Learn more about how you can utilise Microsoft Sentinel in your organisation with Dallas Silcock, Security Operations Centre Manager at AC3.
Transcript
"Hi, my name is Dallas Silcock, I'm the Security Operations Centre Manager here at AC3.
We've all heard about Microsoft Sentinel, but what is it? And can it benefit your business?
Sentinel is a cloud native Security Information Event Management, or SIEM as it's known, platform that provides security orchestration, automation, monitoring, and response activities across the enterprise.
Used as part of a managed cyber security service, Sentinel and AC3 can provide a single integrated view of an organisation’s security position, enabling organisations to detect, prevent and respond to security incidents more quickly and effectively than ever before.
From identifying sophisticated threats to responding to issues quickly, Sentinel offers several benefits to meet and satisfy your business's security needs, including:
Easy and fast to set up.
Automates threat detection and response.
Extensive data collection capabilities across a broad range of platforms and services, including all of the major hyperscalers.
Native integration across Microsoft's M365, O365 and Azure platforms.
Cost savings due to the OpEx PaaS model and no-cost ingest of many native sources.
Monitors key metrics from a central point.
Better orchestration via Workbooks.
In-depth threat hunting.
Effective alert organisation.
How does Sentinel work?
Sentinel collects logging data from multiple sources across the enterprise using built-in data connectors and stores the data inside Azure Monitor Log Analytics workspaces.
Sentinel then enriches the data using Microsoft's threat intelligence streams and AI, alongside in-built log correlation, to detect any suspicious, potentially suspicious, or compromising behaviour.
Should Sentinel find such behaviour, it will, in seconds, use automated orchestration to immediately commence containment and recovery actions to eradicate the threat or prevent it from becoming weaponised.
Why is it best placed in the market?
There are several benefits of using Sentinel over other SIEM platforms.
As a cloud native offering, there is no investment required for costly hardware or storage.
Sentinel also integrates natively with other Microsoft productivity and security products, including Microsoft 365 and Office 365, Defender for Identity and Cloud, and the Azure and Office 365 Security and Compliance Centres.
Native threat hunting capabilities are another advantage of Sentinel, making it easier for users to identify and respond to potential threats.
Security orchestration is included rather than extra, making Sentinel's overall pricing very competitive.
Why are organisations moving to Sentinel and how are they moving?
How easy is it?
The first time your security operations team logs into Sentinel they'll find it preloaded with in-built data connectors that make it easy to ingest data from across your organisation, along with a friendly and intuitive operational interface that makes the user experience friendly and well organised.
As for migrating to Sentinel, this is easy, thanks to its in-built data connectors and onboarding orchestration.
When migrating to Sentinel, SecOps teams start by ingesting their cloud native data such as Azure activity logs, Office 365 audit data, Defender logs, Azure Security Centre, cloud app security, and Azure information protection logs.
Once the foundational logs are ingested, SecOps teams begin translating existing detection rules from the old platform and mapping them into existing or new Sentinel rules, to ensure existing alerting and detection is being performed as it was in the previous SIEM.
Lastly, SecOps implement security orchestration that automates workflows that streamline both common and critical tasks as well as the execution of automated playbooks used to gather additional information or apply remedial action.
Once all three steps are complete, the old SIEM can be decommissioned, and the move to Sentinel will be complete."
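One way the rule-translation step described above can look in practice, as an added example that is not AC3's or Microsoft's own rule: a scheduled analytics rule query in KQL that flags an account whose burst of failed sign-ins is followed by a successful sign-in from one of the same IP addresses. It assumes the Azure AD sign-in diagnostics connector is enabled so that the SigninLogs table is populated; the lookback and threshold are constructed values to be tuned to your tenant's baseline.

```kql
// Added example, not AC3's or Microsoft's own rule. Intended to run as a
// Sentinel scheduled analytics rule (e.g. every hour, 1h lookback); each
// returned row becomes an alert. Assumes the SigninLogs table is connected.
let lookback = 1h;              // constructed value: rule query period
let failure_threshold = 10;     // constructed value: tune to your baseline
// Step 1: accounts with a burst of failed sign-ins inside the window.
// In SigninLogs, ResultType "0" is a success; any other code is a failure.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FailedIPs = make_set(IPAddress, 20),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
            by UserPrincipalName
    | where FailedCount >= failure_threshold;
// Step 2: successful sign-ins for any account in the same window.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName,
              SuccessTime = TimeGenerated,
              SuccessIP = IPAddress,
              AppDisplayName;
// Step 3: a success after the failure burst, from one of the failing IPs,
// is the pattern worth alerting on (brute force that eventually succeeded).
failures
| join kind=inner successes on UserPrincipalName
| where SuccessTime > LastFailure
| where set_has_element(FailedIPs, SuccessIP)
| project UserPrincipalName, FailedCount, FailedIPs, FirstFailure,
          LastFailure, SuccessTime, SuccessIP, AppDisplayName
```

In the rule's configuration, map the Account entity to UserPrincipalName and the IP entity to SuccessIP so that the alert carries the entities a playbook can act on.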