Microsoft Defender for Cloud Blog
Introducing Microsoft Defender for Containers

mahersko
Dec 09, 2021

Container adoption is booming - production deployments of Kubernetes clusters and containers continue to soar as organizations increasingly containerize applications to meet their needs for scalability, portability, and more. Since 2016, the use of containers in production has increased by 300%.

 

In line with these widespread adoption trends, the security and threat landscape has shown a rapid increase in the number and sophistication of attacks targeting containers and Kubernetes, as shown in image 1.

Image 1: Growth overview of attack trends between June 2019 and December 2020 as seen in the 2020 Cloud Native Threat Report.

 

Traditional security tools aren’t set up to provide visibility into container usage or to monitor traffic flows, which makes it hard to stay on top of drift away from secure configurations. Unlike traditional compute, containerized applications are elastic, spawn on demand, and are often short-lived, which creates the need to fix vulnerabilities early and often and makes a dedicated container security strategy essential.

Advanced threat protection for container solutions

To address the evolving security challenges surrounding container solutions, we are excited to announce Microsoft Defender for Containers – a new cloud workload protection plan designed around the unique needs of container-based solutions, including Azure Kubernetes Service, Amazon EKS, and on-prem environments. It is part of Microsoft Defender for Cloud.

Critical capabilities include native at-scale onboarding for Kubernetes, hardening controls, vulnerability assessment, and run-time protection. The new plan merges the capabilities of the two existing Microsoft Defender for Cloud plans, Microsoft Defender for Kubernetes and Microsoft Defender for container registries, and adds a new set of critical features shown in image 2.

 

Image 2: Overview of the added capabilities in Defender for Containers

For a live demo of the new capabilities, watch the latest episode of Defender for Cloud in the Field.

Getting started

Starting today, Microsoft Defender for Containers is available as a new plan in Microsoft Defender for Cloud. You can onboard any of your Azure subscriptions or AWS accounts and start protecting your container solutions with a broad set of capabilities.

Kubernetes-native deployment

We understand how critical it is to protect containers as soon as they are deployed into your environment. That’s why we developed an automatic deployment capability, so you can easily enable Microsoft Defender for Containers across all Kubernetes resources in your organization, in the Microsoft Defender for Cloud portal.

The solution is designed to support any Kubernetes workload, Azure and non-Azure, through a DaemonSet that is deployed and maintained via the Kubernetes control plane. This gives customers visibility and management capabilities directly through Kubernetes-native tooling. It is also integrated into Azure Kubernetes Service (AKS) as a security profile and into Azure Arc connected clusters as a cluster extension, covering both multi-cloud and on-prem scenarios.

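One check a cluster operator wants after a DaemonSet-based onboarding like the one described above is whether the agent actually landed on every node. The following script is an added example, not Microsoft's code and not part of the Defender for Containers agent: it reads the JSON that `kubectl get daemonset <name> -n <namespace> -o json` and `kubectl get nodes -o json` produce, compares the DaemonSet's scheduling status with the node list, and flags nodes whose taints the DaemonSet does not tolerate, which is the usual reason a DaemonSet's desired count is lower than the node count. The DaemonSet name and namespace are placeholders, and both JSON documents are constructed sample input.

```python
"""Check that a security-agent DaemonSet covers every node in a cluster.

Added example, not Microsoft's code. Input is the JSON that
`kubectl get daemonset <name> -n <namespace> -o json` and
`kubectl get nodes -o json` emit; the documents below are constructed.
"""
import json

# Constructed sample DaemonSet (name/namespace are placeholders): the scheduler
# placed 3 pods, only 2 of which are Ready.
DAEMONSET_JSON = json.dumps({
    "metadata": {"name": "defender-agent-ds-PLACEHOLDER", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"tolerations": [
        {"key": "node-role.kubernetes.io/control-plane", "operator": "Exists",
         "effect": "NoSchedule"},
    ]}}},
    "status": {"desiredNumberScheduled": 3, "currentNumberScheduled": 3,
               "numberReady": 2, "numberMisscheduled": 0},
})

# Constructed sample node list: one node carries a NoSchedule taint that the
# DaemonSet does not tolerate, so it silently gets no agent pod.
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "aks-system-0"},
     "spec": {"taints": [{"key": "CriticalAddonsOnly", "value": "true",
                          "effect": "NoSchedule"}]}},
    {"metadata": {"name": "aks-user-0"}, "spec": {}},
    {"metadata": {"name": "aks-user-1"}, "spec": {}},
    {"metadata": {"name": "aks-user-2"}, "spec": {}},
]})


def tolerated(taint, tolerations):
    """True if any toleration matches the taint under Kubernetes' rules:
    an empty key with operator Exists matches everything; otherwise keys must
    match, operator Equal also compares values, and an empty effect matches
    any effect."""
    for tol in tolerations:
        op = tol.get("operator", "Equal")
        if not (op == "Exists" and not tol.get("key")):
            if tol.get("key") != taint.get("key"):
                continue
            if op == "Equal" and tol.get("value", "") != taint.get("value", ""):
                continue
        if tol.get("effect") and tol.get("effect") != taint.get("effect"):
            continue
        return True
    return False


def coverage_report(daemonset_json, nodes_json):
    """Compare DaemonSet status with the node list and report the gaps."""
    ds = json.loads(daemonset_json)
    nodes = json.loads(nodes_json)["items"]
    tolerations = ds["spec"]["template"]["spec"].get("tolerations", [])
    status = ds.get("status", {})

    # Nodes the scheduler will never pick because of an untolerated hard taint.
    excluded = []
    for node in nodes:
        for taint in node.get("spec", {}).get("taints", []):
            if taint.get("effect") in ("NoSchedule", "NoExecute") \
                    and not tolerated(taint, tolerations):
                excluded.append(node["metadata"]["name"])
                break

    desired = status.get("desiredNumberScheduled", 0)
    ready = status.get("numberReady", 0)
    return {
        "nodes": len(nodes),
        "desired": desired,
        "ready": ready,
        "not_ready": desired - ready,       # scheduled but not (yet) healthy
        "excluded_by_taint": excluded,      # never scheduled at all
        "fully_covered": ready == len(nodes) and not excluded,
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(DAEMONSET_JSON, NODES_JSON), indent=2))
```

The two gaps the report separates need different fixes: a non-zero `not_ready` is a pod health problem on a node that was scheduled, while a name in `excluded_by_taint` means the DaemonSet needs a matching toleration before that node will ever be protected.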
Image 3: Onboarding to the Microsoft Defender for Containers with automatic at scale deployment

 

Advanced Threat Detection

To expand threat detection beyond the Kubernetes management layer, Microsoft Defender for Containers now offers host level threat detection with over 60 (!) new Kubernetes-aware analytics, AI, and anomaly detections based on your runtime workload. The solution monitors the growing attack surface of multi-cloud Kubernetes deployments and tracks the MITRE ATT&CK® matrix for Containers, a framework that was developed by the Center for Threat-Informed Defense in close partnership with Microsoft and others.

The full list of available threat detection alerts can be found here.

 

 

Image 4: Examples of container specific threat detection alerts in Microsoft Defender for Cloud

 

To make investigations easier by providing runtime context, we have added new entities to Kubernetes security alerts including image, registry, pod, service, namespace, and more. In addition, the new entities can be used to provide more granularity for customers' suppression logic to fine tune alerts and reduce alert fatigue.

 

 

Image 5: Examples of new entities to Kubernetes security alerts

 

Coming soon: Fileless attack detection. Attackers use fileless attacks to execute code without leaving a presence on the filesystem, thereby evading detection by traditional anti-virus software. With the new Fileless Attack Detection capability, automated memory forensic techniques will identify fileless attack toolkits, techniques, and behaviors. The detection mechanism periodically scans your nodes at runtime and extracts insights directly from the memory of running processes. It can find evidence of exploitation, code injection, and execution of malicious payloads. Fileless attack detection generates detailed security alerts to accelerate alert triage, correlation, and downstream response.

Vulnerability Assessment

A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Microsoft Defender for Cloud provides out of the box vulnerability assessment capabilities and integrates with the tools of your choice to regularly check your resources for vulnerabilities.

 

As part of the Microsoft Defender for Containers plan, we added a new recommendation for runtime visibility of vulnerabilities. It lists only running images that have vulnerabilities, so customers can prioritize and focus on the vulnerabilities that pose the highest risk to their organization.

Image 6: Vulnerability security alert specific to containers

 

We also enhanced the periodic scanning of images pulled from Azure Container Registry (ACR) during the last 30 days with a continuous image scan of all ACR images running on a Kubernetes cluster.

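The runtime-visibility recommendation and the continuous scan of running ACR images both rest on one join: which scanned image digests are actually running in the cluster. The following is an added example of that join, not Microsoft's code and not how the Defender scanner is implemented: it takes the image digests out of `kubectl get pods -A -o json` (the `imageID` field, which carries the resolved digest even when the pod spec references a tag), matches them against a list of scanner findings keyed by digest, and orders running images first and by severity. Both the pod list and the findings (with placeholder CVE ids) are constructed sample data.

```python
"""Prioritize image vulnerability findings by whether the image is running.

Added example, not Microsoft's code. Pod data is the shape emitted by
`kubectl get pods -A -o json`; findings are constructed scanner output with
placeholder CVE ids.
"""
import json

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

# Constructed pod list. The first imageID carries a runtime prefix and the
# second does not; both end in the resolved digest. The third pod has not
# pulled its image yet, so there is no digest to match.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "payments", "name": "api-7c9"},
     "status": {"containerStatuses": [
         {"name": "api", "image": "contoso.azurecr.io/payments/api:1.4",
          "imageID": "docker-pullable://contoso.azurecr.io/payments/api@sha256:aaaa1111"}]}},
    {"metadata": {"namespace": "web", "name": "front-5d2"},
     "status": {"containerStatuses": [
         {"name": "front", "image": "contoso.azurecr.io/web/front:2.0",
          "imageID": "contoso.azurecr.io/web/front@sha256:bbbb2222"}]}},
    {"metadata": {"namespace": "web", "name": "pending-0"},
     "status": {"containerStatuses": [
         {"name": "front", "image": "contoso.azurecr.io/web/front:2.1",
          "imageID": ""}]}},
]})

# Constructed scanner findings keyed by image digest (CVE ids are placeholders).
FINDINGS = [
    {"repository": "contoso.azurecr.io/payments/api", "digest": "sha256:aaaa1111",
     "severity": "High", "id": "CVE-0000-0001"},
    {"repository": "contoso.azurecr.io/batch/old", "digest": "sha256:cccc3333",
     "severity": "Critical", "id": "CVE-0000-0002"},
    {"repository": "contoso.azurecr.io/web/front", "digest": "sha256:bbbb2222",
     "severity": "Medium", "id": "CVE-0000-0003"},
    {"repository": "contoso.azurecr.io/payments/api", "digest": "sha256:aaaa1111",
     "severity": "Critical", "id": "CVE-0000-0004"},
]


def running_digests(pods_json):
    """Map image digest -> list of namespace/pod/container where it runs."""
    where = {}
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        for cs in pod.get("status", {}).get("containerStatuses", []):
            image_id = cs.get("imageID", "")
            if "://" in image_id:                 # strip e.g. docker-pullable://
                image_id = image_id.split("://", 1)[1]
            if "@" not in image_id:               # not pulled yet, or no digest
                continue
            digest = image_id.split("@", 1)[1]
            where.setdefault(digest, []).append(
                f"{meta['namespace']}/{meta['name']}/{cs['name']}")
    return where


def prioritize(findings, running):
    """Attach run locations and sort: running first, then severity, then id."""
    enriched = [{**f, "running_in": running.get(f["digest"], [])} for f in findings]
    enriched.sort(key=lambda f: (0 if f["running_in"] else 1,
                                 SEVERITY_RANK.get(f["severity"], 9), f["id"]))
    return enriched


def running_only(findings, running):
    """The subset the runtime-visibility view shows: vulnerable AND running."""
    return [f for f in prioritize(findings, running) if f["running_in"]]


if __name__ == "__main__":
    for f in prioritize(FINDINGS, running_digests(PODS_JSON)):
        print(f["id"], f["severity"], f["repository"], f["running_in"] or "(not running)")
```

Matching on the digest rather than the tag matters: a tag can be moved to a different image after the scan, while the digest in `imageID` identifies exactly the bytes the node is executing.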
Planning your container security spend

We know that understanding cost across your workloads and protections is critical. That’s why we created a cost estimation workbook that allows you to estimate the anticipated costs for Microsoft Defender for Containers across all your subscriptions. The workbook estimates costs for your Kubernetes clusters based on your average usage over the last 30 days. In addition, it shows the number of container images that are included for vulnerability assessment scanning based on your configuration. You can deploy the workbook to your Defender for Cloud environment using the ARM template and learn more in the Defender for Cloud GitHub repository.

 

Image 7: Overview of the cost estimation workbook for Microsoft Defender for Containers.

 

The new Microsoft Defender for Containers plan provides organizations with a streamlined way to enable advanced threat protection for all their container workloads across Azure, AWS, and in hybrid cloud environments and keep their critical resources secure.

 

More information

  • Sign up for our live webinar on January 12 where we will walk through the new plan, demo the capabilities and open up for Q&A.
  • Check out our documentation and learn how to protect your container solutions with the new Defender for Containers offering
  • Subscribe to our blog and stay up to date with the latest Defender for Cloud news

 

  • How much does Microsoft Defender for Containers cost? - Microsoft Defender for Containers is priced at $7 per Kubernetes vCore per month. It includes 20 free scans per vCore; every subsequent scan is charged at $0.29 per image digest. We expect that >90% of customers will not require additional scans. Furthermore, we removed the cost-incurring dependency on Microsoft Defender for Servers for host-level protection of Kubernetes clusters by adding native, node-level protection capabilities to Microsoft Defender for Containers.
Updated Dec 09, 2021
Version 1.0
  • DietZilz
    Copper Contributor

    Hello,

     

    It is not 100% clear to me whether or not I need Microsoft Defender for Cloud for servers for the servers in the VMSS Scaleset. 

    Looking at your article and given the fact that it is vCore based it almost looks like it replaces it. 

     

    However, technically it would be possible to install other systems and services and Qualys vulnerability scan only comes with Defender for Servers. 

    So in a practical example. 

    I am looking at

    1. Microsoft Defender for Servers Plan 2
    2. Microsoft Defender for Containers



    Let's say I have 8 user node servers with 4vCores each and 2 system node servers, i.e. 2 VMSS Scalesets.

    So what is my Defender for Cloud licensing? 

    40 vCore for Containers? 

     

    Do I also need to accommodate server plans? Or is this superfluous as the container protection is adequate for server in Scalesets created through AKS provisioning?

    If I had manually created the servers I would think I need 10 server plans? But then also since we only have 2 VMSS Scalesets this seems wrong as technically we only have 2 images to scan.

     

    Can you give any clear example on how Microsoft envisions Microsoft Defender for Cloud to be configured for servers in the VMSS Scalesets of the AKS clusters? 

    Many thanks for your kind help.
    Dietmar

  • sachincloud99
    Copper Contributor

    Thank you mahersko for posting this content. Can you help me understand if AKS CIS for Kubernetes are supported currently or a roadmap item?

  • akssingh_shs
    Copper Contributor

    Is there an API to query the "SecurityResources" table in the resource graph?

     

    Specifically, I need to send the information of an Azure Container Registry (ACR) vulnerability report to the appropriate (ACR) owner. I looked for an API that would assist us in retrieving the ACR vulnerability report but unfortunately I did not find it; however, we have a resource graph query that will provide the ACR vulnerability report. To automate the procedure, I opted to create a logic app. However, the problem is that we haven't been able to locate an API that gets the data from the "SecurityResources" table in the same way that we have for "Resources."

     

    Like – https://management.azure.com/providers/Microsoft.ResourceGraph/resources -

     

    ARG Query for ACR Vulnerability - https://docs.microsoft.com/en-us/azure/defender-for-cloud/resource-graph-samples?tabs=azure-powershell#list-container-registry-vulnerability-assessment-results

     

    Any recommendations or other best practices, or if you've previously implemented such logic to automatically deliver ACR vulnerability reports to the appropriate ACR owner? It would be helpful.

     

    Thanks !!

     

    mahersko @Kim Kischel
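The Resource Graph endpoint linked in the comment above accepts `securityresources` queries in the same POST body shape as `resources` queries; only the KQL text selects the table. The following is an added example, not Microsoft's code and not the commenter's logic app: it builds that request, pages through `$skipToken`, and groups the rows by registry so that each owner can receive only their own findings. The assessment key, the property paths projected out of `additionalData`, the subscription id and the bearer token are assumptions or placeholders, and the two response pages are constructed so the example runs offline.

```python
"""Pull container-registry vulnerability findings out of Azure Resource Graph
and split them per registry.

Added example, not Microsoft's code: it posts a `securityresources` query to the
same ARG endpoint the comment links to, follows `$skipToken` paging, and groups
rows by registry. The HTTP call is injected, so the example runs offline against
constructed pages; ASSESSMENT_KEY and the projected property names are
assumptions, and the bearer token is a placeholder.
"""
import json
import urllib.request

ARG_ENDPOINT = "https://management.azure.com/providers/Microsoft.ResourceGraph/resources"
API_VERSION = "2021-03-01"
ASSESSMENT_KEY = "ASSESSMENT-KEY-PLACEHOLDER"   # the real key comes from the linked sample

# Query shaped like the linked ARG sample: sub-assessments of the registry
# vulnerability assessment. Property paths under additionalData are assumed.
QUERY = f"""
securityresources
| where type == "microsoft.security/assessments/subassessments"
| extend assessmentKey = extract(@"(?i)providers/Microsoft.Security/assessments/([^/]*)", 1, id)
| where assessmentKey == "{ASSESSMENT_KEY}"
| project registry = tostring(properties.additionalData.registryHost),
          repository = tostring(properties.additionalData.repositoryName),
          severity = tostring(properties.status.severity),
          cve = tostring(properties.id)
"""


def build_request(subscriptions, query, skip_token=None, token="TOKEN-PLACEHOLDER"):
    """Same endpoint and body shape as a `resources` query; only the KQL differs."""
    body = {"subscriptions": subscriptions, "query": query,
            "options": {"resultFormat": "objectArray"}}
    if skip_token:
        body["options"]["$skipToken"] = skip_token
    return urllib.request.Request(
        f"{ARG_ENDPOINT}?api-version={API_VERSION}",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")


def fetch_all(subscriptions, query, post):
    """Collect every row, re-posting with $skipToken until none is returned.
    `post(request) -> dict` performs the HTTP call (see live_post / fake_post)."""
    rows, skip_token = [], None
    while True:
        page = post(build_request(subscriptions, query, skip_token))
        rows.extend(page.get("data", []))
        skip_token = page.get("$skipToken")
        if not skip_token:
            return rows


def group_by_registry(rows):
    """One report per registry, so each owner only receives their own findings."""
    report = {}
    for row in rows:
        report.setdefault(row["registry"], []).append(
            {k: row[k] for k in ("repository", "severity", "cve")})
    return report


def live_post(request):
    """Real call; needs a valid bearer token in the request."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)


# Constructed stand-in for two ARG response pages (CVE ids are placeholders).
_PAGES = {
    None: {"data": [
        {"registry": "contoso.azurecr.io", "repository": "payments/api",
         "severity": "High", "cve": "CVE-0000-0001"},
        {"registry": "fabrikam.azurecr.io", "repository": "web/front",
         "severity": "Medium", "cve": "CVE-0000-0002"}],
        "$skipToken": "page-2"},
    "page-2": {"data": [
        {"registry": "contoso.azurecr.io", "repository": "batch/old",
         "severity": "Critical", "cve": "CVE-0000-0003"}]},
}


def fake_post(request):
    """Offline replacement for live_post that serves the constructed pages."""
    options = json.loads(request.data)["options"]
    return _PAGES[options.get("$skipToken")]


if __name__ == "__main__":
    rows = fetch_all(["SUBSCRIPTION-ID-PLACEHOLDER"], QUERY, fake_post)
    print(json.dumps(group_by_registry(rows), indent=2))
```

Swap `fake_post` for `live_post` (with a real token and subscription list) to run it for real; the paging loop is the part most automation forgets, and without it a registry with many findings gets a silently truncated report.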

  • archieborse For Defender for Cloud, there is already a native data connector in Sentinel. It means you will receive alerts from Defender for Cloud in Sentinel, can create incidents from them or allow for correlation using fusion rules and entities.

    If you want results of the scans from the registries or other details from AKS or ACR, you can simply enable diagnostic settings and forward to the Sentinel Log Analytics workspace. You can then also use that in your Sentinel instance directly. 

  • archieborse
    Copper Contributor

    Good read.. How does this integrate with Sentinel.. and how can we enable SIEM for ACR