Remediate Security Alerts Using Azure Defender (part 1)
Security Alerts
Respond to today's threats
To counter today's threats, organizations often deploy point solutions that defend either the enterprise perimeter or the endpoints by looking for known attack signatures. These solutions tend to generate a high volume of low-fidelity alerts that a security analyst must triage and investigate. Most organizations lack the time and expertise required to respond to these alerts, so many of them eventually go unaddressed.
Attackers have also evolved their methods to subvert many signature-based defenses and have adapted to cloud environments, so new approaches are required to identify emerging threats more quickly and to speed up detection and response.
What are security alerts and security incidents?
A security incident is a collection of related alerts, presented together instead of listing each alert individually. Security Center uses Cloud Smart Alert Correlation to correlate different alerts and low-fidelity signals into security incidents.
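As an added illustration (not Security Center's own correlation logic, which is not described in this post), the following Python models the alert-to-incident idea: alerts on the same resource that arrive close together are folded into one incident whose severity is the highest of its members, while isolated alerts stay separate. The alert fields, the one-hour window and the sample alerts are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alert:
    name: str
    resource: str      # affected resource id (hypothetical field)
    severity: str      # "Low", "Medium" or "High"
    time: datetime


@dataclass
class Incident:
    resource: str
    alerts: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # An incident inherits the highest severity among its member alerts.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)


def correlate(alerts, window=timedelta(hours=1)):
    """Group alerts on the same resource whose timestamps are within `window`
    of the previous alert into incidents; alerts left alone are returned as-is."""
    incidents, singles = [], []
    by_resource = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.time):
        by_resource[a.resource].append(a)
    for resource, group in by_resource.items():
        current = Incident(resource, [group[0]])
        for a in group[1:]:
            if a.time - current.alerts[-1].time <= window:
                current.alerts.append(a)          # same chain of activity
            else:
                _flush(current, incidents, singles)
                current = Incident(resource, [a])
        _flush(current, incidents, singles)
    return incidents, singles


def _flush(incident, incidents, singles):
    # Only a group of two or more related alerts is promoted to an incident.
    (incidents if len(incident.alerts) > 1 else singles).append(
        incident if len(incident.alerts) > 1 else incident.alerts[0])


T0 = datetime(2021, 3, 1, 10, 0)
SAMPLE_ALERTS = [  # constructed sample data, not real Security Center output
    Alert("Suspicious SSH brute-force attempt", "vm-web-01", "Low", T0),
    Alert("Login from unusual location", "vm-web-01", "Medium", T0 + timedelta(minutes=12)),
    Alert("Suspicious process executed", "vm-web-01", "High", T0 + timedelta(minutes=40)),
    Alert("Antimalware disabled", "vm-db-02", "Medium", T0 + timedelta(hours=5)),
]
```

Running `correlate(SAMPLE_ALERTS)` folds the three low-fidelity signals on vm-web-01 into one High-severity incident and leaves the vm-db-02 alert on its own.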
How does Security Center detect threats?
Security Center employs advanced security analytics that go well beyond signature-based approaches, including the following:
- Integrated threat intelligence: Microsoft has an immense amount of global threat intelligence, and its researchers also receive threat intelligence shared among major cloud service providers as well as feeds from third parties. Azure Security Center uses this information to alert you to threats from known bad actors.
- Behavioral analytics: a technique that analyzes data and compares it to a collection of known patterns. These patterns are determined through complex machine learning algorithms applied to massive datasets. Azure Security Center uses behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, and other sources.
- Anomaly detection: Azure Security Center also uses anomaly detection to identify threats. Unlike behavioral analytics, anomaly detection is more "personalized" and focuses on baselines specific to your deployments. Machine learning is applied to determine normal activity for your deployments, which then generates rules that define outlier conditions that could represent a security event.
Continuous monitoring and assessments
- Threat intelligence monitoring: threat intelligence includes mechanisms, indicators, implications, and actionable advice about existing or emerging threats. This information is shared within the security community, and Microsoft continuously monitors threat intelligence feeds from internal and external sources.
- Signal sharing: insights from security teams across Microsoft's broad portfolio of cloud and on-premises services, servers, and client endpoint devices are shared and analyzed.
- Microsoft security specialists: ongoing engagement with teams across Microsoft that work in specialized security fields, such as forensics and web attack detection.
- Detection tuning: algorithms are run against customer datasets, and security researchers work with customers to validate the results. True and false positives are used to refine the machine learning algorithms.
To read part 2, click here.