
DevOps & automation in Azure security services [Azure Sentinel]

SoftwareOne blog editorial team
Blog Editorial Team

Imagine security monitoring 24/7, 365 days a year, using a fully automated incident response solution that reacts on its own, based on learned patterns and user behaviour, with real experts on top of it. All of that in 40 minutes. Yes, you read correctly: 40 minutes. Not a month, not even a week. Just a handful of minutes to get you fully protected. Nowadays it takes weeks or months to set up a security operations centre in mid- to large-size organisations. We found a way to set up such a centre, called a Managed Security Operations Center (SOC), in a matter of 40 minutes. For those of you who are not familiar with the term, a Managed SOC means you'll have 24/7/365 security monitoring, as well as access to a team of fully trained security analysts and engineers. If you'd like to learn more about the Managed SOC itself, go visit this website.

What is DevOps?

Before we go into the process, let's uncover one important term: DevOps. You've probably heard of DevOps before. For those of you who don't know it, DevOps is a set of practices to follow in order to reach the planned result in the shortest time possible. At SoftwareOne we use well-established best practices to ensure fast responses for ourselves and our clients. In cybersecurity this is crucial not only at the implementation stage but throughout the entire process. How does it work?

Azure Sentinel: security rules and automated response

Azure Sentinel is the beating heart of our Security Operations Center, where we deploy our security rules, customised for a particular client. They are developed in Azure DevOps according to our Scrum-based process. The backlog in Azure DevOps is where we add new types of security rules. An example of such a rule could be a query that detects any attempt at unauthorised file encryption, which may be the first indicator of ransomware. These rules are written down as a User Story, with a set of tasks to complete to make it production-ready.

When an undesired event in the customer's system matches a security rule, we receive an incident alert. The great advantage of Azure Sentinel as a Microsoft solution is that when information about a new vulnerability is published, we immediately get access to Microsoft's templates and ways to detect attempts to exploit this weakness. After our fine-tuning and upgrades, we can deploy this rule to all our clients simultaneously, including automatic incident response playbooks.

Playbooks are pre-defined incident scenarios that Sentinel can run by itself if the threat meets certain criteria. An example of such a scenario is automatically blocking a user that one of the security rules has marked as compromised, before any malicious activity can be performed.

Security as code approach

Our code repository implements a Security Operations Center as code approach, which enables fast implementation in a new system and a rapid response in the event of deletion. We can recover all Azure Sentinel assets in around 10 minutes. Additionally, using Git, the version control system, we manage changes at the code level, so if something doesn't work as it should, we can roll it back immediately.

Quality Assurance

We prevent accidental mistakes through Quality Assurance at each stage. Every new feature or change to a security rule must go through a set of automatic code analysers; if anything seems off, uploading the change is blocked. Also, at least 2 other people must approve the change. So, we make sure that every change is validated from many different angles. The most important security rules are deployed automatically to all customers. However, since not all security rules fit every environment, we configure and customise them according to the customer's needs.
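The two sections above describe security rules kept as code in Git and checked by automatic analysers before anyone can merge them. The following is an added example, not SoftwareOne's code, of what such an analyser can look like: a pre-merge linter for Azure Sentinel scheduled analytics rules. It assumes rules are stored in the field layout used by Sentinel's analytics-rule YAML files (id, severity, queryFrequency, queryPeriod, triggerOperator, tactics, query and so on); the rule objects here are plain Python dicts so the example runs offline without a YAML library, and the two sample rules (one valid, one with several defects) are constructed for the demonstration. The scheduling limits encoded in it (a rule runs at most every 5 minutes, looks back at most 14 days, and the look-back period must be at least as long as the frequency) are Sentinel constraints; the rest of the checks are this example's choices.

```python
"""Pre-merge linter for Sentinel scheduled analytics rules kept as code (added example)."""
import re

# Field layout assumed from Sentinel's analytics-rule YAML convention.
ALLOWED_SEVERITIES = {"Informational", "Low", "Medium", "High"}
ALLOWED_OPERATORS = {"gt", "lt", "eq", "ne"}
REQUIRED_FIELDS = (
    "id", "name", "description", "severity", "kind", "queryFrequency",
    "queryPeriod", "triggerOperator", "triggerThreshold", "tactics", "query",
)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DURATION_RE = re.compile(r"^(\d+)([mhd])$")
MINUTES = {"m": 1, "h": 60, "d": 1440}
MIN_FREQUENCY = 5        # Sentinel runs a scheduled rule at most every 5 minutes
MAX_PERIOD = 14 * 1440   # and looks back at most 14 days


def duration_minutes(value):
    """Convert a Sentinel duration such as '5m', '1h' or '14d' to minutes; None if malformed."""
    m = DURATION_RE.match(str(value))
    if not m:
        return None
    return int(m.group(1)) * MINUTES[m.group(2)]


def lint_rule(rule):
    """Return the findings for one rule; an empty list means the rule may be merged."""
    findings = []
    for name in REQUIRED_FIELDS:
        if name not in rule or rule[name] in ("", None, []):
            findings.append(f"missing field: {name}")
    if findings:
        return findings  # the remaining checks need every field to be present

    if not GUID_RE.match(str(rule["id"])):
        findings.append("id must be a GUID")
    if rule["kind"] != "Scheduled":
        findings.append("kind must be Scheduled for this linter")
    if rule["severity"] not in ALLOWED_SEVERITIES:
        findings.append(f"unknown severity: {rule['severity']}")
    if rule["triggerOperator"] not in ALLOWED_OPERATORS:
        findings.append(f"unknown triggerOperator: {rule['triggerOperator']}")
    if not isinstance(rule["triggerThreshold"], int) or rule["triggerThreshold"] < 0:
        findings.append("triggerThreshold must be a non-negative integer")
    if not isinstance(rule["tactics"], list):
        findings.append("tactics must be a list")

    freq = duration_minutes(rule["queryFrequency"])
    period = duration_minutes(rule["queryPeriod"])
    if freq is None or period is None:
        findings.append("queryFrequency/queryPeriod must look like 5m, 1h or 1d")
    else:
        if freq < MIN_FREQUENCY:
            findings.append("queryFrequency below 5m")
        if period > MAX_PERIOD:
            findings.append("queryPeriod above 14d")
        if period < freq:
            # A look-back shorter than the schedule leaves events nobody ever queries.
            findings.append("queryPeriod shorter than queryFrequency leaves gaps in coverage")
    return findings


def lint_repo(rules):
    """Lint every rule and flag ids reused across files; returns {rule name: findings}."""
    report, seen = {}, {}
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        report[name] = lint_rule(rule)
        rid = rule.get("id")
        if rid in seen:
            report[name].append(f"duplicate id shared with rule '{seen[rid]}'")
        else:
            seen[rid] = name
    return report


def gate_passes(rules):
    """The pipeline gate: True only if no rule has any finding."""
    return all(not findings for findings in lint_repo(rules).values())


# Constructed sample rules (the GUID and the KQL are illustrative, not from any real repo).
GOOD_RULE = {
    "id": "0f3e5d1a-1b2c-4d5e-8f90-123456789abc",
    "name": "Brute force: many failed logons per account",
    "description": "Constructed sample: flags accounts with many failed logons.",
    "severity": "Medium", "kind": "Scheduled",
    "queryFrequency": "1h", "queryPeriod": "1h",
    "triggerOperator": "gt", "triggerThreshold": 0,
    "tactics": ["CredentialAccess"],
    "query": "SecurityEvent\n| where EventID == 4625\n"
             "| summarize Failures = count() by Account\n| where Failures > 20",
}
BAD_RULE = dict(GOOD_RULE, id="5d2c9b7e-0a1f-4c3d-9e8b-abcdef012345",
                name="Misconfigured rule", severity="Critical",
                queryFrequency="1d", queryPeriod="1h", triggerOperator="gte")

if __name__ == "__main__":
    for name, findings in lint_repo([GOOD_RULE, BAD_RULE]).items():
        print(name, "->", findings or "OK")
    print("gate passes:", gate_passes([GOOD_RULE, BAD_RULE]))
```

Run as a script it prints the findings per rule and the gate result; in a pipeline the non-empty report is what blocks the merge, and the same module can be invoked from a pre-commit hook so the author sees the finding before the pull request is opened.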

Security deployment pipeline

Now, the key to all of this automation is our Security Operations Center deployment pipeline, a generic set of steps that fits every client's infrastructure. Thanks to this, we can implement a SOC in any business in about 40 minutes, guaranteeing an instant and fully secure environment. And that is how we use DevOps practices in our Managed SOC service.

Azure Lighthouse

Finally, we would like to mention Azure Lighthouse, the service we use to manage our clients' infrastructure. Azure Lighthouse makes it possible to access the client's tenant without creating new accounts. That provides an additional security layer to our service, because every new account is a new attack vector for bad actors.

To sum up: Azure Sentinel, Azure DevOps and Azure Lighthouse are the three cloud technologies that make our Managed SOC ready to implement in 40 minutes. If you'd like to talk to us about it, or even just ask some questions, email us. We'll be happy to help!

Author


We analyse the latest IT trends and industry-relevant innovations to keep you up-to-date with the latest technology.