When to use what – Azure Sentinel, CASB, Azure Security Center, Security & Compliance Center in Office 365, etc.
Many customers using Microsoft cloud services for collaboration and communication ask the “when to use what” question. There are already several good methods and tools to answer this question, like the Periodic Table of Office 365. In the end it is not about when to use what; it is about “what do you want to do?” or “what is your business case?” The same holds for the Microsoft security features and services.
Features & Services
Microsoft Azure Sentinel is a cloud-native SIEM solution with advanced AI and security analysis capabilities.
Microsoft Cloud App Security is a multimode Cloud Access Security Broker (CASB). It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Further information about CASB
Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.
Office 365 Security & Compliance Center is designed to manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365.
Microsoft Intune is a management solution that provides mobile device, endpoint and operating system management. It aims to provide Unified Endpoint Management for corporate devices and BYOD.
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. It covers resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications along with any cloud apps developed by your own organization.
Microsoft Information Protection helps an organization classify and protect its documents and emails by applying labels. It helps you discover, classify, label and protect your sensitive information, wherever it lives or travels. Further information about Information Protection
Azure Advanced Threat Protection (Azure ATP) protects your enterprise from threats in the cloud and on-premises. It is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Microsoft Defender ATP is built into Windows 10.
Typical discussions with customers
Azure Sentinel vs. Azure Security Center
Azure Security Center focuses on Azure workloads. Azure Sentinel is used for real-time event analysis and attack detection covering your whole architecture.
Quote by Microsoft: To reduce confusion and simplify the user experience, two of the early SIEM-like features in Security Center, namely investigation flow in security alerts and custom alerts will be removed in the near future. Individual alerts remain in Security center, and there are equivalents for both security alerts and custom alerts in Azure Sentinel. Going forward, Microsoft will continue to invest in both Azure Security Center and Azure Sentinel. Azure Security Center will continue to be the unified infrastructure security management system for cloud security posture management and cloud workload protection. Azure Sentinel will continue to focus on SIEM. Source: Securing the hybrid cloud with Azure Security Center and Azure Sentinel
Azure Security Center vs. Security and Compliance Center in Office 365
The Office 365 Security & Compliance Center is designed to help you manage security & compliance features across Office 365. Links to existing SharePoint and Exchange compliance features bring together compliance capabilities across Office 365. Azure Security Center analyzes data from a variety of Microsoft and partner solutions and applies machine learning to this data for threat prevention, detection, and eventually investigation. Both services are part of the Microsoft Service Trust Platform.
Azure Sentinel vs. CASB
Azure Sentinel is a SIEM solution with advanced AI and security analysis capabilities. It integrates with third-party security platforms from vendors such as Fortinet, Symantec and Check Point, as well as Microsoft's Graph Security API. By connecting it with Microsoft Cloud App Security, you gain visibility into your cloud apps, get sophisticated analytics to identify and combat cyberthreats, and control how your data travels.
Office 365 Security Features vs. Intune
Microsoft Intune and the built-in MDM security features in Office 365 both give you the ability to manage security & compliance in your environment. You can manage security & compliance using both Intune and Office 365 in the same Office 365 tenant. If you have both options available, you can choose whether you manage security & compliance in Office 365 or in the more feature-rich Intune solution for MDM and MAM scenarios.
Azure AD vs. Intune
Intune manages mobile devices and apps. It integrates closely with other EMS components like Azure Active Directory for identity and access control.
Azure Advanced Threat Protection vs. Microsoft Defender ATP
Azure Advanced Threat Protection enables you to integrate Azure ATP with Windows Defender ATP. While Azure ATP monitors the traffic on your domain controllers, Windows Defender ATP monitors your endpoints; together they provide a single interface from which you can protect your environment. By integrating Windows Defender ATP into Azure ATP, you can leverage the full power of both services and secure your environment. Source & Details: Integrate Azure ATP with Windows Defender ATP
As you can see, all these features work together, for example the Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security, or the Azure Information Protection integration with Cloud App Security. So trying to find the best tool or solution for your enterprise by discussing only the detailed features isn’t the best way.
How to get started
To build a solid security & compliance strategy on the Microsoft Security Stack, the best way is to start with your scenarios. A best-practice approach when dealing with the Microsoft Security Stack is to separate the topics like this:
The next step is to map the scenarios:
- Protect at the front door
- Protect your data anywhere
- Detect & remediate attacks
to those 4 categories / topics:
- Identity and access management
- Mobile device & app management
- Information protection
- Threat protection
Periodic table & mapping
Microsoft offers a good overview to refine your scenarios in the article Top 10 Actions to Secure Your Environment. Based on this, the following overview offers a blueprint to get started with your security strategy:
From a planning and architecture perspective, the features and services must be separated into monitoring solutions and solutions used to natively set up regulations and policies.
For example: you can use Information Protection to protect your content and emails, and in addition you can feed the logs and signals coming from Information Protection into Azure Sentinel. But you cannot natively use Azure Sentinel to protect your content and emails.
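To make the monitoring-versus-enforcement split concrete, here is an added example (not from the original post or from Microsoft) of what the Sentinel side of that picture looks like: a KQL analytics query that watches Information Protection signals for users who downgrade sensitivity labels in bulk. It assumes the Information Protection events land in a table named InformationProtectionLogs_CL with the columns Activity_s, UserId_s, ObjectId_s, LabelName_s and LabelNameBefore_s; check these names against your own connector's schema before using it. The query only raises an incident; the label itself and its protection are still applied by Information Protection, not by Sentinel.

```kql
// Added example: Sentinel scheduled analytics rule over Information Protection logs.
// Assumptions: table name and column names match the connector schema in your workspace.
let lookback = 1h;
let threshold = 5;   // constructed baseline: tune to your own tenant
let downgrades = InformationProtectionLogs_CL
    | where TimeGenerated > ago(lookback)
    | where Activity_s == "Downgrade"           // label lowered, e.g. Confidential -> General
    | project TimeGenerated, UserId_s, ObjectId_s, LabelNameBefore_s, LabelName_s;
downgrades
| summarize
    DowngradeCount = count(),
    Files          = make_set(ObjectId_s, 20),
    FromLabels     = make_set(LabelNameBefore_s, 10),
    ToLabels       = make_set(LabelName_s, 10),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by UserId_s
| where DowngradeCount >= threshold
| order by DowngradeCount desc
```

Run the query in the Logs blade first to see what a normal hour looks like, then schedule it as an analytics rule with the same lookback window. Notice that nothing in the query can stop a downgrade or re-apply a label: if you want that behaviour, it has to be configured as a policy in Information Protection, which is exactly the separation the paragraph above describes.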
So at the end it is all about your scenarios!