Learn more about Microsoft Azure Security Center and Azure Defender
3rd November 2021
In this blog, we’ll look at some of the major features of Azure Defender.
Transformation to the Microsoft Azure Cloud is a fast and simple way to deploy and manage applications. Many organisations CSI works with are already enjoying the advantages; however, it remains critical to secure these applications and services just as you would secure on-premises workloads.
Microsoft recently re-launched Azure Security Center which is now offered in the following two modes:
- Azure Defender OFF (Free)
- Azure Defender ON
At a minimum, Microsoft Azure comes with the Free tier which is automatically enabled on all Azure subscriptions. The Free tier is a starting point for non-critical requirements and helps you protect your Azure resources through:
- security policy,
- continuous security assessment, and
- actionable security recommendations.
Which Microsoft Azure Security Center mode do I choose?
CSI recommends using Azure Defender ON (standard tier), which extends the capabilities to provide unified security management and threat protection across your hybrid cloud workloads.
This tier also provides advanced threat protection through behavioural analytics, machine learning and application controls (to name a few of the extras). Together these reduce your exposure to network attacks and malware, and identify attacks in progress, including zero-day exploits.
Built-in Virtual Machine Security: Azure Defender OFF (Free Tier +)
Just turning on Security Center will help protect your hybrid cloud environment. By performing continuous security assessments of your connected resources, it is able to provide detailed security recommendations for the vulnerabilities it discovers.
While you can take explicit steps to configure security options, having a default security policy that is automatically applied to all new VMs protects your organisation against projects where security might otherwise be overlooked.
The policy can be customised to protect the features that matter to your project, for instance by securing ports, services and applications. These policies are then applied to all new VMs without any admin intervention at all.
The policies can also be deployed across existing VMs, or VMs that are about to be migrated, to provide detailed insight into what protection may be missing, what risks exist, and to surface anomalies that would normally go unnoticed.
Enhanced Security Center features: Azure Defender ON
- 1. Adaptive Application Controls
This brilliant feature is based on machine learning. It recommends applications that should be whitelisted and generates alerts when anything else is executed. This increases your oversight of apps and assists with achieving compliance goals.
You can also group VMs based on the similarity of applications running on them making it easy to block unwanted applications and malware.
It also helps to identify unsupported software versions and licensing compliance issues, and you can further customise the allow lists to your business application needs.
In summary, adaptive application controls are an intelligent and automated solution for defining allow lists of known-safe applications for your machines.
- 2. File Integrity Monitoring (FIM)
Azure Security Centre and Log Analytics together provide a powerful base for continually comparing the current states of registry and configuration files to protect the integrity of your system and application software.
FIM examines any abnormal changes to operating system files, Windows registries, application software, Linux system files, and more.
Security Center then raises alerts to the administrator, allowing your team to investigate and take remedial action.
Security Center also integrates with many Azure Marketplace resources, for example FortiGate Next-Generation Firewalls, providing additional threat detection and unified health monitoring across your environments.
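To make the baseline-and-compare mechanism behind FIM concrete, here is an added example that is not part of the original post and is not Security Center’s own implementation: a small PowerShell script that records SHA256 hashes of every file under a directory as a baseline and, on later runs, reports files that were added, removed or modified. The directory path, the baseline file location and the output format are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): the baseline-and-compare mechanism
# behind file integrity monitoring, reduced to a local PowerShell script.
# Path and baseline file location are assumptions; change them to suit.
param(
    [string]$Path = "C:\inetpub\wwwroot",
    [string]$BaselineFile = "$env:TEMP\fim-baseline.json"
)

# Build a map of full file path -> SHA256 hash for everything under $Root.
function Get-Snapshot([string]$Root) {
    $snap = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        $snap[$_.FullName] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $snap
}

# Emit one record per difference between the stored baseline and the current state.
function Compare-Snapshot($Baseline, $Current) {
    foreach ($f in $Current.Keys) {
        if (-not $Baseline.ContainsKey($f)) {
            [pscustomobject]@{ Change = "Added"; File = $f }
        } elseif ($Baseline[$f] -ne $Current[$f]) {
            [pscustomobject]@{ Change = "Modified"; File = $f }
        }
    }
    foreach ($f in $Baseline.Keys) {
        if (-not $Current.ContainsKey($f)) {
            [pscustomobject]@{ Change = "Removed"; File = $f }
        }
    }
}

$current = Get-Snapshot $Path
if (-not (Test-Path $BaselineFile)) {
    # First run: persist the trusted state so later runs have something to compare against.
    $current | ConvertTo-Json | Set-Content $BaselineFile
    Write-Output "Baseline written to $BaselineFile"
} else {
    # Later runs: reload the baseline and report every deviation from it.
    $baseline = @{}
    (Get-Content $BaselineFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = $_.Value }
    $changes = Compare-Snapshot $baseline $current
    if ($changes) { $changes | Format-Table -AutoSize } else { Write-Output "No changes since baseline" }
}
```

Run it once to establish the baseline, then schedule it; any "Modified" or "Added" line for a file that nobody intended to change is exactly the kind of event Security Center’s FIM alerts on. The baseline itself must be stored somewhere an attacker on the monitored host cannot rewrite, which is one reason the managed service keeps its state in Log Analytics rather than on the machine.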
- 3. Just-in-Time (JIT) Access
Connecting a VM with a public IP address to the internet immediately puts it at risk of brute force attacks. These attacks commonly target management ports like RDP or SSH to try and gain access to the VM.
By locking down inbound traffic to your VM with Azure Security Center’s just-in-time (JIT) virtual machine access feature, you reduce exposure to attacks while providing easy access when you need to connect to a VM.
You can enable JIT through Security Center with your own custom options, or use the default hard-coded parameters, for any number of VMs.
When enabled, JIT locks down inbound traffic to your VM using rules created in your network security groups. You can then request access to a VM via Security Center, the Azure virtual machines blade, PowerShell or the REST API.
In summary, ports are only opened when you need them and, when you are finished, they automatically close again, reducing the attack surface.
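The post mentions that JIT can be configured and requested from PowerShell. The following is an added example, not code from the original post, showing the two halves of that workflow with the Az.Security module: defining a policy that keeps SSH and RDP closed in the NSG but allows them to be requested for up to three hours, and then requesting SSH for one hour from a single source address. The subscription, resource group, VM name, location and requester IP in angle brackets are placeholders, and the cmdlet usage follows Microsoft’s documented shape for these cmdlets.

```powershell
# Added example (not from the original post): enable JIT on one VM and then
# request access, using the Az.Security PowerShell module.
# Values in angle brackets are placeholders to replace with your own.
Import-Module Az.Security

$vmId = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Compute/virtualMachines/<VM_NAME>"

# 1. Define the JIT policy: which ports may be opened, from where, and for how long.
#    Until a request is approved, the NSG keeps these ports closed.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}

Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "<LOCATION>" -Name "default" `
    -ResourceGroupName "<RESOURCE_GROUP>" -VirtualMachine @($jitPolicy)

# 2. Request access: open only SSH, only from the requester's address, for one hour.
#    endTimeUtc is an ISO 8601 timestamp; the rule is removed when it passes.
$endTime = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22; endTimeUtc = $endTime; allowedSourceAddressPrefix = @("<REQUESTER_PUBLIC_IP>/32") }
    )
}

$policyId = "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.Security/locations/<LOCATION>/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request)

# 3. Read the policy back to confirm the allowed ports and see the current requests.
Get-AzJitNetworkAccessPolicy -ResourceGroupName "<RESOURCE_GROUP>" -Location "<LOCATION>" -Name "default"
```

Two points worth checking in your own policies: the policy’s `allowedSourceAddressPrefix` of `*` only sets the widest range a requester may ask for, so each request should still narrow it to a single address as above; and `maxRequestAccessDuration` is the ceiling, so requests for less than that (one hour here) keep the exposure window as short as the task allows.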
Hybrid cloud protection with Azure Defender
As well as defending your Azure environment, you can add Azure Defender capabilities to your hybrid cloud environment in order to:
- Protect your non-Azure servers
- Protect your virtual machines in other clouds (such as AWS and GCP)
To extend protection to virtual machines and SQL databases that are in other clouds or on-premises, deploy Azure Arc and enable Azure Defender.
While these are just a few security features available in Microsoft Azure, they provide some advanced security capabilities to enhance the deployment and management of your Azure solutions.
Get in touch
For more information please contact us. A member of the Azure Practice will be happy to talk through your challenges and project requirements.
Blog by Mike Bellido, Service Architect