SEIM-Microsoft Sentinel.pptx

  1. Microsoft Sentinel Presentation For Cloud SIEM Solution
  2. SIEM Defined

     Security information and event management, SIEM for short, is a solution that helps organizations detect, analyze, and respond to security threats before they harm business operations. SIEM, pronounced “sim,” combines both security information management (SIM) and security event management (SEM) into one security management system. SIEM technology collects event log data from a range of sources, identifies activity that deviates from the norm with real-time analysis, and takes appropriate action. In short, SIEM gives organizations visibility into activity within their network so they can respond swiftly to potential cyberattacks and meet compliance requirements.

     How do SIEM tools work? SIEM tools collect, aggregate, and analyze volumes of data from an organization’s applications, devices, servers, and users in real time so security teams can detect and block attacks. SIEM tools use predetermined rules to help security teams define threats and generate alerts.

     SIEM capabilities and use cases. SIEM systems vary in their capabilities but generally offer these core functions:
     • Log management: SIEM systems gather vast amounts of data in one place, organize it, and then determine if it shows signs of a threat, attack, or breach.
     • Event correlation: The data is then sorted to identify relationships and patterns to quickly detect and respond to potential threats.
     • Incident monitoring and response: SIEM technology monitors security incidents across an organization’s network and provides alerts and audits of all activity related to an incident.

     Benefits of using a SIEM. SIEM tools offer many benefits that can help strengthen an organization’s overall security posture, including:
     • A central view of potential threats
     • Real-time threat identification and response
     • Advanced threat intelligence
     • Regulatory compliance auditing and reporting
     • Greater transparency monitoring users, applications, and devices
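The three core functions on this slide (log management, event correlation, alerting) can be shown end to end in a few dozen lines. The following is an added example, not code from the slide deck or from Microsoft: it normalizes two constructed log feeds (sshd syslog lines and one CEF firewall record) into a common event schema, then runs a correlation rule that alerts when a burst of failed logons from one source is followed by a success, enriching the alert with earlier firewall denies from the same address. The source names, field names, threshold, window and sample addresses are all assumptions.

```python
# Added example, not from the slide deck: a miniature SIEM pipeline.
# Two constructed log feeds (syslog-style sshd lines and a CEF firewall line)
# are normalized into a common event schema, then a correlation rule looks
# for a burst of failed logons followed by a success from the same source.
# Source names, field names, thresholds and the sample IPs are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (RFC 5737 documentation addresses, not real hosts).
SYSLOG_LINES = [
    "2024-03-01T08:50:00Z sshd[100]: Failed password for admin from 203.0.113.7 port 4999",
    "2024-03-01T09:00:01Z sshd[101]: Failed password for admin from 203.0.113.7 port 5001",
    "2024-03-01T09:00:03Z sshd[101]: Failed password for admin from 203.0.113.7 port 5002",
    "2024-03-01T09:00:05Z sshd[101]: Failed password for admin from 203.0.113.7 port 5003",
    "2024-03-01T09:00:09Z sshd[101]: Accepted password for admin from 203.0.113.7 port 5004",
    "2024-03-01T09:10:00Z sshd[102]: Failed password for bob from 198.51.100.5 port 6001",
    "2024-03-01T09:20:00Z sshd[102]: Accepted password for bob from 198.51.100.5 port 6002",
]
CEF_LINES = [
    "CEF:0|ExampleFW|NGFW|1.0|100|Denied connection|5|src=203.0.113.7 dst=10.0.0.12 dpt=22 rt=2024-03-01T08:59:50Z",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def _ts(value):
    # Parse an ISO-8601 UTC timestamp; the trailing Z is rewritten for older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_syslog(line):
    """Normalize one sshd syslog line; returns None for lines the rule ignores."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {
        "time": _ts(m["ts"]), "source": "syslog",
        "action": "logon_failed" if m["result"] == "Failed" else "logon_success",
        "user": m["user"], "src_ip": m["src"],
    }


def parse_cef(line):
    """Normalize one CEF record (7 pipe-separated header fields, then key=value extensions)."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    ext = dict(kv.split("=", 1) for kv in parts[7].split())
    return {"time": _ts(ext["rt"]), "source": "cef", "action": "network_denied",
            "user": None, "src_ip": ext.get("src")}


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when >= threshold failed logons from one source precede a success within the window."""
    alerts = []
    failures = defaultdict(list)   # src_ip -> times of failed logons
    denies = defaultdict(int)      # src_ip -> earlier firewall denies (used as enrichment)
    for e in sorted(events, key=lambda ev: ev["time"]):
        ip = e["src_ip"]
        if e["action"] == "network_denied":
            denies[ip] += 1
        elif e["action"] == "logon_failed":
            failures[ip].append(e["time"])
        elif e["action"] == "logon_success":
            recent = [t for t in failures[ip] if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "BruteForceThenSuccess", "time": e["time"], "src_ip": ip,
                               "user": e["user"], "failed_attempts": len(recent),
                               "prior_firewall_denies": denies[ip]})
    return alerts


def run_pipeline():
    """Collect both feeds, normalize them, and return the alerts the rule produces."""
    events = [ev for ev in map(parse_syslog, SYSLOG_LINES) if ev]
    events += [ev for ev in map(parse_cef, CEF_LINES) if ev]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

Only the admin logon produces an alert: the 08:50 failure falls outside the five-minute window, so three attempts are counted, and the firewall deny from the same address is attached to the alert. Bob's single failure followed by a success stays below the threshold.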
  3. How it works (architecture diagram): Collect (Microsoft services; apps, users, infrastructure; public clouds; security solutions) → Data ingestion, data repository, data search (Azure Monitor) → Visibility (dashboard); Analyze and detect (machine learning, UEBA); Investigate and hunt (pre-defined queries, Azure Notebook); Automate and orchestrate (response playbooks, enrichment) → Integrate (ServiceNow, other tools, community)
  4. Microsoft Sentinel: Optimize security operations with cloud-native SIEM powered by AI and automation. Microsoft Sentinel capabilities:
     • Collect data at cloud scale
     • Stay ahead of threats
     • Streamline investigation with incident insights
     • Accelerate response and save time by automating common tasks
  5. Collect data at cloud scale Easily connect your logs with Microsoft Sentinel using built-in data connectors— across all users, devices, apps, and infrastructure—on-premises and in multiple clouds.
  6. After you onboard Microsoft Sentinel into your workspace, you can use data connectors to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many out of the box connectors for Microsoft services, which you can integrate in real time. For example, the Microsoft 365 Defender connector is a service-to-service connector that integrates data from Office 365, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. You can also enable built-in connectors to the broader security ecosystem for non-Microsoft products. For example, you can
  7. Stay ahead of threats Gain more contextual and behavioral information for threat hunting, investigation, and response using built-in entity behavioral analytics and machine learning. Identifying threats inside your organization and their potential impact - whether a compromised entity or a malicious insider - has always been a time-consuming and labor-intensive process. Sifting through alerts, connecting the dots, and active hunting all add up to massive amounts of time and effort expended with minimal returns, and the possibility of sophisticated threats simply evading discovery. Particularly elusive threats like zero-day, targeted, and advanced persistent threats can be the most dangerous to your organization, making their detection all the more critical. The UEBA capability in Microsoft Sentinel eliminates the drudgery from your analysts’ workloads and the uncertainty from their efforts, and delivers high-fidelity, actionable intelligence, so they can focus on investigation and remediation.
  8. Streamline investigation with incident insights Visualize full scope of an attack, investigate related alerts, and search historical data. When you come across a user account, a hostname / IP address, or an Azure resource in an incident investigation, you may decide you want to know more about it. For example, you might want to know its activity history, whether it's appeared in other alerts or incidents, whether it's done anything unexpected or out of character, and so on. In short, you want information that can help you determine what sort of threat these entities represent and guide your investigation accordingly.
  9. Streamline investigation with incident insights. The Timeline: The timeline is a major part of the contribution of behavior analytics in Microsoft Sentinel. It presents a story about entity-related events, helping you understand the entity's activity within a specific time frame.
  10. Accelerate response and save time by automating common tasks. Triage incidents rapidly with automation rules and automate workflows with built-in playbooks, increasing security operations center (SOC) efficiency.

      Microsoft Sentinel as a SOAR solution. The problem: SIEM/SOC teams are typically inundated with security alerts and incidents on a regular basis, at volumes so large that available personnel are overwhelmed. This results all too often in situations where many alerts are ignored and many incidents aren't investigated, leaving the organization vulnerable to attacks that go unnoticed.
  11. Accelerate response and save time by automating common tasks. The solution: Microsoft Sentinel, in addition to being a Security Information and Event Management (SIEM) system, is also a platform for Security Orchestration, Automation, and Response (SOAR). One of its primary purposes is to automate any recurring and predictable enrichment, response, and remediation tasks that are the responsibility of your Security Operations Center and personnel (SOC/SecOps), freeing up time and resources for more in-depth investigation of, and hunting for, advanced threats. Automation takes a few different forms in Microsoft Sentinel, from automation rules that centrally manage the automation of incident handling and response, to playbooks that run predetermined sequences of actions to provide powerful and flexible advanced automation to your threat response tasks.

      A- Automation rules: Automation rules allow users to centrally manage the automation of incident handling. Besides assigning playbooks to incidents and alerts, they let you automate responses for multiple analytics rules at once; automatically tag, assign, or close incidents without the need for playbooks; create lists of tasks for your analysts to perform when triaging, investigating, and remediating incidents; and control the order in which actions are executed. This capability enables complex workflows for your incident orchestration processes.

      B- Playbooks: A playbook is a collection of response and remediation actions and logic that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response.
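The distinction the slide draws (automation rules that match an incident and tag, assign, close, add analyst tasks or hand off to a playbook, in a controlled order) is easiest to see in a small rule evaluator. The following is an added example, not code from the slide deck or from Microsoft's product: the incident fields, condition names, action names, sample rules and sample incidents are all assumptions chosen to illustrate how rule ordering changes the outcome.

```python
# Added example, not from the slide deck or from Microsoft: a toy automation-rule
# evaluator. Rules run in ascending order; each rule's conditions must all hold;
# its actions then tag, assign, close, add analyst tasks or record a playbook to run.
# Field names, condition keys, action names and the sample data are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Incident:
    id: str
    title: str
    severity: str
    tactics: List[str]
    tags: List[str] = field(default_factory=list)
    tasks: List[str] = field(default_factory=list)
    playbooks_run: List[str] = field(default_factory=list)
    owner: Optional[str] = None
    status: str = "New"
    close_reason: Optional[str] = None


@dataclass
class AutomationRule:
    name: str
    order: int                       # lower values run first
    conditions: dict                 # every listed condition must hold
    actions: List[Tuple[str, str]]   # executed in the listed order


def matches(rule: AutomationRule, inc: Incident) -> bool:
    """True when every condition of the rule holds for the incident."""
    c = rule.conditions
    if "severity_at_least" in c and SEVERITY_RANK[inc.severity] < SEVERITY_RANK[c["severity_at_least"]]:
        return False
    if "title_contains" in c and c["title_contains"].lower() not in inc.title.lower():
        return False
    if "tactics_any" in c and not set(c["tactics_any"]) & set(inc.tactics):
        return False
    if "status_is" in c and inc.status != c["status_is"]:
        return False
    return True


def apply_rules(rules: List[AutomationRule], inc: Incident) -> Incident:
    """Run matching rules against the incident in order and apply their actions."""
    for rule in sorted(rules, key=lambda r: r.order):
        if not matches(rule, inc):
            continue
        for action, value in rule.actions:
            if action == "add_tag":
                inc.tags.append(value)
            elif action == "assign_owner":
                inc.owner = value
            elif action == "add_task":
                inc.tasks.append(value)
            elif action == "run_playbook":
                inc.playbooks_run.append(value)   # stands in for invoking a playbook
            elif action == "close":
                inc.status, inc.close_reason = "Closed", value
            else:
                raise ValueError(f"unknown action {action!r} in rule {rule.name!r}")
    return inc


# Constructed sample rules. Rule 1 runs first so that known scanner noise is
# closed before the escalation rule (which only applies to incidents still "New").
SAMPLE_RULES = [
    AutomationRule("Close authorized scanner noise", 1,
                   {"title_contains": "authorized vulnerability scan"},
                   [("add_tag", "benign"), ("close", "BenignPositive")]),
    AutomationRule("Escalate credential access", 2,
                   {"severity_at_least": "High", "tactics_any": ["CredentialAccess"], "status_is": "New"},
                   [("add_tag", "tier2"), ("assign_owner", "soc-tier2"),
                    ("add_task", "Confirm whether the targeted account has MFA enforced"),
                    ("run_playbook", "Enrich-Source-IP")]),
]


def triage(inc: Incident) -> Incident:
    """Apply the sample rule set to one incident."""
    return apply_rules(SAMPLE_RULES, inc)


if __name__ == "__main__":
    print(triage(Incident("inc-1", "Brute force followed by success", "High", ["CredentialAccess"])))
```

Because rule 1 closes the scanner incident before rule 2 runs, and rule 2 is conditioned on the incident still being new, the same high-severity credential-access incident is either escalated or closed depending only on its title; reversing the `order` values would escalate the scanner noise as well, which is the point of the "control the order of actions" bullet on the slide.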
  12. “Microsoft roars into the security analytics market… The vendor’s entry into the security analytics space captivated security buyers. Microsoft’s bold move to allow the ingestion of Microsoft Azure and Microsoft Office 365 activity logs into Sentinel at no cost makes the solution attractive to enterprises invested in Azure and Microsoft 365.” - The Forrester Wave™: Security Analytics Platforms, Q4 2022 report The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
  13. An end-to-end solution for security operations
  14. Visibility
  15. Collect security data at cloud scale from any source
      • Azure + Microsoft 365: security alerts, activity data
      • Data collectors: CEF, Syslog, Windows, Linux
      • TAXII + Microsoft Graph: threat indicators
      • APIs: custom logs
      Proven log platform with more than 10 petabytes of daily ingestion
  16. Integrate out-of-the-box with your existing tools in Azure, on-premises, or in other clouds 150+ out-of-the-box integrations, with more on the way
  17. Get interactive dashboards for powerful insights
      • Choose from a gallery of workbooks
      • Customize or create your own workbooks using queries
      • Take advantage of rich visualization options
      • Gain insight into one or more data sources
  18. Analytics
  19. Leverage extensive library of detections or build your own
      • Choose from more than 100 built-in analytics rules
      • Correlate events with your threat intelligence and now with Microsoft URL intelligence + network data
  20. Improve insider and unknown threat detection with User and Entity Behavior Analytics
      • Use behavioral insights to detect anomalies, understand the relative sensitivity of entities, and evaluate potential impact
      • Get baseline behavioral profiles of entities across time and peer group horizons
      Powered by the proven Microsoft User and Entity Behavior Analytics (UEBA) engine
  21. Behavior Analytics. What is User and Entity Behavior Analytics (UEBA)? As Microsoft Sentinel collects logs and alerts from all of its connected data sources, it analyzes them and builds baseline behavioral profiles of your organization’s entities (such as users, hosts, IP addresses, and applications) across time and peer group horizon. Using a variety of techniques and machine learning capabilities, Microsoft Sentinel can then identify anomalous activity and help you determine if an asset has been compromised. Not only that, but it can also figure out the relative sensitivity of particular assets, identify peer groups of assets, and evaluate the potential impact of any given compromised asset (its “blast radius”). Armed with this information, you can effectively prioritize your investigation and incident handling. (Figure: UEBA analytics architecture)
  22. Behavior Analytics. Security-driven analytics: Inspired by Gartner’s paradigm for UEBA solutions, Microsoft Sentinel provides an "outside-in" approach, based on three frames of reference:
      • Use cases: By prioritizing for relevant attack vectors and scenarios based on security research aligned with the MITRE ATT&CK framework of tactics, techniques, and sub-techniques that puts various entities as victims, perpetrators, or pivot points in the kill chain, Microsoft Sentinel focuses specifically on the most valuable logs each data source can provide.
      • Data sources: While first and foremost supporting Azure data sources, Microsoft Sentinel thoughtfully selects third-party data sources to provide data that matches our threat scenarios.
      • Analytics: Using various machine learning (ML) algorithms, Microsoft Sentinel identifies anomalous activities and presents evidence clearly and concisely in the form of contextual enrichments, some examples of which appear below.
  23. Behavior Analytics. Microsoft Sentinel presents artifacts that help your security analysts get a clear understanding of anomalous activities in context, and in comparison with the user's baseline profile. Actions performed by a user (or a host, or an address) are evaluated contextually, where a "true" outcome indicates an identified anomaly:
      • across geographical locations, devices, and environments;
      • across time and frequency horizons (compared to the user's own history);
      • as compared to peers' behavior;
      • as compared to the organization's behavior.

      The user entity information that Microsoft Sentinel uses to build its user profiles comes from your Azure Active Directory. When you enable UEBA, it synchronizes your Azure Active Directory with Microsoft Sentinel, storing the information in an internal database visible through the IdentityInfo table in Log Analytics.

      Scoring: Each activity is scored with an “Investigation Priority Score”, which determines the probability of a specific user performing a specific activity, based on behavioral learning of the user and their peers. Activities identified as the most abnormal receive the highest scores (on a scale of 0-10).
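The four frames of reference on this slide (the user's own history, peers, the organization, and time) and the 0-10 score can be illustrated with a deliberately simplified model. The following is an added example, not code from the slide deck and not Microsoft's scoring algorithm: it builds per-user, peer-group and organization-wide baselines from constructed sign-in history, evaluates one new activity against each frame (a True flag marks an identified anomaly, as the slide describes), and folds the flags into a weighted 0-10 priority score. The field names, the use of department as the peer group, the weights and the sample data are all assumptions; the real Investigation Priority Score is produced by Microsoft's learned models, not by fixed weights.

```python
# Added example, not from the slide deck or from Microsoft: a simplified stand-in
# for entity behavior analytics. It builds per-user, peer-group and organization
# baselines from constructed sign-in history, evaluates a new activity against
# each frame of reference (a True flag marks an identified anomaly), and folds the
# flags into a 0-10 priority score. Weights, field names and the data are
# assumptions; the real Investigation Priority Score uses Microsoft's own models.
from collections import defaultdict

# Constructed sign-in history; "dept" stands in for the peer group.
HISTORY = [
    {"user": "alice", "dept": "sales", "country": "US", "device": "LAPTOP-A1", "hour": 9},
    {"user": "alice", "dept": "sales", "country": "US", "device": "LAPTOP-A1", "hour": 10},
    {"user": "alice", "dept": "sales", "country": "US", "device": "LAPTOP-A1", "hour": 14},
    {"user": "alice", "dept": "sales", "country": "US", "device": "PHONE-A1",  "hour": 17},
    {"user": "bob",   "dept": "sales", "country": "US", "device": "LAPTOP-B1", "hour": 8},
    {"user": "bob",   "dept": "sales", "country": "DE", "device": "LAPTOP-B1", "hour": 11},
    {"user": "carol", "dept": "eng",   "country": "US", "device": "LAPTOP-C1", "hour": 22},
]

# Assumed weights; they sum to 10 so the score lands directly on the 0-10 scale.
WEIGHTS = {
    "new_country_for_user": 3,
    "new_country_for_peers": 2,
    "new_country_for_org": 1,
    "unusual_hour_for_user": 2,
    "new_device_for_user": 2,
}


def build_profiles(history):
    """Return (user_profiles, peer_profiles, org_countries) learned from past activity."""
    users = defaultdict(lambda: {"dept": None, "countries": set(), "devices": set(), "hours": set()})
    peers = defaultdict(set)   # dept -> countries seen across the whole peer group
    org = set()                # countries seen anywhere in the organization
    for r in history:
        u = users[r["user"]]
        u["dept"] = r["dept"]
        u["countries"].add(r["country"])
        u["devices"].add(r["device"])
        u["hours"].add(r["hour"])
        peers[r["dept"]].add(r["country"])
        org.add(r["country"])
    return users, peers, org


def evaluate(activity, profiles):
    """Flag each frame of reference for one activity and compute its 0-10 priority score."""
    users, peers, org = profiles
    u = users[activity["user"]]
    flags = {
        "new_country_for_user": activity["country"] not in u["countries"],
        "new_country_for_peers": activity["country"] not in peers[u["dept"]],
        "new_country_for_org": activity["country"] not in org,
        "unusual_hour_for_user": activity["hour"] not in u["hours"],
        "new_device_for_user": activity["device"] not in u["devices"],
    }
    raw = sum(WEIGHTS[name] for name, hit in flags.items() if hit)
    score = round(10 * raw / sum(WEIGHTS.values()), 1)
    return {"flags": flags, "score": score}


PROFILES = build_profiles(HISTORY)


def score_activity(activity):
    """Score one activity against the baselines built from HISTORY."""
    return evaluate(activity, PROFILES)


if __name__ == "__main__":
    print(score_activity({"user": "alice", "country": "RU", "device": "UNKNOWN", "hour": 3}))
```

The peer frame is what separates this from a per-user rule: a sign-in by alice from DE is new for her (flag True) but not for her peer group, because bob has signed in from DE, so it scores 3 rather than the 10 that an unknown device, country and hour together produce.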
  24. Hunting
  25. Start hunting over security data with fast, flexible queries
      • Run built-in threat hunting queries—no prior query experience required
      • Integrate hunting and investigations
  26. Intelligence
  27. Monitor and manage threat intelligence
      • Create, view, search, filter, sort, and tag all your threat indicators in a single pane
      • Use alert metrics to help understand top threats targeting your organization
      • Use automation playbooks for leading threat intelligence providers to enrich alerts
  28. Use Watchlists to integrate business insights
      • Create collections of data for threat hunting and detection (e.g. restricted IPs, trusted systems, critical assets, risky users, vulnerable hosts)
  29. Incidents
  30. Visualize the entire attack to determine scope and impact
      • Navigate the relationships between related alerts, bookmarks, and entities
      • Expand the scope using exploration queries
      • Gain deep insights into related entities—users, domains, and more
      80% reduction in investigation effort compared to legacy SIEMs¹
  31. Automation
  32. Respond rapidly with built-in orchestration and automation. Build automated and scalable playbooks that integrate across tools:
      • Security products
      • Ticketing systems (ServiceNow)
      • Additional tools
  33. Automate and orchestrate security operations using integrated Azure Logic Apps
      • Build automated and scalable playbooks that integrate across tools
      • Choose from a library of samples
      • Create your own playbooks using 200+ built-in connectors
      • Trigger a playbook from an alert or incident investigation
  34. Thank you
