May 10, 2025

Defender for Cloud – Part 10.5: CWP Advanced protection

Advanced protection

Defender for Cloud includes many advanced threat protection capabilities for virtual machines, SQL databases, containers, web applications, your network, and more. In this advanced protection section you can see the status of the resources in your selected subscriptions for each of these protections. Select any of them to go directly to the configuration area for that protection type.

VM vulnerability assessment

VM vulnerability assessment opens the recommendation "Machines should have a vulnerability assessment solution", which regularly checks your connected machines to ensure they are running vulnerability assessment tools. The easiest way to implement the assessment on a virtual machine is to use the Quick fix function on the solution page. A sample vulnerability assessment looks like this (first image below), with the details in the second image.

(Image: Security checks from VM assessment)
(Image: Details of a security issue)

Pre-reqs for VM vulnerability assessment

- Agentless vulnerability scanning. Defender for Cloud provides agentless vulnerability scanning as part of its agentless scanning capabilities. Agentless scanning is available in Defender for Servers Plan 2 only.
- Agent-based vulnerability scanning. The Defender for Endpoint integration in Defender for Servers provides vulnerability scanning using the Defender for Endpoint sensor. This integration is available in Defender for Servers Plan 1 and Plan 2.
- Defender for Servers Plan 2 includes Defender Vulnerability Management premium add-on capabilities that provide consolidated inventories, new assessments, and mitigation tools to further enhance your vulnerability management program. Learn more about premium capabilities.

NOTE: Instead of using the integrated Defender Vulnerability Management scanning, you can use your own privately licensed BYOL vulnerability scanner. Qualys and Rapid7 scanners are supported.
Link to start

Defender for Servers vulnerability assessment starts here.

Just-in-time VM access

MDC's Defender for Servers Plan 2 offers the just-in-time machine access feature. Just-in-time protects your resources from threat actors actively hunting for machines with open management ports, such as Remote Desktop Protocol (RDP) or Secure Shell (SSH). All machines are potential targets for attacks. Once compromised, a machine can serve as an entry point for further (lateral movement) attacks on resources in the environment. This feature locks down inbound traffic to your virtual machines (VMs), reducing exposure to attacks while ensuring easy access ONLY when needed.

(Image: Just-in-time function)

There are three dots in the VM line. Pressing them opens the list of functions:
- Properties takes you to the VM overview page
- Activity log opens the VM activity log
- Edit opens the rule page where you can also add new rules
- Remove deletes the pre-made configuration

Now if you click the checkbox in front of the VM (1), the Request access (2) button is enabled, and when you click it you can request access to the network ports you need.

(Image: Request access)

In this example there is a Windows laptop which I need to access with RDP 3389. I can toggle it on and then the Open ports button is enabled. You can set as source IP: My IP or an IP range, and the time for the access. The maximum time is three (3) hours. You can also write a justification for the request, but it is optional.

(Image: JIT access granted)

Now if you look at the network settings for that VM:

(Image: VM network settings after JIT)

That's about it. I mentioned the Edit function above. Here is a picture of it. Press +Add if you want to add a JIT access configuration for the VM. Note: in this function you can set the parameters more freely, for example the maximum access time.

(Image: Add JIT access configuration)
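The same JIT flow done with the Az.Security PowerShell module instead of the portal, as an added example that is not from the original post: the first part creates a JIT policy that only allows RDP 3389 to be requested and caps requests at the three-hour maximum mentioned above, the second requests a one-hour window from a single source IP, and the third reads the policy back. Subscription ID, resource group, VM name, location and the source IP are placeholders you replace with your own values.

```powershell
# Added example: JIT policy for RDP 3389 with Set-/Start-/Get-AzJitNetworkAccessPolicy (Az.Security).
# Placeholders: SUBSCRIPTIONID, RESOURCEGROUP, VMNAME, LOCATION, MYPUBLICIP.
$vmId = "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Compute/virtualMachines/VMNAME"

# 1. Configure the policy: only 3389 is eligible and a request may last at most 3 hours (PT3H),
#    the same maximum the portal shows. The NSG keeps 3389 closed until a request is approved;
#    the policy only defines what may be opened and for how long.
$policy = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            protocol                   = "*"
            allowedSourceAddressPrefix = @("*")   # widest allowed; each request narrows this
            maxRequestAccessDuration   = "PT3H"
        }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location "LOCATION" -Name "default" `
    -ResourceGroupName "RESOURCEGROUP" -VirtualMachine @($policy)

# 2. Request access: the "Request access" button equivalent, limited to one source IP and a
#    one-hour window. endTimeUtc must stay within maxRequestAccessDuration or the request is rejected.
$endTime = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$request = @{
    id    = $vmId
    ports = @(
        @{
            number                     = 3389
            endTimeUtc                 = $endTime
            allowedSourceAddressPrefix = @("MYPUBLICIP")
        }
    )
}
Start-AzJitNetworkAccessPolicy `
    -ResourceId "/subscriptions/SUBSCRIPTIONID/resourceGroups/RESOURCEGROUP/providers/Microsoft.Security/locations/LOCATION/jitNetworkAccessPolicies/default" `
    -VirtualMachine @($request)

# 3. Read the policy back to confirm the configured ports and the requests currently granted.
Get-AzJitNetworkAccessPolicy -ResourceGroupName "RESOURCEGROUP" -Location "LOCATION" -Name "default"
```

Once the window expires the temporary NSG rule is removed again, which is what the "VM network settings after JIT" screenshot shows from the portal side.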
Pre-reqs for VM JIT

Microsoft Defender for Servers Plan 2 must be enabled on the subscription. More info here.

Link to start

Virtual machines just-in-time documentation starts here.

Container image scanning

Defender for Containers scans the cluster node OS and application software, container images in Azure Container Registry (ACR), Amazon AWS Elastic Container Registry (ECR), Google Artifact Registry (GAR), Google Container Registry (GCR), and supported external image registries to provide agentless vulnerability assessment. (SOURCE: MS Learn)

(Image: Capture from the Azure portal of ACR scanning results)

Pre-reqs for Container image scanning

You need to enable the Defender for Containers plan first. In the case of AWS and GCP resources you first need to enable account connectors for them in Defender for Cloud's Environment settings. After enabling the plan, configure some plan settings.

(Image: Defender for Containers plan)
(Image: Defender for Containers plan - Settings)

Link to start

Defender for Containers in MS Learn starts here.

SQL vulnerability assessment

The SQL Vulnerability Assessment scanner identifies security vulnerabilities in databases. These vulnerabilities include misconfigurations, excessive permissions, and unprotected sensitive data. If these vulnerabilities are not addressed, they could potentially be exploited, leading to unauthorized access or data breaches.

(Image: An example taken from Azure of SQL vulnerability assessment)

You can also Exempt or Disable rules.

If you exempt a recommendation from any scope, it doesn't affect your secure score. The resources' status will change to "not applicable". You need to name the exemption, and you can set an expiration date. You also need to select the exemption category and write a description for it.

If you disable a rule, you can define a rule to disable one or more findings for this recommendation.
Disabled findings won't be counted towards your secure score. You need to select the subscription, then disable findings that match any of the following criteria: the ID parameters (for example VA1234), the severity from none to high, and the benchmark you want to exclude (for example CIS). A justification is optional.

Now when you select a certain security check finding you get the detailed information:
- Description tells what the finding actually means.
- General information tells the ID, the severity of the finding and the status in the database.
- Remediation tells shortly what you can do with the finding.
- Impact tells how the finding can affect the database.

NOTE: The Vulnerability Assessment Reference Guide tells what the different VA values mean.

Pre-reqs for SQL vulnerability assessment

You need to enable the Defender for Databases plan and configure your database to use it.

(Image: Defender for Databases plan)

Link to start

SQL vulnerability assessment in MS Learn.

Arc-enabled SQL Servers

SQL Server enabled by Azure Arc extends Azure services to SQL Server instances hosted outside of Azure: in your data center, in edge site locations like retail stores, or any public cloud or hosting provider. So if you see SQL Servers enabled by Azure Arc in your Defender for Cloud, you can add protection for them. Unfortunately I don't have on-prem servers in my environment.

(Image: A non-existent example of an Azure Arc SQL Server)

Here is an architecture image of SQL Server enabled by Azure Arc. You can download the hi-res image from Azure Jumpstart.

(Image: SQL Server enabled by Azure Arc architecture. SOURCE for the image: MS LEARN)

Pre-reqs for Arc-enabled SQL Servers

First you need to onboard the on-prem SQL servers to Azure, then enable the Defender for Databases plan and make sure that you select the SQL servers on machines option. Then configure the additional settings from Azure Arc.

Link to start

Here is the setup guidance for on-prem SQL servers.
File integrity monitoring

The file integrity monitoring feature in Defender for Servers Plan 2 in Microsoft Defender for Cloud helps to keep enterprise assets and resources secure by scanning and analyzing operating system files, Windows registries, application software, and Linux system files for changes that might indicate an attack. Defender for Cloud recommends entities to monitor with FIM, and you can exclude some of those entities from monitoring.

FIM informs you about suspicious activity such as:
- File and registry key creation or removal
- File modifications (changes in file size, the hash of the content, and the user responsible for the change)
- Registry modifications (changes in size, access control lists, type, and content)

Information about the change includes change source information: account details (who made the changes) and initiating process details.

(Image: FIM example in Defender for Cloud)

Recommended items to monitor

Here is a table of items which are recommended to monitor.

Pre-reqs for FIM

To start using File integrity monitoring you need to enable Defender for Servers Plan 2 and enable the FIM switch from the plan's additional settings.

(Image: FIM switch in Defender for Servers plan additional settings)

When you enable FIM, the portal opens a new blade where you need to configure the settings. First there are some actions to do if your MDE client version is too old. Then there is some common info for using FIM. Then you need to select the Log Analytics workspace, and then there are example files which could be monitored (I'll list some of them here).

(Image: Suggested file & registry monitoring selections)

Link to start

Start using VM JIT with this MS LEARN guidance.

Network map

Network map in Defender for Cloud Advanced protection.

I have really used this. But I think it has a purpose and audience. The interactive network map provides a graphical view with security overlays giving you recommendations and insights for hardening your network resources.
Using the map you can see the network topology of your Azure workloads and the connections between your virtual machines and subnets, and you can drill down from the map into specific resources and the recommendations for those resources. (Source: MS LEARN)

(Image: Network map in advanced workload protection)

If you click the nodes they give you insight about the resource; for example devops-vm gives common information and recommendations.

Pre-reqs for Network map

Network map requires Microsoft Defender for Servers Plan 2.

Link to start

How to use and understand the network map.

IoT security

Microsoft Defender for IoT delivers agentless, network-layer security for continuous IoT/OT asset discovery, vulnerability management, and threat detection in operational and enterprise networks. No changes to existing environments are required. In addition, the solution integrates with Microsoft Sentinel and 3rd-party SOC tools such as Splunk, IBM QRadar, ServiceNow, and others. Defender for IoT has zero impact on network performance and can be deployed fully on-premises or in Azure-connected environments.

Defender for IoT is kind of its own portal inside Azure. So this is not actually part of Defender for Cloud but integrates with it. Here I demonstrate only the Device inventory, because this is a big function and could actually have its own post.

Device inventory

Device inventory shows the sensor assets, and clicking an asset opens its details:

(Image: Defender for IoT - Device inventory)
(Image: Details of the chosen asset)

Then there is the vulnerabilities section, and there is a note which you should really READ!

"Legal Notice – The vulnerability data provided and shown as part of your Microsoft Defender for IoT (MDIoT) services is made available to you in its raw form, "AS IS", and may not be up to date. You bear the risk in using this data.
Microsoft and its third party suppliers disclaim any and all liability for consequential and other indirect damages and implied warranties, including implied warranties of non-infringement, merchantability and fitness for a particular purpose. Vulnerability data may not be used separate from ADIoT."

(Image: Defender for IoT - Resource vulnerabilities)

Pre-req for IoT

Using agentless patented technology, sensors quickly discover and continuously monitor network devices, providing deep visibility into OT/ICS/IoT risks within minutes of being connected. Sensors carry out data collection, analysis and alerting on-site, making them ideal for locations with low bandwidth or high latency. For the setup you need switches installed in your network environment, but here is a short guide with screenshots.

(Image: Register IoT sensors, steps 1 and 2)
(Image: Step 2 in IoT sensor registering)

Link to start

Start here. There is a whole library section available for Defender for IoT in MS Learn.

API protection

Defender for APIs helps you gain visibility into business-critical APIs. You can investigate and improve security posture, prioritize vulnerability fixes, and detect the top OWASP API threats and active real-time threats. Defender for APIs currently provides security for APIs published in Azure API Management. Defender for APIs can be onboarded in the Defender for Cloud portal, or within the API Management instance in the Azure portal. There is also a workbook available for API protection.

(Image: Defender for API main view)
(Image: Defender for API workbook)

Pre-reqs for API protection

You need to enable the APIs plan first. Then there are selections for how many API calls you are using. The plan price is calculated based on the number of API calls per month.

(Image: Defender for API details)

Link to start

An overview of Defender for APIs. Register your protected API.
Insights

Insights provide you with the latest news, suggested reading, and high priority alerts that are relevant in your environment.

Conclusion

This post took a while to write. Workload protection and advanced workload protection is the largest section within Defender for Cloud. There are integrations to many asset security functions and it is basically related to almost all main resources in Azure, at least those which also have something to do with Defender plans. I was planning to make a separate Defender plans post, but I think I won't do that because this post covered almost all of them.

The parts of the MDC blog series
- Part 0: Microsoft Defender for Cloud – The EPIC blog series – introduction
- Part 1: Getting started aka Setup
- Part 2: The Asset Inventory
- Part 3: Security posture
- Part 4: Security recommendations
- Part 5: Security alerts
- Part 6: Attack path analysis
- Part 7: Cloud security explorer
- Part 8: Workbooks
- Part 9: Regulatory compliance
- Part 10: Workload protections
- Part 10.5: Advanced Workload protection
- Part 11: Data and AI security
- Part 12: Environment settings & Defender plans

Jussi Metso

Author is a lifelong IT enthusiast, Microsoft Security MVP and interested in Cloud Security, XDR, SIEM and AI. Motto: Learning is the key for your future.