Roadmap to Achieving the Full Potential of Your Investment in Microsoft Sentinel

Widely regarded as one of the most effective solutions in the security information and event management (SIEM) space, Microsoft Sentinel was named a Leader in the 2022 Gartner Magic Quadrant for SIEM and positioned highest on the “Ability to Execute” axis. Microsoft Sentinel is built to provide the most holistic threat monitoring and detection platform available to stop breaches.  

However, even with leading innovations, Microsoft Sentinel can be a complex solution, requiring the right capabilities and know-how to optimize configuration, data consumption, and security operations. The results of getting it wrong can be dire, leading to inefficiencies that degrade effectiveness, or oversights that invite catastrophic failures. To meet customer needs for effective threat detection and response, Managed Detection and Response (MDR) providers have begun to emerge with solutions to optimize Microsoft Sentinel. Not all providers are created equal, however.  

Our new “Buyer’s Guide for MDR Services for Microsoft Sentinel” is an overview of how organizations can maximize the performance of Microsoft Sentinel through MDR services and evaluate MDR service providers. The Buyer’s Guide defines: 

  • The key requirements for delivering the most effective threat detection and response outcomes for Microsoft Sentinel 
  • The essential capabilities to look for in an MDR service provider 
  • And, as outlined below, critical questions to ask any prospective Microsoft Sentinel MDR service provider  

Shopping Around for an MDR Service Provider? Consider These Questions 

Not all MDR solutions providers are the same. To ensure the MDR partner you select has the foundation in place to help you get the most from your Microsoft Security products, make sure they have good answers to the following questions.  

What outcomes can I expect? 

Delivering an effective MDR solution is more than reducing alerts and creating response actions. Similar to metrics to measure success, improved security outcomes for the business and security investment are also critical. An MDR provider must also have an outcome-based approach focused on delivering value across areas critical to your organization: 

  • Actionable intelligence – How does the MDR provider deliver actionable views of attacks in progress with clear, step-by-step response guidance? 
  • Situational awareness – Does the MDR provider help my security teams gain situational awareness they can use, while mapping detection content to the MITRE ATT&CK framework? 
  • Risk-based decision-making – How does the MDR provider enable risk- based decision-making and improving attack coverage effectiveness? 
  • Align cybersecurity investment – Can the MDR provider deliver data and reporting that articulate the value of our MDR service to help you align cybersecurity investment with business outcomes?  

Do you treat all alerts equally? 

Many vendors practice alert suppression to reduce the overall volume of alerts while only focusing on alerts categorized as critical or high. And they may not even be able to effectively automate the process for closing these alerts. But here’s the real problem: Ransomware attacks can often register only a medium or low-priority alert. That’s why we use the Critical Start Zero Trust Analytics Platform™ (ZTAP ®) to investigate every alert. The Trusted Behavior Registry (TBR) within ZTAP is designed to eliminate false-positives at the scale by resolving known-good and safely trusted alerts.  

Do you offer Managed SIEM services?  

In many cases—especially where an organization has a small IT staff and budget—it makes sense to outsource the day-to-day administration of Microsoft Sentinel to a provider of Managed SIEM services. These specialized teams take responsibility for the back-end components and maintenance of your Microsoft Sentinel implementation. But again, not all Managed SIEM providers are created equal. If you’re considering engaging this kind of solution, be sure to confirm in advance that they deliver all the following: 

  • Management of software version updates. 
  • Application performance optimization. 
  • Ingest cost analysis to analyze billing versus ingest to ensure you are ingesting the right security data to get the most value. 
  • Relief from having to maintain software or keep up to date with accreditations. 
  • Ability to focus on other priorities, increasing the overall efficiency of your business. 
  • Reduction in overall costs through reduction in in-house requirements. 
  • Enhanced detection coverage and compliance posture. 

SLO or SLA? 

Read the fine print. Is your prospective MDR provider willing to put a Service Level Agreement (SLA) in black and white? If any MDR offering you consider won’t include an SLA in their contract, and simply wants to talk about abstract goals around managing risk as part of a Service Level Objective (SLO) clause, keep shopping.  

How extensive are your playbooks? 

An MDR vendor might have a playbook that details how to deal with an alert based on severity, but what about routing an alert to the right person to evaluate it? What about a playbook for resolution of alerts? And finally, can this entire process be automated to ensure alerts arrive at the most positive outcome in the most efficient manner possible? 

How to measure success 

When working with an MDR provider, if they have the right team, tools, methodology and process to protect your organization, then over 99 percent of security alerts should be resolved effectively. We’ve also found that many companies accept dwell times, or the time from when an incident is first detected to the final resolution, of 100 days or more. With the right MDR in place, we’ve found that dwell time should be 22 minutes on average. 

Ready to learn more? 

To learn how Critical Start MDR Services for Microsoft Sentinel can help you get the highest performance and protection, see our MDR for Microsoft Sentinel page or contact a Critical Start expert today.  


You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Join us at RSA Conference - booth #449 South!
This is default text for notification bar