How much security is ‘enough’ security? Looking at Microsoft 365 Defender vs. Azure Sentinel
Alex Fields
How much security is ‘enough’ security? This is in fact a trick question, I just threw it in there to get your attention. When it comes to security, one can never be ‘safe,’ but only ‘safer’ (even with the most expensive of cybersecurity tools and talented, dedicated humans to back it up). At the same time, there are so many different cybersecurity products available, even from a single vendor like Microsoft, that it can be difficult to understand what you are getting yourself into when you buy certain products or bundles.
Today, I want to talk about two distinct products that many of my readers still find confusing: Microsoft 365 Defender products (formerly Microsoft Threat Protection), versus Azure Sentinel.
Microsoft 365 Defender
Microsoft 365 Defender is now described as Microsoft’s XDR solution (Extended Detection & Response). It is in fact a marriage of several products under a single banner, and all of these are available through either of the SKUs:
- Microsoft 365 E5
- Microsoft 365 E5 Security
The products that are included under the Microsoft 365 Defender brand are also available as standalone add-ons to any other subscription, and each of them provides coverage over a specific domain or area:
- Defender for Office 365 provides zero-day anti-malware and anti-phishing protection for Exchange Online messages as well as files stored in OneDrive for Business, Teams and SharePoint Online
- Defender for Identity provides actionable insights and cybersecurity alerts against traditional Active Directory domains
- Defender for Endpoint is Microsoft’s Endpoint Detection & Response (EDR) product, so this covers security events on endpoint devices
- Microsoft Cloud App Security provides the same types of cybersecurity insights and alerts, but with regard to cloud apps such as Office 365, as well as third-party apps like Box and Salesforce (and several others)
All of these products can share insights with each other through the Microsoft Intelligent Security Graph, and thereby provide Security Operations Center analysts some correlations between seemingly disparate events in different domains. The key here is that these products exist to surface “interesting data” out of all the noise of raw log data.
Plus, you can do some cool stuff like take threat information from a device and integrate that with Azure AD Conditional Access to automatically bar access to devices which are over a certain risk threshold according to Defender. Or, if a malicious file is discovered by Defender on an endpoint, that data can be shared back through to Office 365, where any copies of that malicious attachment, if it exists in any mailboxes, can be ZAP’d into oblivion.
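As an added example (not code from the original post or from Microsoft), here is a Microsoft 365 Defender advanced hunting query, written in KQL, that does by hand the kind of cross-domain correlation described above: it takes the file hashes attached to Defender for Endpoint alerts and looks for the same attachments in Exchange Online mail flow, so an analyst can see which mailboxes still hold a copy while ZAP or a manual purge runs. The table and column names (AlertInfo, AlertEvidence, EmailAttachmentInfo) come from the advanced hunting schema; the 7-day window and the severity filter are assumptions to tune for your tenant.

```kusto
// Added example: correlate Defender for Endpoint file alerts with
// Exchange Online attachments that carry the same SHA256.
// The time window and severity filter are assumptions; adjust as needed.
let lookback = 7d;
let EndpointFileAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where Severity in ("High", "Medium")
    | join kind=inner (
        AlertEvidence
        | where EntityType == "File" and isnotempty(SHA256)
        | project AlertId, SHA256, EvidenceFileName = FileName, DeviceName
      ) on AlertId
    | project AlertId, AlertTitle = Title, Severity, SHA256, EvidenceFileName, DeviceName;
// Every message whose attachment hash matches an endpoint alert,
// rolled up per hash so each row is one "this file, these mailboxes" finding.
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| join kind=inner EndpointFileAlerts on SHA256
| summarize Mailboxes = make_set(RecipientEmailAddress),
            Messages  = dcount(NetworkMessageId),
            Devices   = make_set(DeviceName),
            AlertIds  = make_set(AlertId)
          by SHA256, AttachmentName = FileName, AlertTitle, Severity
| order by Messages desc
```

Run it from the Advanced hunting page in the Microsoft 365 Defender portal. The rows it returns are exactly the cross-domain link the Security Graph makes automatically (endpoint alert → mail item), but seeing it as a query makes it clear what "interesting data" the products are surfacing and which entities (hash, recipient, device) tie the two domains together.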
Azure Sentinel
Azure Sentinel is a cloud-native SIEM and SOAR tool, which you can use to collect log data from any number of sources, including Microsoft 365 Defender! You can also import logs from other on-premises sources such as servers or security appliances, including firewalls.
Once you have the log data being ingested into the Azure Sentinel workspace, you can run queries against that data either automatically or manually, and set up your own custom alerts as well as automated responses or playbooks when certain criteria are met. This tool would require you to have a more advanced, dedicated SOC team to configure, monitor, tweak and customize it over time.
I contrast Sentinel against Microsoft 365 Defender (XDR) products in the following ways:
- I argue that the Defender products are a bit easier/quicker to implement and are less to manage on an ongoing basis; even junior, start-up or “part-time” SOC teams can get benefit from these tools quickly and without much capacity being dedicated to their development and maintenance
- Sentinel is much broader in its application and much better for getting at raw data, building custom queries and hunting. This is especially important when you have data sources outside of the Microsoft 365 space such as on-premises servers and security appliances; you can also choose to retain your data for longer periods of time in Sentinel.
Microsoft Defender does give you some access to raw data, but it is optimized to surface “interesting” events via alerts (potential incidents). That having been said, know that even Sentinel has some pre-canned alerts and playbooks that you can deploy and use out of the box, meaning you can get value from it pretty quickly. The reality however, is that to get the full benefit of this tool would require a more nuanced approach and more experienced cybersecurity professionals with dedicated capacity.
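To make the "custom queries, custom alerts, automated response" workflow concrete, here is an added example of a Sentinel scheduled analytics rule query in KQL (written for this article, not taken from the original post or from Microsoft's rule templates). It runs over the raw Azure AD SigninLogs table and flags an IP address that fails sign-ins against several accounts and then succeeds against one of them. ResultType "0" is the documented success code; the one-hour window, the failure threshold of 10 and the three-account minimum are assumptions you would tune against your own data.

```kusto
// Added example: Sentinel scheduled rule over raw SigninLogs.
// Window and thresholds are assumptions; tune them to your baseline.
let window = 1h;
let failThreshold = 10;
let minAccounts = 3;
// Step 1: source IPs with many failures spread across several accounts.
let failed =
    SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType != "0"          // "0" is a successful sign-in
    | summarize FailedCount   = count(),
                DistinctUsers = dcount(UserPrincipalName),
                FirstFail     = min(TimeGenerated),
                LastFail      = max(TimeGenerated)
              by IPAddress
    | where FailedCount >= failThreshold and DistinctUsers >= minAccounts;
// Step 2: a later success from one of those IPs is the alert condition.
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"
| join kind=inner failed on IPAddress
| where TimeGenerated > FirstFail
| project TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName,
          FailedCount, DistinctUsers, FirstFail, LastFail
```

Saved as a scheduled rule that runs every hour with a one-hour lookup, each returned row becomes an alert, which Sentinel groups into an incident. In the rule wizard you map the Account entity to UserPrincipalName and the IP entity to IPAddress, and on the Automated response tab you attach a playbook (a Logic App) to act on the incident, for example opening a ticket or notifying the on-call analyst. Note that the same pattern needs a SOC to own it: thresholds drift, service accounts create false positives, and somebody has to review what the playbook did.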
Opportunity for Service Providers
Both the Microsoft 365 Defender XDR products, as well as Azure Sentinel, are ripe with opportunities for Service Providers who are looking to build a Managed Security Services Practice (MSSP). Defender for Endpoint and Microsoft Cloud App Security are my favorite go-to recommendations for teams who are just getting started; they can often replace other endpoint and/or cloud monitoring tools with these native products, and I think they often do an even better job at certain things, vs. some of the competition (plus Gartner consistently puts Microsoft Defender in the Magic Quadrant).
But I will also add that Sentinel has a unique value proposition for Service Providers in particular. Why? Because Azure Lighthouse will allow you to manage multiple Sentinel workspaces from all of your various customer tenants/subscriptions. Unlike Microsoft Defender products, we aren’t waiting for multi-tenancy; we already have it, and you can stand up a pretty comprehensive solution with centralized management built-in.
The other really good news is that Microsoft Defender data can be ingested into Azure Sentinel for free. Most other data sources will result in additional charges, but not the native Microsoft stuff. Therefore, if you configure some of the Defender products such as Microsoft Cloud App Security, Defender for Endpoint and so on, then you can surface that information in your multi-tenant portal, in Azure Lighthouse/Sentinel.
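Here is an added example (not from the original post) of what the Lighthouse angle looks like in practice: one KQL query, run from the provider's own tenant, that spans several delegated customer workspaces using Sentinel's cross-workspace `workspace()` function and counts the Defender alerts that were ingested into each. The workspace names are placeholders for real delegated workspaces, and the 24-hour window is an assumption.

```kusto
// Added example: one query across several Lighthouse-delegated workspaces.
// Workspace names are placeholders; substitute the delegated workspaces.
let lookback = 24h;
union isfuzzy=true  // keep running if one workspace lacks the table
    (workspace("customer-a-sentinel").SecurityAlert | extend Customer = "Customer A"),
    (workspace("customer-b-sentinel").SecurityAlert | extend Customer = "Customer B")
| where TimeGenerated > ago(lookback)
| summarize Alerts       = count(),
            HighSeverity = countif(AlertSeverity == "High"),
            LatestAlert  = max(TimeGenerated)
          by Customer, ProductName
| order by Customer asc, Alerts desc
```

ProductName shows which Defender product raised each alert (Defender for Endpoint, Cloud App Security and so on), so the result is a per-customer view of the free-to-ingest Defender signal without touching each tenant's portal. The provider identity needs a reader role on every delegated workspace through the Lighthouse delegation for this to return rows.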
So that is the reason that you will most likely want to consider both very carefully, if you are building a Managed Security Practice (they are certainly better taken together). That having been said, if you are brand new to all of these products, I would recommend that you “dig in” starting with the Defender XDR stuff, and moving over to Azure Sentinel after that:
- Microsoft Defender for Office 365
- Microsoft Cloud App Security
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity (legacy AD environments only)
- Azure Sentinel (to bring it all together)
Now remember that you can also offer a “Basic” Managed Security Service without touching any of these additional “super-tools”; indeed, that is basically the subject of my first two cybersecurity courses on Teachable. However, adding Microsoft 365 Defender and Azure Sentinel will certainly help to reduce your risk further, and to raise your visibility and awareness of certain pre- and post-breach events. They will take you much further into “detection & response” territory. Therefore, these would be an excellent basis for launching an “Advanced” Security offering / MSSP service.
Here are some other resources if you are getting started with these tools:
- My own Beginner’s Guide for E5 Security on GumRoad (Updated November 2020)
- Become a Microsoft 365 Defender Ninja
- Become an Azure Sentinel Ninja
- Microsoft 365 Defender Connector for Azure Sentinel (preview)
- Using Azure Lighthouse and Azure Sentinel to Investigate Attacks Across Multiple Tenants
- Build a scalable security practice with Azure Lighthouse and Azure Sentinel
What is the takeaway?
Do you really need all of these different security tools? Never forget: the customer always has a choice. At the present moment, Sentinel is probably the best option for a serious Service Provider given the multi-tenant functionality via Lighthouse, not to mention the fact that you can standardize on one tool, regardless of what other security subscriptions are present in any given customer’s tenant. But Sentinel comes with a steeper resource commitment. You have to be really serious about building an offering on this; if you are going to do it, be prepared to invest some serious time and money into the undertaking.
If you want to get started with less investment, then I can report that tools like Microsoft Cloud App Security are extremely easy to use, and MCAS in particular even allows you to send notifications from custom email addresses (so a ticketing system can more easily identify which customer each alert is associated with). Defender for Endpoint is much like other endpoint security products, and can likely replace whatever you already use in this space (plus it is “agentless” so that makes for easy deployment and immediate benefits when integrating with Conditional Access and other areas in the Microsoft ecosystem).
We have never had this many solid options before from a single vendor (and there are so many other choices out there from excellent third-party security vendors, too); it is certainly not a bad problem to have, even if it can be a bit difficult to navigate.