This is part two of a three-part series on product infrastructure security.
- Part 1: How to assess your product infrastructure security
- Part 3: How to defend your product infrastructure security
Startups often struggle to select and implement the right products for securing hybrid and multi-cloud deployments. The most common reason is the complexity of security solutions, compounded by the lack of a specialized security team. Microsoft Defender for Cloud simplifies the work of securing your cloud assets, so that you can focus on solutions that add value to your business while still keeping your security posture under control.
In the first part of this blog series, we explored the basics of product security posture management. We also looked at how Microsoft Defender for Cloud helps defend your cloud deployments from intrusions and threats and gives a unified view of the security state of your deployments across different cloud platforms. In this second part, we’ll walk step by step through using Microsoft Defender for Cloud to secure your cloud infrastructure.
Harden security using enhanced security features
While the free plan of Microsoft Defender for Cloud provides continuous security assessments and hardening recommendations, the enhanced security features (the paid Microsoft Defender plans) add threat detection, vulnerability assessment and access controls that the free plan does not include. Let’s take a deeper look at these capabilities.
Microsoft Defender for Endpoint
For endpoint detection and response (EDR), Microsoft Defender for Endpoint is integrated into Microsoft Defender for Servers and deployed to your onboarded Windows and Linux servers. (Defender for Endpoint as a standalone product also covers macOS, Android and iOS devices.) It provides real-time detection of attacks using behavioral sensors and cloud-based analytics, and its automated investigation and remediation lets you respond to identified threats at scale.
Microsoft Defender for Cloud also provides vulnerability assessment for resources such as virtual machines, SQL resources and container registries. You can configure auto provisioning to onboard these resources to Microsoft Defender for Cloud; the findings are consolidated in Defender for Cloud and can be investigated directly from the service console.
Multi-cloud and hybrid cloud security
Startups with resources deployed in AWS and Google Cloud can connect those environments to Microsoft Defender for Cloud and monitor their security posture from a single pane. Non-Azure Windows and Linux machines can be onboarded by installing the Log Analytics agent, which reports to Microsoft Defender for Cloud. Another option is to connect them to Azure Arc, Microsoft’s hybrid and multi-cloud management solution, which adds Azure Policy and extension management for those machines on top of the security hardening provided by Microsoft Defender for Cloud.
Threat protection alerts
Microsoft Defender for Cloud provides next-generation protection against evolving threats such as polymorphic and metamorphic malware. Its behavioral analytics and machine learning based approach helps detect and mitigate attacks early, including exploitation techniques that have no signature yet (zero-day attacks), for machines, networks, SQL servers, Azure Storage and other resources. Each alert carries contextual threat intelligence that helps you trace the attack vector, investigate further and remediate faster.
Regulatory compliance
With enhanced security features enabled, you can assess your hybrid and multi-cloud deployments against several industry-standard compliance frameworks and benchmarks. The service shows how many controls passed or failed the assessment in your deployments and provides remediation guidance for the failed controls. This makes life easier for startups working in highly regulated industries.
Access and application control
Adaptive application controls let you control which applications may run in your environment. You can create an allowlist and a blocklist based on your organization’s requirements, or start from Microsoft Defender for Cloud’s machine learning-powered recommendations. To protect against brute-force attacks on management ports (for example RDP on 3389 and SSH on 22), just-in-time (JIT) VM access keeps those ports closed in the network security group and opens them only for an approved source address range and only for a requested, time-limited window.
Container security
Microsoft Defender for Containers provides a comprehensive security solution for your Kubernetes workloads running in Microsoft Azure as well as on other cloud platforms. The service provides runtime protection for your Linux nodes and Kubernetes clusters, alerting you to malicious activity in these systems. Container images are scanned for vulnerabilities when they are pushed to the container registry, and recently pulled images are rescanned so that newly published vulnerabilities are flagged before a vulnerable image reaches production.
Azure resource threat detection
Microsoft Defender for Cloud provides native threat detection and protection for your Microsoft Azure resources. Resources such as Azure networks, Key Vault, Azure DNS and Azure Resource Manager are onboarded automatically when the corresponding Defender plan is enabled and are then protected by the service against possible threats.
Enable enhanced security features of Microsoft Defender for Cloud
To enable enhanced security features, browse to Azure portal > Microsoft Defender for Cloud > Environment settings:
- Sign in to the Azure portal
- Search for and select Microsoft Defender for Cloud
- From the Defender for Cloud’s main menu, select Environment settings
- Select the subscription or workspace that you want to protect
- The Microsoft Defender plans page will open up
- Select the individual enhanced security features (Defender plans) that you want to enable for the subscription, or click on “Enable all” to enable all of them together. Click “Save”.
Once the enhanced features are enabled, notifications confirm that the process has completed.
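The same result can be scripted, which is preferable when you have more than one subscription to configure and want the setting to be reproducible. The following is an added example using the Az PowerShell modules; it is not code from the original post. It assumes Az.Accounts and Az.Security are installed, that Connect-AzAccount has already been run with an account that holds Security Admin (or Owner) on the subscription, that `<subscription-id>` is replaced with your own, and that your Az.Security version supports the `-SubPlan` parameter.

```powershell
# Added example (not from the original post): enable Defender plans on a
# subscription with Az.Security instead of clicking through the portal.
# Assumptions: Az.Accounts and Az.Security installed, Connect-AzAccount done,
# <subscription-id> is a placeholder.
Set-AzContext -SubscriptionId '<subscription-id>' | Out-Null

# Plan names as exposed by Microsoft.Security/pricings. This subset covers the
# resource types discussed above; Get-AzSecurityPricing lists every plan.
$plans = @('VirtualMachines', 'SqlServers', 'SqlServerVirtualMachines',
           'StorageAccounts', 'Containers', 'KeyVaults', 'Dns', 'Arm')

foreach ($plan in $plans) {
    Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
    Write-Host "enabled: $plan"
}

# Defender for Servers defaults to Plan 2 when switched to Standard. Pin the
# sub-plan explicitly so the intent is recorded in the script.
# (-SubPlan is assumed to be available in your Az.Security version.)
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' -SubPlan 'P2' | Out-Null

# Verify: any plan still on the Free tier is a gap in coverage, so list those.
$gaps = Get-AzSecurityPricing | Where-Object { $_.PricingTier -ne 'Standard' }
if ($gaps) {
    Write-Warning "plans still on the Free tier:"
    $gaps | Select-Object Name, PricingTier | Format-Table -AutoSize
} else {
    Write-Host "all Defender plans are on the Standard tier"
}
```

Run the verification part on its own periodically; a plan that someone switched back to Free to save cost is a common and silent way for coverage to regress.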
Multi-cloud and hybrid cloud protection
To add non-Azure machines from hybrid deployments and to protect multi-cloud resources, browse to Microsoft Defender for Cloud > Getting started.
- Under “Protect multi-cloud environments,” click on Configure.
- From the drop-down, select either AWS or Google Cloud Platform to start the configuration process.
- To add a new AWS environment, follow the steps outlined here: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws
- To add a Google Cloud Project, follow the steps outlined here: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp
- To onboard non-Azure machines, browse to Microsoft Defender for Cloud > Getting started > “Add non-Azure Servers” > Configure
- Click on “Create New Workspace”. Provide the subscription, resource group, workspace name and region. Click on “Review + Create”.
- Click on “Create” to complete the provisioning process
- Now you can onboard servers by installing the Log Analytics agent, as outlined here: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines
Auto provisioning of Microsoft Defender for Cloud agents and extensions
Auto provisioning installs the Microsoft Defender for Cloud agents and extensions on target resources so that any new or existing supported resource is onboarded to the service automatically, rather than machine by machine.
- From the Azure portal, browse to Microsoft Defender for Cloud > Environment settings and select the target subscription.
- Click on “Auto provisioning.” Select the extensions that you want to auto provision or click on “Enable all extensions.”
- You can configure the Log Analytics agent workspace to collect Windows security event logs. From the “Log Analytics agent for Azure VMs” extension configuration options, update the workspace and the “Windows security events” raw data storage setting.
The default setting is “None”, i.e., security events are not stored in the workspace. “Minimal” stores a reduced set of events for customers who want to keep volume low, “Common” stores the standard set used for auditing and includes a full user audit trail, and “All events” stores every Windows security and AppLocker event at the highest ingestion cost. Select the option that matches your logging and retention requirements and click “Apply”.
- Click on Save to complete the configuration
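The workspace creation and auto provisioning steps above map onto a few cmdlets. The following is an added example, not code from the original post. It assumes Az.Accounts, Az.Resources, Az.OperationalInsights and Az.Security are installed, Connect-AzAccount has been run, and that the subscription id, resource group, workspace name and region are placeholders you replace; the Windows security events collection tier is left to the portal setting described above, since this example does not configure it.

```powershell
# Added example (not from the original post): create the Log Analytics
# workspace Defender for Cloud will use, make it the subscription's default
# workspace, and turn on auto provisioning of the Log Analytics agent.
# Assumptions: Az.Accounts, Az.Resources, Az.OperationalInsights and
# Az.Security installed; Connect-AzAccount done; all names are placeholders.
$subscriptionId = '<subscription-id>'
$rgName = 'rg-security-monitoring'
$wsName = 'law-defender-prod'
$region = 'westeurope'

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

if (-not (Get-AzResourceGroup -Name $rgName -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rgName -Location $region | Out-Null
}

# Keep security logs for at least 90 days; the portal default of 30 days is
# shorter than most incident investigations need.
$ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name $wsName -ErrorAction SilentlyContinue
if (-not $ws) {
    $ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name $wsName `
            -Location $region -Sku 'PerGB2018' -RetentionInDays 90
}

# Point Defender for Cloud at this workspace instead of the auto-created
# "DefaultWorkspace-<subscription>" one, so the data lands in a workspace whose
# access control and retention you manage.
Set-AzSecurityWorkspaceSetting -Name 'default' `
    -Scope "/subscriptions/$subscriptionId" -WorkspaceId $ws.ResourceId | Out-Null

# Auto provisioning: new and existing VMs get the agent without manual onboarding.
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

# Verify both settings took effect.
Get-AzSecurityWorkspaceSetting | Select-Object Name, WorkspaceId
Get-AzSecurityAutoProvisioningSetting | Select-Object Name, AutoProvision
```

Auto provisioning only covers Azure VMs (and Arc-connected machines once they are onboarded); machines outside Azure that are not connected to Arc still need the agent installed as described in the previous section.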
Threat detection and protection for your workloads in AWS, Azure, GCP or on-premises is provided by Microsoft Defender for Servers.
By default, when you enable enhanced security for servers, Microsoft Defender for Servers Plan 2 is selected, which provides the following capabilities:
- Microsoft Defender for Endpoint
- Microsoft threat and vulnerability management
- Automatic agent onboarding, alert, and data integration
- Just-in-time VM access for management ports
- Network layer threat detection
- Adaptive application controls
- File integrity monitoring
- Adaptive network hardening
- Integrated vulnerability assessment powered by Qualys
- Log Analytics 500MB free data ingestion
To deploy integrated vulnerability scanning for your onboarded machines, browse to Microsoft Defender for Cloud > Workload protections > VM vulnerability assessment:
- Machines where no vulnerability assessment solution is detected are listed as unhealthy resources. Select the resource and click on “Fix”.
- Select the vulnerability assessment solution to deploy. You can choose one of the integrated solutions, the threat and vulnerability management solution from Microsoft Defender for Endpoint or the vulnerability scanner powered by Qualys, or, if you already hold a license for a supported third-party scanner, use it under a bring-your-own-license (BYOL) model. Click on “Proceed”.
- In the next screen, confirm that you want to fix the resource.
- Once the deployment has completed successfully, you will get a notification.
Note: the integrated vulnerability management solution is available only on a set of supported operating systems; check the supported-OS list for your machines before deploying.
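Clicking “Fix” on every unhealthy machine does not scale past a handful of VMs. The following is an added example (not code from the original post) that requests deployment of the integrated scanner on every Azure VM and Azure Arc machine in the subscription through the same Microsoft.Security serverVulnerabilityAssessments resource the portal uses. It assumes Az.Accounts and Az.Compute are installed (Az.ConnectedMachine optionally, for Arc servers), Connect-AzAccount has been run, Defender for Servers is enabled, and that the `2020-01-01` API version and the “default” resource name, which deploys the Qualys-powered integrated scanner, are still current for your tenant; the `Enable-IntegratedVulnerabilityAssessment` function name is my own.

```powershell
# Added example (not from the original post): deploy the integrated
# vulnerability assessment solution on all VMs and Arc machines at once.
# Assumptions: Az.Accounts and Az.Compute installed (Az.ConnectedMachine for
# Arc machines), Connect-AzAccount done, Defender for Servers enabled.
# The REST path is the Microsoft.Security serverVulnerabilityAssessments
# endpoint; the api-version below is assumed to still be current.
$apiVersion = '2020-01-01'

function Enable-IntegratedVulnerabilityAssessment {
    param([Parameter(Mandatory)][string]$ResourceId)

    $path = "$ResourceId/providers/Microsoft.Security/serverVulnerabilityAssessments/default?api-version=$apiVersion"

    # Idempotent: a machine that already has the solution answers 200 on GET.
    $existing = Invoke-AzRestMethod -Method GET -Path $path
    if ($existing.StatusCode -eq 200) {
        Write-Host "already enabled: $ResourceId"
        return $true
    }

    # The PUT with no body asks Defender for Cloud to push the scanner extension.
    $resp = Invoke-AzRestMethod -Method PUT -Path $path
    if ($resp.StatusCode -ge 300) {
        # A 4xx here usually means the plan is off for this subscription or the
        # machine's OS is not in the supported list.
        Write-Warning "failed ($($resp.StatusCode)) for $ResourceId`: $($resp.Content)"
        return $false
    }
    Write-Host "deployment requested: $ResourceId"
    return $true
}

# Collect targets: every Azure VM, plus Arc-enabled servers when the module is present.
$targets = @()
$targets += (Get-AzVM).Id
if (Get-Command Get-AzConnectedMachine -ErrorAction SilentlyContinue) {
    $targets += (Get-AzConnectedMachine).Id
}

$results = foreach ($id in ($targets | Where-Object { $_ })) {
    [pscustomobject]@{ ResourceId = $id; Requested = (Enable-IntegratedVulnerabilityAssessment -ResourceId $id) }
}
$results | Where-Object { -not $_.Requested } | Format-Table -AutoSize
```

Machines that fail here will keep showing as unhealthy in the VM vulnerability assessment view; the warning text returned by the API usually states whether the cause is the plan, the agent, or the operating system.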
By default, compliance assessment against the Azure Security Benchmark is enabled, and you can view its status from Microsoft Defender for Cloud > Overview.
- To add additional compliance standards for assessment, go to Microsoft Defender for Cloud > Environment settings > select the target subscription > Security policy. Additional compliance standards are listed under “Industry & regulatory standards.”
You can enable a standard from this view or click on “Add more standards” to see the full list.
- Select the standard you want to assess your environment against and click Add.
For example, if your organization works in healthcare and wants to measure compliance against HITRUST/HIPAA, select that standard from the list.
- On the next screen, provide the scope at which the policy initiative is assigned, the assignment name and the policy enforcement mode (“Enabled” enforces deny and deploy effects, “Disabled” only audits). Click on Next.
- Provide any parameters the standard’s policies require, such as application names, diagnostic storage, resource group or certificate thumbprints. Click on Next.
- Select the remediation options (whether to create a remediation task and which managed identity should run it). Click on Next.
- In the next window, you can select or edit standard-specific non-compliance messages, or add a default non-compliance message. Click Next.
- Click on “Create” to complete the configuration.
- You will get a notification once the compliance standard has been added.
- The standard will now be listed on the Security policy page.
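Behind the wizard above, adding a standard is an Azure Policy initiative assignment; the steps for scope, parameters and enforcement correspond one-to-one with cmdlet parameters. The following is an added example, not code from the original post, that assigns the built-in HITRUST/HIPAA initiative in audit-only mode and then reads back the failed controls. It assumes Az.Accounts, Az.Resources and Az.Security are installed, Connect-AzAccount has been run with rights to create policy assignments at subscription scope, the initiative is matched by its display name, and the `$parameters` hashtable is a placeholder you populate with the initiative’s required parameters.

```powershell
# Added example (not from the original post): assign a regulatory standard's
# built-in policy initiative at subscription scope and read the results.
# Assumptions: Az.Accounts, Az.Resources and Az.Security installed,
# Connect-AzAccount done; the initiative is looked up by display name.
$subscriptionId = '<subscription-id>'
$scope = "/subscriptions/$subscriptionId"
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Built-in initiatives carry the standard's name. Older Az.Resources exposes
# DisplayName under .Properties, newer versions at the top level; handle both.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { @($_.Properties.DisplayName, $_.DisplayName) -contains 'HITRUST/HIPAA' } |
    Select-Object -First 1
if (-not $initiative) { throw 'HITRUST/HIPAA initiative not found; check the display name' }

# Placeholder: HITRUST/HIPAA has required parameters (the wizard's parameters
# step). Inspect the initiative's parameter definitions and fill them in here.
$parameters = @{}

# DoNotEnforce = assess only. Switching to Default activates deny/deploy
# effects, which can block deployments, so start in audit mode and review the
# compliance results first. Without a managed identity, deployIfNotExists
# policies are evaluated but not remediated, which is what we want for now.
$assignment = New-AzPolicyAssignment -Name 'hitrust-hipaa' -DisplayName 'HITRUST/HIPAA' `
    -Scope $scope -PolicySetDefinition $initiative `
    -PolicyParameterObject $parameters -EnforcementMode DoNotEnforce
Write-Host "assigned: $($assignment.Name) at $scope"

# Results show up under Regulatory compliance after the next evaluation cycle.
# List failed controls per HITRUST standard entry via Az.Security.
Get-AzRegulatoryComplianceStandard |
    Where-Object { $_.Name -like 'HITRUST*' } |
    ForEach-Object {
        Get-AzRegulatoryComplianceControl -StandardName $_.Name |
            Where-Object { $_.State -eq 'Failed' } |
            Select-Object @{n='Standard'; e={ $_.Name.Split('/')[0] }}, Name, Description, State
    } | Format-Table -AutoSize
```

Keeping the assignment in audit mode is deliberate: the compliance view is only useful if engineers trust it, and a standard that starts denying deployments on day one tends to get removed rather than fixed.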
Access and application control
- To enable just-in-time access for machines, browse to Workload protections and select the “Just-in-time VM access” tile.
- On the just-in-time VM access configuration page, open the “Not configured” tab and select the machines for which you want to enable JIT access. Click on the “Enable JIT” button.
- Click “Save” to accept the recommended policy (the common management ports, with access granted for up to three hours per request) or click on “Add” to create a custom rule.
- When creating a custom rule, specify the port number, protocol, allowed source IPs (prefer your administrators’ address range over “Any”) and the maximum duration for which access may be requested. Click “OK” to add the access rule.
- Click “Save” to complete the configuration.
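The JIT policy created above is an ordinary Azure resource (Microsoft.Security/jitNetworkAccessPolicies), so the policy and the access request can both be scripted, which is also the way to audit who opened which port. The following is an added example, not code from the original post. It assumes Az.Accounts and Az.Security are installed, Connect-AzAccount has been run, and that the subscription id, resource group, VM name and location are placeholders; the `203.0.113.0/24` range and the `203.0.113.10` requester address are documentation (TEST-NET-3) placeholders standing in for your administrators’ egress addresses.

```powershell
# Added example (not from the original post): create a JIT policy for one VM,
# request access through it, then list past requests. Az.Security cmdlets.
# Assumptions: Connect-AzAccount done; values in angle brackets and the
# 203.0.113.x addresses are placeholders.
$subscriptionId = '<subscription-id>'
$rgName   = '<resource-group>'
$location = '<vm-location>'   # e.g. westeurope; JIT policies are per region
$vmId     = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Compute/virtualMachines/<vm-name>"
$adminCidr = '203.0.113.0/24'  # placeholder for the admin egress range

# Policy: which ports may be opened, from where, and for how long at most.
# Using "*" for allowedSourceAddressPrefix turns JIT into "open the port to the
# internet on request"; restrict it to the network your admins come from.
$jitPolicy = @{
    id    = $vmId
    ports = @(
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @($adminCidr); maxRequestAccessDuration = 'PT1H' },
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @($adminCidr); maxRequestAccessDuration = 'PT1H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $location -Name 'default' `
    -ResourceGroupName $rgName -VirtualMachine @($jitPolicy) | Out-Null

# Request: open SSH for 30 minutes from a single source address. endTimeUtc
# must be no later than now + maxRequestAccessDuration or the request is rejected.
$request = @{
    id    = $vmId
    ports = @(
        @{ number = 22
           endTimeUtc = (Get-Date).ToUniversalTime().AddMinutes(30).ToString('o')
           allowedSourceAddressPrefix = @('203.0.113.10') }
    )
}
$policyId = "/subscriptions/$subscriptionId/resourceGroups/$rgName/providers/Microsoft.Security/locations/$location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($request) | Out-Null

# Audit trail: the policy records each request with the requester identity.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $rgName -Location $location -Name 'default'
$policy.Requests | Select-Object StartTimeUtc, Requestor | Format-Table -AutoSize
```

The request step is what your on-call engineers run instead of editing the NSG by hand; because the port closes again when `endTimeUtc` passes, a forgotten rule can no longer leave RDP or SSH exposed.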
- To enable adaptive application controls, browse to Workload protections > Adaptive application controls.
- View the groups of machines for which an allowlist is recommended on the “Recommended” tab.
- Select the group for which you want to enable adaptive application controls. In the next window, select the machines and review the list of recommended applications to allowlist. Click on “Audit” to apply the rule; in audit mode, applications outside the allowlist still run but raise a security alert, so review those alerts before tightening the list.
- You can view the configured rules from the Workload protections dashboard > Adaptive application controls. To add custom rules, click on “Add rule” and enter the rule data.
Enabling Microsoft Defender for Cloud protection for your multi-cloud resources takes just a few clicks. You can use the steps outlined in this blog to start strengthening your security posture with Microsoft Defender for Cloud. In the final part of this series, we will take a deep dive into the concept of secure score and how you can use it, together with the threat detection capabilities of Microsoft Defender for Cloud, to protect your infrastructure from attacks.
To get access to Azure Cloud and much more for your startup, sign up today to Microsoft for Startups Founders Hub.