
Azure Sentinel adds AI-driven SIEM for cloud security

Azure Sentinel, Microsoft's take on a security information and event management platform, relies on AI for threat detection and competes with the likes of Splunk.

Microsoft has bet that its latest public cloud tool will juice up its Azure cloud platform security posture and keep pace with rivals, such as AWS and Google.

Azure Sentinel, now in preview, is a security information and event management (SIEM) tool that uses machine learning algorithms to pinpoint and surface the most serious threats out of a sea of alerts. The tool relies, in part, on Azure Monitor, whose log analytics database ingests more than 10 PB of information each day. It accepts standard log formats, such as syslog and Common Event Format (CEF).

Azure Sentinel's goal is to reduce alert fatigue, which can occur when security analysts wade through oceans of alert data to find the most pressing threats. Its algorithms, which use Microsoft's own machine learning models developed for its cloud services, cull millions of low-fidelity anomalies to identify and present a few high-fidelity security incidents, Microsoft said in a blog post.
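The two ideas in the preceding paragraphs, ingesting syslog-wrapped CEF records and collapsing many low-fidelity events into a few high-fidelity incidents, are concrete enough to show in code. The block below is an added example written for this page, not Microsoft's or Azure Sentinel's own code: it parses CEF (including the backslash escapes for `|` and `=` that the format requires), then applies one hand-written correlation rule (a burst of authentication failures from one source address followed by a success from the same address) in place of the machine learning Sentinel uses. The vendor name, the `AUTH_FAIL`/`AUTH_OK` signature IDs, the epoch-millisecond `rt` timestamps and the log lines themselves are constructed for the example.

```python
"""Parse CEF records and correlate many low-fidelity events into one incident."""
import re
from collections import defaultdict

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Device Event Class ID|Name|Severity|[Extension]
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")
SEVERITY_WORDS = {"low": 2, "medium": 5, "high": 8, "very-high": 10}

# Split on '|' not preceded by a backslash ('\|' is an escaped pipe inside a field).
_PIPE = re.compile(r"(?<!\\)\|")
# Extension is 'key=value key2=value2'; values may contain spaces, so a value
# runs lazily up to the next ' key=' or end of line. '\=' is an escaped '='.
_EXT = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def _unescape(s: str) -> str:
    return s.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def parse_cef(line: str) -> dict:
    """Parse one CEF record, optionally preceded by a syslog PRI/timestamp/host."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    rec = {k: _unescape(v) for k, v in zip(CEF_HEADER_FIELDS, parts)}
    sev = rec["severity"]
    rec["severity"] = int(sev) if sev.isdigit() else SEVERITY_WORDS.get(sev.lower(), 0)
    ext = parts[7] if len(parts) == 8 else ""
    rec["ext"] = {k: _unescape(v) for k, v in _EXT.findall(ext)}
    return rec


def correlate(lines, window_ms=300_000, threshold=5):
    """Return incidents: >= threshold AUTH_FAIL events from one source address
    within window_ms, followed by an AUTH_OK from that same address.
    Every other event is a low-fidelity anomaly and produces nothing."""
    events = sorted((parse_cef(l) for l in lines),
                    key=lambda r: int(r["ext"].get("rt", "0")))
    failures = defaultdict(list)  # src -> timestamps (ms) of failures seen so far
    incidents = []
    for ev in events:
        src = ev["ext"].get("src")
        if src is None:
            continue
        ts = int(ev["ext"].get("rt", "0"))
        if ev["signature_id"] == "AUTH_FAIL":
            failures[src].append(ts)
        elif ev["signature_id"] == "AUTH_OK":
            recent = [t for t in failures[src] if ts - t <= window_ms]
            if len(recent) >= threshold:
                incidents.append({
                    "rule": "Credential brute force followed by success",
                    "src": src, "user": ev["ext"].get("suser"),
                    "failures": len(recent), "first_seen": recent[0],
                    "last_seen": ts, "severity": 8,
                })
            failures[src].clear()  # a success resets the counter for that source
    return incidents


# Constructed sample input (not real captures): 11 events, deliberately out of order.
_BASE = 1_551_348_000_000  # epoch milliseconds
_HDR = "<134>Feb 28 10:00:00 fw01 CEF:0|ExampleVendor|VPN|1.0|"
SAMPLE_LOGS = [
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=203.0.113.7 suser=alice rt={_BASE + 1000}",
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=198.51.100.9 suser=bob rt={_BASE + 5000}",
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=203.0.113.7 suser=alice msg=Bad password for alice rt={_BASE + 20000}",
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=203.0.113.7 suser=alice rt={_BASE + 12000}",
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=198.51.100.9 suser=bob rt={_BASE + 9000}",
    _HDR + f"AUTH_OK|Authentication succeeded|1|src=198.51.100.9 suser=bob rt={_BASE + 15000}",
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=203.0.113.7 suser=alice rt={_BASE + 31000}",
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=203.0.113.7 suser=alice msg=policy\\=strict rt={_BASE + 45000}",
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=192.0.2.44 suser=carol rt={_BASE + 300}",
    _HDR + f"AUTH_FAIL|Authentication failed|3|src=203.0.113.7 suser=alice rt={_BASE + 58000}",
    _HDR + f"AUTH_OK|Authentication succeeded|1|src=203.0.113.7 suser=alice rt={_BASE + 70000}",
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(inc)
```

With the default threshold the eleven sample events reduce to a single incident for 203.0.113.7 (six failures, then a success); bob's two failures and carol's single one never surface. Lowering `threshold` to 2 promotes bob's sequence to a second incident, which is the fidelity trade-off any such rule, learned or hand-written, has to make.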

Data scientists also can bring their own preferred models into Sentinel via the Azure Machine Learning service. Additionally, Azure Sentinel offers a set of proactive hunting queries derived from work by Microsoft's internal incident response teams.

Customers can use Azure Notebooks, which are based on the open source Jupyter notebook project, to model threats. Azure Sentinel includes automated threat response capabilities via predefined or custom-built playbooks.

Sentinel was built natively on Azure and has a pay-as-you-go model. These are advantages over traditional SIEM systems, because they remove the complexity of setup and management and keep costs in check, according to Microsoft.

It integrates with third-party security platforms from vendors such as Fortinet, Symantec and Check Point, as well as the Microsoft Graph Security API. Customers can use the latter to reuse existing threat intelligence feeds and create custom detection and alert rules.

Companies can join the Sentinel preview at no charge, and prices will be determined at a later date, according to Microsoft. To generate interest among its installed base, Microsoft will allow customers to move their Office 365 activity data into Azure Sentinel at no charge. The tool can also ingest data from third-party application sources to give a full picture of security threats.

[Figure: Azure Sentinel dashboard] Azure Sentinel provides a GUI that security teams can use to track threats and take defensive actions.

Azure Sentinel may have uphill battle

In some ways, Sentinel is similar to Amazon GuardDuty, a threat detection service that scans for malicious activity across a customer's AWS accounts. Like Sentinel, GuardDuty incorporates machine learning and ties alerts into its console and Amazon CloudWatch Events, so teams can take corrective actions.


It would be wrong to classify GuardDuty as a SIEM, however, said Rich Mogull, analyst and CEO of Securosis, a security consulting and research firm located in Phoenix. "It's more like a threat intelligence feed you would send to your SIEM," he said.

Meanwhile, Google Cloud has Stackdriver, which is a more generalized monitoring and logging service, and third-party providers such as Sumo and Splunk offer cloud-based SIEMs, Mogull added.

As for Sentinel, the proof will be in the pudding, Mogull said. "We need to see how well it works in customers' hands and if this is going to be able to replace their existing SIEM and SOC [security operations center]," he said.

Microsoft also must be careful not to confuse customers and explain how Azure Sentinel relates to or complements existing products, Mogull said.

"Having a cloud-native SIEM like [Sentinel] is great," he said. "But do I use this? Do I use [Azure] Security Center? Do I use both? Why have you not consolidated those? It's a market confusion question."

There's a strong appetite among enterprise IT shops for cloud-based SIEMs, as evidenced by the financial results of companies like Splunk, said Eric Ogren, an analyst at 451 Research. However, historically, SIEMs are big-ticket items bought by large companies or ones in highly regulated industries.

"I don't see Microsoft and Sentinel competing for big accounts right away," Ogren said. "It takes time to figure out how to do a SIEM properly."

However, heightened concerns about cybersecurity these days mean less of a perception problem for products like Azure Sentinel, Ogren said. It also could draw interest from smaller companies that fancy Azure Sentinel's subscription pricing model and managed aspects.

"Five years ago, security officers had the willies about shipping security data into the cloud," he said. "The resistance to that has largely gone away."
