Jussi Metso

It’s all about The Cloud and The Security

Published June 22, 2024, updated May 25, 2025

Defender for Cloud – Part 3: Security Posture

Overview of Security posture

Security posture and its proper management in public clouds is a hot potato (in Finnish: kuuma peruna).

It’s very rare that it is properly managed; at least I haven’t seen environments where I could say at first glance that the asset security posture is in good shape.

I think the biggest reason is that customer IT has too much on its table and they have not:

  • figured out what kind of resources they have in their cloud platforms, for example if third parties have not “opened” the solutions, or
  • it’s possible that they don’t even know that they have cloud resources in use
  • even if they know, they don’t understand that there might be assets which need security
  • they don’t know the product called Defender for Cloud
  • Defender for Cloud gets mixed up with tens of other “Defender” products
  • and if they do know MDC aka Defender for Cloud, it might cost too much.

Well, security ain’t cheap, but it’s a lot cheaper when it’s in good shape and safe than when your assets have been compromised and there’s a cloud attack in progress. But that’s a different story.

My idea with this post is to educate and introduce the Defender for Cloud Security Posture.

Microsoft Defender for Cloud is referred to as MDC from here on.

You can click some of the images below to see them better. Let’s start.

When you open Defender for Cloud you can find the Security posture section like this:

When you click the section name, MDC opens the overview page of Security posture:

It’s also possible to group environments (checkbox in upper right corner):


Section 1 shows you a couple of workbooks: Secure Score over time, where you can see the history of how your asset security has evolved, and the Governance report, which shows, if you have assigned assets to different owners, how they have remediated the asset security. There are also links to guides and other useful blogs to read about Security Posture.

Section 2 shows the environments which are connected to MDC.

Section 3 shows you the Total AVG secure score of your chosen environments. In my case there are three Azure subscriptions, and the formula is SUM(subscriptions) / subscription count.

And because I don’t have resources in other clouds (AWS/GCP) or connectors, this shows only the Azure secure score. (Well, there is an AWS connector, but there are no resources in that account, so the AWS account is shown but its secure score is N/A and it’s not included in the formula.)
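As an added example (not code from this post or from Microsoft), here is the Section 3 aggregation in Python: each environment’s secure score is taken as current points over maximum points expressed as a percentage (an assumption about how the percentage is formed), the Total AVG is SUM(scored environments) / count, an empty AWS account comes out as N/A and is excluded just like in the screenshot, and a per-cloud view mimics the group-environments checkbox. The environment records are constructed for the example.

```python
"""Aggregate secure scores the way the Security posture overview does
(added example, not code from the post or from Microsoft)."""
from typing import Dict, List, Optional, Tuple

# Constructed environment records: current points earned and the maximum
# points available per subscription/account. All values are made up.
ENVIRONMENTS = [
    {"name": "sub-prod",    "cloud": "Azure", "current": 27.0, "max": 60.0},
    {"name": "sub-test",    "cloud": "Azure", "current": 40.0, "max": 50.0},
    {"name": "sub-sandbox", "cloud": "Azure", "current": 30.0, "max": 60.0},
    # AWS account is connected but holds no resources, so it has no score (N/A).
    {"name": "aws-empty",   "cloud": "AWS",   "current": 0.0,  "max": 0.0},
]


def secure_score_percent(current: float, maximum: float) -> Optional[float]:
    """Secure score as a percentage; None means N/A (nothing assessable)."""
    if maximum <= 0:
        return None
    return 100.0 * current / maximum


def average_secure_score(envs) -> Tuple[Optional[float], List[str], List[str]]:
    """Total AVG secure score = SUM(scored environments) / count of scored
    environments. N/A environments are reported separately and excluded."""
    scored: List[float] = []
    included: List[str] = []
    excluded: List[str] = []
    for env in envs:
        pct = secure_score_percent(env["current"], env["max"])
        if pct is None:
            excluded.append(env["name"])
        else:
            scored.append(pct)
            included.append(env["name"])
    if not scored:
        return None, included, excluded
    return sum(scored) / len(scored), included, excluded


def scores_by_cloud(envs) -> Dict[str, Optional[float]]:
    """Per-cloud view, like the 'group environments' checkbox on the overview."""
    grouped: Dict[str, list] = {}
    for env in envs:
        grouped.setdefault(env["cloud"], []).append(env)
    return {cloud: average_secure_score(group)[0] for cloud, group in grouped.items()}


if __name__ == "__main__":
    avg, inc, exc = average_secure_score(ENVIRONMENTS)
    print(f"Total AVG secure score: {avg:.1f}% over {inc}; N/A: {exc}")
    for cloud, score in scores_by_cloud(ENVIRONMENTS).items():
        print(f"{cloud}: {'N/A' if score is None else f'{score:.1f}%'}")
```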

Section 4 shows the Environment risk, where the number of Critical recommendations and Attack Paths are lifted to the top and all recommendations are colored by risk criticality.

Section 5 shows the governance status of defined rules that have an assigned owner and a due date for addressing recommendations for specific resources. I’ll cover this later.

Section 6 shows the selected environments with their Name, Secure Score, Unhealthy resources, number of Attack Paths and a link to recommendations.

What's included in MDC Security posture

There are “functions” to enhance the Security posture within MDC:

  • Cloud Security Posture Management (CSPM)
  • Security policies
  • Risk prioritization
  • Governance rules
  • Secure score
  • Regulatory compliance standards
  • Microsoft Cloud Security Benchmark (MCSB)
  • Investigating risks with security explorer/attack paths
  • External attack surface management in Defender for Cloud
  • Critical assets protection
  • Permissions management (CIEM)
  • Agentless machine scanning
  • Secrets protection

Cloud Security Posture Management (CSPM)

One of MDC’s main pillars is cloud security posture management (CSPM). CSPM provides detailed visibility into the security state of your assets and workloads, and provides hardening guidance to help you efficiently and effectively improve your security posture.

CSPM has two plans:

  • Foundational CSPM – MDC offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default for subscriptions and accounts that onboard to MDC.

  • Defender Cloud Security Posture Management (CSPM) plan – The optional, but recommended paid plan.

In the table below, each feature name is actually a link which opens in a new window.

CSPM Plan availability

| Feature | Foundational CSPM | MDC CSPM | Cloud availability |
|---|---|---|---|
| Security recommendations | X | X | Azure, AWS, GCP, on-premises |
| Asset inventory | X | X | Azure, AWS, GCP, on-premises |
| Secure score | X | X | Azure, AWS, GCP, on-premises |
| Data visualization and reporting with Azure Workbooks | X | X | Azure, AWS, GCP, on-premises |
| Data exporting | X | X | Azure, AWS, GCP, on-premises |
| Workflow automation | X | X | Azure, AWS, GCP, on-premises |
| Tools for remediation | X | X | Azure, AWS, GCP, on-premises |
| Microsoft Cloud Security Benchmark | X | X | Azure, AWS, GCP |
| AI security posture management | | X | Azure, AWS |
| Agentless VM vulnerability scanning | | X | Azure, AWS, GCP |
| Agentless VM secrets scanning | | X | Azure, AWS, GCP |
| Attack path analysis | | X | Azure, AWS, GCP |
| Risk prioritization | | X | Azure, AWS, GCP |
| Risk hunting with security explorer | | X | Azure, AWS, GCP |
| Code-to-cloud mapping for containers | | X | GitHub, Azure DevOps |
| Code-to-cloud mapping for IaC | | X | Azure DevOps |
| PR annotations | | X | GitHub, Azure DevOps |
| Internet exposure analysis | | X | Azure, AWS, GCP |
| External attack surface management (EASM) | | X | Azure, AWS, GCP |
| Permissions Management (CIEM) | | X | Azure, AWS, GCP |
| Regulatory compliance assessments | | X | Azure, AWS, GCP |
| ServiceNow Integration | | X | Azure, AWS, GCP |
| Critical assets protection | | X | Azure, AWS, GCP |
| Governance to drive remediation at-scale | | X | Azure, AWS, GCP |
| Data security posture management (DSPM), Sensitive data scanning | | X | Azure, AWS, GCP (1) |
| Agentless discovery for Kubernetes | | X | Azure, AWS, GCP |
| Agentless code-to-cloud containers vulnerability assessment | | X | Azure, AWS, GCP |

(1): GCP sensitive data discovery supports only Cloud Storage.

Security policies

Security policies in MDC consist of security standards and recommendations that help to improve your cloud security posture.

Security standards define rules, compliance conditions for those rules, and actions (effects) to be taken if conditions aren’t met. Defender for Cloud assesses resources and workloads against the security standards enabled in your Azure subscriptions, Amazon Web Services (AWS) accounts, and Google Cloud Platform (GCP) projects. Based on those assessments, security recommendations provide practical steps to help you remediate security issues.

I’ll write more about security policies in an upcoming post.

Risk prioritization

MDC performs a risk assessment of your security issues: the engine identifies the most significant security risks while distinguishing them from less risky issues. The recommendations are then sorted based on their risk level.

MDC analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. It also highlights the security recommendations that need to be resolved to mitigate these risks. This approach helps you focus on urgent security concerns and makes remediation efforts more efficient and effective. Although risk prioritization doesn’t affect the secure score, it helps you to address the most critical security issues in your environment.

This is the new (preview) Recommendations view:

And if you switch the “Group by title” the screen looks like this:

NOTE. Risk prioritization and governance are supported only with the Defender CSPM plan.

And if your environment is not protected by the Defender CSPM plan, the columns with the risk prioritization features will appear blurred out.

Secure score

The secure score in MDC can help you to improve your cloud security posture. The secure score aggregates security findings into a single score so that you can assess, at a glance, your current security situation. The higher the score, the lower the identified risk level is. More info here.

Governance rules

MDC continuously assesses your hybrid and multi-cloud workloads and provides you with recommendations to harden your assets and enhance your security posture. Central security teams often experience challenges when driving the personnel within their organizations to implement recommendations. The organizations’ security posture can suffer as a result.

You can define rules that assign an owner and a due date for addressing recommendations for specific resources. This provides resource owners with a clear set of tasks and deadlines for remediating recommendations.

For this blog post I made a test rule (link to MS Learn):

You can watch the Microsoft Security video about this:

Regulatory compliance standards

MDC continually assesses the environment-in-scope against any compliance controls that can be automatically assessed. Based on assessments, it shows resources as being compliant or non-compliant with controls.

MCSB aka Microsoft Cloud Security Benchmark is the default standard in MDC and is always available.

In the Regulatory compliance dashboard, you manage and interact with compliance standards. You can see which compliance standards are assigned, turn standards on and off for Azure, AWS, and GCP, and review the status of assessments against standards.

You can also integrate compliance data from MDC with Microsoft Purview Compliance Manager, allowing you to centrally assess and manage compliance across your organization’s entire digital estate.

I’ll write more about regulatory compliance standards in an upcoming post.

Microsoft Cloud Security Benchmark

When you onboard subscriptions and accounts to MDC, the Microsoft cloud security benchmark automatically starts to assess resources in scope.

This benchmark builds on the cloud security principles defined by the Azure Security Benchmark and applies these principles with detailed technical implementation guidance for Azure, for other cloud providers (such as AWS and GCP), and for other Microsoft clouds.

I’ll write more about MCSB in an upcoming post.

Investigating risks with security explorer/attack paths

Cloud Security Explorer

I wrote a post about Cloud Security Explorer when it came to public preview in January 2023. You can read it if you want to. It has developed since then.

The cloud security graph is a graph-based context engine that exists within MDC. The cloud security graph collects data from your multicloud environment and other data sources. For example, the cloud assets inventory, connections and lateral movement possibilities between resources, exposure to internet, permissions, network connections, vulnerabilities and more. The data collected is then used to build a graph representing your multicloud environment.

MDC then uses the generated graph to perform an attack path analysis and find the issues with the highest risk that exist within your environment. You can also query the graph using the cloud security explorer.

You can create a query for whatever you want to search, or you can use the templates.

Self-made query
Example of query templates

I’ll write more about Cloud Security Explorer in an upcoming post.

Attack path analysis

Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment and reach your high-impact assets. Attack path analysis exposes the attack paths and suggests recommendations on how best to remediate the issues that will break the attack path and prevent a successful breach.

When you take your environment’s contextual information into account (for example exposure to the internet, permissions, lateral movement, and more), attack path analysis identifies issues that might lead to a breach of your environment and helps you to remediate the highest-risk ones first.

I’ll write more about Attack path analysis in an upcoming post.
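To make the graph idea concrete, here is an added toy version of attack path analysis in Python (not MDC’s own algorithm or code): a constructed cloud security graph where internet-exposed, vulnerable VMs are the entry points and a business-critical SQL server is the high-impact asset, a search for every path between them, and the edges shared by all paths, which are the recommendations that break every path at once. Node names, edge types and remediation texts are made up for the example.

```python
"""Toy attack path analysis over a cloud security graph (added example)."""
from typing import Dict, List, Tuple

Path = List[str]
Edge = Tuple[str, str]

# Constructed graph: nodes carry the contextual facts the graph engine
# collects (internet exposure, vulnerabilities, business criticality) and
# edges are relationships between assets. All names are made up.
NODES = {
    "vm-web":   {"exposed": True,  "vulnerable": True},
    "vm-api":   {"exposed": True,  "vulnerable": True},
    "vm-batch": {"exposed": False, "vulnerable": True},  # not reachable from the internet
    "id-web":   {},
    "id-batch": {},
    "kv-prod":  {},
    "sql-prod": {"critical": True},                      # the high-impact asset
}
EDGES = {  # (source, target) -> relationship type
    ("vm-web", "id-web"): "runs as",
    ("vm-api", "id-web"): "runs as",
    ("vm-batch", "id-batch"): "runs as",
    ("id-web", "kv-prod"): "has permission to",
    ("kv-prod", "sql-prod"): "holds credentials for",
    ("id-batch", "sql-prod"): "has permission to",
}
# Which recommendation breaks an edge of a given relationship type.
REMEDIATION = {
    "runs as": "Remove the identity the machine does not need",
    "has permission to": "Reduce the identity's permissions (least privilege)",
    "holds credentials for": "Rotate and remove stored credentials",
}


def find_attack_paths(nodes: Dict[str, dict], edges: Dict[Edge, str]) -> List[Path]:
    """Enumerate simple paths from an internet-exposed, vulnerable entry
    point to a business-critical asset."""
    adjacency: Dict[str, List[str]] = {}
    for src, dst in edges:
        adjacency.setdefault(src, []).append(dst)
    entries = [n for n, a in nodes.items() if a.get("exposed") and a.get("vulnerable")]
    targets = {n for n, a in nodes.items() if a.get("critical")}
    paths: List[Path] = []

    def walk(node: str, path: Path) -> None:
        if node in targets:
            paths.append(path)
            return
        for nxt in adjacency.get(node, []):
            if nxt not in path:  # simple paths only, no cycles
                walk(nxt, path + [nxt])

    for entry in entries:
        walk(entry, [entry])
    return paths


def choke_points(paths: List[Path]) -> List[Edge]:
    """Edges present in every attack path; fixing one breaks all the paths."""
    edge_sets = [set(zip(p, p[1:])) for p in paths]
    return sorted(set.intersection(*edge_sets)) if edge_sets else []


def recommendations(paths: List[Path], edges: Dict[Edge, str]) -> List[str]:
    """Remediation text for each choke-point edge, by its relationship type."""
    return [f"{s} -> {d}: {REMEDIATION[edges[(s, d)]]}" for s, d in choke_points(paths)]
```

Running `find_attack_paths(NODES, EDGES)` yields two paths (from vm-web and vm-api); vm-batch is left out because it is not internet-exposed, and the two choke points are the identity’s Key Vault permission and the stored credentials.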

External attack surface management in Defender for Cloud

MDC has the capability to perform external attack surface management (EASM), (outside-in) scans on multicloud environments. MDC accomplishes this through its integration with Microsoft Defender EASM. NOTE: You need to have EASM implemented to make this work.

Defender EASM applies Microsoft’s crawling technology to discover assets that are related to your known online infrastructure, and actively scans these assets to discover new connections over time. Attack Surface Insights are generated by applying vulnerability and infrastructure data to showcase the key areas of concern for your organization, such as:

  • Discover digital assets, always-on inventory.
  • Analyze and prioritize risks and threats.
  • Pinpoint attacker-exposed weaknesses, anywhere and on-demand.
  • Gain visibility into third-party attack surfaces.

The Defender EASM integration provides the following capabilities within the MDC portal:

  • Discovery of all internet-facing cloud resources through an outside-in scan.
  • Attack path analysis which finds all exploitable paths starting from internet-exposed IPs.
  • Custom queries that correlate all internet-exposed IPs with the rest of the MDC data in the cloud security explorer.

To leverage the EASM integration in MDC you need to create EASM first.

Critical assets protection

MDC now has the business criticality concept added to its security posture management capabilities. This feature helps you to identify and protect your most important assets. It uses the critical assets engine created by Microsoft Security Exposure Management (MSEM). You can define critical asset rules in MSEM, and MDC can then use them in scenarios such as risk prioritization, attack path analysis, and cloud security explorer. MSEM is found in the Microsoft Defender portal (security.microsoft.com).

The setup is done in the Defender portal, but you can also access it through MDC via Environment Settings:

The actual setup is done in Defender portal:

I’ll write more about Critical Asset management in an upcoming post.

Permissions management (CIEM)

MDC’s integration with Microsoft Entra Permissions Management provides a Cloud Infrastructure Entitlement Management (CIEM) security model that helps organizations manage and control user access and entitlements in their cloud infrastructure. CIEM is a critical component of the Cloud Native Application Protection Platform (CNAPP) solution that provides visibility into who or what has access to specific resources. CIEM ensures that access rights adhere to the principle of least privilege (PoLP), where users or workload identities, such as apps and services, receive only the minimum levels of access necessary to perform their tasks. CIEM also helps organizations to monitor and manage permissions across multiple cloud environments, including Azure, AWS, and GCP.

Integrating Permissions Management with Defender for Cloud (CNAPP) strengthens cloud security by preventing security breaches caused by excessive permissions or misconfigurations. Permissions Management continuously monitors and manages cloud entitlements, helping to discover attack surfaces, detect threats, right-size access permissions, and maintain compliance. This integration enhances the capabilities of Defender for Cloud in securing cloud-native applications and protecting sensitive data.

The integration feature comes as part of Defender CSPM plan and doesn’t require a Permissions Management license. To learn more about other capabilities that you can receive from Permissions Management, refer to the feature matrix:

Source: MS Learn

Agentless machine scanning

Agentless scanning for virtual machines (VM) in Azure, AWS and GCP provides:

  • Broad, frictionless visibility into your software inventory using Microsoft Defender Vulnerability Management.
  • Deep analysis of operating system configuration and other machine metadata.
  • Vulnerability assessment using Defender Vulnerability Management.
  • Secret scanning to locate plain text secrets in your compute environment.
  • Threat detection with agentless malware scanning, using Microsoft Defender Antivirus.

Agentless scanning assists you in the identification process of actionable posture issues without the need for installed agents, network connectivity, or any effect on machine performance. Agentless scanning is available through both the Defender Cloud Security Posture Management (CSPM) plan and Defender for Servers P2 plan.

Source: MS Learn

Secrets protection

MDC provides secrets scanning for virtual machines, and for cloud deployments, to reduce lateral movement risk.

  • Virtual machines (VMs): Agentless secrets scanning on multicloud VMs.
  • Cloud deployments: Agentless secrets scanning across multicloud infrastructure-as-code deployment resources.
  • Azure DevOps: Scanning to discover exposed secrets in Azure DevOps.

MDC discovers the types of secrets summarized in the table.

Here’s Microsoft Defender for Cloud’s (aka MDC’s) Security posture described in short. Let’s go to the next part soon!

The parts of the MDC blog series

  • Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
  • Part 1: Getting started aka Setup
  • Part 2: The Asset Inventory
  • Part 3: Security posture
  • Part 4: Security recommendations
  • Part 5: Security alerts
  • Part 6: Attack path analysis
  • Part 7: Cloud security explorer
  • Part 8: Workbooks
  • Part 9: Regulatory compliance
  • Part 10: Workload protections
  • Part 10.5: Advanced Workload protection
  • Part 11: Data and AI security – The end of the series
Jussi Metso
Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.