Defend your Azure environment with Microsoft Defender for Cloud
You have your Azure environment set up and now you are wondering what you can do to protect your deployed resources. Well, I’m here to help you answer that question.
Defender for Cloud Overview
Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that is made up of security measures and practices that are designed to protect cloud-based applications from various cyber threats and vulnerabilities.
It combines the capabilities of:
- DevSecOps — development security operations that unify security management at the code level across cloud, multicloud, and multiple-pipeline environments.
- Cloud Security Posture Management (CSPM) — a solution that surfaces actions that you can take to prevent breaches.
- Cloud Workload Protection Platform (CWPP) — specific protections for servers, containers, databases, storages, and other workloads
Key benefits of Microsoft Defender for Cloud
Planning Multicloud security
Defender for Cloud helps you to protect your multicloud environment by strengthening your security posture and protecting your workloads. Defender for Cloud provides a single dashboard to manage protection across all environments.
You can connect Amazon Web Services (AWS), and Google Cloud Platform (GCP) to your Defender for Cloud by selecting Environment settings and clicking on Add Environment.
Similarly, you can also connect GitHub and GitLab environments to benefit from the DevOps security tab which is part of the Defender for Cloud. DevOps security tab also provides you with vulnerability findings by severity, exposed secrets, code scanning vulnerabilities, OSS vulnerabilities, and recommendations on how you can remediate them.
Improving security posture through Cloud Security Posture Management (CSPM)
CSPM comes in 2 variations:
- Foundational CSPM — Defender for Cloud offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default for subscriptions and accounts that onboard to Defender for Cloud.
- Defender Cloud Security Posture Management (CSPM) plan — The optional, paid Defender for Cloud Secure Posture Management plan provides more, advanced security posture features.
Differences between the plans can be found on the Microsoft CSPM Plan availability page.
The most important parts of Defender for Cloud CSPM are:
Security policies and standards
Security standards and recommendations that help to improve your cloud security posture. They come from these sources:
- Microsoft Cloud security benchmark (MCSB) — The MCSB standard is applied by default when you onboard Defender for Cloud to a management group or subscription. Your secure score is based on an assessment against some MCSB recommendations.
- Regulatory compliance standards — When you enable one or more Defender for Cloud plans, you can add standards from a wide range of predefined regulatory compliance programs.
- Custom standards — You can create custom security standards in Defender for Cloud, and then add built-in and custom recommendations to those custom standards as needed.
Secure score
The secure score in Microsoft Defender for Cloud can help you improve your cloud security posture. The secure score aggregates security findings into a single score so that you can assess, at a glance, your current security situation. The higher the score, the lower the identified risk level is.
When you turn on Defender for Cloud in a subscription, the Microsoft Cloud security benchmark (MCSB) standard is applied by default in the subscription. Assessment of resources in scope against the MCSB standard begins.
The MCSB issues recommendations based on assessment findings. Only built-in recommendations from the MCSB affect the secure score. Currently, risk prioritization doesn’t affect the secure score.
When you view the Defender for Cloud Overview dashboard, you can view the secure score for all of your environments. The dashboard shows the secure score as a percentage value and includes the underlying values.
Defender External Attack Surface Management (EASM)
Continuously discovers and maps your digital attack surface to provide an external view of your online infrastructure. This visibility enables security and IT teams to identify unknowns, prioritize risk, eliminate threats, and extend vulnerability and exposure control beyond the firewall.
Protecting your workloads — CWPP
Defender for Cloud collects data from your Azure virtual machines (VMs), Virtual Machine Scale Sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats. Some Defender plans require monitoring components to collect data from your workloads.
Data collection is required to provide visibility into missing updates, misconfigured OS security settings, endpoint protection status, and health and threat protection. Data collection is only needed for compute resources such as VMs, Virtual Machine Scale Sets, IaaS containers, and non-Azure computers.
Data is collected using:
- Azure Monitor Agent (AMA)
- Microsoft Defender for Endpoint (MDE)
- Log Analytics agent
- Security components, such as the Azure Policy for Kubernetes
Defender Plans
As mentioned above there are plans that you need to enable to have your workloads secure. I won’t go into details here because there are a lot of them and they could be an article on their own so I will just list them and put references below.
- Defender for Servers
- Defender for Containers
- Defender for Databases
- Defender for Storage
- Defender for App Service
- Defender for Key Vault
- Defender for Resource Manager
- Defender for APIs
Investigation and remediation of security posture
A proactive approach to tackle vulnerabilities, security scores, and alert/incident investigation can be done in multiple ways. The best approach would be to do all those things in parallel to make the vulnerability gap as low as possible.
Security recommendations
Resources and workloads protected by Microsoft Defender for Cloud are assessed against built-in and custom security standards enabled in your Azure subscriptions, AWS accounts, and GCP projects. Based on those assessments, security recommendations.
Microsoft Defender Recommendations can be accessible as shown on the screenshot above.
Identify and remediate attack paths
Attack path analysis helps you to address the security issues that pose immediate threats with the greatest potential of being exploited in your environment. It also highlights the security recommendations that need to be resolved to mitigate it.
Investigate and respond to security alerts and incidents
Defender for Cloud collects, analyzes, and integrates log data from your Azure, hybrid, and multicloud resources, the network, and connected partner solutions, such as firewalls and endpoint agents. Defender for Cloud uses the log data to detect real threats and reduce false positives. A list of prioritized security alerts is shown in Defender for Cloud along with the information you need to quickly investigate the problem and the steps to take to remediate an attack.
Best practice: Prioritize alerts based on alert severity, addressing higher severity alerts first.
From the Security Alerts tab, you can check all the alerts on your environment, and if you filter them and click on View full details you can get a lot of information that can help you investigate the issue.
If you have alerts for a resource that aligns with kill chain (progression of a cyberattack from reconnaissance to data exfiltration) patterns, you will have them all aggregated in a single incident.
The way to respond to those incidents is shown in the Take Action tab on top of the Security incident alert. From there, steps are shown to Mitigate the threat, prevent future attacks, and automatically respond through Logic Apps.
Conclusion
If you are looking for a comprehensive cloud security solution that can help you protect your organization from a wide range of threats, Microsoft Defender for Cloud is a great option. With its ability to reduce your attack surface, stop threats in their tracks, gain visibility into your cloud security posture, and simplify your security operations, Defender for Cloud can help you achieve a more secure and compliant cloud environment.
In conclusion, Microsoft Defender for Cloud is a powerful cloud security solution that can help organizations of all sizes protect their cloud environments from a wide range of threats. With its comprehensive set of features and its integration with other security solutions, Defender for Cloud is a valuable asset for any organization that is looking to improve its cloud security posture. If you are not already using Defender for Cloud, I encourage you to learn more about it and consider implementing it in your organization.
As always thank you for reading the article, I hope it was useful and comprehensive. If you’ve liked the article, give me a few claps and share it around. It would mean a lot. On the same note, check out the articles written by Martina on the EDR/MDR/XDR topics.
For all the questions and all the feedback on the subject, you can find me on LinkedIn and read the rest of our articles on Cyberdnevnik.
Cheers,
Vedran.
