The RSA Security Conference is taking place this week (travel advice: stay away from Moscone Center in San Francisco this week if you can!). Microsoft announced, prior to the start of the conference, Azure Sentinel, an Azure-based SIEM (Security Information and Event Manager). Bonus coverage: see here for a nice Azure Sentinel video, and here for another article describing the announcement.
As I’ve consulted with customers looking to get on a proper security footing, I’ve been bothered by the inability to be proactive about threat management. We spend a lot of time enhancing our ability to react to threats, but we know it isn’t enough. We also know that we don’t have the staff to go chasing down threats; there’s a shortage of cybersecurity professionals out there. All this means that we need automated methods of analyzing and chasing down threats. Azure Sentinel looks like it has a lot of tools for this.
If Azure Sentinel can deliver on automating the most common security management tasks, that will be big. If its AI algorithms can separate signal from noise and therefore reduce alert fatigue, that will also be big.
Azure Sentinel: What’s to Like
Perhaps one of the most appealing aspects of Azure Sentinel is its pricing. I’ve written before about the focus of security vendors (especially startups) on Fortune 500 organizations and governments—leaving a gap in the market for small and mid-sized organizations (most of our customer base). Azure Sentinel pricing is consumption based. Consumption pricing will benefit smaller organizations, since the amount of log data they present for analysis will be much smaller than for large organizations. And BTW, since Azure Sentinel is in beta, you can try it for free right now.
Here are some other things to like about Azure Sentinel.
- It’s cloud-based (natch). This means it will scale with the organization’s security needs in an easy manner.
- Azure Sentinel incorporates on-premises as well as cloud-based security endpoints—users, applications, servers and the like.
- It works outside of the Microsoft “stack.” You can connect Azure Sentinel to solutions from Palo Alto Networks, F5, Symantec, Fortinet and Check Point. And there’s an API for connecting to other solutions via protocols such as Syslog.
Azure Sentinel: What’s Not to Like
This looks like a promising solution. But you’ll want to step carefully for a couple of reasons.
- There are lots of security solutions (hello, Cisco) that don’t yet have built-in Azure Sentinel connectors. Waiting for someone else to do this kind of programming might be a wise move.
- There’s lots of power here, which also means the potential for lots of complexity. (I heard a reference to writing a Perl script in the video linked above.) Remember: you’re trying to ramp up security without having to hire a security specialist (which, by the way, is the hardest IT position to fill right now!). And as fun as it might be to geek out with Azure Sentinel, you really should be spending your time with stakeholders and staff.
Evaluation Would Be a Good Next Step
I’ll be pressing our CTO to sign up for the Azure Sentinel beta. We need to see if it can deliver real value to us and our customers.
It could be worthwhile for you to sign up for the beta and evaluate Azure Sentinel as well. See what it can tell you about threats in your network. Which out-of-the-box capabilities are useful? Does Azure Sentinel help you take a proactive (vs. reactive) stance with regard to threat management? Answering these questions could help you understand whether Azure Sentinel is the right SIEM solution at the right price.