One of the more cloud-focused tools within the Microsoft 365 Defender suite is Microsoft Defender for Cloud. In this chapter, we will be covering numerous topics around Microsoft Defender for Cloud, including ASC, so that you can get a better understanding of how to properly leverage this tool in your role as the Microsoft security operations analyst for your enterprise.
In this chapter, we will cover the following topics:
By the end of this chapter, you will be able to fully understand all of the steps you need to take to not only be successful in deployment and implementation but also properly plan and utilize Microsoft Defender for Cloud in your role as a Microsoft security operations analyst. Let's go!
Throughout this chapter, we will use a number of shortened terms and acronyms that we want to make sure you understand. The following list outlines a few of these terms for your reading and understanding:
Okay! Now that we have covered the shortened terms and acronyms we expect you to encounter within this chapter, let's dive into what Microsoft Defender for Cloud is! Ready? Let's roll!
Think, for a moment, about how vast the Microsoft Azure platform can be in your enterprise. Think about all the different resource types, locations, security controls, configurations, baselines, attack vectors, access requirements, authentication methods, and authorization methods. Then, add in the fact that the best practices for securing everything that exists within Azure (and, technically, Google Cloud Platform (GCP) and Amazon Web Services (AWS) as well) are ever-changing. How can an organization stay up to date with all of this, on top of what exists on-premises? Microsoft Defender for Cloud and ASC are here to help you with this!
Note
From here on, we will not keep adding "formerly the ASC Standard tier" after every mention; we will simply refer to this solution by its current name, Microsoft Defender for Cloud.
So, what is Microsoft Defender for Cloud? We believe, before diving into what Microsoft Defender for Cloud is, you must first know what ASC is. Microsoft Defender for Cloud is integrated into ASC, so let's first dive into ASC a bit so that you have a better understanding of the differences, integration, and enterprise use cases for the solution.
ASC is Microsoft's CSPM offering. This CSPM capability is free for you to consume in your enterprise. ASC enables you to truly strengthen the security of your Azure environment by identifying where you can harden your security posture on resources you may not even know exist! Each item identified on a resource is a recommendation, and the set of recommendations keeps evolving as security evolves. This is a living recommendations list that looks at your data, compute, services, and applications in the cloud. Events collected from native or installed agents (potentially on-premises or in another cloud) and from assets that live in Azure are correlated on the backend of the tool and tailored to provide recommendations on how you can improve your security posture on every resource in your environment. These recommendations are designed to secure your workloads and detect threats accordingly. See the following screenshot for an overview of the Security Center portal:
In summary, ASC provides a solution for the three most prevalent and difficult-to-manage security challenges, which we explore in more detail here:
With all these challenges present, ASC can help you and your organization prepare against these challenges by providing you with tools to do the following:
In addition to addressing the most challenging and prevalent issues that are present in your enterprise for you and your team, ASC also provides the following features that can easily be implemented to quickly assist your team:
Note
We do recommend you begin looking into Azure Policy—there are numerous resources out there for your reading. You will find out that in the cloud, Azure Policy is huge for security administrators and operation teams!
ASC is continually assessing your workloads and subscriptions for any added resources that have been deployed, reviewing existing resources, and assessing whether they are configured according to various security best practices. See the following screenshot for an example of security policy management:
What is great is that if any resource is not configured according to best practices, it will be flagged and shown as an object with recommendations on how to become more aligned with those practices. Within Azure, there is a specific security benchmark that resources are compared against; this benchmark is called the Azure Security Benchmark (ASB). The ASB is designed and authored by Microsoft specifically for Azure architecture. It is derived from the Center for Internet Security (CIS) controls and the National Institute of Standards and Technology (NIST) frameworks and compiled into a single, easy-to-follow benchmark that resources are assessed against.
ASC can monitor the security status of your Azure network. Whether you run an infrastructure-as-a-service (IaaS) or a platform-as-a-service (PaaS) cloud environment, networking will be a requirement! See the following screenshot for an overview of ASC Secure Score:
ASC will analyze any network component in your workload architecture and call out any flaws that lead to security vulnerabilities or implementations that go against best security practices.
One of the core features within ASC is the native ability to provide recommendations that are customized and specific to your workload resources. This is normally a task that is taken up by someone on the security operations team, but the wonderful thing about ASC is that it does this administrative task for you. See the following screenshot for an example of a network map:
What is even better is that these recommendations and actions tie into other parts of the Microsoft security stack, such as Microsoft Sentinel and Microsoft Defender for Endpoint (MDE). These recommendations help you reduce improper configurations in your workloads and reduce the attack surface across all your resources. Some examples would be Azure Virtual Machines (Azure VMs), any PaaS resource, storage accounts, and Structured Query Language (SQL) resources. Instead of manually doing this review and putting together a list of recommended security tasks for your enterprise, let ASC do this for you!
Bonus Note
There are many one-click-fix options with these recommendations that allow you to remediate these configurations through the single click of a button! Check them out!
Now let's learn about integration with MDE in your enterprise (when paired with Microsoft Defender for Cloud). One thing you will learn about throughout this book is the incredible integration capabilities of the Microsoft 365 Defender stack—this includes integration capabilities of ASC and MDE. See the following screenshot for an example of an alert:
You can onboard devices to either service from either portal/tool. You can also view and close out alerts that are generated from either service to the other. This is a great integration capability that proves to be super helpful for security operations teams and analysts alike to ensure you have a single pane of glass to manage and view alerts from both solutions!
See the following screenshot for an example of integration settings:
So, back to the original question—what is Microsoft Defender for Cloud?
Remember when we talked about ASC being a CSPM tool? Well, Microsoft Defender for Cloud is integrated into ASC, but it serves a different purpose for your enterprise! Microsoft Defender for Cloud is Microsoft's CWP offering. It integrates into ASC and provides advanced, ever-changing, cloud-driven protection of your Azure and hybrid cloud workloads. In addition to the built-in policies that come with ASC, with Microsoft Defender for Cloud you can enable additional custom security policies and regulatory compliance standards (such as NIST, the Payment Card Industry Data Security Standard (PCI DSS), and the CIS Azure Foundations Benchmark). As with ASC, you can extend the capabilities of Microsoft Defender for Cloud into your on-premises environment as well as into multi-cloud environments (AWS and GCP, for example).
Note
Microsoft Defender for Cloud is a paid offering that you enable per resource type. The cost of the CWP capability (also referred to as ATP) differs for each resource type you want to protect. We will dive into which types of resources support Microsoft Defender for Cloud in a moment.
Considering Microsoft Defender for Cloud is a part of ASC, to administer it within your enterprise, you will be navigating through ASC, as shown in the following screenshot:
First, let's start with which types of resources support Microsoft Defender for Cloud, thus allowing you to enable this capability upon such resources within your workloads.
The following resource types support Microsoft Defender for Cloud (as of August 2021 from Microsoft Docs):
Important Note
ASC will still provide proactive assessment and recommendations for all of the preceding services for free, but if you want protection elements to defend against threat actors, you will need to enable Microsoft Defender for Cloud, which is paid per resource type for such protection.
In short: ASC (CSPM) = free; Microsoft Defender for Cloud (CWP) = paid
We want to take some time, as it is something that will come up a lot when applying Microsoft Defender for Cloud in your enterprise, to cover what Microsoft Defender for Cloud brings to the table for each supported resource type. Let's go!
Microsoft Defender for Cloud for Servers is a feature that will add deep threat-detection capabilities and advanced defense mechanisms for your enterprise Windows and Linux workloads. Whenever you onboard servers to Microsoft Defender for Cloud, ASC will present alerts that Microsoft Defender for Cloud finds and give you suggestions on how to rectify known security issues. Remember, Microsoft Defender for Cloud and ASC work together as they are integrated with one another.
Here are some added benefits of Microsoft Defender for Cloud for Servers:
Microsoft Defender for Cloud for App Service is a feature available for enrollment that is designed to deeply protect your App Service deployment in your enterprise. Any application that you have running on Azure App Service will be fully protected by Microsoft Defender for Cloud if you enable it to do so. It learns from the threat intelligence that Azure already gathers across its App Service platform, and that information is fed into Microsoft Defender for Cloud for App Service so that protection and monitoring keep pace with the ever-changing attacks on App Service-based applications.
Here are some added benefits of Microsoft Defender for Cloud for App Service:
a. The VM instance that your App Service resource is running on under the hood
b. Requests to and from your App Service applications
c. Underlying sandboxes and VMs that your app services might be using
d. All internal logs of your app service
Dangling DNS is something that is often overlooked from a process perspective: whenever you decommission a site but leave the DNS record (typically a CNAME pointing at the old App Service hostname) in place in your DNS zone, a threat actor can register that hostname themselves and take over your subdomain. Microsoft Defender for Cloud for App Service will alert you whenever a site is decommissioned while a DNS record still points at it! The following screenshot shows an example of a dangling DNS alert in ASC from Microsoft Defender for Cloud for App Service:
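The alert above fires after the fact; the check below, an added example that is not from the book, lets you look for the same condition in your own Azure DNS zones ahead of time. It lists every CNAME record in a zone that points at a takeover-prone Azure suffix and flags the ones whose target no longer resolves (NXDOMAIN), which is the signature of a dangling record. The resource group name, zone name, and suffix list are assumptions; Resolve-DnsName comes from the Windows DnsClient module, and the Az.Dns module plus an existing Connect-AzAccount session are required.

```powershell
# Added example (not the book's code): find dangling CNAME records in an Azure DNS zone.
# Assumptions: resource group and zone names below, Az.Dns installed, already signed in with Connect-AzAccount.
param(
    [string]$ResourceGroupName = 'rg-dns-prod',   # assumption
    [string]$ZoneName          = 'contoso.com'    # assumption
)

# Azure hostnames under these suffixes are released when the backing resource is deleted,
# so anyone can claim them again. The list is an assumption; extend it for your estate.
$takeoverProneSuffixes = @('azurewebsites.net', 'trafficmanager.net', 'cloudapp.azure.com')

$cnameSets = Get-AzDnsRecordSet -ResourceGroupName $ResourceGroupName -ZoneName $ZoneName -RecordType CNAME

$findings = foreach ($rs in $cnameSets) {
    $target = $rs.Records[0].Cname.TrimEnd('.')
    $prone  = $takeoverProneSuffixes | Where-Object { $target.EndsWith($_) }
    if (-not $prone) { continue }   # CNAME to something we are not checking

    # NXDOMAIN on the target means no resource owns that hostname any more:
    # the record in our zone is dangling and the name is up for grabs.
    $resolved = Resolve-DnsName -Name $target -Type A -DnsOnly -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Record   = "$($rs.Name).$ZoneName"
        Target   = $target
        Dangling = (-not $resolved)
    }
}

# Report only the dangerous ones; an empty table means nothing to clean up.
$findings | Where-Object Dangling | Format-Table -AutoSize
```

Run it against each public zone you own on a schedule; remove or repoint any record it flags, because the alert from Defender for Cloud only covers App Service, whereas the same weakness exists for any deleted Azure resource that had a public hostname.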
Microsoft Defender for Cloud for Storage is a feature that adds an extra layer of security to your storage accounts within Azure. We see far too often that an exposed storage account has been scanned, compromised, and had its data exfiltrated by threat actors. Microsoft Defender for Cloud for Storage is here to solve that for your enterprise.
Here is an overview of Microsoft Defender for Cloud for Storage:
Here are some added benefits of Microsoft Defender for Cloud for Storage:
Microsoft Defender for Cloud for SQL is a feature that brings a deep, cloud-backed level of threat protection to your SQL workloads in Azure. This covers Azure SQL Database, SQL Server on an IaaS VM, Azure SQL Managed Instance, dedicated SQL pools in Azure Synapse, Azure Arc-enabled SQL servers, and—when configured and supported—even your SQL servers running on Windows on-premises! You might wonder which threat protection features this brings to your enterprise. Let's dive into those a little bit!
Here are some added benefits of Microsoft Defender for Cloud for SQL:
Some alert types are listed here:
Microsoft Defender for Cloud for Kubernetes is a feature that comes with Microsoft Defender for Cloud, should you choose to enable it. Microsoft Defender for Cloud for Kubernetes provides you protection for your Kubernetes clusters, but guess what? It can provide protection wherever they are running, not just within Azure! This includes the following:
Microsoft Defender for Cloud for Kubernetes will assist you in identifying additional ways to harden your Kubernetes environment, as well as providing real-time protection. When this is combined with Microsoft Defender for Cloud for Servers, information on your Linux AKS nodes will also be available! Pretty cool to see these features combine forces to provide you clarity, protection, and best practices to ensure your containerized applications are backed with the ultimate protection and security!
Microsoft Defender for Cloud for container registries is a feature that works alongside Azure Container Registry (ACR), a very common solution used by organizations to manage container images in a centralized manner! If you use ACR in your cloud workloads, you can take advantage of Microsoft Defender for Cloud for container registries. This feature scans your images whenever they are pushed to your registry, giving you instant visibility into your images and information on any vulnerabilities found. What is great is that this is powered by Qualys, which—as discussed before—is an industry leader in the vulnerability scanning world! Whenever issues are identified by Qualys or ASC, you will get a notification within your ASC dashboard that provides detailed information about that issue, such as the severity classification, the potential MITRE ATT&CK mapping, and guidance on how to fix the security issue within your images.
When are these images scanned? Great question—the scanning happens here:
The following screenshot, an example of Defender for Containers, gives you a better visual understanding of how ASC and ACR work together behind the scenes for this protection:
Microsoft Defender for Cloud for Key Vault is a feature that will provide ATP for any Azure Key Vault instance you have in your environment. When enabled, Microsoft Defender for Cloud for Key Vault will detect any potentially harmful attempts to access or even exploit Key Vault accounts. This is all powered by a vast machine learning (ML) engine within Microsoft Defender for Cloud. Whenever Microsoft Defender for Cloud suspects any anomalous activities, you will see alerts (such as the one shown in Figure 5.11), and if you enable it to do so, Microsoft Defender for Cloud can send emails to whoever needs to be notified about the key vault with this behavior! Considering Azure Key Vault is a critical solution to manage your keys, secrets, and passwords in the cloud, this feature will be well used and appreciated within your security team!
Here is an example of an Azure Key Vault alert in Microsoft Defender for Cloud:
All your Azure deployments go through an engine called Azure Resource Manager (ARM), no matter whether you are doing this manually through the Azure portal or programmatically through the command-line interface (CLI), PowerShell, or even Terraform. ARM is a foundational element within Azure that your deployments rely on. Microsoft Defender for Cloud for Resource Manager is a feature that will automatically monitor all resource management operations that go through ARM. Microsoft Defender for Cloud will run advanced analytics and inspection on this for you, detect any suspicious activity, and follow that up with an alert in ASC.
Here is a screenshot showing how all deployments go through ARM and where Microsoft Defender for Cloud sits within this process:
What does it detect? Great question! Here are a few of the most important things:
This feature will be beneficial to your organization to automate the security analysis of every deployment and every ARM operation in your Azure environment. Go check it out!
Many organizations take advantage of Azure DNS, a hosting service for DNS domains that provides name resolution. Whenever organizations host domains in Azure, they can manage DNS records and zones using the same credentials they use to manage other Azure resources. Microsoft Defender for Cloud for DNS works at a different layer: it continually monitors the DNS queries your Azure resources make through the Azure DNS resolver and applies additional security analytics to give you visibility into any suspicious activity, such as a compromised VM resolving command-and-control domains.
Microsoft Defender for Cloud for DNS will protect your resources that are tied to Azure DNS against issues such as the following:
Microsoft Defender for Cloud for open-source relational databases is much like Microsoft Defender for Cloud for SQL—however, it is intended for open source databases specifically. Microsoft Defender for Cloud for open-source relational databases supports the following database types:
Here are some added benefits of Microsoft Defender for Cloud for open-source relational databases:
Some threat intelligence (TI) alert types are listed here:
Now that we have covered each of these rich features within both ASC and Microsoft Defender for Cloud, let's move on to discuss how to implement both solutions in your environment. This information will be crucial for the SC-200 exam but, more importantly, will enable you to possess the required knowledge to be the best Microsoft security operations analyst in your environment, today!
One of the more important parts of your role as a Microsoft security operations analyst, outside of simply knowing what the tools are that make up the overall solution, is to understand the effort and requirements to implement these solutions. We want to take some time and walk through with you how to implement ASC in your enterprise. You will be glad to know that implementing ASC is a simple task—however, we highly recommend that you effectively communicate all the previously shared information to the appropriate parties within your enterprise to ensure you have full alignment on the value this adds to your organization. Often, technology makes implementation so simple that we forget to communicate and follow internal processes. We want you to be successful, so go bridge that communication gap before continuing!
First, to implement ASC, you must have the proper permissions within Azure to do so. This can be applied to your own account, an administrative account, or even a service account you leverage for Azure administration.
You will need one of the following permissions to implement ASC on a subscription:
All three of these are built-in Azure roles that can be applied to an account. Once you have verified you have these permissions available to you, we can proceed with the remaining steps.
Now, let's look at the steps to implement ASC. Here they are:
Microsoft has made ASC enablement simple by enabling it on all your subscriptions by default. Any subscription that is created by any user in your tenant will automatically be included in all the rich features ASC provides. All you must do is open Security Center once, and within minutes, you will begin seeing the following:
That is it! Simply launch and let the data load!
Technical Note
One neat technical item to know is that enabling ASC is technically done by Azure Policy.
Here is a screenshot of the Azure Policy initiative that controls ASC enablement:
To take advantage of the additional threat protection features, we will move into showing you how to implement Microsoft Defender for Cloud on supported resource types within your subscriptions, next!
Having ASC enabled in your environment is a great start to strengthen your security posture; however, to protect your environment, you will lean on Microsoft Defender for Cloud. We want to walk through with you how to enable Microsoft Defender for Cloud in your enterprise.
Reminder
Microsoft Defender for Cloud is a solution that comes with various costs, so please review these before enabling.
Enabling Microsoft Defender for Cloud can be either an all-at-once task or a very granular one, down to the individual resource types you want protection on. Just as when you enabled ASC, some prerequisites exist before enablement is an option.
Permissions are needed within Azure for you to enable Microsoft Defender for Cloud for your enterprise. Here is an outline of the available permission options that must be assigned to your user account, administrative account, or service account:
Outside of the required permissions, we want to state the importance of gaining alignment once again with proper teams. Microsoft Defender for Cloud will come with a charge that varies based on resource types. We do not want you to be shocked by a monthly bill!
So, what's next? Now that you have the proper permissions and alignment internally, we can move on to enabling Microsoft Defender for Cloud for your single subscription and then cover the steps for multiple subscriptions.
Now, let's take a look at the implementation steps, as follows:
Here is a screenshot of Pricing & settings with Microsoft Defender for Cloud turned on:
Take note of the slider options you have! You can independently select, per resource type, which plan each supported resource will have—either the free version of ASC or the paid plan option of Microsoft Defender for Cloud. Discuss these options with your team once again to ensure everyone is aligned on which resource types within your subscription you want to enable Microsoft Defender for Cloud on. You will see the pricing per resource type here as well for your rough cost calculations. Another thing to keep in mind is that the resource count you see is what is currently deployed in your subscription. When you enable Microsoft Defender for Cloud for a resource type, every new resource of that same type created in the subscription is also included in the plan; automatic provisioning (which we will cover a bit later) takes care of deploying the agents and extensions those resources need.
Okay—that was easy enough! But what if you wanted to enable Microsoft Defender for Cloud on multiple subscriptions? Let's cover that quickly.
Many enterprises have multiple subscriptions within an Azure tenant—it would become quite a tedious task if you had to go into each subscription simply to enable Microsoft Defender for Cloud plans. Good news—you do not have to! Here, we outline the effortless steps to enable Microsoft Defender for Cloud at a higher level on all subscriptions, as follows:
Once this happens, the necessary changes will happen automatically on your selected resources, and charges will begin.
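The portal steps above can also be scripted, which matters once you have more than a handful of subscriptions and want a repeatable, reviewable record of what was turned on. The following is an added example, not the book's own code, that enables the chosen Microsoft Defender for Cloud plans on every enabled subscription the signed-in account can see. It prints the current tier of each plan before changing it, and it starts in dry-run mode so the cost impact is visible before any charge begins. The plan list is an assumption to be trimmed to what your team agreed on; it requires the Az.Accounts and Az.Security modules, an existing Connect-AzAccount session, and Security Admin or Owner on each subscription.

```powershell
# Added example (not the book's code): enable Defender for Cloud plans across all subscriptions.
# Assumptions: Az.Accounts and Az.Security installed, already signed in, Security Admin/Owner on each subscription.
# Set $DryRun to $false only after the tiers printed in the first pass have been reviewed with your team.
$DryRun = $true

# Plan names as accepted by Set-AzSecurityPricing. This selection is an assumption.
$plansToEnable = @('VirtualMachines', 'AppServices', 'StorageAccounts', 'SqlServers', 'KeyVaults', 'Arm', 'Dns')

$subscriptions = Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }

foreach ($sub in $subscriptions) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Write-Host "== $($sub.Name) ($($sub.Id))"

    # 'Free' = CSPM recommendations only; 'Standard' = the paid Defender plan for that resource type.
    $current = Get-AzSecurityPricing

    foreach ($plan in $plansToEnable) {
        $tier = ($current | Where-Object { $_.Name -eq $plan }).PricingTier
        if ($tier -eq 'Standard') {
            Write-Host "   $plan is already Standard"
            continue
        }
        if ($DryRun) {
            Write-Host "   [dry run] $plan would change $tier -> Standard"
            continue
        }
        Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
        Write-Host "   $plan changed $tier -> Standard"
    }
}
```

Run the script once with $DryRun left at $true, circulate the output as the change record, and only then run it again with $DryRun set to $false; the plans apply to every existing and future resource of those types in each subscription, so the second run is the point at which billing starts.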
Pretty easy, right? So, what other considerations should be taken into account when you plan to enable ASC and Microsoft Defender for Cloud in your enterprise? You must consider a plan for provisioning the agents and extensions required on resources to have ASC collect data for analysis. Normally, enterprises prefer to do this in an automatic manner through ASC automatic provisioning. Next, we outline a few key points and steps you should consider before enabling automatic provisioning.
Here is a quick set of steps for the prerequisites:
Note
All the previous prerequisites exist for this step as well.
Here is a screenshot of the Auto provisioning settings:
If you previously either intentionally or accidentally configured agents for monitoring on VMs, you will be asked to reconfigure them to be connected to your new workspace. In that case, simply click Yes:
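The auto provisioning steps above are another setting that is easy to leave inconsistent across subscriptions. The following is an added example, not the book's own code, that points every enabled subscription at one central Log Analytics workspace and turns on automatic provisioning of the monitoring agent, then reads the setting back so you can confirm it took effect. The workspace name and resource group are assumptions; it requires the Az.Accounts, Az.OperationalInsights and Az.Security modules, an existing Connect-AzAccount session, and Owner or Security Admin on each subscription.

```powershell
# Added example (not the book's code): central workspace plus agent auto provisioning on every subscription.
# Assumptions: workspace name/resource group below, Az.Accounts, Az.OperationalInsights and Az.Security installed,
# already signed in, Owner or Security Admin on each subscription.
$workspaceResourceGroup = 'rg-security-prod'      # assumption
$workspaceName          = 'law-defender-central'  # assumption

# Resolve the workspace once; its resource ID is what Defender for Cloud stores per subscription.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $workspaceResourceGroup -Name $workspaceName

$subscriptions = Get-AzSubscription | Where-Object { $_.State -eq 'Enabled' }

foreach ($sub in $subscriptions) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    # Send this subscription's agent data to the central workspace rather than the default per-region one,
    # so the SOC has a single place to query and Microsoft Sentinel has a single source to connect.
    Set-AzSecurityWorkspaceSetting -Name 'default' `
        -Scope "/subscriptions/$($sub.Id)" `
        -WorkspaceId $workspace.ResourceId | Out-Null

    # Auto-provision the monitoring agent on existing and newly created VMs in this subscription.
    Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

    # Read the setting back instead of trusting the call succeeded silently.
    $setting = Get-AzSecurityAutoProvisioningSetting -Name 'default'
    Write-Host "$($sub.Name): auto provisioning = $($setting.AutoProvision); workspace = $workspaceName"
}
```

If a subscription already had VMs reporting to another workspace, this is the scripted equivalent of the reconfiguration prompt shown above: the agents are re-pointed to the central workspace on the next provisioning pass, so plan the change with whoever owns the old workspace before running it.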
Okay! You did it! You have successfully learned what ASC brings to the table from a feature standpoint, as well as learning what Microsoft Defender for Cloud brings to the table in terms of protection of your various supported workloads. Not only have you learned this, but you have also learned how to deploy both tools in your enterprise! Now, let's move on to paint a picture of how ASC and Microsoft Defender for Cloud fit into the security mold of your enterprise!
As a Microsoft security operations analyst, you will be required to have tools deployed and operational in your enterprise that serve the greater security operations center (SOC) need. ASC with Microsoft Defender for Cloud enabled provides you the ultimate security posture management and workload protection where supported resource types allow. Think about this for a second—you have this amazing solution that is doing continual assessments and pointing out vulnerabilities as well as sending you alerts on threats present or detected, along with remediation activities. This is invaluable data to have at your fingertips. This data is then able to be simply maintained in ASC, or it can be piped into a security information and event management (SIEM) tool such as Microsoft Sentinel. You can see where we are going with this—ASC and Microsoft Defender for Cloud will be connected to your Microsoft Sentinel instance for you and your team to have a view into such feeds and alerts. Later, we will get into how to set up Microsoft Sentinel and connect data sources such as Microsoft Defender for Cloud and ASC.
In summary, Microsoft Defender for Cloud is simply awesome! In this chapter, we were able to cover very important aspects of Microsoft Defender for Cloud to ensure you are not only ready to pass the SC-200 exam on these topics but can also immediately apply this in your role as the Microsoft security operations analyst in your enterprise, from understanding what Microsoft Defender for Cloud is and how it integrates into ASC to knowing the prerequisites for deployment and implementation, and, finally, fully understanding how this truly fits into the security mold of your enterprise. This chapter is here for you to re-read and review as needed to prepare yourself to implement and utilize this tool in your enterprise today!
Next, we will be diving into chapters that are designed to ensure you can familiarize yourself with dashboards and alerts. Let's go!