Rick Steele - Senior Account Manager, Satisnet
It all comes down to cost, doesn’t it?
As security professionals, we may tell ourselves that only the best will do, but there is always a P&L somewhere that needs to be looked after. So how do we get the best tooling at the best price when we can’t negotiate price with the vendor?
The first problem you may have is finding out what Azure Sentinel would cost in your environment – even the Microsoft sales team can struggle to get you an answer – so take Satisnet's Azure Sentinel Price Calculator as a starting point and then see how the below tips can help.
You know your organisation is growing. Teams are spinning up containers in Azure all the time, but your current estate is below 100GB/day – which is the point at which Microsoft sharpen their pencil. A reserved instance of 100GB/day is half the price of a 99GB pay-as-you-go Azure Sentinel.
Yes, that old 'sales-rep' chestnut: spend more money to save money. But let’s look at it in more detail. Currently, E5 gives you 100MB/day per E5 licence, reducing your Azure Sentinel bill (again, you can discover your savings by changing your E3 to E5 licence count in the Azure Sentinel Price Calculator).
This saving isn’t going to be enough to cover the cost of E5, but looking at the wider picture you won’t need to renew your AV, VM, or EDR tool – as E5 can do all of that. You also get MCAS and the DLP suite of tools thrown in. Suddenly, you have an argument you can take to the CFO, as well as getting a step closer to achieving true XDR and enhancing your security posture.
My colleague John Maton has written about understanding the vast security stack Microsoft offer here.
How hot does your data NEED to be? Be honest. You get three months hot data included in Azure Sentinel, which for most organisations is plenty. We can advise on exporting into cold storage, and guess what, the Azure Sentinel Price Calculator will show you how much this can save.
This deserves a blog post of its own. What logs do you really need to send into Azure Sentinel? It’s an amazing tool, but does it need every single log from your Palo Altos, or just the alerts? Could you use an elastic tool alongside it to collate the noisier but less interesting parts of your estate, passing into Azure Sentinel only what it needs to keep watch? (Answer – yes you could, and it could shave 50% from your Azure Sentinel costs!)
Also, if you use a non-Microsoft EDR tool, let that do the hard work. It doesn’t need to be repeated by Azure Sentinel. We can advise on tuning Azure Sentinel so that it gets what it needs, rather than everything you can think of.
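Before deciding what to trim, it helps to measure which tables and which firewall event classes actually drive billable ingestion. The two KQL queries below are an added example, not code from the original post or from Satisnet's calculator; they assume the firewalls send CEF through the Syslog/CEF connector, so their events land in CommonSecurityLog with DeviceVendor "Palo Alto Networks". Run each query separately in the Logs blade.

```kql
// Query 1: billable ingestion per table over the last 30 days.
// Quantity in the Usage table is recorded in MB, so divide by 1024 for GB.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize BillableGB = round(sum(Quantity) / 1024, 2) by DataType
| extend AvgGBPerDay = round(BillableGB / 30, 2)
| order by BillableGB desc

// Query 2: break the Palo Alto volume down by event class and severity.
// Assumption: the firewalls arrive via the CEF connector, so they sit in
// CommonSecurityLog. A large share of low-severity TRAFFIC events is the
// routine session logging that could stay in a cheaper tier, while THREAT
// events are the alerts worth keeping in Sentinel.
// _BilledSize is the per-row billed size in bytes, hence the division to MB.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor == "Palo Alto Networks"
| summarize Events = count(),
            BilledMB = round(sum(_BilledSize) / 1048576.0, 1)
    by DeviceEventClassID, LogSeverity
| extend AvgMBPerDay = round(BilledMB / 7, 1)
| order by BilledMB desc
```

Comparing the TRAFFIC rows against the THREAT rows gives you the actual percentage of firewall volume that is routine session logging rather than alerts, which is the number to take into the filtering discussion.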
I’m cheating here: it won’t make Azure Sentinel cheaper, but it will drastically reduce the cost of using it. We know standing up a 24x7 SOC can be ruinously expensive, and for SMBs even outsourcing to a managed service provider can be a step too far.
Did you know that you can use automations within Azure Sentinel (and add automations of your own) to deliver contextualised alerts into your ticketing system (or even email)? This doesn’t give you the remediation you’d get with a full 24x7 managed service, but it means that rather than drowning in false positives, you only get notified about genuine incidents that need your attention – a cost-effective happy medium for smaller organisations.
If you’ve made it this far through this very brief blog, then you should probably join us on 29th July 2021, where we touch on quite a lot of the above using your very own Azure Sentinel instance! Register here.