
I Have Microsoft Sentinel… Do I Need Microsoft Defender for Cloud – Discover Here


At Microsoft Ignite in November 2021, Microsoft announced that Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. Azure Sentinel was also renamed Microsoft Sentinel.

In this article, we will clarify this frequent question and share why you need to have Microsoft Sentinel and Microsoft Defender for Cloud to protect your cloud workloads end-to-end and be proactive instead of reactive.

Introduction

According to Gartner, Cloud Security Posture Management (CSPM) tools are fundamental to cloud security. Gartner states that “Cloud Security Providers (CSP) concentrates on security assessment and compliance monitoring, primarily across the IaaS cloud stack.” CSPM typically involves leveraging API integrations with one or more cloud providers to automatically discover cloud assets and their associated risks.

Cloud Workload Protection Platforms (CWPPs) are software platforms designed for monitoring and protecting cloud workloads. While such “workload-centric” solutions are usually agent-based, the focus should be on the workload – not the agent. An ideal CWPP would offer agentless and agent-based approaches to protecting workloads of different types in the traditional datacenter, public-cloud, and private-cloud environments – including workload-centric security protections for bare-metal servers, SQL servers, storage accounts, orchestrated containers, serverless “functions” and virtual machines (VMs).

Within the realm of SIEM, Defender for Cloud, and Sentinel, I often get asked by customers the following common question: We already have Microsoft Sentinel, do we need Microsoft Defender for Cloud as well?

Microsoft Defender for Cloud

Microsoft Defender for Cloud (formerly known as Azure Security Center) gives you complete visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Microsoft Defender for Cloud (MDC) has four main value propositions:

1) Cloud Security Posture Management (CSPM) — CSPM offers visibility throughout multi-cloud and hybrid environments, from development to runtime, and alerts and suggestions to security teams on vital vulnerabilities and misconfigurations that may result in security issues. Furthermore, CSPM comes equipped with built-in workflows to enhance security posture and facilitate remediation at scale.

2) Cloud Workload Protection Platform (CWPP) — Protect against threats for servers whether they are running in Azure, on-premises, or other clouds such as Amazon AWS or Google GCP, in addition to cloud-native PaaS workloads such as Web Apps, Kubernetes, Key Vaults, as well as for SQL databases (PaaS/VM) and storage accounts.

3) DevOps security management — Offers capabilities that allow developers to develop code more securely, offers guidance on best security practices for your source code repositories, and examines templates employed for deploying code in your Azure environment.

Related: Getting Started With Microsoft Defender for DevOps.

4) Cloud-Native Application Protection Platform (CNAPP) — CNAPP seamlessly combines security and compliance capabilities into a single platform to provide end-to-end cloud security for full-stack workloads across Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure Cloud Services.

Microsoft Defender for Cloud is meant to be that one tool that gives you a unified overview of your hybrid cloud environment’s current security configuration and informs you about current threats and attacks against your workloads and services.

Microsoft Sentinel

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

As I mentioned earlier, Security Center (now Defender for Cloud) covers the Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) scenarios, while Microsoft Sentinel covers the SIEM/SOAR scenarios that sit on top of the other Microsoft security solutions. Microsoft Sentinel does all the data ingestion, not only from Security Center but also from third-party and other Microsoft products.

The following diagram illustrates where each product fits in the realm of Microsoft Security solutions.

Microsoft Integrated Threat Protection
~Image courtesy of Microsoft~

Sentinel does the data ingestion and, therefore, the data correlation. Think of each of those products as a data source that feeds Sentinel; once Sentinel has the data, you can correlate across all of those data sources.
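The following KQL query is an added example (not code from the original post) of the cross-source correlation described above: it joins Defender for Cloud alerts, which the Defender for Cloud connector writes to the SecurityAlert table with ProductName "Azure Security Center", against Windows logon events in the SecurityEvent table that another connector collects into the same workspace. It assumes both connectors are enabled, that CompromisedEntity carries the VM name, and that SecurityEvent.Computer carries the same name (possibly as an FQDN); the lookback and window values are chosen for illustration.

```kql
// Added example, not from the original post: correlate Defender for Cloud
// alerts (SecurityAlert) with Windows logon events (SecurityEvent) in the
// hour before each alert, so the analyst sees which accounts and source IPs
// were active on the alerted host.
// Assumptions: both connectors feed this workspace; CompromisedEntity holds
// the VM name; SecurityEvent.Computer holds the same name, possibly as FQDN.
let lookback = 7d;
let window = 1h;
let mdcAlerts = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Azure Security Center"
    | where AlertSeverity in ("High", "Medium")
    // normalise to a short, lower-case hostname so the join key matches
    | extend Host = tolower(tostring(split(CompromisedEntity, ".")[0]))
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity, Host, Tactics;
let logons = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)   // network and RDP logons
    | extend Host = tolower(tostring(split(Computer, ".")[0]))
    | project LogonTime = TimeGenerated, Host, Account, IpAddress, LogonType;
mdcAlerts
| join kind=inner logons on Host
| where LogonTime between ((AlertTime - window) .. AlertTime)
| summarize Logons = count(),
            Accounts = make_set(Account, 20),
            SourceIPs = make_set(IpAddress, 20)
    by AlertTime, AlertName, AlertSeverity, Host, Tactics
| order by AlertTime desc
```

Run it in the Sentinel Logs blade or save it as a hunting query; if the SecurityAlert side returns nothing, the Defender for Cloud connector is not delivering, which is exactly the gap the rest of the article is about.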

Do I need Microsoft Defender for Cloud?

The short answer is Yes, of course!

Microsoft Sentinel and Microsoft Defender for Cloud are two completely different products covering two different scenarios.

The following diagram should give you enough information and show how Microsoft Sentinel and Defender for Cloud complement each other to strengthen your Security Operations Center (SOC) Team.

Diagram: how Microsoft Sentinel and Defender for Cloud complement each other in the SOC
~Image courtesy of Microsoft~

Cloud Security Posture Management (CSPM) and Azure Defender are two different platforms, and Azure Security Center is the only solution in Microsoft’s security portfolio that addresses those scenarios. If you want CSPM and Azure Defender, you need Azure Security Center. You can also feed all of the threat detection and advanced workload protection in Azure Security Center, which is part of Azure Defender’s capability, into Microsoft Sentinel.

The threat intelligence from Security Center is unique: the threat detections from SQL ATP, Azure Defender for Storage, Azure Defender for Key Vault, Azure Defender for Servers, and all of the other detection and protection capabilities are not visible to Sentinel at all unless they are ingested via the Security Center connector. In that respect, Azure Security Center and Azure Sentinel are complementary.
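As an added check (not code from the original post), the following KQL query confirms that the Security Center connector is actually delivering alerts into the workspace and shows which Azure resource types (storage accounts, key vaults, SQL servers, virtual machines) those alerts come from, which maps onto the Azure Defender plans listed above. It assumes the connector is enabled and reads only standard SecurityAlert columns; the resource type is parsed from the ResourceId string.

```kql
// Added example, not from the original post: verify that Defender for Cloud
// alerts are reaching Sentinel, then break them down by the Azure resource
// type they were raised on (a proxy for the Azure Defender plan involved).
// Assumption: the Defender for Cloud connector writes alerts with
// ProductName "Azure Security Center"; ResourceId follows the standard
// ".../providers/<namespace>/<type>/<name>" ARM format.
let lookback = 30d;
// Part 1: which products are feeding SecurityAlert at all?
SecurityAlert
| where TimeGenerated > ago(lookback)
| summarize Alerts = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Severities = make_set(AlertSeverity)
    by ProductName, ProviderName
| order by Alerts desc;
// Part 2: for the Defender for Cloud alerts, which resource types are covered?
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == "Azure Security Center"
| extend ResourceType = extract(@"providers/([^/]+/[^/]+)", 1, ResourceId)
| summarize Alerts = count(),
            Hosts = dcount(CompromisedEntity),
            TopAlerts = make_set(AlertName, 10)
    by ResourceType, AlertSeverity
| order by Alerts desc
```

If Part 1 shows no "Azure Security Center" row, the connector is not configured (or not enabled for the subscription in question), and none of the Defender for Cloud detections are reaching the SOC through Sentinel. An empty ResourceType for a given plan in Part 2 usually means that plan is not enabled in Defender for Cloud for that subscription.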

In Summary

Azure Sentinel and Azure Security Center are two completely different products covering two different scenarios. Connecting Azure Security Center to Azure Sentinel gives you more insight into your organization’s network and systems: you can view dashboards, create custom alerts, run automated playbooks, and further investigate any suspicious activity.

To learn more about Microsoft Defender for Cloud, check the official documentation from Microsoft.

The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data in the form of alerts from different security providers, such as Azure Security Center or other Microsoft solutions, as well as other third-party solutions.

To learn more about Microsoft Sentinel, check the official documentation from Microsoft.

I hope this article gave you a clear picture of how Microsoft Defender for Cloud is essential for Microsoft Sentinel to protect your workloads across public and hybrid clouds.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

About the Author
Charbel Nemnom
Charbel Nemnom is a Senior Cloud Architect with 21+ years of IT experience. As a Swiss Certified Information Security Manager (ISM), CCSP, CISM, Microsoft MVP, and MCT, he excels in optimizing mission-critical enterprise systems. His extensive practical knowledge spans complex system design, network architecture, business continuity, and cloud security, establishing him as an authoritative and trustworthy expert in the field. Charbel frequently writes about Cloud, Cybersecurity, and IT Certifications.

6 thoughts on “I Have Microsoft Sentinel… Do I Need Microsoft Defender for Cloud – Discover Here”


  1. Hi Charbel, Thank you for this post. We migrated our enterprise to the Microsoft E5 plan this year and implemented Sentinel on our workstations by connecting them to the Log Analytics Workspace. Our issue is that Azure Security Center is now recognizing our 50 workstations as VMs or servers and wanting to deploy Azure Defender in addition to the Microsoft Defender ATP we already have deployed, which we feel would be duplicating services and costs. We have opened a case with Azure support about this and they seem stumped and are not sure how to make this alert go away. Was Sentinel implemented improperly, thus causing this alert?
    Thank You,
    David

  2. Hello David,
    Thanks for the comment.
    So if I understood your issue, you already have Microsoft 365 Defender for Endpoint agent installed on all those 50 workstations, right?
    Are those workstations servers or clients? Which OS is installed on them?
    When you pay $15 per server to protect your virtual machines (workstations) in Security Center, you also get the Defender for Endpoint license activated on these machines. So one agent and one license. You should not pay double.
    Here are more details about Azure Security Center and Microsoft Defender ATP integration.
    Can you share the alert that you are getting (screenshot)?
    Thanks!

  3. Hi Charbel,
    Yes, the workstations are Windows 10 Pro and Windows 10 Enterprise; all are physical machines. As I mentioned, we use Microsoft 365 E5 licensing, which includes Microsoft Defender ATP, thus not wanting to pay the additional $15 on the Azure side.

    Here is the screenshot of the Azure Security Center Recommendations showing those machines https://www.dropbox.com/s/tm5xfa74xdthcnz/image.png?dl=0

    Following your instructions for the integration, I do not have the workspace with the workstations enabled in Azure Defender yet, in fear of being charged the price per machine.

  4. Thanks David!

    What security feature do you want to leverage/use from Azure Security Center on those 35 (Windows 10 Pro and Windows 10 Enterprise) workstations? In short, do you want to use Security Center for those Workstations?
    Usually you onboard Windows servers/Windows 10 to the Microsoft Defender for Endpoint (ATP) service, and not Windows 10 machines to Azure Security Center.

    If your concern is to have Log aggregation with Azure Sentinel only, then you can connect Microsoft Defender for Endpoint (ATP) directly to Azure Sentinel without Security Center. The new connector is called Microsoft 365 Defender which includes the entire Microsoft 365 Defender suite.

    If your concern is about the warning message that you shared in the screenshot above in Azure Security Center, and you don’t want to use Security Center, then you can exempt those 35 machines from the recommendations by following the steps described here, and then they won’t be shown anymore in the Recommendations section.
    Since we are exempting Azure Security Center and we don’t want to integrate those 35 machines, then make sure that under Security Center | Pricing & Settings | Subscription-Name | Threat Detection | uncheck (Allow Microsoft Defender for Endpoint to access my data).

    Let me know if this works for you.

    Hope this helps!
    -Charbel

  5. Thanks Charbel! Using the Microsoft 365 Defender Connector and removing the Log Analytics Workspace agent resolved the issue. I no longer have Azure Security Center nagging me to install its agent on my workstations. Thank you again for the assistance. I even had Microsoft stumped on how to resolve this.

  6. Thank you David for your feedback and confirmation!
    I am happy to hear that I was able to help you in resolving this issue :)
    All the best,
