One of the most interesting challenges in cybersecurity is how to approach implementation: how do you actually put a framework or a tool set into practice? At LRS Education Services, in our NIST Cybersecurity Framework training courses we address this issue head on as we work through the details of the NIST Cybersecurity Framework.
Of course, not every set of security tools has the implementation manual built in like the NIST CSF. But do you know what I find interesting? Microsoft designed their recently updated Microsoft Security Operations Analyst course (SC-200) using a method that lends itself well not only to learning, but also to implementation.
The Basics
Let’s begin with an overview of the course, then we will dig into the value it can bring your organization. The official name is MS-SC-200T00 - Microsoft Security Operations Analyst…and it’s no joke. We do some serious security analyst work in this class.
You’ll learn how to “investigate, respond to, and hunt for threats using Microsoft Sentinel, Microsoft Defender, and Microsoft 365 Defender.” Just an FYI, there are more “Defender” products than quarters I spent in the 80s playing Defender. Ok, that last may be hyperbole…I spent a LOT of paper route money playing Defender.
Another feature of this class is that you’ll get to see what Microsoft now has under the Microsoft Purview umbrella. And finally, we must mention the last four (wait, no, FIVE) Learning Paths. They’re all about Microsoft Sentinel. You’d think it’s too much, but Sentinel is a fascinating set of cloud-native tools for SIEM and SOAR.
Before we go any further, I should mention that when we teach our vendor-neutral NIST framework courses, we don’t get into vendor-specific tools very much (hence the term vendor-neutral). However, if you have a significant investment in Microsoft products and solutions, especially in the Azure cloud platform, using the Microsoft tools makes integration much easier and often more effective. Trust me, your integration team (is that you?) will be grateful.
Start Wide
The reason we titled this blog post Start Wide, Go Deep with Microsoft Security is simple. This is the strategy used by the courseware authors to effectively cover the material for best understanding. I’ll explain. Here is the list of Learning Paths in the SC-200 course:
Learning Path 1 – Mitigate threats using Microsoft 365 Defender
Learning Path 2 – Mitigate threats using Microsoft Purview
Learning Path 3 – Mitigate threats using Microsoft Defender for Endpoint
Learning Path 4 – Mitigate threats using Microsoft Defender for Cloud
Learning Path 5 – Create queries for Microsoft Sentinel using Kusto Query Language
Learning Path 6 – Configure your Microsoft Sentinel environment
Learning Path 7 – Connect logs to Microsoft Sentinel
Learning Path 8 – Create detections and perform investigations using Microsoft Sentinel
Learning Path 9 – Perform threat hunting in Microsoft Sentinel
Please observe the pattern. It works well in the classroom, and it also lets you see how the different tools fit together. In Learning Paths 1-4 we look at how each of four technologies is used to deal with threats to your environment. We learn about the technology from an overview perspective, see how it is used to mitigate threats, and note how it interacts with the other security tools. That’s the “wide” part.
But in Learning Path (LP) 5 we take a seeming detour. And if you’re a PowerShell fan like me, it’ll be a road you’ll enjoy. In this LP you learn how to create queries in Kusto Query Language (KQL). Now, it’s not PowerShell and the syntax is somewhat different, but it is another language you can quickly pick up and use for your SIEM and SOAR responsibilities. You see, KQL is what’s used in Microsoft Sentinel to search through the (admittedly) huge amount of data gathered by the SIEM part of Sentinel.
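As an added example of the kind of search KQL does in Sentinel (this is not from the post or the SC-200 courseware), here is a query that flags an account hit by a burst of failed sign-ins from one IP address followed by a successful sign-in from that same IP. The data is a constructed inline datatable whose column names and ResultType codes mirror the real SigninLogs table, so it runs in any Kusto environment without a data connector.

```kusto
// Added example; constructed rows standing in for the Sentinel SigninLogs table.
// Column names match the real table; the users, IPs and times are made up.
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string)
[
    datetime(2024-01-15 09:00:05), "alice@contoso.example", "203.0.113.10", "50126",
    datetime(2024-01-15 09:00:09), "alice@contoso.example", "203.0.113.10", "50126",
    datetime(2024-01-15 09:00:14), "alice@contoso.example", "203.0.113.10", "50126",
    datetime(2024-01-15 09:00:20), "alice@contoso.example", "203.0.113.10", "50126",
    datetime(2024-01-15 09:00:27), "alice@contoso.example", "203.0.113.10", "50126",
    datetime(2024-01-15 09:01:02), "alice@contoso.example", "203.0.113.10", "0",
    datetime(2024-01-15 09:05:00), "bob@contoso.example",   "198.51.100.7", "50126",
    datetime(2024-01-15 09:07:00), "bob@contoso.example",   "198.51.100.7", "0"
];
// ResultType "0" is a successful sign-in; "50126" is invalid username or password.
// Step 1: count failures per user and source IP inside 10-minute buckets,
// keeping only buckets with five or more failures.
let Failures = SampleSignins
    | where ResultType != "0"
    | summarize FailCount = count(), FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated)
        by UserPrincipalName, IPAddress, bin(TimeGenerated, 10m)
    | where FailCount >= 5;
// Step 2: collect successful sign-ins with the same user/IP pair.
let Successes = SampleSignins
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated;
// Step 3: join the two, and keep only successes that landed within
// 10 minutes after the last failure of the burst.
Failures
| join kind=inner Successes on UserPrincipalName, IPAddress
| where SuccessTime between (LastFail .. (LastFail + 10m))
| project UserPrincipalName, IPAddress, FailCount, FirstFail, LastFail, SuccessTime
```

Against the constructed rows only the alice/203.0.113.10 pair survives; bob’s single failure never reaches the five-failure threshold. In a real workspace you would replace the datatable with the SigninLogs table and schedule the query as an analytics rule.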
OK, Now the Deep Part
Following our introduction to KQL in LP5, we move through four more Learning Paths ALL focused on Sentinel. And it’s a good thing, because Sentinel, while very powerful, is a beast to master! Configuring Sentinel, connecting log sources (which is a primary part of any SIEM), and learning how to do detections and investigations will keep you busy for a while.
And then there is LP 9. Ohhhhhh, threat hunting. Most of us have the idea that threat hunting is a very manual process. In fact, threat hunting is often defined as “using deep technical skills to find Indicators of Compromise (IoCs) that are not detectable by automated tools.” But what if there were a tool, or a tool set, that could boost your threat hunting skills? Friends, threat hunting isn’t for the brand-new security analyst. It takes years of developing those deep technical skills.
Except maybe it doesn’t have to. LP 9 is relatively short, but it has the capability to put you on the path to becoming a skilled threat hunter beyond your current level of experience.
The Unvarnished Truth
OK, I’m going to tell you something that is of great importance. You know who this course is NOT designed for? People with zero interest in Microsoft Sentinel. If you don’t use Sentinel, don’t plan to use Sentinel, or don’t want to learn about Sentinel, this is not the course for you.
If you want to learn more along the lines of an overarching methodology for creating or improving a cybersecurity strategy for your organization, you’d be better off taking one of our NIST Cybersecurity Framework training courses.
Or if you’d like to learn about the basics of security or being a cybersecurity analyst from a CompTIA perspective, we offer both Security+ and CySA+. But if your organization is planting a flag in the world of Microsoft Azure, then our MS-SC-200T00 - Microsoft Security Operations Analyst course may be exactly what you’re looking for.
-Troy Stoneking
NIST Cybersecurity Framework Professional Trainer and Cybersecurity Assessor, Microsoft MCT