Microsoft Sentinel: How to Ensure Seamless Integration and Optimize Your SOC Licensing Costs
What is Microsoft Sentinel? An Overview
Microsoft Sentinel (previously known as Azure Sentinel) is a cloud SIEM/SOAR tool that organizations put at the forefront of their security operations. Deployable across multiple clouds and hybrid setups, Microsoft Sentinel collects and analyzes security logs in real time to supply SOC teams with comprehensive data. Many security-oriented organizations choose to upgrade to Microsoft Sentinel as part of their cloud migration strategy to ensure end-to-end coverage across their technical estate.
According to a comprehensive Microsoft Sentinel review conducted by Forrester, adopters report a range of post-adoption benefits:
- An average 79% reduction in false positives
- 80% reduction in labor efforts for advanced investigations
- 48% lower TCO compared to legacy solutions
- 6 months payback period for enterprise-size organizations
The cost factor is particularly compelling as Microsoft Sentinel is a SaaS solution — meaning there is no extra spending on physical hardware and its maintenance. Instead, you are billed per GB of ingested (and processed) security data. Pay-as-you-go pricing is $2.40 per ingested GB; commitment tiers (a fixed number of GB per month) bring the rate down to under a dollar per GB.
Even though the pricing is highly competitive, Microsoft Sentinel licensing costs can easily spin out of control without proper containment measures. This is especially true in organizations processing large volumes of security telemetry, such as SOC teams in telecom or large-scale online retail.
To help you navigate the adoption process, our cybersecurity team made a list of Microsoft Sentinel integration best practices with caveats for cost optimization.
Four Microsoft Sentinel Adoption Best Practices
From our experience, businesses often size up Microsoft Sentinel adoption as part of larger digital transformations and/or the establishment of a dedicated SOC team. Therefore, we have tailored our recommendations to the above scenarios. A similar framework can also be used for cloud-first projects — where new security infrastructure is assembled to protect a cloud-native environment.
1. Start with an End Goal in Mind
As with any type of technology, SIEM/SOAR adoption starts with a review of:
- IT Infrastructure assessment. To ensure consolidated coverage, it is important to map where your key infrastructure is located — on-premises, in hybrid or multi-cloud environments. The assets’ location will dictate how security telemetry data can be accessed and integrated for further analysis.
- Cybersecurity maturity levels. If you lack people, documented processes, and supporting technology for baseline security tasks, you should first cover the existing gaps. Then look into augmenting your standardized workflows with SIEM/SOAR.
- Use cases. These vary a lot depending on your industry and the security/compliance requirements your organization faces. For instance, companies in the financial sector have tighter requirements for customer data storage and processing, whereas a large-scale retailer facing high loads during peak periods may also be interested in procuring application performance data on top of security logs.
Ultimately, your goal is to determine which assets need to be connected for SIEM monitoring, what type of data you need to collect, and how your existing security workflows should be adapted to ensure a fast, effective, and consolidated response.
The big boon of Microsoft Sentinel is that it natively integrates with the entire ecosystem of Microsoft products, as well as third-party solutions. Using pre-made connectors you can configure Microsoft Sentinel to collect log data from all popular cloud platforms (AWS, Google Cloud Platform, Alibaba Cloud, IBM, etc.), as well as business applications such as SAP, Salesforce, Zoom, Atlassian, and many more. Seamless integration with all Azure services and Microsoft products — from Azure Active Directory (AD) to Azure Traffic Manager — is a given.
Microsoft Sentinel lets you connect your entire technical estate and collect log analytics insights that go beyond security. For example, you can also set up application performance monitoring or infrastructure reliability monitoring using data obtained from Microsoft Sentinel without relying on a third-party tool (and paying extra licensing costs).
However, such a degree of “integrability” can result in scenarios where you end up with more data than you need and a higher operational bill. This leads us to the second point.
2. Formalize Your Set of Use Cases
Microsoft Sentinel lets you capture ample data from:
- Firewall logs
- Proxy/web filtering logs
- Identity management solutions
- Cloud workloads
- Business apps
Not only is the collected data useful for security, but it can also be used to locate gaps in infrastructure performance that hinder reliability and availability. Best of all — you can automate alerting and reporting on such bottleneck issues, then pursue further IT infrastructure optimization.
Here is a sample use case: You can use Microsoft Sentinel data to identify and block unwanted bot activity. This can be particularly crucial during peak load periods (e.g., a major annual sales event). By rapidly blocking bot traffic from accessing your resources, you can improve your infrastructure availability, so that real customers have a delightful experience with your company.
On the other hand, being able to collect more data does not mean you should actually do it. Remember: Microsoft Sentinel bills you per ingested GB. The more data gets processed, the higher your bill goes. You also have to spend extra on data storage, whether on-premises, in a cloud data lake, or in a data warehouse.
According to a recent Seagate and IDC study, enterprises are already hoarding more data than they can effectively handle. At present, companies collect only 56% of the data potentially available to them. Yet, out of that 56%, 43% of the data remains unused.
The bottom line: Assess different Microsoft Sentinel use cases. Then determine what type of data you need to collect for them. For example, if you operate in the finance space and are subject to PCI DSS requirements, use the existing guidelines to identify what type of data you need to collect and process to tick all the security boxes.
3. Develop a Strategy for Connecting On-Premises Resources
Despite being a cloud-native solution, Microsoft Sentinel is also compatible with hybrid scenarios. For one reason or another, you may decide to keep some of your assets on-premises. However, you would still want to have them secured.
In such cases, we recommend building local infrastructure for data collection, data cleansing, and aggregation. Then securely dispatch the pre-processed logs to the cloud for analysis. In fact, migrating your security to the cloud can be a solid “stepping stone” for larger projects. Still, if large-scale cloud migration is not your current priority, you benefit considerably from such a hybrid security scenario.
Staunch cybersecurity requires continuity and, by extension, rapid scalability. On-premises operations can rarely deliver that. Case in point: one of our clients was considering SOC adoption. Based on the preliminary analysis, they required an extra 10 TB of data storage for hosting security information and supporting SIEM/SOAR systems. Their IT could not procure the required hardware in the local data center and had to order extra items, which led to significant project delays.
Similar constraints also come to light post-M&A, when the acquirer attempts to bring the new company under its security umbrella but fails to do so due to limitations in its physical infrastructure. As a result, the company operates with limited visibility into part of its tech estate, and that can escalate into security issues.
By using cloud SIEM/SOAR solutions such as Microsoft Sentinel, you benefit from instant, on-demand scalability. Not only can you rapidly provision extra permanent resources, but also scale up for a short period to do some experimentation. For example, test out Microsoft Sentinel threat intelligence as part of a proactive threat hunting session. Then scale down to reduce consumption.
4. Determine Whether You Need Custom Connectors
Though Microsoft provides a lavish selection of connectors, they are far from covering every type of application. Microsoft Sentinel is compatible with standard Windows logs and Linux Syslog. However, some apps generate log data in JSON or other custom formats. To connect these, you need to develop a custom integration.
One of the scenarios we recommend is using Logstash from Elastic and then developing a parser for transforming and integrating the data in a Microsoft Sentinel-compatible format. In this case, a sample workflow can go like this:
- Data collection from an on-premises application
- Data analysis for identifying required event properties (the logs you require)
- Parser development for effective data normalization (conversion to a suitable format + data cleansing)
- Deployment for SIEM analysis
The above scenario can be adapted to a wide range of systems.
Microsoft Sentinel Cost Optimization for Hybrid and Cloud Scenarios
Microsoft Sentinel cost optimization boils down to proactive data consumption reduction. As mentioned earlier, you do not need to collect all the available data to ensure end-to-end visibility and protection.
Here are two major ways to prevent unnecessary data from going into Azure:
- On-premises: Aggregate and analyze data locally for on-premises applications. Configure your log forwarders to send only relevant data to the cloud for analysis.
- In the cloud: Reduce the volume of raw data (logs) by leveraging pre-processed data from other Microsoft products. Microsoft Security Center, Defender for Cloud Apps, Azure AD, and Microsoft EDR, among others, also collect security telemetry such as events, alerts, and anomalies. You can integrate this data into Microsoft Sentinel to augment your reporting without paying extra.
For example, if your goal is to improve endpoint protection for a digital workplace, instead of collecting log data from user devices, you can obtain processed intel from MS EDR tools without any extra licensing costs.
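The custom-connector workflow from the previous section (collect, identify the required event properties, normalize and cleanse, forward for SIEM analysis) and the on-premises filtering recommended above both come down to the same local pre-processing step. The script below is an added example, not code from Infopulse, Microsoft, or Elastic: it takes a constructed JSON-lines log from a hypothetical on-premises application, keeps only the properties the use case needs, drops DEBUG noise and malformed lines, collapses repeated identical events into one record with a count, and renames the timestamp to a `TimeGenerated`-style UTC field. The field names, the severity rule, and the target schema are assumptions for illustration; in a real deployment they would match the custom table you define in the Log Analytics workspace, and the output would be handed to Logstash or another forwarder.

```python
"""Normalize a custom JSON application log into flat, Sentinel-style records
and filter it locally before forwarding (added example, not vendor code)."""
import json
from datetime import datetime, timezone

# Constructed sample: one JSON event per line, as a hypothetical on-premises
# application might write them. It includes a DEBUG line (noise), one
# malformed line, and a burst of three identical failed-login events.
RAW_LOG = """\
{"ts": "2024-03-04T10:15:01+01:00", "level": "INFO", "component": "auth", "msg": "login ok", "user": "alice", "src": "10.1.2.3"}
{"ts": "2024-03-04T10:15:02+01:00", "level": "DEBUG", "component": "auth", "msg": "cache hit", "user": "alice"}
{"ts": "2024-03-04T10:15:05+01:00", "level": "WARN", "component": "auth", "msg": "login failed", "user": "bob", "src": "10.1.2.9", "reason": "bad password"}
{"ts": "2024-03-04T10:15:06+01:00", "level": "WARN", "component": "auth", "msg": "login failed", "user": "bob", "src": "10.1.2.9", "reason": "bad password"}
{"ts": "2024-03-04T10:15:07+01:00", "level": "WARN", "component": "auth", "msg": "login failed", "user": "bob", "src": "10.1.2.9", "reason": "bad password"}
this line is not JSON and must not break the pipeline
{"ts": "2024-03-04T10:16:00+01:00", "level": "ERROR", "component": "payments", "msg": "gateway timeout", "order": "A-1001"}
"""

# Workflow step 2: the event properties the use case actually needs (assumed).
REQUIRED = ("component", "msg", "user", "src", "reason", "order")
# Workflow step 3: cleansing rule - only these severities are worth the ingestion cost.
FORWARD_LEVELS = {"INFO", "WARN", "ERROR"}


def parse_line(line):
    """Return one normalized record, or None if the line is unusable or filtered out."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # malformed input is counted, never forwarded
    level = event.get("level", "").upper()
    if level not in FORWARD_LEVELS:
        return None
    # Normalize the source timestamp to UTC ISO 8601 under a TimeGenerated-like name.
    ts = datetime.fromisoformat(event["ts"]).astimezone(timezone.utc)
    record = {"TimeGenerated": ts.isoformat().replace("+00:00", "Z"), "Severity": level}
    for key in REQUIRED:
        if key in event:
            record[key] = event[key]
    return record


def normalize(raw):
    """Parse, filter and collapse repeated events; return (records, stats)."""
    records, stats = [], {"read": 0, "dropped": 0, "collapsed": 0}
    last_key, last_rec = None, None
    for line in raw.splitlines():
        if not line.strip():
            continue
        stats["read"] += 1
        rec = parse_line(line)
        if rec is None:
            stats["dropped"] += 1
            continue
        # Collapse a burst of identical events (timestamp aside) into a single
        # record carrying a Count, keeping the first-seen time.
        key = {k: v for k, v in rec.items() if k != "TimeGenerated"}
        if last_key == key:
            last_rec["Count"] += 1
            stats["collapsed"] += 1
            continue
        rec["Count"] = 1
        records.append(rec)
        last_key, last_rec = key, rec
    return records, stats


def forwarded_bytes(records):
    """Size of the JSON-lines payload that would actually leave the site."""
    return sum(len(json.dumps(r, separators=(",", ":")).encode()) + 1 for r in records)


if __name__ == "__main__":
    recs, st = normalize(RAW_LOG)
    for r in recs:
        print(json.dumps(r))
    print(st, "raw bytes:", len(RAW_LOG.encode()), "forwarded bytes:", forwarded_bytes(recs))
```

On this sample, seven lines are read, two are dropped (the DEBUG event and the malformed line), and the three identical failed logins become one record with `Count` 3, so three records are forwarded instead of seven. The byte comparison at the end is the figure to track when you tune the filter: per-GB billing means every field and event you cut here is cut from the bill, while the `Count` field preserves the signal (a burst of failures) that a detection rule would need.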
Final Thoughts: What is Next Post-Adoption?
Once configured and fully integrated with all your systems, Microsoft Sentinel will provide your teams with extensive data for threat monitoring and prevention. Yet, it is worth remembering that cybersecurity is a continuous process. If there are any changes to the infrastructure — from new software updates and patching to new asset integrations — you will need to audit and possibly refresh your Microsoft Sentinel setup. Similarly, extra tuning may be required to accommodate a new use case or establish protection against a novel attack vector.
Contact Infopulse cyber security consultants to learn more about Microsoft Sentinel adoption prerequisites and integration scenarios.