
User Identity Protection and Preventing Account Compromise

Overview

The client wanted a system that checks all user accounts, detects anomalous activity, and drives remediation. The aim was to protect the environment against malicious actors and to build a defensive perimeter around sensitive data, company information, and workforce integrity.

They also wanted protection, data restoration, and legitimacy checks for situations such as a user's device being stolen or a user ID being hacked or otherwise compromised.

Problem Statement and Challenges

The client is a large organisation with an extensive workforce, which makes it an easy target for phishing attacks. To safeguard against this, the client wanted a Security Operations Center to monitor and analyse the environment vigilantly for continuous threat detection.


Solution

The Security Operations Center starts by analysing the sign-in logs of all user accounts; whenever it finds an unusual pattern, it marks the sign-in as an anomaly.

The user is then asked to verify their identity, and if they fail to do so, the account is locked to restrict access to sensitive company data.

Network IP addresses and device IDs are also monitored and analysed for anomalies, cross-checked against the device's MS Intune compliance status.

The user's or device's geolocation is also logged, and if it does not match the user's normal workflow or known travel, the sign-in is again marked as an anomaly. Alongside this, an unusual-login-attempt notification is configured.
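As an added example (not the client's or Microsoft's code) of the sign-in log checks described above, the following Python applies the new-IP, new-device and impossible-travel checks to a handful of sign-in records. The records are constructed for this example and only borrow the field names of the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `deviceDetail.deviceId`, `location.geoCoordinates`); the speed threshold and the user/device/IP values are assumptions.

```python
"""Added example: anomaly checks over Azure AD-style sign-in records.
Not the client's or Microsoft's code. Field names follow the Microsoft Graph
`signIn` resource; the records and the 900 km/h threshold are assumptions."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumption: no legitimate traveller moves faster than an airliner.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_time(iso_utc):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-04T09:00:00Z."""
    return datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))


def detect_anomalies(signins):
    """Return (userPrincipalName, reason, record) tuples for suspicious sign-ins.

    Sign-ins are processed per user in time order. The first sign-in of a user
    only builds the baseline. A later sign-in is flagged when it comes from an
    IP address or device ID not seen before for that user, or when the distance
    from the previous sign-in implies a speed above MAX_PLAUSIBLE_KMH
    (impossible travel).
    """
    anomalies = []
    seen_ips, seen_devices, last_seen = {}, {}, {}
    for rec in sorted(signins, key=lambda r: parse_time(r["createdDateTime"])):
        upn = rec["userPrincipalName"]
        ip = rec["ipAddress"]
        device = rec["deviceDetail"]["deviceId"]
        geo = rec["location"]["geoCoordinates"]
        when = parse_time(rec["createdDateTime"])
        reasons = []
        if upn in seen_ips and ip not in seen_ips[upn]:
            reasons.append("new IP address %s" % ip)
        if upn in seen_devices and device not in seen_devices[upn]:
            reasons.append("new device ID %s" % device)
        if upn in last_seen:
            prev_when, prev_geo = last_seen[upn]
            km = haversine_km(prev_geo["latitude"], prev_geo["longitude"],
                              geo["latitude"], geo["longitude"])
            hours = (when - prev_when).total_seconds() / 3600.0
            if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
                reasons.append("impossible travel: %.0f km in %.2f h" % (km, hours))
        for reason in reasons:
            anomalies.append((upn, reason, rec))
        seen_ips.setdefault(upn, set()).add(ip)
        seen_devices.setdefault(upn, set()).add(device)
        last_seen[upn] = (when, geo)
    return anomalies


def sample_signins():
    """Constructed sign-in records (assumed values, not real tenant data)."""
    london = {"latitude": 51.5074, "longitude": -0.1278}
    new_york = {"latitude": 40.7128, "longitude": -74.0060}

    def rec(upn, ts, ip, device, geo):
        return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
                "deviceDetail": {"deviceId": device},
                "location": {"geoCoordinates": geo}}

    return [
        rec("alice@example.com", "2024-03-04T09:00:00Z", "203.0.113.10", "dev-a1", london),
        rec("alice@example.com", "2024-03-04T09:30:00Z", "203.0.113.10", "dev-a1", london),
        # Same device, new IP, 5,570 km away 30 minutes later: flagged twice.
        rec("alice@example.com", "2024-03-04T10:00:00Z", "198.51.100.7", "dev-a1", new_york),
        rec("bob@example.com", "2024-03-04T09:05:00Z", "203.0.113.22", "dev-b7", london),
    ]


if __name__ == "__main__":
    for upn, reason, rec in detect_anomalies(sample_signins()):
        print("%s  %s  (%s)" % (upn, reason, rec["createdDateTime"]))
```

In production the records would come from the Azure AD sign-in logs (for example the Microsoft Graph `/auditLogs/signIns` endpoint) rather than from `sample_signins()`, and each flagged sign-in would feed the verification step described above: prompt the user to verify, and lock the account if they cannot. Only Alice's third sign-in is flagged here; Bob's single sign-in and Alice's first two only build the per-user baseline.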

Lastly, a recovery and remediation process for lost or stolen devices is set up so that it can act immediately when such a case occurs.

It starts by notifying the concerned users, locking the stolen device in a frozen state, and beginning a re-imaging process onto a replacement device to restore the data that was on the stolen device.

  • MS Azure Active Directory
  • Microsoft Defender
  • Sign-In Log Monitoring
  • Unusual Login Alerts
  • Network IP and Device ID Monitoring
  • Geolocation Monitoring and Analysis
  • Recovery-Remediation for Lost/Stolen Devices
  • User Identity Verification

Results and Success Criteria

With the implementation of a Security Operations Center, the client no longer fears data theft through vulnerable points of entry that were previously wide open and easily visible to an attacker.

Moreover, the data remains intact even if something happens, such as a device being stolen or a user ID being compromised.