Cloud Posture Management and Workload Protection with Azure Sentinel
Everyone brings a preconceived perspective to the words “cloud security.” Some people think of applications being configured correctly.
Some think of infrastructure concepts such as networking and VPNs. Others think of identity concepts such as password spray attacks, phishing, or multi-factor authentication. Cloud security is all of these, and much more.
This post focuses on cloud posture management and workload protection with Azure Sentinel: the cloud security perspective, the risks, and how to integrate Azure Sentinel, Azure Defender, and Azure Security Center.
Cloud security is a responsibility that is shared between the cloud provider and the customer. There are three categories of responsibilities in the Shared Responsibility Model:
Cloud Provider – Responsibilities that are always the provider’s.
Customer – Responsibilities that are always the customer’s.
Service Model – Responsibilities that vary with the service model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
The responsibilities that are always the provider’s relate to safeguarding the infrastructure: access to, patching of, and configuration of the physical hosts and the physical network on which the compute instances run and on which storage and other resources reside.
The responsibilities that are always the customer’s include managing users and their access privileges, safeguarding cloud accounts from unauthorized access, encrypting and protecting cloud-based data assets, and managing the overall security posture.
The shared responsibility model below shows how Microsoft divides responsibility for each service model.
For more information, see Shared responsibility in the cloud – Microsoft Azure.
Cloud Security Challenges
Because the public cloud has no clear perimeter, it presents a fundamentally different security reality.
This becomes even more challenging when adopting modern cloud practices such as automated Continuous Integration and Continuous Deployment (CI/CD), distributed serverless architectures, and ephemeral assets such as Functions as a Service and containers.
Some of the advanced cloud-native security challenges and the multiple layers of risk faced by today’s cloud-oriented organizations include:
Misconfiguration – This is one of the most common challenges of the cloud. In 2017, a misconfigured AWS S3 bucket exposed detailed private data on 123 million American households. The data set belonged to Experian, a credit bureau, which had sold it to an online marketing and data analytics company called Alteryx; it was Alteryx that exposed the file. Such incidents can be disastrous.
Increased Attack Surface – The public cloud has become a large and attractive attack surface for attackers who exploit poorly secured cloud ingress ports to access and disrupt workloads and data. Malware, zero-day exploits, account takeover, and many other malicious threats are now a day-to-day reality.
Visibility and Tracking – In the IaaS model, the cloud provider has complete control over the infrastructure layer and does not expose it to customers. The lack of visibility and control extends further in the PaaS and SaaS models. Cloud customers often cannot effectively identify and quantify their cloud assets or visualize their cloud environments.
Ever-Changing Workloads – Cloud assets are provisioned and decommissioned dynamically at scale and velocity. Traditional security tools cannot enforce protection policies in such a flexible and dynamic environment with its ever-changing and ephemeral workloads.
DevOps (and DevSecOps) – Organizations that have embraced the highly automated DevOps CI/CD culture must ensure that appropriate security controls are identified and embedded in code and templates early in the development cycle. Security-related changes implemented after a workload has been deployed in production can undermine the organization’s security posture and lengthen the time to market.
Complex Environments – Managing security consistently in the hybrid and multi-cloud environments that enterprises favor today requires methods and tools that work seamlessly across public cloud providers, private cloud providers, and on-premises deployments, including branch office edge protection for geographically distributed organizations.
Privilege and Keys – Cloud user roles are often configured loosely, granting rights well beyond what is intended or required. One typical example is giving database delete or write permissions to untrained administrators or privileged users who have no business need to delete or add database assets. At the application level, poorly configured keys and privileges expose sessions to risk.
Compliance and Governance – All the leading cloud providers have aligned themselves with well-known frameworks and regulations such as NIST, HIPAA, and GDPR, but customers remain responsible for ensuring that their workloads and data processes are compliant.
Given weak visibility and the dynamic nature of cloud environments, the compliance audit process becomes nearly impossible without tools that perform continuous compliance checks and raise real-time alerts about misconfigurations.
Cloud Migration Issues – Cloud migration is happening in droves, but it has to be handled properly; otherwise it exposes the business to unnecessary risk. The four most significant challenges facing businesses are visibility into infrastructure security, compliance, setting security policies, and security failing to keep up with the pace of change in applications.
Unsecured APIs – The tricky thing about the cloud is the number of possible entry points for attack. While the attack surface may be smaller in total, it is far more fragmented. This is most visible in micro-service architectures and the growing use of serverless functions.
APIs are useful, but you have to consider how they affect the wider system. Even if the cloud platform itself is technically sound, intruders can reach data through less-secure APIs. The proper cloud security tooling helps you vet each application for weak points like these.
Open Source – Applications are built from open-source packages, and those packages can carry vulnerabilities. Attackers sometimes poison the well in a package’s Git repository, wait for developers to pull the package, and later compromise the application through a well-prepared attack vector.
Expertise – According to the Cloud Security Alliance “Cloud Adoption Practices & Priorities Survey Report,” 34 percent of companies are currently avoiding the cloud because they do not believe their IT and business managers have the knowledge and experience to handle the demands of cloud computing. This makes it one of the top four concerns businesses have regarding cloud security.
The average enterprise now uses between three and four clouds, which adds layers of complexity that require technical competence and relevant experience.
Architecture and Strategy – Organizations are migrating part or all of their IT infrastructure to public clouds. One of the biggest challenges during this transition is implementing a security architecture that can withstand cyberattacks.
Unfortunately, this is still a puzzle for many companies. Data is exposed to new threats when organizations assume that cloud migration is a “lift-and-shift” exercise of simply porting their existing IT stack and security controls to a cloud environment. A lack of understanding of the shared responsibility model is another contributing factor.
Cloud Protection Models
When it comes to cloud security, there are various ways to protect and manage it. Which apply depends on the cloud service model and the shared responsibility model, and the protection models draw on many terms, technologies, and methodologies.
Confidential computing – one of 33 technologies on the Gartner Hype Cycle for Cloud Security, 2020 – protects code and data from the host system. Making critical information invisible to third parties, including the host, potentially removes the last barrier to cloud adoption for highly regulated businesses in the financial services, insurance, and healthcare sectors.
For more information, see Top Actions From Gartner Hype Cycle for Cloud Security, 2020.
As you can see, many technologies protect the cloud. Some provide more value than others, because each technology targets a specific service. The most valuable are the following:
Cloud Security Posture Management (CSPM) emerged in response to companies’ growing need to configure public cloud IaaS and PaaS services correctly and address cloud risks. CSPM is a class of security tools defined by Gartner, with use cases for compliance monitoring, DevOps integration, incident response, risk assessment, and risk visualization.
For enterprises with a multi-cloud strategy, cloud security posture management (CSPM) assures business and security leaders that their services are implemented in a secure and compliant way across multiple cloud infrastructure as a service (IaaS) providers.
Cloud Workload Protection Platforms (CWPP, Gartner’s term) are workload-centric security solutions, typically agent-based. They address the unique requirements of server workload protection in modern hybrid data center architectures that span on-premises physical and virtual machines (VMs) and multiple public cloud infrastructure as a service (IaaS) environments.
Ideally, they also support container-based application architectures. Vendors competing in this market differentiate on the capabilities they offer for hybrid cloud workload protection.
Advanced threat protection for PaaS allows you to prevent threats and detect unusual activities on PaaS workloads, including App Service plans, Storage accounts, and SQL servers.
Azure Defender and Security Center Perspective
Cloud Security Posture Management with Azure Security Center helps you prevent misconfigurations and strengthen the security posture of workloads deployed in Azure or on-premises. Cloud security posture management rests on three central pillars:
- Compliance assurance
Azure Security Center covers all of these pillars. It discovers new and existing workloads, identifies misconfigurations, provides recommendations to improve the security posture of cloud workloads, and assesses them against regulatory standards and benchmarks. According to Gartner, a typical CSPM deployment has the layers shown in the figure.
Cloud workload protection with Azure Security Center extends its threat protection capabilities to counter sophisticated threats against workloads deployed in Azure, on-premises, or in third-party clouds such as GCP and AWS.
Azure Sentinel provides intelligent security analytics and threat intelligence for alert detection, threat visibility, proactive hunting, and threat response against advanced and sophisticated cyber-attacks.
With Azure Security Center enabled in your subscription, you can ingest its security alerts into Azure Sentinel. Azure Sentinel applies machine learning (ML) and artificial intelligence (AI) to make threat hunting more effective.
Advanced Workload Protection with Azure Defender prevents threats and detects unusual activity on PaaS workloads, including App Service plans, Storage accounts, and SQL servers.
Azure Defender adds further security alerts and advanced threat detection, and it can monitor specific resource types. The Azure Defender pane inside Azure Security Center shows which workloads are protected by Azure Defender and which are not.
Azure Defender is available for servers, App Service, Storage, SQL, Key Vault, Resource Manager, DNS, Kubernetes, and container registries. It can also protect non-Azure servers, on-premises and in other clouds, via Azure Arc.
Features you get for a Windows Server (as an example) by adding Azure Defender for servers:
Security alerts – Appearing in Azure Security Center, security alerts detail the suspicious process executed, its start time, and the MITRE ATT&CK tactic.
Vulnerability assessment – Your VM is scanned, the collected artifacts are analyzed by Qualys’ cloud service, and the results are sent back to Azure Security Center.
Just-in-time access – JIT VM access enables you to lock down standard inbound management ports and easily open them when requested by an appropriate user, to their connection only, for a limited time.
Adaptive application controls – This feature provides an intelligent and automated allow list of known-safe applications for your VM.
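The JIT VM access flow described above, as an added PowerShell example (Az.Security module) that is not part of the original post: the first half defines a policy that keeps RDP and SSH closed on one VM, the second half requests a one-hour opening of RDP for a single source address, which is the "to their connection only, for a limited time" part. The subscription ID, resource group, location, VM name and requester IP are placeholders.

```powershell
# Added example, not from the original post. Requires the Az.Security module and an
# authenticated session (Connect-AzAccount). All identifiers below are placeholders.
$SubscriptionId = "00000000-0000-0000-0000-000000000000"
$ResourceGroup  = "rg-prod"
$Location       = "westeurope"
$VmName         = "vm-web01"
$VmId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Compute/virtualMachines/$VmName"

# 1. Define the JIT policy: RDP (3389) and SSH (22) are kept closed by an NSG deny rule and may
#    be opened on request for at most three hours (ISO 8601 duration PT3H). The "*" source prefix
#    here only bounds what a requester is allowed to ask for; the real opening is narrowed in step 2.
$JitPolicy = @{
    id    = $VmId
    ports = @(
        @{ number = 3389; protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" },
        @{ number = 22;   protocol = "*"; allowedSourceAddressPrefix = @("*"); maxRequestAccessDuration = "PT3H" }
    )
}
Set-AzJitNetworkAccessPolicy -Kind "Basic" -Location $Location -Name "default" `
    -ResourceGroupName $ResourceGroup -VirtualMachine @($JitPolicy)

# 2. Request access for one user: only port 3389, only from that user's public IP, only for one
#    hour (shorter than the policy maximum). The opening is a temporary NSG allow rule that
#    Security Center removes once endTimeUtc passes.
$RequesterIp = "203.0.113.10"   # placeholder (TEST-NET-3 documentation range)
$EndTimeUtc  = (Get-Date).ToUniversalTime().AddHours(1).ToString("o")
$JitRequest = @{
    id    = $VmId
    ports = @(
        @{ number = 3389; endTimeUtc = $EndTimeUtc; allowedSourceAddressPrefix = @($RequesterIp) }
    )
}
$PolicyId = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.Security/locations/$Location/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $PolicyId -VirtualMachine @($JitRequest)

# 3. Verify the policy exists for the VM.
Get-AzJitNetworkAccessPolicy -ResourceGroupName $ResourceGroup -Location $Location -Name "default"
```

Keep the policy's maxRequestAccessDuration short and never leave a "*" source prefix in an actual request; the value of JIT is that the allow rule is scoped to one address and expires on its own.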
Integrate Azure Sentinel with Defender and Security Center
Integrating Azure Sentinel, Azure Security Center, and Azure Defender is straightforward and takes a few simple actions on each platform.
To integrate Azure Security Center with Azure Sentinel and ingest its logs for investigation, you need the following:
Microsoft Azure subscription – essential, because this post assumes you already have Azure Sentinel or Azure Security Center (ASC), and therefore an Azure subscription, in place. If not, you can start a free Azure trial here.
Log Analytics workspace – required to ingest logs into Azure Sentinel. Follow the instructions here to create a new workspace for Azure Sentinel.
Azure Defender Standard tier – must be enabled, and the Microsoft Monitoring Agent must be installed on every object that Azure Security Center monitors.
Ensure Azure Defender is turned on (Standard tier) and that resources are monitored by Azure Defender and Azure Security Center.
Selective resources – you can turn coverage on or off per resource type based on your requirements.
TIP: Make sure Azure Defender provides coverage and is sending data.
Security Center’s coverage view is another way to confirm that everything is configured correctly and fully covered.
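The three requirements above (Standard tier on, coverage per resource type, agent installed) as an added PowerShell example that is not part of the original post. It assumes the Az.Security and Az.Compute modules and an authenticated session; the plan names are the Microsoft.Security/pricings resource names for the resource types the post lists, and the extension type names are those of the Windows and Linux Log Analytics agents.

```powershell
# Added example, not from the original post. Requires Az.Security and Az.Compute and an
# authenticated session (Connect-AzAccount; Set-AzContext -Subscription "<id>").

# Microsoft.Security/pricings names for the resource types Azure Defender covers (the list
# given earlier in the post). These are the values Get-/Set-AzSecurityPricing accept as -Name.
$DefenderPlans = @(
    "VirtualMachines",      # Azure Defender for servers
    "AppServices",
    "StorageAccounts",
    "SqlServers",
    "KeyVaults",
    "Arm",                  # Resource Manager
    "Dns",
    "KubernetesService",
    "ContainerRegistry"
)

# 1. Turn on the Standard tier for each plan. On the Free tier you get posture recommendations
#    only, no threat detection, so nothing from these resource types would reach the Sentinel connector.
foreach ($Plan in $DefenderPlans) {
    Set-AzSecurityPricing -Name $Plan -PricingTier "Standard" | Out-Null
}

# 2. Coverage check: report any plan that is still not on Standard.
$Uncovered = Get-AzSecurityPricing | Where-Object { $_.PricingTier -ne "Standard" }
if ($Uncovered) {
    Write-Warning "Plans without Azure Defender coverage:"
    $Uncovered | Select-Object Name, PricingTier | Format-Table -AutoSize
} else {
    Write-Host "All Azure Defender plans are on the Standard tier."
}

# 3. Agent check: Defender for servers needs the Microsoft Monitoring Agent (Windows) or the
#    OMS agent (Linux) on each VM. List VMs where neither extension is installed; those VMs
#    are "covered" by the plan but send no telemetry.
$MissingAgent = foreach ($Vm in Get-AzVM) {
    $Agents = Get-AzVMExtension -ResourceGroupName $Vm.ResourceGroupName -VMName $Vm.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtensionType -in @("MicrosoftMonitoringAgent", "OmsAgentForLinux") }
    if (-not $Agents) {
        [pscustomobject]@{ VM = $Vm.Name; ResourceGroup = $Vm.ResourceGroupName }
    }
}
if ($MissingAgent) {
    Write-Warning "VMs without the monitoring agent (no Defender for servers telemetry):"
    $MissingAgent | Format-Table -AutoSize
}
```

Run this per subscription; pricing is a subscription-level setting, so a multi-subscription tenant needs the loop wrapped in Get-AzSubscription | ForEach-Object { Set-AzContext ... }.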
Once the requirements are met, you can integrate Azure Security Center with Azure Sentinel. Follow the instructions below to connect Azure Defender and Security Center to Azure Sentinel.
From the Azure Sentinel portal, go to “Data connectors.”
Search for the “Azure Defender” connector and choose “Open connector page.”
On the connector page, make sure the workspace has the correct permissions and that the relevant subscription shows as “Connected” and is turned on.
TIP: Make sure the Azure Defender connector shows as connected and is providing data.
Once Azure Sentinel, Azure Defender, and Azure Security Center are configured, you can simulate a few attacks from the Security Center portal.
The simulation uses the “sample alerts” available under Security alerts in the Azure Security Center portal.
Currently, sample alerts cover a few scenarios, such as:
- App Services
- Key Vaults
- Azure SQL
Once you choose a sample scenario, Security Center runs a playbook in the background. When it finishes, the alerts appear in the Security Center portal and in the Azure Sentinel incidents page.
From Azure Sentinel, you can view the alerts and investigate each signal.
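Viewing and triaging the ingested alerts, as an added example that is not part of the original post and that also illustrates the Security Center-to-Sentinel ingestion described earlier. It is PowerShell (Az.OperationalInsights) wrapping a KQL query over the SecurityAlert table, which is where the Azure Defender connector writes Security Center alerts. The workspace ID is a placeholder; the "[SAMPLE ALERT]" name prefix and the resourceType key inside ExtendedProperties are assumptions about how the sample alerts are labelled.

```powershell
# Added example, not from the original post. Requires Az.OperationalInsights and an
# authenticated session. Replace the workspace ID with your Sentinel workspace's ID.
$WorkspaceId = "00000000-0000-0000-0000-000000000000"

# KQL over SecurityAlert, the table the Azure Defender connector fills with Security Center alerts.
# Assumptions: sample alerts carry a "[SAMPLE ALERT]" prefix in AlertName, and ExtendedProperties
# (a JSON bag) has a "resourceType" key. Severity is ranked numerically because ordering the
# text values alphabetically would put Medium above High.
$Query = @'
SecurityAlert
| where TimeGenerated > ago(24h)
| where ProductName == "Azure Security Center"
| extend AlertClass = iff(AlertName startswith "[SAMPLE ALERT]", "sample", "real")
| extend Props = parse_json(ExtendedProperties)
| extend ResourceType = tostring(Props["resourceType"])
| extend SevRank = case(AlertSeverity == "High", 3, AlertSeverity == "Medium", 2, AlertSeverity == "Low", 1, 0)
| summarize Count = count(), LastSeen = max(TimeGenerated)
    by AlertClass, SevRank, AlertSeverity, AlertName, CompromisedEntity, Tactics, ResourceType
| order by AlertClass asc, SevRank desc, Count desc
'@

$Result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query
$Rows   = @($Result.Results)

# Real alerts are the triage queue. Sample alerts only prove that the Security Center -> Sentinel
# pipeline works end to end (the simulation step above) and should never be escalated.
$Real    = @($Rows | Where-Object { $_.AlertClass -eq "real" })
$Samples = @($Rows | Where-Object { $_.AlertClass -eq "sample" })

"Security Center alerts to triage (last 24h): $($Real.Count)"
$Real | Format-Table AlertSeverity, AlertName, CompromisedEntity, ResourceType, Tactics, Count -AutoSize

"Sample alerts seen (pipeline check): $($Samples.Count)"
$Samples | Format-Table AlertName, CompromisedEntity, LastSeen -AutoSize
```

If the query returns no sample rows shortly after you trigger the simulation, check the connector status first (the TIP above) before assuming the alert was not generated; the same KQL, minus the PowerShell wrapper, can be pasted into the Sentinel Logs blade or used as the body of a scheduled analytics rule with the "sample" rows filtered out.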