When to use what – Azure Sentinel, CASB, Azure Security Center, Security & Compliance Center in Office 365, etc.
Many customers using Microsoft Cloud Services in the context of collaboration and communication often ask the “When to use what” question. Meanwhile we have several really good methods and tools to answer this question, like the Periodic Table of Office 365. In the end it is not about when to use what, it is about “what do you want to do” or “what is your business case”. And this is the same with the Microsoft Security Features & Services.
Features & Services
Microsoft Azure Sentinel is a cloud-native SIEM solution with advanced AI and security analysis capabilities.
Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Further information about CASB.
Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.
Office 365 Security & Compliance Center is designed to manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365.
Microsoft Intune is a management solution that provides mobile device, endpoint and operating system management. It aims to provide Unified Endpoint Management for corporate devices and BYOD.
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It covers resources such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications, along with any cloud apps developed by your own organization.
Microsoft Information Protection helps an organization to classify and protect its documents and emails by applying labels. It helps you discover, classify, label and protect your sensitive information – wherever it lives or travels. Further information about Information Protection.
Protect your enterprise from threats in the cloud and on-premises with Azure Advanced Threat Protection. Azure ATP is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP is built into Windows 10.
Typical discussions with customers
Azure Sentinel vs. Azure Security Center
Azure Security Center focuses on Azure workloads. Azure Sentinel is used for real-time event analysis and for detecting attacks across your whole architecture.
Quote by Microsoft: To reduce confusion and simplify the user experience, two of the early SIEM-like features in Security Center, namely investigation flow in security alerts and custom alerts, will be removed in the near future. Individual alerts remain in Security Center, and there are equivalents for both security alerts and custom alerts in Azure Sentinel. Going forward, Microsoft will continue to invest in both Azure Security Center and Azure Sentinel. Azure Security Center will continue to be the unified infrastructure security management system for cloud security posture management and cloud workload protection. Azure Sentinel will continue to focus on SIEM. Source: Securing the hybrid cloud with Azure Security Center and Azure Sentinel
Azure Security Center vs. Security and Compliance Center in Office 365
The Office 365 Security & Compliance Center is designed to help you manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365. Azure Security Center analyzes data from a variety of Microsoft and partner solutions and applies machine learning to this data for threat prevention, detection, and eventually investigation. Both services are part of the Microsoft Service Trust Platform.
Azure Sentinel vs. CASB
Azure Sentinel is a SIEM solution with advanced AI and security analysis capabilities. It integrates with third-party security platforms from vendors such as Fortinet, Symantec and Check Point, as well as Microsoft's Graph Security API. By connecting with Microsoft Cloud App Security, you will gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.
Office 365 Security Features vs. Intune
Microsoft Intune and the built-in security features in Office 365 for MDM both give you the ability to manage security & compliance in your environment. You can manage security & compliance using both Intune and Office 365 in the same Office 365 tenant. If you have both options available, you can choose whether you manage security & compliance in Office 365 or in the more feature-rich Intune solution for MDM and MAM scenarios.
Azure AD vs. Intune
Intune manages mobile devices and apps. It integrates closely with other EMS components like Azure Active Directory for identity and access control.
Azure Advanced Threat Protection vs. Microsoft Defender ATP
Azure Advanced Threat Protection enables you to integrate Azure ATP with Windows Defender ATP. While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment. By integrating Windows Defender ATP into Azure ATP, you can leverage the full power of both services and secure your environment. Source & Details: Integrate Azure ATP with Windows Defender ATP
As you can see, all these features work together, for example the Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security, or the Azure Information Protection integration with Cloud App Security. So trying to find the best tool / solution for your enterprise by only discussing the detailed features isn’t the best way. To get a solid Security & Compliance strategy based on the Microsoft Security Stack, the best way is to start with your scenarios.

Dealing with the Microsoft Security Stack, a best practice approach is to separate the topics into these four categories / topics:

Identity and access management
Mobile device & app management
Information protection
Threat protection

The next step is to map the scenarios to those four categories / topics:

Protect at the front door
Protect your data anywhere
Detect & remediate attacks

Microsoft offers a good overview to tweak your scenarios in the article Top 10 Actions to Secure Your Environment. Based on this, the following overview offers a blueprint to get started with your security strategy.

From a planning and architecture perspective, the features and services must be separated into monitoring solutions and solutions used to natively set up regulations and policies. For example: you can use Information Protection to protect your content and e-mails, and in addition you can integrate the logs and signals coming from Information Protection into Azure Sentinel. But natively you cannot use Azure Sentinel to protect your content and e-mails. So in the end it is all about your scenarios!

Roundup
[Overview graphics from the original post, not reproduced in this text: How to get started; Periodic table & mapping; Architecture; Roundup]