Microsoft Sentinel – The Current Market for SIEM

Last Updated: 29/10/2024

Let's look at the current market for SIEM solutions and where Microsoft Sentinel fits in. Whilst some vendors (such as Microsoft) are investing in SIEM solutions, other security vendors are focusing on a joined-up approach across their own security stack to create something called XDR, or eXtended Detection & Response. There has been quite a bit of confusion between XDR and SIEM, and over whether XDR is a replacement for SIEM.

What is XDR?

XDR is the next level above EDR (Endpoint Detection & Response) and takes a holistic approach to threat detection and response. XDR correlates and analyses data from endpoints, networks, cloud workloads and email, allowing security incidents to be prioritised effectively without juggling multiple tools, solutions or consoles. In short, XDR adds the context that is otherwise missing from EDR by consuming other key data sources.

And yes, that does sound like a SIEM. However, a SIEM is first and foremost a log collection and analysis platform, intended to ingest data from as MANY sources as possible, cross-reference events against Threat Intelligence, surface potential security incidents and provide a platform to investigate and respond.

In short, a SIEM can consume far more data sources, whilst XDR can be limited to the vendor's own products and ecosystem. Both provide a means of identifying and responding to threats, and the two are commonly used together, with XDR alerts forwarded into the SIEM as one of its data sources.

A good explanation of XDR can be found here.

What about Zero Trust?

In addition to XDR, we also have the Zero Trust model, which made waves toward the back end of 2022 and the beginning of 2023, and is still going strong in 2024. Zero Trust has 3 key principles:

  • Always Verify/Verify Explicitly
  • Use the Principle of Least Privilege/Use Least Privilege Access
  • Assume a Breach

SIEM solutions align well with these principles given the capabilities they offer in threat detection and compliance. For example, a SIEM can collect data from across the environment, analyse it for threats and respond with automation. This supports the Verify Explicitly principle: even though a user has authenticated, we can keep looking for suspicious activities and events in what that user does next. Assume Breach is probably the principle most closely associated with SIEM, because if we assume we have already been breached, we need a means to detect, investigate and respond.
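As an added example (not from the original post), here is a Microsoft Sentinel analytics rule query, written in KQL, that applies the Verify Explicitly idea to data a SIEM already collects: it flags a successful Microsoft Entra ID sign-in from a country the user has not signed in from in the previous 14 days, i.e. it keeps checking an account after it has authenticated. It assumes the SigninLogs table is being ingested through the Microsoft Entra ID data connector and uses its standard UserPrincipalName, ResultType, Location, IPAddress and AppDisplayName columns; the 14-day baseline and 1-day detection window are assumed values you would tune.

```kql
// Added example: successful Entra ID sign-in from a country not seen for this user
// in the previous 14 days. Assumes the SigninLogs table (Microsoft Entra ID connector).
let lookback = 14d;          // baseline period (assumed; tune to your environment)
let window = 1d;             // detection period; match the rule's query frequency/lookup
// Baseline: countries each user has successfully signed in from during the lookback,
// excluding the detection window so a first sign-in cannot whitelist itself.
let knownCountries = SigninLogs
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | where ResultType == "0"              // "0" = successful sign-in
    | where isnotempty(Location)
    | summarize KnownCountries = make_set(Location) by UserPrincipalName;
// Candidates: successful sign-ins inside the detection window.
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"
| where isnotempty(Location)
| join kind=leftouter knownCountries on UserPrincipalName
// Keep sign-ins whose country is absent from the baseline; a user with no baseline
// at all (new account, or no sign-ins in the last 14 days) is surfaced too.
| where isnull(KnownCountries) or set_has_element(KnownCountries, Location) == false
| summarize
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    SignInCount = count(),
    IPAddresses = make_set(IPAddress),
    Apps = make_set(AppDisplayName),
    KnownCountries = take_any(KnownCountries)
    by UserPrincipalName, Location
// Split the UPN so the rule can map Sentinel's Account entity (Name + UPNSuffix).
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]),
         AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
| project StartTime, EndTime, UserPrincipalName, AccountName, AccountUPNSuffix,
          Location, KnownCountries, SignInCount, IPAddresses, Apps
```

Deploy it as a scheduled analytics rule whose run frequency and lookup period match `window`, map the Account entity to AccountName/AccountUPNSuffix and the IP entity to IPAddresses, and attach an automation rule or playbook (for example one that revokes the user's sessions) to cover the "respond with automation" half of the paragraph above. Expect some noise from VPN egress points and travelling staff; a watchlist of approved countries per user is the usual tuning step.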

For more information on Zero Trust, the Microsoft page here details the principles and provides good ideas about the type of documentation required.

How does AI factor in?

And if Zero Trust isn’t enough, there is one other big thing…AI.

AI is certainly an interesting topic that’s creating a lot of buzz as it applies to all areas of IT, not just security.

I think the most interesting question is whether adopting AI will make running a SOC team more viable for smaller businesses, as they could operate with fewer staff by using AI to handle routine triage. Additionally, out-of-hours work could be automated more easily with the help of AI. We can all make a lot of assumptions about AI, but until it is widely adopted, we can only speculate.

Microsoft Sentinel

As we have seen in the past few years, Microsoft is making major investments in enterprise-ready security solutions, so it's no surprise they have entered the SIEM market and shaken things up a bit (in a good way). Microsoft Sentinel is cloud-born: it hasn't been migrated or retrofitted into the cloud, so it has all the scalability benefits we are used to with Azure. Having a SIEM fits very nicely into Microsoft's portfolio of security products and bolsters their security ecosystem. All of this will continue to grow the market for SIEM.

If you are interested in using or deploying Microsoft Sentinel, please take a look at my post on planning and architecture tips.
