I Have Azure Sentinel… Do I Need Azure Security Center?


Introduction

According to Gartner, Cloud Security Posture Management (CSPM) tools are fundamental to cloud security. Gartner states that “Cloud Security Providers (CSP) concentrates on security assessment and compliance monitoring, primarily across the IaaS cloud stack”. CSPM typically involves leveraging API integrations with one or more cloud providers in order to automatically discover cloud assets and their associated risks.

Cloud Workload Protection Platforms (CWPPs) are software platforms designed for monitoring and protecting cloud workloads. While such “workload-centric” solutions are usually agent-based, the focus should be on the workload – not the agent. An ideal CWPP would offer agentless and agent-based approaches to protecting workloads of different types in the traditional datacenter, public-cloud and private-cloud environments – including workload-centric security protections for bare-metal servers, SQL servers, storage accounts, orchestrated containers, serverless “functions” and virtual machines (VMs).

Within this realm of SIEM, Security Center, and Sentinel, customers often ask me the same question: we already have Azure Sentinel, do we need Azure Security Center as well?

In this quick article, I will answer this frequent question and explain why you need both Azure Sentinel and Azure Security Center to protect your cloud workloads end-to-end and stay proactive.

Azure Security Center

Azure Security Center gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

  1. Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration and strengthen your security posture across all types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
  2. Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they run in Azure, on-premises, or in other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM), and storage accounts.

Azure Security Center is meant to be that one tool that gives you a unified overview of your hybrid cloud environment’s current security configuration and informs you about current threats and attacks against your workloads and services.

Azure Sentinel

Azure Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

As I mentioned earlier, Security Center covers the Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) scenarios, while Azure Sentinel covers the SIEM/SOAR scenarios that sit on top of the other Microsoft security solutions. Azure Sentinel does all the data ingestion, not only from Security Center but also from third-party products and other Microsoft products.

The following diagram illustrates where each product fits in the realm of Microsoft Security solutions.

[Diagram: where each product fits in the Microsoft security portfolio. Image courtesy of Microsoft.]

Data ingestion and data correlation are done by Sentinel. Think of each of those products as a data source that feeds Sentinel; once Sentinel has the data, you can correlate it across all of those data sources.

Do I need Security Center?

The answer is yes of course!

Azure Sentinel and Azure Security Center are two completely different products covering two different scenarios.

The following diagram should give you enough information and show how Azure Sentinel and Security Center complement each other to strengthen your Security Operations Center (SOC) team.

[Diagram: how Azure Sentinel and Azure Security Center complement each other. Image courtesy of Microsoft.]

Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) are two distinct capabilities, and Azure Security Center is the only Microsoft solution (in the secure package) that addresses those scenarios. If you want CSPM and CWPP, you need Azure Security Center. You can then take advantage of all the threat detection in Security Center, which is part of its CWPP capability, and feed it into Azure Sentinel.

The threat intelligence from Security Center is unique: the threat detection from SQL ATP, Azure Defender for Storage, Azure Defender for Key Vault, Azure Defender for Servers, and all the other detection and protection capabilities is something Sentinel has NO awareness of unless it is ingested via the Security Center connector. So in that respect, Azure Security Center and Azure Sentinel are complementary.
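Two KQL queries, added here as an example and not part of the original post, show the two points above in practice: first, a check that the Security Center connector is actually delivering alerts into the workspace, and second, the kind of cross-source correlation Sentinel enables once those alerts are ingested. The queries assume the standard Sentinel tables SecurityAlert and AzureActivity; the ProductName value "Azure Security Center" for Security Center alerts and the column names ResourceId (SecurityAlert) and _ResourceId (AzureActivity) are assumptions, so verify them against your own workspace schema. Run each query separately in the Sentinel Logs blade.

```kusto
// Added example (not from the original post).
// Query 1: which security providers have fed SecurityAlert in the last 7 days?
// If "Azure Security Center" (assumed ProductName value) is missing from the
// result, the Security Center connector is not delivering data to Sentinel.
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Alerts = count(), LastSeen = max(TimeGenerated) by ProductName, ProviderName
| order by Alerts desc

// Query 2: correlation that only works once Security Center alerts are ingested.
// Pair each High/Medium Security Center alert with successful control-plane
// operations (AzureActivity) on the same resource in the hour before the alert,
// so an analyst can see who changed the resource shortly before it was flagged.
// Column names ResourceId / _ResourceId are assumed; adjust if your schema differs.
let lookback = 1h;
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center"
| where AlertSeverity in ("High", "Medium")
| project AlertTime = TimeGenerated, AlertName, AlertSeverity, CompromisedEntity,
          ResourceId = tolower(ResourceId)
| join kind=inner (
    AzureActivity
    | where TimeGenerated > ago(8d)          // wider window to cover the lookback
    | where ActivityStatusValue == "Success"
    | project OpTime = TimeGenerated, Caller, OperationNameValue,
              ResourceId = tolower(_ResourceId)
  ) on ResourceId
| where OpTime between ((AlertTime - lookback) .. AlertTime)
| project AlertTime, AlertName, AlertSeverity, CompromisedEntity, ResourceId,
          OpTime, Caller, OperationNameValue
| order by AlertTime desc
```

The first query is the check to run right after enabling the connector; the second only returns rows when both data sources are present, which is exactly the gap the text describes if Security Center is not connected.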

Summary

Azure Sentinel and Azure Security Center are two completely different products covering two different scenarios. Connecting Azure Security Center to Azure Sentinel gives you more insight into your organization’s network and systems: you can view dashboards, create custom alerts, run automated playbooks, and further investigate any suspicious activity.

To learn more about Azure Security Center, check the official documentation from Microsoft.

The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data in the form of alerts from different security providers, such as Azure Security Center or other Microsoft solutions, as well as other third-party solutions.

To learn more about Azure Sentinel, check the official documentation from Microsoft.

I hope this article gave you a clear picture of why Azure Security Center is essential alongside Azure Sentinel to protect your workloads across public and hybrid clouds.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


About Charbel Nemnom
Charbel Nemnom is a Cloud Architect, Swiss Certified ICT Security Expert, Microsoft Most Valuable Professional (MVP), and Microsoft Certified Trainer (MCT), a fan of the latest IT platform solutions, and an accomplished hands-on technical professional with over 17 years of broad IT infrastructure experience serving on and guiding technical teams to optimize the performance of mission-critical enterprise systems. An excellent communicator, adept at identifying business needs and bridging the gap between functional groups and technology to foster targeted and innovative IT project development. Well respected by peers for demonstrating passion for technology and performance improvement. Extensive practical knowledge of complex system builds, network design, business continuity, and cloud security.

4 Comments

  1. Hi Charbel, Thank you for this post. We migrated our enterprise to the Microsoft E5 plan this year and implemented Sentinel on our workstations by connecting them to the Log Analytics Workspace. Our issue is that Azure Security Center is now recognizing our 50 workstations as VMs or servers and wanting to deploy Azure Defender in addition to the Microsoft Defender ATP we already have deployed, which we feel would be duplicating services and costs. We have opened a case with Azure support about this and they seem stumped and are not sure how to make this alert go away. Was Sentinel implemented improperly, thus causing this alert?
    Thank You,
    David

    • Hello David,
      Thanks for the comment.
      So if I understood your issue, you already have Microsoft 365 Defender for Endpoint agent installed on all those 50 workstations, right?
      Are those workstations servers or clients? Which OS is installed on them?
      When you pay $15 per server to protect your virtual machines (workstations) in Security Center, you also get the Defender for Endpoint license activated on these machines. So one agent and one license. You should not pay double.
      Here are more details about Azure Security Center and Microsoft Defender ATP integration.
      Can you share the alert that you are getting (screenshot)?
      Thanks!

  2. Hi Charbel,
    Yes, the workstations are Windows 10 Pro and Windows 10 Enterprise; all are physical machines. As I mentioned, we use Microsoft 365 E5 licensing, which includes Microsoft Defender ATP, thus not wanting to pay the additional $15 on the Azure side.

    Here is the screenshot of the Azure Security Center Recommendations showing those machines https://www.dropbox.com/s/tm5xfa74xdthcnz/image.png?dl=0

    Following your instructions for the integration, I do not have the workspace with the workstations enabled in Azure Defender yet, in fear of being charged the price per machine.

    • Thanks David!

      What security feature do you want to leverage/use from Azure Security Center on those 35 (Windows 10 Pro and Windows 10 Enterprise) workstations? In short, do you want to use Security Center for those Workstations?
      Usually you Onboard Windows servers/Windows 10 to the Microsoft Defender for Endpoint (ATP) service, and not Windows 10 machines to Azure Security Center.

      If your concern is to have Log aggregation with Azure Sentinel only, then you can connect Microsoft Defender for Endpoint (ATP) directly to Azure Sentinel without Security Center. The new connector is called Microsoft 365 Defender which includes the entire Microsoft 365 Defender suite.

      If your concern is about the warning message that you shared in the screenshot above in Azure Security Center, and you don’t want to use Security Center, then you can exempt those 35 machines from the recommendations by following the steps described here, and they won’t be shown anymore in the Recommendations section.
      Since we are exempting Azure Security Center and we don’t want to integrate those 35 machines, make sure that under Security Center | Pricing & Settings | Subscription-Name | Threat Detection you uncheck (Allow Microsoft Defender for Endpoint to access my data).

      Let me know if this works for you.

      Hope this helps!
      -Charbel
