In the cloud, things aren't always what they SIEM: Microsoft rolls out AI-driven Azure Sentinel

And 'ask a Redmond security bod' panic button for Windows Defender ATP customers

RSA Microsoft has wheeled out two new enterprise security tools – Azure Sentinel, a cloud-based SIEM, and Microsoft Threat Experts, an infosec advice-as-a-service bundled with a panic button.

The two services are part of Redmond's ongoing invasion of the cloud security market. It will be showing off the technology at the RSA Conference in San Francisco next week.

Ann Johnson, Microsoft's cybersecurity solutions veep, described Azure Sentinel as the "first native SIEM within a major cloud platform".

Azure Sentinel customers are exhorted by Microsoft to marvel at "nearly limitless cloud speed and scale", assuming the public cloud service and things hanging off it haven't gone for an unscheduled nap, as happens from time to time.

The hackneyed message from Johnson is for businesses to "invest your time in security and not servers".

"Azure Sentinel supports open standards such as Common Event Format (CEF) and broad partner connections, including... Check Point, Cisco, F5, Fortinet, Palo Alto and Symantec, as well as broader ecosystem partners such as ServiceNow."
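To make the Common Event Format mentioned above concrete, here is a small parser for CEF records of the kind a firewall or IDS forwards to a SIEM. This is an added example, not code from Microsoft, Azure Sentinel or the article; the sample lines, the vendor and product names in them and the addresses are constructed for illustration. It handles the syslog prefix that usually precedes the `CEF:` marker, the backslash escapes the format uses for `|`, `=` and `\`, and the `csNLabel`/`csN` custom-field pairing.

```python
import re
from typing import Any, Dict, List

# Constructed sample events (not real telemetry) in the shape a CEF-speaking
# device would forward. The first carries a syslog prefix and an escaped '='
# in an extension value; the second escapes a '|' inside a header field.
SAMPLE_LINES = [
    "Feb 28 10:15:02 fw01 CEF:0|ExampleVendor|ExampleFW|9.0|THREAT|vulnerability|8|"
    "src=10.0.0.5 dst=203.0.113.7 spt=51234 dpt=443 act=drop msg=Suspicious path\\=/admin",
    "CEF:0|ExampleVendor|Gateway \\| Filter|R80|Log|Accept|3|"
    "src=10.0.0.9 dst=10.0.0.1 proto=TCP cs1Label=Rule cs1=Allow internal",
]

# The seven pipe-delimited header fields that follow "CEF:".
HEADER_KEYS = ["version", "vendor", "product", "device_version",
               "event_class_id", "name", "severity"]

_ESCAPES = {"n": "\n", "r": "\r"}

# Extension keys are alphanumeric; a new key starts only after a space and an
# unescaped '=' (an escaped '\=' inside a value does not match the lookahead).
_EXT_TOKEN = re.compile(r" (?=[A-Za-z0-9_.]+=)")


def _unescape(value: str) -> str:
    """Undo CEF escaping: '\\|', '\\=', '\\\\' and the '\\n'/'\\r' line-break markers."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)


def _split_header(body: str) -> List[str]:
    """Split the seven header fields on unescaped '|'; the remainder is the raw extension."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2])        # keep the escape pair for _unescape
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than seven fields")
    return [_unescape(f) for f in fields] + [body[i:]]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces and escapes."""
    fields: Dict[str, str] = {}
    ext = ext.strip()
    if not ext:
        return fields
    for token in _EXT_TOKEN.split(ext):
        key, sep, raw = token.partition("=")
        if sep:
            fields[key] = _unescape(raw)
    return fields


def _resolve_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Map 'cs1Label=Rule cs1=Allow' style pairs to {'Rule': 'Allow'}."""
    named: Dict[str, str] = {}
    for key, label in fields.items():
        if key.endswith("Label") and key[:-5] in fields:
            named[label] = fields[key[:-5]]
    return named


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF record (optionally syslog-prefixed) into a structured event."""
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("not a CEF record")
    parts = _split_header(line[marker + 4:])
    event: Dict[str, Any] = dict(zip(HEADER_KEYS, parts[:7]))
    event["syslog_prefix"] = line[:marker].strip() or None
    sev = event["severity"]
    # CEF severity is 0-10 numerically, but the spec also allows words like "High".
    event["severity"] = int(sev) if sev.isdigit() else sev
    event["extension"] = _parse_extension(parts[7])
    event["labels"] = _resolve_labels(event["extension"])
    return event


def parse_lines(lines: List[str]) -> List[Dict[str, Any]]:
    return [parse_cef(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_lines(SAMPLE_LINES):
        print(ev["vendor"], ev["product"], ev["severity"], ev["extension"].get("src"), "->",
              ev["extension"].get("dst"), ev["labels"])
```

The split on unescaped pipes stops after the seventh field on purpose: the CEF specification only requires `|` to be escaped in the header, so a bare pipe inside an extension value must not be treated as a delimiter. Rejecting records with fewer than seven header fields, rather than padding them, keeps malformed input visible instead of silently producing half-parsed events.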

Press the big red Microsoft panic button

Johnson also revealed Microsoft Threat Experts, another aaS product that appears to target businesses without an extensive in-house security presence or capability. It was presented as "a new service within Windows Defender ATP which provides managed hunting to extend the capability of your security operations centre team".

You give the keys to your castle over to Microsoft's security folk, who will then "proactively hunt over your anonymized security data for the most important threats, such as human adversary intrusions, hands-on-keyboard attacks, and advanced attacks like cyberespionage" in Johnson's words.

This security-as-a-service comes with a panic button for when you just don't know the answer to a burning infosec question yourself. Thanks to Redmond's "Ask a Threat Expert", you can "submit questions directly" to MS security bods via the Windows Defender ATP console.

Tom Kranz, head of cyber labs at British tech consultancy 6point6 and a one-time enterprise security architect, was not impressed by the announcement. He told The Register:

"Microsoft Azure Sentinel continues a worrying process of cloud providers eating their partners' lunch, which is neither good for the industry nor for customers. Azure Operations Management Suite and Security Centre lacked the event correlation and automation that market leaders like Splunk and Alienvault know is needed for a SIEM to be anything other than an irritating source of noise."

Kranz did concede that Sentinel "may fill that 'just good enough' gap between basic tools like OMS and the full-fat products like Splunk."

To join the public preview of Microsoft Threat Experts, apply in the Windows Defender ATP settings, or if Azure Sentinel floats your corporate boat, there's more about it on Microsoft's website. ®

Biting the hand that feeds IT © 1998–2022