With every week bringing new headlines about crippling cyberattacks, and with organizations growing increasingly distributed, security squads are constantly to ask him to do more with less. Moving to cloud-native security information and event management( SIEM) can help security teams analyze data with the extent of the cloud, and empowers them concentrated on protecting the organization , not managing infrastructure. As the industry’s first cloud-native security operation and automated response( SIEM+ SOAR ), Azure Sentinel provides security analytics across the organization to fight today’s sophisticated cyber menaces. It does this by collecting data across the digital estate–including on-premises systems, software as a service( SaaS) applications, and non-Microsoft cloud environments such as Amazon Web Services( AWS ), Linux, or firewalls–and cross-correlating it applying AI and machine learning, enabling security runnings( SecOps) squads to stop menaces before they do damage.
In part one of this three-part series, we explored the first three steps every SecOps team should take to help ensure a successful migration to Azure Sentinel. For part two, we’ll look at ways to manage the transitional phase of your migration. Specifically, we’ll compare the pros and cons of a short-term versus long-term side-by-side deployment, including an examination of the five types of side-by-side configurations, and which one maximizes value from both Azure Sentinel and your traditional SIEM.
What is the transitional phase in a cloud-native SIEM migration?
For an organization using an on-premises SIEM, migration to the cloud typically requires a three-stage process 😛 TAGEND
Step 2, the transitional phase, involves running Azure Sentinel in a side-by-side configuration either as a short-term solution or as a medium-to-long-term operational model. Both approaches culminate in a completely cloud-hosted SIEM architecture; the difference is: how long does it serve your interests to remain tethered to your traditional SIEM?
Transitional side-by-side( recommended)
Pros: Gives your faculty time to adapt to new processes as workloads and analytics migrate. Gains deep correlation across all data sources for hunting scenarios; eliminates having to do swivel-chair analytics between SIEMs or writer forwarding rules( and close investigations) in two places. Likewise enables your SecOps team to quickly downgrade traditional SIEM solutions, eliminating infrastructure and licensing costs.
Cons: Can require a shortened read curve for SecOps staff.
Involves leveraging both SIEMs side-by-side to analyze different subsets of data indefinitely. In this framework, some organizations choose to take an extended side-by-side approach over a long period of time, or even plan to run side-by-side permanently.
Pros: Leverage Azure Sentinel’s key benefits–including AI, machine learning, and investigation capabilities–without moving wholly away from your traditional SIEM. Saves money compared to your traditional SIEM by analyzing your cloud or Microsoft data in Azure Sentinel.
Cons: Separating analytics across two different databases results in greater complexity( for example split case management and investigations for multi-environment incidents ). Greater staff and infrastructure costs. Requires staff to be knowledgeable in two different SIEM solutions. It also ensues in a much longer time to universal value for Azure Sentinel if the intention is to ultimately migrate to a single SIEM.
What’s the best approach for side-by-side SIEM deployment?
There are five basic deployment frameworks for the side-by-side phase of the migration process. Some of these approaches may seem easier to implement but can introduce unwanted intricacy in the long run. Let’s run through the advantages and drawbacks of each 😛 TAGEND Approach 1: Moving logs from Azure Sentinel to your traditional SIEM
In this configuration, organisations use Azure Sentinel only as a log relay, forwarding logs to their existing on-premises SIEM. This approach is not recommended, since operating Azure Sentinel strictly as a log-relay means you’ll continue to experience the same cost and scale challenges as with your on-premises SIEM. In addition, you’ll be paying for data ingestion in Azure Sentinel together with storage expenses in your traditional SIEM. Another drawback: use Azure Sentinel merely as a log relay means you’ll miss out on Azure Sentinel’s full SIEM+ SOAR capabilities, including detectings, analytics, AI, investigation, and automation tools.
In this approach, your SecOps team forwards logs from your traditional SIEM to Azure Sentinel. For reasons similar to the above, this approach is not recommended. While you’ll be able to benefit from the full functionality of Azure Sentinel without the capacity limitations of an on-premises SIEM, their own organizations still will be paying for data ingestion to two different vendors. In addition to adding architecture complexity, this framework can result in higher costs for your business.
In this modeling, your squad utilizes Azure Sentinel to analyze cloud data while continuing to use your on-premises SIEM to analyze other data sources. This setup allows for clear bounds considering when to use which solution, and it avoids the duplication of costs. However, cross-correlation between the two becomes difficult; so this scenario is not recommended. In today’s landscape–where menaces often move laterally across the organization–such gaps in visibility pose a significant risk.
In this approach, you’ll analyze cloud data supplied by Azure Sentinel, then send the alerts made to your traditional SIEM. There, you can continue to use your traditional SIEM as your single pane of glass and do any cross-correlation on alerts generated by Azure Sentinel. Though it avoids replication costs while giving you the freedom to migrate at your own pace, this configuration is still suboptimal. Simply forwarding enriched incidents to your traditional SIEM restrictions the value you could be getting from Azure Sentinel’s investigation, hunting, and automation capabilities.
In this configuration, your SecOps team will ingest and analyze cloud data within Azure Sentinel while use the traditional SIEM to analyze on-premises data–generating alarms back to Azure Sentinel. In this way, your team is free to do cross-correlation and investigation within Azure Sentinel as your single pane of glass, and still access your traditional SIEM for deeper investigation if needed. This is our recommended side-by-side migration method because it allows you to get full value from Azure Sentinel while migrating data at a pace that’s right for your organization.
Coming soon in part 3: Use occurrence migration
In the third and final post in this series, we’ll examine best practises for migrating your data sources and detections, including the way in which to get the most from Azure Sentinel’s powerful automation abilities. We’ll also offer some tips for finishing the migration and moving altogether off your traditional SIEM. For a complete overview of the migration journey, download the white paper: Azure Sentinel Migration Fundamentals.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Likewise, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post How to manage a side-by-side transition from your traditional SIEM to Azure Sentinel appeared first on Microsoft Security Blog.