Microsoft has announced two new cloud services to help administrators detect and manage threats to their systems. The first, Azure Sentinel, is a natural fit alongside other cloud services: it relies on machine learning to sift through large volumes of data and find the signal in the noise. The second, Microsoft Threat Experts, is a little different: it is powered by humans, not machines.
Azure Sentinel is a machine-learning-based security information and event management (SIEM) service. It takes in the (often overwhelming) stream of security events, such as incorrect passwords, failed attempts to raise privileges, and unusual executables blocked by anti-malware, and separates the important events that genuinely merit investigation from the mundane ones that can probably be ignored.
Sentinel can draw on multiple data sources. There are the obvious Microsoft sources (Azure Active Directory, Windows event logs, and so on), as well as integrations with third-party firewalls, intrusion detection systems, endpoint anti-malware software, and the like. Sentinel can also ingest any data source that emits ArcSight's Common Event Format (CEF), which has been adopted by a wide range of security tools.
Azure Sentinel is available today in preview from the Azure portal. During the preview its use is free, and Microsoft has not yet decided on pricing for when it becomes generally available.
Threat Experts is a new feature of Windows Defender Advanced Threat Protection (ATP), and it has two components. Targeted attack notifications use a combination of machine learning systems and human oversight (working on anonymized data) to alert administrators specifically about targeted attacks: malicious activity aimed at a particular organization's data that the attackers should not be able to see, rather than activity that is part of a larger, mass-targeted campaign (such as self-propagating ransomware).
The second component is an "Ask a threat expert" button in Windows Defender Security Center. See signs of an attack that your anti-malware has caught but need help investigating? Click "Ask a threat expert" and you will be put in touch with a real human who can help you understand what is happening and how to respond, and who can, if necessary, bring in Microsoft's incident response service.
Threat experts bring human expertise not only to identifying suspicious behavior but also to investigating it. Machine learning is useful for monitoring logs and events to detect signs of, for example, lateral movement, in which stolen credentials are reused to explore a company's network, or network connections to unexpected IP addresses. Threat experts go beyond that to help determine the initial point of entry, the security weaknesses that allowed that entry, and how an attacker gains persistent access to compromised systems. For the moment, at least, these are deductions and investigations that people do better than computers.
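As an added illustration (not Microsoft's code or Sentinel's actual implementation), the following Python shows the two mechanical pieces described above: parsing ArcSight CEF lines, including the `\|` and `\=` escapes that trip up naive splitters, and a simple signal-versus-noise triage that keeps high-severity events and flags one account logging on successfully to many distinct hosts, the lateral-movement pattern mentioned here. The sample events, the "Contoso" vendor, and the severity and fan-out thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample CEF events (hypothetical "Contoso" products, not real data).
SAMPLE = r"""
CEF:0|Contoso|AuthGateway|1.0|100|Failed logon|3|src=10.0.0.5 suser=alice dhost=web01
CEF:0|Contoso|AuthGateway|1.0|100|Failed logon|3|src=10.0.0.5 suser=alice dhost=web01
CEF:0|Contoso\|Labs|EDR|2.1|200|Privilege escalation attempt|8|src=10.0.0.7 suser=bob dhost=db01 msg=flag\=SeDebug blocked
CEF:0|Contoso|AuthGateway|1.0|101|Successful logon|2|src=10.0.0.7 suser=bob dhost=web01
CEF:0|Contoso|AuthGateway|1.0|101|Successful logon|2|src=10.0.0.7 suser=bob dhost=web02
CEF:0|Contoso|AuthGateway|1.0|101|Successful logon|2|src=10.0.0.7 suser=bob dhost=db01
""".strip().splitlines()

HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")
# Header is 'CEF:Version|Vendor|Product|Version|SigID|Name|Severity|Extension';
# a header field is any run of escape pairs (\| or \\) or non-pipe characters.
_HEADER = re.compile(r"CEF:(\d+)" + r"\|((?:\\.|[^|\\])*)" * 6 + r"\|(.*)$", re.S)
_KEY = re.compile(r"(?:^|\s)([A-Za-z][\w.]*)=")  # start of an extension key
_UNESC = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}

def _unescape(s):
    return re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(0)), s, flags=re.S)

def parse_cef(line):
    """Parse one CEF line into a dict of header fields plus extension key/values."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("malformed CEF line: %r" % line)
    event = {"cef_version": m.group(1)}
    event.update(zip(HEADER_FIELDS, (_unescape(f) for f in m.groups()[1:7])))
    ext = m.group(8)
    keys = list(_KEY.finditer(ext))  # each value runs until the next 'key=' token
    for k, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        event[k.group(1)] = _unescape(ext[k.end():end])
    return event

def triage(events, high=7, fanout=3):
    """Return (kind, subject, detail) findings; assumes numeric CEF severity (0-10)."""
    findings, hosts = [], defaultdict(set)
    for e in events:
        if int(e["severity"]) >= high:
            findings.append(("high_severity", e["name"], e.get("dhost")))
        if e["name"] == "Successful logon":  # one source/account fanning out to many hosts
            hosts[(e.get("src"), e.get("suser"))].add(e.get("dhost"))
    for (src, user), hs in hosts.items():
        if len(hs) >= fanout:
            findings.append(("lateral_movement", f"{user}@{src}", sorted(hs)))
    return findings
```

Running `triage(parse_cef(l) for l in SAMPLE)` drops the repeated failed logons as noise and returns the privilege-escalation event plus bob's three-host fan-out.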
The big problem with people is, of course, scalability. Because Sentinel is machine-driven, Microsoft can simply put it in the Azure portal and let users try it out, drawing on Azure's massive computing infrastructure for whatever scale is needed. Threat Experts depends on genuine IT security experts, and those cannot be spun up as quickly as a new virtual machine or container. As a result, its preview program is much more limited: interested organizations must apply to join the preview and then wait for approval.