<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=1711172&amp;fmt=gif">
Email us hello@itlab.com
General Enquiries 0333 241 7689
Manchester Support 0161 925 7777
London Support 020 7030 3999
Insights

Informed, researched and occasionally controversial: but above all helpful. Browse our blog topics by IT Lab’s subject matter experts and partners.

F

Cybersecurity / 4 minute read

IT Lab Announces Unique Cyber Security Operations Centre Service

Manchester CSOC is First in the UK to Adopt Azure Sentinel and to Offer Incident Response as a Service

"We engaged IT Lab to deliver a fully managed Cyber Security Operations Centre (CSOC) service in 2018. With a lean in-house security team, we were keen to explore their new incident response service, utilising Sentinel. Pravesh Kara and his team submitted a compelling proof of concept, and overnight, we knew we'd made the right decision."

                   - IT Lab client in the finance sector and an early adopter of our new service and Sentinel, managing £6 billion worth of assets.

SOC blog header 1254 x 480

 

As the noise from a multitude of threats to businesses becomes almost deafening, defending vital assets is increasingly expensive, time-consuming – and sleep-depriving. The stance of the UK’s National Cyber Security Centre, Microsoft and several other respected bodies is to “assume breached”.

 

Why is this? Cybercrime is rapidly expanding because of the commoditisation of effective attack techniques. And worryingly, increased dwell time for a threat is intrinsically linked to the severity of a breach’s impact.  This means that time – as well as detection – are paramount.

 

Conventional SIEM (Security Incident and Event Management) products will consolidate the information from across your IT landscape but invariably throw up false positives, soaking up the valuable (and expensive) time of security pros.  

 

Enter Azure Sentinel, which returns a view of threats that genuinely require attention and is unlike any other security operations platform in the marketplace.

 

IT Lab is one of a select few Microsoft partners in the UK offering Cyber Services incorporating Azure Sentinel. As a Microsoft partner and advocate, we rapidly embraced it for our internal security operations while simultaneously making it available to our clients.  

 

Join us for a quick tour of this revolutionary platform. See how Sentinel can save you money and how our incident response capabilities deliver unequalled levels of security and service excellence.

 

What is Azure Sentinel?

Launched in November 2019, Azure Sentinel is Microsoft’s new:

 

  • Cloud-native Security Incident and Event Management (SIEM) and;
  • Security Orchestration, Automation and Response (SOAR) platform.

 

The service works by correlating the security logs and signals from all sources: apps, services, infrastructure, networks, and end-users, whether on-premises, Azure or any other cloud. And it scales automatically to need.

 

Sentinel’s integrated analytics remove the cost and complexities of achieving a central and focused view of active threats. And built-in AI leverages Microsoft’s threat intelligence which analyses trillions of signals every day. Furthermore, Microsoft’s machine learning models filter through the noise from alerts, drilling into and analysing thousands of anomalous events.

 

CSOC Technology

 

A customisable overview dashboard gives a bird’s eye perspective of your IT environment while facilitating a deep dive to granular information. And Sentinel seamlessly connects to other data sources and security solutions, effortlessly building a complete picture and all without leaving the one screen.

 

How Are IT Lab Clients Benefitting from Azure Sentinel?

“Unlike other services that merely surface alerts for others to fix, we aim to own the problem by managing a verified threat alert through to containment,” said Pravesh Kara, IT Lab’s Product Director for Security and Compliance. “Optimised runbooks prevent real damage occurring, and our visibility of multiple clients benefits everyone. Our expansive view means that we apply the detection and containment in one environment to other clients’ situations.

 

“And our service is not solely reactive to threat activity, our proactive approach to reducing the attack surface and threat dwell time are core aspects, through threat hunting and regular vulnerability assessments.”

 

While Azure Sentinel provides many out-of-the-box integrations for rapidly deploying our service,  our Security Engineering team can also create custom integrations with data sources. These include detection algorithms, automated responses, and analytics.

 

The benefits to our financial sector client include:

 

  • With the original SIEM platform, our customer was consuming and paying for a significant amount of data each month. Their like-for-like security monitoring, with the inclusion of free ingestion of Microsoft data sources into Sentinel, has reduced the paid-for data by 91%. Consequently, this has achieved a noticeable cost reduction.
  • Broader, more granular coverage of the firm’s infrastructure gives greater visibility, context and insight while improving the operational efficiency of limited internal resources.
  • Soft benefits: efficiency gains by IT Lab’s CSOC team, meaning our client enjoys a better service.  

 

How Does Azure Sentinel Compare with a Conventional SIEM Platform?

For existing users of Microsoft, Sentinel comes into its own, with noticeable cost-savings and frictionless integration with Azure and Office 365.  The table below sets out how Sentinel differs from a traditional SIEM based service.

     

COMPARISON TABLE

 CONVENTIONAL SIEM PLATFORM BASED SERVICE VS AZURE SENTINEL BASED SERVICE

TRADITIONAL SIEM SERVICE

MICROSOFT AZURE SENTINEL SERVICE

Static platform: set monthly subscription, with a fixed volume of data monitored regardless. Potential wastage.

Dynamic platform: pay only for the volume of data monitored. Automatically scales up or down.

Hundreds of supported technology integrations but required SIEM vendor to build them. No ability to develop custom integrations. Requires additional implementation cost and time.

Many out-of-the-box near one-click integrations to key enterprise security solutions. Ability to develop custom integrations and handling logic through Logic Apps.

Pay for all systems and data monitored.

No charge for monitoring several Microsoft services and data.

 

C. 1000 out-of-the-box rules by default. On average, 10-15% alerts will apply.

Analytic rules customised for specific criteria across the environment to generate incidents.

A different concept of rules and alerts: playbooks (aka automation). Only activate what you need using the toggle switch.

False positives – the same alerts time and time again, demanding skilled – but ultimately wasted, resource.

 

Reduced alert fatigue using machine learning to produce actionable incidents that require evaluation and investigation.

Broad picture view of the security landscape.

 

Deeper, granular view of your security landscape.

Investigations – often involve looking at different cases and disparate systems to build the picture.

 

Investigate from a single pane of glass, pull in information from other sources with ease.  And even query data sources outside of Azure.

The stand-alone platform requires integration with other security solutions, which can be complicated and time-consuming.

Fast and easy to integrate with other security toolsets, such as Amazon Web Service (AWS), firewalls, proxy servers and antivirus. Activate within minutes using a toggle switch.

Sentinel is natively integrated with Azure, enabling you to take advantage of built-in services.

Traditionally, SIEM solutions have evolved to embrace cloud technologies.

 

Sentinel is the first cloud native SIEM service.

Incident Management requires separate processes and manual effort.

Relevant response scenarios can be fully or partially automated using Sentinel Playbooks and further enhanced through an integration to Jupyter Notebooks for advanced hunting and analysis.

 

 

IT Lab's Cyber Security Operations Centre: Adding Value

 

How our CSOC Works

How CSOC works

 

But technology – even world-class tools like Azure Sentinel, are only part of the picture. People and process are vital to a high-performing CSOC’s detection and response capabilities.  

 

At a high-level:

 

  • For optimised monitoring, our CSOC team undertakes daily, monthly and quarterly tasks, dictated by their criticality.
  • When a correlation results in an alarm, our CSOC follows a mature approach to incident response, verifying and identifying all incident artefacts and ultimately containing it.
  • With our Incident Response as a Service, we will remediate the issue. Alternatively, our analysts can assist your in-house team with the clean-up and participate in lessons learned sessions.

 

Core features of our service - which operates under ISO 27001 certified ISMS - include:

 

  • 24 x 7 x 365 coverage
  • Scales to your needs
  • Ability to integrate custom data sources and develop custom detections
  • Fully auditable Privileged Access and Identity Tooling included
  • Integrates with your ITSM tools or utilise our ServiceNow
  • Your complete visibility of the platform and underlying data

 

And our most precious asset – our people – count as one of the most highly skilled CSOC teams in the UK. Their credentials include technology qualifications (Microsoft, Cisco), SOC specialisms, cyber security certificates and academic qualifications.

 

But they don’t operate in a silo; the technical expertise and experience across our group give us the capacity to respond to any type of threat without having to lose precious time waiting for external help.

 

Unmissable Cyber Security Support - Without Costing You a Penny

In these exceptional times, we’re helping organisations by offering a free consultation with a tech expert in the subject area of your choice. Pravesh Kara is among the panel offering his time and expertise at no charge – meet Pravesh and enquire here.

 

Or you could opt for a free cyber security assessment – learn more and request one here.

 

And If you’d like to know more about our renowned Cyber Security Operations Centre and explore Sentinel for your business, give us your details here, and we’ll be in touch.

 

Thanks for reading, stay safe, and we’re here when you need us.

 

Email subscription image

Never miss out on insights

You may also like...