Microsoft Azure Sentinel: not your daddy’s Splunk

OK, I must admit; this title is misleading. I am not going to do a side by side comparison of Splunk and Azure Sentinel. Although that seems to be the thing that people on social media are talking about these days: how does Azure Sentinel compare to other SIEM solutions such as Splunk, etc.

Instead, I’ll be focusing on what role Azure Sentinel plays in securing your enterprise. And while Azure Sentinel does provide the advanced SIEM capabilities and dashboarding that many companies need, I really want you to understand the broader picture as Azure Sentinel, as a cloud security solution, is set to disrupt the SOC.

And with Microsoft owning and operating a big part of the technology you use every day in your workplace, along with making security a strategic investment and bet, I argue that they are becoming the biggest security company in the world.

Biggest security company in the world

Microsoft is investing heavily in security in recent years. Not only have they upped their game in finding and fixing product defects, they for instance also have a big organizational unit around threat intelligence (Microsoft Threat Intelligence Center). They are investing tens if not hundreds of millions in developing security products and solutions for their platforms.

And while one could argue that the early days of their AV solution were not watertight, they certainly turned around that “ship”, and Microsoft should not be underestimated if they are taking security seriously. If you look at their evolved EDR solution today, Windows Defender is not only achieving high scores, it also detects bad actors in ways and speed other vendors do not and cannot.

Because Microsoft’s owns both one of the two biggest cloud platforms in the world, as well as sell the most used cloud endpoint (Windows), they are poised to become the biggest security player in the world. On top of this, it can leverage its immense computing power to use machines learning and artificial intelligence to really make a difference in how security is approached.

You see this coming to life when you connect Windows Defender to their Azure cloud; you start to receive threat intelligence feeds, and new malware is detected and remediated through machine learning in under 14 minutes. This is why Defender ATP is growing very strong in adoption at enterprises in recent months.

Traditional SIEM’s and the cloud: a sour-sweet combination

As mentioned, Microsoft has an EDR solution called Windows Defender. But it has many more offerings. For instance, they also have specific solutions for protection your valuable data such as Cloud App Security and Office 365 ATP. They can protect your identity with Azure AD, and Azure ATP. Microsoft also has Azure Security Center to protect the assets that run on Microsoft Azure, and there are many more security solutions in their portfolio.

One thing that seemed to be lacking was a central orchestrator. A coordinator for all your security efforts. Something that ties this all together.

In the past years, enterprises would hook up the alerts that Microsoft security solutions were generating and forward them back to their on-premise SIEM solution as part of their cloud security strategy. But they are struggling to keep pace with the increasing volume and variety of data they process. Unhappy users complained about the inability of their SIEMs to scale and the volume of alerts they must investigate.

Enterprises struggling with the cost of data analysis and log storage often turn to open source tools like Elasticsearch, Logstash, and Kibana (ELK) or Hadoop to build their own on-premise data lakes. However, to gain useful insight from the data they collect, they realiz the expense of building and administering these “free” tools is just as great as the cost of commercial tools.

Sentinel, orchestrating your security efforts

This is where Azure Sentinel comes in; a central place to analyze your security data, across all parts of your environment. Cloud security solutions like Azure Sentinel are set to disrupt the SOC, Forrester concludes:

“This week, as thousands of security pros gather in San Francisco for RSA, tech titans Microsoft and Google (Alphabet) launch cyber security tools that promise to disrupt the traditional way of taking in and analyzing security telemetry. Chronicle Backstory (an Alphabet company) and Microsoft Sentinel are cloud-based security analytics tools that are addressing the challenges faced by SOC teams such as:
  • Ingesting security data from multi-cloud and on-premise environments
  • Analyzing large data volumes
  • Alert triage
  • Log management and storage
  • Threat hunting
Chronicle and Microsoft are making these challenges cloud native with virtually unlimited compute, scale, and storage. These vendors have a unique advantage over legacy on-premise tools since they also own their cloud infrastructures and aren’t dependent on buying cloud at list price from would-be competitors.”

Connecting any and all clouds

One could lead to think that this will be an all-Microsoft centered approach. But nothing is truer. While Microsoft has not confirmed this publicly, they are indeed working with other cloud vendors to get their security data programmatically.

If you take a look at the Data Connections section of the Azure Sentinel preview, you already see a placeholder section for connecting the AWS CloudTrail data soon. I’ll write more about this in an upcoming blog.

The Intelligent Security Graph is at the center of this all

I’ve written about what Microsoft’s Intelligent Security Graph is before:

“Microsoft describes ISG as a way to ‘build solutions that correlate alerts, get context for investigation, and automate security operations in a unified manner.”

But with the release of Azure Sentinel, it really amplifies that strategy and makes it come to life. The intelligent security graph is a core piece of Sentinel’s backend to grab the relevant information from other Microsoft services such as Azure ATP, Defender ATP, Azure Security Center, etcetera.

But not only for Microsoft services. Exactly a year ago at RSA 2018, many vendors such as Palo Alto Networks, F5, Symantec, Fortinet and Check Point integrated their solutions into the intelligent security graph. Azure Sentinel leverages those technical integrations to get events from the network.

But not only network vendors integrate with Microsoft’s intelligent security graph. Well-known names such as Anomali, Sailpoint, Ziften and many others have joined the party recently.

Using the dashboards technology already available in Azure, Sentinel is able to provide you with a single pane of glass on the security of your environment. And because of the graph, it provides detailed out of the box drill-down dashboards for those network vendors, as part of your investigation.

Azure Firewall is the perfect example

But it doesn’t stop at getting even data from the network. Microsoft just announced new capabilities in its own Azure Firewall, most notably a feature called Threat intelligence-based filtering.

Azure firewall can now be configured to alert and deny traffic to and from known malicious IP addresses and domains in near real-time. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed powered by The Microsoft Intelligent Security Graph.”

Threat intelligence-based filtering is default-enabled in alert mode for all Azure Firewall deployments, providing logging of all matching indicators. Customers can adjust behavior to alert and deny.

Democratizing AI: meet Azure Sentinel FUSION

Azure Sentinel features something Microsoft calls FUSION. As Microsoft is looking to democratize Artificial Intelligence, they are making it easy to use machine learning as part of your triage.

Instead of sifting through a sea of alerts, and correlate alerts from different products manually, ML technologies will help you quickly get value from large amounts of security data you are ingesting and connect the dots for you.

For example, you can quickly see a compromised account that was used to deploy ransomware in a cloud application. This helps reduce noise drastically.

Conclusion

I agree totally with Joseph Blankenship:

“For security pros that have been around awhile, don’t let your cynicism block the potential advantages your organization could experience by making use of Azure Sentinel. Take off the tinfoil hat and realize that Microsoft is a security company now. What Google and Microsoft have introduced will make the entire industry better, and that’s something to applaud.
The future of cybersecurity, just like the IT resources it protects, is in the cloud. The Tech Titans are staking out a claim and changing the way security solutions are purchased, delivered, and consumed… and it couldn’t come at a better time for the industry.”

Over the course of the next couple of weeks I’ll share my real-world experiences on Azure Sentinel with you in a multi-part blog series at http://www.maartengoet.org.

Part one will be about ‘design considerations for Azure Sentinel’. Stay tuned!

— Maarten Goet, MVP & RD