Azure Sentinel and various new security offerings showcased at Ignite.
Microsoft is extending its Azure Security Center portfolio with new offerings and integrations with various alliance partners. The new security capabilities introduced at last week’s Microsoft Ignite in Orlando include enhancements to the company’s Advanced Threat Protection service, Azure Active Directory and new Azure Sentinel Security Information and Event Management (SIEM) platform.
Azure Sentinel, first previewed earlier this year at the RSA Conference and released in late September, is Microsoft’s ambitious effort to disrupt the market for SIEM. Microsoft claims that Azure Sentinel can do so because it’s a cloud-native platform designed to give those who operate security operations centers (SOCs) a more modern approach to detecting and defending against threats. Microsoft also claims that its new SIEM uses Azure’s machine learning and AI capabilities to perform predictive analytics at a scale traditional SIEMs can’t achieve.
Early target adopters of Azure Sentinel are among the largest of global enterprises and managed security service providers (MSSPs). So far, approximately 20 MSSPs have deployed Azure Sentinel for their SOCs — among them are Accenture, Insight and Trustwave, according to Ann Johnson, corporate VP for Microsoft’s cybersecurity solutions group.
In advance of Microsoft Ignite, large global services integrator Insight announced its plans to offer managed security services with Microsoft Azure Sentinel to provide threat detection, reporting and around-the-clock monitoring of alerts provided by the new SIEM. The services will include automated notification and response. Insight also said it will use Azure Sentinel as the SIEM for its managed SOC and will offer consulting services that include enterprise assessments and solution options using the new SIEM platform.
“We are in a unique position to help clients take full advantage of Microsoft’s new SIEM and SOAR [security orchestration, automation and response] tool to improve their security analytics, respond to incidents rapidly with built-in orchestration and automation, and keep their SIEM costs under control,” according to a prepared statement by Shawn O’Grady, Insight’s SVP and general manager of its cloud and data-center transformation business.
Now that Microosft has trained some of the largest MSSPs, Johnson said the company plans to focus on regional providers. During an interview at Ignite, Johnson told Channel Futures that Azure Sentinel is well-suited to regional and small MSSPs as an alternative to on-premises SIEMs.
“Because it’s a cloud-native SIEM, you actually aren’t held to the legacy environment that you have with on-premises SIEMs,” Johnson said. “For an MSSP, it provides elastic scaling up and down for their environments. Azure Sentinel also offers the ability to perform threat intelligence and global intelligence with machine learning across the cloud at global scale, and in real time, which is something that you cannot do with an on premise SIEM.”
Traditional SIEMs function primarily as log collectors, she added, arguing they never evolved beyond that to offer advanced security analytics. While offerings such as RSA Security Analytics and Splunk Enterprise Security are SIEMs that offer such capabilities, Johnson said they can’t scale to the extent Azure Sentinel can.
“MSSPs can actually provide a very elastic offering for their customers with Azure Sentinel and they’re not actually dedicating hardware to it,” she said “As a result, the margins for them improve, because they can be very elastic in scaling up and down for their customers, they can take advantage of our threat intelligence, which is on a global scale — we see a billion signals a day.”
While many partners and customers have kept their work with Azure Sentinel close to the vest, Johnson note
one of its partners is working with a very large enterprise to modernize its SOC with Azure Sentinel by migrating them from IBM.
“The partner is going to manage it as a managed SOC project,” she said.
When Microsoft released Azure Sentinel, it included connectors to nearly 200 different third-party systems from various providers who can share telemetry such as Cisco and ServiceNow. At Ignite, Microsoft announced integrations with three additional alliance partners: Barracuda, Citrix and Zscaler. Microsoft also said that it is releasing new hunting queries and machine learning-based detections to make it easier for security analysts to identify and prioritize the most notable events.
In other security-related news at Ignite, Microsoft announced:
- Insider Risk Management for Microsoft 365 — a new capability now in preview that uses the Microsoft Graph and telemetry from other systems such as HR apps to detect potential patterns that may pose risks.
- Microsoft Authenticator, the multifactor authentication app, is now included in the Azure AD free plan.
- Microsoft Defender ATP: The endpoint protection and response tool for Windows is coming to MacOS. It’s now in preview, with planned support for Linux servers as well.