CISO Guide - Improve your Security Operations by 50%

In this article I explore the use of a cloud based, machine learning Security Information and Event Management (SIEM) solution to improve the efficiency and accuracy of cyber security operations.

A traditional Security Operations Centre (SOC) is normally portrayed as an expensive dedicated room. The room typically features a wall of large and impressive screens displaying flashy animations, while a mass of analysts diligently review log files from their minimalist style workstations. In fact the SOC sometimes looks like the mission control room used for the Apollo moon landings in the late 1960’s. The physical room may be impressive, but the software and methodologies used in some SOCs do actually date back to the late 1960s.

Today, if you want to detect and respond to cyber threats efficiently, and at scale, then a radically different approach is required.

In 2019 Microsoft reached out to a number of companies to discuss a new Security Information and Event Management (SIEM) solution they were thinking of developing. The solution eventually became Micrososft Azure Sentinel. The approach is rather different from having your SIEM sitting on dedicated servers, aggregating security data, applying bespoke filtering, running carefully designed correlations and routing alerts in a physical SOC.

The most obvious difference between Azure Sentinel and the likes of Arcsight, is that Azure Sentinel was created for the hybrid infrastructure (cloud and physical data centres) and to operate at scale with highly dynamic cloud level workloads. It also allows SOC Analysts to work from anywhere.

A cloud based SIEM is essential in a post Covid-19 world.

As we slowly emerge from the Covid-19 crisis, working from home may become an employee’s right rather than a privelege. Thus having a SIEM in the cloud allows your SOC analysts to work securely from wherever they are safe, comfortable and productive.

I can imagine a few diehard traditionalists who will probably be shaking their heads and raising concerns related to the dynamic exchange of ideas and information between SOC analysts and how important this can be. This is a valid concern but you don’t need to be in the same physcial room. You do need a consistent approach to working remotely. For example, the ASOS security team addressed this by shifting the majority of communications onto Microsoft Teams and integrating Microsoft Teams into common workflows.

Still not convinced?

Would you like to improve your SOC efficiency by 50% ?

As the financial shock of Covid-19 changes the world economy, it’s imperative that security teams ensure that they are as efficient as possible. In mid 2019 the ASOS Security Operations team performed a trial using an early version of Azure Sentinel. The objectives of the trial were to assess detection rates, consistency, efficiency and ease of use. The relatively new team then performed a comparison with the incumbent ArcSight SIEM that was receiving the same data set.

The trial highlighted a number of interesting observations and a startling result.

The first observation was how easy it was for Azure Sentinel to be set-up and to start becoming an effective solution. Over a short period, 60+ data sources were added and these varied from traditional firewalls in the last remaining data centre to resources from 100+ Azure subscriptions. In most cases the out of the box connectors were used.

The second observation is about automation. With Azure Sentinel you can use a lot of prebuilt playbooks and queries and it’s also pretty easy to use KQL to build your own queries.

The third observation was how short the refinement period was. During this period the team dramtically reduced the false postive rate.

Last but not least is the net effect on efficiency, which took into account the time to detect and mitigate a set of common incidents and the false positive rate.

Azure Sentinel reduced the time and effort to resolve low level incidents by an average of 50%. The diagram below shows the data flow from data source to resolved incident.

It’s important to note that Microsoft Azure Sentinel uses a generic machine learning model. This allows security teams to gain some immediate benefit, as you inherit the improvements that Microsoft continues to apply to the generic model. This also means your security team or data scientists don’t need to spend months building and refining their own model.

You can find out more about how ASOS reduced the handling of common security incidents via Azure Sentinel via this short video from Microsoft Ignite 2019.

Following this trial the team decided to migrate to Azure Sentinel and it’s fair to say they are enjoying the more advanced threat hunting capabilities.

Cyber Security is a collective responsibility

I’m George Mudie the Chief Information Security Officer @ ASOS. Outside of the office I enjoy box sets of nordic noir crime thrillers, Mexican cuisine and the works of Iain M. Banks.

Photo by Joshua Aragon on Unsplash