Microsoft is rolling out a brace of threat fighting capabilities for Windows 10 administrators that promise to bring the big guns of the company’s security experts, as well as its AI capabilities, to bear against attackers. The new services are Microsoft Azure Sentinel and Microsoft Threat Experts, which is part of Windows Defender ATP. Both are intended to be used for security operations administrators and managers.
Sentinel is a cloud-based threat analysis service that uses Microsoft’s cloud AI capabilities to monitor cloud and on-premises infrastructure against threats. According to Microsoft, Sentinel will monitor for threats on an enterprise-wide basis, including all devices and users, in locations that are in the cloud or on-premises.
Sentinel is a Security Information and Event Management (SIEM) tool that’s able to detect threats in a number of ways, including their activity in the enterprise, traces left in logs and changes to protected systems, then use AI to investigate the threats and produce alerts with sufficient details to allow the security staff to act on them. Sentinel will also help respond to threats through orchestration and automation of common tasks.
In its announcement, Microsoft says that there are no storage or query limits to using Sentinel. Right now, Sentinel is in its preview stage, which means you can sign up for a free trial. You need an Azure account to use it, and you need an Office 365 account to take advantage of some of the reporting features.
Security Experts at Your Service
Microsoft Threat Experts, meanwhile, uses human security experts to help with security, which is a different approach from Sentinel, which uses AI. Threat Experts is available through Windows Defender ATP, where there’s an “Ask an Expert” button that will provide threat expertise on demand.
The idea with Threat Experts is to serve as an extension to an organization’s in-house security team to provide help in examining security data to identify threats and intrusions and any other attacks. The service will provide proactive hunting for important threats to an enterprise, including human adversary intrusions and advanced attacks such as cyber-espionage. For organizations with exposure to state-sponsored attacks (which is nearly everyone these days), the ability to detect this sort of attack can be critical.
What’s really improving the capability of Microsoft’s service is the availability of human expertise to help with the most difficult problems. You can simply click on a button within the Windows Defender Security Center console to engage an expert at Microsoft. Those experts can examine anonymized data to help your team understand the threats they face, which machines may be compromised, causes for suspicious activities and detailed knowledge on persistent threats.
A key difference between the immediate threat response with Threat Experts and Sentinel is that Sentinel is designed to weed out routine alerts, determine which are actually problems and, where possible, handle them. If it’s not possible, then it will pass along an alert and recommended actions to the security operations team for action.
In effect, Sentinel is the replacement for the entry-level security employee that you’re punishing by making them comb through nearly endless false positives from your security appliances. But the difference is that Sentinel won’t get bored, won’t lose focus and won’t miss alerts because they’re in the break room looking for coffee when the bad guys break in.
But in reality, Sentinel is more than that, because while it can indeed sort those endless false positives created by your intrusion detection system, it can also correlate results across platforms, and it can look at intrusion data from other sources. It can, for example, detect related attacks on diverse cloud platforms and on the internal platforms that you have in your data center. The chances of this happening with a human staff are essentially non-existent.
Built to Support Security Managers
It’s worth noting that these services aren’t just consumer security products repurposed for business use. They are built from the ground up to support enterprise security managers, and because of this they can handle enterprise workloads. This means, for example, that Sentinel’s cloud-native software has the advantage of the breadth of cloud resources, and it can draw on the performance of extendable cloud services. You don’t have to worry about a lack of performance making you fall behind the threat.
Likewise, Threat Experts is designed to complement your existing security team. They will work with your staff to identify threats and to suggest actions you can take to eliminate them, but they’re not a remote security staff that will run your SOC for you. Think of them as highly skilled advisors who are available when you need them, because that’s exactly what they are.
At this point, both services are available in preview, which means that you may find that some new features show up without warning while others vanish. But for now the services themselves are free, although there will be a charge for related services, such as Azure and Office 365 as well as Windows Defender APT.
You still need your existing security solutions, but what Microsoft is offering will go a long way to providing the level of security you really need.