
Modern Security Operations Best Practices And Lessons Learned From The Microsoft Cyber Defence Operations Centre

Contents

  • 1. Security operations overview
      • The role of security operations
      • Business relationships
      • Typical security operations functions
  • 2. Modernising security operations
      • From reactive to proactive
      • Increasing visibility
      • Reducing the attack surface
      • Zero Trust and modern security operations
      • Protecting against insider threats
  • 3. Security operations best practices
  • 4. Final recommendations

Security operations overview

As security professionals, you know the threats to your environment are evolving and accelerating. Cyberattacks today are organised criminal endeavours. Cybercriminals share information with each other about what works and about vulnerabilities. They work to evolve their techniques as the technology evolves.

Cyberattacks are more than just an evolving technological threat. Trends like Ransomware-as-a-Service (RaaS) are part of an increasingly industrialised and sophisticated economy, where attackers who may not have the skill or technical wherewithal to develop their own tools can now manage ready-made penetration testing and sysadmin tools to perform attacks. These lower-level criminals can also simply buy network access from a more sophisticated criminal group that has already breached a perimeter, and with a successful ransomware and extortion attack, both parties profit.

As attackers continue to innovate, it’s imperative that security teams work to continually modernise their security operations to stay prepared for adversaries. This means addressing your technology stack to ensure you have protection and visibility across all attack vectors. But it also means assessing the processes of your team – is it able to protect, detect and respond to real threats quickly and accurately, or are team members overwhelmed with too much signal, and chasing false positives?

We’ve created this guide to help you modernise your security operations and protect your organisation in an evolving threat landscape.

Lessons learned from the Microsoft SOC

The learnings and best practices presented here are derived from conversations with Microsoft customers and from our own experience developing and maturing our Security Operations practices at Microsoft.

While it may seem surprising to some, the Microsoft Corporate IT SOC protects a cross-platform environment with a significant population of Windows, Linux and Macs running Microsoft and non-Microsoft software. Previously, this SOC operated a traditional SOC model similar to what we see in most organisations, and we faced the same set of natural challenges with the model:

  • Event volume – High volume and growth (on the scale of 20 billion events a day currently) exceeded the capacity of the on-premises SIEM to handle it.
  • Analyst overload – The static rulesets generated excessive amounts of false positive alerts that led to alert fatigue.
  • Poor investigation workflow – Investigation of events using the traditional on-premises SIEM was clunky and required manual queries and manual switching to different tools.

Our team knows what you’re dealing with because we’ve been there. Throughout this guide, we’ll share with you best practices and key lessons we’ve learned as we’ve worked to modernise our own security operations at Microsoft for both ourselves and our customers.
