"We engaged IT Lab to deliver a fully managed Cyber Security Operations Centre (CSOC) service in 2018. With a lean in-house security team, we were keen to explore their new incident response service, utilising Sentinel. Pravesh Kara and his team submitted a compelling proof of concept, and overnight, we knew we'd made the right decision."
- IT Lab client in the finance sector and an early adopter of our new service and Sentinel, managing £6 billion worth of assets.
As the noise from a multitude of threats to businesses becomes almost deafening, defending vital assets is increasingly expensive, time-consuming – and sleep-depriving. The stance of the UK’s National Cyber Security Centre, Microsoft and several other respected bodies is to “assume breached”.
Why is this? Cybercrime is rapidly expanding because of the commoditisation of effective attack techniques. And worryingly, the longer a threat dwells in an environment, the more severe the impact of the breach. This means that time, as well as detection, is paramount.
Conventional SIEM (Security Information and Event Management) products will consolidate the information from across your IT landscape but invariably throw up false positives, soaking up the valuable (and expensive) time of security pros.
Enter Azure Sentinel, which returns a view of threats that genuinely require attention and is unlike any other security operations platform in the marketplace.
IT Lab is one of a select few Microsoft partners in the UK offering Cyber Services incorporating Azure Sentinel. As a Microsoft partner and advocate, we rapidly embraced it for our internal security operations while simultaneously making it available to our clients.
Join us for a quick tour of this revolutionary platform. See how Sentinel can save you money and how our incident response capabilities deliver unequalled levels of security and service excellence.
Launched in November 2019, Azure Sentinel is Microsoft’s new:
The service works by correlating the security logs and signals from all sources: apps, services, infrastructure, networks, and end-users, whether on-premises, Azure or any other cloud. And it scales automatically to need.
Sentinel’s integrated analytics remove the cost and complexities of achieving a central and focused view of active threats. And built-in AI leverages Microsoft’s threat intelligence which analyses trillions of signals every day. Furthermore, Microsoft’s machine learning models filter through the noise from alerts, drilling into and analysing thousands of anomalous events.
A customisable overview dashboard gives a bird’s eye perspective of your IT environment while facilitating a deep dive to granular information. And Sentinel seamlessly connects to other data sources and security solutions, effortlessly building a complete picture and all without leaving the one screen.
“Unlike other services that merely surface alerts for others to fix, we aim to own the problem by managing a verified threat alert through to containment,” said Pravesh Kara, IT Lab’s Product Director for Security and Compliance. “Optimised runbooks prevent real damage occurring, and our visibility of multiple clients benefits everyone. Our expansive view means that we apply the detection and containment in one environment to other clients’ situations.
“And our service is not solely reactive to threat activity; our proactive approach to reducing the attack surface and threat dwell time is a core aspect, through threat hunting and regular vulnerability assessments.”
While Azure Sentinel provides many out-of-the-box integrations for rapidly deploying our service, our Security Engineering team can also create custom integrations with data sources. These include detection algorithms, automated responses, and analytics.
The benefits to our financial sector client include:
For existing users of Microsoft, Sentinel comes into its own, with noticeable cost savings and frictionless integration with Azure and Office 365. The table below sets out how Sentinel differs from a traditional SIEM-based service.
Comparison table: conventional SIEM platform-based service vs Azure Sentinel-based service

| Traditional SIEM service | Microsoft Azure Sentinel service |
| --- | --- |
| Static platform: set monthly subscription, with a fixed volume of data monitored regardless. Potential wastage. | Dynamic platform: pay only for the volume of data monitored. Automatically scales up or down. |
| Hundreds of supported technology integrations, but the SIEM vendor is required to build them. No ability to develop custom integrations. Requires additional implementation cost and time. | Many out-of-the-box, near one-click integrations to key enterprise security solutions. Ability to develop custom integrations and handling logic through Logic Apps. |
| Pay for all systems and data monitored. | No charge for monitoring several Microsoft services and data. |
| c. 1,000 out-of-the-box rules by default. On average, only 10-15% of alerts will apply. | Analytic rules customised for specific criteria across the environment to generate incidents. A different concept of rules and alerts: playbooks (aka automation). Only activate what you need using the toggle switch. |
| False positives: the same alerts time and time again, demanding skilled but ultimately wasted resource. | Reduced alert fatigue, using machine learning to produce actionable incidents that require evaluation and investigation. |
| Broad-picture view of the security landscape. | Deeper, granular view of your security landscape. |
| Investigations often involve looking at different cases and disparate systems to build the picture. | Investigate from a single pane of glass and pull in information from other sources with ease, even querying data sources outside of Azure. |
| The stand-alone platform requires integration with other security solutions, which can be complicated and time-consuming. | Fast and easy to integrate with other security toolsets, such as Amazon Web Services (AWS), firewalls, proxy servers and antivirus. Activate within minutes using a toggle switch. Sentinel is natively integrated with Azure, enabling you to take advantage of built-in services. |
| Traditional SIEM solutions have evolved to embrace cloud technologies. | Sentinel is the first cloud-native SIEM service. |
| Incident management requires separate processes and manual effort. | Relevant response scenarios can be fully or partially automated using Sentinel Playbooks, and further enhanced through an integration with Jupyter Notebooks for advanced hunting and analysis. |
How our CSOC Works
But technology, even world-class tools like Azure Sentinel, is only part of the picture. People and process are vital to a high-performing CSOC’s detection and response capabilities.
At a high-level:
Core features of our service, which operates under an ISO 27001-certified ISMS, include:
And our most precious asset – our people – count as one of the most highly skilled CSOC teams in the UK. Their credentials include technology qualifications (Microsoft, Cisco), SOC specialisms, cyber security certificates and academic qualifications.
But they don’t operate in a silo; the technical expertise and experience across our group give us the capacity to respond to any type of threat without having to lose precious time waiting for external help.
In these exceptional times, we’re helping organisations by offering a free consultation with a tech expert in the subject area of your choice. Pravesh Kara is among the panel offering his time and expertise at no charge – meet Pravesh and enquire here.
Or you could opt for a free cyber security assessment – learn more and request one here.
And if you’d like to know more about our renowned Cyber Security Operations Centre and explore Sentinel for your business, give us your details here, and we’ll be in touch.
Thanks for reading, stay safe, and we’re here when you need us.