Microsoft Sentinel VS Blackpoint Cyber Response

Microsoft Sentinel and Blackpoint Cloud Protection are two leading solutions designed to safeguard Microsoft 365 environments from cyber threats, but they offer vastly different approaches. Blackpoint Cloud Protection is a closed system, designed with minimal flexibility—offering a straightforward set of preconfigured monitoring and detection capabilities. This makes it a more controlled environment but leaves little room for customization or adapting it to specific organizational needs.

On the other hand, Microsoft Sentinel is an open platform that allows admins to fully customize their security monitoring by leveraging KQL. There are many templates available, but analytic rules can also be hand-built, offering greater control over threat detection, incident response, and data analysis. There are over a dozen connectors available that can import data from various sources, such as M365, Azure, Intune, firewalls and routers, as well as line-of-business (LOB) apps.

What is KQL?

In Microsoft Sentinel, Kusto Query Language (KQL) is the powerful, flexible language used to write custom queries for log data analysis. With KQL, security analysts can sift through vast amounts of cloud data, creating precise and complex rules that detect specific patterns or anomalies. This flexibility allows Sentinel admins to create tailored detections based on unique security requirements, giving it a significant advantage over fixed, pre-built solutions.

KQL queries are simple to create. This is an example of an analytics rule to detect MFA rejections:

// Interactive sign-ins where the user explicitly declined the MFA prompt.
SigninLogs
// ResultType is a string column in SigninLogs, so the code must be quoted;
// 500121 = strong authentication was required but not completed.
| where ResultType == "500121"
// Status is a dynamic column; pull the detail text out as a string.
| extend additionalDetails_ = tostring(Status.additionalDetails)
// Case-insensitive match on the "user declined" detail only.
| where additionalDetails_ =~ "MFA denied; user declined the authentication"

Security Orchestration and Response

Blackpoint operates as a closed system, providing incident alerts primarily via email and potentially mitigating threats, though we were unable to find specific details on its security orchestration capabilities. In contrast, Microsoft Sentinel does not include built-in security orchestration; however, its automation functionality allows users to leverage Azure Logic Apps to implement automation during incidents and alerts effectively.

Each customer’s tenant can be set up with a Microsoft Sentinel workspace and an Azure Logic App, enabling the transmission of incident data in JSON format to a central automation platform (in the MSP tenant). This platform can centrally analyze the data and determine whether a threat requires mitigation, such as isolating a device or user.
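The receiving side of that design, as an added example that is not code from the original post or from any Microsoft product: a small triage routine for the central automation platform that takes the incident JSON a per-tenant Logic App forwards, applies a severity filter, and decides which mitigation actions to queue. The payload field names, the tenant/account/host values and the break-glass list are all constructed assumptions, modelled only loosely on the Sentinel incident trigger.

```python
import json

# Central "automation platform" side: receives the incident JSON that a
# per-tenant Logic App forwards and decides whether to mitigate. Field names
# are an assumption modelled loosely on the Sentinel incident trigger payload.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Accounts automation must never disable (constructed placeholder).
BREAK_GLASS = {"breakglass@tenant.example"}


def make_incident(tenant_id, title, severity, account_upn, host_name):
    """Build a constructed incident payload in the assumed forwarded shape."""
    name, _, suffix = account_upn.partition("@")
    return json.dumps({
        "tenantId": tenant_id,
        "properties": {"title": title, "severity": severity, "status": "New"},
        "entities": [
            {"kind": "Account", "properties": {"accountName": name, "upnSuffix": suffix}},
            {"kind": "Host", "properties": {"hostName": host_name}},
        ],
    })


def triage(incident_json, min_severity="High"):
    """Map one forwarded incident to the actions the central platform takes."""
    inc = json.loads(incident_json)
    sev = inc.get("properties", {}).get("severity", "Informational")
    accounts, hosts = [], []
    for ent in inc.get("entities", []):
        p = ent.get("properties", {})
        if ent.get("kind") == "Account" and p.get("accountName"):
            accounts.append(f'{p["accountName"]}@{p.get("upnSuffix", "")}'.rstrip("@"))
        elif ent.get("kind") == "Host" and p.get("hostName"):
            hosts.append(p["hostName"])
    actions = []
    if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[min_severity]:
        # Mitigate only at or above the configured severity filter.
        actions += [f"disable-user:{a}" for a in accounts if a not in BREAK_GLASS]
        actions += [f"isolate-device:{h}" for h in hosts]
    actions.append("notify-analyst")  # every incident still reaches a human
    return {"tenant": inc.get("tenantId"), "severity": sev, "actions": actions}


SAMPLE_INCIDENT = make_incident("11111111-1111-1111-1111-111111111111",
                                "User MFA Rejection", "High", "jdoe@contoso.example", "LAPTOP-01")

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_INCIDENT), indent=2))
```

The break-glass exclusion is the caveat worth copying: automation that can disable users must never be able to lock out the accounts you would use to recover the tenant.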

Costs

When comparing the costs of Microsoft Sentinel and Blackpoint Cloud Protection, it’s important to consider several factors, including pricing models, scalability, and the specific features included.

Microsoft Sentinel typically operates on a pay-as-you-go model based on the volume of data ingested and stored. This means costs can vary significantly depending on the size of the organization, the amount of log data processed, and any additional features or services utilized, such as advanced analytics or integrations with other Azure services. Sentinel’s pricing structure allows for scalability, which can be beneficial for organizations that expect to grow or have fluctuating security needs. The average cost is roughly $1 to $2 per user per month.

Blackpoint Cloud Protection, on the other hand, often uses a subscription-based pricing model, which includes a flat fee based on the number of users. This can provide a more predictable cost structure, but it may also come with limitations on flexibility and customization compared to Sentinel.

Sentinel VS Blackpoint Comparison

We conducted a comparison of the functions for M365 analytics between Blackpoint and our setup with Microsoft Sentinel. While both solutions have their strengths, Microsoft Sentinel stands out as the more advanced option, offering greater customization and flexibility. However, it requires a certain level of expertise to fully leverage its capabilities. In contrast, Blackpoint provides a more straightforward approach, which may be easier to manage for organizations with limited resources or expertise in security analytics.

| Feature | Blackpoint | Microsoft Sentinel |
| --- | --- | --- |
| Response to suspicious activity | Always responds to suspicious activity | Various severity filters for responses (High, Medium, Low) |
| Consented to Unverified App | Notifies when an admin consents to an unverified app | Alerts for unusual app consent (e.g., similar to attack toolkits) |
| Impossible Travel Detection | Alerts when a user logs in from geographically distant locations within an impossible travel time | Detection of suspicious logins using Azure AD Identity Protection |
| Login from New Device/IP | Alerts when a new device or IP is used for login | Sentinel monitors new device and IP activities |
| Login from Unapproved Country | Notifies based on login from unapproved countries | No explicit rule for this scenario, but geographic anomalies can be tracked, and blocked by leveraging Conditional Access rules |
| MFA Device Added | Email notification sent for new MFA devices | Sentinel provides MFA-related alerts (e.g., MFA rejections by users, new MFA devices, etc.) |
| Role Management | Alerts for role assignment and removal | Sentinel provides in-depth monitoring of role assignment, including role escalation outside of PIM (Privileged Identity Management) |
| User Account Management | Notifications for user creation, deletion, and lockout | Tracks user account creations and deletions over short timeframes; equivalent alerts can be created |
| Mailbox Monitoring | Alerts for mailbox access and rule changes (e.g., forwarding rules) | Tracks suspicious mailbox rule changes, forwarding rules, and grants of mailbox access |
| Anonymous Share Link | Sends alerts for anonymous SharePoint file sharing | SharePoint site creation and deletion are monitored along with file-sharing activities |

Monitors exclusive to Microsoft Sentinel:

| Additional Sentinel Monitor | Microsoft Sentinel |
| --- | --- |
| Bulk Changes to Privileged Account Permissions | Detects bulk changes to privileged accounts, indicating potential insider or external threats |
| Admin Promotion via App Role Assignment | Detects app role assignment used to elevate an account to admin roles |
| Cross-tenant Access Settings Organization Added | Detects new organizations added in cross-tenant access settings through GDAP and DAP, potentially indicating a security breach |
| Microsoft Partner Customer Access Group Changes | Monitors for changes to security groups that provide access to customer tenants |
| Intune Non-Compliant Device | Alerts as soon as devices become non-compliant |
| Modified Domain Federation Trust Settings | Alerts for changes to M365 registered domains |
| User MFA Rejection | Sentinel alerts for users that reject MFA authentications, possibly indicating a compromised password |
| External Guest Invitation Followed by Azure AD PowerShell Sign-in | Can indicate external-user reconnaissance of the tenant, possibly scanning for privileged accounts or lateral-movement paths |
| Malformed User Agent | Can indicate a user compromised by MITM attacks with frameworks such as EvilGinx |
| Microsoft Defender Threat Intelligence Analytics | Matches M365 activity (not sign-in logs) to IP addresses known in Defender Threat Intelligence Analytics, indicating possible session hijacking |
| SharePointFileOperation via Devices with Previously Unseen User Agents | Can indicate cryptoware activity |
| Certificates and Secrets Management | New secrets and certificates for existing applications can be used to compromise those applications and their privileges |
| Office Policy Tampering | Identifies any tampering with the audit log, ATP Safe Links, Safe Attachments, Anti-Phishing or DLP policy |

A Holistic Security Approach

It’s essential to remember not to rely too heavily on any single solution. By combining Sentinel or Blackpoint with Intune and other security measures, we establish a comprehensive, resilient defense that responds effectively to emerging threats.

Read more about our Microsoft 365 security recommendations in this blog: Microsoft 365 Security / Necessities / Checklist – Prof-IT Services

Stay safe, stay secure!
