Microsoft’s cloud-based SIEM, Azure Sentinel, achieved general availability (GA) on 9/24/2019. Two previous articles, Azure Sentinel: New Microsoft SIEM almost free to trial and Azure Sentinel updates: New Data Connector UX, AWS live, CyberArk coming, walked through the Azure Sentinel basics and its evolution during an almost 9-month preview period. Now that the product is ready to purchase and use in production, it’s time to focus on real-world use cases that demonstrate the SIEM features.
To Start: Paying for Azure Sentinel
For an organization that is “all-in” with the Microsoft stack (Office 365, Azure AD, and Azure or Windows infrastructure, Linux included, plus Azure Security Center), there is a powerful synergy in having all your security-sensitive metadata in one place and benefitting from a sophisticated awareness of all the security entities involved. Azure Sentinel data connectors provide end-to-end SIEM incident investigation across clouds (including AWS), identity systems, computing resources, and devices (including most firewall and router vendors).
Even if Azure Sentinel is the logical SIEM destination, like any solution it must be priced appropriately to be viable. Before deciding on Azure Sentinel, the cloud architect needs to validate the basic affordability and cost-effectiveness of Sentinel in the target estate. A best-practices Sentinel deployment includes “lighting up” a broad set of logs from computers, users, services, and devices. Observe the many data sources in Figure 1, a screenshot from a best-practice production Azure Sentinel deployment:
Figure 1 – Azure Sentinel Usage report from best practices deployment detailing data types analyzed by Sentinel.
There are costs associated with piping all that data from many heterogeneous and discrete sources into Azure, storing it there, and pushing it through Sentinel for security analysis. There are sometimes base costs as well, such as turning on Azure Security Center or deploying Azure Log Analytics agents, that add to the cost of running a maximum-value Azure Sentinel deployment.
It’s hard to give a ‘one size fits all’ cost of using Azure Sentinel since the costs vary greatly according to an organization’s current investment in Microsoft technologies.
- For the “all in” Microsoft customer, all the data is already in Azure, and the specific new cost of Sentinel analysis is the only additional cost. Almost a no-brainer to evaluate!
- A “net new” customer to Microsoft would need to establish an Azure presence, possibly deploy and integrate Azure Active Directory P1/P2, and fund new Log Analytics, Azure Monitor/Azure Automation, and Azure Security Center services in addition to Azure Sentinel analysis. If the customer is not even using Office365 the starting costs are harder to justify.
Comparing the cost of Azure Sentinel
Since Azure Sentinel is a cloud-based SIEM application that runs on top of a cloud-based analytics and data collection solution (Azure Log Analytics), it’s fair to compare its cost to Splunk, Inc.’s Splunk Cloud SIEM as a Service, which “combines Splunk Cloud and Splunk Enterprise Security for a cloud SIEM solution”, or to AT&T’s (formerly AlienVault) Azure Security Monitoring and Compliance Management. In my initial assessment Azure Sentinel compares favorably in cost to existing premier cloud-based SIEM solutions. (Splunk pricing here.)
Considerations on estimating Azure Sentinel costs
Currently there are no charges for using Azure Sentinel. On November 1, 2019, charges for Azure Sentinel will go into effect. Click to learn more about Azure Sentinel pricing.
With Sentinel pricing, it’s all about how much data you are pushing through for security analysis. Your Azure monthly bill will increase based on consumption of Sentinel analysis services and other Azure services such as Log Analytics, Logic Apps, Automation, and Storage that are used by Sentinel.
Another price consideration is that Azure Sentinel utilization charges vary by the Azure region where the Azure Sentinel workspace resides. Figure 2 compares Capacity Reservation and Pay-As-You-Go Azure Sentinel pricing in the West US vs. the East US regions (West US Azure costs 30% more than East US, for example):
Figure 2 – Azure Sentinel pricing varies by Azure region. For example, West US costs 30% more than East US.
Sample Sentinel costs (Pay-As-You-Go and Reserved Capacity scenarios including Log Analytics):
(using prices in Azure US South Central region)
- Higher price, Pay-As-You-Go: Azure Sentinel costs $2.40 per GB of data analyzed by Sentinel, which does not include Azure Log Analytics; Sentinel customers must also budget for Log Analytics costs. Pay-As-You-Go pricing for Azure Log Analytics is $2.76 per GB, with the first 5 GB per customer per month free, so Sentinel-analyzed data can cost up to $5.15 per GB at combined Pay-As-You-Go rates.
- Lower price, Reserved Capacity: discounts of up to 60% for Sentinel and up to 25% for Log Analytics yield a net combined price of $3.03 per GB (for a reservation of 500 GB or more per day).
- Under both pricing models, some data types are not charged for by Sentinel, so actual Sentinel costs will be lower.
Azure Pricing Calculator supports Azure Sentinel
Eliminate all doubt and run your numbers through the Azure Pricing Calculator for Azure Sentinel shown in Figure 3. The calculator will automatically select the best deal for you given your expected consumption. Examples shown are a small business with a $600 monthly Azure Sentinel bill and a large business with a $10,000 monthly bill.
Figure 3 – Costs to use Azure Sentinel are simply consumption based. There are no other subscription “fees”.
Tip: If you expect to consume between 80 GB and 100 GB per day, go ahead and buy the 100 GB/day capacity reservation. 80 GB/day is the point where Pay-As-You-Go becomes more expensive than the 100 GB reservation.
Other costs associated with a best practices Azure Sentinel deployment
- Azure Security Center (ASC) Standard tier: Although not required by Azure Sentinel, enrolling computers and services in the Azure Security Center Standard tier adds great value to Sentinel and should be considered an integral component of a complete Sentinel solution. (ASC Standard tier is free for Azure VMs and $15.00 per non-Azure node per month.)
- To integrate Azure Sentinel with Azure Active Directory, you need Azure Active Directory Premium P1 or Premium P2 licenses.
- If you want to forward your on-premises and in-cloud physical and virtual firewall appliance logs to Azure Sentinel (which you do!), you will need one or more Linux utility virtual machines (VMs) for syslog forwarding. Provisioning new on-premises or in-Azure Linux VMs for this purpose may incur a cost.
Also working in your favor cost-wise
- Azure Sentinel doesn’t charge for every data type: Azure Activity Logs, Office 365 Audit Logs and alerts from Microsoft Threat Protection are available for ingestion at no additional cost.
- The costs for Azure Log Analytics may be partially or wholly offset by ‘node licensing’ for existing Log Analytics customers.
- Large enterprise customers may have unused Azure consumption grants that can be applied to some or all Azure Sentinel costs.
- Many customers already use Azure AD Premium or Microsoft Defender Advanced Threat Protection (ATP) and are therefore entitled to an essentially free Sentinel benefit for those services.
- You can demo and trial Azure Sentinel for free by clicking “Start free” at this link. This lets you model your Sentinel production deployment on a small scale before you need to pay for Azure services in your production environment.
Forrester research agrees: Azure Sentinel accelerates cloud adoption by cybersecurity
“Security Pros: Embrace The Change
“For security pros that have been around awhile, don’t let your cynicism cloud (pardon our pun . . .) the potential advantages your organization could experience by making use of these tools. Take off the tinfoil hat, and realize that Microsoft is a security company now.”
Read the report “Cloud ToolSet To Disrupt The SOC” by Forrester’s VP, Research Director (@infosec_jb, courtesy of @maarten_goet).
You may discover that for your organization, Azure Sentinel makes achieving the competitive advantage of a functional Cloud SIEM affordable as well as essential.
Tags: #MVPBuzz #HybridCloud #Azure #AzureSecurity #cloudSecurity #SIEM #securityManagement #networkSecurity