What is our primary use case?
I work as a SOC manager. We use it for incident security, incident monitoring, threat analysis, and looking at remediation or suppression.
What is most valuable?
Most use cases that come from Microsoft are automated. Even before any manual effort, the tool is designed in such a way that it just does the threat analysis. It gives us exactly what the incident alert is all about:
- The priority
- The threat
- The impact
- The risk
- How it can be mitigated.
Those are the key features of this particular tool.
The solution has features that have definitely helped improve our security posture.
One important security feature is the incident alerts. Now, with all these cyberattacks, there are a lot of incident alerts that get triggered. It is very difficult to keep monitoring everything automatically; instead, our organization is utilizing the automated use case that we get from Microsoft. That has helped bring down the manual work for a lot of things. The automation tool does the following (when human interaction is needed):
- Identifies what kind of alert it is.
- Determines whether we have to dismiss it.
- Flags when we need to take any action so the team can do it appropriately.
This is one of its key benefits.
It is easy to use based on my experience. If a newcomer comes in, it is just a matter of time to learn it because it is not that difficult.
What needs improvement?
Most of the time, we are looking for more automation, e.g., looking to ensure that the real-time risk, threat, and impact are being identified by Microsoft. With the Signature Edition, there is an awareness of the real risks and threats. However, there are a lot of things where we need to go back to Microsoft, and say, "Are you noticing these kinds of alerts as well? Do we have any kind of solution for this?" This is where I find that Microsoft could be more proactive.
For how long have I used the solution?
I have been using it for more than nine years.
What do I think about the stability of the solution?
We have not had issues with tool usage or any hiccups.
There are certain glitches, which are areas of improvement, so we continuously keep working with Microsoft. Microsoft does acknowledge this, because it's a learning experience for Microsoft as well. They always expect feedback and improvements on their tools, as it is a collaborative effort between Microsoft and the client.
What do I think about the scalability of the solution?
I work for an organization with more than 50,000 users. Under security alone, we have 5,000-plus users. On my team, we have around 400 people who are looking at it.
There are different roles in the company: project management, security operations (the red and blue teams), and pen testing. I lead a security operations center team, where we have L1, L2, L3, and L4 capabilities. All these come under the same umbrella of the security operations center, and they are all rolled up to the Chief Information Security Officer as part of security.
How are customer service and support?
It is an ongoing improvement for both Microsoft and my organization: we need to work together. Sometimes, the solution doesn't work, so we reach out to Microsoft Enterprise support for any help or assistance. If there is any feedback or improvement, then we work together, but they definitely have helped most of the time.
There are certain gray areas. We constantly work with Microsoft to notice whether there is something that only we, as a client, face, or whether there are other clients who have the same kind of situation, issues, or scenarios where they need help.
I would rate Azure Security Center anywhere between five and six out of 10. Most of the time, when we log into the support, we don't get a chance to interact with Microsoft employees directly; instead, it goes to outsourced employees of Microsoft. The initial interaction has not been that great because outsourced companies cannot provide the kind of quality or technical expertise that we look for. We have a technical manager from Microsoft, but they are kind of average unless we make noise and ask them to escalate. We then can get the right people and the right solution, but it definitely takes time.
Which solution did I use previously and why did I switch?
We use Microsoft Defender and Splunk. We primarily went with Azure Security Center because of client requirements.
How was the initial setup?
The initial setup is pretty easy and straightforward.
To deploy just Azure Security Center, it took three to four hours. However, there are a lot of things that it depends on.
Different clients have different requirements. If the client says, "We are using Azure Security Center. We want to use Microsoft technology or products," we will go with that. There are clients who are using Cisco products as well.
What about the implementation team?
The solution architect usually designs it, taking into consideration the initial setup guide, playbook, and documentation.
We don't use consultants for the deployment.
What's my experience with pricing, setup cost, and licensing?
It has global licensing. It comes with multiple licenses since there are around 50,000 people (in our organization) who look at it.
What other advice do I have?
For organizations that have an on-prem environment and are planning to move to a cloud-based solution, Azure Security Center is definitely one of the best tools that they can use. Year-over-year, I can see a lot of differences and improvements that Microsoft has definitely implemented, in terms of risk analysis, threat impact, and risk impact.
Most of the time, for any action that is performed within an organization or environment, if there is a risk or threat analysis, it is the security operations center that gets to know about it. The end user doesn't get affected at any cost unless there is a ransomware or cyberattack.
I wouldn't say that this is the only tool or product that has helped us out. There are a lot of technologies that Microsoft has come up with, which all together have made a difference. On a score of one to 10 for overall security, I would rate Azure Security Center somewhere between seven and eight. This is not the only tool that my team depends on. There are other tools, but in terms of threat analysis and threat impact, this particular tool has definitely helped us.
We use a lot of Microsoft technologies, not only Azure Security Center. Apart from Azure Security Center, we use the playbook. We are also moving forward with Azure IoT Central and Log Analytics, which is a SIEM tool. So, I have Azure Security Center, Azure Advanced Threat Protection, Windows Defender, Log Analytics, and Azure IoT Central.
Using Azure Security Center, there are a lot of things that get automated. So, I am not dependent completely on Azure Security Center. It is a collaboration of different tools and technologies to achieve the end result. That is why I am saying seven to eight out of 10, because I am not dependent on a particular tool. It is also one of the tools that is definitely helpful for checking risk analysis, but there are other tools as well.
I would rate Azure Security Center as seven to eight out of 10. If you talk about Microsoft products, I would rate it anywhere between eight and nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
*Disclosure: My company has a business relationship with this vendor other than being a customer: Partner