Azure Security Center- Your Security Is Our Pride (Part 2)
Security Center automatically creates a default security policy for each of your Azure subscriptions. You can:
- Edit Azure policies
- Assign policies across management groups and subscriptions, which can represent an entire organization or a business unit within the organization.
- Monitor policy compliance.
Azure Policy consists of the following components:
- A policy is a rule.
- An initiative is a collection of policies.
- An assignment is the application of an initiative or a policy to a specific scope.
The recommendations provide a complete assessment of the security health of your environment. The types of recommendations are as follows:
- System Updates: retrieves the list of available security and critical updates daily from Windows Update or Windows Server Update Services (WSUS).
- OS Vulnerabilities: analyzes OS configurations daily to find issues that might make the VM vulnerable to attack.
- Endpoint Protection: recommended for all Windows VMs to help identify and remove viruses, spyware, and other malicious software.
- Disk Encryption: recommended on all VMs to strengthen data protection.
- Network Security Groups: configured to control inbound and outbound traffic to VMs with public endpoints. This policy also assesses the inbound security rules.
- Web Application Firewall: extends network protection beyond NSGs. It allows Security Center to discover deployments for which a next-generation firewall is recommended and helps you provision a virtual appliance.
- Next Generation Firewall: Azure Security Center may recommend adding a Next Generation Firewall (NGFW) from a Microsoft partner to increase your security protections.
- Vulnerability Assessment: recommended to be installed on your VMs.
- SQL Auditing & Threat Detection: recommended to enable auditing of access to Azure SQL Database for advanced threat detection and investigation.
- SQL Encryption: recommended to enable so that your data stays unreadable even if it is breached.
Who can edit security policies?
Security Center uses Role-Based Access Control (RBAC): built-in roles are assigned to users, groups and services in Azure, and when a user opens Security Center they see only the information related to the resources they have access to. This means users are assigned the Owner, Contributor, or Reader role on the subscription or resource group that a resource belongs to. There are also two Security Center-specific roles:
- Security Reader: has view rights to recommendations, alerts, policy, and health, but cannot make any changes.
- Security Admin: has the same view rights as a Security Reader, and can also update the security policy and dismiss recommendations and alerts.
An introduction to Secure Score
Security Center works toward two main goals: first, to help you understand your current security situation, and second, to help you improve your security. The central feature that enables you to achieve both goals is Secure Score.
Security Center continually assesses your resources, subscriptions, and organization for security issues and aggregates all findings into a single score, so you can tell your current security situation at a glance. A higher score means a lower identified risk level. The Secure Score page in Security Center includes:
- The score: always shown as a percentage, but the underlying values are also visible.
- Security controls: a control is a set of security recommendations, with instructions that help you implement them. A resource within a control only improves the score once all of the control's recommendations have been remediated for that resource.
Review the score of each security control to see at once how well your organization is securing each individual attack surface.
How is the secure score calculated and improved?
To earn the points for a security control, all of your resources must comply with all of the recommendations within that control, so remediating the security recommendations from your recommendations list improves your secure score. Recommendations can be remediated manually or, where available, with the Quick Fix option, which applies a remediation to a group of resources at once.
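As an added illustration (not code from this post or from Security Center itself), the following Python models the scoring rule above: a resource earns credit for a control only when every recommendation in that control is remediated for it, and the per-control points are aggregated into one percentage. The control names, per-control maximum points and recommendation ids are constructed assumptions.

```python
# Constructed sample data. The per-control maximum points are assumed values;
# the post only says the score is shown as a percentage with underlying values.
CONTROL_MAX_POINTS = {
    "Enable MFA": 10,
    "Apply system updates": 6,
    "Encrypt data in transit": 4,
}

# Recommendation ids grouped under each control (constructed for illustration).
CONTROL_RECOMMENDATIONS = {
    "Enable MFA": {"mfa-owners", "mfa-writers"},
    "Apply system updates": {"system-updates", "reboot-pending"},
    "Encrypt data in transit": {"https-only"},
}


def build_sample_resources():
    """Three constructed VMs with the recommendations still open on each."""
    return [
        {"name": "vm-web", "open": {"system-updates"}},
        {"name": "vm-db", "open": {"mfa-owners", "mfa-writers", "https-only"}},
        {"name": "vm-app", "open": set()},
    ]


def resource_is_healthy(resource, control):
    """Credit for a control is earned only when every one of its
    recommendations is remediated on the resource (the rule stated above)."""
    return not (resource["open"] & CONTROL_RECOMMENDATIONS[control])


def control_score(resources, control):
    """Points for one control: its maximum scaled by the share of healthy resources."""
    if not resources:
        return 0.0
    healthy = sum(resource_is_healthy(r, control) for r in resources)
    return CONTROL_MAX_POINTS[control] * healthy / len(resources)


def secure_score(resources):
    """Aggregate all controls into a single percentage, as the Secure Score page does."""
    earned = sum(control_score(resources, c) for c in CONTROL_MAX_POINTS)
    return round(100 * earned / sum(CONTROL_MAX_POINTS.values()), 1)


def remediate(resources, resource_name, recommendation):
    """Mark one recommendation as fixed on one resource and return the new score."""
    for r in resources:
        if r["name"] == resource_name:
            r["open"].discard(recommendation)
    return secure_score(resources)


if __name__ == "__main__":
    vms = build_sample_resources()
    print("initial:", secure_score(vms))                                  # 66.7
    print("one MFA fix on vm-db:", remediate(vms, "vm-db", "mfa-owners"))   # 66.7
    print("both MFA fixes on vm-db:", remediate(vms, "vm-db", "mfa-writers"))  # 83.3
```

Fixing only one of vm-db's two open MFA recommendations leaves the score unchanged; the control pays out for that resource only once both are closed.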
Attack Scenario
A brute-force attack is targeted: the attacker goes after specific users and cycles through as many passwords as possible, using either a full dictionary or one trimmed to common passwords. A more targeted form of password guessing is when the attacker selects a person and researches them to guess their password, for example by discovering family names through social media posts and then trying those variants against the account to gain access.
Attackers target RDP users who use weak passwords and lack multifactor authentication, Virtual Private Networks (VPNs), and other security protections. Through RDP brute force, threat actors can gain access to target machines and conduct activities such as ransomware and coin-mining operations.
Azure Security Center draws on the Microsoft Intelligent Security Graph to detect and contain these threats. The following are indications of an attack:
- Extreme counts of failed sign-ins from many unknown usernames.
- Multiple RDP connections from new source IP addresses that have never previously authenticated successfully.
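As an added example that is not part of the original post, here is detection logic that applies the two indicators above to a constructed set of sign-in events; the event format, usernames, source addresses and thresholds are all assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sign-in events (not real telemetry): (timestamp, source IP, username, outcome).
EVENTS = [
    ("2021-03-01T08:00:01", "203.0.113.5", "alice", "success"),
    ("2021-03-01T08:05:12", "203.0.113.5", "alice", "failure"),
    ("2021-03-01T08:05:30", "203.0.113.5", "alice", "success"),
    ("2021-03-01T09:00:00", "198.51.100.7", "admin", "failure"),
    ("2021-03-01T09:00:01", "198.51.100.7", "administrator", "failure"),
    ("2021-03-01T09:00:02", "198.51.100.7", "test", "failure"),
    ("2021-03-01T09:00:03", "198.51.100.7", "guest", "failure"),
    ("2021-03-01T09:00:04", "198.51.100.7", "bob", "failure"),
    ("2021-03-01T09:00:05", "198.51.100.7", "sql", "failure"),
    ("2021-03-01T09:20:00", "192.0.2.77", "alice", "failure"),
    ("2021-03-01T09:21:00", "192.0.2.77", "alice", "failure"),
    ("2021-03-01T09:22:00", "192.0.2.77", "alice", "failure"),
    ("2021-03-01T09:30:00", "192.0.2.9", "bob", "success"),
]
# Accounts that actually exist on the host (constructed).
KNOWN_USERS = {"alice", "bob"}


def analyze_rdp_signins(events, known_users, fail_threshold=5,
                        unknown_threshold=3, attempt_threshold=3):
    """Map each suspicious source IP to the indicators it triggered."""
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                  "unknown_users": set(), "succeeded": False})
    for _ts, ip, user, outcome in events:
        s = per_ip[ip]
        s["attempts"] += 1
        if outcome == "success":
            s["succeeded"] = True
        else:
            s["failures"] += 1
            if user not in known_users:
                s["unknown_users"].add(user)

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        # Indicator 1: a high failure count spread over many unknown usernames.
        if s["failures"] >= fail_threshold and len(s["unknown_users"]) >= unknown_threshold:
            reasons.append("many_failures_unknown_users")
        # Indicator 2: repeated connections from a source that has never authenticated.
        if not s["succeeded"] and s["attempts"] >= attempt_threshold:
            reasons.append("new_source_never_authenticated")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in analyze_rdp_signins(EVENTS, KNOWN_USERS).items():
        print(ip, ", ".join(reasons))
```

A legitimate user who mistypes a password once from an address that has authenticated before (203.0.113.5 above) triggers neither indicator.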
Practices to blunt a Brute Force Attack
- Disable the public IP address and use a Bastion host instead.
- Use point-to-site VPN, site-to-site VPN, or Azure ExpressRoute.
- Require two-factor authentication.
- Use complex passwords.
- Limit the time that ports are open.
Just-In-Time (JIT) VM Access
JIT VM Access locks down inbound traffic to your Azure VMs, reducing the risk of attack while still providing easy access when you need to connect to a VM.
When JIT VM Access is enabled, you create a policy that determines how long the ports can remain open and which approved IP addresses may access them. The policy also helps you quickly identify existing VMs that have JIT VM Access enabled and those where it is recommended.
How does JIT VM Access work?
- Azure Defender must be enabled first; after that, JIT-configured VMs can be viewed. JIT should be enabled on every VM that is not healthy.
- Recommended ports and access are then provided for each virtual machine.
- You can either accept the recommendations or add other ports of your choice.
- Once everything is in place, users must request access to the VMs, and you monitor the usage of each VM.
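To show what a JIT policy of the kind described above actually decides, here is an added example (not Security Center's own code or policy schema) that checks an access request against a per-port maximum duration and list of approved source addresses, and works out when the opened window closes. The policy field names, ports, addresses and the request time are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed JIT policy for one VM. Field names are assumptions for this
# example, not Security Center's real policy schema.
JIT_POLICY = {
    "vm": "vm-web",
    "ports": {
        3389: {"max_hours": 3, "approved_sources": ["203.0.113.0/24"]},
        22: {"max_hours": 1, "approved_sources": ["203.0.113.10/32"]},
    },
}
# Constructed time at which the sample requests are made.
REQUESTED_AT = datetime(2021, 3, 1, 9, 0)


def evaluate_request(policy, port, source_ip, hours, requested_at):
    """Check a JIT access request against the policy.

    Returns (approved, reason, expires_at); expires_at is None when denied."""
    rule = policy["ports"].get(port)
    if rule is None:
        return False, f"port {port} is not covered by the JIT policy", None
    if hours <= 0 or hours > rule["max_hours"]:
        return False, f"{hours}h exceeds the {rule['max_hours']}h maximum", None
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in ipaddress.ip_network(net) for net in rule["approved_sources"]):
        return False, f"{source_ip} is not an approved source address", None
    return True, "approved", requested_at + timedelta(hours=hours)


def temporary_allow_rule(port, source_ip, expires_at):
    """The narrow inbound allow rule that exists only until the window expires."""
    return {
        "direction": "Inbound",
        "access": "Allow",
        "protocol": "Tcp",
        "source": f"{source_ip}/32",
        "destination_port": port,
        "expires_at": expires_at.isoformat(),
    }


def window_is_open(expires_at, now):
    """True while the approved access window is still valid."""
    return now < expires_at


if __name__ == "__main__":
    ok, why, until = evaluate_request(JIT_POLICY, 3389, "203.0.113.42", 2, REQUESTED_AT)
    print(ok, why, until)  # True approved 2021-03-01 11:00:00
    print(temporary_allow_rule(3389, "203.0.113.42", until))
    print(evaluate_request(JIT_POLICY, 22, "203.0.113.10", 4, REQUESTED_AT)[1])
```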
Azure Security Center therefore provides a complete solution for detecting and investigating all types of security threats with the help of these tools.
To read part 1 please click here