Uplift the capability of your existing Enterprise SIEM with Azure Sentinel to address Cloud security gaps
Most organizations are at an early stage of improving log analysis and building a SIEM capability for their cloud-based workloads. The existing SIEM works well for on-prem, but organizations going digital are adopting public cloud technologies rapidly.
I want to discuss, based on our experience, how an on-prem SIEM (Security Information and Event Management) can co-exist with a modern cloud-native SIEM.
I am responsible for Cyber Platform Engineering at Adfolks LLC in Dubai. We are building a new approach to system monitoring and data collection called Opsbrew, an observability pipeline, which is a zero-code cloud-native platform built on highly standardized open-source components. It helps DevSecOps teams (in the modern world) or system administrators to seamlessly build and manage the data pipeline for the SOC and cyber team, given the volume of data and the number of tools modern systems demand these days.
We have been using Azure Sentinel for a few months now with our customers, and I must say it is delivering much value to them. The speed of releasing new functionality is also rather impressive. Most of our clients run a large “old-fashioned” IT estate across the Middle East, and for that they use a SOC managed by an external vendor, based either on Splunk or QRadar. But the customers already see that the information, actions and correlation provided by Sentinel are far superior to the “homegrown” Splunk/QRadar implementation. As you can imagine, at most of these customers there is still an internal battle ongoing about what to use in the future for on-prem environments, which will stay for a while. Still, they have chosen Sentinel as their modern SIEM and first line of defense for the cloud workloads. Of course, we helped these customers to use Sentinel to handle their on-prem environments as well, but, as said, the debates are still ongoing.
Azure Sentinel Design
Thank you, Adrian Grigorof, for the detailed explanation of Azure Sentinel.
As enterprises consume more cloud services, there is a strong need for a cloud-scale SIEM with the following features:
- SOAR (Security Orchestration and Auto-remediation) capability
- Collection of logs from SaaS, PaaS and IaaS
- Ingestion of logs from non-IT systems
- Effortless, infinite scale
- Continually maintained cloud and on-prem use cases, enhanced with ML
- No need to send cloud telemetry to a downstream SIEM
Here I categorize customers by SIEM maturity level, with a scenario for how each can adopt Azure Sentinel easily.
Explorer
Customers looking to procure a SIEM or renew their existing one. For them it is worth exploring Azure Sentinel, as it is future-proof for their cloud and digital enterprise journey and saves money on licence renewals.
Achiever
Customers who have procured an enterprise SIEM but have built only limited use cases and have no integrations for cloud workloads. Here we suggest exploring Azure Sentinel's SOAR capabilities and building more use cases for cloud and on-prem systems.
Master
Customers who have invested heavily in Splunk or QRadar licences, resources and SOC use cases. Here Sentinel can integrate through the Microsoft Graph Security API, ingesting Azure Sentinel alerts into Splunk or QRadar to address cloud security gaps while keeping the existing SIEM in place.
For the Master scenario, check the Microsoft blog for more details.
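The Master scenario pulls Azure Sentinel alerts out of the Microsoft Graph Security API and feeds them to the existing on-prem SIEM. The piece a forwarder has to get right is the normalization step: the JSON alert has to become one well-formed event the downstream collector can parse, and a multi-line description or a pipe in a title must not be able to break or forge a second event. The following is an added example written for this post, not Adfolks, Opsbrew or Microsoft code. It assumes the caller has already fetched a page from `GET https://graph.microsoft.com/v1.0/security/alerts` (authentication and `@odata.nextLink` paging are out of scope here) and renders each alert as a CEF line, the format both Splunk and QRadar accept over syslog. Field names follow the Graph Security API v1.0 alert resource; the sample response and every value in it are constructed, not captured from a tenant.

```python
"""Normalize Microsoft Graph Security API alerts into CEF lines for a
downstream SIEM (Splunk or QRadar).

Added example for this post; not Adfolks, Opsbrew or Microsoft code. Field
names follow the Graph Security API v1.0 alert resource. The sample below is
constructed, not captured from a real tenant.
"""
import json
from datetime import datetime, timezone

# Graph alertSeverity is an enum string; CEF wants an integer 0-10.
SEVERITY_MAP = {"unknown": 0, "informational": 1, "low": 3, "medium": 6, "high": 9}


def _esc_header(value: str) -> str:
    # CEF header fields: escape backslash and the pipe delimiter.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value: str) -> str:
    # CEF extension values: escape backslash, '=' and line breaks, so a
    # multi-line description cannot split into (or forge) a second event.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def _epoch_ms(iso: str) -> int:
    # Graph returns ISO 8601 with a trailing 'Z'; CEF 'rt' wants ms since epoch.
    dt = datetime.fromisoformat(iso.replace("Z", "+00:00"))
    return int(dt.astimezone(timezone.utc).timestamp() * 1000)


def alert_to_cef(alert: dict) -> str:
    """Render one Graph Security alert dict as a single CEF:0 line."""
    vendor = alert.get("vendorInformation") or {}
    header = "|".join([
        "CEF:0",
        _esc_header(vendor.get("vendor") or "Microsoft"),
        _esc_header(vendor.get("provider") or "Azure Sentinel"),
        _esc_header(vendor.get("providerVersion") or "1.0"),
        _esc_header(alert.get("category", "")),   # signature id: alert category
        _esc_header(alert.get("title", "")),
        str(SEVERITY_MAP.get(str(alert.get("severity", "unknown")).lower(), 0)),
    ])
    ext = {
        "externalId": alert.get("id", ""),
        "rt": _epoch_ms(alert["createdDateTime"]),
        "cat": alert.get("category", ""),
        "msg": alert.get("description", ""),
    }
    if alert.get("status"):
        ext["cs1Label"] = "status"
        ext["cs1"] = alert["status"]
    # userStates / hostStates are lists in the schema; take the first entry.
    users = alert.get("userStates") or []
    if users:
        ext["suser"] = users[0].get("userPrincipalName") or users[0].get("accountName", "")
    hosts = alert.get("hostStates") or []
    if hosts:
        ext["shost"] = hosts[0].get("fqdn", "")
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items() if v != "")
    return f"{header}|{extension}"


def parse_graph_alerts_response(body: str) -> list:
    """Turn the JSON body of GET /v1.0/security/alerts into CEF lines."""
    return [alert_to_cef(a) for a in json.loads(body).get("value", [])]


# Constructed sample response; the id, user and host are made up.
SAMPLE_RESPONSE = json.dumps({
    "value": [{
        "id": "2518268485253060642_9b1a2c3d",
        "title": "Suspicious sign-in | multiple failures",
        "category": "CredentialAccess",
        "severity": "high",
        "status": "newAlert",
        "createdDateTime": "2020-06-01T10:15:30Z",
        "description": "Multiple failed sign-ins followed by success\nfrom an unfamiliar location. key=value",
        "vendorInformation": {"provider": "Azure Sentinel", "vendor": "Microsoft", "providerVersion": "1.0"},
        "userStates": [{"userPrincipalName": "alice@example.com", "accountName": "alice"}],
        "hostStates": [{"fqdn": "ws01.example.com"}],
    }]
})

if __name__ == "__main__":
    for line in parse_graph_alerts_response(SAMPLE_RESPONSE):
        print(line)   # in a real forwarder this goes to the syslog/CEF collector
```

The escaping in `_esc_header` and `_esc_ext` is the part worth keeping even if the rest is replaced by a vendor connector: the sample title contains a `|` and the description contains a newline and an `=`, and the output is still one event with the right number of header fields. Anything else in the alert (source materials, the full user and host lists) can be added as further `csN`/`cnN` extension pairs as the downstream use cases require.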