Forum Discussion
Single pane of glass for all security related events
Hi Gladys,
The reality is that more and more customers who purchase M365 E5 find themselves with multiple web interfaces to juggle to detect and respond to security events.
Which tools should they check daily or weekly?
Eventually, they will stop checking regularly if it becomes burdensome.
The Security API is not a practical answer for 90% of organizations at this time because:
1) It is limited to reporting Identity Protection alerts and Azure Security Center
2) The Security API doesn't have a user-friendly interface for SOC analysts to consume, so the wish/desire is for MSFT to provide a SOC analyst view that brings events from all of their M365 E5 security investments.
Tools we would like a single pane of glass for simplified SOC analysts to review:
Cloud App Security
Threat Intelligence in Security and Compliance Center
Azure Identity Protection - users at risk and risky sign-ins
Azure Security Center
Windows Defender ATP
Azure ATP
Office 365 Alerts from Security and Compliance Center
DLP policy violations
Azure Information Protection - validating business justification override events or unauthorized access attempts
Thanks Joe for the answer. When someone tells me about a Dashboard that shows ALL Security related information, I think about:
1. Application Vulnerabilities - all applications (SQL, Web, Custom applications (SDL), Oracle, Adobe, Office, etc.), so to me it is all applications, whether Microsoft or third party
2. Data Security - DACLs, SACL, RMS, Labels, compliance
3. Infrastructure - Firewalls, IDS, Router, Switches, host firewalls, storage, cloud services, etc including third party
4. Devices - Any OS whether client or servers, configuration compliance, vulnerability checks, malware detection, etc.
5. Hybrid Identity related for all identity providers
6. Oversight checks, Insider threats, etc.
7. Disaster Recovery - DOS, Crypto, etc
But not one single team in an organization deals with all security on the environment, so how do you expose ALL information in a way that can be understood by each team and still ensure the need to know? I see ways of picking information from most of it, correlating it and providing something similar to what Advanced Threat Protection is aiming to do, but the focus is against threats.
Almost everything that you mentioned below is already interconnected, but that is not all of your organization's security related (on-prem, ALL cloud services, infrastructure, mobile devices, BYOD, etc.) information. Below I am attaching a drawing where I started documenting service interconnectivity. That is not all that Microsoft has … only what I have played with a bit. Now, having interconnectivity changes the way people plan for security, because the improper selection of a provider can cause a domino effect on the rest of the systems. For example, imagine having all the systems that you mentioned below but choosing an Identity provider that has not been tested with all these. Would the Identity system provide the required information for all these systems to work properly?
This provides more information about the interconnectivity capabilities: https://www.youtube.com/watch?v=ESjV1rQggDA
I understand that you mentioned that the Security Graph API is not suitable. There is a lot of development being done on it, and the purpose is to enable organizations and partners to build Organization focused dashboards, because what is important for financial information may not be the same for a Government or a Health organization. In addition, different teams will want to focus on the tasks that they are in charge of managing rather than having everything and having to figure out what is important to them. So yes, there will be consolidated views, but more focused per role and per organization. While all that is being built, you can enjoy the connectivity that our tools provide.
Smiles,
Gladys
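As an added example (not code from this thread, from Microsoft, or from either poster), one way a per-role consolidated view like the one Gladys describes could be built over Microsoft Graph Security API alerts: the role names, the role-to-provider mapping and the provider strings are assumptions, and the alerts are constructed samples in the shape of items returned by GET /v1.0/security/alerts, not real data.

```python
from collections import Counter

# Assumed mapping of SOC roles to the Graph alert providers they own
# (role names and provider strings are constructed for this example).
ROLE_PROVIDERS = {
    "identity": {"IPC", "Azure Advanced Threat Protection"},
    "endpoint": {"Windows Defender ATP"},
    "cloud": {"Azure Security Center"},
}
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": -1}

# Constructed sample alerts shaped like items from GET /v1.0/security/alerts.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Atypical travel", "severity": "medium", "status": "newAlert",
     "createdDateTime": "2018-10-09T08:00:00Z", "vendorInformation": {"provider": "IPC"}},
    {"id": "a2", "title": "Suspicious PowerShell", "severity": "high", "status": "inProgress",
     "createdDateTime": "2018-10-09T07:30:00Z", "vendorInformation": {"provider": "Windows Defender ATP"}},
    {"id": "a3", "title": "Pass-the-ticket", "severity": "high", "status": "newAlert",
     "createdDateTime": "2018-10-09T09:15:00Z",
     "vendorInformation": {"provider": "Azure Advanced Threat Protection"}},
    {"id": "a4", "title": "Leaked credentials", "severity": "high", "status": "resolved",
     "createdDateTime": "2018-10-08T12:00:00Z", "vendorInformation": {"provider": "IPC"}},
    {"id": "a5", "title": "Mass download", "severity": "medium", "status": "newAlert",
     "createdDateTime": "2018-10-09T10:00:00Z", "vendorInformation": {"provider": "MCAS"}},
]

def normalize(alert):
    """Flatten one Graph alert into the few fields a triage list needs."""
    sev = alert.get("severity", "unknown")
    return {
        "id": alert["id"],
        "title": alert.get("title", ""),
        "provider": alert.get("vendorInformation", {}).get("provider", "unknown"),
        "rank": SEVERITY_RANK.get(sev, -1),
        "status": alert.get("status", "unknown"),
        "time": alert.get("createdDateTime", ""),
    }

def role_view(alerts, role):
    """Open alerts for one role only: highest severity first, newest first within a severity."""
    rows = [normalize(a) for a in alerts]
    rows = [r for r in rows if r["provider"] in ROLE_PROVIDERS[role] and r["status"] != "resolved"]
    return sorted(rows, key=lambda r: (r["rank"], r["time"]), reverse=True)

def unowned_providers(alerts):
    """Providers raising alerts that no role owns: the 'who checks this one?' gap."""
    owned = set().union(*ROLE_PROVIDERS.values())
    counts = Counter(normalize(a)["provider"] for a in alerts)
    return {p: n for p, n in counts.items() if p not in owned}
```

The unowned_providers check is the part worth keeping in a real build: it flags alert sources that nobody's daily review covers, which is the gap Joe raised at the top of the thread.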
- Joe Stocker, Oct 09, 2018, Bronze Contributor
The diagram looks great, well done!
There has been significant progress for interconnecting the Microsoft security solutions and that is an important first step.
The diagram illustrates that there are way too many places a SOC would have to look to effectively and efficiently detect a cybersecurity incident.
The Microsoft Threat Protection Dashboard significantly helps smaller companies who have little or no on-premises footprint.
Larger organizations that have their own internal SOC or have an outsourced SOC are requiring alerts and incidents to flow through a centralized SIEM.
If Microsoft can provide a SIEM as part of M365 E5, then clients would not have to invest in 3rd party solutions from IBM, Splunk, etc. Microsoft is already a leader in Security and having a SIEM strategy/solution would help further Microsoft's mission.
Therefore, the SIEM should really be at the center and heart of the diagram and vision. Microsoft should be a leader in the SIEM space because that is the tool that mature SOCs rely upon to detect security incidents.