11. Lesson Summary
By this time, you already know about the different kinds of services that Microsoft Azure provides to protect your systems. You know that the traditional network security perimeter model for protecting your assets, resources, and data is still essential. Azure provides a wide range of security tools that will secure your data while also allowing you to control access to it and meet the needs of your organization. We’ve explored various things here, like network security groups, Azure Firewall, and web and application protection as well. And you also understand the importance of encrypting data, not only while it is stored but also while it is transmitted.
You’ve explored the nature of DDoS and how Azure helps protect your systems against that form of attack. Finally, the Azure Bastion host allows you to secure connections to any virtual machine in your server estate. You can imagine what would happen without these security tools. The organisation would be left bare, open, and vulnerable to data theft. You would have a hard time responding swiftly to malicious attacks on your web and data services, and you would not be able to meet any kind of security obligation. So Azure provides a one-stop shop for your secure solutions as well. And there’s a lot we need to know when it comes to cloud security and protecting your entire cloud security posture. Let’s go ahead and talk about that in the next lesson. This lesson should have been useful to you. Thanks for watching so far, and I’ll see you there.
12. Cloud Security Posture management
It is common knowledge that many organisations are rapidly adopting cloud computing. Misconfigurations are unavoidable when dealing with rapid change at scale. When that happens, accidents happen. Public cloud infrastructure is programmable through APIs, so a misconfiguration will put your entire organisation at major risk, which auditors really do not like. Misconfigurations are often caused by the mismanagement of multiple connected resources. Maybe you’re trying to configure Kubernetes, serverless functions, or containers, and there will be some kind of misconfiguration that eventually leads to a threat. Cloud security posture management is all about identifying those risks and then remediating them with the help of security assessments and automated compliance monitoring, so that when you move to the cloud, your infrastructure still stays safe at a certain level. Several organisations think that after you move to the cloud, it is entirely the cloud hosting provider’s responsibility, Microsoft’s responsibility, or Amazon’s responsibility. But that’s not the case. Based on the shared responsibility model, the story is different.
And if you’re thinking that it’s entirely the cloud hosting provider’s responsibility, well, that’s a mistake. And this mistaken belief will lead to data breaches and several security mishaps. That’s why cloud security breaches are a commonplace event even today, with most breaches happening as a result of errors involving cloud misconfigurations. Cloud Security Posture Management, or CSPM, is a relatively new class of tools designed to improve your cloud security management. It will assess your systems and automatically alert the security staff in your IT department. So when a vulnerability is found, your staff knows what to do. The CSPM will use a set of tools and services in your cloud environment so that you have monitoring in place. You can also prioritise the security enhancements and features. Let’s take a look at what tools and services CSPM uses in order to achieve this. Well, there’s zero-trust-based access control. That means it considers the active threat level when making access control decisions.
Real-time risk scoring provides visibility into the top risks. There’s TVM, which stands for Threat and Vulnerability Management, which establishes a holistic view of the organization’s attack surface and risk, and integrates into operations and engineering decision-making. Not only that, you will be able to discover and share risks. In order to understand the data exposure of enterprise intellectual property, you need visibility into what data is shared with cloud services. Guardrails can be used to audit and enforce the organization’s standards and policies on technical systems, and that comes under the Technical Policy section. And of course, you can do threat modelling and define the architectures.
Well, the main goal of the cloud security team working on posture management is to continuously report on and also improve the organization’s security posture by focusing on disrupting a potential attacker’s return on investment. The function of the CSPM in your organisation might be spread across multiple teams, or there may be a dedicated team as well. So what will that team do, and which organisations will be involved? Well, it could be your threat intelligence team. It could be your IT compliance and risk management teams, business leaders and subject matter experts, the people who made the security architecture and defined the operations, and also the audit team. So everybody is responsible for that. And within the organizations, multiple teams will take care of the CSPM duties. In short, you will use CSPM to improve your cloud’s security management, and thereby you’ll be assessing the environment and automatically alerting your security staff for any kind of vulnerability found.
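To make the guardrail and risk-prioritisation idea concrete, here is an added example that is not part of the course or of any Microsoft product: a small CSPM-style checker that evaluates a constructed inventory of cloud resources against a few technical-policy guardrails (internet-exposed management ports, missing encryption at rest, public storage exposure) and orders the findings by severity. The resource records, field names and policies are all assumptions made up for the illustration, not the Azure resource schema or Azure Policy.

```python
"""Added example (not from the course): a minimal CSPM-style guardrail
checker. Resource records and policies below are constructed for
illustration; they are not the Azure resource schema or Azure Policy."""
from dataclasses import dataclass

# Constructed inventory: a few cloud resources as a CSPM tool might
# collect them through the provider's API.
INVENTORY = [
    {"id": "vm-web-01", "type": "vm", "encryption_at_rest": True,
     "nsg_rules": [{"port": 22, "source": "0.0.0.0/0", "access": "Allow"},
                   {"port": 443, "source": "0.0.0.0/0", "access": "Allow"}]},
    {"id": "vm-db-01", "type": "vm", "encryption_at_rest": False,
     "nsg_rules": [{"port": 1433, "source": "10.0.0.0/16", "access": "Allow"}]},
    {"id": "stg-logs", "type": "storage", "public_blob_access": True,
     "encryption_at_rest": True, "https_only": False},
    {"id": "stg-backup", "type": "storage", "public_blob_access": False,
     "encryption_at_rest": True, "https_only": True},
]

MANAGEMENT_PORTS = {22, 3389}  # SSH and RDP


@dataclass
class Finding:
    resource_id: str
    control: str
    severity: str
    detail: str


def check_management_ports(res):
    """Flag NSG rules that expose SSH/RDP to the whole internet."""
    for rule in res.get("nsg_rules", []):
        if (rule["access"] == "Allow" and rule["port"] in MANAGEMENT_PORTS
                and rule["source"] == "0.0.0.0/0"):
            yield Finding(res["id"], "Network security", "High",
                          f"port {rule['port']} open to 0.0.0.0/0")


def check_encryption(res):
    """Every resource type in this toy inventory is expected to be encrypted at rest."""
    if not res.get("encryption_at_rest", False):
        yield Finding(res["id"], "Data protection", "Medium",
                      "encryption at rest disabled")


def check_storage_exposure(res):
    """Storage-specific guardrails: no anonymous blob access, HTTPS only."""
    if res.get("type") != "storage":
        return
    if res.get("public_blob_access"):
        yield Finding(res["id"], "Data protection", "High",
                      "public blob access enabled")
    if not res.get("https_only", False):
        yield Finding(res["id"], "Data protection", "Medium",
                      "HTTPS-only transfer not enforced")


GUARDRAILS = [check_management_ports, check_encryption, check_storage_exposure]


def assess(inventory):
    """Run every guardrail over every resource and collect the findings."""
    findings = []
    for res in inventory:
        for guardrail in GUARDRAILS:
            findings.extend(guardrail(res))
    return findings


def prioritise(findings):
    """Order findings so the highest-severity items come first (risk scoring)."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.resource_id))


if __name__ == "__main__":
    for f in prioritise(assess(INVENTORY)):
        print(f"[{f.severity}] {f.resource_id}: {f.control}: {f.detail}")
```

Running it lists the two high-severity items (the public storage container and the VM with SSH open to the internet) before the medium ones, which is the kind of ordered remediation list a CSPM tool feeds to the security team. A real tool would pull the inventory from the provider API and re-run continuously rather than once.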
13. Azure Security Center
The posture of network security is ever-changing. The battleground between the attackers and the defenders is shifting. Cybercriminals are breaching the security perimeter and trying to steal valuable assets and resources. We need a tool that will provide infrastructure-level security while also protecting your data. Within Microsoft Azure, there is a tool called Azure Security Center that will do just that. It provides advanced threat protection not only for your cloud systems but also for your hybrid workloads. Yes, that means it can protect your infrastructure whether it is in Azure or on premises. Azure Security Center provides a lot of tools that will help you harden your network, secure your services, and ensure that you have a top-of-the-line security posture.
At this moment, we have urgent security challenges. Let’s talk about them now that we’re in the cloud, where workloads are constantly changing. Organisations are empowering users to do more and more, and that brings lots of challenges. The challenge here is to ensure that the ever-changing services people use and create meet your security standards and follow best practices. So there are rapidly changing workloads. There are increasingly sophisticated attacks. Securing your public Internet-facing services is very essential; otherwise, you will be even more vulnerable. On top of that, security skills are in short supply.
The total number of security alerts and alerting systems far outnumbers the total number of administrators with the necessary background and experience to ensure your environments are protected. So that’s the challenge. And how does Azure Security Center protect us against these challenges? Well, the Security Center will assess your environment and enable you to understand the status of your resources, whether they are secure or not. That’s how you’ll know the security posture of the entire environment. It could be virtual machines, it could be app services, or it could be your virtual network as well. Plus, it will also protect you against threats.
So the Security Center works to identify and assess your workloads and raise threat prevention recommendations and security alerts for you, so that you can then take actions to improve the security posture. With all of these features, I really feel that you’ll have your security implemented faster since everything is done in the cloud. The Security Center is also in the cloud, so the security tool can match the cloud speed. Basically, Azure Security Center is a natively integrated tool, so the deployment stage is very easy: it is automatically provisioned to protect your Azure services. In a nutshell, Azure Security Center protects not only your Azure servers and virtual machines but also your on-premises networks and infrastructure. It could be Windows or Linux machines. All you have to do is install an agent known as the Log Analytics agent, and Azure virtual machines are automatically provisioned in the Security Center. As a result, using Azure Security Center provides you with numerous advantages. This is how you can strengthen the security posture of your machines, your data, and your applications, and you can perform a lot of hardening across these services.
14. Azure Security Center – Features
We discussed Azure Security Center’s capabilities. To summarise, let’s go over them further and look at some of the interfaces in Azure Security Center. Now, as we already know, it strengthens your security posture, right? As a result, you can use Azure Security Center to improve the security posture of your Azure infrastructure estate. And when you do that, you will be identifying the resources in your organisation and also performing certain hardening tasks across, let’s say, your machines, your data services, like Blob Storage or your Storage account, and also the applications hosted on App Services. Now, with Azure Security Center, you can manage and enforce a lot of security policies to ensure compliance is prevalent across your virtual machines, your non-Azure services, and also the Azure PaaS services. One important thing is continuous improvement, which happens as a result of continuous assessment.
Security Center provides this continuous assessment for your entire infrastructure estate, discovering new and existing resources and assets, and reporting whether they are configured in accordance with security compliance requirements. You’ll get an ordered list of how you can improve the posture, which means that you’ll be getting recommendations of what needs to be fixed to maintain that maximum protection. The recommendations will be grouped into security controls, and each control will be assigned a security score value. There are several controls, and we’ll talk about that in a minute. This whole process is crucial in enabling you to prioritise your security work. Now, let’s talk about one of the most powerful tools in the Security Center. It’s called the network map.
Now, this is something that continuously monitors the security status of your network. You can then use the map it creates to look at the topology of your workloads, so you can see if each node is properly configured. You will see how your nodes are connected, which helps block unwanted connections that could potentially make it easier for an attacker to creep along your network. Right? Now, with all of these capabilities, Azure Security Center can, of course, protect and detect threats to your infrastructure service, the non-Azure service, the Platform as a Service, and your resources as well. But the best part is that it has integration capabilities. It can integrate with Microsoft Defender to protect your platform as a service, not just your virtual machines.
The things that fall under “Platform as a Service” are resources like Azure App Services, Azure SQL, Azure Storage Account, and several other data services. It can protect you against brute force attacks, so it’s blocking the brute force attacks. And it does that by reducing access to virtual machine ports using something called Just-in-Time (JIT) Virtual Machine Access. So that means that you can harden your network by preventing unnecessary access. With all of this, you get assessments for possible vulnerabilities: the potential vulnerabilities across the virtual machines and the databases from, say, Azure SQL and Storage services as well. And it will also recommend ways you can mitigate those vulnerabilities. Security Center also automatically correlates alerts in your environment based on something called “cyber kill chain analysis.” What it will eventually do is help you better understand the full story of an attack campaign, where it started, and what kind of resources were impacted. As a result of its integration capabilities, Azure Security Center allows you to onboard security faster and secure organisations faster.
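Here is an added example of the just-in-time idea described above, written for this lesson rather than taken from the course or from Microsoft: a default-deny gate for management ports that opens a port only for an approved source, only for an approved time window, and closes it again when the window expires. The policy, the access request and the connection attempts are all constructed; the class and its methods are assumptions for the illustration, not the Azure JIT API.

```python
"""Added example (not from the course): a simulation of the just-in-time
VM access idea. The policy, requests and connection attempts are
constructed; the JitGate class is not the Azure JIT API."""
from datetime import datetime, timedelta
import ipaddress

# Constructed JIT policy: which ports may be opened on which VM, and the
# longest window an administrator may request.
JIT_POLICY = {"vm-web-01": {"allowed_ports": {22, 3389}, "max_minutes": 60}}


class JitGate:
    """Default-deny for management ports; allow only during approved windows."""

    def __init__(self, policy):
        self.policy = policy
        self.windows = []  # (vm, port, source network, expires_at)

    def request_access(self, vm, port, source_cidr, minutes, now):
        """Approve a time-boxed opening if it stays inside the policy."""
        rule = self.policy.get(vm)
        if rule is None or port not in rule["allowed_ports"]:
            return False
        if minutes > rule["max_minutes"]:
            return False
        net = ipaddress.ip_network(source_cidr, strict=False)
        self.windows.append((vm, port, net, now + timedelta(minutes=minutes)))
        return True

    def is_allowed(self, vm, port, source_ip, now):
        """Expire old windows, then check the attempt against the live ones."""
        ip = ipaddress.ip_address(source_ip)
        self.windows = [w for w in self.windows if w[3] > now]
        return any(v == vm and p == port and ip in net
                   for v, p, net, _ in self.windows)


def evaluate(gate, attempts):
    """Return (allowed, denied) counts for a time-ordered list of attempts.
    The denied count is what a brute-force detection would watch."""
    allowed = denied = 0
    for vm, port, ip, ts in attempts:
        if gate.is_allowed(vm, port, ip, ts):
            allowed += 1
        else:
            denied += 1
    return allowed, denied


def demo():
    """Constructed scenario: one admin window, one password-guessing burst."""
    t0 = datetime(2024, 1, 1, 9, 0)
    gate = JitGate(JIT_POLICY)
    assert gate.request_access("vm-web-01", 22, "203.0.113.10/32", 30, t0)
    attempts = [
        # admin connects inside the 30-minute window
        ("vm-web-01", 22, "203.0.113.10", t0 + timedelta(minutes=5)),
        # 50 rapid attempts from an address that never requested access
        *[("vm-web-01", 22, "198.51.100.7", t0 + timedelta(minutes=6, seconds=s))
          for s in range(50)],
        # admin again, but after the window has expired
        ("vm-web-01", 22, "203.0.113.10", t0 + timedelta(minutes=45)),
    ]
    return evaluate(gate, attempts)


if __name__ == "__main__":
    print("allowed, denied =", demo())
```

Only the in-window connection from the approved address is allowed; the guessing burst and the late admin attempt are both refused, and the refused burst is exactly the signal that would be raised as a brute-force alert.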
15. Azure Security Center – Security Score
I did mention the security score a few minutes ago in the previous lesson, when we were talking about the Azure Security Center features and what Azure Security Center is. Now, we know that Azure Security Center is continuously assessing your resources, your subscriptions, and your organisations for various security issues. So what it’s going to do is aggregate all its findings into a single score, so you can look at that security score and assess the current security situation.
So what does the score mean? Well, the higher the score, the lower the identified risk level is. So it’s inversely proportional. The security score is shown on the Azure Portal pages as a percentage value. So, what do you do to improve your score? Well, you go ahead and look at the recommendations page for any outstanding actions. Each recommendation will include instructions on how you can remediate that specific issue. So, how is the security score calculated?
Now, we were talking about certain controls in the previous lesson, and I mentioned that you will have groups of controls and that points are given against each control. Now, every control in the Recommendations list will show the potential security score, and you need to increase that by following the remediations. You need to address the underlying problem. To obtain every possible security control point, all of your resources must adhere to all of the security recommendations contained within that security control. For example, the Security Center has multiple recommendations for how to secure your management ports. You must remediate them all to make a difference to your score. So it’s important to improve your score. And in order to improve your score, like I said, you need to remediate the security recommendations from the Recommendations list. You can manually remediate each recommendation for every resource, or there is a “quick fix” button as well. With this, all the remedies are applied automatically. By pressing a single button, you can achieve a secure posture. So, in short, to summarize, you will use your Azure security score to monitor your security posture. You can easily implement the actions that will help you remediate your environment. Let’s talk about Azure Defender in the next section.
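As an added worked example (not from the course, and not Microsoft’s implementation), the following script computes a secure-score-style percentage from per-control assessments. It follows the rule described above: a resource only counts as healthy for a control when it passes every recommendation in that control, and the overall score is the points earned across all controls divided by the maximum, shown as a percentage. The control names, point values and resource results are constructed; the proportional formula for a partially compliant control (max points times the share of healthy resources) is how secure score is documented, but the sample numbers are not real Azure values.

```python
"""Added example (not from the course): computing a secure-score-style
percentage from per-control assessments. Control names, point values and
resource states are constructed; only the proportional formula
(points earned = max points x share of healthy resources) follows how
secure score is documented."""

# Constructed controls: each has a maximum score and the recommendations
# a resource must pass to be counted as healthy for that control.
CONTROLS = {
    "Secure management ports": {
        "max_points": 8,
        "recommendations": ["jit_enabled", "mgmt_ports_closed"],
    },
    "Enable encryption at rest": {
        "max_points": 4,
        "recommendations": ["disk_encryption"],
    },
    "Remediate vulnerabilities": {
        "max_points": 6,
        "recommendations": ["vuln_assessment_installed", "no_critical_findings"],
    },
}

# Constructed assessment results per resource: recommendation -> passed?
ASSESSMENTS = {
    "vm-web-01": {"jit_enabled": True, "mgmt_ports_closed": False,
                  "disk_encryption": True, "vuln_assessment_installed": True,
                  "no_critical_findings": True},
    "vm-db-01": {"jit_enabled": True, "mgmt_ports_closed": True,
                 "disk_encryption": False, "vuln_assessment_installed": True,
                 "no_critical_findings": False},
    "vm-app-01": {"jit_enabled": True, "mgmt_ports_closed": True,
                  "disk_encryption": True, "vuln_assessment_installed": True,
                  "no_critical_findings": True},
}


def resource_healthy(control, results):
    """Healthy for a control only if every recommendation in it passes."""
    return all(results.get(rec, False) for rec in control["recommendations"])


def control_score(name, assessments):
    """(points earned, max points) for one control across all resources."""
    ctl = CONTROLS[name]
    healthy = sum(resource_healthy(ctl, r) for r in assessments.values())
    total = len(assessments)
    earned = ctl["max_points"] * healthy / total if total else 0
    return earned, ctl["max_points"]


def secure_score(assessments):
    """Overall score as a percentage, like the portal shows it."""
    earned = sum(control_score(n, assessments)[0] for n in CONTROLS)
    maximum = sum(c["max_points"] for c in CONTROLS.values())
    return round(100 * earned / maximum, 1)


def potential_increase(assessments):
    """Points still available per control, largest first: the order in
    which the recommendations list would tell you to work."""
    gaps = []
    for name in CONTROLS:
        earned, mx = control_score(name, assessments)
        if earned < mx:
            gaps.append((name, round(mx - earned, 2)))
    return sorted(gaps, key=lambda g: -g[1])


def apply_quick_fix(assessments, recommendation):
    """Simulate the quick-fix button: mark one recommendation passed on
    every resource, returning a new assessment set."""
    return {rid: {**res, recommendation: True} for rid, res in assessments.items()}


if __name__ == "__main__":
    print("score:", secure_score(ASSESSMENTS), "%")
    print("potential:", potential_increase(ASSESSMENTS))
    fixed = apply_quick_fix(ASSESSMENTS, "mgmt_ports_closed")
    print("after quick fix:", secure_score(fixed), "%")
```

Note how vm-web-01 earns nothing for the management-ports control even though JIT is enabled, because the second recommendation in that control is still unhealthy; closing the ports on every resource lifts the whole control to its maximum and the overall percentage with it.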
16. Azure Defender
We need some kind of tool that will do threat protection for all your workloads, regardless of where they are located. They could be in Azure, on premises, or in other clouds. Azure Defender is a Microsoft tool that does extended detection and response, often called XDR, and it’s integrated with Azure Security Center. It will protect your hybrid data, cloud-native services, and servers, and it also integrates with your existing security workflows. There are lots of built-in policies that Azure Defender comes with, but you can also add your own custom policies and different initiatives. There are different regulatory standards such as NIST, Azure CIS, and the Azure Security Benchmark, and Azure Defender is compliant with each of these regulatory standards. You will find the Azure Defender dashboard inside Azure Security Center, and it provides visibility and control of your organization’s cloud workload protection across the networks. That’s about Azure Defender in general. Let’s go ahead and understand the scope of Azure Defender and the different plans available in it. Can it protect your servers? Can it protect your app services? Of course, and it goes beyond that. Let’s go and talk about them and their integration capabilities one by one.
So you’ve got Azure Defender for servers, which means that you can have threat detection and advanced defences for your Windows and Linux machines. Not only that, but it is also available for platform services. For example, with Azure Defender for App Service, you can use the cloud scale to identify attacks targeting applications that run on App Service. Azure Defender is also available for your storage, so for any kind of potentially harmful activity happening on your storage account, whether it is files, tables, queues, blobs, or even data lakes, Azure Defender is there to keep you safe. Then there is Azure Defender for SQL. It comes as a security package to secure your databases and their data, wherever they are located. Cloud-native security is becoming a big buzzword, so Azure Defender is available for Kubernetes as well. It provides cloud-native Kubernetes security, environment hardening, workload protection, and runtime protection for your Kubernetes clusters. Organizations like to keep all their images inside container registries, so Azure Defender is available for container registries, and all the images that are pushed to the registry are scanned by Azure Defender.
Azure Defender is also available for Key Vault. So you get advanced threat protection for Key Vault, which is again cloud native, and it provides an extra layer of security intelligence. So with Azure Defender, you are also able to provide security services not only to cloud environments but also to your hybrid workloads, which are possibly not in Azure. You can protect your non-Azure servers, possibly virtual machines in Amazon Web Services or Google Cloud, so you can focus on what matters. With Azure Defender, you can customise threat intelligence and prioritise alerts according to your specific environment, both in the cloud and outside it. Not just that, you can have alerts configured with Defender.
These alerts are also exportable to Azure Sentinel. We’ll be talking a lot about Azure Sentinel in the next chapter. Azure Sentinel will be covered in detail in the following section, but for now, focus on Azure Defender. With Azure Defender, you can also have advanced analytics for tailored recommendations as they relate to your resources. These analytics might include securing the management ports of your virtual machines with something called “just-in-time access,” which we learned about in the first chapter. But there’s also something called “adaptive application controls,” and this will allow you to create a list of what apps people should be able to run and what they should not run on their machines.
Then finally, Azure Defender includes vulnerability scanning for your virtual machines and your container registries. You can also review the results of these vulnerability scanners and respond to them using a single console known as Azure Security Center. So that’s an overview of Azure Defender and what it can do, which is extended detection and response, and why it’s called an XDR. And the good news is that you can protect not only your cloud-based infrastructure, but also your on-premises infrastructure, which is referred to as “hybrid cloud protection.” Well, thanks for watching so far. I’ll see you in the next section, where we talk about something interesting: what’s called “security benchmarks” in Azure. Thanks for watching again.
17. Azure Security Benchmark
Before we begin discussing ASB, let us first define CIS. CIS stands for Center for Information Security, and its guidance is distributed for free in PDF format to propagate worldwide usage. Now, what’s there inside that PDF? Well, there are good recommendations when it comes to security for desktops, web browsers, mobile devices, network devices, and so on; the list just goes on. But what is the CIS benchmark? Now, the CIS benchmark is published by the Center for Information Security, so you can go to cisecurity.org if you’d like to get more information about it. But to be precise, we are just talking about the documentation, which lists the best practices for securing IT systems, software, and networks. So you’ve received all of the recommendations for various categories. Now, to be more precise about what those categories are: well, there are the operating system benchmarks, which talk about how the operating system configuration should be and how the security configuration of Windows, Linux, and Apple OS X should look.
There are also server software benchmarks. For example, there are security benchmarks for Microsoft SQL Server, VMware, Docker, and even Kubernetes. Now, with the addition of the cloud, there are benchmarks for cloud providers, for example, Amazon Web Services, Microsoft Azure, Google, or IBM. Then there are mobile device benchmarks that include iOS and Android, which cover how the developer options should look and what the settings for each should be. Then there are network device benchmarks, which talk about vendor-specific security configurations for hardware that comes from Cisco, Palo Alto, Juniper, or others. The next one is the desktop software benchmarks, which talk about how software applications, desktops, and client-based operating systems should behave:
Microsoft Office, Exchange Server, Google Chrome, Firefox, Safari, and so on. And finally, the multifunction print device benchmarks, which outline the security best practices for configuring multifunction printers in office settings. These talk about how firmware updates should happen, the TCP/IP configuration, the wireless access configuration, user management, and file sharing. Now, that’s about CIS benchmarks, and I would recommend that you go ahead and take a look at the CIS security site to get more detailed information about it. Now, how does it relate to the Azure Security Benchmark? Well, what is a benchmark? A benchmark is something that provides recommendations for a specific technology, for example, Azure in this case. So ASB provides benchmarks, best practices, and recommendations to help improve the security of your workloads, your data, and all the services that you will possibly host on Azure. Now, ASB focuses on cloud-centric control areas and not everything that CIS does, but most of these controls are consistent with well-known security benchmarks, for example, CIS.
The areas covered are network security, identity management, posture and vulnerability management, as well as enterprise security. So there are several recommendations that you will get from ASB, each with an Azure ID, a recommendation level, guidance, and responsibility. So, who is in charge of putting the control in place? The possible scenarios are customer responsibility, Microsoft responsibility, or shared responsibility. Then you also get recommendations from Azure Security Center’s monitoring. Security baselines are included for some of these Azure services. You can take a look at the Azure Security Benchmark for Security Center, and you’ll get a lot of content that is grouped by the security controls defined by the Azure Security Benchmark, together with the related guidance applicable to Azure Security Center.
18. Azure Security Center – Pricing Tier
We spoke about cloud security posture management a few minutes ago, and you understand how essential it is for your organization. Microsoft Azure lets you decide how much you need to meet your regulatory, compliance, and corporate security needs. When you select Azure Security Center, you have two choices. You can keep Azure Defender off, which is the free mode of Azure Security Center, with Defender not enabled for any of your subscriptions. This is the mode you will have when you visit your Azure Security Center dashboard for the first time. You can also enable it programmatically by using APIs. The other choice is Azure Defender on, which extends the free mode capabilities to workloads running in private clouds as well as public clouds. And this will provide unified security management as well as threat protection across your hybrid cloud workloads. That’s all for now, folks. This was a small section where we spoke about the Azure pricing tier. So your pricing tier depends on whether you’re turning Defender on or off. But regardless of that, think about your compliance regions. Think about all the regulatory and corporate security needs, and whether you need to turn it on or off.
19. Chapter Summary
Let’s circle back to this chapter and understand what we learned. We learned about Azure Security Center, and you understood your security posture using the Azure security score. You’ve learned about Azure Defender’s features and the various plans available. You also looked at cloud security posture management and how it can benefit your security posture. Finally, we also looked at the Azure security baselines and how they align with CIS benchmarks. Security is essential for every organization, and without these tools, specifically when you’re using Azure, protecting your organization’s data and resources would become really difficult. You would require multiple layers of overlapping software that would be an overhead or extra maintenance, and there would be no guarantee of complete protection. With these tools, it’s simple to keep your system secure without having overlapping licences for third-party software. So you can secure your Azure tools and the various services that you will provision in Azure. Thanks for watching so far. Hopefully, this lesson has been informative to you. Let’s go ahead and jump into Azure Sentinel in the next lesson.
20. Describe the security capabilities of Azure Sentinel
Organizations come in different shapes and sizes. There are big ones, there are small ones, and there are small and medium businesses. Regardless of their size, they are susceptible to security threats and attacks. Being able to collect the data in order to gain visibility into their digital estate and then detect, investigate, and respond to threats is central to any network security strategy. What you need is a visualization to see how much data has been accumulated. This lesson is all about collecting and understanding the different security defenses that are available to protect your company’s digital data. Here we’ll explore Azure Sentinel, which is a single solution for alert detection, threat visibility, proactive monitoring, hunting, and threat response. Finally, you will have a high-level understanding of Azure Sentinel costs. So what are we going to do in this lesson? Throughout this lesson, we’ll talk about the security concepts of SIEM, SOAR, and XDR. SOAR stands for Security Orchestration, Automation, and Response, and XDR stands for Extended Detection and Response. We also talk about how Azure Sentinel provides integrated threat protection, and then the various capabilities of Azure Sentinel will be covered at the end. I hope this particular lesson will kindle your interest in information security in Azure. Thanks for watching so far. I hope this will be informative to you as well.