Category Archives: Microsoft Defender Advanced Threat Protection

Microsoft Defender ATP: the protection of Linux systems

Many companies run infrastructures made up of heterogeneous server operating systems, and the difficulty of adopting and managing different security platforms to protect the entire machine fleet is well known. Microsoft recently announced the availability of Microsoft Defender Advanced Threat Protection (ATP), its security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats, for Linux systems as well. This article describes how to protect Linux machines with this solution and gives an overview of how Microsoft Defender Security Center lets you monitor and manage the security of the whole spectrum of client and server platforms in enterprise environments (Windows, Windows Server, macOS and Linux).

In recent years Microsoft has steadily evolved its endpoint security platform, Microsoft Defender Advanced Threat Protection (ATP), to the point of being recognized as a leader, with the highest position on the "ability to execute" axis, in the latest Gartner Magic Quadrant for "Endpoint Protection Platforms".

Figure 1 – Gartner Magic Quadrant "Endpoint Protection Platforms" (2019)

Support for Linux systems makes the solution even more complete, offering:

  • Powerful preventive features. The solution provides real-time protection for the following types of file systems: btrfs, ecryptfs, ext2, ext3, ext4, fuse, fuseblk, jfs, nfs, overlay, ramfs, reiserfs, tmpfs, udf, and vfat.
  • A complete command-line experience to configure and manage the agent, initiate scans and manage threats.
  • An integration into alert monitoring within the Microsoft Defender Security Center.

System Requirements

Before you deploy the solution, you should verify that all the requirements of Microsoft Defender ATP in the Linux environment are met.

The Linux distributions and their versions currently supported are as follows:

  • Red Hat Enterprise Linux 7.2 or higher
  • CentOS 7.2 or higher
  • Ubuntu 16.04 LTS or higher
  • Debian 9 or higher
  • SUSE Linux Enterprise Server 12 or higher
  • Oracle Linux 7.2 or higher

The minimum supported kernel version is 3.10.0-327, and the fanotify feature must be enabled. Fanotify is a file access notification system built into many Linux kernels that allows Microsoft Defender ATP to scan files and, if necessary, block access to threats. This feature must be dedicated exclusively to Microsoft Defender ATP: concurrent use of fanotify by other security solutions can lead to unpredictable results, including the operating system locking up.
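The kernel and fanotify requirements above can be verified before onboarding. The pre-flight script below is an added example, not Microsoft's tooling; it assumes the kernel build configuration is exposed at /boot/config-<release> or /proc/config.gz, which holds on the distributions listed but not inside every container.

```python
"""Pre-flight check for the Microsoft Defender ATP for Linux kernel requirements
described above: kernel 3.10.0-327 or newer with fanotify available. Added example."""
import gzip
import os
import platform
import re
from typing import List, Optional

MIN_KERNEL = "3.10.0-327"

def kernel_fields(release: str) -> tuple:
    """Reduce '3.10.0-327.el7.x86_64' or '5.4.0-42-generic' to its first
    four numeric fields, zero padded, so tuples compare numerically."""
    nums = [int(n) for n in re.findall(r"\d+", release)[:4]]
    return tuple(nums + [0] * (4 - len(nums)))

def kernel_at_least(release: str, minimum: str = MIN_KERNEL) -> bool:
    return kernel_fields(release) >= kernel_fields(minimum)

def fanotify_enabled(release: str) -> Optional[bool]:
    """CONFIG_FANOTIFY=y in the kernel build config; None if no config is readable."""
    try:
        cfg = f"/boot/config-{release}"  # assumed location (Debian/RHEL style)
        if os.path.exists(cfg):
            text = open(cfg).read()
        elif os.path.exists("/proc/config.gz"):
            text = gzip.open("/proc/config.gz", "rt").read()
        else:
            return None
    except OSError:
        return None
    return re.search(r"^CONFIG_FANOTIFY=y$", text, re.M) is not None

def preflight(release: str, fanotify: Optional[bool]) -> List[str]:
    findings = []
    if not kernel_at_least(release):
        findings.append(f"FAIL kernel {release} is older than {MIN_KERNEL}")
    if fanotify is None:
        findings.append("WARN kernel config not readable, verify fanotify manually")
    elif not fanotify:
        findings.append("FAIL CONFIG_FANOTIFY is not enabled in this kernel")
    return findings

if __name__ == "__main__":
    rel = platform.release()
    for line in preflight(rel, fanotify_enabled(rel)) or ["OK kernel requirements met"]:
        print(line)
```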

Network Requirements

For Microsoft Defender ATP to work correctly on Linux systems, network communication to specific URLs must be allowed. In this spreadsheet Microsoft lists the services and the URLs that the protected system must be able to reach. For more details, see this Microsoft document.

Microsoft Defender ATP uses the following proxy systems:

  • Transparent Proxy
  • Manual configuration of the static proxy

PAC files, WPAD and authenticated proxies are not supported, however. Note also that SSL inspection mechanisms are not supported, for security reasons.

Deployment methods

Microsoft Defender ATP on Linux systems can be activated manually or through third-party management tools, including Ansible and Puppet; Microsoft documents the steps to follow in detail. With both tools the steps are as follows:

  • Download the onboarding package from the Microsoft Defender Security Center.

Figure 2 – Download the onboarding package from the Microsoft Defender Security Center portal

  • Create the manifest (Puppet) or the YAML file (Ansible).
  • Run the deployment, which enrolls the agent and applies its configuration.

Once installation is complete, the Microsoft Defender ATP component can be fully managed directly from bash.

Figure 3 – Running the mdatp command from a Linux machine with the component installed

Once the onboarding process is complete, you can manage Linux machines from the Microsoft Defender Security Center portal, as is the case with other operating systems.

Figure 4 – Linux devices in the Microsoft Defender Security Center portal

When malware is detected, alerts are reported in the Microsoft Defender Security Center:

Figure 5 – Detection timeline with Eicar test file on Linux machine

Software updates

Microsoft regularly publishes software updates to improve performance and security and to add new features to Microsoft Defender ATP for Linux. One thing to watch out for is that each version of Microsoft Defender ATP for Linux has an expiration date, after which it no longer protects the system; you must therefore update the product before that date. For the update procedure, see this Microsoft document.

When you upgrade your Linux operating system to a new major release, you must first uninstall Microsoft Defender ATP for Linux, install the update and then reconfigure Microsoft Defender ATP on the system.

Configuring the solution

In enterprise environments with many systems, Microsoft Defender ATP for Linux can be easily managed through configuration profiles. A configuration profile is simply a file with the ".json" extension made up of entries, each identified by a key (the name of the preference) followed by a value. Values can be simple, such as a number, or complex, such as a nested list of preferences.

These profiles can be distributed with whatever management tool you have available, so that the configuration is governed centrally. Distributed preferences take precedence over preferences set locally on the system, giving you tighter control over the various settings. For more details on the structure of this profile and the methods for distributing it, see this Microsoft article.
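As an added example (not Microsoft's code), the script below reads such a profile, flattens the nested preferences into dotted keys and flags settings that weaken protection before the file is pushed out; the key names follow Microsoft's documented mdatp_managed.json schema rather than anything on this page, and the sample profile is constructed.

```python
"""Audit a Microsoft Defender ATP for Linux managed profile for settings that weaken
protection. Added example; keys follow Microsoft's documented mdatp_managed.json schema."""
import json

# Constructed sample of a centrally pushed profile (documented endpoint location:
# /etc/opt/microsoft/mdatp/managed/mdatp_managed.json).
SAMPLE_PROFILE = """{
  "antivirusEngine": {
    "enableRealTimeProtection": false,
    "passiveMode": true,
    "exclusions": [
      {"$type": "excludedPath", "isDirectory": true, "path": "/"},
      {"$type": "excludedFileExtension", "extension": "sh"}
    ]
  },
  "cloudService": {"enabled": false, "automaticSampleSubmission": true}
}"""

def flatten(prefs: dict, prefix: str = "") -> dict:
    # Nested dicts become dotted keys ("cloudService.enabled"); lists are kept whole.
    flat = {}
    for key, value in prefs.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat

def audit(profile_text: str) -> list:
    """Return one finding per setting that reduces protection."""
    flat = flatten(json.loads(profile_text))
    findings = []
    if flat.get("antivirusEngine.enableRealTimeProtection") is False:
        findings.append("real-time protection is disabled")
    if flat.get("antivirusEngine.passiveMode") is True:
        findings.append("passive mode: threats are reported but not remediated")
    if flat.get("cloudService.enabled") is False:
        findings.append("cloud-delivered protection is disabled")
    for excl in flat.get("antivirusEngine.exclusions", []):
        if excl.get("$type") == "excludedPath" and excl.get("path", "").rstrip("/") == "":
            findings.append("excluding the filesystem root disables scanning everywhere")
        if excl.get("$type") == "excludedFileExtension" and excl.get("extension") in {"sh", "py", "pl"}:
            findings.append(f"excluding *.{excl['extension']} hides script content from scans")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE):
        print("WARN", finding)
```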

Conclusions

Although some say that Linux machines do not need security solutions, I personally believe that Linux systems should be properly protected like any other operating system. Microsoft Defender ATP for Linux is constantly expanding, and exciting new features are expected in the coming months to enrich the solution with new and advanced protection capabilities. The addition of Linux to the platforms natively supported by Microsoft Defender ATP marks an important turning point for all customers who need to include these systems in a unified protection strategy. The Microsoft Defender Security Center provides a centralized solution for monitoring and managing the security of the entire server and client machine fleet.

Integration between Azure Security Center and Microsoft Defender ATP

Microsoft Defender Advanced Threat Protection (MDATP) is a security platform for enterprise endpoints designed to prevent, detect, investigate and respond to security threats. This article discusses how Azure Security Center (ASC) integrates with this platform and which aspects to consider in order to combine the strengths of the two and protect servers effectively.

Microsoft Defender Advanced Threat Protection (MDATP)

The main characteristics of Microsoft Defender Advanced Threat Protection are:

  • Advanced post-breach detection sensors: Thanks to sensors from Microsoft Defender ATP for Windows Servers, a wide range of behavioral signals can be collected.
  • Ability to perform post-breach checks by leveraging the power of the cloud: Microsoft Defender ATP is able to quickly adapt to changing threats as it uses the Intelligent Security Graph with signals from Windows, Azure and Office. With this powerful mechanism, you can respond quickly to unknown threats.
  • Threat intelligence: Microsoft Defender ATP generates alerts when it identifies tools, techniques and procedures used by attackers. The solution uses data generated by Microsoft 'hunters' and security teams, enriched by the intelligence provided by collaboration with different security partners.

The Microsoft Defender Advanced Threat Protection (MDATP) console is accessible at this link.

Features and benefits of integration

ASC integrates with MDATP to provide comprehensive Endpoint Detection and Response (EDR). With this integration, you can take advantage of the following features:

  • Automated onboarding: the integration automatically activates the Microsoft Defender ATP sensor on Windows servers monitored by Security Center (except for Windows Server 2019 systems, which require specific configuration). Windows Server systems monitored by Azure Security Center will also appear in the Microsoft Defender ATP console.
  • Windows Defender ATP alerts also appear in the Azure Security Center console, so that all reports are kept in a single centralized console. For a detailed analysis of the reports, however, log on to the Microsoft Defender ATP console, which provides more information such as incident graphs. From the same console you can also view the timeline of all behaviors detected on a specific system, for a historical period of up to six months.

Enabling integration between ASC and MDATP

To enable this integration, you must use the Azure Security Center (ASC) standard tier, which includes the license to activate MDATP on server systems.

  • For virtual machines in Azure, the ASC standard tier must be enabled at the subscription level:

Figure 1 – Activating ASC standard tier at subscription level for VMs in Azure

  • For virtual machines that do not reside in Azure but on-premises or in other clouds, it is sufficient to enable the ASC standard tier at the workspace level:

Figure 2 – Standard tier activation of ASC at the workspace level for non-Azure VMs

In addition, you must enable the following setting in Azure Security Center:

Figure 3 – Enabling integration between ASC and MDATP

For the different ways to onboard servers, see this Microsoft document.

When you use Azure Security Center to monitor servers, a Microsoft Defender ATP tenant is also created automatically (in Europe by default). If Microsoft Defender ATP was already in use before Azure Security Center, the data remains stored in the location specified when the tenant was created, even if you integrate with ASC later. The data location cannot be changed after deployment; if you need to move your data to another geographic location, contact Microsoft Support.

Figure 4 – Data Storage retention


Threat Detection

With this integration in place, when MDATP detects a threat an alert is also generated in Azure Security Center, which becomes the centralized console for collecting security reports.

Figure 5 – SecurityAlert present in the ASC workspace

Alert information can also be sent by e-mail through an Action Group:

Figure 6 – Report received by e-mail from ASC in response to a threat detection

To investigate the alert in depth, open the Microsoft Defender Security Center portal, where the full details are available.

Figure 7 – Alert details from the Microsoft Defender Security Center portal

Conclusions

Azure Security Center (ASC) and Microsoft Defender Advanced Threat Protection (MDATP) are two distinct solutions, but they are closely related, both in terms of licensing and in the operational management of server security. Thanks to this simple integration you can manage the onboarding of systems and also bring MDATP reports into ASC, so that you can effectively monitor your environment and respond to security threats on server systems.