Take control of cloud security with Azure Security Center

Article

Updated August 2016

Download

Article, 408KB, Microsoft Word file

 

Get a brief overview of Azure Security Center (1 min, 31 seconds)
Get a brief overview of Azure Security Center (1 min, 31 seconds)

Cloud computing and cloud security are top-of-mind across all enterprises. Chief information security officers and teams responsible for cloud deployments need to plan for and provide the required level of security that's relevant to their cloud resource needs.

How can you help protect your cloud assets and be compliant with security policies? How do you get targeted information about threats and incidents in real time, without investing in new infrastructure and IT capabilities?

At Microsoft IT, we use Azure Security Center as part of our mission to assess and help protect our cloud resources in Microsoft Azure across hundreds of subscriptions and apps. Azure Security Center gives us analytics-based threat detection and provides alerts that help us prevent and respond to threats and attacks in real time.

We use security intelligence from Azure Security Center to get visibility into our security state, prevent and tackle threats in our cloud ecosystem, and provide configuration and operational cloud-security knowledge to DevOps teams that manage cloud deployments at Microsoft.

Challenges related to cloud security

Helping protect cloud resources isn't without its challenges. Let's first look at a few of these potential challenges, and then how we use Azure Security Center to address these barriers and help protect security of cloud resources—from an IT perspective.

Getting visibility into your security state

It can be hard to assess the security level of cloud resources. In part, this is because the cloud is a vast ecosystem, with the potential to change very rapidly: More specifically, getting visibility can be difficult because:

  • Cloud management is distributed across the company.

  • Cloud resources can extend across cloud subscriptions and services.

  • Cloud resources (for example, virtual machines) are elastic in nature, meaning that it can be difficult for traditional configuration management tools to keep track of the security state with any level of accuracy.

Finding deep knowledge of cloud security

Having security professionals with a deep knowledge about cloud security is crucial, and you can face a few challenges because:

  • Cloud security experts in your company might be limited.

  • Those with deep security-related knowledge are likely to be in your central security organization.

How Azure Security Center helps us

We use Azure Security Center to help us proactively assess our security ecosystem, enhance the security expertise of teams, learn about new threats, and get Azure alerts. With the information we get from Azure Security Center, both IT and DevOps teams can proactively help protect the security of virtual machines, applications, databases, networks, and other cloud assets. Azure Security Center gives us:

  • Broad visibility into the security state of our Azure resources. We get a broad, contextualized view through the Azure Security Center dashboard in the Azure portal and through the Power BI Content Pack. Suppose that we have information about security events that are happening on our local virtual machines, in addition to events on the network and with our global-partner solutions. All this information is correlated to provide a bigger picture, with more context to help us see whether there are potential vulnerabilities. We can also take logs and raw events that occur on our Azure resources and bring them to an on-premises correlation engine.

  • IT policy management. We're responsible for defining security policies and ensuring that they're consistently applied within each subscription. We can configure these policies according to the needs and criticality of the application. Azure Security Center assesses Azure resources against the policy, and identifies resources that are out of compliance—for example, systems that are missing updates or anti-malware, or networks that are misconfigured.

  • DevOps assistance using deep knowledge. Microsoft successfully uses its DevOps teams to manage cloud deployments, meet compliance standards, and help secure the cloud environment. With Azure Security Center, the intelligence that's gained from analytics can:

    • Transfer a lot of cloud-security knowledge to DevOps teams, eliminating the need for them to be cloud-security experts. For instance, it gives alerts to threats as they occur and information about risks. It also provides a dashboard view of what's happening, so that we don't necessarily need to bring in security experts to cull through vast logs looking for anomalies. It gives suggestions on actions to take on an alert, based on best practices, machine learning, and expertise from across the company to help secure assets.

    • Transfer that intelligence knowledge at scale, so that a single cloud-security expert doesn't have to train the organization. For instance, Azure Security Center identifies vulnerabilities and provides recommendations on how to mitigate them. Often, team members can use a single click to apply the recommended control or to make the recommended configuration change, including deploying partner solutions.

    • Having standard and enforceable policies, robust threat intelligence, and near real-time reporting can inform and direct decision making, and helps our DevOps teams operate successfully by giving them expert-level security guidance. Azure Security Center helps prioritize, monitor, and actively manage security of Azure subscriptions.

  • Real-time, analytics-based incident and threat detection. We're notified when malicious and suspicious events (such as when a virus is installed) occur. Azure Security Center analyzes data from virtual machines, the Azure network, and alerts from partners. The threat intelligence, machine learning, anomaly detection, and rule-based analytics in Azure Security Center reduce the number of false positives. For instance, because Azure Security Center can analyze behavioral patterns of typical network traffic, we can get a better idea of which connection attempts are legitimate, and which are suspicious or malicious.

  • Prioritized alerts and recommendations. This information is based on best practices, machine learning, and other expertise from across Microsoft and from partners. In many ways, it's like having a trusted expert close by, giving a snapshot of our security state, and advising us.

Examples of alerts

We can see if someone has tried to use frequently guessed passwords and common credential names to try and attack our resources. We also get alerts about brute force attacks on services such as remote desktop protocol, secure shell, and file transfer protocol, and alerts about computers that are infected with malware.

Examples of recommendations

From a prevention standpoint, Azure Security Center might recommend that we should apply system updates, run Azure Disk Encryption, or reconfigure how often users are required to change their domain passwords.  

From a response standpoint, if a suspicious process is found, Azure Security Center might recommend steps such as running Process Explorer, running an anti-malware scan, and then running the Microsoft Windows Malicious Software Removal tool.

The following image shows an example of a dashboard with recommendations to help protect our Azure resources.

Title: Dashboard in Azure Seucrity Center that shows recommendations on how to help protecting Azure resources - Description: Examples of recommendations to help prevent incidents related to Azure resources
Figure 1. Examples of recommendations to help prevent security incidents related to Azure resources

Security monitoring: past vs. present

Past: With on-premises solutions, if we were monitoring a full application stack, we had to piece together logs and security events from Microsoft Internet Information Services, the middle tier, back end, and from the operating systems themselves. It was harder to tell what the real (and most critical) issues were.

Present: A user interface lets us quickly see security health, with prioritized alerts, recommendations, rule-based analytics, and reduced false positives. We no longer have to pore over logs, or assemble all the information ourselves, which can take a lot of time.

Level of usage

IT and DevOps teams at Microsoft are familiar with using Azure Security Center. They need to know how to set security policies for Azure subscriptions, and how to use operational aspects of the data. Through dashboards, IT and DevOps can get an idea of overall usage and compliance state. (To get this information, the service principal that we own must have read-only permission to the Azure subscriptions.)

Operational tasks and considerations

Azure Security Center is available with an Azure subscription. There's a simple walkthrough to set up Azure Security Center, enable a storage account and data collection, and do other tasks. But from an enterprise standpoint, what's challenging is setting it up consistently and at scale in a complex environment, and making operational decisions like:

  • Which policies do we configure, and how do we make them consistent?

  • How do we set up storage accounts, and where should they be?

  • How do we factor in costs of extra storage?

  • If we use an app firewall, which one should we use?

  • Where should we route the information from our Security Information Event Monitoring (SIEM) Integrator

What we do from an IT perspective

We set up and monitor things on a high level from a security, management, and network standpoint. (DevOps, in turn, can then take charge of their own part of the overall landscape of whichever applications and services they use.)

  • Within each security policy for a subscription, we turn on Data collection, which lets us collect information from virtual machines about security health, check the configuration of our virtual machines, and get security-event logs. We can also specify where we store data that's collected.

  • We also get visibility about security health through Azure Security Center APIs. We built a custom Power BI dashboard that shows the security state across Azure subscriptions.

  • We use the SIEM Integrator, which we configure from the subscription side. We can tap into previous investments made in an on-premises SIEM, such as alerts or incident-response capabilities, and can integrate this information in one place. With the SIEM Integrator, we get Windows security events from Windows-based virtual machines, in addition to audit logs from Azure subscriptions. Events and logs are sent to an on-premises platform that monitors security events.

What we do to enable DevOps

We provide configuration and operational guidance to DevOps teams that implement the actual apps and services. For instance, we advise on configuring the Power BI Content Pack. We show DevOps teams which types of issues to pay attention to and prioritize; for example, items that appear in red in the Azure Security Center dashboard.

Conclusion

Azure Security Center makes it much easier and more efficient for us to detect, protect, and respond to malicious and suspicious threats to our Azure resources. It also helps us support DevOps teams with critical, analytics-based guidance as they manage cloud deployments. We're confident that it can benefit your organization in similar ways.

For more information

Microsoft IT Showcase

microsoft.com/itshowcase

Azure Security Center

Azure Security Center Planning and Operations Guide

Auditing the cloud

The cloud security mindset

Get insights from Azure Security Center data with Power BI

 

©2016 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Show: