Trustwave Blog

How to Limit Extra Costs When Implementing Microsoft E5 Security Products

Written by | Aug 7, 2024

The Microsoft 365 E5 license gives you access to a slew of valuable Microsoft Security products that will cover you quite well for all your enterprise security monitoring needs. However, monitoring is only part of the security equation; the resources and services you add to it will help you get real value from E5.

In a recent webinar, "5 Steps to Maximizing a Microsoft E5 License", David Broggy, senior solutions architect for implementation services at Trustwave and a Microsoft MVP, laid out several keys to making the most of E5's security solutions.

He explained how the Microsoft cybersecurity solutions under E5 collectively provide services and protection that every company needs, including for:

  • Identity management
  • Workload and application protection on-premises and in the cloud
  • Cloud resource protection
  • Threat monitoring and alerting
  • Compliance features
  • Attack path analysis
  • Logging, monitoring, and reporting with a security information and event management (SIEM) tool
  • Some threat intelligence

A common denominator among most of those offerings is that they mainly observe what's going on in your environment rather than taking any action, which means you don't have to worry that they'll open up new security holes.

"The good thing about jumping fast into E5-related security features is they only do read access. They're just monitoring," Broggy said. "So, you can jump into a lot of these features without affecting operations or production and with minimal concern about change requests and things affecting the environment."

Alert Data Can Drive Up Costs

In terms of cost, he said, the base fee for E5 is easy to determine because Microsoft uses a per-user pricing model.

Broggy also provided sound advice on being mindful of extra costs, most of which come down to how much data you want to send to the Microsoft Sentinel SIEM. "Microsoft Sentinel is free to turn on, but there's a cost to ingesting logs," he said.

In general, there's no charge for sending alerts from Microsoft Security products, including the various Defender tools (XDR, Endpoint, Identity, Office 365, Cloud Apps), Microsoft Entra ID, Azure Information Protection, and others. However, Microsoft makes clear that this applies only to alerts.

According to Microsoft, "Although alerts are free, the raw logs for some Microsoft Defender XDR, Defender for Endpoint/Identity/Office 365/Cloud Apps, Microsoft Entra ID, and Azure Information Protection (AIP) data types are paid." That includes data types "such as the Advanced hunting tables DeviceInfo, DeviceFileEvents, EmailEvents, and so on."

How Security Professionals Can Help

Limiting the amount of data you send to Microsoft Sentinel, especially from third-party security tools, will reduce your costs. On the other hand, you want to keep all alert and log data that can help you detect security issues.

What you need is a Microsoft security partner who knows how to tune your various Microsoft security solutions so that they report on relevant issues but not all the noise that results in alert fatigue and increased costs.

With issues like this in mind, Trustwave created a series of offerings to help clients get the most out of their Microsoft investments. They include a trio of Accelerators for Microsoft Defender XDR, Sentinel, and Copilot for Security. The Accelerators give customers step-by-step instructions on replacing various existing security solutions with relevant Microsoft offerings so they can more quickly derive value from their E5 investments.

Trustwave, one of the first Microsoft Global MSSP Partners to offer Managed Security Services for Microsoft Sentinel, also provides implementation and optimization services that help you create roadmaps and best practices to unlock the full value of your Microsoft E5 investment. That includes tuning all the security solutions to limit noise, false positives, and costs.

There's also a series of managed security services, such as the Trustwave Managed Extended Detection and Response (MXDR) for Microsoft, an MDR service specifically geared toward the Microsoft Security environment. MXDR puts a team of security experts on your side to help vet and respond to the security alerts that reach Microsoft Defender XDR and Microsoft Sentinel SIEM.

The Microsoft E5 license offers significant security value on its own, but even more so when you enlist security professionals to help you configure and optimize the tools and respond to the alerts they raise. For more information, please see the webinar, "5 Steps to Maximizing a Microsoft E5 License."