Microsoft Sentinel in Action

You're reading from Microsoft Sentinel in Action: Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions

Product type: Paperback
Published in: Feb 2022
Publisher: Packt
ISBN-13: 9781801815536
Length: 478 pages
Edition: 2nd Edition
Authors (2): Richard Diver, Gary Bushey

SOC platform components

As described earlier, the SOC platform includes a range of technologies to assist with the proactive and reactive procedures carried out by various teams. Each of these solutions should help the SOC analysts to perform their duties at the most efficient level to ensure a high degree of protection, detection, and remediation.

The core components of the SOC include log management and SIEM, SOAR, vulnerability management, threat intelligence, and incident response. All these components are addressed by the deployment of Microsoft Sentinel. Additional solutions will be required, and integrated, for other SOC platform capabilities such as intrusion prevention/detection, file integrity monitoring, and disaster recovery.

An SOC deployment using Microsoft Sentinel comprises the following components:

  • Azure Monitor Log Analytics workspaces are created for data collection and analysis. These were originally created to provide a cloud-scale log management solution for both cloud-based and physical data center-based workloads. Once the data is collected, a range of solutions can then be applied to analyze the data for health, performance, and security considerations. Some solutions were created by Microsoft, and others were created by partners.
  • Microsoft Sentinel was developed to address the need for a cloud-native solution as an alternative to the existing server-based SIEM solutions that have become a mainstay of security and compliance over the last decade. Microsoft Sentinel is built upon the existing services of Azure Monitor and Log Analytics. It is also integrated with other services such as Logic Apps and Azure Data Explorer.

    The popularity of cloud services provides some key advantages, including reduced storage costs, rapidly scalable compute, automated service maintenance, and continuous improvement as Microsoft creates new capabilities based on customer and partner feedback.

    One of the immediate benefits of deploying Microsoft Sentinel is rapid enablement without the need for costly investment in the supporting infrastructure, such as servers, storage, and complex licensing. The Microsoft Sentinel service is charged based on data consumption, per gigabyte per month. This allows the initial deployment to start small and grow as needed until full-scale deployment and maturity can be achieved.

    Ongoing maintenance is also simplified as there are no servers to maintain or licenses to renew. You will want to ensure regular optimization of the solution by reviewing the data ingestion and retention for relevance and suitability. This will keep costs reasonable and improve the quality of data used for threat hunting.

  • Logic Apps provides integration with a vast array of enterprise solutions, ensuring workflows are connected across the multiple cloud platforms and to existing on-premises solutions. This is a core part of the integration and automation (SOAR) capabilities of the platform.

Logic Apps is a standards-based solution that provides a robust set of capabilities. You can also use third-party SOAR solutions if you have already invested in one of those platforms.
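Because Microsoft Sentinel is billed per gigabyte ingested, the periodic review of data ingestion mentioned above is usually the first optimization task. The following KQL query, added here as an illustration and not taken from the book, runs in the Log Analytics workspace against the built-in Usage table, which records ingested volume in megabytes, and ranks billable data sources by volume over the last 30 days:

```kusto
// Added example: billable ingestion per table over the last 30 days.
// Usage.Quantity is recorded in MB; dividing by 1024 gives GB.
// The 30-day divisor assumes the workspace has at least 30 days of data.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize TotalGB = round(sum(Quantity) / 1024, 2),
            AvgDailyGB = round(sum(Quantity) / 1024 / 30, 2)
  by Solution, DataType
| order by TotalGB desc
```

Tables that sit near the top of this list but are rarely referenced by analytic rules or hunting queries are the candidates for filtering at the source or for a shorter retention period.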

The SOC platform components are a starting point, but there may be several other services you will want to deploy in your SOC implementation. In the next section, we will look at an approach to mapping the SOC architecture's current state and requirements.
