Cloud Security Posture Management (CSPM) and some of its features
January 11, 2023 (updated January 16, 2023)

What is Cloud Security Posture Management in Azure?

Cloud Security Posture Management (CSPM) is a new plan in Microsoft Defender for Cloud that adds a set of security management tools for Azure. CSPM gives you hardening guidance that helps you improve your security efficiently and effectively, and it gives you visibility into your current security situation. Defender for Cloud continually assesses your resources, subscriptions and organization for security issues and summarizes your posture in the secure score, an aggregated score of the security findings that tells you, at a glance, where you stand: the higher the score, the lower the identified risk level.

Defender CSPM options

CSPM in Defender for Cloud comes in two flavours: the foundational CSPM capabilities and the Defender CSPM plan. When you onboard a subscription and its resources to Defender for Cloud, you automatically get the foundational coverage. To get the additional capabilities of Defender CSPM (Cloud Security Explorer, attack path analysis and agentless scanning, which are covered below), you have to enable the Defender CSPM plan in your environment settings.

CSPM feature list (image grabbed from the Overview of Defender CSPM page)

What is Cloud Security Explorer?

Using the Cloud Security Explorer, you can proactively identify security risks in your multicloud environment by running graph-based queries on the cloud security graph. Your security team can use the query builder to search for and locate risks while taking your organization's specific context and conventions into account. Cloud Security Explorer is built for proactive exploration: you search for security risks by running graph-based path-finding queries on top of the contextual security data that Defender for Cloud already collects, such as cloud misconfigurations, vulnerabilities, resource context, lateral movement possibilities between resources and more.

How to enable it?

To use Cloud Security Explorer you need to enable the following:
- Enable agentless scanning
- Enable the Defender CSPM plan
- Enable Defender for Containers (and install the relevant agents to view attack paths that are related to containers; this also lets you query container data plane workloads in the security explorer)

How to use it?

You can build your own queries or use the pre-made templates and see whether they return any results. First you need to log in to the Azure portal: go with your browser to https://portal.azure.com, navigate to Defender for Cloud and click Cloud Security Explorer (preview).

At first you see only one dropdown list; this is the starting point of the query editor, where you pick the resource type the query starts from. Under it are the pre-made query templates, which you can click to get the query results directly. An example query is to search for virtual machines that are exposed to the internet:

The results are shown below the Search button. If you click one of the results, a new blade opens with more information about that virtual machine. At this point of the public preview you can't export the results anywhere, but I hope it will be possible in coming versions.

Result details:

More details at Microsoft Learn.

What is Attack path analysis and how to use it?

Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers may use to breach your environment and reach your high-impact assets. Attack path analysis surfaces those paths and suggests recommendations for remediating the issues that will break the path and prevent a successful breach. By taking your environment's contextual information into account, such as internet exposure, permissions, lateral movement and more, attack path analysis identifies issues that may lead to a breach of your environment and helps you remediate the highest-risk ones first.

To enable attack path analysis you need the same options as for Cloud Security Explorer: the Defender CSPM plan, Defender for Containers and agentless scanning (or one of the Defender for Servers plans, P1 or P2; of those, only P2 includes agentless scanning, see the agentless scanning section below).

Navigate to Defender for Cloud, choose Recommendations and you will see a screen like this:

Now click the Attack path button and a new blade opens that lists each attack path with its environment, path count, risk categories and affected resources (sorry about the small image). For each attack path you can see all of its risk categories and the affected resources. The risk categories include credentials exposure, compute abuse, data exposure, and subscription and account takeover.

For example, I clicked one of those paths (Internet exposed EC2). It opens a blade with a lot of information and the recommended actions to remediate the threat:

More details at Microsoft Learn.

Agentless scanning for machines

Microsoft Defender for Cloud maximizes coverage of OS posture issues and extends beyond the reach of agent-based assessments. With agentless scanning for VMs you get frictionless, wide and instant visibility into actionable posture issues without installed agents, network connectivity requirements or impact on machine performance. Agentless scanning for VMs provides vulnerability assessment and software inventory, both powered by Defender Vulnerability Management, in Azure and Amazon AWS environments. Agentless scanning is available in both the Defender CSPM and the Defender for Servers P2 plans.

How does it work?

While agent-based methods use OS APIs at runtime to continuously collect security-related data, agentless scanning for VMs uses cloud APIs to collect data. Defender for Cloud takes snapshots of VM disks and does an out-of-band, deep analysis of the OS configuration and file system stored in the snapshot. The copied snapshot doesn't leave the original compute region of the VM, and the VM itself is never touched by the scan. After the necessary metadata has been acquired from the disk, Defender for Cloud immediately deletes the copied snapshot and sends the metadata to Microsoft engines that analyze configuration gaps and potential threats; for vulnerability assessment, for example, the analysis is done by Defender Vulnerability Management. The results are displayed in Defender for Cloud, which consolidates agent-based and agentless results into one view. The scanning environment where disks are analyzed is regional, volatile, isolated and highly secure. Disk snapshots and data unrelated to the scan aren't stored longer than is necessary to collect the metadata, typically a few minutes.

One practical consequence of the design: because the scan works through the cloud control plane (snapshotting the disk) rather than through an agent in the guest, it needs permission to create and read disk snapshots in the subscription, and those snapshot operations are control-plane writes that appear in the subscription's activity log rather than in any guest OS log.

More details at Microsoft Learn.

Cloud Security Posture Management and all the features I have presented are in public preview at the moment and will develop in the future, so the screenshots I have taken from Azure might change.
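The prerequisite list given above for Cloud Security Explorer (Defender CSPM, Defender for Containers, agentless scanning) is also the list for attack path analysis, and both views simply stay empty when one of them is missing, so it is worth checking the plans before hunting for a portal problem. The following is an added example, not code from the original post or from Microsoft: a Python check that reads the JSON printed by `az security pricing list -o json` and reports which prerequisite is not met. The two sample documents are constructed for the example; the field names (name, pricingTier, subPlan, extensions[].name, extensions[].isEnabled) and the plan and extension names (CloudPosture, Containers, VirtualMachines, AgentlessVmScanning) follow the Microsoft.Security/pricings resource but should be treated as assumptions and compared with your own output.

```python
"""Check a subscription's Defender for Cloud plans against the prerequisites the
post lists for Cloud Security Explorer and attack path analysis.

Feed it the JSON from `az security pricing list -o json` (the
Microsoft.Security/pricings resource). The two SAMPLE_* documents below are
constructed for this example. Field names (name, pricingTier, subPlan,
extensions[].name, extensions[].isEnabled) and the plan/extension names
(CloudPosture, Containers, VirtualMachines, AgentlessVmScanning) are taken from
that API but are assumptions here: compare them with your own output.
"""
import json
import sys

REQUIRED_PLANS = ("CloudPosture", "Containers")  # Defender CSPM, Defender for Containers
AGENTLESS_EXTENSION = "AgentlessVmScanning"
# Agentless scanning is not a plan of its own; per the post it comes with Defender CSPM
# (CloudPosture) or with Defender for Servers P2 (VirtualMachines with subPlan P2).
AGENTLESS_HOSTS = {"CloudPosture": None, "VirtualMachines": "P2"}

# Constructed sample: Defender CSPM on but agentless off, Servers P1, Containers on the free tier.
SAMPLE_MISSING = json.dumps({"value": [
    {"name": "CloudPosture", "pricingTier": "Standard",
     "extensions": [{"name": "AgentlessVmScanning", "isEnabled": "False"}]},
    {"name": "VirtualMachines", "pricingTier": "Standard", "subPlan": "P1", "extensions": []},
    {"name": "Containers", "pricingTier": "Free"},
    {"name": "StorageAccounts", "pricingTier": "Standard"},
]})

# Constructed sample that meets every prerequisite.
SAMPLE_OK = json.dumps({"value": [
    {"name": "CloudPosture", "pricingTier": "Standard",
     "extensions": [{"name": "AgentlessVmScanning", "isEnabled": "True"}]},
    {"name": "Containers", "pricingTier": "Standard"},
]})


def _is_enabled(flag) -> bool:
    """The REST API serialises isEnabled as the strings "True"/"False"; accept booleans too."""
    return flag is True or str(flag).lower() == "true"


def _plans_by_name(pricing_json: str) -> dict:
    """Index plans by name; accept either the {"value": [...]} envelope or a bare list."""
    data = json.loads(pricing_json)
    items = data.get("value", []) if isinstance(data, dict) else data
    return {p["name"]: p for p in items}


def agentless_scanning_enabled(pricing_json: str) -> bool:
    """True if AgentlessVmScanning is switched on in a plan that can carry it."""
    plans = _plans_by_name(pricing_json)
    for host, required_subplan in AGENTLESS_HOSTS.items():
        plan = plans.get(host, {})
        if plan.get("pricingTier") != "Standard":
            continue
        if required_subplan and plan.get("subPlan") != required_subplan:
            continue  # Defender for Servers P1 does not include agentless scanning
        if any(e.get("name") == AGENTLESS_EXTENSION and _is_enabled(e.get("isEnabled"))
               for e in plan.get("extensions", [])):
            return True
    return False


def missing_prerequisites(pricing_json: str) -> list:
    """Return one finding per unmet prerequisite; an empty list means all are met."""
    plans = _plans_by_name(pricing_json)
    findings = []
    for name in REQUIRED_PLANS:
        tier = plans.get(name, {}).get("pricingTier", "absent")
        if tier != "Standard":
            findings.append(f"{name} plan is not enabled (pricingTier: {tier})")
    if not agentless_scanning_enabled(pricing_json):
        findings.append(f"{AGENTLESS_EXTENSION} is not enabled on CloudPosture or VirtualMachines/P2")
    return findings


if __name__ == "__main__":
    # Real use: az security pricing list -o json | python3 check_cspm_prereqs.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MISSING
    for line in missing_prerequisites(raw) or ["all prerequisites for Cloud Security Explorer and attack paths are met"]:
        print(line)
```

Run without input to see the two findings for the constructed sample (Containers on the free tier, agentless scanning off), or pipe the real `az security pricing list -o json` output into it. Turning the agentless extension on in the CloudPosture plan, or moving Defender for Servers to P2 with the extension enabled, clears the second finding.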