Microsoft’s SIEM with built-in AI

Vraj Patel
5 min read · Feb 14, 2021

What is SIEM?

  • Security Information and Event Management (SIEM) is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure.
  • SIEM collects security data from network devices, servers, domain controllers, and more.
  • SIEM stores, normalizes, aggregates, and applies analytics to that data to discover trends, detect threats, and enable organizations to investigate any alerts.

SIEM CAPABILITIES

  • Threat Detection
  • Investigation
  • Time to Respond
  • Security monitoring
  • Log Collection
  • Normalization
  • Notification and alerts
  • Threat Response workflow
  • Security Incident Detection
  • Forensics and incident response

SIEM provides two primary capabilities to an Incident Response team:

  • Reporting and forensics about security incidents.
  • Alerts based on analytics that match a certain rule set, indicating a security issue.

At its core, a SIEM is a data aggregator, search, and reporting system. It gathers immense amounts of data from your entire networked environment, consolidates it, and makes it accessible to humans. With the data categorized and laid out at your fingertips, analysts can investigate data security breaches in as much detail as needed.

Limitations

  • Provide limited contextual information
  • Blind spot on unstructured data and emails
  • Ineffective in the cloud
  • Not agile, too heavy
  • Designed for outdated technology
  • Inability to scale

SIEM applications provide limited contextual information about their native events, and SIEMs are known for their blind spot on unstructured data and emails. For example, you might see a rise in network activity from an IP address, but not the user that created that traffic or which files were accessed.

In this case, context can be everything.

What looks like a significant transfer of data could be completely benign and warranted behavior, or it could be a theft of petabytes of sensitive and critical data. A lack of context in security alerts leads to a ‘boy who cried wolf’ paradigm: eventually, your security team will be desensitized to the alarm bells going off every time an event is triggered.

SIEM applications are unable to classify data as sensitive or non-sensitive and therefore cannot distinguish sanctioned file activity from suspicious activity that can damage customer data, intellectual property, or company security.

Ultimately, SIEM applications are only as capable as the data they receive. Without additional context on that data, IT is often left chasing down false alarms or otherwise insignificant issues. Context is key in the data security world too.

How Is Microsoft Doing SIEM with AI?

With the cloud and the intelligence from decades of Microsoft security experience, threat detection and response will get smarter and faster. And with no upfront costs for data ingestion, one can rapidly analyze large volumes of data and set alert thresholds visually based on your actual data.

Azure Sentinel is built on a proven analytics database with Azure Monitor (formerly Azure Log Analytics) and uses native integration of Machine Learning (ML) and Microsoft’s vast threat intelligence to empower teams to rapidly spot anomalies without a mountain of false positives that waste their valuable time.

It simplifies Security Operations Centers (SOC) tasks by providing integrated security orchestration and automation (SOAR) capabilities.

Azure Sentinel uses scalable machine learning algorithms based on decades of learnings from the Microsoft security team that can find, investigate and respond to the real threats in minutes, not days. These built-in models correlate millions of low-fidelity anomalies and connect the dots to present a few high-fidelity security incidents to the analyst. One can also use Azure Machine Learning to build or customize your own models.

Azure Sentinel provides built-in automation and orchestration with pre-defined or custom playbooks to solve repetitive tasks and to respond to threats quickly.

Microsoft developed a set of hunting queries and Azure Notebooks (based on Jupyter notebooks) that perform the same proactive hunting as Microsoft’s Incident Response and Threat Analyst teams.

As the threat landscape evolves, Microsoft will provide new queries and Azure Notebooks via the Azure Sentinel GitHub community.

Azure Sentinel uses Azure Monitor which is built on a proven and scalable log analytics database that ingests more than 10 petabytes every day and provides a very fast query engine that can sort through millions of records in seconds.

With built-in connectors for collecting data, Azure Sentinel ingests security data from a wide range of sources, including Azure and other Microsoft services, SaaS applications such as Office 365, Amazon Web Services (AWS), on-premises Linux and Windows systems, and network and hardware appliances.

These built-in connectors also cover an ever-growing list of Microsoft partners, including Check Point, F5, Palo Alto, Symantec and many more.

Features

Azure Sentinel’s hunting search-and-query tools, based on the MITRE framework, enable you to proactively hunt for security threats across your organization’s data sources before an alert is triggered.
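The hunting queries and notebooks described above look for attacker behaviour before any alert fires. As an added example (not code from the original post or from Microsoft’s Sentinel repository), this Python routine, of the kind that would run in one of the Jupyter-based notebooks, hunts over constructed sign-in records for the classic pattern of repeated failures followed by a success from the same account and IP; the record layout, field names and thresholds are this example’s own assumptions, not Sentinel’s table schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records standing in for rows of a sign-in log table.
# Fields (assumed for this example): timestamp, account, source IP, result.
SIGNINS = [
    ("2021-02-14T09:00:05", "alice", "203.0.113.7", "failure"),
    ("2021-02-14T09:00:09", "alice", "203.0.113.7", "failure"),
    ("2021-02-14T09:00:14", "alice", "203.0.113.7", "failure"),
    ("2021-02-14T09:00:20", "alice", "203.0.113.7", "failure"),
    ("2021-02-14T09:00:26", "alice", "203.0.113.7", "failure"),
    ("2021-02-14T09:01:02", "alice", "203.0.113.7", "success"),
    ("2021-02-14T09:03:00", "bob",   "198.51.100.2", "failure"),
    ("2021-02-14T09:03:40", "bob",   "198.51.100.2", "success"),
    ("2021-02-14T10:00:00", "carol", "192.0.2.9",    "success"),
]

def hunt_bruteforce_then_success(rows, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per (account, ip) pair that accumulated at least
    `threshold` failed sign-ins inside a sliding `window` and then succeeded.
    Same shape as a hunting query: filter, summarize per entity, then join the
    failure burst to the later success. Tagged with the MITRE ATT&CK technique
    this behaviour maps to (T1110, Brute Force) so it can be tied to the framework."""
    failures = defaultdict(list)   # (account, ip) -> recent failure timestamps
    findings = []
    for ts, account, ip, result in sorted(rows):      # ISO-8601 sorts lexically
        t = datetime.fromisoformat(ts)
        key = (account, ip)
        if result == "failure":
            failures[key].append(t)
            # keep only failures still inside the sliding window
            failures[key] = [f for f in failures[key] if t - f <= window]
        elif result == "success":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                findings.append({
                    "account": account, "ip": ip,
                    "failures": len(recent), "success_at": ts,
                    "mitre_tactic": "Credential Access",
                    "mitre_technique": "T1110 Brute Force",
                })
            failures[key].clear()   # a success resets the burst for that pair
    return findings

if __name__ == "__main__":
    for hit in hunt_bruteforce_then_success(SIGNINS):
        print(hit)
```

Lowering `threshold` widens the net (bob’s single failure then success would also surface), which is the usual trade-off between hunting sensitivity and analyst noise.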

The toolbar across the top shows how many events occurred over the selected time period and compares that count with the previous 24 hours.

Currently in preview, Azure Sentinel’s deep investigation tools help you understand the scope of a potential security threat and find its root cause. You can choose an entity on the interactive graph to ask questions about that specific entity and drill down into it and its connections to get to the root cause of the threat.

To help you reduce noise and minimize the number of alerts you have to review and investigate, Azure Sentinel uses analytics to correlate alerts into incidents. Incidents are groups of related alerts that together form an actionable possible threat that you can investigate and resolve. Use the built-in correlation rules as-is, or use them as a starting point to build your own. Azure Sentinel also provides machine learning rules that map your network behavior and then look for anomalies across your resources. These analytics connect the dots by combining low-fidelity alerts about different entities into potential high-fidelity security incidents.
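To make the alert-to-incident correlation above concrete, here is an added example (not code from the original post or from Azure Sentinel) that groups constructed low-fidelity alerts into incidents when they share an entity such as an account, host or IP, then ranks each incident by how many distinct alert types and entity kinds corroborate it; the alert layout, entity keys and scoring rule are this example’s own assumptions, not Sentinel’s incident logic.

```python
from collections import defaultdict

# Constructed low-fidelity alerts; each carries the entities it refers to as
# (kind, value) pairs. Field names are assumed for this example only.
ALERTS = [
    {"id": "A1", "name": "Anomalous sign-in location", "entities": {("account", "alice"), ("ip", "203.0.113.7")}},
    {"id": "A2", "name": "Rare process on host",       "entities": {("host", "WS-042"), ("account", "alice")}},
    {"id": "A3", "name": "Outbound data spike",        "entities": {("host", "WS-042"), ("ip", "198.51.100.9")}},
    {"id": "A4", "name": "Anomalous sign-in location", "entities": {("account", "bob"), ("ip", "192.0.2.5")}},
    {"id": "A5", "name": "Rare process on host",       "entities": {("host", "SRV-07")}},
]

def correlate_into_incidents(alerts, min_alerts=2):
    """Connect alerts that share any entity (connected components over the
    alert/entity graph, via union-find) and return one incident per component,
    highest fidelity first. Fidelity grows with corroboration: the number of
    distinct alert types times the number of distinct entity kinds involved."""
    parent = {a["id"]: a["id"] for a in alerts}
    def find(x):                       # root of x with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    def union(a, b):
        parent[find(a)] = find(b)
    first_seen = {}                    # entity -> first alert id that mentioned it
    for a in alerts:
        for ent in a["entities"]:
            if ent in first_seen:
                union(a["id"], first_seen[ent])
            else:
                first_seen[ent] = a["id"]
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    incidents = []
    for members in groups.values():
        names = {m["name"] for m in members}
        entities = set().union(*(m["entities"] for m in members))
        incidents.append({
            "alert_ids": sorted(m["id"] for m in members),
            "entities": sorted(entities),
            "fidelity": len(names) * len({kind for kind, _ in entities}),
            "actionable": len(members) >= min_alerts,   # lone alerts stay low-fidelity
        })
    return sorted(incidents, key=lambda i: -i["fidelity"])
```

In the sample data the sign-in anomaly, the rare process and the data spike chain together through alice and WS-042 into one incident, while the two unrelated alerts remain isolated and ranked last.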
