Why Azure Sentinel offers best SIEM value
By Insight Editor / 16 Feb 2021 / Topics: Cloud Microsoft Azure
For some time now, the technology industry has made the case that ‘data is the new oil’. But, like any mineral deposit, the presence of data alone does not determine its value. Instead, value results only when that deposit is put to good use.
With information security, there is and always has been plenty of data to work with. So much so that one of the major challenges is making sense of it all, a task which once fell to trained experts who would pore over endless logs, looking for exceptions, patterns, and evidence of unusual, dangerous or unexplained activity. Sure, they’d use technology tools to help, but a sharp set of eyes was (and in some cases still is) the essential factor in identifying trouble.
If that sounds terrifically retro in times where artificial intelligence is doing everything from driving cars around to assisting with managing schedules, well, it is.
The limitations of this approach led to the introduction of Security Incident and Event Management (SIEM) solutions around the time when large enterprises were busying themselves with Payment Card Industry Association Data Security Standard (PCI-DSS) compliance; SIEM has subsequently become an essential service for most companies.
This is where the core of the Azure Sentinel value proposition becomes clear. As a catch-all for all security data, Sentinel gathers information from across your enterprise, then applies intelligence, helping you move from reactive threat management towards proactive control.
Now, for those unfamiliar with Sentinel, it is Microsoft’s SIEM solution which was first introduced just over a year ago. Sentinel is ‘cloud native’, resides in the Azure platform and in a nutshell, it tracks, stores and analyses the behaviours of pre-defined targets.
Here’s a more detailed look at what Sentinel does:
Whilst doing that, and as you might expect, Sentinel consumes large volumes of data from just about everything connected to the corporate network, from individual user devices right through to back-end servers and storage, whether on-premises or in the cloud.
Now, with any SIEM implementation, cost is always a concern. Did I mention data? And quantity? All the logs, security events and so on constantly generated every time a mouse is clicked, an email sent, or a keyboard tapped on have to go somewhere. This has an overhead: not only must that data reside somewhere, but turning it from raw data into the “good oil” of useful information demands computing power. Storage + compute = expensive. Storage + compute + analysts = very expensive.
Consider the total cost…and value
But here’s the good news. The total cost of ownership for Microsoft Sentinel is highly competitive. In fact, a recent Forrester Total Economic Impact study on Sentinel shows just how well the solution performs, with headline findings including:
I’ve bolded the third point, because this ties directly back to security analysts and engineers spending their time identifying security threats. If your people are investing their time on security analysis, you are investing your money on security analysis!
This is the central and key point of Sentinel. Having data is easy. Storing it is easy (and costly, especially if nothing is being done with it!) Putting it to use is the tricky bit, and that’s exactly what Sentinel does for you.
Finally, note that Sentinel represents a key component in Microsoft’s ongoing big push into security. With native protection included in products like Microsoft 365, Sentinel integrates seamlessly with other Microsoft services like Azure Security Center and Azure Active Directory, and offers connectors for services such as Cloud App Security and Information Protection; third-party connectors consume data from the typically heterogeneous environment you’re likely to be running, including Cisco, Check Point, Palo Alto Networks, and many more.
The central and defining feature of Sentinel is the incorporation of Microsoft’s machine learning and artificial intelligence (AI) technology. This effectively does the job of security analysts by putting all that data to work, analysing, contextualising and ‘understanding’ the security landscape, and then automatically adapting to evolving threats. (Threats, of course, evolve constantly, because although devious, hackers and other bad actors are undoubtedly also ingenious and highly motivated).
And it is called Sentinel for a good reason – because it stands watch over your enterprise, tirelessly.
Need assistance? Get an overview of Azure Sentinel along with insights on active threats to your Microsoft 365 cloud and on-premises environments with an Azure Sentinel Workshop