Introduction
As organizations rapidly migrate applications and infrastructure to public hosted cloud services, traditional security monitoring and management models often don’t work, or at least require some rethinking and redesign. As with on-premises systems, visibility is crucial. You can’t secure what you don’t know about, and the cloud complicates that greatly. To address the specific needs of security management in the Azure public cloud, Microsoft recently introduced the Azure Security Center.
Azure Security Center
Azure Security Center is a service available to Azure customers that provides critical visibility in to Azure-hosted applications, services, and systems. With increased visibility, security administrators can prevent, detect, and respond to threats proactively. In addition, features in Azure Security Center allow administrators to exercise great control over the security configuration of their various resources residing in Azure.
Monitoring and Management
Azure Security Center not only monitors the security state of all provisioned assets in Azure, it also allows the administrator to define policies across the subscription to define, and importantly enforce, your organization’s specific security requirements. This ensures that any new services or infrastructure will be deployed in a secure fashion and in accordance with prescribed security configuration parameters.
Threat Detection
Azure Security Center continuously collects security information from all deployed resources in Azure, such as applications, services, storage, infrastructure, and more. In addition, Azure Security Center also collects data from antimalware software and third-party security devices deployed in Azure. All of this information is analyzed using Microsoft’s advanced machine learning and behavioral analysis.
Incident Response
All of the data collected and analyzed by Azure Security Center is then used to provide important alerting for identified security incidents. It is used to provide crucial information on the source of the attack as well as resources that are impacted by the attack. In addition, Azure Security Center offers guidance for stopping current attacks, as well as preventing attacks from occurring again in the future.
Using Azure Security Center
The Azure Security Center is accessed using the new Azure management portal at portal.azure.com. In the navigation tree click Browse and then scroll down to Security Center (Figure 1).
Figure 1: Open the Azure Security Center.
Using the Azure Security Center, the security administrator can define security policies, monitor security configuration, and view security-related alerts.
Define Policies
On the Security Center blade click Policy. Choose an Azure Subscription to set policies for and then ensure that data collection is enabled (Figure 2).
Figure 2: Enable data collection.
Choose a storage account and click Ok. Under Policy Components click Prevention Policy and choose the security policies you wish to enforce (Figure 3).
Figure 3: Select prevention policies.
Once a security policy has been defined and enabled, Azure Security Center will analyze the security configuration of your Azure deployed assets to identify potential security configuration errors or vulnerabilities. It will provide the administrator with a list of recommendations and guide them through the process of deploying additional controls to remediate these vulnerabilities. The following is an example list of security recommendations Azure Security Center can make.
- Provision antimalware software to servers deployed in Azure.
- Restrict network communication for Azure services using network security groups.
- Provision web application firewalls to protect web sites and services hosted in Azure.
- Deploy patches to servers that are not up to date.
- Make recommendations for baseline security configurations for various operating systems deployed in Azure resources.
Resource Health
The Resources Security Health window provides an instant visual cue to the overall security posture of your Azure-hosted resources. This includes applications, infrastructure, and more. The administrator can quickly and easily identify resources that are not healthy from a security perspective.
Clicking on a resource allows the administrator to drill down to see additional detail on the security health of the resource in question. For example, clicking on Virtual Machines exposes detailed information on the security status of all virtual machines currently provisioned (Figure 4).
Figure 4: Virtual machine security health.
Clicking on an individual virtual machine shows even more detail about the configuration and current security health status of the resource (Figure 5).
Figure 5: Detailed individual virtual machine security health.
Security Alerts
Azure Security Center integrates log data from a variety of sources, including Azure provisioned resources, third-party network security solutions, and deployed antimalware software. When data indicates a threat has been detected, this information is raised in the form of a security alert. Examples of threat detection are as follows.
- Potentially compromised VM that has been identified as communicating with known malicious IP addresses.
- Signs of malware detected via Windows error reporting.
- Brute force attacks against Azure virtual machines.
- Security alerts generated by third-party network security devices or antimalware software installed on virtual machines.
Clicking on the security alert allows the administrator to view additional detailed information about the alert, along with remediation guidance.
Third Party Solution Monitoring
Azure supports the integration of myriad third-party solutions from a wide variety of vendors to meet the specific needs and requirements for organizations of all sizes. For example, Citrix NetScaler load balancers could be deployed for enhanced load balancing, or Fortinet Fortigate Next Generation Firewalls could be deployed to improve security for Azure virtual machines. In addition, auditing solutions such as Netwrix Auditor or popular SEIM solutions like Splunk might also be provisioned in Azure. All of these solutions can be integrated with Azure Security Center to improve visibility and enhance the overall monitoring and alerting experience in Azure.
Summary
Azure Security Center provides unrivaled visibility for security health and enhanced monitoring and alerting that is sure to make every security administrator’s job much easier. Using Azure Security Center, you have the assurance of knowing that resources provisioned in Azure are done so in a secure manner and in accordance with defined policy. You also get the added benefit of advanced threat protection and detection using Microsoft’s state of the art analytics and behavioral threat analysis. If you’re using Azure today, don’t miss out on Azure Security Center. Give it a try now!
