Q&A: Building a CSOC on Microsoft security technologies

Originally founded as a Managed Services Provider (MSP) in 1999, in the past few years we have evolved our services and heavily invested to build an advanced Cyber Security Operations Centre (CSOC) so that we can help UK organisations stay protected from modern threats.

Building a CSOC is no simple feat, which is why many organisations decide to partner with an MSSP so that they can benefit from cost-effective access to a CSOC. This takes away the heavy upfront investment and ongoing operational challenges – such as recruitment, training, personnel management, process establishment, technical architecture, etc – whilst ensuring 24/7 managed detection and response (MDR).

Underpinning any CSOC are three key elements: people, processes, and technology. In this Q&A article, we want to explore the ‘technology’ element to discuss our decision to use Microsoft security technologies for our CSOC architecture and share our reasons for this choice.

For this Q&A we’re talking with Mark Taylor, CTO at Chorus who originally founded the company in 1999.

Why were Microsoft technologies chosen for the Chorus CSOC architecture?

We’ve been working closely with Microsoft for many years, so we’ve been able to see up close the transition over the last 5-10 years into a very strong Cyber Security services provider. Because Microsoft are one of the largest public cloud providers in the world and trusted by many organisations with their data, they’ve had to develop exceptionally strong security. I know the quoted figures used to be $1billion invested annually but Microsoft have now announced they will be investing $20billion over the next five years. The security solutions that they develop are for first- and third-party use, meaning they are used both internally to protect their own data and externally, providing technologies to protect their customers and partners.

The other key strength is the sheer telemetry and intelligence that Microsoft have access to. Being able to detect threats rapidly all comes down to this level of intelligence and big data – and the visibility and signals (24 trillion daily) that Microsoft receive is unmatched.

It also goes beyond just threat detection. With Microsoft, new or emerging threats once identified from all their signals are then blocked and protected against in real-time. As most organisations are using Microsoft 365 for their end user productivity software, using security technologies that are built into these services ties further intelligence into the software and reduces complexity. With fewer vendors and greater insights, you gain an integrated approach to security with deeper capabilities. Using the technologies in Microsoft 365 Defender means you can track threats if they travel anywhere across your environment – and more importantly, you can ideally shorten the time to assess and deal with them.

What are the benefits to customers?

Because the security toolset is being delivered by the same company that is hosting your end user estate and data, you have the unique ability to benefit from integrated remediation. For example, if malware was found in an email and affected different users and endpoints, you could – within one view – identify where the threats has gone, who has been impacted and quickly remove it across the affected inboxes and endpoints. Third party services struggle to achieve the same security visibility and analytics don’t have the same degree of access to directly remove a threat like this. The important piece here is making sure that all the technologies are configured correctly. So, for me, while the detection capabilities are excellent, it’s the response piece that really stands out and I don’t think there are many other offerings that come close to this end-to-end, integrated approach.

Of course, there can often be a very simple benefit to customers too, which is cost. I’ve spoken to many organisations that have bought Microsoft 365 – even the full E5 licence – but haven’t deployed the security technologies and yet pay for third-party tools as well. Implementing these solutions can remove these third-party costs and bring that benefit of integrated remediation. For organisations considering Microsoft Sentinel (formerly Azure Sentinel) there is an additional benefit where many Microsoft sources are ingested free of charge – so the more you use Microsoft 365 Defender and move to the cloud, the less your SIEM ingestion costs are.

What is Microsoft doing that excites you most in security?

Good security today is based on big data – you must have huge quantities of data to be able to determine what is an anomaly. But this is also a downside – you have vast quantities of data to trawl through. Today, the answer to that are capabilities like machine learning, powerful analysis and automated responses– all of which reduce alert noise so only high-value threats and alerts come through rather than hundreds or thousands of alerts. For me, the most exciting thing about Microsoft’s security offerings is that these toolsets have been built with all these concepts in mind from day one and are designed to do this extremely well.

As an example – Microsoft recently published an article about the NOBELIUM attack. They outlined the Indicators of Compromise (IOCs) – it took us very little time at all to take these IOCs, load them into Microsoft Sentinel and then instantly all of our customers were better positioned to detect and deal with the threat. Because of how Sentinel works, this is constantly being scanned for and requires no manual intervention.

All these capabilities – machine learning, automation – are focused on reducing alert noise and Microsoft’s toolset enables our CSOC team to very effectively prioritise high risk activity so that our team can quickly jump into the alert and determine if it is a genuine attack and respond very quickly. For our customers, this means a much faster mean time to detect (MTTD) and mean time to respond (MTTR) which means less impact and damage.

By building these technologies with these concepts at the foundation, it’s not only inspiring for what’s possible today but also means there’s an exciting roadmap ahead.

What are Chorus doing that is unique in the market?

I still don’t think that the market is aware of how powerful the Microsoft toolset really is. If you have correctly deployed the full stack, then you are going to have extensive coverage (there is always more to be done of course). With these tools setup appropriately organisations can remove low-level noise and alerts and then better focus on detecting and responding to the high-value threats. We help our customers implement Microsoft 365 following a best-practice Zero Trust model, and even more importantly – ensure they have the ongoing support and expertise to help them.

We’ve found the major challenge for many organisations is once these tools have been implemented, there’s a lack of capacity or capability to be able to effectively respond to the threats that are coming in. That’s why we built our Cyber Security Operations Centre (CSOC) to help organisations that have implemented (or are in the process of implementing) these Microsoft technologies to have the right ongoing expertise and support. Our Managed Detection & Response (MDR) services have been built using a cloud-first approach that takes full advantage of all the capabilities across Microsoft 365 Defender and Microsoft Sentinel – particularly around automation. But perhaps most importantly, our services ensure highly skilled security staff are available 24/7 to detect and effectively respond to the threats that are being identified.

I think that there are only a few security providers in the market that are using Microsoft’s XDR and SIEM/SOAR services to their full potential, and we really focus on combining our technical expertise with a strong partnership focus.

Where do you see Microsoft’s security strategy going?

I think the main areas of focus will be cloud-first, big data, and integration. Microsoft have been pitching cloud-first for years and I think this will intensify. The safest way for organisations to go is moving to the cloud to bring that hyper-scale protection, so I think any future investment in their security technologies will be focused on the cloud and incentivizing their customers to adopt a cloud native approach.

The future of cyber security will be very reliant on big data and the ability to interpret big data, so I am sure there will be heavy continued investment in machine learning. These capabilities enable faster detection and response times and that is always the key – being able to identify a threat and contain it rapidly before damage can occur. With advanced machine learning, new or never-before-seen threats can still be detected.

The final area I see heavy investment is in integrations. Microsoft have many pre-built connectors and integrations but we’re seeing Microsoft continue to develop their integration ecosystem and work with more software vendors to ensure that they can feed their data easily into Microsoft Sentinel. Whilst Microsoft security technologies can cover many scenarios (the only major one I think is lacking is full pass-through web filtering), Microsoft know that organisations may want to retain some third-party services. Rather than make it difficult for these services to work together, they are continuing to expand their integration ecosystem so that any service can be plugged into Microsoft Sentinel.

What do you think the future looks like for managed security services?

It’s now very well-recognised that there will be a significant lack of cyber security expertise – Microsoft estimated that there would be a shortage of 3.5 million security professionals by this year. The difficulty is that this won’t be fixed overnight – cyber security skills take time to develop, and as threats and technologies are constantly evolving, people need to be able to have regular training and development.

For many businesses this will be a big challenge as they will struggle to recruit and train staff, which is why so many are outsourcing elements of their security. I expect that partnering with an MSSP will be the main approach for the foreseeable future and I predict this will continue to grow. One key reason is that it is easier for MSSP’s to attract and retain staff with the offer of broad exposure and hands-on experience across many clients and scenarios, paid training and certifications and the knowledge sharing and mentoring available when working as part of a large team.

Another challenge is the need for round-the-clock support but for all but the largest organisations this can be difficult to manage internally. I expect that cyber-attacks will start being timed with holidays and key dates to cause broader impact – by way of example we had the recent REvil ransomware attack that was timed for 4th July in USA. By choosing when offices are shut, there is a far slower response time for organisations with typical 9-5 office hours, which makes the impact even greater. Some attacks are launched to find the weakest entry point and take approximately 4-5 hours of automated activity until they get a foothold into the network. If this is launched out-of-hours, then it can be too late to detect this suspicious activity unless you have 24/7 managed detection and response (MDR) alongside 24/7 Network operations services as well. Organisations need to be thinking about both aspects going forward.

Gartner predict that 50% of organisations will be using MDR services by 2025 and I think that’s very likely. Unfortunately, cybercrime is now a very successful and organised commercial enterprise, so it won’t be going away. Companies are having to accept this and pay large cyber insurance premiums to cover themselves. My hope is more organisations partner with security providers, like Chorus, to take a more proactive and preventative approach to make themselves a smaller and smaller target that has a combination of the right people, processes, and technology in place to adequately protect themselves.

If you’d like to discuss any of the technologies or services mentioned in this Q&A, please feel free to get in touch or you can find out more about our MDR services here.