Why Azure Sentinel is Gaining Attention in the SIEM World
Since its launch in 2019, Azure Sentinel has come a long way in a short time. Because it is a cloud-native service running inside Azure, it brings the benefits of a managed cloud service: no hardware to buy, patch, update or scale. This post does not cover the cost of managing ingested data or log retention, which can be difficult to navigate in mixed environments, though every SIEM carries a cost in this respect. For orientation: 5 GB of ingestion is free before charges apply, and Sentinel includes 90 days of retention in the workspace before additional retention is billed. One point that is easy to misread: because Sentinel lives in Azure, inbound network transfer from sources outside Azure is not charged, but the per-GB ingestion charge still applies to that data once it lands in the workspace. In hybrid environments this is why an on-premises log collector is worth considering: it lets customers keep full-fidelity, long-term logs locally and forward only the pertinent events to Sentinel.
What is a SIEM and why is it important?
A SIEM (Security Information and Event Management) system collects security-related information (logs) and security events (logins, port scans and so on) from hundreds or thousands of devices, correlates thousands of these events and presents a summary view for human consumption, something no person or team could do on their own. As cloud technologies have spread to almost every company, the strain they put on legacy SIEM solutions has stressed not only the IT budget but also the IT staff.
As the security landscape expanded, the need to orchestrate actions in response to the events a SIEM surfaces led customers to seek automation as a way to lower costs and speed up resolution. Over time this evolved into dedicated tools that help the security staff (the SOC) react more quickly to threats and issues, hence the term SOAR (Security Orchestration, Automation and Response), seen in tools such as Cyberbit and Demisto and in mature SIEM vendors bolting on support, such as IBM adding Resilient to QRadar and Splunk acquiring Phantom. When implemented well, these tools can provide automated response to the ever-increasing threats and issues in every computer network (not every problem is a masked person trying to steal your data). However, they come at a cost in both staff hours and ongoing licensing. For most small to medium-sized organizations, a managed security offering is worth considering.
Microsoft Sentinel, while new to the game, has several points in its favor:
- Built in the cloud, it inherits the benefits cloud technology was created to deliver: speed, scalability, availability, no CAPEX spend and no hardware to manage, to name a few
- SIEM and SOAR combined in a single product. Microsoft has learned from players such as IBM and Splunk that today's complex environments need what a SIEM and a SOAR provide together
- Ease of use. If you are a Microsoft customer with a presence in Azure, Microsoft 365, Teams or other Microsoft products, getting that data into your SIEM is as easy as enabling a data connector
- Two layers of rule building. Detection (analytics) rules are written in KQL (Kusto Query Language), and Sentinel ships with a library of pre-built rule templates to start from. Automated responses (playbooks) are built on Azure Logic Apps, a point-and-click workflow designer, and a Logic App can call out to an Azure Function App when custom code is needed. Legacy SIEM and SOAR products can require considerable specialist expertise; with Sentinel, the templates and the designer cover the bulk of routine rule and playbook writing, and only the more advanced rules demand deeper KQL skills
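As an added example (not code from the original post or from Microsoft's rule library), the following KQL query is the kind of scheduled analytics rule the bullet above refers to. It assumes the Azure Active Directory data connector is enabled so that the `SigninLogs` table is populated; the threshold `minAccounts`, the one-hour window and the severity labels are assumptions chosen for illustration. The query flags a source IP that fails sign-ins against many distinct accounts in a short window (a password-spray pattern) and, if the same IP later signs in successfully, attaches that account to the result so the alert carries the likely compromised user:

```kql
// Added example, not part of the original post: scheduled analytics rule for a
// password-spray pattern in Azure AD sign-in logs.
// Assumes the SigninLogs table is populated by the Azure Active Directory connector.
let lookback = 1h;          // assumed window; run the rule every hour over the last hour
let minAccounts = 10;       // assumed threshold; tune to the tenant's normal failure rate
// Step 1: per source IP, count distinct accounts with failed sign-ins.
// ResultType is a string; "0" means success, anything else is a failure code.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedAccounts = dcount(UserPrincipalName),
                FailureCount  = count(),
                FirstFail     = min(TimeGenerated),
                LastFail      = max(TimeGenerated)
        by IPAddress
    | where FailedAccounts >= minAccounts;
// Step 2: successful sign-ins in the same window, keyed by the same IP.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project IPAddress, SuccessAccount = UserPrincipalName, SuccessTime = TimeGenerated;
// Step 3: keep every spraying IP; where a success follows the first failure,
// carry the account that succeeded and raise the severity.
failures
| join kind=leftouter successes on IPAddress
| where isnull(SuccessTime) or SuccessTime > FirstFail
| extend Severity = iff(isnotempty(SuccessAccount), "High", "Medium")
| project IPAddress, FailedAccounts, FailureCount, FirstFail, LastFail,
          SuccessAccount, SuccessTime, Severity
| order by Severity asc, FailedAccounts desc
```

Saved as a Scheduled rule, `IPAddress` is mapped to the IP entity and `SuccessAccount` to the Account entity, so an analyst sees both on the incident and a Logic Apps playbook can act on them (block the IP, force a password reset, or open a ticket). Before enabling it, exclude known NAT or proxy egress addresses, which otherwise look like a single IP failing across many users and will flood the rule with false positives.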
Another aspect of Microsoft Sentinel is its ever-growing set of integrations with existing enterprise tools and applications from vendors such as Symantec, Barracuda and Cisco, which allow fairly easy integration with your existing infrastructure. Lastly, a native AWS CloudTrail connector allows a multi-cloud view from a single console. Behind all of this sits Microsoft's own threat intelligence and machine learning, fed by one of the largest signal sets in the industry (about 6 trillion signals a day).
On Demand Azure Sentinel Webinar Discussion
Cyber security is not easy, and the landscape is ever-changing. No vendor or tool can provide you with complete security. However, Microsoft has come out of the gate in a short time with an impressive SIEM/SOAR solution that clearly applies lessons learned from older vendors' tools (QRadar, Splunk and others), and it is worth a look if you wish to operate and run your own SOC. Third parties will continue to flock to Microsoft as a leader in this space as time goes on, with integrations making it easier to reuse existing tools. Microsoft's vision of supporting other clouds, such as the AWS CloudTrail connector, is a smart move given that over 70% of the cloud market share is NOT in Azure.
If you are using Microsoft 365, Azure, Active Directory or Windows 10 inside your organization, let Champion show you the benefits of starting with Sentinel (which carries no license fee; you pay only for the data you ingest and retain) for your security bird's-eye view.