What is the difference between Azure Security Center and Azure Sentinel?
Many Cloud Architects and Cloud Engineers find it hard to grasp the difference between Azure Security Center (ASC) and Azure Sentinel. Both products look quite similar at first glance, and both are offered by Microsoft to secure your Azure infrastructure. Moreover, in all of Microsoft’s Cybersecurity reference designs these products work shoulder-to-shoulder. There are several main reasons for this confusion: the historical set of functionality that both products offer, the complementary functionality they perform and, most importantly, the fact that they share a subset of functionality in the Cybersecurity activities life-cycle.
The picture above represents a high-level sequence of activities happening in a typical Security Operations Center (SOC). Both ASC and Sentinel play a significant part in some of these activities. Azure Security Center plays a vital role in the “Collect” and “Detect” roles, while Azure Sentinel, in addition to those two, is also designed to perform the “Investigate” and “Respond” roles.
To understand the differences, we shall look deeper into both offerings.
Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud — whether they’re in Azure or not — as well as on-premises.
Azure Security Center addresses the three most urgent security challenges:
Rapidly changing workloads — It’s both a strength and a challenge of the cloud. On the one hand, end-users are empowered to do more. On the other, how do you make sure that the ever-changing services people are using and creating are up to your security standards and follow security best practices?
Increasingly sophisticated attacks — Wherever you run your workloads, the attacks keep getting more sophisticated. You have to secure your public cloud workloads, which are, in effect, an Internet-facing workload that can leave you even more vulnerable if you don’t follow security best practices.
Security skills are in short supply — The number of security alerts and alerting systems far outnumbers the number of administrators with the necessary background and experience to make sure your environments are protected. Staying up-to-date with the latest attacks is a constant challenge, because the world of security is an ever-changing front.
To help you protect yourself against these challenges, Security Center provides you with the tools to:
Strengthen security posture: Security Center assesses your environment and enables you to understand the status of your resources, and whether they are secure.
Protect against threats: Security Center assesses your workloads and raises threat prevention recommendations and threat detection alerts.
Get secure faster: In Security Center, everything is done in cloud speed. Because it is natively integrated, deployment of Security Center is easy, providing you with auto-provisioning and protection with Azure services.
Microsoft Azure Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
Detect previously undetected threats, and minimize false positives using Microsoft’s analytics and unparalleled threat intelligence.
Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cybersecurity work at Microsoft.
Respond to incidents rapidly with built-in orchestration and automation of common tasks.
Azure Sentinel performs more roles, including hunting, automated playbooks and incident responses, as well as assistance with manual incident investigations. On the other hand, Azure Security Center is a great source of recommendations, alerts and diagnostics that can be utilised by Azure Sentinel to provide even better analytics and incident alerts. Therefore, both products must be used in a well-architected SOC. These products are highly complementary and can be easily enabled thanks to the great out-of-the-box integration.
Below is an illustration of the entire process and where Azure Sentinel and ASC play their roles.
Security Center is one of the many sources of threat protection information that Azure Sentinel collects data from to create a view for the entire organization. Microsoft recommends that customers using Azure use Azure Security Center for threat protection of workloads such as VMs, SQL, Storage, and IoT; connecting Azure Security Center to Azure Sentinel takes just a few clicks. Once the Security Center data is in Azure Sentinel, customers can combine it with other sources like firewalls, users, and devices for proactive hunting and threat mitigation with advanced querying and the power of artificial intelligence.
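As an added example (not from the article, and not Microsoft’s own content), here is the kind of Kusto (KQL) hunting query this paragraph describes: once the Security Center connector is enabled, ASC alerts land in Sentinel’s SecurityAlert table, and the query correlates their IP entities with Azure AD sign-ins from the same hour. It assumes the Azure Security Center and Azure Active Directory connectors are enabled and that the column names and the ProductName value follow the standard Sentinel schema.

```kusto
// Added example, not part of the original article.
// Correlate Azure Security Center alerts (ingested into Sentinel's SecurityAlert
// table) with Azure AD sign-ins from the same IP, within an hour of the alert,
// so an analyst can see whether a host ASC flagged was also used for sign-ins.
// Assumptions: ASC and Azure AD connectors enabled; standard SecurityAlert and
// SigninLogs schemas; ASC alerts carry ProductName == "Azure Security Center".
let lookback = 7d;
let ascAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Azure Security Center"      // ASC-originated alerts only
    | where AlertSeverity in ("High", "Medium")
    | extend entities = parse_json(Entities)
    // ASC lists affected entities as a JSON array; keep only the IP entities
    | mv-expand entity = entities
    | where tostring(entity.Type) == "ip"
    | extend AlertIp = tostring(entity.Address)
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity,
              CompromisedEntity, AlertIp;
let signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | project SigninTime = TimeGenerated, UserPrincipalName, IPAddress,
              ResultType, AppDisplayName;
ascAlerts
| join kind=inner signins on $left.AlertIp == $right.IPAddress
// keep sign-ins within 60 minutes either side of the ASC alert
| where abs(datetime_diff("minute", SigninTime, AlertTime)) <= 60
| summarize Signins = count(),
            FailedSignins = countif(ResultType != "0"),   // "0" is a successful sign-in
            Users = make_set(UserPrincipalName),
            Apps = make_set(AppDisplayName)
          by AlertTime, AlertName, AlertSeverity, CompromisedEntity, AlertIp
| order by AlertTime desc
```

Run it from the Sentinel Logs blade; a row with several failed sign-ins around a High severity alert is a candidate for an incident, whereas ASC alone would only have shown the alert.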
To reduce confusion and simplify the user experience, two of the early SIEM-like features in Security Center, namely investigation flow in security alerts and custom alerts will be removed in the near future. Individual alerts remain in Security Center, and there are equivalents for both security alerts and custom alerts in Azure Sentinel.
Microsoft will continue to invest in both Azure Security Center and Azure Sentinel. Azure Security Center will continue to be the unified infrastructure security management system for cloud security posture management and cloud workload protection. Azure Sentinel will continue to focus on SIEM.
If you have any Business or Technology ideas or challenges that you would like to discuss, then please post your questions, challenge my opinion and please send me a message.