Dutch Health Insurance Company slashes Azure Sentinel Costs by 20% with Strategic Optimization

FinOps
by Rense Siegmund/ on 12 Jul 2024



The Challenge: Balancing Security and Cost in Azure Sentinel

In healthcare, data security is paramount, and Dutch health insurance companies are no exception. Security solutions like Microsoft Sentinel are invaluable, providing intelligent security analytics and threat intelligence across the organization. Their costs, however, can be a concern: Sentinel is billed on the volume of data ingested into its Log Analytics workspace and on how long that data is retained. Organizations with extensive logging or long-term retention needs can face high costs, and connecting third-party tools adds further ingestion on top.

This blog explores how a leading Dutch health insurance company achieved a remarkable 20% cost reduction on Microsoft Sentinel, all while maintaining robust security.

Phase 1: Optimizing Sentinel in the Azure Cloud

Just like any powerful tool, Microsoft Sentinel’s effectiveness relies on efficient use. Here’s how the Dutch health insurer optimized Sentinel within their Microsoft Azure environment:

  • Prioritizing Security-Relevant Logs: They focused on ingesting only critical security logs from Azure resources, Microsoft Defender products, and other sources. This eliminated unnecessary storage and analysis costs associated with irrelevant data.
  • Leveraging Sentinel Workspaces: Data was segregated by department or security focus into separate Log Analytics workspaces, so each team analysed only the data set it needs rather than everything landing in one workspace. One caveat: the per-GB ingestion price is the same in every workspace and commitment tiers are set per workspace, so splitting volume should be weighed against the discount a single, larger commitment would earn.
  • Filtering Out Noise: Built-in filtering capabilities helped exclude low-risk events that wouldn’t generate high-value security alerts. This reduced unnecessary alerts and the associated investigation costs.
  • Optimizing Log Retention: Data retention policies were established per table, based on compliance needs and security best practices. Unnecessary long-term storage in the interactive (analytics) tier was minimized by using the cheaper Log Analytics tiers: high-volume, rarely queried tables were moved to the Basic Logs plan, and data that only had to be kept for compliance was pushed to archive (long-term) retention instead of staying interactively queryable. Non-security data was archived in a separate, cost-effective storage solution outside of Sentinel.
  • Managing Alerts Effectively: Alert logic was regularly reviewed and tuned to minimize false positives. This reduced the security team’s workload and the time spent investigating non-critical alerts. Additionally, Sentinel’s automation capabilities were leveraged to correlate and suppress redundant or low-priority alerts, further streamlining the process.
  • Utilizing Native Integrations: The company took advantage of pre-built integrations between Sentinel and Microsoft Defender for Cloud (MDC) and Microsoft Defender for Endpoint (MDE). This eliminated the need for custom configurations and reduced management overhead. Existing Log Analytics workspaces were also utilized for security data alongside Sentinel, avoiding duplicate data ingestion and maximizing cost efficiency.
  • Monitoring and Optimizing Costs: Azure Cost Management was used to track Sentinel-related costs, identify outliers and optimize overall usage. Additionally, the commitment tiers were reviewed regularly against the actual daily ingestion volume. With these insights we were able to choose the right capacity commitments.
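The steps above start from the same question: which tables and events are costing the most, and which of them can be dropped before they are billed? The KQL below is an added example, not part of the original post or of the insurer's own configuration. It assumes a Sentinel workspace fed by the Azure Monitor Agent, that SecurityEvent is one of the largest tables (common for Windows estates), and that the listed event IDs are noise in this particular environment; the event IDs are a constructed starting point, not a recommendation that fits every organization. Each numbered query is run on its own.

```kql
// 1. Where does the money go? Billable ingestion per table over the last 30 days.
//    Usage.Quantity is reported in MB; convert to GB, which is the billing unit.
let total_gb = toscalar(
    Usage
    | where TimeGenerated > ago(30d) and IsBillable
    | summarize sum(Quantity) / 1024.0);
Usage
| where TimeGenerated > ago(30d) and IsBillable
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 2) by DataType
| extend SharePct = round(100.0 * IngestedGB / total_gb, 1)
| order by IngestedGB desc

// 2. Inside the biggest table, which events dominate?
//    _BilledSize is the billed size of each row in bytes, so this ranks
//    EventIDs by what they actually cost rather than by row count alone.
//    Assumption: SecurityEvent is the top table from query 1.
SecurityEvent
| where TimeGenerated > ago(7d)
| summarize Rows = count(),
            BilledMB = round(sum(_BilledSize) / 1024.0 / 1024.0, 1)
            by EventID, Activity
| order by BilledMB desc
| take 20

// 3. Filter noise before it is billed: the transformKql of a Data Collection
//    Rule. 'source' is the incoming stream (here Microsoft-SecurityEvent).
//    Constructed example: drop Windows Filtering Platform permit events
//    (5156, 5158) and handle-closed events (4658), which are high-volume and
//    rarely used by analytics rules. Before deploying, check that no enabled
//    analytics rule or hunting query depends on an EventID you drop.
source
| where EventID !in (5156, 5158, 4658)
```

Query 1 tells you which tables to look at first, query 2 tells you what inside them is worth keeping, and query 3 is the shape of the filter that implements the decision in a Data Collection Rule. Retention itself is not set in KQL: the interactive retention, total retention and table plan (Analytics or Basic) are configured per table on the workspace, so step 4 is done there once the tables from query 1 have been classified.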

Collaboration is Key

These steps required collaboration between the CISO, the architecture team, the engineers and the risk team, while the FinOps team played a crucial role in coordinating the effort.

Looking Ahead: Extending Security Efficiency

Many organizations, like this Dutch health insurer, operate in hybrid and/or multi-cloud environments. Having optimized Microsoft Sentinel, they are now exploring ways to extend security efficiency to this broader landscape.

Want to Learn More?

If you’d like to know more about how to optimize Microsoft Sentinel costs or explore further optimization opportunities, please reach out to us!
