{"id":38235,"date":"2020-11-17T17:00:30","date_gmt":"2020-11-17T17:00:30","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=92195"},"modified":"2020-11-17T17:00:30","modified_gmt":"2020-11-17T17:00:30","slug":"key-layers-for-developing-a-smarter-soc-with-cyberproof-managed-microsoft-azure-security-services","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/key-layers-for-developing-a-smarter-soc-with-cyberproof-managed-microsoft-azure-security-services\/","title":{"rendered":"Key layers for developing a Smarter SOC with CyberProof-managed Microsoft Azure security services"},"content":{"rendered":"
<\/div>\n

This blog post is part of the Microsoft Intelligent Security Association (MISA) <\/em>guest blog series<\/em><\/a>. Learn more about MISA here<\/a><\/em>. <\/em> <\/em><\/p>\n

Security teams are struggling to reduce the time to detect and respond to threats due to the complexity and volume of alerts being generated from multiple security technologies.<\/p>\n

With more workloads being migrated to the cloud, this brings an additional perimeter, which requires constant vigilance for early signs of a cyber-attack. New security challenges also emerge due to its elastic nature and the constant provisioning of new services.<\/p>\n

How CyberProof is working with Microsoft to solve these challenges<\/h2>\n

CyberProof partnered with Microsoft to provide customers with cloud-scalable security monitoring, detection, and response services across the endpoint, network, identities, SaaS applications, and Azure cloud infrastructure.<\/p>\n

With the CyberProof Defense Center (CDC) service delivery platform pre-integrated with Microsoft\u2019s cloud-native SIEM, Azure Sentinel, CyberProof\u2019s built-in virtual analyst, SeeMo, automates up to 80 percent of tier one and two activities such as monitoring, enrichment, incident handling, and remediation. This frees up your team to focus on the most critical business issues.<\/p>\n

Key Layers to Building a Smarter SOC<\/h2>\n

We recommend that security operations center teams implement the following three key layers of a Smarter Security Operations Center (SOC) architecture when looking to generate continuous value from your Azure security stack with managed security services.<\/p>\n

Each layer includes the integrations between Microsoft and CyberProof that help facilitate this architecture. For more information, check out our on-demand webinar<\/a>\u2014which we ran in collaboration with Microsoft\u2019s Chief Security Advisor EMEA, Cyril Voisin.<\/p>\n

1. Data collection and integration layer\u2014enrichment of security data from multiple sources<\/h3>\n

This is particularly useful for enterprise-grade SOCs that collect and parse relevant data from multiple business units before going into a data lake. Organizing and classifying all of this data will save time and money when you start introducing integration and automation technologies, as the information will already be structured in an optimum way. Here\u2019s how log collection, normalization, and analysis work:<\/p>\n

    \n
  1. Integration<\/strong>: An organization identifies the assets, tools, technologies, and applications that need to be integrated.<\/li>\n
  2. Data normalization<\/strong>: Enterprise SOCs need to parse data before it enters the data lake\u2014to tag and filter it\u2014so the right information is being fed into the SOC in the most efficient way.<\/li>\n
  3. Data collection and<\/strong> analysis<\/strong>: Using a solution such as Microsoft\u2019s Azure Monitor Log Analytics and scalable storage such as Azure Data Lake, terabytes of data can be ingested in order to query and manage at scale. Machine learning can be used for the identification of anomalies and monitoring whether log sources are operating correctly, as well as to support threat hunting.<\/li>\n<\/ol>\n

    At CyberProof, we leverage Azure Monitor Log Analytics and CyberProof Log Collection (CLC) SaaS technology to pull logs from all sources of data. These include a customer\u2019s existing Microsoft investments\u2014including on-premises, SaaS, and Azure assets\u2014and existing Microsoft security controls that generate alerts across identities, endpoints, data, and email, and cloud apps.<\/p>\n

    2. Security analytics layer\u2014generating contextual alerts and minimizing false positives<\/h3>\n

    The traditional on-premises SIEM architecture has limited scalability\u2014such as, infrastructure costs are incurred up-front, based on peak requirements rather than on-demand provisioning that scales with current demand and growth over time. Also, effectively mapping logs from all ecosystems can be a time-consuming endeavor when having to correlate rules and create clear reporting.<\/p>\n

    The world of security data collection has evolved. It is no longer a single query or rule that triggers the discovery of an incident. Typically, security monitoring identifies the proverbial \u201cneedle in the haystack\u201d\u2014and to do this type of threat detection requires broad visibility across the enterprise. This requires more processing power and data collection, in order to establish what the baseline really looks like. These are attributes are best accomplished by implementing security in the cloud.<\/p>\n

    That\u2019s where Azure Sentinel comes in, supplying correlation and analytics rules and filtering massive volumes of events to obtain high-context alerts. Azure Sentinel uses machine learning to proactively find anomalies hidden within acceptable user behavior and generate alerts.<\/p>\n

    Microsoft Azure Sentinel is fully integrated with CyberProof CDC platform, so customers can work from a single console to manage high-context alerts, carry out investigations, and handle incidents.<\/p>\n

    3. Orchestration, automation, and collaboration layer\u2014facilitating faster threat detection and response<\/h3>\n

    Forrester\u2019s recent assessment of midsized MSSPs<\/a> notes that orchestration and security automation plays a vital role for overburdened SOC staff.<\/p>\n

    By automating tier one and two activities like monitoring, enrichment, investigation, and incident handling, our CDC platform takes much of the strain out of the process. Essentially, the CDC platform provides our IP as a service\u2014helping customers avoid the expenditure necessary to develop their own IP for a next-generation SOC.<\/p>\n

    The CDC platform gives customers a \u201csingle pane of glass\u201d view from which to manage high context alerts, incidents, and report generation for stakeholders. It integrates the functionality of Azure Sentinel as well as other security investments.<\/p>\n

    The CDC platform\u2019s benefits include:<\/p>\n