Azure Sentinel 101 - Catapult...

Azure Sentinel 101 Presenter: Joe Kuster

Transcript of Azure Sentinel 101 - Catapult...

Page 1: Azure Sentinel 101 - Catapult Systemspages.catapultsystems.com/rs/998-YNO-494/images/Azure...•Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert

Azure Sentinel 101

Presenter: Joe Kuster

Page 2

Introducing Catapult

Transforming organizations for today’s modern world

15,000 projects completed over 25 years

Top .01% of Microsoft Partners with 14 Gold & 2 Silver Competencies

Serving all 50 states, Mexico, Canada and the Caribbean

Page 3

Our Partnership with Microsoft

• National Solutions Provider (NSP) in top .01% of Microsoft’s partner ecosystem

• 2019 Microsoft Partner of the Year Awards

  • Modern Workplace – Security and Compliance - Winner

  • PowerApps - Winner

  • Modern Desktop - Finalist

  • PowerBI - Finalist

• 2018 Microsoft Partner Award Azure Compete (United States)

• 2017 Microsoft Global Cloud Partner of the Year Finalist

• 2016 Microsoft Partner of the Year Winner (United States)

• On-staff experts awarded Microsoft’s “Most Valuable Professional” (MVP)

• 20+ Years of experience working with the Microsoft technology stack

Page 4

Security & Compliance Services

Security Environment Analysis

▪ Analyze existing technology stack

▪ Map to compliance needs to identify gaps

▪ Identify overlapping solutions & opportunities for ROI improvement

▪ Recommend best practice technology adoption

Tool Optimization & Implementation

▪ Demonstrate art of the possible

▪ Deploy new technologies, such as Microsoft M365 E5

▪ Optimize implemented technologies, such as Azure Identity Protection

Continuous Posture Improvement

▪ Security Coach provides ongoing insight & support

▪ Dashboard connects disparate signals into dashboard for improved insight

▪ Technical experts available on demand

Spyglass

Page 5

Security and Compliance Challenges

93% of cyber attacks target user identity

50% of business cloud adoption is led by Shadow IT

63% of businesses are understaffed in security expertise

$3.9M average cost of a successful security breach

51% can’t find and keep the needed skillsets

62% of cloud adopters nervous about cloud security

80% of security incidents occur from within

Page 6

Agenda

What is Sentinel?

What does it connect to?

Common Use Cases

Getting Started

Understanding Pricing / Licensing

Example Walk Through

Page 7

What is Azure Sentinel and Why You Need It

Sentinel is Microsoft’s Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) offering.

SIEM solutions aggregate events and alerts from numerous solutions to correlate intelligence. The consolidated view streamlines threat hunting and allows for automated remediations or assisted investigations.

SOAR solutions are a stack of compatible software programs that allow an organization to collect data about security threats from multiple sources and respond to low-level security events without human assistance.

Page 8

That’s nice, but what does it really mean?

• Find your alerts in one place.

• Makes repeatable searches easier.

• Centralized place for investigations.

• Machine learning surfaces unusual activity.

• Ability for semi-automated or automated response.

Page 9

#1 Sentinel is a place to ship your events and alerts. (Single Pane for Investigations)

Example: Ransomware hit employees via email and their cloud files were impacted

• Cloud App Security (What files were infected?)

• Azure AD Sign In Activity (Who logged in, from what IP?)

• Office 365 Activity (What else did they do during that session?)

• Symantec Malware Logs (Was AV patched and up to date when it slipped through?)

• Azure AD Identity Protection (Did an attacker come in from a breached account?)

• Azure Security Center (Did the payload change their device configuration, or just encrypt the files?)

Page 10

#2 Sentinel Speeds Up Investigations

• Machine Learning systems (Microsoft’s, or your own custom ML) analyze data for anomalies.

• Repeatable Threat Hunting Queries and Automatic Analytic Triggers find issues faster.

Page 11

#3 Sentinel Streamlines Response

• Allows investigators to tag events / alerts / notes as they go.

• Playbooks allow for automated or semi-automated response.

• Investigator identifies false positive, triggers event that logs it, whitelists IP, and closes ticket.

• Impossible Travel Scenario = Automatically create a ticket and lock account if not on a corp device.

Page 12

What if you already have a SIEM?

• Most organizations don’t have their cloud data integrated yet.

• Those that do pay an exorbitant amount to import it (database bloat).

• Few orgs have meaningful SIEM/SOAR maturity for O365, Azure, Amazon Web Services, or Enterprise Mobility + Security solutions.

• Sentinel is a modern SIEM that uses artificial intelligence (Fusion) to reduce alert fatigue and automatically surface anomalous data.

• Also… it’s free for O365/Azure basic threat hunting, so there’s that ☺

Page 13

Getting Started

Page 14

What’s needed?

• Azure Subscription: Account must have access to source system data to be analyzed.

• Azure Log Analytics: Recommend Standard Tier. Free logging lacks many critical security data points.

• Azure Logic Apps: Necessary for some remediations.

• Azure Automation: Necessary for some remediations.

• Azure Security Center: Optional, but streams great data!

Page 15

Navigating Sentinel

• Overview: Automatic reports generated based on your data

• Logs: Manual queries for threat hunting / correlation

• Cases: SOC Burn Down List (Tickets) – Created by Analytics

• Dashboards: Common reports sorted by source type

• Hunting: Reusable Queries for Investigations

• Notebooks: Jupyter notebooks w/ Markdown Text

• Data Connectors: Connect to data sources.

• Analytics: Trigger conditions that create cases.

• Playbooks: Logic App playbooks to remediate / manage issues.

• Workspace settings: where Sentinel data is stored. Can pull data ingestion and cost data. Adjust retention here!

Page 16

Follow the Wizard

Once workspace is ready:

• https://portal.azure.com

• Search for Azure Sentinel

• Follow Getting Started Wizard

Page 17

Creating Data Connectors

Data connectors are usually:

1. Cloud based and you only need your admin credentials.

2. Agent based and you use the Microsoft Monitoring Agent for the log upload.

3. Most common scenarios are turn-key (Syslog, Endpoint Protection, etc.)

Page 18

Workbooks

Page 19

Building a Query with Kusto Query Language

• Attacker IP Query / Investigation

OfficeActivity | where ClientIP == '13.64.199.41'

Table | clause Column operator value

• Starter Tip: Browse tables, find the data, and add columns to the query. Delete the excess.
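The slide shows the basic shape of a KQL query (table, pipe, where clause). The block below is an added example, not from the Catapult deck: it starts from the slide's one-line OfficeActivity query (the IP 13.64.199.41 is the value used on the slide) and extends it step by step into an investigation query, then applies the same pattern to the SigninLogs table to count failed sign-ins per source IP, which is the kind of query the "Login Attempts from Blacklisted IP" and brute-force examples later in the deck rely on. OfficeActivity and SigninLogs are standard Sentinel tables; the 30-day and 1-day lookbacks and the failure threshold of 20 are assumptions chosen for illustration.

```kql
// Added example (not from the Catapult deck).
// Query 1: the slide's pattern "Table | where Column operator value",
// extended into an investigation of what one client IP did.
// 13.64.199.41 is the example IP from the slide; 30d lookback is an assumption.
OfficeActivity
| where ClientIP == "13.64.199.41"
| where TimeGenerated > ago(30d)
// keep only the columns the investigation needs
| project TimeGenerated, UserId, Operation, OfficeWorkload, ClientIP
// roll up to see which accounts and operations that IP touched, and when
| summarize Actions = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by UserId, Operation, OfficeWorkload
| order by Actions desc

// Query 2: same pattern against Azure AD sign-in logs, counting failed
// sign-ins per source IP. ResultType "0" is a successful sign-in; anything
// else is a failure. The threshold of 20 failures is an assumption.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != "0"
| summarize Failures = count(),
            Accounts = dcount(UserPrincipalName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by IPAddress
| where Failures > 20
| order by Failures desc
```

Run each query separately in the Logs blade (select the query text before clicking Run). A high Failures count spread across many Accounts from one IPAddress is the signature an analytic rule would alert on, and the first query is what you would pivot to once an IP of interest is found.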

Page 20

Tracking the Investigation (Bookmarks & Notebooks)

Page 21

Investigations – Sample: Login Attempts from Blacklisted IP

Page 22

Building Responses

• Azure Logic Apps

• Tons of connectors to web services or on-prem apps

• Similar to MS Flow/Power Automate or IFTTT, but different.

• Remember that it’s log analysis based, not real time! (Not a replacement for proactive protection)

Page 26

Things they don’t tell you

• Fusion – must be manually enabled via PowerShell: https://docs.microsoft.com/en-us/azure/sentinel/connect-fusion

• AI Investigation is a Private Preview (Request form is online).

• HTTP Post = Graph API & Many, Many Other Things!

• Workspace / Source System Pricing Tiers Matter.

• It can take an experienced eye to identify what is going on.

Page 27

How is it priced?

• Data import from Office 365 and Azure is free.

• Charges occur for: Data Ingestion, Automation Workflows or custom Machine Learning Models

• Data ingestion / retention will be the largest charge for typical deploy.

• Free tier is available (500 mb / day).

• 31 days retention is free.

• Beyond the free amount/period: $2.30 per GB ingestion, $0.10 per GB per month retention.

Page 28

How is it priced?

• There will be no charges specific to Azure Sentinel during the preview.

• Data import from Office 365 is free.

• Even during preview, charges occur for: Data Ingestion, Automation Workflows or custom Machine Learning Models

• Data ingestion / retention will be the largest charge for typical deploy.

• 5GB per customer per month is free.

• 31 days retention is free.

• Beyond the free amount/period: $2.30 per GB ingestion, $0.10 per GB per month retention.
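Both pricing slides say ingestion and retention will be the largest charge, and the Workspace settings slide notes that ingestion and cost data can be pulled from the workspace. The query below is an added example, not from the deck, showing how to get that number yourself from the Log Analytics Usage table, which records ingested volume per data type in MB and flags whether it is billable (the free Office 365 / Azure data shows up as non-billable). The $2.30 per GB and $0.10 per GB per month figures are the ones quoted on the slides; treating them as flat list prices, ignoring the free allowance, and assuming the full volume is retained beyond the free period are simplifications made for the example.

```kql
// Added example (not from the Catapult deck): estimate monthly ingestion and
// retention spend per table from the Usage table, using the slide's prices.
// Usage.Quantity is in MB (see the QuantityUnit column), so divide by 1024 for GB.
let IngestPricePerGB   = 2.30;   // assumption: list price quoted on the slide
let RetainPricePerGBMo = 0.10;   // assumption: retention price quoted on the slide
Usage
| where TimeGenerated > ago(30d)
// only billable data counts; free Office 365 / Azure sources are excluded here
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 2) by DataType
// ingestion charge for the month, and the recurring charge to keep that
// month's data once it ages past the free retention period
| extend IngestCost    = round(IngestedGB * IngestPricePerGB, 2),
         RetentionCost = round(IngestedGB * RetainPricePerGBMo, 2)
| order by IngestedGB desc
```

The DataType column tells you which source is driving the bill, which is the input you need before deciding whether to trim a connector, filter a Syslog facility, or shorten retention in Workspace settings.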

Page 29

Example from the field (Skype Hybrid Brute Force)

Page 30

Example from the field

Page 31

Example from the field

Page 32

Successful Sign-ins (30 days)

40 Countries

Page 33

Q&A

Joe Kuster

Director, Security & Compliance Solutions

Catapult Systems

[email protected]

Page 34

Catapult’s Security Services

Spyglass is Catapult’s Security Coaching Service

There are Several Ways We Assist Clients:

• Assessments: Office 365, Azure, Greenfield, Planning

• Monthly Subscriptions: Right-sized to meet your needs, environment, and budget.

• Flexible On-Demand Expertise: Assistance when you need it and as much as you need across the entire Microsoft stack.

Page 35

Spyglass, Office 365 Security Assessment

O365 Assessment Insights:

• Identifying risky user and administrator behavior

• Evaluates environment against common regulatory standards (e.g., PCI DSS 3.2, SOC)

• Provides Actionable Insight on:

  • Identity & Access

  • Data & Storage, Leakage

  • Phishing & Malware

  • Threat Protection

  • SecureScore

• Review results and roadmap in-person

Page 36

Thank you.