Microsoft Defender for Cloud - part 1

Table Of Contents

Credits and sources

Microsoft Learn

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-cloud-introduction

TechTarget

https://www.techtarget.com/searchsecurity/definition/Cloud-Security-Posture-Management-CSPM

Intro

In this blog series, I want to focus on how Microsoft Defender for Cloud (MDFC) can help secure your Azure environment. MDFC is a collection of Defender products that provides security and visibility into your security posture in Azure. Still, many security features can also cover on-premises and other public clouds. MDFC offers free features and a range of paid features for your cloud workloads. I will go into each feature in this series to cover what it does and ensure you know if it is a paid feature. Any pricing mentioned in this series is from the Microsoft Azure pricing calculator, but there are other ways to buy the licenses, so you must find the best deal for your environment.

Below is a picture of a tenant I have created for this guide. The secure score right now is 34! So, during this series, this should change dramatically.

This part of the series will be an intro to MDFC, so let us start with an overview of what Microsoft provides in this product family. As mentioned earlier, each of the following parts will be on each product so I will cover any configurations in those posts.

Cloud Security Posture Management

Cloud Security Posture Management (CSPM) is a term used for an IT tool that will continuously monitor your cloud security posture and report any misconfigurations or compliance issues. MDFC provides visibility into the environment and hardening suggestions based on the scanning.

The secure score is the first thing you will notice in the CSPM part of MDFC. This number goes from 1-100 and indicates how safe your environment is. The higher the number, the more secure your environment is. Microsoft uses its benchmark for this score, but you can also select other benchmarks like NIST and Azure CIS.

An exciting feature of MDFC is the feature the cloud security graph. The cloud security graph collects data from multiple clouds and data sources, which MDFC will then analyze. The collected data can be everything from networks, software inventory, and exposure to the public internet. All the data collected is built into the graph, and depending on which environments you have connected, it will show those pieces of information in the cloud portal. Attack path analysis uses the graph and displays compromises or vulnerabilities for you to take the appropriate action.

One of the nice things about Microsoft CSPM is that it offers a free version, and even with this, there are a lot of great information and action points to help secure your IT environment. There will also be a paid version that goes a step deeper, but this is a preview feature right now. I will briefly examine what the paid version brings to the table.

The picture below shows an overview of subscription recommendations that only have a secure score of 19%. As we can see, there is a lot we can do, and under each of the recommendations in the list are sub-recommendations. We can use this information to prioritize the work we need to do. We could raise the secure score from 19% to 42% by enabling MFA for accounts with access to this subscription. This seems like a lot, but securing the identities with access to your resources is essential.

The above picture recommendations only use the free version of CSPM, so as mentioned, there is a lot of value in looking into Defender without spending any money on it. I won’t make any changes in this part of the series, but the goal is to get as close to 100% on the secure score while still having an environment that serves the purpose I have.

Cloud Workload Protection Platform

Cloud Workload Protection Platform (CWPP) is protection for each of your workloads. Microsoft has a wide range of protection for workloads, and each of them will get a separate post in this blog series. Below is a list of services that exist at the moment.

  • Microsoft Defender for Servers
  • Microsoft Defender for Storage
  • Microsoft Defender for SQL
  • Microsoft Defender for Containers
  • Microsoft Defender for App Service
  • Microsoft Defender for Key Vault
  • Microsoft Defender for Resource Manager
  • Microsoft Defender for DNS
  • Microsoft Defender for open-source relational databases
  • Microsoft Defender for Azure Cosmos DB
  • Defender Cloud Security Posture Management (CSPM)
  • Security governance and regulatory compliance
  • Cloud security explorer
  • Attack path analysis
  • Agentless scanning for machines
  • Defender for DevOps

It is often unnecessary to deploy any agents or push configurations if you want to enable Defender for Azure resources. For many Azure resources, activating the Defender SKU is only a click. Microsoft will start scanning, collecting, and publishing information into the Defender page for you to view and take any needed action. If the Azure resources need an agent, Microsoft will often deploy that in the background, so you still get a smooth way of getting started with Defender. As mentioned in the CSPM part, MDFC is not limited to Azure resources. There are connectors for both Amazon Cloud and Google Cloud. With Azure Arc, you can install agents in any public or private cloud (data center) you use. MDFC collects all the information and displays it in the same portal view. It can split the collected data into each cloud so you can prioritize any remediations or optimizations.

The cloud workload protection areas are in place to secure each Azure component and spread to other public clouds with either connectors or Azure Arc. Defender for DevOps is still in preview, but it offers to scan both GitHub and Azure DevOps. Defender for DevOps might also be extended to other products that the customers and the community request. MDFC for data services can help automate data classification for Azure SQL and assess for vulnerabilities for SQL and storage accounts.

Some of the hardening recommendations come with built-in Azure policies to help protect and remediate settings on resources. An example is blocking public access to blob storage.

Conclusion

This short overview of Microsoft Defender for Cloud aims to grasp what MDFC can do for your company no matter where you host your resources. The Cloud Security Posture Management ensures you have visibility into your environment and will provide you with hardening guidance, which goes for both the free and paid version of Defender for Cloud. The CSPM will constantly monitor your environment and update any recommendations it might have for you.

The Cloud workload protection ensures your resources are kept safe, and together with the CSPM, it will also help you harden those resources even further. The way Microsoft provides policies and recommendations for hardening ensures you can get started quickly and efficiently. However, understanding how Azure policies work is essential before hitting the deploy button. If you don’t know what you are doing, you might break the services you are trying to protect.

Please join me in the next post in this series, where I will start looking into each.

Comments