M+E Connections

How Using Elastic on Azure Can Help Your Organization

Using Elastic’s platform for search-powered solutions on Microsoft Azure can help an organization, its employees and its customers in various ways, according to Israel Ekpo, principal cloud solutions architect at Microsoft.

“Elastic is one of the pioneers that I really enjoy working with because it helps a lot of our partners that are building solutions on Azure,” he said April 26, during the webinar “Gain Microsoft 365 Visibility with Elastic on Microsoft Azure.”

Several Microsoft customers and partners use Elastic for monitoring, for instance, he noted.

He explained: “One thing when you think about Elastic is that it’s not just about search and about log aggregation or event aggregation like some people call it. But they also have different capabilities like machine learning … that allow you to solve problems for your customers.”

One of the reasons why he continues to recommend Elastic is that an organization coming from an environment where it was “responsible for setting up this environment, setting up the storage [and] setting up the servers … can easily transfer that knowledge that you had in on-prem to the cloud,” he pointed out.

But there is one significant difference, he pointed out. “Once you come to Microsoft Azure, you are pretty much no longer responsible for any of the headache of having to do competitive planning, of having to be responsible for upgrades or patching after doing all this underlying infrastructure maintenance. When you come to Azure cloud, all you really focus on is … just consuming what you need to use,” he explained.

Sometimes customers worry about bundling a compute layer and bundling the storage layer together, he noted.

There’s also a new feature that “came out recently … that allows you to scale pretty much infinitely the amount of storage you need,” he went on to say.

“Since we are doing monitoring, we’re going to be collecting a lot of information, a lot of events, a lot of logs, and we need some way to keep that log over time. And in some environments, like for a healthcare customer, there’s a lot of activities happening all the time in all the environment,” he noted.

That “requires a lot of storage capacity for you to keep track of” and it is “very simple to implement if you’re doing this with the Elastic Cloud offering instead of having to figure this out by yourself,” he added.

Another benefit is that it’s “much easier for you to do these integrations,” he said, adding: “If you want to integrate with Microsoft 365 or with any other Microsoft products like Microsoft Teams, it is much easier for you to get started.”

There is also integrated resource management and integrated billing that can be integrated in the Azure portal, he noted.

So, partnering with Elastic has “really helped us reach our customers to help them solve the problem that they really needed to solve,” he said.

The final benefit he pointed to was that, “once you come to Azure, running it on Azure, you don’t have to worry about maintaining or grading.”

The benefits of using Elastic on Azure were also detailed during the webcast by Eric Ooi, director of security and research at Iron Vine Security.

He first discussed the impact on security, telling viewers: “As a cybersecurity company, this is our primary reason for leveraging Elastic to monitor our Microsoft 360 environment.”

“Contrary to what many may think, cloud security is actually a shared responsibility between the cloud provider and the tenant,” he said. “While the cloud provider typically secures the infrastructure layer, the tenant is responsible for securing the application layer. One of the best ways for a tenant to meet this responsibility is by capturing and analyzing audit logs.”

So why capture those logs? “There’s several reasons for doing this,” Ooi explained. “First is security and compliance. Capturing logs will help us meet the shared responsibility of securing our Microsoft cloud environment. They enable us to better understand what’s normal in our environment and helps us more easily identify abnormal activity.”

Also, he said, “most organizations must adhere to compliance standards that require storing system logs for a period of time in a dedicated repository.”

He went on to explain: “A second reason is to centralize logs. More than likely, Microsoft 365 is not the only cloud application your team is using. Activities that occur in Microsoft 365 may often relate to something that’s happening in another platform. Wouldn’t it be great to centralize these disparate logs into a single location? This would enable us to quickly correlate our Microsoft 365 logs with all of our platforms and reduce our response times.”

Last, he pointed out that “logs can help identify and investigate notable activity, be it an alert or something that just doesn’t feel right.”

Collected logs “enable us to not only identify anomalous behavior but to fully investigate and determine root cause,” he said, noting that this “works for both security and operational use cases.”

So why use Elastic to do that? “At Iron Vine, we run a number of federal security programs, and we understand the value of collecting logs for security monitoring and incident response, especially in the cloud-first world that we live in,” he explained.

“With so many organizations using or moving to Microsoft 365, we knew we needed an easy … and cost effective solution to capture and analyze these detailed audit logs, to monitor and investigate suspicious events,” he said.

Although there are “plenty of logging solutions available, we found that Elastic’s integration” with Microsoft application programming interfaces (APIs), its “out-of-the-box SIEM rules and its powerful searching and visualization capabilities made it the ideal solution,” he said.

An added benefit is that Elastic “natively supports many of our existing system and security platforms, enabling us to easily search across all of our logs and perform powerful correlation,” he noted.

He went on to tell viewers: “Once we got our own Microsoft logs flowing into Elastic, we started asking ourselves what questions we could answer with this new data. Over time, we developed a collection of saved searches and visualizations that enabled us to monitor and respond to incidents much quicker than before.”

He added: “We’ve also published a companion blog that walks through each dashboard so that you can fully understand how you can best use them.”

He went on to walk through a fuller explanation, with images, of how his firm used Elastic on Azure.

Take authentication: his company was able to “quickly spot anomalous logins based on location,” he noted. If employees were only based in the U.S., for example, “you might find it strange to see logins coming from Europe or Asia,” he said. “We could use this information to tune our detections or update our login policies to prevent international login attempts.” Over time, “we could look for abnormal spikes, like what we see here that might warrant further investigation,” he noted.
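The location-based login check and the spike hunt he describes, as an added Python example that is not code from the webinar, from Iron Vine or from Elastic. The audit records, the IP-to-country table (standing in for Elastic's GeoIP enrichment) and the US-only allowlist are all constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed Microsoft 365-style audit records (simplified field names; not real exported data).
def rec(ts, user, ip, op="UserLoggedIn"):
    return {"CreationTime": ts, "UserId": user, "Operation": op, "ClientIP": ip}

RECORDS = [
    rec("2021-04-19T13:02:11", "alice@example.com", "203.0.113.10"),
    rec("2021-04-19T14:10:05", "bob@example.com", "198.51.100.7"),
    rec("2021-04-20T09:00:00", "alice@example.com", "203.0.113.10"),
    rec("2021-04-20T09:30:00", "bob@example.com", "198.51.100.7"),
    rec("2021-04-21T08:45:00", "alice@example.com", "203.0.113.10"),
    rec("2021-04-21T03:12:40", "alice@example.com", "192.0.2.44"),   # single login from Germany
    rec("2021-04-22T10:00:00", "bob@example.com", "198.51.100.7"),
    rec("2021-04-22T10:05:00", "alice@example.com", "203.0.113.10"),
    rec("2021-04-22T11:00:00", "carol@example.com", "203.0.113.10", op="FileAccessed"),  # not a login
] + [rec(f"2021-04-23T02:{m:02d}:00", "bob@example.com", "192.0.2.99") for m in range(9)]  # burst from Singapore

# Constructed stand-in for GeoIP enrichment (in Elastic the geoip ingest processor would supply this).
IP_COUNTRY = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.44": "DE", "192.0.2.99": "SG"}
ALLOWED_COUNTRIES = {"US"}  # assumption: all staff are US-based, as in the webinar scenario

def logins(records):
    """Keep only login events and tag each with its source country."""
    return [dict(r, Country=IP_COUNTRY.get(r["ClientIP"], "unknown"))
            for r in records if r["Operation"] == "UserLoggedIn"]

def logins_outside(records, allowed=ALLOWED_COUNTRIES):
    """Logins from outside the allowed countries, or from IPs the lookup could not resolve."""
    return [r for r in logins(records) if r["Country"] not in allowed]

def countries_by_user(records):
    """Which countries each account has logged in from; useful for tuning per-user baselines."""
    seen = defaultdict(set)
    for r in logins(records):
        seen[r["UserId"]].add(r["Country"])
    return {user: sorted(countries) for user, countries in seen.items()}

def daily_spikes(records, factor=3.0):
    """Days whose login count exceeds factor x the median daily login count."""
    per_day = Counter(r["CreationTime"][:10] for r in logins(records))
    baseline = median(per_day.values())
    return sorted(day for day, n in per_day.items() if n > factor * baseline)

if __name__ == "__main__":
    for r in logins_outside(RECORDS):
        print("outside allowlist:", r["CreationTime"], r["UserId"], r["Country"])
    print("countries by user:", countries_by_user(RECORDS))
    print("spike days:", daily_spikes(RECORDS))
```

In a real deployment the same three questions become a saved search (country not in allowlist), a per-user aggregation, and a date histogram with a threshold rule, which is the shape of the dashboards the speaker describes.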
