What is Microsoft Intelligent Security Graph?

Microsoft Intelligent Security Graph overview

At the most basic level, the Microsoft Intelligent Security Graph is the “data plane” that collects all the telemetry from every Microsoft application. From there, using everyone’s current favorite buzzword “machine learning,” it provides actionable alerts in an easy to review format, as well as remediation options should action need to be taken. The Intelligent Security Graph is part of Microsoft Graph, which serves as a control plane for Microsoft data and came from Office 365 APIs.

In a 2018 Ignite video, Microsoft called it a “gateway” that connects customer security and organizational data and explained that it came about due to challenges of integrating with customers’ existing security tools and workflows. While seeing opportunities for connecting customers’ security technologies to streamline operations and improve threat defense.

It’s a similar product, overall, to Citrix Analytics and VMware Workspace ONE Intelligence, but precedes the two as it was announced at Ignite 2016. Customers have access to data collected from over 200 Microsoft products; and then data collected from the Microsoft Intelligent Security Graph is then used in other products, like Windows Hello, SecureBoot, and DeviceGuard. When originally announced, Brad Anderson boasted about how Microsoft takes in trillions of pieces of data per month, from billions of devices; so that’s a lot of data for customers to play with.

In addition to getting access to all that data, IT administrators can create conditional policies and alerts, and then remediate issues through Microsoft Intelligent Security Graph. They will do this through a dashboard experience of their choosing as there’s no console designed specifically for Intelligent Security Graph. Customers decide how they wish to access it, whether that’s via PowerShell, an existing Microsoft console like Azure, or an in-house app.

Since its announcement in 2016, the Graph has seen regular updates. At Ignite 2017, Microsoft revealed that they were now leveraging it with their other solutions, like Office 365 Advanced Threat Protection and Windows Defender Application Control. Then in October 2018, they announced the release of the Microsoft Security Graph API (which is available for no extra cost for customers with an Azure subscription) that connects to third-party integrations, providing additional security alerts from one centralized experience. The API also led to partnerships with numerous security vendors (think VMware’s Trust Network) including Lookout, Illumio, Symantec, and others. Previously announced integrations with Palo Alto Networks and Anomali also hit GA.

Similarities/differences to Citrix Analytics and Workspace ONE Intelligence

Basically, all three are like policy engines on steroids: When you have so many sources of data and things you can control, you have some huge amounts of data. So, you need modern ways of storing that data, processing it, analyzing it, accessing it, integrating with other products, etc. That’s what Microsoft, VMware, and Citrix are all doing with these products.

While all three vendors use this as a way to provide access to their lakes of data (as VMware likes to call it), Microsoft lets you access via a console of your choosing. Intelligence and Citrix Analytics both feature pre-designed dashboards where admins manage alerts and more, while Microsoft allows customers to decide how they will view this data.

They all take in data from a variety of places (devices, apps, infrastructure… basically anything you can monitor) for security, performance, and more and sit atop of some Workspace-styled offering: EMS, Citrix Digital Workspace, and Workspace ONE. Each one will have some proprietary data points: Microsoft can see how every Windows machine in the world is working, plus all your Office 365 data; Citrix can see activity in Sharefile; etc.

Microsoft Intelligent Security Graph is most similar to Workspace ONE Intelligence, because Citrix Analytics has a larger focus on performance insights. Security Graph and Intelligence also provide performance alerts; their focus just is more emphasized on security. Additionally, Citrix Analytics does not yet appear to have any security partner integration like the other two tout, but maybe that will come later (perhaps we’ll see an announcement at Synergy?).

Microsoft’s terminology makes it all a little confusing

Microsoft has so much data and now you can access it to better secure your endpoints and data, as well as use it to remediate alerts (e.g., ban an IP that signs into an account that normally only sees log-in attempts from a closer, local IP).

And that’s what you get at the end of the day, but unfortunately they wrap it all up under several terms (both official and merely descriptive) that I feel like they half-heartedly use and feel swappable. Just go to Microsoft’s site and see if you can decipher what the Microsoft Intelligent Security Graph is compared to the Microsoft Security API, which has led to customer confusion (even took me awhile before I felt comfortable explaining it).

I kind of wonder why they bothered introducing the Microsoft Intelligent Security Graph when most documentation and videos pivot to focusing on the Microsoft Graph and Microsoft Graph Security API. That’s not to say it’s a bad product; I actually like how there’s not a specific dashboard for it, allowing customers to connect it to their Azure console or a custom-made one. Also, if it’s the same data and same platform underneath, then in a way it’s all just branding and packaging. Either way, they just need to clarify their messaging.