QNET, a subsidiary of the Hong Kong–headquartered conglomerate QI Group, specializes in wellness and lifestyle products that are promoted using a direct selling business model. The company has successfully merged the tried-and-tested direct selling model with e-commerce to provide customers and distributors a seamless experience across shopping, post-sales service, and business-building support. As QNET has grown internationally, so has its footprint in the cloud. Over the years, the company’s multicloud infrastructure has presented complex security challenges, including identity management and the proper allocation of role-based permissions. “The biggest challenges in data security are the relentless and ever-evolving threats we face,” says James Eduard Andaya, Security Operations Team Lead at QNET. “When you begin managing multiple identities per user across multiple clouds, you expand the attack surface available to your would-be infiltrators.”
Through the course of his work, Andaya discovered that far too many of the company’s cloud users had been over-allocated permissions. “I found an alarming number of accounts that had been given owner and contributor roles for our production environment,” he recalls. “Any one of those accounts would have been a high-value target for bad actors, as their permissions would have granted broad access and control across our systems.” While QNET had begun its journey toward building a Zero Trust framework at the onset of its cloud adoption process, Andaya’s discovery reinforced the company’s need to adopt modern security and identity protection capable of providing visibility and control across its entire cloud estate. “We began utilizing Microsoft Entra’s identity protection mechanisms to the full early on,” says Ked Mardemootoo, Cloud Infrastructure Manager at QNET. “We knew that we would be placing identity at the heart of our trust-but-verify approach, and that made Conditional Access, multifactor authentication, Privileged Identity Management, and Microsoft Intune incredibly important to us.”
QNET’s Zero Trust security strategy would put equal focus on identities and endpoints, two powerful ways to control access to data within a Zero Trust architecture. Microsoft Sentinel and Defender for Endpoint were early cornerstones of the solution, with their functionalities built upon soon thereafter by the addition of Defender for Cloud Apps, Defender for Identity, and Defender for Office 365. The Defender solutions each provide detailed insights into potential threats, which Microsoft Sentinel analyzes, using AI to detect and prioritize threats. Microsoft Sentinel then automates and coordinates responses across the Defender solutions, ensuring quick and efficient remediation. By integrating these solutions, the QNET security operations center (SOC) can unify its security strategy in order to detect, analyze, and thwart attacks faster than ever.
Microsoft Sentinel also helps Andaya and his team detect whether misused permissions lead to potential security incidents—information that helps them understand how to right-size permissions based on actual need. The company has also created compliance policies in Microsoft Intune. Conditional Access uses these policies to ensure user endpoints meet its strict requirements before allowing them to connect to any QNET resources.
Fine-tuning identity security and management with Microsoft Entra ID
QNET adopted Microsoft Entra ID as the sole mechanism for granting identity-based access to its resources. To generate the roles for user identities, the company uses Microsoft Entra Permissions Management to understand what permissions different employee groups use on a regular basis. QNET then creates roles for these groups in Privileged Identity Management, a service in Entra ID. This aids in securing and controlling accounts that require broad privileges as well as identifying when roles are experiencing permissions creep or have taken on extra elements of risk through expanded access. As an added layer of access control, QNET has also adopted Microsoft Entra multifactor authentication for its users.
This level of control extends beyond the company’s Microsoft infrastructure. The third-party secure remote access solution adopted by many QNET users, for instance, is made more secure through Microsoft Entra ID Conditional Access.
Adopting Microsoft Sentinel was a phased process for QNET, in part because the solution allowed the company to move its SOC in-house. “We used to rely on an outside company for our SOC,” says Andaya. “As our expertise with Microsoft Sentinel began to grow, we quickly saw our new insourced SOC become, by orders of magnitude, more effective than our vendor ever was.” Part of the SOC team’s effectiveness can be attributed to their use of the automation and AI functionalities of Microsoft Sentinel’s built-in security orchestration, automation, and response (SOAR) capabilities. For example, Andaya has been impressed with the solution’s AI-generated User and Entity Behavior Analytics functionality, which builds baseline behavioral profiles from all of its connected data sources and then uses these baselines to help identify suspicious behavior.
Planning for tomorrow with Copilot for Security
QNET has been an early adopter of many AI solutions in the security space, including Microsoft Copilot for Security. Andaya sees GenAI as a powerful nascent partner capable of handling vast quantities of data—and a solution which could also become the answer to tomorrow’s yet-to-be-developed threats. On busy days, Microsoft Sentinel collects as much as 100 gigabytes of signals data from QNET’s Microsoft Azure workloads.
Copilot for Security has helped the company better analyze this influx of data in three distinct ways: accelerating technical processes, improving the quality of data available to SOC team members, and aiding in organizational transformation. For instance, with the solution’s natural-language-to-Kusto Query Language (KQL) capabilities, writing complex queries has become much simpler. “We’ve seen even our junior analysts gain a clear picture of security-event storylines faster, diagnose incidents with greater ease, and conduct malicious-code analysis more effectively since adopting Copilot for Security,” says Andaya. “On top of that, the solution’s ability to learn our environment and provide rapid high-level executive incident reports has made it an important member of our SOC team.”
QNET is already using the script analysis capabilities of Copilot for Security to great advantage. Andaya reports that the solution has helped the company identify malicious scripts faster than it could before, without the need for any other tools. “Our workplace is becoming more data-driven and efficient with Copilot for Security,” he says. “It will play an even more important role in automating routine tasks, accelerating our security operations, and enhancing our security measures in the future, I’m certain.” The company has also begun integrating Copilot for Security into its Intune admin center. There, the GenAI solution can help with incident triage measures, enhance security policies and configurations, and assist in analyzing all of the company’s managed devices.
A comprehensive suite of security solutions
With Microsoft Sentinel, Microsoft Entra ID, Intune, Copilot for Security, and more, QNET can now complete numerous tasks that were previously either too challenging or too time-consuming. Global Secure Access, the security service edge solution built into Microsoft Entra, helps simplify how the company’s SOC protects its applications and data, and Andaya believes it has made the company’s systems much safer. Cloud security posture management tools in Microsoft Defender for Cloud have infused DevOps pipelines with new ways to measure the potential exposure of workloads and given security teams both a north star to work toward and tangible metrics that help measure their progress. Copilot for Security enables real-time analysis of threats and vulnerabilities—an impossibility with the previous solution. “As early adopters of Microsoft Copilot for Security, we can report up to 40 percent time savings and 60 percent increased efficiency for our security teams, regardless of their level of expertise,” says Andaya. “The solution has been instrumental in reducing the time security analysts take to understand and respond to threats.”
Put together, the numerous Microsoft security solutions QNET has put in place have helped the company transform its incident response capabilities by empowering security teams and enhancing cybersecurity operations. “We’ve seen our secure score go from 42 percent to 73 percent,” says Mardemootoo. “That indicates a substantial enhancement of our security posture, especially concerning endpoint and identity management—both of which are critical areas often targeted by cyberattacks.”
Andaya believes that the best part of being a security practitioner is the similarity to a detective who is constantly solving new mysteries. “The constant challenge and ongoing learning inherent to my field is something I look forward to on a regular basis,” he says. “With Microsoft Sentinel, Microsoft Entra ID, Intune, and Copilot for Security, the QNET SOC team and I now have the advanced investigative tools we need to not only take on a more adaptable and agile security posture, but to respond to complex, advanced mystery threats for years to come.”
Find out more about QNET on Twitter, Facebook, Instagram, YouTube, and LinkedIn.