Microsoft Azure Sentinel: Security For the Modern Age

We at New Signature have been working with Microsoft around security for over a decade. During that time, the perception of what is acceptable has shifted, as increasingly larger and more costly exploits have made businesses keenly aware of the need to prioritize security within their organizations.

Today, Microsoft has announced a new tool to their existing suite of security services, Azure Sentinel. Armed with this, partners and customers alike can greatly improve the type of data collected and ultimately improve their intelligence to the risks that exist in the current environment.

Why does Sentinel exist?

Why does Sentinel exist? Because the set of legacy tools used in most shops, while good at collecting data, often don’t lead to true insights. Security Information and Event Management (SIEM) solutions were designed in the client-server era to collect event logs containing both application data and security event information from a variety of servers and network devices inside a customer’s network perimeter. The broader move to the cloud has created multiple challenges with this older model.

Many SIEM tools were designed to simply grab as many signals as possible from servers, staff and data, in the hope that after a compromise is discovered, that those same signals will be useful to investigators to figure out how the malicious act occurred. These same tools tend to be far less useful at preventing compromises, or better yet, indicating when low-risk activities change into higher-risk items. Instead, they all tended to serve as “after-action” discovery mechanisms. Even more challenging, each individual service tended to occupy a specific niche. Although many tools portrayed themselves as “best of breed”, they often didn’t interact together in any meaningful way, forcing security practice folks to flip from tool to tool in order to pain a coherent narrative. Because each tool was narrowly scoped, many enterprise organizations ended up adopting more than 60 security products just to stay protected. That increase in complexity alone hurt security.

As many environments have seen an explosion of devices, these challenges grew even larger: organizations that used to monitor 1,000 or so network devices suddenly had to look at 3,000 mobile devices, and 5,000 virtual machines that were being stood up every day in great numbers. This created a deluge of data that made tool architecture critical – suddenly every business of every size needed to think about a size and scale that was enormous. This has been a big change as organizations have moved to the cloud: what was designed during the client/server era simply doesn’t scale because it was never supposed to cover so many objects. In addition, too many security products monitoring too much data created a complexity nightmare for most security professionals, preventing real action to reduce risk.

Microsoft’s Solution

Sentinel addresses many of these concerns: it’s a single tool, delivered as an Azure service that can scale, designed to capture raw data from a great variety of devices, and to drive actionable insights, rather than simply auditing for look back. A true SIEM-as-a-service, it is the very enemy of complexity, because it takes into account all the work that Microsoft has done to protect their consumer and enterprise cloud services, and baked that knowledge into a service tuned to your environment. This sort of “cloud intelligence” enables security defense to gain a critical edge: in the old client/server days, an attack on one customer could never be used to protect another, but with Azure Sentinel, if Microsoft is seeing a particular type of attack in one area, that knowledge can inform all of their customers. Best of all, by reducing the need for so many (60!) security products, it can reduce complexity *and* cost simultaneously, all while securing your environment more easily.

By simplifying your environment, integrating with your existing data estate and automating security operations, Sentinel builds immediate situational awareness and reduces the time to respond to threats. You can have Sentinel automatically (or manually) run pre-built playbooks to take actions when certain behaviors are exposed. You also have rich “hunting” capabilities to look for unique types of behavior that specifically mirror your environment.

New Signature’s Solution

New Signature is extending our suite of security managed services to include Azure Sentinel and has been working with Microsoft through its development. We are inviting customers interested in SIEM-as-a-Service to reach out to us​ to address these challenges. The New Signature team of experts leverage innovative platforms like ServiceNow operations and service management system to secure workflows using a comprehensive single system of record. By integrating these technologies with Microsoft Azure, security concerns are managed and mitigated quickly, efficiently and proactively. As a leader in Microsoft IT security, New Signature is dedicated to helping businesses of all sizes adopt modern security solutions to protect against threats. Learn more about New Signature’s Security services on our Offers page.

At the RSA 2019 conference from March 4-8 in San Francisco, EVP of Global Managed Services Jeff Dunmall will be one of the few featured presenters alongside Microsoft to demonstrate advancements in SecOps capabilities. More information and a full schedule of events can be found on the RSA website. Dunmall will be presenting a session on SecOps: How to Operationalize Microsoft Cloud Data Security with ServiceNow. It will include a walk-through around how ServiceNow can onboard risk events from Azure AD Identity Protection and Microsoft Security Graph to add Microsoft Cloud Data Protection events to your system operation center. New Signature’s Director of Information Security, Daryl Novak, will also be on hand to discuss how to decrease risk by taking a modern approach to security.