Azure Sentinel
Eng Soon Cheah
Microsoft MVP
@CheahEngSoon

Who am I?
• Microsoft MVP
• Senior IT Developer, Big 4
• Blog: https://dev.to/cheahengsoon
• YouTube: https://www.youtube.com/c/engsooncheah

Security Operations Team: Expanding digital estate

Traditional SOC Challenges
• Too many disconnected products
• High volume of noisy alerts
• Security skills in short supply
• Lack of automation
• Rising infrastructure costs and upfront investment
• IT deployment & maintenance
• Sophistication of threats

Security Operations Team: Cloud + Artificial Intelligence

Introducing Microsoft Azure Sentinel
Azure Sentinel: Cloud-native SIEM for intelligent security analytics for your entire enterprise
• Collect: security data across your enterprise
• Detect: threats with vast threat intelligence and AI
• Investigate: critical incidents guided by AI
• Respond: rapidly, and automate protection
• Limitless cloud speed and scale
• Bring your Office 365 data for free
• Easy integration with your existing tools
• Faster threat protection with AI by your side

Microsoft Security Advantage
• $1B annual investment in cybersecurity
• 3500+ global security experts
• Trillions of diverse signals for unparalleled intelligence

Limitless cloud speed and scale

Focus on security, unburden SecOps from IT tasks
© Microsoft Corporation Azure
• No infrastructure setup or maintenance
• SIEM service available in Azure portal
• Scale automatically, put no limits to compute or storage resources

Reduce security and IT costs - Get a cost-effective SIEM
• No infrastructure costs, only pay for what you use
• Bring your Office 365 data for free
• Predictable billing with capacity reservations
• Flexible model, no annual commitments
Traditional: Hardware setup, Software setup, Maintenance
Sentinel: Cloud-native, scalable SIEM

Integrate with existing tools & data sources

Collect security data at cloud scale from all sources across your enterprise
• Pre-wired integration with Microsoft solutions
• Connectors for many partner solutions
• Standard log format support for all sources
• Proven log platform with more than 10 petabytes of daily ingestion

Optimize for your needs
• Bring your own ML models & threat intelligence: bring your own insights, machine learning models, and threat intelligence
• Security community: tap into our security community to build on detections, threat intelligence, and response automation

AI by your side

Detect threats and analyze security data quickly with AI
• ML models based on decades of Microsoft security experience and learnings
• Millions of signals filtered to few correlated and prioritized incidents
• Insights based on vast Microsoft threat intelligence and your own TI
• Reduce alert fatigue by up to 90%
Threat Detection and Analysis: Correlated rules; User Entity Behavior Analysis integrated with Microsoft 365; Pre-built Machine Learning models; Bring your own ML models

Investigate threats with AI and hunt suspicious activities at scale
• Get prioritized alerts and automated expert guidance
• Visualize the entire attack and its impact
• Hunt for suspicious activities using pre-built queries and Azure Notebooks

Respond rapidly with built-in orchestration and automation
Build automated and scalable playbooks that integrate across tools:
• Security Products
• Ticketing Systems (ServiceNow)
• Additional tools

Take actions today - Get started with Azure Sentinel
To learn more, visit https://aka.ms/AzureSentinel
• Connect data sources
• Start Microsoft Azure trial
• Open Azure Sentinel dashboard in Azure Portal

Demo
How can Tailwind Traders detect suspicious activity in the Tailwind Traders Azure AD instance?

Azure Sentinel
• Facebook: Microsoft Developers Malaysia
• Twitter & Insta: msdevsmy
❖ Like, Comment, Share & Subscribe ❖


Editor's Notes

  • #4: Today, organizations are faced with the incredibly difficult task of trying to protect their expanded digital estate from increasing cyber threats. The move to the cloud and a mobile workforce have pushed the border of your estate beyond the boundary of your physical network. Your data, users and systems are everywhere. Meanwhile, the frequency and sophistication of attacks are ever growing. Regardless of the size of your organization or the industry, you are a target. This is the challenge that we all struggle with in IT security, and it's a challenge we at Microsoft think we can uniquely help with.
  • #5: The SecOps mission of protecting organizations' information and assets is becoming increasingly difficult. Attack techniques, frequency, and complexity are evolving fast. Security teams are under strain from the expanding breadth of defensive technologies, accelerating hybrid cloud adoption, and borderless, zero-trust networks. The shortage of SecOps talent makes this problem worse.
    Considering the future needs of SOCs, these are the most prominent pain points:
    Threats continue to grow in complexity and volume. Attacks are increasingly heterogeneous. A typical attack spans different parts of the enterprise and crosses various resource types: it might start from an IoT device, proceed to an endpoint, spread to a cloud service or to a database, involve multiple user accounts or tenants, and so on.
    Alert fatigue: SOCs see too many alerts from disconnected products. Enterprise SOCs typically have dozens of security products, each producing a large volume of alerts. In isolation, these products often have high false positive rates and poor response prioritization, resulting in deafening alert noise. Attacks fall through the cracks despite generating alerts. Unfortunately, legacy SIEMs function only as aggregators and don't increase response capabilities. Enterprise SOCs need a way to integrate their security products to reduce the noise, prioritize alerts, and enable investigation and hunting across the entire dataset.
    There is a global shortage of security analysts and experience. The need for skilled security professionals has greatly increased, and supply cannot meet current or future demand. A recent report by CSO magazine showed that this global talent shortage will increase to 3.5 million unfilled security jobs by 2021.
    Investigation is complex and time-consuming. Every second counts when SecOps personnel are handling a threat that might jeopardize their organization. The clock is ticking fast, but investigation requires highly skilled security analysts and can often take days or weeks.
    Current solutions are not architected for today's demands, or tomorrow's. Legacy on-premises SIEMs require powerful hardware and extensive maintenance that make them expensive to operate. Storage and compute needs increase dramatically during an incident, which is difficult for an on-prem footprint to accommodate. The move to the cloud has enabled a new degree of enterprise scale-out, and with the explosion of cloud-born data, legacy SIEMs are less and less able to cope with the demand.
  • #6: The cloud can help manage the complexity of the expanding digital estate. It simplifies security and makes it easy to manage. Harnessing the power of the cloud will set your SecOps teams free of IT work and help them focus on security work with no limits. The next generation of AI and automation in the cloud helps to super-charge your work: it leverages the large-scale intelligence available in the cloud and makes it work for you.
  • #7: That's why we re-imagined the SIEM + SOAR tool to introduce a new cloud-native solution called Microsoft Azure Sentinel, providing intelligent security analytics at cloud scale for your entire enterprise. Azure Sentinel makes it easy to collect security data across your entire hybrid organization from devices, users, apps, servers and any cloud. It uses the power of artificial intelligence to ensure you are identifying real threats quickly, and it unleashes you from the burden of traditional SIEMs by eliminating the need to spend time on setting up, maintaining and scaling infrastructure. Since it is built on Azure, it offers limitless cloud scale and speed, scaling automatically to address your needs. Traditional SIEMs have also proven to be expensive to own and operate, often requiring you to commit upfront and incur high costs for infrastructure maintenance and data ingestion. With Azure Sentinel there are no upfront costs, you only pay for what you use, and we are offering free Office 365 activity data import to help you reduce security costs significantly.
  • #8: At Microsoft, we spend over a billion dollars every year on research and development to secure your organization and enable you to digitally transform, without compromising productivity. We try to keep it simple for our customers, knowing you have limited resources and dollars. We do this through our operations, technology and partnerships. What makes Microsoft so different from other cloud providers, and even security providers, is that we have over 3,500 security professionals and intelligence informed by trillions of sources, so we can help you make smarter decisions and remediate faster. We provide a truly holistic approach to technology. Microsoft helps you protect identities, data, applications, and devices across on-premises, cloud, and mobile, end-to-end. This protection is at global scale with enterprise-class technology. Benefit from the investment of security at global scale with built-in capabilities and resources.
  • #10: Azure Sentinel is a true software-as-a-service solution for SIEM and SOAR with automatic scalability: no server installation, maintenance, or complex configuration. It lets your SecOps team focus on the most important task, defending against threats to your organization. Azure Sentinel is available in the Azure portal and becomes a central place for security operations, giving a near real-time view of security events and providing tools to investigate and respond to incidents. As an Azure service, it can easily be augmented with other cloud services in the Azure portal, such as Machine Learning, Logic Apps and Azure Monitor.
  • #11: Traditional SIEMs have proven to be expensive to own and operate, often requiring you to commit upfront and incur high costs for infrastructure maintenance and data ingestion. With Azure Sentinel there are no upfront costs; you pay for what you use. Our aim is to provide you a cost-effective SIEM solution. Many enterprises are using Office 365 and are increasingly adopting the advanced security and compliance offerings included in Microsoft 365. There are many cases where you want to combine security data from users and endpoint applications with information from your infrastructure environment and third-party data to understand a complete attack. It would be ideal if you could do this all within the compliance boundaries of a single cloud provider. Today we are announcing that you can bring your Office 365 activity data to Azure Sentinel for free. It takes just a few clicks and you retain the data within the Microsoft Cloud. Reduce infrastructure costs when you automatically scale resources as you need and only pay for what you use. Pay nothing extra when you ingest data from Office 365 audit logs, Azure activity logs, and alerts from Microsoft threat protection solutions. Save up to 60 percent as compared to pay-as-you-go pricing through capacity reservation tiers. Receive predictable monthly bills and the flexibility to change your capacity tier commitment every 31 days.
  • #13: With Azure Sentinel you can aggregate all security data with built-in connectors, native integration of Microsoft signals and support for industry-standard log formats. Microsoft 365 customers can import their Office 365 activity data for free to gain deeper insights. We continue to collaborate with many partners in the Microsoft Intelligent Security Association and support easy connectors and customizable dashboards for popular solutions including Palo Alto Networks, F5, Symantec, Fortinet and many more to come. Azure Sentinel is based on Azure Monitor, which uses a proven and scalable log analytics database that ingests more than 10 petabytes every day and provides a very fast query engine that can sort through millions of records in seconds. Azure Sentinel also integrates with the Graph Security API to enable customers to import their own threat intelligence feeds.
  • #14: Azure Sentinel is an open and extensible solution. It enables your team to bring your own insights, tailored detections, machine learning models, and threat intelligence to customize analytics for your own environment. For example, if you want to customize and enrich the detections beyond the built-in ML models, you can bring your own models to Azure Sentinel using the built-in Azure Machine Learning service, or use the Microsoft Graph API to integrate your existing threat intelligence feeds with Azure Sentinel. Additionally, it enables a community-driven approach to share and enhance best practices, threat intelligence and mitigation. The GitHub community, available through the Azure Sentinel dashboard, can be used to share hunting queries or pre-defined Jupyter Notebooks.
  • #16: Analyze and detect threats quickly with AI on your side. Security analysts face a huge burden of triage, as they not only have to sift through a sea of alerts but also correlate alerts from different products manually or using a traditional correlation engine. That's why Azure Sentinel uses state-of-the-art, scalable machine learning algorithms to correlate millions of low-fidelity alerts into a few high-fidelity security incidents. Azure Sentinel also includes user behavior analytics to help you identify anomalies, compromised identities, and malicious insider actions. ML technologies will help you quickly get value from the large amounts of security data you are ingesting and connect the dots for you, for example a compromised account leading to Office 365 mailbox exfiltration. It helps reduce noise drastically: we have seen an overall reduction of up to 90% in alert fatigue with early adopters. These machine learning models are built in and give you the benefits of decades of Microsoft security experience and ongoing knowledge from running hundreds of cloud services. You do not need to be a data scientist to run such models. Some SecOps teams may need to customize ML-based analysis, and they can even bring their own ML models into Azure Sentinel.
  • #17: Graphical and AI-based investigation will reduce the time it takes to understand the full scope of an attack and its impact. You can visualize the attack and take quick actions in the same dashboard. Proactive hunting of suspicious activities is another critical task for security analysts. Oftentimes, the process by which SecOps collect and analyze the data is a repeatable process, and therefore can be automated. Today, Azure Sentinel provides two capabilities that enable you to automate your analysis: hunting queries and Azure Notebooks (Jupyter notebooks). Based on the proactive hunting that our own Incident Response and Threat Analyst teams perform, we've developed a set of queries and Azure Notebooks that are available today in Azure Sentinel to help SecOps navigate the most common scenarios. As the threat landscape evolves, so will our queries and Azure Notebooks; we will provide new queries and Azure Notebooks via the Azure Sentinel GitHub community.
    Automated expert guidance comes from a feature called virtual analyst: it automatically reasons over the alerts, provides a confidence score for their severity and helps you get a prioritized list of alerts. Virtual analyst "works and thinks" like a cybersecurity analyst; it automates expert knowledge by generating a "tailor-made" rich entity-based hunting graph for each security alert and assigns these alerts confidence scores in an attempt to evaluate their "maliciousness". (Will not be available at Preview launch.)
    Further hunting capabilities:
    Interactive visualization leveraging analytics (automated expert knowledge) to explore and analyze massive amounts of data
    Proactive guided data exploration, allowing pivoting in real time between disparate datasets, using bookmarks and creation of cases
    Enabling a hunter to filter and prioritize data, employing advanced data science techniques (using Azure Notebooks)
    Live stream to look at and understand event flows in real time
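A hunting query of the kind the note above describes, written here as an added example for the demo question of spotting suspicious activity in an Azure AD tenant; it is not from the deck or from the Azure Sentinel GitHub community. It assumes the Azure AD connector populates the SigninLogs table with the columns used below, and the five-failure threshold and ten-minute window are constructed values to tune per environment.

```kql
// Added example (not the deck's own content): find accounts where a burst of failed
// Azure AD sign-ins from one IP address is followed shortly by a successful sign-in
// from that same IP, a common sign of a guessed or sprayed password that worked.
// Assumes SigninLogs has TimeGenerated, UserPrincipalName, IPAddress, ResultType,
// AppDisplayName and Location (standard Azure AD connector schema).
let lookback = 1d;          // constructed: how far back to hunt
let window = 10m;           // constructed: max gap between last failure and success
let min_failures = 5;       // constructed: tune to the tenant's normal mistype rate
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    // ResultType "0" is success; other codes are failures or interrupts.
    // Exclude codes you have verified are benign interrupts in your tenant.
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                FailureCodes = make_set(ResultType)
              by UserPrincipalName, IPAddress
    | where FailedCount >= min_failures;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress,
          AppDisplayName, Location
| join kind=inner failures on UserPrincipalName, IPAddress
// Keep only successes that land inside the window after the failure burst.
| where SuccessTime between (LastFailure .. (LastFailure + window))
| project SuccessTime, UserPrincipalName, IPAddress, Location, AppDisplayName,
          FailedCount, FirstFailure, LastFailure, FailureCodes
| order by SuccessTime desc
```

Each row is a candidate for investigation, not a confirmed compromise; pivot on the IPAddress and UserPrincipalName entities in the investigation graph and bookmark the result if it warrants a case.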
  • #18: While AI sharpens your focus on finding problems, once you have solved a problem you don't want to keep finding the same problem over and over; rather, you want to automate the response to common issues. Azure Sentinel provides built-in automation with pre-defined or custom playbooks to solve repetitive tasks and to respond to threats quickly. Azure Sentinel will augment existing enterprise defense and investigation tools, including best-of-breed security products, homegrown tools, and other systems such as HR management applications and workflow management systems like ServiceNow.