In the Cloud, Things Aren’t Always What They SIEM: Microsoft Rolls Out AI-Driven Azure Sentinel

And 'ask a Redmond security bod' panic button for Windows Defender ATP customers

RSA Microsoft has wheeled out two new enterprise security tools – Azure Sentinel, a cloud-based SIEM, and Microsoft Threat Experts, an infosec advice-as-a-service bundled with a panic button.

The two services are part of Redmond's ongoing invasion of the cloud security market. It will be showing off the technology at the RSA Conference in San Francisco next week.

Ann Johnson, Microsoft's cybersecurity solutions veep, described Azure Sentinel as the "first native SIEM within a major cloud platform".

Azure Sentinel customers are exhorted by Microsoft to marvel at "nearly limitless cloud speed and scale", assuming the public cloud service and things hanging off it haven't gone for an unscheduled nap, as happens from time to time.

The hackneyed message from Johnson is for businesses to "invest your time in security and not servers".

"Azure Sentinel supports open standards such as Common Event Format (CEF) and broad partner connections, including... Check Point, Cisco, F5, Fortinet, Palo Alto and Symantec, as well as broader ecosystem partners such as ServiceNow."

Press the big red Microsoft panic button

Johnson also revealed Microsoft Threat Experts, another aaS product that appears to target businesses without an extensive in-house security presence or capability. It was presented as "a new service within Windows Defender ATP which provides managed hunting to extend the capability of your security operations centre team".

You give the keys to your castle over to Microsoft's security folk, who will then "proactively hunt over your anonymized security data for the most important threats, such as human adversary intrusions, hands-on-keyboard attacks, and advanced attacks like cyberespionage" in Johnson's words.


This security-as-a-service comes with a panic button for when you just don't know the answer to a burning infosec question yourself. Thanks to Redmond's "Ask a Threat Expert", you can "submit questions directly" to MS security bods via the Windows Defender ATP console.

Tom Kranz, head of cyber labs at British tech consultancy 6point6 and a one-time enterprise security architect, was not impressed by the announcement. He told The Register:

“Microsoft Azure Sentinel continues a worrying process of cloud providers eating their partners’ lunch, which is neither good for the industry nor for customers. Azure Operations Management Suite and Security Centre lacked the event correlation and automation that market leaders like Splunk and Alienvault know is needed for a SIEM to be anything other than an irritating source of noise."

Kranz did concede that Sentinel "may fill that 'just good enough' gap between basic tools like OMS and the full-fat products like Splunk."

To join the public preview of Microsoft Threat Experts, apply in the Windows Defender ATP settings, or if Azure Sentinel floats your corporate boat, there's more about it on Microsoft's website. ®

Niloufar Namvar