How Permissions Elevate both Transparency and Efficiency to Build Healthier Security Relationships
When working with a Managed Detection and Response (MDR) vendor, or any other security service provider, configuring permissions for security analysts is often a serious burden for companies. They struggle with the complexity of an analyst onboarding process designed by engineers who can sometimes overthink what should be a simple solution, or they struggle with a solution that isn’t engineered at all.
Setting up access should be simplified, standardized and operationalized so a client can secure their network quickly and efficiently, but that does not mean cutting corners. Another prevalent problem is that security providers will try to make it “easier” on clients by setting up analysts with super-user permissions. Granting complete access without restrictions, where a client never really knows who is in their system, can yield unintended consequences which are anything but simple. The goal should be that the least access is the right access for the right people at the right time. Fortunately, there is a better way to accomplish exactly that.
Microsoft Holds the Answer
Go all-in on Microsoft for security. By utilizing Microsoft Azure Active Directory (AAD) as an identity provider (IDP), organizations can use an existing tool to administer other security tools, such as Azure Sentinel or Microsoft Defender for Endpoint. This is a simple, yet highly secure and transparent way to collect consent for the activities required to implement and run MDR services for EDR and/or SIEM under one identity provider. Rather than configuring access for users across a range of applications to onboard, the Global Admin for a business needs only to assign application-level permissions, Security Operations Center (SOC) user group permissions, and Sentinel Workspace permissions at the Resource level. The whole process can be as manual or automated as a customer feels comfortable with. The result should be transparent to both parties.
Every security layer needs controls. The goal is to maintain security controls AND control of the process while not being forced into a position where anyone must blindly trust their security provider.
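As an added illustration (not code from the article or from any MDR vendor's tooling), the Az PowerShell script below performs two of the three grants the paragraph above names, the SOC user group and the Sentinel workspace permission, at the narrowest scope that works, and contrasts it with the super-user pattern; the resource group, workspace and group names are placeholders, and the application consent step is left to the tenant's admin consent flow in the portal.

```powershell
# Added example (not from the original article): least-privilege onboarding of an
# MDR provider's SOC analysts with the Az PowerShell module. Names are placeholders.
# Assumes: Az.Accounts, Az.Resources and Az.OperationalInsights are installed and
# Connect-AzAccount has been run by an account that can create groups and assign roles.

$ResourceGroup = "rg-security-prod"     # assumption: resource group holding the workspace
$WorkspaceName = "law-sentinel-prod"    # assumption: Log Analytics workspace behind Sentinel
$SocGroupName  = "SOC-MDR-Analysts"     # assumption: AAD group the vendor's analysts are added to

# 1. One AAD security group is the single place where analyst access is granted or revoked,
#    so removing a vendor (or one analyst) is a membership change, not a permissions hunt.
$socGroup = Get-AzADGroup -DisplayName $SocGroupName
if (-not $socGroup) {
    $socGroup = New-AzADGroup -DisplayName $SocGroupName -MailNickname $SocGroupName `
        -Description "MDR analysts, least-privilege access to the Sentinel workspace"
}

# 2. Resolve the workspace so the role assignment can be scoped to that single resource.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName

# Over-privileged pattern the article warns against (shown only for contrast, not executed):
#   New-AzRoleAssignment -ObjectId $socGroup.Id -RoleDefinitionName "Owner" -Scope "/subscriptions/<id>"
# That grant lets the vendor manage every resource and every role assignment in the subscription.

# 3. Least-privilege pattern: the built-in "Microsoft Sentinel Responder" role, scoped to the
#    workspace resource only. Responders can view data and manage incidents but cannot edit
#    analytics rules, connectors or workspace settings.
$roleName = "Microsoft Sentinel Responder"
$existing = Get-AzRoleAssignment -ObjectId $socGroup.Id -Scope $workspace.ResourceId `
    -RoleDefinitionName $roleName
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $socGroup.Id -RoleDefinitionName $roleName -Scope $workspace.ResourceId
}

# 4. Evidence for both parties: list every assignment visible at the workspace scope. This
#    includes assignments inherited from the resource group and subscription, so an over-broad
#    grant made higher up shows here too, with its Scope column revealing where it came from.
Get-AzRoleAssignment -Scope $workspace.ResourceId |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Re-running the script is safe because both the group lookup and the role-assignment lookup are checked before anything is created, which is what makes it usable as a repeatable onboarding step.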
Why This Approach Simply Makes More Sense
Microsoft Azure Active Directory enables highly visible, standardized access that empowers an MDR provider to deploy repeatable investigation procedures using Microsoft security tools. By ensuring that a user from the business with global admin permissions for AAD consents to the External Application, lower-permission individuals will not be able to consent on behalf of anyone else, thus closing an important gap in compliance. By reducing the number of over-privileged users, risk is also reduced, because the attack surface and attack vectors in the AAD implementation are limited.
This creates a sustainable model for onboarding and permissions with both vendor and customer maintaining the ability to add or remove consent. An MDR service then becomes a continuous detection and integration of people, data and objects, similar to the type of workflow you might see in a Lean manufacturing environment, which shrinks bottlenecks and optimizes the effort of people through automation.
Comprehensive Visibility Without the Headaches
Transparency is the cornerstone of the success of this approach. It properly sets and manages expectations for all parties and ensures the security requirements, corporate practices, and compliance standards are all executed faithfully. By using Microsoft AAD to integrate with an MDR provider, you can ensure standards are not interrupted even during onboarding, and take advantage of the compliance benefits of closed, resolved alerts. This is the path to a healthy and successful security and business relationship for all involved.
Using AAD, Azure Sentinel has the right permissions and keeps the customer at the focal point of all decisions. A company will not be locked into using one MDR service provider since the same integration process can be used when changing vendors. Basically, through this process, there is nothing created that cannot be changed or removed. Both the flow of alerts and how an individual can access them are joined in a fully transparent model where the customer always knows what’s happening and who is making those changes happen.
From a customer perspective, the key to building such a relationship is working with an MDR partner that really is an expert in Microsoft Azure Active Directory and security tools such as Microsoft Azure Sentinel. These highly effective tools should not be treated just like any other SIEM or IDP. It is a mistake to do so.
Your MDR service provider should be asking the right questions and demonstrating the right expertise to show they want to use Microsoft AAD to make your SIEM life easier. Be wary of vendors who utilize an approach to permissions that showcases complexity as though the most complicated solution is automatically the most effective and secure.
Permissions do not have to be a complicated subject. With the right approach, you can modernize your security processes and gain all the active handling of alerts MDR has to offer. With thousands of alerts, and each one needing to be categorized, identified, acted on, and mitigated when needed, you need a 24x7x365 SOC team at your disposal. You just need to make sure they can demonstrate they’re a team you can trust.