Azure Sentinel adds AI-driven SIEM for cloud security – TechTarget


Microsoft has bet that its latest public cloud tool will juice up its Azure cloud platform security posture and keep pace with rivals such as AWS and Google.

Azure Sentinel, now in preview, is a security information and event management (SIEM) tool that uses machine learning algorithms to pinpoint and surface the most dire threats out of a sea of alerts. The tool relies, in part, on Azure Monitor, which incorporates a log analytics database that ingests more than 10 PB of information each day. It uses standard log formats such as syslog and Common Event Format (CEF).

Azure Sentinel’s goal is to reduce “alert fatigue,” which can occur when security analysts wade through oceans of alert data to find the most pressing threats. Its algorithms, which use Microsoft’s own machine learning models developed for its cloud services, cull millions of low-fidelity anomalies to identify and present a few high-fidelity security incidents, Microsoft said in a blog post.

Data scientists also can bring their own preferred models into Sentinel via the Azure Machine Learning service. Sentinel also offers a set of proactive hunting queries derived from work by Microsoft’s internal incident response teams.

Customers also can use Azure Notebooks, which are based on the Jupyter open-source data visualization projects, to model threats. Azure Sentinel includes automated threat response capabilities via pre-defined or custom-built playbooks.

Azure Sentinel was built natively on Azure and has a pay-as-you-go model. These are advantages over traditional SIEM systems because they remove the complexity of setup and management and keep costs in check, according to Microsoft.


It integrates with third-party security platforms from vendors such as Fortinet, Symantec and Check Point, as well as Microsoft’s Graph Security API. Customers can use the latter to repurpose existing threat intelligence feeds and create custom detection and alert rules.

Companies can join the Sentinel preview at no charge, and prices will be determined at a later date, according to Microsoft. To generate interest among its installed base, Microsoft will allow customers to move their Office 365 activity data into Azure Sentinel at no charge. The tool can also ingest data from third-party application sources to give a full picture of security threats.

Azure Sentinel may have uphill battle

In some ways, Sentinel is similar to AWS GuardDuty, a threat detection service that scans for malicious activity across a customer’s AWS accounts. Like Sentinel, GuardDuty incorporates machine learning, and ties alerts into its console and AWS CloudWatch Events so teams can take corrective actions.

It would be wrong to classify GuardDuty as a SIEM, however, said Rich Mogull, analyst and CEO of Securosis, a security consulting and research firm located in Phoenix. “It’s more like a threat intelligence feed you would send to your SIEM,” he said.

Meanwhile, Google Cloud has Stackdriver, which is a more generalized monitoring and logging service, and third-party providers such as Sumo and Splunk offer cloud-based SIEMs, Mogull added.

As for Sentinel, the proof will be in the pudding, Mogull said. “We need to see how well it works in customers’ hands and if this is going to be able to replace their existing SIEM and SOC [security operations center],” he said.

Microsoft also must be careful not to confuse customers, and explain how Azure Sentinel relates to or complements existing products, Mogull said.


“Having a cloud-native SIEM like [Sentinel] is great,” he said. “But do I use this, do I use [Azure] Security Center, do I use both? Why have you not consolidated those? It’s a market-confusion question.”

There’s strong appetite among enterprise IT shops for cloud-based SIEMs, as evidenced by the financial results of companies like Splunk, said Eric Ogren, an analyst with 451 Research, a research firm in New York. Historically, however, SIEMs have been big-ticket items bought by large companies or by ones in highly regulated industries.

“I don’t see Microsoft and Sentinel competing for big accounts right away,” Ogren said. “It takes time to figure out how to do a SIEM properly.”

However, heightened concerns about cybersecurity these days mean less of a perception problem for products like Azure Sentinel, Ogren said. It also could draw interest from smaller companies that fancy Azure Sentinel’s subscription pricing model and managed aspects.

“Five years ago security officers had the willies about shipping security data into the cloud,” he said. “The resistance to that has largely gone away.”


