June 22, 2024 (updated July 7, 2024)

# Defender for Cloud – Part 3: Security Posture

## Overview of Security posture

Security posture and its proper management in public clouds is a hot potato (in Finnish, kuuma peruna). It is very rare that it is properly managed; at least I haven't seen environments where I could say at first glance that the asset security posture is in a good state. I think the biggest reason is that customer IT has too much on its table and has not:

- figured out what kind of resources they have in their cloud platforms, for example if third parties have not "opened" the solutions, or
- it's possible that they don't even know that they have cloud resources in use
- even if they know, they don't understand the idea that there might be assets which need security
- they don't know the product called Defender for Cloud; Defender for Cloud is mixed up with tens of other "Defender" products
- and if they know MDC aka Defender for Cloud, it might cost too much.

Well, security ain't cheap, but it's a lot cheaper when it's in good shape and safe than when your assets have been compromised and there's a cloud attack in progress. But that's a different story.

My idea with this post is to educate and introduce the Defender for Cloud Security Posture. Microsoft Defender for Cloud = later MDC. You can click some of the images below to see them better. Let's start.

When you open Defender for Cloud you can find the Security posture section like this:

And when clicking the section name, MDC opens the overview page of Security posture:

It's also possible to group environments (checkbox in the upper right corner). Click the image to enlarge it.

Section 1 shows you a couple of workbooks: Secure Score over time, where you can see the history data of how your asset security has evolved, and the Governance report, which shows, if you have assigned assets to different owners, how they have remediated the asset security.
There are also links to guides and other useful blogs to read about the Security Posture.

Section 2 shows the environments which are connected to MDC.

Section 3 shows you the Total AVG secure score of your chosen environments. In my case there are three Azure subscriptions and the formula = SUM(subscriptions)/subscription count. Because I don't have resources in other clouds (AWS/GCP) or connectors, this shows only the Azure secure score. (Well, there is an AWS connector, but there are no resources in that account, so the AWS account is shown but its secure score is N/A and it's not included in the formula.)

Section 4 shows the Environment risk, where the number of Critical recommendations and Attack Paths are lifted to the top and all recommendations are colored by risk criticality.

Section 5 shows the governance status of defined rules that have an assigned owner and a due date for addressing recommendations for specific resources. I'll cover this later.

Section 6 shows the selected environments and their Name, Secure Score, Unhealthy resources, number of Attack Paths and a link to recommendations.

## What's included in MDC Security posture

There are "functions" to enhance the Security posture within MDC:

- Cloud Security Posture Management (CSPM)
- Security policies
- Risk prioritization
- Governance rules
- Secure score
- Regulatory compliance standards
- Microsoft Cloud Security Benchmark (MCSB)
- Investigating risks with security explorer/attack paths
- External attack surface management in Defender for Cloud
- Critical assets protection
- Permissions management (CIEM)
- Agentless machine scanning
- Secrets protection

### Cloud Security Posture Management (CSPM)

One of MDC's main pillars is cloud security posture management (CSPM).
CSPM provides detailed visibility into the security state of your assets and workloads, and provides hardening guidance to help you efficiently and effectively improve your security posture.

CSPM has two plans:

- Foundational CSPM – MDC offers foundational multicloud CSPM capabilities for free. These capabilities are automatically enabled by default for subscriptions and accounts that onboard to MDC.
- Defender Cloud Security Posture Management (CSPM) plan – The optional, but recommended, paid plan.

In the table below each feature name is a link which opens in a new window.

#### CSPM plan availability

| Feature | Foundational CSPM | MDC CSPM | Cloud availability |
|---|---|---|---|
| Security recommendations | X | X | Azure, AWS, GCP, on-premises |
| Asset inventory | X | X | Azure, AWS, GCP, on-premises |
| Secure score | X | X | Azure, AWS, GCP, on-premises |
| Data visualization and reporting with Azure Workbooks | X | X | Azure, AWS, GCP, on-premises |
| Data exporting | X | X | Azure, AWS, GCP, on-premises |
| Workflow automation | X | X | Azure, AWS, GCP, on-premises |
| Tools for remediation | X | X | Azure, AWS, GCP, on-premises |
| Microsoft Cloud Security Benchmark | X | X | Azure, AWS, GCP |
| AI security posture management | | X | Azure, AWS |
| Agentless VM vulnerability scanning | | X | Azure, AWS, GCP |
| Agentless VM secrets scanning | | X | Azure, AWS, GCP |
| Attack path analysis | | X | Azure, AWS, GCP |
| Risk prioritization | | X | Azure, AWS, GCP |
| Risk hunting with security explorer | | X | Azure, AWS, GCP |
| Code-to-cloud mapping for containers | | X | GitHub, Azure DevOps |
| Code-to-cloud mapping for IaC | | X | Azure DevOps |
| PR annotations | | X | GitHub, Azure DevOps |
| Internet exposure analysis | | X | Azure, AWS, GCP |
| External attack surface management (EASM) | | X | Azure, AWS, GCP |
| Permissions Management (CIEM) | | X | Azure, AWS, GCP |
| Regulatory compliance assessments | | X | Azure, AWS, GCP |
| ServiceNow Integration | | X | Azure, AWS, GCP |
| Critical assets protection | | X | Azure, AWS, GCP |
| Governance to drive remediation at-scale | | X | Azure, AWS, GCP |
| Data security posture management (DSPM), Sensitive data scanning | | X | Azure, AWS, GCP (1) |
| Agentless discovery for Kubernetes | | X | Azure, AWS, GCP |
| Agentless code-to-cloud containers vulnerability assessment | | X | Azure, AWS, GCP |

(1): GCP sensitive data discovery supports only Cloud Storage.

### Security policies

Security policies in MDC consist of security standards and recommendations that help to improve your cloud security posture. Security standards define rules, compliance conditions for those rules, and actions (effects) to be taken if conditions aren't met. Defender for Cloud assesses resources and workloads against the security standards enabled in your Azure subscriptions, Amazon Web Services (AWS) accounts, and Google Cloud Platform (GCP) projects. Based on those assessments, security recommendations provide practical steps to help you remediate security issues.

I'll write more about security policies in a future post.

### Risk prioritization

MDC performs a risk assessment of your security issues: the engine identifies the most significant security risks while distinguishing them from less risky issues. The recommendations are then sorted based on their risk level.

MDC analyzes which security issues are part of potential attack paths that attackers could use to breach your environment. It also highlights the security recommendations that need to be resolved to mitigate these risks. This approach helps you focus on urgent security concerns and makes remediation efforts more efficient and effective. Although risk prioritization doesn't affect the secure score, it helps you to address the most critical security issues in your environment.

This is the new (preview) Recommendations view:

And if you switch on "Group by title", the screen looks like this:

NOTE: Risk prioritization and governance are supported only with the Defender CSPM plan. If your environment is not protected by the Defender CSPM plan, the columns with the risk prioritization features will appear blurred out.

### Secure score

The secure score in MDC can help you to improve your cloud security posture.
The secure score aggregates security findings into a single score so that you can assess, at a glance, your current security situation. The higher the score, the lower the identified risk level is. More info here.

### Governance rules

MDC continuously assesses your hybrid and multicloud workloads and provides you with recommendations to harden your assets and enhance your security posture. Central security teams often experience challenges when driving the personnel within their organizations to implement recommendations. The organization's security posture can suffer as a result.

You can define rules that assign an owner and a due date for addressing recommendations for specific resources. This provides resource owners with a clear set of tasks and deadlines for remediating recommendations.

For this blog post I made a test rule (link to MS Learn):

You can watch the Microsoft Security video about this.

### Regulatory compliance standards

MDC continually assesses the environment in scope against any compliance controls that can be automatically assessed. Based on the assessments, it shows resources as being compliant or non-compliant with controls.

MCSB aka Microsoft Cloud Security Benchmark is the default standard in MDC, and it is always available.

In the Regulatory compliance dashboard you manage and interact with compliance standards. You can see which compliance standards are assigned, turn standards on and off for Azure, AWS, and GCP, and review the status of assessments against standards.

You can also integrate compliance data from MDC with Microsoft Purview Compliance Manager, allowing you to centrally assess and manage compliance across your organization's entire digital estate.

I'll write more about regulatory compliance standards in a future post.
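To make the overview numbers concrete, here is an added Python example (not code from this post or from Microsoft) that recomputes, from constructed data, the Section 3 Total AVG secure score with N/A environments excluded, the Section 4 environment risk counts, the risk-prioritized recommendation order described under Risk prioritization, and the Section 5 governance status of owner/due-date assignments. The record fields, sample names, recommendation titles and status bucket names are assumptions made for this illustration.

```python
"""Recompute the Security posture overview (Sections 3-5) and the risk-
prioritized recommendation order from constructed data. Added example, not
MDC's own code; record shapes and status names are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

RISK_LEVELS = ["Critical", "High", "Medium", "Low"]


@dataclass
class Environment:
    name: str
    cloud: str                   # "Azure", "AWS" or "GCP"
    current: Optional[float]     # secure score points achieved; None means N/A
    max_points: Optional[float]
    attack_paths: int = 0


@dataclass
class Recommendation:
    title: str
    resource: str
    risk: str                    # one of RISK_LEVELS
    on_attack_path: bool = False
    owner: Optional[str] = None  # set by a governance rule (assumed shape)
    due: Optional[date] = None
    completed: bool = False


def score_percentage(env):
    """Secure score per environment: achieved points over the maximum.
    None for an environment with nothing to score (the portal shows N/A)."""
    if env.current is None or not env.max_points:
        return None
    return round(100 * env.current / env.max_points, 1)


def total_avg_secure_score(envs):
    """Section 3: SUM(scores) / count of scored environments. N/A environments
    (like the empty AWS connector in the post) are excluded from both."""
    scored = [p for p in map(score_percentage, envs) if p is not None]
    return round(sum(scored) / len(scored), 1) if scored else None


def prioritize(recs):
    """Risk prioritization: highest risk level first; within a level, the
    recommendations that sit on an attack path come before the rest."""
    return sorted(recs, key=lambda r: (RISK_LEVELS.index(r.risk), not r.on_attack_path))


def environment_risk(envs, recs):
    """Section 4: critical recommendations and attack paths lifted to the top,
    the remaining recommendations tallied by risk level."""
    by_risk = {level: sum(1 for r in recs if r.risk == level) for level in RISK_LEVELS}
    return {"critical_recommendations": by_risk["Critical"],
            "attack_paths": sum(e.attack_paths for e in envs),
            "by_risk": by_risk}


def governance_status(recs, today):
    """Section 5: per-owner count of completed, overdue and on-time assignments
    (the bucket names are this example's, not MDC's)."""
    status = {}
    for r in recs:
        if r.owner is None:
            continue                       # not covered by any governance rule
        bucket = status.setdefault(r.owner, {"on_time": 0, "overdue": 0, "completed": 0})
        if r.completed:
            bucket["completed"] += 1
        elif r.due < today:
            bucket["overdue"] += 1
        else:
            bucket["on_time"] += 1
    return status


# Constructed sample: three Azure subscriptions plus an AWS connector with no resources.
SAMPLE_ENVS = [
    Environment("sub-prod", "Azure", 42.0, 60.0, attack_paths=2),
    Environment("sub-test", "Azure", 30.0, 60.0),
    Environment("sub-dev", "Azure", 18.0, 60.0, attack_paths=1),
    Environment("aws-empty", "AWS", None, None),
]
# Constructed recommendations; titles and resource names are illustrative only.
SAMPLE_RECS = [
    Recommendation("Storage accounts should restrict network access", "sub-dev/stdev01", "High", on_attack_path=True, owner="bob", due=date(2024, 7, 30)),
    Recommendation("Management ports should be closed on virtual machines", "sub-prod/vm-web", "Critical", on_attack_path=True, owner="alice", due=date(2024, 6, 1)),
    Recommendation("Secure transfer to storage accounts should be enabled", "sub-test/sttest01", "Medium", owner="bob", due=date(2024, 6, 10), completed=True),
    Recommendation("Diagnostic logs should be enabled", "sub-dev/kv-dev", "Low"),
    Recommendation("Subscriptions should have a contact email address", "sub-prod", "Critical"),
]
SAMPLE_TODAY = date(2024, 6, 22)   # constructed "today" for the governance view

if __name__ == "__main__":
    print("Total AVG secure score:", total_avg_secure_score(SAMPLE_ENVS))
    print("Environment risk:", environment_risk(SAMPLE_ENVS, SAMPLE_RECS))
    for r in prioritize(SAMPLE_RECS):
        print(f"{r.risk:8} {'attack path' if r.on_attack_path else '':11} {r.title}")
    print("Governance:", governance_status(SAMPLE_RECS, SAMPLE_TODAY))
```

With the sample data the three Azure subscriptions score 70, 50 and 30 percent, so the Total AVG is 50.0 while the empty AWS connector is left out of the sum and the count, exactly as the overview does; the two Critical recommendations and three attack paths are what Section 4 would lift to the top.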
### Microsoft Cloud Security Benchmark

When you onboard subscriptions and accounts to MDC, the Microsoft cloud security benchmark automatically starts to assess resources in scope. This benchmark builds on the cloud security principles defined by the Azure Security Benchmark and applies these principles with detailed technical implementation guidance for Azure, for other cloud providers (such as AWS and GCP), and for other Microsoft clouds.

I'll write more about MCSB in a future post.

### Investigating risks with security explorer/attack paths

#### Cloud Security Explorer

I wrote a post about Cloud Security Explorer when it came to public preview in January 2023. You can read it if you want to; the feature has developed since then.

The cloud security graph is a graph-based context engine that exists within MDC. It collects data from your multicloud environment and other data sources: for example, the cloud asset inventory, connections and lateral movement possibilities between resources, exposure to the internet, permissions, network connections, vulnerabilities and more. The data collected is then used to build a graph representing your multicloud environment. MDC then uses the generated graph to perform attack path analysis and find the issues with the highest risk that exist within your environment. You can also query the graph using the cloud security explorer.

You can create the query you want to search with, or you can use templates.

Self-made query:

Example of query templates:

I'll write more about Cloud Security Explorer in a future post.

#### Attack path analysis

Attack path analysis is a graph-based algorithm that scans the cloud security graph. The scans expose exploitable paths that attackers might use to breach your environment and reach your high-impact assets.
Attack path analysis exposes attack paths and suggests recommendations as to how best to remediate the issues that will break the attack path and prevent a successful breach. When you take your environment's contextual information into account (for example its exposure to the internet, permissions, lateral movement, and more), attack path analysis identifies issues that might lead to a breach of your environment, and helps you to remediate the highest risk ones first.

I'll write more about Attack path analysis in a future post.

### External attack surface management in Defender for Cloud

MDC has the capability to perform external attack surface management (EASM), i.e. outside-in scans, on multicloud environments. MDC accomplishes this through its integration with Microsoft Defender EASM. NOTE: You need to have EASM implemented to make this work.

Defender EASM applies Microsoft's crawling technology to discover assets that are related to your known online infrastructure, and actively scans these assets to discover new connections over time. Attack Surface Insights are generated by applying vulnerability and infrastructure data to showcase the key areas of concern for your organization, such as:

- Discover digital assets, always-on inventory.
- Analyze and prioritize risks and threats.
- Pinpoint attacker-exposed weaknesses, anywhere and on-demand.
- Gain visibility into third-party attack surfaces.

The Defender EASM integration provides the following capabilities within the MDC portal:

- Discovery of all the internet-facing cloud resources through the use of an outside-in scan.
- Attack path analysis which finds all exploitable paths starting from internet-exposed IPs.
- Custom queries that correlate all internet-exposed IPs with the rest of the MDC data in the cloud security explorer.

To leverage the EASM integration in MDC you need to first set up Defender EASM.

### Critical assets protection

MDC now has a business criticality concept added to its security posture management capabilities.
This feature helps you to identify and protect your most important assets. It uses the critical assets engine created by Microsoft Security Exposure Management (MSEM). You can define critical asset rules in MSEM, and MDC can then use them in scenarios such as risk prioritization, attack path analysis, and cloud security explorer. MSEM is found in the Microsoft Defender portal (security.microsoft.com).

The setup is done in the Defender portal, but you can access it also through MDC via Environment Settings:

The actual setup is done in the Defender portal:

I'll write more about Critical Asset management in a future post.

### Permissions management (CIEM)

MDC's integration with Microsoft Entra Permissions Management provides a Cloud Infrastructure Entitlement Management (CIEM) security model that helps organizations manage and control user access and entitlements in their cloud infrastructure. CIEM is a critical component of the Cloud Native Application Protection Platform (CNAPP) solution that provides visibility into who or what has access to specific resources. CIEM ensures that access rights adhere to the principle of least privilege (PoLP), where users or workload identities, such as apps and services, receive only the minimum levels of access necessary to perform their tasks. CIEM also helps organizations to monitor and manage permissions across multiple cloud environments, including Azure, AWS, and GCP.

Integrating Permissions Management with Defender for Cloud (CNAPP) strengthens cloud security by preventing security breaches caused by excessive permissions or misconfigurations. Permissions Management continuously monitors and manages cloud entitlements, helping to discover attack surfaces, detect threats, right-size access permissions, and maintain compliance.
This integration enhances the capabilities of Defender for Cloud in securing cloud-native applications and protecting sensitive data. The integration feature comes as part of the Defender CSPM plan and doesn't require a Permissions Management license. To learn more about other capabilities that you can receive from Permissions Management, refer to the feature matrix.

Source: MS Learn

### Agentless machine scanning

Agentless scanning for virtual machines (VMs) in Azure, AWS and GCP provides:

- Broad, frictionless visibility into your software inventory using Microsoft Defender Vulnerability Management.
- Deep analysis of operating system configuration and other machine metadata.
- Vulnerability assessment using Defender Vulnerability Management.
- Secret scanning to locate plain text secrets in your compute environment.
- Threat detection with agentless malware scanning, using Microsoft Defender Antivirus.

Agentless scanning assists you in identifying actionable posture issues without the need for installed agents, network connectivity, or any effect on machine performance. Agentless scanning is available through both the Defender Cloud Security Posture Management (CSPM) plan and the Defender for Servers P2 plan.

Source: MS Learn

### Secrets protection

MDC provides secrets scanning for virtual machines and for cloud deployments, to reduce lateral movement risk.

- Virtual machines (VMs): Agentless secrets scanning on multicloud VMs.
- Cloud deployments: Agentless secrets scanning across multicloud infrastructure-as-code deployment resources.
- Azure DevOps: Scanning to discover exposed secrets in Azure DevOps.

MDC discovers the types of secrets summarized in the table.

Here's Microsoft Defender for Cloud's aka MDC's Security posture described in short. Let's go to the next part soon!
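The secret scanning mentioned under Agentless machine scanning and Secrets protection works by reading files from a disk snapshot and matching them against known plain-text secret formats. As an added example that is not MDC's scanner and not code from this post, here is a minimal Python finder run over constructed file contents; the secret types, regular expressions, file paths and values are illustrative assumptions, and every finding is redacted so the report itself never repeats a secret.

```python
"""Minimal plain-text secret finder over file contents, added as an example of
the kind of check agentless secrets scanning performs on a VM disk snapshot.
Not MDC's scanner: the secret types, patterns and sample files are constructed."""
import re
from dataclasses import dataclass

# Public, well-known secret formats. Each pattern captures the secret value in
# group 1 when there is a value to redact; the private-key header has none.
PATTERNS = {
    "azure-storage-account-key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password-assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^'\"\s]{8,})"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    secret_type: str
    redacted: str     # evidence for the report; never the full secret


def redact(value):
    """Keep the first and last four characters so the owner can recognise the
    value without the report itself becoming a leak."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(path, text):
    """Return one Finding per (line, secret type) match in the given contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for secret_type, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                shown = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, lineno, secret_type, redact(shown)))
    return findings


def scan_files(files):
    """files maps path -> contents, standing in for files read from a mounted
    disk snapshot; nothing runs on the machine itself."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample files; the key and password values are made up.
SAMPLE_FILES = {
    "/opt/app/appsettings.json": (
        '{\n  "Storage": "DefaultEndpointsProtocol=https;AccountName=demo;'
        'AccountKey=' + "A" * 86 + '==;EndpointSuffix=core.windows.net"\n}\n'
    ),
    "/home/deploy/.aws/credentials": (
        "[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE12\n"
        "aws_secret_access_key = not-a-real-value-in-this-sample\n"
    ),
    "/etc/app/db.conf": "db_host=10.0.0.5\ndb_password=SuperSecret123!\n",
    "/root/.ssh/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder body)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "/var/log/app.log": "2024-06-22 10:00:01 INFO application started\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}  {f.secret_type}  {f.redacted}")
```

On the sample files the scan reports four findings (a storage account key, an AWS access key ID, a password assignment and a private key header) and nothing for the log file. A production scanner adds many more formats and entropy checks, but the shape is the same: match on the snapshot, report the location and type, and hand the owner a redacted hint rather than the secret.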
## The parts of the MDC blog series

- Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
- Part 1: Getting started
- Part 2: The Asset Inventory
- Part 3: Security posture (this post)
- Part 4: Security recommendations
- Part 5: Security alerts
- Part 6: Attack path analysis
- Part 7: Cloud security explorer
- Part 8: Workbooks
- Part 9: Regulatory compliance
- Part 10: Workload protections
- Part 11: Data security
- Part 12: Firewall manager
- Part 13: DevOps security
- Part 14: Environment settings
- Part 14A: Defender Plans
- Part 14B: Security Policies
- Part 14C: Email notifications
- Part 14D: Workflow automation
- Part 14E: Continuous Export
- Part 15: Security solutions
- Part 16: Community

Jussi Metso: the author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.