Azure Sentinel 101
Presenter: Joe Kuster

Introducing Catapult
• Serving all 50 states, Mexico, Canada and the Caribbean
• Transforming organizations for today's modern world
• Top .01% of Microsoft Partners with 14 Gold & 2 Silver Competencies
• 15,000 projects completed over 25 years

Our Partnership with Microsoft
• National Solutions Provider (NSP) in top .01% of Microsoft's partner ecosystem
• 2019 Microsoft Partner of the Year Awards
  • Modern Workplace – Security and Compliance: Winner
  • PowerApps: Winner
  • Modern Desktop: Finalist
  • PowerBI: Finalist
• 2018 Microsoft Partner Award, Azure Compete (United States)
• 2017 Microsoft Global Cloud Partner of the Year Finalist
• 2016 Microsoft Partner of the Year Winner (United States)
• On-staff experts awarded Microsoft's "Most Valuable Professional" (MVP)
• 20+ years of experience working with the Microsoft technology stack

Security & Compliance Services: Spyglass
Security Environment Analysis
▪ Analyze existing technology stack
▪ Map to compliance needs to identify gaps
▪ Identify overlapping solutions & opportunities for ROI improvement
▪ Recommend best-practice technology adoption
Tool Optimization & Implementation
▪ Demonstrate the art of the possible
▪ Deploy new technologies, such as Microsoft M365 E5
▪ Optimize implemented technologies, such as Azure Identity Protection
Continuous Posture Improvement
▪ Security Coach provides ongoing insight & support
▪ Dashboard connects disparate signals into one view for improved insight
▪ Technical experts available on demand

Security and Compliance Challenges
• 62% of cloud adopters are nervous about cloud security
• 63% of security incidents occur from within
• 51% can't find and keep the needed skillsets
• 80% of businesses are understaffed in security expertise
• 93% of cyber attacks target user identity
• 50% of business cloud adoption is led by Shadow IT
• $3.9M average cost of a successful security breach

Agenda
• What is Sentinel? What does it connect to?
• Common Use Cases
• Getting Started
• Understanding Pricing / Licensing
• Example Walk Through

What is Azure Sentinel and Why You Need It
Sentinel is Microsoft's Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution.
SIEM solutions aggregate events and alerts from numerous solutions to correlate intelligence. The consolidated view streamlines threat hunting and allows for automated remediation or assisted investigations.
SOAR solutions are a stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance.

That's nice, but what does it really mean?
• Find your alerts in one place.
• Makes repeatable searches easier.
• Centralized place for investigations.
• Machine learning surfaces unusual activity.
• Ability for semi-automated or automated response.

#1 Sentinel is a place to ship your events and alerts (Single Pane for Investigations)
Example: Ransomware hit employees via email and their cloud files were impacted
• Cloud App Security (What files were infected?)
• Azure AD Sign In Activity (Who logged in, from what IP?)
• Office 365 Activity (What else did they do during that session?)
• Symantec Malware Logs (Was AV patched and up to date when it slipped through?)
• Azure AD Identity Protection (Did an attacker come in from a breached account?)
• Azure Security Center (Did the payload change their device configuration, or just encrypt the files?)

#2 Sentinel Speeds Up Investigations
• Machine Learning systems (Microsoft's, or your own custom ML) analyze data for anomalies.
• Repeatable Threat Hunting Queries and Automatic Analytic Triggers find issues faster.

#3 Sentinel Streamlines Response
• Allows investigators to tag events / alerts / notes as they go.
• Playbooks allow for automated or semi-automated response.
  • Investigator identifies a false positive, triggers an event that logs it, whitelists the IP, and closes the ticket.
  • Impossible Travel Scenario = automatically create a ticket and lock the account if not on a corp device.

What if you already have a SIEM?
• Most organizations don't have their cloud data integrated yet.
• Those that do pay an exorbitant amount to import it (database bloat).
• Few orgs have meaningful SIEM/SOAR maturity for O365, Azure, Amazon Web Services, or Enterprise Mobility + Security solutions.
• Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert fatigue and automatically surface anomalous data.
• Also… it's free for O365/Azure basic threat hunting, so there's that ☺

Getting Started

What's needed?
• Azure Subscription: the account must have access to the source system data to be analyzed.
• Azure Log Analytics: Standard Tier recommended. Free logging lacks many critical security data points.
• Azure Logic Apps: necessary for some remediations.
• Azure Automation: necessary for some remediations.
• Azure Security Center: optional, but streams great data!

Navigating Sentinel
• Overview: automatic reports generated based on your data
• Logs: manual queries for threat hunting / correlation
• Cases: SOC burn-down list (tickets), created by Analytics
• Dashboards: common reports sorted by source type
• Hunting: reusable queries for investigations
• Notebooks: Jupyter notebooks with Markdown text
• Data Connectors: connect to data sources
• Analytics: trigger conditions that create cases
• Playbooks: Logic App playbooks to remediate / manage issues
• Workspace settings: where Sentinel data is stored. Can pull data ingestion and cost data. Adjust retention here!

Follow the Wizard
Once the workspace is ready:
• https://portal.azure.com
• Search for Azure Sentinel
• Follow the Getting Started Wizard

Creating Data Connectors
Data connectors are usually:
1. Cloud based, and you only need your admin credentials.
2. Agent based, and you use the Microsoft Monitoring Agent for the log upload.
3. Most common scenarios are turn-key (Syslog, Endpoint Protection, etc.)

Workbooks

Building a Query with Kusto Query Language
Attacker IP Query / Investigation:
  OfficeActivity | where ClientIP == '13.64.199.41'
  (OfficeActivity = table, | = operand, where = clause, ClientIP = column, '13.64.199.41' = value)
• Starter Tip: Browse tables, find the data, and add the column to the query. Delete the excess.

Tracking the Investigation (Bookmarks & Notebooks)

Investigations – Sample: Login Attempts from Blacklisted IP

Building Responses
• Azure Logic Apps
• Tons of connectors to web services or on-prem apps
• Similar to MS Flow/Power Automate or IFTTT, but different.
• Remember that it's log-analysis based, not real time! (Not a replacement for proactive protection.)

Things they don't tell you
• Fusion must be manually enabled via PowerShell: https://docs.microsoft.com/en-us/azure/sentinel/connect-fusion
• AI Investigation is a Private Preview (request form is online).
• HTTP Post = Graph API & many, many other things!
• Workspace / source system pricing tiers matter.
• It can take an experienced eye to identify what is going on.

How is it priced?
• Data import from Office 365 and Azure is free.
• Charges occur for: data ingestion, automation workflows, or custom Machine Learning models.
• Data ingestion / retention will be the largest charge for a typical deployment.
• Free tier is available (500 MB / day).
• 31 days retention is free.
• Beyond the free amount/period: $2.30 per GB ingestion, $0.10 per GB per month retention.

How is it priced? (Preview)
• There will be no charges specific to Azure Sentinel during the preview.
• Data import from Office 365 is free.
• Even during preview, charges occur for: data ingestion, automation workflows, or custom Machine Learning models.
• Data ingestion / retention will be the largest charge for a typical deployment.
• 5 GB per customer per month is free.
• 31 days retention is free.
• Beyond the free amount/period: $2.30 per GB ingestion, $0.10 per GB per month retention.

Example from the field (Skype Hybrid Brute Force)
[Chart: Successful Sign-ins (30 days), 40 Countries]

Q&A
Joe Kuster
Director, Security & Compliance Solutions, Catapult Systems
Joe.Kuster@CatapultSystems.com

Catapult's Security Services
Spyglass is Catapult's Security Coaching Service. There are several ways we assist clients:
• Assessments: Office 365, Azure, Greenfield, Planning
• Monthly Subscriptions: right-sized to meet your needs, environment, and budget.
• Flexible On-Demand Expertise: assistance when you need it and as much as you need across the entire Microsoft stack.

Spyglass, Office 365 Security Assessment
O365 Assessment Insights:
• Identifying risky user and administrator behavior
• Evaluates the environment against common regulatory standards (e.g., PCI DSS 3.2, SOC)
• Provides actionable insight on:
  • Identity & Access
  • Data & Storage, Leakage
  • Phishing & Malware
  • Threat Protection
  • SecureScore
• Review results and roadmap in person

Thank you.
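The "Attacker IP Query / Investigation" slide stops at a single filter on OfficeActivity. As an added example (not from the deck, Catapult or Microsoft), the query below starts from that same sample IP and pivots across OfficeActivity and SigninLogs, the Office 365 and Azure AD sign-in sources named on the "single pane" slide; the IP is the deck's own sample value, the 30-day lookback is an assumption, and the column names are the standard Sentinel schema for those two tables.

```kql
// Added example (not from the deck or Microsoft): pivot from one suspicious
// client IP across the two sources the deck names, OfficeActivity (Office 365
// audit) and SigninLogs (Azure AD sign-ins). The IP is the deck's own sample
// value; 30d is an assumed lookback.
let suspectIp = "13.64.199.41";
let lookback = 30d;
// Step 1: what did that IP do in Office 365, and under which accounts?
// (OfficeActivity.ClientIP can carry a ":port" suffix for some workloads;
// switch the filter to `ClientIP startswith suspectIp` if matches are missing.)
let officeHits = OfficeActivity
    | where TimeGenerated > ago(lookback)
    | where ClientIP == suspectIp
    | summarize Events = count(),
                Operations = make_set(Operation),
                Workloads = make_set(OfficeWorkload),
                FirstSeen = min(TimeGenerated),
                LastSeen = max(TimeGenerated)
      by UserId;
// Step 2: Azure AD sign-ins from the same IP. ResultType "0" is a success;
// anything else is a failure code.
let signins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where IPAddress == suspectIp
    | summarize Successful = countif(ResultType == "0"),
                Failed = countif(ResultType != "0"),
                Apps = make_set(AppDisplayName)
      by UserPrincipalName;
// Step 3: join on the account so each row answers "who, from where, doing what".
// fullouter keeps accounts that appear in only one of the two tables.
officeHits
| join kind=fullouter signins on $left.UserId == $right.UserPrincipalName
| extend Account = coalesce(UserId, UserPrincipalName)
| project Account, Successful, Failed, Apps, Events, Operations, Workloads, FirstSeen, LastSeen
| sort by Failed desc, Events desc
```

Run it from the Logs blade; accounts with many failures and no Office activity are candidates for a bookmark, while accounts with a success followed by Office operations are the ones to open a Case on.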
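For the "Login Attempts from Blacklisted IP" and "Skype Hybrid Brute Force" slides the deck shows only screenshots. This added example (not the deck's, Catapult's or Microsoft's) is a scheduled Analytics rule query that turns the brute-force pattern into a Case: a burst of failed sign-ins for one account from one IP, followed by a success from that same IP. The 20-failure threshold, the one-hour window and the two Azure AD failure codes are assumptions to tune against your own sign-in data.

```kql
// Added example (not from the deck or Microsoft): a scheduled Analytics rule
// query for the brute-force pattern. A Case is raised when one account sees a
// burst of failed sign-ins from one IP and that same IP then signs in
// successfully. Threshold, window and the two failure codes are assumptions.
let window = 1h;
let failureThreshold = 20;
// Azure AD sign-in result codes (assumed): 50126 = invalid username/password,
// 50053 = account locked out. "0" is a successful sign-in.
let failures = SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType in ("50126", "50053")
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                Clients = make_set(ClientAppUsed)   // surfaces legacy protocols
      by UserPrincipalName, IPAddress
    | where FailedCount >= failureThreshold;
let successes = SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated, Location;
failures
| join kind=inner successes on UserPrincipalName, IPAddress
// Only a success that comes after the burst indicates the guessing worked.
| where SuccessTime > LastFail
| project UserPrincipalName, IPAddress, Location, FailedCount, FirstFail, LastFail, SuccessTime, Clients
// Entity mapping so the Case links the Account and IP entities.
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```

Schedule the rule to run every hour over the same one-hour window so each burst is evaluated once, and wire the resulting Case to a Playbook such as the lock-account response described on the "#3 Sentinel Streamlines Response" slide.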