Microsoft Azure Sentinel – A new generation in cyber security

As leaders within the ever-evolving cyber security sector, we come across the question of “What is Azure Sentinel” quite often. In this blog, we will attempt to answer this question, covering how Azure Sentinel truly represents a real step-change in industry thinking and practice and, how ultimately, Azure Sentinel is far more than just a SIEM.

There can be no denying the fact that, for the past two decades, Microsoft have steadily evolved to become the most secure ecosystem in the world for most customers within the cyber security industry. Azure Sentinel is Microsoft’s answer to what was originally known as the Security Information & Event Management (SIEM) product category. However, it is quite simply, unfair, to refer to Azure Sentinel as just a SIEM.

In order to properly address the question of “What is Azure Sentinel”, first, we must wind the clock back to get a better picture and understanding of how Microsoft, with Azure Sentinel, have completely reshaped the cyber security industry.

Back in the early-2000’s, coming from what we shall refer to as Generation 1 – the big SIEM vendors such as IBM & Hewlett Packard (HP) were developing the big technological breakthroughs which enabled us, for the first time, to centralise data and derive security insights from said data. Fast forward a few years and we come to the point in time that we shall refer to as Generation 2.

Generation 2, starting in the mid-2000’s, allowed for more comprehensive analysis of unstructured data. That being, up until this point, users had very structured data, which had to look a very certain way and also had to be logged in a very certain way, in order for the user to centralise the data. The significant change and true innovation in Generation 2 came about from the realisation that many users don’t actually know what they needed to be analysing, they just knew they had to amalgamate their data with a “thing” and let it do something “smart” with it.

It is around this time that we see the rise of terms such as “big data” and “data visualisation” which, in essence, is the crux of what Generation 2 SIEM’s allowed us to eventually achieve.

However, Generation 2 still represented rather large, costly, on-premise solutions requiring a lot of time and effort to run and manage, as well as the need for large consumption licenses. Enter Azure Sentinel. There are many in the industry who believe that Microsoft, with Azure Sentinel, initiated a real step-change within the cyber security industry.

Federico Charosky, Managing Director of Edinburgh-based cyber security firm, Quorum Cyber, feels that it was very much the arrival of Azure Sentinel in the market which signalled a shift in exactly what a current generation SIEM can and should be able to do:

“In my opinion, what Azure Sentinel did was inaugurate a whole new generation within the industry. It really altered our perception of what a third, or current generation, SIEM should do. It’s not just being able to ingest any form of data out there; and the fact Azure Sentinel allows us to do this in the cloud. But also, the need for on-site physical premises was completely removed, it eradicated the need for large servers, management of the environment, as well as all the overheads which are associated with these factors. Azure Sentinel is a cloud solution, allowing us to ingest as much data as we want, as quickly as we want, it truly has zero restrictions in this regard. On top of all this, Azure Sentinel includes a range of capabilities that, until this point, were traditionally provided by competing products, meaning that in order to achieve, even parity status with Azure Sentinel, on previous generational setups, customers would need to consider these additional features – which, inevitably, come with additional costs.”

And that is why Microsoft developed Azure Sentinel, it allowed their customers to invest smartly, by focussing time and resources on the actual security aspects themselves, eliminating infrastructure complexity and ongoing maintenance. Azure Sentinel is the first cloud-native SIEM produced by a major cloud provider.

Customers who choose Azure Sentinel find they no longer need to concern themselves with storage limit or query limit with Azure Sentinel providing limitless cloud speed and scale. Meaning, customers have the choice to only purchase the resources their organisation actually needs, reducing infrastructure costs by automatically scaling resources.

Yes, Azure Sentinel is a cloud-based SIEM, however, it also has in-built features such as a threat intelligence platform, giving the users the ability to integrate other sources of threat intelligence in order to enrich the data you have brought in from your logs and signals. As if all this wasn’t enough, Microsoft then imbues this data with their own threat intelligence feed, so not only do you have the platform to ingest whatever feed you want it to, but you also have Microsoft’s private feed, which is the biggest source of threat intelligence in the market; with more data on what a threat actor actually looks like than anywhere else.