2020 has been a transitional year, ushering in broad changes in how, and where, we work. Security operations (SecOps) teams face more significant challenges than ever as they protect the organization in this rapidly changing environment. These teams need a flexible, cost-effective, and efficient solution to empower their employees, improve security, and optimize costs against rapidly-changing demands. As a unified, scalable, cloud-native, security information event management (SIEM), Forrester Consulting found that Azure Sentinel delivers on these needs. Providing alert detection, threat visibility, proactive hunting, and threat response across your enterprise, the commissioned study, The Total Economic Impact of Microsoft Azure Sentinel, conducted by Forrester Consulting shows that Azure Sentinel delivers:
- A three-year 201 percent return on investment (ROI) with a payback period of less than six months.
- A 48 percent reduction in costs compared to legacy SIEM solutions, saving on expenses like licensing, storage, and infrastructure costs.
- A 79 percent reduction in false positives and 80 percent reduction in the amount of labor associated with investigation, reducing mean time to resolution (MTTR) over three years.
- A 67 percent decrease in time to deployment compared to legacy on-premises SIEMs.
The Forrester study provides an accessible framework for organizations wanting to evaluate the financial impact of Azure Sentinel relative to an on-premises cybersecurity solution. Forrester concluded that Azure Sentinel reduces SIEM costs at scale, simplifies SIEM management, and improves the efficiency and effectiveness of the Security Operations Center (SOC).
Organizational benefits
Forester interviewed four organizations who, before switching to Azure Sentinel, were using an on-premises SIEM or an internal, custom-built solution with a managed service provider (MSP) to replicate SIEM infrastructure. These four organizations serve global markets in the industries of IT services, big data, financial services, and e-commerce. To give readers a clear comparison, Forrester aggregated the results for all four into a single composite organization. According to the aggregated data, Azure Sentinel demonstrated:
- Increased SOC efficiency by cutting false positives up to 79 percent and reducing the amount of labor needed for advanced investigations by 80 percent—leading to $2 million in efficiency gains.
- A 48 percent reduction in costs compared to the legacy SIEM solution, including savings on licensing, storage, and infrastructure totaling $4.9 million.
- Reduced management efforts by 56 percent, saving $1.2 million. Automatic updates, an intuitive centralized platform, and reduced maintenance meant organizations could shift talent away from servicing infrastructure and concentrate on value-adding initiatives.
- Accelerated deployment by 67 percent with out-of-the-box functionality, simple connections to data sources, and pre-built SIEM content saving $602K.
Cost savings
Most vendors offer annual or multi-year contracts with capped ingestion and storage limits. This forces organizations to choose between paying more for capacity or putting a cap on the amount of data ingested, limiting visibility into their network.
By moving to Azure Sentinel’s cloud-based SIEM, organizations could eliminate their legacy SIEM vendor, reducing licensing expenditures and eliminating costly on-premises infrastructure needed to store security log data. And with Azure Sentinel’s flexible, consumption-based pricing, they were no longer locked into long-term contracts or capacity limits.
Azure Sentinel users experienced cost savings of $4.9 million when moving from legacy SIEM—a 48 percent decrease. Forrester found that an organization experienced benefits of $8.7 million over three years versus costs of $2.9 million. As mentioned earlier, this adds up to an ROI of 201 percent with payback in less than 6 months. Management efficiencies saved $1.2 million, with Azure Sentinel’s reduced time to deploy saving an additional $602K.
“If you take costs for Azure Sentinel and compare it to the costs that we had to simply run our legacy solution, we are seeing a 15 percent savings with Azure Sentinel and we are getting more.”—Sr. Director of Security Technology and Operations, IT services
Efficiency gains
The organizations in Forrester’s study reported that, with legacy SIEM solutions, alerts were previously not well correlated; meaning, a single event could trigger multiple others with no easy way for the SOC analyst to resolve false positives.
With Azure Sentinel, SOC teams can view all security logs, alerts, and incidents through a single pane of glass. Azure Sentinel’s AI-powered correlation engine and user-behavior analytics give analysts a prioritized view of the alerts, elevating high-priority threats and reducing false positives—enabling the SOC team to respond more efficiently.
Azure Sentinel’s cloud-based SIEM reduces the size and complexity of on-premises infrastructure. This enabled organizations in the study to reallocate infrastructure professionals and legacy solution specialists, reducing management efforts by 56 percent while freeing staff to serve business interests with value-added tasks.
“Thanks to the management efficiencies with Azure Sentinel, I was able to reprogram the work effort of around four FTEs. They no longer had to be firefighters—and we got to cancel a managed operations and maintenance contract simply because we now have the resources to do it ourselves.”—Senior VP of Global Threat Management, financial services
Ease of deployment
All four organizations reported that deploying Azure Sentinel was faster and easier than deploying legacy SIEM. Because Azure Sentinel features a pre-built playbook, queries, and data connections—along with free ingestion for Office 365 audit logs, Azure activity logs, and alerts from Microsoft Threat Protection (MTP) solutions—most organizations can start for free and scale up.
Using Azure Sentinel, organizations were able to add more data connections and sources, allowing them to ingest more data faster, covering a larger percentage of their network compared to legacy solutions. Azure Sentinel supports open standards such as Common Event Format (CEF) and broad partner connections, including Check Point, Cisco, F5, Fortinet, Palo Alto Networks, and Symantec, as well as ecosystem partners such as ServiceNow.
“Azure Sentinel today covers far more, 400 percent more of our network than our legacy solution ever did.”—CISO, e-commerce
Modernize your security operations today
Azure Sentinel helps defenders to combat rapidly evolving threats with increased efficiency. Its performance across all metrics deployed in the Forrester TEI study lets us know we’re executing on our vision to streamline and strengthen our customers’ security. Getting started with Azure Sentinel is easy. If you are not using Azure Sentinel, we welcome you to start a trial.
More recently, we shared our unique approach that empowers security professionals to get ahead of today’s complex threat landscape with integrated SIEM and Extended Detection and Response (XDR) solutions from a single vendor. With this combination, you get the best of both worlds—end-to-end threat visibility across all of your resources; correlated, prioritized alerts based on Microsoft’s deep understanding of specific resources with AI that stitches that signal together; and coordinated action across the organization.
To help you take advantage of this integrated security approach, Microsoft is currently running a new Azure Sentinel benefit for Microsoft 365 E5 customers.
From November 1, 2020, through May 1, 2021, Microsoft 365 E5 and Microsoft 365 E5 Security customers can get Azure credits for the cost of up to 100MB per user per month of included Microsoft 365 data ingestion into Azure Sentinel. Data sources included in this benefit include:
- Azure Active Directory (Azure AD) sign-in and audit logs.
- Microsoft Cloud App Security shadow IT discovery logs.
- Microsoft Information Protection logs.
- Microsoft 365 advanced hunting data (including Microsoft Defender for Endpoint logs).
With these credits, a standard 3,500 seat deployment can see estimated savings of up to $1,500 per month1. This offer is available to new and existing customers who have Enterprise (EA) or Enterprise Subscription (EAS) Agreements and Enrollments, and you can begin accruing credits in your first month of eligibility. You can learn more about the offer here.
Download the full Forrester Total Economic Impact of Microsoft Azure Sentinel study. Get started and learn more about Azure Sentinel.
To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
1 Calculation based on pay-as-you-go prices for Azure Sentinel and Azure Monitor Log Analytics for US East region.