One year on from reaching general availability, Microsoft’s Azure-based Sentinel security system now brings new user and entity behavioral analytics to help detect unknown and insider threats faster.
The behavioral analytics feature also gives customers another reason to send more security logs to the Azure cloud for analysis. Pay-as-you-go pricing is $2.46 per gigabyte (GB) of data analyzed by the Azure Sentinel security information and event management (SIEM) system.
Rather than customers buying their own hardware for an SIEM solution, Sentinel offers an option with no hardware setup or licensing costs.
But while the Azure security product can be cheaper than traditional SIEM solutions, Eric Doerr, vice president of cloud security at Microsoft, tells ZDNet that Sentinel is definitely not free and that customers are sometimes surprised by the cost of the cloud service after being tempted to stuff it with data and logs they might not have done with a legacy SIEM.
“No doubt about it, the total cost of ownership is for sure superior to going and buying a bunch of physical machines. But we have a funny challenge, which is a lot of people say: ‘Oh my god, this is so amazing, so I want to import 10 times as much data as I was importing in my old solution’,” said Doerr.
“And they’re like, ‘Oh wait, but that’s expensive’. And we’re like, ‘Well, right, 10 times the data volume instead of being a different number, right?’ It’s not free, you still have to pay for what you really care about. If all data in the universe were free, you’d store everything for ever.
“If there was no compliance – obviously for compliance reasons you don’t want to keep data around for too long. But it’s still like, ‘Do I install every firewall log for two years or do I store them for 90 days? Or do I find some hybrid model?’.”
Microsoft Sentinel has gained 6,500 customers in the year since reaching general availability.
The Sentinel User and Entity Behavioral Analytics platform, or UEBA in industry jargon, helps customers detect unknown and insider threats. The feature is available in preview and works by building a behavior profile of a user or device to detect anomalies.
The feature syncs information from Azure Active Directory and uses Active Directory audit logs, signing logs and Azure activity logs, combined with security event information that is displayed in a dashboard indicating whether a user or device is potentially high risk.
Security analysts can run a text search to find and open an entity profile, or click on an entity while investigating an incident. The profile includes contextual information, a timeline of activities and alerts across the most relevant data sources.
Microsoft has also launched a preview of Azure Security Center support for monitoring configuration and vulnerabilities for applications such as SQL that customers host in Google Cloud and Amazon Web Services. The feature is designed to help customers that may have merged with another company that uses a rival cloud to Azure.