Microsoft has bet that its latest public cloud tool will juice up its Azure cloud platform security posture and keep pace with rivals such as AWS and Google.
Azure Sentinel, now in preview, is a security information and event management (SIEM) tool that uses machine learning algorithms to pinpoint and surface the
Azure Sentinel’s goal is to reduce “alert fatigue,” which can occur when security analysts wade through oceans of alert data to find the most pressing threats. Its algorithms, which use Microsoft’s own machine learning models developed for its cloud services, cull millions of low-fidelity anomalies to identify and present a few high-fidelity security incidents, Microsoft said in a blog post.
Data scientists also can bring their own preferred models into Sentinel via the Azure Machine Learning service. Sentinel also offers a set of proactive hunting queries derived from work by Microsoft’s internal incident response teams.
Customers also can use Azure Notebooks, which are based on the open-source Jupyter project, to model threats. Azure Sentinel includes automated threat response capabilities via pre-defined or custom-built playbooks.
Azure Sentinel was built natively on Azure and has a pay-as-you-go model. These are advantages over traditional SIEM systems because they remove the complexity of setup and management and keep costs in check, according to Microsoft.
It integrates with third-party security platforms from vendors such as Fortinet, Symantec and Check Point, as well as Microsoft’s Graph Security API. Customers can use the latter to repurpose existing threat intelligence feeds and create custom detection and alert rules.
Companies can join the Sentinel preview at no charge, and prices will be determined at a later date, according to Microsoft. To generate interest among its installed base, Microsoft will allow customers to move their Office 365 activity data into Azure Sentinel at no charge. The tool can also ingest data from third-party application sources to give a full picture of security threats.
Azure Sentinel may have
In some ways, Sentinel is similar to AWS GuardDuty, a threat detection service that scans for malicious activity across a customer’s AWS accounts. Like Sentinel,
It would be wrong to classify
Meanwhile, Google Cloud has Stackdriver, which is
As for Sentinel, the proof will be in the pudding, Mogull said. “We need to see how well it works in customers’ hands and if this is going to be able to replace their existing SIEM and SOC [security operations center],” he said.
Microsoft also must be careful not to confuse customers, and explain how Azure Sentinel relates to or complements existing products, Mogull said.
Rich Mogull, analyst at Securosis
“Having a cloud-native SIEM like [Sentinel] is great,” he said. “But do I use this, do I use [Azure] Security Center, do I use both? Why have you not consolidated those? It’s a market-confusion question.”
“I don’t see Microsoft and Sentinel competing for big accounts right away,” Ogren said. “It takes time to figure out how to do a SIEM properly.”
However, heightened concerns about cybersecurity these days mean less of a perception problem for products like Azure Sentinel, Ogren said. It also could draw interest from smaller companies that fancy Azure Sentinel’s subscription pricing model and managed aspects.
“Five years ago, security officers had the willies about shipping security data into the cloud,” he said. “The resistance to that has largely gone away.”