How to pitch Hybrid security monitoring
Updated: Apr 2, 2022
About Alif : Alif empowers Microsoft MSP-CSP partners to provide exceptional IT services to their clients to ensure that the partners reduce their costs and focus on their business. We provide white-labelled managed services for technologies like Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, Microsoft Security, SharePoint, Power Platform, SQL, Azure DevOps and a lot more. Our headquarter is in Pune, India whereas we work with over 50 partners across the globe that trust us with their client delivery.
How to pitch Hybrid security monitoring -
This reference architecture illustrates how to use Microsoft Defender for Cloud and Microsoft Sentinel to monitor the security configuration and telemetry of on-premises and Azure operating system workloads. This includes Azure Stack.
Potential use cases -
Typical uses for this architecture include:
Best practices for integrating on-premises security and telemetry monitoring with Azure-based workloads
How to integrate Microsoft Defender for Cloud with Azure Stack
How to integrate Microsoft Defender for Cloud with Microsoft Sentinel
Architecture Components -
The architecture consists of the following workflow :
Microsoft Defender for Cloud : This is an advanced, unified security-management platform that Microsoft offers to all Azure subscribers. Defender for Cloud is segmented as a cloud security posture management (CSPM) and cloud workload protection platform (CWPP). CWPP is defined by workload-centric security protection solutions, which are typically agent-based. Microsoft Defender for Cloud provides threat protection for Azure workloads, both on-premises and in other clouds, including Windows and Linux virtual machines (VMs), containers, databases, and Internet of Things (IoT). When activated, the Log Analytics agent deploys automatically into Azure Virtual Machines. For on-premises Windows and Linux servers and VMs, you can manually deploy the agent, use your organization's deployment tool, such as Microsoft Endpoint Protection Manager, or utilize scripted deployment methods. Defender for Cloud begins assessing the security state of all your VMs, networks, applications, and data.
Microsoft Sentinel : Is a cloud-native Security Information and Event Management (SIEM) and security orchestration automated response (SOAR) solution that uses advanced AI and security analytics to help you detect, hunt, prevent, and respond to threats across your enterprise.
Azure Stack : Is a portfolio of products that extend Azure services and capabilities to your environment of choice, from the datacenter to edge locations and remote offices. Systems that you integrate with Azure Stack typically utilize racks of four to sixteen servers, built by trusted hardware partners and delivered straight to your datacenter.
Azure Monitor : Collects monitoring telemetry from a variety of on-premises and Azure sources. Management tools, such as those in Microsoft Defender for Cloud and Azure Automation, also push log data to Azure Monitor.
Log Analytics workspace : Azure Monitor stores log data in a Log Analytics workspace, which is a container that includes data and configuration information.
Log Analytics agent : The Log Analytics agent collects monitoring data from the guest operating system and VM workloads in Azure, other cloud providers, and on-premises. The Log Analytics Agent supports Proxy configuration and, typically in this scenario, a Microsoft Operations Management Suite (OMS) Gateway acts as proxy.
On-premises network : This is the firewall configured to support HTTPS egress from defined systems.
On-premises Windows and Linux systems : Systems with the Log Analytics Agent installed.
Azure Windows and Linux VMs : Systems on which the Microsoft Defender for Cloud monitoring agent is installed.
The following recommendations apply for most scenarios. Follow these recommendations unless you have a specific requirement that overrides them.
Microsoft Defender for Cloud upgrade -
This reference architecture uses Microsoft Defender for Cloud to monitor on-premises systems, Azure VMs, Azure Monitor resources, and even VMs hosted by other cloud providers. To support that functionality, the standard fee-based tier of Microsoft Defender for Cloud is needed. We recommend that you use the 30-day free trial to validate your requirements.
Customized Log Analytics Workspace -
Microsoft Sentinel needs access to a Log Analytics workspace. In this scenario, you can't use the default Defender for Cloud Log Analytics workspace with Microsoft Sentinel. You'll need to create a customized workspace. Data retention for a customized workspace is based on the workspace pricing tier, and you can find pricing models for Monitor Logs here.
Microsoft Defender for Cloud roles – Defender for Cloud assesses your resources' configuration to identify security issues and vulnerabilities, and displays information related to a resource when you are assigned the role of owner, contributor, or reader for the subscription or resource group to which a resource belongs.
In addition to these roles, there are two specific Defender for Cloud roles :
Security Reader. A user that belongs to this role has read only rights to Defender for Cloud. The user can observe recommendations, alerts, a microsoft security policy, and security states, but can't make changes.
Security Admin. A user that belongs to this role has the same rights as the Security Reader, and also can update security policies, and dismiss alerts and recommendations. Typically, these are users that manage the workload.
The security roles, Security Reader and Security Admin, have access only in Defender for Cloud. The security roles don't have access to other Azure service areas, such as storage, web, mobile, or IoT.
Microsoft Sentinel subscription –
To enable Microsoft Sentinel, you need contributor permissions to the subscription in which the Microsoft Sentinel workspace resides.
To use Microsoft Sentinel, you need contributor or reader permissions on the resource group to which the workspace belongs.
Microsoft Sentinel is a paid service.
Scalability considerations -
The Log Analytics Agent for Windows and Linux is designed to have very minimal impact on the performance of VMs or physical systems.
Microsoft Defender for Cloud operational process won't interfere with your normal operational procedures. Instead, it passively monitors your deployments and provides recommendations based on the security policies you enable.
A security policy defines the set of controls that are recommended for resources within a specified subscription. In Microsoft Defender for Cloud, you define policies for your Azure subscriptions according to your company's security requirements and the type of applications or data sensitivity for each subscription.
The security policies that you enable in Microsoft Defender for Cloud drive security recommendations and monitoring. To learn more about security policies. You can assign security policies in Microsoft Defender for Cloud only at the management or subscription group levels.
Cost considerations –
Microsoft Defender for Cloud Standard tier.
Azure Monitor workspace offers granularity of billing.
Microsoft Sentinel is a paid service.