Implementing A New Microsoft Sentinel Solution (part 2)

 







To read part 1, please click here
To read part 3, please click here
To read part 4, please click here









Design Planning

Architectural Planning & Considerations

Some of the factors that can majorly affect the initial architecture used for the deployments of new Microsoft Sentinel instances or the migration from the existing SIEM platforms, are as follows:
  • Data Residency Requirements- Organizations may have certain compliance restrictions regarding logged data (which are not always very clear) depending on the type of business and customer residency. They can also choose local regions according to the charges as well as the available resources in order to avoid any kind of complications due to the legislation changes or auditing processes. Regions like East U.S. can offer a significant cost advantages as compared to the other regions.

  • Number of Azure Active Directory Tenants- As Azure AD offers Identity and Access Management (IAM) capabilities to the applications and resources of an organization, they can  have single or multiple Active Directory tenant in order to authenticate and authorize an access to a resource. 

  • Number of Azure Subscriptions- Although a single Microsoft Sentinel instance can easily integrate data from from multiple subscriptions, some security solutions might have restrictions on their logging capabilities to limit the sending of logging/diagnostics data to different subscriptions. However, Microsoft Sentinel can be easily deployed in the existing or in its own subscription without any implications for its functionality; and if it's deployed in multiple subscriptions they can be easily managed centrally via regular assignment of Azure Active Directory roles.

  • Number of Azure Resource Group- A resource group can be termed as a container that can hold related resources for an Azure solution. Although generally a single resource group is more than enough, but sometimes the full solution may span multiple resource groups. 

  • Distribution of Azure PaaS Resources- As there is no cost for the traffic spanning between Azure PaaS regions while non-Azure environments incurs a bandwidth cost, the preferred location should be in the region having the majority of log-generating Azure resources. 

  • Data Segregation Requirements- As stated above, some organizations have strict requirements regarding the accessibility of the logging data between different business units, a single Microsoft Sentinel unit may work for these types of logging data's permissions; however, in order to gain full isolation, a dedicated Microsoft Sentinel instance will prove to be more suitable. 

  • Complex Organizational Structures- As an SIEM can prove to be an expensive security control, the multiple business units generally contribute to the overall expense which leads to the requirement of different levels of access to specific dashboards or sets of data by various organizational units.

  • Role-Based Access Control (RBAC) Requirements- Microsoft Sentinel offers a long list of Azure built-in roles that can provide granular access according to the job requirements and permitted level of access. 

  • Ingestion of Operational Logs versus Security Logs- Since organizations may also accumulate performance as well as operational logs for monitoring and day-to-day operational analytics purposes, these data may overlap with the security-related logging data for which Microsoft Sentinel will cost additionally to this full set of data, hence it's recommended to separate them. However, some organizations also consider that the extra visibility or correlation across the whole data set justifies the additional expense. 

  • Estimation of Log Ingestion Volume & Pricing Model- It is very difficult to know about the future log ingestion as organizations either generally try to include many new log sources that are not included in prior SIEM solution, or try to include the full range of logs from the existing log sources that were previously only logging partially or not at all.  

Architecture Design Output

In the end, the following items should be decided and documented before concluding a high-level design phase:
  • Azure region used for the Microsoft Sentinel Log Analytic Workspace(s).
  • Azure subscription, resource group, and log analytics workspace along with the naming convention and tags. 
  • Azure AD groups and the RBAC to be applied to each.
  • Log sources in scope (on-premises, Cloud, SaaS).
  • Microsoft Sentinel data connectors to be developed (if any).
  • Custom data connectors to be developed (if any).
  • On-premises syslog collectors.
  • Initial list of used cases to be implemented.
  • Internet/VPN/LAN/WAN connectivity between log sources and Microsoft Sentinel.
  • Estimated log ingestion volume (GB/day).
  • Data retention policy (in days or months).
  • Pricing model vs reserved capacity, depends upon the estimated log ingestion volume. 












To read part 1, please click here
To read part 3, please click here
To read part 4, please click here











































































































Comments

Popular posts from this blog

Deployment (Part 3)

Project Resourcing (Part 2)

Design Planning (Part 3)