Microsoft Security: use what you have more effectively
Whilst simplicity is a big part of security, reality is many organisations have complex infrastructure; especially enterprise networks. Dealing with high technical debt, shadow IT, and legacy solutions that can take years to transition away from. However, that doesn't mean its impossible, and we shouldn't shy away from addressing these concerns head-on.
Unfortunately, may be due to fabulous marketing and a bit of that despair above, can lead to the approach of throwing money at the problem and implementing the latest shinny security tooling; without addressing the root cause. This typically leads us down the route of gaps in controls and processes, untailored solutions with a lot of noise, and big spend without return on investment. How can organisations begin to address their security programme effectively, in light of all of this? They can start by asking themselves, what are we trying to achieve, or what does success look like?
What you likely realise, is success can look different depending on your perspective. By aligning these different views, we can get buy-in from stakeholders, ensure long term engagement, and most importantly actually address the issue. Some examples of success for:
Users: good user experience, easy to use, minimal to no impact on workflows.
Technical team: easy to deploy and maintain, useful insights, able to integrate into existing environment.
Senior leadership: easy to understand, cost effective, and feeling a sense of confidence in the security posture.
Simplicity of integrations
During XFD7, Microsoft Security discussed the concept of making use of what you already have, to begin addressing these success factors effectively. "The hardest part of using a SIEM tool, is getting the data into the SIEM tool" Scott Woodgate mentioned during his talk on automating threat detection and response with SIEM+XDR.
A big advantage for Microsoft, if you want to get data in from your existing infrastructure of Azure, Defender for endpoint or identity, for example - they are all Microsoft, and therefore a few clicks ingests the data is all that's needed.
From my experience as a consultant, Microsoft is well known in organisations and within the operations teams. Further use of existing data and known vendors can provide an easier onboarding and approval, less administrative oversight in the procurement processes when the vendor is existing, and time from purchase to running as the up-skilling is reduced. Additionally, as Microsoft has the holistic view, across organisations, industries, and countries - they can continuously improve their models to reduce false positives and false negatives.
Having deployed a few solutions throughout my career, the requirements gathering phase is absolutely critical and often improperly done. Mistakes such as not including stakeholders, like speaking with the end users and understanding their actual needs, or completely skipping the requirements and immediately looking at solutioning. If organisations truly want to deploy Security by Design architecture - they need to embed security throughout the entire lifecycle.
During Microsoft's presentations, they hit on that exact point multiple times. Addressing the success factors, understanding the requirements, and laying on controls to protect your infrastructure throughout the data lifecycle, is how organisations can keep up with the ever changing threat landscape.
Whilst I do not have experience with Sentinel directly, I do know from years of consulting, that Microsoft has a lot of features and controls simply not turned on. I would personally consider reviewing your environment, understanding the needs and seeing if this solution is suited to your environment.
If you're interested in reading more in depth on Microsoft Security's presentation pieces, I suggest reading Chris Hayner's write up at this link. He does a brilliant job breaking it all down, and clarifying the acronyms.
If you want to watch all the videos from XFD7, see here, and take a moment to read my XFD7 discloser here.