Key Layers for Developing a Smarter SOC with CyberProof’s Managed Microsoft Azure Security Services
Ben Chant
Security teams are struggling to reduce the time to detect and respond due to the complexity and volume of alerts being generated from multiple security technologies.
As more workloads migrate to the cloud, an additional perimeter emerges that requires constant vigilance for early signs of a cyber attack. New security challenges also arise from the cloud’s elastic nature and the constant provisioning of new services.
HOW CYBERPROOF IS WORKING WITH MICROSOFT TO SOLVE THESE CHALLENGES
CyberProof partnered with Microsoft to provide customers with cloud-scalable security monitoring, detection and response services across the endpoint, network, identities, SaaS applications, and Azure cloud infrastructure.
With the CyberProof Defense Center (CDC) service delivery platform pre-integrated with Microsoft’s cloud-native Security Information and Event Management (SIEM) solution, Azure Sentinel, and Azure ATP threat protection controls, customers are able to aggregate relevant data across the enterprise into a single CDC dashboard to generate high-context alerts, reduce false positives and prioritize escalations. What makes this solution unique, however, is that it leverages CyberProof’s built-in virtual analyst, SeeMo, to automate up to 80% of tier 1 and 2 activities such as monitoring, enrichment, incident handling, and remediation. This frees up your team to focus on the most critical business issues.
KEY LAYERS TO BUILDING A SMARTER SOC
We recommend that security operations center teams looking to generate continuous value from their Azure security stack with managed security services implement the following three key layers of a smarter SOC architecture.
Each layer includes the integrations between Microsoft and CyberProof that help facilitate this architecture. For more information, check out our on-demand webinar – which we ran in collaboration with Microsoft’s Chief Security Advisor EMEA, Cyril Voisin.
1. Data Collection and Integration Layer – enrichment of security data from multiple sources
This is particularly useful for enterprise-grade SOCs that collect and parse relevant data from multiple business units before it goes into a data lake. Organizing and classifying all of this data will save time and money when you start introducing integration and automation technologies, as the information will already be structured in an optimal way. Here’s how log collection, normalization and analysis work:
- Integration: An organization identifies the assets, tools, technologies, and applications that need to be integrated.
- Data normalization: Enterprise SOCs need to parse data before it enters the data lake – to tag and filter it – so the right information is being fed into the SOC in the most efficient way.
- Data collection and analysis: Using a solution such as Microsoft’s Azure Log Analytics Security Data Lake, terabytes of data can be ingested in order to query and manage at scale. Machine learning (ML) can be used for the identification of anomalies and monitoring whether log sources are operating correctly, as well as to support threat hunting.
At CyberProof, we leverage Azure Log Analytics and CyberProof Log Collection (CLC) SaaS technology to pull logs from all sources of data. These include a customer’s existing Microsoft investments – including on-prem, SaaS, and Azure assets – and existing Microsoft security controls that generate alerts across identities, endpoints, data & email, and cloud apps.
2. Security Analytics Layer – Generating contextual alerts and minimizing false positives
The traditional on-premises SIEM architecture has limited scalability – i.e., infrastructure costs are incurred up-front, based on peak requirements rather than on-demand provisioning that scales with current demand and growth over time. Also, effectively mapping logs from all ecosystems can be a time-consuming endeavor when correlation rules have to be written and clear reporting created.
The world of security data collection has evolved. It is no longer a single query or rule that triggers the discovery of an incident. Typically, security monitoring identifies the proverbial “needle in the haystack” – and this type of threat detection requires broad visibility across the enterprise. It also requires more processing power and data collection in order to establish what the baseline really looks like. These requirements are best met by implementing security in the cloud.
That’s where Azure Sentinel SIEM comes in, supplying correlation and analytics rules and filtering massive volumes of events to obtain high-context alerts. Sentinel uses ML to proactively find anomalies hidden within acceptable user behavior and generate alerts.
Microsoft Azure Sentinel is fully integrated with CyberProof’s CDC platform, so customers can work from a single console to manage high-context alerts, carry out investigations, and handle incidents.
3. Orchestration, Automation and Collaboration Layer – Facilitating faster threat detection and response
Forrester’s recent assessment of midsized MSSPs notes that orchestration and security automation play a vital role for overburdened SOC staff.
By automating Tier 1 and 2 activities like monitoring, enrichment, investigation, and incident handling, our CDC platform takes much of the strain out of the process. Essentially, the CDC platform provides our IP as a service – helping customers avoid the expenditure necessary to develop their own IP for a next-generation SOC.
The CDC platform gives customers a “single pane of glass” view from which to manage high-context alerts, incidents, and report generation for stakeholders. It integrates the functionality of Azure Sentinel as well as other security investments.
The CDC platform’s benefits include:
- Orchestration – Integrates external intelligence sources, enrichment sources, the IT service management system, and more into a single view.
- Automation – Leverages CyberProof’s virtual analyst, SeeMo, who uses our Use Case Factory – a catalog of attack use cases consisting of prevention and detection rules and response playbooks, all aligned to the MITRE ATT&CK framework – to continuously update playbooks.
- Collaboration – Facilitates real-time communication with our nation-state-level analysts to help remediate incidents.
- Hybrid Engagement – Supports collaboration of CyberProof’s experts with the customer’s team to remediate incidents and upskill the customer’s team.
CUSTOMERS CAN START BENEFITING - NOW
CyberProof’s solution, used in tandem with Azure Sentinel, provides 24x7 security monitoring, which frees up SOC teams to focus on critical incidents.
The platform’s use of ML and behavioral analysis can reduce alert fatigue and false positives by up to 90 percent. It offers large-scale collection and correlation of data from the endpoint, cloud network, and users – facilitating high-context alerts.
These capabilities, as well as the platform’s high-level collaboration abilities and up-to-date response playbooks, contribute to greater efficiency in threat detection and in responding to validated incidents.
Moreover, transitioning to CyberProof’s solution does not take a lot of time. CyberProof has a defined onboarding process that’s based on each customer’s requirements.
As a managed service provider, we find that we can help customers get through the transition much more quickly than they would have on their own – accelerating the process and shortening the time needed to start reaping the benefits of the solutions.
Want more information? Check out the CDC platform from CyberProof and our integration with Microsoft Azure Sentinel. Or contact us to learn more about how we can help you transition to a smarter SOC.