Posted on February 12, 2024
Cyber attackers thrive on system vulnerabilities and can exploit organisations with alarming efficiency. Findings from Microsoft reveal that 93% of attacks result from poor privilege controls, 68% of victims lack proper patching, and it takes less than 2 hours for an attacker to begin moving laterally once a device is compromised.
Further, many organisations find themselves drowning in security alerts from disparate systems, making it hard to identify genuine threats amongst the noise. Fortunately, Microsoft Sentinel, a cloud-native SIEM (Security Information and Event Management) platform, tackles the deluge of security alerts through a single unified platform. Its comprehensive security features also introduce automation into the mix, speeding up your ability to stop attackers in their tracks.
But, as our latest webinar highlights, the devil is in the details when it comes to optimising Microsoft Sentinel configurations and maximising this security investment. Read on to see four key takeaways from the webinar and discover how Atech (a globally-recognised Microsoft MISA partner) can help you achieve your security goals while driving down costs.
1. How Microsoft Sentinel tames the security data deluge
Karim Farad (Security and Productivity technical specialist at Microsoft) introduced Microsoft Sentinel in the context of security teams struggling to make sense of terabytes of security data, a problem compounded by the introduction of BYOD and increasingly sophisticated cyber attack methods.
He demonstrated how Microsoft Sentinel tackles the security data deluge in six key ways:
- Unifying logs: Unite your security data, regardless of source, into Microsoft Sentinel’s centralised dashboard.
- Detection rules: Deploy pre-built templates or custom detection rules to reduce alert fatigue.
- Dynamic incident graphs: Visualise the scope and direction of an attack to help you break the kill chain faster.
- Automating defences: Eliminate common threats and contain incidents through automated rules (known as ‘Azure functions’ or ‘playbooks’).
- Threat hunting: Proactively threat hunt with custom KQL queries to minimise your attack surface.
- Content hub: Share automation rules and benefit from the collective expertise of the cybersecurity community.
2. Microsoft Sentinel configuration best practices
James Pearse (Atech Head of Security) showed viewers Atech’s best practices for laying the technical foundations of optimum Microsoft Sentinel deployment.
Here are some essential points to consider:
- Protect the ‘crown jewels’: Prioritise data ingestion for your ‘crown jewels.’ These are your critical assets that maintain business continuity.
- Streamline security event handling: Assign SOC responsibilities for incident assessment, response workflows and evaluating Microsoft Sentinel performance as your infrastructure evolves.
- Cut out the extra ‘noise’: Use Microsoft’s new Azure Monitor Agent (AMA) to separate intrusion attempt data from low-priority events (such as firewall logs), storing the latter in separate, basic log workspaces. This enables you to hold onto everything for compliance and investigative purposes without wasting money processing less relevant data in expensive analytics stores. Additionally, consider filtering data before sending it to Microsoft Sentinel to help you reduce costs.
- Automate security tasks: Leverage the power of Security Orchestration, Automation, and Response (SOAR) to automate everyday security tasks. We’ve created our own set of automation rules and playbooks to share amongst our client base, ensuring everyone gains from our Microsoft Sentinel expertise.
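Before you can decide which sources belong in a basic log tier or should be filtered before ingestion, you need to know which tables are driving your bill. The KQL query below is an added example, not part of the webinar or Atech’s material; it runs against the standard Usage table of any Log Analytics workspace and assumes nothing about your specific table names.

```kql
// Rank tables in the workspace by billable ingestion over the last 30 days.
// The Usage table reports Quantity in MB per DataType (table name); IsBillable
// separates free-tier data (e.g. the per-user allowance) from what you pay for.
let lookback = 30d;
let billable = Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true;
// Total billable volume, used to express each table as a share of the whole.
let totalGB = toscalar(billable | summarize sum(Quantity) / 1024.0);
billable
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 2) by DataType
| extend ShareOfTotalPct = round(100.0 * IngestedGB / totalGB, 1)
| order by IngestedGB desc
| take 10
```

Tables that dominate the result but rarely feed detection rules (firewall or flow logs are the usual suspects) are the candidates for a basic log tier or a data collection rule transform that drops low-value rows before they reach the analytics store.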
3. Take advantage of the free ingestion cap included in your existing Microsoft agreement
James and Karim explained that your existing Microsoft 365 license (A5, E5, F5, G5) includes 5MB per user per day of free data ingestion for Microsoft Sentinel across various data sources. And, if you use Defender for Cloud to protect Azure servers, this ingestion limit increases to 500MB daily. Built-in Microsoft Sentinel workbooks also allow you to track your savings by visualising how you utilise these free tiers so you can scale up if needed.
James highlighted a case study: Atech helped a company cut £118,000 annually from its security budget by tiering its logs and filtering firewall logs. Imagine the savings we could help you unlock, too!
4. Trust Atech to supercharge your Microsoft Sentinel deployment
Finally, James unveiled Atech’s USP in the cybersecurity space. We’re a trusted MSSP and Microsoft Intelligent Security Association (MISA) member, giving us exclusive access to funding and programmes designed to boost your Microsoft Sentinel deployment.
Our tailored Atech Assessments and Microsoft-led Engagements help you understand your needs and budget constraints and provide a clear roadmap towards cybersecurity excellence. Our Managed SOC offering also deploys Microsoft Sentinel to provide affordable 24/7 protection. If you would like to find out more, get in touch with us now.