Why Migrate from a Legacy SIEM to Microsoft Sentinel?
Security operations center (SOC) teams use centralized security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions to protect their increasingly decentralized digital estate. While legacy SIEMs can maintain good coverage of on-premises assets, on-premises architectures may have insufficient coverage for cloud assets, such as in Azure and other hyper-scaler cloud platforms. In contrast, Microsoft Sentinel can ingest data from both on-premises and cloud assets, ensuring coverage over the entire estate. SOC teams face a set of challenges when managing a legacy SIEM:
- Slow response to threats. Legacy SIEMs use correlation rules, which are difficult to maintain and ineffective for identifying emerging threats. In addition, SOC analysts are faced with large amounts of false positives, many alerts from many different security components, and increasingly high volumes of logs. Analyzing this data slows down SOC teams in their efforts to respond to critical threats in the environment.
- Scaling challenges. As data ingestion rates grow, SOC teams are challenged with scaling their SIEM. Instead of focusing on protecting the organization, SOC teams must invest in infrastructure setup and maintenance, and are bound by storage or query limits.
- Manual analysis and response. SOC teams need highly skilled analysts to manually process large amounts of alerts. SOC teams are overworked and new analysts are hard to find.
- Complex and inefficient management. SOC teams typically oversee orchestration and infrastructure, manage connections between the SIEM and various data sources, and perform updates and patches. These tasks are often at the expense of critical triage and analysis.
A cloud-native SIEM addresses these challenges. Microsoft Sentinel collects data automatically and at scale, detects unknown threats, investigates threats with artificial intelligence, and responds to incidents rapidly with built-in automation.
Our Approach:
Our goal is to simplify and streamline the deployment of Microsoft Sentinel, while prioritizing what is migrated through an intentional and thoughtful process, so you can get up and running as soon as possible. Our consulting service is customized based on your needs and on average takes 2-4 weeks to migrate to Microsoft Sentinel.
Discovery
We conduct a discovery to better understand the current state of your SIEM. We collect monitoring and alerting use cases and requirements.
- Identify requirements and detailed use cases.
- Identify and document your existing automation, remediation, and alerting tools and processes.
- Identify your existing SOC processes, including investigation, automation, and remediation.
- Identify critical security assets.
- Assess existing security portfolio.
- Identify integrations with IT service management (ITSM), threat intelligence, and automation.
Design
We create a comprehensive design that aligns with your current security portfolio and existing data sources.
- Design integration of Microsoft and third-party sources.
- Map rules to Sentinel built-in rules.
- Map dashboards to Sentinel workbooks.
- Map automation to Sentinel playbooks.
- Design custom alerting for Sentinel.
- Map existing SOC processes to Sentinel features.
- To migrate historical logs, we review the available target platforms and data ingestion tools.
Implementation
Implement the design: integrate the data sources that will connect to Microsoft Sentinel and verify that Microsoft Sentinel works as designed.
- Connect Microsoft sources, cloud logs (AWS/GCP), network devices, and third-party security solutions.
- Deploy Azure Monitor Agent to collect logs from VMs (Windows/Linux) and network devices.
- Review your MITRE ATT&CK coverage.
- Implement automation via Azure Logic Apps.
- Convert remaining rules to Sentinel rules.
- Deploy/create playbooks and automation rules.
- Deploy playbooks for ITSM platforms, SOAR, and threat intelligence platform integration.
- Deploy workbooks and convert dashboards to workbooks.
- Review SOC operations migration best practices.
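As an added illustration (not part of this page or of the service offering described here), this is what a converted rule typically looks like: a legacy "many failed sign-ins from one source IP" correlation rule rewritten as the query of a Microsoft Sentinel scheduled analytics rule in KQL. SigninLogs, ResultType, UserPrincipalName and IPAddress are standard Sentinel columns for Microsoft Entra ID sign-in logs; the 20-failure threshold, the 1-hour lookback and the 10-minute window are constructed values that must be tuned to each environment.

```kql
// Added example, not from the original page: legacy correlation rule
// "N failed logons from one IP in a short window" expressed for Sentinel.
// Threshold and windows below are constructed tuning values.
let lookback = 1h;
let threshold = 20;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"          // ResultType "0" is a successful sign-in; anything else failed
| summarize FailedCount = count(),
            Accounts = make_set(UserPrincipalName, 50),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by IPAddress, bin(TimeGenerated, 10m)
| where FailedCount >= threshold
| extend AccountCount = array_length(Accounts)   // many accounts from one IP suggests spraying
| project TimeGenerated, IPAddress, FailedCount, AccountCount, Accounts, FirstSeen, LastSeen
```

When this query is saved as a scheduled analytics rule, the run frequency, query period and entity mapping (IPAddress as the IP entity, Accounts as account entities) are set on the rule itself rather than in the query, and the resulting alerts can be grouped into incidents and routed to a Logic Apps playbook for the ITSM or enrichment integrations listed above.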
Operationalize
Operationalize Microsoft Sentinel Investigation and Response within existing security monitoring, alerting, and incident response.
- Assist with refining monitoring and alerting processes.
- Assist with security incident management processes.
- Assist with triage/investigation processes.
- Assist with refinement of alerting use cases.
- Define SOC processes based on the mapping done in the design phase.