August 24, 2024 / August 26, 2024

Defender for Cloud – Part 4: Security Recommendations

My Azure Security career started with Security recommendations. Five years ago it was almost the only way to see what you needed to do to find and mitigate misconfigurations and that way enhance the security score in Defender for Cloud (of course, the Inventory and the regulatory compliance views also showed something). In those days I usually asked someone to download this report from the customer's Azure, since I didn't have user accounts, and then sorted it out and made a roadmap for mitigating the findings. After that we had a meeting with the potential customer and I usually got the job. And the rest is history. So let's start with Security Recommendations.

Overview of Security Recommendations

Microsoft Defender for Cloud's (MDC) resources and workloads are assessed against the built-in and custom security standards enabled in your Azure subscriptions, AWS accounts, and GCP projects. Based on those assessments, security recommendations provide practical steps to remediate security issues and improve your security posture.

The features available in the Security recommendations pane depend on which CSPM plan you use. Security recommendations are included by default with the free Foundational CSPM plan, but in that case some results may be blurred (for example risk prioritization). If you want all of it, you need the Defender CSPM plan.

The screenshot gives an overview of Security recommendations with the Defender CSPM plan enabled; I'll open these selections below.

Sections

1 - Reports & guides

Download CSV report
As the link says, you can download the selected Security recommendations as a CSV report. The report contains more columns than shown here; these are just a few to demonstrate.

Open query
The Open query link opens Azure Resource Graph Explorer, where you can use pre-made templates to query Security recommendations or write your own queries.
The query language is KQL (Kusto Query Language).

Governance report
The Governance report shows Security recommendations tracked by scope, display name, priority, remediation timeframe, owner type, owner details, grace period and selected cloud (Azure, AWS, GCP). If you want to define governance rules, go to Environment settings and select the Governance rules box. In a rule set you assign an owner and a due date for Security recommendations on specific resources. This gives resource owners a clear set of tasks and deadlines for remediating Security recommendations.

Guides & feedback
Guides & feedback only opens a side panel on the right where you can read about remediation by risk, with a link to Microsoft Learn. You can also give feedback to the Azure development team on how this feature works.

Switch to classic view
As the title says, it's still possible to use the classic view of Security recommendations, but I won't elaborate on it in this blog.

2 - Scopes

You can scope which connections are shown in the Security recommendations results. Those are:
- Azure subscriptions
- AWS accounts
- GCP projects
- GitHub connections
- Azure DevOps connections
- GitLab connections

3 - Plans

Defender CSPM
If the Defender CSPM plan is enabled in Environment settings, Defender for Cloud performs a risk assessment of your security issues: the engine identifies the most significant security risks and distinguishes them from less risky issues. The recommendations are then sorted by risk level, so you can first address the security issues that pose immediate threats with the greatest potential of being exploited in your environment. Other metrics are attack paths and overdue recommendations. Attack paths are the routes attackers could use to breach your environment; the view also highlights the security recommendations that need to be resolved to mitigate these risks. This approach helps you focus on urgent security concerns and makes remediation efforts more efficient and effective.
Although risk prioritization doesn't affect the secure score, it helps you address the most critical security issues in your environment. Overdue recommendations are recommendations that have governance rules defined and whose remediation time has ended because the assigned owner has not done their duties.

Foundational CSPM
Foundational CSPM includes core posture management capabilities covering multi-cloud and hybrid environments with continuous assessments, security recommendations, and a unified Secure Score. Foundational CSPM is enabled by default and is a free plan.

4 - Search & Filters

Search
You can type what you would like to find into the Search box.

Status
The Status filter includes:
- All
- Unassigned
- Overdue
- Completed

Risk factors
Risk factors include:
- All
- (Blank)
- Critical Resource
- Exposure to the Internet
- Lateral Movement
- Vulnerabilities

Risk level
Risk level includes:
- All
- Not evaluated
- Low
- Medium
- High
- Critical

Recommendation maturity
Recommendation maturity includes:
- All
- GA
- Preview

Other filters
The following filters are also available: Subscription, AWS account, GCP project, Environment, Resource group, Resource type, Owner, Initiative, Tactics, Recommendation type, Tags and Resource name.

5 - Results

Recommendation results are based on what you choose above. In my case the default columns are Title, Affected resource, Risk level, Risk factors, Attack paths, Owner, Status and Insights. If you click the title you can drill into the chosen recommendation, but that's a totally different story. The screenshot shows an example of recommendation details.

So that was the overview of Defender for Cloud's Security recommendations. I hope you got some useful information. This is a very useful and quick tool.
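As an added example of what you can run from the Open query link in section 1 (this is not a query from the original post or one of Microsoft's pre-made templates), the following KQL query for Azure Resource Graph Explorer lists the recommendations that are currently unhealthy and counts the affected resources per recommendation and severity. It assumes the published schema of the securityresources table for the microsoft.security/assessments type (properties.status.code, properties.displayName, properties.metadata.severity and properties.resourceDetails.Id); the severityRank column is a constructed helper so that High sorts before Medium and Low.

```kql
// Added example: unhealthy Defender for Cloud recommendations, grouped by
// recommendation title and severity, across every subscription you can read.
// Assumes the microsoft.security/assessments schema of the securityresources table.
securityresources
| where type == "microsoft.security/assessments"
| extend statusCode = tostring(properties.status.code)
| where statusCode == "Unhealthy"
| extend recommendation   = tostring(properties.displayName),
         severity         = tostring(properties.metadata.severity),
         affectedResource = tolower(tostring(properties.resourceDetails.Id)),
         // the assessment key is the last path segment of the assessment id
         assessmentKey    = extract(@"(?i)assessments/([^/]+)$", 1, id)
// constructed ranking so the most severe findings come first
| extend severityRank = case(severity == "High", 0,
                             severity == "Medium", 1,
                             2)
| summarize affectedResources = dcount(affectedResource),
            exampleResource   = take_any(affectedResource)
    by subscriptionId, recommendation, severity, severityRank, assessmentKey
| order by severityRank asc, affectedResources desc
| project subscriptionId, recommendation, severity, affectedResources,
          exampleResource, assessmentKey
```

Paste the query into Azure Resource Graph Explorer (or run it with `az graph query -q` from the Azure CLI); the result gives you the same findings as the Security recommendations page, but in a shape you can schedule, diff between runs, or hand to a resource owner as the backlog that a governance rule would otherwise assign.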
The parts of the MDC blog series

View all the parts of the MDC blog series:
- Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
- Part 1: Getting started
- Part 2: The Asset Inventory
- Part 3: Security posture
- Part 4: Security recommendations (this post)
- Part 5: Security alerts
- Part 6: Attack path analysis
- Part 7: Cloud security explorer
- Part 8: Workbooks
- Part 9: Regulatory compliance
- Part 10: Workload protections
- Part 11: Data security
- Part 12: Firewall manager
- Part 13: DevOps security
- Part 14: Environment settings
- Part 14A: Defender Plans
- Part 14B: Security Policies
- Part 14C: Email notifications
- Part 14D: Workflow automation
- Part 14E: Continuous Export
- Part 15: Security solutions
- Part 16: Community