top of page
  • Writer's pictureTimmy Malmgren

Defender for Cloud, your friend amongst the clouds | SEDC Blog

Updated: Apr 12



Microsoft Defender for Cloud has been around for a long time, so it might seem as a strange choice for my first blogpost! However as I have meet with several customers that are taking or have taken their first steps into Azure, there are far too many that is unaware of either its existence at all or how they actually can benefit greatly from working with it! Not only should you get used to working with it, Microsoft Defender for Cloud should always be one of your closest friends during your stay in Azure!


So what is Microsoft Defender for Cloud? Well in short Microsoft Defender for Cloud in its basic form is a collection of policies spanning across your subscriptions and Azure infrastructure to make sure it is compliant with different regulations and security configurations, this is then presented back to you in a score based system that represent your Security posture.


With security posture you get a good overview of your Azure resources resistance to different threats and on top of that these recommendations are always being evaluated and updated by Microsoft, so constantly working with defender will make sure your always on top of your security posture!





Microsoft Defender for Cloud then compiles a list of recommendations for the resources in your subscription. Each category in the list is presented with your current score and also a potential score for remediating vulnerabilities and misconfigurations. These remediations vary in priority, benefit to your environment and also in the amount of work and time it takes to implement them, some might take a few days while others may be project for months to come. Some of these remediations can even have a “fix now” button that takes you to the setting that does not follow the current policies applied for that subscription, do be cautious as always when changing security configuration in an production environment as this can severely impact your applications.



A simple overview of your current score for each category and a potential max score with easy to use filtering and priority management!



So where does these recommendations originate from and why should we trust them? I did mention that they are based of policies but that itself might not be to helpful as policies is kind of a broad term. Microsoft Defender for Cloud uses a baseline policy framework called Azure security benchmark V3 (version at the time of writing) that are implemented on your subscriptions by default and measures compliances. Azure security benchmark is a compilation of controls from well-known and world recognized security benchmarks such as CIS (Center for internet Security). NIST (National Institute of Standards and Technology) and PCI-DSS, we will not get in to details about these different benchmarks but I do want to mention them and that there are many more that can be used in Microsoft Defender for Cloud. If you have other needs that are not meet by any of all security benchmarks supported by defender you can also configure your own recommendation/compliance checks.



Enhanced Security mode

So everything mentioned so far is all completely free for all your subscriptions! That does not however mean that this is defenders full capabilities, far from it actually! By enabling Microsoft Defender for Cloud’s enhanced security features on your subscription you will have access to more advance capabilities, this however comes at a monthly cost and needs to be evaluated if its needed for your organization (“spoiler alert” almost all cases I have experienced, the benefits easily outweighs the cost), however there are of course exceptions to every rule and that’s why this needs to be evaluated by people with the right competence. If you are interested in trying out these features Microsoft does offers a 30-day trail that you can activate for your subscription(s).


Now let us have a quick look at what capabilities enhanced security features offer!


The big features activated with enhanced mode is listed below, a few contains more functionality but I want to keep it short in this post! Also note that this is not a deep technical dive so configuration of these might need agents and more configurations.


Vulnerability assessment for your virtual machines, container registries and SQL resources helps you look into your configuration inside your virtual machines, SQL resources and container registries and helps protect them from different threats.


Container security features for your containerized environment defender offers things such as real-time threat protection, vulnerability management and image scanning!


Integration for Endpoint detection and response (EDR) with Defender for Cloud gives you the benefits of automatic onboarding for Defender for endpoint and the benefit of only using one portal for them together.



Some sample alerts from the security alerts dashboard!



Threat protection alerts offers great behavioral analytics for an ever growing threat from cyber-attacks by using machine learning that can identify attacks and even catch zero-day exploits.


Multicloud and Hybrid security makes it possible to connect your other cloud account for Amazon and Google to protect workloads in those platforms to. It also makes it possible to span from the clouds down to your on-premise servers, firewalls and other resources to apply security policies and keep them compliant as well!


Adaptive application controls offers some more machine learning power together with allow and blocklists. It helps block malware but also other unwanted applications you don’t want running in your environment. It even have an alert mode only, so you can activated it without the risk to impact your environment but still getting the knowledge from alerts of what’s running on your virtual machines.


Just-in-time VM access offers the capability to set up temporary port openings on demand, making the attack surface for RDP protocols slimer. There is however today another option to protect your VM and still offer RDP capabilities called “Bastion” that I myself would prefer, they can however be used together.


Threat protection for resources connected to Azure will be my last point of the list and will include several things. Since defender is connected to both Azure management layer and Azure DNS layer it is granted a different visibility into things connected to these layers. Working together with machine learning it offers Adaptive network hardening, monitor VMs, data stores, Azure SQL including managed instance and many more cloud services including (in preview) IoT devices.





So do I have to pay for all these things if I am only interested in one? No you can customize this in the portal to some extent, while you cant mix and match on the deepest levels there is some flexibility offered here.


But how do we keep our environments compliant with all these settings and configurations? Well the most obvious would be to start working with all these remediations right? Well yes, maybe, the problem here is that some if these can have large impact on a production environment and might take months to implement. There is another way to make sure you become compliant and to actually help you stay compliant and resistant to threats in the future! That is adopting the “Cloud Adoption Framework”, a secure and flexible platform and method of working in Azure infrastructure (it’s a little more complex than that) but next week I will blog an introduction to Cloud Adoption Framework be sure to check it out!

Working with the remediations however is never wrong but should be done by a person with the right competence that does an assessment before implementing! However depending on the amount of configuration suggested (and actually needed) it might not be the best way for your environment! Instead you might want to look at setting up a new environment according to Cloud Adoption Framework and migrate there.


Summary

Defender for cloud offers great insight into your Azure infrastructure and for a price, even into your workloads and networks! It offers a streamline interactive portal with alerts, tools, threat intelligence, investigation and post-action capabilities. Even if you do not opt in for any of the enhanced security mode features there is no excuse to not be working with Microsoft defender for cloud during your stay in Azure!



257 views0 comments

Comments


bottom of page