Which Microsoft Defender for Cloud feature enables you to see the topology of your workloads?
In this second post of the blog series, I'll take you through the remaining workload protection features in 'Microsoft Defender for Cloud'. If you have not read part 1, here is the link.
In my previous blog I could not cover all the features under 'Workload Protection', so I'll cover the rest of them below.
Just-In-Time VM Access:
Security is a major challenge for organizations running mission-critical applications in the cloud. One of the biggest risks comes from management ports (RDP, SSH and similar) left open to the internet, and Microsoft Defender for Cloud provides a good option for managing this threat: Just-in-Time (JIT) VM access. With JIT you define which VMs and which ports can be opened, from which source addresses, and for how long. JIT locks down the selected inbound ports of Azure VMs so that they are reachable only on request and only for a limited time; between requests, all inbound traffic to those ports is blocked at the network level. When JIT is enabled, each access request is checked against Azure role-based access control (RBAC): only users who hold the required permissions on the VM can request access. Once a request is approved, Defender for Cloud automatically configures the network security group (NSG) to allow inbound traffic to the requested ports from the requested source, only for the requested duration, after which it restores the NSG to its previous state.

How to enable JIT?
Just-In-Time VM access can be enabled in 2 ways:
1. Using Microsoft Defender for Cloud
2. Using the Virtual Machine blade

Once you select either option, it shows a list of recommended ports; you can add further ports as required. The default port list is shown below. Click the port you want to restrict. A new tab appears with the protocol to be allowed and the allowed source IP (a single IP address or a CIDR range). An important setting here is the maximum request time: the default is 3 hours, and it can be increased or decreased as required. Then click OK.
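To make the NSG mechanics behind JIT concrete, here is an added Python model (my own illustration, not Defender for Cloud's code) of what happens to the inbound rules: enabling JIT places a Deny for the management port at a lower priority number (higher precedence) than the existing Allow, and an approved request adds a temporary Allow, scoped to the requester's address and outranking the Deny, which drops away after the requested window (3 hours by default). The rule names, the priority numbers 1000 and 900 and the addresses are assumptions chosen for the illustration; the real rules Defender creates carry their own names and priorities.

```python
"""Model of the NSG changes Just-in-Time VM access makes (added example, not Defender's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

MANAGEMENT_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM: the ports JIT recommends closing


@dataclass
class Rule:
    name: str
    priority: int                        # NSG semantics: lower number is evaluated first
    access: str                          # "Allow" or "Deny"
    dst_port: int
    source: str = "*"                    # "*" (any source) or a CIDR prefix
    expires: Optional[datetime] = None   # only JIT allow rules carry an expiry

    def matches(self, src_ip: str, port: int, now: datetime) -> bool:
        if self.expires is not None and now >= self.expires:
            return False                 # an expired JIT allow must no longer admit traffic
        if port != self.dst_port:
            return False
        return self.source == "*" or ip_address(src_ip) in ip_network(self.source, strict=False)


@dataclass
class Nsg:
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, src_ip: str, port: int, now: datetime) -> str:
        # First match in ascending priority wins; the default inbound rule denies everything else.
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, port, now):
                return rule.access
        return "Deny"

    def exposed_management_ports(self) -> List[Rule]:
        """Allow rules that open a management port to any source: the exposure JIT is meant to fix."""
        return [r for r in self.rules
                if r.access == "Allow" and r.source == "*" and r.dst_port in MANAGEMENT_PORTS]

    def enable_jit(self, port: int, deny_priority: int) -> None:
        """Enabling JIT: a Deny for the port at higher precedence than every existing Allow."""
        for r in self.rules:
            if r.dst_port == port and r.access == "Allow" and deny_priority >= r.priority:
                raise ValueError(f"deny priority {deny_priority} would not outrank {r.name}")
        self.rules.append(Rule(f"JIT-Deny-{port}", deny_priority, "Deny", port))

    def request_access(self, port: int, requester_cidr: str, now: datetime,
                       duration: timedelta = timedelta(hours=3)) -> Rule:
        """An approved request: a temporary Allow for the requester only, outranking the JIT Deny.

        The Deny rule stays in place; the 3-hour default mirrors the JIT policy default."""
        deny = next(r for r in self.rules if r.name == f"JIT-Deny-{port}")
        allow = Rule(f"JIT-Allow-{port}", deny.priority - 1, "Allow", port,
                     source=requester_cidr, expires=now + duration)
        self.rules.append(allow)
        return allow

    def expire(self, now: datetime) -> None:
        """Restore the NSG: drop JIT allows whose window has passed."""
        self.rules = [r for r in self.rules if r.expires is None or now < r.expires]


def walkthrough():
    """Constructed scenario: an RDP port open to the world, then JIT enabled and one request."""
    t0 = datetime(2023, 1, 1, 9, 0, tzinfo=timezone.utc)
    nsg = Nsg([Rule("Allow-RDP", 1000, "Allow", 3389)])          # the risky starting point
    exposed = [r.name for r in nsg.exposed_management_ports()]
    steps = {"before": nsg.evaluate("198.51.100.20", 3389, t0)}
    nsg.enable_jit(3389, deny_priority=900)                      # 900 is an illustrative value
    steps["jit_enabled"] = nsg.evaluate("198.51.100.20", 3389, t0)
    nsg.request_access(3389, "203.0.113.7/32", t0)               # requester's own address only
    steps["requester"] = nsg.evaluate("203.0.113.7", 3389, t0 + timedelta(hours=1))
    steps["other_ip"] = nsg.evaluate("198.51.100.20", 3389, t0 + timedelta(hours=1))
    steps["after_expiry"] = nsg.evaluate("203.0.113.7", 3389, t0 + timedelta(hours=3))
    nsg.expire(t0 + timedelta(hours=3))
    steps["rules_left"] = sorted(r.name for r in nsg.rules)
    return exposed, steps


if __name__ == "__main__":
    print(walkthrough())
```

The point of the model is the ordering: because an NSG stops at the first matching rule in ascending priority, the JIT Deny closes the port even though the original Allow is still present, and the short-lived Allow only works because it is given a smaller priority number than the Deny. The same check in `exposed_management_ports` is the one you would run over real NSG rule exports to find VMs that should have JIT turned on.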
Changes observed in the NSG when JIT is enabled:
JIT adds a new Deny rule for each protected management port to the NSG's inbound security rules, with a lower priority number (that is, higher precedence) than the original Allow rule for that port, so the Deny is matched first and the port is closed. If the VM is protected by Azure Firewall, JIT applies the equivalent rule change in the Azure Firewall as well.

Connect to JIT-enabled VMs:
This takes you to the next page, where additional details need to be provided for connectivity, such as:

Request access from the VM blade:
An approved request does not remove the JIT Deny rule. Defender for Cloud adds a temporary Allow rule for the selected port, scoped to the requester's source IP or range, with a lower priority number (higher precedence) than the Deny rule, so that only the requested traffic is admitted. When the requested duration expires, the Allow rule is removed and the port is closed again.

File Integrity Monitoring (FIM):
FIM, also known as change monitoring, examines operating system files, the Windows registry, application software and Linux system files for changes that might indicate an attack. It works by recording a baseline of the monitored files and registry keys and comparing the current state against it, reporting any addition, removal or modification.

How FIM works?
Enable FIM:
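The baseline-and-compare idea that FIM rests on, as an added Python example (my own illustration of the mechanism, not the Defender for Cloud FIM agent): take a snapshot of content hashes and permission bits for every file under a root, take another later, and report what was added, removed, modified or had its permissions changed. The directory layout, file names and "backdoor" edit are a constructed scenario built in a temporary directory so the script runs offline; permission detection assumes a POSIX file system.

```python
"""Baseline-and-compare file integrity check (added example, not Defender for Cloud's FIM agent)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[str, int]]   # relative path -> (sha256 hex digest, permission bits)


def snapshot(root: Path) -> Snapshot:
    """Record the content hash and permission bits of every regular file under root."""
    snap: Snapshot = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = stat.S_IMODE(path.stat().st_mode)
            snap[path.relative_to(root).as_posix()] = (digest, mode)
    return snap


def diff(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str]]:
    """Return (change_type, path) pairs: added, removed, modified content, or changed permissions."""
    changes: List[Tuple[str, str]] = []
    for p in sorted(set(baseline) | set(current)):
        if p not in baseline:
            changes.append(("added", p))
        elif p not in current:
            changes.append(("removed", p))
        else:
            old_hash, old_mode = baseline[p]
            new_hash, new_mode = current[p]
            if old_hash != new_hash:
                changes.append(("modified", p))
            if old_mode != new_mode:
                changes.append(("permissions", p))
    return changes


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a tampered binary, a new cron entry, a removed config and a chmod."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"original sshd binary")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "shadow").write_text("root:*:0:0:99999:7:::\n")
        os.chmod(root / "etc" / "shadow", 0o600)
        baseline = snapshot(root)                                   # the trusted starting point

        (root / "bin" / "sshd").write_bytes(b"original sshd binary + backdoor")   # content change
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/x\n")  # new file
        (root / "etc" / "app.conf").unlink()                                          # removed
        os.chmod(root / "etc" / "shadow", 0o644)                                      # now world-readable
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for change_type, path in demo():
        print(f"{change_type:12s} {path}")
```

Hashing content rather than trusting timestamps matters because an attacker who can write a binary can also reset its mtime; comparing permission bits separately catches the quieter change of a sensitive file being opened up without its content being touched. A real deployment keeps the baseline somewhere the monitored host cannot rewrite, which is what Defender's agent-based collection into a workspace gives you.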
Network Map:
Network Map provides a graphical view of your network topology with security overlays, giving you recommendations and insights for hardening your network resources. By default the map shows topology only for resources that have network recommendations of high or medium severity. The map is generated for the subscriptions you selected in the portal; if you modify the selection, the map is regenerated for the new selection.

Network Map topology view:
Traffic view:
Traffic view gives you a map of all the possible traffic between your resources: a visual map of the rules you have configured that define which resources can communicate with which. This lets you see the existing configuration of the network security groups and quickly identify potentially risky configurations within your workloads, such as a management port reachable from any source.
Container Image Scanning:
Vulnerability scanning for container images is powered by Qualys, a leading provider of information security, and works much like the vulnerability assessment of VMs. When you push an image to your container registry, Defender for Cloud automatically scans it and checks the packages and dependencies inside the image against known vulnerabilities. When the scan completes, Defender for Cloud provides details and a severity classification for each vulnerability detected, along with guidance on how to remediate the issues and reduce the vulnerable attack surface. If you don't have an Azure Container Registry (ACR) deployed in Azure, follow the steps below to create one (the subscription, resource group and region are the ones used in this walkthrough; the registry name is a placeholder and must be globally unique):

# Create a dedicated resource group for Azure Container Registry, then the registry itself
az account set --subscription "12ec4b14-c098-499d-bf56-584f0b926fe9"
az group create --name rg-acr-demo --location southeastasia
az acr create --resource-group rg-acr-demo --name acrdemo12345 --sku Basic

Once the container registry is deployed, you can get its details and then log in with the following commands (same placeholder registry name):

az acr show --resource-group rg-acr-demo --name acrdemo12345 --output table
az acr login --name acrdemo12345

After you push an image, allow more than 30 minutes for Defender for Cloud to surface vulnerability findings and remediation suggestions for it.

SQL Vulnerability Scanning:
Security is at the top of the list, as data breaches increase year on year and sensitive data stored in databases needs protecting. Microsoft Defender for Cloud database security lets you protect your entire database estate by detecting common attacks and supporting enablement and threat response for the most popular database types in Azure.
For an existing database server, it can be enabled by navigating to Advanced Data Security under the Security heading. This asks for a storage account in which to keep the scan results; you can use an existing storage account or create a new one, but a storage account is mandatory because the scan results are written to it.

Run a Scan:
This marks the end of the workload protection and advanced protection features of 'Microsoft Defender for Cloud'. I hope this is helpful; reach out to me with any queries. Happy reading!