Cloud architectures often involve distributed deployments spanning multiple services. This makes it difficult to set up proper security controls with traditional security solutions. Unified security management platforms, however, provide a single pane of glass for distributed, dynamic environments, including hybrid and multi-cloud.
Microsoft Defender for Cloud (MDC), the new name for Azure Security Center and Azure Defender, is an Azure-native security platform that simplifies threat detection and security posture management for hybrid cloud workloads.
In this article, we’ll discuss Defender for Cloud (focusing especially on the parts formerly known as Azure Security Center), as follows:
- Security Challenges in Azure Cloud
- Reasons to Adopt Microsoft Defender for Cloud (MDC)
- How to Set Up MDC
- Inherent Security Gaps in Microsoft Azure
- How to Fill the Gaps
Security Challenges in Azure Cloud
While Azure offers a highly scalable, feature-rich platform for the deployment of dynamic applications, there are inherent security challenges that require a pragmatic approach to reducing vulnerabilities. Here are some common issues.
Rapidly Changing Workloads
One of the benefits of hosting applications on Azure is that your infrastructure can scale to handle changing workloads. However, as instances are replicated, web security infrastructure does not necessarily scale accordingly. This is especially true with hybrid cloud architectures, because traditional security platforms often lack the flexibility to implement consistent security controls (e.g., change and access control mechanisms) when cloud workloads scale up and down.
Attack Surface Spanning Multiple Services
Azure typically relies on the integration of several internal/external services to host an application. Hackers study the usage patterns of these services, identify security gaps, and then attempt to perform breaches. A security gap in one service, or in the connection between two services, can leave the entire architecture open to attack. (Examples of recent Azure vulnerabilities include the ChaosDB exploit and potential abuse of the VMAccess extension.) Additionally, the integration between multiple services also makes it difficult to create a single observability platform for them all.
High Level of Required Expertise
One of the greatest hindrances to the adoption of a hybrid cloud architecture is the lack of knowledge and expertise to implement security for distributed workloads. According to a HashiCorp survey, over 76% of organizations are already using multicloud, which raises the level of complexity and the specialized expertise required.
Reasons to Adopt Microsoft Defender for Cloud
Defender for Cloud offers a solution to the above challenges, with a single platform to manage threats and the security posture of dynamic workloads on Azure. Some benefits of MDC include the following.
Vulnerability Detection and Threat Management
Defender for Cloud offers a comprehensive security mitigation platform to detect and prevent threats on Azure PaaS services, Azure data services, and network connections. This includes vulnerability assessment and management for various cloud resources, providing security recommendations and a benchmark for hardening services and resources.
MDC relies on Microsoft’s threat intelligence service to provide a wide range of data-driven protection solutions for workloads. The service amasses logs, events, and signals to provide a holistic view of your entire infrastructure, helping prevent security threats and generating alerts to notify security teams of upcoming issues.
Improved Cloud Security Posture
Defender for Cloud includes visibility and a hardening guide to manage the security posture of your cloud workloads. It also gives your infrastructure a secure score after evaluating your active subscriptions, organization, and resources for security issues. A high secure score means a good security posture, while a low score means your system requires hardening.
MDC offers advanced controls to track a deployment’s security posture, streamline security management, and prevent security incidents. The platform comes with Microsoft’s Defender plans, which protect all of your workloads running on the Azure cloud, including hybrid and multi-cloud setups. While the platform integrates automatically with Azure machines, it can also be extended to non-Azure machines using Azure Arc.
Agile Security Measures
As an Azure-native solution, MDC easily integrates with other Azure services for automatic monitoring and protection. For services that are marked critical, MDC autonomously deploys telemetry agents to collect security and performance information.
How to Set Up Microsoft Defender for Cloud
Follow the steps below to configure and run Azure Security Center for both vanilla and hybrid cloud workloads.
Prerequisites: Completing this procedure requires an active subscription to Microsoft Azure. Furthermore, to enable enhanced security features, you must sign in as the subscription’s owner, security admin, or contributor.
Step 1: Enabling Azure Security Center
To enable the Defender for Cloud service, first sign in to the Azure portal. This grants you access to various Microsoft Azure services and features via a simple web UI.
In the search bar, find and select Microsoft Defender for Cloud. Click on Upgrade below the dashboard to enable Microsoft Defender for Cloud on the current subscription, which automatically activates Azure Defender.
Quick tip: Once launched, MDC offers suggestions on how to improve the security of connected resources, which you can use to harden the security posture of your cloud workload. The dashboard also assesses your inventory of resources, displaying each one’s security posture for easier management.
Step 2: Configuring Auto-Provisioning
Auto-provisioning eliminates management overhead by installing all required agents without manual effort, ensuring rapid security coverage for hybrid cloud resources. While auto-provisioning is disabled by default, Azure recommends enabling it for easier collection of monitoring data.
To do this, click on Environment settings on the Microsoft Defender menu, as shown below.
Select the relevant subscription; then, on the auto-provisioning page, click Enable all extensions.
This brings up an Extensions pop-up. Click Apply to confirm all default auto-provisioning settings for the workspace configuration, workspace selection, and vulnerability assessment. Next, click Save to activate them for your subscription.
This procedure installs extensions that automatically collect data to provide visibility into the security status for various compute resources, such as IaaS containers, VMs, and scale sets, as well as non-Azure machines.
Step 3: Setting Up Security Notifications
MDC enables the configuration of email alerts for users with specific Azure roles or individual email addresses. The platform also allows teams to define email preferences, such as security levels for notifications and who gets notified.
Quick tip: To avoid alert fatigue, it is recommended to limit the volume of outgoing emails depending on the severity level of the alert. You can do this during the configuration of email preferences using the steps outlined below.
On the Auto provisioning menu, click Email notifications.
Next, click on the desired roles for the recipients, and input individual email addresses (optional) in the Additional email addresses field, each separated by a comma. Select the severity level of notifications to be sent to the selected users, then click Save to confirm the selection.
Step 4: Connecting Azure VMs
The rebranded version of Microsoft Defender for Cloud automatically connects with Azure VMs once auto-provisioning is enabled. For non-Azure machines, you can connect with Microsoft Defender plans using Azure Arc. You can also use Defender for Cloud to monitor and secure workloads in AWS or GCP. Microsoft has helpful documentation to connect your AWS or GCP accounts as standalone environments in just a couple of simple steps.
Step 5: Creating Auto-Response for Alerts
Azure allows operations teams to set up automatic responses to specific security alerts using Azure Resource Manager (ARM) templates. You can use these templates, which are JSON files, to define your project’s infrastructure and configuration, creating a workflow automation that initiates a logic app when Defender receives specific security alerts.
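As an added example (not part of the original article, and not Microsoft's own code), the script below builds the ARM resource for such a workflow automation in Python and evaluates its rule set locally against a few constructed alerts, so you can see which alerts would trigger the logic app before deploying. The resource follows the Microsoft.Security/automations schema as I understand it (one rule set per severity, since rules inside a rule set are AND-ed and rule sets are OR-ed); the subscription ID, logic app resource ID, callback URI and sample alerts are placeholders and constructed data, and the operator handling covers only a subset of what the service accepts.

```python
"""Build a Defender for Cloud workflow automation (Microsoft.Security/automations)
as an ARM resource and evaluate its rule set locally against sample alerts.

Added example, not from the original article. The resource shape follows the
Microsoft.Security/automations schema as I understand it; the apiVersion,
resource IDs and callback URI are placeholders to be replaced with real values.
"""
import json
from typing import Any

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
LOGIC_APP_ID = (  # placeholder logic app resource ID
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/rg-security"
    "/providers/Microsoft.Logic/workflows/la-alert-response"
)
# Placeholder: in practice this is the logic app's HTTP trigger callback URL.
LOGIC_APP_TRIGGER_URI = (
    "https://PLACEHOLDER.logic.azure.com/workflows/PLACEHOLDER/triggers/manual/paths/invoke"
)


def build_automation(name: str, severities: list[str], location: str = "westeurope") -> dict[str, Any]:
    """Return the ARM resource for an automation that fires the logic app only
    for alerts whose Severity is one of `severities`. Rules within a ruleSet
    are AND-ed and ruleSets are OR-ed, so one ruleSet per severity expresses
    "High OR Medium"."""
    return {
        "type": "Microsoft.Security/automations",
        "apiVersion": "2019-01-01-preview",  # assumed; check current API docs
        "name": name,
        "location": location,
        "properties": {
            "isEnabled": True,
            "scopes": [{"description": "whole subscription",
                        "scopePath": f"/subscriptions/{SUBSCRIPTION_ID}"}],
            "sources": [{
                "eventSource": "Alerts",
                "ruleSets": [
                    {"rules": [{"propertyJPath": "Severity", "propertyType": "String",
                                "expectedValue": sev, "operator": "Equals"}]}
                    for sev in severities
                ],
            }],
            "actions": [{"actionType": "LogicApp",
                         "logicAppResourceId": LOGIC_APP_ID,
                         "uri": LOGIC_APP_TRIGGER_URI}],
        },
    }


def _lookup(alert: dict[str, Any], jpath: str) -> Any:
    """Resolve a dotted property path ("Severity", "ExtendedProperties.ip")
    against an alert dict; returns None when any segment is missing."""
    node: Any = alert
    for part in jpath.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def _rule_matches(alert: dict[str, Any], rule: dict[str, Any]) -> bool:
    """Evaluate one rule; only string operators are handled in this example."""
    value = _lookup(alert, rule["propertyJPath"])
    if value is None:
        return False
    op, expected, text = rule["operator"], rule["expectedValue"], str(value)
    if op == "Equals":
        return text == expected
    if op == "Contains":
        return expected in text
    if op == "StartsWith":
        return text.startswith(expected)
    if op == "EndsWith":
        return text.endswith(expected)
    raise ValueError(f"operator not handled in this example: {op}")


def automation_fires(automation: dict[str, Any], alert: dict[str, Any]) -> bool:
    """True when the automation is enabled and any ruleSet has all rules matching."""
    props = automation["properties"]
    if not props.get("isEnabled", False):
        return False
    for source in props["sources"]:
        if source["eventSource"] != "Alerts":
            continue
        for rule_set in source.get("ruleSets", []):
            if all(_rule_matches(alert, r) for r in rule_set["rules"]):
                return True
    return False


# Constructed sample alerts (field names mirror the alert payload loosely).
SAMPLE_ALERTS = [
    {"AlertDisplayName": "Suspicious process executed", "Severity": "High", "CompromisedEntity": "vm-web-01"},
    {"AlertDisplayName": "Unusual sign-in location", "Severity": "Medium", "CompromisedEntity": "sql-prod"},
    {"AlertDisplayName": "Security scanner detected", "Severity": "Low", "CompromisedEntity": "vm-web-02"},
]


def alerts_that_fire(automation: dict[str, Any], alerts: list[dict[str, Any]]) -> list[str]:
    """Names of the alerts that would invoke the logic app."""
    return [a["AlertDisplayName"] for a in alerts if automation_fires(automation, a)]


if __name__ == "__main__":
    auto = build_automation("notify-on-high-and-medium", ["High", "Medium"])
    print(json.dumps(auto, indent=2))
    print(alerts_that_fire(auto, SAMPLE_ALERTS))
```

Running the module prints the resource body you would drop into the `resources` array of a template and the list of sample alerts it would forward (the High and Medium ones, not the Low one). The local evaluator is only a pre-deployment sanity check of the rule logic; the service itself decides what fires in production.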
Step 6: Using the Overview Dashboard
Besides offering an overview of connected resources and their security posture, Microsoft Defender can scan resource configurations and compare them with regulatory standards and frameworks.
To add a standard to the dashboard, click on Regulatory compliance from the platform’s menu.
The next page displays the compliance status of various security aspects within a hybrid environment, enabling teams to improve their security posture.
This can be narrowed down based on root cause by selecting a specific standard and analyzing different sets of assessments. The Azure Security Benchmark v3, for instance, displays the following fields.
Administrators can expand each item on the menu to identify the potential causes of issues (highlighted in red).
Step 7: Analyzing Azure Secure Score
The Microsoft Defender dashboard also offers a secure score as a critical metric to simplify assessing a deployment’s security posture. On the Defender menu, select Secure Score.
Then, click on Recommendations to view the specific scores for all resources, as shown.
Step 8: Integrating Azure Security Center into a CI/CD Pipeline
Microsoft’s Defender for Cloud provides various partner security solutions out of the box so administrators can monitor the health of workloads and access advanced configurations for efficient pipeline management.
One such feature is Azure Defender’s support of various third-party security information and event management (SIEM) platforms. To connect with these, MDC offers an export option for teams to send alerts to popular SIEM platforms like IBM QRadar XDR and Splunk.
First, click on the Security solutions option on the Microsoft Defender for Cloud menu, as shown below.
Next, on the Security solutions page, navigate to the Add data sources section, and click ADD under the SIEM option.
Step 9: Configuring an Event Hub
The SIEM solutions can now ingest log data from the Event Hub—a namespace that collects all of Azure’s monitoring data—enabling seamless integration with the monitoring platform.
On the SIEM integration page, click on Create an Event Hub.
This redirects to a Create Namespace page. Give the namespace a name, then click Review + create.
Once the namespace is configured, the dashboard displays Requests, Messages, and Throughput for Azure resources. The namespace is a logical grouping of event hubs with a similar access policy.
Back in the SIEM integrations page, click on Export Activity Log to export Azure logs to the event hub.
This brings all the information collected by Azure Monitor into the Event Hub, as shown below.
Going even further, you can also install a specific SIEM collector that accesses data from the event hub and exports it to a monitoring service. You can find additional details on the list of supported SIEM connectors here.
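A SIEM collector reading from the Event Hub receives batches of JSON records and must turn them into events the SIEM can index. As an added example (not from the original article and not a Microsoft or vendor collector), the script below parses one such batch, separates Defender security alerts from activity-log entries, flattens each into a SIEM-ready record, and drops duplicate redeliveries. The message body is constructed, and its field names are a simplified stand-in for the real export schema; no Event Hub client is involved, so it runs offline.

```python
"""Normalize a constructed Azure Monitor / Defender for Cloud export batch, as a
SIEM collector reading from the Event Hub would, into flat events.

Added example, not from the original article. The record layout below is a
simplified, constructed stand-in for the real export format.
"""
import json
from collections import Counter
from typing import Any

# Constructed Event Hub message body: Azure Monitor exports are JSON objects
# carrying a "records" array. Field names inside the records are simplified.
SAMPLE_MESSAGE = json.dumps({
    "records": [
        {"time": "2024-01-15T10:01:00Z", "category": "Administrative",
         "operationName": "Microsoft.Compute/virtualMachines/write",
         "resourceId": "/subscriptions/PLACEHOLDER/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
         "resultType": "Success", "caller": "ops@example.com"},
        {"time": "2024-01-15T10:02:30Z", "category": "Security",
         "properties": {"alertId": "alert-0001", "alertDisplayName": "Suspicious process executed",
                        "severity": "High", "compromisedEntity": "vm-web-01"}},
        # Same alert delivered twice (Event Hub offers at-least-once delivery).
        {"time": "2024-01-15T10:02:31Z", "category": "Security",
         "properties": {"alertId": "alert-0001", "alertDisplayName": "Suspicious process executed",
                        "severity": "High", "compromisedEntity": "vm-web-01"}},
        {"time": "2024-01-15T10:05:00Z", "category": "Security",
         "properties": {"alertId": "alert-0002", "alertDisplayName": "Security scanner detected",
                        "severity": "Low", "compromisedEntity": "vm-web-02"}},
    ]
})


def parse_batch(body: str) -> list[dict[str, Any]]:
    """Decode one Event Hub message body and return its records array."""
    payload = json.loads(body)
    records = payload.get("records")
    if not isinstance(records, list):
        raise ValueError("export message has no 'records' array")
    return records


def normalize(record: dict[str, Any]) -> dict[str, Any]:
    """Flatten one record into a SIEM-ready event with a stable dedup key."""
    if record.get("category") == "Security" and isinstance(record.get("properties"), dict):
        props = record["properties"]
        return {
            "time": record.get("time"),
            "kind": "alert",
            "severity": props.get("severity", "Unknown"),
            "summary": props.get("alertDisplayName", "<unnamed alert>"),
            "resource": props.get("compromisedEntity"),
            "dedup_key": f"alert:{props.get('alertId')}",
        }
    # Anything else is treated as an activity-log entry (informational).
    return {
        "time": record.get("time"),
        "kind": "activity",
        "severity": "Informational",
        "summary": f"{record.get('operationName')} -> {record.get('resultType')}",
        "resource": record.get("resourceId"),
        "dedup_key": f"activity:{record.get('time')}:{record.get('operationName')}:{record.get('resourceId')}",
    }


def to_siem_events(body: str) -> list[dict[str, Any]]:
    """Parse, normalize and de-duplicate a batch, preserving arrival order."""
    seen: set[str] = set()
    events: list[dict[str, Any]] = []
    for record in parse_batch(body):
        event = normalize(record)
        if event["dedup_key"] in seen:
            continue
        seen.add(event["dedup_key"])
        events.append(event)
    return events


def severity_counts(events: list[dict[str, Any]]) -> dict[str, int]:
    """Per-severity totals, useful as a quick ingestion health check."""
    return dict(Counter(e["severity"] for e in events))


if __name__ == "__main__":
    evs = to_siem_events(SAMPLE_MESSAGE)
    for e in evs:
        print(e["time"], e["kind"], e["severity"], e["summary"])
    print(severity_counts(evs))
```

In a real collector the body would come from the Event Hub consumer loop and the dedup set would be persisted (or bounded) across batches; the point here is that activity-log writes and Defender alerts arrive in the same stream and need to be told apart and de-duplicated before they reach the SIEM's correlation rules.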
Inherent Security Gaps in Microsoft Azure
Microsoft Defender for Cloud provides a unified security management platform for cloud workloads. It’s a good service for assessing and improving the security of Azure and hybrid cloud workloads.
Of course, vulnerability assessment and monitoring are only one part of a robust security posture. The most important component is a strong web security solution to detect threats in incoming requests and block attack traffic. For this, Microsoft Azure’s native tools are insufficient.
Azure’s primary service for traffic filtering is Azure WAF. This is a good tool as far as it goes, but it does not provide full protection. There are many threats that it cannot mitigate.
How to Fill the Gaps
Reblaze provides complete web security for Microsoft Azure. It keeps hackers out of your single-, multi-, and hybrid cloud environments, blocking attack traffic and protecting sites, services, web applications, and APIs.
Reblaze is a unified, all-in-one web security platform; it includes a next-gen WAF, multi-layer DoS/DDoS protection, advanced bot management, precise ACL, API security, real-time reporting, full traffic transparency, ATO prevention, and more, all fully integrated with Azure. The platform is fully managed, always up-to-date, and includes continual machine learning for accurate, adaptive threat recognition. Reblaze deploys in minutes, and runs on your choice of Microsoft Azure and/or other clouds. For more information or to get a demo, contact us here.