Microsoft Sentinel vs Microsoft Defender vs Copilot for Security- which Zero Trust tool do you need? | SoftwareOne blog (2024)


Speaking at a recent Cybersecurity Summit, Microsoft CEO Satya Nadella explained that: “we've spent years building our zero trust approach internally at Microsoft… We are committed to sharing what we have learned to help every organisation accelerate their progress”.

Microsoft Sentinel and Microsoft Defender for Cloud, and more recently Microsoft Copilot for Security, are tools the technology company has released to help companies “accelerate their progress” towards world-class security.

All three can play a part in a Zero Trust security strategy, so it is not always obvious which you need, or how they fit together. Let’s look at the three solutions and how they complement one another in support of Zero Trust.

What is Zero Trust?

Before comparing the Microsoft solutions, it’s first helpful to understand their purpose. Essentially, all three technologies can be used to support a Zero Trust security model.

Zero Trust means what the name implies. It’s a security model in which every person or device accessing your company’s IT environment must continually prove that they are who they claim to be, and that they are entitled to what they are asking for. A successful login does not earn standing trust: each request is verified again.

To understand Zero Trust, it’s helpful to compare it with the traditional security model:

Traditional security

Someone enters your systems with a username and the correct password. You implicitly trust that this person is a ‘good actor’ because they have the correct login credentials. Once they’re inside, they can move around the network largely unchecked.

If an attacker has entered your systems, there are almost no checks to prevent them doing more damage.

Zero Trust model

Someone enters your systems with the correct credentials. However, they are given access only to the files and systems they have explicitly been permitted to use. If they want to reach more of your network, they must be verified again, and their identity is regularly re-confirmed, typically with strong multi-factor authentication (biometrics, for example).

If an attacker has entered your systems, their progress is continually slowed or stopped.

Why do we need Zero Trust?

Today, people often work outside the company network, using different devices and on networks with an unknown security level. Therefore, a more rigorous approach to security is required.

At the same time, attacks are increasingly heterogeneous, spanning different parts of the enterprise and various resource types. For example, they might start from an IoT device, proceed to an endpoint, spread to a cloud service or a database, and involve multiple user accounts or tenants, etc.

Three Microsoft solutions for Zero Trust

If your organisation primarily uses Microsoft technology, then Microsoft Defender, Microsoft Sentinel and Microsoft Copilot for Security are three solutions that help support a Zero Trust model across your environment. They have several things in common, but each has a slightly different purpose.

What is the difference between Microsoft Defender and Microsoft Sentinel and Microsoft Copilot for Security?

If you have not used Microsoft Sentinel, Copilot for Security or Microsoft Defender before, you might be unsure about the differences between the three products and how they should be used. Putting it simply:

  • Microsoft Defender

    is the source of posture recommendations, alerts and diagnostics for your cloud and hybrid workloads.

  • Microsoft Sentinel

    is the SIEM/SOAR layer: it ingests those signals alongside everything else and helps with threat hunting, automated playbooks and incident response, as well as manual incident investigations.

  • Copilot for Security

    is a generative AI assistant that helps cybersecurity staff enact policies, discover issues and work through investigations.

Note that the three products are highly complementary and can be enabled together easily thanks to out-of-the-box integration.

Key features of Microsoft Sentinel and Microsoft Defender

What is Microsoft Sentinel?

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution.

Microsoft introduced Sentinel as a single solution for intelligent security analytics, event management, threat detection, threat visibility, proactive hunting with hunting queries, and threat response. It lets your security team focus on detecting and mitigating threats rather than running the service. The main advantage of Sentinel is its holistic view across the environment, providing intelligent security analytics. This allows:

  • early threat detection
  • rapid threat response towards sophisticated attacks
  • shorter resolution time
  • reduction in the volume of security incidents.

How does Microsoft Sentinel work?

Sentinel gives a bird’s-eye view of what is happening in the environment: events, active cases with their status, and trends. Using Microsoft threat intelligence and analytics, Sentinel correlates alerts into incidents and identifies attacks in your data. Each incident can be opened in an investigation graph, so malicious activity can be analysed and quickly handled with built-in orchestration and automation of typical tasks.

The intelligent security graph forms the core of Sentinel, gathering relevant information from other Microsoft services (Azure Advanced Threat Protection, now Microsoft Defender for Identity; Microsoft Defender Advanced Threat Protection, now Microsoft Defender for Endpoint; and others).

Microsoft Sentinel also includes user and entity behaviour analytics (UEBA) to help identify anomalies, compromised identities, and malicious insider actions.

According to Forrester, “Microsoft Sentinel’s AI-driven correlation engine and behaviour-based analytics reduced the number of false positives for the SOC team by up to 79%, and it reduced the amount of labour associated with advanced investigations by 80% resulting in an improved MTTR (Mean Time to Repair).”

Key features of Sentinel include:

  1. Security alerts: When you are handling threats that can affect the whole business, every second matters. Microsoft Sentinel correlates security alerts and signals from different data sources - applications, devices, services, networks, infrastructure, and users - regardless of their place (on-premises, in Azure, or in any other cloud). You can create security playbooks to respond to alerts. These are collections of procedural responses to an alert, based on Azure Logic Apps. Playbooks can be run manually or configured to be triggered automatically.
  2. Reduction in alert ‘noise’: Built-in artificial intelligence (AI) and machine learning mechanisms use Microsoft threat intelligence to analyse signals from different data sources, reducing noise from alerts, minimising false positives, and analysing anomalous events to present incidents that really require attention.
  3. Data connectors and integrations: Microsoft Sentinel provides native and third-party integrations, so you can connect it to the rest of your services and bring data from other products in for analysis at scale. A large number of data connectors cover Microsoft solutions, providing real-time integration with Microsoft 365 Defender (now Microsoft Defender XDR), Microsoft 365 sources (including Office 365), Azure AD (now Microsoft Entra ID), Microsoft Defender for Identity, Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps), DNS, Windows Firewall, SQL, and more.
  4. Responds to IT security needs: Through Sentinel, security teams receive real-time alerts, automate remediation through playbooks and machine-learning-assisted triage, and use Kusto Query Language (KQL) statements for detection, identification of threats and anomalies, analysis, and proactive hunting. Visual and interactive workbooks save time by aggregating reports from different business units, so decision-makers get direct insights and can assess their capabilities in a single place.
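To make the correlation described above concrete, here is an added example (written for this edit; it is not code from the original post or from Microsoft) of the kind of scheduled analytics rule a Sentinel engineer writes in KQL. It correlates a burst of failed Entra ID sign-ins with a later successful sign-in for the same account from the same IP address, then joins any Defender for Endpoint alert on the device involved, so one enriched incident is raised rather than dozens of stand-alone alerts. The table and column names follow the real SigninLogs and SecurityAlert schemas; the rows are constructed sample data held in datatable() stand-ins so the query runs offline in any Kusto or Log Analytics query window. The threshold of five failures, the sample accounts and the alert text are assumptions.

```kusto
// Added example, not code from the original post or from Microsoft.
// Sentinel-style analytics rule: failed sign-in burst -> later success from the
// same IP -> corroborating Defender for Endpoint alert on the device.
// The datatable() blocks are CONSTRUCTED sample data standing in for the real
// SigninLogs and SecurityAlert tables. In a live workspace replace them with
//   SigninLogs   | where TimeGenerated > ago(1h)
//   SecurityAlert | where TimeGenerated > ago(1h)
let failure_threshold = 5;   // assumption: tune to your tenant's normal failure rate
// Constructed stand-in for SigninLogs (Microsoft Entra ID sign-ins).
// ResultType "0" is success; "50126" is "invalid username or password".
let SigninLogsSample = datatable(
        TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string,
        ResultType:string, DeviceDetail:dynamic)
[
    // alice: six failures then a success from the same address -> should fire
    datetime(2024-05-01 09:00:00), "alice@contoso.example", "203.0.113.10", "50126", dynamic({"displayName":"WKS-ALICE"}),
    datetime(2024-05-01 09:00:20), "alice@contoso.example", "203.0.113.10", "50126", dynamic({"displayName":"WKS-ALICE"}),
    datetime(2024-05-01 09:00:40), "alice@contoso.example", "203.0.113.10", "50126", dynamic({"displayName":"WKS-ALICE"}),
    datetime(2024-05-01 09:01:00), "alice@contoso.example", "203.0.113.10", "50126", dynamic({"displayName":"WKS-ALICE"}),
    datetime(2024-05-01 09:01:20), "alice@contoso.example", "203.0.113.10", "50126", dynamic({"displayName":"WKS-ALICE"}),
    datetime(2024-05-01 09:01:40), "alice@contoso.example", "203.0.113.10", "50126", dynamic({"displayName":"WKS-ALICE"}),
    datetime(2024-05-01 09:02:30), "alice@contoso.example", "203.0.113.10", "0",     dynamic({"displayName":"WKS-ALICE"}),
    // bob: many failures but never succeeds -> noise, not an incident
    datetime(2024-05-01 09:10:00), "bob@contoso.example",   "198.51.100.7", "50126", dynamic({"displayName":"WKS-BOB"}),
    datetime(2024-05-01 09:10:10), "bob@contoso.example",   "198.51.100.7", "50126", dynamic({"displayName":"WKS-BOB"}),
    datetime(2024-05-01 09:10:20), "bob@contoso.example",   "198.51.100.7", "50126", dynamic({"displayName":"WKS-BOB"}),
    datetime(2024-05-01 09:10:30), "bob@contoso.example",   "198.51.100.7", "50126", dynamic({"displayName":"WKS-BOB"}),
    datetime(2024-05-01 09:10:40), "bob@contoso.example",   "198.51.100.7", "50126", dynamic({"displayName":"WKS-BOB"}),
    datetime(2024-05-01 09:10:50), "bob@contoso.example",   "198.51.100.7", "50126", dynamic({"displayName":"WKS-BOB"}),
    // carol: two typos then a success -> below threshold, ignored
    datetime(2024-05-01 09:20:00), "carol@contoso.example", "192.0.2.44",   "50126", dynamic({"displayName":"WKS-CAROL"}),
    datetime(2024-05-01 09:20:15), "carol@contoso.example", "192.0.2.44",   "50126", dynamic({"displayName":"WKS-CAROL"}),
    datetime(2024-05-01 09:20:30), "carol@contoso.example", "192.0.2.44",   "0",     dynamic({"displayName":"WKS-CAROL"})
];
// Constructed stand-in for SecurityAlert as populated by the Defender for Endpoint
// connector (ProviderName "MDATP"; CompromisedEntity carries the device name).
let SecurityAlertSample = datatable(
        TimeGenerated:datetime, ProviderName:string, AlertName:string,
        AlertSeverity:string, CompromisedEntity:string)
[
    datetime(2024-05-01 09:05:00), "MDATP", "Suspicious PowerShell command line", "Medium", "WKS-ALICE"
];
// Step 1: accounts with a burst of failures from one address.
let failures = SigninLogsSample
    | where ResultType != "0"
    | summarize Failures = count(), FirstFailure = min(TimeGenerated), LastFailure = max(TimeGenerated)
        by UserPrincipalName, IPAddress
    | where Failures >= failure_threshold;
// Step 2: successful sign-ins, with the device name pulled out of the dynamic column.
let successes = SigninLogsSample
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress,
              DeviceName = tostring(DeviceDetail.displayName);
// Step 3: success must follow the burst; Step 4: enrich with endpoint alerts.
failures
| join kind=inner (successes) on UserPrincipalName, IPAddress
| where SuccessTime > LastFailure
| join kind=leftouter (
      SecurityAlertSample
      | where ProviderName == "MDATP"
      | project DeviceName = CompromisedEntity, AlertName, AlertSeverity
  ) on DeviceName
| extend Severity = iff(isnotempty(AlertName), "High", "Medium")   // endpoint corroboration raises severity
| project UserPrincipalName, IPAddress, Failures, FirstFailure, LastFailure,
          SuccessTime, DeviceName, AlertName, Severity
// Result on the sample data: one row for alice (Failures = 6, Severity = High);
// bob never succeeded and carol is below the threshold, so neither appears.
```

To turn this into a Sentinel rule, replace the two stand-ins with `SigninLogs` and `SecurityAlert` filtered to the rule’s lookback window, and map UserPrincipalName, IPAddress and DeviceName to the Account, IP and Host entities in the rule’s entity mapping; Sentinel then groups related alerts into one incident and any playbook attached to the rule receives those entities. One caveat: grouping by account and IP only catches a burst from a single address. A password spray that rotates source addresses needs a second aggregation by account alone (or by IP alone across many accounts), which is the usual reason such rules carry more than one summarize.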

What is Microsoft Defender?

Microsoft Defender for Cloud (the product this article refers to as Microsoft Defender), previously known as Azure Security Center (ASC), is a unified infrastructure security management system. It provides real-time visibility across workloads (cloud and on-premises) by monitoring security configuration and health, and it combines cloud security posture management (CSPM) with cloud workload protection (CWP).

Defender for Cloud provides security policies, continuous assessment, and proactive recommendations for Azure compute, data, identity and access, and networking resources. By collecting events from Azure resources and from agents on machines, it correlates them in a security analytics engine and provides tools to strengthen security posture, protect against threats, harden your network, and secure your services.

How does Microsoft Defender work?

The major differentiator for Microsoft Defender is its continuous discovery of new resources as they are deployed across your workloads, followed by an assessment of whether each one is configured according to security best practice. Where a resource falls short, Defender flags it, prioritises the work, and provides a list of recommendations driven by the Azure Security Benchmark (since renamed the Microsoft cloud security benchmark), an Azure-specific set of security and compliance best practices mapped to common compliance frameworks. To make prioritisation easier, Defender groups recommendations into security controls and assigns a secure score value to each control.

Key features of Microsoft Defender include:

  • Streamline the regulatory compliance process: Dedicated dashboards show the status of the environment against the standards and regulations you select. The built-in security policies are assigned through an Azure Policy initiative, in audit-only mode, to every subscription registered with Defender for Cloud, and the results also flow into Azure Monitor logs and other Azure security solutions such as Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps).
  • Security policies: With Defender you get standard Azure policy controls but can also configure tailored security policies for your specific organisation (or for certain departments).
  • Network map: Microsoft Defender also includes a network map - an interactive view of the network topology of your Azure workloads and the traffic routes. By default, the topology map displays resources that have network recommendations with high or medium severity.
  • Resource onboarding: As a native part of Azure, Microsoft Defender automatically discovers and onboards Azure resources, including Platform as a Service (PaaS) services (Service Fabric, SQL Database, SQL Managed Instance, storage accounts, etc.). Non-Azure machines (both Windows and Linux) can be onboarded and protected by connecting them through Azure Arc, historically together with the Log Analytics agent; note that the Log Analytics agent reached end of support in August 2024, so new deployments rely on Azure Arc together with the Defender for Endpoint integration and agentless scanning. The data collected from virtual machines is stored in a Log Analytics workspace. For PaaS services such as Microsoft Defender for SQL (formerly SQL Advanced Threat Protection), continuous export can write security alerts and recommendations into a Log Analytics workspace, which is also how this data reaches Sentinel.
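As an added example of working with that exported data (again not code from the original post or from Microsoft), the KQL below turns continuously exported Defender for Cloud recommendations into a prioritised remediation list in the same Log Analytics workspace Sentinel reads. Column names follow the SecurityRecommendation table that continuous export writes; verify them against your workspace. The rows are constructed sample data in a datatable() stand-in, including a resource that was remediated after its first export, and the severity weights are an assumption chosen for illustration.

```kusto
// Added example, not code from the original post or from Microsoft.
// Prioritise Defender for Cloud recommendations that were continuously exported
// into Log Analytics. The datatable() is CONSTRUCTED sample data standing in for
// the SecurityRecommendation table; in a live workspace replace it with
//   SecurityRecommendation | where TimeGenerated > ago(7d)
//
// The detail that matters: continuous export writes a new row whenever a
// recommendation's state changes, so a resource fixed yesterday still has an old
// "Unhealthy" row. arg_max() keeps only the latest row per (recommendation,
// resource) pair, so remediated items are neither counted twice nor flagged again.
let SecurityRecommendationSample = datatable(
        TimeGenerated:datetime, RecommendationDisplayName:string,
        RecommendationSeverity:string, RecommendationState:string, AssessedResourceId:string)
[
    // vm-web-01 was unhealthy, then remediated: only the later Healthy row must count
    datetime(2024-05-01 08:00:00), "Management ports of virtual machines should be protected with just-in-time network access control", "High", "Unhealthy", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    datetime(2024-05-01 14:00:00), "Management ports of virtual machines should be protected with just-in-time network access control", "High", "Healthy",   "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
    // vm-db-01 is still exposed
    datetime(2024-05-01 08:00:00), "Management ports of virtual machines should be protected with just-in-time network access control", "High", "Unhealthy", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Compute/virtualMachines/vm-db-01",
    // identity finding at subscription scope: the Zero Trust item a reviewer cares about most
    datetime(2024-05-01 08:00:00), "MFA should be enabled on accounts with owner permissions on subscriptions", "High", "Unhealthy", "/subscriptions/00000000-0000-0000-0000-000000000000",
    // medium and low findings
    datetime(2024-05-01 08:00:00), "Storage accounts should restrict network access", "Medium", "Unhealthy", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stlogs01",
    datetime(2024-05-01 08:00:00), "Storage accounts should restrict network access", "Medium", "Unhealthy", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web/providers/Microsoft.Storage/storageAccounts/stweb01",
    datetime(2024-05-01 08:00:00), "Diagnostic logs in Key Vault should be enabled", "Low", "Unhealthy", "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data/providers/Microsoft.KeyVault/vaults/kv-data-01"
];
SecurityRecommendationSample
// 1. latest state per recommendation/resource pair
| summarize arg_max(TimeGenerated, RecommendationSeverity, RecommendationState)
    by RecommendationDisplayName, AssessedResourceId
// 2. keep only what is still failing
| where RecommendationState == "Unhealthy"
// 3. weight by severity (assumed weights; Defender's secure score uses its own per-control points)
| extend Weight = case(RecommendationSeverity == "High", 10,
                       RecommendationSeverity == "Medium", 3,
                       1)
// last path segment is the resource name (or the subscription id at subscription scope)
| extend ResourceName = extract(@"[^/]+$", 0, AssessedResourceId)
// 4. one line per recommendation, with the affected resources listed
| summarize UnhealthyResources = count(), Priority = sum(Weight),
            Resources = make_set(ResourceName)
    by RecommendationDisplayName, RecommendationSeverity
| order by Priority desc, RecommendationDisplayName asc
// Result on the sample data: four rows. The two High items (MFA on owners; JIT on
// vm-db-01 only, since vm-web-01 is now Healthy) lead with Priority 10, the Medium
// storage item follows with two resources and Priority 6, the Low Key Vault item is last.
```

The same query, with `RecommendationDisplayName` swapped for `AssessedResourceId` in the final `by` clause, gives the per-resource view that owners of a subscription usually ask for. Either shape is a natural input for a Sentinel workbook or for a scheduled rule that opens a ticket when a High recommendation stays Unhealthy beyond an agreed number of days.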

And where does the all-new Microsoft Copilot for Security fit in?

What if we could protect at the speed and scale of AI? That is the idea behind Microsoft Copilot for Security. Integrated with Microsoft Sentinel and Microsoft Defender, Copilot for Security enables organisations to:

  • resolve incidents faster, with generative AI summarising and guiding investigations
  • apply policies and configure devices according to best practice more quickly
  • summarise policies and reports in natural language
  • find risky users with the help of generative AI.

Copilot raises the capacity of cybersecurity teams to react to threats and accelerates security analysts’ everyday tasks. In a recent study, security professionals using Copilot for Security were 7% more accurate and 22% faster, a significant improvement.


A complete set of tools to support Zero Trust

If your organisation is looking to implement a Zero Trust security model, then Microsoft Sentinel and Microsoft Defender can contribute towards that ambition. And Copilot for Security can accelerate your adoption and management. By configuring them to your organisation’s needs and context, all these technologies provide powerful methods for making a secure, Zero Trust model possible.

Looking to implement Zero Trust across your IT network? SoftwareOne can help. Our highly experienced teams can support you to configure Zero Trust solutions like Sentinel, Defender and Copilot - and ensure your systems are secure.


Envision the art of the possible

If you want to understand your current security score and how you can move towards a Zero Trust model, request a free one hour envision workshop with SoftwareOne.

Request workshop


Author


Mario Gama
Practice Leader

Related articles

  • April 16, 2024, Mario Gama: How the Microsoft security suite delivers a Zero Trust model. Protect and manage your users, devices, data, and network with Microsoft in a Zero Trust model.
  • April 15, 2024, Mario Gama: Zero Trust common misconceptions. You might not fully understand what Zero Trust is unless you work in IT security; we tackle some of the common errors about this topic.
  • April 11, 2024, Mario Gama: How to implement a Zero Trust model. Learn how to apply a Zero Trust model in your organisation and explore the possible difficulties and advantages of doing so.