When to use what – Azure Sentinel, CASB, Azure Security Center, Security & Compliance Center in Office 365, etc.
Many customers using Microsoft Cloud Services in the context of collaboration and communication often ask the “when to use what” question. Meanwhile we have several really good methods and tools to answer this question, like the Periodic Table of Office 365. In the end it is not about when to use what, it is about “what do you want to do” or “what is your business case”. And this is the same with the Microsoft Security Features & Services.
Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Further information about CASB
Office 365 Security & Compliance Center is designed to manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365.
Microsoft Intune is a management solution that provides mobile device, endpoint and operating system management. It aims to provide Unified Endpoint Management for corporate devices and BYOD.
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It covers resources such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications, along with any cloud apps developed by your own organization.
Microsoft Information Protection helps an organization to classify and protect its documents and emails by applying labels. It helps you discover, classify, label and protect your sensitive information – wherever it lives or travels. Further information about Information Protection
Protect your enterprise from threats in the cloud and on-premises with Azure Advanced Threat Protection. Azure ATP is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP is built into Windows 10.
Typical discussions with customers
Azure Sentinel vs. Azure Security Center
Azure Security Center focuses on Azure workloads. Azure Sentinel is used for real-time event analysis and for detecting attacks across your whole architecture.
Quote by Microsoft: To reduce confusion and simplify the user experience, two of the early SIEM-like features in Security Center, namely investigation flow in security alerts and custom alerts, will be removed in the near future. Individual alerts remain in Security Center, and there are equivalents for both security alerts and custom alerts in Azure Sentinel. Going forward, Microsoft will continue to invest in both Azure Security Center and Azure Sentinel. Azure Security Center will continue to be the unified infrastructure security management system for cloud security posture management and cloud workload protection. Azure Sentinel will continue to focus on SIEM. Source: Securing the hybrid cloud with Azure Security Center and Azure Sentinel
Azure Security Center vs. Security and Compliance Center in Office 365
The Office 365 Security & Compliance Center is designed to help you manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365. Azure Security Center analyzes data from a variety of Microsoft and partner solutions. To take advantage of this data, it applies machine learning for threat prevention, detection, and eventually investigation. Both services are part of the Microsoft Service Trust Platform.
Azure Sentinel vs. CASB
Azure Sentinel is a SIEM solution with advanced AI and security analysis capabilities. It integrates with third-party security platforms from vendors such as Fortinet, Symantec and Check Point, as well as Microsoft's Graph Security API. By connecting it with Microsoft Cloud App Security, you gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.
Office 365 Security Features vs. Intune
Microsoft Intune and the built-in MDM security features in Office 365 both give you the ability to manage security & compliance in your environment. You can manage security & compliance using both Intune and Office 365 in the same Office 365 tenant. If you have both options available, you can choose whether you manage security & compliance in Office 365 or in the more feature-rich Intune solution for MDM and MAM scenarios.
Azure AD vs. Intune
Intune manages mobile devices and apps. It integrates closely with other EMS components like Azure Active Directory for identity and access control.
Azure Advanced Threat Protection vs. Microsoft Defender ATP
Azure Advanced Threat Protection enables you to integrate Azure ATP with Windows Defender ATP. While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints, together providing a single interface from which you can protect your environment. By integrating Windows Defender ATP into Azure ATP, you can leverage the full power of both services and secure your environment. Source & Details: Integrate Azure ATP with Windows Defender ATP
To get a solid Security & Compliance strategy based on the Microsoft Security Stack, the best way is to start with your scenarios. When dealing with the Microsoft Security Stack, a best-practice approach is to separate the topics into four categories (listed below).
The next step is to map the scenarios
Protect at the front door
Protect your data anywhere
Detect & remediate attacks
to those four categories / topics:
Identity and access management
Mobile device & app management
Information protection
Threat protection
Periodic table & mapping
Microsoft offers a good overview to tweak your scenarios in the article Top 10 Actions to Secure Your Environment. Based on this, the following overview offers a blueprint to get started with your security strategy:
From a planning and architecture perspective, the features and services must be separated into monitoring solutions and solutions used to natively set up regulations and policies.
For example: you can use Information Protection to protect your content and e-mails, and in addition you can integrate the logs and signals coming from Information Protection into Azure Sentinel. But natively you cannot use Azure Sentinel to protect your content and e-mails.