Differentiate Microsoft Defender for Cloud and Microsoft Sentinel (2024)

One of the most common questions in cloud solutions design is, "Which services should I use to compose my workload, and why?" It's not a trivial question because:

  • You don't want to pay for more than the return on investment (ROI) you actually realize
  • If you don't strictly need a service, adding it needlessly increases your attack surface
  • The more services your solution involves, the more you and your team need to know to keep the environment secure

Speaking of security, that's what I wanted to talk about in more detail. In the Microsoft Azure cloud, the two flagship security services are:

  • Microsoft Defender for Cloud (MDC)
  • Microsoft Sentinel

Now of course the Azure catalog includes separate security controls for each of its resource providers, but MDC and Sentinel are the two main "all up" centralized security solutions.

The question of the day is, "What is the distinction between Microsoft Defender for Cloud and Microsoft Sentinel? How do I know if we should adopt one service, both, or neither?"

In keeping with the old aphorism "You must first learn to crawl before you can walk," let's start by understanding each Azure security service separately.

What is Microsoft Defender for Cloud?

Microsoft Defender for Cloud (formerly called Azure Security Center and then Azure Defender) is a security solution offered by Microsoft that provides security recommendations and advanced threat protection not only for Azure and Microsoft 365 environments, but also servers located in other clouds and your on-premises datacenters.

What I want to stress here is that Microsoft Defender for Cloud is aimed at most job roles that work in Azure. In other words, you don't have to be a full-time information security professional to make use of its security recommendations.

For instance, MDC uses an abstraction called Secure Score to make it easier for you and your team to track the security hygiene of your multi-cloud/hybrid-cloud environment. Each recommendation you implement increases the Secure Score. The higher your score, the closer your cloud environment is to fully following Microsoft's proven best practices, which are grounded in its highly regarded Zero Trust framework.

As you dig deeper into MDC, you'll find that its recommendation engine is powered largely by Azure Policy. Azure Policy is the primary governance solution in Azure; MDC includes hundreds of policy initiatives aligned to Microsoft's proven security practices and to regulatory compliance programs from around the world.

What is Microsoft Sentinel?

Microsoft Sentinel (originally named Azure Sentinel) is a cloud-native security information and event management (SIEM)/security orchestration and automated response (SOAR) platform that uses machine learning and automation to detect and respond to threats across an organization's entire infrastructure.

It provides a holistic view of an organization's security posture and allows security teams to quickly identify and respond to potential threats. Additionally, Microsoft Sentinel includes features such as security incident management, security automation, and security orchestration.

Whereas MDC is aimed at most members of an Azure administration and development team, Sentinel is intended for use by full-time information security professionals. Specifically, Sentinel goes head-to-head with SIEM/SOAR competitors such as:

  • Splunk Enterprise
  • LogRhythm
  • QRadar
  • Sumo Logic
  • Datadog

Like Microsoft Defender for Cloud, Microsoft Sentinel embraces hybrid cloud/multi-cloud, enabling you to monitor servers regardless of where they're located. However, Sentinel goes further than MDC in terms of its data connector model.

Microsoft Sentinel includes an ever-growing library of API connectors to all the Microsoft services you need to monitor:

  • Azure Active Directory
  • Azure Defender 365
  • Azure Key Vault
  • Azure Kubernetes Services
  • Office 365
  • Power BI

The connector library also includes third-party connectors to make sure your on-premises and cloud security appliances are covered; some of these include:

  • Barracuda firewalls
  • Cisco firewalls
  • Citrix web application firewalls
  • F5 BIG-IP
  • Fortinet
  • Juniper SRX
  • Palo Alto firewalls
  • Thycotic Secret Server

Microsoft published the connector application programming interface (API) so your developers can make their own data connectors for your currently unsupported line-of-business applications.

How does MDC relate to Microsoft Sentinel?

I mentioned previously that while both Microsoft Defender for Cloud and Microsoft Sentinel aim to improve your hybrid cloud/multi-cloud security posture, their toolsets are intended for use by different audiences.

However, it's crucial you understand that MDC relates to Sentinel in an important way. Specifically, you can enable the Microsoft Defender for Cloud data connector to import all your MDC data into Sentinel! That's a powerful solution, especially when your company's Azure environment consists of more than one Azure AD tenant.
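To make the MDC-to-Sentinel relationship concrete, here is an added KQL example (mine, not from the article or from Microsoft) showing how Defender for Cloud alerts look once the MDC data connector has imported them into a Sentinel workspace. It assumes the connector is enabled, that MDC alerts land in the SecurityAlert table with ProductName "Azure Security Center", and that incidents built from them appear in SecurityIncident with the contributing alert ids in the AlertIds column; the 7-day lookback is an arbitrary choice.

```kql
// Added example, not from the article: MDC alerts after the Microsoft Defender
// for Cloud data connector has imported them into Sentinel.
// Assumptions: connector enabled; MDC alerts in SecurityAlert carry
// ProductName "Azure Security Center"; incidents reference their alerts
// through the dynamic AlertIds column of SecurityIncident.
let lookback = 7d;
let mdcAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Azure Security Center"
    // The resource id carries the subscription, which is how you tell feeds
    // apart when several subscriptions (or tenants) share one workspace
    | extend SubscriptionId = tostring(split(ResourceId, "/")[2])
    // Alphabetical order of the severity strings is not severity order
    | extend SeverityRank = case(AlertSeverity == "High", 0,
                                 AlertSeverity == "Medium", 1,
                                 AlertSeverity == "Low", 2, 3)
    | project TimeGenerated, SystemAlertId, AlertName, AlertSeverity, SeverityRank,
              CompromisedEntity, SubscriptionId, Tactics;
// One row per (incident, alert id) so each alert can be joined to its incident
let incidentByAlert =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber   // latest state only
    | mv-expand AlertId = AlertIds to typeof(string)
    | project IncidentNumber, IncidentTitle = Title, IncidentStatus = Status, AlertId;
mdcAlerts
| join kind=leftouter incidentByAlert on $left.SystemAlertId == $right.AlertId
| summarize AlertCount = count(),
            // Alerts with no incident are the ones nobody is triaging
            IncidentCount = dcountif(IncidentNumber, isnotempty(IncidentNumber)),
            AffectedEntities = make_set(CompromisedEntity, 20)
          by SubscriptionId, AlertSeverity, SeverityRank, AlertName
| order by SeverityRank asc, AlertCount desc
| project-away SeverityRank
```

Run it in the Sentinel Logs blade; a row with a non-zero AlertCount and an IncidentCount of zero is a Defender for Cloud finding that reached the workspace but has not been grouped into an incident, which is exactly the gap a multi-tenant SOC wants to see.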

Both MDC and Microsoft Sentinel assume some of the same skill sets. You need to be proficient in Kusto Query Language (KQL), Microsoft's home-grown log query language, to perform threat hunting and to configure log search-based alert definitions in both services.
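As an added illustration of the KQL skill just described (my example, not the article's or Microsoft's), the following is the query half of a scheduled analytics rule of the kind you author in Sentinel's rule wizard. It assumes the Azure Active Directory connector feeds the SigninLogs table; the one-hour window and the threshold of ten failures are arbitrary starting points, not Microsoft-recommended values.

```kql
// Added example, not from the article: a scheduled analytics rule query that
// flags a source IP with a burst of failed sign-ins followed by a success.
// Assumptions: SigninLogs populated by the Azure AD connector; window and
// threshold chosen for illustration only.
let window = 1h;
let failureThreshold = 10;
// Source IPs with a burst of failed sign-ins inside the window
let failureBursts =
    SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType != "0"                          // "0" is a successful sign-in
    | summarize FailedCount = count(),
                TargetedAccounts = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
              by IPAddress
    | where FailedCount >= failureThreshold;
// Successful sign-ins from those same IPs after the burst began
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"
| join kind=inner failureBursts on IPAddress
| where TimeGenerated > FirstFailure
| project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          Location, FailedCount, TargetedAccounts, FirstFailure, LastFailure
// One row per account/IP pair keeps the rule's alert volume manageable
| summarize arg_min(SuccessTime, *) by UserPrincipalName, IPAddress
```

When you save this as a scheduled rule, set the query frequency and lookback to match the window, and map UserPrincipalName to the Account entity and IPAddress to the IP entity in the wizard. Those entity mappings are what let an automation playbook act on the resulting incident, because the playbook reads the entities off the incident rather than parsing the query output.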

Furthermore, you'll need to understand how to build and debug logic apps to create workflow automations in both MDC and Sentinel. MDC and Sentinel call them playbooks, but they are actually logic apps.

In case you don't know, a logic app is a way to stitch together different APIs into a workflow, anywhere from simple to complex. Logic apps are initiated by a trigger, for example a security alert. The key logic app value proposition is that you don't have to know the underlying REST API "plumbing" of the various services you link in the app, thanks to the enormous library of pre-built logic app connectors.

Quick example: Look at the following sample playbook in the screenshot, and I'll then walk you through it.

[Figure 4: screenshot of the sample Sentinel playbook]

  • The logic app is triggered when a Microsoft Sentinel incident (essentially a correlated collection of individual security alerts) is created
  • It posts a notification to Microsoft Teams
  • It sends a customized, personalized approval email message via Outlook
  • If the manager approves blocking the user or IP address, the playbook blocks them
  • Otherwise, it closes the incident in ServiceNow

Which service to use, when

Ultimately, we're brought to the question, "So, Tim, which Azure security service should I use – Microsoft Defender for Cloud, or Microsoft Sentinel?"

Here's my advice for you distilled into a simple, two-point bulleted list:

  • Everybody on your team should make use of Microsoft Defender for Cloud
  • If your organization has a dedicated security team, they should strongly consider creating a Microsoft Sentinel instance, being sure to onboard MDC into its management scope

If your business already uses a competing product (for example, Splunk), Microsoft offers plenty of migration guidance for you to consider, all free of charge in their docs.
