Microsoft Exec: Initial Response to Azure Sentinel Has Been ‘Overwhelming’

There has been an “overwhelming response” to Azure Sentinel, Microsoft’s new cloud-native security information and event management (SIEM) solution with built-in artificial intelligence (AI) and automation, since it became available as part of a public preview in early 2019, according to Ann Johnson, corporate VP of cybersecurity at the company.

More than 12,000 customers joined the Preview program and Sentinel is now generally available, she said Sept. 26 during an Azure Security Expert Series webinar called “Empower Your Security Operations with Azure Sentinel.”

Microsoft has “continuously evolved the service capabilities to match [the] growing needs” of users, she noted.

As the value of digital information increases, so do the number and sophistication of cyberattacks, according to Microsoft. Traditional SIEM solutions are failing to protect today’s infrastructure from the volume and speed of threats and security operations (SecOps) teams spend far too much time and money on tasks such as infrastructure setup and maintenance, the company said ahead of the webinar.

Sentinel was designed to address those issues. Organizations need to keep up with the pace and the scale of cyberattacks and Sentinel can help them, while modernizing an organization’s security operations, Johnson noted during the webinar.

“Traditional security information and event management solutions have not kept pace with the digital environment,” she told listeners, explaining: “I commonly hear from customers that they are spending more time with deployment and maintenance of SIEM solutions and they are unable to handle the volume of data or the agility of our adversaries. This is why Microsoft knew the cloud was critical to the SIEM solution. The cloud enables a new class of intelligent security technologies to reduce complexity and to integrate with the tools that you depend upon. Azure Sentinel is that cloud-native SIEM which enables security across the entirety of your enterprise in a very intelligent way.”

Using Azure Sentinel, an organization does “not need to deploy or maintain any infrastructure on-prem,” she pointed out, adding: “You can just scale automatically in the cloud as you need. Azure Sentinel collects and analyzes data from all sources on-prem, to Azure itself and even throughout other cloud environments, and it provides built-in artificial intelligence and automation to help you respond to threats faster.”

It’s also “backed by Microsoft’s unique threat intelligence gained from analyzing trillions of diverse signals globally on a daily basis,” she said, noting Azure Sentinel “blends the insights of Microsoft experts and artificial intelligence with the unique insights and skills of your own in-house defenders to uncover the most sophisticated attacks.”

Other Microsoft security leaders also explained how Sentinel is transforming SecOps.

John Lambert, general manager of the Microsoft Threat Intelligence Center, said the center was started five years ago to focus on adversary-based threats to Microsoft customers. He told listeners: “Attackers study customers. They study technology. We study back.”

Sentinel has improved the operations of those who signed up to use the Preview, he said, noting Microsoft has worked with them to understand their data and collaborate on threat scenarios.

Discussing a major problem that the industry faces, Steve Dispensa, director of program management for Cloud +AI Security at Microsoft, pointed out: “The digital footprint continues to expand” for his company’s customers. “Data and volumes are growing exponentially, and what we have found is that the traditional on-premises solutions to these problems are just not scalable any longer,” he said.

Citing one major focus of Sentinel, he noted: “We are working to empower our customers to focus on security and not just on infrastructure maintenance.”

In addition to investing heavily in AI and automation, Microsoft is also using machine learning (ML) in Sentinel and, in fact, the company “designed the whole product with ML right from the beginning,” he said. Noting that “alert fatigue is real [and] a serious problem,” he said it’s “exacerbated by the fact that resourcing is thin [and] there aren’t enough analysts” at organizations. Sentinel’s built-in ML detection used to search the user’s data can help address that, he indicated.

On pricing, he said Sentinel was designed to be a “cost-effective SIEM,” noting customers pay only for what they use and can pay as they go. Adding more value to the offering, “we’re enabling data ingestion from Office 365 audit logs, Azure activity logs and also the Microsoft Threat Protection solutions at no additional cost,” he said, adding: “This will be a huge cost and complexity savings for our customers.”