Azure Security Center
Azure Security Center is a centralized security management system and dashboard that provides security-related information about your hybrid infrastructure. Security Center works in conjunction with you, the customer: it provides recommendations for making your environment secure, and it is the customer's responsibility to act on those recommendations and secure the infrastructure. Security Center's most notable feature is the Recommendations tab; this view provides an overall security score and recommendations on how to increase it. Each recommendation is listed along with the number of security points it is worth.
Shared responsibility in the cloud
In an on-prem infrastructure you own end-to-end security, from data center access down to access to individual applications and data. In a cloud infrastructure, some of those responsibilities are transferred to the cloud service provider.
Azure Security Center License
Azure Security Center licensing comes in two tiers, Free and Defender. The Free tier is active by default; you need to onboard a subscription to enable the Defender plan. Pricing is based on resource type and consumption.
The Defender tier is enabled through either of the options below:
- Security -> Management -> Pricing & Settings -> Azure Defender Plan
- Security -> Management -> Coverage -> Edit plan
The Log Analytics workspace needs to be onboarded to the Defender tier along with the subscriptions.
Note: when you enable the 30-day free trial, Defender is automatically charged based on consumption after the 30 days.
Once the Defender plan is enabled, you need to install the agent to collect the data. Security Center collects data through the Log Analytics agent on the VM, and the Log Analytics workspace stores the data for further analysis.
You can enable auto-provisioning of the agents under Security Center -> Pricing & Settings -> Your subscription -> Auto Provisioning.
- Log Analytics agent for Azure VMs – collects event logs and related security configurations.
- Microsoft Dependency agent – collects discovered data about processes running on the machine and external process dependencies; used for Service Map and VM insights.
- Policy Add-on for Kubernetes – enables reporting of auditing and compliance details of a Kubernetes cluster to Azure Policy.
You can enable or disable the auto agent installation for all three extensions or select only those relevant to you.
You can also use your organization's own software distribution tool to install the agents. To add a non-Azure system, use one of the options below:
- Security Center -> General -> Inventory -> Add non-Azure servers
- Security Center -> Security Solutions -> Non-Azure servers -> Add
Note: charges are per node per month.
Azure Security Center's cloud security has four components:
- Secure score – shows the overall security score of your subscriptions.
- Regulatory compliance – the built-in standard policies applied to Azure subscriptions. You can add further Microsoft pre-defined regulatory compliance standards under Security Policy.
- Firewall Manager – Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
- Azure Defender – allows you to configure the advanced protection options listed below:
VM vulnerability assessment
Just in time access
Adaptive application access
Container image scanning
Adaptive network hardening
SQL vulnerability assessment
File integrity monitoring
VM vulnerability assessment – In the background, Defender uses a Qualys-powered agent that identifies the system's vulnerabilities. You don't need any additional Qualys license to use this feature. You can instead install your own vulnerability solution, such as Rapid7; in that case, the license has to be taken care of by the customer. After the agent is installed, it takes a minimum of 30 minutes for the installation status to be reflected in Security Center. Vulnerabilities are assessed once every 24 hours; even after you remediate a finding, it takes up to 24 hours to clear from the dashboard.
Adaptive application access – Allows admins to whitelist the applications permitted to run on a VM rather than blacklisting them. App sense is used in the background to learn which applications run on the machine and to whitelist them.
Container image scanning (Qualys) – Scans the Azure Container Registry for security vulnerabilities and exposes detailed findings for each image.
Adaptive network hardening – Analyses the virtual machines' internet traffic communication patterns and determines whether the existing rules in the associated NSGs are overly permissive, resulting in an increased potential attack surface. A rule is typically flagged when an IP address it allows doesn't communicate regularly with the resource, or when the IP address has been flagged as malicious by Security Center's threat intelligence sources.
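To make the reasoning behind adaptive network hardening concrete, here is an added Python model (it is not Security Center's own code or algorithm, and Microsoft's real learning model is not described on this page). It takes an NSG allow rule, a constructed set of flows observed during a learning window and a constructed threat-intelligence list, and recommends a tighter source range: sources seen regularly are kept, sources seen only sporadically are dropped, and sources on the threat list are reported separately. The `min_flows` threshold for "regular" communication is an assumption of this model.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, collapse_addresses


@dataclass(frozen=True)
class Flow:
    src: str        # source IP that reached the VM during the learning window
    dst_port: int   # destination port on the VM


@dataclass
class AllowRule:
    name: str
    port: int
    source: str     # CIDR currently permitted by the NSG rule


def matching_flows(rule, flows):
    """Flows that the rule actually let through (same port, source inside the CIDR)."""
    net = ip_network(rule.source)
    return [f for f in flows if f.dst_port == rule.port and ip_address(f.src) in net]


def harden(rule, flows, threat_intel, min_flows=3):
    """Recommend a tightened source range for one allow rule.

    min_flows is this model's assumption for what counts as 'regular' traffic.
    """
    seen = Counter(f.src for f in matching_flows(rule, flows))
    malicious = sorted(s for s in seen if s in threat_intel)
    regular = [s for s, n in seen.items() if n >= min_flows and s not in threat_intel]
    irregular = sorted(s for s, n in seen.items() if n < min_flows and s not in threat_intel)
    # Collapse the regular sources into the smallest set of prefixes that covers them.
    recommended = [str(n) for n in collapse_addresses(ip_network(f"{s}/32") for s in regular)]
    allowed_now = ip_network(rule.source).num_addresses
    allowed_after = sum(ip_network(n).num_addresses for n in recommended)
    return {
        "rule": rule.name,
        "overly_permissive": allowed_now > allowed_after,
        "recommended_sources": recommended,
        "dropped_irregular": irregular,
        "malicious_sources": malicious,
    }


def demo():
    """Constructed sample: SSH open to the internet, four distinct sources seen."""
    rule = AllowRule("allow-ssh-any", 22, "0.0.0.0/0")
    flows = (
        [Flow("10.0.0.5", 22)] * 5            # management host, talks every day
        + [Flow("203.0.113.7", 22)] * 4       # partner jump box, regular
        + [Flow("198.51.100.9", 22)]          # seen once, not regular
        + [Flow("192.0.2.66", 22)] * 3        # on the constructed threat-intel list
        + [Flow("10.0.0.5", 443)]             # different port, ignored for this rule
    )
    threat_intel = {"192.0.2.66"}             # constructed, not real threat data
    return harden(rule, flows, threat_intel)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The result is the kind of recommendation the feature surfaces: replace `0.0.0.0/0` with the two regular /32 sources, and treat the threat-intel hit as an alert rather than as a candidate for the allow list.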
SQL vulnerability assessment – Scans databases for security vulnerabilities and exposes deviations from best practices such as misconfigurations, excessive permissions, and unprotected sensitive data.
File integrity monitoring – The Log Analytics workspace is used to monitor file integrity; you need to enable this feature on a Log Analytics workspace explicitly. It monitors changes to the registry, operating system files, and application software for signs of a potential attack. A checksum comparison is used to find the difference between the last scan and the files' current state. It can also write the changes to a storage account so that an admin can compare the old and new files. Storage cost needs to be considered before enabling the feature.
Network Map – Creates a network map showing the topology and workloads.
Just in Time – Popularly known as JIT, this feature works on the back of an NSG; an NSG is the prerequisite for enabling it. In a nutshell, JIT adds a deny rule on top of the existing NSG rules attached to a VM. An allow rule is created in the NSG only when a user requests access. The JIT configuration contains the ports, the source IP address, and the allowed duration. The minimum allowed time is 1 hour and the default is 3 hours; after this interval the NSG allow rule is removed.
Access level required to request JIT access to a VM.
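The JIT mechanism described above, as an added Python model (not Azure's implementation or API): an NSG evaluates rules by priority number (lowest first), enabling JIT inserts a deny rule for each managed port that outranks the existing rules, and each access request adds a time-bound allow rule for one source address that outranks the deny. The 1 hour minimum and 3 hour default come from the text; the priority numbers and the policy-level `allowed_sources` restriction are assumptions of this model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

MIN_DURATION = timedelta(hours=1)      # minimum access window (from the text)
DEFAULT_DURATION = timedelta(hours=3)  # default window when none is requested (from the text)


@dataclass
class NsgRule:
    name: str
    priority: int                       # lower number is evaluated first, as in a real NSG
    access: str                         # "Allow" or "Deny"
    port: int
    source: str                         # CIDR of the sources this rule applies to
    expires: Optional[datetime] = None  # set only on JIT-created allow rules


@dataclass
class JitPolicy:
    ports: set                          # ports JIT manages on this VM
    allowed_sources: str = "0.0.0.0/0"  # assumption: optional policy-level source restriction


class Nsg:
    def __init__(self, rules):
        self.rules = list(rules)

    def effective_access(self, port, source_ip, now):
        """The first matching, non-expired rule by priority decides; no match means deny."""
        for r in sorted(self.rules, key=lambda r: r.priority):
            if r.expires is not None and r.expires <= now:
                continue
            if r.port == port and ip_address(source_ip) in ip_network(r.source):
                return r.access
        return "Deny"

    def purge_expired(self, now):
        """What JIT does after the allowed duration: drop the temporary allow rules."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]
        return before - len(self.rules)


def enable_jit(nsg, policy):
    """Put a deny rule for every managed port above all existing rules."""
    top = min((r.priority for r in nsg.rules), default=4096)
    for i, port in enumerate(sorted(policy.ports)):
        nsg.rules.append(NsgRule(f"JIT-deny-{port}", top - 100 + i, "Deny", port, "0.0.0.0/0"))


def request_access(nsg, policy, port, source_ip, now, duration=None):
    """Handle an access request: validate it, then add a time-bound allow rule above the deny."""
    if port not in policy.ports:
        raise ValueError(f"port {port} is not managed by the JIT policy")
    duration = duration or DEFAULT_DURATION
    if duration < MIN_DURATION:
        raise ValueError("requested duration is below the 1 hour minimum")
    if ip_address(source_ip) not in ip_network(policy.allowed_sources):
        raise ValueError("source address is not permitted by the JIT policy")
    top = min(r.priority for r in nsg.rules)
    rule = NsgRule(f"JIT-allow-{port}-{source_ip}", top - 1, "Allow", port,
                   f"{source_ip}/32", expires=now + duration)
    nsg.rules.append(rule)
    return rule


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    nsg = Nsg([NsgRule("allow-rdp-corp", 300, "Allow", 3389, "10.0.0.0/8")])  # constructed
    policy = JitPolicy(ports={22, 3389})
    enable_jit(nsg, policy)
    print("before request:", nsg.effective_access(22, "203.0.113.10", t0))
    request_access(nsg, policy, 22, "203.0.113.10", t0)
    print("during window:", nsg.effective_access(22, "203.0.113.10", t0 + timedelta(hours=2)))
    print("after window:", nsg.effective_access(22, "203.0.113.10", t0 + timedelta(hours=3)))
    print("rules purged:", nsg.purge_expired(t0 + timedelta(hours=3)))
```

The model shows why the NSG is a prerequisite: the deny and the temporary allow are both ordinary NSG rules, so without an NSG there is nothing for JIT to insert them into, and a pre-existing broad allow rule only stays effective if it outranks the JIT deny.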
Security Center's Management section allows you to manage licenses, connect to third-party solutions, configure automatic agent installation, and automate workflows.
Pricing & Settings allows you to:
- Change the license tier of your subscription
- Enable or disable auto-provisioning of extensions (agents)
- Configure email notifications and the notification types
- Integrate with other Microsoft security services, such as cloud security services
- Automate workflows based on the type of threat detected; also available directly under Security Center's Management pane
- Continuously export Security Center data (recommendations, scores, alerts, regulatory compliance) to an Event Hub or a Log Analytics workspace
- Connect to other clouds (AWS / GCP); also available directly under Security Center's Management pane
Security Policy allows you to add or modify security policies, regulatory compliance standards, and custom initiatives. By default, the standard ASC default policies are applied to your subscription.
Security Solutions allows you to view the connected (auto-discovered) security solutions and configure data sources. Data sources can be non-Azure machines, a SIEM, and an Azure Application Gateway with the firewall enabled.
SIEM – Data is exported to a third-party SIEM via: Security Center -> Azure Monitor -> Azure Event Hub -> Azure Functions -> SIEM.
Security Center's email notifications have the following limitations; you can use workflow automation to get around them:
- a maximum of one email per 6 hours (4 emails per day) for high-severity alerts
- a maximum of one email per 12 hours (2 emails per day) for medium-severity alerts
- a maximum of one email per 24 hours for low-severity alerts
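To see what those limits mean for an alert stream, here is an added Python simulation of the per-severity email throttling (this models the rule stated above and is not Security Center's code). Given a constructed sequence of alerts, it reports which ones would have produced an email and which would have been suppressed because an email for that severity had already gone out within the window, which is exactly the gap that workflow automation is used to close.

```python
from datetime import datetime, timedelta, timezone

# Built-in limits from the text: at most one email per window, per severity.
EMAIL_WINDOW = {
    "High": timedelta(hours=6),
    "Medium": timedelta(hours=12),
    "Low": timedelta(hours=24),
}


class EmailThrottle:
    """Tracks, per severity, when the last email was sent."""

    def __init__(self):
        self.last_sent = {}

    def decide(self, severity, when):
        """Return True if an email goes out for this alert, False if it is suppressed."""
        last = self.last_sent.get(severity)
        if last is not None and when - last < EMAIL_WINDOW[severity]:
            return False
        self.last_sent[severity] = when
        return True


def simulate(alerts):
    """Split a list of (name, severity, timestamp) alerts into emailed and suppressed names."""
    throttle = EmailThrottle()
    emailed, suppressed = [], []
    for name, severity, when in sorted(alerts, key=lambda a: a[2]):
        (emailed if throttle.decide(severity, when) else suppressed).append(name)
    return emailed, suppressed


def demo():
    """Constructed alert stream over one day."""
    t0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    alerts = [
        ("failed-logins-vm1", "High", t0),
        ("failed-logins-vm2", "High", t0 + timedelta(hours=1)),     # within 6 h of the first
        ("malware-detected", "High", t0 + timedelta(hours=7)),      # window has elapsed
        ("unusual-signin", "Medium", t0 + timedelta(hours=2)),
        ("unusual-signin-2", "Medium", t0 + timedelta(hours=11)),   # within 12 h
        ("port-scan", "Low", t0),
        ("port-scan-2", "Low", t0 + timedelta(hours=23)),           # within 24 h
    ]
    return simulate(alerts)


if __name__ == "__main__":
    emailed, suppressed = demo()
    print("emailed:", emailed)
    print("suppressed (use workflow automation to catch these):", suppressed)
```

Note that suppression is per severity and per window, so a second high-severity alert one hour after the first never reaches the mailbox; a Logic App triggered by workflow automation receives every alert instead.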