Maximising Your Microsoft Security Environment

If you're a Microsoft-focused organization you may be able to leverage the technology you already have to become more secure.

For many of the organizations I speak with daily, the ideal is to get the most out of what is already included in their licensing agreement, using the people already in their IT and security departments. That is a real challenge for smaller organizations that lack the large security analyst teams of a big financial institution.

No, your SOC probably doesn’t look like this.

First, the IT security team is usually already stretched. If you are considering standing up your own Security Operations Centre (SOC), Trustwave's lead SOC consultant in PAC, Leigh Costin, tells me that properly staffing one optimally takes a team of up to 18 people once you account for the different roles and responsibilities, 24 x 7 year-round coverage and staff leave. The further challenge is configuring Microsoft Sentinel and Defender to suit your organization accurately, so that you are not missing key alerts and incidents.

The first step is to check your licensing agreement to understand which Microsoft security licensing your organization already holds.

Here are five topics to consider as you spin up your Microsoft Defender and Sentinel platforms and keep them running.

Where to Start and End

Map the existing event sources, including the non-Microsoft technology that contributes to the security environment, and integrate them into the Sentinel SIEM. The clients I work with ALL have mixed-vendor security technology in their environments.

Bringing existing security technology investments into a single point of focus helps you cover whichever critical attack surfaces you define. This can require working with APIs and API gateways and learning more about the log sources themselves. The aim is to find gaps and understand what they mean for your network security posture.

Sorting Out the Anomalies

Although a wide range of use cases for the Sentinel/Defender toolset is available in the Sentinel Content hub and the community GitHub repository, tuning your security environment makes the difference between being overwhelmed with noise and noticing the important events early and responding fast.

Your Microsoft environment will derive anomalies from trends. That takes time, however, and it does not by itself account for periodic activities such as end-of-month or end-of-quarter processing. These change behavior in ways that produce different levels of alerts for your business, and you will see spikes of false positives as a result.

Iterative tuning and baselining is a skill, so there is a distinct advantage in using people who have done it before, at scale and in industries like yours.
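The periodic-activity problem above is easiest to see on data. The following is an added example written for this page, not code from the original post and not Sentinel's anomaly engine: it runs two baselining strategies over constructed daily failed-logon counts (a two-day month-end "close" window and the counts themselves are assumptions). A single baseline built from all prior days flags every month-end spike; a baseline stratified by day kind (ordinary versus close day) flags only the one spike that is genuinely out of pattern.

```python
"""Period-aware baselining over constructed daily event counts.

Added example, not the original post's code and not Microsoft Sentinel's own
anomaly engine. The month-end window and the sample counts are constructed
assumptions used only to show the tuning idea.
"""
from __future__ import annotations

import calendar
import statistics
from datetime import date, timedelta

START = date(2024, 1, 1)
REAL_ANOMALY = START + timedelta(days=19)  # the one spike that is not periodic


def is_month_end(d: date, window: int = 2) -> bool:
    """Assumed business rule: the last `window` days of a month are 'close' days."""
    return d.day > calendar.monthrange(d.year, d.month)[1] - window


def build_sample_counts(start: date = START, days: int = 90) -> dict[date, int]:
    """Constructed data: ~40-50 failed logons per ordinary day, ~200-210 on
    close days, plus one genuine anomaly (210) on an ordinary mid-month day."""
    counts = {}
    for i in range(days):
        d = start + timedelta(days=i)
        counts[d] = (200 if is_month_end(d) else 40) + (i * 7) % 11
    counts[start + timedelta(days=19)] = 210
    return counts


def robust_z(value: float, history: list[int]) -> float:
    """Median/MAD z-score; unlike mean/stdev it is not dragged by past spikes."""
    med = statistics.median(history)
    scale = 1.4826 * statistics.median(abs(v - med) for v in history)
    if scale == 0:
        return 0.0 if value == med else float("inf")
    return (value - med) / scale


def naive_anomalies(counts, threshold=3.0, min_history=3) -> list[date]:
    """Single baseline from all prior days: every close day looks anomalous."""
    flagged, history = [], []
    for d in sorted(counts):
        if len(history) >= min_history and robust_z(counts[d], history) > threshold:
            flagged.append(d)
        history.append(counts[d])
    return flagged


def stratified_anomalies(counts, threshold=3.0, min_history=3) -> list[date]:
    """One baseline per day kind: close days are judged against earlier close
    days, ordinary days against ordinary days. Until a kind has min_history
    samples it is not scored at all (new periodic behaviour needs a baseline)."""
    flagged, history = [], {True: [], False: []}
    for d in sorted(counts):
        hist = history[is_month_end(d)]
        if len(hist) >= min_history and robust_z(counts[d], hist) > threshold:
            flagged.append(d)
        hist.append(counts[d])
    return flagged


SAMPLE_COUNTS = build_sample_counts()

if __name__ == "__main__":
    print("naive     :", naive_anomalies(SAMPLE_COUNTS))
    print("stratified:", stratified_anomalies(SAMPLE_COUNTS))
```

The same idea carries over to a production rule: the "kind" of a day (or hour) is whatever your business calendar says it is, and the first few occurrences of a new periodic activity will still need a human to confirm they are benign before they become part of the baseline.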

Build and Adapt Specific Use Cases

Microsoft Sentinel's Fusion engine automatically detects multi-stage attacks by correlating anomalous behaviors and suspicious activities observed at different stages of the cyber kill chain. From these it generates incidents that would otherwise be very hard to catch, provided you have connected the data sources that give it coverage.

By design these incidents are low-volume, high-fidelity and high-severity, which is why the detection is enabled by default. Sentinel's machine learning (ML) engine trains on 30 days of historical data. Tuning these rules to your business environment can help reduce false positives.

Microsoft currently provides 90 multi-stage attack scenarios for Sentinel, 35 of which are generally available. Consider which additional queries to add as custom analytics rules to maximize your Microsoft detection coverage.

Trustwave consultants provide Use Case as a Service engagements for organizations that want to draw on our experience to build and deploy these quickly into their environment. Engagements can be as short as three days to ensure the right scenarios are set up as custom analytics rules.

Trustwave also offers a Use Case Accelerator program that reviews your use cases at regular (quarterly) intervals and tunes them to changes in the security landscape and your environment: whether new event sources have been added, infrastructure has changed, or new attack surface concerns have appeared. Automating repetitive response actions also helps maximize your SOC's efficiency and effectiveness; in Sentinel that means automation rules and playbooks (Azure Logic Apps), which carry out incident-handling steps without waiting on an analyst.

Beyond the Tools

It is highly advisable (actually mandatory) to develop a set of standard operating procedures (SOPs). These are formal, written instructions for incident response that typically have both operational and technical components. SOPs help coordinate incident response and manage interactions within the information security team and with the rest of the business. They should draw on best practice and be ready and available when an incident occurs.

The SOP should cover the steps to triage, investigate and remediate an incident, as well as the non-technical aspects. For example, who in the organization should be notified: HR? Your marketing team? Legal?

Sentinel ships with playbook templates; consider which ones you should customize and then augment with manual steps. The Trustwave Security Colony CISO resource site also has a great deal of information on how to develop an incident response plan.

Document these SOPs as a one-page flowchart, not a 10-page Word document, and practice them. Everyone involved needs to be on the same page; no one likes surprises.

Nothing Stays the Same

New threats are discovered daily, so your Microsoft environment needs ongoing security content updates, patches and fixes to keep the managed technology protected. Trustwave consultants strongly recommend connecting third-party threat intelligence feeds to Sentinel through the Threat Intelligence Upload Indicators API data connector, which accepts indicators as STIX objects from any source that can call the API. Ongoing maintenance of your Sentinel and Defender setup is critical to staying current with the latest threats.

Remember that security is an ongoing process: continuously assess, adapt and improve your environment to stay ahead of evolving threats.
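Feeding a third-party list through the Upload Indicators API connector mentioned above means turning plain IOCs into STIX 2.1 Indicator objects and posting them in request-sized batches. The following is an added example written for this page (not Trustwave's or Microsoft's code); the endpoint, payload shape and 100-indicator request limit follow Microsoft's public documentation for api-version 2022-07-01, while the sample feed, the source-system name and the workspace ID placeholder are constructed. Malformed feed lines are rejected rather than uploaded, so a broken line cannot become an over-broad or invalid pattern.

```python
"""Build STIX 2.1 indicators from a plain IOC feed and upload them to
Microsoft Sentinel through the Threat Intelligence Upload Indicators API.

Added example, not Trustwave's or Microsoft's code. Endpoint, payload shape and
per-request limit follow Microsoft's public docs for api-version 2022-07-01;
SAMPLE_FEED and the placeholders in main() are constructed.
"""
from __future__ import annotations

import ipaddress
import json
import re
import urllib.error
import urllib.request
import uuid
from datetime import datetime, timedelta, timezone

API_VERSION = "2022-07-01"
MAX_INDICATORS_PER_REQUEST = 100  # documented limit per call

# Constructed sample feed: "type,value,confidence,description" per line.
# The last line is deliberately malformed to exercise validation.
SAMPLE_FEED = """\
ipv4,203.0.113.45,80,C2 beacon seen in a constructed incident
domain,malicious-update.example,70,Fake update host (constructed)
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,95,Dropper hash (constructed)
url,http://phish.example/login,60,Credential phishing page (constructed)
ipv4,999.1.1.1,50,Malformed address, must be rejected
"""

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
_SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)


def _q(value: str) -> str:
    """Escape a value for a single-quoted STIX pattern literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _stamp(t: datetime) -> str:
    return t.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def stix_pattern(ioc_type: str, value: str) -> str:
    """Map an IOC to a STIX 2.1 pattern; raise ValueError on bad input."""
    if ioc_type == "ipv4":
        ipaddress.IPv4Address(value)  # raises on anything that is not an IPv4
        return f"[ipv4-addr:value = '{value}']"
    if ioc_type == "domain" and _DOMAIN_RE.match(value):
        return f"[domain-name:value = '{_q(value.lower())}']"
    if ioc_type == "sha256" and _SHA256_RE.match(value):
        return f"[file:hashes.'SHA-256' = '{value.lower()}']"
    if ioc_type == "url" and value.startswith(("http://", "https://")):
        return f"[url:value = '{_q(value)}']"
    raise ValueError(f"unsupported or malformed IOC {ioc_type}:{value!r}")


def build_indicator(ioc_type, value, confidence, description, *,
                    valid_days=30, now=None) -> dict:
    """One STIX 2.1 Indicator object in the shape the upload API expects."""
    now = now or datetime.now(timezone.utc)
    confidence = int(confidence)
    if not 0 <= confidence <= 100:
        raise ValueError(f"confidence out of range: {confidence}")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        # Deterministic id: re-running the same feed yields the same object id.
        "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, f'{ioc_type}:{value}')}",
        "created": _stamp(now),
        "modified": _stamp(now),
        "name": f"{ioc_type}:{value}",
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(ioc_type, value),
        "pattern_type": "stix",
        "valid_from": _stamp(now),
        "valid_until": _stamp(now + timedelta(days=valid_days)),
        "confidence": confidence,
    }


def parse_feed(text: str) -> tuple[list[dict], list[str]]:
    """Return (indicators, rejected_lines); a bad line is reported, not fatal."""
    good, bad = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            ioc_type, value, confidence, description = line.split(",", 3)
            good.append(build_indicator(ioc_type.strip(), value.strip(),
                                        confidence.strip(), description.strip()))
        except ValueError as exc:
            bad.append(f"{line} -> {exc}")
    return good, bad


def batches(items: list, size: int = MAX_INDICATORS_PER_REQUEST) -> list[list]:
    """Split into request-sized chunks so no call exceeds the API limit."""
    return [items[i:i + size] for i in range(0, len(items), size)]


def upload(workspace_id: str, token: str, indicators: list[dict],
           source_system: str) -> list[tuple[int, str]]:
    """POST each batch. `token` is a bearer token for https://management.azure.com
    held by an identity with Microsoft Sentinel Contributor on the workspace."""
    url = (f"https://sentinelus.azure-api.net/{workspace_id}"
           f"/threatintelligence:upload-indicators?api-version={API_VERSION}")
    results = []
    for batch in batches(indicators):
        body = json.dumps({"sourcesystem": source_system, "indicators": batch}).encode()
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                results.append((resp.status, resp.read().decode()))
        except urllib.error.HTTPError as err:  # body carries per-indicator errors
            results.append((err.code, err.read().decode()))
    return results


if __name__ == "__main__":
    indicators, rejected = parse_feed(SAMPLE_FEED)
    print(json.dumps(indicators[0], indent=2))
    print("rejected:", rejected)
    # upload("<workspace-id>", "<token>", indicators, "ExampleFeed")  # placeholders
```

Two design choices matter operationally: the deterministic `id` means re-running the feed refreshes the same objects instead of piling up duplicates in the ThreatIntelligenceIndicator table, and `valid_until` keeps stale indicators from matching forever, which is one of the commonest sources of threat-intelligence false positives once a feed has been connected and forgotten.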

Resources

Learn how Trustwave helped Higgins Coatings become more secure by leaning on Trustwave's security information and event management (SIEM) and SOC experts to transform their security operations.

Trustwave has leading services for Microsoft technology: we are a top managed SOC partner for Microsoft Sentinel and Microsoft Defender.

We are also a Microsoft FastTrack specialist, helping clients deploy Microsoft 365 security solutions more effectively. Contact us and we will help you get started with a Threat Protection Engagement and develop a strategic plan for your Sentinel and Defender setup customized for your organization.
