The mere thought of moving to a dedicated SIEM solution can feel daunting for many businesses at the best of times, and let's be honest, it's a big decision to make. However, why reinvent the wheel when someone else has already been through the pain?
Depending on where you are in your journey, there are several key areas to focus on:
Cloud Security Standards
Before starting any new project, have you got the necessary security standards in place so the various stakeholders are clear on things like:
Naming conventions
Role Based Access Controls
For example:
Are you running a cloud only business or perhaps you're utilising a hybrid approach to identity management?
How will you ensure Sentinel Administrators have a separate identity for their job?
Where will the account be created and managed from?
What's the naming format for those accounts?
What's the naming format for the new Resource Groups?
Security Standards should be a key part of your cloud strategy and addressed as early as possible.
Platform
Do you need a new Azure tenant, or will you integrate with an existing one?
Is a testing environment required?
Data Sources
Identify all of the data sources you're planning to ingest
Identify what connectors are required
Do you need Syslog servers?
Consider a phased approach if you have multiple feeds:
What's critical?
What can wait?
Utilise the Azure pricing calculator to obtain a rough idea of daily costs (Log Analytics has cost banding which can help with reducing costs)
Identity Security
Aside from the naming conventions and location of the identity, there's the security element.
Who is authorised to access the platform?
How is the access granted (MFA, passwordless / FIDO2 hardware token)?
Do you want to limit access to specific times of day?
Do you want to enforce the least-privilege model and use Entra Privileged Identity Management, so that any roles needed must go through an approval process, or perhaps raise alerts to a security mailbox?
Design
Pulling all of these elements together into a format that can be read and understood by key stakeholders, whether that's TechNotes, High Level Designs or Low Level Designs, the architect is a fundamental member of the team in articulating your new SIEM platform.
Implementation
Sometimes you need a little expertise with implementing these capabilities, so ensure you have access to the right skillsets.
I can help you with all of the aforementioned elements. Whether you need someone to consult with for advice, need assistance with design or a hands-on approach, I've been fortunate to work across all areas and develop better ways of working.
But How Does that Benefit You?
Cost savings - you don't have to worry about figuring things out
Time savings - development takes time. Why not implement a known working approach instead?
Knowledge - let me pass on the skills, the do's and don'ts, to your teams so they can get up to speed much faster
If you're interested in moving your SIEM to the Microsoft Cloud and need help or would like a conversation about it, please get in touch. It's not as scary as you might think!