Higher Intelligence: Azure Sentinel Integration Through ICDx

A cyber security strategy, like a military strategy, depends on intelligence. And information is the raw material of intelligence. The good news is there is more information than ever. The bad news is the sheer quantity of information and the growing number of information sources. The challenge of sifting through it all to find real threats, not false positives, keeps getting tougher. Alert fatigue increases the possibility that ever-morphing threats will sneak through to steal data and wreak havoc on your systems.

A defensive strategy built on fragmented tools won’t get the job done. Chances are you don’t have a staff large enough to pay attention to dozens of different tools. It’s not that you don’t need multiple tools – you do – but integration and unification are needed. That’s why we have integrated Symantec Integrated Cyber Defense (ICD) and Microsoft Azure Sentinel through ICD Exchange (ICDx). Here’s what you need to know:

Integrated Cyber Defense (ICD)

First, Symantec’s ICD is a platform that integrates products, services and partners. ICD combines information protection, threat protection, identity management, compliance and other advanced services, powered by shared intelligence and automation across endpoints, networks, applications and clouds. Symantec TIPP (Technology Integration Partner Program) partners create integrations – there are more than 250 so far. Click here for more details about ICD.

In February, we announced ICDx, a layer of free software that takes integration to the next level. ICDx features include:

• A unified event model that makes it easy to standardize the rich data sets created by Symantec products
• Built-in data archiving
• A wide selection of pre-built collectors and forwarders to simplify integration, data filtering and storage
• Streamlined orchestration of real-time actions targeting multiple products simultaneously
• A variety of dashboard views to query and display critical attributes and metrics
• Free front-end viewers for Splunk, ServiceNow, Elastic and other popular SOC tools
• APIs for custom integrations.

Azure Sentinel

The day after we announced ICDx, Microsoft announced Azure Sentinel, a cloud-based Security Information and Event Management (SIEM) system. Azure Sentinel collects security data across your hybrid organization from devices, users, apps and servers on any cloud. What’s more, Microsoft will let you import user and activity behavior data from Office 365 into Azure Sentinel for free. Most important, Azure Sentinel adds the power of AI to sift through results to find the real threats quickly.

Because it’s cloud-based, Azure Sentinel frees you from the burden of setting up and maintaining infrastructure to run a SIEM system – which can be expensive. Instead, you pay for what you use. Scott Woodgate, Senior Director of Microsoft Azure Management and Security Marketing, explains:

“As threats continue to evolve and the volume of data continues to expand, customers want to move beyond on-premises SIEM systems, which are not well-designed for importing cloud information and can’t store it all. Azure Sentinel is cloud-native, and it connects to every type of security tool. It collects information into a database, performs analytics and delivers actionable alerts.”  

AI is Essential

This isn’t just another partnership announcement. It’s about preventing cyber mayhem from happening to you. Because attacks are constantly changing and they are better disguised than ever, integration and AI are key. Consider Dragonfly.

Dragonfly 1.0 emerged way back in 2011, using email, watering hole attacks and Trojanized software to pierce defenses. Then Dragonfly hibernated for a while, later to re-emerge as Dragonfly 2.0 from 2015-2017, again using a variety of attack vectors with files masquerading as Flash updates that installed malicious backdoors. This time, Dragonfly targeted the energy sector, with disruption as a possible goal. It took Symantec’s AI capabilities on top of our global telemetry information base to discover Dragonfly.

Could you have predicted Dragonfly 2.0 based on what you knew about Dragonfly 1.0? There are many more attacks that we once thought were under control. Maybe they have just gone dormant. Any of them can take on a new shape and attack us in new ways. AI capabilities can spot the subtle anomalies that are signs of new and re-emerging threats.

ICD is vital for an effective security strategy. Its solution set builds on our decades of experience analyzing telemetry from consumer and enterprise endpoint protection products, and now combines that information with network data, both on premises and in the cloud, that is generated by Symantec’s suite of network security products. While not every company can build the sophisticated data lakes and analytics capabilities that detect targeted attacks such as Dragonfly, combining the “data gravity” of ICD telemetry with Azure Sentinel through ICDx brings to bear both Symantec and Microsoft AI capabilities.

Azure Sentinel’s machine learning (ML) algorithms correlate millions of low-fidelity anomalies, connecting the dots to present you with a few high-fidelity security incidents. For example, you can quickly see a compromised account that was used to deploy ransomware in a cloud application.

The ML models in Azure Sentinel are based on Microsoft’s work in protecting customers’ cloud assets, but you can bring your own models to Azure Sentinel through its ML service. Also, you can build hunting queries and Azure Notebooks that are based on Jupyter Notebooks. And once you have solved a problem, you can automate your response.

Integration and Unification

In short, via ICDx and Azure Sentinel we can bring it all together for our customers, combining information from ICD with Office 365, Azure AD and other sources to provide comprehensive visibility. Azure Sentinel ML cuts through the reams of data to isolate real threats. During Azure Sentinel evaluations, Microsoft has seen an overall drop of up to 90 percent in alert fatigue.

How can you give this a try? Very simple. Go to the Azure portal, create a new Azure Sentinel service, then connect to the ICDx connector. If you’re coming from the ICD side, just deploy ICDx and enable a forwarder to submit data to Azure Sentinel log analytics.

Azure Sentinel integration through ICDx gives you the benefits of both breadth and depth: A wide view of what’s going on by combining the results of many tools – while examining potential threats in depth thanks to AI and ML. It’s the intelligence your cyber security strategy needs.