Azure Security Center- Your Security Is Our Pride (Part 2)

 
To read part 1 please click here

Azure Security Center Policies

Security Center automatically creates a default security policy for each of your Azure subscriptions. You can:

  • Edit Azure policies.
  • Assign policies across management groups and subscriptions, which can represent an entire organization or a business unit within the organization.
  • Monitor policy compliance.

An Azure policy consists of the following components:

  • A policy is a rule.
  • An initiative is a collection of policies.
  • An assignment is the application of a policy or an initiative to a specific scope, such as a management group, a subscription, or a resource group.
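
To make the three building blocks concrete, here is an added example (not code from the original post, from Security Center or from Azure Policy itself): a simplified evaluator that takes two policy rules, groups them into an initiative, assigns the initiative to a resource-group scope and reports which resources in scope are non-compliant. The condition operators mirror those of real Azure Policy rules (field, equals, notEquals, allOf, anyOf, not), but only that subset is implemented, and the policy names, subscription id, resource ids and resource properties are constructed for the example.

```python
"""Simplified Azure Policy evaluator: policy (rule), initiative (set of
policies) and assignment (initiative applied to a scope).

Added example for this post; it is not Security Center's or Azure Policy's
own code. It copies the shape of a real policy rule ("if" with
field/equals/notEquals/allOf/anyOf/not, "then" with an effect) but supports
only those operators, and the resource ids and scope below are constructed.
"""

# --- Policies: each one is a single rule ---------------------------------
STORAGE_HTTPS_ONLY = {
    "name": "storage-https-only",
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
         "notEquals": "true"},
    ]},
    "then": {"effect": "audit"},
}
VM_DISK_ENCRYPTION = {
    "name": "vm-disk-encryption",
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"not": {"field": "tags.diskEncryption", "equals": "enabled"}},
    ]},
    "then": {"effect": "audit"},
}

# --- Initiative: a named collection of policies ---------------------------
SECURITY_BASELINE = {"name": "security-baseline",
                     "policies": [STORAGE_HTTPS_ONLY, VM_DISK_ENCRYPTION]}

# --- Assignment: the initiative applied to one scope (a resource group) ---
PROD_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
ASSIGNMENT = {"initiative": SECURITY_BASELINE, "scope": PROD_SCOPE}

# Constructed sample inventory; the last VM sits in a different resource group.
RESOURCES = [
    {"id": PROD_SCOPE + "/providers/Microsoft.Storage/storageAccounts/prodlogs",
     "type": "Microsoft.Storage/storageAccounts",
     "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": "false",
     "tags": {}},
    {"id": PROD_SCOPE + "/providers/Microsoft.Compute/virtualMachines/web01",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"diskEncryption": "enabled"}},
    {"id": PROD_SCOPE + "/providers/Microsoft.Compute/virtualMachines/db01",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {}},
    {"id": PROD_SCOPE.replace("/prod", "/dev")
     + "/providers/Microsoft.Compute/virtualMachines/lab01",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {}},
]


def get_field(resource, path):
    """Resolve a policy 'field' reference: a top-level property, a tag
    written as tags.<name>, or a provider alias stored under its full name."""
    if path.startswith("tags."):
        return resource.get("tags", {}).get(path[len("tags."):])
    return resource.get(path)


def matches(condition, resource):
    """Evaluate the 'if' block of a policy rule against one resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    raise ValueError(f"unsupported condition: {condition}")


def in_scope(resource, scope):
    """An assignment covers the scope itself and everything beneath it."""
    return resource["id"] == scope or resource["id"].startswith(scope + "/")


def evaluate_assignment(assignment, resources):
    """Return the resources the assignment evaluated and, per policy, the ids
    whose 'if' condition matched, i.e. the non-compliant ones for an audit
    or deny effect."""
    covered = [r for r in resources if in_scope(r, assignment["scope"])]
    non_compliant = {}
    for policy in assignment["initiative"]["policies"]:
        non_compliant[policy["name"]] = [
            r["id"] for r in covered if matches(policy["if"], r)]
    return {"evaluated": [r["id"] for r in covered],
            "non_compliant": non_compliant}


if __name__ == "__main__":
    report = evaluate_assignment(ASSIGNMENT, RESOURCES)
    for name, ids in report["non_compliant"].items():
        print(f"{name}: {len(ids)} non-compliant")
        for rid in ids:
            print("   ", rid)
```

Note that lab01 is never evaluated: it lives in the dev resource group, outside the assignment's scope, which is exactly why assignments are made at management-group or subscription level when a rule is meant to apply organization-wide.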

Recommendations give you a complete assessment of the security health of your environment. The types of recommendations are as follows:

· System Updates: retrieves the list of available security and critical updates daily from Windows Update or Windows Server Update Services (WSUS).

· OS Vulnerabilities: analyzes OS configurations daily to find settings that could make the VM vulnerable to attack.

· Endpoint Protection: recommended for all Windows VMs to help identify and remove viruses, spyware, and other malicious software.

· Disk Encryption: recommended for all VMs so that data at rest is protected.

· Network Security Groups: recommended for VMs with public endpoints to control inbound and outbound traffic. This policy also assesses the inbound security rules.

· Web Application Firewall: extends network protection beyond NSGs. Security Center discovers web deployments for which a web application firewall is recommended and helps you provision the virtual appliance.

· Next Generation Firewall: Security Center may recommend that you add a Next Generation Firewall (NGFW) from a Microsoft partner to increase your security protections.

· Vulnerability Assessment: recommends installing a vulnerability assessment solution on your VMs.

· SQL Auditing & Threat Detection: recommends enabling auditing of access to Azure SQL Database for advanced threat detection and investigation.

· SQL Encryption: recommends enabling encryption at rest for Azure SQL Database so that the data stays unreadable even if it is breached.

 

Who can edit security policies?

Security Center uses Azure role-based access control (RBAC): built-in roles are assigned to users, groups and services in Azure, and when a user opens Security Center they see only the information related to the resources they have access to. In practice this means the user has been assigned the Owner, Contributor, or Reader role on the subscription or resource group that a resource belongs to. In addition, there are two Security Center-specific roles:

· Security Reader: can view recommendations, alerts, policy, and health, but cannot make any changes.

· Security Admin: has the same view rights as Security Reader and can also update the security policy and dismiss recommendations and alerts.

An introduction to Secure Score

Security Center works toward two main goals: helping you understand your current security situation, and helping you improve it efficiently. The central feature that enables both is Secure Score.

Security Center continually assesses your resources, subscriptions, and organization for security issues and aggregates all findings into a single score, so you can tell your current security situation at a glance. The higher the score, the lower the identified risk level. The Secure Score page in Security Center shows:

· The score: displayed as a percentage, with the underlying point values (current and maximum) also shown.

· Security controls: a control is a set of related security recommendations, with instructions that help you implement them. A resource only earns points within a control once every recommendation in that control has been remediated for it; fixing one of several failing recommendations on a resource does not move the score.

Review the score for each security control to see at a glance how well your organization is securing each individual attack surface.

How is the secure score calculated and improved?

To gain the full points for a security control, all of your resources must comply with all the recommendations in that control, so remediating the recommendations in your recommendations list raises your secure score. Recommendations can be remediated manually or, where available, with the Quick Fix option, which applies the remediation to a group of resources at once.
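
The following added example (not Security Center's own code) applies the scoring rule described above: each control is worth max score × healthy resources / total resources, a resource is healthy for a control only when all of that control's recommendations are remediated for it, and the overall score is the sum of the control scores expressed as a percentage of the sum of the maxima. The control names, point values and assessment records are constructed for the example, and the point values are illustrative rather than the ones Security Center assigns.

```python
"""Secure score arithmetic for security controls.

Added example for this post, not Security Center's own code. A resource
counts as healthy for a control only once every recommendation in that
control is remediated for it; a control is worth max_score * healthy /
total; the overall score is the sum of the control scores, shown as a
percentage of the sum of the maxima. Control names, point values and
assessment records below are constructed sample data.
"""
from collections import defaultdict

MAX_SCORE = {          # illustrative point values per control (assumption)
    "Enable MFA": 10,
    "Secure management ports": 8,
    "Apply system updates": 6,
}

# (control, recommendation, resource, healthy?) as Security Center assesses them
ASSESSMENTS = [
    ("Enable MFA", "mfa-for-owners", "sub-prod", False),
    ("Secure management ports", "jit-enabled", "vm-web01", False),
    ("Secure management ports", "nsg-restricts-rdp", "vm-web01", True),
    ("Secure management ports", "jit-enabled", "vm-web02", False),
    ("Secure management ports", "nsg-restricts-rdp", "vm-web02", False),
    ("Secure management ports", "jit-enabled", "vm-db01", True),
    ("Secure management ports", "nsg-restricts-rdp", "vm-db01", True),
    ("Secure management ports", "jit-enabled", "vm-db02", True),
    ("Secure management ports", "nsg-restricts-rdp", "vm-db02", True),
    ("Apply system updates", "system-updates", "vm-web01", False),
    ("Apply system updates", "system-updates", "vm-web02", True),
    ("Apply system updates", "system-updates", "vm-db01", True),
    ("Apply system updates", "system-updates", "vm-db02", True),
]


def resource_health(assessments):
    """control -> {resource: healthy}; a resource is healthy for a control
    only when none of that control's recommendations fail for it."""
    health = defaultdict(dict)
    for control, _rec, resource, healthy in assessments:
        health[control][resource] = health[control].get(resource, True) and healthy
    return health


def control_scores(assessments):
    """control -> (current points, max points)."""
    scores = {}
    for control, per_resource in resource_health(assessments).items():
        healthy = sum(1 for ok in per_resource.values() if ok)
        scores[control] = (MAX_SCORE[control] * healthy / len(per_resource),
                           MAX_SCORE[control])
    return scores


def secure_score(assessments):
    """(current points, max points, percentage) across all controls."""
    scores = control_scores(assessments)
    current = sum(c for c, _ in scores.values())
    maximum = sum(m for _, m in scores.values())
    return current, maximum, round(100 * current / maximum, 2)


def remediate(assessments, resource, recommendation):
    """Return a copy of the assessments with one finding marked healthy."""
    return [(c, r, res, True if (res == resource and r == recommendation) else ok)
            for c, r, res, ok in assessments]


if __name__ == "__main__":
    print("before:", secure_score(ASSESSMENTS))
    # Fixing only one of the two failing recommendations on vm-web02 earns nothing...
    partial = remediate(ASSESSMENTS, "vm-web02", "jit-enabled")
    print("partial fix on vm-web02:", secure_score(partial))
    # ...whereas fixing vm-web01's single failing recommendation does.
    full = remediate(ASSESSMENTS, "vm-web01", "jit-enabled")
    print("vm-web01 fully compliant:", secure_score(full))
```

The two remediation runs at the end show why it pays to finish one resource before starting the next: clearing one of two findings on vm-web02 leaves the score unchanged, while clearing the only finding on vm-web01 lifts the "Secure management ports" control from 4 to 6 points.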

Brute Force Attacks

Attack Scenario

This type of attack is targeted: the attacker goes after specific users and cycles through as many passwords as possible, using either a full dictionary or one trimmed to common passwords. A more targeted form is password guessing, where the attacker picks a person and researches them to guess the password, for example by discovering family names through social media posts and then trying variants of those names against the account.

Attackers target RDP users who use weak passwords and have no multifactor authentication, Virtual Private Network (VPN), or other protective controls in front of the service. Through RDP brute force, attackers gain access to the target machines and use them for activities such as ransomware deployment and coin mining.

Azure Security Center draws on the Microsoft Intelligent Security Graph to detect and contain these attacks. The following are indicators of an attack:

· Extremely high counts of failed sign-ins from many unknown usernames.

· Multiple RDP connections from new source IP addresses that have never previously authenticated successfully.
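
As an added example (not Security Center's detection logic), the script below checks for both indicators over a handful of constructed RDP sign-in events written in a simplified form of the Windows Security log: event id 4625 is a failed logon and 4624 a successful one, and logon type 10 is RemoteInteractive, i.e. RDP. The thresholds and the set of source addresses that have authenticated successfully in the past are assumptions chosen for the example.

```python
"""Detect the two brute-force indicators above over RDP sign-in events.

Added example for this post, not Security Center's detection logic. The log
lines are constructed: one event per line with timestamp, Windows Security
event id (4625 = failed logon, 4624 = successful logon), logon type (10 =
RemoteInteractive, i.e. RDP), target user and source IP. The thresholds and
the historically trusted source addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime

LOG = """\
2024-03-04T10:00:01Z 4625 10 administrator 203.0.113.7
2024-03-04T10:00:03Z 4625 10 admin 203.0.113.7
2024-03-04T10:00:05Z 4625 10 alice 203.0.113.7
2024-03-04T10:00:07Z 4625 10 bob 203.0.113.7
2024-03-04T10:00:09Z 4625 10 backup 203.0.113.7
2024-03-04T10:00:11Z 4625 10 svc_sql 203.0.113.7
2024-03-04T10:00:13Z 4625 10 test 203.0.113.7
2024-03-04T10:00:15Z 4625 10 guest 203.0.113.7
2024-03-04T10:00:40Z 4624 10 backup 203.0.113.7
2024-03-04T10:05:00Z 4625 10 alice 192.0.2.33
2024-03-04T10:05:30Z 4625 10 alice 192.0.2.33
2024-03-04T10:06:00Z 4624 10 alice 192.0.2.33
2024-03-04T10:15:00Z 4624 10 alice 10.0.0.20
2024-03-04T11:00:00Z 4624 10 carol 198.51.100.9
"""
# Sources that have authenticated successfully before (assumed, e.g. taken
# from the previous 30 days of successful RDP logons).
KNOWN_GOOD_SOURCES = {"10.0.0.20"}


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, user, source = line.split()
        events.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "event_id": int(event_id), "logon_type": int(logon_type),
                       "user": user, "source": source})
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window_seconds=600, min_failures=5, min_users=3):
    """Indicator 1: many failed sign-ins for many distinct usernames from one
    source inside a sliding time window."""
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            failures[e["source"]].append(e)
    alerts = []
    for source, fails in failures.items():
        best, j = None, 0
        for i in range(len(fails)):
            # advance the window end while it is still within window_seconds of fails[i]
            while (j < len(fails) and
                   (fails[j]["time"] - fails[i]["time"]).total_seconds() <= window_seconds):
                j += 1
            users = {f["user"] for f in fails[i:j]}
            if j - i >= min_failures and len(users) >= min_users:
                if best is None or j - i > best["failures"]:
                    best = {"source": source, "failures": j - i, "users": sorted(users)}
        if best:
            alerts.append(best)
    return alerts


def detect_new_source_logons(events, known_good_sources):
    """Indicator 2: a successful RDP logon from a source that has never
    authenticated successfully before. The alert also carries how many
    failures preceded it from that source, because 'spray, then success'
    is the signature of a guessed password."""
    seen_ok = set(known_good_sources)
    failed_before = defaultdict(int)
    alerts = []
    for e in events:
        if e["logon_type"] != 10:
            continue
        if e["event_id"] == 4625:
            failed_before[e["source"]] += 1
        elif e["event_id"] == 4624 and e["source"] not in seen_ok:
            alerts.append({"source": e["source"], "user": e["user"],
                           "prior_failures": failed_before[e["source"]],
                           "time": e["time"].isoformat()})
            seen_ok.add(e["source"])
    return alerts


if __name__ == "__main__":
    evs = parse_events(LOG)
    for a in detect_password_spray(evs):
        print("SPRAY      ", a)
    for a in detect_new_source_logons(evs, KNOWN_GOOD_SOURCES):
        print("NEW-SOURCE ", a)
```

On the sample data only 203.0.113.7 trips the spray rule (eight failures for eight different accounts in fourteen seconds), and the same address then logs in successfully as "backup", which is the alert to treat as a probable compromise; 198.51.100.9 is merely a new source with no failures, and 192.0.2.33 has two, so the prior-failure count is what separates a travelling user from an attacker.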

Practices to blunt a Brute Force Attack

· Remove the public IP address from the VM and reach it through a bastion host (Azure Bastion) instead.

· Use a point-to-site VPN, site-to-site VPN, or Azure ExpressRoute for management access.

· Require two-factor authentication.

· Use complex passwords.

· Limit the time that management ports are open, for example with Just-In-Time VM Access.

Just-In-Time (JIT) VM (Virtual Machine) Access

JIT VM Access locks down inbound traffic to your Azure VMs, reducing the exposure to attack while still allowing easy access to a VM when it is needed.

When JIT VM Access is enabled, you create a policy that determines which ports can be opened, how long they may remain open, and which approved source IP addresses are allowed to reach them. The JIT view also lets you quickly identify the existing VMs that have JIT VM Access enabled and those for which it is recommended.

 

How does JIT VM Access work?

  • Azure Defender must be enabled first; Security Center then lists the VMs that can be configured for JIT, flagging as unhealthy those where JIT is recommended but not yet enabled.
  • For each virtual machine, Security Center proposes the management ports to lock down and the access settings for them.
  • You can accept the recommended ports or add other ports of your choice.
  • Once the policy is in place, users must request access to a VM for a limited time window, and you can audit the usage of each VM.
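
The following added example (not Security Center's own code) shows the checks a JIT request has to pass before a port is opened: the port must be in the policy, the requester's address must fall within the allowed source prefix, and the requested duration may not exceed the policy maximum; the allow rule that comes back carries an expiry so the port closes again. The policy fields (port number, protocol, allowedSourceAddressPrefix, maxRequestAccessDuration as an ISO 8601 duration) follow the shape of a Security Center JIT policy, while the VM name, address ranges and requests are constructed and the returned rule is a simplified stand-in for the temporary NSG rule Security Center creates.

```python
"""Just-in-time access request check against a JIT policy.

Added example for this post, not Security Center's own code. The policy
shape (ports with number, protocol, allowedSourceAddressPrefix and an ISO
8601 maxRequestAccessDuration such as PT3H) follows the fields of a Security
Center JIT policy; the VM name, address ranges, clock and requests are
constructed, and the returned rule is a simplified stand-in for the
temporary NSG allow rule Security Center would create.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

JIT_POLICY = {
    "vm": "vm-web01",
    "ports": [
        {"number": 3389, "protocol": "TCP",
         "allowedSourceAddressPrefix": "10.10.0.0/24",   # admin jump subnet (assumed)
         "maxRequestAccessDuration": "PT3H"},
        {"number": 22, "protocol": "TCP",
         "allowedSourceAddressPrefix": "*",              # any source, but only for 1h
         "maxRequestAccessDuration": "PT1H"},
    ],
}
DEMO_NOW = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)   # fixed clock for the example

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(text):
    """PT3H / PT30M / PT1H30M -> timedelta (the subset JIT policies use)."""
    m = _DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {text}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)


def source_allowed(prefix, source_ip):
    """'*' means any source; otherwise the address must sit inside the prefix."""
    return prefix == "*" or ipaddress.ip_address(source_ip) in ipaddress.ip_network(prefix, strict=False)


def request_access(policy, port, source_ip, duration, now):
    """Validate a JIT request. Returns {'allowed': True, 'rule': {...}} with
    the temporary allow rule and its expiry, or {'allowed': False, 'reason': ...}."""
    entry = next((p for p in policy["ports"] if p["number"] == port), None)
    if entry is None:
        return {"allowed": False, "reason": f"port {port} is not in the JIT policy"}
    if not source_allowed(entry["allowedSourceAddressPrefix"], source_ip):
        return {"allowed": False,
                "reason": f"{source_ip} is outside {entry['allowedSourceAddressPrefix']}"}
    wanted = parse_duration(duration)
    longest = parse_duration(entry["maxRequestAccessDuration"])
    if wanted > longest:
        return {"allowed": False,
                "reason": f"{duration} exceeds policy maximum {entry['maxRequestAccessDuration']}"}
    rule = {"vm": policy["vm"], "port": port, "protocol": entry["protocol"],
            "source": source_ip, "action": "Allow", "expires_at": now + wanted}
    return {"allowed": True, "rule": rule}


def rule_active(rule, now):
    """The port is only open until the requested window ends."""
    return now < rule["expires_at"]


def seconds_remaining(rule, now):
    return (rule["expires_at"] - now).total_seconds()


if __name__ == "__main__":
    for port, src, dur in [(3389, "10.10.0.15", "PT2H"), (3389, "203.0.113.7", "PT1H"),
                           (3389, "10.10.0.15", "PT4H"), (8080, "10.10.0.15", "PT1H"),
                           (22, "203.0.113.7", "PT1H")]:
        print(port, src, dur, "->", request_access(JIT_POLICY, port, src, dur, DEMO_NOW))
```

The expiry on the returned rule is the point of the whole mechanism: once it passes, the rule is removed and the management port is closed again, which is what blunts the brute-force scenario described earlier, since there is no open RDP port to spray against between approved sessions.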

Azure Security Center therefore provides a comprehensive solution for detecting and investigating a wide range of security threats with the help of its various tools.

