Forum Discussion
Single pane of glass for all security related events
Thanks Joe for the answer. When someone tells me about a Dashboard that shows ALL Security related information, I think about:
1. Application Vulnerabilities - all applications (SQL, Web, Custom applications (SDL), Oracle, Adobe, Office, etc.) so to me is all application whether Microsoft or third party
2. Data Security - DACLs, SACL, RMS, Labels, compliance
3. Infrastructure - Firewalls, IDS, Router, Switches, host firewalls, storage, cloud services, etc including third party
4. Devices - Any OS whether client or servers, configuration compliance, vulnerability checks, malware detection, etc.
5. Hybrid Identity related for all identity providers
6. Oversight checks, Insider threats, etc.
7. Disaster Recovery - DOS, Crypto, etc
But not one single team in an organization deals with all security on the environment, so how do you expose ALL information in a way that can be understood by each team and still ensure the need to know? I see ways of picking information from most of it, correlating it and providing something similar to what Advanced Threat Protection is aiming to do, but the focus is against threats.
Almost everything that you mentioned below is already interconnected, but that is not all your organization's security related (on-prem, ALL cloud services, infrastructure, mobile devices, BYOD, etc.) information. Below I am attaching a drawing where I started documenting service interconnectivity. That is not all that Microsoft has … only what I have played a bit with. Now, having interconnectivity changes the way people plan for security, because the improper selection of a provider can cause a domino effect on the rest of the systems. For example, imagine having all the systems that you mentioned below but choosing an Identity provider that has not been tested with all these. Would the Identity system provide the required information for all these systems to work properly?
This provides more information about the interconnectivity capabilities: https://www.youtube.com/watch?v=ESjV1rQggDA
I understand that you mentioned that the Security Graph API is not suitable. There is a lot of development being done on it, and the purpose is to let organizations and partners build Organization focused dashboards, because what is important for financial information may not be the same for a Government or a Health organization. In addition, different teams will want to focus on the tasks that they are in charge of managing rather than having everything and having to figure out what is important to them. So yes, there will be consolidated views, but more focused per role and per organization. While all that is being built, you can enjoy the connectivity that our tools provide.
Smiles,
Gladys
There has been significant progress for interconnecting the Microsoft security solutions and that is an important first step.
The diagram illustrates that there are way too many places a SOC would have to look to effectively and efficiently detect a cybersecurity incident.
The Microsoft Threat Protection Dashboard significantly helps smaller companies who have little or no on-premises footprint.
Larger organizations that have their own internal SOC or have an outsourced SOC are requiring alerts and incidents to flow through a centralized SIEM.
If Microsoft can provide a SIEM as part of M365 E5, then clients would not have to invest in 3rd party solutions from IBM, Splunk, etc. Microsoft is already a leader in Security and having a SIEM strategy/solution would help further Microsoft's mission.
Therefore, the SIEM should really be at the center and heart of the diagram and vision. Microsoft should be a leader in the SIEM space because that is the tool that mature SOCs rely upon to detect security incidents.
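Both posts circle the same design problem: Gladys's point that a consolidated feed still has to be cut into per-role, need-to-know views, and the reply's point that larger SOCs want every source to land in one central SIEM first. The following added example (not code from the thread, from Microsoft, or from any product mentioned here) sketches the two layers as a practitioner would prototype them: a normalization step that maps alerts from more than one source into a single SIEM-style schema, followed by a routing step that gives each team only the categories it owns. The Graph Security alert fields it reads (`id`, `title`, `category`, `severity`, `vendorInformation.provider`, `createdDateTime`) exist in the Microsoft Graph Security API v1.0 alert resource; the sample alerts, the firewall syslog line and its key=value format, and the `TEAM_SCOPES` routing table are all constructed for the illustration.

```python
"""
Added example, not part of the original thread: normalize alerts from
several security sources into one SIEM-style schema, then build
per-team "need to know" views so each team only sees categories it owns.
All sample data below is constructed; the team-to-category routing is
an assumption, not any product's behaviour.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: two alerts in Microsoft Graph Security API alert shape
# (field names are the real v1.0 ones; the values are made up).
GRAPH_ALERTS = [
    {"id": "alert-001", "title": "Malware detected on workstation",
     "category": "Malware", "severity": "high",
     "vendorInformation": {"provider": "Example Endpoint Protection", "vendor": "Microsoft"},
     "createdDateTime": "2018-10-03T14:02:11Z"},
    {"id": "alert-002", "title": "Risky sign-in from unfamiliar location",
     "category": "RiskySignIn", "severity": "medium",
     "vendorInformation": {"provider": "Example Identity Protection", "vendor": "Microsoft"},
     "createdDateTime": "2018-10-03T14:05:40Z"},
]

# Constructed sample: one on-premises firewall line in a hypothetical
# "timestamp host ACTION key=value ..." syslog format, to show that a SIEM
# layer must accept inputs that are not Graph alerts at all.
FIREWALL_SYSLOG = [
    "2018-10-03T14:07:02Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=3389 proto=tcp",
]


@dataclass
class NormalizedEvent:
    """Common schema every source is mapped into before routing."""
    event_id: str
    source: str       # product or device that raised the event
    category: str     # normalized category used for need-to-know routing
    severity: str
    summary: str
    observed_at: str  # ISO 8601 timestamp, used for ordering


def normalize_graph_alert(alert: dict) -> NormalizedEvent:
    """Map a Graph Security API alert dict onto the common schema."""
    return NormalizedEvent(
        event_id=alert["id"],
        source=alert["vendorInformation"]["provider"],
        category=alert["category"],
        severity=alert["severity"],
        summary=alert["title"],
        observed_at=alert["createdDateTime"],
    )


def normalize_firewall_line(line: str) -> NormalizedEvent:
    """Parse the constructed key=value firewall format onto the common schema."""
    ts, host, action, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return NormalizedEvent(
        event_id=f"{host}-{ts}",
        source=host,
        category="NetworkDeny" if action == "DENY" else "NetworkAllow",
        severity="low",
        summary=f"{action} {fields['src']} -> {fields['dst']}:{fields['dport']}/{fields['proto']}",
        observed_at=ts,
    )


# Assumed routing table: which normalized categories each team is allowed to
# see. The central SOC is scoped to everything actionable; specialist teams
# only get their own domain, which is the "need to know" cut from the thread.
TEAM_SCOPES: Dict[str, Set[str]] = {
    "endpoint": {"Malware"},
    "identity": {"RiskySignIn"},
    "network": {"NetworkDeny", "NetworkAllow"},
    "soc": {"Malware", "RiskySignIn", "NetworkDeny"},
}


def ingest_all() -> List[NormalizedEvent]:
    """Normalize every source into one time-ordered stream (the SIEM layer)."""
    events = [normalize_graph_alert(a) for a in GRAPH_ALERTS]
    events += [normalize_firewall_line(line) for line in FIREWALL_SYSLOG]
    return sorted(events, key=lambda e: e.observed_at)


def build_views(events: List[NormalizedEvent]) -> Dict[str, List[NormalizedEvent]]:
    """Return, per team, only the events inside that team's scope."""
    return {team: [e for e in events if e.category in scope]
            for team, scope in TEAM_SCOPES.items()}


if __name__ == "__main__":
    for team, view in build_views(ingest_all()).items():
        print(team, [f"{e.observed_at} {e.source}: {e.summary}" for e in view])
```

The two functions map directly onto the thread's two concerns: `ingest_all` is the central-SIEM step the second post argues for (every source, one schema, one timeline), and `build_views` is the per-role cut Gladys describes. Adding a new source means writing one more `normalize_*` function; changing who may see what means editing `TEAM_SCOPES`, not the ingestion code.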