Blog Why Azure Sentinel offers best SIEM value

By Insight Editor / 16 Feb 2021 / Topics: Cloud Microsoft Azure

For some time now, the technology industry has made the case that ‘data is the new oil’. But, like any mineral deposit, the presence of data alone does not determine its value. Instead, value results only when that deposit is put to good use.

With information security, there is and always has been plenty of data to work with. So much so that one of the major challenges is making sense of it all, a task which once fell to trained experts who would pour over endless logs, looking for exceptions, patterns, evidence of unusual, dangerous or unexplained activity. Sure, they’d use technology tools to help, but a sharp set of eyes was (and in some cases is) the essential factor in identifying trouble.

If that sounds terrifically retro in times where artificial intelligence is doing everything from driving cars around to assisting with managing schedules, well, it is.

The limitations of this approach led to the introduction of Security Incident and Event Management solutions around the time when large enterprises were busying themselves with Payment Card Industry Association Data Security Standard (PCI-DSS) compliance; SIEM has subsequently become an essential service for most companies.

This is where the core of the Azure Sentinel value proposition becomes clear. As a catch-all for all security data, Sentinel gathers information from across your enterprise, then applies intelligence, helping you move from reactive threat management towards proactive control.

Now, for those unfamiliar with Sentinel, it is Microsoft’s SIEM solution which was first introduced just over a year ago. Sentinel is ‘cloud native’, resides in the Azure platform and in a nutshell, it tracks, stores and analyses the behaviours of pre-defined targets.

Here’s a more detailed look at what Sentinel does:

Collects data at cloud scale—across all users, devices, applications and infrastructure, both on-premises and in multiple clouds
Detects previously uncovered threats and minimises false positives using Microsoft analytics and threat intelligence
Investigates threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft
Responds to incidents rapidly with built-in orchestration and automation of common tasks

Whilst doing that, and as you might expect, Sentinel consumes large volumes of data from just about everything connected to the corporate network - from individual user devices, right through to back-end servers and storage, whether on-premise or in the cloud.

Now, with any SIEM implementation, cost is always a concern. Did I mention data? And quantity? All the logs, security events and so on constantly generated every time a mouse is clicked, an email sent, or a keyboard tapped on, has to go somewhere. This has an overhead; not only must that data reside somewhere but turning it from raw data into the “good oil” of useful information demands computing power. Storage + compute = expensive. Storage + compute + analysts = very expensive.

Consider the total cost…and value

But here’s the good news. The total cost of ownership for Microsoft Sentinel is highly competitive. In fact, a recent Forrester Total Economic Impact study on Sentinel shows just how well the solution performs, with headline findings including:

A three-year 201 percent return on investment (ROI) with a payback period of less than six months.
A 48 percent reduction in costs compared to legacy SIEM solutions, saving on expenses like licensing, storage, and infrastructure costs.
A 79 percent reduction in false positives and 80 percent reduction in the amount of labor associated with investigation, reducing mean time to resolution (MTTR) over three years.
A 67 percent decrease in time to deployment compared to legacy on-premises SIEMs.

I’ve bolded the third point, because this ties directly back to security analysts and engineers spending their time identifying security threats. If your people are investing their time on security analysis, you are investing your money on security analysis!

This is the central and key point of Sentinel. Having data is easy. Storing it is easy (and costly, especially if nothing is being done with it!) Putting it to use is the tricky bit, and that’s exactly what Sentinel does for you.

Finally, note that Sentinel represents a key component in Microsoft’s ongoing big push into security; with native protection included in products like Microsoft 365, Sentinel integrates seamlessly with other Microsoft services like Azure Security Center and Azure Active Directory, and offers connectors for services including as Cloud App Security and Information Protection; third-party connectors consume data from the typically heterogenous environment you’re likely to be running, including Cisco, Check Point, Palo Alto Networks, and many more.

The central and defining feature of Sentinel is the incorporation of Microsoft’s machine learning and artificial intelligence (AI) technology. This effectively does the job of security analysts by putting all that data to work, analysing, contextualising and ‘understanding’ the security landscape, and then automatically adapting to evolving threats. (Threats, of course, evolve constantly, because although devious, hackers and other bad actors are undoubtedly also ingenious and highly motivated).

And it is called Sentinel for a good reason – because it stands watch over your enterprise, tirelessly.