
Maximising Your Microsoft Security Environment

If you're a Microsoft-focused organization you may be able to leverage the technology you already have to become more secure.

Nirvana, for many of the organizations I speak with on a daily basis, is to maximize what is already included in their licensing agreement and to use the people already in their IT and security departments. This presents a challenge for smaller organizations that lack the extensive security analyst teams of a big financial institution.


No, your SOC probably doesn’t look like this.

First, the IT security team is often already very stretched. If you were thinking of setting up your own Security Operations Centre (SOC), Trustwave's lead SOC consultant in PAC, Leigh Costin, tells me that it optimally takes a team of up to 18 people to staff it properly, accounting for the different roles and responsibilities, appropriate coverage (24x7, all year) and staff leave. The additional challenge is configuring Microsoft Sentinel and Defender to accurately suit your specific organizational needs and to ensure you're not missing key alerts and incidents.

As a first step, check your licensing agreement to understand the Microsoft security licensing you may already have in your organization.

Here are five topics to consider as you spin up your Microsoft Defender and Sentinel platforms and keep them running.

Where to Start and End

Map the existing event sources, including the non-Microsoft technology already installed and contributing to the security environment, and integrate these into the Sentinel SIEM. The clients I work with ALL have mixed-vendor security technology in their environment.

Bringing existing security technology investments into a single point of focus will help you cover the critical attack surfaces you define. Sometimes this requires working with APIs and API gateways, and knowing more about the log sources. The aim is to look for gaps and understand what they may mean for your network security posture.

Sorting Out the Anomalies

Although a wide range of use cases is available for the Sentinel/Defender toolset in the new Community Hub or on GitHub, tuning your security environment can make the difference between being overwhelmed with noise and noticing the important events early and responding fast.

Your MS environment will find anomalies from trends. However, this takes time, and it does not handle periodic activities, such as end-of-month or end-of-quarter processing, by itself. These may result in different levels of security alerts for your business, and you'll get spikes of false-positive alerts due to the change in behavior.

Iterative tuning and baselining is a skill, so there is a distinct advantage in using people who have done this before, at scale and in industries like yours.
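As an added illustration (not from the original post, and not Trustwave's own content), one way to baseline a periodic activity in a Sentinel analytics query: today's per-user sign-in volume is compared with the same calendar day last month rather than with a rolling average, so a predictable month-end spike is judged against last month's month-end. It assumes the SigninLogs data connector is enabled; the thresholds are placeholders to tune for your environment.

```kql
// Added example: compare today's per-user sign-in volume with the same
// calendar day last month instead of a rolling 30-day mean, so that
// predictable month-end or quarter-end spikes are not flagged as anomalies.
// Assumes the SigninLogs data connector is enabled; thresholds are placeholders.
let today = startofday(now());
let sameDayLastMonth = datetime_add('month', -1, today);
let current = SigninLogs
    | where TimeGenerated >= today
    | where ResultType == "0"                       // successful sign-ins only
    | summarize CurrentCount = count() by UserPrincipalName;
let baseline = SigninLogs
    | where TimeGenerated between (sameDayLastMonth .. datetime_add('day', 1, sameDayLastMonth))
    | where ResultType == "0"
    | summarize BaselineCount = count() by UserPrincipalName;
current
| join kind=leftouter baseline on UserPrincipalName
| extend BaselineCount = coalesce(BaselineCount, 0)
// Flag only users whose volume is well above their own periodic baseline
// AND above an absolute floor, so new low-volume accounts do not create noise.
| where CurrentCount > 3 * BaselineCount and CurrentCount > 50
| project UserPrincipalName, CurrentCount, BaselineCount,
          Ratio = todouble(CurrentCount) / max_of(BaselineCount, 1)
| order by Ratio desc
```

Saved as a scheduled analytics rule running once a day, the same pattern can be applied to other periodic sources (for example, batch-job or file-transfer logs) by swapping the table and grouping column.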

Build and Adapt Specific Use Cases

MS Sentinel automatically detects multi-stage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the cyber kill chain. Based on these discoveries, Sentinel generates incidents that would otherwise be very difficult to catch, provided you have connected the right data sources to give you coverage.

By design, these security incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned on by default. The machine learning (ML) engine in Sentinel uses only 30 days of historical data to train the ML systems. Tweaking these rules to suit your business environment can help reduce false positives.

Indeed, Microsoft currently provides 90 multi-stage attack scenarios for Sentinel, 35 of which are generally available. Consider which additional queries to add as custom analytics rules to maximize your Microsoft detection coverage.

Trustwave consultants have been providing Use Case as a Service engagements for organizations wishing to leverage our experience to quickly build and deploy these into their environment. The engagements we've seen can be as short as three days to ensure you have the right scenarios set up as custom analytics.

Trustwave also has a Use Case Accelerator program that provides, at regular (quarterly) intervals, a review of your use cases and tunes them to changes in the security landscape and your environment. We consider whether new event sources have been added, whether the infrastructure has changed, and whether there are new attack surface concerns. Automating repetitive response actions can help maximize your SOC's efficiency and effectiveness. Employing automation in your Sentinel environment can help manage incident handling through workbooks.

Beyond the Tools

It's highly advisable (actually mandatory) to develop a set of standard operating procedures (SOPs). These procedures are formal, written guidelines or instructions for incident response that typically have operational and technical components. SOPs help coordinate incident response and manage interactions between the information security team and the rest of the business. They should draw on best practices and be ready and available should an incident occur.

The SOP should include the steps to triage, investigate, and remediate an incident, as well as the non-technical aspects. For example, who in the organization should be notified: HR? Your marketing team? Legal?

There are some playbook templates in Sentinel; consider which ones you should customize and then augment with manual steps. The Trustwave Security Colony CISO resource site also has a great deal of information on how to develop an incident response plan.

An organization should document these SOPs as a one-page flowchart, not a 10-page Word document. They also need to be practiced. Everyone needs to be on the same page; no one likes surprises.

Nothing Stays the Same

New threats are discovered daily, which means your Microsoft environment will need security content updates, patches and fixes to ensure the managed technology is protected. Trustwave consultants strongly recommend connecting third-party threat intelligence feeds to Sentinel using the Threat Intelligence Upload Indicators API data connector. The ongoing maintenance of your Sentinel and Defender setup is critical to staying up to date with the latest threats.

Remember that security is an ongoing process, and it's important to continuously assess, adapt, and improve your environment to stay ahead of evolving threats.

Resources

Learn how Trustwave helped Higgins Coatings become more secure by leaning on Trustwave's Security Information and Event Management (SIEM) and SOC experts to transform their security operations.

Trustwave has leading services for Microsoft technology: we're a top managed SOC partner for Microsoft Sentinel and Microsoft Defender.

We're also a Microsoft FastTrack specialist, helping clients deploy Microsoft 365 security solutions more effectively. Contact us, and we'll help you get started with a Threat Protection Engagement. We can help you develop a strategic plan for your Sentinel and Defender setup customized for your organization.


About the Author

Grant Hutchons is APAC Director for Managed Security Services Engineering at Trustwave. He specializes in Managed Detection and Response and targeted Co-Managed SOC solutions, helping organizations in healthcare, education, and government sectors enhance their cybersecurity posture. Follow Grant on LinkedIn.
