Chapter 4 Mitigating security issues

Recent ransomware outbreaks, such as WannaCry and Petya, reinforced the importance of having a vulnerability-management system. But they also reinforced the fact that many computers are not fully updated and do not use the most secure configuration.

To enhance your overall security posture, you need to increase your protection. A security assessment is critical to identifying the current security state of your assets—and what you need to do to improve it. Azure Security Center can perform a security assessment for all major workloads: compute, network, storage, and applications. The result of this security assessment is a set of recommendations that will help you enhance the security posture of your workloads.

In this chapter, you will learn how to use Security Center to perform a security assessment for major workloads, and how to use the result of this assessment to improve your defense system.

Compute recommendations

In Chapter 2, you learned about the Security Center agent and how it performs an initial security assessment. As part of your onboarding process, you should make sure to address all critical (high-priority) recommendations first, evaluate all other recommendations, and apply the recommendations according to your environment’s needs.

Some recommendations may require system downtime—for example, to apply certain security updates. This means that after you identify the changes that need to be made in the target system, you may need to start a change-control process to maintain compliance with the security assessment.

TIP

Recommendations are applicable only for operating systems that are sup-ported in Security Center. Visit the latest version of supported operating systems at https://aka.ms/ASCSupportedOS.

Compute recommendations include recommendations for Azure virtual machines (VMs) and non-Azure computers. These recommendations vary depending on the environment. For this reason, it is important to be aware of the full list of recommendations that might apply to your environment:

Images Endpoint Protection Issues This shows a list of computers that are missing an endpoint protection. Alternatively, it can serve as a warning about endpoint protection not being fully updated in a target system.

Images Missing Scan Data This shows the systems that are missing the most current scan data collected by the agent.

Images Remediate Security Configurations This shows a list of computers (Windows and Linux) that are not using the most secure configuration according to Common Configuration Enumeration (CCE) standards.

Images Missing System Updates This shows a list of computers that are missing security and critical updates.

Images Missing Disk Encryption This shows a list of Azure VMs that don’t have disk encryption enabled.

Images Vulnerability Assessment Not Installed In some scenarios Security Center may recommend the installation of a vulnerability-assessment solution, such as Qualys, on one or more Azure VMs.

Images VM Agent Is Missing or Not Responding When Security Center recognizes that a VM is missing the agent, or that the agent is installed but not responding, Security Center will list all Azure VMs that are exhibiting this behavior.

Images Restart Pending This appears when Security Center identifies that there is a restart pending in one or more Azure VMs.

Images Apply a Just-in-Time Network Access Control This suggests that you apply just-in-time network access for one or more Azure VMs.

Images OS Version Not Updated This is specifically for Platform as a Service (PaaS). It recommends that you update the operating system (OS) version for your cloud service to the most recent version available for your OS family.

TIP

Keep in mind that new recommendations may be included without further notice. For the latest list of compute recommendations, see https://aka.ms/ASCComputeRec.

The following sections cover the implementation of some of these recommendations.

Setting up endpoint protection

Security Center can detect whether your VM or computer has endpoint protection installed on it, and whether this endpoint protection is up to date. However, this capability will detect only a certain number of supported endpoint protection partners. At the time of this writing, the supported partners are as follows:

Images Windows Defender (Microsoft Antimalware)

Images System Center Endpoint Protection (Microsoft Antimalware)

Images Trend Micro – All versions

Images Symantec v12.1.1100+

TIP

The list of partners is always in revision, and new partners may be included without further notice. For the latest list of supported endpoint protection, visit https://aka.ms/ASCPartners.

If a recommendation suggests the installation of endpoint protection in non-Azure VMs and computers, you will need to do this manually, following the instructions from the antimalware vendor of your choice. For VMs in Azure, System Center will guide you through the installation process, and you can choose the endpoint protection based on the options available in the Azure marketplace. Follow these steps to remediate a compute recommendation by deploying Windows Defender (Microsoft Antimalware) in an Azure VM:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under Prevention, click Compute.

  4. Click the Endpoint Protection Issues recommendation. The dashboard shown in Figure 4-1 appears.

    Screenshot of the Endpoint Protection Issues dashboard in Security Center.

    FIGURE 4-1 The Endpoint Protection Issues dashboard.

  5. Click the Endpoint Protection Not Installed on Azure VMs recommendation. The blade shown in Figure 4-2 appears.

    Screenshot of VMs without endpoint protection installed, with the option to install the endpoint protection from there.

    FIGURE 4-2 List of Azure VMs that need endpoint protection.

  6. Leave the VM selected and click Install on 1 VMs.

    NOTE

    If there is more than one VM in the list, select only the ones for which you want to install an endpoint protection solution.

  7. The Select Endpoint Protection blade opens. (See Figure 4-3.) It contains two options:

    Images Microsoft Antimalware This is a free solution from Microsoft.

    Images Deep Security Agent This is a fee-based solution from TrendMicro. If you select this option, you’ll need to provide your license information.

    In this case, click Microsoft Antimalware.

    Screenshot of the endpoint protection solutions integrated with Security Center.

    FIGURE 4-3 Endpoint protection solutions that are integrated with Security Center.

  8. The Microsoft Antimalware blade appears, with a description of this service. Click Create to add this extension to your VM.

    The Install Microsoft Antimalware blade appears. (See Figure 4-4.) It contains the following options:

    Images Excluded Files and Locations Here, you can specify any paths or locations to exclude from the scan. To add multiple paths or locations, separate them with semicolons. This is an optional setting.

    Images Excluded Files and Extensions This box lets you specify file names or extensions to exclude from the scan. Again, to add multiple names or extensions, you separate them with a semicolon. Note that you should avoid using wildcard characters.

    Images Excluded Processes Use this box to specify any processes that should be excluded from the scan—again, using semicolons to separate multiple processes.

    Images Real-Time Protection By default, this check box is enabled. Unless you have a good business reason to do otherwise, you should leave it that way.

    Images Run a Scheduled Scan Selecting this check box enables you to run a scheduled scan.

    Images Scan Type If you selected the Run a Scheduled Scan check box, you can use this drop-down list to specify the type of scan. (A quick scan is run by default.)

    Images Scan Day If you selected the Run a Scheduled Scan check box, you can use this drop-down list to specify the day that the scan will run.

    Images Scan Time If you selected the Run a Scheduled Scan check box, you can use this drop-down list to specify what time the scan will run. The time is indicated in increments of 60 minutes (60 = 1 AM, 120 = 2AM, and so on).

    Screenshot of the Microsoft Antimalware pre-deployment settings.

    FIGURE 4-4 Options to customize the Microsoft Antimalware installation.

  9. Leave the default selections and click the Create button. In the upper-right corner of the dashboard, you will see a notification that the installation has started in the target system, as shown in Figure 4-5.

    Screenshot of the endpoint protection installation notification that appears in the upper-right corner of the Azure portal.

    FIGURE 4-5 Notification that endpoint protection installation has started.

  10. Close all blades and go back to the main Security Center dashboard. The installation time varies depending on the environment.

  11. To verify whether the Microsoft Antimalware extension was installed, open the VM properties in Azure and click the Extensions options. (See Figure 4-6.)

Screenshot of the Azure VM properties, showing the Extensions screen, to validate that the antimalware extension was successfully installed.

FIGURE 4-6 Validation that the antimalware extension was installed.

Remediate Security Configurations

Security Center uses Common Configuration Enumeration (CCE) standards to validate the security state of a VM or computer’s configuration. If a VM or computer is not compliant with the CCE standard that was tested, Security Center will generate a security recommendation. Follow these steps to get a sense of how these recommendations work:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under Prevention, click Compute.

  4. Click Remediate security configurations. The Remediate security configurations blade appears. (See Figure 4-7.)

    Screenshot of the OS Vulnerabilities blade in Security Center.

    FIGURE 4-7 List of OS vulnerabilities according to CCE standards.

  5. In this blade, you can quickly see the number of resources that do not comply with various CCE standards, and the type of standard in question (registry, security policy, or audit policy). For more information on any of these vulnerabilities, click the associated resource to view a comprehensive description. (See Figure 4-8.)

    Screenshot of the details of a vulnerability, including the potential impact and any applicable countermeasures.

    FIGURE 4-8 Details about a vulnerability and how to mitigate it.

  6. Read the description to better understand the vulnerability, gauge its potential impact, and identify suggested countermeasures.

  7. Click the Search button to identify which computers are not compliant with this rule. Azure launches Log Analytics and displays the query result. (See Figure 4-9.)

Screenshot of the Log Analytics search results showing a list of computers that are not compliant with the rule in question.

FIGURE 4-9 A list of computers that are not compliant with this rule.

This is an example of a recommendation that cannot be remediated directly from Security Center. The intent here is to bring awareness that some machines are missing the security best practices and to help you identify these machines. From there, you will need to deploy the countermeasure using other tools. Most of these recommendations can be addressed using Group Policy in Active Directory if you are using Windows-based, domain-joined virtual machines.

TIP

For information about which CCE rules are tested, visit https://gallery.technet.microsoft.com/Azure-Security-Center-a789e335.

Networking recommendations

An Azure virtual network is a logical isolation of the Azure cloud dedicated to your subscription. Security Center identifies the Azure virtual networks available in your subscription and provides recommendations to improve overall security. Networking recommendations vary depending on the environment. For this reason, it is important to be aware of the full list of recommendations that might apply to your environment:

Images Add a Next Generation Firewall After scanning your virtual network, Security Center may recommend that you install a Next Generation Firewall (NGFW) in your environment. Because this option is not natively available, Security Center will recommend various partners that can help you with this.

Images Route Traffic Through NGFW Only This setting suggests that you configure network security group (NSG) rules to force inbound traffic to your VM through your NGFW.

Images NSGs on Subnets Not Enabled After scanning your virtual network, Security Center may recommend that you enable an NSG on subnets or VMs.

Images Restrict Access Through Internet Facing Endpoint After scanning your virtual network, Security Center may recommend that you configure inbound traffic rules for NSGs.

The following sections cover the implementation of some of these recommendations.

NSGs on subnets not enabled

An NSG contains a list of security rules that allow or deny network traffic to resources connected to Azure Virtual Networks (VNets). You can associate NSGs with VMs, NICs, and subnets. Security Center will verify whether your subnet needs to have an NSG to be more secure. If so, it will create a network recommendation for it. Follow these steps to access the network recommendations:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under Prevention, click Networking. The Networking blade appears. (See Figure 4-10.)

    Screenshot of the Networking recommendations in Security Center.

    FIGURE 4-10 Networking recommendations vary depending on the Azure Virtual Network environment.

    The top of the blade features a list of recommendations specifically for your Azure VNet environment. Below that are recommendations pertaining to endpoints that are exposed to the internet. Finally, the bottom of the blade shows the virtual network topology.

  4. Click the NSGs on Subnet Not Enabled recommendation. The Configure Missing Network Security Groups for Subnets blade appears. (See Figure 4-11.)

    Screenshot of the Configure Missing Network Security Groups for Subnets blade.

    FIGURE 4-11 Subnets that are currently missing network security groups.

  5. Select the subnet for which you want to enable the security group. The Choose Network Security Group blade appears. (See Figure 4-12.)

    Screenshot of the Choose Network Security Group blade.

    FIGURE 4-12 Usable NSGs.

  6. You can select an NSG from the list or click Create New to create a new one. In this case, click ASCDEMOVM-nsg. You’ll see a notification like the one in Figure 4-13.

    Screenshot of the Creating NSG Resource notification that appears in the Azure Portal after the Security Center recommendation is applied.

    FIGURE 4-13 The Creating NSG Resource notification.

    When this process is complete, the recommendation will disappear, and you can move on to the next one.

Restrict access through internet-facing endpoint

Security management and control are imperative when dealing with cloud resources. When new VMs are provisioned in your IaaS environment, you need to ensure that these VMs are not fully exposed to the internet. This can be difficult in a large environment. Fortunately, Security Center provides full visibility of internet-facing endpoints in a single location. Follow these steps to access this network recommendation:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under Prevention, click Networking. The Networking blade appears.

  4. Click the Restrict Access Through Internet Facing Endpoint recommendation. The Restrict Access Through Internet Facing Endpoint blade appears. (See Figure 4-14.)

    Screenshot of the Restrict Access Through Internet Facing Endpoint blade, showing VMs that are currently exposed to the Internet.

    FIGURE 4-14 The Restrict Access Through Internet Facing Endpoint blade.

  5. Click a VM in the list. The NSG blade appears. (See Figure 4-15.) Notice that the current inbound rule allows any source (*) to connect to this VM using TCP.

    Screenshot of the NSG blade and the related inbound rules.

    FIGURE 4-15 The NSG blade with the current inbound rules.

  6. Click Edit Inbound Rules (at the top of the page). The Inbound Security Rules page opens. (See Figure 4-16.)

    Screenshot of the Inbound Security Rules page, showing every entry and its priority, name, port, protocol, source, destination, and action (allow or deny).

    FIGURE 4-16 Current list of inbound security rules.

  7. You can change the default rule (default-allow-rdp) by altering the source port to a specific IP or IP range. To do so, click default-allow-rdp. The default-allow-rdp blade appears. (See Figure 4-17.) The settings that you will harden in this page will vary depending on your organization’s needs.

    Screenshot of the default-allow-rdp rule properties.

    FIGURE 4-17 Creating an inbound rule.

  8. To address the Security Center recommendation, you should at least change the value in the Source field to a specific IP address or an IP address range.

  9. Click Save, and close all other blades.

Storage and data

One of the ultimate goals of an attacker is to gain access to a target’s data. Therefore, it is important to address all security recommendations for storage (where the data is located) and for the data itself. Security Center meets these requirements by providing security recommendations for Azure SQL databases and for Azure Storage, which includes each VM’s virtual hard disk (VHD). Storage and data recommendations vary depending on the environment. For this reason, it is important to be aware of the full list of recommendations that might apply to your environment:

Images Server Auditing and Threat Detection Not Enabled This setting is specific for Azure SQL and is available only if you currently have an Azure SQL workload. It recommends that you enable auditing and threat detection on the server level.

Images Database Auditing and Threat Detection Not Enabled This setting recommends that you turn on auditing and threat detection for Azure SQL databases.

Images TDE Not Enabled This setting recommends that you turn on Transparent Data Encryption (TDE) for your Azure SQL database. TDE protects your data and helps you meet compliance requirements by encrypting your database.

Images Healthy Databases This setting shows which Azure SQL databases are healthy. (It offers no further security recommendations.)

Images Storage Encryption Not Enabled This setting shows which storage accounts do not have encryption enabled.

Images Healthy Storage Accounts This setting shows which storage accounts are healthy. (It offers no further security recommendations.)

NOTE

After you enable Storage Encryption, only new data will be encrypted. Any existing files in this storage account will remain unencrypted. Once encryption is en-abled, it cannot be disabled.

The following sections cover the implementation of some of these recommendations.

Server auditing and threat detection not enabled

Security Center can perform a security assessment to verify whether you are leveraging Azure SQL auditing and threat detection security capabilities. Auditing and threat detection can assist you in the following tasks:

Images Maintaining regulatory compliance

Images Understanding database activity

Images Gaining insight into discrepancies and anomalies

Images Identifying security violations

After you turn on auditing, you can configure threat detection settings and set up email security alerts. Threat detection detects anomalous database activities indicating potential security threats to the database. This enables you to detect and respond to potential threats as they occur. Follow these steps to address this recommendation:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under Prevention, click Storage and Data. The Data Resources blade appears. (See Figure 4-18.)

    Screenshot of the Data Resources blade, showing recommendations for Azure SQL and storage.

    FIGURE 4-18 The Data Resources blade.

  4. Click the Server Auditing & Threat Detection Not Enabled recommendation. The Enable Auditing & Threat Detection on SQL Servers blade appears. (See Figure 4-19.)

    Screenshot of the Enable Auditing & Threat Detection on SQL Servers blade, showing the list of SQL Servers that currently do not comply with this rule.

    FIGURE 4-19 List of Azure SQL Servers that are not using the most secure configuration.

  5. Click the server for which you want to change this setting. The Auditing & Threat Detection blade appears. (See Figure 4-20.)

    Screenshot of the Auditing & Threat Detection blade with the options to turn these options on or leave them off.

    FIGURE 4-20 The Auditing & Threat Detection blade.

    TIP

    Be sure to read the information about the charges that will apply if you enable these options.

  6. Under Auditing, click ON.

  7. Under Threat Detection, click ON.

  8. Click Save and close all pages.

    TIP

    For more information about Azure SQL database threat detection, visit https://aka.ms/AzureSQLTD.

Storage encryption not enabled

Security Center can perform a security assessment to verify whether your Azure Storage account is encrypted. Azure Storage Service Encryption (SSE) for Data at Rest can help you protect and safeguard your data in Azure. When this feature is enabled, Azure Storage automatically encrypts your data before persisting to storage and decrypts it before retrieval. Follow these steps to address this recommendation:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under Prevention, click Storage and Data. The Data Resources blade appears.

  4. Click the Storage Encryption Not Enabled recommendation. The Enable Storage Encryption blade appears. (See Figure 4-21.)

    Screenshot of the Enable Storage Encryption blade, showing storage accounts that have not been encrypted.

    FIGURE 4-21 List of storage accounts that are not using encryption.

  5. Click the storage account that needs to be encrypted. The Encryption page opens. (See Figure 4-22.)

    Screenshot of the Encryption page that allows you to enable storage service encryption in your Azure storage account.

    FIGURE 4-22 Enabling storage service encryption for your storage account.

  6. Click Enabled. Then click Save.

    TIP

    For more information about Azure Storage Service Encryption for Data at Rest, visit https://aka.ms/AzureSSE.

Applications

Many customers host their web applications in VMs running on Azure, which means they need to ensure that the security states of these VMs are well configured. This should be done not only on the operating system side (which was done under the compute recommendations) but also at the web application level.

Application recommendations include security recommendations for Internet Information Services (IIS) web applications running on Azure VMs. Application recommendations vary depending on the environment. For this reason, it is important to be aware of the full list of recommendations that might apply to your environment:

Images Web Application Firewall Not Installed When Security Center detects a web application that needs advanced protection, it will recommend that you install a web application firewall (WAF) from a Microsoft partner.

Images Finalize Application Protection After you install the WAF, Security Center will generate another recommendation to finalize the protection of your web application. Here you will see a list of additional recommendations, such as changing the web application DNS record to match the WAF IP address, and will also suggest traffic restriction using NSGs.

Images Healthy Web Applications This shows you which web applications are healthy. (It includes no further security recommendations.)

The following section covers the implementation the web application firewall recommendation in more detail.

Web application firewall not installed

Web applications are increasingly becoming targets of cyberattacks such as SQL injection, cross-site scripting (XSS), and many others documented at the OWASP Top 10. (For more information, see www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.) Although many of these attacks are preventable via code that has been put through a full Security Development Lifecycle, or SDL (www.microsoft.com/en-us/sdl/), it can be hard to prevent some of these attacks in the application code itself, as it may require rigorous maintenance, patching, and monitoring on multiple layers. A web application firewall can enhance the protection of your web application from web vulnerabilities and attacks without modification to application code. Follow these steps to address this recommendation:

  1. Open the Azure Portal and sign in as a user who has Security Admin privileges.

  2. In the left pane, click Security Center.

  3. In the left pane of the Security Center window, under Prevention, click Applications. The Applications blade appears. (See Figure 4-23.)

    Screenshot of the Applications blade, showing a list of web applications that require attention.

    FIGURE 4-23 The Applications blade.

  4. Click the Web Application Firewall Not Installed recommendation to open the Web Application Firewall Not Installed page. (See Figure 4-24.)

    Screenshot of the Web Application Firewall Not Installed page showing a list of applications that need a web firewall.

    FIGURE 4-24 List of web applications that need a web application firewall.

  5. Click an application that needs a WAF. The Add a Web Application Firewall blade appears. (See Figure 4-25.)

    Screenshot of the Add a Web Application Firewall page, where you have the option to add a new WAF solution from a Microsoft partner.

    FIGURE 4-25 Adding a Web Application Firewall.

  6. Click Create New. The Create a New Web Application Firewall Solution blade appears. (See Figure 4-26.) From this point forward, the steps may vary depending on the solution you choose. Consult the partner’s solution documentation for further information.

    Screenshot of the Create a New Web Application Firewall Solution page, where you have a list of partners that provide a WAF solution.

    FIGURE 4-26 Adding a new web application firewall.

Real World: The Importance of Prevention

In today’s age of cybersecurity, prevention is just as important as detection and response. One of 2017’s largest attacks, WannaCry, could have been prevented with patching. Mitigating vulnerabilities—including applying patches—can significantly reduce the likelihood of an attack.

Azure Security Center provides recommendations across compute, network, data, and apps that you can easily remediate from right inside the Security Center blades. These recommendations cover security best practices, missing configurations and patches, and other vulnerable areas of datacenter work-loads. Security Center provides a simple way to identify risks and to resolve them quickly, reducing your attack surface.

Nicholas DiCola, Principal Program Manager, C+E Security Engineering

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.188.152.157