# Defender for Cloud – Part 10: Cloud Workload Protection (CWP) Overview

April 24, 2025

Workload Protection in Microsoft Defender for Cloud refers to cloud-native security posture management (CSPM) and threat protection for workloads running in Azure, hybrid, and multi-cloud environments (including AWS, GCP, GitHub, Azure DevOps and others). It helps protect cloud resources such as virtual machines, containers, databases, and applications from security threats, vulnerabilities, and misconfigurations. (Source: MS Learn)

I decided to split this topic into two posts, since writing only one would have been too long and no one would have had the interest to read it. TL;DR.

## Main view

The main view of Workload protection looks like this.

(Image: the Workload protections main view.)

Numbers 1 and 2 are combined. Section number 1 tells what percentage of resources is covered by some Defender plan. In my case all resources are covered. Section number 2 shows the resource types, and how many of each, that are covered by a certain Defender plan. Under the resource type name there is the word "Upgrade". In my case it is greyed out because all resources are covered; if it were black, that resource type would be missing protection and could be upgraded with the plan.

Number 3 shows the number of security alerts within Defender for Cloud, with three severities (High, Medium, Low), in the last 30 days. Number 4 shows the options for Advanced protection, and number 5 shows other insights, for example the most prevalent security alerts.

I'm not sure why many customers are not using Defender plans. OK, plans cost money, but they also show how healthy the environment is and give an opportunity to do something before the security risk materializes. And those couple of hundred euros/dollars are a small fraction of what a possible security attack or breach would cost. And yes, I always think of the worst-case scenario, but I have seen the results.
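The coverage gauge and the "Upgrade" link above can also be checked from the command line. The script below is an added example, not code from the original post: it reads the JSON shape returned by `az security pricing list -o json` (assumed to carry `name` and `pricingTier` per plan; the sample here is constructed), reports the share of plans on the Standard tier, and prints the `az security pricing create` command for each plan still on the Free tier.

```python
"""Report Defender plan coverage for a subscription and emit the CLI
commands that would upgrade any plan still on the Free tier.

The input mirrors the JSON that `az security pricing list -o json` returns
(assumption: each entry carries "name" and "pricingTier" at the top level).
The sample below is constructed, not captured from a real subscription."""
import json

# Constructed sample: three plans on Standard, two still on the Free tier.
SAMPLE_PRICING_JSON = json.dumps({"value": [
    {"name": "VirtualMachines", "pricingTier": "Standard"},
    {"name": "SqlServerVirtualMachines", "pricingTier": "Standard"},
    {"name": "SqlServers", "pricingTier": "Free"},
    {"name": "AppServices", "pricingTier": "Standard"},
    {"name": "StorageAccounts", "pricingTier": "Free"},
]})


def plan_tiers(pricing_json: str) -> dict:
    """Map plan name -> pricing tier from the `az security pricing list` output."""
    data = json.loads(pricing_json)
    return {p["name"]: p["pricingTier"] for p in data["value"]}


def coverage_percent(tiers: dict) -> float:
    """Share of listed plans on the paid (Standard) tier; the portal gauge
    counts resources rather than plans, this is the per-plan equivalent."""
    if not tiers:
        return 0.0
    covered = sum(1 for tier in tiers.values() if tier == "Standard")
    return round(100.0 * covered / len(tiers), 1)


def upgrade_commands(tiers: dict, subscription: str) -> list:
    """One `az security pricing create` command per plan still on the Free tier,
    the CLI equivalent of pressing the portal's "Upgrade" link."""
    return [
        f"az security pricing create --name {name} --tier Standard "
        f"--subscription {subscription}"
        for name, tier in sorted(tiers.items()) if tier != "Standard"
    ]


if __name__ == "__main__":
    tiers = plan_tiers(SAMPLE_PRICING_JSON)
    print(f"Defender plan coverage: {coverage_percent(tiers)}%")
    for cmd in upgrade_commands(tiers, "<subscription-id>"):
        print(cmd)
```

Replace the constructed sample with the real CLI output (`az security pricing list -o json`) to get the upgrade commands for your own subscription.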
## Defender for Cloud (plan) coverage

I will introduce some of the Defender plans here, together with their functionalities.

## SQL Servers on machines

Microsoft Defender for Cloud's Defender for Databases plan provides protection for SQL servers on machines. Defender for SQL servers on machines protects SQL servers hosted on Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises machines. It helps you identify and mitigate potential database vulnerabilities and detect anomalous activities that could indicate threats to your databases.

SQL Servers on machines is part of the Databases plan. First you need to enable the Databases plan, then select the needed option and press Continue.

Next, in Monitoring coverage settings, you need to enable the "Azure Monitoring Agent for SQL servers on machines" option and press the "Edit configuration" button, where you select a proper Log Analytics workspace for the AMA (Azure Monitoring Agent) requirements. You also choose whether to register Azure SQL Server instances by enabling SQL IaaS extension automatic registration.

## Azure SQL database servers

The Azure SQL Databases plan within Defender for Databases helps you discover and mitigate potential database vulnerabilities.
It alerts you to anomalous activities that might indicate a threat to your databases. Azure SQL Databases uses Advanced Threat Protection to continuously monitor your SQL servers for threats like:

- Potential SQL injection attacks: for example, vulnerabilities detected when applications generate a faulty SQL statement in the database.
- Anomalous database access and query patterns: for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attack).
- Suspicious database activity: for example, a legitimate user accessing a SQL server from a breached computer that communicated with a crypto-mining command and control (C&C) server.

Azure SQL Databases provides action-oriented security alerts, which can be forwarded to your cloud SIEM, for example Microsoft Sentinel.

There are also SQL vulnerability assessments available. SQL vulnerability assessment provides visibility into your security state. It includes actionable steps to resolve security issues and enhance your database security. It helps you monitor a dynamic database environment where changes are difficult to track, and improve your SQL security posture.

## App Service

Azure App Service is a fully managed platform for building and hosting your web apps and APIs. Since the platform is fully managed, you don't have to worry about the infrastructure. It provides management, monitoring, and operational insights to meet enterprise-grade performance, security, and compliance requirements.

(Image: Defender for Cloud recommendations for App Service.)

It provides services like:

- Secure – Defender for App Service assesses the resources covered by your App Service plan and generates security recommendations based on its findings.
To harden your App Service resources, use the detailed instructions in these recommendations.
- Detect – Defender for App Service detects a multitude of threats to your App Service resources by monitoring:
  - the Virtual Machine (VM) instance in which your App Service is running, and its management interface
  - the requests and responses sent to and from your App Service apps
  - the underlying sandboxes and VMs
  - App Service internal logs – available thanks to the visibility that Azure has as a cloud provider

App Service with the Defender plan also detects threats mapped to MITRE ATT&CK tactics:

- Pre-attack threats – Defender for Cloud can detect the execution of multiple types of vulnerability scanners that attackers frequently use to probe applications for weaknesses.
- Initial access threats – Microsoft Defender Threat Intelligence powers these alerts, which include triggering an alert when a known malicious IP address connects to your Azure App Service FTP interface.
- Execution threats – Defender for Cloud can detect attempts to run high-privilege commands, Linux commands on a Windows App Service, fileless attack behavior, digital currency mining tools, and many other suspicious and malicious code execution activities.

It also covers dangling DNS and subdomain takeover. When you remove a website and don't remove its custom domain from your DNS registrar, the DNS entry points to a nonexistent resource, and your subdomain is vulnerable to a takeover. Defender for Cloud doesn't scan your DNS registrar for existing dangling DNS entries; it alerts you when an App Service website is decommissioned and its custom domain (DNS entry) isn't deleted. (Source: MS Learn)

Subdomain takeovers are a common, high-severity threat for organizations. When a threat actor detects a dangling DNS entry, they create their own site at the destination address. The traffic intended for the organization's domain is then directed to the threat actor's site, and they can use that traffic for a wide range of malicious activity.
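Because Defender for Cloud alerts only when a site is decommissioned and does not scan the DNS zone itself, a complementary zone-side check is useful. The following is an added example, not code from the original post: it parses a constructed BIND-style zone export, keeps the CNAME records that point at `*.azurewebsites.net`, and flags those whose target is not in an inventory of active App Service default hostnames (in practice that inventory would come from `az webapp list`, assumed here to expose `defaultHostName`).

```python
"""Find custom-domain CNAME records that still point at an App Service host
that no longer exists (a dangling DNS entry, the precondition for subdomain
takeover). Defender for Cloud alerts when a site is decommissioned with its
custom domain left in place; this check instead starts from the DNS zone,
which Defender does not scan. All inputs below are constructed samples.
In practice the active hosts would come from `az webapp list`
(assumption: "[].defaultHostName" yields the *.azurewebsites.net names)."""

# Constructed zone export in BIND-style "name TTL IN CNAME target" form.
SAMPLE_ZONE = """\
www     3600 IN CNAME contoso-prod.azurewebsites.net.
shop    3600 IN CNAME contoso-shop.azurewebsites.net.
legacy  3600 IN CNAME contoso-old-portal.azurewebsites.net.
blog    3600 IN CNAME contoso.example.blog.
mail    3600 IN MX    10 mail.contoso.example.
"""

# Constructed inventory of App Service default hostnames still deployed.
ACTIVE_APP_HOSTS = {"contoso-prod.azurewebsites.net", "contoso-shop.azurewebsites.net"}

# Azure suffix whose released hostnames can be re-registered by anyone.
APP_SERVICE_SUFFIXES = (".azurewebsites.net",)


def parse_cnames(zone_text: str) -> dict:
    """Map record name -> CNAME target (lower-cased, trailing dot stripped)."""
    cnames = {}
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[3].upper() == "CNAME":
            cnames[parts[0].lower()] = parts[4].lower().rstrip(".")
    return cnames


def dangling_app_service_cnames(zone_text: str, active_hosts: set) -> list:
    """Return (record, target) pairs that point at an App Service host
    which is not in the inventory of active apps."""
    active = {h.lower().rstrip(".") for h in active_hosts}
    findings = []
    for name, target in sorted(parse_cnames(zone_text).items()):
        if target.endswith(APP_SERVICE_SUFFIXES) and target not in active:
            findings.append((name, target))
    return findings


if __name__ == "__main__":
    for record, target in dangling_app_service_cnames(SAMPLE_ZONE, ACTIVE_APP_HOSTS):
        print(f"dangling: {record} -> {target} (remove the CNAME or redeploy the app)")
```

Run it on a real zone export and the output of `az webapp list` to catch entries left behind by decommissioned sites before they are reported (or missed) by the Defender alert.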
(Source: MS Learn)

(Image: Subdomain takeover. Source: MS Learn.)

## Containers

Protection for the different container assets is in public preview at the moment. Those assets are Kubernetes clusters, nodes, workloads, registries, images, and applications across multicloud and on-premises environments.

In the main view you see the number of security findings and their classes:

- Alerts
- Vulnerabilities
- Misconfigurations
- Compliance issues

If you toggle those tabs, you can see the matching components. Protection for Containers is set at the subscription level. More information about container protection in Defender for Cloud is available on MS Learn.

(Image: Container protection through Defender for Cloud.)

## Key Vault

Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts. This layer of protection helps you address threats even if you're not a security expert, and without the need to manage third-party security monitoring systems. When anomalous activities occur, Defender for Key Vault shows alerts, and optionally sends them via email to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

Defender for Key Vault shows recommendations and alerts. It is enabled at the subscription level. The full alert list is available in the Microsoft Learn alerts reference.

(Image: Key Vault protection in Defender for Cloud.)

## Storage

Defender for Storage prevents malicious file uploads, sensitive data exfiltration, and data corruption, ensuring the security and integrity of your data and workloads. (Source: MS Learn)

It provides comprehensive security by analyzing the data plane and control plane telemetry generated by Azure Blob Storage, Azure Files, and Azure Data Lake Storage services.
It uses advanced threat detection capabilities powered by Microsoft Defender Threat Intelligence, Microsoft Defender Antivirus, and sensitive data discovery to help you identify and mitigate potential threats. (Source: MS Learn)

In short, it provides:

- Activity monitoring
- Sensitive data threat detection
- Malware scanning

(Image: Defender for Storage.)

## Servers

The Defender for Servers plan in Microsoft Defender for Cloud reduces security risk and exposure for machines in your organization. It provides recommendations to improve and remediate security posture. Defender for Servers also protects machines against real-time security threats and attacks. (Source: MS Learn)

Defender for Servers offers two plans:

- Defender for Servers Plan 1 is entry-level and focuses on the EDR capabilities provided by the Defender for Endpoint integration.
- Defender for Servers Plan 2 provides the same features as Plan 1 plus other capabilities, for example vulnerability management.

In most cases server alerts are forwarded to Microsoft Sentinel, which is a SIEM (Security Information and Event Management) solution. Read more on MS Learn.

(Image: Sample of Defender for Servers.)

## Resource Manager subscriptions

Microsoft Defender for Resource Manager protects against issues including:

- Suspicious resource management operations, such as operations from malicious IP addresses, disabling antimalware, and suspicious scripts running in VM extensions
- Use of exploitation toolkits like MicroBurst or PowerZure
- Lateral movement from the Azure management layer to the Azure resources data plane

It automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. The alerts from Resource Manager are listed in the Microsoft Learn alerts reference.

(Image: Defender for Resource Manager.)

## Security alerts

The Security alerts section shows alerts. When Defender for Cloud detects a threat in any area of your environment, it generates an alert.
These alerts describe details of the affected resources, suggested remediation steps, and in some cases an option to trigger a logic app in response. Selecting anywhere in this graph opens the Security alerts page. The Security alerts graph shows the number of high / medium / low alerts in the last 30 days.

(Image: Last 30 days of security alerts.)

I will end this post here and continue in the next post with CWP Advanced protection.

## The parts of the MDC blog series

- Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
- Part 1: Getting started aka Setup
- Part 2: The Asset Inventory
- Part 3: Security posture
- Part 4: Security recommendations
- Part 5: Security alerts
- Part 6: Attack path analysis
- Part 7: Cloud security explorer
- Part 8: Workbooks
- Part 9: Regulatory compliance
- Part 10: Workload protections
- Part 11: Data and AI security
- Part 12: Environment settings & Defender plans

Jussi Metso (author) is a lifelong IT enthusiast, Microsoft Security MVP, and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.