Category Archives: Enterprise Security

Azure Security: Best Practices to improve Security Posture

The growing adoption of cloud and hybrid architectures requires high security standards for your environment. But how do you achieve effective cloud security in Azure, and which best practices should you follow? This article summarizes the key practices to apply in Azure to ensure a high level of security and improve your security posture.

MFA activation and restrictions for administrative access

Multi-factor authentication (MFA) should be required for every user with administrative rights. It is also worth evaluating passwordless authentication mechanisms, which replace the password with something you have (a device or security key) combined with something you are (biometrics) or something you know (a PIN).

Microsoft currently offers three distinct passwordless authentication scenarios:

Azure Active Directory provides the ability to enable MFA mechanisms, including passwordless authentication. MFA based on text messages (SMS) is the easiest to bypass, for example through SIM swapping, so prefer other MFA mechanisms such as authenticator apps or hardware security keys, or passwordless authentication.
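One way to enforce the "MFA for administrators" practice above is a Conditional Access policy that targets directory roles instead of individual accounts, so that anyone activated into an admin role is covered. The following is an added example, not code from the original article; it assumes the AzureADPreview PowerShell module (2.0.2.x or later), an account with the Conditional Access Administrator role, and a placeholder object ID for the emergency-access account.

```powershell
# Added example (not from the article): Conditional Access policy requiring MFA
# for every sign-in by holders of selected directory roles.
# Assumes: AzureADPreview module, Conditional Access Administrator signed in.
Connect-AzureAD

# Role template IDs are the same in every tenant; resolve them by display name
# instead of hard-coding GUIDs.
$roleIds = Get-AzureADDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in @('Global Administrator', 'Security Administrator', 'Exchange Administrator') } |
    Select-Object -ExpandProperty ObjectId

$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = "All"
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeRoles = $roleIds
# Always exclude the emergency-access ("break glass") account, otherwise a policy
# mistake can lock every administrator out. Placeholder object ID (assumption).
$conditions.Users.ExcludeUsers = @("<objectId-of-break-glass-account>")

$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = @("mfa")

# Start in report-only mode, review the sign-in logs, then switch -State to "Enabled".
New-AzureADMSConditionalAccessPolicy -DisplayName "Require MFA for directory admins" `
    -State "EnabledForReportingButNotEnforced" -Conditions $conditions -GrantControls $controls

# Check what was created
Get-AzureADMSConditionalAccessPolicy | Select-Object DisplayName, State
```

Report-only mode (`EnabledForReportingButNotEnforced`) lets you confirm in the Azure AD sign-in logs which admin sign-ins would have been challenged before the policy starts blocking anyone.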

Minimizing the number of people with administrative access to Azure resources, and the time for which they hold it, is a practice worth adopting because it reduces the chance that an attacker obtains administrative access or that an authorized user inadvertently affects a resource. To let authorized users perform administrative actions when they need to, you can provide just-in-time (JIT) privileged access to Azure and Azure AD resources. This is done with Azure Active Directory (Azure AD) Privileged Identity Management (PIM), which lets you manage, control and monitor access to company resources, including time-bound role activation with approval and justification.

Another key aspect to consider is the use of secure and isolated workstations (privileged access workstations) for sensitive roles. The official Microsoft documentation on privileged access workstations gives more details.

Segmentation and adoption of the Zero Trust model

The security model called Zero Trust, in contrast with conventional models based on perimeter security, involves micro-segmentation and the definition of granular perimeters in your network architecture. To contain security risks, adopt a clear and simple segmentation strategy that stakeholders can understand, so that it can be managed and monitored effectively. It is also necessary to assign only the permissions actually needed and the appropriate network controls.

In this regard, we report a reference design regarding the Azure administrative model:

Figure 1 – Reference Design – Azure Administration Model

The following illustration shows the typical hub-spoke network model, where the Hub is a virtual network in Azure that serves as the point of connectivity to the on-premises network, and the Spokes are virtual networks peered with the Hub that can be used to isolate workloads. Virtual network peering is not transitive, so two spokes cannot reach each other unless traffic is explicitly routed through the hub.

Figure 2 – Reference Enterprise Design – Azure Network Security
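The hub-spoke model above can be built with a few Az PowerShell cmdlets. The following is an added example, not code from the original article; the resource group, region, VNet names and address ranges are assumptions.

```powershell
# Added example (not from the article): hub VNet plus two spokes, each peered
# only with the hub. Names, region and address ranges are placeholders.
$rg  = "rg-network"
$loc = "westeurope"

$hub    = New-AzVirtualNetwork -Name "vnet-hub"     -ResourceGroupName $rg -Location $loc -AddressPrefix "10.0.0.0/16"
$spokeA = New-AzVirtualNetwork -Name "vnet-spoke-a" -ResourceGroupName $rg -Location $loc -AddressPrefix "10.1.0.0/16"
$spokeB = New-AzVirtualNetwork -Name "vnet-spoke-b" -ResourceGroupName $rg -Location $loc -AddressPrefix "10.2.0.0/16"

foreach ($spoke in @($spokeA, $spokeB)) {
    # Hub side: accept traffic forwarded by the spoke (needed when a firewall/NVA in the
    # hub routes between spokes) and offer the hub's VPN/ExpressRoute gateway to the spoke.
    Add-AzVirtualNetworkPeering -Name "hub-to-$($spoke.Name)" -VirtualNetwork $hub `
        -RemoteVirtualNetworkId $spoke.Id -AllowForwardedTraffic -AllowGatewayTransit

    # Spoke side. Once the hub gateway exists, add -UseRemoteGateways here so the spoke
    # reaches on-premises through the hub (the switch fails if no gateway is deployed yet).
    Add-AzVirtualNetworkPeering -Name "$($spoke.Name)-to-hub" -VirtualNetwork $spoke `
        -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic
}

# Verification: each spoke has exactly one peering and it points at the hub.
# Because peering is not transitive, spoke-a and spoke-b cannot talk to each other
# unless you add a route table sending 10.x.0.0/16 to a firewall in the hub.
foreach ($name in "vnet-spoke-a", "vnet-spoke-b") {
    Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $name |
        Select-Object @{n='Spoke';e={$name}}, Name, PeeringState,
                      @{n='Remote';e={ $_.RemoteVirtualNetwork.Id.Split('/')[-1] }}
}
```

The `PeeringState` must read `Connected` on both sides; a peering that shows `Initiated` on one side only means the reciprocal peering was never created and no traffic flows.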

Adoption of an appropriate "Firewall Strategy"

Adopting a firewall solution in the Azure environment, to protect and segregate network flows, is now a must.

The choice may involve the adoption of:

  • Microsoft solutions fully integrated into the platform, such as Azure Firewall, flanked by the Web Application Firewall (WAF) of the Application Gateway, an application load balancer (OSI layer 7) for web traffic that lets you govern HTTP and HTTPS application traffic. The WAF module, for published web applications, provides application-level protection based on the OWASP Core Rule Set. The WAF protects applications from common vulnerabilities and attacks, such as cross-site scripting (XSS) and SQL injection. These solutions are suitable for most scenarios and offer built-in high availability and scalability, as well as simple configuration and centralized management.
  • Solutions provided by third-party vendors, available in the Azure Marketplace. Network Virtual Appliances (NVAs) are numerous; they can provide advanced features and continuity with the solutions already in use on-premises. Typically the configuration of these solutions is more complex and the cost tends to be higher than the Microsoft solutions.
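As an added example of the "Microsoft solutions" option (not code from the original article), the block below adds an explicit allow-list to an existing Azure Firewall in the hub and switches an existing WAF-SKU Application Gateway to Prevention mode with the OWASP Core Rule Set. It assumes the Az.Network module, a firewall named fw-hub, an Application Gateway named appgw-web deployed with a WAF SKU, and placeholder address ranges and FQDNs.

```powershell
# Added example (not from the article). Assumes Az.Network, an existing Azure Firewall
# "fw-hub" and an existing WAF-SKU Application Gateway "appgw-web"; names are placeholders.
$rg = "rg-network"

# --- Azure Firewall: deny by default, allow only what the spoke needs ---
$fw = Get-AzFirewall -Name "fw-hub" -ResourceGroupName $rg

# Network rule: DNS from spoke-a (10.1.0.0/16) only to the corporate resolvers.
$dnsRule = New-AzFirewallNetworkRule -Name "allow-dns" -Protocol UDP `
    -SourceAddress "10.1.0.0/16" -DestinationAddress "10.0.1.4", "10.0.1.5" -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "spoke-a-network" -Priority 200 -Rule $dnsRule -ActionType Allow

# Application rule: HTTPS only to explicitly listed FQDNs (everything else is dropped
# by the firewall's implicit deny, so there is no "allow any" rule to forget to remove).
$updRule = New-AzFirewallApplicationRule -Name "allow-windows-update" -SourceAddress "10.1.0.0/16" `
    -Protocol "https:443" -TargetFqdn "*.windowsupdate.com", "*.update.microsoft.com"
$appColl = New-AzFirewallApplicationRuleCollection -Name "spoke-a-application" -Priority 200 -Rule $updRule -ActionType Allow

$fw.AddNetworkRuleCollection($netColl)
$fw.AddApplicationRuleCollection($appColl)
Set-AzFirewall -AzureFirewall $fw

# --- Application Gateway WAF: OWASP CRS 3.0 in Prevention mode ---
$appGw = Get-AzApplicationGateway -Name "appgw-web" -ResourceGroupName $rg
# Run in -FirewallMode Detection first and review the WAF logs for false positives
# on legitimate traffic; only then switch to Prevention, which blocks matching requests.
$appGw = Set-AzApplicationGatewayWebApplicationFirewallConfiguration -ApplicationGateway $appGw `
    -Enabled $true -FirewallMode Prevention -RuleSetType OWASP -RuleSetVersion "3.0"
Set-AzApplicationGateway -ApplicationGateway $appGw

# Check the applied WAF settings
(Get-AzApplicationGateway -Name "appgw-web" -ResourceGroupName $rg).WebApplicationFirewallConfiguration |
    Select-Object Enabled, FirewallMode, RuleSetType, RuleSetVersion
```

Route the spoke subnets to the firewall's private IP with a user-defined route (0.0.0.0/0 next hop VirtualAppliance); without that route the rules above are never consulted.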

Choosing a DDoS Mitigation Solution for critical applications

Protecting all critical applications from distributed denial-of-service (DDoS) attacks is very important. These attacks deliberately aim to exhaust the resources of a system that provides a service to clients, such as a website hosted on web servers, to the point where it can no longer serve legitimate requests.

In Azure, DDoS protection is available in two different tiers: Basic or Standard.

Figure 3 - Comparison of the features available in different tiers for DDoS Protection

Basic protection is enabled by default in the Azure platform: it constantly monitors traffic and applies real-time mitigation to the most common network-level attacks. This tier provides the same level of protection adopted and tested by Microsoft's online services and is active for Azure public IP addresses (IPv4 and IPv6). No configuration is required for the Basic tier.

Azure DDoS Protection Standard provides additional mitigation features over the Basic tier that are specifically tuned for resources located in Azure virtual networks. The protection policies are self-configured: they are optimized by monitoring the network traffic and applying machine learning algorithms that profile the application by studying the traffic it generates. When the thresholds set in the DDoS policy are exceeded, the mitigation process starts automatically and is suspended when traffic falls back below the established thresholds. These policies apply to all Azure public IP addresses (IPv4) associated with resources in the virtual network, such as virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances.
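Enabling the Standard tier is a two-step operation: create a DDoS protection plan, then link each virtual network to it. The following is an added example (not code from the original article) using the Az.Network module; resource group, region and names are placeholders.

```powershell
# Added example (not from the article): enable DDoS Protection Standard on a VNet
# and audit which VNets are still on Basic only. Names and region are placeholders.
$rg  = "rg-network"
$loc = "westeurope"

# One plan is normally enough: it is billed per plan and can protect VNets in any
# subscription of the same tenant, so create it once and reuse it.
$plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name "ddos-plan-prod" -Location $loc

$vnet = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg
$vnet.DdosProtectionPlan = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection = $true
$vnet | Set-AzVirtualNetwork

# Audit: every VNet that hosts public IPs should show EnableDdosProtection = True.
Get-AzVirtualNetwork |
    Select-Object Name, ResourceGroupName, EnableDdosProtection,
                  @{n='Plan'; e={ if ($_.DdosProtectionPlan) { $_.DdosProtectionPlan.Id.Split('/')[-1] } else { '-' } }}
```

Protection follows the VNet: a public IP attached to a resource in a protected VNet is covered, while a public IP on a resource outside any protected VNet stays on Basic.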

Azure Security Center Adoption

Azure Security Center is a cloud solution that helps prevent, detect and respond to security threats affecting resources and workloads in hybrid environments. To improve the security posture of your Azure environment it is essential to evaluate the adoption of this solution, which is offered in two different tiers:

  • Free tier. In this tier Azure Security Center is completely free; it continuously assesses the environment and provides recommendations on the security of Azure resources.
  • Standard tier. Compared to the Free tier it adds enhanced threat detection, using behavioral analysis and machine learning to identify zero-day attacks and exploits. Through machine learning and the creation of allow lists (Adaptive Application Controls) it is possible to control which applications run on the systems, reducing exposure to malware. The Standard tier also adds an integrated Vulnerability Assessment for virtual machines in Azure. Azure Security Center Standard supports several resource types, including VMs, virtual machine scale sets, App Service, SQL servers and storage accounts.

Figure 4 - Comparison between the tiers of Azure Security Center

Azure Security Center assigns a score to your environment (Secure Score), useful for monitoring the risk profile and for constantly improving the security posture by applying remediation actions. A good rule is to check the Secure Score at least monthly and plan initiatives aimed at improving specific areas. Furthermore, carefully check the alerts that Security Center Standard generates when it detects potential security threats on your resources. Security Center prioritizes and lists the alerts, provides the information needed to investigate the problems quickly and gives advice on how to remediate any attacks.
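The tier switch and the monthly review described above can be scripted with the Az.Security module. The following is an added example, not code from the original article; it assumes Az.Security is installed, the caller is Owner or Security Admin on the subscription, and the contact details are placeholders.

```powershell
# Added example (not from the article): move every resource type to the Standard
# tier, make sure alerts reach someone, then pull open recommendations and alerts.
# Assumes Az.Security; e-mail and phone are placeholders.

# 1. Pricing tier per resource type (VirtualMachines, SqlServers, AppServices, StorageAccounts, ...)
foreach ($p in Get-AzSecurityPricing) {
    if ($p.PricingTier -ne "Standard") {
        Set-AzSecurityPricing -Name $p.Name -PricingTier "Standard" | Out-Null
    }
}
Get-AzSecurityPricing | Select-Object Name, PricingTier

# 2. Alerts are useless if nobody is notified
Set-AzSecurityContact -Name "default1" -Email "secops@example.com" -Phone "+390000000000" -AlertAdmin -NotifyOnAlert

# 3. Monthly review: open recommendations (tasks) grouped by type ...
Get-AzSecurityTask |
    Where-Object { $_.State -eq "Active" } |
    Group-Object RecommendationType |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# ... and active alerts, highest severity first
Get-AzSecurityAlert |
    Where-Object { $_.State -eq "Active" } |
    Sort-Object ReportedSeverity |
    Select-Object DetectedTimeUtc, ReportedSeverity, AlertDisplayName, CompromisedEntity
```

Each `Get-AzSecurityTask` item carries the `ResourceId` it applies to, which is the hook for assigning remediation to the team that owns that resource.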

Introduce security in development and release stages

Adopting DevOps models to deploy Azure applications and services provides, besides maximum agility, benefits in terms of security. In DevOps models the teams dedicated to quality control and security can be involved in the development and operations stages throughout the application lifecycle. Using Infrastructure-as-Code (IaC) processes it is possible to define and monitor compliance at scale, because the configuration is versioned and reviewed like application code.

Do not use legacy technologies

In the Azure environment the adoption of classic Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS) is not recommended, since the platform already filters malformed packets natively. NIDS/NIPS solutions are generally based on outdated signature-based approaches that can be easily evaded during an attack and generally produce a high false positive rate.

Conclusions

Achieving a high level of security in Azure environments is a major challenge that requires constant monitoring, review and updating of the security posture. This article reported what are considered the main security best practices, drawn from direct field experience; it is always good to enrich them with further precautions.

Azure Security: how to do a Vulnerability Assessment using Azure Security Center

Azure Security Center, the cloud solution that allows you to prevent, detect and respond to security threats affecting Azure resources and workloads in hybrid environments, has recently been enhanced with the ability to integrate a Vulnerability Assessment for virtual machines in Azure. This article explains how to complete a vulnerability assessment process using Azure Security Center, examining the characteristics of the solution.

Vulnerability scanning included in Azure Security Center (ASC) is done through the Qualys solution, which is recognized as a leading tool for real-time identification of potential vulnerabilities in systems. To use this feature you must adopt the Standard tier of Security Center; in this case no additional licensing fees are incurred. The Standard tier also adds advanced threat detection (including threat intelligence), behavioral analysis, anomaly detection, security incidents and threat reports.

If you wish to stay on the Free tier of ASC you can still deploy solutions to perform a vulnerability assessment, such as Qualys and Rapid7, but you need to take care of licensing costs, deployment and configuration yourself. For more details about the cost of Azure Security Center and a comparison between the Free and Standard tiers, see Microsoft's official documentation.

The most immediate and rapid way to scan for vulnerabilities in Azure is to use the Qualys solution integrated in the Standard tier of Azure Security Center. To enable it, simply go to the ASC Recommendations and select "Enable the built-in vulnerability assessment solution on virtual machines (powered by Qualys)", as shown in the following image:

Figure 1 - Recommendation of Azure Security Center to enable vulnerability assessment solution

Selecting this recommendation, Azure virtual machines are divided into the following categories:

  • Healthy resources: systems on which the extension has already been deployed and that can complete a vulnerability scan.
  • Unhealthy resources: machines on which the extension can be enabled to scan for vulnerabilities.
  • Not applicable resources: systems where the extension is not present and cannot be enabled, either because they belong to the ASC Free tier or because the operating system is not supported. Among the supported operating systems are: RHEL 6.7/7.6, Ubuntu 14.04/18.04, CentOS 6.10/7/7.6, Oracle Linux 6.8/7.6, SUSE 12/15 and Debian 7/8.

Figure 2 - Enabling the solution

Selecting the machines of interest and pressing the Remediate button onboards them to the built-in Vulnerability Assessment solution. As a result, the specific extension is installed on the systems and the first scan starts automatically when the installation completes. The extension is based on the Azure Virtual Machine agent and therefore runs in the Local Host context on Windows systems and as root on Linux ones.

The names of the extension that will be present on the enabled systems are listed below; the publisher is always Qualys:

  • Linux Machines: “LinuxAgent.AzureSecurityCenter”
  • Windows Machines: “WindowsAgent.AzureSecurityCenter”

As for extension updates, the same rules apply as for other extensions, so the latest versions of the Qualys scanner are automatically deployed after an in-depth testing phase. In some cases manual actions may be needed to complete the upgrade.
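Because the extension names and publisher are known, you can verify from PowerShell that every VM actually received the scanner and that provisioning succeeded, rather than trusting the portal's Healthy count. The following is an added example (not code from the original article); it assumes the Az.Compute module and read access to the VMs in the current subscription.

```powershell
# Added example (not from the article): report, for every VM in the subscription,
# whether the Qualys VA extension is present and in which provisioning state.
# Assumes Az.Compute and Reader access to the VMs.
$expected = @{
    Windows = "WindowsAgent.AzureSecurityCenter"
    Linux   = "LinuxAgent.AzureSecurityCenter"
}

$report = foreach ($vm in Get-AzVM) {
    $os  = "$($vm.StorageProfile.OsDisk.OsType)"   # "Windows" or "Linux"
    $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue |
           Where-Object { $_.Publisher -eq "Qualys" } |
           Select-Object -First 1

    [pscustomobject]@{
        VM        = $vm.Name
        OS        = $os
        Expected  = $expected[$os]
        Installed = if ($ext) { $ext.Name } else { "missing" }
        State     = if ($ext) { $ext.ProvisioningState } else { "-" }
        Ok        = [bool]($ext -and $ext.Name -eq $expected[$os] -and $ext.ProvisioningState -eq "Succeeded")
    }
}

$report | Sort-Object Ok, VM | Format-Table -AutoSize
# Machines to chase: missing extension or a failed/stuck provisioning
$report | Where-Object { -not $_.Ok }
```

A VM that shows `Failed` here will also appear as Unhealthy in the portal; a VM listed as `missing` but not in the Not applicable group usually still lacks the Standard tier on its subscription.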

After the scan is complete, any vulnerabilities detected on the systems are reported in the ASC Recommendations.

Figure 3 – ASC notification reporting the presence of recommendations for intercepted vulnerabilities

Selecting the recommendation provides details of all vulnerabilities detected, their severity and status:

Figure 4 – List of detected security vulnerabilities

By selecting a single vulnerability you can see its details, potential impact, remediation actions and affected systems.

Figure 5 – Information reported for each individual vulnerability detected

Conclusions

To strengthen the security posture of your environment you should definitely consider adopting Azure Security Center in the Standard tier, which among its various features lets you verify that all security criteria are applied strictly and lets you constantly monitor compliance. The inclusion in the solution of a vulnerability assessment tool provided by Qualys, an industry leader, adds further value, making it possible to draw on the knowledge this vendor has gained in discovering vulnerabilities.

[Video] – Architecting and Implementing Azure Networking

To implement hybrid clouds securely and functionally, an in-depth understanding of the various aspects of Azure networking is crucial. Recently I had the pleasure of participating in the Italian Cloud Conference, where I held a session on Azure Networking. Here I report the video of the session, a 360-degree exploration of the key elements to consider in order to build hybrid network architectures, taking advantage of the various services offered by Azure to achieve the best integration with the on-premises environment, without ever neglecting security. Advanced hybrid network architecture scenarios were explored during the session, with real-world examples resulting from direct experience in the field.

Data encryption in Azure

One of the areas related to improving the security posture of the corporate information system is certainly encryption: through the adoption of specific techniques, it makes data readable only to those who hold the key to decrypt it. This article provides an overview of how encryption is used in Azure and provides references for further study.

To protect your data in the cloud, you must first consider the possible states in which the data can be and evaluate the related controls that can be implemented. Best practices for data security and encryption, particularly in Azure, concern the following states:

  • At rest: includes all information that statically resides on physical storage media, whether magnetic or optical.
  • In transit: data being transferred between components, locations or services is defined as in transit. For example, data crossing the network, a service bus, or input/output processes.

Encryption at Rest

Encryption at rest is a highly recommended technique and is a priority requirement for many organizations to comply with data governance and compliance policies. Several industry-specific and government regulations require data protection and encryption measures. Encryption at rest encrypts data when it is persisted and is used not only to meet compliance and regulatory requirements but also to provide a high level of data protection. The Azure platform natively adopts advanced physical security mechanisms, data access control and auditing. However, it is important to layer security measures so that the failure of one control is covered by another, and encryption at rest is a great way to ensure confidentiality, compliance and data sovereignty.

Server-Side Data Encryption Models

Server-side data encryption models refer to encryption performed by Azure services. In this model, it is the Azure Resource Provider that performs encryption and decryption. There are several server-side encryption at rest models available in Azure, each with different key management characteristics, and they can be applied to different Azure resources:

  • Server-side encryption using service-managed keys. In this scenario the encryption keys are managed by Microsoft; it is a good combination of control and convenience.
  • Server-side encryption using customer-managed keys in Azure Key Vault. In this mode the encryption keys are controlled by the customer through Azure Key Vault, including support for bringing your own keys (BYOK).
  • Server-side encryption using customer-managed keys on customer-controlled hardware. This method lets the customer control keys that reside in a repository under the customer's control, outside Microsoft's control. This feature is called Host Your Own Key (HYOK). However, the configuration is complex and most Azure services do not support this model at this time.

Figure 1 – Server-side encryption model

Client-side data encryption models

The client-side data encryption model refers to encryption performed outside Azure, directly by the calling service or application. When you use this encryption model, the Azure Resource Provider receives encrypted data without the ability to decrypt it or access the encryption keys. In this model key management is performed by the calling service or application and is opaque to the Azure service.

Figure 2 – Client-side encryption model

Encryption at Rest for top Azure services

Azure Storage

Azure Storage automatically encrypts data when it is persisted in the cloud. In fact, all Azure Storage services (Blob storage, Queue storage, Table storage and Azure Files) support server-side encryption of data at rest, and some of them also support client-side encryption and customer-managed encryption keys.

  • Server-side: all Azure Storage services have server-side encryption with service-managed keys enabled by default. For Azure Blob storage and Azure Files, customer-managed encryption keys in Azure Key Vault are also supported. The technology used is called Azure Storage Service Encryption, which automatically encrypts data before storing it and decrypts it when it is accessed. This process is completely transparent to the user and uses 256-bit AES encryption, one of the strongest block ciphers currently available. Azure Storage encryption is similar to BitLocker encryption in a Windows environment. Azure Storage encryption is enabled by default for all new storage accounts and cannot be disabled. Storage accounts are encrypted regardless of performance tier (standard or premium) or deployment model (Azure Resource Manager or classic). All redundancy options for storage accounts support encryption, and all copies of a storage account are always encrypted. Encryption does not affect the performance of storage accounts and there is no additional cost.
  • Client-side: this encryption is currently supported by Azure Blobs, Tables and Queues. When used, the data is encrypted by the customer, who manages their own keys, and is uploaded already encrypted.
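Switching a storage account from service-managed keys to a customer-managed key in Key Vault is the concrete form of the second server-side model above. The following is an added example (not code from the original article); it assumes the Az.KeyVault and Az.Storage modules, an existing storage account, and placeholder names.

```powershell
# Added example (not from the article): customer-managed key (CMK) for Azure Storage.
# Assumes Az.KeyVault + Az.Storage and an existing storage account; names are placeholders.
$rg     = "rg-data"
$loc    = "westeurope"
$kvName = "kv-storage-cmk"
$saName = "stprodcmk01"

# Key Vault with purge protection: Storage Service Encryption refuses a key that could be
# deleted out from under the data. (Soft delete is on by default in current Az.KeyVault
# versions; on older versions add -EnableSoftDelete.)
$kv  = New-AzKeyVault -Name $kvName -ResourceGroupName $rg -Location $loc -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName $kvName -Name "storage-cmk" -Destination Software

# The storage account needs a managed identity that is allowed to wrap/unwrap with the key.
$sa = Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -AssignIdentity
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ObjectId $sa.Identity.PrincipalId `
    -PermissionsToKeys wrapkey, unwrapkey, get

# Point Storage Service Encryption at the CMK. Data is re-wrapped, not rewritten.
Set-AzStorageAccount -ResourceGroupName $rg -Name $saName -KeyvaultEncryption `
    -KeyName $key.Name -KeyVersion $key.Version -KeyVaultUri $kv.VaultUri

# Verify: KeySource must read Microsoft.Keyvault (service-managed keys report Microsoft.Storage)
(Get-AzStorageAccount -ResourceGroupName $rg -Name $saName).Encryption |
    Select-Object KeySource, @{n='KeyName';e={$_.KeyVaultProperties.KeyName}}, @{n='KeyVersion';e={$_.KeyVaultProperties.KeyVersion}}
```

Revoking the vault access policy, or disabling the key, makes the account's data unreadable until access is restored; that is the control you gain over service-managed keys, and also the reason to alert on changes to this vault.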

Virtual Machines

All managed disks, snapshots and virtual machine images in Azure are encrypted using Storage Service Encryption with service-managed keys. While a virtual machine processes data, that data can end up in the Windows paging file or the Linux swap file, in a crash dump or in an application log. Therefore, to obtain a more complete encryption at rest solution for IaaS virtual machines and virtual disks, one that ensures data is never kept in unencrypted form, you need to use Azure Disk Encryption. This feature protects Windows virtual machines using Windows BitLocker technology and Linux virtual machines through DM-Crypt. Relying on Azure Disk Encryption you get full protection of the operating system disks and data volumes. The encryption keys and secrets are protected in your own Azure Key Vault. Backup of encrypted virtual machines is supported by the Azure Backup service. For more information about Azure Disk Encryption, see Microsoft's official documentation.
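Azure Disk Encryption is enabled per VM through a VM extension, with the BitLocker or DM-Crypt secrets stored in a Key Vault that has been explicitly authorized for disk encryption. The following is an added example (not code from the original article); it assumes the Az.Compute and Az.KeyVault modules, a Key Vault in the same region and subscription as the VM (a requirement of the feature), and placeholder names.

```powershell
# Added example (not from the article): enable Azure Disk Encryption on one VM, then
# audit the whole subscription. Assumes Az.Compute + Az.KeyVault; names are placeholders.
$rg     = "rg-compute"
$vmName = "vm-app01"
$kvName = "kv-disk-enc"   # must be in the same region and subscription as the VM

# Allow the Azure platform to write BitLocker/DM-Crypt secrets into this vault.
Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg

# Take a backup or snapshot first: the VM reboots and encryption cannot be interrupted safely.
# -VolumeType All covers the OS disk and every attached data disk.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName |
    Select-Object OsVolumeEncrypted, DataVolumesEncrypted, ProgressMessage

# Fleet audit: anything not "Encrypted" on both columns is a gap in encryption at rest.
foreach ($vm in Get-AzVM) {
    $s = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    [pscustomobject]@{
        VM        = $vm.Name
        OsDisk    = $s.OsVolumeEncrypted
        DataDisks = $s.DataVolumesEncrypted
    }
}
```

A data disk attached after encryption was enabled is not encrypted automatically; re-run `Set-AzVMDiskEncryptionExtension` (or let the audit loop above catch it).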

Azure SQL Database

Azure SQL Database currently supports encryption at rest in the following ways:

  • Server-side: server-side encryption is provided through a SQL feature named Transparent Data Encryption (TDE), which can be activated at the database or server level. Starting in June 2017 this feature is on by default for all new databases. TDE protects data and log files using the AES and Triple Data Encryption Standard (3DES) encryption algorithms. Database files are encrypted at the page level: pages are encrypted before being written to disk and decrypted when read into memory.
  • Client-side: client-side encryption of data in Azure SQL Database is supported through the Always Encrypted feature, which uses keys generated and stored on the client side. With this technology, data is encrypted inside the client application before being stored in Azure SQL Database, so the database engine never sees the plaintext.
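The two SQL models differ in who holds the key, and that shows in how they are configured: TDE is a property of the database, Always Encrypted is set up from a client that holds the column master key. The following is an added example (not code from the original article); it assumes the Az.Sql and SqlServer PowerShell modules, a Key Vault key already created for the column master key, and placeholder server, database, column and credential values.

```powershell
# Added example (not from the article). Assumes Az.Sql and SqlServer modules;
# server, database, columns, key URL and credentials are placeholders.
$rg = "rg-data"; $server = "sql-prod-01"; $db = "appdb"

# --- Server-side: TDE (platform holds the key) ---
Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $db |
    Select-Object DatabaseName, State
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $server -DatabaseName $db -State Enabled

# --- Client-side: Always Encrypted (client holds the key; the engine only ever sees ciphertext) ---
Import-Module SqlServer
Add-SqlAzureAuthenticationContext -Interactive        # token used to reach the Key Vault key

# SQL authentication placeholder; Azure AD auth is preferable in production.
$connStr  = "Server=tcp:$server.database.windows.net,1433;Initial Catalog=$db;User ID=<sqladmin>;Password=<password>;Encrypt=True"
$database = Get-SqlDatabase -ConnectionString $connStr

# Column master key (CMK) lives in Key Vault, outside the database; the key URL includes the version.
$cmkSettings = New-SqlAzureKeyVaultColumnMasterKeySettings -KeyUrl "https://kv-sql-cmk.vault.azure.net/keys/cmk-appdb/<key-version>"
New-SqlColumnMasterKey -Name "CMK_AppDb" -InputObject $database -ColumnMasterKeySettings $cmkSettings

# Column encryption key (CEK) is stored in the database, but only wrapped by the CMK.
New-SqlColumnEncryptionKey -Name "CEK_AppDb" -InputObject $database -ColumnMasterKey "CMK_AppDb"

# Deterministic allows equality lookups (WHERE TaxId = @p) but reveals which rows share a value;
# Randomized leaks nothing and is the right choice for columns never used in predicates.
$ces = @(
    (New-SqlColumnEncryptionSettings -ColumnName "dbo.Customers.TaxId"      -EncryptionType Deterministic -EncryptionKey "CEK_AppDb")
    (New-SqlColumnEncryptionSettings -ColumnName "dbo.Customers.CardNumber" -EncryptionType Randomized    -EncryptionKey "CEK_AppDb")
)
# Rewrites the columns in place; run during a maintenance window on large tables.
Set-SqlColumnEncryption -InputObject $database -ColumnEncryptionSettings $ces -LogFileDirectory "."
```

After this, applications must connect with `Column Encryption Setting=Enabled` and have access to the Key Vault key; a DBA querying the table directly sees only varbinary ciphertext, which is exactly the separation the client-side model promises.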

As with Azure Storage and Azure SQL Database, many other Azure services (Azure Cosmos DB, Azure Data Lake, etc.) encrypt data at rest by default, while for other services it can be optionally enabled.

Encryption in Transit in Azure

The protection of data in transit must be an essential element of your data protection strategy. It is generally recommended to always protect the movement and exchange of data using TLS. In certain circumstances it may be appropriate to isolate the entire communication channel between the on-premises environment and the cloud using a VPN. Microsoft uses the TLS (Transport Layer Security) protocol to protect data travelling between cloud services and customers: a TLS connection is negotiated between the Microsoft datacenter and the client systems that connect to Azure services. TLS provides strong authentication, confidentiality and message integrity (it allows detection of tampering, interception and message forgery).
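Azure offers TLS, but a client can still fall back to plain HTTP or an old TLS version unless the service refuses it. The following is an added example (not code from the original article) that audits and enforces those settings on storage accounts and SQL logical servers; it assumes Az.Storage 2.x or later and Az.Sql 2.x or later (the minimum-TLS parameters were added after this article was written), and placeholder names.

```powershell
# Added example (not from the article): enforce HTTPS-only and TLS 1.2 as the minimum
# on every storage account and SQL server in the subscription.
# Assumes Az.Storage >= 2.x and Az.Sql >= 2.x (for the minimum-TLS settings).

# --- Storage accounts ---
foreach ($sa in Get-AzStorageAccount) {
    $needsFix = (-not $sa.EnableHttpsTrafficOnly) -or ($sa.MinimumTlsVersion -ne "TLS1_2")
    if ($needsFix) {
        # Clients still using http:// or TLS 1.0/1.1 will start failing: check the
        # storage diagnostic logs for such clients before applying this in production.
        Set-AzStorageAccount -ResourceGroupName $sa.ResourceGroupName -Name $sa.StorageAccountName `
            -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 | Out-Null
    }
}
Get-AzStorageAccount | Select-Object StorageAccountName, EnableHttpsTrafficOnly, MinimumTlsVersion

# --- Azure SQL logical servers ---
foreach ($srv in Get-AzSqlServer) {
    if ($srv.MinimalTlsVersion -ne "1.2") {
        Set-AzSqlServer -ResourceGroupName $srv.ResourceGroupName -ServerName $srv.ServerName -MinimalTlsVersion "1.2" | Out-Null
    }
}
Get-AzSqlServer | Select-Object ServerName, MinimalTlsVersion
```

The same idea applies wherever you can set it: `Encrypt=True` in SQL connection strings and HTTPS-only on App Service, so that the transport guarantee does not depend on every client remembering to ask for it.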

Conclusions

The protection through encryption of data stored in Azure is seen as very important by those who decide to rely on cloud services. Knowing that all Azure services provide encryption at rest options, and that for the basic services encryption is enabled by default, is certainly reassuring. Some services also support customer control of the encryption keys and client-side encryption, to provide a greater level of control and flexibility. Microsoft is constantly improving its services to provide greater control over encryption at rest options and aims to enable encryption at rest by default for all customer data.

How to control the execution of applications using Azure Security Center

Azure Security Center provides several mechanisms to prevent security threats and reduce the attack surface of your environment. One of these is Adaptive Application Controls, a solution that can control which applications run on the systems. Azure Security Center uses a machine learning engine to analyze the applications running on virtual machines and provides a list of allowed applications. This article lists the benefits that can be achieved by adopting this solution and how to perform the configuration.

Adopting this solution, available with the Standard tier of Azure Security Center, you can:

  • Be alerted to attempts to run malicious applications that may not be detected by antimalware solutions. For Windows systems in Azure you can also block their execution.
  • Meet corporate compliance by allowing the execution of licensed software only.
  • Avoid the use of unwanted or obsolete software in your infrastructure.
  • Control access to sensitive data that takes place through specific applications.

Figure 1 – Azure Security Center Free vs Standard Tier

Adaptive application controls can be used on systems regardless of their location. Currently, for systems not located in Azure and for Linux VMs, only Audit mode is supported.

This feature can be activated directly from the portal by accessing the Azure Security Center.

Figure 2 – Adaptive application controls in the "Advanced cloud defense" of Security Center

Security Center uses a proprietary algorithm to automatically create groups of machines with similar characteristics, to help enforce Application Control policies.

From the management interface, the groups are divided into three types:

  • Configured: groups containing VMs on which this feature is already configured.
  • Recommended: groups of systems where enabling application control is recommended. Security Center uses machine learning to identify VMs on which the same applications always run regularly, which are therefore good candidates for application control.
  • Unconfigured: groups containing VMs for which there are no specific recommendations regarding application control, for example VMs that systematically run different applications.

Figure 3 – Types of groups

By clicking on a group of virtual machines you can manage the Application control rules, which evaluate the execution of applications.

Figure 4 – Configuring Application control rules

For each rule you select the machines to which it applies and the applications you want to allow. Detailed information is provided for each application; in particular, the "Exploitable" column indicates whether the application could potentially be used maliciously to bypass the allow list (typically interpreters and scripting hosts that can run arbitrary code). Pay close attention before allowing this type of application.

For Windows systems, this configuration creates specific AppLocker rules that govern the execution of applications.

By default, Security Center enables application control in Audit mode, which only records activity on the protected virtual machines without blocking any application execution. For each group, after verifying that the configuration does not cause malfunctions in the workloads on the systems, you can switch application control to Enforce mode, as long as they are Windows virtual machines in the Azure environment, to block the execution of applications that are not expressly allowed. You can also change the name of the group from the same interface.

Figure 5 – Change the name and protection mode
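Since the feature is implemented with AppLocker on Windows, the "verify before enforcing" step above can be done on the VM itself: dump the effective AppLocker policy and read the audit events that tell you what Enforce mode would have blocked. The following is an added example (not code from the original article); it runs inside a Windows VM with the built-in AppLocker cmdlets and assumes an elevated PowerShell session.

```powershell
# Added example (not from the article): run on the Windows VM itself, elevated.
# Shows the AppLocker policy pushed by Security Center and the would-be blocks.

# AppLocker only works if the Application Identity service is running.
Get-Service AppIDSvc | Select-Object Name, Status, StartType

# Effective policy (merged local + pushed rules), saved for review/diffing.
Get-AppLockerPolicy -Effective -Xml | Out-File "$env:TEMP\effective-applocker.xml"

# Event 8003 = would have been blocked (Audit mode); 8004 = blocked (Enforce mode).
$events = Get-WinEvent -FilterHashtable @{
    LogName = "Microsoft-Windows-AppLocker/EXE and DLL"
    Id      = 8003, 8004
} -MaxEvents 200 -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Action = if ($e.Id -eq 8003) { "audit" } else { "blocked" }
        User   = $d.TargetUser
        File   = $d.FilePath
        Hash   = $d.FileHash
    }
}

# Anything legitimate that shows up here needs a rule before you switch the group to Enforce;
# anything you do not recognise is worth treating as a potential intrusion.
$findings | Group-Object File | Sort-Object Count -Descending | Select-Object Count, Name
```

Script and MSI executions are logged in their own AppLocker channels (`MSI and Script`, events 8006/8007), so extend the `LogName` filter if those rule types are in play.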

At the end of this configuration you will see, in the main Security Center panel, notifications about potential violations, that is, executions of applications outside the allowed list.

Figure 6 - Security Center application violation notifications

Figure 7 – Full list of the violations found

Figure 8 - Sample of violation

Conclusions

The Adaptive Application Controls feature allows you, in a few easy steps, to quickly enable a thorough check on the applications that run on your systems. Configuration is simple and intuitive, especially thanks to the feature that groups systems with similar characteristics in terms of application execution. It is therefore an important mechanism that helps prevent potential security threats and minimize the attack surface of the environment. Together with its other features, Adaptive Application Controls helps make Security Center a complete solution for workload protection.

How to remote access virtual machines in Azure

Being able to access virtual machines in Azure via RDP (Remote Desktop Protocol) or SSH (Secure Shell) is a basic requirement for system administrators. Directly exposing these protocols on the Internet is definitely a practice to be avoided, because it is a high security risk. This article shows the different methods that can be used to gain remote access to systems in Azure and the characteristics of each.

Recently Microsoft released a security update rated Critical to fix the vulnerability CVE-2019-0708 identified in the Remote Desktop service of several operating systems. The vulnerability allows unauthenticated remote code execution over the RDP protocol, giving full control of the remote system. This vulnerability is taken as an example to highlight how risky it actually is to publish these access protocols on the Internet. For this reason you should consider adopting one of the solutions below for greater security.

Figure 1 – RDP/SSH attack

VPN access

For easy administrative access to an Azure Virtual Network you can enable a Point-to-Site VPN (P2S). Through the P2S VPN you can establish connectivity from a single client to the Azure environment easily and securely. Once the VPN connection is established you can remotely access the systems in Azure. For more information on P2S VPN, see the article Azure Networking: Point-to-Site VPN access and what's new. When adopting this method you should take into account the maximum number of connections supported by each Azure VPN Gateway SKU.

Figure 2 - Protocols available for P2S VPN

Just-in-Time VM Access

This is a feature of the Azure Security Center Standard tier that applies the configurations needed in the Network Security Groups (NSG), and more recently in Azure Firewall, to allow administrative access to systems, filtered by source IP and limited to a certain period of time. Just-in-Time VM Access lets you open remote access to systems quickly, in a targeted way and only for a specific time window. Without this feature you would need to manually create the appropriate rules in the NSG or Azure Firewall (NAT rule) and remember to remove them when no longer needed.

Figure 3 - Request access via Just-in-Time VM Access
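The JIT workflow has two halves: a policy that fixes the ports, the permitted source ranges and the maximum duration, and a request that opens a port for one source address until a given time. The following is an added example (not code from the original article) using the Az.Security module; the subscription ID, resource group, VM name and the 203.0.113.0/24 "corporate egress" range are placeholders.

```powershell
# Added example (not from the article): JIT policy and access request with Az.Security.
# Subscription, resource group, VM name and the 203.0.113.0/24 source range are placeholders.
$sub = "<subscription-id>"; $rg = "rg-compute"; $loc = "westeurope"; $vmName = "vm-app01"
$vmId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Compute/virtualMachines/$vmName"

# 1. Policy: which ports may be opened, from where at most, and for how long at most.
#    Restricting allowedSourceAddressPrefix here means a requester cannot ask for "*".
$policy = @{
    id    = $vmId
    ports = @(
        @{ number = 3389; protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT1H" },
        @{ number = 22;   protocol = "TCP"; allowedSourceAddressPrefix = @("203.0.113.0/24"); maxRequestAccessDuration = "PT1H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $loc -Name "default" -ResourceGroupName $rg -VirtualMachine @($policy)

# 2. Request: open RDP for one admin address for 30 minutes. Security Center writes the
#    NSG/Azure Firewall rule and removes it again at endTimeUtc.
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = (Get-Date).ToUniversalTime().AddMinutes(30).ToString("o")
            allowedSourceAddressPrefix = @("203.0.113.10")
        }
    )
}
$policyId = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Security/locations/$loc/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Check the policy and the currently granted requests
Get-AzJitNetworkAccessPolicy -ResourceGroupName $rg -Location $loc -Name "default" |
    Select-Object Name, ProvisioningState, Requests
```

Every request is also recorded in the Azure activity log (the `initiate` action on the JIT policy), which gives you an audit trail of who opened which port to which address and when.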

Jumpbox

A scenario used in some situations is a virtual machine (Jumpbox) that is accessible remotely and placed in a suitably isolated subnet, used to access other systems that can communicate with that subnet. In a hub-and-spoke network architecture this system is typically placed in the hub network, but it is recommended to apply filters so that it is reachable only from specific public IP addresses, without exposing it directly on the Internet. In this scenario keep in mind that a single JumpBox supports a maximum of two simultaneous remote connections.

Figure 4 - Positioning of the JumpBox in a hub-spoke architecture
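Both the Just-in-Time VM Access description above and the source-IP filtering recommended for the jumpbox come down to NSG rules evaluated in priority order. The following Python script is an added example written for this article, not code from Azure or from Security Center: it models an NSG's first-match-by-priority evaluation, the jumpbox allow-list rule, and a JIT-style rule that stops matching once its requested window has elapsed. The rule names, the address ranges 203.0.113.0/24 and 198.51.100.7/32, the 1-24 hour bound and the fixed clock are constructed for the example.

```python
"""Model of Azure NSG inbound-rule evaluation with a time-bounded JIT rule.

Added example for this article; it is not Azure code and not the
just-in-time implementation in Security Center. It models only what the
text describes: rules evaluated in priority order with first match wins,
matching on source address range and destination port, and a rule that
stops matching once its requested time window has elapsed. All names,
addresses and times below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

HOUR = timedelta(hours=1)
# Fixed "current time" so the example is deterministic (constructed value).
EXAMPLE_NOW = datetime(2019, 6, 1, 9, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                  # lower value is evaluated first, as in an NSG
    source: str                    # CIDR such as "203.0.113.0/24", or "*" for any
    dest_port: Optional[int]       # None means any destination port
    access: str                    # "Allow" or "Deny"
    expires_at: Optional[datetime] = None   # set only on JIT-style rules

    def matches(self, src_ip: str, port: int, now: datetime) -> bool:
        # An expired JIT rule behaves as if it had been removed from the NSG.
        if self.expires_at is not None and now >= self.expires_at:
            return False
        if self.source != "*" and ip_address(src_ip) not in ip_network(self.source):
            return False
        return self.dest_port is None or self.dest_port == port


def evaluate(rules: List[Rule], src_ip: str, port: int, now: datetime) -> str:
    """Return "<Allow|Deny>:<rule name>" for the first matching rule by
    priority. If nothing matches, the platform's default DenyAllInbound
    rule applies."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, port, now):
            return f"{rule.access}:{rule.name}"
    return "Deny:DenyAllInbound"


def baseline_rules(admin_cidr: str) -> List[Rule]:
    """Jumpbox pattern from the article: RDP only from a known public range,
    with an explicit deny for the same port from everywhere else."""
    return [
        Rule("AllowRdpFromOffice", 200, admin_cidr, 3389, "Allow"),
        Rule("DenyRdpFromInternet", 300, "*", 3389, "Deny"),
    ]


def jit_rule(name: str, requester_cidr: str, port: int, now: datetime, hours: int) -> Rule:
    """Build a JIT-style allow rule: one source range, one port, and an
    expiry after which the rule no longer matches. The 1..24 hour bound is
    an assumption of this example, not the Security Center policy limit."""
    if not 1 <= hours <= 24:
        raise ValueError("JIT window must be between 1 and 24 hours")
    # Priority 100 puts it ahead of the baseline rules, which the temporary
    # allow needs in order to take effect before the explicit deny.
    return Rule(name, 100, requester_cidr, port, "Allow", expires_at=now + hours * HOUR)


if __name__ == "__main__":
    rules = baseline_rules("203.0.113.0/24")
    rules.append(jit_rule("JitSshFromHome", "198.51.100.7/32", 22, EXAMPLE_NOW, 3))
    for hours_later in (1, 3):
        when = EXAMPLE_NOW + hours_later * HOUR
        print(hours_later, "h later, SSH from 198.51.100.7 ->",
              evaluate(rules, "198.51.100.7", 22, when))
```

The point to notice is the last evaluation: once the JIT window has elapsed the rule contributes nothing, and the request falls through to the default deny, which is exactly the cleanup that a manually created NSG rule depends on someone remembering to do.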

Azure Bastion

It is a PaaS service, recently announced by Microsoft in preview, which provides secure and reliable SSH and RDP access to virtual machines directly through the Azure portal. Azure Bastion is provisioned inside an Azure Virtual Network and provides access to all the virtual machines attached to that network without exposing their public IP addresses (the target VMs do not need a public IP at all).

Figure 5 - Azure Bastion Architecture

For more details see the article Azure Bastion: a new security model by Silvio Di Benedetto.

Azure Bastion is a paid service; for cost details see the Azure Bastion pricing page.

At the time of writing, Azure Bastion and Just-in-Time VM Access cannot be used to access the same systems.

SSL Gateway

A very sound solution from a security standpoint is to deploy a Remote Desktop Services environment in Azure that includes the Remote Desktop Gateway role, which is designed to be exposed directly to the Internet on TCP port 443. This component encapsulates RDP traffic in an HTTPS (TLS) tunnel, so the RDP port itself is never exposed. The Remote Desktop Gateway also supports multi-factor authentication, which further raises the level of security for remote access to resources. A similar solution is available for Citrix environments. In this scenario you need to consider, in addition to the cost of the Azure components, the licensing costs as well.

Figure 6 - Possible Remote Desktop Services architecture in Azure environment

Conclusions

There are several ways to provide secure remote access to virtual machines in Azure. The new Azure Bastion service is a secure and simple method, but it still needs to be extended with further features, the most important being support for peered Virtual Networks and for multi-factor authentication. These features will probably be available when the service becomes generally available. Until Azure Bastion can be used in production, you can use the other methods listed, which avoid exposing unprotected systems to the Internet.

Security in the cloud with Azure Sentinel solution

Microsoft recently announced a new cloud solution called Azure Sentinel. It is a service that aims to extend the capabilities of traditional SIEM (Security Information and Event Management) products, using the power of the cloud and artificial intelligence to quickly identify and manage security threats affecting your infrastructure. This article lists the main features of the solution.

Azure Sentinel allows real-time analysis of security events and information generated within your hybrid infrastructure by servers, applications, devices and users. Because it is a cloud-based service, it scales easily and processes information at high speed, without the need to deploy and manage a dedicated infrastructure to intercept potential security threats.

Azure Sentinel service can be activated directly from the Azure Portal:

Figure 1 - Creation of service Azure Sentinel

Operating principles of Azure Sentinel

Collect data within the infrastructure

Azure Sentinel relies on Azure Monitor which, using the proven and scalable Log Analytics repository, can ingest a high volume of data and process it effectively thanks to a high-performance query engine.

Figure 2 - Adding Azure Sentinel to an existing Log Analytics workspace

With Azure Sentinel you can aggregate security data from many sources, using the connectors built into the solution. Besides the various Microsoft platform solutions, Azure Sentinel can connect to the most widespread network solutions from third-party vendors, including Palo Alto Networks, F5, Symantec, Fortinet and Check Point. Azure Sentinel also natively ingests logs in standard formats such as Common Event Format (CEF) and Syslog.

Figure 3 -Data Connectors

With this solution you can also easily import data from Microsoft Office 365 and combine it with other security data, in order to obtain a detailed analysis of your environment and visibility into the entire sequence of an attack.

Figure 4 – Office 365 Connector

Azure Sentinel also integrates with the Microsoft Graph Security API, which lets you import your own threat intelligence feeds and customize the detection rules for potential security incidents and their notifications.

Analyze and quickly identify the threats by using artificial intelligence

Azure Sentinel uses scalable machine learning algorithms that correlate a large amount of security data and present the analyst only with potential security incidents, with a high level of confidence. This is what sets Azure Sentinel apart from SIEM solutions based on traditional correlation engines: it drastically reduces noise and, consequently, the analysis effort required to detect threats.

Figure 5 – Azure Sentinel Overview

After enabling the required Data Connectors, data begins to flow into the Log Analytics workspace; by configuring Alert Rules, Cases can then be generated to report potential security threats. For more details on how to detect threats with Azure Sentinel, see Microsoft's official documentation.
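To make concrete what an Alert Rule does between the data arriving in the workspace and a Case being opened, here is an added example written for this article, not Azure Sentinel's own code. In the product, rules are KQL queries scheduled against the workspace; this Python script reproduces the logic of one such rule offline, over constructed sign-in records, and produces the kind of Case the article describes (title, severity, status, entities). The records, account names, source addresses, the five-failure threshold and the ten-minute window are assumptions for the example; the ResultType values follow the Azure AD convention of 0 for success and 50126 for an invalid password.

```python
"""Detection rule run over sample sign-in events, producing cases.

Added example for this article; it is not Azure Sentinel code. In the
product, analytics rules are written in KQL against the Log Analytics
workspace; this script reproduces one such rule's logic in Python so it
can be run offline: repeated sign-in failures from one source against one
account inside a time window, rated higher when a success follows. The
events, thresholds and names below are constructed for the example
(ResultType "0" is success, "50126" is the Azure AD invalid-password code).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_SIGNIN_LOGS = [
    # alice: six failures from one source, then a success -> credential guessed
    {"TimeGenerated": "2019-03-01T08:00:05Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.23", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T08:00:20Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.23", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T08:00:41Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.23", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T08:01:02Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.23", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T08:01:30Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.23", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T08:01:55Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.23", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T08:02:30Z", "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.23", "ResultType": "0"},
    # bob: two typos then success -> normal user behaviour, below threshold
    {"TimeGenerated": "2019-03-01T09:10:00Z", "UserPrincipalName": "bob@contoso.example", "IPAddress": "203.0.113.5", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T09:10:30Z", "UserPrincipalName": "bob@contoso.example", "IPAddress": "203.0.113.5", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T09:11:00Z", "UserPrincipalName": "bob@contoso.example", "IPAddress": "203.0.113.5", "ResultType": "0"},
    # carol: five failures from one source, no success -> attempt, not a breach
    {"TimeGenerated": "2019-03-01T10:00:00Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "198.51.100.77", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T10:00:10Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "198.51.100.77", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T10:00:20Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "198.51.100.77", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T10:00:30Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "198.51.100.77", "ResultType": "50126"},
    {"TimeGenerated": "2019-03-01T10:00:40Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "198.51.100.77", "ResultType": "50126"},
    # carol's own later sign-in from a different address: separate key, no case
    {"TimeGenerated": "2019-03-01T10:30:00Z", "UserPrincipalName": "carol@contoso.example", "IPAddress": "203.0.113.9", "ResultType": "0"},
]


@dataclass
class Case:
    """Shape of the case a rule would open: severity, status and entities."""
    title: str
    severity: str
    status: str = "New"
    entities: Dict[str, str] = field(default_factory=dict)
    evidence: List[str] = field(default_factory=list)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_brute_force(events: List[dict], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> List[Case]:
    """Open one case per (account, source IP) that shows >= threshold failures
    inside `window`; High if a success follows within the same window."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["UserPrincipalName"], e["IPAddress"])].append((_ts(e["TimeGenerated"]), e["ResultType"]))

    cases: List[Case] = []
    for (user, ip), evs in by_key.items():
        evs.sort()
        fails = [t for t, r in evs if r != "0"]
        successes = [t for t, r in evs if r == "0"]
        for i, start in enumerate(fails):
            burst = [t for t in fails[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            breached = any(start < s <= start + window for s in successes)
            cases.append(Case(
                title=f"{'Successful' if breached else 'Attempted'} brute force against {user} from {ip}",
                severity="High" if breached else "Medium",
                entities={"account": user, "ip": ip},
                evidence=[f"{len(burst)} failures between {start:%H:%M:%S} and {burst[-1]:%H:%M:%S}"
                          + (", then a successful sign-in" if breached else "")],
            ))
            break   # one case per account/source pair, not one per failure
    return cases


if __name__ == "__main__":
    for case in detect_brute_force(SAMPLE_SIGNIN_LOGS):
        print(case.severity, case.status, case.title, "|", "; ".join(case.evidence))
```

Grouping by account and source address, and opening a single case per pair rather than one per failed attempt, is what keeps the output at "potential incidents" rather than raw noise; the same rule with a higher threshold produces no cases at all on this data.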

Investigate suspicious security activities

The data processed by the solution can be explored through dashboards, which can be customized to your needs. Dashboards let you conduct investigations, reducing the time needed to understand the scope of an attack and its impact.

Figure 6 – Dashboards available in Azure Sentinel

Figure 7 – Azure Network Watcher dashboard

When the configured Alert Rules detect security threats, a Case is generated, for which you can set the severity, the status and the assignment.

Figure 8 – Cases

Using the console, you can proceed with the investigation of the case:

Figure 9 – Case Investigation

From the same dashboard you can also take actions. Proactive hunting for suspicious activity is a fundamental task for security analysts; in Azure Sentinel it is supported by two features that help automate the analysis: hunting queries and Azure Notebooks (based on Jupyter notebooks), both of which are constantly updated.

Figure 10 – Hunting queries

Figure 11 -Example of an Azure Notebook

Automate common tasks and response to threats

Azure Sentinel provides the ability to automate and orchestrate the response to common problems, so that repetitive tasks do not have to be performed manually. Predefined and customizable playbooks, built on Azure Logic Apps, let you respond quickly to security threats.

Figure 12 – Alert playbooks

Figure 13 – Logic Apps Designer

Microsoft has also announced that further defense and investigation tools will be integrated into the solution.

Conclusions

Azure Sentinel is a complete, cloud-native SIEM solution that introduces significant benefits over traditional SIEM solutions, which require high costs to maintain the infrastructure and to process the data. Azure Sentinel lets customers simplify the tasks required to keep the infrastructure secure and scale gradually as needs grow, providing wide integration with third-party solutions.

Azure management services and System Center: What's New in February 2019

February was full of news, with several updates affecting the Azure management services and System Center. This article summarizes the main news of the month, to help you stay up to date on these topics and find the references needed to explore them further.

Azure Monitor

Multi-resource support for metric alerts

With this new feature, you can configure a single metric alert rule to monitor:

  • A list of virtual machines in an Azure region.
  • All virtual machines in one or more resource groups in an Azure region.
  • All virtual machines of a subscription, present in a given Azure region.

Azure Automation

The runbook Update Azure Modules is open source

Azure Automation allows you to update the Azure PowerShell modules imported into an Automation account to the latest versions available in the PowerShell Gallery. This is done through the Update Azure Modules action on the Modules page of the Automation account, and is implemented by a hidden runbook. To improve diagnostics and troubleshooting and to allow the module to be customized, this runbook has been made open source.

Support for the Azure PowerShell module Az

Azure Automation introduces support for the Az PowerShell module, so that the updated Azure modules can be used within runbooks to manage the various Azure services.

Azure Log Analytics

New version of the agent for Linux

This month a new version of the OMS Agent for Linux systems fixes a specific bug during installation. The updated OMS agent can be obtained from the official GitHub page.

Availability in new region of Azure

A Log Analytics workspace can now also be created in the West US 2, Australia East and Australia Central regions. In this way the data is kept and processed in those regions.

Azure Site Recovery

New Update Rollup

Update Rollup 33 for Azure Site Recovery has been released, introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup (version 9.22.5109.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3900.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services Agent (version 2.0.9155.0): used for replication scenarios from Hyper-V to Azure.

This update rollup can be installed on all systems running the following Microsoft Azure Site Recovery providers:

  • Microsoft Azure Site Recovery Provider for System Center Virtual Machine Manager (3.3.x.x).
  • Microsoft Azure Site Recovery Hyper-V Provider (4.6.x.x).
  • Microsoft Azure Site Recovery Provider (5.1.3500.0) and later.

The Update Rollup 33 for Microsoft Azure Site Recovery Unified Setup applies to all systems that have installed the version 9.17.4860.1 or later.

For more information on the issues resolved and the improvements introduced by this Update Rollup, and for the installation procedure, see the specific KB 4489582.

Protection of Storage Space Direct cluster

With Update Rollup 33, Azure Site Recovery (ASR) also introduces support for protecting Storage Spaces Direct clusters, used to build guest clusters in Azure.

Azure Backup

Azure Backup has released the Instant Restore feature for Azure virtual machines, which allows the stored snapshots to be used for VM recovery. It is also possible to configure the snapshot retention period in the backup policy (from one to five days; the default is two days). This gives more control over the protection of resources, adapting it to specific requirements and to the criticality of the resources themselves.

Figure 1 – Retention period of the snapshot

System Center Configuration Manager

Released versions 1902 and 1902.2 for the Technical Preview Branch

Among the main new features of this release is the ability to manage restart notifications on systems managed by Configuration Manager more effectively.

For full details of what's new in this release you can consult this document. Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Management Packs

The following news about SCOM Management Packs was released:

  • Microsoft System Center 2016 Management Pack for Microsoft Azure version 1.6.0.7
  • Microsoft System Center Management Pack for SQL Server 2017+ Reporting Services version 7.0.12.0
  • Log Analytics Management Pack for SCOM 1801 version 7.3.13288.0 and SCOM 2016 version 7.2.12074.0
  • System Center Management Pack for Windows DNS Server version 10.0.9.3

Evaluation of Azure and System Center

To test and evaluate the services offered by Azure free of charge you can access this page, while to try the various System Center components you can access the Evaluation Center and, after registering, start the trial period.

Azure management services and System Center: What's New in January 2019

The new year has begun with several Microsoft announcements about the Azure management services and System Center. The Cloud Community publishes a monthly article that gives an overview of the main new features of the month, so that you can stay up to date and have the references needed to explore further.

As already announced in the past few months, monitoring capabilities, management, and security functionality of Operations Management Suite (OMS) have been included in the Azure portal. Since 15 January 2019 the OMS portal has been officially retired, and all the features are accessible from Azure portal.

Azure Monitor

Azure Monitor logs in Grafana

A new plugin was announced for integrating Azure Monitor with Grafana. Thanks to this plugin you can view, in a simple and intuitive way, any data collected in Log Analytics. The plugin requires Grafana 5.3 or later and retrieves the information directly from the workspace through the Log Analytics API, making it available in the Grafana dashboard. For more information, see Microsoft's official documentation.

Figure 1 – Log Analytics integration in Grafana

Azure Monitor for containers

During January the Azure Monitor for Containers agent (build version 01/09/19) was updated with stability and performance improvements. The agent in Azure Kubernetes Service (AKS) clusters is updated automatically. For further details see the agent's release notes.

Azure Security Center

New dashboard on regulatory compliance

Azure Security Center now provides a new dashboard that shows the compliance status of the environment against specific standards and regulations. The standards currently supported are: Azure CIS, PCI DSS 3.2, ISO 27001 and SOC TSP. The dashboard shows the overall compliance score and the detail of the assessments, reporting the compliance status for each standard.

Figure 2 – Regulatory compliance dashboard in Azure Security Center

Azure Backup

Added support for PowerShell and ACLs for Azure Files

In the scenario of protecting Azure file shares with Azure Backup, the following features have been introduced:

Azure Site Recovery

New Update Rollup

Update Rollup 32 for Azure Site Recovery has been released, introducing new versions of the following components:

  • Microsoft Azure Site Recovery Unified Setup (version 9.21.5091.1): used for replication scenarios from VMware to Azure.
  • Microsoft Azure Site Recovery Provider (version 5.1.3800.0): used for replication scenarios from Hyper-V to Azure or to a secondary site.
  • Microsoft Azure Recovery Services Agent (version 2.0.9144.0): used for replication scenarios from Hyper-V to Azure.

This update rollup can be installed on all systems running the following Microsoft Azure Site Recovery providers:

  • Microsoft Azure Site Recovery Provider for System Center Virtual Machine Manager (3.3.x.x).
  • Microsoft Azure Site Recovery Hyper-V Provider (4.6.x.x).
  • Microsoft Azure Site Recovery Provider (5.1.3400.0) and later.

Update Rollup 32 for Microsoft Azure Site Recovery Unified Setup applies to all systems that have version 9.17.4860.1 or later installed.

For more information on the issues resolved and the improvements introduced by this Update Rollup, and for the installation procedure, see the specific KB 4485985.

New statement of support

Azure Site Recovery has recently added the following improvements:

  • Support for physical servers with UEFI boot. Although Azure VMs do not support UEFI boot disks, ASR can migrate these systems by converting the boot type to BIOS, for physical servers as well as virtual ones. This is available only for Windows systems (Windows Server 2012 R2 and later).
  • Support for systems whose system directories (/ [root], /boot, /usr, etc.) are on disks other than the OS disk, and support for /boot on an LVM volume.
  • Extended support for server migration from AWS for the following operating systems: RHEL 6.5+, RHEL 7.0+, CentOS 6.5+ and CentOS 7.0+.

System Center

System Center Configuration Manager

Version 1901 of the Technical Preview branch of System Center Configuration Manager has been released.

Among the main new features of this release is a new interactive client health dashboard, which gives an overview of client health and of the most common errors in the environment, with the ability to apply filters to exclude obsolete and offline clients.

Figure 3 – New Client Health Dashboard

For full details of what's new in this release you can consult this document. Please note that the Technical Preview Branch releases help you to evaluate new features of SCCM and it is recommended to apply these updates only in test environments.

System Center Operations Manager

Management Packs

The following news about SCOM Management Packs was released:

  • Microsoft System Center 2016 Management Pack for Microsoft Azure version 1.6.0.7
  • Microsoft System Center Management Pack for SQL Server 2017+ Reporting Services version 7.0.12.0
  • Log Analytics Management Pack for SCOM 1801 version 7.3.13288.0 and SCOM 2016 version 7.2.12074.0

Evaluation of Azure and System Center

To test and evaluate the services offered by Azure free of charge you can access this page, while to try the various System Center components you can access the Evaluation Center and, after registering, start the trial period.

Protection from DDoS attacks in Azure

A distributed denial-of-service (DDoS) attack deliberately aims to exhaust the resources of a system that provides a service to clients, such as a website hosted on web servers, to the point that it can no longer serve legitimate requests. This article describes the security features available in Azure against this type of attack, to protect applications in the cloud and ensure their availability.

DDoS attacks are becoming more common and more sophisticated, reaching ever larger bandwidths that make them harder to defend against and increase the chance of downtime for published services, with a direct impact on the business.

Figure 1 – DDoS Attack Trends

Often this type of attack is also used by attackers as a distraction, to mask other intrusions (cyber smokescreen).

Features of the solution

In Azure, DDoS protection is available in two tiers: Basic or Standard.

Figure 2 - Comparison of the features available in different tiers for DDoS Protection

Basic protection is enabled by default in the Azure platform: it constantly monitors traffic and applies mitigations to the most common network attacks in real time. This tier provides the same level of protection adopted and tested by Microsoft's own online services and is active for Azure public IP addresses (IPv4 and IPv6). No configuration is required for the Basic tier.

Azure DDoS Protection Standard provides additional mitigation capabilities over the Basic tier, specifically tuned for resources located in Azure virtual networks. The protection policies are configured automatically and optimized by monitoring the network traffic and applying machine learning algorithms, which profile the application's traffic in the most appropriate and flexible way. When the thresholds set in the DDoS policy are exceeded, the mitigation process starts automatically, and it is suspended when traffic falls back below the thresholds. These policies are applied to all Azure public IPs (IPv4) associated with resources in the virtual network, such as: virtual machines, Azure Load Balancer, Azure Application Gateway, Azure Firewall, VPN Gateway and Azure Service Fabric instances. This protection does not apply to App Service Environments.

Figure 3 – Overview of Azure DDoS Protection Standard

Azure DDoS Protection Standard can mitigate the following classes of attack:

  • Volumetric attacks: the goal is to flood the network with a large amount of seemingly legitimate traffic (UDP floods, amplification floods and other spoofed-packet floods).
  • Protocol attacks: these attacks aim to make a specific target unreachable by exploiting weaknesses in layer 3 and layer 4 of the stack (for example SYN floods and reflection attacks).
  • Resource (application) layer attacks: these target web application packets to disrupt the transmission of data between systems. Attacks of this type include HTTP protocol violations, SQL injection, cross-site scripting and other layer 7 attacks. DDoS Protection Standard alone is not sufficient against these; it must be used together with the Web Application Firewall (WAF) available in Azure Application Gateway, or with a third-party web application firewall solution from the Azure Marketplace.

Enabling DDoS protection Standard

DDoS Protection Standard is enabled on the virtual network and covers all the resources in it. Enabling Azure DDoS Protection Standard requires creating a DDoS Protection Plan, which groups the virtual networks with DDoS Protection Standard enabled, across subscriptions.

Figure 4 – Creating a DDoS Protection Plan

The Protection Plan is created in a specific subscription, to which the cost of the solution is billed.

Figure 5 – Enabling DDoS protection Standard on an existing Virtual Network

The Standard tier provides real-time telemetry that can be viewed in Azure Monitor.

Figure 6 – DDoS Metrics available in Azure Monitor

Any of the DDoS protection metrics can be used to generate alerts. With the metric "Under DDoS attack" you can be notified when an attack is detected and DDoS mitigation is applied.

DDoS Protection Standard applies three auto-tuned mitigation policies (TCP SYN, TCP and UDP) to each public IP address associated with a protected resource, that is, a resource on a virtual network with DDoS Standard enabled.

Figure 7 – Monitor mitigation metrics available in Azure
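The behaviour described in the last few paragraphs (a policy per protocol for each protected public IP, mitigation that starts when a threshold is exceeded and is suspended once traffic settles, and an under-attack signal of the kind the metric alert keys on) can be illustrated with a small model. The Python below is an added example for this article, not Azure's implementation: the real service derives its thresholds from traffic profiling and machine learning, which this model replaces with a simple headroom factor over a quiet-period peak and a hysteresis counter before mitigation is suspended. The address 192.0.2.10, the baseline and flood samples, and the headroom, floor and calm-sample values are all constructed.

```python
"""Illustrative model of per-IP, per-protocol DDoS mitigation policies.

Added example for this article; it is not Azure's implementation, and the
real service tunes its thresholds with traffic profiling and machine
learning that are not reproduced here. What it does show is the behaviour
the text describes: one policy per protocol (TCP SYN, TCP, UDP) for each
protected public IP, mitigation that starts when a threshold is exceeded
and is suspended once traffic has stayed below it, plus a 0/1 "under
attack" signal of the kind the metric alert in the text keys on. The
headroom factor, packet-rate floor, address and samples are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROTOCOLS = ("TCP_SYN", "TCP", "UDP")   # the three auto-tuned policies
PolicyKey = Tuple[str, str]             # (public IP, protocol)


@dataclass
class Policy:
    threshold_pps: float        # packets/sec above which mitigation starts
    under_mitigation: bool = False
    calm_samples: int = 0       # consecutive below-threshold samples seen


class DdosPolicySet:
    def __init__(self, headroom: float = 4.0, floor_pps: float = 1000.0, calm_required: int = 3):
        self.headroom = headroom              # multiple of the observed peak
        self.floor_pps = floor_pps            # never alarm below this rate
        self.calm_required = calm_required    # hysteresis before suspending
        self.policies: Dict[PolicyKey, Policy] = {}

    def learn(self, baseline: Dict[PolicyKey, List[float]]) -> None:
        """Set each policy's threshold from a quiet-period traffic profile."""
        for key, samples in baseline.items():
            peak = max(samples)
            self.policies[key] = Policy(threshold_pps=max(peak * self.headroom, self.floor_pps))

    def observe(self, ip: str, proto: str, pps: float) -> str:
        """Feed one traffic sample; return the policy's resulting state."""
        p = self.policies[(ip, proto)]
        if pps > p.threshold_pps:
            p.calm_samples = 0
            if not p.under_mitigation:
                p.under_mitigation = True
                return "mitigation_started"
            return "mitigating"
        if p.under_mitigation:
            # Stay in mitigation until traffic has been calm for a while,
            # so a flood that briefly dips does not flap the policy.
            p.calm_samples += 1
            if p.calm_samples >= self.calm_required:
                p.under_mitigation = False
                p.calm_samples = 0
                return "mitigation_stopped"
            return "mitigating"
        return "normal"

    def under_attack(self, ip: str) -> int:
        """1 if any of the IP's policies is mitigating, else 0 (alert signal)."""
        return int(any(p.under_mitigation for (pip, _), p in self.policies.items() if pip == ip))


def replay(policy_set: DdosPolicySet, samples: List[Tuple[str, str, float]]) -> List[str]:
    """Run a sequence of (ip, protocol, pps) samples and collect the states."""
    return [policy_set.observe(ip, proto, pps) for ip, proto, pps in samples]


# Constructed quiet-period profile for one public IP (packets per second).
BASELINE = {
    ("192.0.2.10", "TCP_SYN"): [120.0, 150.0, 130.0],
    ("192.0.2.10", "TCP"): [900.0, 1100.0, 950.0],
    ("192.0.2.10", "UDP"): [40.0, 60.0, 55.0],
}

# Constructed SYN flood against the same IP while its UDP traffic stays quiet.
FLOOD = [
    ("192.0.2.10", "TCP_SYN", 200.0),
    ("192.0.2.10", "TCP_SYN", 50000.0),
    ("192.0.2.10", "UDP", 50.0),
    ("192.0.2.10", "TCP_SYN", 80000.0),
    ("192.0.2.10", "TCP_SYN", 900.0),
    ("192.0.2.10", "TCP_SYN", 700.0),
    ("192.0.2.10", "TCP_SYN", 500.0),
]

if __name__ == "__main__":
    policies = DdosPolicySet()
    policies.learn(BASELINE)
    for (ip, proto, pps), state in zip(FLOOD, replay(policies, FLOOD)):
        print(f"{ip} {proto:8s} {pps:>8.0f} pps -> {state}, under_attack={policies.under_attack(ip)}")
```

Two details carry the security point: the UDP policy on the same address stays in the normal state throughout the SYN flood, because each protocol is profiled and mitigated independently, and mitigation is only suspended after several consecutive calm samples rather than on the first dip below the threshold.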

To generate reports on the actions taken to mitigate DDoS attacks, you must configure the diagnostic settings.

Figure 8 – Diagnostics Settings in Azure Monitor

Figure 9 - Enable diagnostics of Public IP to collect logs DDoSMitigationReports

In the diagnostic settings you can also collect other logs on mitigation activity and notifications. For more information see Configure DDoS attack analytics in the Microsoft documentation. The DDoS Protection Standard metrics are retained in Azure Monitor for 30 days.

Figure 10 – Attack flow logs in Azure Log Analytics

How to test the effectiveness of the solution

Microsoft has partnered with BreakingPoint Cloud which, through a very intuitive interface, lets you generate traffic towards Azure public IPs to simulate a DDoS attack. In this way you can:

  • Validate the effectiveness of the solution.
  • Simulate and optimize responses against incident related to DDoS attacks.
  • Document the compliance level for attacks of this type.
  • Train the network security team.

Costs of the solution

The Basic tier has no cost, while enabling DDoS Protection Standard requires a fixed monthly fee (not negligible) plus a charge for the data processed. The fixed monthly fee covers protection for 100 resources; above that there is an additional unit cost for each protected resource. For more details on Azure DDoS Protection Standard costs see Microsoft's official page.

Conclusions

DDoS protection in Azure means that a basic protection against these attacks is always active. Depending on the criticality of the application, the Standard tier can be considered; together with a web application firewall solution it provides full coverage to mitigate distributed denial-of-service attacks.