Single pane of glass for all security related events


Hi,

Are there any plans to bring all security related events (and information) together into one single pane of glass? At the moment there are a lot of tabs I need to have open to get the holistic picture. Windows Defender ATP Portal, OMS, Intune, ASC, ATA etc.


9 Replies

Hi again 😉


I hope you have seen the integration of WDATP, Office 365 ATP and (announced as on the roadmap) MS ATA. This is a first step - investigating across products, without losing context. We will continue our journey with other products where it makes sense, but I don't have anything additional to share today.

Yeah, got that turned on!

What does it mean to have a single pane of glass for all security events?  Which teams are you aiming to serve?  What information are you trying to expose? 

When talking with some customers, it seems that they are talking about everything but:

- A lot of organizations tend to have decentralized administration.  This means that different teams need to have access to different information

- Some organizations have groups within the organization such as legal, HR, etc., that may not want certain things managed by central IT, or may not want other groups within the organization to see what they are doing since they are performing audits or insider threat investigations

- Usually, the team that performs malware analysis is not the one that ensures patching or security configurations are in place.


Just trying to understand how this is to be accomplished.


Gladys

Hi Gladys,

The reality is that more and more customers who purchase M365 E5 find themselves with multiple web interfaces to juggle to detect and respond to security events.

Which tools should they check daily or weekly? 

Eventually, they will stop checking regularly if it becomes burdensome. 

The Security API is not a practical answer for 90% of organizations at this time because:

1) It is limited to reporting Identity Protection alerts and Azure Security Center

2) The Security API doesn't have a user-friendly interface for SOC analysts to consume, so the wish/desire is for MSFT to provide a SOC analyst view that brings events from all of their M365 E5 security investments. 

Tools we would like a single pane of glass for, simplified for SOC analysts to review:

Cloud App Security

Threat Intelligence in Security and Compliance Center

Azure Identity Protection - users at risk and risky sign-ins

Azure Security Center

Windows Defender ATP

Azure ATP

Office 365 Alerts from Security and Compliance Center

DLP policy violations

Azure Information Protection - validating business justification override events or unauthorized access attempts

Microsoft Threat Protection was announced yesterday at Ignite. It's a single dashboard for detection, investigation, and remediation across endpoints, email, documents, identity, and infrastructure in the Microsoft 365 admin console. That means you can see information across Windows Defender ATP, Azure AD Identity Protection, and Office 365 Threat Intelligence. More details are coming soon. Here's an early preview:


microsoft-threat-protection.jpg

This is an improvement in the right direction. Now the Security Analyst only needs to check three security Dashboards: Cloud App Security, Azure Security Center, and Microsoft Threat Protection Dashboard.
It's progress!
Thank you.
Joe

Cloud App Security will also feed into the Microsoft Threat Protection Dashboard, only two left 😉

Thanks Joe for the answer.  When someone tells me about a Dashboard that shows ALL Security related information, I think about:

1.  Application Vulnerabilities - all applications (SQL, Web, Custom applications (SDL), Oracle, Adobe, Office, etc.), so to me it is all applications, whether Microsoft or third party

2.  Data Security - DACLs, SACL, RMS, Labels, compliance

3. Infrastructure - Firewalls, IDS, Router, Switches, host firewalls, storage, cloud services, etc including third party

4. Devices - Any OS whether client or servers, configuration compliance, vulnerability checks, malware detection, etc.

5. Hybrid Identity related for all identity providers

6. Oversight checks, Insider threats, etc.

7. Disaster Recovery - DOS, Crypto, etc


But not one single team in an organization deals with all security on the environment, so how do you expose ALL information in a way that can be understood by each team and still ensure the need to know?  I see ways of picking information from most of it, correlating it and providing something similar to what Advanced Threat Protection is aiming to do, but the focus is against threats.  


Almost everything that you mentioned below is already interconnected, but that is not all your organization security related (on-prem, ALL cloud services, infrastructure, mobile devices, BYOD, etc.) information.  Below I am attaching a drawing where I started documenting service interconnectivity.  That is not all that Microsoft has …  only with what I have played a bit with.  Now having interconnectivity changes the way people plan for security.  Because the improper selection of a provider can cause a domino effect on the rest of the systems.  For example, imagine having all the systems that you mentioned below but choosing an Identity provider that has not been tested with all these.  Would the Identity system provide the required information for all these systems to work properly? 

This provides more information about the interconnectivity capabilities: https://www.youtube.com/watch?v=ESjV1rQggDA


I understand that you mentioned that the Security Graph API is not suitable.  There is a lot of development being done on it, and the purpose is to let organizations and partners build organization-focused dashboards.  Because what is important for a financial organization may not be the same for a Government or a Health organization.  In addition, different teams will want to focus on the tasks that they are in charge of managing rather than having everything and having to figure out what is important to them.  So yes, there will be consolidated views, but more focused per role and per organization.  While all that is being built, you can enjoy the connectivity that our tools provide.


Smiles,


Gladys
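The two posts above disagree about whether the Security Graph API is a practical route to a consolidated view: Joe's concern is that it has no analyst-facing interface, Gladys's point is that it is meant for organizations to build role-focused views on top of. The example below, added here and not code from this thread or from any Microsoft product, shows what that "role-focused view" amounts to in practice: alerts in the shape of the Graph Security API `alert` resource (fields such as `vendorInformation.provider`, `severity`, `status`, `createdDateTime`, `hostStates`, `userStates`) are normalized into dashboard rows and then filtered per team so that each team sees only the providers and severities it owns, with user identities redacted for teams that do not need them (the need-to-know concern raised earlier in the thread). The sample alerts are constructed, not real data, and the provider strings and the `ROLE_VIEWS` table are illustrative assumptions; in a real deployment the alerts would come from `GET https://graph.microsoft.com/v1.0/security/alerts` and the role table from the organization's own policy.

```python
"""Build per-role alert views from Graph Security API-shaped alerts (added example)."""
from collections import Counter
from datetime import datetime

# Constructed sample alerts (not real data). Field names follow the Graph
# Security API alert resource; provider strings are illustrative assumptions.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Suspicious PowerShell command line", "severity": "high",
     "status": "newAlert", "createdDateTime": "2018-09-25T10:00:00Z",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"},
     "hostStates": [{"netBiosName": "WS-042"}],
     "userStates": [{"userPrincipalName": "alice@contoso.example"}]},
    {"id": "a2", "title": "Sign-in from anonymous IP", "severity": "medium",
     "status": "newAlert", "createdDateTime": "2018-09-25T11:30:00Z",
     "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
     "hostStates": [], "userStates": [{"userPrincipalName": "bob@contoso.example"}]},
    {"id": "a3", "title": "Missing disk encryption", "severity": "low",
     "status": "inProgress", "createdDateTime": "2018-09-24T08:15:00Z",
     "vendorInformation": {"provider": "ASC", "vendor": "Microsoft"},
     "hostStates": [{"netBiosName": "VM-SQL01"}], "userStates": []},
    {"id": "a4", "title": "Pass-the-ticket", "severity": "high",
     "status": "resolved", "createdDateTime": "2018-09-23T22:05:00Z",
     "vendorInformation": {"provider": "Azure ATP", "vendor": "Microsoft"},
     "hostStates": [{"netBiosName": "DC01"}],
     "userStates": [{"userPrincipalName": "carol@contoso.example"}]},
    {"id": "a5", "title": "Unsigned driver loaded", "severity": "informational",
     "status": "newAlert", "createdDateTime": "2018-09-25T09:45:00Z",
     "vendorInformation": {"provider": "Windows Defender ATP", "vendor": "Microsoft"},
     "hostStates": [{"netBiosName": "WS-017"}], "userStates": []},
]

# Graph severity values, lowest to highest, so they can be compared and sorted.
SEVERITY_ORDER = ["unknown", "informational", "low", "medium", "high"]

# Hypothetical role table: which providers a team owns, the lowest severity it
# wants to see, and whether it is allowed to see user identities.
ROLE_VIEWS = {
    "soc":      {"providers": None, "min_severity": "medium", "show_users": True},
    "endpoint": {"providers": {"Windows Defender ATP", "ASC"}, "min_severity": "low", "show_users": False},
    "identity": {"providers": {"IPC", "Azure ATP"}, "min_severity": "low", "show_users": True},
}


def severity_rank(severity):
    """Return an int rank for a severity string; unrecognized values rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def normalize(alert):
    """Flatten one Graph-shaped alert into the fields a dashboard row needs."""
    return {
        "id": alert["id"],
        "title": alert.get("title", ""),
        "provider": alert.get("vendorInformation", {}).get("provider", "unknown"),
        "severity": alert.get("severity", "unknown"),
        "status": alert.get("status", "unknown"),
        # Graph timestamps are ISO 8601 with a trailing Z; fromisoformat needs +00:00.
        "created": datetime.fromisoformat(alert["createdDateTime"].replace("Z", "+00:00")),
        "hosts": [h["netBiosName"] for h in alert.get("hostStates", []) if h.get("netBiosName")],
        "users": [u["userPrincipalName"] for u in alert.get("userStates", []) if u.get("userPrincipalName")],
    }


def view_for_role(alerts, role, include_resolved=False):
    """Return the rows a given team should see, highest severity and newest first."""
    cfg = ROLE_VIEWS[role]
    rows = []
    for raw in alerts:
        row = normalize(raw)
        if cfg["providers"] is not None and row["provider"] not in cfg["providers"]:
            continue                      # not this team's product
        if severity_rank(row["severity"]) < severity_rank(cfg["min_severity"]):
            continue                      # below the team's noise threshold
        if not include_resolved and row["status"] == "resolved":
            continue                      # closed alerts are not actionable
        if not cfg["show_users"]:
            row["users"] = ["<redacted>"] * len(row["users"])   # need-to-know
        rows.append(row)
    rows.sort(key=lambda r: (-severity_rank(r["severity"]), -r["created"].timestamp()))
    return rows


def open_alerts_by_provider(alerts):
    """Count unresolved alerts per provider: the 'which console do I check' summary."""
    return Counter(normalize(a)["provider"] for a in alerts if a.get("status") != "resolved")


if __name__ == "__main__":
    for role in ROLE_VIEWS:
        print(f"== {role} view ==")
        for r in view_for_role(SAMPLE_ALERTS, role):
            print(f"{r['severity']:>13}  {r['provider']:<22} {r['id']}  {r['title']}  users={r['users']}")
    print("open alerts by provider:", dict(open_alerts_by_provider(SAMPLE_ALERTS)))
```

The point of the role table is the one Gladys makes: the SOC row is provider-agnostic but severity-thresholded, the endpoint row sees its own products down to low severity but never user identities, and the identity row sees the opposite slice. Swapping `SAMPLE_ALERTS` for the JSON `value` array returned by the Graph endpoint is the only change needed to run it against live data.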

The diagram looks great, well done!
There has been significant progress for interconnecting the Microsoft security solutions and that is an important first step.
The diagram illustrates that there are way too many places a SOC would have to look to effectively and efficiently detect a cybersecurity incident.
The Microsoft Threat Protection Dashboard significantly helps smaller companies who have little or no on-premises footprint.
Larger organizations that have their own internal SOC or have an outsourced SOC are requiring alerts and incidents to flow through a centralized SIEM.
If Microsoft can provide a SIEM as part of M365 E5, then clients would not have to invest in 3rd party solutions from IBM, Splunk, etc. Microsoft is already a leader in Security and having a SIEM strategy/solution would help further Microsoft's mission.
Therefore, the SIEM should really be at the center and heart of the diagram and vision. Microsoft should be a leader in the SIEM space because that is the tool that mature SOCs rely upon to detect security incidents.