The True Cost of Microsoft Sentinel
Selecting a SIEM for your Microsoft 365 environment can be a difficult task. With so many options available, it’s hard to separate fact from fiction. Many SIEM vendors integrate with Microsoft 365 (formerly Office 365), but not every integration is seamless or easy.
Meanwhile, you may be eyeing Microsoft Sentinel, thinking that a native security information and event management (SIEM) platform will always be the best option for your Microsoft 365 environment. But Microsoft Sentinel isn’t a silver bullet, either.
Let’s discuss how to select the right SIEM for Microsoft 365.
Microsoft 365 environments generate large volumes of data. Since Microsoft 365 is such a robust product suite with many different components, a user or admin can perform millions of actions within it, and every action produces logs. For example, an organization with 1,000 users generates 15,000 Azure audit logs per day, according to Microsoft.
The increasing volume of critical data stored within Microsoft 365 — combined with its rising popularity — makes it a prime target for cyberattacks. Microsoft Office is the most commonly exploited software in malware attacks, according to an Atlas VPN report.
Without continuous monitoring through logs, admins could miss potential security risks. For example, a user who sets up a rule that forwards email to an external address could be acting benignly, or the rule could be a threat actor’s attempt to maintain persistence in the environment.
Continuous monitoring is nearly impossible without a centralized repository for those logs. Without a SIEM for Microsoft 365, IT and security teams would need to sift through and interpret hundreds of thousands of raw logs. Sending those logs to a centralized location like a SIEM helps to maintain visibility.
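The forwarding-rule case above is the kind of check a SIEM runs once the Microsoft 365 logs are centralized. The following is an added example written for this page, not code from the original post or from Blumira: it scans Exchange Online entries of the Microsoft 365 unified audit log (records with an Operation, a UserId and a list of Name/Value Parameters) for inbox rules or mailbox settings that forward mail to a domain outside the tenant, and ignores forwarding that stays internal. The sample records and the domain names in them are constructed for illustration.

```python
"""Flag Microsoft 365 forwarding rules whose destination lies outside the tenant.

Added example for this page (not the original post's or Blumira's code). The
record shape mirrors Exchange Online entries in the unified audit log; the
sample records below are constructed, not real exports.
"""
import json
import re

# Exchange cmdlets that can create or change mail forwarding, and the
# parameters on them that carry a destination address.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMETERS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                         "ForwardingSmtpAddress"}

_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def extract_addresses(value):
    """Return the bare, lower-cased e-mail addresses found in a parameter value.

    Values may carry an ``smtp:`` prefix or list several recipients separated
    by ';' or ',', so each part is searched for an address pattern.
    """
    found = []
    for part in re.split(r"[;,]", value):
        match = _EMAIL.search(part)
        if match:
            found.append(match.group(0).lower())
    return found


def find_external_forwarding(records, internal_domains):
    """Return one finding per forwarding destination outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMETERS:
                continue
            for addr in extract_addresses(str(param.get("Value", ""))):
                domain = addr.rsplit("@", 1)[1]
                if domain in internal:
                    continue  # forwarding inside the tenant: not flagged here
                findings.append({
                    "time": rec.get("CreationTime"),
                    "actor": rec.get("UserId"),
                    "operation": rec["Operation"],
                    "parameter": param["Name"],
                    "destination": addr,
                })
    return findings


def scan_json_lines(text, internal_domains):
    """Parse one JSON audit record per line and run the forwarding check."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return find_external_forwarding(records, internal_domains)


# Constructed sample records: two external forwards, one internal, one unrelated.
SAMPLE_RECORDS = [
    {"CreationTime": "2023-06-01T08:12:44", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Archive invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "smtp:archive@mail-backup.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2023-06-01T09:05:10", "Operation": "New-InboxRule",
     "UserId": "bob@contoso.example", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Team copy"},
                    {"Name": "ForwardTo", "Value": "helpdesk@contoso.example"}]},
    {"CreationTime": "2023-06-01T11:30:00", "Operation": "Set-Mailbox",
     "UserId": "carol@contoso.example", "Workload": "Exchange",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.personal@freemail.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"CreationTime": "2023-06-01T12:00:00", "Operation": "MailboxLogin",
     "UserId": "dave@contoso.example", "Workload": "Exchange", "Parameters": []},
]
SAMPLE_JSON_LINES = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    for f in scan_json_lines(SAMPLE_JSON_LINES, ["contoso.example"]):
        print(f"{f['time']} {f['actor']} {f['operation']} "
              f"{f['parameter']} -> {f['destination']}")
```

The internal-domain allow-list is what keeps the check from paging on every team distribution rule; a real deployment would populate it from the tenant's accepted domains and would also weigh companion parameters such as DeleteMessage, which in the first sample record hides the forwarded mail from the mailbox owner.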
All Microsoft 365 plans come with security settings out-of-the-box that can provide basic security protection at no extra cost. Any Microsoft 365 admin can:
You can get more protection with certain add-on features, such as Microsoft Advanced Threat Protection, which includes malware protection via Microsoft Defender Antivirus, information rights management, remote wipe via Intune, and more.
Advanced Threat Protection also includes Microsoft Defender for Office 365, which helps protect against more sophisticated attacks such as zero-day threats, advanced malware, and ransomware.
While Microsoft Defender is a solid and ever-improving product, it is insufficient to protect against Microsoft 365 cyberattacks. Its malware detection rates fall behind many third-party competitors, and the user interface can be clunky. Furthermore, it struggles to protect against emerging threats like zero-day vulnerabilities.
No single security product can offer complete protection; a layered security approach utilizing various products and technologies is crucial to minimize the risk of successful cyberattacks. Third-party security products may provide advanced features like sandboxing or behavior-based detection to help identify and stop sophisticated attacks, capabilities that Microsoft Defender may lack or may implement less robustly.
As Microsoft Defender is developed by the same company that creates the software it protects, some users might worry about potential conflicts of interest or a lack of independent oversight. Solely relying on Microsoft Defender can lead to a false sense of security, causing users to overlook other vital aspects of cybersecurity, such as user education, strong password policies, and regular software updates.
Cybersecurity experts recommend a layered approach, which means that relying on Microsoft’s built-in features is simply not enough for today’s emerging security threats. A SIEM correlates and alerts on all of the data from disparate data sources — including firewalls, cloud apps, on-premises apps, identity management, and an endpoint detection and response (EDR) platform such as Microsoft Defender — to provide a holistic view of your environment.
As organizations tighten their IT and security budgets to prepare for the recession, it may make sense on paper to stay within Microsoft’s ecosystem. In theory, vendor consolidation should equate to cost-effectiveness.
Microsoft Sentinel is the company’s cloud-native SIEM offering that runs in the Microsoft Azure cloud and provides attack detection, threat visibility, proactive hunting, and threat response.
Microsoft markets affordability as one of Sentinel’s differentiators, claiming that it reduces costs by as much as 48% in comparison to legacy SIEM solutions. Microsoft often bundles many products into a single subscription, leading to the common misconception that Sentinel is low-cost or even free.
But Microsoft Sentinel is rarely affordable for the average small to midsize business (SMB). First of all, it’s not bundled into a standard Microsoft 365 subscription, but rather into the premium E5 plan, which starts at $57 per user per month.
Additionally, Microsoft Sentinel pricing depends on how much data your environment consumes. An ingestion-based pricing model can make the decision of which logs to ingest one that’s based on budget rather than true security needs, leading to gaps in coverage.
Microsoft includes certain log types for free — namely, Office 365 audit log, Microsoft Defender alerts, Azure activity logs, and Azure AD Identity Protection. But to achieve true security visibility, organizations should ingest log types beyond that. Some essential logs for consideration are:
As you can see, the log types included with Microsoft Sentinel are a very small piece of the puzzle when it comes to security visibility. When ingesting many different types of logs, costs can quickly increase in Microsoft’s SIEM.
Log retention costs can significantly impact organizations, particularly smaller ones without a security operations center (SOC). Although Microsoft offers a free 90-day retention period when Sentinel is enabled on Azure Monitor Log Analytics, retaining security data beyond that comes at a cost per GB. For instance, healthcare organizations required to retain logs for six years to comply with HIPAA may find Sentinel log retention costs rapidly escalating.
Additionally, operational costs associated with Microsoft Sentinel can be burdensome, especially for smaller IT or security teams. To fully utilize Sentinel, these teams must either learn the complex Kusto Query Language (KQL) to build custom parsers or hire third-party consultants. Integrating unsupported third-party solutions also necessitates learning the Advanced Security Information Model (ASIM) to create parsers.
While Sentinel is a valid option for large enterprises deeply invested in Microsoft’s ecosystem with extensive technical resources and expertise, smaller teams and organizations may not experience a strong return on investment (ROI) when using Sentinel.
This is due to several reasons:
Blumira’s cloud-based SIEM with threat detection and response is built for small and under-resourced teams. We do things differently than Microsoft by providing more value for better security outcomes, including:
Integrate easily with your tech stack. We work particularly well with Windows environments and integrate with a wide variety of Microsoft services, including Microsoft 365, Windows Server, Azure Active Directory, Intune, Microsoft Teams, and Microsoft 365 Defender for Cloud Apps, just to name a few. But we also offer a lot of integrations outside of the Microsoft ecosystem, which means that you won’t experience vendor lock-in. If your tech stack includes a variety of different vendors, we’ll work with you to achieve security success with your existing resources and technology.
Predictable pricing. Blumira’s flat fee, subscription-based pricing model ensures that you can make decisions based on your security needs, not your budget. Ingest as much data as you need without cost consequences. Blumira also retains one year of data by default in our Cloud and Advanced editions, so there’s no need to export logs every three months and store them in a different location. Access and review all of your current and past findings with our convenient portal and meet cyber insurance and compliance easily and quickly with the team you have today.
Easy setup and maintenance. We do all the heavy lifting for your team to save them time, including parsing, threat hunting, creating native third-party integrations, and testing and tuning detection rules to reduce noisy alerts and false positives. Designed for non-security experts to use easily, our platform doesn’t require your team to learn complex query languages or spend all day sifting through thousands of alerts. Deployment takes a matter of hours; our free edition integrates directly with your Microsoft 365 tenant to detect suspicious activity within your environment.
Blumira’s cloud-based SIEM includes a wide range of pre-tuned detections to defend against Microsoft 365 threats, and our Incident Detection Engineering team is constantly working to develop more as new threats emerge.
Integrating Blumira’s SIEM with Microsoft 365 is an easy process that only takes a few minutes. Blumira’s Cloud Connectors automate the configuration of your integrations without requiring you to use a sensor.
Read the full instructions on our Support page.
Then, Blumira will begin receiving your Microsoft 365 logs. Here are just some of our detections for Microsoft 365:
These detections are just a sliver of what you’ll get when you sign up for Blumira’s Free SIEM — the industry’s only free threat detection and response platform for Microsoft 365 environments.
Here’s the value of what you get for free:
Sign up for your free account today.