Category Archives: Microsoft Defender for Cloud

How to strengthen the security posture of public cloud, hybrid and multi-cloud environments with Defender for Cloud

The adoption of cloud infrastructures and services, which helps businesses accelerate their digital transformation, also requires adapting the solutions, processes and practices used to establish and maintain a high degree of security for IT resources. This must be done regardless of the deployment models in use, strengthening the overall security posture of the environment and providing advanced threat protection for all workloads, wherever they reside. This article describes how Defender for Cloud can monitor and improve the security of IT environments whose resources run in the public cloud, in hybrid and in multi-cloud environments.

The challenges of security in modern infrastructures

The main security challenges faced when adopting modern infrastructures that use cloud components include:

  • Rapidly and constantly evolving workloads. This is a double-edged sword of the cloud: on the one hand, end users get more out of cloud-based solutions; on the other hand, it becomes hard to ensure that services which change quickly and continuously still meet their standards and follow all security best practices.
  • Increasingly sophisticated attacks. Regardless of where workloads run, attackers use sophisticated and advanced techniques, so reliable protections must be in place to counter them.
  • Security resources and expertise that are not always sufficient to respond to security alerts and to ensure that environments are adequately protected. IT security is an ever-changing front, and staying up to date is a constant and difficult challenge.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud cover two major pillars of security for modern architectures that adopt cloud components: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP).

Figure 1 – The pillars of security covered by Microsoft Defender for Cloud

Cloud Security Posture Management (CSPM)

In the field of Cloud Security Posture Management (CSPM) Defender for Cloud can provide the following features:

    • Visibility: to assess the current security situation.
    • Hardening guidance: to improve security efficiently and effectively.

Through continuous assessment, Defender for Cloud keeps discovering newly deployed resources and evaluates whether they are configured according to security best practices. If they are not, the resources are flagged and you get a prioritized list of recommendations on what should be fixed to improve their protection. These recommendations are driven by the Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, which contains security and compliance best practices based on common frameworks with a focus on cloud-centric security. The benchmark maps to controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), and the set of standards assessed can be customized to match the ones you have to comply with.

Figure 2 - Examples of recommendations

Defender for Cloud assigns the environment an overall score, called Secure Score, which lets you evaluate the risk profile (the higher the score, the lower the identified level of risk) and prioritize remediation actions.

Figure 3 - Secure score example
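To make the scoring concrete, here is a small added example (not code from the original article or from Microsoft) that reproduces the way Secure Score is computed: each control has a fixed maximum score, a resource counts as healthy for a control only when it passes every recommendation in that control, and the overall score is the sum of the controls' current scores over the sum of their maximum scores. The control names, maximum scores and resource counts are constructed sample data, and the exclusion of controls with no assessed resources is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    """A Secure Score control: a group of related recommendations with a fixed max score."""
    name: str
    max_score: float
    # resource id -> {recommendation name: passed?}; constructed sample data below
    resources: dict = field(default_factory=dict)

    def healthy(self) -> int:
        # A resource is healthy for the control only when it passes EVERY recommendation
        # in that control, which is why partially remediated resources do not move the score.
        return sum(1 for checks in self.resources.values() if all(checks.values()))

    def current_score(self) -> float:
        total = len(self.resources)
        if total == 0:  # assumption: a control with no assessed resources is "not applicable"
            return 0.0
        return self.max_score * self.healthy() / total


def secure_score(controls) -> float:
    """Overall Secure Score as a percentage: sum of current scores over sum of max scores."""
    applicable = [c for c in controls if c.resources]
    max_total = sum(c.max_score for c in applicable)
    if max_total == 0:
        return 0.0
    return round(100.0 * sum(c.current_score() for c in applicable) / max_total, 1)


def remediation_priority(controls):
    """Controls ordered by the points gained if every resource in them became healthy.

    This is the "prioritized list" view: fixing the control with the biggest gap first
    improves the score the most.
    """
    gains = [(c.name, round(c.max_score - c.current_score(), 2)) for c in controls if c.resources]
    return sorted(gains, key=lambda g: g[1], reverse=True)


# Constructed sample: three controls covering one subscription, four VMs and two storage accounts.
SAMPLE_CONTROLS = [
    Control("Enable MFA", 10, {
        "sub-1": {"MFA for owners": True, "MFA for writers": False},
    }),
    Control("Remediate vulnerabilities", 6, {
        "vm-1": {"VA findings resolved": True},
        "vm-2": {"VA findings resolved": True},
        "vm-3": {"VA findings resolved": True},
        "vm-4": {"VA findings resolved": False},
    }),
    Control("Enable encryption at rest", 4, {
        "storage-1": {"Infrastructure encryption": True},
        "storage-2": {"Infrastructure encryption": True},
    }),
]

if __name__ == "__main__":
    print(f"Secure Score: {secure_score(SAMPLE_CONTROLS)}%")
    for name, gain in remediation_priority(SAMPLE_CONTROLS):
        print(f"  +{gain:>5} points  {name}")
```

With the sample data the MFA control scores zero even though one of its two recommendations passes, which is the behaviour to remember when planning remediation: a control only pays out when its resources are fully compliant.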

Cloud workload protection (CWP)

In this area, Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. It also includes a wide range of advanced and intelligent workload protections, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments:

Figure 4 – Workloads protected by Defender for Cloud

Defender for Cloud therefore addresses the following three needs, considered essential when managing the security of resources and workloads that reside in the cloud and in on-premises environments:

Figure 5 - Security needs covered by Microsoft Defender for Cloud

As part of its advanced security features, Defender for Cloud also includes vulnerability assessment solutions for virtual machines, container registries and SQL servers. Some scans are performed using the Qualys solution, which does not require separate licenses or dedicated Qualys accounts: everything is included and managed through Defender for Cloud.

Which environments can be protected with Defender for Cloud?

Defender for Cloud is an Azure-native service that can protect not only the resources present in Azure, but also hybrid and multi-cloud environments.

Figure 6 - Cross protection on different environments

Azure environment protection

  • Azure IaaS and Azure PaaS services: Defender for Cloud can detect threats targeting virtual machines and services in Azure, including Azure App Service, Azure SQL, Azure Storage accounts and others. It also detects anomalies in Azure activity logs through native integration with Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security).
  • Azure data services: Defender for Cloud includes features that automatically classify data in Azure SQL. It can also run assessments to detect potential vulnerabilities in Azure SQL and Storage services, accompanied by recommendations on how to mitigate them.
  • Network: applying Network Security Groups (NSGs) to filter traffic to and from resources attached to Azure virtual networks is essential for network security. However, the traffic that actually passes through an NSG often matches only a subset of the defined rules, or far fewer sources and ports than the rules allow. In these cases, the Adaptive network hardening feature further improves the security posture by tightening the NSG rules. Using a machine learning algorithm that takes into account actual traffic, the configuration, threat intelligence and other indicators of compromise, it recommends adjustments to the NSG configuration so that only the strictly necessary traffic is allowed.
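The following added example (not code from the original article or from the Adaptive network hardening feature itself, which also weighs threat intelligence) shows the traffic-driven part of the idea: given a set of inbound allow rules and the flows actually observed during a window, attribute each flow to the highest-priority rule that permits it, then propose removing rules that saw no traffic and narrowing rules that were used by only a handful of sources. The rules, the flows and the `public_threshold` cut-off are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NsgRule:
    """Simplified inbound *allow* rule; the lower priority number wins, as in a real NSG."""
    name: str
    priority: int
    source: str          # source address prefix, e.g. "0.0.0.0/0" or "10.0.0.0/8"
    dest_ports: tuple    # destination ports the rule allows


@dataclass(frozen=True)
class Flow:
    """One allowed inbound flow, as read from NSG flow logs (constructed here)."""
    src_ip: str
    dest_port: int


def first_matching_rule(rules, flow):
    """Attribute a flow to the highest-priority rule that permits it (None if nothing does)."""
    src = ipaddress.ip_address(flow.src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if flow.dest_port in rule.dest_ports and src in ipaddress.ip_network(rule.source):
            return rule
    return None


def harden(rules, flows, public_threshold=20):
    """Propose a tightened rule set from observed traffic.

    Returns {rule name: (action, new sources)} where action is
      "remove"   - no flow matched the rule during the observation window
      "restrict" - only a few sources used it: narrow the prefix to those /32s
      "keep"     - used by more than public_threshold sources (a genuinely public
                   service) or already as narrow as the traffic it carries
    """
    seen = {rule.name: set() for rule in rules}
    for flow in flows:
        rule = first_matching_rule(rules, flow)
        if rule is not None:
            seen[rule.name].add(flow.src_ip)

    proposal = {}
    for rule in rules:
        sources = sorted(seen[rule.name], key=ipaddress.ip_address)
        allowed = ipaddress.ip_network(rule.source).num_addresses
        if not sources:
            proposal[rule.name] = ("remove", ())
        elif len(sources) <= public_threshold and len(sources) < allowed:
            proposal[rule.name] = ("restrict", tuple(f"{ip}/32" for ip in sources))
        else:
            proposal[rule.name] = ("keep", ())
    return proposal


# Constructed sample: SSH open to the world but used by two admin IPs, a public web
# front end used by many clients, and an RDP rule nobody used in the window.
SAMPLE_RULES = [
    NsgRule("allow-ssh-any", 100, "0.0.0.0/0", (22,)),
    NsgRule("allow-web-any", 110, "0.0.0.0/0", (80, 443)),
    NsgRule("allow-rdp-corp", 120, "10.0.0.0/8", (3389,)),
]
SAMPLE_FLOWS = (
    [Flow("203.0.113.5", 22), Flow("203.0.113.5", 22), Flow("198.51.100.7", 22)]
    + [Flow(f"192.0.2.{i}", 443) for i in range(1, 31)]
)

if __name__ == "__main__":
    for name, (action, sources) in harden(SAMPLE_RULES, SAMPLE_FLOWS).items():
        print(f"{name:16} {action:8} {' '.join(sources)}")
```

The obvious caveat applies to the real feature as much as to this sketch: a rule that carried no traffic in the window may still serve an infrequent but legitimate job, so "remove" recommendations need a human check against change records before being applied.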

Hybrid Environment Protection

Beyond the Azure environment, Defender for Cloud can also be extended to hybrid environments, in particular to protect servers that do not reside in Azure. Through Azure Arc, the Microsoft Defender plans can be extended to non-Azure machines.

Protection of resources running on other public clouds

Microsoft Defender for Cloud can also cover resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). To protect resources on other public clouds, a new native, agentless mechanism connects Defender for Cloud to AWS and GCP environments. This method uses the AWS and GCP APIs directly and has no dependency on other solutions such as AWS Security Hub.

Real case of protection with Defender for Cloud

Consider a customer environment with resources located in Azure, on-premises and in AWS: with Defender for Cloud you can extend protection to all of them, regardless of where they reside.

Indeed, by connecting an Amazon Web Services (AWS) account to an Azure subscription, it is possible to enable the following protections:

  • The CSPM capabilities of Defender for Cloud are extended to AWS resources, which are evaluated against AWS-specific security recommendations. Resources are also assessed for compliance with AWS-specific standards such as AWS CIS, AWS PCI DSS and AWS Foundational Security Best Practices. All of this feeds into the overall Secure Score.
  • Microsoft Defender for Servers offers threat detection and enables advanced defenses for EC2 Windows and Linux instances as well.
  • Microsoft Defender for Kubernetes extends advanced defenses to Amazon EKS Linux clusters and enables the detection of threats against the containers running in those infrastructures.

These protections complement the features described above for Azure environments and for resources residing on-premises.

Conclusions

Defender for Cloud responds effectively to the security challenges raised by the adoption of modern infrastructures. With Microsoft Defender for Cloud you have a solution that identifies security weaknesses in cloud configurations, strengthens the overall security posture of the environment and protects workloads in hybrid and multi-cloud environments.

How to increase the security of container-based application architectures

Modern microservice-based applications are increasingly widespread, and containers are an attractive building block for creating agile, scalable and efficient application architectures. Microservices offer great benefits, thanks to well-known and proven software design patterns that can be applied, but they also create new challenges. One of these is certainly the security of such architectures, which require cutting-edge solutions to reach a high level of protection. This article describes how Microsoft Defender for Containers, the cloud-native solution for container security, protects container-based application architectures by offering advanced capabilities for detecting and responding to security threats.

Functionality offered by the solution

With Microsoft Defender for Containers you can improve, monitor and maintain the security of clusters, containers and the applications running in them. The plan provides the following benefits:

  • Hardening of the environment
  • Vulnerability Scanning
  • Run-time threat protection for the cluster environment and for the nodes

The benefits listed above are detailed in the following paragraphs.

Hardening of the environment

Through continuous assessment of the cluster environments, Defender for Containers provides full visibility into misconfigurations and into compliance with the guidelines, and generates recommendations that help mitigate potential security threats.

Furthermore, through Kubernetes admission control it is possible to ensure that all configurations comply with security best practices. By adopting Azure Policy for Kubernetes you get a bundle of recommendations that protect Kubernetes container workloads; when Defender for Containers is enabled, these policies are provisioned automatically by default. Every request to the Kubernetes API server is then checked against the predefined set of best practices before it takes effect on the cluster. You can therefore use this mechanism both to surface best practices and to enforce them for new workloads that are deployed.
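As an added illustration (not the Azure Policy for Kubernetes implementation and not code from the original article), the following example applies a few of the baseline checks that such admission policies typically enforce to a pod manifest and returns the decision a validating admission webhook would return. The allowed registry name and the two sample pods are constructed; the first pod is deliberately the kind of request that should be rejected, the second is its hardened equivalent.

```python
ALLOWED_REGISTRIES = ("contoso.azurecr.io/",)   # assumption: the organisation's own ACR


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def evaluate_pod(pod, allowed_registries=ALLOWED_REGISTRIES):
    """Return the list of baseline violations for a pod manifest (empty list = admit)."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host namespaces let a container see or tamper with the node and its other pods.
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            violations.append(f"pod: {flag} must not be true")

    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged containers are not allowed")
        # Kubernetes defaults allowPrivilegeEscalation to true, so "unset" is a violation too.
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            violations.append(f"{name}: runAsNonRoot must be true")
        if not image.startswith(allowed_registries):
            violations.append(f"{name}: image {image!r} is not from an allowed registry")
        # Mutable references defeat the registry scan results: require a tag or a digest.
        ref = image.rsplit("/", 1)[-1]
        tag = ref.split(":", 1)[1] if ":" in ref else ""
        if "@sha256:" not in image and tag in ("", "latest"):
            violations.append(f"{name}: image must be pinned to a tag or digest, not 'latest'")
    return violations


def admit(pod):
    """Admission decision in the shape a validating webhook returns: (allowed, reasons)."""
    violations = evaluate_pod(pod)
    return (len(violations) == 0, violations)


# Constructed sample manifests.
BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "shell",
            "image": "docker.io/library/busybox:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "api", "namespace": "shop"},
    "spec": {
        "containers": [{
            "name": "api",
            "image": "contoso.azurecr.io/shop/api:1.4.2",
            "securityContext": {
                "privileged": False,
                "allowPrivilegeEscalation": False,
                "runAsNonRoot": True,
            },
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        allowed, reasons = admit(pod)
        print(pod["metadata"]["name"], "ALLOWED" if allowed else "DENIED", *reasons, sep="\n  ")
```

The point of returning every violation rather than stopping at the first is the same as in the Azure Policy recommendations: the developer who submitted the manifest gets the complete list of what to fix in one round trip.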

Vulnerability Scanning

Defender for Containers includes an integrated vulnerability scanner for the images stored in Azure Container Registry (ACR). Images are scanned on the following triggers:

  • On push: each time an image is pushed to the ACR, a scan is performed automatically.
  • On recent pull: because new vulnerabilities are discovered every day, images that have been pulled in the last 30 days are re-scanned on a weekly basis.
  • On import: Azure Container Registry provides import tools to bring images in from Docker Hub, Microsoft Container Registry or another ACR. All imported images are scanned promptly by the solution.

If vulnerabilities are detected, a notification is generated in the Microsoft Defender for Cloud dashboard. The finding is accompanied by a severity classification and practical guidance on how to fix the specific vulnerabilities found in each image.

Defender for Containers also extends these scanning capabilities by providing visibility into running images. The recommendation “Vulnerabilities in running images should be remediated (powered by Qualys)” groups the running images that have vulnerabilities, providing details on the problems found and how to fix them.

Run-time threat protection for the cluster environment and for the nodes

Microsoft Defender for Containers provides real-time threat protection for containerized environments and generates alerts if threats or malicious activity are detected, both at the host level and at the AKS cluster level.

Protection from security threats occurs at several levels:

  • Cluster level: at the cluster level, threat protection is based on the analysis of Kubernetes audit logs. This monitoring of the AKS-managed control plane generates alerts on events such as an exposed Kubernetes dashboard or the creation of roles with elevated privileges. The complete list of alerts generated by this protection is available in the Microsoft documentation.
  • Host level: with over sixty types of analytics, artificial intelligence algorithms and anomaly detection on running workloads, the solution detects suspicious activities. A team of Microsoft security researchers constantly monitors the threat landscape, and container-specific alerts and vulnerabilities are added as they are discovered. The solution also monitors the growing attack surface of multi-cloud Kubernetes deployments and maps its detections to the MITRE ATT&CK matrix for containers, a framework developed by the Center for Threat-Informed Defense in close collaboration with Microsoft and others.

The complete list of alerts that can be obtained by enabling this protection can be consulted in this document.
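To show what cluster-level detection on audit logs looks like in practice, here is an added example (not Defender for Containers' own detection logic and not code from the original article) that runs three detections over Kubernetes audit events in JSON-lines form: a binding to cluster-admin, a Role or ClusterRole granting wildcard permissions, and a Service that exposes the Kubernetes dashboard. The events are constructed. Note that `requestObject` is only present when the audit policy level for the resource is Request or RequestResponse; at Metadata level the first two detections have nothing to inspect.

```python
import json

PRIVILEGED_ROLES = {"cluster-admin"}           # roleRef names that should never be bound casually
MUTATING_VERBS = {"create", "update", "patch"}
DASHBOARD_NAMESPACES = {"kube-system", "kubernetes-dashboard"}


def _is_wildcard_role(request_object):
    """A Role/ClusterRole with a rule granting every verb on every resource."""
    for rule in request_object.get("rules", []):
        if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
            return True
    return False


def detect(event):
    """Map one Kubernetes audit event to a (rule name, description) finding, or None."""
    if event.get("verb") not in MUTATING_VERBS:
        return None
    ref = event.get("objectRef", {})
    obj = event.get("requestObject", {})   # only present at audit level Request/RequestResponse
    resource = ref.get("resource")
    user = event.get("user", {}).get("username", "<unknown>")

    if (resource in ("clusterrolebindings", "rolebindings")
            and obj.get("roleRef", {}).get("name") in PRIVILEGED_ROLES):
        subjects = ", ".join(s.get("name", "?") for s in obj.get("subjects", []))
        return ("Binding to privileged role",
                f"{user} bound {obj['roleRef']['name']} to {subjects}")
    if resource in ("clusterroles", "roles") and _is_wildcard_role(obj):
        return ("Role with wildcard permissions",
                f"{user} created/changed role {ref.get('name')}")
    if (resource == "services"
            and ref.get("namespace") in DASHBOARD_NAMESPACES
            and "dashboard" in ref.get("name", "")
            and obj.get("spec", {}).get("type") in ("LoadBalancer", "NodePort")):
        return ("Kubernetes dashboard exposed",
                f"{user} exposed {ref['name']} as {obj['spec']['type']}")
    return None


def scan_audit_log(lines):
    """Run the detections over JSON-lines audit events.

    Failed requests are still reported, marked as unsuccessful: a denied attempt to
    bind cluster-admin is itself a signal worth an alert.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        finding = detect(event)
        if finding:
            succeeded = event.get("responseStatus", {}).get("code", 200) < 400
            findings.append((*finding, succeeded))
    return findings


# Constructed sample audit events (one JSON document per line, as the API server writes them).
SAMPLE_AUDIT_LOG = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "dev@contoso.com"},
                "objectRef": {"resource": "clusterrolebindings", "name": "dev-admin"},
                "requestObject": {"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                                  "subjects": [{"kind": "User", "name": "dev@contoso.com"}]},
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "create",
                "user": {"username": "ci-bot"},
                "objectRef": {"resource": "clusterroles", "name": "everything"},
                "requestObject": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "patch",
                "user": {"username": "ops@contoso.com"},
                "objectRef": {"resource": "services", "namespace": "kubernetes-dashboard",
                              "name": "kubernetes-dashboard"},
                "requestObject": {"spec": {"type": "LoadBalancer"}},
                "responseStatus": {"code": 403}}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "verb": "get",
                "user": {"username": "system:serviceaccount:kube-system:coredns"},
                "objectRef": {"resource": "endpoints", "namespace": "kube-system", "name": "kube-dns"},
                "responseStatus": {"code": 200}}),
]

if __name__ == "__main__":
    for rule, detail, ok in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{rule}] {detail} ({'succeeded' if ok else 'denied'})")
```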

Architectures for the different Kubernetes environments

Defender for Containers can protect Kubernetes clusters regardless of whether they run on Azure Kubernetes Service, on-premises or IaaS Kubernetes, or Amazon EKS.

Azure Kubernetes Service (AKS) Cluster

When Defender for Cloud is enabled for clusters created through Azure Kubernetes Service (AKS), audit logs are collected without installing any agent. The Defender profile, deployed on each node, provides runtime protection and collects signals from the nodes using eBPF technology. The Azure Policy add-on for Kubernetes collects cluster and workload configurations, as explained in the previous paragraphs.

Figure 1 - Defender for Cloud architecture for AKS clusters

Azure Arc-enabled Kubernetes

All clusters hosted outside Azure must be connected to Azure through Azure Arc-enabled Kubernetes so that related services, such as Defender for Containers, can be provided. Once the clusters are connected, an Arc extension collects the Kubernetes audit logs from all control plane nodes and sends them to the Microsoft Defender for Cloud back end in the cloud for analysis. The extension is registered with a Log Analytics workspace that serves as a data pipeline, but the audit data is not stored in Log Analytics. Information about workload configurations is handled by the Azure Policy add-on.

Figure 2 – Defender for Cloud architecture for Arc-enabled Kubernetes clusters

Amazon Elastic Kubernetes Service (Amazon EKS)

Clusters created in the AWS environment also need Azure Arc-enabled Kubernetes in order to be projected into Azure. In addition, the AWS account must be connected to Microsoft Defender for Cloud. The plans required are Defender for Containers and CSPM (for configuration monitoring and recommendations).

The EKS cluster, Azure Arc and the Defender extension are the components needed to:

  • collect policy and configuration data from the cluster nodes;
  • obtain runtime protection.

The Azure Policy add-on for Kubernetes collects the configuration of the cluster environment and of the workloads to verify that they comply with the policies. Control plane logs are collected through AWS CloudWatch.

Figure 3 – Defender for Cloud architecture for AWS EKS clusters

Solution upgrade and costs

This Microsoft Defender plan merges and replaces two existing plans, Defender for Kubernetes and Defender for Container Registries, providing new and improved features without deprecating any feature of those plans. Subscriptions on which the previous plans are enabled keep working without upgrading to Microsoft Defender for Containers; to take advantage of the new and improved features, however, they must be upgraded, which can be done with the upgrade icon displayed next to them in the Azure portal.

Enabling these protection plans is subject to specific costs, which can be estimated with the Azure Pricing calculator. In particular, the cost of Microsoft Defender for Containers is calculated on the number of cores of the VMs that make up the AKS cluster. The price includes 20 free image scans per vCore, calculated on the previous month's consumption. Each additional scan is charged, but most customers should not incur any additional cost for image scanning.

Conclusions

Microservices-based architectures make it easier to scale and to develop applications faster, promoting innovation and accelerating the time-to-market of new features. A solution such as Microsoft Defender for Containers is essential to provide an adequate level of protection against the increasingly advanced security threats that target these application architectures.

The security of AWS environments with Microsoft Defender for Cloud

Microsoft Defender for Cloud, previously known as Azure Security Center and Azure Defender, is a Cloud Security Posture Management (CSPM) and workload protection solution that identifies security weaknesses in cloud configurations, strengthens the overall security posture of the environment and protects workloads in hybrid and multi-cloud environments. For those adopting a multi-cloud strategy who need high security standards, it is important to know that Microsoft Defender for Cloud can also cover resources present in Amazon Web Services (AWS) and Google Cloud Platform (GCP). This article describes how to secure AWS environments using Microsoft Defender for Cloud.

The pillars of security covered by Microsoft Defender for Cloud

The capabilities of Microsoft Defender for Cloud cover two major pillars of cloud security:

  • Cloud Security Posture Management (CSPM), which provides the following features:
    • Visibility: to assess the current security situation.
    • Hardening guidance: to improve security efficiently and effectively.

Through continuous assessment, Defender for Cloud keeps discovering newly deployed resources and evaluates whether they are configured according to security best practices. If they are not, the assets are flagged and you get a prioritized list of recommendations on what to fix to improve their security. These recommendations are driven by the Azure Security Benchmark, the Azure-specific set of guidelines created by Microsoft, which contains security and compliance best practices based on common frameworks with a focus on cloud-centric security. The benchmark maps to controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST).

Defender for Cloud assigns the environment an overall score, called Secure Score, which lets you evaluate the risk profile (the higher the score, the lower the identified level of risk) and prioritize remediation actions.

  • Cloud Workload Protection (CWP): Defender for Cloud delivers security alerts based on Microsoft Threat Intelligence. It also includes a wide range of advanced and intelligent workload protections, provided through specific Microsoft Defender plans for the different types of resources present in the subscriptions and in hybrid and multi-cloud environments.

Defender for Cloud therefore addresses the following three needs, considered essential when managing the security of resources and workloads that reside in the cloud and on-premises:

Figure 1 - Security needs covered by Microsoft Defender for Cloud

AWS resource protection

A mechanism to protect resources on other public clouds has existed for some time, based on connectors that interface with AWS and GCP accounts. Onboarding an AWS account used to rely on integration with AWS Security Hub, as detailed in this article.

A new native, agentless mechanism now connects Defender for Cloud to AWS environments. This method uses the AWS APIs directly and has no dependency on other solutions such as AWS Security Hub. The onboarding experience is designed to work easily at scale: by connecting the AWS management (master) account, existing and future member accounts are onboarded automatically.

Figure 2 - Connect AWS to Microsoft Defender for Cloud

This mechanism easily extends Defender for Cloud's advanced security capabilities to your AWS resources and includes the following areas.

Figure 3 - Protection plans available

Cloud Security Posture Management (CSPM) for AWS

Defender for Cloud's CSPM capabilities are extended to AWS resources. This agentless plan evaluates AWS resources against AWS-specific security recommendations, which are included in the calculation of the overall Secure Score. To give a single view of the security status of multi-cloud environments, AWS security recommendations are shown in the Defender for Cloud portal alongside Azure recommendations. Microsoft has implemented more than 160 built-in recommendations for IaaS and PaaS services and three regulatory standards: AWS CIS, AWS PCI DSS and AWS Foundational Security Best Practices. All this strengthens the security posture while covering AWS resources in the best possible way. You can also customize the existing standards or create new ones containing your own recommendations, to verify compliance with internal requirements.

Figure 4 - Recommendations for AWS integrated in Defender for Cloud

Cloud workload protection (CWP) for AWS

The following AWS workloads currently receive enhanced protection:

  • Server protection: Microsoft Defender for Servers offers advanced threat detection and defense for EC2 instances as well, for both Windows and Linux systems. The plan includes the integrated Microsoft Defender for Endpoint license and several features, including security baselines and assessment at the OS level, vulnerability assessment, Adaptive Application Controls (AAC) and File Integrity Monitoring (FIM).
  • Container protection: Microsoft Defender for Containers extends the container threat detection and advanced defenses of Defender for Kubernetes to Amazon EKS (Elastic Kubernetes Service) clusters. To protect EKS clusters, Azure Arc-enabled Kubernetes and the Defender extension are required.

Figure 5 – Alerts and recommendations for EKS clusters

Note: For those who have already set up an AWS connector using classic cloud connectors, it is recommended to connect the account again using the new mechanism.

The Cost of the Solution

If you decide to enable this integration, the following cost considerations apply:

  • The CSPM plan is free. To produce recommendations, the CSPM plan queries the AWS resource APIs several times a day. These read-only API calls are not charged, but they are logged in CloudTrail if a trail records read events. As noted in the AWS documentation, this does not add costs for the trail itself; however, it is advisable to filter these events if the logs are exported elsewhere (for example to an external SIEM), so that scanner noise is neither paid for nor alerted on.
  • The Defender for Containers plan is billed at the same price as the Defender for Kubernetes plan for Azure resources.
  • For each AWS machine connected to Azure through Azure Arc, the Defender for Servers plan is billed at the same price as the Microsoft Defender for Servers plan for Azure machines.
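As an added example of the filtering suggested above (not Microsoft's or AWS's code, and not from the original article), the following function splits exported CloudTrail records into those to forward to the SIEM, those to suppress as expected read-only scanner traffic, and those to escalate: mutating calls made with the connector's role, which should never happen and are a stronger signal than anything the scanner reads. The role name `CspmMonitorAws` and the records are assumptions and constructed data; check the role actually created by the connector's CloudFormation template in your account before using the name.

```python
CONNECTOR_ROLE = "CspmMonitorAws"   # assumption: IAM role assumed by the Defender for Cloud connector


def issuer_role(record):
    """Name of the IAM role behind an assumed-role session, or None for other identity types."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    issuer_arn = identity.get("sessionContext", {}).get("sessionIssuer", {}).get("arn", "")
    return issuer_arn.rsplit("/", 1)[-1] or None


def triage(records, connector_role=CONNECTOR_ROLE):
    """Split CloudTrail records into (forward, suppress, escalate).

    suppress: read-only calls from the connector role - expected scanner noise
    escalate: *mutating* calls from the connector role - it should never write,
              so a write means stolen credentials or a misconfigured policy
    forward:  everything else, unchanged
    """
    forward, suppress, escalate = [], [], []
    for rec in records:
        from_connector = issuer_role(rec) == connector_role
        if from_connector and rec.get("readOnly") is True:
            suppress.append(rec)
        elif from_connector:
            escalate.append(rec)
        else:
            forward.append(rec)
    return forward, suppress, escalate


# Constructed sample records in the shape of CloudTrail events (fields trimmed).
def _record(event_name, source, read_only, identity):
    return {"eventVersion": "1.08", "eventName": event_name, "eventSource": source,
            "readOnly": read_only, "awsRegion": "eu-west-1", "userIdentity": identity}


CONNECTOR_IDENTITY = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/CspmMonitorAws/MicrosoftDefenderForCloud",
    "sessionContext": {"sessionIssuer": {"type": "Role",
                                         "arn": "arn:aws:iam::123456789012:role/CspmMonitorAws"}},
}
ADMIN_IDENTITY = {"type": "IAMUser", "userName": "alice",
                  "arn": "arn:aws:iam::123456789012:user/alice"}
AUDITOR_IDENTITY = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnlyAuditor/bob",
    "sessionContext": {"sessionIssuer": {"type": "Role",
                                         "arn": "arn:aws:iam::123456789012:role/ReadOnlyAuditor"}},
}

SAMPLE_RECORDS = [
    _record("DescribeInstances", "ec2.amazonaws.com", True, CONNECTOR_IDENTITY),
    _record("GetBucketPolicy", "s3.amazonaws.com", True, CONNECTOR_IDENTITY),
    _record("ConsoleLogin", "signin.amazonaws.com", False, ADMIN_IDENTITY),
    _record("ListUsers", "iam.amazonaws.com", True, AUDITOR_IDENTITY),
    _record("CreateAccessKey", "iam.amazonaws.com", False, CONNECTOR_IDENTITY),
]

if __name__ == "__main__":
    for label, bucket in zip(("forward", "suppress", "escalate"), triage(SAMPLE_RECORDS)):
        print(label, [r["eventName"] for r in bucket])
```

Matching on `sessionContext.sessionIssuer` rather than on the session ARN is deliberate: the session name is chosen by whoever assumes the role, so it is not a trustworthy selector, while the issuer is the role itself.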

Conclusions

Microsoft Defender for Cloud, originally built with the aim of being the best tool to protect resources in Azure, extends and refines its capabilities to cover other public clouds as well. In particular, thanks to the new AWS integration mechanism, you can natively adopt a CSPM solution and enable threat protection for compute workloads in Amazon Web Services (AWS). This provides a high degree of security, improves the security posture of multi-cloud environments and simplifies the management of the tools used to govern security.