Still Is an Expensive Mess
By CMD Technology Group
3 min read
Don Lino: What does that mean?
Sykes: Nothing. I’m just sayin’…
Don Lino: I bring you in here, look you in the eye, tell you what’s what, and what?
Sykes: What?
Don Lino: What “what”?
Sykes: You said, “what” first.
Don Lino: I didn’t say what, I asked you what.
Sykes: You said, “And then, what?” I said, “What?”
Don Lino: [confused] No, I said, “what what,” like what what?
Sykes: You said, “what” first.
Don Lino: Now you’re making fun of me?
Sykes: No, you misunderstood.
If you have ever tried correlating security events in your infrastructure, you know that it sounds just like the conversation between Don Lino and Sykes quoted above from the movie Shark Tale. Tracking down a series of events and what happened first is excruciatingly hard work. Did the attack vector start with user A’s PC, or was it user B’s? Or was it a security flaw on the firewall or the routers, or was it an SSH vulnerability. Was it a combination of all of them? But what happened first? “You said, “what” first.”- Sykes.
This is why Security Information and Event Management (SIEM) software has been so unwieldy, difficult to implement, and cost prohibitive for most. I remember implementing a SIEM solution for a large financial institution. Millions of dollars were spent on a solution, of which there was no way of testing. In other words, the vendor says, “believe everything I say and give me a blank check.” The vendor had to install the equipment, or else it was not “certified,” which meant no support. After about six months, we had about eight full racks of equipment that no one knew how to manage. We couldn’t even extract or correlate events. Also, we had to purchase development if we had devices that were not supported by the vendor. In hindsight, the lucky ones were the companies that could not afford this “solution.” I think SIEM really stands for Still Is an Expensive Mess.
Azure Sentinel
Would you like to test a SIEM solution without all the headaches? Welcome, Azure Sentinel! If you are “the little guy,” the initial cost could be just a couple of dollars a month. Did you build your Azure Sentinel the wrong way? Delete and start over. Try that with eight racks full of paperweights!
Don’t get me wrong; implementing SIEM is still hard work. But you can setup Azure Sentinel in a few hours versus months, and you don’t have to make an upfront investment. There are many Data Connectors (basically configuration setups for devices), which make it very easy to start collecting logs, and Azure is adding more. The screenshot below shows a Data Connector for Fortinet.
I have enabled two Data Connectors, and this screenshot shows the AWS Cloudtrail Data Connector successfully receiving logs. A very simple implementation which only requires the creation of an AWS Role with the permission AWSCloudTrailReadOnlyAccess.
The image below also demonstrates the Azure Data Connector and the activity logs. You can see that we are using two Data Connectors for different cloud providers: AWS and Azure.
Like I said before, implementing SIEM is still hard work, but Azure Sentinel makes it easier by providing Workbooks already preconfigured to gain insight into what’s happening. Below we can see a Workbook for AWS Network Activities and another for User Activities.
SIEM no longer has to mean “Still Is an Expensive Mess.” Azure Sentinel can be a cost effective solution for what used to have such a high barrier to entry. If you would like to take advantage of Azure Sentinel in your infrastructure but have questions specific to your environment or looking for additional guidance, our team here at CMD is happy to help. If you are just curious about the solutions offered and would like to request a live demo of Azure Sentinel, give us a call, and we can schedule one.
If you have a question about any of our solutions or any feedback you’d like to share, contact us. We would love to hear from you!
afernandez@cmdtg.com | (407) 442-0265