21. Define the concepts of SIEM, SOAR and XDR
At the end of the day, as a security engineer, it is your job to protect, defend, and respond, and how you do it makes a significant difference in how effectively and how quickly you can put out those fires. There are many tools for achieving these objectives, and they keep evolving, so you will have heard a few buzzwords. The first is SIEM, which stands for Security Information and Event Management.
Then there is SOAR, which stands for Security Orchestration, Automation, and Response, and XDR, which stands for Extended Detection and Response. We need to understand these three terms before we look at the tools that implement them. SIEM and SOAR are important pieces of the security stack because they gather a wealth of data about potential security incidents from across your environment and store it for review. But think of the nerve endings in the body sending signals: what good are those signals if there is no brain to process, categorise, and correlate them? That is the data-overload problem, and XDR is positioned as the layer that solves it. The brain examines past data, present data, and everything else collected, and assigns a collective meaning to these disparate pieces. Without that layer, an organisation cannot take full advantage of its SIEM and SOAR investments; those tools carry the signals like nerves, but something still has to interpret them.
The XDR engine, which receives and interprets those signals, is the brain of the whole arrangement. The business world changed almost overnight as large numbers of employees switched to remote working, which opened another window for cybercriminals to exploit, and IT departments rushed to patch and harden their staff's devices and their access to company assets and resources. During times of national or global crisis, cybercriminals frequently increase their activity; the crisis itself does not matter to them, they are simply looking to exploit the situation and find a way into your organisation. You need a resilient and robust set of industry-standard tools to help you prevent and mitigate those attacks, and that is where SIEM and SOAR come into play.
They provide the security insights and security automation that strengthen an organisation's security perimeter. Let's get a general understanding of how the Azure tools supporting SIEM, SOAR, and XDR protect that perimeter. The first is SIEM, security information and event management. This is a tool an organisation uses to collect data across its entire estate, including infrastructure, virtual machines, software, and other resources. It analyses that data, looks for correlations and anomalies, and generates alerts and incidents. SOAR is security orchestration, automation, and response.
The name says a lot. SOAR receives alerts from multiple sources, for example the SIEM solution, and triggers action-driven automated workflows and processes that run the security tasks needed to mitigate the issue. Next is XDR, extended detection and response, which is designed to deliver intelligent, automated, and integrated security across an organisation's domain. It helps you prevent, detect, and respond to threats across identities, endpoints, applications, email, IoT, infrastructure, cloud platforms, and so on. To provide a comprehensive security perimeter, an organisation needs a solution that combines all three. Keep in mind that the XDR layer is an additional layer in the company's cybersecurity strategy; it makes the most of your SIEM by giving all of those nerve signals a brain that can sort them out and supply the context needed in today's threat landscape. Also note that SIEM, SOAR, and XDR are generic terms, not products. When you say "cloud", cloud is not a tool either; vendors such as Microsoft, Amazon, and Google sell cloud platforms. In the same way, many vendors sell tools in the SIEM, SOAR, and XDR spaces. Thanks for watching so far. I hope it has been an informative session. In the next lesson we will go over Azure Sentinel's integrated threat protection in greater detail.
22. Azure Sentinel
We spoke about SIEM and SOAR in the previous lesson. In Microsoft Azure, Azure Sentinel (renamed Microsoft Sentinel in 2021; the capabilities described here are the same) is the service that delivers both SIEM and SOAR capabilities. Azure Sentinel provides intelligent security analytics and threat intelligence across the enterprise, and a single solution for alert detection, threat visibility, proactive hunting, and threat response. Let's take a look at the picture. Here we can see the end-to-end functionality delivered by Azure Sentinel: collect, detect, investigate, and respond.
In the collect phase, Azure Sentinel collects data at cloud scale across users, devices, applications, and infrastructure, both on-premises and in other clouds. In the detect phase, it surfaces previously undetected threats and minimises false positives using analytics and Microsoft's threat intelligence. It then uses AI to investigate threats and hunt for suspicious activity at scale, drawing on decades of cybersecurity work at Microsoft.
And finally, you respond to incidents rapidly with built-in orchestration and automation of common security tasks. Azure Sentinel supports your security operations end to end, from log ingestion through to automated response to security alerts. You might be wondering what kind of information Azure Sentinel gathers. Does it collect only Windows logs because it is a Microsoft tool? Only Azure logs because those are also Microsoft's? We will look at that in the next lesson, where we will also learn about Azure Sentinel's various ingestion points and which tools integrate tightly with Sentinel to provide a full security solution. Thanks for watching so far, and I'll see you in the next lesson.
23. Azure Sentinel Features
Azure Sentinel collects data from many sources. Microsoft has created several connectors that are available out of the box and provide real-time integration. So if you have Microsoft 365 Defender or other Microsoft 365 sources such as Office 365, Azure Active Directory, Microsoft Defender for Identity (formerly Azure ATP), or Microsoft Cloud App Security, you can integrate them directly. Before anything else, your data has to be ingested into Azure Sentinel, and collecting it is what these connectors do.
Data connectors cover a wide range of scenarios and sources. Data can be collected from Syslog, Windows Event Logs, the Common Event Format (CEF), TAXII (Trusted Automated eXchange of Indicator Information) feeds for threat intelligence, Azure, or AWS, for example. That list is a short one; Azure Sentinel can accommodate a great deal more, and there are many more data connectors available. One practical point for third-party appliances: CEF events arrive over Syslog through a log forwarder, so the pipeline has to honour CEF's escaping rules, or fields get mangled before any analytics rule sees them. After you connect the data sources to Azure Sentinel, you can monitor the data through Azure Sentinel's integration with Azure Monitor Workbooks, which gives you a canvas for data analysis and for creating rich visual reports in the Azure Portal. With this integration, Azure Sentinel lets you create custom workbooks across your data, and it also comes with built-in workbook templates for quick insights.
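As an added example (not code from this course or from Microsoft), here is a small parser for the CEF format that the connector above ingests. It splits the seven pipe-delimited header fields, walks the key=value extension, and undoes CEF's backslash escaping, which is where home-grown pipelines usually go wrong: an unescaped pipe in a product name or an equals sign inside a message would otherwise shift every field that follows. The sample lines, vendor and product names, hosts and addresses are constructed for the example, and the numeric mapping of word severities is this example's choice.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample lines, in the shape a CEF-over-Syslog forwarder hands to a
# SIEM connector. Vendor, product, hosts and addresses are made up for this
# example; the first line also carries a Syslog priority/timestamp prefix.
SAMPLE_CEF_LINES = [
    "<134>Jan 18 11:07:53 fw01 CEF:0|ExampleCorp|ExampleFW|1.0|100|Login failed|7|"
    "src=10.1.2.3 dst=10.9.8.7 spt=51515 dpt=443 suser=jdoe "
    "msg=Failed password\\=5 attempts, path C:\\\\Users act=blocked",
    "CEF:0|ExampleCorp|Example\\|Proxy|2.3|200|URL allowed|3|"
    "src=10.1.2.4 request=http://intranet.example/report?id\\=42 "
    "cs1Label=Category cs1=Business",
    "Jan 18 11:08:00 host1 sshd[812]: not a CEF line at all",
]

# An extension key is an alphanumeric token at the start of the extension or right
# after whitespace, followed by an unescaped "=". An escaped "\=" inside a value
# never matches because the character before its "=" is a backslash.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")

# CEF escape sequences: "\\", "\=", "\|" and the literal "\n" / "\r" spellings.
_ESCAPES = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}

# Word severities are mapped to the top of their CEF band (Low 0-3, Medium 4-6,
# High 7-8, Very-High 9-10). Choosing the top of the band is this example's choice.
_SEVERITY_WORDS = {"low": 3, "medium": 6, "high": 8, "very-high": 10}


@dataclass
class CefEvent:
    version: int
    vendor: str
    product: str
    device_version: str
    event_class_id: str
    name: str
    severity: int
    extensions: Dict[str, str] = field(default_factory=dict)
    syslog_prefix: str = ""


def _unescape(text: str) -> str:
    """Resolve backslash escapes left to right, so an escaped pair yields one char."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


def _split_header(body: str) -> Tuple[List[str], str]:
    """Split the seven header fields, honouring escaped pipes and backslashes,
    and return them together with the untouched extension text."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == 7:         # everything after the 7th pipe is extension
                return fields, body[i:]
            continue
        cur.append(c)
        i += 1
    if len(fields) == 6:                 # tolerate a missing trailing pipe
        fields.append("".join(cur))
        return fields, ""
    raise ValueError("CEF header must have 7 pipe-delimited fields")


def _severity(raw: str) -> int:
    raw = raw.strip()
    if raw.isdigit() and 0 <= int(raw) <= 10:
        return int(raw)
    if raw.lower() in _SEVERITY_WORDS:
        return _SEVERITY_WORDS[raw.lower()]
    raise ValueError(f"invalid CEF severity {raw!r}")


def _parse_extension(ext: str) -> Dict[str, str]:
    """Each value runs from its key's "=" up to the whitespace before the next key."""
    matches = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one Syslog/CEF line; raise ValueError on anything malformed."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF: marker in line")
    header, ext = _split_header(line[idx + 4:])
    version, vendor, product, dev_version, class_id, name, sev = header
    return CefEvent(
        version=int(version), vendor=vendor, product=product,
        device_version=dev_version, event_class_id=class_id, name=name,
        severity=_severity(sev), extensions=_parse_extension(ext),
        syslog_prefix=line[:idx].strip(),
    )


def parse_batch(lines: List[str]) -> Tuple[List[CefEvent], int]:
    """Parse what we can and count rejects, so a silent ingestion gap is visible."""
    events: List[CefEvent] = []
    rejected = 0
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError:
            rejected += 1
    return events, rejected


if __name__ == "__main__":
    parsed, bad = parse_batch(SAMPLE_CEF_LINES)
    for ev in parsed:
        print(ev.vendor, ev.product, ev.name, ev.severity, ev.extensions)
    print(f"{len(parsed)} parsed, {bad} rejected")
```

The rejected count matters as much as the parsed events: a connector that quietly drops malformed lines hides an ingestion gap that only shows up later as a missing detection.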
Once a data source is connected, Azure Sentinel's real power comes into play: you start using the built-in analytics rules in the Azure Sentinel workspace and get alerted when anything suspicious occurs. There are various types of rules, some of which you can edit for your own needs. When an alert fires and an incident is created, you can carry out standard incident management tasks, such as changing its status or assigning it to an individual for investigation, and Azure Sentinel's investigation functionality lets you visually investigate incidents by mapping entities across log data along a timeline. You can also use Azure Sentinel to automate some of your security operations and make them more productive. Azure Sentinel integrates with Azure Logic Apps, so you can create automated workflows, called playbooks, in response to those events. This functionality can be used for incident management, enrichment, investigation, or remediation. In general, a playbook is a collection of procedures that helps you automate and orchestrate your response.
You can run a playbook manually or let it trigger automatically when certain alerts appear in Sentinel. Playbooks in Azure Sentinel are based on Logic Apps, so you get all the power, customisability, and built-in templates of Logic Apps. Each playbook is created in a specific subscription that you choose. One of the most important features is hunting. Azure Sentinel's hunting search and query tools are based on the MITRE ATT&CK framework and let you hunt proactively for security threats across your organisation's data sources before an alert is triggered, so there is proactive monitoring happening here. Once you discover which hunting queries give high-value insights into possible attacks, you can create custom detection rules based on those queries and surface the results as alerts to the incident responders on your team.
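As an added example that is not part of the course material and does not call Microsoft's APIs, the following Python sketches the detect-then-respond chain just described: an analytics rule that runs over sign-in events and raises an incident, followed by a playbook that turns the incident into response actions. The rule looks for a password spray, the pattern this module returns to later under Microsoft 365 Defender: one source address, a few guesses per account, many accounts within a short window. The sign-in rows, the thresholds, and the action names the playbook emits are all assumptions made for the example; a real playbook would hand those actions to Logic Apps connectors.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sign-in events in the shape of a SIEM sign-in table: one row per
# authentication attempt. Users, addresses and times are made up for this example.
SAMPLE_SIGNINS = [
    # one source address, one guess per account, many accounts: a password spray
    {"time": "2024-03-01T08:00:01Z", "user": "alice@example.com", "ip": "203.0.113.7", "result": "Failure"},
    {"time": "2024-03-01T08:00:05Z", "user": "bob@example.com",   "ip": "203.0.113.7", "result": "Failure"},
    {"time": "2024-03-01T08:00:09Z", "user": "carol@example.com", "ip": "203.0.113.7", "result": "Failure"},
    {"time": "2024-03-01T08:00:14Z", "user": "dave@example.com",  "ip": "203.0.113.7", "result": "Failure"},
    {"time": "2024-03-01T08:00:20Z", "user": "erin@example.com",  "ip": "203.0.113.7", "result": "Failure"},
    {"time": "2024-03-01T08:00:26Z", "user": "frank@example.com", "ip": "203.0.113.7", "result": "Success"},
    # one user mistyping a password from the office, then succeeding: benign
    {"time": "2024-03-01T08:01:00Z", "user": "grace@example.com", "ip": "198.51.100.20", "result": "Failure"},
    {"time": "2024-03-01T08:01:10Z", "user": "grace@example.com", "ip": "198.51.100.20", "result": "Failure"},
    {"time": "2024-03-01T08:01:30Z", "user": "grace@example.com", "ip": "198.51.100.20", "result": "Success"},
    # same attacker address, but well outside the window: not part of this incident
    {"time": "2024-03-01T09:30:00Z", "user": "heidi@example.com", "ip": "203.0.113.7", "result": "Failure"},
]

# Rule thresholds: assumed values for this example, tune them to your own baseline.
# A spray touches many accounts with few guesses each, which is what separates it
# from a brute-force attempt against a single account.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_ACCOUNTS = 5
MAX_GUESSES_PER_ACCOUNT = 3


@dataclass
class Incident:
    title: str
    severity: str
    technique: str                   # MITRE ATT&CK ID the rule maps to
    source_ip: str
    targeted_accounts: List[str]     # accounts that saw spray failures
    compromised_accounts: List[str]  # accounts that authenticated from the source
    first_seen: datetime
    last_seen: datetime


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events: List[Dict[str, str]], window: timedelta = WINDOW,
                          min_accounts: int = MIN_DISTINCT_ACCOUNTS) -> List[Incident]:
    """Analytics rule: for each source address, slide a window over its sign-ins
    and raise one incident if any window holds spray failures against at least
    min_accounts distinct accounts. A success from the same address inside a
    spraying window marks that account as likely compromised."""
    by_ip: Dict[str, list] = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append({**e, "t": _ts(e["time"])})

    incidents: List[Incident] = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["t"])
        targeted, compromised = set(), set()
        first = last = None
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["t"] - start["t"] <= window]
            failures: Dict[str, int] = defaultdict(int)
            for e in in_window:
                if e["result"] == "Failure":
                    failures[e["user"]] += 1
            sprayed = {u for u, n in failures.items() if n <= MAX_GUESSES_PER_ACCOUNT}
            if len(sprayed) < min_accounts:
                continue
            targeted |= sprayed
            compromised |= {e["user"] for e in in_window if e["result"] == "Success"}
            first = start["t"] if first is None else min(first, start["t"])
            last = in_window[-1]["t"] if last is None else max(last, in_window[-1]["t"])
        if targeted:
            incidents.append(Incident(
                title=f"Password spray from {ip} against {len(targeted)} accounts",
                severity="High" if compromised else "Medium",
                technique="T1110.003",
                source_ip=ip,
                targeted_accounts=sorted(targeted),
                compromised_accounts=sorted(compromised),
                first_seen=first, last_seen=last,
            ))
    return incidents


def run_playbook(incident: Incident) -> List[Dict[str, str]]:
    """SOAR-style playbook: turn the incident into the ordered actions a Logic App
    would dispatch. It returns the plan instead of calling a firewall or identity
    provider; those connectors are assumed, not implemented, in this example."""
    plan = [{"action": "block_ip", "target": incident.source_ip, "duration": "24h"}]
    for user in incident.compromised_accounts:
        plan.append({"action": "revoke_sessions", "target": user})
        plan.append({"action": "require_password_reset", "target": user})
    for user in incident.targeted_accounts:
        if user not in incident.compromised_accounts:
            plan.append({"action": "add_to_watchlist", "target": user})
    plan.append({"action": "assign_incident", "target": "soc-tier1",
                 "severity": incident.severity})
    return plan


if __name__ == "__main__":
    for inc in detect_password_spray(SAMPLE_SIGNINS):
        print(inc.title, inc.severity, inc.technique, inc.first_seen, inc.last_seen)
        for step in run_playbook(inc):
            print("  ", step)
```

Run it directly to see the single incident and its plan. The heidi row shows why the window matters (a failure from the same address ninety minutes later is not folded in), and the grace rows show why the rule counts distinct accounts rather than raw failures: three attempts by one user from one office address is noise, not a spray.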
Azure Sentinel also integrates with threat protection. Threat protection is a continuously evolving battlefront: cybercriminals look for any vulnerability they can exploit to steal, damage, or extort a company's data, assets, and resources. Microsoft provides a suite of tools that deliver extended detection and response (XDR) through Microsoft 365 Defender and Azure Defender (Azure Defender has since been folded into Microsoft Defender for Cloud). Both integrate smoothly with Azure Sentinel to provide complete and thorough threat protection for your organisation. That is all there is to Azure Sentinel. Now that we have explored Azure Sentinel and understood its key features, including incidents, workbooks, hunting, notebooks, analytics, and playbooks, let's look at what all of these features cost. Thanks for watching so far. I'll see you in the next lesson.
24. Azure Sentinel – Pricing
Azure Sentinel collects a lot of data, and it has to be stored somewhere. That somewhere is an Azure Monitor Log Analytics workspace: the data Azure Sentinel analyses is stored in the Log Analytics workspace, and you are charged for it. Billing is based on the volume of data ingested for analysis in Azure Sentinel and stored in the Log Analytics workspace. There are two ways to pay for the Azure Sentinel service: capacity reservations (later renamed commitment tiers) and pay-as-you-go. With a capacity reservation, you are billed a fixed fee based on the selected tier, which gives you a predictable total cost for Azure Sentinel. With pay-as-you-go, you are billed per gigabyte for the volume of data ingested for analysis in Azure Sentinel. One caveat for your own estimate: the Log Analytics workspace bills its data ingestion, and retention beyond the included period, separately from the Azure Sentinel charge, so the Sentinel per-gigabyte rate is not the whole bill.
25. Chapter Summary
There is a long way to go before we have covered all the Azure security services, but as we complete this chapter we need to summarise. This is a milestone, so where are we? We learned about the security defences available to protect your company's digital estate. We know that Azure Sentinel supports key security operations in the cloud and integrates with your existing security systems, giving you a one-stop shop for alert detection, threat visibility, proactive hunting, and threat response. You understood the concepts of SIEM, SOAR, and XDR and how Azure Sentinel provides integrated threat protection, and we covered the capabilities of Azure Sentinel and its pricing. We are now jumping into the next lesson, where we talk about the threat protection capabilities of Microsoft 365.
26. Describe the threat protection capabilities of – Introduction
The risk of getting exploited is everywhere: in your applications, your email, your collaboration endpoints, your SaaS solutions, your identities, and just about everywhere else you can think of. That means threat prevention is not limited to network security; you also need integration points between these areas. With the Microsoft 365 Defender solution specifically, security professionals can stitch things together: they can integrate the threat signals each of these products receives and determine the full scope and impact of a threat.
So they can analyse things like how it entered the environment, what it is affecting, and how it is currently impacting the organisation. This lesson is all about how the Microsoft Defender services can help protect your organisation. We will explore the various Defender services, how they protect identities, Office 365, endpoints, and cloud apps, and how Microsoft 365 Defender provides integrated protection against sophisticated attacks. Finally, we learn about Microsoft's cloud access security broker (CASB), Microsoft Cloud App Security, and how it can help defend your data assets.
27. Microsoft 365 Defender services – Introduction
Attackers are eyeing your data. They are scanning for information inside your applications, on your endpoints such as laptops and desktops, and of course in your email, and they are using password spray techniques against your identities. Does this mean you need multiple solutions to protect your email, identities, applications, and endpoints? Is there a one-stop shop to detect, prevent, and investigate threats across all of them? Yes: Microsoft 365 Defender, which protects you from sophisticated cyberattacks. You use Microsoft 365 Defender to coordinate threat detection, prevention, investigation, and response across your email, identities, applications, and endpoints.
Microsoft 365 Defender lets admins assess threat signals from applications, email, identities, and endpoints to determine the scope of an attack and its possible impact. It gives insight into how the threat occurred, which systems were affected, and whether automated action can be taken to prevent or stop the attack. Microsoft 365 Defender is a suite of services. For identities, it brings together Microsoft Defender for Identity and Azure AD Identity Protection. For endpoints, Microsoft Defender for Endpoint provides preventive protection, post-breach detection, automated investigation, and response. For applications, Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) is a comprehensive cross-SaaS solution that brings deep visibility, strong data controls, and enhanced threat protection to your cloud applications. It is paramount that you protect your email as well, from the malicious threats posed by email messages, links, and collaboration tools, and Microsoft Defender for Office 365 safeguards your organisation against those. In short, you use Microsoft 365 Defender to protect your organisation against sophisticated cyberattacks by coordinating detection, prevention, investigation, and response across identities, email, applications, and endpoints: a one-stop shop. Let's talk about each of these services one by one, starting with Microsoft Defender for Identity.
28. Microsoft Defender for Identity
We spoke about what identities are in module two. Here, we are talking about securing and protecting those identities. Back in the day there was a tool called Azure Advanced Threat Protection (Azure ATP), a cloud-based security solution that protected identities. Today it is called Microsoft Defender for Identity; that is, Microsoft Defender for Identity now provides what was previously known as Azure ATP. It uses your on-premises Active Directory data, which we will call signals, to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organisation.
Defender for Identity covers three key areas. It monitors and profiles user behaviour and activities; it protects user identities and reduces the attack surface; and with all of that it detects suspicious activity and advanced attacks across the cyberattack kill chain. Let's talk about the first one: monitoring and profiling user behaviour and activities. Defender for Identity monitors and analyses user activities and information across your network, including permissions and group memberships, and creates a behavioural baseline for each user. It then detects anomalies using what Microsoft calls adaptive built-in intelligence, giving you insight into suspicious activities and events and revealing the advanced threats, compromised users, and insider threats facing your organisation.
The next area is protecting user identities and reducing the attack surface. Defender for Identity provides invaluable information about identity configurations and security best practices. With its reports and user-profile analytics, Defender for Identity helps reduce your organisation's attack surface, making it harder to compromise user credentials before an attack happens. For example, Defender for Identity identifies the users and devices that authenticate using clear-text passwords, which gives you concrete pointers for improving your security posture and policies. Finally, it identifies suspicious activities and advanced attacks across the cyberattack kill chain. Typically, attacks are launched against any accessible entity, such as a low-privileged user.
Attacks then move laterally until the attacker reaches valuable assets, which might include sensitive accounts, domain admin accounts, and highly sensitive data. Defender for Identity identifies these advanced threats at the source, throughout the entire kill chain. Step back and think about what that kill chain includes: reconnaissance, compromised credentials, lateral movement, and finally domain dominance. With these features, Defender for Identity also helps you investigate alerts and user activities. It is designed to reduce general alert noise and provide only the important security alerts in a simple, real-time organisational attack timeline. You use the Defender for Identity attack timeline view and its smart analytics to stay focused on what matters, and you can use Defender for Identity to quickly investigate threats and gain insight across the organisation for users, devices, and network resources.
All in all, Defender for Identity protects your organisation from compromised identities, advanced threats, and malicious insider actions. Let's take a look at Microsoft Defender for Office 365 in the next lesson.
29. Microsoft Defender for O365
The next one in line is Microsoft Defender for Office 365, previously known as Office 365 Advanced Threat Protection (Office 365 ATP). Defender for Office 365 protects your organisation from malicious threats posed by email messages, links in those emails, and collaboration tools such as Teams, SharePoint Online, OneDrive for Business, and other Office clients. Defender for Office 365 covers threat protection policies, reports, threat investigation and response capabilities, and automated investigation and response capabilities. Threat protection policies are where you define the appropriate level of protection for your organisation. Reports let you view real-time data to monitor how Microsoft Defender for Office 365 is performing in your organisation. Threat investigation and response gives you tools to investigate, understand, simulate, and prevent threats.
Finally, automated investigation and response saves a significant amount of time and effort in investigating and mitigating threats. When it comes to pricing and plans, Microsoft Defender for Office 365 is available in two plans, and the plan you choose determines which tools you see and use in your organisation, so make sure you select the plan that meets your needs. Let's talk about Plan 1 and Plan 2. With Plan 1 you get Safe Attachments, which checks email attachments for malicious content. You get Safe Links, which scans every link at the time it is clicked: safe links remain accessible, while malicious links are blocked. You get protection for SharePoint, OneDrive, and Microsoft Teams, so when your users collaborate and share files, Plan 1 identifies malicious content and blocks it. You get anti-phishing protection, which detects attempts to impersonate your users.
And you get real-time detections, a report that lets you identify and analyse recent threats. Plan 2 includes everything in Plan 1 plus automation, investigation, remediation, and simulation tools to help protect your Microsoft 365 suite: Threat Explorer, Threat Trackers, Automated Investigation and Response (AIR), and Attack Simulator. Threat Trackers provide the latest intelligence on prevailing cybersecurity issues and let organisations take countermeasures before there is an actual threat. Threat Explorer is a real-time report for identifying and analysing recent threats in more depth than the Plan 1 real-time detections report. AIR includes a set of security playbooks that can be launched automatically when an alert is generated, so a security playbook can start an automated investigation, provide detailed results, and recommend actions that the security team can approve or reject.
Finally, Attack Simulator lets you run realistic attack scenarios in your organisation to identify vulnerabilities. So those are the two plans for Microsoft Defender for Office 365. Let's talk about availability. Defender for Office 365 is included in certain subscriptions: Microsoft 365 E5, Office 365 E5, and Office 365 A5 include Plan 2, and Microsoft 365 Business Premium includes Plan 1. If your subscription does not include Defender for Office 365, you can purchase it as an add-on. All in all, you use Microsoft Defender for Office 365 to protect your organisation's collaboration tools and messaging capabilities. Let's talk about the next one, Microsoft Defender for Endpoint, in the next lesson. Thanks for watching so far. I'll see you there.
30. Microsoft Defender for Endpoint
Once upon a time there was a tool called Microsoft Defender Advanced Threat Protection. Today it is called Microsoft Defender for Endpoint; there has been a lot of rebranding in the Microsoft security area. It helps you prevent, detect, investigate, and respond to advanced threats. Microsoft Defender for Endpoint embeds technology built into Windows 10 and Microsoft cloud services. It uses endpoint behavioural sensors that collect and process signals from the operating system.
It also uses cloud security analytics that turn those signals into insights, detections, and recommendations, and threat intelligence that identifies attacker tools and techniques and generates alerts. Let's take a look at the capabilities of Microsoft Defender for Endpoint: threat and vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and remediation, Microsoft Threat Experts, and management and APIs. Threat and vulnerability management is a risk-based approach to the discovery, prioritisation, and remediation of endpoint vulnerabilities and misconfigurations; it uses the sensors already on the devices, so there is no need for separate agents or periodic scans, and it still prioritises the vulnerabilities. Attack surface reduction reduces the places where your organisation is vulnerable to cyber threats and attacks, for example by ensuring only allowed apps can run and by preventing apps from accessing dangerous locations. Next-generation protection brings together machine learning, big-data analysis, in-depth threat research, and the Microsoft cloud infrastructure to protect devices in your organisation. Endpoint detection and response provides advanced, actionable attack detections in near real time; security analysts can prioritise these alerts, see the full scope of a breach, and take appropriate action to remediate threats. One of the most important capabilities is automated investigation and remediation.
This feature uses inspection algorithms and the processes analysts follow to examine alerts and take quick remediation action to resolve breaches, which significantly reduces the volume of alerts that must be investigated individually. Microsoft Threat Experts is a managed threat hunting service that provides security operations centres with monitoring and analysis to ensure critical threats do not get missed. Finally, management and APIs include APIs for integrating with other security solutions. Microsoft Defender for Endpoint also includes Microsoft Secure Score for Devices to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and recommend actions to improve your organisation's overall security posture. Microsoft Defender for Endpoint integrates with other components of the Defender suite and other Microsoft solutions, including Intune for mobile device management and Azure Security Center. That is all about Microsoft Defender for Endpoint. Let's go ahead and learn about Microsoft Cloud App Security in the next section.