What’s new: Microsoft Sentinel Zero Trust (TIC 3.0) Solution update

Lili Davoudian

This blog is co-authored by TJ Banasik, CISSP-ISSEP, ISSAP, ISSMP, Principal Product Manager, Microsoft Cloud & AI Security.

With demand continuing to grow for federal agencies to build Zero Trust security principles seamlessly into their existing architectures, we’re announcing the Microsoft Sentinel Zero Trust (Trusted Internet Connections 3.0) Solution, a powerful tool to help agencies assess, monitor, and enhance security posture relative to zero trust practices.

The next-evolution of the Microsoft Sentinel: Zero Trust (TIC 3.0) Workbook is the result of considerable positive feedback and valuable suggestions on the workbook we’ve received from our user community of 5,000+ security professionals.

Learn more about our updated solution in this demo:

Solution content

The updated Microsoft Sentinel: Zero Trust TIC 3.0 solution contains a workbook, analytics rules, and a playbook. The Zero Trust TIC 3.0 Workbook provides a single pane of glass for gathering and managing data to address control requirements across 25+ Microsoft products and third-party tooling.

This aggregation at big-data scale results in maximum visibility into on-premises, hybrid, and multi-cloud workloads with regards to relevant controls within the Zero Trust and TIC 3.0 frameworks. This visibility empowers security architectures, engineers, SecOps analysts, managers, and IT professionals to gain situation awareness into the security posture of their hybrid and multi cloud workloads.

Direct pivots to Microsoft Defender for Cloud recommendations allow for ease of correcting misconfigurations and hardening workloads against threats in accordance with zero trust requirements and practices.

Analytics rules further tap into Microsoft Defender for Cloud regulatory compliance mappings to measure Zero Trust alignment across each TIC 3.0 control family and alert on deviations from an established baseline. The default configuration is set for scheduled rules running every seven days; alerting if posture compliance is below 70 percent.

In response to these results, playbook can drive consistent, automated responses. This combination of analytics rules and playbooks allow for continuous monitoring and streamlined reporting that empowers teams to spend less time navigating across portals and more time focusing on remediation and getting secure based on collected insights from Microsoft Sentinel.

Solution benefits

• Single pane of glass for aggregating, managing, and actioning data from 25+ Microsoft products to address Zero Trust control requirements
• Deep links for seamless pivots between products
• Over-time analysis for more complete understanding of security and compliance posture
• One-click, customizable reporting
• Leverage pre-written KQL queries to gain insights from log telemetry with the option to customize for further analysis

New features

In this third iteration of the content, we’ve strived to provide cutting-edge capabilities providing maximum visibility/reporting for cloud, hybrid, and multi-cloud workload posture:

1. Performance upgrades: Operating at 200+ Workspace Aggregation Scale
2. New user interface: Improved performance, simplicity, and reporting
3. Geolocation enhancements: Correlation of Azure Active Directory Locations for Authentications, Security Alerts, Sensitive Data Access
4. Network mapping: Visualize and maneuver through your cyber key terrain with seamless pivots into Microsoft Defender for Cloud: Network maps
5. Documentation: Attest to security leadership, internal/external auditors on status of control compliance. Enhance system security plans and establish plan of action and milestones
6. Asset inventory: Leverage Azure Resource Graph for maximum accountability of hardware/software assets. Seamless pivots to Azure and M365 Defender inventory pages for hardware, software, IoT tracking with exportable reporting
7. Better Together with Microsoft Defender for Cloud: Policy and posture assessments all-up, by control family, and by Zero Trust controls. Every policy recommendation contains a seamless pivot to remediation page and is reinforced with Solution alerting.
8. System baselining: Establish security baselines with Microsoft Defender for Cloud + Intune/Mobile Device Management. Track system configuration down to file, certificate, hardware, software, and registry key levels with pass/fail assessments and asset groupings
9. Access control: Identify who, what, when, where, and how users/administrators are accessing your workloads, including trending, last sign-in location, and seamless pivots to Azure Active Directory profile pages.
10. Security incidents: Understand how you’re being attacked with alignment to Zero Trust (TIC 3.0) monitoring requirements. Third-party integration across all your first- and third-party security tooling ecosystem.
11. Conditional access: Monitor conditional access trending, application policy compliance, and blind spots in security architectures. Protect your applications, identify coverage gaps, and evaluate application access patterns.
12. Security orchestration, automation, and response (SOAR): Inventory your SOAR playbooks, identify triggers/trending over time. Highlight areas to mature automation capabilities. Seamless pivots to Microsoft Sentinel Automation for further configurations.
13. Vulnerability management: Assess each asset’s risk profile via High, Medium, Low and Total vulnerability. Identify available patches and prioritize critical assets. Track common vulnerabilities and exposures (CVEs) and seamless pivots into asset pages for further configurations/response

Getting started

Prerequisites

• Access Microsoft 365 Compliance Manager: Assessments
• Onboard: Microsoft Sentinel and Microsoft Defender for Cloud
• Add the Microsoft Defender for Cloud: NIST SP 800 53 R4 Assessment to Your Dashboard
• Continuously Export Security Center Data to Log Analytics Workspace
• Extend Microsoft Sentinel Across Workspaces and Tenants
• Review: Microsoft Service Trust Portal

Deployment

• Microsoft Sentinel > Content Hub > Search “Zero Trust” > Install or Update > Create > Configure Options > Review + Create
• Review Content
  1. Microsoft Sentinel > Workbooks > Search “Zero Trust”
  2. Microsoft Sentinel > Analytics > Search “Zero Trust”
  3. Microsoft Sentinel > Automation > Active Playbooks > Search “Notify-GovernanceComplianceTeam”, “Open-JIRA-Ticket”, “Create Azure DevOps Task”
• Review: ReadMe for additional Getting Started requirements.
• Feedback: Let us know what you think in the survey

Learn more about Zero Trust with Microsoft Security

Bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity or visit our website for the latest news and cybersecurity updates.

• Build and monitor Zero Trust (TIC 3.0) security architectures with Microsoft Sentinel
• Microsoft Zero Trust Model
• Announcing the Microsoft Sentinel: Zero Trust (TIC 3.0) Solution – Microsoft Tech Community
• Microsoft Sentinel Zero Trust (TIC 3.0) Solution on GitHub
• Zero Trust: 7 Adoption Strategies from Security Leaders

Disclaimer: The Azure Sentinel Zero Trust (TIC 3.0) Solution demonstrates best practice guidance, but Microsoft does not guarantee nor imply compliance. All TIC requirements, validations, and controls are governed by the  Cybersecurity & Infrastructure Security Agency. This workbook provides visibility and situational awareness for control requirements delivered with Microsoft technologies in predominantly cloud-based environments. Customer experience will vary by user, and some panels may require additional configurations and query modification for operation. Recommendations do not imply coverage of respective controls as they are often one of several courses of action for approaching requirements which is unique to each customer. Recommendations should be considered a starting point for planning full or partial coverage of respective control requirements.

Lili Davoudian Senior Product Manager, Microsoft Defender for Cloud

Follow