Explain Cloud Workload Protections in Azure Defender (part 1 of 4)

 


To read part 2 please click here
To read part 3 please click here
To read part 4 please click here


Azure Defender for Servers

Azure Defender for servers adds threat detection and advanced defenses for your Windows and Linux machines. For Windows, Azure Defender integrates with Azure services to monitor and protect your Windows-based machines; for Linux, it collects audit records from the machines by using auditd, one of the most common Linux auditing frameworks.

What are the benefits of Azure Defender for servers?

The threat detection and protection capabilities provided with Azure Defender for servers include:

  • Integrated license for Microsoft Defender for Endpoint (Windows only) - Azure Defender for servers includes Microsoft Defender for Endpoint, and together they provide comprehensive Endpoint Detection and Response (EDR) capabilities.

          When Defender for Endpoint detects a threat, it triggers an alert which is shown in Security Center. From Security Center, you can also pivot to the Defender for Endpoint console and perform a detailed investigation to uncover the scope of the attack.

          The Microsoft Defender for Endpoint sensor is automatically enabled on Windows servers that are monitored by Security Center.

  • Vulnerability assessment scanning for VMs - The vulnerability scanner included with Azure Security Center is powered by Qualys, whose scanner is one of the leading tools for real-time identification of vulnerabilities in your Azure VMs. No Qualys license or Qualys account is needed, as everything is handled seamlessly inside Security Center.

  • Just-in-Time (JIT) VM access - Threat actors actively hunt for accessible machines with open management ports, like RDP or SSH. When a VM is successfully compromised, it is used as the entry point to attack further resources within your environment. If you enable Azure Defender for servers, you can use JIT VM access to lock down inbound traffic to your VMs, which reduces exposure to attacks while still providing easy access to connect to the VMs when needed.

  • File Integrity Monitoring (FIM) - FIM, also known as change monitoring, examines files and registry keys of the operating system, application software, and others for changes that might indicate an attack.

          When you enable Azure Defender for servers, you can use FIM to validate the integrity of Windows files, your Windows registry, and Linux files.

  • Adaptive Application Controls (AAC) - An intelligent and automated solution for defining allow lists of known-safe applications for your machines.

          When you have enabled and configured AAC, you'll get security alerts if any application runs other than the ones you've defined as safe.

  • Adaptive Network Hardening (ANH) - Applying Network Security Groups (NSGs) to filter traffic to and from resources improves your network security posture. However, there can still be cases in which the actual traffic flowing through the NSG is only a subset of what the NSG rules allow. In these cases, the security posture can be further improved by hardening the NSG rules based on the actual traffic patterns. ANH provides recommendations to further harden the NSG rules by using a machine learning algorithm that factors in the actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and recommends allowing traffic only from specific IP/port tuples.

  • Docker host hardening - Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or on other Linux machines running Docker containers. It includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls.

  • Fileless attack detection (Windows only) - Fileless attacks inject a malicious payload into memory to avoid detection by disk-based scanning techniques. The attacker's payload then persists within the memory of the compromised processes and performs a wide range of malicious activities.

          With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. This solution periodically scans your machine at runtime and extracts insights directly from the memory of the processes.

          It generates detailed security alerts containing descriptions with additional process metadata, such as network activity. This accelerates alert triage, correlation, and downstream response time. This approach complements event-based EDR solutions and provides increased detection coverage.

  • Linux auditd alerts and Log Analytics agent integration (Linux only) - The auditd system consists of a kernel-level subsystem responsible for monitoring system calls. Security Center integrates with the functionality of the auditd package within the Log Analytics agent to enable the collection of auditd events from all supported Linux distributions, without any prerequisites.
          Auditd records are collected, enriched, and aggregated into events by using the Log Analytics agent for Linux. Similar to the Windows capabilities, these analytics span suspicious processes, dubious sign-in attempts, kernel module loading, and other activities. These activities can indicate that a machine is either under attack or has been breached.
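To make the auditd analytics above concrete, here is a small detector that flags two of the activities mentioned (kernel module loading and repeated failed sign-ins) in raw auditd records. It is an added example, not code from Security Center or the Log Analytics agent; the sample records are constructed, and the watched syscall numbers (x86_64 init_module/finit_module) and the failed-login threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample auditd records (not captured from a real host); they use the
# standard "key=value" layout that the Log Analytics agent for Linux collects.
SAMPLE_AUDITD = """\
type=SYSCALL msg=audit(1614089730.123:456): arch=c000003e syscall=175 success=yes exit=0 ppid=1000 pid=1001 auid=1000 uid=0 comm="insmod" exe="/usr/bin/kmod" key="modules"
type=USER_LOGIN msg=audit(1614089731.004:457): pid=2001 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" addr=198.51.100.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1614089732.204:458): pid=2002 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" addr=198.51.100.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1614089733.300:459): pid=2003 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" addr=198.51.100.7 terminal=ssh res=failed'
type=SYSCALL msg=audit(1614089740.500:460): arch=c000003e syscall=59 success=yes exit=0 ppid=1500 pid=1501 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
"""

# x86_64 syscall numbers for kernel module loading: 175 = init_module, 313 = finit_module
MODULE_LOAD_SYSCALLS = {"175", "313"}
FAILED_LOGIN_THRESHOLD = 3  # assumed threshold: three failures from one source address

# One auditd field: key=value, where value is "quoted", 'quoted' or a bare token
FIELD_RE = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')


def parse_record(line):
    """Flatten one auditd record into a dict, including fields nested in msg='...'."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        value = value.strip("\"'")
        if key == "msg" and "=" in value:  # nested quoted message: parse it as well
            fields.update(parse_record(value))
        else:
            fields[key] = value
    return fields


def detect(auditd_text):
    """Return (finding_type, detail) tuples for module loads and repeated failed logins."""
    findings = []
    failed_by_source = Counter()
    for line in auditd_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and rec.get("syscall") in MODULE_LOAD_SYSCALLS:
            findings.append(("kernel_module_load",
                             f"auid={rec.get('auid')} exe={rec.get('exe')} comm={rec.get('comm')}"))
        elif rec.get("type") == "USER_LOGIN" and rec.get("res") == "failed":
            src = rec.get("addr", "?")
            failed_by_source[src] += 1
            if failed_by_source[src] == FAILED_LOGIN_THRESHOLD:  # alert once per source
                findings.append(("repeated_failed_login",
                                 f"acct={rec.get('acct')} addr={src} count={FAILED_LOGIN_THRESHOLD}"))
    return findings
```

Running `detect(SAMPLE_AUDITD)` yields one kernel module load finding for the `insmod` call and one repeated-failed-login finding for the three SSH failures from the same address; the `execve` record is left alone.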
    


