Last week, we talked about how the democratization of security permissions and access can make life easier. In particular, we discussed how Microsoft Azure Active Directory (AAD) simplifies user onboarding. There is a second component to the democratization of security that takes this streamlining further. By taking a new approach to how Security Information and Event Management (SIEM) content is managed, rather than focusing only on the content itself, we can bring transparency and simplicity to another part of SIEM.
Let's first simplify terminology, because democratization starts with the words we use. Microsoft, the security community, and vendors talk about use cases, Indicators of Compromise (IOCs), detections, hunting queries, and exploration queries: many different names for ways of finding threats. Analytic rules give us one category for all of these variations on how to detect bad actors. Their chief improvement is that they let us define, in one place, both the custom detections we write ourselves and the detections Microsoft provides to identify multistage attacks, correlating evidence from multiple tools into a single incident that is investigated the same way each time. The multistage detections Microsoft ships with Azure Sentinel (the Fusion rule type) include scenarios such as:
- Anomalous login leading to O365 mailbox exfiltration
- Anomalous login leading to suspicious cloud app administrative activity
- Anomalous login leading to mass file deletion
- Anomalous login leading to mass file download
- Anomalous login leading to O365 impersonation
- Anomalous login leading to mass file sharing
- Anomalous login leading to ransomware in cloud app
What this means is that the investigations your Managed Detection and Response (MDR) service performs must adapt to identity-centric attacks and escalate for validation with enriched data. Microsoft's analytic rules lean on User and Entity Behavior Analytics (UEBA) to generate these alerts. CRITICALSTART Managed SIEM with Microsoft Azure Sentinel is built with this in mind: orchestration with Active Directory is included in the service. But, as our last blog noted, that is only one part.
Here at CRITICALSTART, we believe that the most democratic thing we can do for the community is:
- Leverage what Microsoft gives us
- Augment that with our own list of rules to provide the kind of MDR coverage Critical Start customers expect
- Focus on other problems we can help address for the community: where and when do I apply rules someone else created?
Simplification + Direction = Security That Works
How to make use of Microsoft's analytic rules is best decided with simplicity and direction. Start with the tools you use today that have supported data connectors, and with the tactics and procedures known to target your industry. The MITRE ATT&CK framework helps identify where additional analytic rules should be added around what Microsoft provides, since every Microsoft analytic rule is tagged with its ATT&CK tactics: map the rules you can actually run (those whose connectors you have enabled) to the tactics they cover, and the tactics left uncovered are your gaps. CRITICALSTART also maintains a list of rules we apply to customer environments if you want an even simpler starting point.
The other direction to consider is continuous integration. An MDR provider takes on responsibility for the update and content management process so that the rules keep performing at their full potential, but how the provider does it should be simple and should allow for transparent, continuous integration, with rule changes validated and promoted through a repeatable pipeline rather than edited by hand in production.
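The two steps above, validating rule content before it is promoted and mapping the rules you can run to ATT&CK tactics to find gaps, can be scripted. The following is an added example, not code from CRITICALSTART or Microsoft. The rule templates in it are constructed stand-ins: their field names (name, query, tactics, requiredDataConnectors with connectorId and dataTypes) follow the YAML layout of the analytics rule templates Microsoft publishes in the Azure-Sentinel GitHub repository, but the rule names and queries are invented, and the set of connected data sources is a hypothetical workspace.

```python
"""Analytic rule template triage: CI-style validation, then ATT&CK tactic
coverage against the data connectors actually enabled in a workspace.

Added example; not CRITICALSTART's or Microsoft's code. Templates are
constructed stand-ins shaped like the Azure-Sentinel repo YAML once loaded.
"""
from collections import defaultdict

# Enterprise ATT&CK tactics in the CamelCase form the Sentinel templates use.
ATTACK_TACTICS = [
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact",
]
REQUIRED_FIELDS = ("name", "query", "tactics", "requiredDataConnectors")

# Constructed sample templates; names and queries are invented.
SAMPLE_TEMPLATES = [
    {"name": "Sign-in from an unfamiliar location",
     "query": "SigninLogs | where RiskLevelDuringSignIn == 'high'",
     "tactics": ["InitialAccess"],
     "requiredDataConnectors": [
         {"connectorId": "AzureActiveDirectory", "dataTypes": ["SigninLogs"]}]},
    {"name": "Mass file download from SharePoint",
     "query": "OfficeActivity | where Operation == 'FileDownloaded'",
     "tactics": ["Collection", "Exfiltration"],
     "requiredDataConnectors": [
         {"connectorId": "Office365", "dataTypes": ["OfficeActivity"]}]},
    {"name": "New inbox forwarding rule created",
     "query": "OfficeActivity | where Operation == 'New-InboxRule'",
     "tactics": ["Persistence"],
     "requiredDataConnectors": [
         {"connectorId": "Office365", "dataTypes": ["OfficeActivity"]}]},
    {"name": "Rare process launched on a domain controller",
     "query": "SecurityEvent | where EventID == 4688",
     "tactics": ["Execution"],
     "requiredDataConnectors": [
         {"connectorId": "SecurityEvents", "dataTypes": ["SecurityEvent"]}]},
    # Deliberately broken: no query, a tactic ATT&CK does not define, no connector.
    {"name": "Half-finished custom rule",
     "tactics": ["Pwnage"],
     "requiredDataConnectors": []},
]

# Connectors enabled in the hypothetical workspace (constructed).
CONNECTED = {"AzureActiveDirectory", "Office365"}


def validate_template(tpl):
    """Return a list of problems; empty means the template passes the gate.
    This is the check a content pipeline runs before promoting a rule."""
    problems = [f"missing field '{f}'" for f in REQUIRED_FIELDS if f not in tpl]
    for tactic in tpl.get("tactics", []):
        if tactic not in ATTACK_TACTICS:
            problems.append(f"unknown ATT&CK tactic '{tactic}'")
    if not tpl.get("requiredDataConnectors"):
        problems.append("no required data connector declared")
    return problems


def deployable(templates, connected):
    """Split templates into (runnable, blocked): a rule is runnable only if
    every connector it requires is enabled in the workspace."""
    runnable, blocked = [], []
    for tpl in templates:
        needed = {dc["connectorId"] for dc in tpl["requiredDataConnectors"]}
        (runnable if needed <= connected else blocked).append(tpl)
    return runnable, blocked


def tactic_coverage(templates):
    """Map each ATT&CK tactic to the names of the rules that cover it."""
    covered = defaultdict(list)
    for tpl in templates:
        for tactic in tpl["tactics"]:
            covered[tactic].append(tpl["name"])
    return dict(covered)


def coverage_report(templates, connected):
    """Validate, filter by connector, then list covered tactics and gaps."""
    valid = [t for t in templates if not validate_template(t)]
    runnable, blocked = deployable(valid, connected)
    covered = tactic_coverage(runnable)
    return {"covered": covered,
            "gaps": [t for t in ATTACK_TACTICS if t not in covered],
            "blocked": [t["name"] for t in blocked],
            "rejected": [t["name"] for t in templates if validate_template(t)]}


if __name__ == "__main__":
    report = coverage_report(SAMPLE_TEMPLATES, CONNECTED)
    for tactic in ATTACK_TACTICS:
        print(f"{tactic:20s} {report['covered'].get(tactic, '-- gap --')}")
    print("blocked by missing connector:", report["blocked"])
    print("rejected by validation:", report["rejected"])
```

Run as-is, the report shows four tactics covered by three runnable rules, ten tactics with no coverage, the domain controller rule blocked because the SecurityEvents connector is not enabled, and the half-finished rule rejected before it could be deployed. Pointing it at a real export of templates and the workspace's enabled connectors turns the "where do I add rules" question into a concrete list.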
How Effective Content Sharing Builds Healthier Security Relationships
Consider this comparison: if an MDR vendor builds its own connections between technology platforms and supplies its own proprietary rule library, the customer can become "trapped" in the relationship. But when a provider uses the rules Microsoft publishes openly as a foundation and then guides the customer on how best to apply them to the security of their business, the customer stays firmly in control of the security process. And if a business has rules of its own that it wishes to use, no problem: an MDR provider with real Microsoft Azure Sentinel expertise should be able to include those rules in the customization of the MDR service without additional overhead.
Remember, demonstrating complexity doesn’t equal expertise. The right MDR partner should always be looking for ways to simplify how security information is gathered, including methods to streamline content management and continuous integration in managed detection and response.
It All Comes Back to Communication
There's one final advantage Microsoft adds to the mix: it encourages other security companies to publish critical information such as threat intelligence and detection content in open-source formats, which is relatively unusual in the SIEM market. By making content management accessible to all, we can work together as a community to identify bad actors and threats and minimize their impact as early as possible. The end of content silos is here. Long live the democratization of analytic rules.