Microsoft Azure Sentinel vs Darktrace Enterprise Immune System: Who's on top in AI security?
Microsoft uses AI to operate a traditional SIEM, but Darktrace takes a very different approach to threat hunting
Cybersecurity is one of the fastest-growing areas of technology and is constantly evolving, but new tools threaten to outclass traditional manual approaches. Attackers are increasingly turning to AI to achieve their objectives, and the defenders must do the same. In this article, using data drawn from Computing's market intelligence service, Delta, we'll compare two of the leaders in this space: Microsoft's Azure Sentinel versus Darktrace's Enterprise Immune System.
As part of our ongoing research into Microsoft vs Darktrace - and other AI security (AIS) tools - our research team surveyed 150 senior IT professionals about their preferences to help you answer the question, 'Which AI security tool should I choose?'
What's the difference between Microsoft's Azure Sentinel and Darktrace's Enterprise Immune System?
- Approach: Azure Sentinel is a cloud SIEM, using AI to expand security event visibility; the Enterprise Immune System uses machine learning to establish a baseline 'normal' for an IT environment, and detects and responds to deviations from it.
- Deployment: Azure Sentinel is a cloud-native SIEM, while the Enterprise Immune System is deployed on-premises - but both work in a hybrid fashion across all environments and devices.
- Ease of use: Darktrace's Enterprise Immune System is seen as significantly easier to use than Microsoft's Azure Sentinel.
- Pricing: Azure Sentinel costs scale based on data ingested. The Enterprise Immune System uses a flat price and may not be cost-effective for small firms. Neither solution performed well on cost metrics in our survey.
- Adoption: Both solutions have similar levels of awareness, but more than twice as many IT leaders use Microsoft's Azure Sentinel over Darktrace's Enterprise Immune System.
Microsoft Azure Sentinel vs Darktrace Enterprise Immune System: The background
Most cyberattacks are either widespread but easy to detect, or bespoke and targeted, with a low volume. An attacker using an AI-based framework can collapse that spectrum, launching bespoke attacks on a massive scale. The need for AI on the defenders' part is clear.
AI-enhanced security goes beyond simple automation: unlike a rules-based system, AIS tools learn and evolve over time to become more accurate and produce fewer false positives. Efficiency gains are a key driver for AIS adoption, cited by half of respondents.
However, the definition of AI in the wider security space is still unclear. Many vendors claim to be using artificial intelligence, when they are really only automating processes. Only eight per cent of Azure Sentinel customers felt that AI had revolutionised Microsoft's offering, compared to 25 per cent of Darktrace users.
[Chart: How much has AI really changed the vendor's solution? N = 150]
One IT leader we talked to said, "The question about what sets aside people who are doing what we would consider genuine machine learning and security from those who aren't is the degree to which they have built a technology around a machine learning concept, rigorously, from the ground up, so that it's actually core to the way it works, rather than some kind of bolt on to it."
To an extent, Azure Sentinel's AI is still seen as a bolt-on to the original SIEM product, with one respondent saying it feels "a bit cobbled-together." On the other hand, Darktrace's Enterprise Immune System was built with AI from the start and is perceived as a much more fully featured tool.
In brief:
- Microsoft's Azure Sentinel is a cloud-native SIEM built on the Log Analytics platform. It is relatively resource-light compared to other SIEM products, and uses AI to analyse large volumes of data and detect suspicious activity. The platform detects and responds to threats in Microsoft or third-party apps (via CEF, Syslog or REST APIs) by orchestrating and automating up to 80 per cent of common tasks.
- Darktrace's Enterprise Immune System uses AI and autonomous machine learning to detect and act against cyber threats in a company's infrastructure, including the cloud, on-premises devices and the network edge. After establishing a 'normal' baseline following a monitoring period, it can detect and respond to anomalies using Darktrace's Antigena technology, while maintaining business as usual.
Microsoft vs Darktrace - at a glance
Microsoft vs Darktrace - pricing
Microsoft is very forthcoming with its pricing information, but Darktrace plays its cards much closer to its chest, generally only discussing price after the proof of concept is complete. The company justifies this by saying that it needs a view of the network to calculate a cost.
Microsoft
Microsoft prices Azure Sentinel based on data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. It is free to store and analyse Office 365 data. There are two ways to pay for the service: Capacity Reservations and Pay-as-you-go.
Capacity Reservations bills a fixed fee based on the selected tier, for a predictable total. Prices range from £93.17 per day for 100GB data per day, to £372.66 per day for 500GB data. Above 500GB, Microsoft adds £74.54 for each additional 100GB. These prices represent a 50-60 per cent saving over Pay-as-you-go.
There are additional charges of £182.61 - £805.87 per day for data ingested into Log Analytics.
Pay-as-you-go pricing is billed per GB for data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. Data ingestion into Log Analytics costs about £2.15 per GB after the first 5GB (free), while data analytics cost £1.87 per GB.
Darktrace
Darktrace does not publicly reveal any pricing information, but respondents said that it is one of the most expensive AIS solutions on the market today, and may not be cost-effective for SME firms.
Reports from firms that have negotiated with Darktrace (mostly American) said prices tend to be at least $10,000 per month, although there is room for flexibility by introducing "competitive tension" or negotiating at the end of Darktrace's fiscal year in June; one firm achieved a price of $2,500 a month in this way.
In UK terms, the government's own Digital Marketplace lists the price at £1,200 - £15,000 per device, per month. However, this is likely to be a special price for the public sector.
Conclusion
Microsoft and Darktrace are both well-known AIS firms: the former for its reputation and legacy, the latter for its aggressive marketing and advanced AI implementation. Both claim to do the same thing - autonomous detection and response - but in different ways, making the Microsoft vs Darktrace question hard to answer.
Both products have excellent integrations with other applications, including third parties in the case of Azure Sentinel; a cross-network reach to on-premise, edge and cloud environments; and good technical support.
Where they differ is in their technical capabilities, with Darktrace rated higher across the board in areas like speed of detection, level of autonomy and monitoring. However, Microsoft's solution came out as easier to use overall, with significantly lower and more transparent costs.
Ultimately it is likely that any choice between Microsoft and Darktrace will come down to the business systems you have in place, the features you need and even personal preference.