Key considerations for your SOC onboarding journey

July 30, 2021

Congratulations! You’ve decided to go ahead with the services of a comprehensive Managed Security Operations Centre (SOC). The next question we often get when talking to prospective SOC clients is whether you should go with cloud-based or on-premises options.

Our SOC onboarding process starts with our specialist SOC team sitting down with your technical teams to look at the specific challenges your organisation faces. This includes looking at the data you hold and the sources that data comes from, reviewing which applications need monitoring, and assessing the level of risk each of them poses.

Eventually we will discuss how we will manage your security monitoring and response program. There are essentially two options in the market – cloud-based and on-premises SIEM (security information and event management) offerings.

Cloud-based SIEM versus on-premises approaches

Modern SOCs use cloud-based SIEM technologies (such as Microsoft’s Azure Sentinel) along with Artificial Intelligence (AI), Machine Learning (ML) and cloud-based analytics rules.

Using this advanced monitoring and automated response, SOC teams can correlate external threat feeds with internal feeds and respond rapidly to neutralise threats on behalf of clients.

On the other hand, an on-premises SIEM approach requires more effort in terms of implementation, integration and keeping the platform up to date, and adds complexity if you later decide to move to another security partner. As availability is still a major concern for most businesses, you should also consider that cloud solutions offer better availability than on-premises solutions: the Microsoft Azure cloud platform provides 99.9% availability for Sentinel via its defined SLAs.

In addition, the up-front cost of traditional on-premises SIEM solutions is greater than that of cloud solutions, where you pay only for what you use. Having connected solutions and platforms that can receive real-time signals means the SOC team can detect threats quickly and apply security controls swiftly to neutralise them.

Why do we recommend using Microsoft Azure Sentinel?

Most of our clients use the Microsoft suite of tools, platforms and infrastructure. The modern Microsoft environment is a diversified one, typically combining any or all of the following platforms – Active Directory, Azure AD, Windows, Office 365, Microsoft Threat Protection, Microsoft Cloud App Security, Advanced Threat Protection (ATP) solutions (Microsoft Defender and Azure Defender), Azure Security Centre and many more.

To integrate and connect the data from each of these sources, Azure Sentinel, acting as both SIEM and Security Orchestration, Automation and Response (SOAR), aggregates Microsoft and third-party protection and monitoring tools to deliver end-to-end detection, protection and response capabilities.

The platform has more than 100 built-in connectors for log ingestion (and the number is still growing), with the most popular ones being free of charge to ingest into Sentinel. This list includes Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity), alerts from the Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Centre and Microsoft Cloud App Security.

Furthermore, Microsoft Sentinel also provides a wide range of capabilities, including security monitoring, user behaviour analytics, real-time automation and playbooks, threat hunting, and many other features.

Finally, Microsoft Azure Sentinel provides several methods and formats for ingesting data from external third-party and other vendors' devices, platforms and services:

  • Service-to-service integration: some services are connected natively, such as Amazon Web Services (CloudTrail) and Microsoft services. These connectors leverage the Azure foundation for out-of-the-box integration.
  • External solutions via API: some data sources are connected using APIs provided by the data source itself. Most security technologies expose a set of APIs through which event logs can be retrieved; the connector calls those APIs, gathers the specific data types and sends them to Azure Log Analytics. Examples include Barracuda, Cisco, Citrix, F5, ForcePoint, Google Workspace (formerly G Suite), Okta, Qualys, Salesforce, Symantec and VMware.
  • External solutions via agent: Azure Sentinel can be connected via an agent to any other data source that can stream logs in real time using the Syslog protocol. Most appliances use Syslog to send event messages that include the log itself and metadata about the log. The format of the log payload varies, but most appliances support CEF-based formatting. Examples sent in CEF format include Palo Alto Networks, Thycotic Secret Server, Zscaler, Trend Micro Deep Security, Fortinet, F5 ASM and Aruba ClearPass; examples sent in plain Syslog format include Cisco Meraki, Juniper SRX, Symantec, VMware ESXi, Squid Proxy and a huge number of other syslog-based appliances. The same agent-based route also covers DLP solutions, DNS servers, Azure Stack VMs, Linux servers and workloads in other clouds.
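The agent-based route above delivers two kinds of payload over Syslog: a structured CEF message and a free-text vendor message. The parser below is an added example (not the post's own code, and not the Sentinel agent's implementation) showing what that difference means in practice: it reads the Syslog PRI, timestamp and host, and then either decodes the CEF header and key=value extension (honouring the `\|`, `\=` and `\\` escapes) or keeps the raw message. Both sample lines are constructed for the example; the device names and IP addresses in them are placeholders.

```python
import json
import re

# Constructed sample input (not captured from any real appliance): a CEF
# message in the style of a firewall, and a plain Syslog line from a proxy.
SAMPLE_CEF = (
    "<134>Jul 30 10:15:22 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Traffic denied|5|"
    "src=10.0.0.5 dst=203.0.113.9 spt=51234 dpt=443 act=deny "
    "msg=Blocked outbound\\=policy\\|test cs1Label=Rule cs1=deny-all"
)
SAMPLE_SYSLOG = (
    "<30>Jul 30 10:15:23 proxy01 squid[1234]: TCP_DENIED/403 10.0.0.5 GET http://example.invalid/"
)

# RFC 3164-style framing: <PRI>, BSD timestamp, hostname, message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s[\d:]{8})\s(?P<host>\S+)\s(?P<msg>.*)$"
)
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
# An extension key is alphanumeric, starts at a whitespace boundary and is
# followed directly by '='; an escaped '\=' inside a value therefore never matches.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _split_header(text: str, sep: str, maxsplit: int) -> list:
    """Split the CEF header on unescaped separators; the remainder (the extension)
    is returned verbatim so its own escapes survive for parse_extension()."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])          # '\|' and '\\' become literal chars
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
            if len(parts) == maxsplit:
                parts.append(text[i + 1:])   # extension kept still-escaped
                return parts
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape_ext(value: str) -> str:
    # CEF extension escapes: '\=' '\\' and the '\n' / '\r' line-break escapes.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=v 2 ...' into a dict; values may contain spaces."""
    fields = {}
    matches = list(EXT_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape_ext(ext[m.end():end])
    return fields


def parse_cef(msg: str) -> dict:
    """Decode 'CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    parts = _split_header(msg[len("CEF:"):], "|", 7)
    if len(parts) < 8:
        raise ValueError("malformed CEF header: fewer than seven '|' separators")
    record = dict(zip(CEF_HEADER_FIELDS, parts[:7]))
    record["extension"] = parse_extension(parts[7])
    return record


def parse_line(line: str) -> dict:
    """Parse one Syslog line; nest decoded CEF under 'cef', else keep the raw message."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a Syslog line")
    pri = int(m.group("pri"))
    record = {"facility": pri // 8, "severity": pri % 8,
              "timestamp": m.group("ts"), "host": m.group("host")}
    msg = m.group("msg")
    if msg.startswith("CEF:"):
        record["format"] = "cef"
        record["cef"] = parse_cef(msg)
    else:
        record["format"] = "syslog"
        record["message"] = msg
    return record


if __name__ == "__main__":
    for line in (SAMPLE_CEF, SAMPLE_SYSLOG):
        print(json.dumps(parse_line(line), indent=2))
```

The point for a SOC onboarding is visible in the output: the CEF line arrives with vendor, event name, severity and typed fields such as `src`, `dst` and `act` already separated, so detection rules can reference them directly, whereas the plain Syslog line needs a vendor-specific parser before any of that can be used. This is why the post lists which appliances speak CEF and which only speak Syslog.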

Call us for a chat about your immediate SOC needs.
