Azure Sentinel 101 - Catapult Systems
TRANSCRIPT
Introducing Catapult
Transforming organizations for today's modern world
15,000 projects completed over 25 years
Top .01% of Microsoft Partners with 14 Gold & 2 Silver Competencies
Serving all 50 states, Mexico, Canada and the Caribbean
Our Partnership with Microsoft
• National Solutions Provider (NSP) in top .01% of Microsoft’s partner ecosystem
• 2019 Microsoft Partner of the Year Awards
• Modern Workplace – Security and Compliance - Winner
• PowerApps - Winner
• Modern Desktop - Finalist
• PowerBI - Finalist
• 2018 Microsoft Partner Award Azure Compete (United States)
• 2017 Microsoft Global Cloud Partner of the Year Finalist
• 2016 Microsoft Partner of the Year Winner (United States)
• On-staff experts awarded Microsoft’s “Most Valuable Professional” (MVP)
• 20+ Years of experience working with the Microsoft technology stack
Security & Compliance Services
Security Environment Analysis
▪ Analyze existing technology stack
▪ Map to compliance needs to identify gaps
▪ Identify overlapping solutions & opportunities for ROI improvement
▪ Recommend best practice technology adoption
Tool Optimization & Implementation
▪ Demonstrate art of the possible
▪ Deploy new technologies, such as Microsoft M365 E5
▪ Optimize implemented technologies, such as Azure Identity Protection
Continuous Posture Improvement
▪ Security Coach provides ongoing insight & support
▪ Dashboard connects disparate signals into a single view for improved insight
▪ Technical experts available on demand
Spyglass
Security and Compliance Challenges
93% of cyber attacks target user identity
50% of business cloud adoption is led by Shadow IT
63% of businesses are understaffed in security expertise
$3.9M average cost of a successful security breach
51% can't find and keep the needed skillsets
62% of cloud adopters nervous about cloud security
80% of security incidents occur from within
Agenda
What is Sentinel?
What does it connect to?
Common Use Cases
Getting Started
Understanding Pricing / Licensing
Example Walk Through
What is Azure Sentinel and Why You Need It
Sentinel is Microsoft's Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution.
SIEM solutions aggregate events and alerts from numerous sources and correlate them into intelligence. The consolidated view streamlines threat hunting and allows for automated remediation or assisted investigation.
SOAR solutions are a stack of compatible software programs that let an organization collect data about security threats from multiple sources and respond to low-level security events without human assistance.
That's nice, but what does it really mean?
• Find your alerts in one place.
• Makes repeatable searches easier.
• Centralized place for investigations.
• Machine learning surfaces unusual activity.
• Ability for semi-automated or automated response.
#1 Sentinel is a place to ship your events and alerts. (Single Pane for Investigations)
Example: Ransomware hit employees via email and their cloud files were impacted
• Cloud App Security (What files were infected?)
• Azure AD Sign In Activity (Who logged in, from what IP?)
• Office 365 Activity (What else did they do during that session?)
• Symantec Malware Logs (Was AV patched and up to date when it slipped through?)
• Azure AD Identity Protection (Did an attacker come in from a breached account?)
• Azure Security Center (Did the payload change their device configuration, or just encrypt the files?)
#2 Sentinel Speeds Up Investigations
• Machine Learning systems (Microsoft's, or your own custom ML) analyze data for anomalies.
• Repeatable Threat Hunting Queries and Automatic Analytic Triggers find issues faster.
#3 Sentinel Streamlines Response
• Allows investigators to tag events / alerts / notes as they go.
• Playbooks allow for automated or semi-automated response.
• Investigator identifies a false positive, triggers an event that logs it, whitelists the IP, and closes the ticket.
• Impossible Travel Scenario = Automatically create a ticket and lock the account if not on a corp device.
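The impossible-travel branch on this slide can be expressed as a hunting query that Analytics can then turn into a case. The query below is an added example written for this page, not code from Catapult's deck or from Microsoft's docs. It assumes the Azure AD sign-in connector is on (so the SigninLogs table is populated) and uses 900 km/h as the "faster than a plane" threshold, which is an assumption you should tune.

```kusto
// Added example, not from the original slides.
// Assumes the Azure AD connector is enabled so SigninLogs has data.
let maxSpeedKmh = 900.0;            // assumed threshold: faster than a commercial flight
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"           // "0" is a successful sign-in in SigninLogs
| extend Lat = toreal(LocationDetails.geoCoordinates.latitude),
         Lon = toreal(LocationDetails.geoCoordinates.longitude)
| where isnotnull(Lat) and isnotnull(Lon)
// sort serializes the rows so prev() can look at the previous sign-in
| sort by UserPrincipalName asc, TimeGenerated asc
| extend PrevUser = prev(UserPrincipalName), PrevTime = prev(TimeGenerated),
         PrevIP   = prev(IPAddress),         PrevLat  = prev(Lat), PrevLon = prev(Lon)
| where UserPrincipalName == PrevUser       // only compare against the same user's prior sign-in
// great-circle distance in metres -> km, elapsed time in hours
| extend DistanceKm = geo_distance_2points(PrevLon, PrevLat, Lon, Lat) / 1000.0,
         Hours      = (TimeGenerated - PrevTime) / 1h
| where Hours > 0 and DistanceKm / Hours > maxSpeedKmh
// the fact the slide's playbook needs: was the second sign-in from a corp-managed device?
| extend CorpDevice = tostring(DeviceDetail.isCompliant) == "true"
                      or tostring(DeviceDetail.isManaged) == "true"
| project TimeGenerated, UserPrincipalName, PrevIP, IPAddress, DistanceKm, Hours,
          SpeedKmh = DistanceKm / Hours, CorpDevice, AppDisplayName
```

Run it from Logs first to see how noisy it is in your tenant (VPN egress points and mobile carriers produce legitimate "jumps"), then save it as a Hunting query or an Analytics rule. The CorpDevice column is what a playbook bound to that rule would branch on: open a ticket only, or open a ticket and lock the account.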
What if you already have a SIEM
• Most organizations don't have their cloud data integrated yet.
• Those that do pay an exorbitant amount to import it (database bloat).
• Few orgs have meaningful SIEM/SOAR maturity for O365, Azure, Amazon Web Services, or Enterprise Mobility + Security solutions.
• Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert fatigue and automatically surface anomalous data.
• Also… it's free for O365/Azure basic threat hunting, so there's that ☺
What's needed?
• Azure Subscription: the account must have access to the source system data to be analyzed.
• Azure Log Analytics: Standard tier recommended. Free logging lacks many critical security data points.
• Azure Logic Apps: necessary for some remediations.
• Azure Automation: necessary for some remediations.
• Azure Security Center: optional, but streams great data!
Navigating Sentinel
• Overview: Automatic reports generated based on your data
• Logs: Manual queries for threat hunting / correlation
• Cases: SOC burn-down list (tickets), created by Analytics
• Dashboards: Common reports sorted by source type
• Hunting: Reusable queries for investigations
• Notebooks: Jupyter notebooks w/ Markdown text
• Data Connectors: Connect to data sources.
• Analytics: Trigger conditions that create cases.
• Playbooks: Logic App playbooks to remediate / manage issues.
• Workspace settings: where Sentinel data is stored. Can pull data ingestion and cost data. Adjust retention here!
Follow the Wizard
Once workspace is ready:
• https://portal.azure.com
• Search for Azure Sentinel
• Follow Getting Started Wizard
Creating Data Connectors
Data connectors are usually:
1. Cloud based, and you only need your admin credentials.
2. Agent based, and you use the Microsoft Monitoring Agent for the log upload.
3. Most common scenarios are turn-key (Syslog, Endpoint Protection, etc.)
Building a Query with Kusto Query Language
• Attacker IP Query / Investigation
OfficeActivity | where ClientIP == '13.64.199.41'
Table | clause Column operator value
• Starter Tip: Browse tables, find the data, and add the column to the query. Delete the excess.
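Building on the one-line attacker IP query above, here is the pivot an investigator usually does next: from the IP to the accounts it signed in as, then to everything those accounts did in Office 365 during that window. This is an added example written for this page, not a query from the slides or from Microsoft's docs. It assumes the Office 365 and Azure AD connectors are enabled so that OfficeActivity and SigninLogs are populated; the IP is the placeholder value from the slide.

```kusto
// Added example, not from the original slides.
// Assumes the Office 365 and Azure AD connectors are enabled.
let attackerIP = "13.64.199.41";    // placeholder IP taken from the slide's example
let lookback   = 7d;
// Step 1: which accounts did the IP successfully authenticate as, and when?
let compromised =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where IPAddress == attackerIP
    | summarize Attempts  = count(),
                Successes = countif(ResultType == "0"),   // "0" = success
                FirstSeen = min(TimeGenerated),
                LastSeen  = max(TimeGenerated)
                by User = tolower(UserPrincipalName)      // lower-case so it joins with OfficeActivity.UserId
    | where Successes > 0;                                // ignore accounts the attacker only guessed at
// Step 2: everything those accounts did in Office 365 while the attacker was active,
// from ANY client IP, so activity continued through a second IP is not missed.
OfficeActivity
| where TimeGenerated > ago(lookback)
| extend User = tolower(UserId)
| join kind=inner compromised on User
| where TimeGenerated between (FirstSeen .. LastSeen)
| summarize Events         = count(),
            Operations     = make_set(Operation, 50),
            // OfficeActivity.ClientIP sometimes carries a ":port" suffix, so == would miss rows
            FromAttackerIP = countif(ClientIP startswith attackerIP)
            by User, OfficeWorkload
| order by Events desc
```

Two things worth noticing that the one-liner hides: OfficeActivity's ClientIP field is not always a bare address (hence startswith rather than ==), and user identifiers differ in case between the two tables, so both sides are normalised with tolower() before the join. Paste the query into Logs, swap in the IP from your alert, and then drill into the Operations set (FileDownloaded, New-InboxRule and similar) for the accounts with the most events.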
Building Responses
• Azure Logic Apps
• Tons of connectors to web services or on-prem apps
• Similar to MS Flow/Power Automate or IFTTT, but different.
• Remember that it's log analysis based, not real time! (Not a replacement for proactive protection)
Things they don't tell you
• Fusion must be manually enabled via PowerShell: https://docs.microsoft.com/en-us/azure/sentinel/connect-fusion
• AI Investigation is a Private Preview (request form is online).
• An HTTP POST action in a playbook reaches the Graph API and many, many other things!
• Workspace / source system pricing tiers matter.
• It can take an experienced eye to identify what is going on.
How is it priced?
• Data import from Office 365 and Azure is free.
• Charges occur for: data ingestion, automation workflows, or custom machine learning models.
• Data ingestion / retention will be the largest charge for a typical deployment.
• Free tier is available (500 MB / day).
• 31 days of retention is free.
• Beyond the free amount/period: $2.30 per GB ingested, $0.10 per GB per month retained.
How is it priced?
• There will be no charges specific to Azure Sentinel during the preview.
• Data import from Office 365 is free.
• Even during preview, charges occur for: data ingestion, automation workflows, or custom machine learning models.
• Data ingestion / retention will be the largest charge for a typical deployment.
• 5 GB per customer per month is free.
• 31 days of retention is free.
• Beyond the free amount/period: $2.30 per GB ingested, $0.10 per GB per month retained.
Q&A
Joe Kuster
Director, Security & Compliance Solutions
Catapult Systems
Catapult's Security Services
Spyglass is Catapult's Security Coaching Service
There are several ways we assist clients:
• Assessments: Office 365, Azure, Greenfield, Planning
• Monthly Subscriptions: Right-sized to meet your needs, environment, and budget.
• Flexible On-Demand Expertise: Assistance when you need it and as much as you need across the entire Microsoft stack.
Spyglass, Office 365 Security Assessment
O365 Assessment Insights:
• Identifying risky user and administrator behavior
• Evaluates environment against common regulatory standards (e.g., PCI DSS 3.2, SOC)
• Provides Actionable Insight on:
• Identity & Access
• Data & Storage, Leakage
• Phishing & Malware
• Threat Protection
• SecureScore
• Review results and roadmap in-person