Category Archives: Enterprise Security

Proactive Cloud Protection: Experiences and Strategies for Cloud Security

With the growing adoption of cloud platforms, organizations face new security challenges that require a structured and proactive approach. Field experience has shown how critical it is to implement effective Cloud Security Posture Management (CSPM) solutions to continuously monitor and protect cloud infrastructures. These tools enable the detection and resolution of risks before they can evolve into critical threats. In this article, I will share practical advice for tackling these challenges, exploring the importance of CSPM, key risks to consider, and how Microsoft Defender for Cloud (MDfC) stands out as a comprehensive solution for managing cloud security. Additionally, we will review the essential steps for effectively implementing a CSPM solution and best practices to maximize security.

Understanding CSPM and Its Importance

Cloud Security Posture Management (CSPM) refers to a suite of tools and practices that continuously monitor and protect cloud infrastructures. Through direct experience with various projects, I have observed how organizations increasingly rely on cloud platforms, often exposing themselves to misconfigurations, compliance violations, and vulnerabilities. CSPM acts as a continuous supervisor, detecting and mitigating risks before they become critical threats, providing constant oversight over cloud environments.

The main risks that a CSPM solution helps to address include:

  • Data Breaches: Misconfigurations can inadvertently expose sensitive data, making it vulnerable to external threats.
  • Compliance Violations: Non-compliance with regulations can result in legal penalties and financial losses.
  • Reputational Damage: A security breach can undermine customer trust, negatively impacting the company’s reputation.

Microsoft Defender for Cloud: A Comprehensive CSPM Solution

Microsoft Defender for Cloud (MDfC) is an advanced Cloud Security Posture Management (CSPM) solution that excels in protecting heterogeneous cloud environments. Working directly on various projects, I have seen how MDfC, operating as a Cloud Native Application Protection Platform (CNAPP), offers comprehensive protection throughout the application lifecycle, from development to deployment. Its scalability allows it to adapt to the evolving needs of organizations, supporting platforms like Azure, AWS, and GCP.

Figure 1 – Microsoft Cloud-Native Application Protection Platform (CNAPP)

MDfC stands out by managing various security areas in addition to CSPM:

  • Cloud Workload Protection Platform (CWPP): This feature provides real-time threat detection and response for virtual machines, containers, Kubernetes, databases, and more, helping to reduce the attack surface.
  • Multi-Pipeline DevOps Security: It offers a centralized console to manage security across all DevOps pipelines, preventing misconfigurations and ensuring vulnerabilities are detected early in the development process.
  • Cloud Infrastructure Entitlement Management (CIEM): It centralizes the management of permissions across cloud and hybrid infrastructures, preventing the misuse of privileges.

Additionally, Cloud Security Network Services (CSNS) solutions integrate with CWPP to protect cloud infrastructure in real-time. A CSNS solution may include a wide range of security tools, such as distributed denial-of-service (DDoS) protection and web application firewalls.

Implementing CSPM: Planning and Strategies

To implement a CSPM solution effectively, a detailed plan is essential to ensure alignment with business needs. Here are some practical suggestions:

  1. Assess Security Objectives: Organizations should start by evaluating their cloud environments, identifying critical resources, and understanding their exposure to risks. This requires a thorough analysis of the IT security landscape, including identifying any gaps in infrastructure and compliance requirements.
  2. Define Security Requirements: Once the cloud environment is understood, the next step is to establish security policies that protect high-value workloads and sensitive data. It’s crucial to outline risk management strategies that include preventive measures, such as audits and vulnerability scans, as well as reactive measures like breach response plans.
  3. Select the Appropriate CSPM Solution: MDfC offers various levels of CSPM services. Organizations can start with basic functionalities, such as compliance controls and vulnerability assessments, and then evolve toward advanced capabilities, including in-depth security analysis, threat management, and governance tools.

Figure 2 – CSPM Plans (Foundational vs. Defender CSPM)

Turning Strategy into Action

Once the planning phase is complete, it’s time to operationalize CSPM, translating strategic security objectives into concrete actions integrated into daily operations. Based on my experience, the key steps include:

  • Defining Roles and Responsibilities: Clearly assigning roles to team members is critical to ensuring accountability and effective management of CSPM tools. For example, security architects can focus on the overall strategy, while IT administrators handle the configuration and daily management of CSPM tools.
  • Establishing Solid Processes: Implementing workflows for regular security assessments, managing compliance, and resolving issues is crucial. Automation plays a key role at this stage, simplifying operations and reducing the risk of human error.
  • Continuous Monitoring and Improvement: Effective use of CSPM requires ongoing monitoring to identify new vulnerabilities and threats. Real-time monitoring tools, such as those provided by Defender for Cloud, enable organizations to respond swiftly to security incidents, ensuring a high level of protection.

Best Practices for Maximizing CSPM Effectiveness

To get the most out of CSPM, organizations should follow some best practices that I have found to be particularly effective:

  • Align with Industry Standards: Ensure that CSPM implementation complies with industry standards and best practices, such as the CIS Benchmarks and the NIST Cybersecurity Framework. This ensures that the security measures adopted meet the required levels of protection and compliance.
  • Shift-Left Security: Integrate security into every phase of IT operations, from application design and development to deployment and maintenance. This approach, known as “shift-left,” reduces the risk of vulnerabilities being introduced into systems from the earliest stages.
  • Automate Security Processes: Automating tasks such as compliance checks, threat detection, and issue resolution significantly improves the efficiency of security operations, freeing up resources to address more complex threats.
  • Cultivate a Security Awareness Culture: Security must be a shared responsibility, not limited to the IT department. All employees should be trained and aware of their role in maintaining organizational security. Regular training sessions and workshops help to promote this culture of awareness.

Best Practices Specific to Defender CSPM

To optimize the use of Microsoft Defender for Cloud (MDfC) as a CSPM solution, it is useful to follow these best practices:

  • Customize MDfC Settings: Tailor MDfC configurations to the organization’s specific needs and risk profile, implementing targeted security policies, custom threat detection rules, and compliance benchmarks.
  • Prioritize Alerts: Configure MDfC to categorize and prioritize alerts based on severity, resource sensitivity, and potential impact on business activities, ensuring a prompt response to critical threats.
  • Customize Dashboards: Adapt MDfC dashboards to highlight the most relevant security metrics, compliance status, and operational insights, facilitating monitoring and management of security.

Conclusion

Cloud Security Posture Management (CSPM) solutions are essential to ensure security and compliance in evolving cloud environments. With advanced tools like Microsoft Defender for Cloud, organizations can monitor and protect their data and infrastructures, minimizing risks and maintaining a robust security posture. Implementing a CSPM solution properly requires strategic planning and continuous adaptation to new threats, but the benefits in terms of protection and resilience are significant. By following best practices and integrating security into every phase of IT operations, companies can ensure proactive and enduring protection while preserving customer trust and corporate reputation.

Microsoft Defender for Cloud: a summer of innovations to reshape corporate security

In an era where data security and efficient management of cloud resources have become essential priorities, Microsoft Defender for Cloud emerges as a strategic tool for modern businesses. This solution, integrated into the Azure environment, offers advanced protection, facilitating enterprise-wide security and compliance management. This article explores the main innovations introduced in Defender for Cloud in summer 2023, outlining how they can represent added value for companies.

The benefits of adopting Defender for Cloud

Adopting Defender for Cloud in a business context is not just a strategic choice, but a growing need. This solution allows you to centralize and simplify security management, offering a holistic view that facilitates continuous monitoring and rapid response to security threats. Furthermore, it helps optimize the security posture of hybrid and multi-cloud environments, while ensuring advanced protection and compliance with various regulatory frameworks.

Summer 2023 news

Ability to include Defender for Cloud in business cases made with Azure Migrate

For companies intending to move their resources to cloud platforms such as Azure, migration planning is key. With the integration of Defender for Cloud in Azure Migrate, it is now possible to guarantee advanced protection right from the initial migration phase. This integration ensures that security strategies are well integrated into the migration plan, providing a more secure and seamless transition to the cloud.

Defender for Cloud, increasingly agentless

Many Defender for Cloud features are now available without the need to install an agent:

  • Container protection in Defender CSPM: agentless discovery. The transition from agent-driven discovery to agentless discovery, for protecting containers in Defender CSPM, represents a notable qualitative leap towards more streamlined and effective security management. This new feature eliminates the need to install agents on each container, thus simplifying the discovery process and reducing resource usage.
  • Defender for Containers: agentless discovery for Kubernetes. Defender for Containers has launched agentless discovery for Kubernetes, representing a notable step forward in container security. This feature provides a detailed view and comprehensive inventory capability of Kubernetes environments, ensuring a high level of security and compliance.
  • Defender for Servers P2 & Defender CSPM: agentless secret scanning for Virtual Machines. The ability to scan for secrets without using agents, included in Defender for Servers P2 and Defender CSPM, allows you to discover unsupervised and vulnerable secrets stored on virtual machines. This tool is essential to prevent lateral movement in the network and reduce the related risks.
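
To make the agentless secret-scanning idea concrete, here is an added Python example (not Microsoft's code and not part of the original article) that walks a constructed disk snapshot, the way an agentless scanner inspects a VM disk image rather than running inside the guest, flags common secret patterns and reports redacted findings with a remediation hint. All paths, patterns and file contents are constructed for this example.

```python
"""Agentless-style secret scan over a constructed VM disk snapshot.

Added example, not Microsoft's code: an agentless scanner reads a snapshot of
the VM disk instead of running inside the guest. Here a temporary directory
stands in for the mounted snapshot; all paths and contents are constructed.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Secret patterns commonly found on VM disks (constructed for this example).
# Patterns with a capture group report the captured value (redacted); the
# others report only that a secret block was found.
PATTERNS = {
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "azure_storage_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
    "sql_connection_password": re.compile(r"(?i)(?:password|pwd)=([^;\s'\"]+)"),
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
}

# Why each finding matters and what to do about it (defender's view).
REMEDIATION = {
    "ssh_private_key": "key may grant access to other hosts: rotate it and remove it from the disk",
    "azure_storage_key": "rotate the storage account key and move the app to a managed identity",
    "sql_connection_password": "rotate the SQL password and keep the connection string in Key Vault",
    "aws_access_key_id": "rotate the IAM access key and prefer short-lived role credentials",
}


@dataclass
class Finding:
    path: str        # path relative to the snapshot root
    kind: str        # key of PATTERNS
    line_no: int
    redacted: str    # never the full secret
    remediation: str


def redact(value: str) -> str:
    """Keep only the first and last four characters so a finding can be matched
    against the real secret without re-exposing it in reports or logs."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(rel_path: str, text: str) -> list[Finding]:
    """Run every pattern over every line of one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if m is None:
                continue
            shown = redact(m.group(1)) if m.groups() else "<private key block>"
            findings.append(Finding(rel_path, kind, line_no, shown, REMEDIATION[kind]))
    return findings


def scan_snapshot(root: Path, max_bytes: int = 1_000_000) -> list[Finding]:
    """Walk the snapshot; skip large files so the scan stays cheap."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.stat().st_size > max_bytes:
            continue
        text = p.read_text(encoding="utf-8", errors="ignore")
        findings.extend(scan_text(p.relative_to(root).as_posix(), text))
    return findings


def build_sample_snapshot(root: Path) -> None:
    """Constructed snapshot: one leaked SSH key, one app config with two
    embedded credentials, and a harmless log file."""
    (root / "home/ops/.ssh").mkdir(parents=True)
    (root / "home/ops/.ssh/id_rsa").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAAExampleNotARealKey\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    )
    (root / "opt/app").mkdir(parents=True)
    (root / "opt/app/.env").write_text(
        "STORAGE_CONNECTION=DefaultEndpointsProtocol=https;AccountName=examplestore;"
        "AccountKey=" + "A" * 88 + ";EndpointSuffix=core.windows.net\n"
        "SQL_CONNECTION=Server=tcp:db.example;Database=app;User ID=app;Password=Example-P4ss!;\n"
    )
    (root / "var/log").mkdir(parents=True)
    (root / "var/log/app.log").write_text("2023-07-01 10:00:00 INFO service started\n")


def run_demo() -> list[Finding]:
    """Build the constructed snapshot in a temp dir, scan it, return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_snapshot(root)
        return scan_snapshot(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted} -> {f.remediation}")
```

The scan reports three findings for the constructed snapshot (the SSH key, the storage account key and the SQL password) and never echoes a full secret, which is the behaviour you want before the report leaves the scanning pipeline.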

Data Aware Security Posture

Adopting a conscious security posture for data is essential and now Microsoft Defender for Cloud is able to satisfy this need too. This feature allows companies to minimize data risks, providing tools that automatically identify sensitive information and assess related threats, improving response to data breaches. In particular, sensitive data identification for PaaS databases is currently being previewed. This allows users to catalog critical data and recognize types of information within their databases, proving fundamental for the effective management and protection of sensitive data.

GCP support in Defender CSPM

Introducing support for Google Cloud Platform (GCP) in Defender CSPM, currently in preview, marks a significant step towards more integrated and versatile security management, extending Defender CSPM capabilities to a wide range of services in Google's public cloud.

Malware scanning in Defender for Storage

Defender for Storage introduces malware scanning functionality, overcoming traditional malware protection challenges and providing an ideal solution for highly regulated industries. This function, available as an add-on, represents a significant enhancement of the Microsoft Defender for Storage security solution. Malware scanning provides the following benefits:

  • Protection, in near real time, without agent: ability to intercept advanced malware such as polymorphic and metamorphic ones.
  • Cost Optimization: thanks to flexible pricing, you can control costs based on the amount of data examined and with resource-level granularity.
  • Enablement at scale: without the need for maintenance, supports automated responses at scale and offers several options for activation via tools and platforms such as Azure policy, Bicep, ARM, Terraform, REST API and the Azure portal.
  • Application versatility: based on feedback from beta users over the last two years, malware scanning has proven useful in a variety of scenarios, such as web applications, content protection, compliance, integrations with third parties, collaborative platforms, data streams and datasets for machine learning (ML).

Express Configuration for Vulnerability Assessments in Defender for SQL

The 'express' configuration option for vulnerability assessments in Defender for SQL, now available to everyone, facilitates the identification and management of vulnerabilities, ensuring a timely response and more effective protection.

GitHub Advanced Security for Azure DevOps

It is now possible to view GitHub Advanced Security for Azure DevOps alerts (GHAzDO) related to CodeQL, secrets and dependencies, directly in Defender for Cloud. The results will appear in the DevOps section and Recommendations. To see these results, you need to integrate your GHAzDO-enabled repositories into Defender for Cloud.

New auto-provisioning process for SQL Server plan (preview)

The Microsoft Monitoring Agent (MMA) will be deprecated in August 2024. Defender for Cloud has updated its strategy by replacing MMA with the release of an Azure Monitor agent auto-provisioning process targeted at SQL Server.

Revisiting the business model and pricing structure

Microsoft has revised the business model and pricing structure of Defender for Cloud plans. These changes, aimed at offering greater clarity in expenses and making the cost structure more intuitive, were made in response to customer feedback to improve the overall user experience.

Conclusion

Summer 2023 marked a period of significant innovation for Microsoft Defender for Cloud. These new features, oriented towards more integrated and simplified security management, promise to bring tangible benefits to companies, facilitating data protection and compliance in increasingly complex cloud environments.

How to extend Azure Security Center protection to all resources through Azure Arc

Azure Security Center (ASC) was originally developed with the intention of becoming the reference tool for protecting resources in the Azure environment. The strongly felt need of customers to protect resources located in environments other than Azure has led to an evolution of the solution that, thanks to integration with Azure Arc, allows you to extend the protection and security management tools to any infrastructure. This article explains how Azure Security Center and Azure Arc allow you to protect non-Azure resources located on-premises or at other cloud providers, such as virtual machines, Kubernetes services and SQL resources.

The adoption of Azure Defender using the principles of Azure Arc

Azure Arc allows you to manage workloads residing outside Azure, on the on-premises corporate network or at another cloud provider. This management experience is designed to provide consistency with native Azure management methodologies.

Because Azure Security Center and Azure Arc can be used jointly, you have the ability to offer advanced protection for three different scenarios:

Figure 1 - Protection scenarios

By enabling the Azure Defender protection of workloads at the subscription level in the Azure Security Center, it is also possible to consider the resources and workloads residing in hybrid and multicloud environments, all in an extremely simple way thanks to Azure Arc.

Azure Defender for Arc-enabled server systems

By connecting a server machine to Azure via Arc, it is treated for all intents and purposes as an Azure resource. Each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs such as Azure Policies and tagging. This applies to both Windows and Linux systems.

To offer this experience, the specific Azure Arc agent must be installed on each machine that you plan to connect to Azure ("Azure Connected Machine").

The Azure Arc Connected Machine agent consists of the following logical components:

  • The Hybrid Instance Metadata service (HIMDS), which manages the connection to Azure and the Azure identity of the connected machine.
  • The Guest Configuration agent, which provides in-guest policy and guest configuration features.
  • The Extension Manager agent, which manages the installation, uninstallation and updating of machine extensions.

Figure 2 – Azure Arc Agent Components

The Connected Machine agent requires secure outbound communication to Azure Arc on TCP port 443.

This agent provides no other features and does not replace the Azure Log Analytics agent, which remains necessary when you want to proactively monitor the operating system and workloads running on the machine.

For more information about installing Azure Arc, see the official Microsoft documentation.

Azure Arc-enabled servers can benefit from several Azure Resource Manager-related features such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Activating Azure Defender for Server with Azure Arc

Projecting server resources into Azure using Arc is a useful step to ensure that all the machines in the infrastructure are protected by Azure Defender for Servers. As with an Azure VM, it is also necessary to deploy the Log Analytics agent on the target system. To simplify the onboarding process, this agent is deployed using the VM extension, which is one of the advantages of using Arc.

Once the Log Analytics agent has been installed and connected to a workspace used by ASC, the machine will be ready to use and benefit from the various security features offered in the Azure Defender for Servers plan.

For each resource, it is possible to view the status of the agent and its current security recommendations:

Figure 3 – Azure Arc Connected Machine in ASC

If you need to onboard a non-Azure server into Azure Defender whose operating system version is not yet supported by the Azure Arc agent, you can still onboard it by installing only the Log Analytics agent on the machine.

The icons in the Azure portal allow you to easily distinguish the different resources:

Figure 4 - Icons of the different resources present in ASC

 

Azure Defender for Arc-enabled Kubernetes resources

Azure Defender for Kubernetes also allows you to protect clusters located on-premises with the same threat detection features offered for Azure Kubernetes Service clusters (AKS).

For all Kubernetes clusters other than AKS, it is necessary to connect the cluster environment to Azure Arc. Once the cluster environment is connected, Azure Defender for Kubernetes can be activated as a cluster extension on Azure Arc-enabled Kubernetes resources.

Figure 5 - Interaction between Azure Defender for Kubernetes and the Kubernetes cluster enabled for Azure Arc

The extension components collect the Kubernetes audit logs from all the nodes of the cluster control plane and send them to the back-end of Azure Defender for Kubernetes in the cloud for further analysis. The extension is registered with a Log Analytics workspace that is used for the data pipeline, but the audit logs are not stored in the Log Analytics workspace.

The extension also allows you to protect Kubernetes clusters located at other cloud providers, but it does not cover their managed Kubernetes services.

Azure Defender for Arc-enabled SQL Server resources

Azure Defender for SQL allows you to constantly monitor SQL Server implementations for known threats and vulnerabilities. These features are usable not only for virtual machines in Azure, but also for SQL Server deployed in an on-premises environment and in multicloud deployments. Azure Arc-enabled SQL Servers are also part of Azure Arc for servers. To enable Azure services, the SQL Server instance must be registered with Azure Arc using the Azure portal and a special registration script. After registration, the instance will be represented in Azure as a "SQL Server – Azure Arc" resource. The properties of this resource reflect a subset of the SQL Server configuration settings.

Figure 6 - Diagram illustrating the Azure Arc architecture for SQL Server resources


Conclusions

Managing security and maintaining control of workloads running on-premises, in Azure and on other cloud platforms can be particularly challenging. Thanks to Azure Arc, it is possible to easily extend Azure Defender coverage to workloads residing outside the Azure environment. Furthermore, Azure Security Center allows you to obtain detailed information on the security of your hybrid environment in a single centralized console, useful for effectively controlling the security of your IT infrastructure.

How to improve security postures by adopting Azure Security Center

Optimal adoption of cloud solutions, useful for accelerating the digital transformation of businesses, must include a process capable of ensuring and maintaining a high degree of security for IT resources, regardless of the deployment models implemented. Having a single infrastructure security management system that strengthens your environment's security posture and provides enhanced threat protection for workloads, wherever they reside, becomes indispensable. The Azure Security Center solution achieves these goals and can address key security challenges. This article describes the features of the solution that allow you to improve and control the security aspects of the IT environment.

The challenges of cloud security

Among the main challenges that must be faced in the security field by adopting cloud solutions we find:

  • Rapidly changing workloads. This is a double-edged sword of the cloud: on the one hand, end users can get more out of solutions; on the other hand, it becomes complex to ensure that constantly evolving services live up to their standards and follow all security best practices.
  • Increasingly sophisticated attacks. No matter where your workloads are running, security attacks adopt sophisticated and advanced techniques that require you to implement reliable procedures to counter their effectiveness.
  • Security resources and expertise that are not always sufficient to address security alerts and ensure that environments are protected. Security is an evolving front, and staying up to date is a constant and difficult challenge.

Azure Security Center can effectively respond to the challenges listed above by enabling you to prevent, detect and address security threats affecting Azure resources and workloads in hybrid and multicloud environments. Everything runs at the speed of the cloud, as the solution is natively integrated into the Azure platform and is able to ensure simple and automatic provisioning.

The security pillars covered by Azure Security Center

Azure Security Center (ASC) features support two main pillars of cloud security:

  • Cloud Security Posture Management (CSPM): ASC is available for free for all Azure subscriptions. Enabling takes place when you visit the ASC dashboard for the first time in the Azure portal or by enabling it programmatically via API. In this mode (Azure Defender OFF) features related to the CSPM area are offered, including:
    • A continuous assessment that reports recommendations related to the security of the Azure environment. ASC continually discovers newly deployed resources and assesses whether they are configured according to security best practices. If not, resources are flagged and you get a prioritized list of recommendations for what you should fix to get them protected. This list of recommendations is backed by the Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, which contains security and compliance best practices based on common frameworks. This benchmark is based on the controls of the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), with a focus on cloud-centric security.
    • Assigning a global score to your environment, which allows you to assess the risk profile and take remediation actions.
  • Cloud workload protection (CWP): Azure Defender is the CWP platform integrated in ASC that offers advanced and intelligent protection of resources and workloads residing in Azure and in hybrid and multicloud environments. Enabling Azure Defender offers a range of additional security features as described in the following paragraphs.

Figure 1 – Pillars of Azure Security Center

What types of resources can be protected with Azure Defender?

Enabling Azure Defender extends the functionality of the free mode to workloads running in private clouds, in other public clouds and in hybrid environments, providing comprehensive management and unified security.

Figure 2 – Azure Security Center security scopes

Among the main features of Azure Defender we find:

  • Microsoft Defender for Endpoint. ASC integrates with Microsoft Defender for Endpoint to provide comprehensive Endpoint Detection and Response (EDR) functionality. With this integration, you can take advantage of the following features:
    • Automated Onboarding: Once the integration is activated, the Microsoft Defender for Endpoint sensor is automatically enabled for the servers monitored by Security Center, except for Linux and Windows Server 2019 systems, for which specific configurations are necessary. Server systems monitored by ASC will also be present in the Microsoft Defender for Endpoint console.
    • Microsoft Defender for Endpoint alerts will also be displayed in the ASC console, in order to keep all reports in a single centralized console.
  • Vulnerability Assessment for Virtual Machines and Container Registries. Vulnerability scanning included in ASC is performed through the Qualys solution, which is recognized as a leader in identifying in real time any vulnerabilities present on the systems. No additional license is required to take advantage of this feature.
  • Hybrid cloud and multicloud protection. Because Azure Defender for Servers takes advantage of Azure Arc, you can simplify the onboarding process and enable the protection of virtual machines running in AWS, GCP or hybrid cloud environments. This includes several features: automatic provisioning of agents, policy management, vulnerability assessment and integrated EDR (Endpoint Detection and Response). Furthermore, thanks to the multicloud support of Azure Defender for SQL, it is possible to constantly monitor SQL Server implementations for known threats and vulnerabilities. These features are also usable for SQL Server deployed in an on-premises environment, on virtual machines in Azure and also in multicloud deployments, covering Amazon Web Services (AWS) and Google Cloud Platform (GCP).
  • Access and application controls (AAC). This solution controls which applications run on systems, allowing you to:
    • Be alerted to attempts to run malicious applications, that may potentially not be detected by antimalware solutions.
    • Respect corporate compliance, allowing the execution of only licensed software.
    • Avoid using unwanted or obsolete software in your infrastructure.
    • Control access to sensitive data that takes place using specific applications.

All this is made possible by machine learning policies, adapted to your workloads, which are used to create allow and deny lists.

  • Threat protection alerts. Thanks to the integrated behavioral analysis features, the Microsoft Intelligent Security Graph and machine learning can identify advanced attacks and zero-day exploits. When Azure Defender detects a threat anywhere in your environment, it generates a security alert. These alerts describe the details of the affected resources and the suggested remediation steps, and in some cases offer the possibility to trigger Logic Apps in response. All security alerts can be exported to Azure Sentinel, to third-party SIEM or SOAR (Security Orchestration, Automation and Response) tools, or to IT Service Management.
  • Network map. To continuously monitor the security status of the network, ASC provides a map that allows you to view the topology of the workloads and evaluate if each node is configured correctly. By checking how the nodes are connected, you can more easily block unwanted connections which could potentially make it easier for an attacker to attack your network.

The Azure Defender dashboard in ASC gives you visibility into, and specific controls over, the CWP features for your environment:

Figure 3 – Azure Defender Dashboard

Azure Defender is free for the first 30 days, after which, if you choose to continue using the service, charges apply as reported in this document.

Conclusions

Azure Security Center helps you strengthen the security posture of your IT infrastructure. Thanks to the features offered, it is possible to implement best practices globally and obtain an overview of the security field. The solution combines the knowledge gained by Microsoft in the management of its services with new and powerful technologies suitable for dealing with and managing security in a conscious and effective way.

Protection of multi-cloud environments with Azure Security Center

The tendency of companies to adopt a multi-cloud strategy is increasingly widespread, but this operating model makes it particularly challenging to achieve high security standards for your environment. To meet this need, Microsoft has officially made multi-cloud security support available in the Azure Security Center solution, allowing you to also cover Amazon Web Services (AWS) and Google Cloud Platform (GCP) resources. This article describes the features of this solution that provide a high degree of security and improve security posture in multi-cloud environments.

Azure Security Center (ASC) was originally developed as the best tool to protect resources in an Azure environment. However, the need for customers to protect resources located on multiple public clouds is widespread, and for this reason the product team has decided to expand its scope, simplifying security management in multi-cloud environments. Azure Security Center can protect not only resources in hybrid environments but also multi-cloud architectures, including AWS and GCP.

Figure 1 – Multi-cloud and hybrid protection in Azure Security Center

These are the features that are made available to users to cover multi-cloud scenarios:

  • Connecting your AWS or GCP accounts to Azure Security Center provides a unified multi-cloud view of your environment's security posture. In particular, if AWS Security Hub or GCP Security Command Center detect incorrect configurations, these findings are included in the Secure Score model and in the compliance assessment against specific regulations (Regulatory Compliance) available in Azure Security Center.
  • Because Azure Defender for Servers takes advantage of Azure Arc, you can simplify the onboarding process and enable protection for virtual machines running in AWS, GCP or hybrid cloud environments. This includes several features, such as automatic agent provisioning, policy management, vulnerability management and integrated EDR (Endpoint Detection and Response). In particular, the vulnerability assessment feature lets you run manual or large-scale scans and analyze the vulnerabilities detected on the scanned systems through a unified experience.

These features complement the multi-cloud support, also recently announced, of Azure Defender for SQL, which lets you continuously monitor SQL Server deployments to detect known threats and vulnerabilities. These capabilities are available for SQL Server running on-premises, on virtual machines in Azure and also in multi-cloud deployments, covering Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Azure Arc plays a fundamental role in all this, allowing you to extend Azure management services and principles to any infrastructure. To achieve this, Microsoft decided to extend the Azure Resource Manager model to support hybrid and multi-cloud environments, which makes it easier to apply the security features of Azure to all infrastructure components.

Figure 2 – Azure Arc for hybrid and multi-cloud environments

The onboarding process and the capabilities offered vary depending on the public cloud you intend to bring into Azure Security Center. The following paragraphs describe the features for both Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Amazon Web Services (AWS)

Onboarding your AWS account integrates AWS Security Hub with Azure Security Center. This provides complete visibility and protection for these cloud environments, including:

  • Automatic agent provisioning. ASC uses Azure Arc to deploy the Log Analytics agent on AWS instances.
  • Policy management.
  • Vulnerability management.
  • EDR (Endpoint Detection and Response) integrated.
  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and AWS Security Hub.
  • An ASC score that also includes AWS resources.
  • Regulatory compliance assessments also for AWS resources.

Once the connection with AWS Security Hub is configured correctly:

  • ASC scans the AWS environment for EC2 instances and onboards them into Azure Arc, which allows the Log Analytics agent to be installed. This provides threat protection and security recommendations.
  • ASC scans for new AWS EC2 instances every 6 hours and onboards them according to the configuration made.
  • The AWS CIS standard is shown in ASC's regulatory compliance dashboard.
  • If AWS Security Hub is enabled, its recommendations appear in the ASC portal and in the regulatory compliance dashboard a few minutes after the onboarding process completes.

Figure 3 – AWS recommendations displayed in the ASC portal

To view the active recommendations for your resources by type, you can use the Security Center asset inventory page and apply the filter for the type of AWS resource you are interested in:

Figure 4 – Display filters for AWS resources

Google Cloud Platform (GCP)

Onboarding your GCP account integrates GCP Security Command Center with Azure Security Center, giving you complete visibility and protection, in particular by providing:

  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and GCP Security Command Center.
  • An ASC score that also includes GCP resources.
  • Integration of the CIS-based GCP Security Command Center dashboards into the Azure Security Center regulatory compliance dashboard.

Once the connection with GCP Security Command Center is complete:

  • The CIS GCP standard is shown in ASC's regulatory compliance dashboard.
  • Security recommendations for resources located in GCP will appear in the Azure Security Center portal and regulatory compliance dashboard within minutes of completing onboarding.

Figure 5 – GCP recommendations displayed in the ASC portal

GCP virtual machine onboarding is currently manual, but you can adopt scripts to do it on a large scale.

On the Azure Security Center recommendations page, you can view all Azure resource security recommendations together with the AWS and GCP recommendations, obtaining a true multi-cloud view.

Conclusions

Adopting Azure Security Center as a centralized control solution, where security information from other public clouds also converges, combined with the integration with Azure Arc to extend protection to your systems, allows you to achieve a high degree of security and improve security posture in multi-cloud environments. Multi-cloud strategies will become increasingly widespread, and Microsoft will continue to expand Azure Security Center to provide the best solutions for protecting Azure, hybrid environments and multi-cloud operating models.

Microsoft Defender ATP: the protection of Linux systems

Many companies have infrastructures made up of heterogeneous server operating systems, and the difficulty of having to adopt and manage different security platforms to protect the entire machine fleet is well known. Microsoft recently announced the availability of Microsoft Defender Advanced Threat Protection (ATP), the security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats, for Linux systems as well. This article describes how to protect Linux machines with this solution and gives an overview of how Microsoft Defender Security Center lets you monitor and manage the security of the entire spectrum of client and server platforms in enterprise environments (Windows, Windows Server, macOS and Linux).

Microsoft has steadily evolved its endpoint security platform, Microsoft Defender Advanced Threat Protection (ATP), in recent years, to the point of being recognized as a leader, with the highest positioning for ability to execute, in the latest Gartner Magic Quadrant for "Endpoint Protection Platforms".

Figure 1 – Gartner Magic Quadrant "Endpoint Protection Platforms" (2019)

The ability to protect Linux systems also makes it an even more complete solution, able to offer:

  • Powerful preventive features. The solution provides real-time protection for the following types of file systems: btrfs, ecryptfs, ext2, ext3, ext4, fuse, fuseblk, jfs, nfs, overlay, ramfs, reiserfs, tmpfs, udf, and vfat.
  • A complete command-line experience to configure and manage the agent, initiate scans and manage threats.
  • Integration of alert monitoring into the Microsoft Defender Security Center.

System Requirements

Before you deploy the solution, you should verify that all the requirements of Microsoft Defender ATP in the Linux environment are met.

The Linux distributions and their versions currently supported are as follows:

  • Red Hat Enterprise Linux 7.2 or higher
  • CentOS 7.2 or higher
  • Ubuntu 16.04 LTS or higher
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Linux 7.2 or higher

The minimum supported kernel version is 3.10.0-327, and the kernel feature that must be enabled is fanotify. Fanotify is a file access notification system built into many Linux kernels that allows Microsoft Defender ATP to scan files and, if necessary, block access to threats. This feature must be dedicated exclusively to Microsoft Defender ATP: its concurrent use by other security solutions can lead to unpredictable results, including the operating system hanging.

Network Requirements

For Microsoft Defender ATP to work correctly on Linux systems, you must allow network communication to specific URLs. Microsoft lists the associated services and the URLs that the protected system must be able to reach in this spreadsheet. For more details, see this Microsoft document.

Microsoft Defender ATP uses the following proxy systems:

  • Transparent Proxy
  • Manual configuration of the static proxy

However, PAC files, WPAD and authenticated proxies are not supported. Note also that SSL inspection of the agent's traffic is not supported, for security reasons.

Deployment methods

Microsoft Defender ATP can be activated on Linux systems manually or through third-party management tools, including Ansible and Puppet, for which Microsoft documents the steps in detail. With both tools the procedure consists of the following steps:

  • Download the onboarding package from the Microsoft Defender Security Center.

Figure 2 – Download the onboarding package from the Microsoft Defender Security Center portal

  • Create the manifest (Puppet) or the YAML file (Ansible).
  • Run the deployment, which enrolls the agent and applies its configuration.

At the end of the installation process, you can fully manage the Microsoft Defender ATP component directly from the command line (bash).

Figure 3 – Running the mdatp command on a Linux machine with the component installed

Once the onboarding process is complete, you can manage Linux machines from the Microsoft Defender Security Center portal, as is the case with other operating systems.

Figure 4 – Linux devices in the Microsoft Defender Security Center portal

In the face of malware detections, alerts are reported within the Microsoft Defender Security Center:

Figure 5 – Detection timeline with Eicar test file on Linux machine

Software updates

Microsoft regularly publishes software updates to improve performance and security and to add new features to Microsoft Defender ATP for Linux. One thing to watch out for is that each version of Microsoft Defender ATP for Linux has an expiration date, after which it no longer protects the system; you must therefore update the product before that date. For the update procedure, consult this Microsoft document.

When you upgrade your Linux operating system to a new major release, you must first uninstall Microsoft Defender ATP for Linux, install the OS upgrade, and then reinstall and reconfigure Microsoft Defender ATP on the system.

Configuring the solution

In enterprise environments with many systems, Microsoft Defender ATP for Linux can be easily managed through configuration profiles. A configuration profile is simply a file with the ".json" extension made up of entries, each identified by a key (the name of the preference) followed by a value. Values can be simple, such as a number, or complex, such as a nested list of preferences.

These profiles can be distributed with whatever management tool you have available, so that they are managed centrally. Distributed preferences take precedence over preferences set locally on the system, so you retain control over the individual settings. For more details on the structure of this profile and the methods for distributing it, see this Microsoft article.
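The precedence rule just described, as an added example (not the original post's code and not Microsoft's product code): a centrally distributed profile is parsed, checked for the key/value shape the text describes, and applied over the machine's local preferences. The top-level key names follow the layout Microsoft documents for the managed profile, but every value, and the rule that a managed list replaces the local list, are assumptions of this example.

```python
"""Added example: models managed-over-local preference precedence for
Microsoft Defender ATP for Linux configuration profiles."""
import json
from typing import Any, List

# Constructed: what an administrator might have set locally on one server.
LOCAL_PREFERENCES = {
    "antivirusEngine": {
        "enableRealTimeProtection": False,  # locally switched off
        "exclusions": [
            {"$type": "excludedPath", "isDirectory": True, "path": "/var/lib/mysql"},
        ],
    },
    "cloudService": {"enabled": True, "diagnosticLevel": "optional"},
}

# Constructed: the profile distributed by the central management tool.
MANAGED_PROFILE_JSON = json.dumps({
    "antivirusEngine": {
        "enableRealTimeProtection": True,   # forced on centrally
        "exclusions": [
            {"$type": "excludedPath", "isDirectory": True, "path": "/var/log/app"},
        ],
    },
    "cloudService": {"enabled": True, "diagnosticLevel": "required"},
})


def merge_preferences(local: dict, managed: dict) -> dict:
    """Return the effective preferences: managed values override local ones.

    Nested dictionaries are merged key by key; any other value (bool, str,
    list) is replaced wholesale. Replacing a list rather than appending to it
    is this example's simplification, not documented product behaviour.
    """
    effective = dict(local)
    for key, value in managed.items():
        if isinstance(value, dict) and isinstance(effective.get(key), dict):
            effective[key] = merge_preferences(effective[key], value)
        else:
            effective[key] = value
    return effective


def validate_profile(profile: Any, path: str = "") -> List[str]:
    """Check the shape the post describes: every entry is a string key whose
    value is simple (bool/int/str) or a nested preference (dict/list).
    Returns a list of problems; an empty list means the profile is well formed."""
    problems: List[str] = []
    if isinstance(profile, dict):
        for key, value in profile.items():
            if not isinstance(key, str) or not key:
                problems.append(f"{path or '<root>'}: non-string key {key!r}")
            problems.extend(validate_profile(value, f"{path}.{key}" if path else str(key)))
    elif isinstance(profile, list):
        for i, item in enumerate(profile):
            problems.extend(validate_profile(item, f"{path}[{i}]"))
    elif profile is None or not isinstance(profile, (bool, int, str)):
        problems.append(f"{path}: unsupported value type {type(profile).__name__}")
    return problems


def effective_preferences(local: dict, managed_json: str) -> dict:
    """Parse the distributed profile, validate it, and apply it over local prefs."""
    managed = json.loads(managed_json)
    problems = validate_profile(managed)
    if problems:
        raise ValueError("invalid managed profile: " + "; ".join(problems))
    return merge_preferences(local, managed)


if __name__ == "__main__":
    print(json.dumps(effective_preferences(LOCAL_PREFERENCES, MANAGED_PROFILE_JSON), indent=2))
```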

Conclusions

Although some argue that Linux machines do not need security solutions, I personally believe that Linux systems should be properly protected just like any other operating system. Microsoft Defender ATP for Linux is constantly expanding, and exciting new features are expected in the coming months to enrich the solution with new and advanced protection capabilities. The addition of Linux to the platforms natively supported by Microsoft Defender ATP marks an important turning point for all customers who need to include these systems in a unified protection strategy. The Microsoft Defender Security Center provides a centralized solution for monitoring and managing the security of the entire server and client fleet.

Integration between Azure Security Center and Microsoft Defender ATP

Microsoft Defender Advanced Threat Protection (MDATP) is a security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats. This article discusses how Azure Security Center (ASC) integrates with this platform and which aspects to consider in order to combine their capabilities and effectively cover server protection.

Microsoft Defender Advanced Threat Protection (MDATP)

The main characteristics of Microsoft Defender Advanced Threat Protection are:

  • Advanced post-breach detection sensors: thanks to the Microsoft Defender ATP sensors for Windows Server, a wide range of behavioral signals can be collected.
  • Post-breach analysis powered by the cloud: Microsoft Defender ATP adapts quickly to changing threats because it uses the Intelligent Security Graph, with signals from Windows, Azure and Office. This powerful mechanism lets you respond quickly to unknown threats.
  • Threat intelligence: Microsoft Defender ATP generates alerts when it identifies tools, techniques and procedures used by attackers. The solution uses data generated by Microsoft's threat hunters and security teams, enriched by the intelligence provided through collaboration with various security partners.

The Microsoft Defender Advanced Threat Protection (MDATP) console is accessible at this link.

Features and benefits of integration

ASC integrates with MDATP to provide comprehensive Endpoint Detection and Response (EDR). With this integration, you can take advantage of the following features:

  • Automated onboarding: the integration automatically activates the Microsoft Defender ATP sensor on the Windows servers monitored by Security Center (except for Windows Server 2019 systems, which require specific configuration). Windows Server systems monitored by Azure Security Center will also appear in the Microsoft Defender ATP console.
  • Windows Defender ATP alerts also appear in the Azure Security Center console, so that all findings are kept in a single centralized console. However, to analyze a finding in detail, log on to the Microsoft Defender ATP console, which provides more information, such as incident graphs. From the same console you can also view the timeline of all behaviors detected on a specific system, going back up to six months.

Enabling integration between ASC and MDATP

To enable this integration, you must use the Azure Security Center (ASC) standard tier, which includes the license to activate MDATP on server systems.

  • For virtual machines in Azure you need to have the ASC standard tier at the subscription level:

Figure 1 – Activating ASC standard tier at subscription level for VMs in Azure

  • For virtual machines that don't reside in Azure, but on-premises or in other clouds, simply enable the ASC standard tier at the workspace level:

Figure 2 – Standard tier activation of ASC at the workspace level for non-Azure VMs

Furthermore, you must enable the following setting from Azure Security Center:

Figure 3 – Enabling integration between ASC and MDATP

The different ways to onboard servers are described in this Microsoft document.

When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is also created automatically (by default in Europe). If Microsoft Defender ATP was already in use before Azure Security Center, the data is stored in the location specified when the tenant was created, even if you integrate with ASC later. The location where the data is stored cannot be changed after deployment; if you need to move your data to another geographic location, contact Microsoft Support.

Figure 4 – Data Storage retention


Threat Detection

With this integration in place, when MDATP detects a threat an alert is also generated in Azure Security Center, which becomes the centralized console for collecting security findings.

Figure 5 – SecurityAlert present in the ASC workspace

Alert information can also be sent by email via Action Group:

Figure 6 - Report received by email from ASC in response to a detection of a threat

You can then open the Microsoft Defender Security Center portal to investigate the alert in depth and find all of its details.

Figure 7 – Alert details from the Microsoft Defender Security Center portal

Conclusions

Azure Security Center (ASC) and Microsoft Defender Advanced Threat Protection (MDATP) are two distinct solutions, but they are closely related, both in terms of licensing and in the operational management of server security. Thanks to this simple integration you can manage system onboarding and also bring MDATP findings into ASC, so that you can effectively monitor your environment and respond to security threats on server systems.

Azure Security Center: exports of alerts and recommendations to other solutions

Azure Security Center introduces an interesting feature that allows you to send the security information generated for your environment to other solutions. This is done through a continuous export mechanism for alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. This article describes how to use it and explores its capabilities.

Azure Security Center (ASC) carries out a continuous assessment of the environment and provides recommendations concerning its security. As described in this article, you can customize the solution to meet your own security requirements and to shape the recommendations that are generated. In the standard tier, these recommendations are not limited to the Azure environment alone: they can also cover hybrid environments and on-premises resources.

Security Center standard tier also generates alerts when potential security threats are detected on resources in your environment. ASC prioritizes and lists the alerts, provides the information you need to quickly investigate issues, and gives recommendations on how to remediate attacks.

Azure Event Hubs is a big-data streaming platform and event ingestion service. It can receive and process millions of events per second. The data sent to an Event Hub can be transformed and stored using any real-time analytics provider, or through batch or storage adapters.

The new feature introduced in Azure Security Center is called Continuous Export; it supports enterprise scenarios and allows you to do the following:

  • Export to Azure Event Hubs, for integration with third-party SIEMs and Azure Data Explorer.
  • Export to a Log Analytics workspace, for integration with Azure Monitor, which is useful for analyzing the data in more depth and for using alert rules, Microsoft Power BI and custom dashboards.
  • Export to a CSV file, for one-off data exports.

The configuration is simple and can be carried out using the following procedure.

In Azure Security Center, select the subscription for which you want to configure data export, and in the settings sidebar select Continuous Export:

Figure 1 – Continuous export in ASC's subscription settings

In this example the export is configured towards a Log Analytics workspace. You can select which recommendations to export and their severity level; likewise, for security alerts you can choose the minimum severity to export. The export creates an Azure object, so you must specify which resource group to place it in. Finally, select the target Log Analytics workspace.

Figure 2 - Configuring parameters to make the Continuous Export

The Azure Monitor integration link lets you automatically create pre-configured alert rules.

Figure 3 - Automatically create alert rules in Azure Monitor

By default these alert rules have no Action Group configured, so it is advisable to modify them so that they trigger the actions that suit your needs.

These are the two default alert rules created:

Figure 4 – Default Alert rules of Azure Monitor

Alternatively, once the ASC recommendations and alerts are flowing into a workspace, you can configure custom Azure Monitor alert rules based on Log Analytics queries.

The ASC security alerts and recommendations are stored in the SecurityAlert and SecurityRecommendations tables of the workspace. The name of the Log Analytics solution that contains these tables depends on the ASC tier: Security and Audit (standard tier) or SecurityCenterFree (free tier).
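What the export configuration and a query-based alert rule do with these two tables, as an added example (not the original post's code and not Azure Security Center's): rows below the chosen severity are not forwarded, and an alert rule fires when a Log Analytics-style query over the exported rows returns at least a threshold number of results. The table names are those on the page; the rows, their column names and the rule are constructed for this example.

```python
"""Added example: Continuous Export severity filtering and a query-based
alert rule evaluated over constructed SecurityAlert / SecurityRecommendations rows."""
from datetime import datetime, timedelta, timezone

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3}

NOW = datetime(2020, 5, 4, 12, 0, tzinfo=timezone.utc)

# Constructed SecurityAlert rows, as they might land in the workspace.
SECURITY_ALERTS = [
    {"TimeGenerated": NOW - timedelta(minutes=2), "AlertSeverity": "High",
     "AlertName": "Suspicious process executed", "CompromisedEntity": "srv-01"},
    {"TimeGenerated": NOW - timedelta(minutes=3), "AlertSeverity": "Low",
     "AlertName": "Suspicious authentication activity", "CompromisedEntity": "srv-02"},
    {"TimeGenerated": NOW - timedelta(hours=2), "AlertSeverity": "High",
     "AlertName": "Malicious credential theft tool", "CompromisedEntity": "srv-03"},
]

# Constructed SecurityRecommendations rows (column names are assumptions).
SECURITY_RECOMMENDATIONS = [
    {"RecommendationName": "Endpoint protection should be installed",
     "RecommendationSeverity": "Medium", "RecommendationState": "Unhealthy"},
    {"RecommendationName": "MFA should be enabled on accounts with owner permissions",
     "RecommendationSeverity": "High", "RecommendationState": "Unhealthy"},
    {"RecommendationName": "Vulnerabilities should be remediated",
     "RecommendationSeverity": "Low", "RecommendationState": "Healthy"},
]


def export_filter(rows, severity_field, min_severity, state_field=None):
    """Keep the rows the export configuration would forward: severity at or
    above the chosen minimum and, when a state column is given, only rows
    that still need attention (state 'Unhealthy')."""
    threshold = SEVERITY_RANK[min_severity]
    kept = []
    for row in rows:
        if SEVERITY_RANK.get(row.get(severity_field), 0) < threshold:
            continue
        if state_field and row.get(state_field) != "Unhealthy":
            continue
        kept.append(row)
    return kept


def alert_rule_hits(alerts, lookback_minutes, min_severity, now=NOW):
    """Rows returned by a rule equivalent to the Log Analytics query
         SecurityAlert
         | where TimeGenerated > ago(<lookback>)
         | where AlertSeverity in (<min_severity and above>)
    The rule fires when the result set is not empty."""
    threshold = SEVERITY_RANK[min_severity]
    since = now - timedelta(minutes=lookback_minutes)
    return [a for a in alerts
            if a["TimeGenerated"] > since
            and SEVERITY_RANK.get(a["AlertSeverity"], 0) >= threshold]


def rule_fires(alerts, lookback_minutes, min_severity, threshold_count=1, now=NOW):
    """True when the rule's result count reaches the configured threshold."""
    return len(alert_rule_hits(alerts, lookback_minutes, min_severity, now)) >= threshold_count


if __name__ == "__main__":
    for a in export_filter(SECURITY_ALERTS, "AlertSeverity", "Medium"):
        print("export:", a["CompromisedEntity"], a["AlertName"])
    print("rule fires (High, last 5 min):", rule_fires(SECURITY_ALERTS, 5, "High"))
```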

Figure 4 – Tables in Log Analytics

The configuration of Continuous Export towards Event Hubs is similar, and it is the recommended way to feed Azure Security Center recommendations and alerts into third-party SIEM solutions. The connectors for the main third-party SIEM solutions are shown below:

Azure Sentinel, on the other hand, has a native Data connector for ingesting Azure Security Center alerts.

To configure export to Azure Data Explorer, follow the procedure in this Microsoft documentation.

Conclusions

With this new feature of Azure Security Center, you can forward all the alerts and recommendations generated by the solution to other tools, opening up new integration scenarios, including with third-party solutions. All this is made possible by an easily configurable mechanism, allowing you to be notified immediately and to take action quickly. These aspects are crucial when dealing with security information.

Azure Security Center: how to customize the solution to meet your security requirements

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats affecting resources in the Azure environment and workloads in hybrid environments. By assigning a global score to your environment, it lets you assess your risk profile and take remediation action to improve your security posture. The solution is based on general recommendations, but in some cases it is appropriate to customize it to better reflect your own security policies. This article describes how to introduce this level of customization in order to increase the value provided by Azure Security Center.

Using custom security policies

The default recommendations in the solution are derived from general industry best practices and specific regulatory standards.

Figure 1 – Standard score and recommendations in Azure Security Center

The ability to add your own custom initiatives was recently introduced, so that you receive recommendations when security policies set specifically for your environment are not met. The custom initiatives you create are fully integrated into the solution and are reflected in the Secure Score and in the compliance dashboards.

To create an initiative, follow the steps below:

Figure 2 – Starting the process of creating a custom initiative

An initiative can include built-in Azure Policies or your own custom policies.

In the example below, the initiative includes the following two policies:

  • A custom policy that prevents peering with a Hub network located in a given resource group.
  • A built-in policy that verifies that Network Security Groups are applied to all subnets.

Figure 3 – Creating a custom initiative

Next, assign the custom initiative:

Figure 4 – Starting the assignment process


Figure 5 – Assigning the custom initiative


Figure 6 – Displaying the assigned custom initiative

The recommendations do not appear in Security Center immediately; currently it takes about 1 hour, after which you can see them in the following section:

Figure 7 - Custom initiative in the Regulatory Compliance section


Disable default security policy

Under certain circumstances it may be desirable to disable some of the controls present by default in Azure Security Center, because they are not appropriate for your environment and you do not want them to generate unnecessary findings. To do this, take the following steps:

Figure 8 - Access to the Security Center default policy


Figure 9 – Selecting the default Security Center policy assignment


Figure 10 – Disabling a specific policy that is present by default


Conclusions

Azure Security Center natively provides a series of controls that constantly check for conditions considered anomalous that can have a direct impact on the security of your environment. The ability to add a level of customization makes the solution more flexible and allows you to verify and enforce, at scale, security compliance policies specific to your environment. To improve your security posture it is essential to evaluate the adoption of this solution, and applying a good level of customization greatly increases its value.

Microsoft Always On VPN: transparent access to the corporate network suitable in smart working scenarios

Technology can play an important role in reducing the impact of COVID-19 on people and businesses, helping staff stay productive when they cannot be physically at their workplace. In these days of emergency, companies have been forced to quickly adopt effective solutions that allow their employees to work remotely without sacrificing collaboration, productivity and security. Several solutions can be adopted in this area, each with its own characteristics and able to meet different needs. This article presents the main features of Microsoft Always On VPN, to assess its benefits and the main use cases for the solution.

Key Features of Always On VPN

Starting with Windows Server 2016, Microsoft introduced a new remote access technology for endpoints called Always On VPN, which allows transparent access to the corporate network and is therefore particularly suitable in smart working scenarios. It is the evolution of DirectAccess, which, although effective, had some limitations that made it difficult to adopt.

As the name says, the VPN is "always on": a secure connection to the corporate network is established automatically whenever an authorized client has Internet connectivity, without requiring any user input or interaction, unless a multi-factor authentication mechanism is enabled. Remote users access business data and applications exactly as if they were in the workplace.

Always On VPN connections include the following types of tunnels:

  • Device Tunnel: the device connects to the VPN server before users log on to the device.
  • User Tunnel: it activates only after users have logged on to the device.

With Always On VPN you can have a user connection, a device connection, or a combination of both. The Device Tunnel and the User Tunnel work independently and can use different authentication methods. It is therefore possible to enable device authentication, so that the device can be managed remotely through the Device Tunnel, and user authentication for connectivity to internal resources through the User Tunnel. The User Tunnel supports SSTP and IKEv2, while the Device Tunnel supports only IKEv2.

Supported scenarios

Always On VPN is a solution for Windows 10 systems only. However, unlike DirectAccess, client devices do not have to run the Enterprise edition: all editions of Windows 10 support this technology when using the User Tunnel. In this scenario the devices can be members of an Active Directory domain, but this is not strictly necessary: the Always On VPN client can be non-domain-joined (workgroup), and therefore even user-owned. To take advantage of certain advanced features, clients may need to be joined to Azure Active Directory. Only the Device Tunnel requires systems to be domain-joined and to run Windows 10 Enterprise or Education; in this scenario the recommended version is 1809 or later.

Infrastructure requirements

The following infrastructure components are required to implement an Always On VPN architecture, many of which are typically already present in enterprises:

  • Domain Controllers
  • DNS Servers
  • Network Policy Server (NPS)
  • Certificate Authority Server (CA)
  • Routing and Remote Access Server (RRAS)

Figure 1 – Overview of VPN Always On technology

It is worth noting that Always On VPN is infrastructure-independent: it can be enabled using the Windows Routing and Remote Access (RRAS) role or any third-party VPN device. Likewise, authentication can be provided by the Windows Network Policy Server (NPS) role or by any third-party RADIUS platform.

For more details on the requirements, refer to Microsoft's official documentation.

Always On VPN in Azure environment?

In general, it is advisable to terminate VPN connections as close as possible to the resources that must be accessed. For hybrid environments there are several options for placing the Always On VPN architecture. Deploying the Remote Access role on a virtual machine in Azure is not supported; however, you can use Azure VPN Gateway with Windows 10 Always On VPN to establish both Device Tunnel and User Tunnel connections. In this case you should carefully assess the type and SKU of the Azure VPN Gateway to deploy.

Deployment types

For Always On VPN there are two deployment scenarios:

Optionally, for domain-joined Windows 10 clients, the Always On VPN deployment can include conditional access to control how VPN users access company resources.

Figure 2 – Workflow for the deployment of Always On VPN for Windows 10 client domain-joined

The Always On VPN client can be integrated with the Azure Conditional Access platform to enforce multi-factor authentication (MFA), device compliance, or a combination of the two. If the Conditional Access criteria are met, Azure Active Directory (Azure AD) issues a short-lived IPsec authentication certificate that can be used to authenticate to the VPN gateway. Device compliance uses Microsoft Endpoint Manager compliance policies (Configuration Manager / Intune), which can include the device's health attestation status as part of the compliance check for the connection.

Figure 3 – Client-side connection workflow

For more details on this deployment method you can refer to this Microsoft documentation.

Provisioning of the solution on the client

Always On VPN is designed to be deployed and managed through a mobile device management platform such as Microsoft Endpoint Manager, but third-party Mobile Device Management (MDM) solutions can also be used. Always On VPN cannot be configured or managed through Active Directory Group Policy, but if you do not have an MDM solution you can deploy the configuration manually via PowerShell.

Integration with other Microsoft solutions

Besides the cases described in the preceding paragraphs, Always On VPN can be integrated with the following Microsoft technologies:

  • Azure Multi-Factor Authentication (MFA): combined with RADIUS (Remote Authentication Dial-In User Service) and the NPS (Network Policy Server) extension for Azure MFA, VPN authentication can use multi-factor authentication mechanisms.
  • Windows Information Protection (WIP): this integration allows network policies to be applied to determine whether traffic is permitted to pass through the VPN tunnel.
  • Windows Hello for Business: in Windows 10, this technology replaces passwords with strong two-factor authentication. This authentication is a type of user credential tied to a device and uses a biometric or a PIN (Personal Identification Number).

Conclusions

Preparing your infrastructure so that endpoints can access the corporate network through Always On VPN does not require any additional software licensing cost, and the investment required in effort and resources is minimal. Thanks to this connectivity method you can offer the best user experience on the move, providing transparent and automatic access to the corporate network while maintaining a high level of security. For the reasons listed above, Always On VPN is not suitable for every usage scenario, but it is certainly worth considering wherever Windows 10 systems need remote access to corporate resources.