Securing the hybrid cloud with Azure Security Center and Azure Sentinel

Udgivet den 4 juni, 2019

Principal Group PM Manager, Azure Security Center

Infrastructure security is top of mind for organizations managing workloads on-premises, in the cloud, or hybrid. Keeping on top of an ever-changing security landscape presents a major challenge. Fortunately, the power and scale of the public cloud has unlocked powerful new capabilities for helping security operations stay ahead of the changing threat landscape. Microsoft has developed a number of popular cloud based security technologies that continue to evolve as we gather input from customers. Today we’d like to break down a few key Azure security capabilities and explain how they work together to provide layers of protection.

Azure Security Center provides unified security management by identifying and fixing misconfigurations and providing visibility into threats to quickly remediate them. Security Center has grown rapidly in usage and capabilities, and allowed us to pilot many new solutions, including a security information and event management (SIEM)-like functionality called investigations. While the response to the investigations experience was positive, customers asked us to build out more capabilities. At the same time, the traditional business model of Security Center, which is priced per resource such as per virtual machine (VM), doesn’t necessarily fit for SIEM. We realized that our customers needed a full-fledged standalone SIEM solution that stood apart from and integrated with Security Center, so we created Azure Sentinel. This blog post clarifies what each product does and how Azure Security Center relates to Azure Sentinel.

Going forward, Security Center will continue to develop capabilities in three main areas:

  1. Cloud security posture management: Security Center provides you with a bird’s eye security posture view across your Azure environment, enabling you to continuously monitor and improve your security posture using the Azure secure score. Security Center helps you identify and perform the hardening tasks recommended as security best practices and implement them across your machines, data services, and apps. This includes managing and enforcing your security policies and making sure your Azure Virtual Machine instances, non-Azure servers, and Azure PaaS services are compliant. With newly added IoT capabilities, you can now reduce attack surface for your Azure IoT solution and remediate issues before they can be exploited. We will continue to expand our resource coverage and the depth insights that are available in security posture management. In addition to providing full visibility into the security posture of your environment, Security Center also provides visibility into the compliance state of your Azure environment against common regulatory standards.
  2. Cloud workload protection: Security Center's threat protection enables you to detect and prevent threats at the infrastructure-as-a-service (IaaS) layer as well as in platform-as-a-service (PaaS) resources like Azure IoT and Azure App Service and on-premises virtual machines. Key features of Security Center threat protection include config monitoring, server endpoint detection and response (EDR), application control, network segmentation, and is extending to support container and serverless workloads.
  3. Data security: Security Center includes capabilities that identify breaches and anomalous activities against your SQL databases, data warehouse, and storage accounts, and will be extending to other data services. In addition, Security Center helps you perform automatic classification of your data in Azure SQL database.

When it comes to cloud workload protection, the goal is to present the information to users within Security Center in an easy-to-consume manner so that you can address individual threats. Security Center is not intended for advanced security operations (SecOps) hunting scenarios or to be a SIEM tool.

Going forward SIEM and security orchestration and automated response (SOAR) capabilities will be delivered in Azure Sentinel. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel is your service operations center (SOC) view across the enterprise, alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution timeframes. With Azure Sentinel you can:

  • Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  • Integrate curated alerts from Microsoft’s security products like Security Center, Microsoft Threat Protection, and from your non-Microsoft security solutions.
  • Detect previously undetected threats and minimize false positives using Microsoft Intelligent Security Graph, which uses trillions of signals from Microsoft services and systems around the globe to identify new and evolving threats. Investigate threats with artificial intelligence and hunt for suspicious activities at scale, tapping into years of cyber security experience at Microsoft.
  • Respond to incidents rapidly with built-in orchestration and automation of common tasks.

SIEMs typically integrate with a broad range of applications including threat intelligence applications for specific workloads, and the same is true for Azure Sentinel. SecOps has the full power of querying against the raw data, using AI models, even building your own model.

So how does Azure Security Center relate to Azure Sentinel?

Security Center is one of the many sources of threat protection information that Azure Sentinel collects data from, to create a view for the entire organization. Microsoft recommends that customers using Azure use Azure Security Center for threat protection of workloads such as VMs, SQL, Storage, and IoT, in just a few clicks can connect Azure Security Center to Azure Sentinel. Once the Security Center data is in Azure Sentinel, customers can combine that data with other sources like firewalls, users, and devices, for proactive hunting and threat mitigation with advanced querying and the power of artificial intelligence.

Diagram representing how Azure Sentinel connects with Azure Security Center

Are there any changes to Security Center as a result of this strategy?

To reduce confusion and simplify the user experience, two of the early SIEM-like features in Security Center, namely investigation flow in security alerts and custom alerts will be removed in the near future. Individual alerts remain in Security center, and there are equivalents for both security alerts and custom alerts in Azure Sentinel.

Going forward, Microsoft will continue to invest in both Azure Security Center and Azure Sentinel. Azure Security Center will continue to be the unified infrastructure security management system for cloud security posture management and cloud workload protection. Azure Sentinel will continue to focus on SIEM.

To learn more about both products, please visit the Azure Sentinel home page or Azure Security Center home page.