Part Two: Microsoft XDR Lessons From the Kitchen to the SOC

August 16, 2022 | 4 min read

Mona Ghadiri

Director of Product Management

Ghadiri

Mise en Place or Cooking Fast?

In the first blog in this series, BlueVoyant’s Director of Product Management Mona Ghadiri, taking a lead from Mark Bittman’s Kitchen Matrix, surmised we need different XDR recipes — not more. In part two, she applies similar Bittman principles to connected security tools and cyber solutions.

In part one, I cited a 2021 blog written by tech security expert Dr. Anton Chuvakin and how the transposition of successful ideas can be effective.

Staying on the cooking theme, something else worth transposing to the SOC can be found in another lesson from Mark Bittman, author of the Kitchen Matrix, a successful recipe anthology in which thematic matrices can be applied to cooking ingredients. In 2014, Bittman wrote an article for TIME Magazine called The Truth About Home Cooking. In 2014, I was a young chef myself, trying to figure out how to make, well, anything. Having thoroughly turned the biscuits I had intended to make into biscuit puddles because I was rushed for time and hadn’t chilled my butter, I searched for advice. Bittman got to me at the right moment. Similar to the first blog, my thesis here is about what you do before you start; however, we move from recipe selection to cooking dinner.

In the article, Bittman said, “To get comfortable in the kitchen, pare down your ambitions, ease up on your expectations and start with something manageable that you will actually enjoy eating. Like any skill, cooking gets easier as you do it more; every time you cook, you advance your level of expertise.”

With ever-evolving cyber architectures, as with dinner, starting with something manageable can be what ensures you have dinner at a reasonable time. What is manageable is often what has already been packaged together. We are not here to shame anyone for cooking (or not cooking), by the way. For me, buying sushi or pasta sauce or putting taco materials in a bag of chips or making sub sandwiches is manageable, which provides a wonderful segue into security tools.

Connected security tools feel like a manageable expectation, but it's not with point cyber solutions. Why?

Bittman gives a lot of sage advice in his TIME article that could be applicable to tools and cyber solutions, but my favorite is a statement toward the end. “My advice is that you not pay attention to the number of steps and ingredients, because they can be deceiving. Instead, to get an accurate idea of the work involved, see how items need to be prepared.”

What great advice — how many items need to be prepared does not necessarily match the work involved per item.

If we follow the metaphor, cooking fast becomes our most powerful dinner tool (and SOC architecture strategy). What log sources we want in our SIEM is just like what Bittman describes as what we keep in our pantry to make dinner quickly.

In cybersecurity onboarding and implementation, the same rule applies. How items need to be prepared varies. If we start with an open XDR concept for cybersecurity tools, the list may look something like this. How many items need to be prepared?

  1. License/tool procurement per vendor and security area (Endpoint Detection and Response (EDR), SIEM, Identity & Access Management (IAM), Cloud Access Security Broker (CASB), Web Application Firewall (WAF), Cloud Workload Protection (CWPP), Firewall, Email Gateway)

  2. Console access per tool, per vendor, plus third party management infrastructure

  3. RBAC controls per users or user groups, per tool, per vendor

  4. API keys and secret generation per SOC platform or SIEM integration

  5. Agent deployments, on-premises log collector per network or per operating system

  6. Agent/content parsing, per log source

  7. onboarding per log source, per vendor

  8. Alert configuration/console settings configurations per log source, per vendor

  9. Automation use cases and escalations per detection, per log source, per vendor

  10. Tuning per detection, per log source, per vendor

  11. Incident response plan per detection, per log source, per vendor

  12. Reporting and controls assessment per device, detection, per log source, per vendor

  13. Training and onboarding per detection, per log source, per vendor

  14. Outsource to third-party provider

What happens when you bundle five-plus cybersecurity tools together with BlueVoyant? Time to value shrinks dramatically even with the same number of items to prepare because the work involved per item shrinks as the ecosystem converges:

  1. Tool procurement via single vendor with Microsoft (Endpoint Detection and Response (EDR), SIEM, Identity & Access Management (IAM), Cloud Access Security Broker (CASB), Web Application Firewall (WAF), Cloud Workload Protection (CWPP), Firewall, Email Gateway)

  2. GDAP and Lighthouse zero trust access for Microsoft cybersecurity ecosystem

  3. Agent deployment via Intune or ConfigMgr by device profile

  4. Agent/content onboarding per log source to Sentinel

  5. Alert configuration done by BlueVoyant M365Defender Accelerator

  6. SIEM Tuning done by BlueVoyant

  7. Incident response plan with BlueVoyant

  8. Reporting and controls based on MITRE ATT&CK, ASIM model and CIS baselines with BlueVoyant

  9. Training and onboarding to BlueVoyant co-managed MDR

What does a manageable place look like to start protecting against threats with Microsoft XDR and SIEM? Stock your pantry. Keep some healthy stuff in the fridge. Enable cross connections between Microsoft tools for configuration, investigation, and response. Make your SOC manageable.

Microsoft Sentinel

Bittman has one last bit I’ll talk about next. The best part is, you don’t have to go it alone.

Passionate about cybersecurity, tools, and solutions, Mona Ghadiriserves as the director of product management at BlueVoyant.