Why Insight Chose Microsoft Azure Sentinel as Core SIEM Over Splunk

Managed Services News

Mar 10

Insight is readying customers for its new managed security service.

Insight Enterprises, the global systems integration division of Insight Technology Solutions, is among several managed security service providers in the early stages of provisioning customers using Azure Sentinel, Microsoft’s new cloud-native SIEM.

Microsoft introduced Azure Sentinel a year ago as an alternative to traditional on-premises, AI-based threat intelligence solutions such as ArcSight, RSA NetWitness and Splunk. When Azure Sentinel became generally available in late September, Insight Enterprises’ Cloud & Data Center Transformation (CDCT) organization was among the first 20 global partners trained by Microsoft, at various stages of adding it to their managed security services.

In addition to Insight, Accenture and its Avanade business, Ascent, DXC Technology, EY Global, Infosys, KPMG, Optiv, PwC, Trustwave and Wipro have said they are building out modernized managed security operations centers (SOCs) hosted with Azure Sentinel.

Microsoft’s Ann Johnson

“We’re seeing more uptake on Azure Sentinel than we could possibly consume right now, which is a fantastic problem to have, which is why we’ve rushed and quickly trained a bunch of partners,” said Ann Johnson, corporate VP for Microsoft’s corporate cybersecurity solutions group, during an interview late last year.

While most of the launch partners offer multiple SIEM options for their SOCs, Insight has decided to base its revamped MSSP with Azure Sentinel as its primary SIEM, according to Richard Diver, a cloud security architect at Insight.

“We’re the only one that I am aware of that is only doing Sentinel; everyone else has something else and is then looking to add Sentinel to their list, or they’ll migrate over to Sentinel over time,” Diver said.

Insight also is offering consulting services for customers seeking to migrate their current SOCs to Azure Sentinel.

Azure Sentinel is one of the first of a new class of cloud-native SIEMs that use machine learning at scale to continuously monitor billions of data signals and that run as native cloud services. Another is Backstory, a security telemetry platform created by Chronicle, which was incubated by Google parent Alphabet and last summer became part of Google Cloud.

In 2017, Amazon launched AWS GuardDuty, a cloud-scale threat detection offering that monitors and analyzes data sources such as AWS CloudTrail, Amazon VPC Flow Logs and DNS logs. GuardDuty is primarily for AWS workloads, whereas Azure Sentinel can import AWS CloudTrail logs via a connector, Insight’s Diver said. At last month’s RSA Conference, Microsoft announced that customers can import AWS CloudTrail logs at no charge through June 30.

Insight had decided more than a year ago to sunset its ArcSight SIEM and initially was considering running the popular Splunk SIEM as virtual machine instances in AWS, according to Insight’s Diver.

“I stepped in and said that doesn’t make sense economically or technically,” Diver said. “Splunk on prem makes a lot of sense because you’ve got the hardware, but trying to run it in AWS or Azure as VMs would cost a fortune. We noticed that a lot of companies that moved to the cloud with VMs in IaaS were coming back because the lift and shift was too expensive.”

Upon learning that Microsoft was developing Azure Sentinel, Diver made the case for it over Splunk, which Insight also sells to enterprises, pointing to the cost of running Splunk VMs in cloud environments.

“You can’t take something that’s moving petabytes of data from an on-prem environment, and suddenly move to the cloud on a regular basis,” Diver said. “If you’re in the cloud, or going to the cloud, you also don’t want to build Splunk in a VM on Azure or AWS and you don’t want to pull that data back down. Azure Sentinel doesn’t require provisioning of servers, storage, networks, and all the engineering and licensing that goes with building a Splunk environment.”

Diver sees three core scenarios for Azure Sentinel: organizations without …
