XQ Zero-Trust vs Microsoft SIEM

edited January 2023 in Why Use XQ

XQ Overview 

Enforce data-centric protection and privacy from the edge of the internet to the cloud. 

XQ is an API-based zero-trust data platform that focuses on protecting data rather than networks. XQ is very scalable, interoperable, and crypto-agile. 

XQ creates unique benefits for data across systems providing data provenance and making it ideal for protecting personally identifiable information in regulated industries.

Fundamental Differences and Benefits 

1. Data Control

XQ never has the client’s data and can never read it. The client retains control of their data at all times. Fundamentally, Microsoft is a vertically integrated solution that stores the data and the keys in one system. The Microsoft system is built to protect a network the customer owns. It does not help monitor and control data once that data has left the network. XQ does.

Data ingestion for on-prem Microsoft sources or Azure cloud sources is relatively easy. Ingestion from all other third-party sources requires sending data to Log Analytics via Syslog in the Common Event Format (CEF). Data is stored in the Azure SQL Database, a fully-managed database service. This means any data that is not in CEF, such as custom application logs, is not ingestible by Sentinel unless it is first converted to CEF. And since custom application logs are always changing, this conversion would be a difficult maintenance task. If your custom application logs, especially those of custom applications living in other cloud environments, are important to you, then Sentinel is not a good choice. Sentinel comes with 90 days of storage included in the price, just like Log Analytics. Extra storage is available at an additional cost. The maximum retention time for storage inside of Azure is 730 days.
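The CEF conversion step described above is where custom application logs usually break: CEF has its own escaping rules for the pipe-delimited header and for the key=value extension, and a log line that violates them is silently mangled or dropped. The following is an added example, not code from XQ or from Microsoft, of a small converter from newline-delimited JSON application logs to CEF lines. The application fields, the `ExampleVendor`/`ExampleApp`/`1.0` header values and the severity mapping are assumed placeholders for a hypothetical custom application; the sample log lines are constructed.

```python
"""Convert constructed custom application log records to CEF lines.

Added example for illustration; not XQ or Microsoft code. The JSON field
names, header values and severity mapping are placeholders for a
hypothetical custom application.
"""
import json
import re

# Constructed sample: two newline-delimited JSON records from a hypothetical app.
# The first contains a pipe and an '=' in free text; the second contains a newline.
SAMPLE_APP_LOG = """\
{"ts": "2023-01-10T12:00:01Z", "event": "login_failed", "user": "alice", "src": "10.0.0.5", "detail": "bad password | attempt=3"}
{"ts": "2023-01-10T12:00:07Z", "event": "login_ok", "user": "bob", "src": "10.0.0.9", "detail": "mfa=push\\nok"}
"""

# Placeholder severity per application event, on the 0-10 scale CEF uses.
SEVERITY = {"login_failed": 5, "login_ok": 1}

def escape_header(value: str) -> str:
    """Escape a CEF header field: backslash and pipe are special there."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def escape_extension(value: str) -> str:
    """Escape a CEF extension value: backslash, '=' and line breaks are special.
    Backslash is handled first so the escapes added afterwards are not doubled."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def record_to_cef(record: dict) -> str:
    """Map one parsed application record to a CEF line.

    Layout: CEF:Version|Device Vendor|Device Product|Device Version|
            Signature ID|Name|Severity|Extension
    """
    event = record["event"]
    header = "|".join(escape_header(f) for f in (
        "ExampleVendor", "ExampleApp", "1.0",      # assumed placeholder values
        event, event.replace("_", " "), str(SEVERITY.get(event, 3)),
    ))
    # Standard CEF extension keys; the timestamp is passed through unchanged,
    # which is a simplification (CEF defines its own accepted time formats).
    ext = {"rt": record["ts"], "suser": record["user"],
           "src": record["src"], "msg": record["detail"]}
    extension = " ".join(f"{k}={escape_extension(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"

def convert_log(text: str) -> list:
    """Convert newline-delimited JSON log text to CEF lines.

    Records that fail to parse or lack a required field are dropped rather
    than emitted as broken CEF lines that the collector would reject."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            out.append(record_to_cef(json.loads(line)))
        except (json.JSONDecodeError, KeyError):
            continue
    return out

# A CEF:0 prefix followed by six header fields (escaped chars allowed), then '|'.
CEF_RE = re.compile(r"^CEF:0\|(?:[^|\\]|\\.)*(?:\|(?:[^|\\]|\\.)*){5}\|")

def is_well_formed(cef_line: str) -> bool:
    """Sanity check that a line has the CEF header shape before forwarding it."""
    return CEF_RE.match(cef_line) is not None

if __name__ == "__main__":
    for cef in convert_log(SAMPLE_APP_LOG):
        print(is_well_formed(cef), cef)
```

Note that `|` is escaped only in the header, not in the extension, while `=` is escaped only in the extension; getting either backwards is the usual reason a converted log fails to parse at the collector. Every time the application adds or renames a field, the mapping in `record_to_cef` has to follow, which is the maintenance burden the text refers to.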

2. Worldwide Data Provenance 

XQ data is only accessible in authorized geo-locations by authorized entities. 

Microsoft does not provide geolocation information or geolocation-based data control.

3. Security Strength 

XQ’s data-centric zero-trust solution is designed for distributed key generation and multi-node internet-scale interoperability.

Microsoft uses traditional HSM-based encryption and key generation.

4. Interoperability 

XQ allows point-to-multipoint secure data interoperability outside of the client network.

Microsoft is focused on Microsoft tools. It is not a valid solution for multi-cloud and multi-environment systems. Sentinel can only be deployed on Azure.

Sentinel plays well with anything inside the Azure stack. Microsoft includes a SOAR as part of the solution and uses playbooks to automate tasks and responses to alerts and detections. This is done using Azure Logic Apps as the connectors between Sentinel and other components or services. Pre-built playbooks exist with more than 200 connectors, so you can build your own actions. However, automating tasks for anything outside of Azure, such as AWS or Google Cloud Platform (GCP), will be much more difficult and require a great deal of effort and coding. For customers that are 100% Azure, Sentinel has a great deal of flexibility, but for customers with a multi-cloud environment, it may not be the best fit.

5. Edge

XQ works from edge applications and can be embedded in any app. Microsoft still offers no comparable approach.

6. Scalability 

XQ can scale to millions and billions of transmissions each with its own key generated at the edge from quantum entropy.

Sentinel is a traditional central HSM solution.

For organizations with a broad mix of Microsoft and non-Microsoft technologies, Sentinel could be more trouble than it’s worth. Onboarding custom application logs will be especially difficult. And automating tasks and responses in other cloud providers such as AWS and GCP will be equally troublesome.


COSTS

Sentinel comes with all features enabled. But Sentinel alone isn’t all you need to purchase. First, you must pay for the data to be ingested into a Log Analytics workspace, which has its own pricing: https://azure.microsoft.com/en-us/pricing/details/monitor.

After you pay for data ingestion and storage of your Log Analytics workspace, you’re not finished. You then must pay Sentinel’s ingest pricing and storage costs. You’ll find Sentinel costs (separate and additive to the Log Analytics costs) here:

https://azure.microsoft.com/en-us/pricing/details/azuresentinel.

While Sentinel’s license includes all features, it does have some pricing pitfalls you need to consider. The biggest charge to watch for is the additional cost associated with exceeding your reserve pricing. Since Sentinel pricing is reserve-based, exceeding your reserve puts you into an “on-demand” pricing structure, which can quickly escalate if you significantly exceed your reserve. This model presents a challenge for customers with bursty data needs: either you over-provision for the majority of the time, or you pay occasional penalties for exceeding your reserve. It’s challenging


Is Microsoft Azure Sentinel a Next-Gen SIEM worthy of consideration?

Yes, if your organization is exclusively or predominantly in the Microsoft ecosystem. No, if your organization relies on a broad mix of technologies and cloud services.

From a VWAN perspective, XQ offers a far broader range of applicability: non-Azure WANs and systems, and an order of magnitude reduction in management complexity. Also, the ability to use Microsoft VWAN while owning the keys and keeping them in a separate location reduces risk dramatically.

ExpressRoute is interesting but requires ownership of a private network to operate. XQ creates private connections over public networks as well as private networks.


XQ Technical Overview

The XQ platform focuses on protecting data rather than the network or link, as is normally the case. XQ is a highly scalable, interoperable, crypto-agile, and zero-trust solution. XQ uses application endpoint identity authentication and quantum entropy to seed applications at the edge. In this implementation, each piece of data knows who can read it, when it can be read, where it can be read and how long it remains active, and logs each interaction. This provides instant insight into adversary activity and policy violations and records logs for complete data compliance. More importantly, it empowers systems to ingest data from sources over untrusted networks.
