One Place - Dashboards, Insights, Connectors & Analytics that enable Security Democratization


Security democratization empowers xOps teams to take ownership of their security posture and to collaborate across different domains and platforms. This blog post shows how to combine DevOps methods with security democratization using a tool such as Security Insight, which automates the deployment and management of Microsoft Sentinel. The result is dashboards, insights and analytics all driven from data connectors, irrespective of whether the workloads are cloud, on-prem, SaaS or hybrid, while each team keeps data sovereignty in its own Azure tenant.

Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that collects data from various sources and applies advanced analytics and artificial intelligence to detect and respond to threats. Security Insight and Microsoft Sentinel together give xOps teams one place to view all security detection and response and to customise their view according to their role and needs. For example, xOps teams can use Microsoft Sentinel to investigate alerts and incidents, a security engineer can use it to create and manage rules and playbooks, a security manager can use it to monitor the overall security posture and compliance, and a business stakeholder can use it to get reports and insights on security performance and value.

One of the key features of Microsoft Sentinel is the ability to use PowerBI for reporting and trending. PowerBI is a business intelligence tool that allows users to create interactive dashboards and visualisations from various data sources. PowerBI integrates seamlessly with Microsoft Sentinel and enables xOps teams to create custom reports and dashboards that suit their specific needs and preferences. For example, a PowerBI dashboard can show the number of alerts and incidents by severity, source, status, and time; the distribution of threats by type, category, and location; the trends of security metrics such as mean time to detect (MTTD), mean time to respond (MTTR), mean time to remediate (MTTR), and risk score; and the comparison of security performance against benchmarks and goals.

One of the key benefits of using PowerBI with Microsoft Sentinel is that security detection and response can be democratized while still applying least privilege. With PowerBI, xOps teams do not require direct access to Microsoft Sentinel, which reduces the risk of unauthorised or accidental changes or exposures. Instead, xOps teams access the data and insights they need through PowerBI dashboards whose publication is controlled by pipeline permissions. Pipeline permissions are a feature of Azure DevOps that allow users to grant or deny access to specific resources or actions based on roles, groups, or conditions. They let xOps teams implement the principle of least privilege and ensure that only authorised users can access or modify sensitive data or resources.

Another benefit of using DevOps methods with security democratization is the ability to automate the deployment and destruction of instances and content of Microsoft Sentinel for different teams and environments. Automation is a key aspect of DevOps that enables xOps teams to increase efficiency, reliability, consistency, and scalability. Automation also helps xOps teams to reduce human errors, manual efforts, and operational costs. By using automation tools such as Security Insight, xOps teams can quickly deploy and destroy instances of Microsoft Sentinel for different purposes such as sandbox, dev, UAT, and production. This allows xOps teams to test new features or configurations in isolated environments before applying them to production. It also allows xOps teams to remove unused or outdated instances of Microsoft Sentinel when they are no longer needed.

Automation also helps xOps teams to separate security platform engineering from security content engineering for effective detection and response. Security platform engineering is the process of designing, building, deploying, managing, and maintaining the security infrastructure such as Microsoft Sentinel. Security content engineering is the process of creating, updating, testing, validating, and tuning the security content such as rules, playbooks, queries, reports and dashboards. By using automation tools such as Azure DevOps pipelines or GitHub Actions workflows along with Security Insight, xOps teams can keep these two processes separate and ensure that both follow practices such as version control, code review, testing, validation, and approval. This maintains separation of duties between security and xOps teams, improves security posture awareness, and reduces the mean time to remediation of security vulnerabilities and threats.

Finally, automation also helps xOps teams to show where the organisation as a whole sits relative to its risk appetite, with the ability to drill into hot spots and trends. By using automation tools such as Azure Monitor alerts or Logic Apps triggers, xOps teams can create notifications and actions based on predefined thresholds or conditions. For example, an automation tool can send an email or a message to a relevant stakeholder or team when a security metric or a risk score exceeds or falls below a certain value. It can also initiate a remediation action such as running a playbook or a script to mitigate or resolve a security issue. With these tools in place, xOps teams know the current security status and can respond quickly and effectively to any changes or incidents.
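As an added example (not code from the original post or from Security Insight), the following Python shows the two ideas above end to end: it computes the MTTD and MTTR trend metrics described in the PowerBI paragraph from Sentinel-style incident records, then evaluates each team against risk-appetite thresholds and formats the notification an Azure Monitor alert or Logic App would deliver. The incident records and thresholds are constructed sample data; column names follow Sentinel's SecurityIncident table, but the `Team` attribute and the threshold values are assumptions for this example.

```python
"""Per-team MTTD / MTTR metrics with risk-appetite threshold checks (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample incidents. FirstActivityTime/CreatedTime/ClosedTime follow
# Sentinel's SecurityIncident columns; "Team" is an assumed attribution field.
INCIDENTS = [
    {"IncidentNumber": 101, "Team": "AppOps", "Severity": "High", "Status": "Closed",
     "FirstActivityTime": "2024-03-01T08:00:00", "CreatedTime": "2024-03-01T09:00:00",
     "ClosedTime": "2024-03-01T15:00:00"},
    {"IncidentNumber": 102, "Team": "AppOps", "Severity": "Medium", "Status": "Closed",
     "FirstActivityTime": "2024-03-02T10:00:00", "CreatedTime": "2024-03-02T12:00:00",
     "ClosedTime": "2024-03-03T12:00:00"},
    {"IncidentNumber": 103, "Team": "CloudOps", "Severity": "High", "Status": "New",
     "FirstActivityTime": "2024-03-03T01:00:00", "CreatedTime": "2024-03-03T09:00:00",
     "ClosedTime": None},
    {"IncidentNumber": 104, "Team": "CloudOps", "Severity": "High", "Status": "Active",
     "FirstActivityTime": "2024-03-03T02:00:00", "CreatedTime": "2024-03-03T08:00:00",
     "ClosedTime": None},
    {"IncidentNumber": 105, "Team": "CloudOps", "Severity": "Low", "Status": "Closed",
     "FirstActivityTime": "2024-03-04T00:00:00", "CreatedTime": "2024-03-04T00:30:00",
     "ClosedTime": "2024-03-04T04:30:00"},
]

# Constructed risk-appetite thresholds: hours for the time metrics, a count for open highs.
THRESHOLDS = {"mttd_hours": 4.0, "mttr_hours": 24.0, "open_high_max": 1}


def team_metrics(incidents):
    """Return {team: {"mttd_hours", "mttr_hours", "open_high"}}.

    MTTD = mean(CreatedTime - FirstActivityTime) over all incidents.
    MTTR = mean(ClosedTime - CreatedTime) over closed incidents (None if none closed).
    """
    by_team = defaultdict(list)
    for inc in incidents:
        by_team[inc["Team"]].append(inc)
    out = {}
    for team, incs in by_team.items():
        detect = [(_t(i["CreatedTime"]) - _t(i["FirstActivityTime"])).total_seconds() / 3600
                  for i in incs]
        closed = [i for i in incs if i["ClosedTime"] is not None]
        respond = [(_t(i["ClosedTime"]) - _t(i["CreatedTime"])).total_seconds() / 3600
                   for i in closed]
        open_high = sum(1 for i in incs if i["ClosedTime"] is None and i["Severity"] == "High")
        out[team] = {
            "mttd_hours": mean(detect),
            "mttr_hours": mean(respond) if respond else None,
            "open_high": open_high,
        }
    return out


def evaluate(metrics, thresholds):
    """Return breaches as (team, metric, value, limit) tuples; these are the hot spots."""
    breaches = []
    for team, m in metrics.items():
        if m["mttd_hours"] > thresholds["mttd_hours"]:
            breaches.append((team, "mttd_hours", m["mttd_hours"], thresholds["mttd_hours"]))
        if m["mttr_hours"] is not None and m["mttr_hours"] > thresholds["mttr_hours"]:
            breaches.append((team, "mttr_hours", m["mttr_hours"], thresholds["mttr_hours"]))
        if m["open_high"] > thresholds["open_high_max"]:
            breaches.append((team, "open_high", m["open_high"], thresholds["open_high_max"]))
    return breaches


def notification(breaches):
    """Format the message a threshold alert would send to the responsible stakeholders."""
    if not breaches:
        return "All teams within risk appetite."
    lines = [f"{team}: {metric}={value:.1f} exceeds limit {limit}"
             for team, metric, value, limit in breaches]
    return "Risk appetite breached:\n" + "\n".join(lines)


if __name__ == "__main__":
    print(notification(evaluate(team_metrics(INCIDENTS), THRESHOLDS)))
```

In a real deployment the incident rows would come from a scheduled Log Analytics query rather than an inline list, and `notification` would hand its text to the alert action group or Logic App; the metric and threshold logic stays the same.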

In conclusion, security democratization is a powerful concept that enables xOps teams to take charge of their security posture and to collaborate across different domains and platforms. By combining DevOps methods with security democratization, using a tool such as Microsoft Sentinel with Security Insight, xOps teams get dashboards, insights and analytics all driven from data connectors, irrespective of whether the workloads are cloud, on-prem, SaaS or hybrid, while each team keeps data sovereignty in its own Azure tenant. By using PowerBI for reporting and trending, xOps teams can apply the principle of least privilege and access the data and insights they need without direct access to Microsoft Sentinel. By automating deployment and destruction, xOps teams can separate security platform engineering from security content engineering and improve their efficiency, reliability, consistency, and scalability. By automating notification and action, xOps teams can improve their security posture awareness and reduce their mean time to remediation of security vulnerabilities and threats. Taken together, DevOps methods and security democratization give xOps teams One Place to view all security detection and response and to customise their view according to their role and needs.
