using ML and AI to convert these low-level yellow alerts into incidents not only helps identify the “low and slow” attacks, but also reduces the false positive rate in the process. This drastically reduces the mean time to detection (MTTD) rate of even the unknown threats that are traversing your network. In addition, this method of alerting boasts a 90% reduction rate in alert fatigue, which frees up resources to be proactive in threat hunting for any additional threats.
The headline benefits of Azure Sentinel Fusion alert rules include:
- Protection against known and unknown threats to improve overall security posture.
- Accelerated threat detection, reducing time to detection and remediation.
- Increased automation simplifies operations, freeing your security team to focus on developing fixes and hunting for additional threats.
- A consistent approach to all threats, helping to maintain quality standards and reduce the risk of an incomplete response.
- Improved compliance and reduced risk of fines for breaches.
With the ability to automatically identify unknown threats quickly, Azure Sentinel supports digital transformation efforts, ensuring rapid pace of change is not hampered by security concerns. Indeed, Azure Sentinel could become an essential strategic asset as your business seeks to grow.
To learn more about Microsoft Azure Sentinel and how it will improve your security posture, please contact us to arrange a demo.