
Optimising threat detection in noisy environments with the power of Microsoft automation

Posted : 21 May 2025

Posted In : Blogs

Written by: Matt Smith, Chief Technical Officer

The role of the security analyst has never been more important. Increasingly sophisticated cyber threats, fuelled by GenAI, mean that the stakes are higher than ever in the never-ending game of cat and mouse between threat actor and SecOps analyst.

According to Beaming, 2024 was the worst year on record for cyberattacks on UK businesses, with an average of 753,341 malicious attempts, or a new attack every 42 seconds. The third quarter of 2024 saw a peak of 2,192 attacks per day. It is now more important than ever that security analysts cut through the noise of incoming data and alerts to stop threat actors in their tracks.

The volume of data generated by endpoints, firewalls, applications, cloud services and network traffic is vast. While this data holds the keys to detecting threats, the signals that matter are often buried in an overwhelming sea of false positives and routine activity. Security analysts find themselves navigating a deluge of alerts, each vying for attention, and that influx can obscure genuine threats and make it hard to discern critical risks. Our role is to help security teams optimise threat detection and provide clarity amidst this complexity. By leveraging Microsoft technologies, we help analysts filter out the noise so that they can focus on what truly matters. This not only alleviates cognitive strain but also improves the precision and efficiency of threat detection.

From a threat detection perspective, automation can strengthen your security position through contextualised intelligence, faster response times, better consistency and improved efficiencies.

Reducing the noise in a busy environment

There are several reasons why a security operations team might look to bring automation into the threat detection journey. It could be due to the complexity of the environment, budgetary constraints, resource challenges or a desire for increased agility. But in most cases, automation is deployed to minimise the volume of incidents that require analyst intervention. At Softwerx, our analysts process tens of thousands of alerts each day, and we maximise efficiency within the threat management process by combining Microsoft automation tools with an expert eye. When configured well, automation cuts through the noise, so that the true positive incidents analysts need to deal with, such as malware attacks, phishing scams or zero-day exploits, get the priority needed to head off a breach.

Microsoft Sentinel provides several automation tools to help security analysts streamline and simplify workflows: analytics rules (scheduled KQL queries that correlate data, identify patterns and anomalies and raise incidents), automation rules (which triage, tag, assign or close incidents as they are created), playbooks built on Azure Logic Apps for automated response, and watchlists for allow-lists and asset context. Together these cover continuous monitoring, filtering of false positives, prioritisation of threats and correlation of data. But with so many tools available within Sentinel, the question we hear a lot is: where do I start?

Threat hunting

In our experience, trying to plan automation entirely on paper is the least efficient way to achieve your goals. You can go round in circles for days trying to second guess what might happen. The route that we advise for our customers starts with a proactive, hands-on approach using threat hunting to game out scenarios using live data and the intelligence on threat actors’ tactics, techniques and procedures (TTPs) that Sentinel provides. The knowledge gathered during each hunting scenario is put back into Sentinel in the form of automations and analytics to enhance the ability to detect and respond to sophisticated attacks.

A well thought out threat hunting strategy enables businesses to evaluate security flaws from various angles. These flaws could include exposed APIs, open firewall ports, misconfigurations, outdated software, excessive permissions and weak authentication mechanisms – any potential entry points that can leave a business vulnerable. The art of threat hunting is to game out scenarios that expose these before the attackers can exploit them, and this is what we help our customers to achieve.

The knowledge gained helps identify both what’s possible in theory and what’s practically possible for an attacker. When you discover how an actual compromise might unfold, you’ll understand how to build detection rules for it and be able to inform your wider IT security team so that they can take proactive measures against it.

Through this process of understanding where you are vulnerable, you create the foundation for effective security automation. You are developing detection logic based on real-world attack scenarios rather than theoretical models.
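The following query is an added example, not code from the original post or from Softwerx; it illustrates both points above: noise reduction inside the detection logic itself, and a hunting query that is promoted into a scheduled Sentinel analytics rule. It uses the standard SigninLogs table (Entra ID sign-in logs as ingested by Sentinel) and its real columns; the watchlist name Known_Scanner_IPs, the 15-minute window and the thresholds are assumptions for illustration. The scenario is the one a hunt would typically surface: a password spray from a single IP address followed by a successful sign-in to one of the sprayed accounts.

```kql
// Added example (not from the original post): hunt query for password spray
// followed by a successful sign-in, written so it can be saved as a scheduled
// analytics rule. Table and columns are Sentinel's SigninLogs; the watchlist
// name, window size and thresholds are assumptions for illustration.
let lookback = 1h;                 // match the rule's lookback period
let spray_threshold = 10;          // distinct accounts failing from one IP per window
// Noise reduction: suppress sources already known to be benign (for example,
// an authorised scanner) via an assumed watchlist whose SearchKey is the IP.
let known_sources = _GetWatchlist('Known_Scanner_IPs') | project IPAddress = SearchKey;
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    // 50126 = invalid credentials, 50034 = account not found, 50053 = account locked
    | where ResultType in ("50126", "50034", "50053")
    | where IPAddress !in (known_sources)
    | summarize FailedAccounts = dcount(UserPrincipalName),
                Attempts = count(),
                TargetAccounts = make_set(UserPrincipalName, 25),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
      by IPAddress, Window = bin(TimeGenerated, 15m)
    // Correlation + threshold: one IP, many accounts, one window
    | where FailedAccounts >= spray_threshold;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName,
              AppDisplayName, UserAgent;
failures
| join kind=inner successes on IPAddress
// Only a success shortly after the spray, from the same IP, counts
| where SuccessTime between (FirstFail .. (LastFail + 30m))
// ...and only if the account that got in was one of the sprayed accounts
| where set_has_element(TargetAccounts, UserPrincipalName)
// Prioritisation: size of the spray drives the incident severity
| extend Severity = iff(FailedAccounts >= 50, "High", "Medium")
| project Window, IPAddress, FailedAccounts, Attempts,
          CompromisedAccount = UserPrincipalName, SuccessTime,
          AppDisplayName, UserAgent, Severity
```

Run it first as a hunting query over live data to tune the thresholds and populate the watchlist with the sources that legitimately trip it; once the result set is clean, save it as a scheduled analytics rule (1 hour lookback, run every hour), map IPAddress to the IP entity and CompromisedAccount to the Account entity, and attach an automation rule or playbook to the incidents it creates. Each false positive found during the hunt becomes either a watchlist entry or a tighter filter in the query, which is exactly the feedback loop described above.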

Summarise and assist with Security Copilot

Once automation has been used to reduce the volume of alerts, AI can be harnessed to assist security analysts even further by summarising the threat detection analysis. Microsoft Security Copilot uses AI to condense an incident's alerts, entities and timeline into a readable narrative and to place it in the context of the wider threat landscape.

Taking into account all the variables that were discovered during analysis, Microsoft Security Copilot offers a simplified overview of the narrative, in plain English, reducing the analyst’s manual workload in decoding the log data. It can generate reports which put forward suggestions for risk evaluation, incident prioritisation and remediation steps, even highlighting lists of affected machines and vulnerable users to streamline the security team’s scope of work whilst keeping them informed and providing actionable insights that enable analysts to make better, data driven decisions.

Microsoft Sentinel’s automation capabilities can improve security team efficiencies, reducing the risk of human error and enabling a more rapid and accurate threat response. Ultimately, this can strengthen an organisation’s overall security posture which in turn leads to greater successes, better business agility and stronger competitive advantage.

We work with midmarket organisations across the UK, Europe and beyond, helping security teams to harness Microsoft AI and automation tools to optimise threat detection and streamline security processes, reducing risk and enhancing business resilience.
