Note: This blog will contain resources and material from various sources including Microsoft.com/Security, Ignite, and one of my cybersecurity heroes: Mark Simos. This blog is not meant to be a replacement for any of these resources – but rather a collection that can be easily referenced.
The digital estate that defenders must protect is rapidly evolving from traditional desktops and laptops to smartphones, IoT devices and even cloud SaaS applications. This changes the perimeter of the environment and calls for a different approach to defending it. As the assets we are protecting change, so do the types of threats we must protect against – and as a result our defenders and their people, process, and technology must evolve.
When you look at the Kill Chain, the framework cybersecurity professionals use to describe a breach, you see that an attack has distinct phases – and in order to properly defend against these advanced attacks, a defense in depth model must be part of your approach.
Security Operations Centers or “SOCs” monitor an organization’s IT environment for various cyber threats and typically consist of a wide range of tools, processes and different skill sets. However, given the evolution of the digital estate and types of threats today, the SOC must also evolve.
To better understand this rapidly changing landscape of threats and why we must evolve our approach to cybersecurity, please review the “Minutes Matter” and “Motivation Matters” posters from our Cybersecurity Solutions Group (http://aka.ms/MinutesMatter and http://aka.ms/MotivationMatters to download).
I recorded the following video on the importance of modernizing your security operations center – and specifically how Microsoft modernized its SOC:
Minutes Matter and the “Fusion Center Model”
In the video I talked about the concept of a “Fusion Center” where all teams come together in a centralized manner:
Lessons Learned from the Microsoft Security Operations Center
This concept of a fusion center is the cornerstone of a modern SOC, but it doesn’t come without its own challenges. To expand on the lessons learned from Microsoft’s own SOC modernization, I invite you to read this series of blogs, which will help you understand what must occur to modernize your approach to security – this is a must-read before going further!
- Lessons learned from the Microsoft SOC—Part 1: Organization
- Lessons learned from the Microsoft SOC—Part 2a: Organizing people
- Lessons learned from the Microsoft SOC—Part 2b: Career paths and readiness
- Lessons learned from the Microsoft SOC—Part 3a: Choosing SOC tools
- Lessons learned from the Microsoft SOC—Part 3b: A day in the life
Assume Breach Mindset
As we realize that cyber threats are evolving almost on a daily basis, our methodology and approach must evolve as well – this means a SOC must not only be reactive to threats, but proactive in hunting down and stopping potential threats. Enter threat hunting. Microsoft’s approach to threat hunting involves tools like Azure Sentinel, our SIEM + SOAR product, in addition to the MITRE ATT&CK framework.
I invite you to review the blog from Jonathan Trull, Microsoft General Manager of the Cybersecurity Solutions Group, on why your SOC needs this capability: Threat hunting: Part 1—Why your SOC needs a proactive hunting team. In addition, review the following two sessions from Microsoft Ignite on this topic:
- Using Azure Sentinel to supercharge your threat hunting
- Threat Hunting in the Cloud with Azure Sentinel and Jupyter Notebooks
Leverage the Cloud
With the rapidly evolving threat landscape, seconds matter when it comes to detection and remediation of these advanced threats. With the introduction of Artificial Intelligence and Machine Learning, cloud-based SIEM and SOAR products have the ability to correlate data more quickly and even execute a remediation playbook faster than a human. As you modernize your SOC, you need to embrace cloud technologies to help you better secure your assets.
I invite you to review an excellent blog by Lesley Kipling and Anthony Petito from the Microsoft Detection and Response Team (DART) on how the cloud is changing incident response: Changing security incident response by utilizing the power of the cloud—DART tools, techniques, and procedures: part 1
Technical Skills and Capability
In my opinion the most important part of modernizing your security operations is to take care of the security analysts and IT professionals on the front lines. It’s our duty to help them learn new skills and adapt to the changing landscape professionally. A key part of this is ensuring diversity among the skill sets. I encourage you to read the following blog by Ann Johnson, Corporate Vice President, Microsoft Cybersecurity Solutions Group: How to solve the diversity problem in security
A few things I recommend to get started when it comes to technical skills development in cybersecurity:
- Take advantage of the *free* training Microsoft provides via its Ignite on-demand video content, found here. This catalog contains over 1000 videos recorded at its yearly IT pro conference.
- Encourage staying up to date on professional certifications such as:
  - Certified Information Systems Security Professional https://www.isc2.org/Certifications/CISSP
  - Certified Ethical Hacker https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/
  - CompTIA Security+ https://www.comptia.org/certifications/security
  - Microsoft Security Certifications:
    - Azure Security Engineer Associate https://docs.microsoft.com/en-us/learn/certifications/azure-security-engineer
    - Microsoft 365 Security Administrator Associate https://docs.microsoft.com/en-us/learn/certifications/m365-security-administrator
  - Other related industry and vendor certifications
Breaking Down Silos
In the video I discussed how SOC analysts are used to working in silos, whether product-specific silos or organizational silos. Attackers traverse silos, and unless your silos are talking to each other, attacks may go unnoticed.
These silos must be integrated, where analysts can collaborate with their counterparts and share threat intelligence. Here’s a good visual that describes this:
Converging Tools & Data
Once the SOC teams are integrated, sharing intelligence and able to collaborate, the tools and data also need to follow. The threat intelligence flowing in needs to be automatically correlated and managed via a single interface – with the capability to automate response. A good example of this is using Microsoft Threat Protection and Azure Sentinel:
Note: Review Azure Sentinel Connectors to understand how to connect data sources from Microsoft Defender ATP, Azure ATP, Azure Active Directory, Microsoft Cloud App Security and more to Azure Sentinel.
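To make the cross-silo point concrete, here is an added example (my own illustration, not code from the original post or from Azure Sentinel, which does this with analytics rules and playbooks) that fuses constructed identity, endpoint and cloud app signals per user. Each signal is low severity on its own; the ATT&CK tactic labels and the playbook name are assumptions for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample signals from three SOC silos (identity, endpoint, cloud app).
# Each tool reports in its own shape; seen alone, none of these is conclusive.
IDENTITY_LOGS = [
    {"ts": "2020-03-02T09:00:00", "user": "alice", "country": "US"},
    {"ts": "2020-03-02T09:07:00", "user": "alice", "country": "RO"},
    {"ts": "2020-03-02T10:00:00", "user": "bob", "country": "US"},
    {"ts": "2020-03-02T17:30:00", "user": "bob", "country": "GB"},
]
ENDPOINT_ALERTS = [{"ts": "2020-03-02T09:12:00", "user": "alice", "title": "Suspicious LSASS access"}]
CLOUD_APP_EVENTS = [
    {"ts": "2020-03-02T09:20:00", "user": "alice", "action": "mass download", "files": 1200},
    {"ts": "2020-03-02T11:00:00", "user": "carol", "action": "mass download", "files": 900},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def normalize():
    """Map each tool's native output onto one schema: ts, user, source, tactic (assumed mapping)."""
    events = []
    # Identity silo: two sign-ins from different countries within an hour.
    logs = sorted(IDENTITY_LOGS, key=lambda e: (e["user"], e["ts"]))
    for a, b in zip(logs, logs[1:]):
        if a["user"] == b["user"] and a["country"] != b["country"] \
                and parse(b["ts"]) - parse(a["ts"]) <= timedelta(hours=1):
            events.append({"ts": b["ts"], "user": b["user"], "source": "identity", "tactic": "Initial Access"})
    for e in ENDPOINT_ALERTS:  # endpoint silo: every alert becomes a signal
        events.append({"ts": e["ts"], "user": e["user"], "source": "endpoint", "tactic": "Credential Access"})
    for e in CLOUD_APP_EVENTS:  # cloud app silo: only mass downloads are interesting
        if e["action"] == "mass download":
            events.append({"ts": e["ts"], "user": e["user"], "source": "cloud_app", "tactic": "Exfiltration"})
    return events

def correlate(events, window=timedelta(hours=1)):
    """Fuse per-user signals inside `window`; severity rises with the number of silos involved."""
    incidents = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        inc = incidents.get(e["user"])
        if inc is None or parse(e["ts"]) - parse(inc["start"]) > window:
            inc = incidents[e["user"]] = {"user": e["user"], "start": e["ts"], "sources": set(), "tactics": []}
        inc["sources"].add(e["source"])
        inc["tactics"].append(e["tactic"])
    for inc in incidents.values():
        n = len(inc["sources"])
        inc["severity"] = "high" if n >= 3 else "medium" if n == 2 else "low"
        # Automated response (assumed playbook name) only fires when the chain spans all three silos.
        inc["playbook"] = "disable-account-and-isolate-host" if n >= 3 else None
    return incidents
```

Run `correlate(normalize())` and only alice, whose chain spans all three silos, is raised to high severity with a playbook; carol's single mass download stays low, and bob's two sign-ins are too far apart to register at all.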
Here is a good visual of the high level architecture of Azure Sentinel: