I got bunch of questions regarding what is the purpose or strategy of using Azure Sentinel when we have Azure Security Center (ASC). Giving the fact that everything Azure Sentinel has can be built within ASC technically. However the purpose of Azure Sentinel would be solely different.
For those who don’t know about Azure Sentinel, here is the introduction.
ASC is designed specifically to help organization to stay compliant with security policy and industrial compliance (e.g ISO, CIS, PCI…). It gives you security earlier in the life cycle of security posture which would minimize vulnerabilities. Also it gives an overall and consistent standard & security controls across your infrastructure (both cloud and on-premises). There is actually lack of the ability for proactive security engineer to do their job (e.g threat hunting and dynamic threat detection..). Custom Alert Rule feature in ASC is really limited, and would be only tighten into Log Analytics workspace only (where use case would be to monitor individual activity…). The target audience of ASC is Sec and Compliance Admin.
Azure Sentinel is an extended value to your security posture when it provides you the real ability to proactively deal with security threat. As stated Azure Sentinel is a SIEM-As-A-Service (of course it has been recently released so there is not much hope to see it be comprehensive like big boys like Splunk, Qradar…). But there are number of features which a general SIEM would have will be soon available to you. For example you are seeing the integration capability to gather data from Azure and other sources such as AWS, Palo Alto, Juniper, Cisco (I believe there will be more than these things). Another capability is Case Management for Security Incident which ASC doesn’t have. A Case Management gives you a powerful visualization with more than 15 entities to help you perform deep investigation across your environment when a breach occurs (it is completely imperative for an APT attack). You’d probably see how Microsoft categorizes bunch of stages in Azure Sentinal’s Hunting capability. It would be much helpful for APT detection and prevention.
And another vision of Azure Sentinel is Bring Your Own Data. You have your data and you’d like to normalize it with your ML model which would expect to be more accurate to detect a threat rather than relying on a traditional signature-based detection. I’d say it is a Proactive Data Exploration which modern SecOps engineer would need. What I’ve seen is the ingratiation of Azure Notebook to do with Python.
Azure Sentinel is really really targeted to Proactive Security. I must have emphasized the word “Proactive” number of different times here. But it is how Azure Sentinel is about to you. Once you realize how proactive you must be, you’d love Azure Sentinel more. In a nutshell, what is your opporutnity as a proactive security engineer when working on Azure Sentinel? Here they are:
- Solid integration with intelligence from Microsoft services (Office 365, APT, Azure..) and 3rd party (F5, Palo Alto, Symantec…)
- Bring your own data or AI model to improve signal-to-noise.
- Graphical AI-based investigation to reduce investigation time-to-insights.
In real-world you’d need to combine both ASC and Azure Sentinel. ASC would be your friend to achieve the first maturity level while Azure Sentinel is the upper one. And whether you are responsible for Detection or Hunting, Azure Sentinal fits you both.