It’s been nine months since Microsoft announced Azure Sentinel, and about a month since its general availability. And it doesn’t surprise me that reviews of this integrated SIEM have been positive (here is one summary). Despite the early challenges addressed by Bill Gates in his famous trustworthy computing note, Microsoft has transformed itself into a responsible leader in enterprise security. Not long ago, I would not have expected to make such a claim.

The secret sauce to Microsoft’s security success lies in integration – and given my personal legacy, this view should not surprise you. When we, in the telecom industry, dared to argue that network security might be best done (ahem) in the network, the suggestion was often met with confused silence. But when AT&T invented MPLS-based firewall services two decades ago, the value of natively-integrated protections became glaringly obvious.

So, the availability of a SIEM from Microsoft that is natively embedded into Azure is a strong continuation of this promising trend toward using security that is integrated into your assets, rather than placed over-the-top. The reliability and quality communities decoded this integration puzzle years ago. For example, you don’t buy a quality overlay for a product. Rather, you demand that quality be built-in. And yet, the security community has lagged.

I met recently with Ann Johnson, CVP, Cybersecurity Solutions Group, and Jonathan Trull, Chief Security Advisor from Microsoft, to learn more about the Azure Sentinel SIEM. It appears to be a fine product with all the features, connectors, and capabilities one would expect. The demo was grand, and the spec sheet had checks in all the right boxes. And I liked the elasticity of the tool, and can see that it will scale up to massive volumes if pushed.

Sentinel also exhibits extensibility and orchestration capabilities, which are required for customers who seek to bring in non-Microsoft tools from their local or other environments. The tool is cloud-native with advanced analytics to support SOC threat hunters. Many published reviews exist that describe the comprehensive set of Sentinel features, so it seems redundant to include them in this narrative. Go here and you’ll get the idea.

Instead, I will provide the following prediction: In the coming years, you will buy more-and-more security solutions from the bigger providers of cloud, application, and network services. They have the immense advantage of selling you the underlying beef, with the option to include the condiments as part of the integrated meal. I see this integration trend as an existential threat to any smaller companies with me-too products. Expect consolidation.

My advice to anyone working in the enterprise security game is this: Find the time to meet with Microsoft. Ask them to explain the best methods for protecting Active Directory. And ask them to explain how Sentinel protects not only Azure resources, but also cloud assets hosted on other commercially available cloud services. Oh, and you should ask them about their new threat hunting service. Maybe you should set aside half a day for all this.

I believe that 2020 will be an important year for the larger participants in the cyber security industry – and this includes Microsoft. If these larger companies play their cards right, then cyber protection will evolve to more integrated methods, and native controls will find their way into everyone’s enterprise security architecture. This implies that you will need to have a Microsoft strategy for how their protections fit into your enterprise.

As always, I hope you will share your views with all of us on this topic. With so much investment being thrown at so many cyber security companies every day, not everyone will agree with the words I’ve written here. Microsoft can be a powerful (even scary) participant in this ecosystem. But you cannot change the direction in which the wind blows, and I strongly sense a tailwind for the software company from Redmond.