Azure Sentinel vs. Azure Security Center

Security operations solutions

We live in a rapidly changing world with fast-progressing technologies. Every day new products and innovations force businesses to adapt to the changes in short timeframes. This is essential to staying competitive or growing faster than competitors. 

The events of the past year introduced a new trend – companies across the globe had to adapt to the model of remote work. Most businesses, while being focused on the remote work setup, did not fully grasp the potential risk for information security. Here we will go over services that can help with it.

What’s the risk?

People now work outside the company network, using different devices on networks with an unknown security level, which leads to security incidents that go unnoticed. At the same time, attacks are increasingly heterogeneous and span different parts of the enterprise and various resource types. An attack might start from an IoT device, proceed to an endpoint, spread to a cloud service or a database, involve multiple user accounts or tenants, etc. 

There can be dire consequences for the business, such as undermined reputation, sensitive data exposure (know-how, patents, personal or financial data), financial losses, and even inability to operate. 

What can you do about it?

In this article, we’ll cover some timely proactive measures that, if introduced, can prevent such disasters. Let’s dive in!

Key points:

  • What is Azure Sentinel?
  • What is Azure Security Center?
  • What is the difference between them, and do you need both?

What are our options?

There are many products and solutions for event management, threat protection, and security monitoring. However, not many of them can be integrated with the existing environment. Additionally, they require separate management which leads to a lack of automation, product disconnection, and complicated security operations. 

This is not the case with Microsoft Azure Security Center (ASC) and Microsoft Azure Sentinel (AS). What are these solutions and how are they different?

What is Microsoft Azure Sentinel?

Microsoft Azure Sentinel is a cloud-native, Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution.

(There will be more on SIEM and SOAR in a moment.)

Microsoft introduced Azure Sentinel as a single solution for intelligent security analytics, event management, threat detection, threat visibility, proactive hunting (hunting query), and threat response. 

It allows your security team to focus on threat detection and mitigation, rather than running the service.

The main advantage of Sentinel is its holistic view across the environment, providing intelligent security analytics. This allows:

  • early threat detection
  • rapid threat response towards sophisticated attacks
  • shorter resolution time
  • reduction in the volume of security incidents. 

The main functions of Azure Sentinel (source: Microsoft)

How does it work?

Sentinel gives a bird's-eye view of what is happening in the environment: events, active cases with their status, and trends.

Using Microsoft threat intelligence and analytics, Azure Sentinel correlates alerts into incidents and identifies attacks based on your data. It then places them on a visual map, so malicious traffic can be analyzed and quickly handled with built-in orchestration and automation of typical tasks.

The intelligent security graph forms the core of Sentinel, gathering relevant information from other Microsoft services (Azure Advanced Threat Protection, Microsoft Defender Advanced Threat Protection, Azure Security Center, etc.). 

Azure Sentinel also includes user behavior analytics to help identify anomalies, compromised identities, and malicious insider actions.

The impact of Azure Sentinel:

“Azure Sentinel’s AI-driven correlation engine and behavior-based analytics reduced the number of false positives for the SOC team by up to 79%, and it reduced the amount of labor associated with advanced investigations by 80% resulting in an improved MTTR (Mean Time to Repair).” – Forrester

Security alerts

When you are handling threats that can affect the whole business, every second matters. Azure Sentinel correlates security alerts and signals from different data sources – applications, devices, services, networks, infrastructure, and users – regardless of their place (on-premises, in Azure, or in any other cloud).  

You can create security playbooks to respond to alerts. They are collections of procedural responses to an alert, based on Azure Logic Apps. Playbooks can be run manually or configured to be triggered automatically. 

Alerts noise reduction

Built-in artificial intelligence (AI) and machine learning mechanisms use Microsoft threat intelligence to analyze signals from different data sources. They reduce noise from alerts, minimize false positives, and drill into and analyze anomalous events to present the incidents that really require attention. 

Below is a real-life example of how Azure Sentinel’s machine learning was used to efficiently minimize signal noise.

Security alert fatigue reduction (source: Microsoft)

Data connectors and integrations

Azure Sentinel provides native and third-party integrations, which enable customers to integrate it with the rest of their services and/or bring data from other products and easily analyze it at scale.

The service is accompanied by a number of data connectors for Microsoft solutions, providing real-time integration with Microsoft 365 Defender solutions, Microsoft 365 sources (including Office 365), Azure AD, Microsoft Defender for Identity, Microsoft Cloud App Security, Domain Name System (DNS), Windows Firewall, SQL, and more.


Azure Sentinel data flow (source: Microsoft)

Response to IT security and business needs

Through Sentinel, SecOps (Security Operations) teams can receive real-time alerts, remediate incidents through machine learning and AI automation, and use Kusto Query Language (KQL) statements for detection, identification of threats and anomalies, analysis, and proactive hunting.

Visual and interactive dashboards save time by aggregating reports from different business units. This enables decision-makers to get direct insights and analyze their capabilities in a single place.


SIEM and SOAR – two components of Azure Sentinel

Azure Sentinel combines SIEM and SOAR capabilities in one product. Although these services complement each other, they do not provide the same functionalities.  

What is SIEM?

Security information and event management (SIEM) analyzes activities in the environment to distinguish between normal and anomalous incidents. It can be trained and regularly tuned to improve its capabilities. However, it increases the burden on security analysts and engineers, due to triaging a constant influx of data.  

What is SOAR?

Security orchestration, automation, and response (SOAR) integrates all tools, systems, and applications within the security toolset, spanning the whole organization and enabling security teams to automate incident response workflows.

Its main benefit is the automation and orchestration of time-consuming, manual tasks, without additional human intervention. SOAR solutions support the remediation of vulnerabilities and the overall automation of security processes. 

Below is a diagram, illustrating the workflow of SIEM and SOAR.

SIEM vs SOAR graphs

Such a combination of technologies is frequently used by the most successful security operations (SecOps) teams to optimize their security operations center (SOC). Where SIEM raises the alerts, SOAR helps with the decisions on what should be done or decides on its own. 


What is Azure Security Center?

Azure Security Center (ASC) is a unified infrastructure security management system, providing real-time visibility across the workloads (cloud and on-premises), through monitoring of security configuration and health.

It provides security policies, continuous assessment, and proactive recommendations for Azure compute, data, identity and access, and networking resources.

By collecting events from Azure or Log Analytics agents, ASC correlates them in a security analytics engine and provides tools to strengthen security posture, protect against threats, harden your network, and secure the services. 

HOW DOES IT WORK?

The major differentiator for Azure Security Center is its continuous discovery of new resources that are being deployed across workloads. It also performs an initial assessment of whether they are configured according to the best security practices.

If abnormal behavior is detected, Azure Security Center flags resources, prioritizes activities, and provides a list of recommendations for the users, driven by Azure Security Benchmark. It is an Azure-specific set of guidelines for security and compliance best practices, based on a common compliance framework.

To make it even easier for users to prioritize their security items, Azure Security Center groups recommendations into security controls and assigns a secure score value to each one of them.  


Secure Score dashboard (source: Microsoft)

Azure Security Center helps to streamline the regulatory compliance processes. Using dedicated dashboards, you can see the status of the environment, based on selected standards and regulations.

To use this feature, you need to enable Azure Defender. The security policy built into Security Center is then reflected in the Azure Policy initiative in audit-only mode to all Security Center registered subscriptions, as well as Azure Monitor logs and other Azure security solutions like Microsoft Cloud App Security. 

SECURITY POLICIES

The Security Center policies are built on top of the standard Azure policy controls for an even more comprehensive solution. However, an additional set of tailored security policies might be required to run on management groups, across subscriptions, or even for a whole tenant. 

Another advantage is the overview of subscriptions which can be identified as Shadow IT subscriptions. The system points out if they are newly created, covered by policies, and protected by the Azure Security Center. 


Azure Security Center Policy dashboard (source: Microsoft)

NETWORK MAP

Azure Security Center also includes a network map – an interactive view of the network topology of your Azure workloads and the traffic routes. By default, the topology map displays resources that have network recommendations with high or medium severity.  


Azure Security network map (source: Microsoft)

RESOURCE ONBOARDING

As a native part of Azure, the Security Center automatically discovers and onboards Azure resources, including Platform as a Service (PaaS) services (Service Fabric, SQL Database, SQL Managed Instance, storage accounts, etc.).

Additional non-Azure resources (for both Windows and Linux) can be onboarded and protected via the installation of Log Analytics agent or Azure Arc. The data collected from virtual machines is stored in a Log Analytics workspace. For PaaS services such as SQL ATP, you can use continuous export that enables security alerts to be stored in a Log Analytics workspace. 

What is the difference between Azure Security Center and Azure Sentinel?

If you have not used Azure Sentinel or Azure Security Center before, you might be unsure about the differences between the two products and how they should be used.

Even their names are similar, and both are offered by Microsoft to secure your environment. The confusion also stems from the complementary functions they perform and, more importantly, from both being part of the cybersecurity lifecycle. 

Azure Security Center is a source of recommendations, alerts, and diagnostics that can be utilized by Azure Sentinel to provide better analytics and incident response.

Azure Sentinel performs additional roles, including hunting, automated playbooks, and incident response, as well as assistance with manual incident investigations.


Azure Sentinel vs. Azure Security Center responsibilities diagram

Both products are highly complementary and can be easily enabled due to out-of-the-box integration.
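As an added example (not from the original article or from Microsoft), here is a KQL hunting query of the kind mentioned earlier, run in the Sentinel workspace over alerts produced by Security Center. It assumes the Security Center data connector is enabled so that alerts land in the `SecurityAlert` table; the seven-day window and the threshold of two distinct alert types are illustrative values.

```kusto
// Added example: find entities that triggered several different Security Center
// alerts, which is a stronger signal than any single alert on its own.
let lookback = 7d;          // assumed hunting window
let minDistinctAlerts = 2;  // assumed threshold: distinct alert types per entity
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == "Azure Security Center"
// An alert can be ingested again when it is updated; keep only the latest record.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where isnotempty(CompromisedEntity)
| summarize
    AlertCount = count(),
    DistinctAlerts = dcount(AlertName),
    AlertNames = make_set(AlertName, 20),
    Severities = make_set(AlertSeverity),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by CompromisedEntity
| where DistinctAlerts >= minDistinctAlerts
// Surface entities with at least one high-severity alert first.
| extend HasHighSeverity = set_has_element(Severities, "High")
| order by HasHighSeverity desc, DistinctAlerts desc, LastSeen desc
```

Entities returned at the top of the result are candidates for a manual investigation or for a scheduled analytics rule that turns the pattern into an incident.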

Conclusion

Both Azure Sentinel and Azure Security Center play a significant role in improving security operations. In the “Collect”, “Remediate”, and “Detect” elements of the workflow, Azure Security Center is critical. In addition to these roles, Azure Sentinel is also equipped to perform the “Investigate” and “Respond” tasks. That’s why a well-performing security architecture should include both products. 

Key takeaways:

  1. Azure Sentinel allows you to see the larger picture of what’s happening in your environment. It is a solution that combines two technologies: SIEM (for incident management) and SOAR (for automated threat response). Both technologies were designed to give security analysts a powerful tool to detect and respond to cyber-attacks.
  2. Azure Security Center is the base for controlling your workloads’ security configuration and health. Security Center is one of the many sources of threat security data that Azure Sentinel gathers to build a comprehensive view for the entire enterprise. Together, these solutions provide seamless and effective security operations.