Category Archives: Enterprise Security

How to extend Azure Security Center protection to all resources through Azure Arc

Azure Security Center (ASC) was originally developed with the intention of becoming the reference tool for protecting resources in the Azure environment. The much felt need of customers to protect the resources located in environments other than Azure has led to an evolution of the solution that, thanks to integration with Azure Arc, allows you to extend the protection and security management tools to any infrastructure. This article explains how Azure Security Center and Azure Arc allow you to protect non-Azure resources located on-premises or on other cloud providers, as virtual machines, Kubernetes services and SQL resources.

The adoption of Azure Defender using the principles of Azure Arc

Azure Arc allows you to manage workloads residing outside Azure, on the on-premises corporate network or at another cloud provider. This management experience is designed to provide consistency with native Azure management methodologies.

Thanks to the fact thatAzure Security Center and Azure Arc can be used jointly, you have the ability to offer advanced protection for three different scenarios:

Figure 1 - Protection scenarios

By enabling the Azure Defender protection of workloads at the subscription level in the Azure Security Center, it is also possible to consider the resources and workloads residing in hybrid and multicloud environments, all in an extremely simple way thanks to Azure Arc.

Azure Defender for Arc-enabled server systems

By connecting a server machine to Azure via Arc, it is considered to all intents and purposes as an Azure resource. Each connected machine has a specific ID, is included in a resource group and benefits from standard Azure constructs such as Azure Policies and tagging. This applies to both Windows and Linux systems.

To offer this experience, the installation of the specific Azure Arc agent is required on each machine that is planned to connect to Azure ("Azure Connected Machine").

The Azure Arc Connected Machine agent consists of the following logical components:

  • TheHybrid Instance Metadata service (HIMDS) that manages the connection to Azure and the Azure identity of the connected machine.
  • TheGuest Configurationagent that provides in-guest policy and guest configuration features.
  • TheExtension Manageragent that manages installation processes, uninstalling and updating machine extensions.

Figure 2 – Azure Arc Agent Components

The Connected Machine agent requires secure outbound communication to Azure Arc on TCP port 443.

This agent provides no other features and does not replace the Azure Log Analytics agent, which remains necessary when you want to proactively monitor the operating system and workloads running on the machine.

For more information about installing Azure Arc, seethis Microsoft Official Document.

Azure Arc-enabled servers can benefit from several Azure Resource Manager-related features such as Tags, Policies and RBAC, as well as some features related to Azure Management.

Activating Azure Defender for Server with Azure Arc

The projection of server resources in Azure using Arc is a useful step to ensure that all the machines in the infrastructure are protected by Azure Defender for Server. Similar to an Azure VM, it will also be necessary to deploy the Log Analytics agent on the target system. To simplify the onboarding process this agent is deployed using the VM extension, and this is one of the advantages of using Arc.

Once the Log Analytics agent has been installed and connected to a workspace used by ASC, the machine will be ready to use and benefit from the various security features offered in the Azure Defender for Servers plan.

For each resource, it is possible to view the status of the agent and its current security recommendations:

Figure 3 – Azure Arc Connected Machine in ASC

In case there is a need to onboard a non-Azure server in Azure Defender with an operating system version not yet supported by the Azure Arc agent, however, it is possible to perform onboarding by installing only the Log Analytics agent on the machine.

The icons in the Azure portal allow you to easily distinguish the different resources:

Figure 4 - Icons of the different resources present in ASC

 

Azure Defender for Arc-enabled Kubernetes resources

Azure Defender for Kubernetes also allows you to protect clusters located on-premises with the same threat detection features offered for Azure Kubernetes Service clusters (AKS).

For all Kubernetes clusters other than AKS, is necessary connect the cluster environment to Azure Arc. Once the cluster environment is connected, Azure Defender for Kubernetes can be activated as cluster extension on Azure Arc-enabled Kubernetes resources.

Figure 5 - Interaction between Azure Defender for Kubernetes and the Kubernetes cluster enabled for Azure Arc

The extension components collect the Kubernetes audit logs from all the nodes of the cluster control plane and send them to the back-end of Azure Defender for Kubernetes in the cloud for further analysis. The extension is registered with a Log Analytics workspace that is used for the data pipeline, but the audit logs are not stored in the Log Analytics workspace.

The extension also allows you to protect Kubernetes clusters located at other cloud providers, but it does not allow you to contemplate their managed Kubernetes services.

Azure Defender for Arc-enabled SQL Server resources

Azure Defender for SQL allows you to constantly monitor SQL Server implementations for known threats and vulnerabilities. These features are also usable not only for virtual machines in Azure, but also for SQL Server activated in an on-premises environment and in multicloud deployment. Azure Arc-enabled SQL Servers are also part of Azure Arc for servers. To enable Azure services, the’SQL Server instance must be registered with Azure Arc using the Azure portal and a special registration script. After registration, the instance will be represented on Azure as a resource SQL Server – Azure Arc. The properties of this resource reflect a subset of the SQL Server configuration settings.

Figure 6 - Diagram illustrating the Azure Arc architecture for SQL Server resources


Conclusions

Manage security and maintain control of workloads running on-premises, in Azure and on other cloud platforms it can be particularly challenging. Thanks to Azure Arc, it is possible to easily extend Azure Defender coverage to workloads residing outside the Azure environment. Furthermore, Azure Security Center allows you to obtain detailed information on the security of your hybrid environment in a single centralized console, useful for effectively controlling the security of your IT infrastructure.

How to improve security postures by adopting Azure Security Center

Optimal adoption of cloud solutions, useful for accelerating the digital transformation of businesses, must include a process capable of ensuring and maintaining a high degree of security of its IT resources, regardless of the deployment models implemented. Have a single infrastructure security management system, that strengthens your environment's security postures and provides enhanced threat protection for workloads, wherever they reside, becomes an indispensable element. The Azure Security Center solution achieves these goals and can address key security challenges. This article describes the features of the solution that allow you to improve and control the security aspects of the IT environment.

The challenges of cloud security

Among the main challenges that must be faced in the security field by adopting cloud solutions we find:

  • Always rapidly changing workloads. This aspect is certainly a double-edged sword of the cloud in that on the one hand, end users have the ability to get more out of solutions, on the other hand, it becomes complex to ensure that the constantly evolving services live up to their standards and that they follow all the best security practices.
  • Increasingly sophisticated attacks. No matter where your workloads are running, security attacks adopt sophisticated and advanced techniques that require you to implement reliable procedures to counter their effectiveness.
  • Resources and skills in the security field are not always up to par to address security alerts and ensure that environments are protected. Security is an evolving front and staying up to date is a constant and difficult challenge to achieve.

Azure Security Center can effectively respond to the challenges listed above by enabling you to prevent, detect and address security threats affecting Azure resources and workloads in hybrid and multicloud environments. Everything runs at the speed of the cloud, as the solution is fully natively integrated into the Azure platform and is able to ensure simple and automatic provisioning.

The security pillars covered by Azure Security Center

Azure Security Center features (ASC) are able to sustain two great pillars of cloud security:

  • Cloud Security Posture Management (CSPM): ASC is available for free for all Azure subscriptions. Enabling takes place when you visit the ASC dashboard for the first time in the Azure portal or by enabling it programmatically via API. In this mode (Azure Defender OFF) features related to the CSPM area are offered, including:
    • A continuous assessment that reports recommendations related to the security of the Azure environment. ASC continually discovers new resources that are deployed and assesses whether they are configured based on security best practices. If not,, resources are flagged and you get a priority list of recommendations for what you should fix to get them protected. This list of recommendations is taken and supported by Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, this contains security and compliance best practices based on common frameworks. This benchmark is based on the controls of the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), with a focus on cloud-centric security.
    • Assigning a global score to your environment, that allows you to assess the risk profile and take action to take remediation actions.
  • Cloud workload protection (CWP): Azure Defender is the CWP platform integrated in ASC that offers advanced and intelligent protection of resources and workloads residing in Azure and in hybrid and multicloud environments. Enabling Azure Defender offers a range of additional security features as described in the following paragraphs.

Figure 1 – Pillars of Azure Security Center

What types of resources can be protected with Azure Defender?

Enabling Azure Defender extends the functionality of the free mode, also to workloads running in private clouds, at other public clouds and hybrid environments, providing comprehensive management and unified security.

Figure 2 – Azure Security Center security scopes

Among the main features of Azure Defender we find:

  • Microsoft Defender for Endpoint. ASC integrates with Microsoft Defender for Endpoint to provide comprehensive functionality of Endpoint Detection and Response(EDR). With this integration, you can take advantage of the following features:
    • Automated Onboarding: Once the integration is activated, the Microsoft Defender for Endpoint sensor is automatically enabled for the servers monitored by the Security Center, except for Linux and Windows Server systems 2019, for which it is necessary to make specific configurations. Server systems monitored by ASC will also be present in the Microsoft Defender for Endpoint console.
    • Microsoft Defender for Endpoint alerts will also be displayed in the ASC console, in order to keep all reports in a single centralized console.
  • Vulnerability Assessment for Virtual Machines and Container Registries. Vulnerability scanning included in ASC is done through the solutionQualys, This is recognized as a leader to identify in real time any vulnerabilities present on the systems. No additional license is required to take advantage of this feature.
  • Hybrid cloud and multicloud protection. Thanks to the fact that Azure Defender for Servers take advantage of Azure Arc you can simplify the onboarding process, and enable the protection of virtual machines running in AWS environments, GCP or hybrid cloud. All of which includes several features, including, automatic provisioning of agents, policy management, vulnerabilities and EDR (Endpoint Detection and Response) integrated. Furthermore, thanks to the multicloud support of Azure Defender for SQL, it is possible to constantly monitor SQL Server implementations for known threats and vulnerabilities. These features are also usable for SQL Server activated in an on-premises environment, on virtual machines in Azure and also in multicloud deployments, contemplating Amazon Web Services (AWS) e Google Cloud Platform (GCP).
  • Access and application controls (AAC). It is a solution that can control which applications run on systems, this allows you to do the following:
    • Be alerted to attempts to run malicious applications, that may potentially not be detected by antimalware solutions.
    • Respect corporate compliance, allowing the execution of only licensed software.
    • Avoid using unwanted or obsolete software in your infrastructure.
    • Control access to sensitive data that takes place using specific applications.

All this is made possible thanks to machine learning policies, adapt to your workloads, which are used to create authorization and denial lists.

  • Threat protection alerts. Thanks to the integrated behavioral analysis features, the Microsoft Intelligent Security Graph and machine learning can identify advanced attacks and zero-day exploits. When Azure Defender detects a threat anywhere in your environment, generates a security alert. These alerts describe the details of the affected resources, the suggested correction steps and in some cases the possibility is provided to activate Logic Apps in response. All security alerts can be exported to Azure Sentinel, in third-party SIEM or other SOAR tools (Security Orchestration, Automation and Response) or IT Service Management.
  • Network map. To continuously monitor the security status of the network, ASC provides a map that allows you to view the topology of the workloads and evaluate if each node is configured correctly. By checking how the nodes are connected, you can more easily block unwanted connections which could potentially make it easier for an attacker to attack your network.

Azure Defender dashboard in ASC allows you to have visibility and undertake specific controls on CWP features for your environment:

Figure 3 – Azure Defender Dashboard

Azure Defender is free for the first 30 days, at the end of which if you choose to continue using the service, charges will be charged as reported in this document.

Conclusions

Azure Security Center helps you strengthen the security posture of your IT infrastructure. Thanks to the features offered, it is possible to implement best practices globally and obtain an overview in the security field. The solution combines the knowledge gained by Microsoft in the management of its services with new and powerful technologies suitable for dealing with and managing the issue of security in a conscious and effective way..

Protection of multi-cloud environments with Azure Security Center

The tendency of companies to adopt a multi-cloud strategy is increasingly widespread, but this operating model makes it particularly challenging to achieve high safety standards for your environment. To meet this need, Microsoft has officially made multi-cloud security support available in the Azure Security Center solution, allowing you to also contemplate amazon web services resources (AWS) and Google Cloud Platform (GCP). this article describes the features of this solution that provides a high degree of security and improves security postures in multi-cloud environments.

Azure Security Center (ASC) was originally developed as the best tool to protect resources in an azure environment. However, the need for customers to protect resources located on multiple public clouds is widespread and for this reason the product team has decided to expand the capacity for action, simplifying security management tools in multi-cloud environments. Azure Security Center can protect not only resources in hybrid environments but also contemplate multi-cloud architectures, including AWS and GCP.

Figure 1 – Multi-cloud and hybrid protection in Azure Security Center

These are the features that are made available to users to cover multi-cloud scenarios:

  • Connecting your AWS or GCP accounts to Azure Security Center provides a unified multi-cloud view of your environment's security postures. In particular, if the solutions AWS Security Hub or GCP Security Command Center detect incorrect configurations, these reports are included in the Secure Score template and in the compliance assessment against specific regulations (Regulatory Compliance), present in Azure Security Center.
  • Thanks to the fact that Azure Defender for Servers take advantage of Azure Arc you can simplify the onboarding process, and enable the protection of virtual machines running in AWS environments, GCP or hybrid cloud. All of which includes several features, including, automatic provisioning of agents, policy management, vulnerabilities and EDR (Endpoint Detection and Response) integrated. In particular, for vulnerability assessment functionality it is possible to perform manual or large-scale scans, and analyze the vulnerabilities detected, on scanned systems, through a unified experience.

These features complement multi-cloud support, also recently announced, of Azure Defender for SQL, this allows you to constantly monitor sql server implementations to detect known threats and vulnerabilities. these features are usable for sql server enabled in an on-premises environment, on virtual machines in Azure and also in multi-cloud deployment, contemplating Amazon Web Services (AWS) e Google Cloud Platform (GCP).

The solutionAzure Arc plays a fundamental role in all this and allows you to extend azure management services and principles to any infrastructure. To achieve this, Microsoft has decided to extend the model Azure Resource Manager to support hybrid and multi-cloud environments, this makes it easier to implement the security features in Azure on all infrastructure components.

Figure 2 – Azure Arc for hybrid and multi-cloud environments

The onboarding process and capabilities offered vary depending on the public cloud you intend to incorporate into Azure Security Center. the following paragraphs provide features for both amazon web services (AWS) that for Google Cloud Platform (GCP).

Amazon Web Services (AWS)

The onboarding process of your AWS account integrates the solution AWS Security Hub with Azure Security Center. In this way it is possible to obtain complete visibility and protection of these cloud environments to provide:

  • Automatic agent provisioning. ASC uses Azure Arc to deploy Log Analytics agent on board AWS instances.
  • Policy management.
  • Vulnerability management.
  • EDR (Endpoint Detection and Response) integrated.
  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and AWS Security Hub.
  • An ASC score that also includes AWS resources.
  • Regulatory compliance assessments also for AWS resources.

The moment the connection with AWS Security Hub is configured correctly:

  • ASC scans AWS environment for EC2 instances, onboarding is done in Azure Arc, allowing log analytics agent to be installed. This gives you threat protection and gets security advice.
  • The ASC service scans new AWS EC2 instances each 6 hours and integrates them according to the configuration made.
  • The AWS CIS standard is shown in asc's regulatory compliance dashboard.
  • If the AWS Security Hub are enabled, recommendations will appear in the asc portal and regulatory compliance dashboard, after a few minutes after the completion of the onboarding process.

Figure 3 – AWS recommendations displayed in the ASC portal

To view active recommendations for your resources by type, you can use the security center asset inventory page and apply the specific filter for the type of aws resource that interests you:

Figure 4 – Display filters for AWS resources

Google Cloud Platform (GCP)

The onboarding mechanism of your GCP account allows you to integrate GCP Security Command with Azure Security Center and to have complete visibility and protection, in particular by providing:

  • Detecting security-impacting configuration errors.
  • A single view that can show ASC recommendations and GCP Security Command Center.
  • An ASC score that also includes GCP resources.
  • Integration of boards of GCP Security Command Center CIS-based within the Azure Security Center regulatory compliance dashboard.

The moment the connection with GCP Security Command completes:

  • The CIS GCP standard is shown in asc's regulatory compliance dashboard.
  • Security recommendations for resources located in GCP will appear in the Azure Security Center portal and regulatory compliance dashboard within minutes of completing onboarding.

Figure 5 – GCP recommendations displayed in the ASC portal

GCP virtual machine onboarding is currently manual, but you can adopt scripts to do it on a large scale.

On the Azure Security Center recommendations page, you can view all azure resource security recommendations along with AWS and GCP recommendations, thus obtaining a multi-cloud view.

Conclusions

The ability to adopt Azure Security Center as a centralized control solution, where security information from other public clouds also converges, combined with the possibilities given by integration with Azure Arc, to extend the protection of your systems, allows you to achieve a high degree of security and improve security postures in multi-cloud environments. Multi-cloud strategy adoption will become increasingly widespread, and Microsoft will continue to expand Azure Security Center to provide the best solutions to protect Azure, hybrid environments and multi-cloud operating models.

Microsoft Defender ATP: the protection of Linux systems

Many companies have infrastructures consisting of heterogeneous server operating systems and the difficulty of having to adopt and manage different security platforms to ensure protection of the entire machine fleet is known.. Microsoft recently announced the availability of Microsoft Defender Advanced Threat Protection (ATP), the security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats, also for Linux systems. This article describes how to protect Linux machines with this solution and provides an overview of how Microsoft Defender Security Center enables you to monitor and manage the security of the entire spectrum of client and server platforms in enterprise environments (Windows, Windows Server, macOS and Linux).

Microsoft has steadily evolved its endpoint security platform in recent years Microsoft Defender Advanced Threat Protection (ATP), to the point of being recognized as a leader, also getting the highest positioning in the execution capacity, in the last Gartner quadrant of "Endpoint Protection Platforms".

Figure 1 – Gartner Magic Quadrant "Endpoint Protection Platforms" (2019)

The ability to protect Linux systems also makes it an even more complete solution, able to offer:

  • Powerful preventive features. The solution provides real-time protection for the following types of file systems: btrfs, ecryptfs, ext2, ext3, ext4, fuse, fuseblk, jfs, nfs, overlay, ramfs, reiserfs, tmpfs, udf, and vfat.
  • A complete command-line experience to configure and manage the agent, initiate scans and manage threats.
  • An integration into alert monitoring within the Microsoft Defender Security Center.

System Requirements

Before you deploy the solution, you should verify that all the requirements of Microsoft Defender ATP in the Linux environment are met.

The Linux distributions and their versions currently supported are as follows:

  • Red Hat Enterprise Linux 7.2 or higher
  • CentOS 7.2 or higher
  • Ubuntu 16.04 LTS or higher
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Linux 7.2 or higher

The minimum supported kernel version is the 3.10.0-327 and the feature that must be enabled is fanotify. Fanotify is a file access notification system built into many Linux kernels that allows Microsoft Defender ATP to scan files and, if necessary, block access to threats. The use of this feature must be totally dedicated to Microsoft Defender ATP, as the joint use of this feature by other security solutions, can lead to unpredictable results, including blocking the operating system.

Network Requirements

For Microsoft Defender ATP to work correctly on Linux systems, you must allow proper network communication to specific URLs. In this spreadsheet Microsoft lists the associated services and URLs that the protected system must be able to connect to. For more details on this, see this Microsoft-specific document.

Microsoft Defender ATP uses the following proxy systems:

  • Transparent Proxy
  • Manual configuration of the static proxy

However, are not supported PAC files, WPAD and authenticated proxies. Please also note that SSL inspection mechanisms are not supported for security reasons.

Deployment methods

Microsoft Defender ATP activation on Linux systems can be done manually or through third-party management tools, including Ansible and Puppet, Microsoft documents in detail the steps to follow. Both tools have the following steps::

  • Download the onboarding package from the Microsoft Defender Security Center.

Figure 2 – Download the onboarding package from the Microsoft Defender Security Center portal

  • Creating the manifest (Puppet) or the YAML file (Ansible).
  • Deployment that involves the enrollment of the agent and its configurations.

At the end of the installation process, you can fully manage the Microsoft Defender ATP component directly through bash.

Figure 3 – Running the mdadp command from a Linux machine with the component installed

Once the onboarding process is complete, you can manage Linux machines from the Microsoft Defender Security Center portal, as is the case with other operating systems.

Figure 4 – Linux devices in the Microsoft Defender Security Center portal

In the face of malware detections, alerts are reported within the Microsoft Defender Security Center:

Figure 5 – Detection timeline with Eicar test file on Linux machine

Software updates

Microsoft regularly publishes software updates to improve performance, security and provide new features for Microsoft Defender ATP for Linux. One thing to watch out for is that each version of Microsoft Defender ATP for Linux has an expiration date, after which it will no longer continue to protect the system, therefore, you must update the product before that date. For the procedure to update the solution, you can consult this document of Microsoft.

When you upgrade your Linux operating system to a new major release, you must first uninstall Microsoft Defender ATP for Linux, install the update and then reconfigure Microsoft Defender ATP on the system.

Configuring the solution

In enterprise environments that have multiple systems, Microsoft Defender ATP for Linux can be easily managed through configuration profiles. The configuration profile is nothing more than a file with an extension ".json" composed of different voices, identified by a key (denoted the name of the preference) followed by a value. Values can be simple, as a numeric value, or complex, as a nested list of preferences.

These profiles can be distributed by the management tool available to you, going to manage it centrally. Distributed preferences will take precedence over locally set preferences on the system so that you can better govern the different settings. For more details on the structure of this profile and the methodologies to be used for its distribution, see this article of Microsoft.

Conclusions

Although there are those who say that Linux machines do not need security solutions, I personally believe that linux systems should also be properly protected as with any other operating system. Microsoft Defender ATP for Linux is constantly expanding and exciting new features are expected in the coming months to enrich the solution with new and advanced protection features. The addition of Linux to the platforms natively supported by Microsoft Defender ATP marks an important turning point for all customers who need to also include these systems in a unified protection strategy. The Microsoft Defender Security Center provides a centralized solution for monitoring and managing the security of the entire server and client machine fleet.

Integration between Azure Security Center and Microsoft Defender ATP

Microsoft Defender Advanced Threat Protection (MDATP) is a security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats. This article discusses how Azure Security Center (ASC) is able to integrate with this platform and what are the aspects to consider to combine the different potentials and effectively contemplate the protection of servers.

Microsoft Defender Advanced Threat Protection (MDATP)

The main characteristics of the solution Microsoft Defender Advanced Threat Protection:

  • Advanced post-breach detection sensors: Thanks to sensors from Microsoft Defender ATP for Windows Servers, a wide range of behavioral signals can be collected.
  • Ability to perform post-breach checks by leveraging the power of the cloud: Microsoft Defender ATP is able to quickly adapt to changing threats as it uses the Intelligent Security Graph with signals from Windows, Azure and Office. With this powerful mechanism, you can respond quickly to unknown threats.
  • Threat intelligence: Microsoft Defender ATP generates alerts when it identifies tools, techniques and procedures used by attackers. The solution uses data generated by Microsoft 'hunters' and security teams, enriched by the intelligence provided by collaboration with different security partners.

The Microsoft Defender Advanced Threat Protection console (MDATP) is accessible to this link.

Features and benefits of integration

ASC integrates with MDATP to provide comprehensive Endpoint Detection and Response (EDR). With this integration, you can take advantage of the following features:

  • Automated Onboarding: the integration automatically activates the Microsoft Defender ATP sensor for Windows servers monitored by Security Center (except for systems Windows Server 2019, for which it is necessary to make specific configurations). Windows Server systems monitored by Azure Security Center will also be present in the Microsoft Defender ATP console.
  • Windows Defender ATP alerts will also appear in the Azure Security Center console, in order to keep all reports in a single centralized console. However, to perform a detailed analysis of the reports, please log on to the Microsoft Defender ATP console, which provides more information such as incident charts. From the same console, you can also view the timeline of all detected behaviors for a specific system, for a historical period of up to six months.

Enabling integration between ASC and MDATP

To enable this integration, you must use Azure Security Center (ASC) standard tier, which includes the license to activate MDATP on server systems.

  • For virtual machines in Azure you need to have the ASC standard tier at the subscription level:

Figure 1 – Activating ASC standard tier at subscription level for VMs in Azure

  • For virtual machines that don't reside in Azure, but on-premises or in other clouds, simply enable the ASC standard tier at the workspace level:

Figure 2 – Standard tier activation of ASC at the workspace level for non-Azure VMs

Furthermore, you must enable the following setting from Azure Security Center:

Figure 3 – Enabling integration between ASC and MDATP

To see the different ways to onboard servers, you can access this Microsoft's document.

When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is also automatically created (by default in Europe). If the Microsoft Defender ATP solution is used before using Azure Security Center, the data will be stored in the location specified when creating the tenant, even if you integrate with ASC later. The location where the data is stored cannot be changed post-deployment, but if you need to move your data to another geographic location, you should contact Microsoft Support.

Figure 4 – Data Storage retention

 

Threat Detection

In the presence of this integration, against a threat detection by MDATP, an alerts is also generated in the Azure Security Center, which becomes the centralized console for the collection of security reports.

Figure 5 – SecurityAlert present in the ASC workspace

Alert information can also be sent by email via Action Group:

Figure 6 - Report received by email from ASC in response to a detection of a threat

You can access the Microsoft Defender Security Center portal to investigate the alert in depth, where you will find the details.

Figure 7 – Alert details from the Microsoft Defender Security Center portal

Conclusions

Azure Security Center (ASC) and Microsoft Defender Advanced Threat Protection (MDATP) are two distinct solutions, but with important relationships, both as regards the aspects relating to licensing and for the operational management of the security of server systems. Thanks to this simple integration you can manage systems onboarding and also include MDATP reports in ASC, so you can effectively monitor your environment and respond to security threats on server systems.

Azure Security Center: exports of alerts and recommendations to other solutions

Azure Security introduces an interesting feature that allows you to send security information generated by your environment to other solutions. This is done through a continuous export mechanism of alerts and recommendations to Azure Event Hubs or to Azure Monitor Log Analytics workspaces. This feature opens up new integration scenarios for Azure Security Center. This article describes how to use this feature and delves into its features.

Azure Security Center (ASC) carries out a continuous assessment of the environment and is able to provide the recommendations concerning the security of the environment. As described in this article you can customize the solution to meet your own security requirements and the recommendations that are generated. In the standard tier, these recommendations may not be limited to the Azure environment alone, but it will also be possible to contemplate hybrid environments and on-premises resources.

Standard Security Center also generates alert when potential security threats are detected on resources in your environment. ASC sets priorities, lists the alerts, provides the information you need to quickly investigate issues and provides recommendations on how to resolve attacks.

Azure Event Hubs is a streaming platform for big data and a service for the ingestion of events. Can receive and process millions of events per second. The data sent to a Event Hub can be transformed and stored using any real-time analytics provider or batch or storage adapters.

The new feature that was introduced in the Azure Security Center is called Continuos Export, supports enterprise scenarios and allows you to do the following:

  • Export to Azure Event Hubs to gain integration with third-party SIEMs and Azure Data Explorer.
  • Export to a Log Analytics workspace to have an integration with Azure Monitor, useful to better analyze data, use Alert rule, Microsoft Power BI and customized dashboards.
  • Export in a CSV file, for individual data exports (one shot).

The configuration is simple and can be carried out using the following procedure.

In Azure Security Center, you select the subscription for which you want to configure data export, and in the settings sidebar you select Continuos Export:

Figure 1 – Continuous export in ASC's subscription settings

In this case you chose to configure the export to a Log Analytics workspace. You can select which recommendations to export and their severity level. Also for security alerts you can choose for which level to export. Export creates an object, therefore, you should specify which resource group to place it in.. Finally, you will need to select the Log Analytics target workspace.

Figure 2 - Configuring parameters to make the Continuous Export

The link for integration with Azure Monitor provides the ability to automatically create Alert rule already pre-configured.

Figure 3 - Automatically create alert rules in Azure Monitor

By default these alert rules do not constitute the Action Group, therefore it is advisable to modify them to do a trigger to suit your needs.

These are the two default alert rules created:

Figure 4 – Default Alert rules of Azure Monitor

Alternatively, having gone into the recommendations and the ASC alerts in a workspace, you can configure in the Azure Monitor Alert rule customized based on Log Analytics query.

The security alerts and the ASC recommendations are stored in tables SecurityAlert and SecurityRecommendations of the workspace. The name of the Log Analytics solution that contains these tables is relative to the ASC tier, which can then be Security and Audit (standard tier) or SecurityCenterFree (tier free).

Figure 4 – Tables in Log Analytics

The configuration of Continuos Export towards Event Hubs is similar and it is the best methodology to incorporate the recommendations and the Azure Security Center alerts with third-party SIEM solutions. Following, shows the connectors for the main third-party SIEM solutions:

In Azure Sentinel is instead available Data connector , it is native to contemplate the Azure Security Center alerts.

To configure exports to Azure Data Explorer you can use the procedure in this Microsoft documentation.

Conclusions

With this new feature introduced in Azure Security Center, you can consolidate all the alerts and recommendations generated by the solution to other tools, opening up new possible integration scenarios even with third-party solutions. All this is made possible through an easily configurable mechanism, allowing you to be notified immediately and quickly take action. These aspects are crucial when dealing with security information.

Azure Security Center: how to customize the solution to meet your security requirements

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect resources in the Azure environment and workloads in hybrid environments. By assigning a global score to your environment, you can assess your risk profile and act to take remediation action in order to improve the security posture. The solution is based on general recommendations, but in some cases it is appropriate to customize it to better contemplate your security policies. This article describes how you can introduce this level of customization in order to increase the value provided by Azure Security Center.

Using custom security policies

The default recommendations in the solution are derived from general industry best practices and specific regulatory standards.

Figure 1 – Standard score and recommendations in Azure Security Center

Recently was introduced the ability to add your own Initiatives custom, to receive recommendations if security policies specifically set for your environment are not met. The custom initiatives that are created are fully integrated into the solution and will be covered in Secure Score and in compliance dashboards.

To create a initiative you can follow the steps below:

Figure 2 – Starting the process of creating a custom initiative

Within the Initiatives you can include Azure Policies built into your solution or your own custom policies.

In the example below, theinitiative includes the following two policies:

  • A custom that prevents peering against a Hub network that is in a given resource group.
  • A bult-in that verifies that Network Security Groups are applied to all subnets.

Figure 3 – Creating a custom initiative

Following, you need to proceed with the assignment of theinitiative custom:

Figure 4 – Starting the assignment process

 

Figure 5 – Assigning the custom initiative

 

Figure 6 – Displaying the assigned custom initiative

The display of the recommendations in Security Center is not immediate, but currently it takes about 1 hour and you can see it in the following section:

Figure 7 - Custom initiative in the Regulatory Compliance section

 

Disable default security policy

Under certain circumstances it may be desirable to disable certain controls present by default in the Azure Security Center solution, as they are not appropriate for your environment and you do not want to unnecessarily generate the events. To do this, you can take the following steps::

Figure 8 - Access to the Security Center default policy

 

Figure 9 – Selecting the default Security Center policy assignment

 

Figure 10 – Disabling a specific policy that is present by default

 

Conclusions

Azure Security Center natively provides a series of controls to constantly check for conditions that are considered anomalous and can have a direct impact on the security of your environment. The ability to introduce a level of customization into your solution, makes it more flexible and allows you to verify and apply security compliance policies on a large scale that are specific to your environment. To improve security postures it is essential to evaluate the adoption of this solution and applying a good level of customization it greatly increases its value.

Microsoft Always On VPN: transparent access to the corporate network suitable in smart working scenarios

Technology can play an important role in reducing the impact of COVID-19 on people and business realities, helping staff stay productive when it is not able to be physically at his workplace. In these days of emergency, companies have been forced to adopt effective solutions quickly to allow their employees to work remotely without sacrificing collaboration, productivity and security. The solutions that can be adopted in this area are different, each with its own characteristics and peculiarities, able to meet different needs. This article presents the main features of the technology Microsoft Always On VPN, to assess the benefits and what are the main use cases of the solution.

Key Features of Always On VPN

Starting with Windows Server 2016 and later Microsoft introduced a new remote access technology for endpoints called Always On VPN that allows transparent access to the corporate network, making it particularly suitable in smart working scenarios. It is the evolution of the technology DirectAccess and, however effective, it presented some limitations that made it difficult to adopt.

As the name tell, VPN is “always active”, In fact, a secure corporate network connection is established automatically whenever an authorized client has Internet connectivity, all without requiring user input or interaction, unless a multi-factor authentication mechanism is enabled. Remote users access business data and applications in the same way, just as if they were in the workplace.

Always On VPN connections include the following types of tunnels:

  • Device Tunnel: the device connects to the VPN server before users log on to the device.
  • User Tunnel: it activates only after users have logged on to the device.

Using Always On VPN you can have a user connection, a device connection, or a combination of both. Both the Device Tunnel that the User Tunnel they work independently and can use different authentication methods. It appears therefore possible to enable the device authentication to manage it remotely through the Device Tunnel, and enable user authentication for connectivity to internal resources through the User Tunnel. The User Tunnel supports SSTP, and IKEv2, while the Device Tunnel only supports IKEv2.

Supported scenarios

Technology Always On VPN is a solution only for systems Windows 10. However, unlike DirectAccess, client devices don't have to run the Enterprise edition, but all versions of Windows 10 support this technology, adopting the tunnel type defined User Tunnel. In this scenario, the devices can be members of an Active Directory domain, but this is not strictly necessary. The Always On VPN client can be nondomain-joined (workgroup), therefore also owned by the user. To take advantage of certain advanced features, clients may be to join Azure Active Directory. Only for use Device Tunnel systems are required to join a domain and must have Windows 10 Enterprise or Education. In this scenario, the recommended version is 1809 or later.

Infrastructure requirements

The following infrastructure components are required to implement an Always On VPN architecture, many of which are typically already active in the business realities:

  • Domain Controllers
  • DNS Servers
  • Network Policy Server (NPS)
  • Certificate Authority Server (CA)
  • Routing and Remote Access Server (RRAS)

Figure 1 – Overview of VPN Always On technology

In this context it is appropriate to specify that Always On VPN is infrastructure-independent and can be activated by using the Windows Routing and Remote Access role (RRAS) or by adopting any third-party VPN device. Authentication can also be provided by the Windows Network Policy Server role (NPS) or from any third-party RADIUS platform.

For more details on the requirements, please refer to the Microsoft's official documentation.

Always On VPN in Azure environment?

In general,, it is advisable to establish VPN connections to endpoints as close as possible to the resources that must be accessed. For hybrid realities, there are several options for positioning the architecture Always On VPN. Deploying the Remote Access role on a virtual machine in Azure environment is not supported, however, you can use Azure VPN Gateway with Windows 10 Always On, to establish tunnels of both type Device Tunnel and User Tunnel. In this regard it should be noted that it is appropriate to make the correct assessments of the type and of the SKU to deploy Azure VPN Gateway.

Deployment types

For Always On VPN there are two deployment scenarios:

The deployment of Always On VPN can predict optionally, for client Windows 10 joined to domain, to configure conditional access to adjust how VPN users access company resources.

Figure 2 – Workflow for the deployment of Always On VPN for Windows 10 client domain-joined

The client Always On VPN can be integrate with the platform Azure Contitional Access to force multi-factor authentication (MFA), device compliance or a combination of these two aspects. If meets the Contitional Access criteria, Azure Active Directory (Azure AD) issues a short-lived IPsec authentication certificate that can be used to authenticate to the VPN gateway. Device compliance uses Microsoft Endpoint Manager compliance policies (Configuration Manager / Intune), which may include the status of integrity attestation of the device, as part of the compliance check for the connection.

Figure 3 – Client-side connection workflow

For more details on this deployment method you can refer to this Microsoft documentation.

Provisioning of the solution on the client
Always On VPN is designed to be deployed and managed using a mobile device management platform such as Microsoft Endpoint Manager, but you can also use Mobile Device Management solutions (MDM) of third party. For Always On VPN there is no support for the configuration and management via Group Policy in Active Directory, but if you do not have a MDM solution it is possible to proceed with a manual deploy of the configuration via PowerShell.

Integration with other Microsoft solutions

Besides the cases specified in the preceding paragraphs, technology Always On VPN can be integrated with the following Microsoft technologies:

  • Azure Multifactor Authentication (MFA): when combined with RADIUS services (Remote Authentication Dial-In User Service) and the extension NPS (Network Policy Server) for Azure MFA, VPN authentication can exploit multi-factor authentication mechanisms.
  • Windows Information Protection (WIP): thanks to this integration is permitted the application of network criteria for determining if traffic is permitted to pass through the VPN tunnel.
  • Windows Hello for Business: in Windows 10, this technology replaces passwords, providing authentication mechanism with two strong factors. This authentication is a type of user credentials related to a device and use a PIN (Personal Identification Number) biometric or personal.

Conclusions

Prepare your infrastructure to allow the endpoint to access the corporate network through technology Always On VPN it does not require any additional cost for software licenses and the necessary investments both in terms of effort and resources are minimal. Thanks to this connectivity method you can ensure the best user experience on the move, providing a transparent and automatic access to the corporate network while maintaining a high level of security. For the aspects listed above technology Always On VPN is not suitable for all usage scenarios, but it is certainly to be considered in the presence of systems Windows 10 that need remote access to corporate resources.

Azure Security: Best Practices to improve Security Posture

The tendency to have more frequently solutions in the cloud and hybrid architectures requires you to adopt high security standards for your environment. But how do you get effective cloud security for Azure and what best practices you should follow? This article summarizes the key practices that you should use in Azure to ensure a high level of security and improve security postures.

MFA activation and restrictions for administrative access

For users with administrative rights, authentication should be enabled using administrative Multi-factor Authentication (MFA). In this regard it is very interesting to evaluate passwordless authentication mechanisms that require that the password be replaced with something that you own more something that you are or that you know.

Microsoft currently offers three distinct passwordless authentication scenarios:

Azure Active Directory provides the ability to enable MFA mechanisms, including passwordless authentication. MFA mechanisms based on text messages are easier to bypass, so it's good to target different Multi-factor authentication mechanisms or passwordless.

Minimize the number of people and their time, for administrative access to Azure resources, it is a practice to be adopted because it reduces the possibility of an attacker obtaining administrative access or an authorized user inadvertently affecting a specific resource. To enable authorized users to perform administrative actions, you can offer just-in-time privileged access (JIT) Azure and Azure AD resources. To do this, the Azure Active Directory service is adopted (Azure AD) Privileged Identity Management (PIM) which allows you to manage, controlling and monitoring access to company resources is a good practice to take.

Another key aspect to consider is the use of secure and isolated workstations for sensitive roles. In this official Microsoft document you can get to obtain more details about it.

Segmentation and adoption of the Zero Trust model

The security model, definedZero trust and in contrast with the conventional models based on perimeter security, involves adopting an approach to micro-segmentation and the definition of granular perimeters in your network architecture. To contain security risks, it is good to adopt a clear and simple segmentation strategy, allowing stakeholders with a clear understanding, to facilitate and monitor effective management. It will also be useful to assign the necessary permissions and appropriate network controls.

In this regard, we report a reference design regarding the Azure administrative model:

Figure 1 – Reference Design – Azure Administration Model

The following illustration shows the typical Hub-Spoke network model, where theHub is a virtual network in Azure that serves as a point of connectivity to the on-premises network andSpoke are virtual networks running the peering with the Hub and can be used to isolate workloads.

Figure 2 – Reference Enterprise Design – Azure Network Security

Adoption of an appropriate "Firewall Strategy"

Adopting a firewall solution in the Azure environment to better protect and segregate network flows is now mandatory.

The choice may involve the adoption of:

  • Microsoft solutions fully integrated into the platform, such as Azure Firewall, flanked by Web App Firewall (WAF) of the Application Gateway, an application load balancer (OSI layer 7) for web traffic, that allows you to govern HTTP and HTTPS applications traffic. The Web Application Firewall Module (WAF) for web publications achieves an application protection, based on OWASP Core Rule sets rules. The WAF protects applications from vulnerabilities and common attacks , such as X-Site Scripting and SQL Injection attacks. These solutions are suitable for most of the scenarios and offer intrinsic high availability and scalability functionality as well as a simple configuration and centralized management.
  • Solutions provided by third-party vendors that are available in the Azure Marketplace. The Network Virtual Appliances (NVAs) are numerous, and can provide advanced features and provide continuity in the user experience compared to solutions already active in the on-premises environment. Typically the configuration of these solutions is more complex and the cost tends to be higher than Microsoft solutions.

Choosing a DDoS Mitigation Solution for critical applications

Very important is the protection of all critical applications from distributed denial-of-service cyberattacks (DDoS – Distributed Denial of Service). These attacks are aimed at deliberately to exhaust the resources of a given system that provides a service to clients, such as a website that is hosted on web servers, to the point that it will no longer be able to provide these services to those who require it in a legitimate way.

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

Figure 3 - Comparison of the features available in different tiers for DDoS Protection

The protectionBasic is enabled by default in the Azure platform, which constantly monitors the traffic and enforces real-time mitigation of the most common network attacks. This tier provides the same level of protection adopted and tested by Microsoft online services and operates for the public IP addresses of Azure (IPv4 and IPv6). No configuration is required for the Basic tier.

The Azure DDoS ProtectionStandard provides additional mitigation capabilities compared to Basic tier, which are optimized specifically for the resources in Azure virtual network. Security policies are auto-configured and are optimized by a specific network traffic monitoring and by applying machine learning algorithms, that allow you to profile in the most appropriate and flexible way your application studying the traffic generated. In the moment in which the thresholds set in the policy of DDoS are exceeded, DDoS mitigation process is automatically started, and it is suspended when it falls below the traffic thresholds established. These policies are applied to all public IP of Azure (IPv4) associated with resources present in the virtual network, such as: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.

Azure Security Center Adoption

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats that affect the resources and workloads on hybrid environments. To improve the security posture of your Azure environment is essential to assess the adoption of this solution, it is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is totally free and it will do a continuously assessment, providing recommendations relating to the security of the Azure environment.
  • Standard tier. Compared to tier free adds enhanced threat detection, using behavioral analysis and machine learning to identify zero-day attacks and exploits. Through machine learning techniques and through the creation of whitelist is possible to control the execution of applications to reduce exposure to network attacks and malware. Furthermore, the standard level adds the ability to perform in an integrated manner a Vulnerability Assessment for virtual machines in Azure. Azure Security Center Standard supports several resources including: VMs, Virtual machine scale sets, App Service, SQL servers, and Storage accounts.

Figure 4 - Comparison between the tiers of Azure Security Center

Azure Security Center assigns a score to your environment, useful for monitoring the risk profile and for try to constantly improve the security postures, applying remediation actions. Good rule is to verify on a regular basis (least monthly) the security score provided by Azure Security Center and program initiatives aimed at improving specific areas. Furthermore, it is recommended to carefully check the alert that Security Center Standard generates when it detects potential security threats on its resources. Security Center sets priorities, lists the alerts, provides the information needed to quickly examine the problems and provides advice on how to resolve any attacks.

Introduce security in development and release stages

The adoption of DevOps models to deploy Azure applications and services enable, as well as providing maximum agility, to obtain benefits in terms of security. In DevOps models can be engaged in development and management stages the teams dedicated to quality control and security throughout the application lifecycle. Using Infrastructure-as-Code processes(IaC) it is possible to define and monitor the compliance on a large scale.

Do not use legacy technologies

In Azure environment it is not recommended the adoption of classical Network Intrusion Detection System (NIDS) and Network Intrusion Prevention Systems (NIPS) since the platform is able to filter out malformed packets natively. The solutions NIDS / NIPS are generally based on outdated signature-based approaches that can be easily removed during attempted attacks and generally produce a high false positive rate.

Conclusions

Achieve a high level of security in Azure environments is a major challenge that needs to be won and it requires constant monitoring, review and updating of security postures. This article have been reported those that are considered the main best practices of security offered by a direct field experience, which it is always good to enrich them by taking further precautions.

Azure Security: how to do a Vulnerability Assessment using azure Security Center

Azure Security Center, the cloud solution that allows you to prevent, detect and respond to security threats affecting Azure resources and workloads in hybrid environments, recently enhanced with the ability to integrate a Vulnerability Assessment for Virtual Machines in Azure. This article explains how you can complete a vulnerability assessment process by using the Azure Security Center, examining the characteristics of the solution.

Vulnerability scanning included in Azure Security Center (ASC) is done through the solution Qualys, which is recognized as a leading tool for real-time identification of potential vulnerabilities in the systems. In order to use this feature you must adhere to the standard tier of Security Center, and in this case you will need to not incur additional licensing fees. The Standard tier also adds advanced threat detection (including threat intelligence), behavioral analysis, anomaly detection and security incidents and reports of conferral of threats.

If you wish to keep the tier free of ASC you can still make the deployment of solutions to perform a vulnerability assessment, which Qualys and Rapid7, but it is necessary to provide the management of the licensing costs, the distribution and configuration. For more details about the cost of Azure Security Center and for a comparison between the Free and the Standard tier, see the Microsoft's official documentation.

The most immediate and rapid method to scan for vulnerabilities in Azure is using the integrated solution Qualys in the Standard Tier of Azure Security Center. To enable it, simply go to the ASC Recommendations and select “Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)“, come mostrato dall’immagine seguente:

Figure 1 - Recommendation of Azure Security Center to enable vulnerability assessment solution

Selecting this option Azure virtual machines are divided into the following categories:

  • Healthy resources: systems where the extension has been deployed to complete a vulnerability scan.
  • Unhealthy resources: machines where you can enable the extension to scan for vulnerabilities.
  • Not applicable resources: systems where the extension is not present and that it is not possible to enable it because they belong to the ASC tier free or because the operating system is among those not supported. Among the supported operating systems are: RHEL 6.7/7.6, Ubuntu 14.04/18.04, Centos 6.10/7/7.6, Oracle Linux 6.8/7.6, SUSE 12/15, and Debian 7/8.

Figure 2 - Enabling the solution

Selecting the machines of interest and pressing the button Remediate will be onboarded to the built-in Vulnerability Assessment solution. As a result, the specific extension will be installed on the systems and the first scan will be automatically started at the end of the installation.. The extesion is based on the Azure Virtual Machine agent and therefore runs in the Local Host context on Windows systems, and Root on Linux ones.

The names of the extension that will be present on the enabled systems are listed, for which the provider will always be Qualys:

  • Linux Machines: “LinuxAgent.AzureSecurityCenter”
  • Windows Machines: “WindowsAgent.AzureSecurityCenter”

As for extension updates, the same rules apply to other extensions, so the fewest versions of Qualys' scanner will be automatically deployed following an in-depth testing phase.. In some cases, you may need manual actions to complete the upgrade.

After the scan is complete, any vulnerabilities detected on the systems will be reported in the Recommendations by ASC.

Figure 3 – ASC notification reporting the presence of recommendations for intercepted vulnerabilities

Selecting the recommendation provides details of all vulnerabilities detected, severity and its status:

Figure 4 – List of detected security vulnerabilities

By selecting the single vulnerability you can see the details, potential impacts, remediation actions and affected systems.

Figure 5 – Information reported for each individual vulnerability detected

Conclusions

To strengthen the security posture of your environment you definitely should consider adopting Azure Security Center in the standard tier, that among the various functionality it allows to check that they are applied in a strict manner all safety criteria and allows to constantly monitor the compliance criteria. The inclusion in the solution of a vulnerability assessment tool, provided by Qualys, industry leader, adds further value to the solution, also be able to draw on the knowledge gained by this vendor in the discovery of vulnerabilities.