Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/28/2019
12:45 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Debuts Azure Sentinel SIEM, Threat Experts Service

New services, which are both available in preview, arrive at a time when two major trends are converging on security.

Microsoft today debuted two new security services: Azure Sentinel, a cloud-native security information and event management (SIEM) system, and Microsoft Threat Experts, a service through which security operations teams can leverage expertise from Microsoft's experts.

The two services arrive at a time when two major trends are converging on security: SOC teams are struggling with an overwhelming amount of daily alerts and a lack of staff to handle them, and more organizations are moving their data and processes over to the cloud.

"As the cloud has revolutionized modern IT architecture, more and more enterprise workloads have moved to the cloud," says Steve Dispensa, program management lead for Microsoft's cloud and AI security division. The transition especially makes sense for security workloads, he adds, as they're both data- and compute-intensive.

Enter Azure Sentinel, which Microsoft reports is the first native SIEM within a major cloud platform. Many organizations still rely on traditional SIEM tools, which typically can't keep up with the cloud's scale and complexity. The AI built into Sentinel scours large volumes of data from users, applications, servers, and devices running on-prem or in the cloud. Microsoft reports early adopters of Sentinel have seen an overall reduction of up to 90% in alert fatigue.

"One of the key goals of Azure Sentinel was to really help SOC operators use their limited bandwidth in the most effective way possible," Dispensa notes.

Azure Sentinel pulls data from Office 365, combs for threats, and combines findings with other security data for analysis. Its integration extends beyond Microsoft: Users can leverage Azure Sentinel to pull data from clouds and software built by companies including Cisco, Check Point, Palo Alto Networks, and Symantec, said Ann Johnson, Microsoft's corporate vice president of security solutions, in a briefing ahead of next week's RSA Conference.

"An early goal of Azure Sentinel was to be able to integrate well with the infrastructure and services actually in use at these large enterprises," Dispensa says. This isn't just Microsoft cloud, he points out, and not just on-prem infrastructure, but apps and services in third-party clouds.

Data import for Office 365 is free, though you need to be a licensed Office 365 customer. Azure Sentinel is limited to Azure subscribers and is available in public preview starting today, Feb. 28. The preview period is also free; pricing will be announced in the future, Microsoft says.

Microsoft Threat Experts: Now Your Threat Experts
Alongside its Azure Sentinel announcement, Microsoft unveiled a service dubbed Microsoft Threat Experts, which connects the company's security experts with its in-house security staff. The idea is to give businesses an opportunity to augment security as part of Microsoft 365.

Microsoft Threat Experts is a managed threat-hunting service built into Windows Defender Advanced Threat Protection. It's intended to provide two capabilities. The first is targeted attack notifications, which are alerts tailored to organizations' critical threats. They're intended to inform the victim with timeline, scope of breach, and method of intrusions, for example.

The second is "experts on demand." When a breach exceeds the target's ability to investigate, Microsoft's security experts will provide technical consultation. If full incident response is necessary, the client can transition to working with Microsoft incident response services.

Dustin Duran, lead for Microsoft Threat Experts, says all participants in the program are full-time Microsoft employees who can provide either of the service's capabilities. "The same set of people have intimate knowledge of the operating system and features of security products, so they're able to do both," he explains.

Windows Defender ATP customers can now apply to join the preview of this service via the Windows Defender Security Center.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Tough Love: Debunking Myths about DevOps & Security
Jeff Williams, CTO, Contrast Security,  8/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5638
PUBLISHED: 2019-08-21
Rapid7 Nexpose versions 6.5.50 and prior suffer from insufficient session expiration when an administrator performs a security relevant edit on an existing, logged on user. For example, if a user's password is changed by an administrator due to an otherwise unrelated credential leak, that user accou...
CVE-2019-6177
PUBLISHED: 2019-08-21
A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Le...
CVE-2019-10687
PUBLISHED: 2019-08-21
KBPublisher 6.0.2.1 has SQL Injection via the admin/index.php?module=report entry_id[0] parameter, the admin/index.php?module=log id parameter, or an index.php?View=print&id[]= request.
CVE-2019-11601
PUBLISHED: 2019-08-21
A directory traversal vulnerability in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to write or delete files at any location.
CVE-2019-11602
PUBLISHED: 2019-08-21
Leakage of stack traces in remote access to backup & restore in earlier versions than ProSyst mBS SDK 8.2.6 and Bosch IoT Gateway Software 9.2.0 allows remote attackers to gather information about the file system structure.