Build a scalable security practice with Azure Lighthouse and Azure Sentinel

Article by Poornima Natarajan – Microsoft

The Microsoft Azure Lighthouse product group is excited to launch a blog series covering the areas of Azure Lighthouse where we are investing to make our service provider partners and enterprise customers successful with Azure. Our first blog in this series covers a top area of consideration for companies worldwide, security, with a focus on how Azure Lighthouse can be used alongside Microsoft’s Azure Sentinel service to build an efficient and scalable security practice.

Today, organizations of all sizes are looking to reduce cost and complexity and to gain efficiencies in their security operations. Because cloud security solutions meet these needs with flexibility, simplicity, pay-for-use pricing, automatic scalability, and protection across heterogeneous environments, more and more companies are adopting them.

While achieving efficiencies is the need of the hour, organizations also face a shortage of security experts in the market. This is where service providers have tremendous potential to fill the gap by building and offering security services on top of cloud security solutions. Before diving deeper, let me start with a brief introduction to Azure Lighthouse and Azure Sentinel.

Azure Lighthouse helps service providers and large enterprises manage the environments of multiple customers or individual subsidiaries at scale, from within a single centralized control plane. Since the launch of Azure Lighthouse at Inspire, it has seen wide adoption from both service providers and enterprises, with millions of Azure resources being managed at scale across heterogeneous environments.

Azure Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution from Microsoft. It collects security data at scale across your entire enterprise, including Azure services, Microsoft 365 services, and hybrid environments such as other clouds, firewalls, and partner security tools. Azure Sentinel also uses built-in AI and advanced querying capabilities to detect, investigate, respond to, and mitigate threats efficiently.

We will now look at how you can use both these services together to architect a scalable security practice.

To start building a security practice that scales across multiple customer environments for a service provider, or that helps an organization centrally monitor and manage security operations across its individual subsidiaries, we recommend a distributed deployment and centralized management model. In this model you deploy Azure Sentinel workspaces within the tenant that belongs to each customer or subsidiary, so the data stays within the customer’s or subsidiary’s own environment, and you manage those workspaces centrally from the service provider’s tenant or from the tenant of a central security operations center (SOC) unit within the organization.

You can then leverage Azure Lighthouse’s capabilities to manage and perform security operations from the central managing tenant on the Azure Sentinel workspaces located in the managed tenant. To learn more about this model and its applicability for your scenario, read Extend Azure Sentinel across workspaces and tenants.

To deploy and configure these workspaces at scale, both Azure Sentinel and Azure Lighthouse offer powerful automation capabilities that you can use effectively with CI/CD pipelines across tenants. Here is what ITC Secure, a managed security services provider and Microsoft partner based in London, has to say:

“With Azure Lighthouse’s ability to get delegated access to a customer’s environment and the powerful automation capabilities of both Azure Lighthouse and Azure Sentinel, we are now able to leverage a common set of automations to deploy Azure Sentinel. In real terms, this enables us to configure Azure Sentinel with existing content like queries and analytical rules. This has resulted in significant reductions in customer onboarding times, reducing delivery times from months to a few weeks and even a few hours in certain scenarios. This has enabled us to scale our onboarding processes and practices significantly and delivers faster ROI for our customers. Azure Lighthouse has also provided greater transparency and visibility for our customers, where they can clearly see work delivered. We run queries and apply workbooks across our customers’ subscriptions, deploy playbooks in our customers’ tenants, all from a central pane of glass, further adding to the overall speed of delivery of our service.” —Arno Robbertse, Chief Executive, ITC Secure

Threat hunting and investigation through cross-tenant queries

Running queries to search for threats and then investigating the results is an essential part of a SOC analyst’s job. With Azure Lighthouse, you can deploy Log Analytics queries or hunting queries in the central managing tenant (preserving the service provider’s intellectual property) and run those queries across the managed tenants using the union operator and the workspace() expression.
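The following KQL query is an added example of that pattern and is not code from the original article. It assumes the analyst signed in to the managing tenant has been delegated a reader role on two customer workspaces through Azure Lighthouse; the workspace names contoso-sentinel-ws and fabrikam-sentinel-ws are placeholders. The query lives only in the managing tenant and uses union with workspace() to pull recent high- and medium-severity alerts from each delegated workspace, tagging every row with the customer it came from so results stay attributable.

```kusto
// Added example, not code from the original article.
// Assumptions: the signed-in user in the managing tenant holds a delegated
// reader role on both customer workspaces via Azure Lighthouse, and the
// workspace names below are placeholders.
union isfuzzy=true
    (workspace("contoso-sentinel-ws").SecurityAlert  | extend Customer = "Contoso"),
    (workspace("fabrikam-sentinel-ws").SecurityAlert | extend Customer = "Fabrikam")
// isfuzzy=true lets the query complete even if one workspace cannot be
// reached (for example, its delegation was removed); the result is then
// partial, so an empty Customer group is itself worth investigating.
| where TimeGenerated > ago(7d)
| where AlertSeverity in ("High", "Medium")
| summarize
    AlertCount   = count(),
    LatestAlert  = max(TimeGenerated),
    SampleAlerts = make_set(AlertName, 5)
    by Customer, AlertSeverity
| order by Customer asc, AlertSeverity asc
```

Tagging each leg of the union with an explicit Customer value is deliberate: the columns in SecurityAlert do not carry a human-readable customer name, and the tag is what lets a single saved hunting query in the managing tenant produce a per-customer view. Cross-workspace queries are subject to Azure Monitor’s limits on the number of workspaces a single query may span, so very large estates are usually split into several queries or workbook tabs.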

Visualizing and monitoring data across customer environments

Another technology that works well across tenants is Azure Monitor Workbooks, Azure Sentinel’s dashboarding technology. You can deploy workbooks in either the managing tenant or the managed tenant, depending on your requirements. For workbooks deployed in the managing tenant, you can add a multi-workspace selector to the workbook (if it doesn’t already have one) to visualize and monitor data, and gain insights, across multiple workspaces and, if needed, across multiple customers or subsidiaries.

Automated responses through playbooks

Security playbooks can be used for automatic mitigation when an alert is triggered. Playbooks can be deployed either in the managing tenant or in the individual managed tenant, with the response procedures configured according to which tenant’s users will need to take action in response to a security threat.

Xcellent, a managed services provider and Microsoft partner based in the Netherlands, has benefited from a central security solution powered by Azure Sentinel and Azure Lighthouse to monitor the different Microsoft 365 components across customer tenants. Response management and querying across their customer base have also become more efficient, dropping Xcellent’s standard response time to less than 45 minutes and allowing the team to create a more proactive security solution for their customers.

Cross-tenant incident management

The multiple-workspace incident view provides centralized incident monitoring and management across multiple Azure Sentinel workspaces and across Azure Active Directory (Azure AD) tenants using Azure Lighthouse. This centralized view lets you manage incidents directly or drill down transparently to the incident details in the context of the originating workspace.

Resources to get you started

Azure Lighthouse extends Azure Sentinel’s powerful security capabilities to help you centrally monitor and manage security operations from a single interface and efficiently scale your security operations across multiple Azure tenants and customers.

The following resources will help you get started: