According to a new Ovum report, “[Azure Sentinel]…positions [Microsoft] to be a force for change in a security information and events management (SIEM) market that is ripe for disruption at the moment.” As enterprises migrate to the cloud, they’re increasingly operating on-premises and cloud environments spread across multiple cloud providers. These complex environments and multiple security products can make it challenging for security professionals to make correlations across their entire infrastructure and separate the signal from the noise.
The report, titled Microsoft’s Expanded Horizons in Security, written by Rik Turner and published in April 2019, evaluated Azure Sentinel alongside other new Microsoft services and concluded that hybrid cloud customers who use Azure as one of their cloud providers should consider Microsoft for security across hybrid and multicloud environments.
Ovum notes that over the last few years Microsoft has introduced new services and capabilities that support operating systems and platforms beyond Windows. The report identifies the following reasons that Microsoft security products are appropriate if you need to secure non-Microsoft products as well as Azure:
- Password-less authentication and conditional access.
- Microsoft Threat Protection secures identities, endpoints, user data, cloud apps, and infrastructure.
- Microsoft Information Protection services extend to cloud apps with Microsoft Cloud App Security.
- Azure Sentinel may disrupt the security management marketplace.
Azure for password-less authentication and conditional access
Active Directory and Azure Active Directory (Azure AD) are market leaders for on-premises and cloud-based directories, and many enterprises already use them. In addition to provisioning and deprovisioning, security capabilities such as modern authentication and conditional access make Azure AD a compelling choice for identity and access management (IAM).
In recent years, Microsoft has introduced many capabilities to support modern authentication. Multi-factor authentication (MFA), also called two-factor authentication (2FA), lets you enforce a secondary authentication method so that you don’t rely on passwords alone. Azure AD supports password-less authentication such as biometrics and FIDO2-compliant security keys, and the Microsoft Authenticator mobile app, which generates a one-time passcode or sends a push notification, can serve as the secondary authentication method.
Azure AD conditional access gives administrators additional control over who can access company resources, both on the first access attempt and throughout the user session. Conditional access works by evaluating the circumstances of the authentication request, such as the device used, the location of the request, the user, or the network, to assign a risk score and then automatically apply pre-defined access policies.
For example, if a user attempts to access sensitive data from an unsecured network, Azure AD can block the request. If a user’s account has been deemed likely compromised, Azure AD can require a password reset before allowing access.
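To make the mechanism concrete, here is an added example (not code from the original post and not Azure AD’s actual engine) that models a conditional access evaluation: signals about the request are folded into a risk score, an ordered policy table is applied first-match-wins, and the decision is re-evaluated when a signal changes mid-session. The `SignIn` fields, the weights, the expected-locations allow-list and the policy names are all this example’s own assumptions.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple

# Constructed sign-in context. Field names and weights are this example's
# assumptions, not Azure AD's real signal schema or scoring.
@dataclass(frozen=True)
class SignIn:
    user: str
    device_compliant: bool
    network_trusted: bool
    location: str               # ISO country code of the request
    resource_sensitivity: str   # "low" or "high"
    user_at_risk: bool          # identity flagged as likely compromised

EXPECTED_LOCATIONS = {"US", "GB"}   # constructed allow-list for this tenant

def risk_score(s: SignIn) -> int:
    """Combine the circumstances of the request into one additive risk score."""
    score = 0
    if not s.device_compliant:
        score += 2
    if not s.network_trusted:
        score += 2
    if s.location not in EXPECTED_LOCATIONS:
        score += 1
    if s.user_at_risk:
        score += 5
    return score

# Pre-defined policies: (name, condition, control). Evaluated top to bottom,
# first match wins, so the most restrictive controls are listed first.
Policy = Tuple[str, Callable[[SignIn, int], bool], str]
POLICIES: List[Policy] = [
    ("compromised-user-reset",
     lambda s, r: s.user_at_risk, "require_password_reset"),
    ("sensitive-from-untrusted-network",
     lambda s, r: s.resource_sensitivity == "high" and not s.network_trusted, "block"),
    ("elevated-risk-mfa",
     lambda s, r: r >= 3, "require_mfa"),
]

def decide(s: SignIn) -> str:
    """Return the control to enforce for this request; default is allow."""
    r = risk_score(s)
    for _name, condition, control in POLICIES:
        if condition(s, r):
            return control
    return "allow"

def evaluate_session(s: SignIn, changes: List[dict]) -> List[str]:
    """Continuous evaluation: re-decide after each mid-session signal change.
    Returns the decision at sign-in followed by one decision per change."""
    decisions = [decide(s)]
    for change in changes:
        s = replace(s, **change)
        decisions.append(decide(s))
    return decisions

if __name__ == "__main__":
    base = SignIn("alice", True, True, "US", "low", False)
    print(decide(base))
    # The session starts clean, then the user moves to an untrusted network
    # and opens a sensitive resource: the session decision flips to block.
    print(evaluate_session(base, [{"network_trusted": False,
                                   "resource_sensitivity": "high"}]))
```

The ordering of `POLICIES` is the design point: a flagged-compromised identity must be handled before any weaker control, and `evaluate_session` shows why the page stresses evaluation throughout the session rather than only at first sign-in.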
Azure AD security policies aren’t just for Microsoft products. Integration with Microsoft Cloud App Security, a cloud access security broker (CASB), lets you extend authentication policies to all your cloud apps, including non-Microsoft applications.
Microsoft Threat Protection secures identities, endpoints, user data, cloud apps, and infrastructure
Recent acquisitions and the Microsoft Intelligent Security Graph give Microsoft the data and technology to provide protection across identities, endpoints, emails, messages, documents, cloud applications, and infrastructure. The Intelligent Security Graph gathers threat information from Microsoft products deployed around the world, from security partners, and from Microsoft’s own security team. To make sense of trillions of signals, machine learning and artificial intelligence (AI) algorithms analyze the data to find correlations and patterns. The Microsoft Threat Protection suite of products uses analysis from the Intelligent Security Graph to learn what normal user behavior looks like, so that it can detect anomalous behavior and alert on or block it.
Microsoft Information Protection services extend to cloud apps with Microsoft Cloud App Security
Microsoft Information Protection helps secure data at rest in file repositories, cloud storage services, and on users’ devices, and it protects data in motion as it travels to different locations. The service accomplishes this in four steps: detection, classification, protection, and monitoring. Microsoft Information Protection can detect sensitive data across on-premises and cloud repositories. Once the data is detected, Microsoft Information Protection classifies and labels it based on a pre-defined taxonomy that identifies how sensitive the data is, such as “Highly Confidential” or “Non Business.” Protection is applied based on the classification and can include actions such as file encryption; you can also set policies that prevent copy and save functions, among other protections. Monitoring capabilities let administrators track the document as it moves inside and outside of your organization.
Microsoft Cloud App Security integrates with Microsoft Information Protection to extend the discovery, classification, protection, and monitoring capabilities to cloud apps. Administrators can even quarantine a file or limit sharing after it has moved to non-Microsoft cloud services.
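The four steps above (detect, classify, protect, monitor) plus the quarantine-after-it-leaves behaviour can be shown as one small pipeline. The following is an added example, not code from the original post and not Microsoft Information Protection’s own sensitive information types or label engine: the regular expressions, the Luhn check used to discard look-alike numbers, the two middle tiers of the taxonomy (“Confidential” and “General”), the label-to-protection mapping and the `.corp.example` organisation boundary are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Step 1: detection. Constructed detectors for two sensitive data kinds.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used to drop digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def detect(text: str) -> Dict[str, int]:
    """Return counts of sensitive items found, keyed by kind (empty if none)."""
    found = {"credit_card": 0, "ssn": 0}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):          # false-positive filter for the card pattern
            found["credit_card"] += 1
    found["ssn"] = len(SSN_RE.findall(text))
    return {kind: n for kind, n in found.items() if n}

# Step 2: classification. Taxonomy from least to most sensitive; the page names
# the outer two labels, the middle two are constructed for this example.
TAXONOMY = ["Non Business", "General", "Confidential", "Highly Confidential"]

def classify(findings: Dict[str, int], text: str) -> str:
    if findings:
        return "Highly Confidential"      # any regulated personal/financial data
    if "internal only" in text.lower():
        return "Confidential"
    if "@corp.example" in text.lower():
        return "General"                  # ordinary business correspondence
    return "Non Business"

# Step 3: protection. Controls applied per label (constructed mapping).
PROTECTION: Dict[str, Set[str]] = {
    "Highly Confidential": {"encrypt", "block_copy", "block_save_as"},
    "Confidential": {"encrypt"},
    "General": set(),
    "Non Business": set(),
}

@dataclass
class Document:
    name: str
    text: str
    label: str = "Non Business"
    protections: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)   # step 4: monitoring trail

def protect(doc: Document) -> Document:
    """Run detect -> classify -> protect on a document and record the outcome."""
    findings = detect(doc.text)
    doc.label = classify(findings, doc.text)
    doc.protections = set(PROTECTION[doc.label])
    doc.audit.append(f"labelled '{doc.label}' findings={findings}")
    return doc

def track_move(doc: Document, destination: str) -> str:
    """Monitoring: log each move; quarantine a Highly Confidential file that
    leaves the organisation (constructed boundary: hosts under .corp.example)."""
    external = not destination.endswith(".corp.example")
    action = "quarantine" if external and doc.label == "Highly Confidential" else "allow"
    doc.audit.append(f"moved to {destination}: {action}")
    return action

if __name__ == "__main__":
    # Constructed sample documents.
    invoice = protect(Document("invoice.txt", "Card 4111 1111 1111 1111, internal only"))
    memo = protect(Document("memo.txt", "Lunch at 1234 5678 9012 3456?"))
    print(invoice.label, sorted(invoice.protections))
    print(memo.label, memo.audit)
    print(track_move(invoice, "share.partner.example"), track_move(invoice, "files.corp.example"))
```

The second sample document is the edge case worth noticing: a sixteen-digit string that fails the Luhn check is not counted, so the memo stays “Non Business” instead of being over-labelled, which is exactly the kind of false positive that drives users to work around protection.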
Azure Sentinel may disrupt the security management marketplace
Ovum’s report identifies opportunities to offer better products in security management, especially SIEM platforms and products. SIEMs aggregate log files into one repository so that security teams can analyze the data and remediate detected threats. As the amount of data has increased, the need to augment SIEMs with more robust analytics capabilities has exploded. SIEMs charge a lot to store log files, and customers are overwhelmed by the number of alerts, many of them false positives generated by their SIEM platforms.
Azure Sentinel can save time, reduce costs, and reduce alert fatigue by using AI and machine learning models to sift through the noise and more accurately identify real threats. Azure Sentinel currently aggregates data from Office 365 apps and data from security partners. In pilot tests, it reduced alert fatigue by as much as 90 percent.
Microsoft’s other security management offerings can help customers manage security across a diverse cloud ecosystem. Azure Security Manager helps customers stay compliant with regulations, identifies security vulnerabilities, and detects and blocks threats. Later this year, these capabilities will be extended to Amazon Web Services (AWS) and eventually Google Cloud Provider (GCP).
The report offers several examples of how Microsoft is evolving its security strategy to support the complex environments that enterprises must secure. Ovum expects that Microsoft will continue to expand the number of products that secure multiple platforms as it provides more support for Mac, Linux, AWS, and GCP.
Read the Ovum report to learn more about how Microsoft’s current offering and strategy make it a good fit for current Azure customers who run a mix of on-premises and cloud environments and/or use two or more cloud service providers.