Microsoft Defender for Cloud is a multicloud application protection platform (CNAPP) designed to protect your cloud-based applications from code-to-cloud. A key component of cloud security is continuously monitoring and managing new vulnerabilities across your cloud workloads. Vulnerability management helps organizations improve their security posture, reduce the attack surface, and prevent security breaches.
We are thrilled to announce that Defender for Cloud is unifying our vulnerability assessment engine to Microsoft Defender Vulnerability Management (MDVM) across servers and containers. Security admins will benefit from Microsoft’s unmatched threat intelligence, breach likelihood predictions and business contexts to identify, assess, prioritize, and remediate vulnerabilities - making it an ideal tool for managing an expanded attack surface and reducing overall cloud risk posture.
Introducing a unified Vulnerability Management for Defender for Cloud – powered by Microsoft Defender Vulnerability Management (MDVM):
Microsoft Defender Vulnerability Management is a powerful in-house vulnerability assessment solution natively integrated in Defender for Cloud. Our goal is to give customers one solution for vulnerability assessments (VA) across all their cloud and hybrid workloads, with seamless integration into Defender for Cloud using the same tools and user experience. Its vulnerability assessments are automatically populated in the Defender for Cloud portal as recommendations. With Microsoft Defender Vulnerability Management, Defender for Cloud customers will have access to both agent-based and agentless scans. Here are the benefits of Defender for Cloud’s unified vulnerability assessment offering with MDVM:
- Consistency: a unified solution ensures that the results are comparable and reliable across different platforms and technologies. It also simplifies the management of security tools and configurations, reducing complexity and confusion.
- Efficiency: it saves time and resources by avoiding duplication of effort and streamlining the assessment process. It can also help automate and integrate the assessment with other security processes, such as patch management and incident response, leading to faster response times and enabling organizations to make informed decisions and prioritize remediation efforts effectively.
- Reduced cost: eliminates the need to purchase multiple solutions for scanning different types of cloud resources.
- Compliance: It helps organizations comply with the cybersecurity standards and regulations that are relevant to their industry and region. It also demonstrates due diligence and accountability to stakeholders, such as customers, partners, and regulators.
- Prioritized vulnerability results: using the contextual risk analysis provided by Defender Cloud Security Posture Management, we help customers prioritize remediation of the vulnerabilities that pose the greatest risk to their cloud environments. Rather than relying solely on the documented severity of a vulnerability, we evaluate the actual risk it poses by understanding the full security context of the vulnerable resource. For example, a high severity vulnerability on a host exposed to the internet with access to sensitive data poses greater risk than a critical vulnerability on a machine isolated from the outside world, and is therefore of higher priority to remediate.
MDVM for server security
When it comes to server protection, robust server vulnerability scanning plays a crucial role. Servers, often accessible from the internet, are an entry point for attackers into an enterprise’s network environment, which is why vulnerability scanning (and remediation!) is a crucial part of reducing your organization’s attack surface. The server vulnerability assessment solution powered by MDVM is available through both the Defender for Servers and Defender Cloud Security Posture Management plans, and includes the following key benefits:
- Hybrid approach: offers flexible deployment options by using a consistent vulnerability scanner across a variety of use cases. It is applicable in multicloud environments and different host runtimes:
- Agentless vulnerability assessment: enabling agentless scanning on a subscription will automatically scan all virtual machines in Azure, AWS, and GCP for software inventory and vulnerabilities, powered by MDVM.
- Consolidated agent: MDVM uses the same agent as Microsoft Defender for Endpoint (MDE) to protect servers, so if you are an existing MDE customer, you are automatically covered by MDVM.
- Software vulnerability evidence (coming soon): the MDVM scanner identifies vulnerable software and provides the corresponding file path and/or registry key as evidence.
- Software inventory: The MDVM scanner detects applications installed on virtual machines and establishes a correlation between the software and its associated known vulnerabilities.
- MDVM premium capabilities: customers of Defender for Servers P2 will have the added benefit of access to the premium capabilities of Microsoft Defender Vulnerability Management. These include Certificate Assessment, Baseline Assessment, App Blocker, and more.
MDVM for container security
Vulnerability assessment scanning for containers, powered by Microsoft Defender Vulnerability Management (MDVM), is an integrated solution that empowers security teams to easily discover and remediate vulnerabilities for container images. This offering is now generally available in Azure and will soon be released for AWS and GCP containers. Container vulnerability assessment scanning powered by MDVM is available through both the Microsoft Defender for Containers and Defender Cloud Security Posture Management plans, and retains all existing capabilities of our current vulnerability assessment offering, while adding new and improved capabilities:
| Capability | Current offering | New offering powered by MDVM |
|---|---|---|
| Agentless vulnerability assessment for container images in registry | Supported environments: Azure Container Registry (ACR) | Supported environments: Azure Container Registry (ACR), Elastic Container Registry (ECR), Google Container Registry (GCR), Google Artifact Registry (GAR) |
| Runtime vulnerability assessment for container images | Agent-based. Supported environments: Azure Kubernetes Service (AKS) | Agent-based and agentless. Supported environments: Azure Kubernetes Service (AKS), Elastic Kubernetes Service (EKS), Google Kubernetes Engine (GKE) |
| One-click onboarding with zero configuration | Supported environments: Azure Container Registry (ACR), Azure Kubernetes Service (AKS) | Supported environments: Azure Kubernetes Service (AKS), Elastic Kubernetes Service (EKS)*, Google Kubernetes Engine (GKE), Azure Container Registry (ACR), Elastic Container Registry (ECR), Google Container Registry (GCR), Google Artifact Registry (GAR) |
| Quick scan of new images | Near real-time scan in Azure | Near real-time scan in Azure; typically within a few hours in AWS and GCP |
| Rescan frequency | Once every 7 days | Daily |
| Scan criteria | Scan on push; scan images pulled in the last 30 days; scan running images indefinitely | Scan on push; scan images pulled in the last 30 days; scan running images indefinitely; scan images pushed in the last 90 days |
| Supported OS packages | Alpine Linux 3.12-3.16; Ubuntu 10.10-22.04; FreeBSD 11.1-13.1 | Alpine Linux 3.12-3.16 |
| Language-specific packages | Python | Python |
| Real-world exploitability insights | N/A | Uses threat intelligence to provide real-world exploitability information for CVEs, helping customers prioritize remediation of vulnerabilities with known exploit methods and exploitability tools. Exploit sources include CISA KEV, Exploit DB, Microsoft Security Response Center, and more. |
| Software vulnerability evidence | N/A | Each reported vulnerable OS package is provided with commands that can be used to find the vulnerable package on the image. |
| Support for private links | Azure Container Registry (ACR) | Azure Container Registry (ACR) |
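To make the prioritization argument concrete (documented severity scaled by exposure, data sensitivity and real-world exploitability, as described in the "Prioritized vulnerability results" benefit and the "Real-world exploitability insights" row above), here is an added illustration in Python. It is not Defender for Cloud's scoring model: the weights, the `Finding` fields and the sample findings with placeholder CVE ids are all constructed for this example.

```python
from dataclasses import dataclass

# Assumed weights for this illustration only; Defender for Cloud's actual
# contextual risk model is not published on this page.
SEVERITY_BASE = {"Low": 1.0, "Medium": 2.0, "High": 3.0, "Critical": 4.0}
EXPOSED_FACTOR = 2.0      # host reachable from the internet
SENSITIVE_FACTOR = 1.5    # host has access to sensitive data
EXPLOITED_FACTOR = 1.5    # CVE appears in an exploit source such as CISA KEV


@dataclass(frozen=True)
class Finding:
    resource: str
    cve: str
    severity: str           # vendor-documented severity
    internet_exposed: bool
    sensitive_data: bool
    known_exploited: bool


def risk_score(f: Finding) -> float:
    """Contextual risk: start from documented severity, then scale by the
    security context of the vulnerable resource rather than severity alone."""
    score = SEVERITY_BASE[f.severity]
    if f.internet_exposed:
        score *= EXPOSED_FACTOR
    if f.sensitive_data:
        score *= SENSITIVE_FACTOR
    if f.known_exploited:
        score *= EXPLOITED_FACTOR
    return score


def prioritize(findings):
    """Remediation order, highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings; the CVE ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("isolated-vm", "CVE-0000-0001", "Critical", False, False, False),
    Finding("web-frontend", "CVE-0000-0002", "High", True, True, False),
    Finding("batch-worker", "CVE-0000-0003", "Medium", False, True, True),
]

if __name__ == "__main__":
    # The High finding on the exposed, data-bearing host outranks the
    # Critical finding on the isolated machine, as the text argues.
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.severity:8}  {f.resource:13}  {f.cve}")
```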
See what our customers are already saying about container VA scanning powered by MDVM:
“Our AI-powered Icertis Contract Intelligence (ICI) platform manages more than 2 billion metadata elements across 10 million contracts, delivering the only enterprise-grade contract lifecycle management solution built on Microsoft Azure. To promote the responsible and secure use of contract data, our security team prioritizes staying up to date on container security posture for various container technologies that ICI uses on the backend. The new Microsoft Defender for Cloud container scanning capabilities using Microsoft Defender Vulnerability Management (MDVM) enable us to do this more effectively by onboarding images for vulnerability assessment without any agents or configurations, while also providing us with actionable insights to help better protect data and bolster our security.”
- Vishwas Dhanawade, Lead Information Security Analyst, Icertis
- Subodh Patil, Principal Architect, Information Security, Icertis
“Defender for Containers vulnerability assessment scanning powered by Microsoft Defender Vulnerability Management has been invaluable in identifying risks in published containers but also enabling platform engineers to drive change to security processes and in collaboration with application developers to ensure these risks are identified earlier: “shifting left”. The frequent scanning on a clearly defined schedule has further driven confidence in the service.”
- Simon Day, Azure DevOps Technical Lead, Telefónica Tech UK&I
Conclusion
The vulnerability assessment offering powered by Microsoft Defender Vulnerability Management is available for both servers and containers. To start using it, ensure that agentless scanning for servers and containers is enabled, and consume the vulnerability assessment results provided for servers and containers as recommendations. You can also benefit from improved refresh times: for servers, by enabling endpoint protection and selecting MDVM as the vulnerability assessment solution in the Defender for Servers settings; for container runtime scanning, by deploying the Defender for Containers agent.
Lastly, if you are consuming vulnerability assessment results through the API, you should update your API calls to the new API schema for servers and containers.