Microsoft has unveiled a cloud-hosted, machine learning-powered SIEM solution and a “managed hunting” service for users of its Windows Defender Advanced Threat Protection (ATP) system.
Both products debuted on the eve of the 2019 RSA Conference, one of the security industry’s biggest events of the year, which takes place next week in San Francisco.
Called Azure Sentinel, the new SIEM offering is available in public preview via the Microsoft Azure portal. According to Microsoft, it’s “the first cloud-native SIEM within a major cloud platform.”
The system allows users to aggregate and analyze data from Azure, Office 365, Microsoft 365, and other cloud-based Microsoft offerings. Embedded connectors to products from Check Point, Cisco, F5, Fortinet, and Palo Alto Networks, among others, allow organizations to import data from a wide range of third-party solutions as well. Support for Common Event Format, Syslog, and other industry-standard log formats further enables organizations to keep tabs on all of their devices, applications, and infrastructure through a single administrative console.
“In just a few clicks, they can bring their Office 365 data for free as well as combine it with their other data for analysis, and they’ll be able to take advantage of Microsoft’s vast threat intelligence and years of experience of protecting some of the biggest enterprises on the planet,” says Ann Johnson, corporate vice president of Microsoft’s Cybersecurity Solutions Group.
Azure Sentinel targets corporate IT departments and managed security service providers struggling to spot evidence of danger in a perpetually shifting and expanding sea of security telemetry. “They can’t keep pace with the volume of data or the agility of our adversaries,” says Johnson. Indeed, Microsoft itself sifts through some 6.5 trillion signals from PCs, servers, mobile devices, and cloud solutions a day.
Built-in artificial intelligence technology in Azure Sentinel is designed to make log analysis simpler by filtering out time-consuming false alarms. “It helps reduce noise drastically, with an overall reduction of up to 90 percent in alert fatigue,” Johnson says. The new system has helped early adopters complete threat hunts in milliseconds versus hours, she continues, and automates 80 percent of an organization’s most common security-related tasks.
The solution lets users capitalize on the Azure platform’s power and efficiencies as well, Johnson adds. “Our customers’ defenders can take advantage of limitless cloud speed and scale and invest their time in security, not servers.”
Microsoft partners using Azure Sentinel already include powerhouse MSSPs like CyberProof, Insight, and New Signature.
The managed hunting service, called Microsoft Threat Experts, is designed to help Windows Defender ATP users leverage the knowledge and experience of Microsoft’s in-house security specialists.
“Even as we look to arm our defenders with the latest technologies, we also recognize that technology alone can’t solve the challenges that this landscape poses,” Johnson says. “Microsoft is now offering our security experts as an extension of our customers’ teams.”
The service proactively sends alerts about newly spotted dangers to subscribers through the Microsoft 365 security center. Users can also click a new “Ask a Threat Expert” button in their Windows Defender ATP interface to submit ad hoc questions.