Innocent Wafula, Author at Microsoft Security Blog

Accessibility and usability for all in Azure Sentinel
http://approjects.co.za/?big=en-us/security/blog/2021/07/07/accessibility-and-usability-for-all-in-azure-sentinel/
Wed, 07 Jul 2021 16:00:04 +0000

Designing with accessibility in mind greatly expands the impact of Microsoft solutions. However, the impact of accessible design is even bigger than that. When we design for accessibility, everyone benefits.
As a father of a child on the Autism spectrum who relies completely on digital media for his learning, I fully appreciate the impact that digital accessibility can have on people with disabilities. Designing with accessibility in mind greatly expands the impact of Microsoft solutions. What many don’t realize, however, is that the impact of accessible design is even bigger than that. When we design for accessibility, everyone benefits.

For example, television video captioning was initially designed for the benefit of people who are hard-of-hearing. Today, it’s far more widely used, such as in loud places where people still want to watch TV and follow the context of the images. We at Microsoft and many of our customers make extensive use of video captioning in Microsoft Teams meetings. This makes the meetings not just accessible, but also convenient for people who may need to join meetings in noisy places—a perfect example of the widespread benefits of accessible design. Microsoft’s product design principles are based on a consistent approach: taking a disability-inclusive mindset in all product designs to strive to deliver a better user experience for all.

Consistent with this philosophy, Azure Sentinel already includes accessibility features that conform to the Web Content Accessibility Guidelines (WCAG), among others. We are now taking this commitment a step further by adding another significant usability enhancement delivered through responsive design. Responsive design is a software development approach that optimizes an application’s user interface to adapt to various screen sizes, from small to medium to large glass. It allows developers to make efficient use of screen space, leverage specific features on a particular device, and optimize for various forms of input, with the goal of improving the user experience regardless of form factor. Beyond ease of use, digital accessibility can have far-reaching benefits in broadening opportunities for people of all abilities. To learn more about the role Microsoft is playing, read the blog Doubling down on accessibility: Microsoft’s next steps to expand accessibility in technology, the workforce and workplace.

Responsive design benefits in Azure Sentinel

Without responsive design, security operations center (SOC) analysts trying to use Azure Sentinel would experience difficulty when trying to navigate around the interface, especially if they are using a mobile device. For example, they would need to scroll to the right side in order to visualize pages with large amounts of text, increasing the friction they experience while trying to get their work done. With Azure Sentinel incorporating responsive design in the user interface, users can now expect an enriched experience in the following key areas:

Mobile access

Responsive design now enhances the usability of the Azure Sentinel portal from any device, including browsers on mobile phones. This greatly improves the convenience of using the product and makes the experience more portable, allowing users to access the portal from the lightweight devices they typically carry with them. When it comes to incident response, time is of the essence, so the ability to respond from anywhere on a portable device is of great benefit. Below is a screenshot of an incident in Azure Sentinel opened from a mobile phone.

Figure 1: Azure Sentinel incident opened on a mobile device.

Enhanced zoom

It is now possible to zoom in to up to 400 percent without distorting user interface elements. This capability makes it possible to move away from the constraints of fixed-width designs to one that adjusts screen elements without distorting them even when a user zooms to such high percentages. As a result, the capability significantly improves the accessibility of the user interface to users with low vision or even to anyone who prefers to read larger text. For users with limited dexterity, the ability to enlarge text makes user interface elements larger, making selections easier.

Figure 2: Azure Sentinel Analytics blade at 400 percent zoom at 1920×1080 display resolution.

Content reflow

The ability to accommodate different viewport sizes across devices of varying sizes without requiring the user to perform multiple scrolling operations is of significant benefit to anyone with accessibility needs and is a desirable user experience for any other user. With content reflow, the content automatically adjusts to fit the screen size, eliminating the need for horizontal scrolling to view content as depicted below:

Figure 3: Example of how text reflows from a large to small glass device and vice versa.

Linear order

Linear order is important for structure because it keeps navigation through content predictable (for example, the order of columns in the source determines how screen readers or Windows Narrator read out the content). With reflow, the order in which items are presented in the user interface is preserved, which makes for a consistent and accessible experience. For example, users typically expect the flow to be from left to right, top to bottom, as depicted in the image below.

Figure 4: Example of the linear order for mobile screen view.

One billion. This is the number of people with disabilities across the world. Designing software or hardware with this population in mind pushes the limits of creativity to new boundaries, resulting in improved products and user experiences for all. Additionally, it increases the chances for people with disabilities to be gainfully employed with jobs that have been enabled by accessible technology. By proactively building accessibility into product designs right at the onset, we at Microsoft make technology adapt to user preferences as opposed to the other way round. We are excited that the new reflow-powered features in Azure Sentinel will make the product more usable and the experience more portable for our customers. Log in to your Azure Sentinel portal today from a device of any size and respond to incidents from the convenience of your favorite device.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Special thanks to Ishan Soni for his input and Menny Mezamar-Tov and the rest of the accessibility engineering team for building the reflow capability into Azure Sentinel.

6 strategies to reduce cybersecurity alert fatigue in your SOC
http://approjects.co.za/?big=en-us/security/blog/2021/02/17/6-strategies-to-reduce-cybersecurity-alert-fatigue-in-your-soc/
Wed, 17 Feb 2021 19:00:22 +0000

Alert fatigue is a top of mind challenge when it comes to security monitoring. As a result, organizations are constantly trying to improve their human capabilities, processes, and technology to address the challenge. Microsoft is uniquely positioned to take on this problem by tapping into the end-to-end capabilities of our Extended detection and response (XDR) offering that doesn’t just span the key security domains of concern but is also tightly integrated across those domains and powered by intelligence.
Today, organizations are faced with the increasingly difficult task of trying to protect their expanding digital estate from sophisticated cybersecurity threats. Migration to the cloud and a mobile workforce has dissolved the network boundary and projected the digital estate beyond its traditional confines. Data, users, and systems are everywhere. Additionally, these systems are increasingly domiciled in the cloud and generating a considerable amount of security data. To add to this, on average, companies with over 1,000 employees maintain about 70 security products from 35 different vendors, according to a recent report by CCS Insight. The end result? A vast amount of alerts that security operations center (SOC) teams have to contend with. Unsurprisingly, according to an ESG¹ study, 44 percent of these alerts go uninvestigated due to a combination of talent scarcity and the multiplicity of security solutions generating a huge volume of alerts.

To help our customers address alert fatigue while still maintaining detection efficacy, Microsoft is leveraging the power of Threat Intelligence, native solution integration, AI, and automation to deliver a unique SIEM and XDR approach. But first things first: what exactly are alerts, events, and incidents in the context of security operations? Below is a graphic that will help answer this question before we delve deeper into how Microsoft technology is helping SOC teams sift through high volumes of alerts and narrow them down to manageable, high-fidelity incidents.

Diagram distinguishing between events, alerts, and incidents.

Let us now look at the six strategies that Microsoft employs to help our customers deal with the alert fatigue problem:

1. Threat intelligence

To combat cyberthreats, Microsoft amalgamates trillions of daily signals, across all clouds and all platforms, for a holistic view of the global security ecosystem. Using the latest in machine learning and artificial intelligence techniques—plus the power of smart humans—we put these signals to work on behalf of our customers taking automated actions when threats are detected, and providing actionable intelligence to security teams when further contextual analysis is required.

2. Native integration

Microsoft leverages the tight integration across its threat protection solution stack to help customers connect the dots between disparate threat signals and develop incidents by grouping quality alerts from different parts of their environment and stitching together the elements of a threat. First-party security solutions within the Microsoft 365 Defender offering enable our customers to benefit from real-time interactions amongst the tools, backed by insights from the Intelligent Security Graph. As a result, the quality of alerts is improved, false positives are significantly reduced at source, and in some cases, automatic remediation is completed at the threat protection level. Additionally, this can be combined with log data drawn from third-party solutions such as network firewalls and other Microsoft solutions to deliver an end-to-end investigation and remediation experience, as depicted in the image below.

Image showing integration of Microsoft's XDR offering

3. Machine learning

The third strategy that we employ is the ingestion of billions of signals into our security information and event management (SIEM) solution (Azure Sentinel) then passing those signals through proven machine learning models. Machine Learning is at the heart of what makes Azure Sentinel a game-changer in the SOC, especially in terms of alert fatigue reduction. With Azure Sentinel we are focusing on three machine learning pillars: Fusion, Built-in Machine Learning, and “Bring your own machine learning.” Our Fusion technology uses state-of-the-art scalable learning algorithms to correlate millions of lower fidelity anomalous activities into tens of high fidelity incidents. With Fusion, Azure Sentinel can automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill-chain.

On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be difficult to catch. Secondly, with built-in machine learning, we pair years of experience securing Microsoft and other large enterprises with advanced capabilities around techniques such as transfer learning to bring machine learning within reach of our customers, allowing them to quickly identify threats that would be difficult to find using traditional methods. Thirdly, for organizations with the in-house capability to build machine learning models, we allow them to bring those into Azure Sentinel to achieve the same end goal of alert noise reduction in the SOC. Below is a real-life depiction captured within a certain month where machine learning in Azure Sentinel was used effectively to reduce signal noise.

4. Watchlists

Watchlists ensure that alerts with the listed entities are promoted, either by assigning them a higher severity or by alerting only on the entities defined in the watchlist. Among other use-cases, Azure Sentinel leverages Watchlists as a high-fidelity data source that can be used to reduce alert fatigue. For example, this is achieved by creating “allow” lists to suppress alerts from a group of users or devices that perform tasks that would normally trigger the alert, thereby preventing benign events from becoming alerts.
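As an added illustration of the two watchlist patterns described above (not code from the post), the KQL below assumes a watchlist with the alias AllowListedAccounts and another with the alias HighValueAccounts, both keyed on user principal name in their SearchKey column; the "more than two sign-in locations in an hour" condition is a constructed stand-in for whatever anomaly a real rule would detect.

```kql
// Added example, not from the original post.
// Both watchlist aliases and the anomaly condition are assumptions.
let allowlist = _GetWatchlist('AllowListedAccounts')
    | project UserPrincipalName = tolower(SearchKey);
let highvalue = _GetWatchlist('HighValueAccounts')
    | project UserPrincipalName = tolower(SearchKey);
// Candidate anomaly: one account signing in from more than two
// countries within the last hour (ResultType "0" = successful sign-in).
let candidates = SigninLogs
    | where TimeGenerated > ago(1h)
    | where ResultType == "0"
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | summarize DistinctLocations = dcount(Location),
                Locations = make_set(Location, 10),
                SignIns = count()
              by UserPrincipalName
    | where DistinctLocations > 2;
// Pattern 1 (suppress): drop accounts on the allow list, so a known
// travelling service desk or automation account never becomes an alert.
candidates
| join kind=leftanti allowlist on UserPrincipalName
// Pattern 2 (promote): accounts on the high-value list get a higher
// severity; everyone else keeps the default. An analytics rule can map
// the Severity column to the alert's dynamic severity.
| join kind=leftouter (highvalue | extend IsHighValue = true) on UserPrincipalName
| extend Severity = iff(IsHighValue == true, "High", "Medium")
| project UserPrincipalName, DistinctLocations, Locations, SignIns, Severity
```

Because the suppression is expressed as a leftanti join against the watchlist, adding or removing an account from the allow list changes the rule's output without editing the rule itself.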

5. UEBA

User and entity behavior analytics (UEBA) is natively built into Azure Sentinel targeting use-cases such as abuse of privileged identities, compromised entities, data exfiltration, and insider threat detection. Azure Sentinel collects logs and alerts from all of its connected data sources, then analyzes them and builds baseline behavioral profiles of your organization’s entities (users, hosts, IP addresses, applications, and more) across peer groups and time horizons. With the UEBA capability, SOC analysts are now empowered to reduce not just false positives but also false negatives. UEBA achieves this by automatically leveraging contextual and behavioral information from peers and the organization that typical alert rules tend to lack. The image below depicts how UEBA in Azure Sentinel narrows down to only the security-relevant data to improve detection efficiency:

Image showing the UEBA efficiency funnel.

6. Automation

The lower tiers of a SOC are typically tasked with triaging alerts, and this is where the critical decisions need to be made as to whether alerts are worth investigating further or not. It is also at this point that automation of well-known tasks that do not require human judgment can have the most significant impact in terms of alert noise reduction. Azure Sentinel leverages Logic Apps native to Azure to build playbooks that automate tasks of varying complexity. Using real-time automation, response teams can significantly reduce their workload by fully automating routine responses to recurring types of alerts, allowing SOC teams to concentrate more on unique alerts, analyzing patterns, or threat hunting. Below is an example of a security playbook that will open a ticket in ServiceNow and send a message to an approver. With a click of a button, if they confirm activity from a malicious IP as a true positive, then automatically that IP is blocked at the firewall level, and the user’s ID is disabled in Azure Active Directory.

Cross-vendor security remediation playbook.

Summary

We have looked at six effective strategies that organizations can use to minimize alert fatigue and false positives in the SOC. When they are combined across a unified ecosystem, including Threat Intelligence, the Microsoft Security suite, UEBA, and automation and orchestration capabilities tightly integrated with the Azure platform and Azure Sentinel, alert noise can be significantly reduced. Additionally, Azure Sentinel offers capabilities such as alert grouping and the intuitive Investigation Graph, which automatically surfaces prioritized alerts for investigation and also provides automated expert guidance when investigating incidents. To significantly increase your detection rates and reduce false positives while simplifying your security infrastructure, consider including our unique SIEM and XDR solution, comprising Azure Sentinel and Microsoft Defender capabilities, in your threat defense and response strategy.

Unified security ecosystem funnel.

Additional resources

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Special thanks to Sarah Young, Chi Nguyen, Ofer Shezaf, and Rafik Gerges for their input.

¹ESG: Security Analytics and Operations: Industry Trends in the Era of Cloud Computing 2019.
