So in my previous post we discussed how to approach your cloud project and how everything starts from a correct and secured architect. In this post I am going to address Microsoft Defender for Cloud and also touch on the added capabilities of Defender for workloads.
So what is Defender for Cloud (previously Azure Security Center)? Well in Microsoft’s words Defender for Cloud is a solution for cloud security posture management (CSPM). But what does this actually mean? Well it’s actually a “big brother” that will constantly look at your environment and flag potential security misconfigurations. The idea being that the system helps keep you compliant and running to both Microsoft and your own Best Practices. I say Microsoft and your own as behind the senses there is a policy that by default is set to a baseline recommended by Microsoft, this can of course be edited, you can even configure multiple policies for multiple environments tailored to your requirements. Oh and the system is also multi-cloud, so you can monitor not only your Azure environment but also your AWS and GCP environments.
Some examples of what Defender for cloud has to offer:
- Identify threats and misconfigurations across IaaS, PaaS, AWS, GCP & On-Prem
- Identify VM’s with exposed management ports such as RDP & SSH
- Identify VM’s with out disc encryption
- Identify VM’s with no Virus protection
- Identify unpatched operating systems
- Identify web services not protected by WAF
- Alerts for management users not using MFA
- Alert for lack of hardening on Azure Key Vaults
Of course once configured the system can also send all alerts to E-mail or to your organization SIEM/SOC such as Azure Sentinel. Oh and the major selling point. Microsoft Defender for cloud is free for your Azure environment. So there is no excuse not to use the system.
So to briefly summaries the use of Defender for cloud, the idea is to Harden, Track your posture, protect and streamline. All this will help you Assess, Secure and Defend your cloud while meeting regulatory compliance.
Now taking it a step forward Microsoft also offers Cloud Workload Protection (CWP) Cloud workload protection takes things forward by not not only looking at configuration but at the actual workloads themselves. Think of it as an Anti-Virus but aimed directly at a service and not an OS and not just hunting for viruses. The service can offer protection for
- Virtual Machines
- Azure App Service
- Databases (Both On VM and PaaS)
- Azure Storage
- AKS (Kubernetes)
- Azure DNS
Some examples of what Defender for workload has to offer:
- Service accessed by malicious IP
- Event log cleared
- Anti-Malware disabled
- Brute force login attacks
- Suspicious login (unexpected region, unexpected user)
- Large data extraction (possibly a data leak)
- Unusual change of service permissions
- Guest account with elevated privilege’s
For the full list you can take a look over here
So, to fully summaries, the use of Microsoft Defender for cloud will allow you better posture management and insights into your cloud configuration while the added layer of Defender for workloads can help keep an eye directly on your services.
IN the next and final post on this subject we will address some final points such as Infra as code and why this is also a a point that can help address security
Gil Gross on Microsoft Azure 