Microsoft Defender for Cloud
Microsoft Defender for Cloud helps you find and fix security vulnerabilities, block malicious activity by applying access and application controls, detect threats by using analytics, and if you are under attack, helps you respond. Microsoft Defender for Cloud has two main pillars for cloud security: Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP).
Microsoft Defender for Cloud covers three important needs so that you can manage the security of workloads and resources both in the cloud and on-premises:
- Continuously Assess: This allows you to know your security posture and identify and track vulnerabilities. It provides you with a secure score, vulnerability assessments, asset inventory, regulatory compliance, and file integrity monitoring.
- Secure: This allows you to harden resources and services using Azure Security Benchmarks and AWS Security Best Practices. It provides you with security recommendations, just-in-time VM access, adaptive network hardening, and adaptive application control, along with step-by-step actions that need to be taken in order to protect your workloads from known security risks.
- Defend: This allows you to detect and resolve threats to your resources and services. It provides you with Microsoft Defender, security alerts, and integration with Microsoft Sentinel.
Pricing
Microsoft Defender for Cloud is free for the first 30 days, and the free features provide only limited security for your Azure resources. Any usage beyond 30 days is charged automatically. For more information on pricing, see Microsoft's website at http://azure.microsoft.com/en-us/pricing/details/defender-for-cloud.
Prerequisites
In order to use Microsoft Defender for Cloud, you need to have an Azure subscription. You will only be able to see information for resources for which you have been assigned the Owner, Contributor, or Reader role on the subscription or on the resource group that contains the resource.
To Enable Microsoft Defender for Cloud
To enable Microsoft Defender for Cloud, perform the following:
- Sign into the Azure portal at https://portal.azure.com.
- From the portal’s menu, select Microsoft Defender for Cloud. The Overview page will open, as shown in Figure 17.7.
FIGURE 17.7 Microsoft Defender for Cloud Overview page
The Overview page is an interactive dashboard that provides a look at the security posture of your workloads and shows security alerts, coverage information, and more. You can select any section on the page to get more information. You can also view and filter the list of subscriptions by selecting the Subscriptions menu item. After you launch Microsoft Defender for Cloud for the first time, you will see a secure score, a list of hardening recommendations that shows ways in which you can improve the security of your connected resources, and an inventory of all the resources being assessed, along with the security posture of each one.
With Cloud Security Posture Management (CSPM), you can remediate security issues and improve your security posture using Microsoft Defender for Cloud. The CSPM posture management feature provides hardening assistance to help you enhance your security and visibility. As I mentioned earlier, Microsoft Defender for Cloud constantly measures your resources, subscriptions, and company for security issues and shows your security posture as a secure score. The score tells you your current security situation: the higher the score, the lower the identified risk level. CSPM has two different options that you can use: a free option and a premium option. Microsoft recommends enabling the premium option so that you can have full coverage and benefits.
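The following is an added illustration, not code from the book or from Microsoft, of the arithmetic behind the secure score the paragraph describes: each security control's current score is its maximum score scaled by the fraction of its resources that are healthy, and the overall score is the sum of current scores over the sum of maximum scores, shown as a percentage. The control names and resource counts are constructed, and the rounding of the displayed value is an assumption.

```python
# Constructed sample of three security controls (not from a real subscription):
# each control has a fixed maximum score and a count of healthy/unhealthy resources.
CONTROLS = [
    {"name": "Enable MFA", "max": 10, "healthy": 3, "unhealthy": 2},
    {"name": "Secure management ports", "max": 8, "healthy": 4, "unhealthy": 4},
    {"name": "Apply system updates", "max": 6, "healthy": 6, "unhealthy": 0},
]

def control_score(control):
    """Current score of one control: its max score scaled by the healthy-resource fraction."""
    total = control["healthy"] + control["unhealthy"]
    if total == 0:  # assumption: a control with no applicable resources adds nothing
        return 0.0
    return control["max"] * control["healthy"] / total

def secure_score(controls):
    """Overall secure score as a percentage: sum of current scores over sum of max scores."""
    max_total = sum(c["max"] for c in controls)
    current = sum(control_score(c) for c in controls)
    return round(100 * current / max_total, 2) if max_total else 0.0

def prioritised(controls):
    """Controls ranked by potential score increase (max minus current), largest first;
    this is the order in which hardening work raises the score fastest."""
    gains = [(c["name"], c["max"] - control_score(c)) for c in controls]
    return sorted(gains, key=lambda g: -g[1])

if __name__ == "__main__":
    print(f"secure score: {secure_score(CONTROLS)}%")
    for name, gain in prioritised(CONTROLS):
        print(f"{name}: +{gain:.1f} points available")
```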
There is a graph-based algorithm that scans the cloud security graph; this is called an attack path analysis. This will show you possible paths that an attacker may use to breach your workload. The attack path analysis will expose the paths and make recommendations on how to best remediate the problems to prevent the breach.
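As an added, simplified illustration of what a graph-based attack path analysis does (not Defender for Cloud's own algorithm or code), the script below walks a constructed cloud security graph from the internet to assets marked as sensitive and maps each edge on a found path to one of the hardening recommendation families the chapter names. Resource names, edge types, and the recommendation mapping are all assumptions made up for the example.

```python
from collections import defaultdict

# Constructed toy cloud security graph (not a real tenant). Each edge carries the
# relation an attack path analysis would reason about; vm-db has no internet exposure.
EDGES = [
    ("internet", "vm-web", "exposed_to_internet"),   # public IP with an open port
    ("vm-web", "mi-web", "runs_as_identity"),         # VM's managed identity
    ("mi-web", "sa-customer-data", "has_data_role"),  # identity holds a blob data role
    ("vm-web", "kv-prod", "network_allow"),           # key vault firewall allows the VM
    ("vm-db", "sa-customer-data", "has_data_role"),
]
SENSITIVE = {"sa-customer-data", "kv-prod"}  # assets the defender marks as high value

# Illustrative hardening recommendation per edge type, using the families the chapter names
RECOMMENDATION = {
    "exposed_to_internet": "remove public exposure or use just-in-time VM access",
    "runs_as_identity": "scope the managed identity to what the workload needs",
    "has_data_role": "reduce the data-plane role assignment to least privilege",
    "network_allow": "tighten the service firewall with adaptive network hardening",
}

def find_attack_paths(edges, entry, sensitive):
    """Depth-first enumerate simple paths from the entry node to any sensitive asset.
    Each path is a list of (source, relation, target) steps."""
    graph = defaultdict(list)
    for src, dst, rel in edges:
        graph[src].append((dst, rel))
    paths = []
    def walk(node, path, visited):
        for nxt, rel in graph[node]:
            if nxt in visited:          # ignore cycles
                continue
            step = path + [(node, rel, nxt)]
            if nxt in sensitive:
                paths.append(step)
            walk(nxt, step, visited | {nxt})

    walk(entry, [], {entry})
    return paths

def remediations_for(paths):
    """Breaking any one edge breaks the path, so collect one fix per edge type seen."""
    return sorted({RECOMMENDATION[rel] for path in paths for _, rel, _ in path})

if __name__ == "__main__":
    found = find_attack_paths(EDGES, "internet", SENSITIVE)
    for path in found:
        print(" -> ".join(f"{s} [{r}]" for s, r, _ in path) + " -> " + path[-1][2])
    print("remediate:", remediations_for(found))
```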
Many Azure services are monitored and protected without needing any deployment on Microsoft Defender for Cloud because it's an Azure-native service. However, you can add resources that are on-premises or in other public clouds. For Azure machines the deployment is directly managed, but for hybrid and multicloud environments, plans may be extended to non-Azure machines by using Azure Arc. Azure Arc is a bridge that expands the Azure platform in order to help build applications and services that have the flexibility to run across different platforms such as new and existing hardware, virtualization and Kubernetes platforms, IoT devices, and integrated systems.
Manage and Respond to Security Alerts
Microsoft Defender for Cloud gathers, evaluates, and integrates log data from your Azure resources, such as firewalls and endpoint agents, to detect threats and reduce false positives. With Microsoft Defender for Cloud's enhanced security features enabled, you can have Advanced Detection, which triggers security alerts.
Security alerts are the notifications that are produced by Microsoft Defender for Cloud and Defender for Cloud plans when threats are recognized in your cloud, hybrid, or on-premises environment.
Now, let’s take a look at how you can manage your security alerts using Microsoft Defender for Cloud.
Manage Your Security Alerts
To manage your security alerts on Microsoft Defender for Cloud, perform the following:
- From Defender for Cloud’s overview page, at the top of the page, select the Security Alerts tile. You can also click the link on the sidebar. The Security Alerts page will open.
- From here you can filter the alerts list by selecting any of the relevant filters. You can also add additional filters using the Add Filter option.