myCloudDoor Workshop: Microsoft Sentinel and Microsoft Defender XDR
There are numerous cybersecurity tools designed to assist organizations in protecting their data, people, and information systems. In the market, we can find tools that analyze emails for phishing attempts, protect ICT infrastructures and cloud environments, and provide generative AI to detect advanced threats and elevate the response level beyond human capability. Although each of these tools is valuable in itself, each only plays a part in the overall cybersecurity management of an organization. The most effective approach to protecting your organization is to implement a unified platform at the Security Operations Center (SOC), combining all these cybersecurity functions into one. Microsoft has prioritized efforts to unify these tools and is now taking the next step in consolidation.
At the Microsoft Ignite 2023 event, Microsoft announced they are unifying Microsoft Sentinel, which offers advanced threat analytics and threat intelligence, with Microsoft Defender XDR, the extended detection and response (XDR) solution, into a unified security operations platform. This platform offers more comprehensive features, automation, guided experiences, and more accurate threat intelligence.
During the myCloudDoor workshop on Microsoft Sentinel and Microsoft Defender XDR, we explored the SOC capabilities of Microsoft Sentinel, a scalable and cloud-native solution that provides both Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR). We also looked at the latest developments in Microsoft's integrated SIEM and XDR solution and how it can protect your environment against adversaries.
Furthermore, we shared that Microsoft Security Copilot is an integrated experience on the platform, benefiting organizations with its generative AI capabilities.
But how can combining various cybersecurity tools into a unified security operations platform help your organization, and how can it benefit a modern SOC?
- What is a unified SOC platform?
A unified SOC platform is a fully integrated set of tools that enable security teams to prevent, detect, investigate, and respond to cybersecurity threats within their organization. This means offering the best of SIEM capabilities, an XDR platform, SOAR, and the proper management of postures and threat intelligence with advanced generative AI in a single platform.
This better protects your organization and all of its components—hybrid identities, endpoints, cloud applications, enterprise applications, email and documents, the Internet of Things (IoT), the network, operational technology (OT), infrastructure, and cloud workloads—with the capabilities of a single platform, and it lets you protect all of them more efficiently. Microsoft offers the only unified security operations platform that delivers full SIEM, SOAR, and XDR functionality.
1. Unify Insights
One of the main issues with a non-unified approach to cybersecurity is that data is scattered across various logs and security tools. This is an obstacle when trying to extract information from that data early enough to anticipate cyber threats and defend against them. Another challenge of not having a unified solution is that it is nearly impossible to see how an attacker moves across the different vectors of an attack. Since attackers can move laterally through an organization's network and establish persistence, it is imperative to detect them quickly and efficiently, without leaving any "blind spots".
By unifying search, incidents, data models, and other threat protection functions across SIEM, SOAR, and XDR, it is possible to search everything in one place, without needing to remember where data is stored, run separate search queries in different tools, or normalize data across them. Unified incidents provide a holistic and centralized view of all threats, since all information is located in one place, resulting in better threat intelligence. The outcome of having this overview of what is happening in your organization is time saved for analysts and increased confidence in your protection.
It is possible to keep the organization secure while analysts focus on actual risk signals, spend less time correlating alerts and addressing false positives, and reduce the average time to respond and recover. Time is crucial when it comes to maintaining your organization's security, and a unified solution empowers analysts to stay ahead of cyberattacks.
2. Achieve Better Protection
With a unified approach to corporate security, you get the best of both worlds: all the flexibility of a SIEM with the depth of protection, automated response capability, and immediate value of an XDR. That flexibility starts with the choice of how to deploy a unified platform, in a way that suits your needs, priorities, and budget. When security capabilities that were spread across multiple solutions are consolidated in a single platform, your organization remains safer, gaining storage flexibility and automatic containment against attacks.
Additionally, SOC optimization is a new feature, offering recommendations to ensure that security value is maximized; for example, by storing data at the most efficient log level, achieving detections across all your data, and maintaining a strong detection posture.
Once such a unified platform is deployed, it is important to have capacity and flexibility in data storage and advanced security functions. With Microsoft Sentinel's data storage, you have flexibility in data retention, with a default of 90 days at no cost. Moreover, Microsoft Defender XDR's extended containment and attack disruption capability also applies to data ingested through Microsoft Sentinel, such as SAP® data, which increases resilience to cyberattacks by containing incidents before they can spread throughout your organization.
3. Enhance and Improve Threat Investigation with Generative AI
With the increasing number and complexity of cyberattacks, security teams may feel overwhelmed. This is where the help of AI can come into play, detecting threats that security teams might overlook. A unified platform that includes generative AI can help the security team achieve better security outcomes. For example, generative AI can assist with guided investigations, natural language hunting, prescription and action recommendations, and straightforward summaries.
Microsoft Security Copilot, Microsoft's generative security solution powered by AI, is available for additional purchase to further strengthen the unified SOC platform. Security Copilot leverages AI to assist analysts with complex and slow daily workflows, including:
- End-to-end incident investigation and response with clearly described cyberattack narratives.
- Guidance on step-by-step corrective measures.
- Summarized incident activity reports, natural language Kusto Query Language (KQL) search, and expert code analysis, optimizing SOC efficiency through Microsoft Sentinel and Defender XDR data.
Security Copilot makes it easier than ever for experienced professionals to take every necessary security step, accelerate tasks such as writing KQL and decoding scripts, and helps level up new employees with intuitive step-by-step guidance.
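The two points above, searching Sentinel and Defender XDR data in one place (section 1) and the KQL that analysts write or have Security Copilot draft for them (this section), come together in a single hunting query. The query below is an added example written for this page; it is not from the workshop, from myCloudDoor, or from Microsoft. It assumes the unified portal exposes both the Sentinel SigninLogs table (Microsoft Entra ID sign-ins) and the Defender for Endpoint DeviceLogonEvents table in one Advanced hunting workspace, and the thresholds (10 failures, a one-hour follow-on window, a 24-hour lookback) are illustrative values to tune for your environment.

```kql
// Added example (not from the workshop): correlate a burst of failed Entra ID
// sign-ins ingested by Microsoft Sentinel (SigninLogs) with a later successful
// network/remote logon on a managed device reported by Microsoft Defender for
// Endpoint (DeviceLogonEvents) from the same source IP address.
// Assumes both tables are queryable together in Advanced hunting.
let lookback = 24h;              // illustrative lookback window
let failureThreshold = 10;       // illustrative number of failures per source IP
let failedSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"    // ResultType "0" is success; anything else is a failure
    | summarize
        FailedCount = count(),
        FirstFailure = min(TimeGenerated),
        LastFailure = max(TimeGenerated),
        TargetAccounts = make_set(UserPrincipalName, 20)
        by IPAddress
    | where FailedCount >= failureThreshold;
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where LogonType in ("Network", "RemoteInteractive")
| where isnotempty(RemoteIP)
// Join the XDR device telemetry to the SIEM sign-in summary on the source IP
| join kind=inner failedSignins on $left.RemoteIP == $right.IPAddress
// Keep only device logons that happened within an hour after the last failure
| where Timestamp between (LastFailure .. (LastFailure + 1h))
| project Timestamp, RemoteIP, DeviceName, AccountDomain, AccountName, LogonType,
          FailedCount, FirstFailure, LastFailure, TargetAccounts
| order by Timestamp desc
```

Two details matter when mixing the sources: Sentinel tables carry their event time in TimeGenerated while Defender XDR tables use Timestamp, and the join key is the source IP as each product records it (IPAddress in SigninLogs, RemoteIP in DeviceLogonEvents). Without a unified workspace this correlation would require exporting one data set and normalizing it into the other tool, which is exactly the overhead section 1 describes.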
4. Get to Know and Test Microsoft's Unified SOC Platform
myCloudDoor offers a workshop that lets you get to know and deploy the unified Microsoft Sentinel and Microsoft Defender XDR platform. You gain a deep understanding of the platform, a ready-to-use integration of SIEM, SOAR, and XDR, tuning of the most important use cases, and a view of the value that the service and platform bring to your organization.
If a unified platform approach to modern SecOps sounds interesting, we can help you verify that having Microsoft Sentinel, Defender XDR, Security Copilot, and a managed 24x7 detection and response service can benefit your organization with a comprehensive security approach.
Miguel Monedero
Security Director at myCloudDoor