Azure Security: how to do a Vulnerability Assessment using azure Security Center

Azure Security Center, the cloud solution that helps prevent, detect and respond to security threats affecting Azure resources and workloads in hybrid environments, recently enhanced with the ability to integrate a Vulnerability Assessment for Virtual Machines in Azure. This article explains how you can complete a vulnerability assessment process by using the Azure Security Center, examining the characteristics of the solution.

Vulnerability scanning included in Azure Security Center (ASC) is done through the solution Qualys, which is recognized as a leading tool for real-time identification of potential vulnerabilities in the systems. In order to use this feature you must adhere to the standard tier of Security Center, and in this case you will need to not incur additional licensing fees. The Standard tier also adds advanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats.

If you wish to keep the tier free of ASC you can still make the deployment of solutions to perform a vulnerability assessment, which Qualys and Rapid7, but it is necessary to provide the management of the licensing costs, the distribution and configuration. For more details about the cost of Azure Security Center and for a comparison between the Free and the Standard tier, see the Microsoft's official documentation.

The most immediate and rapid method to scan for vulnerabilities in Azure is using the integrated solution Qualys in the Standard Tier of Azure Security Center. To enable it, simply go to the ASC Recommendations and select “Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)“, come mostrato dall’immagine seguente:

Figure 1 - Recommendation of Azure Security Center to enable vulnerability assessment solution

Selecting this option Azure virtual machines are divided into the following categories:

  • Healthy resources: systems where the extension has been deployed to complete a vulnerability scan.
  • Unhealthy resources: machines where you can enable the extension to scan for vulnerabilities.
  • Not applicable resources: systems where the extension is not present and that it is not possible to enable it because they belong to the ASC tier free or because the operating system is among those not supported. Among the supported operating systems are: RHEL 6.7/7.6, Ubuntu 14.04/18.04, Centos 6.10/7/7.6, Oracle Linux 6.8/7.6, SUSE 12/15, and Debian 7/8.

Figure 2 - Enabling the solution

Selecting the machines of interest and pressing the button Remediate will be onboarded to the built-in Vulnerability Assessment solution. As a result, the specific extension will be installed on the systems and the first scan will be automatically started at the end of the installation.. The extesion is based on the Azure Virtual Machine agent and therefore runs in the Local Host context on Windows systems, and Root on Linux ones.

The names of the extension that will be present on the enabled systems are listed, for which the provider will always be Qualys:

  • Linux Machines: “LinuxAgent.AzureSecurityCenter”
  • Windows Machines: “WindowsAgent.AzureSecurityCenter”

As for extension updates, the same rules apply to other extensions, so the fewest versions of Qualys' scanner will be automatically deployed following an in-depth testing phase.. In some cases, you may need manual actions to complete the upgrade.

After the scan is complete, any vulnerabilities detected on the systems will be reported in the Recommendations by ASC.

Figure 3 – ASC notification reporting the presence of recommendations for intercepted vulnerabilities

Selecting the recommendation provides details of all vulnerabilities detected, severity and its status:

Figure 4 – List of detected security vulnerabilities

By selecting the single vulnerability you can see the details, potential impacts, remediation actions and affected systems.

Figure 5 – Information reported for each individual vulnerability detected

Conclusions

To strengthen the security posture of your environment you definitely should consider adopting Azure Security Center in the standard tier, that among the various functionality it allows to check that they are applied in a strict manner all safety criteria and allows to constantly monitor the compliance criteria. The inclusion in the solution of a vulnerability assessment tool, provided by Qualys, industry leader, adds further value to the solution, also be able to draw on the knowledge gained by this vendor in the discovery of vulnerabilities.