Explain Cloud Workload Protections in Azure Defender (part 2 of 4)

By Ashwin Venugopal -

 


To read part 1 please click here
To read part 3 please click here
To read part 4 please click here



Azure Defender for App Service

Azure App Service is a fully managed platform for building and hosting your web apps as well as APIs without worrying about having to manage the infrastructure while providing management, monitoring, and operational insights to meet the enterprise-grade performance, security as well as compliance requirements. 

Azure Defender for App Service widely uses the scale of the cloud to identify the attacks targeting the applications running over the App Service. Generally attackers probe web applications to find and exploit weaknesses, so before being routed to the specific environments, you should first request to the applications running in Azure to go through  the various gateways, where they can be inspected and logged and can then further be used to identify exploits as well as attackers and learn new patterns that will be used later.

What does Azure Defender for App Service protects?

If the App Service plan is enabled, then the Security Center assesses the resources covered by the App Service plan and generates security recommendations based on its findings. Security Center protects the VM instance in which your App Service is running and the management interface while also monitoring the requests as well as responses sent to and from your apps running in the App Service.

The log data mentioned above basically helps the infrastructure to tell the story, from a new attack circulating into the wild to the compromises in the customer machines, without leaving any information behind. Therefore, even if the Security Center is deployed after a web app has been exploited, it might be easily able to detect the ongoing attacks.

Protect your Azure App Service web apps and APIs

To protect your Azure App Service plan with Azure Defender for App Service you should:
  • Ensure that you have a supported App Service plan which is associated with dedicated machines. 
  • Ensure Azure Defender on your subscription (you can optionally enable only the Azure Defender for App Service plan).

Security Center is natively integrated with the App Service, which eliminates the need for deployment and onboarding- as the integration is transparent.

 Azure Defender for Storage

Azure Defender for Storage is an Azure native-layer of security intelligence that can detect unusual and potentially harmful attempts to access or exploit your storage accounts. Generally, security alerts are triggered when anomalies in an activity occur and are integrated with the Azure Security Center as well as sent via email to subscription administrators with details of all the suspicious activities and recommendations including the investigate and remediate threats methods.

What are the benefits of Azure Defender for Storage?

Azure Defender for Storage provides:
  • Azure-native security- With 1-click enablement, Defender for Storage protects the data stored in Azure Blob, Azure Files, and Data Lakes while providing centralized security across all the data assets managed by Azure and is integrated with the other Azure Security services such as Azure Sentinel. 

  • Rich detection suite- Powered by the Microsoft Threat Intelligence, the detections in Defender for Storage covers the top storage threats such as anonymous access, compromised credentials, social engineering, privilege abuse, and malicious content.

  • Response at scale- Security Center's automation tools makes it easier to prevent and respond to the identified threats. 

What kind of alerts does Azure Defender for Storage provides?

Security alerts are triggered when there's:
  • Suspicious access patterns- such as the successful access from a Tor exit node or from an IP considered suspicious by the Microsoft Threat Intelligence.
  • Suspicious activities- such as anomalous data extraction or unusual change of the access permissions.
  • Uploads of malicious contents- such as potential malware files (based on hash reputation analysis) or hosting phishing content. 

Alerts includes the details of the incident that triggered them, and recommendations on how to investigate as well as remediate threats. 

What is hash reputation analysis for malware?

If you want to determine whether an uploaded file is suspicious, you can use Azure Defender for Storage which in turn uses hash reputation analysis supported by the Microsoft Threat Intelligence. Whenever a file is suspected of containing malware, Security Center displays an alert and can optionally email the storage owner for approval to delete the suspicious file. To set up this automatic removal of files containing malware indicated by hash reputation analysis, you can deploy a workflow automation to trigger on the alerts containing "Potential malware uploaded to a storage account".


To read part 1 please click here
To read part 3 please click here
To read part 4 please click here





Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different groups of computers, re
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning of alert rule parameter
Read more