Microsoft Unifies Security Ops with Copilot AI-Augmented Platform

The News: At its Ignite conference, Microsoft introduced in private preview a unified security operations (SecOps) platform that combines the company’s Sentinel cloud-native Security Information and Event Management (SIEM), Defender extended detection and response (XDR), and Security Copilot tools. The platform is expected to enter public preview next year. Additional detail is available on Microsoft’s website.

Analyst Take: Today’s average enterprise uses dozens of security tools in an effort to comprehensively address the variety of cyberattacks that are occurring across the broad range of applications and infrastructure resources relied upon by businesses and in an effort to meet compliance requirements. Such defense-in-depth strategies have merits, but they also have the downside of adding complexity and fragmentation that impedes the visibility and responsiveness required by SecOps teams to mitigate business downtime and data loss following an attack. Compounding this issue, attackers need to successfully exploit only one vulnerability. Simply put, traditional security tools result in blind spots and a deluge of alarms, both of which inhibit SecOps teams’ ability to keep up with the modern threat landscape and the unprecedented volume and variety of data being created.

Against this backdrop, over the past few years, SIEM tools have grown in value and the market for XDR tools has emerged. More recently, the market has started to further evolve with the integration of SIEM and XDR data to enhance aggregation and correlation of insights. As a result, the ability to identify and triage threats across the data and technology estate has also evolved.

Microsoft’s new SecOps center addresses this trend by adding a centralized plane for visibility into, and triaging of, threats spanning SIEM and XDR data. To accelerate investigative tasks such as analyzing malicious code, and to speed time to resolution, the new operations center also adds playbooks that can be executed with rules-based automation. Also notable is the solution’s incorporation of generative AI – for example, allowing users to ask Copilot in natural language to generate an incident report summarizing investigative and remedial actions. This feature addresses the staffing and skills gaps that plague security and IT operations teams alike and that have become a material threat to organizations’ cyber-resiliency.

To this point, The Futurum Group expects the new SecOps center to serve as a tailwind to the momentum that Microsoft has already been demonstrating in the security space. According to Microsoft, it counts 860,000 security customers, a figure that has more than doubled since early 2021. Sentinel specifically has accumulated more than 25,000 customers since its launch in 2019, up from 15,000 one year ago, and has annual recurring revenue (ARR) of more than $1 billion.

From a portfolio perspective, CEO Satya Nadella pointed out on Tuesday in the company’s most recent earnings call that Microsoft has wide-spanning capabilities across identity, security, compliance, device management, and privacy. This portfolio is robust, but the security team needs a point of consolidation; otherwise, the breadth only perpetuates solution fragmentation and limited staff resources, which impede the ability to uncover and respond to breaches more quickly and to ensure compliance with security regulations across sprawling application and IT infrastructure environments (both of which are topics that come up in The Futurum Group’s conversations with security and IT operations professionals). The new SecOps center represents an important starting point; broad visibility is achieved through integrating SIEM and XDR technology, and operations for incident investigation and response can be greatly streamlined, especially with the addition of Microsoft’s Copilot AI.

This market is competitive with a lot of moving pieces, and Microsoft’s success around SecOps will be in no small way influenced by its ability to position unique value, such as its close tie-ins to Azure and Windows for shops that rely heavily on those environments, and its ability to use its visibility into over 65 trillion threat signals per day (per Microsoft) to refine its threat detection. As Microsoft drives toward an “end-to-end” security strategy, The Futurum Group will still be watching for the company’s support for third-party security tools, so that it continues to provide comprehensive threat visibility and remediation, and for its ability to keep pace in helping customers uncover newer and emerging threats, such as zero-day attacks.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Author Information

Krista Case

Krista Case brings over 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
