Six Questions to Ask About Your Organization’s Sentinel Usage

The careful act of balancing risk reduction against the cost of cybersecurity is an age-old challenge for every CISO. For organizations that choose to standardize on the Microsoft Security product portfolio, Microsoft Sentinel costs are at the center of this balancing act. In some cases, that concern is warranted: if not properly managed, SIEM costs can increase over time and become a problem.

However, the notion that Sentinel is inherently expensive is flat-out wrong. Like any SIEM, Sentinel can be costly if you don’t pay attention to the value of the data you’re ingesting and to how you’re storing and managing it. But by adopting best practices for log ingestion and storage, and by carefully monitoring data ingestion trends, you can make Sentinel’s industry-leading security capabilities cost-effective as well.

To get the most out of their Microsoft security investments, organizations need to consider some key questions about the data they’re bringing into Sentinel:

  1. What data should be ingested into Sentinel? Monitoring all security-relevant signals is key. However, ingesting every possible log source can not only get expensive, but it can get noisy as well, slowing down operations without adding security value.
  2. Why are we ingesting the data that we are? Understanding what you’re currently monitoring or plan to monitor is critical to effectively managing that data. What sources are you monitoring for detection and response telemetry? What sources are you ingesting for compliance purposes?
  3. How are we storing and managing our Sentinel data? Storing everything in Log Analytics provides the most flexibility and—as the name implies—analytical capability. But it’s not always necessary. Microsoft provides other ways to store logs that, if used judiciously, can save significant money without affecting security efficacy.
  4. How do we manage costs on a day-to-day basis? As software is upgraded, new technology is introduced to the security stack, configuration templates are adjusted, and SOC triage and investigation workflows evolve to keep pace with changing threat actor tactics, it’s critical to continually re-evaluate how your team is using ingested data and to keep a watchful eye on data costs. Managing data ingestion and its associated costs must be an active, ongoing effort.
  5. Are we taking advantage of all free data sources that apply to our organization? Microsoft offers multiple free alert and log sources in Sentinel. It’s important to understand what those are, their insights and limitations, and take advantage where possible.
  6. Are we in the right pricing tier? It’s a common-sense question, but paying attention to your data usage and ensuring you’re in the pricing tier most appropriate for your needs can save you a great deal of money.

By carefully monitoring the signals that Sentinel is ingesting and analyzing their respective cost and security value, you can continually harden your security posture while keeping your data costs reasonable.
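Questions 1, 2 and 4 above come down to knowing which tables carry your billable volume and noticing when a source starts ingesting more than it used to. The following KQL query, added here as an illustration rather than taken from the article or from Ontinue’s service, runs against the Log Analytics `Usage` table (which records ingested volume per data type, with `Quantity` in MB and `IsBillable` false for free sources) and flags any table whose last 24 hours of billable ingestion exceeds its own 30-day daily average by an assumed factor of 1.5.

```kql
// Added example (not from the original article): flag tables whose billable
// ingestion in the last 24 hours exceeds their own 30-day daily average by a
// chosen factor. Usage is the Log Analytics table that records ingestion per
// data type; Quantity is in MB and IsBillable is false for free sources.
let lookback = 30d;
let spike_factor = 1.5;   // assumed threshold; tune it per log source
let baseline =
    Usage
    | where TimeGenerated between (ago(lookback) .. ago(1d))
    | where IsBillable == true
    // daily volume per table, then the average of those daily volumes
    | summarize DailyMB = sum(Quantity) by DataType, bin(TimeGenerated, 1d)
    | summarize DailyAvgMB = avg(DailyMB) by DataType;
Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize LastDayMB = sum(Quantity) by DataType
| join kind=inner baseline on DataType
| extend Ratio = round(LastDayMB / DailyAvgMB, 2)
| where Ratio > spike_factor
| project DataType,
          LastDayMB = round(LastDayMB, 1),
          DailyAvgMB = round(DailyAvgMB, 1),
          Ratio
| sort by Ratio desc
```

Dropping the `where Ratio > spike_factor` line turns the same query into a plain per-table volume report, which answers “what are we ingesting, and how much of it is billable?” before you decide what belongs in Log Analytics at all.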

Ontinue ION is the MXDR Service to Optimize Your Microsoft Security Investments

Only Ontinue has the expertise to fully operationalize Microsoft Security while ensuring Sentinel remains cost effective. Whether you’re considering adopting Microsoft Sentinel, or you want to optimize your existing implementation, Ontinue’s SecOps Cost Optimization capabilities ensure you get the most security value for every dollar you spend.

Ontinue optimizes your log ingestion strategy from day one, ensuring the right balance of security relevance and cost-effectiveness for your organization. We continually monitor Sentinel usage and alert you if data rates from any log source exceed thresholds suitable for the log source so there are no surprises at the end of the month. And our Cyber Advisors are regularly reviewing and making tuning recommendations to keep your security spend in line.

Ontinue SecOps Cost Optimization delivers the information you need to manage your Sentinel costs and predict your security budget with confidence.

For more on how our SecOps Cost Optimization capabilities can help you save on your Microsoft Sentinel data costs, read Optimizing SecOps Costs in 3 Steps.

Article By

Dave Martin
Vice President, Product Management, MXDR Services

As vice president of product management, managed extended detection and response (MXDR) services for Ontinue, Dave is responsible for all aspects of the company’s product management: product strategy, roadmap and full life-cycle management.