Category Archives: Microsoft Defender for Cloud

Proactive Cloud Protection: Experiences and Strategies for Cloud Security

With the growing adoption of cloud platforms, organizations face new security challenges that require a structured and proactive approach. Field experience has shown how critical it is to implement effective Cloud Security Posture Management (CSPM) solutions to continuously monitor and protect cloud infrastructures. These tools enable the detection and resolution of risks before they can evolve into critical threats. In this article, I will share practical advice for tackling these challenges, exploring the importance of CSPM, key risks to consider, and how Microsoft Defender for Cloud (MDfC) stands out as a comprehensive solution for managing cloud security. Additionally, we will review the essential steps for effectively implementing a CSPM solution and best practices to maximize security.

Understanding CSPM and Its Importance

Cloud Security Posture Management (CSPM) refers to a suite of tools and practices that continuously monitor and protect cloud infrastructures. Through direct experience with various projects, I have observed how organizations increasingly rely on cloud platforms, often exposing themselves to misconfigurations, compliance violations, and vulnerabilities. CSPM acts as a continuous supervisor, detecting and mitigating risks before they become critical threats, providing constant oversight over cloud environments.

The main risks that a CSPM solution helps to address include:

  • Data Breaches: Misconfigurations can inadvertently expose sensitive data, making it vulnerable to external threats.
  • Compliance Violations: Non-compliance with regulations can result in legal penalties and financial losses.
  • Reputational Damage: A security breach can undermine customer trust, negatively impacting the company’s reputation.

Microsoft Defender for Cloud: A Comprehensive CSPM Solution

Microsoft Defender for Cloud (MDfC) is an advanced Cloud Security Posture Management (CSPM) solution that excels in protecting heterogeneous cloud environments. Working directly on various projects, I have seen how MDfC, operating as a Cloud Native Application Protection Platform (CNAPP), offers comprehensive protection throughout the application lifecycle, from development to deployment. Its scalability allows it to adapt to the evolving needs of organizations, supporting platforms like Azure, AWS, and GCP.

Figure 1 – Microsoft Cloud-Native Application Protection Platform (CNAPP)

MDfC stands out by managing various security areas in addition to CSPM:

  • Cloud Workload Protection Platform (CWPP): This feature provides real-time threat detection and response for virtual machines, containers, Kubernetes, databases, and more, helping to reduce the attack surface.
  • Multi-Pipeline DevOps Security: It offers a centralized console to manage security across all DevOps pipelines, preventing misconfigurations and ensuring vulnerabilities are detected early in the development process.
  • Cloud Infrastructure Entitlement Management (CIEM): It centralizes the management of permissions across cloud and hybrid infrastructures, preventing the misuse of privileges.

Additionally, Cloud Security Network Services (CSNS) solutions integrate with CWPP to protect cloud infrastructure in real-time. A CSNS solution may include a wide range of security tools, such as distributed denial-of-service (DDoS) protection and web application firewalls.

Implementing CSPM: Planning and Strategies

To implement a CSPM solution effectively, a detailed plan is essential to ensure alignment with business needs. Here are some practical suggestions:

  1. Assess Security Objectives: Organizations should start by evaluating their cloud environments, identifying critical resources, and understanding their exposure to risks. This requires a thorough analysis of the IT security landscape, including identifying any gaps in infrastructure and compliance requirements.
  2. Define Security Requirements: Once the cloud environment is understood, the next step is to establish security policies that protect high-value workloads and sensitive data. It’s crucial to outline risk management strategies that include preventive measures, such as audits and vulnerability scans, as well as reactive measures like breach response plans.
  3. Select the Appropriate CSPM Solution: MDfC offers various levels of CSPM services. Organizations can start with basic functionalities, such as compliance controls and vulnerability assessments, and then evolve toward advanced capabilities, including in-depth security analysis, threat management, and governance tools.

Figure 2 – CSPM Plans (Foundational vs. Defender CSPM)

Turning Strategy into Action

Once the planning phase is complete, it’s time to operationalize CSPM, translating strategic security objectives into concrete actions integrated into daily operations. Based on my experience, the key steps include:

  • Defining Roles and Responsibilities: Clearly assigning roles to team members is critical to ensuring accountability and effective management of CSPM tools. For example, security architects can focus on the overall strategy, while IT administrators handle the configuration and daily management of CSPM tools.
  • Establishing Solid Processes: Implementing workflows for regular security assessments, managing compliance, and resolving issues is crucial. Automation plays a key role at this stage, simplifying operations and reducing the risk of human error.
  • Continuous Monitoring and Improvement: Effective use of CSPM requires ongoing monitoring to identify new vulnerabilities and threats. Real-time monitoring tools, such as those provided by Defender for Cloud, enable organizations to respond swiftly to security incidents, ensuring a high level of protection.

Best Practices for Maximizing CSPM Effectiveness

To get the most out of CSPM, organizations should follow some best practices that I have found to be particularly effective:

  • Align with Industry Standards: Ensure that CSPM implementation complies with industry standards and best practices, such as the CIS Benchmarks and the NIST Cybersecurity Framework. This ensures that the security measures adopted meet the required levels of protection and compliance.
  • Shift-Left Security: Integrate security into every phase of IT operations, from application design and development to deployment and maintenance. This approach, known as “shift-left,” reduces the risk of vulnerabilities being introduced into systems from the earliest stages.
  • Automate Security Processes: Automating tasks such as compliance checks, threat detection, and issue resolution significantly improves the efficiency of security operations, freeing up resources to address more complex threats.
  • Cultivate a Security Awareness Culture: Security must be a shared responsibility, not limited to the IT department. All employees should be trained and aware of their role in maintaining organizational security. Regular training sessions and workshops help to promote this culture of awareness.

Best Practices Specific to Defender CSPM

To optimize the use of Microsoft Defender for Cloud (MDfC) as a CSPM solution, it is useful to follow these best practices:

  • Customize MDfC Settings: Tailor MDfC configurations to the organization’s specific needs and risk profile, implementing targeted security policies, custom threat detection rules, and compliance benchmarks.
  • Prioritize Alerts: Configure MDfC to categorize and prioritize alerts based on severity, resource sensitivity, and potential impact on business activities, ensuring a prompt response to critical threats.
  • Customize Dashboards: Adapt MDfC dashboards to highlight the most relevant security metrics, compliance status, and operational insights, facilitating monitoring and management of security.

Conclusion

Cloud Security Posture Management (CSPM) solutions are essential to ensure security and compliance in evolving cloud environments. With advanced tools like Microsoft Defender for Cloud, organizations can monitor and protect their data and infrastructures, minimizing risks and maintaining a robust security posture. Implementing a CSPM solution properly requires strategic planning and continuous adaptation to new threats, but the benefits in terms of protection and resilience are significant. By following best practices and integrating security into every phase of IT operations, companies can ensure proactive and enduring protection while preserving customer trust and corporate reputation.

Cloud Security Posture Management (CSPM) in Defender for Cloud: protect your assets with an advanced security solution

In today's digital landscape, the adoption of cloud computing has opened up new opportunities for organizations, but at the same time new challenges have emerged regarding the security of cloud resources. Adopting a Cloud Security Posture Management (CSPM) solution is critical to ensuring that cloud resources are configured securely and that security standards are properly implemented. Microsoft Azure offers Defender for Cloud, a complete solution that combines the power of a CSPM platform with advanced security features to help organizations protect their cloud resources effectively. This article dives into the CSPM features offered by Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The features of Microsoft Defender for Cloud cover three major pillars of security for modern architectures that adopt cloud components:

  • DevOps Security Management (DevSecOps): Defender for Cloud helps you incorporate security best practices early in the software development process. It helps secure code management environments (GitHub and Azure DevOps) and development pipelines, and provides information on the security posture of the development environment. Defender for Cloud currently includes Defender for DevOps.
  • Cloud Security Posture Management (CSPM): a set of practices, processes and tools aimed at identifying, monitoring and mitigating security risks in cloud resources. CSPM offers broad visibility into the security posture of assets, enabling organizations to identify and correct non-compliant configurations, vulnerabilities and potential threats. This proactive approach reduces the risk of security breaches and helps maintain a secure cloud environment.
  • Cloud Workload Protection Platform (CWPP): proactive security principles require implementing security practices that protect workloads from threats. Defender for Cloud includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in Azure subscriptions and in hybrid and multi-cloud environments.

Figure 1 – The security pillars covered by Microsoft Defender for Cloud

CSPM in Defender for Cloud

Defender for Cloud is the advanced security solution from Microsoft Azure that covers the CSPM scope, offering a wide range of security features and controls for cloud resources. With Defender for Cloud, organizations can get complete visibility into their assets, identify and resolve vulnerabilities, and constantly monitor the security posture of resources. Some of the key features offered by Defender for Cloud include:

  • Configuration analysis: Defender for Cloud examines cloud resource configurations for non-compliant settings and provides recommendations to fix them. This ensures that resources are configured securely and that security standards are met.
  • Identification of vulnerabilities: the solution continuously scans cloud resources for known vulnerabilities. Recommendations and priorities are provided to address these vulnerabilities and reduce the risk of exploitation by potential threats.
  • Continuous monitoring: Defender for Cloud constantly monitors the security posture of cloud resources and provides real-time alerts in the event of insecure configurations or suspicious activity. This enables organizations to respond promptly to threats and maintain a secure cloud environment.
  • Automation and orchestration: Defender for Cloud automates much of the process of managing the security posture of cloud environments, allowing organizations to save valuable time and resources.

Defender for Cloud offers core CSPM capabilities for free. These features are automatically enabled on any subscription or account that has onboarded Defender for Cloud. If needed, the set of features can be expanded by activating the Defender CSPM plan.

Figure 2 – Comparison between CSPM plans

For a complete comparison you can refer to Microsoft's official documentation.

The optional Defender CSPM plan offers advanced security posture management capabilities; the main ones include:

  • Security Governance: security teams are responsible for improving the security posture of their organizations, but they may not have the resources or authority to actually implement the security recommendations. Assigning owners with due dates and defining governance rules creates accountability and transparency, so you can drive the process of improving your organization's security.
  • Regulatory compliance: with this feature, Microsoft Defender for Cloud simplifies the process of meeting regulatory compliance requirements by providing a dedicated dashboard. Defender for Cloud continuously assesses the environment to analyze risk factors based on the controls and best practices of the standards applied to the subscriptions. The dashboard reflects your compliance status with these standards. The Microsoft cloud security benchmark (MCSB), on the other hand, is automatically assigned to subscriptions and accounts when you onboard to Defender for Cloud (foundational CSPM). This benchmark builds on the cloud security principles defined by the Azure Security Benchmark and applies them with detailed technical implementation guidance for Azure, for other cloud providers (such as AWS and GCP) and for other Microsoft clouds.
  • Cloud Security Explorer: allows you to proactively identify security risks in your cloud environment by graphically querying the Cloud Security Graph, which is the context engine of Defender for Cloud. Queries from the security team can be prioritized, taking into account the context and the specific rules of the organization. With the Cloud Security Explorer it is possible to query security issues together with the context of the environment, such as resource inventory, Internet exposure, permissions and “lateral movement” across resources and across multiple clouds (Azure and AWS).
  • Attack path analysis: analyzing attack paths helps address the security issues, specific to the environment, that represent immediate threats with the greatest potential for exploitation. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach the environment, and highlights the security recommendations that need to be addressed to mitigate them.
  • Agentless scanning for machines: Microsoft Defender for Cloud maximizes coverage of OS posture issues and goes beyond the coverage provided by agent-based assessments. Agentless scanning of virtual machines gives instant, wide and unobstructed visibility into potential posture problems, without having to install agents, meet network connectivity requirements or impact machine performance. Agentless scanning for virtual machines provides vulnerability assessment and software inventory, both through Microsoft Defender Vulnerability Management, in Azure and Amazon AWS environments. Agentless scanning is available in both Defender CSPM and Defender for Servers Plan 2.
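An added illustration (not code from the article or from Defender for Cloud) of what attack path analysis and the Cloud Security Explorer's graph queries amount to, run over a constructed resource graph: every node, edge and recommendation string is assumed, and the entry-point criterion (internet-exposed and vulnerable) is a simplification of the real engine's context.

```python
"""Attack path analysis over a constructed cloud security graph.

Added example, not code from the original article or from Defender for Cloud: a small
stand-in for the Cloud Security Explorer / attack path analysis described above. Nodes
are cloud resources with posture facts, edges are relationships (identity, permissions,
network reachability) and each edge carries the hypothetical recommendation that would
break it. An attack path is any route from an internet-exposed, vulnerable resource to
a resource holding sensitive data.
"""
from collections import defaultdict

# Constructed inventory: resource id -> posture facts a CSPM tool would collect.
NODES = {
    "vm-web":      {"type": "VirtualMachine", "internet_exposed": True,  "vulnerable": True},
    "vm-batch":    {"type": "VirtualMachine", "internet_exposed": False, "vulnerable": True},
    "id-web":      {"type": "ManagedIdentity"},
    "st-customer": {"type": "StorageAccount", "sensitive_data": True},
    "sql-erp":     {"type": "SqlServer",      "sensitive_data": True},
}

# Constructed relationships: (source, target, relation, recommendation that removes the edge).
EDGES = [
    ("vm-web",   "id-web",      "runs_as",                        "Assign a least-privilege identity to vm-web"),
    ("id-web",   "st-customer", "has_role:blob_data_contributor", "Remove the data-plane role assignment"),
    ("vm-web",   "vm-batch",    "can_connect:tcp/22",             "Restrict NSG rules between subnets"),
    ("vm-batch", "sql-erp",     "can_connect:tcp/1433",           "Restrict the SQL firewall to required sources"),
]


def find_attack_paths(nodes, edges):
    """Depth-first search from every entry point to every sensitive-data node.

    Returns a list of paths; each path is a list of (src, dst, relation, recommendation)
    edges in traversal order. Cycles are avoided with a per-path visited set.
    """
    adjacency = defaultdict(list)
    for src, dst, relation, recommendation in edges:
        adjacency[src].append((dst, relation, recommendation))

    entry_points = [n for n, facts in nodes.items()
                    if facts.get("internet_exposed") and facts.get("vulnerable")]
    paths = []

    def walk(node, trail, visited):
        if nodes[node].get("sensitive_data") and trail:
            paths.append(list(trail))
            return
        for dst, relation, recommendation in adjacency[node]:
            if dst in visited:
                continue
            trail.append((node, dst, relation, recommendation))
            walk(dst, trail, visited | {dst})
            trail.pop()

    for entry in entry_points:
        walk(entry, [], {entry})
    return paths


def rank_recommendations(paths):
    """Count how many attack paths each recommendation breaks, highest first.

    Fixing the entry point (patching the exposed, vulnerable VM) breaks every path
    that starts there, so it is counted once per path on top of the edge fixes.
    """
    broken = defaultdict(int)
    for path in paths:
        entry = path[0][0]
        broken[f"Remediate vulnerabilities on {entry}"] += 1
        for _, _, _, recommendation in path:
            broken[recommendation] += 1
    return sorted(broken.items(), key=lambda item: (-item[1], item[0]))


def describe(path):
    """Render a path as 'a -relation-> b -relation-> c'."""
    text = path[0][0]
    for _, dst, relation, _ in path:
        text += f" -{relation}-> {dst}"
    return text


if __name__ == "__main__":
    found = find_attack_paths(NODES, EDGES)
    for path in found:
        print(describe(path))
    for recommendation, count in rank_recommendations(found):
        print(f"{count} path(s) broken: {recommendation}")
```

The ranking is the point: the single fix that sits on every path (here, remediating the exposed entry VM) surfaces first, which is how a prioritized recommendation list differs from a flat list of findings.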

Conclusions

In the increasingly complex context of IT asset security, especially with hybrid and multi-cloud environments, Cloud Security Posture Management (CSPM) has become an essential component of an organization's security strategy. Defender for Cloud in Microsoft Azure offers an advanced CSPM solution that combines configuration analysis, vulnerability identification, continuous monitoring and automation to ensure that IT assets are adequately protected. Investing in a CSPM solution like Defender for Cloud enables organizations to mitigate security risks and protect IT assets.

How to strengthen network protection with Defender for Cloud

In the networking field, Microsoft Azure provides a series of platform-native solutions that deliver a high degree of security when adopted appropriately. Microsoft Defender for Cloud adds important value in refining and strengthening the security posture of the network, since specific features also cover certain aspects of networking. This article explores how Microsoft Defender for Cloud lets you verify, achieve and maintain an Azure networking configuration aligned with best practices.

Defender for Cloud overview

The Microsoft Defender for Cloud solution provides a set of features that cover two important pillars of security for modern architectures that adopt cloud components: Cloud Security Posture Management (CSPM) and Cloud workload protection (CWP).

Figure 1 – The pillars of security covered by Microsoft Defender for Cloud

Within Cloud Security Posture Management (CSPM) Defender for Cloud can provide the following features:

  • Visibility: to assess the current security situation.
  • Hardening Guide: to be able to improve security efficiently and effectively.

Thanks to continuous assessment, Defender for Cloud is able to discover newly deployed resources and evaluate whether they are configured according to security best practices. If not, the assets are flagged and you get a prioritized list of recommendations on what to fix to improve their security. This process also applies specifically to network resources, and the recommendations focus on various networking solutions such as next generation firewall, Network Security Groups and JIT VM access. A complete list of the networking recommendations and related corrective actions can be consulted in this document.

Figure 2 - Examples of networking recommendations

As regards the Cloud Workload Protection (CWP) scope, Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. It also includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Defender for Cloud specific networking features

Regarding networking, in addition to continuously assessing resources and generating recommendations, Defender for Cloud includes other specific features:

Figure 3 - Microsoft Defender for Cloud networking features

Adaptive network hardening

Network Security Groups (NSGs) are the main tool for controlling network traffic in Azure: through deny and allow rules, they filter communications between the different workloads attached to Azure virtual networks. However, there may be situations in which the actual network traffic crossing an NSG corresponds only to a subset of the rules defined within the NSG itself. In these cases, the security posture can be further improved by refining the NSG rules based on actual network traffic patterns. The adaptive network hardening feature of Defender for Cloud verifies exactly this and generates recommendations to further tighten the rules present in the NSG. To achieve this, a machine learning algorithm is used that takes into account the actual network traffic, the current configuration, threat intelligence and other indicators of compromise.

Figure 4 - Recommendations relating to the adaptive network hardening functionality

Network Map

To continuously monitor the security status of the network, Defender for Cloud provides an interactive map that lets you graphically view the network topology, including tips and recommendations for hardening network resources. Using the map you can also check the connections between virtual machines and subnets, and evaluate whether each node is configured correctly from the network point of view. By checking how the nodes are connected, you can more easily identify and block unwanted connections that could potentially make it easier for an attacker to attack your network. For more information on this feature, you can consult Microsoft's official documentation.

Figure 5 - Defender for Cloud generated network map

In order to take advantage of these specific features it is necessary to license Defender for Servers Plan 2.

Conclusions

A winning strategy in Azure networking, capable of also supporting the Zero Trust model, can be obtained by mixing and matching the different network security services to obtain protection on multiple levels. At the same time, it is very useful to be able to rely on the features of Defender for Cloud, which also cover the aspects related to networking and, through continuous assessment and in-depth visibility, make it possible to keep environments configured according to best practices over time.

How to strengthen security posture in the public cloud, in hybrid and multi-cloud environments thanks to Defender for Cloud

The adoption of infrastructures and services in cloud environments, which helps businesses accelerate their digital transformation, also requires adapting the solutions, processes and practices used to ensure and maintain a high degree of security for IT resources. This must be done independently of the deployment models used, strengthening the overall security posture of your environment and providing advanced threat protection for all workloads, wherever they reside. This article describes how the Defender for Cloud solution is able to control and improve the security aspects of an IT environment whose resources are used in the public cloud and in hybrid and multi-cloud environments.

The challenges of security in modern infrastructures

Among the main security challenges that must be faced when adopting modern infrastructures that use cloud components we find:

  • Rapid and constantly evolving workloads. This aspect is certainly a double-edged sword of the cloud: on the one hand, end users have the ability to get more from solutions in cloud environments; on the other hand, it becomes complex to ensure that rapidly and constantly evolving services are always up to standard and follow all security best practices.
  • Increasingly sophisticated security attacks. Regardless of where your workloads are running, security attacks adopt sophisticated and advanced techniques that require reliable protections to be implemented to counter their effectiveness.
  • Security resources and expertise that are not always up to par for responding to security alerts and ensuring that environments are adequately protected. In fact, IT security is an ever-changing front and staying up to date is a constant and difficult challenge.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud cover two major pillars of security for modern architectures that adopt cloud components: Cloud Security Posture Management (CSPM) and Cloud workload protection (CWP).

Figure 1 – The pillars of security covered by Microsoft Defender for Cloud

Cloud Security Posture Management (CSPM)

In the field of Cloud Security Posture Management (CSPM) Defender for Cloud can provide the following features:

  • Visibility: to assess the current security situation.
  • Hardening Guide: to be able to improve security efficiently and effectively.

Thanks to continuous assessment, Defender for Cloud is able to discover newly deployed resources and evaluate whether they are configured according to security best practices. If not, the resources are flagged and you get a prioritized list of advice on what should be corrected to improve their protection. This list of recommendations is derived from and supported by the Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, which contains security and compliance best practices based on common frameworks, with a focus on cloud-centric security. This benchmark may cover the controls of the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), and it can be customized according to the standards to be respected.

Figure 2 - Examples of recommendations

Defender for Cloud assigns a global score to the environment, called Secure Score, which allows you to evaluate the risk profile (the higher the score, the lower the level of risk identified) and to take remediation actions.

Figure 3 - Secure score example

Cloud workload protection (CWP)

Regarding this area, Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. It also includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments:

Figure 4 – Workloads protected by Defender for Cloud

Defender for Cloud therefore allows you to meet the following three needs, considered essential when managing the security of resources and workloads residing in the cloud and in on-premises environments:

Figure 5 - Security needs covered by Microsoft Defender for Cloud

Defender for Cloud also includes, as part of the advanced security features, vulnerability assessment solutions for virtual machines, container registries and SQL servers. Some scans are performed using the Qualys solution, which requires no specific licenses or dedicated accounts: everything is included and managed through Defender for Cloud.

Which environments can be protected with Defender for Cloud?

Defender for Cloud is an Azure-native service that allows you to protect not only the resources present in Azure, but also hybrid and multi-cloud environments.

Figure 6 - Cross protection on different environments

Azure environment protection

  • Azure IaaS and Azure PaaS services: Defender for Cloud can detect threats targeting virtual machines and services in Azure, including Azure App Service, Azure SQL, Azure Storage Account, and others. It also allows you to detect anomalies in Azure activity logs through native integration with Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).
  • Azure data services: Defender for Cloud includes features that allow you to automatically classify data in Azure SQL. Furthermore, it is possible to carry out assessments to detect potential vulnerabilities in Azure SQL and Storage services, accompanied by recommendations on how to mitigate them.
  • Network: applying Network Security Groups (NSGs) to filter traffic to and from the resources attached to Azure virtual networks is essential to guarantee network security. However, there may be cases where the actual traffic passing through the NSGs matches only a subset of the defined NSG rules. In these cases, the Adaptive network hardening feature allows you to further improve the security posture by tightening the NSG rules. Using a machine learning algorithm that takes into account actual traffic, the configuration, threat intelligence and other indicators of compromise, it is able to provide advice on adjusting the NSG configuration to allow only the strictly necessary traffic.
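As an added example (not the article's or Microsoft's code) for the adaptive network hardening behaviour described in the bullet above and in the earlier "Adaptive network hardening" section, the following Python models the deterministic core of that analysis over constructed NSG rules and flow records; the rule names, addresses and the `harden` function are assumptions, and the threat-intelligence input of the real feature is left out.

```python
"""Adaptive-network-hardening style review of NSG rules against observed traffic.

Added example, not code from the original article or from Microsoft: a deterministic
stand-in for the feature described above. Each observed inbound flow is matched against
the NSG rules in priority order (lowest number wins); Allow rules broader than the
traffic they admitted get a narrowed proposal, Allow rules that admitted nothing are
flagged for removal. Threat-intelligence signals are not modelled; all data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    priority: int
    name: str
    protocol: str     # "Tcp", "Udp" or "*" (any)
    source: str       # CIDR prefix or "*" (any)
    dest_ports: str   # "22", "80-443" or "*"
    action: str       # "Allow" or "Deny"

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_port: int
    protocol: str

def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return port == int(spec)

def _source_matches(spec, ip):
    return spec == "*" or ip_address(ip) in ip_network(spec, strict=False)

def first_match(rules, flow):
    """Return the rule that decides this flow under NSG semantics, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.protocol in ("*", flow.protocol)
                and _source_matches(rule.source, flow.src_ip)
                and _port_matches(rule.dest_ports, flow.dst_port)):
            return rule
    return None

def _is_tight(rule):
    """True when the rule already names a single host, port and protocol."""
    single_host = rule.source != "*" and ip_network(rule.source, strict=False).num_addresses == 1
    single_port = rule.dest_ports != "*" and "-" not in rule.dest_ports
    return single_host and single_port and rule.protocol != "*"

def harden(rules, flows):
    """Map each Allow rule name to a recommendation derived from the flows it admitted."""
    admitted = {r.name: set() for r in rules if r.action == "Allow"}
    for flow in flows:
        rule = first_match(rules, flow)
        if rule is not None and rule.action == "Allow":
            admitted[rule.name].add(flow)
    recommendations = {}
    for rule in rules:
        if rule.action != "Allow":
            continue
        seen = admitted[rule.name]
        if not seen:
            recommendations[rule.name] = {"recommendation": "remove",
                                          "reason": "no observed traffic matched this rule"}
            continue
        recommendations[rule.name] = {
            "recommendation": "keep" if _is_tight(rule) else "narrow",
            "sources": sorted({f"{f.src_ip}/32" for f in seen}),
            "dest_ports": sorted({f.dst_port for f in seen}),
            "protocols": sorted({f.protocol for f in seen}),
        }
    return recommendations

# Constructed inbound NSG rules, deliberately broader than the observed traffic.
RULES = [
    Rule(100, "allow-ssh-any", "Tcp", "*", "22", "Allow"),
    Rule(110, "allow-web", "Tcp", "*", "80-443", "Allow"),
    Rule(120, "allow-rdp-from-mgmt", "Tcp", "10.10.0.5/32", "3389", "Allow"),
    Rule(130, "allow-dns-any", "Udp", "*", "53", "Allow"),
    Rule(4096, "deny-all-inbound", "*", "*", "*", "Deny"),
]

# Constructed flow-log style records for one observation window.
FLOWS = [
    Flow("203.0.113.10", 22, "Tcp"),
    Flow("203.0.113.10", 22, "Tcp"),
    Flow("198.51.100.7", 443, "Tcp"),
    Flow("198.51.100.8", 443, "Tcp"),
    Flow("10.10.0.5", 3389, "Tcp"),
    Flow("192.0.2.44", 3389, "Tcp"),  # not the management host: falls through to deny-all
]

if __name__ == "__main__":
    for name, rec in harden(RULES, FLOWS).items():
        print(name, rec)
```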

Hybrid Environment Protection

In addition to protecting the Azure environment, Defender for Cloud functionality can also be extended to hybrid environments, in particular to protect servers that do not reside in Azure. Through Azure Arc, Microsoft Defender plans can be extended to non-Azure machines.

Protection of resources running on other public clouds

Microsoft Defender for Cloud can also cover resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). To protect resources on other public clouds with this solution, a new native mechanism allows you to connect to AWS and GCP environments through an agentless approach. This new method of interfacing takes advantage of the AWS and GCP APIs and has no dependency on other solutions, such as AWS Security Hub.

Real case of protection with Defender for Cloud

Assuming a customer environment with resources located in Azure, on-premises and in AWS, with Defender for Cloud you can extend protection to all resources, independently of where they reside.

In fact, by connecting an Amazon Web Services (AWS) account to an Azure subscription, it is possible to enable the following protections:

  • The CSPM functionalities of Defender for Cloud are also extended to AWS resources, allowing you to evaluate the resources present in the Amazon cloud according to AWS-specific security recommendations. Furthermore, resources are evaluated for compliance with AWS-specific standards such as AWS CIS, AWS PCI DSS and AWS Foundational Security Best Practices. All of this is reflected in the overall secure score.
  • Microsoft Defender for Servers offers threat detection and enables advanced defenses for EC2 Windows and Linux instances as well.
  • Microsoft Defender for Kubernetes extends advanced defenses to Amazon EKS Linux clusters and enables the detection of threats on containers present in those infrastructures.

These protections will be added to the features listed above available for Azure environments and for resources residing on-premises.

Conclusions

Defender for Cloud is able to respond effectively to the security challenges posed by the adoption of modern infrastructures. Thanks to Microsoft Defender for Cloud, you have a solution capable of identifying security weaknesses in cloud configurations, strengthening the overall security posture of the environment and protecting workloads in hybrid and multi-cloud environments.

How to increase the security of container-based application architectures

Modern applications based on microservices are increasingly widespread, and containers are an interesting building block for creating agile, scalable and efficient application architectures. Microservices offer great benefits, thanks to well-known and proven software design patterns that can be applied, but they also generate new challenges. One of these is certainly the security of these architectures, which requires the adoption of cutting-edge solutions to achieve a high level of protection. This article describes how the cloud-native container security solution, Microsoft Defender for Containers, is able to protect container-based application architectures, offering advanced capabilities for detecting and responding to security threats.

Functionality offered by the solution

Thanks to Microsoft Defender for Containers it is possible to improve, monitor and maintain the security of clusters, containers and related applications. This plan provides the following benefits:

  • Hardening of the environment
  • Vulnerability Scanning
  • Run-time threat protection for the cluster environment and for the nodes

The benefits listed above are detailed in the following paragraphs.

Hardening of the environment

Through a continuous assessment of cluster environments, Defender for Containers provides complete visibility into any misconfigurations and compliance with guidelines. By generating recommendations it helps mitigate potential security threats.

Furthermore, thanks to Kubernetes admission control it is possible to ensure that all configurations comply with security best practices. By adopting Azure Policy for Kubernetes you get a bundle of recommendations useful for protecting Kubernetes container workloads. By default, when Defender for Containers is enabled, these policies are provisioned automatically. In this way, every request to the Kubernetes API server is checked against the predefined set of best practices before it takes effect on the cluster. You can therefore use this method to apply best practices and enforce them for new workloads that are deployed.
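To make the admission-control idea concrete, the following added example (not Azure Policy's own definitions, nor code from the original article) evaluates a Pod manifest against the kind of hardening rules an admission controller enforces before the object is persisted: no host namespaces, no privileged containers, no privilege escalation, non-root execution, images only from an allowed registry and pinned to a tag or digest. The rule set, the registry allow-list (contoso.azurecr.io) and the two sample manifests are assumptions constructed for this example.

```python
"""Admission-style checks on a Kubernetes Pod manifest.

Added example (not Azure Policy's own definitions): it mimics the kind of
checks an admission controller applies to a request before the object is
persisted on the cluster. The rule set and the registry allow-list below are
assumptions chosen for this example.
"""
from typing import Dict, List

# Assumption for the example: only images from this registry are allowed.
ALLOWED_REGISTRIES = ("contoso.azurecr.io/",)


def _containers(pod: Dict) -> List[Dict]:
    """Regular and init containers are subject to the same checks."""
    spec = pod.get("spec", {})
    return list(spec.get("containers", [])) + list(spec.get("initContainers", []))


def check_pod(pod: Dict) -> List[str]:
    """Return the list of violations; an empty list means the pod is admitted."""
    violations: List[str] = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")

    # Host namespaces give a container visibility into host processes / network.
    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            violations.append(f"{name}: {key} is enabled")

    for c in _containers(pod):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append(f"{name}/{cname}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        if not sc.get("runAsNonRoot"):
            violations.append(f"{name}/{cname}: runAsNonRoot is not enforced")
        image = c.get("image", "")
        if not image.startswith(ALLOWED_REGISTRIES):
            violations.append(f"{name}/{cname}: image {image!r} is not from an allowed registry")
        last = image.rsplit("/", 1)[-1]          # "name:tag" or "name@sha256:..."
        if ":" not in last or last.endswith(":latest"):
            violations.append(f"{name}/{cname}: image {image!r} must be pinned to a tag or digest")
    return violations


# Constructed sample manifests (not taken from a real cluster).
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug-shell", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "shell", "image": "nginx:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "shop"},
    "spec": {
        "containers": [{
            "name": "api", "image": "contoso.azurecr.io/shop/api:1.4.2",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        result = check_pod(pod)
        verdict = "denied" if result else "admitted"
        print(f"{pod['metadata']['name']}: {verdict}")
        for v in result:
            print("  -", v)
```

Running the module denies the debug-shell pod with six findings and admits the api pod. In a real cluster the same decisions are taken by the Gatekeeper-based Azure Policy add-on, with the policy assignments deciding whether a violation is audited or denied.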

Vulnerability Scanning

Defender for Containers includes an integrated vulnerability scanner that analyzes the images present in Azure Container Registry (ACR). Images are scanned in the following cases:

  • On push: each time an image is pushed to the ACR, a scan is performed automatically.
  • On recent pull: because new vulnerabilities are discovered every day, Defender for Containers also rescans, on a weekly basis, every image that has been pulled in the last 30 days.
  • On import: Azure Container Registry provides import tools to bring images into it from Docker Hub, Microsoft Container Registry or other ACRs. All imported images are scanned promptly by the solution.

If vulnerabilities are detected, a notification will be generated in the Microsoft Defender for Cloud dashboard. This alert will be accompanied by a severity classification and practical guidance on how to correct the specific vulnerabilities found in each image.

Furthermore, Defender for Containers extends these scanning capabilities by adding visibility into running images. The new recommendation, “Vulnerabilities in running images should be remediated (powered by Qualys)”, groups the running images that have vulnerabilities, providing details on the issues found and how to fix them.

Run-time threat protection for the cluster environment and for the nodes

Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts if threats or malicious activity are detected, both at the host level and at the AKS cluster level.

Protection from security threats occurs at several levels:

  • Cluster level: at the cluster level, threat protection is based on the analysis of Kubernetes audit logs. This monitor generates alerts on the AKS managed services, for example when a Kubernetes dashboard is exposed or a role with elevated privileges is created. To see the complete list of alerts generated by this protection, you can access this link.
  • Host level: with over sixty types of analyses, using artificial intelligence algorithms and anomaly detection on running workloads, the solution is able to detect suspicious activities. A team of Microsoft security researchers constantly monitors the threat landscape, and container-specific alerts and vulnerabilities are added as they are discovered. Furthermore, the solution monitors the growing attack surface of multi-cloud Kubernetes deployments and maps its detections to the MITRE ATT&CK matrix for containers, a framework developed by the Center for Threat-Informed Defense in close collaboration with Microsoft and others.

The complete list of alerts that can be obtained by enabling this protection can be consulted in this document.
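The cluster-level protection described above works on Kubernetes audit log events. The following added example (not Microsoft's detection logic and not code from the article) shows how two of the alert types mentioned, an exposed dashboard and a role with elevated privileges, can be derived from such events: it only considers completed, successful write requests, then flags ClusterRoleBindings to cluster-admin, Roles or ClusterRoles granting every verb on every resource, and a Service of type LoadBalancer or NodePort in the kubernetes-dashboard namespace. The audit events are constructed for the example and trimmed to the fields the rules use.

```python
"""Detection rules over Kubernetes audit log events.

Added example, not Microsoft's detection logic: it shows how two of the
cluster-level alert types mentioned above (dashboard exposure, creation of
roles with elevated privileges) can be derived from audit events. The sample
events below are constructed for this example.
"""
import json
from typing import Dict, Iterable, List

WRITE_VERBS = ("create", "update", "patch")


def _has_wildcard_rule(rules) -> bool:
    """True if any RBAC rule grants every verb on every resource."""
    for rule in rules or []:
        if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
            return True
    return False


def detect(event: Dict) -> List[str]:
    """Return alerts raised by a single audit event (empty if none)."""
    alerts: List[str] = []
    # Only completed, successful write requests change cluster state.
    if event.get("stage") != "ResponseComplete":
        return alerts
    if event.get("responseStatus", {}).get("code", 0) >= 300:
        return alerts
    if event.get("verb") not in WRITE_VERBS:
        return alerts

    ref = event.get("objectRef", {})
    obj = event.get("requestObject") or {}
    user = event.get("user", {}).get("username", "<unknown>")
    resource = ref.get("resource")

    if resource in ("roles", "clusterroles") and _has_wildcard_rule(obj.get("rules")):
        alerts.append(f"{user} created/updated {resource}/{ref.get('name')} granting '*' verbs on '*' resources")

    if resource == "clusterrolebindings" and obj.get("roleRef", {}).get("name") == "cluster-admin":
        subjects = ", ".join(f"{s.get('kind')}:{s.get('name')}" for s in obj.get("subjects", []))
        alerts.append(f"{user} bound cluster-admin to {subjects or '<no subjects>'}")

    if resource == "services" and ref.get("namespace") == "kubernetes-dashboard":
        svc_type = obj.get("spec", {}).get("type", "ClusterIP")
        if svc_type in ("LoadBalancer", "NodePort"):
            alerts.append(f"{user} exposed the Kubernetes dashboard through a {svc_type} service")
    return alerts


def scan(lines: Iterable[str]) -> List[str]:
    """Run detect() over JSON-lines audit output and collect all alerts."""
    alerts: List[str] = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(detect(json.loads(line)))
    return alerts


# Constructed audit events (JSON lines, kube audit Event schema, trimmed).
SAMPLE_AUDIT_LOG = """
{"stage":"ResponseComplete","verb":"get","user":{"username":"dev@contoso.com"},"objectRef":{"resource":"pods","namespace":"shop","name":"api-1"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ci:deployer"},"objectRef":{"resource":"clusterrolebindings","name":"ci-admin"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"},"subjects":[{"kind":"ServiceAccount","name":"deployer","namespace":"ci"}]},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"ops@contoso.com"},"objectRef":{"resource":"services","namespace":"kubernetes-dashboard","name":"kubernetes-dashboard"},"requestObject":{"spec":{"type":"LoadBalancer","ports":[{"port":443}]}},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"ops@contoso.com"},"objectRef":{"resource":"clusterroles","name":"everything"},"requestObject":{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"ops@contoso.com"},"objectRef":{"resource":"clusterroles","name":"everything"},"requestObject":{"rules":[{"apiGroups":["*"],"resources":["*"],"verbs":["*"]}]},"responseStatus":{"code":201}}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_AUDIT_LOG.splitlines()):
        print("ALERT:", alert)
```

The sample produces three alerts: the read of a pod is ignored, and the denied (403) attempt to create the wildcard ClusterRole is ignored as well, because only the later successful creation actually changed the cluster. Note that for the audit policy to contain `requestObject` at all, the relevant rules must be logged at level `RequestResponse` (or at least `Request`); with `Metadata` level the rules above would have nothing to inspect.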

Architectures for the different Kubernetes environments

Defender for Containers can protect Kubernetes clusters regardless of whether they run on Azure Kubernetes Service, Kubernetes on-premises / IaaS, or Amazon EKS.

Azure Kubernetes Service (AKS) Cluster

When Defender for Cloud is enabled for clusters created with Azure Kubernetes Service (AKS), audit log collection takes place without having to install agents. The Defender profile, deployed on each node, provides runtime protection and collects signals from the nodes using eBPF technology. The Azure Policy add-on for Kubernetes collects cluster and workload configurations, as explained in the previous paragraphs.

Figure 1 - Defender for Cloud architecture for AKS clusters

Azure Arc-enabled Kubernetes

For all clusters hosted outside Azure it is necessary to adopt Azure Arc-enabled Kubernetes to connect the clusters to Azure and provide the related services, such as Defender for Containers. By connecting Kubernetes clusters to Azure, an Arc extension collects Kubernetes audit logs from all cluster control plane nodes and sends them to the Microsoft Defender for Cloud back end in the cloud for further analysis. The extension is registered with a Log Analytics workspace used as a data pipeline, but the audit data is not stored in Log Analytics. Information about workload configurations is handled by the Azure Policy add-on.

Figure 2 – Defender for Cloud architecture for Arc-enabled Kubernetes clusters

Amazon Elastic Kubernetes Service (Amazon EKS)

Also for this type of cluster, running in the AWS environment, it is necessary to adopt Azure Arc-enabled Kubernetes in order to project the clusters into Azure. Furthermore, you must connect the AWS account to Microsoft Defender for Cloud. The plans needed are Defender for Containers and CSPM (for configuration monitoring and recommendations).

A cluster based on EKS, Arc and the Defender extension are the components needed for:

  • collect policy and configuration data from cluster nodes;
  • get runtime protection.

The Azure Policy add-on for Kubernetes collects the configurations of the cluster environment and workloads to verify that all configurations comply with the policies. Furthermore, AWS CloudWatch is used to collect log data from the control plane.

Figure 3 – Defender for Cloud architecture for AWS EKS clusters

Solution upgrade and costs

This Microsoft Defender plan merges and replaces two existing plans, “Defender for Kubernetes” and “Defender for Container Registries”, providing new and improved features without deprecating any feature of those plans. Subscriptions on which the previous plans were activated do not need to be upgraded to the new Microsoft Defender for Containers plan. However, to take advantage of the new and improved features, they must be upgraded, and to do so you can use the upgrade icon displayed next to them in the Azure portal.

The activation of these protection plans is subject to specific costs that can be calculated using the Azure Pricing calculator. In particular, the cost of Microsoft Defender for Containers is calculated on the number of cores of the VMs that make up the AKS cluster. This price also includes 20 free scans per vCore, and the calculation is based on the consumption of the previous month. Each additional scan is charged, but most customers should not incur any additional cost for image scanning.

Conclusions

Microservices-based architectures let you scale easily and develop applications faster, promoting innovation and accelerating the time-to-market of new features. A solution such as Microsoft Defender for Containers is essential to provide an adequate level of protection against the increasingly advanced security threats that target these types of application architectures.

The security of AWS environments with Microsoft Defender for Cloud

Microsoft Defender for Cloud, previously known as Azure Security Center and Azure Defender, is a Cloud Security Posture Management (CSPM) and workload protection solution, able to identify security weaknesses in cloud configurations, strengthen the overall security posture of the environment and protect workloads in hybrid and multi-cloud environments. For those adopting a multi-cloud strategy who need high security standards for their environment, it is important to know that Microsoft Defender for Cloud can also cover resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). This article describes how to secure AWS environments using Microsoft Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud cover two major pillars of cloud security:

  • Cloud Security Posture Management (CSPM) capable of providing the following features:
    • Visibility: to assess the current security situation.
    • Hardening guidance: to improve security efficiently and effectively.

Thanks to continuous assessment, Defender for Cloud continuously discovers newly deployed resources and evaluates whether they are configured according to security best practices. If not, the assets are flagged and you get a prioritized list of recommendations on what to fix to improve their security. This list of recommendations is backed by the Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, which contains security and compliance best practices based on common frameworks, with a focus on cloud-centric security. This benchmark covers controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).

Defender for Cloud assigns a global score to the environment, called the Secure Score, which lets you evaluate the risk profile (the higher the score, the lower the identified level of risk) and take remediation actions.

  • Cloud workload protection (CWP): Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. Furthermore, it includes a wide range of advanced and intelligent protections for workloads, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Defender for Cloud therefore allows you to meet the following three needs, considered essential when managing the security of resources and workloads residing in the cloud and locally:

Figure 1 - Security needs covered by Microsoft Defender for Cloud

AWS resource protection

To protect resources on other public clouds with this solution, a mechanism based on connectors that interface with AWS and GCP accounts has been available for some time. The onboarding process for an AWS account was based on integration with AWS Security Hub, as detailed in this article.

Now a new native mechanism, with an agentless approach, allows you to connect to AWS environments. This new method takes advantage of the AWS APIs and has no dependency on other solutions such as AWS Security Hub. The onboarding experience is designed to work easily at scale: by simply connecting your AWS master (management) account, existing and future member accounts are onboarded automatically.

Figure 2 - Connect AWS to Microsoft Defender for Cloud

This mechanism easily extends Defender for Cloud's advanced security capabilities to your AWS resources and includes the following areas.

Figure 3 - Protection plans available

Cloud Security Posture Management (CSPM) for AWS

Defender for Cloud CSPM capabilities are extended to your AWS resources. This agentless plan evaluates AWS resources against AWS-specific security recommendations, which are included in the calculation of the global Secure Score. To provide an overall view of the security status of your multi-cloud environments, AWS security recommendations are also integrated into the Defender for Cloud portal, alongside Azure recommendations. Microsoft has implemented more than 160 ready-to-use recommendations for IaaS and PaaS services and three regulatory standards: AWS CIS, AWS PCI DSS and AWS Foundational Security Best Practices. All this allows you to strengthen your security posture while covering AWS resources in the best possible way. Furthermore, you can customize existing standards or create new ones containing your own recommendations, to verify compliance with internal requirements.

Figure 4 - Recommendations for AWS integrated in Defender for Cloud

Cloud workload protection (CWP) for AWS

Defender for Cloud currently provides enhanced protection for the following AWS workloads:

  • Server protection: Microsoft Defender for Servers offers advanced threat detection and defense for EC2 instances as well, for both Windows and Linux systems. This plan includes the integrated license for Microsoft Defender for Endpoint and several features, including: security baselines and assessment at the OS level, vulnerability assessment, Adaptive Application Controls (AAC) and File Integrity Monitoring (FIM).
  • Container protection: Microsoft Defender for Containers extends the container threat detection and advanced defenses of Defender for Kubernetes to Amazon EKS (Elastic Kubernetes Service) clusters. For Defender for Containers to protect AWS EKS clusters, Azure Arc-enabled Kubernetes and the Defender extension are required.

Figure 5 – Alerts and recommendations for EKS clusters

Note: For those who have already set up an AWS connector using classic cloud connectors, it is recommended to connect the account again using the new mechanism.

The Cost of the Solution

If you decide to activate this integration, the following information on costs applies:

  • The CSPM plan is free. To provide recommendations, the CSPM plan queries the AWS resource APIs several times a day. These read-only API calls incur no charge, but they are logged in CloudTrail if your trail is configured to record read events. As noted in the AWS documentation, this does not involve additional costs. However, you should be careful and, if needed, filter these events when data exports are planned (for example, to send them to an external SIEM).
  • The Defender for Containers plan is billed at the same price as the Defender for Kubernetes plan for Azure resources.
  • For each AWS machine connected to Azure through Azure Arc, the Defender for Servers plan is billed at the same price as the Microsoft Defender for Servers plan for Azure machines.
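The caveat in the CSPM bullet above, that the connector's read-only calls end up in CloudTrail and can inflate what you ship to a SIEM, is worth handling deliberately rather than by dropping the whole trail. The following added example (not part of the article and not the connector's own code) triages CloudTrail records before forwarding: it suppresses read-only calls made with the connector's assumed IAM role, forwards everything else unchanged, and separately flags any non-read call made with that role, since an agentless CSPM integration is expected to do nothing but read. The role name CspmMonitorAws and the four sample records are assumptions constructed for this example; check the name your own connector's CloudFormation deployment created.

```python
"""Triage CloudTrail records before forwarding them to a SIEM.

Added example, not part of the original article or of the Defender for Cloud
connector: it drops the expected read-only calls made by the connector's
IAM role, forwards everything else, and separately flags any non-read call
made with that role (which would be unexpected for an agentless CSPM
integration). The role name and the sample records are assumptions
constructed for this example.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Assumption: name of the IAM role assumed by the Defender for Cloud connector.
CONNECTOR_ROLE_NAMES = ("CspmMonitorAws",)

# ARN of an assumed-role session: arn:aws:sts::<acct>:assumed-role/<role>/<session>
_ASSUMED_ROLE_RE = re.compile(r":assumed-role/([^/]+)/")


def connector_role(record: Dict) -> Optional[str]:
    """Return the connector role name if the record was produced by it, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    match = _ASSUMED_ROLE_RE.search(ident.get("arn", ""))
    if match and match.group(1) in CONNECTOR_ROLE_NAMES:
        return match.group(1)
    return None


def triage(records: List[Dict]) -> Tuple[List[Dict], List[Dict], int]:
    """Split records into (forward_to_siem, anomalies, dropped_count)."""
    forward: List[Dict] = []
    anomalies: List[Dict] = []
    dropped = 0
    for rec in records:
        if connector_role(rec) is None:
            forward.append(rec)              # not the connector: always forward
        elif rec.get("readOnly", False):
            dropped += 1                     # expected CSPM read: suppress
        else:
            anomalies.append(rec)            # write from the connector role
            forward.append(rec)
    return forward, anomalies, dropped


def load_records(trail_json: str) -> List[Dict]:
    """Parse the {"Records": [...]} envelope of a CloudTrail log file."""
    return json.loads(trail_json).get("Records", [])


# Constructed CloudTrail file (trimmed to the fields used here).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/MdcSession"}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com", "readOnly": True,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/MdcSession"}},
    {"eventName": "PutBucketPolicy", "eventSource": "s3.amazonaws.com", "readOnly": False,
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/MdcSession"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com", "readOnly": False,
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]})

if __name__ == "__main__":
    fwd, odd, dropped = triage(load_records(SAMPLE_TRAIL))
    print(f"forwarded={len(fwd)} anomalies={len(odd)} dropped={dropped}")
    for rec in odd:
        print("UNEXPECTED WRITE from connector role:", rec["eventName"])
```

On the sample, the two Describe/List calls are dropped, the console login is forwarded, and the PutBucketPolicy call is both forwarded and flagged: a write performed with a role that should only ever read is exactly the event you do not want a volume filter to hide. Matching on the assumed-role ARN rather than on `readOnly` alone keeps every other principal's read events intact.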

Conclusions

Microsoft Defender for Cloud, originally developed with the claim of being the best tool to protect resources in an Azure environment, extends and refines its capabilities to cover other public clouds as well. In particular, thanks to the new integration mechanism with AWS, you can natively adopt a CSPM solution and enable threat protection for your compute workloads in Amazon Web Services (AWS). This allows you to achieve a high degree of security, improve security postures in multi-cloud environments and simplify the management of the tools used to govern security.