Azure Sentinel from the Field – The Cloud Aspect
This article is less technical; it is about those moments when you understand why a particular technology is the one worth focusing on.
This article reminds me of different moments where I said, noted, and saw how things unfold; not everyone saw it the way I did, but now they think as I do. I wanted to return to a few single moments out of many good ones.
First, let’s go back to the moment in 2019 when I heard about the Microsoft Business Productivity Online Suite (BPOS); from that moment on, I focused on it and knew it would be a big thing. The same goes for Azure.
Let’s go back to another moment, in 2017, when I gave a talk at Microsoft TechReady about SaaS applications, the security risks in them, and how they should be hardened. Even there, many people thought I was talking about spacecraft.
Many people consult me on what to do and on understanding their security needs. Suddenly everyone is hardening cloud apps. A blog post about Office 365 OAuth that was posted recently warns of increasing Office 365 OAuth phishing attacks (bleepingcomputer.com).
Now, let’s turn to SIEM, and to my opinion and experience from the field with Azure Sentinel.
The Cloud is changing Everything!
The words above are not new, but now they affect SIEM technology and the way it works; this category will change soon.
Something from the field. How do you monitor your cloud providers, such as Azure, Microsoft 365, AWS, GCP, etc., or SaaS apps such as Monday, Concur, etc.? If you’re using a legacy SIEM-based system, then apparently, or more accurately for certain, you are missing it, big time!
A legacy SIEM that monitors cloud providers and SaaS apps DOES NOT know what happens inside the box: it has no idea about security incidents in those cloud providers and SaaS applications, and it does not know what is going on in the systems and apps you are monitoring!
A legacy SIEM misses alerts and security incidents that come from the cloud on a regular basis, no matter which cloud, SaaS app, or security product they come from.
You have gaps, big gaps, and your legacy SIEM cannot close them. The old SIEM systems cannot take in the information properly, they do not know how to parse it, and of course it is impossible to build automation or any other content in this situation.
Why does it happen? Today there are more security products (mostly cloud-based), more cloud providers, and more SaaS apps, and none of this waits for your people or processes. In short, security products and all other apps must be adapted to the SIEM quickly.
From the field: once a legacy SIEM is connected to a cloud provider, that cloud provider can be attacked and the legacy SIEM will not know what is going on there.
When you break down SIEM into its small parts, it comes down to log management and security alerting. It seeks out logs from data-generating tools like firewalls, authentication portals, databases, and applications and organizes that data in a single location. Then it normalizes the data and scans it for security events to alert your security team.
So far, this seems relatively straightforward. However, SIEM doesn’t operate automatically. Instead, it operates according to the configuration rules set by your security team. Clearly, this creates a serious issue in that SIEM can only see what your team tells it to see.
This may not seem like a challenge; you probably know where your critical data sits, which devices generally access it, and how the data flows. However, this understanding is upended when your network becomes disparate, with cloud, SaaS apps, security products, and work from home.
Where should your SIEM prioritize? How can it handle a scaled environment? Can you maintain visibility over your network when it isn’t under your direct view to begin with?
A Cloud-Native SIEM solution should enable your security team to revise and monitor configuration rules on the fly, easing the visibility issue. It should also scale with your environment even as it changes and transforms due to circumstances or deliberate transition to the cloud.
More and more governments now enforce stricter privacy and cybersecurity compliance mandates, with GDPR being simply the most famous.
As more and more of our lives move online, we expect more industries and governments to follow suit; your enterprise must be ready to adapt to this new state of affairs. SIEM can help through its out-of-the-box, automatic compliance reporting capabilities, which can help meet compliance changes.
Remember, studies suggest that most users won’t engage with a brand that suffered an online data breach or fails to keep their data private. The incoming wave of new cybersecurity compliance mandates merely reflects this public sentiment. Meeting compliance might only scratch the surface of fully optimized InfoSec, but it can provide a reassuring start.
A problem facing legacy SIEM solutions is false positives: the SIEM finds something suspicious about an ordinary, or perhaps unusual but non-malicious, activity and sends an alert, which wastes time and resources in the investigation.
One of these false positives every so often wouldn’t be a problem, but when they number in the hundreds? That’s more of a challenge, one which often buries legitimate leads.
SIEM aggregates critical logs and alert information. Without it, SOAR would lose a vital source of insight into enterprise networks. Further, SOAR works through integration, binding SIEM to other critical cybersecurity solutions like endpoint security and identity management.
However, it remains unclear whether SOAR may one day incorporate SIEM capabilities into its own offerings. Certainly, it follows the pattern of modern cybersecurity solutions to evolve into new markets as demands change. The importance of automation certainly matters as the cybersecurity staffing crisis deepens. Is now the time for true innovation?
Automation is a must and an integral part of the SIEM system. It is not possible to manage the events with people alone, and the more automation there is, the better the SIEM works.
Sizing your SIEM solution right is important, as it directly impacts SIEM performance and the storage required to operate it efficiently. Two key numbers help size your SIEM solution right: the amount of data generated in your network, measured in Events per Second (EPS) and Gigabytes per Day (GB/day).
Most SIEM vendors license their solutions based on EPS and/or GB/day, and legacy SIEMs aggregate a lot of data from CEF and Syslog, but they don’t know how to handle JSON in the same way. Nothing new.
The EPS license is applied and processed in real time, twice per second, on the raw inbound event stream. Every half-second, the system pulls off the allocated number of events; if events are left in the queue, they are throttled and held in the queue until the next half-second period.
While the EPS license is described as a per-second value, flow licenses are usually documented as a per-minute value. This is because flows can have a life span that spans multiple seconds, multiple minutes, or intervals, and thus they are really tracked as sessions rather than as strict, instantly occurring events.
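As an added illustration of the half-second throttling described above (example code written for this article, not from Azure Sentinel or any vendor’s licensing engine), the following Python simulation replays a constructed inbound event stream against an EPS licence. It assumes that each half-second tick admits half the licensed EPS and that throttled events wait in the queue rather than being dropped; both are assumptions of the example, and so is the burst-plus-trickle input.

```python
from collections import deque
from dataclasses import dataclass
from typing import List

TICK = 0.5  # the licence is applied twice per second, so one tick is half a second


@dataclass
class Window:
    start: float    # start of the half-second window, in seconds
    admitted: int   # events pulled off the inbound queue during this window
    backlog: int    # events still held (throttled) in the queue at the end of it


def simulate_eps_license(arrivals: List[float], license_eps: int) -> List[Window]:
    """Replay an inbound event stream (arrival times in seconds) against an EPS licence.

    Assumption of this example: each half-second tick admits license_eps / 2 events,
    so a 400 EPS licence admits 200 per tick. Events that do not fit are throttled
    and stay queued until a later tick; nothing is dropped.
    """
    if license_eps < 2:
        raise ValueError("licence must admit at least one event per tick")
    per_tick = license_eps // 2
    pending = sorted(arrivals)
    queue: deque = deque()
    windows: List[Window] = []
    t, i = 0.0, 0
    while i < len(pending) or queue:
        # everything that arrived before the end of this window joins the queue
        while i < len(pending) and pending[i] < t + TICK:
            queue.append(pending[i])
            i += 1
        admitted = min(per_tick, len(queue))
        for _ in range(admitted):
            queue.popleft()
        windows.append(Window(t, admitted, len(queue)))
        t += TICK
    return windows


def peak_backlog(windows: List[Window]) -> int:
    """Largest number of events held back by the licence at any tick."""
    return max((w.backlog for w in windows), default=0)


def throttled_until(windows: List[Window]) -> float:
    """End time of the last window that still held throttled events (0.0 if none)."""
    held = [w.start + TICK for w in windows if w.backlog > 0]
    return held[-1] if held else 0.0


# Constructed input: a burst of 1000 events at t=0 (think of a bulk audit-log
# export landing at once) followed by a steady 100 EPS trickle from t=1 to t=4.
BURST = [0.0] * 1000
TRICKLE = [1.0 + k / 100 for k in range(300)]


if __name__ == "__main__":
    ws = simulate_eps_license(BURST + TRICKLE, license_eps=400)
    for w in ws:
        print(f"t={w.start:4.1f}s admitted={w.admitted:4d} backlog={w.backlog:4d}")
    print("peak backlog:", peak_backlog(ws), "throttled until:", throttled_until(ws), "s")
```

With a 400 EPS licence, the 1000-event burst alone needs five ticks to clear, and the trickle that starts at t=1 is held behind it, so the last throttled event is admitted only at 2.5 s; the same trickle on its own never builds a backlog. That delay is what a per-second licence hides when you size only from average EPS, and it is why the peak, not the average, is the number to check.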
All cloud providers, cloud-based security tools, and SaaS apps work with the JSON format, and a JSON event is a quarter of the size of an event that comes from CEF, Syslog, etc.
TIP: you can convert and parse any event to JSON format, minimize the price, and work with a log format that provides more value.
With Windows, the average raw event size is 700 bytes, and the Linux raw event size is 300 bytes. After enrichment to CEF, both of those events end up at 1765 bytes, and then the event is compressed at roughly 10:1 and ends up at around 175-200 bytes; the event cannot always be compressed, though. (from the ArcSight website)
JSON is on average 200 bytes; run the same process with JSON, and you’ve got a minimal log of only a few bytes. JSON is about a quarter of the size of a simple event.
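To make the tip concrete, here is an added Python example (written for this article, not code from the author, Azure Sentinel, or ArcSight). It parses a constructed CEF firewall line and a constructed JSON sign-in record into one common schema, measures the byte size of each raw event against its compact JSON copy, and runs a simple correlation rule over both. It also shows the gap discussed earlier: an ingest path that accepts only CEF drops the JSON record, and the rule never fires. The vendor name, the JSON field names (operation, clientIp, result), and the common schema are all assumptions of the example.

```python
import json
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample events for this example (not real logs). The vendor name and
# the JSON field names (operation, clientIp, result) are assumptions, not any
# product's real schema.
CEF_LINE = (
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|Blocked connection|5|"
    "src=203.0.113.5 dst=10.0.0.7 spt=51234 dpt=22 proto=TCP act=blocked "
    "msg=Policy deny\\= outbound"
)
JSON_LINE = json.dumps({
    "time": "2021-06-01T08:15:00Z",
    "operation": "SignIn",
    "user": "alice@example.com",
    "clientIp": "203.0.113.5",
    "result": "Failure",
    "failureReason": "Invalid password",
})

CEF_HEADER = ["version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity"]


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a flat dict of header fields plus extension key=value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # the seven header fields are separated by unescaped '|'; the rest is the extension
    parts = re.split(r"(?<!\\)\|", line[4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header too short")
    event = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER, parts[:7])}
    # an extension value runs until the next 'key=' token; '\=' is an escaped '='
    for m in re.finditer(r"(\w+)=((?:\\=|[^=])*?)(?=\s+\w+=|$)", parts[7]):
        event[m.group(1)] = m.group(2).replace("\\=", "=").strip()
    return event


def normalize(raw: str) -> Dict[str, str]:
    """Map a raw CEF or JSON event onto one common schema (the schema is this example's own)."""
    if raw.startswith("CEF:"):
        e = parse_cef(raw)
        return {"source": "cef", "event_type": e.get("name", ""), "src_ip": e.get("src", ""),
                "outcome": e.get("act", "").lower(), "user": e.get("suser", ""), "raw": raw}
    if raw.lstrip().startswith("{"):
        e = json.loads(raw)
        return {"source": "json", "event_type": e.get("operation", ""), "src_ip": e.get("clientIp", ""),
                "outcome": str(e.get("result", "")).lower(), "user": e.get("user", ""), "raw": raw}
    raise ValueError("unrecognised event format")


def ingest(lines: Iterable[str], accept_json: bool = True) -> Tuple[List[Dict[str, str]], int]:
    """Normalise a batch of lines. With accept_json=False, behave like a CEF/Syslog-only
    SIEM and drop JSON records. Returns (events, number_dropped)."""
    events, dropped = [], 0
    for line in lines:
        if not accept_json and line.lstrip().startswith("{"):
            dropped += 1
            continue
        events.append(normalize(line))
    return events, dropped


def correlate_block_and_failed_signin(events: List[Dict[str, str]]) -> List[str]:
    """Rule: source IPs that were blocked at the perimeter AND failed a cloud sign-in."""
    blocked = {e["src_ip"] for e in events if e["source"] == "cef" and e["outcome"] == "blocked"}
    failed = {e["src_ip"] for e in events if e["source"] == "json" and e["outcome"] == "failure"}
    return sorted(blocked & failed)


def compact_json(event: Dict[str, str]) -> str:
    """Serialise a normalised event as compact JSON, dropping empty fields and the raw copy."""
    return json.dumps({k: v for k, v in event.items() if v and k != "raw"}, separators=(",", ":"))


def size_bytes(text: str) -> int:
    return len(text.encode("utf-8"))


if __name__ == "__main__":
    for raw in (CEF_LINE, JSON_LINE):
        print(f"{size_bytes(raw):4d} bytes raw -> {size_bytes(compact_json(normalize(raw))):4d} bytes normalised")
    legacy_events, dropped = ingest([CEF_LINE, JSON_LINE], accept_json=False)
    print("CEF-only ingest dropped", dropped, "event(s); alerts:", correlate_block_and_failed_signin(legacy_events))
    events, _ = ingest([CEF_LINE, JSON_LINE])
    print("JSON-aware ingest alerts:", correlate_block_and_failed_signin(events))
```

The saving in bytes here comes from keeping only the fields your rules need and dropping the raw copy, not from JSON syntax itself (a JSON key costs as many bytes as a CEF key), so measure the ratio on your own event mix before using it for licence sizing. The correlation rule only fires when both sources are parsed, which is the visibility gap a CEF-only pipeline leaves open.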
If you’re looking for a Cloud-Native SIEM, you can take advantage of many things, but as is well known, when it comes to the cloud (cloud vendors and SaaS apps), the Cloud-Native SIEM has a huge advantage!
From the “single pane of glass” of a cloud-based SIEM platform, you can:
- Monitor cloud providers, systems, SaaS apps, and workloads, whether physical or virtual, anywhere in your network.
- Get real-time alerts on security incidents.
- Serve as the basis for risk analysis and audits.
- Consolidate and manage security and event log data.
- Automate incident response.
- Automate compliance reporting.
- Adapt the system quickly.
- And more.
TIP: specifically for Active Directory, Azure Sentinel can do the job much better than a legacy SIEM, with a dedicated connector.
The benefits of Cloud-Based SIEM
Cloud-based SIEM provides organizations with several key benefits over on-premises solutions. These are just a small sample of the advantages that Azure Sentinel can provide over a legacy SIEM.
- Speed of deployment – With cloud-based SIEM, organizations can be up and running much more quickly. When businesses install an on-site SIEM solution, there can be a long onboarding process before the system is fully operational. By choosing to go with a cloud-based SIEM solution, the technology can be customized and deployed much more quickly.
- Less expertise needed – SIEM solutions can be complex, overbearing solutions that require a solution expert to configure and maintain properly. Cloud-based SIEM solutions are designed to simplify implementing and maintaining the solution, lowering the level of expertise required and the number of staff necessary to manage it.
- Adoption – When you onboard SaaS apps and new security products, you don’t have the time to learn the products and make sure you’ve got the right connector to collect the relevant information and alert when a security issue appears.
- Always modern – Cloud-based SIEM removes the need to handle updates and stay on top of emerging capabilities, allowing an organization to scale conveniently and as required. Any additional capacity is easily purchased from the CSP.
- No capital investments required – It’s an unavoidable truth that an on-premises solution will require a specific combination of hardware and software, which will become obsolete over time. The on-premises deployment will eventually require a refresh, but a cloud-based SIEM removes this worry for the organization as the CSP handles all this.
In conclusion, there are many more features and many layers to SIEM infrastructure. Still, Cloud-Native SIEM with Azure Sentinel has big advantages and wins in any situation involving the cloud.