A comprehensive, expertly implemented Security Information and Event Management (SIEM) system can identify security breaches, Distributed Denial of Service (DDoS), or malware attacks before or as they happen. Capturing and storing event logs are among the primary functions of most SIEM systems, yet the evolution of cyber security has extended leading SIEMs with functionality such as:

  • Cloud threat data collection across users, applications, devices, and cloud infrastructure
  • Identifying previously undetected threats and minimizing false positives
  • Proactively hunting for suspicious activities
  • Incident response, security orchestration, and automated remediation tasks for known or common threats

A SIEM strategy with the depth and breadth of threat intelligence that Microsoft has can help detect these events which may otherwise go undetected. If you are already familiar with SIEM systems like Microsoft Sentinel, you can skip the next section to get right to the SIEM best practices. 

What is SIEM?

A SIEM platform like Microsoft Sentinel (formerly Azure Sentinel) collects log files, security alerts, and event data to enable security professionals to understand and analyze their cloud traffic’s origins, destinations, and patterns. It monitors data flowing across endpoint security protocols, firewalls, intrusion detection and prevention systems (IDS/IPS), anti-virus applications, and the like. A SIEM strategy consolidates monitoring and reporting from all these systems. Based on a set of rules, the SIEM alerts security personnel so they can remediate any gaps and measure and minimize data loss from detected breaches. 

A SIEM also generates reports for audit and regulatory compliance purposes, and applies User and Entity Behavior Analytics (UEBA) to baseline normal activity and flag abnormal events such as large data downloads or uploads from unfamiliar IP addresses. Security Orchestration, Automation, and Response (SOAR) functionality in SIEM platforms automates the detection, response, and remediation of minor, known, and repetitive threats.

5 SIEM Best Practices

To maximize your Microsoft Sentinel return on investment while securing your data, apply these SIEM best practices from security professionals, starting with pre-deployment planning:

1. Define your use cases and data sources

Your SIEM use cases will vary depending on your industry, your compliance requirements (such as HIPAA or banking regulations), the nature and scope of your data, and how your employees work (office-based or remote). Your organization may run a variety of applications and databases on multi-cloud infrastructure. Design (or have a consultant design) your Sentinel workspace architecture accordingly.

Understanding the scale and distribution of your data, across on-premises systems, cloud, and SaaS platforms is an excellent first step before deploying Microsoft Sentinel. 

2. Plan for Microsoft Sentinel cost models

The Microsoft Sentinel pricing model is based on the volume of log data ingested for analysis and retained in storage. If you have been running workloads on Microsoft Azure for a decent amount of time, you are likely familiar with Microsoft's pricing calculators. However, it's important to understand that Microsoft Sentinel is only a portion of a monthly Azure bill. Pricing pages and calculators are available in the Microsoft Sentinel documentation.

3. Establish and assign roles and permissions

Ensuring that only authorized employees and contractors can view and configure your security logs, alerts, and event rules is critical. Sentinel's built-in role-based permissions can be assigned granularly, scoping each person to what their role requires: reading logs and reports, connecting data sources, assigning incidents to guest users, or creating and deleting workbooks.
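As an added example (not Yorktel's or Microsoft's code), the script below assigns the built-in Microsoft Sentinel roles at the scope of the Log Analytics workspace rather than the whole subscription, and refuses broad roles such as Owner; the subscription ID, resource group, workspace name and principal object IDs are constructed placeholders, and the assumed CLI is the Azure CLI (`az role assignment create`).

```shell
# Least-privilege role assignment for Microsoft Sentinel (added example, placeholder IDs).
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the az command; 0 = actually run it

# Build the ARM resource ID of the workspace that Sentinel is enabled on, so that
# the assignment is scoped to that workspace and nothing else.
sentinel_workspace_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.OperationalInsights/workspaces/%s' \
    "$1" "$2" "$3"
}

# Only the built-in Sentinel roles are accepted here; Owner or Contributor on the
# subscription would grant far more than log, incident or workbook access.
is_sentinel_role() {
  case "$1" in
    "Microsoft Sentinel Reader"|"Microsoft Sentinel Responder"|\
    "Microsoft Sentinel Contributor"|"Microsoft Sentinel Playbook Operator") return 0 ;;
    *) return 1 ;;
  esac
}

# assign_sentinel_role <principal-object-id> <role> <scope>
assign_sentinel_role() {
  is_sentinel_role "$2" || { echo "refusing non-Sentinel role: $2" >&2; return 1; }
  if [ "$DRY_RUN" = 1 ]; then
    echo "az role assignment create --assignee-object-id $1 --assignee-principal-type User --role \"$2\" --scope $3"
  else
    az role assignment create --assignee-object-id "$1" --assignee-principal-type User \
      --role "$2" --scope "$3"
  fi
}

# Constructed placeholder values; replace with your own subscription, RG and workspace.
SCOPE=$(sentinel_workspace_scope "00000000-0000-0000-0000-000000000000" "rg-security" "law-sentinel")

# Analysts who only read logs and reports get Reader; those who also triage and
# assign incidents get Responder; engineers who build workbooks and rules get Contributor.
assign_sentinel_role "11111111-1111-1111-1111-111111111111" "Microsoft Sentinel Reader" "$SCOPE"
assign_sentinel_role "22222222-2222-2222-2222-222222222222" "Microsoft Sentinel Responder" "$SCOPE"
assign_sentinel_role "33333333-3333-3333-3333-333333333333" "Microsoft Sentinel Contributor" "$SCOPE"
```

Run with `DRY_RUN=0` after reviewing the printed commands; a Contributor-level role on workbooks may additionally require the Workbook Contributor role on the resource group, which this script does not grant.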

4. Data collection best practices

Prioritizing which data connectors you will collect log data from, and setting up filters on that data, makes a big difference in how effective your Sentinel SIEM strategy will be and how much it will cost on an ongoing basis. Sentinel offers free connectors and fee-based partner data connectors, and Microsoft also provides development tools for custom connectors. Be sure to weigh the challenges and opportunities of connecting all of your security services and systems at once against taking a phased approach.

5. SIEM implementation strategy 

Deploying Sentinel is well documented online, and Microsoft and its partners offer best-practice resources covering:

  • Migration from third-party SIEM software
  • Log source onboarding
  • Automation playbooks to 
  • Deployment workbooks and notebooks
  • Deploying alerts and cyber threat intelligence

Microsoft offers quickstart onboarding resources that identify the prerequisites, permissions, and other resources needed to deploy Sentinel and connect data sources. If your business doesn't have the time or staffing to work through the vast amount of documentation, tutorials, and how-tos for deploying and managing Microsoft Sentinel in your Azure or multi-cloud environment, Yorktel can help.

Yorktel offers deep knowledge and experience in the IT security realm, with Microsoft and compatible technologies in particular. We can help you accelerate your SIEM initiative from planning, design, and architecture to deployment, management, and troubleshooting.

SIEM Software

SIEM software has been the core SOC platform for monitoring, managing, and remediating data security issues for many years. Some products are strictly monitoring tools and don't offer any automation or remediation functionality. Others are proprietary or too complex to integrate with diverse applications or cloud environments. Microsoft Sentinel offers a comprehensive, consolidated, admin-friendly set of log management and reporting tools, and is compatible with a broad spectrum of security safeguards and protocols, data sources, and connectors.

Connect with us via our website or contact us at LearnMore@yorktel.com to speak with a Yorktel Microsoft Security expert and learn more about how our SIEM best practices can help your organization, today.