{"id":16530,"date":"2019-10-07T14:00:38","date_gmt":"2019-10-07T22:00:38","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/10\/07\/news-10269\/"},"modified":"2019-10-07T14:00:38","modified_gmt":"2019-10-07T22:00:38","slug":"news-10269","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/10\/07\/news-10269\/","title":{"rendered":"CISO series: Lessons learned from the Microsoft SOC\u2014Part 3a: Choosing SOC tools"},"content":{"rendered":"

Credit to Author: Todd VanderArk| Date: Mon, 07 Oct 2019 21:20:56 +0000<\/strong><\/p>\n

The Lessons learned from the Microsoft SOC<\/a> blog series is designed to share our approach and experience with security operations center (SOC) operations. Our learnings in the series come primarily from Microsoft\u2019s corporate IT security operation team, one of several specialized teams in the Microsoft Cyber Defense Operations Center (CDOC<\/a>).<\/p>\n

Over the course of the series, we\u2019ve discussed how we operate our SOC at Microsoft. In the last two posts, Part 2a, Organizing people<\/a>, and Part 2b: Career paths and readiness<\/a>, we discussed how to support our most valuable resources\u2014people\u2014based on successful job performance.<\/p>\n

We\u2019ve also included lessons learned from the Microsoft Detection and Response Team (DART)<\/a> to help our customers respond to major incidents, as well as insights from the other internal SOC teams.<\/p>\n

For a visual depiction of our SOC philosophy, download our Minutes Matter poster<\/a>. To learn more about our Security operations, watch CISO Spotlight Series: The people behind the cloud<\/a>.<\/p>\n

As part of Cybersecurity Awareness month, today\u2019s installment focuses on the technology that enables our people to accomplish their mission by sharing our current approach to technology, how our tooling evolved over time, and what we learned along the way. We hope you can use what we learned to improve your own security operations.<\/p>\n

Our strategic approach to technology<\/h3>\n

Ultimately, the role of technology in a SOC is to help empower people to better contain risk from adversary attacks. Our design for the modern enterprise SOC has moved away from the classic model of relying primarily on alerts generated by static queries in an on-premise security information and event management (SIEM) system. The volume and sophistication of today\u2019s threats have outpaced the ability of this model to detect and respond to threats effectively.<\/p>\n

We also found that augmenting this model with disconnected point-solutions lead to additional complexity and didn\u2019t necessarily speed up analysis, prioritization, orchestration, and execution of response action.<\/p>\n

Selecting the right technology<\/h3>\n

Every tool we use must enable the SOC to better achieve its mission and provide meaningful improvement before we invest in purchasing and integrating it. Each tool must also meet rigorous requirements for the sheer scale and global footprint of our environment and the top-shelf skill level of the adversaries we face, as well as efficiently enable our analysts to provide high quality outcomes. The tools we selected support a range of scenarios.<\/p>\n

In addition to enabling firstline responders to rapidly remediate threats, we must also enable deep subject matter experts in security and data science to reason over immense volumes of data as they hunt for highly skilled and well-funded nation state level adversaries.<\/p>\n

Making the unexpected choice<\/h3>\n

Even though many of the tools we currently use are made by Microsoft, they still must meet our stringent requirements. All SOC tools\u2014no matter who makes them\u2014are strictly vetted and we don\u2019t hesitate to reject tools that don\u2019t work for our purposes. For example, our SOC rejected Microsoft\u2019s Advanced Threat Analytics tool because of the infrastructure required to scale it up (despite some promising detection results in a pilot). It\u2019s successor, Azure Advanced Threat Protection (Azure ATP) solved this infrastructure challenge by shifting to a SaaS architecture and is now in active use daily.<\/p>\n

Our SOC analysts work with Microsoft engineering and third-party tool providers to drive their requirements and provide feedback. As an example, our SOC team has a weekly meeting with the Windows Defender ATP team to review learnings, findings, request features or changes, share engineering progress on requested features, and share attacker research from both teams. Even today, as we roll out Azure Sentinel<\/a>, our SOC is actively working with the engineering team to ensure key requirements are met, so we can fully retire our legacy SIEM (more details below). Additionally, we regularly invite engineers from our product groups to join us in the SOC to learn how the technology is applied by our experts.<\/p>\n

History and evolution to broad and deep tooling<\/h3>\n

Microsoft\u2019s Corporate IT SOC protects a cross platform environment with a significant population of Windows, Linux, and Macs running a variety of Microsoft and non-Microsoft software. This environment is approximately 95 percent hosted on the cloud today. The tooling used in this SOC has evolved significantly over the years starting from the classic model centered around an on-premises SIEM.<\/p>\n

Phase 1\u2014Classic on-premises SIEM-centric model<\/strong><\/p>\n

This is the common model where all event data is fed into an on-premises SIEM where analytics are performed on the data (primarily static queries that were refined over time).<\/p>\n

\"Infographic<\/p>\n

We experienced a set of challenges that we now view as natural limitations of this model. These challenges included:<\/p>\n