If I were to attempt to capture the essence of why cyber security is so difficult, I think it would look something like this…
Cyber security relies on our ability to prioritise important work that few will notice, over urgent work demanded by many…
This description is incomplete, but it hints at a few of the reasons that contribute to the challenge:
It requires intentional leadership
The individual tasks are in conflict with immediate business priorities
Success is the absence of an event
When security measures do show up in the land of business staff, it’s often in mandatory training videos or annoying password and authentication restrictions. Unfortunately, there’s a reason that the last 5 podcasts I’ve listened to covering cyber security have jokingly referred to the CISO as the “king of ‘No’”.
With that context in mind, I’m sharing some notes today on a topic I’ve been asked about several times in the past few months - Microsoft Sentinel. This post definitely needs a health warning, in that I’m neither a cyber security expert, nor an expert in Sentinel specifically. I’m also not at liberty to disclose anything too specific about the systems we’re protecting. Hopefully this is a good starting point for discussions around in-house capabilities, and ways to develop them without blowing our entire IT budget on security services and tools.
Too many plates to spin…
We, like most trusts with an in-house IT team, are generalists. We lack the scale to build robust capabilities in discrete teams, and therefore whenever we have cause to investigate something in cyber-space, we’re probably dropping some urgent work that’s directly related to a business issue or project.
Microsoft 365 is, these days, pretty good at providing the logs needed for these investigations, but gathering them from across the various admin consoles is a laborious task, and correlating activity from various log sources stretches even my fluency with Excel. All of this work needs doing whilst the clock is ticking twice - once for the potential threat burrowing its way into the data that we’re doing our best to protect, and a second time for the business project that we’re delaying, much to the chagrin of our colleagues.
This friction isn’t just frustrating, it also leads to a less thorough investigation. If it’s difficult, our capacity to investigate is decreased.
So, how does Sentinel help…
Enter the SIEM…
Sentinel is a SIEM (Security Information and Event Management) platform with a bunch of SOAR (Security Orchestration, Automation and Response) features. At a simple level, you fire a load of logs from different parts of your digital world over to Sentinel, and then you can do cool stuff with them all from a single workspace.
Our start with Sentinel came courtesy of a project with Performanta and the excellent Marcus Burnap. I’d thoroughly recommend a read of his blog where he covers Sentinel with significantly more authority than I have any right to…
There’s very little technical work that we outsource, but Sentinel set-up is definitely one of those areas where I’d go to the experts. Thanks to their help, we were able to use the full 30-day trial to evaluate the functionality and the value, rather than just getting it working.
New capabilities, new skills
In a recent presentation to a group of IT professionals in Leeds, I shared a list of areas where I thought we needed to invest our time in learning. High on that list was KQL, which (for us) was the greatest immediate benefit of Sentinel. A quick crash course in the basics, and we could replicate hours’ worth of stitching together audit logs from various admin centres with a single query. Queries are re-usable, and allow us to pivot quickly from evaluating account activity to IP addresses, user agents, link clicks and more. I’m not exaggerating when I say that work that used to take hours was now done in about 10 minutes.
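As an added illustration of the kind of single-query pivot described above (this is example code written for this post, not a query from the original article or from Performanta’s deployment), the KQL below starts from one account, collects the IP addresses and user agents it signed in with, then asks which other accounts and which Microsoft 365 operations came from those same addresses. It assumes the standard Sentinel tables SigninLogs and OfficeActivity are being ingested; the account name and the 7-day window are placeholders to replace during a real investigation.

```kql
// Added example, not from the original post: one KQL query that stitches
// Entra ID sign-in logs and Microsoft 365 audit logs around a single account.
// Assumptions: SigninLogs and OfficeActivity are ingested into the workspace;
// the UPN and the lookback window below are placeholders.
let suspect = "user@example.org";   // placeholder account under review
let window  = 7d;
// Step 1: every IP address and user agent the account signed in with
let suspectIPs = SigninLogs
    | where TimeGenerated > ago(window)
    | where UserPrincipalName =~ suspect
    | summarize SignIns = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                UserAgents = make_set(UserAgent, 10), Apps = make_set(AppDisplayName, 10)
              by IPAddress;
// Step 2: which other accounts signed in from the same IPs (shared infrastructure
// is a common sign of one actor working several mailboxes)
let otherAccounts = SigninLogs
    | where TimeGenerated > ago(window)
    | where IPAddress in (suspectIPs | project IPAddress)
    | where UserPrincipalName !~ suspect
    | summarize OtherUsers = make_set(UserPrincipalName, 20) by IPAddress;
// Step 3: what those IPs actually did in Exchange, SharePoint and OneDrive.
// OfficeActivity sometimes records IPv4 clients as "address:port", so strip a
// trailing port before matching (IPv6 values are left untouched).
let officeOps = OfficeActivity
    | where TimeGenerated > ago(window)
    | extend NormalisedIP = replace_regex(ClientIP, @"^(\d+\.\d+\.\d+\.\d+):\d+$", @"\1")
    | where NormalisedIP in (suspectIPs | project IPAddress)
    | summarize Operations = make_set(Operation, 20), Workloads = make_set(OfficeWorkload, 5),
                OpCount = count()
              by IPAddress = NormalisedIP;
// Stitch the three views together: one row per IP address the account used
suspectIPs
| join kind=leftouter otherAccounts on IPAddress
| join kind=leftouter officeOps on IPAddress
| project IPAddress, FirstSeen, LastSeen, SignIns, Apps, UserAgents, OtherUsers, Workloads, Operations, OpCount
| order by LastSeen desc
```

Each `let` block is a view you would previously have exported from a separate admin centre; changing the first line to a different account, or swapping the starting point for an IP address or user agent, is the “pivot” the post refers to. Link-click data (Defender for Office 365) is not included here because it depends on which connectors are enabled in a given tenant.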
The second benefit is the more advanced alerting that came with the set-up that was done for us. We now have much more sophisticated alerting than is provided for within Entra ID, and have responded to and remediated incidents that I’m not sure we’d have previously caught at all.
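To give a concrete sense of what “more sophisticated than Entra ID’s built-in alerting” can mean in practice, here is an added example of a scheduled analytics rule query (written for this post; it is not one of the rules deployed for the author). It correlates two things Entra reports separately: a burst of failed sign-ins for many different accounts from one IP address, followed by a successful sign-in from that same address within the hour. It assumes only the standard SigninLogs table; the thresholds are assumptions and should be tuned to a tenant’s own baseline.

```kql
// Added example of a scheduled analytics rule query, not from the original post.
// Flags an IP address that failed sign-ins for many distinct accounts and then
// succeeded for at least one account in the same window.
// Assumptions: SigninLogs is ingested; thresholds below are starting points only.
let lookback = 1h;
let minDistinctUsers = 10;   // distinct accounts that failed from one IP
let minFailures = 25;        // total failures from that IP
// ResultType "0" is a successful sign-in; "50126" is invalid username or password
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "50126"
    | summarize Failures = count(), FailedUsers = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated), LastFailure = max(TimeGenerated)
              by IPAddress
    | where FailedUsers >= minDistinctUsers and Failures >= minFailures;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize SucceededUsers = make_set(UserPrincipalName, 20),
                FirstSuccess = min(TimeGenerated)
              by IPAddress;
failures
| join kind=inner successes on IPAddress
| where FirstSuccess > FirstFailure       // success came after the failures began
| project IPAddress, FirstFailure, LastFailure, Failures, FailedUsers, FirstSuccess, SucceededUsers
```

When this is saved as a scheduled rule, run it on the same cadence as the lookback (here hourly) and map IPAddress and the first entry of SucceededUsers to the rule’s IP and Account entities, so that the resulting incident already carries the affected account for the responder. Shared NAT addresses (a school site, a VPN concentrator) will trip the distinct-user threshold on a normal Monday morning, which is exactly why the thresholds need tuning before the rule is trusted.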
These two areas are barely scratching the surface of what Sentinel can do, and we’re gradually extending our exploration of the functionality, and other log sources to improve the contextual understanding.
Costs & closing thoughts
Cyber security tools have a reputation for costing £££, and most vendors just don’t seem to be pitching at a place that Education technology budgets can access, but I think this was the greatest surprise for us. After the optimisation work done during our set-up process, we’re ingesting far less billable data than I had feared. For us, the costs pay for themselves in technical capacity released for other work, including other security projects, and there are further improvements to come once we explore some more functionality in the near future.
There are a number of log sources that you can ingest for free, and with A5 licensing, if you have it, you get an additional ingestion allowance per user. Even if there’s no chance of any budget for anything more than that, I’d certainly spend the time to get the free log sources set up.
If you can find a fairly humble amount of cash, I’d genuinely recommend a pilot similar to the one that we started with. If that’s the only time you bring in external support, then you’ll have made several months’ worth of technical progress in a few days, and can use that as an accelerator to get value out of your new tools far quicker than doing the set-up in house.
Roughly 12 months ago, I wrote a note that said we as a sector had the guidance we needed and it was time for action (you can read that post below). If our experience here is representative then it’s also true that the tools are much better, and much more accessible, than one might think.