Home
%3CLINGO-SUB%20id%3D%22lingo-sub-516874%22%20slang%3D%22en-US%22%3EHow%20to%20Effectively%20Perform%20an%20Azure%20Security%20Center%20PoC%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-516874%22%20slang%3D%22en-US%22%3E%3CP%3EOrganizations%20are%20starting%20to%20realize%20that%20they%20need%20to%20closely%20monitor%20their%20cloud%20security%20posture%2C%20and%20protect%20their%20cloud%20workloads%20against%20threats.%20Azure%20Security%20Center%20covers%20scenarios%20by%20offering%20Cloud%20Security%20Posture%20Management%20(CSPM)%20and%20Cloud%20Workload%20Protection%20Platform%20(CWPP)%20capabilities%20(read%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Identity%2FIntegrating-Azure-Security-Center-with-Azure-Sentinel%2Ftd-p%2F482847%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Ethis%20article%3C%2FA%3E%20for%20more%20details).%3C%2FP%3E%0A%3CP%3ETo%20effectively%20determine%20the%20benefits%20of%20adopting%20Security%20Center%2C%20you%20should%20perform%20a%20Proof%20of%20Concept%20(PoC).%20Even%20before%20enabling%20Security%20Center%20in%20your%20subscription%20and%20start%20validating%20your%20scenarios%2C%20you%20should%20go%20through%20a%20planning%20process%20to%20determine%20a%20series%20of%20tasks%20that%20must%20be%20accomplished%20in%20this%20PoC.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EPlanning%20Each%20Phase%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EUse%20following%20schedule%20to%20perform%20their%20Security%20Center%20PoC.%20Keep%20in%20mind%20that%20this%20is%20an%20example%2C%20and%20each%20organization%20may%20adequate%20this%20according%20to%20their%20needs.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F111773iC2E571EE7500EEE7%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Fig1.PNG%22%20title%3D%22Fig1.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3EThe%20sections%20that%20follow%20will%20explain%20each%20phase%20in%20more%20details.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EPlanning%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EDuring%20the%20planning%20phase%20you%20will%20organize%20a%20meeting%20with%20key%20stakeholders%20of%20this%20PoC.%20At%20minimum%2C%20you%20should%20have%20representatives%20from%20IT%20(mainly%20the%20ones%20that%20are%20responsible%20for%20your%20Cloud%20workloads)%2C%20Security%20Operations%2C%20and%20Security%20Governance.%20The%20intent%20of%20this%20phase%20is%20to%20determine%20the%20answers%20for%20the%20following%20items%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3EScope%20of%20the%20PoC%3C%2FSTRONG%3E%3A%20what%20are%20you%20going%20to%20validate%20on%20this%20PoC%3F%20What%20scenarios%20do%20you%20want%20to%20test%3F%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3ERequirements%3C%2FSTRONG%3E%3A%20based%20on%20the%20scope%2C%20you%20can%20start%20determining%20the%20requirements%20for%20this%20PoC.%20This%20includes%20at%20least%20the%20following%20items%3A%3CUL%3E%0A%3CLI%3EDetermine%20which%20users%20should%20have%20administrative%20and%20read%20access%20to%20the%20subscriptions%20that%20Security%20Center%20will%20be%20enabled.%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-permissions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20as%20a%20reference%20to%20review%20the%20roles%20(RBAC)%20available%20for%20Security%20Center.%3C%2FLI%3E%0A%3CLI%3EIf%20you%20are%20going%20to%20use%20multiple%20subscriptions%2C%20define%20the%20workspace%20model%20(centralized%20or%20distributed).%20In%20Security%20Center%2C%20this%20is%20defined%20using%20the%20%3CEM%3EData%20Collection%3C%2FEM%3E%20tier%2C%20visit%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-enable-data-collection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20for%20more%20information%20about%20the%20options%20available.%3CUL%3E%0A%3CLI%3EIn%20the%20same%20%3CEM%3EData%20Collection%3C%2FEM%3E%20option%2C%20define%20if%20you%20are%20going%20to%20use%20%3CEM%3EAuto%20Provision%3C%2FEM%3E%20or%20not.%20By%20using%20auto%20provision%2C%20the%20MMA%20agent%20will%20be%20automatically%20installed%20in%20the%20VMs%20that%20are%20under%20the%20selected%20subscription%20(preferred%20option).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EIf%20you%20are%20going%20to%20use%20multiple%20subscriptions%2C%20consider%20using%20Management%20Group%20to%20manage%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Ftutorial-security-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ESecurity%20Policy%3C%2FA%3E%20across%20all%20subscriptions.%20For%20more%20information%20about%20this%2C%20read%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-management-groups%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3EIf%20you%20are%20going%20to%20use%20multiple%20subscriptions%20and%20want%20to%20automate%20the%20onboarding%20process%2C%20use%20the%20PowerShell%20examples%20described%20in%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Fprogrammatically-onboard-and-manage-your-subscriptions-in-azure-security-center%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E.%3C%2FLI%3E%0A%3CLI%3EDefine%20which%20resources%20will%20be%20monitored%20during%20the%20POC%20to%20define%20which%20resources%20should%20be%20enabled%20in%20Standard%20Tier%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F111778iBA0ECA4E7BB69CBA%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22Fig2.PNG%22%20title%3D%22Fig2.PNG%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CEM%3ENote%3A%20you%20can%20use%20Standard%20Tier%20free%20for%2030%20days%2C%20therefore%20only%20upgrade%20to%20Standard%20when%20you%20are%20ready%20to%20work%20on%20the%20PoC.%3C%2FEM%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLI%3E%0A%3CLI%3EDetermine%20which%20PaaS%20workloads%20will%20be%20tested.%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-os-coverage%23supported-paas-features%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20to%20determine%20which%20PaaS%20workloads%20are%20supported%20by%20Security%20Center.%3C%2FLI%3E%0A%3CLI%3EDefine%20which%20VMs%20will%20be%20available%20through%20the%20Internet%20(via%20RDP%20or%20SSH)%20to%20test%20functionalities%20such%20as%20JIT%20VM%20Access%2C%20Network%20Map%20and%20Network%20Hardening.%3C%2FLI%3E%0A%3CLI%3EDetermine%20the%20Operating%20System%20for%20the%20VMs%20that%20will%20be%20deployed%20for%20this%20PoC.%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-os-coverage%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20to%20obtain%20the%20list%20of%20supported%20operating%20systems.%20These%20VMs%20can%20be%20in%20Azure%2C%20or%20on-premises.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3EMeasure%20success%3C%2FSTRONG%3E%3A%20this%20is%20something%20very%20important%20to%20establish%20before%20starting%20your%20PoC%2C%20because%20this%20will%20help%20you%20to%20set%20the%20right%20expectation%20and%20based%20on%20that%20expectation%2C%20measure%20if%20your%20PoC%20was%20a%20success%20or%20not.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EAt%20the%20end%20of%20this%20phase%20you%20have%20the%20first%20checkpoint%20(A).%20On%20this%20checkpoint%20you%20should%20document%20the%20following%20items%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EScope%20of%20the%20PoC%2C%20the%20requirements%2C%20timeline%20and%20the%20decision%20of%20how%20you%20will%20measure%20success.%3C%2FLI%3E%0A%3CLI%3ENext%20steps%20of%20the%20PoC%3CUL%3E%0A%3CLI%3EIf%20there%20are%20requirements%20that%20needs%20to%20be%20in%20place%20before%20the%20implementation%2C%20these%20requirements%20must%20be%20listed%20and%20planned%20for%20implementation%3C%2FLI%3E%0A%3CLI%3EThe%20timeline%20for%20implementation%20of%20those%20requirements%20needs%20to%20be%20established%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3EPreparation%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20phase%20will%20focus%20on%20the%20implementation%20of%20the%20requirements.%20When%20going%20through%20those%20requirements%2C%20make%20sure%20to%20document%20everything%20that%20needs%20to%20be%20changed%20in%20the%20environment.%20One%20classic%20example%20is%20when%20the%20members%20of%20the%20Team%20that%20are%20implementing%20Security%20Center%20don%E2%80%99t%20have%20the%20right%20level%20of%20permission%20in%20all%20subscriptions.%20This%20can%20cause%20delays%20if%20the%20team%20that%20is%20implementing%20Security%20Center%20is%20not%20the%20same%20team%20that%20manages%20Azure%20Identity.%20For%20this%20reason%2C%20it%20becomes%20critical%20to%20involve%20the%20right%20stakeholders%20since%20the%20planning%20phase.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20the%20end%20of%20this%20phase%20you%20have%20the%20second%20checkpoint%20(B).%20On%20this%20checkpoint%20you%20should%20document%20the%20following%20items%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EChanges%20that%20were%20performed%20in%20the%20environment%20to%20adequate%20with%20the%20PoC%20requirements.%3C%2FLI%3E%0A%3CLI%3EDefine%20when%20the%20implementation%20phase%20will%20start%3CUL%3E%0A%3CLI%3EThis%20is%20critical%20because%20once%20you%20upgrade%20from%20Free%20to%20Standard%20Tier%2C%20you%20have%2030%20days%20free%20trial%2C%20and%20you%20should%20ensure%20that%20you%20utilize%20those%20days%20to%20validate%20all%20scenarios.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EImplementation%20and%20validation%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3ENow%20you%20are%20ready%20to%20flip%20the%20switch%20and%20upgrade%20from%20Free%20to%20Standard%20tier%2C%20and%20once%20you%20do%20that%20the%20next%20step%20is%20the%20implementation%20of%20the%20scenarios%20that%20you%20established%20during%20the%20planning%20phase.%20Here%20are%20the%20most%20common%20scenarios%20that%20are%20covered%20during%20a%20PoC%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3EScenario%201%3A%20Security%20Posture%20Management%3C%2FU%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnsure%20that%20you%20are%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Identity%2FUsing-Azure-Security-Center-Secure-Score-to-Strength-your%2Ftd-p%2F461308%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3Edriving%20your%20secure%20score%20up%3C%2FA%3E%20by%20addressing%20the%20recommendations%20raised%20by%20ASC.%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-secure-score%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20for%20more%20information%20about%20%3CEM%3ESecure%20Score%3C%2FEM%3E.%3CUL%3E%0A%3CLI%3ETo%20drive%20your%20secure%20score%20up%2C%20you%20need%20to%20review%20security%20recommendations%20for%20the%20different%20workloads%20and%20follow%20the%20remediation%20steps%20to%20address%20them.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3EReview%20your%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-network-recommendations%23understanding-the-network-map%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ENetwork%20Map%3C%2FA%3E%20to%20ensure%20that%20you%20are%20addressing%20network%20related%20recommendations%20for%20the%20Internet%20facing%20endpoints.%3C%2FLI%3E%0A%3CLI%3EIf%20the%20workloads%20that%20are%20going%20to%20be%20tested%20in%20this%20PoC%20need%20to%20be%20compliant%20with%20PCI%20DSS%203.2%2C%20ISO%2027001%20or%20SOC%20TSP%2C%20make%20sure%20to%20review%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-compliance-dashboard%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3ERegulatory%20Compliance%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3EScenario%202%3A%20Reducing%20the%20Attack%20Surface%3C%2FU%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnable%20JIT%20VM%20access%20for%20Internet%20facing%20VMs%20and%20test%20the%20functionality.%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-just-in-time%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20as%20a%20reference%20to%20perform%20the%20configuration%2Fvalidation.%3C%2FLI%3E%0A%3CLI%3EUse%20Adaptive%20Application%20Control%20to%20review%20the%20list%20of%20apps%20that%20should%20be%20whitelisted.%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-adaptive-application%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20as%20a%20reference%20to%20understand%20and%20implement%20this%20feature.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3EScenario%203%3A%20Threat%20Detection%20%26amp%3B%20Response%3C%2FU%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEnable%20File%20Integrity%20Monitoring%20in%20your%20workspace%20to%20track%20changes%20to%20files%20and%20registry%20keys.%20Use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fsecurity-center%2Fsecurity-center-file-integrity-monitoring%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%20article%3C%2FA%3E%20as%20a%20reference%20to%20configure%20this%20feature.%3C%2FLI%3E%0A%3CLI%3EYou%20can%20use%20the%20following%20guides%20to%20simulate%20attacks%20against%20the%20VMs%20and%20see%20how%20Azure%20Security%20Center%20will%20trigger%20Security%20Alerts%3A%3CUL%3E%0A%3CLI%3EFor%20Windows%20%3CA%20href%3D%22https%3A%2F%2Fgallery.technet.microsoft.com%2FAzure-Security-Center-549aa7a4%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgallery.technet.microsoft.com%2FAzure-Security-Center-549aa7a4%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3EFor%20Linux%20%3CA%20href%3D%22https%3A%2F%2Fgallery.technet.microsoft.com%2FAzure-Security-Center-0ac8a5ef%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgallery.technet.microsoft.com%2FAzure-Security-Center-0ac8a5ef%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3ECreate%20workflow%20automation%20using%20Playbooks%20to%20run%20once%20you%20receive%20an%20alert.%20You%20can%20use%20the%20examples%20below%20as%20a%20reference%3A%3CUL%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Identity%2FAutomate-Azure-Security-Center-actions-with-Playbooks-and%2Ftd-p%2F264843%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3EAutomate%20Azure%20Security%20Center%20actions%20with%20Playbooks%20and%20ServiceNow%3C%2FA%3E%3C%2FLI%3E%0A%3CLI%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FSecurity-Identity%2FAzure-Security-Center-amp-automatic-creation-of-an-incident-in%2Ftd-p%2F264875%22%20target%3D%22_blank%22%20rel%3D%22noopener%22%3EAzure%20Security%20Center%20%26amp%3B%20automatic%20creation%20of%20an%20incident%20in%20ServiceNow%3C%2FA%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20the%20end%20of%20this%20phase%20you%20have%20the%20third%20checkpoint%20(C).%20On%20this%20checkpoint%20you%20should%20document%20the%20following%20items%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EEach%20scenario%20that%20was%20tested%20and%20its%20results%3C%2FLI%3E%0A%3CLI%3EThe%20learnings%20from%20each%20scenario.%20These%20learning%20can%20be%20used%20to%20determine%20if%20you%20foresee%20any%20roadblock%20that%20can%20delay%20the%20Security%20Center%20adoption%20in%20the%20production%20environment%20and%20how%20to%20overcome%20those%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EConclusion%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EThis%20is%20the%20final%20phase%20of%20the%20PoC%2C%20and%20it%20is%20strategically%20done%205%20days%20before%20you%20reach%20the%2030%20days%20trial%2C%20and%20the%20reason%20for%20that%20is%20because%20you%20want%20to%20have%20a%20spare%20time%20to%20make%20your%20final%20decision%20if%20you%20want%20to%20keep%20using%20Security%20Center%20Standard%20Tier%20or%20not%2C%20and%20if%20not%20you%20can%20rollback%20to%20Free%20tier.%20This%20is%20the%20time%20to%20re-engage%20the%20stakeholders%2C%20present%20the%20results%2C%20and%20the%20benefits%20of%20adopting%20Security%20Center%20in%20production.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAt%20the%20end%20of%20this%20phase%20you%20have%20the%20last%20checkpoint%20(D).%20On%20this%20checkpoint%20you%20should%20document%20the%20following%20items%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EFinal%20PoC%20report%3C%2FLI%3E%0A%3CLI%3EFinal%20decision%20regarding%20Security%20Center%20Standard%20Tier%20adoption%3C%2FLI%3E%0A%3CLI%3ESummary%20of%20the%20next%20steps%2C%20which%20needs%20to%20include%20the%20final%20considerations%20of%20Security%20Center%20adoption%20in%20production%20and%20across%20all%20subscriptions%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-516874%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20Center%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-741479%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20Effectively%20Perform%20an%20Azure%20Security%20Center%20PoC%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-741479%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F124214%22%20target%3D%22_blank%22%3E%40Yuri%20Diogenes%3C%2FA%3E%2C%20just%20wondering%20if%20you%20might%20have%20anyone%20along%20at%20the%20RSA%20Conference%20in%20Singapore%20in%20a%20few%20weeks%3F%20I'll%20be%20there%20focusing%20on%20the%20Microsoft%20side%20of%20things...%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-752615%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20Effectively%20Perform%20an%20Azure%20Security%20Center%20PoC%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-752615%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F129396%22%20target%3D%22_blank%22%3E%40David%20Caddick%3C%2FA%3E-%20sorry%20the%20delay%2C%20I%20checked%20but%20I%20don't%20have%20any%20contact%20going%20to%20this%20conference.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Organizations are starting to realize that they need to closely monitor their cloud security posture, and protect their cloud workloads against threats. Azure Security Center covers scenarios by offering Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) capabilities (read this article for more details).

To effectively determine the benefits of adopting Security Center, you should perform a Proof of Concept (PoC). Even before enabling Security Center in your subscription and start validating your scenarios, you should go through a planning process to determine a series of tasks that must be accomplished in this PoC.

 

Planning Each Phase

Use following schedule to perform their Security Center PoC. Keep in mind that this is an example, and each organization may adequate this according to their needs.

 

Fig1.PNG

The sections that follow will explain each phase in more details.

 

Planning

During the planning phase you will organize a meeting with key stakeholders of this PoC. At minimum, you should have representatives from IT (mainly the ones that are responsible for your Cloud workloads), Security Operations, and Security Governance. The intent of this phase is to determine the answers for the following items:

 

  • Scope of the PoC: what are you going to validate on this PoC? What scenarios do you want to test?
  • Requirements: based on the scope, you can start determining the requirements for this PoC. This includes at least the following items:
    • Determine which users should have administrative and read access to the subscriptions that Security Center will be enabled. Use this article as a reference to review the roles (RBAC) available for Security Center.
    • If you are going to use multiple subscriptions, define the workspace model (centralized or distributed). In Security Center, this is defined using the Data Collection tier, visit this article for more information about the options available.
      • In the same Data Collection option, define if you are going to use Auto Provision or not. By using auto provision, the MMA agent will be automatically installed in the VMs that are under the selected subscription (preferred option).
    • If you are going to use multiple subscriptions, consider using Management Group to manage Security Policy across all subscriptions. For more information about this, read this article.
    • If you are going to use multiple subscriptions and want to automate the onboarding process, use the PowerShell examples described in this article.
    • Define which resources will be monitored during the POC to define which resources should be enabled in Standard Tier:

      Fig2.PNG
      Note: you can use Standard Tier free for 30 days, therefore only upgrade to Standard when you are ready to work on the PoC.

    • Determine which PaaS workloads will be tested. Use this article to determine which PaaS workloads are supported by Security Center.
    • Define which VMs will be available through the Internet (via RDP or SSH) to test functionalities such as JIT VM Access, Network Map and Network Hardening.
    • Determine the Operating System for the VMs that will be deployed for this PoC. Use this article to obtain the list of supported operating systems. These VMs can be in Azure, or on-premises.
  • Measure success: this is something very important to establish before starting your PoC, because this will help you to set the right expectation and based on that expectation, measure if your PoC was a success or not.

At the end of this phase you have the first checkpoint (A). On this checkpoint you should document the following items:

 

  • Scope of the PoC, the requirements, timeline and the decision of how you will measure success.
  • Next steps of the PoC
    • If there are requirements that needs to be in place before the implementation, these requirements must be listed and planned for implementation
    • The timeline for implementation of those requirements needs to be established

Preparation

This phase will focus on the implementation of the requirements. When going through those requirements, make sure to document everything that needs to be changed in the environment. One classic example is when the members of the Team that are implementing Security Center don’t have the right level of permission in all subscriptions. This can cause delays if the team that is implementing Security Center is not the same team that manages Azure Identity. For this reason, it becomes critical to involve the right stakeholders since the planning phase.

 

At the end of this phase you have the second checkpoint (B). On this checkpoint you should document the following items:

  • Changes that were performed in the environment to adequate with the PoC requirements.
  • Define when the implementation phase will start
    • This is critical because once you upgrade from Free to Standard Tier, you have 30 days free trial, and you should ensure that you utilize those days to validate all scenarios.

 

Implementation and validation

Now you are ready to flip the switch and upgrade from Free to Standard tier, and once you do that the next step is the implementation of the scenarios that you established during the planning phase. Here are the most common scenarios that are covered during a PoC:

 

Scenario 1: Security Posture Management

  • Ensure that you are driving your secure score up by addressing the recommendations raised by ASC. Use this article for more information about Secure Score.
    • To drive your secure score up, you need to review security recommendations for the different workloads and follow the remediation steps to address them.
  • Review your Network Map to ensure that you are addressing network related recommendations for the Internet facing endpoints.
  • If the workloads that are going to be tested in this PoC need to be compliant with PCI DSS 3.2, ISO 27001 or SOC TSP, make sure to review the Regulatory Compliance

 

Scenario 2: Reducing the Attack Surface

  • Enable JIT VM access for Internet facing VMs and test the functionality. Use this article as a reference to perform the configuration/validation.
  • Use Adaptive Application Control to review the list of apps that should be whitelisted. Use this article as a reference to understand and implement this feature.

 

Scenario 3: Threat Detection & Response

 

At the end of this phase you have the third checkpoint (C). On this checkpoint you should document the following items:

  • Each scenario that was tested and its results
  • The learnings from each scenario. These learning can be used to determine if you foresee any roadblock that can delay the Security Center adoption in the production environment and how to overcome those

 

Conclusion

This is the final phase of the PoC, and it is strategically done 5 days before you reach the 30 days trial, and the reason for that is because you want to have a spare time to make your final decision if you want to keep using Security Center Standard Tier or not, and if not you can rollback to Free tier. This is the time to re-engage the stakeholders, present the results, and the benefits of adopting Security Center in production.

 

At the end of this phase you have the last checkpoint (D). On this checkpoint you should document the following items:

  • Final PoC report
  • Final decision regarding Security Center Standard Tier adoption
  • Summary of the next steps, which needs to include the final considerations of Security Center adoption in production and across all subscriptions

 

2 Comments
Frequent Contributor

Hi @Yuri Diogenes, just wondering if you might have anyone along at the RSA Conference in Singapore in a few weeks? I'll be there focusing on the Microsoft side of things...

Microsoft

Hi @David Caddick - sorry the delay, I checked but I don't have any contact going to this conference.