Why you should be using Azure Sentinel as an MSSP
If you have been following me on Twitter or my blog, it’s no secret that I absolutely love Azure Sentinel. It’s on the fastest moving product within the Microsoft Security stack and provides some awesome capabilities.
But unfortunately, a lot of people seem to be afraid of it. When you start talking about a ‘SIEM’ solution, there are often hesistant in deploying one because they are scared the setup might become too complex. I often see this when talking to different MSSP’s.
Alex Fields has an awesome blog over at https://itpromentor.com which focuses on the Microsoft 365 stack for MSSP’s. I was inspired by one of his blog ‘Why aren’t you charging your customers to take care of M365‘ to write this blog about how Azure Sentinel can provide a benefit to MSSP’s.
Too often than not, I see MSSP’s or consultants in general migrating a company to the cloud without much aftercare. They migrate the mailboxes to the cloud, enable MFA (if the customer is lucky) and call it a day.
While I absolutely love the cloud, it does come with it’s own challanges. Things like OAuth phishing attacks are a real threat that customers should be aware of and defend against. This is just one of the many examples of threats that a company should be aware of when moving to the cloud.
When you start implementing a lot of the security controls that Microsoft 365 has to offer, such as:
- Microsoft Defender
- Conditional Access
- Identity Protection
You have to monitor a lot of different portals and be mindful of what each portal is meant for. For a company with a small(er) IT team, this can be a lot of information for which they might not have the knowledge nor time.
This is where there is an opportunity for you as an MSSP that can create a mutual benefit. As an MSSP, you can focus on becoming an expert for the Microsoft 365 Security stack in order to help your customers. In the meanwhile, your customers don’t have to worry about all the recent attacks because you have them covered.
In my opinion, there are a couple of things an MSSP should do in order to secure a customers cloud environment:
Because the cloud is ever changing, you need to be on top of the latest developments. New features are added almost everyday and as an MSSP, you need to be aware of them and know how they can help your customers. Some examples are: Tamper Protection, Self Service License Purchase….
This is also where an opportunity for the MSSP present itself. During the aftercare, you will notice some security holes within the customers environment. This gives you the opportunity to provide extra services/licenses to better protect the environments.
Next to the products which are constantly moving, the threat landscape is also ever changing. Almost daily new attack vectors and attacks are discovered. A very recent example is the HAFNIUM attack which has impacted a tremendous amount of organizations. As an MSSP, you should familiarize yourself with the latest attacks and know how to defend against them.
Last but not least, an MSSP should be monitoring the security products it has implemented. A lot of the different security products from Microsoft Defender generate alerts, incidents and detections. If you don’t respond and manage the incidents, you aren’t taking full advantage of the license.
Managing and triaging these incidents can be tricky at first, but this is where Azure Sentinel comes in.
Enter Azure Sentinel
Azure Sentinel is Microsoft’s first and only SIEM/SOAR product. It allows you to easily aggregate all alerts and logs into a single place. It supports both on-premises and cloud data for an easy event aggregator. For an MSSP, there are a couple of advantages.
Single pane of glass
One of the main advantages is how easy it is to use as a single pane of glass for all the (Microsoft) security incidents within a customers environment. If you enable the following connectors, you can ingest almost all alerts from the Microsof security stack:
- Azure Defender
- Azure AD Identity Protection
- Microsoft 365 Defender
Just as easy, you can connect data sources such as Azure Activity, Azure AD Sign-ins to add extra intelligence and provide your own intelligence in order to protect environments.
In order to show you that setting up an Azure Sentinel environment isn’t rocket science, I have some sessions coming up where I’ll be walking you through setting up your first environment in 50 minutes.
Because a lot of the first-party data connectors are free, the cost of an Azure Sentinel environment (with limited data connectors) is negligible. When you are just ingesting incidents/alerts from the different products, Azure Sentinel is free as these are free to ingest.
It’s only when you add things like Azure data, Firewall logs, other cloud products… that the costs start adding up and costs can become difficult to predict.
One of the main advantages for MSSP is the native support for Azure LIghthouse. Azure Lighthouse lets partners authenticate to the subscriptions of your customers without using Azure B2B or specific accounts. The subscriptions of your tenant are accessible from within your own Azure portal where you can view multiple customers at once.
Azure Sentinel supports an aggregated incident overview, which enables you to view the current incidents across a couple of customers. This enables you to keep an eye on the incidents of your customers, without having to switch accounts/portals.
With the power of Azure Lighthouse, you can easily automate the entire solution by using Azure DevOps and Logic Apps.
With Azure DevOps, you are able to manage multiple environments at scale, without having to configure every environment manually. I have talked about using Azure Lighthouse in combination with Azure DevOps before.
With the use of Logic Apps, you can automate actions within Sentinel or across different products. This enables you to easily block users in AAD, send email notifications or sync your incidents from Sentinel to your ITSM. I have been working on a solution using Logic Apps and Azure Functions to keep Sentinel incidents in sync with JIRA Cloud. I hope to have a blog about this published soon.
Azure Sentinel might be very daunting at first due to it’s overload of options, connectors and rule templates. I strongly advise to use it as an incident aggregator first and move on from there. When you have explored the product, activate the AAD and Azure data connectors and onboard some of the built-in rule templates. From that moment on you can explore the product according to your needs.
Microsoft has released some MSSP specific documentation around Azure Sentinel which is available for free download: aka.ms/azsentinelmssp.
This is one of more chaotic blogs, but I hope with this I have enticed some of you to take another look into Azure Sentinel. It might all seem a lot at first, but try to start small and provide added value to your customers.
Leave a Reply