Azure Sentinel
•Download as PPTX, PDF•
0 likes•507 views
Microsoft Azure Sentinel is a new Cloud native SIEM service with built-in AI for analytics that removes the cost and complexity of achieving a central and focused near real-time view of the active threats in your environment.
More Related Content
What's hot
What's hot (20)
Similar to Azure Sentinel
Similar to Azure Sentinel (20)
More from Cheah Eng Soon
More from Cheah Eng Soon (20)
Recently uploaded
Recently uploaded (20)
Azure Sentinel
- 1. Azure Sentinel Eng Soon Cheah Microsoft MVP @CheahEngSoon
- 2. Who am I ? • Microsoft MVP • Senior IT Developer , Big 4 • Blog: https://dev.to/cheahengsoon • YouTube: https://www.youtube.com/c/engsooncheah
- 3. Security Operations Team Expanding digital estate
- 4. Too many disconnected products High volume of noisy alerts Security skills in short supplyLack of automation Rising infrastructure costs and upfront investment IT deployment & maintenance Sophistication of threats Traditional SOC Challenges
- 5. Cloud + Artificial Intelligence Security Operations Team
- 6. Introducing Microsoft Azure Sentinel Azure Sentinel Cloud-native SIEM for intelligent security analytics for your entire enterprise Respond Rapidly and automate protection Detect Threats with vast threat intelligence and AI Investigate Collect Security data across your enterprise Critical incidents guided by AI Limitless cloud speed and scale Bring your Office 365 data for Free Easy integration with your existing tools Faster threat protection with AI by your side
- 7. Microsoft Security Advantage $1B annual investment in cybersecurity 3500+ global security experts Trillions of diverse signals for unparalleled intelligence
- 8. Limitless cloud speed and scale
- 9. Focus on security, unburden SecOps from IT tasks © Microsoft Corporation Azure No infrastructure setup or maintenance SIEM Service available in Azure portal Scale automatically, put no limits to compute or storage resources
- 10. Traditional Reduce security and IT costs- Get a cost effective SIEM No infrastructure costs, Only pay for what you use Bring your Office 365 Data for free Predictable Billing with capacity reservations Flexible model, no annual commitments Sentinel Cloud-native, scalable SIEMHardware setup Maintenance Software setup
- 11. Integrate with existing tools & data sources
- 12. Collect security data at cloud scale from all sources across your enterprise © Microsoft Corporation Azure Pre-wired integration with Microsoft solutions Connectors for many partner solutions Standard log format support for all sources Proven log platform with more than 10 petabytes of daily ingestion
- 13. Optimize for your needs © Microsoft Corporation Azure Bring your own insights, machine learning models, and threat intelligence Tap into our security community to build on detections, threat intelligence, and response automation. Bring your own ML Models & Threat Intelligence Security Community
- 14. AI by your side
- 15. Detect threats and analyze security data quickly with AI © Microsoft Corporation Azure ML models based on decades of Microsoft security experience and learnings Millions of signals filtered to few correlated and prioritized incidents Insights based on vast Microsoft threat intelligence and your own TI Reduce alert fatigue by up to 90% Correlated rules User Entity Behavior Analysis integrated with Microsoft 365 Bring your own ML models Pre-built Machine Learning models Threat Detection and Analysis
- 16. Investigate threats with AI and hunt suspicious activities at scale © Microsoft Corporation Azure Get prioritized alerts and automated expert guidance Visualize the entire attack and its impact Hunt for suspicious activities using pre-built queries and Azure Notebooks
- 17. Respond rapidly with built-in orchestration and automation Build automated and scalable playbooks that integrate across tools ! Security Products Ticketing Systems (ServiceNow) Additional tools
- 18. Take actions today- Get started with Azure Sentinel To learn more, visit https://aka.ms/AzureSentinel Connect data sources Start Microsoft Azure trial Open Azure Sentinel dashboard in Azure Portal
- 19. Demo How can Tailwind Traders detect suspicious activity in Tailwind Traders Azure AD instance?
- 21. • Facebook : Microsoft Developers Malaysia • Twitter & Insta : msdevsmy ❖Like, Comment, Share & Subscribe❖
Editor's Notes
- Today, organizations are faced with the incredibly difficult task of trying to protect their expanded digital estate from increasing cyber threats. The move to the cloud and a mobile workforce have pushed the border of your estate beyond the boundary of your physical network. You data and users and systems are everywhere. Meanwhile the frequency and sophistication of attacks are ever growing. Regardless of the size of your organization or the industry, you are a target. This is the challenge that we all struggle with in IT security. And it's a challenge we at Microsoft think that we can uniquely help with.
- The SecOps mission of protecting organizations’ information and assets is becoming increasingly difficult. Attack techniques, frequency, and complexity are evolving fast. Security teams are under strain from the expanding breadth of defensive technologies, accelerating hybrid cloud adoption, and borderless, zero-trust networks. The shortage of SecOps talent makes this problem worse. Considering the future needs of SOCs, these are the most prominent pain points: Threats continue to grow in complexity and volume Attacks are increasingly heterogeneous. A typical attack spans different parts of the enterprise and crosses various resource types: it might start from an IoT device, proceed to an endpoint, spread to a cloud service or to a database, involve multiple user accounts or tenants, and so on. Alert fatigue: SOCs see too many alerts from disconnected products Enterprise SOCs typically have dozens of security products, each producing a large volume of alerts. In isolation, these products often have high false positive rates and poor response prioritization, resulting in deafening alert noise. Attacks fall through the cracks despite generating alerts. Unfortunately, legacy SIEMs are functioning only as aggregators and don’t increase response capabilities. Enterprise SOCs need a way to integrate their security products to reduce the noise, prioritize alerts, and enable investigation and hunting across the entire dataset. There is a global shortage of security analysts and experience The need for skilled security professionals has greatly increased, and supply cannot meet current or future demand. A recent report by CSO magazine showed that this global talent shortage will increase to 3.5 million unfilled security jobs by 2021. Investigation is complex and time-consuming Every second counts when SecOps personnel are handling a threat that might jeopardize their organization. The clock is ticking fast, but investigation requires highly skilled security analysts and can often take days or weeks. Current solutions are not architected for today’s demands, or tomorrow’s Legacy on-premises SIEMs require powerful hardware and extensive maintenance that make them expensive to operate. Storage and compute needs increase dramatically during an incident, which is difficult for an on-prem footprint to accommodate. The move to the cloud has enabled a new degree of enterprise scale-out, and with the explosion of cloud-born data, legacy SIEMs are less and less able to cope with the demand.
- The cloud can help manage that complexity of the expanding digital estate. It simplifies and makes security easy to manage. Harnessing the power of cloud will set your SecOps teams free of IT work and help them focus on security work with no limits. Next generation of AI and automation in the cloud helps to super-charge your work. It will leverage the large-scale intelligence available in the cloud and make it work for you.
- That’s why we re-imagined the SIEM + SOAR tool to introduce a new cloud-native solution called Microsoft Azure Sentinel - providing intelligent security analytics at cloud scale for your entire enterprise. Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, users, apps, servers and any cloud, it uses the power of artificial intelligence to ensure you are identifying real threats quickly, and unleashes you from the burden of traditional SIEMs by eliminating the need to spend time on setting up, maintaining and scaling infrastructure. Since it is built on Azure, it offers limitless cloud scale and speed, scaling automatically to address your needs. Traditional SIEMs have also proven to be expensive to own and operate, often requiring you to commit upfront and incur high cost for infrastructure maintenance and data ingestion. With Azure Sentinel there will be no upfront costs, you will only pay for what you use, and we are offering free Office 365 activity data import to help you reduce security costs significantly
- At Microsoft, we spend over a billion dollars every year on research and development to secure your organization and enable you to digitally transform - without compromising productivity. We try to keep it simple for our customers knowing you have limited resources and dollars. We do this through our operations, technology and partnerships. What makes Microsoft so different to other cloud providers and even security providers is that we have over 3,500 security professionals and Intelligence informed by trillions of sources so we can help you make smarter decisions and remediate faster. We provide a truly holistic approach to technology. Microsoft helps you protect identities, data, applications, and devices across on-premises, cloud, and mobile - end to-end. This protection is at global scale with enterprise –class technology. Benefit from the investment of security at global scale with built-in capabilities and resources.
- Azure Sentinel is a true software as a service solution for SIEM and SOAR with automatic scalability -no server installation, maintenance, or complex configuration. It lets your SecOps team focus on the most important tasks- defending against threats to your organization. Azure Sentinel is available in the Azure portal and becomes a central place for security operations, getting a near real time view of security events and providing tools to investigate and respond to incidents. As an Azure Service, you can easily augment security operations with other cloud services in Azure portal like Machine Learning, Logic Apps and Azure Monitor.
- Traditional SIEMs have proven to be expensive to own and operate, often requiring you to commit upfront and incur high cost for infrastructure maintenance and data ingestion. With Azure Sentinel there are no upfront costs, you pay for what you use. Our aim is to provide you a cost effective SIEM solution. Many enterprises are using Office 365 and are increasingly adopting the advanced security and compliance offerings included in Microsoft 365. There are many cases when you want to combine security data from users and end point applications with information from your infrastructure environment and 3rd party data to understand a complete attack. It would be ideal if you could do this all within the compliance boundaries of a single cloud provider. Today we are announcing that you can bring your Office 365 activity data to Azure Sentinel for free. It takes just a few clicks and you retain the data within the Microsoft Cloud. Reduce infrastructure costs when you automatically scale resources as you need and only pay for what you use. Pay nothing extra when you ingest data from Office 365 audit logs, Azure activity logs, and alerts from Microsoft threat protection solutions. Save up to 60 percent as compared to pay-as-you-go pricing through capacity reservation tiers. Receive predictable monthly bills and the flexibility to change your capacity tier commitment every 31 days.
- With Azure Sentinel you can aggregate all security data with built-in connectors, native integration of Microsoft signals and support for industry standard log formats. Microsoft 365 customers can import their Office 365 activity data for free to gain deeper insights. We continue to collaborate with many partners in the Microsoft Intelligent Security Association and support easy connectors and customizable dashboards for popular solutions including Palo Alto Networks, F5, Symantec, Fortinet and many more to come . Azure Sentinel is based on Azure Monitor that uses a proven and scalable log analytics database that ingests more than 10 petabytes everyday and provides a very fast query engine that can sort through millions of records in seconds. Azure Sentinel also integrates with Graph Security API to enable customers to import their own threat intelligence feeds.
- Azure Sentinel is an open and extensible solution. It enables your team to bring your own insights, tailored detections, machine learning models, and threat intelligence to customize analytics for your own environment. For e.g. If you want to customize and enrich the detections more than the built-in ML models, then you can bring your own models to Azure Sentinel using the built-in Azure Machine Learning service or use Microsoft Graph API to integrate your existing Threat Intelligence feeds with Azure Sentinel. Additionally, it enables a community driven approach to share and enhance best practices, threat intelligence and mitigation. GitHub community available through the Azure Sentinel dashboard can be used to share hunting queries or pre-defined Jupyter Notebooks.
- Analyze and detect threats quickly with AI on your side- Security analysts face a huge burden of triage as they not only have to sift through a sea of alerts, but also correlate alerts from different products manually or using a traditional correlation engine. That’s why Azure Sentinel uses state of the art, scalable machine learning algorithms to correlate millions of low fidelity alerts to few high fidelity security incidents. Azure Sentinel also includes user behavior analytics to help you identify anomalies, compromised identities, and malicious insider actions. ML technologies will help you quickly get value from large amounts of security data you are ingesting and connect the dots for you. For example - a compromised account leading to Office 365 Mailbox exfiltration. It helps reduce noise drastically, we have seen an overall reduction of up to 90% in alert fatigue with early adopters. These machine learning models are built-in and give you the benefits of decades of Microsoft security experience and ongoing knowledge from running 100s of cloud services. you do not need to be a data scientist to run such models. Some SecOps teams may need to customize ML based analysis and they can even bring their own ML models in Azure Sentinel.
- Graphical and AI-based investigation will reduce the time it takes to understand the full scope of an attack and its impact. You can visualize the attack and take quick actions in the same dashboard. Proactive hunting of suspicious activities is another critical task for the security analysts. Oftentimes, the process by which SecOps collect and analyze the data is a repeatable process – and therefore – can be automated. Today, Azure Sentinel provides two capabilities that enable you to automate your analysis by building hunting queries and Azure Notebooks (Jupiter notebooks). Based on the proactive hunting that our own Incident Response and Threat Analysts teams perform, we’ve developed a set of queries and Azure Notebooks that are available today in Azure Sentinel to help SecOps navigate the most common scenarios. And as the threat landscape evolves, so will our queries and Azure Notebooks. We will provide new queries and Azure Notebooks via the Azure Sentinel GitHub community. ------------------------------------ ------------------------------------ Automated expert guidance with a feature called virtual analyst- it automatically reasons over the alerts, provides a confidence score for their severity and helps you get a prioritized list of alerts. Virtual analyst “works and thinks” like a cybersecurity analyst; it automates expert-knowledge by generating a ”tailor-made” rich entity-based hunting graph for each security alert and assigns these alerts with confidence scores in attempt to evaluate their “maliciousness”. (Will not be available at Preview launch) Interactive visualization leveraging analytics (automate expert-knowledge) to explore and analyze massive amounts of data Proactive guided data exploration; allowing pivoting in real time between disparate datasets, using bookmarks and creation of cases Enable a hunter to filter and prioritize data, employing advanced data science techniques (using Azure Notebooks) Live stream to look at and understand event flows in real time
- While AI sharpens your focus on finding problems, once you have solved the problem you don’t want to keep finding the same problems over and over – rather you want to automate to address common issues. Azure Sentinel provides built-in automation with pre-defined or custom playbooks to solve repetitive tasks and to respond to threats quickly. Azure Sentinel will augment existing enterprise defense and investigation tools, including best-of-breed security products, homegrown tools, and other systems like HR management applications and workflow management systems like ServiceNow.