Bekker's Blog


Microsoft Unveils 'Azure Sentinel' and 'Threat Experts' for Security

Just days before the 2019 RSA Conference, Microsoft on Thursday announced the preview releases of two new cloud-based security services: Azure Sentinel and Threat Experts.

Azure Sentinel is a native security information and event management (SIEM) tool that runs in Microsoft's public cloud. Ann Johnson, corporate vice president for Cybersecurity Solutions at Microsoft, touted Azure Sentinel as "the first cloud-native SIEM within a major cloud platform" during a media briefing on Wednesday.

Johnson said Sentinel was built from scratch with the help of industry partners as a modern security tool to collect, parse and present security data from users, devices, applications and infrastructure, both on-premises and in the cloud. Like many of Microsoft's current initiatives, key selling points are the flexible and scalable nature of having the solution running in the cloud and the ability to leverage Microsoft's artificial intelligence (AI) infrastructure and expertise.

At the same time, Microsoft also championed the tool's potential to cut both administrative burdens of on-premises SIEM approaches and the time wasted on inconsequential SIEM alerts.

"I don't need to have people maintaining infrastructure, patching, dealing with upgrades, things like that. I've just got my people focused on finding threats," said Eric Doerr, general manager of the Microsoft Security Response Center (MSRC), in a video about the MSRC's dogfooding of Azure Sentinel.

The dashboard for the public preview of the Microsoft Azure Sentinel cloud-native SIEM. (Source: Microsoft)

Johnson put the alerts in the context of the IT security skills gap. "The cybersecurity landscape is at a point where the attackers do have an advantage due to a lack of skilled cyberdefenders. With an estimated shortfall of over 3 million security professionals by 2021, there simply are not enough defenders to keep pace with the growing profit opportunity that cybercrime offers," she said. "Existing defenders are overwhelmed by threats and alerts. They often spend their days chasing down false alarms instead of doing what they do best, investigating and solving complex cases."

Microsoft contends that its machine learning (ML) algorithms and knowledge from handling trillions of signals each day inform the Sentinel tool.

Pricing has not been set for Azure Sentinel. The preview is free and licensed Office 365 customers will be able to import data into the tool for free as an ongoing feature once the service is generally available.

The other preview, Threat Experts, is a high-end, "managed threat hunting service" within Windows Defender Advanced Threat Protection (ATP) that's aimed at security operations centers. The intent is again to use Microsoft's expertise, AI/ML resources and massive global signals collection to provide context around security alerts that could help organizations find, prioritize and respond to security problems. The service consists of attack notifications that are supposed to be tailored to an organization's needs and the availability of Microsoft experts who can be engaged on demand.

Microsoft Threat Experts provides customized alerts in the Windows Defender Security Center. (Source: Microsoft)

"Not every organization has access to the level of human expertise they need. Microsoft is now offering our security experts as an extension of our customers' teams," Johnson said. "Experts provide the insights our customers need to get additional clarification on alerts, including root cause or scope of an incident, suspicious machine behavior and next steps if faced with an advanced attacker. They can also help determine risk and protection regarding threat actors' campaigns or emerging attacker techniques."

Although the new Threat Experts service is also in preview, customers will already need to have Windows Defender ATP to access it. The Windows Defender ATP platform is a toolbox of prevention, detection, investigation and response tools for enterprises. Threat Experts joins elements like attack surface reduction, endpoint detection and response, automated investigation and remediation, Secure Score and advanced hunting tools. Windows Defender ATP is available only in Microsoft's most expensive licensing packages, such as Windows 10 Enterprise E5 and Microsoft 365 E5.

Posted by Scott Bekker on 02/28/2019 at 3:12 PM
