Microsoft Sentinel, previously known as Azure Sentinel, is Microsoft's scalable, cloud-native SIEM (security information and event management) and SOAR (security orchestration, automation and response) solution.
It delivers security analytics and threat intelligence across the enterprise, providing a single platform for attack detection, threat visibility, proactive hunting and threat response. Machine learning (ML) is built into the product: Sentinel ships with ML-based analytics that run over the data types connected to the workspace, covering the common threat categories those sources can reveal.
It also supports users who want to bring or build their own ML models on top of the platform.
As a cloud-native technology, Sentinel integrates directly with the wide array of Azure and Microsoft security solutions, such as endpoint protection platforms, endpoint detection and response (EDR) solutions and cloud access security brokers (CASBs). Microsoft's own ecosystem of natively integrated products includes Microsoft 365 Defender, Azure Defender, Office 365 and Azure itself.
Sentinel is not limited to Microsoft services, however: it also offers a large catalogue of vendor- and community-provided data connectors covering the major cloud platforms and a wide range of hardware and software products.
“Where it probably makes most sense would be if the customer has some aspect of Microsoft in their hybrid topology, but they don’t need to be 100 percent in,” says Jonathan Black, Lead Enterprise Architect at AC3.
AC3’s Microsoft Sentinel Design and Build program provides customers with an experienced cyber security expert who will workshop, design and build the platform in line with Microsoft best practices.
Sentinel also exposes its capabilities through REST APIs, so organisations can query data, manage content and drive automation programmatically rather than solely through the Sentinel workspace interface in the Azure portal. That makes it appealing to organisations that want to integrate the platform into their own tooling and workflows.
“As with all security products there is customisation and configuration of alert rules and thresholds,” says Black.
Getting started is a relatively easy process, he adds, but it benefits from expert guidance. Once the workspace is running, automation can be layered on top to remediate alerts and drive other processes.
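To make the “alert rules and thresholds” point concrete, the following is an added example of a threshold-based scheduled analytics rule query, written here for illustration and not taken from the page or from AC3’s own content. It assumes the Azure AD sign-in connector is enabled (so the SigninLogs table exists); the threshold and lookback values are assumptions to be tuned per environment.

```kusto
// Added example (not from the page or AC3): scheduled analytics rule query that
// flags source IPs generating many failed sign-ins across one or more accounts.
// Assumes the Azure AD SigninLogs connector is enabled; threshold/window are assumed values.
let threshold = 10;   // failed sign-ins per source IP before an alert fires
let window = 1h;      // set the rule's lookback period to the same value
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType != "0"             // ResultType "0" is success; anything else is a failure
| summarize FailedCount = count(),
            Accounts = make_set(UserPrincipalName, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress
| where FailedCount >= threshold
| extend AccountCount = array_length(Accounts)
| project IPAddress, FailedCount, AccountCount, Accounts, FirstSeen, LastSeen
| sort by FailedCount desc
```

When saving this as a scheduled rule, map the IPAddress column to the IP entity and UserPrincipalName (from Accounts) to the Account entity so that incidents carry the entities needed for investigation and for any automated response. Raising the threshold, or adding a `where AccountCount > 1` filter for password-spray behaviour, is the kind of per-environment tuning the quote above refers to.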
COSTINGS
As with most SIEM solutions, price depends on the volume of logs and events ingested each day, measured in gigabytes: the more gigabytes ingested, the greater the cost.
Customers choose between pay-as-you-go pricing and commitment tiers (reserved daily capacity at a discounted rate), and extended services such as data retention beyond the included period, automation or ‘build your own ML’ are charged separately.
“If you’re selective on what you’re sending to the platform, it can be fairly cost-efficient,” says Black. “If you throw everything at it, your prices are going to increase.”
Microsoft also grants data allowances for certain Microsoft 365 user licences: up to 5 MB per user per day of eligible data can be ingested at no charge, and some Microsoft data sources, such as Azure Activity and Office 365 audit logs, are free to ingest regardless.
AC3 also offers a best practice review for organisations that have already stood up Sentinel but are not sure whether they are getting the most out of the platform.
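Because cost is driven by billable ingestion per table, the first practical check is to see which data types are actually consuming the budget. The following is an added example query against the workspace’s built-in Usage table, written here for illustration and not taken from the page or from AC3; it assumes nothing beyond a Log Analytics workspace with some data in it. Note that the per-user allowance mentioned above applies only to specific tables, so compare the per-table figures against Microsoft’s current list of eligible data types rather than against the grand total.

```kusto
// Added example (not from the page or AC3): billable ingestion per table over
// the last 30 days, with daily average and share of the billable total.
// Usage.Quantity is reported in MB; IsBillable separates free and paid data.
let lookback = 30d;
let totalMB = toscalar(
    Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize sum(Quantity));
Usage
| where TimeGenerated > ago(lookback) and IsBillable == true
| summarize TotalMB = sum(Quantity) by DataType
| extend TotalGB       = round(TotalMB / 1024.0, 2),
         AvgGBPerDay   = round(TotalMB / 1024.0 / (lookback / 1d), 3),
         PctOfBillable = round(100.0 * TotalMB / totalMB, 1)
| project DataType, TotalGB, AvgGBPerDay, PctOfBillable
| sort by TotalGB desc
```

Tables at the top of this list are the candidates for the selectivity Black describes: filtering at the source, routing low-value verbose logs elsewhere, or dropping them entirely. Re-running the query after such changes shows directly whether the daily average, and therefore the bill, has moved.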
HOW AC3 CAN HELP YOU LEVERAGE SENTINEL
Professional services:
- Microsoft Sentinel Best Practice Assessment – one-off analysis on Sentinel environment and business security practices
- Microsoft Sentinel Design and Build – one-off project to design and build fresh Sentinel instance
Managed services:
- SIEM Platform Management – entire SIEM platform management
- Managed Detection and Response for SIEM – security alert management and advice on incidents
- SecOps – customisable response purchased in committed hours per month