Congratulations! You’ve decided to go ahead with the services of a comprehensive Managed Security Operations Centre (SOC). The next question we often get when talking to prospective SOC clients is whether you should go with cloud-based or on-premises options.
Our onboarding process for a SOC service starts with our specialist SOC team sitting down with your technical teams to look at the specific challenges your organisation faces. This includes identifying which data needs to be collected and which sources it comes from, which applications need monitoring, and what level of risk each of them poses.
Eventually we will discuss how we will run your security monitoring and response programme. There are essentially two options in the market: a cloud-based SIEM (security information and event management) platform or an on-premises one.
Cloud-based SIEM versus on-premises approaches
Modern SOCs use cloud-based SIEM technologies (such as Microsoft's Azure Sentinel, now called Microsoft Sentinel) together with Artificial Intelligence (AI), Machine Learning (ML) and cloud-hosted analytics rules.
Using this advanced monitoring and automated response, SOC teams can correlate external threat intelligence feeds with internal telemetry, so that threats are detected and contained quickly on behalf of clients.
On the other hand, an on-premises SIEM requires more effort to implement, integrate and keep up to date, and it adds complexity if you later decide to move to another security partner. Availability is still a major concern for most businesses, and here a cloud SIEM has an advantage: its uptime is backed by the provider's service level agreement (Microsoft's SLA for Sentinel is 99.9%), whereas an on-premises SIEM is only as available as the servers, storage and operations team you maintain for it.
In addition, the up-front cost of a traditional on-premises SIEM is greater than that of a cloud SIEM, where you pay only for what you use. Note that "what you use" is mainly the volume of log data ingested and retained, so data sources and retention periods still need to be chosen deliberately to keep the running cost predictable. Having connected platforms that deliver signals in real time means the SOC team can detect threats quickly and apply security controls swiftly to neutralise them.
Why do we recommend using Microsoft Azure Sentinel?
Most of our clients use the Microsoft suite of tools, platforms and infrastructure. A modern Microsoft environment is a diverse one, typically combining any or all of the following: Active Directory, Azure AD, Windows, Office 365, Microsoft Threat Protection, Microsoft Cloud App Security, Advanced Threat Protection (ATP) solutions (Microsoft Defender and Azure Defender), Azure Security Centre and many more.
To integrate and correlate the data from each of these sources, Azure Sentinel acts as both SIEM and Security Orchestration, Automation and Response (SOAR) platform: it aggregates signals from Microsoft and third-party protection and monitoring tools to deliver end-to-end detection, protection and response capabilities.
The platform has more than 100 built-in data connectors (and the list is still growing), and the most popular Microsoft sources are free of ingestion charges in Sentinel. These include Azure Activity Logs, Office 365 Audit Logs (all SharePoint activity and Exchange admin activity) and alerts from the Microsoft Defender products (Azure Defender, Microsoft 365 Defender, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Endpoint), Azure Security Centre and Microsoft Cloud App Security.
Furthermore, Microsoft Sentinel provides a wide range of capabilities: security monitoring, user and entity behaviour analytics, real-time automation through playbooks, threat hunting and many other features.
Finally, Microsoft Azure Sentinel provides several methods and formats for ingesting data from other third-party vendors' devices, platforms and services, such as:
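As an added illustration (not from the original page and not a rule shipped with Sentinel), the following is what a scheduled analytics rule in Microsoft Sentinel looks like in Kusto Query Language (KQL). It runs over the OfficeActivity table that the Office 365 connector populates from the Exchange admin audit log mentioned above, and flags operations that set up mail forwarding, a common persistence step after a mailbox has been compromised. The column names (TimeGenerated, OfficeWorkload, Operation, UserId, ClientIP, Parameters) are the standard OfficeActivity schema; the one-hour window and the list of cmdlet parameter names are assumptions chosen for the example.

```kql
// Added example: Microsoft Sentinel scheduled analytics rule (KQL).
// Detects Exchange operations that add mail forwarding, using the
// OfficeActivity table filled by the Office 365 connector.
// Assumption: the rule is scheduled hourly and looks back one hour.
let lookback = 1h;
// Assumed list of Exchange cmdlet parameters that carry a forwarding target.
let forwardingParams = dynamic(["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                                "ForwardingSmtpAddress", "ForwardingAddress"]);
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
// Parameters is a JSON array of {"Name": ..., "Value": ...} objects
| extend Params = parse_json(Parameters)
// Keep only the parameters that name a forwarding target and collect their values
| mv-apply Param = Params on (
    where tostring(Param.Name) in (forwardingParams)
    | summarize ForwardTargets = make_set(tostring(Param.Value))
)
| where array_length(ForwardTargets) > 0
| project TimeGenerated, UserId, ClientIP, Operation, ForwardTargets
```

When saving this as a scheduled rule, map UserId to the Account entity and ClientIP to the IP entity so that the resulting incidents carry the right entities for the SOC analyst and for any playbook that acts on them, and set the rule's query period and frequency to match the lookback so that events are neither missed nor counted twice. Office 365 audit events can arrive with some delay, so in practice the lookback is usually made slightly longer than the run frequency to absorb that lag.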
Call us for a chat about your immediate SOC needs.