Thanks for tuning back into our Microsoft Defender for Cloud Security Control Series, where we dive into different Secure Controls within Defender for Cloud's Secure Score. This post is dedicated to the Remediate Security Configurations Secure Control. As previously mentioned, organizations face different kinds of threats and the need to keep infrastructure, apps and devices secure is essential across the business. Misconfigurations at any level in infrastructure, operating systems (OS) and network appliances lead to a heightened risk of attack. This security control enables Defender for Cloud to list possible misconfigurations within your environment. Remediate Security Configurations can provide a maximum four-point score increase to your secure score.
At the time this blog was written, the Remediate Security Configurations control includes the following recommendations:
- Log Analytics agent should be installed on your virtual machines
- Log Analytics agent health issues should be resolved on your machines
- Vulnerabilities in security configuration on your machines should be remediated
- Log Analytics agent should be installed on virtual machine scale sets
- Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
- Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters (preview)
- Overriding or disabling of containers AppArmor profile should be restricted (preview)
- Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
- Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
Explanation of recommendations
Every organization’s environment is made up of resources that need to be kept secure to maintain the security hygiene of the company. For a more in-depth look at how Defender for Cloud can help you maintain those resources, keep reading!
Log Analytics agent should be installed on your virtual machines
Defender for Cloud monitors and collects data from virtual machines (VMs) using the Log Analytics agent. The agent reads security-related configurations and event logs from the machine and copies only the necessary data to your Log Analytics workspace. This data gives Defender for Cloud visibility into missing updates, misconfigured OS security settings, endpoint protection status and health, and threat protection. Data collection is only needed for compute resources. Configuring auto-provisioning for these machines is recommended: with auto-provisioning turned on, Defender for Cloud deploys the Log Analytics agent to all existing Azure VMs in the subscription and to any VMs created in it later.
Although automatic installation is recommended, the agent can also be installed manually. When installing the agent manually on an Azure VM, download the latest version of the agent to ensure that it functions properly.
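The subscription-level switch described above can be set and verified from Azure PowerShell. The following is an added example, not code from the original post or from Microsoft: it enables auto-provisioning, reads the setting back, and then reports every VM whose agent extension is missing or not in a succeeded state, which is the population you would otherwise walk through by hand after a manual install. It assumes the Az.Security and Az.Compute modules, a signed-in session, and a placeholder subscription id.

```powershell
# Added example (not from the original post): enable auto-provisioning of the Log Analytics
# agent, confirm it, and list VMs that still lack a healthy agent extension.
# Requires Az.Security and Az.Compute and an authenticated session (Connect-AzAccount).
# <subscription-id> is a placeholder.

Set-AzContext -Subscription '<subscription-id>' | Out-Null

# 1. Enable auto-provisioning; 'default' is the name of the subscription-level setting
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

# 2. Read it back: AutoProvision should now show 'On'
Get-AzSecurityAutoProvisioningSetting -Name 'default' | Select-Object Name, AutoProvision

# 3. Find VMs whose agent extension is absent or not in a succeeded state.
#    The extension type depends on the OS: MicrosoftMonitoringAgent (Windows) or OmsAgentForLinux (Linux).
$agentTypes = 'MicrosoftMonitoringAgent', 'OmsAgentForLinux'
$report = foreach ($vm in Get-AzVM) {
    $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtensionType -in $agentTypes } |
        Select-Object -First 1
    [pscustomobject]@{
        VM            = $vm.Name
        ResourceGroup = $vm.ResourceGroupName
        OsType        = $vm.StorageProfile.OsDisk.OsType
        AgentState    = if ($ext) { $ext.ProvisioningState } else { 'Missing' }
        AgentVersion  = if ($ext) { $ext.TypeHandlerVersion } else { $null }
    }
}

# Only the machines that need attention; compare AgentVersion against the current release
$report | Where-Object { $_.AgentState -ne 'Succeeded' } | Format-Table -AutoSize
```

Auto-provisioning only acts on VMs it can reach, so a machine that shows up as `Missing` after the setting has been on for a while is usually one with a failed extension deployment or a manually installed, outdated agent; the health recommendation below is where Defender for Cloud reports the reason.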
Log Analytics agent health issues should be resolved on your machines
Installing the agent is not enough; it also needs to be configured correctly so that your machines are properly monitored. If you are wondering how to tell whether the agent is set up correctly, this recommendation is here to tell you. When viewing it, click the Unhealthy Resources tab to see which VMs do not have the agent properly installed. If any agents were installed manually, first verify that the latest version of the agent is in use. After confirming that, check the "Reason" column, which guides you in remediating each machine.
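The Unhealthy Resources list and its "Reason" column are also available outside the portal through Azure Resource Graph, which is useful when the list is long or needs to feed a ticketing process. The query below is an added example, not part of the original post or of Microsoft's documentation. It pulls every unhealthy assessment whose display name contains "Log Analytics agent", so it covers the VM, scale set and Azure Arc variants of the recommendation discussed on this page at once. It assumes the Az.ResourceGraph module and the `securityresources` table fields `properties.status.code`, `properties.status.cause`, `properties.status.description` and `properties.resourceDetails.Id`; verify the column names against your tenant's data before relying on them.

```powershell
# Added example (not from the original post): export the unhealthy resources and
# reasons for the Log Analytics agent recommendations with Azure Resource Graph.
# Requires the Az.ResourceGraph module and an authenticated session.

$query = @"
securityresources
| where type == 'microsoft.security/assessments'
| extend displayName = tostring(properties.displayName),
         statusCode  = tostring(properties.status.code),
         cause       = tostring(properties.status.cause),
         description = tostring(properties.status.description),
         resourceId  = tostring(properties.resourceDetails.Id)
| where displayName has 'Log Analytics agent'
| where statusCode == 'Unhealthy'
| project displayName, resourceId, cause, description
| order by displayName asc, resourceId asc
"@

# -UseTenantScope walks all subscriptions you can read; drop it to stay in the current context
$results = Search-AzGraph -Query $query -First 1000 -UseTenantScope

# Summary: which of the agent recommendations is costing the most secure score points
$results |
    Group-Object displayName |
    ForEach-Object { [pscustomobject]@{ Recommendation = $_.Name; UnhealthyCount = $_.Count } } |
    Sort-Object UnhealthyCount -Descending |
    Format-Table -AutoSize

# Detail: resource id plus the same reason text the portal shows, ready to hand to owners
$results | Export-Csv -Path .\log-analytics-agent-unhealthy.csv -NoTypeInformation
```

Resource Graph returns at most 1,000 rows per call; for larger estates page through the results with `-Skip`, or narrow the `has` filter to one recommendation at a time.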
Vulnerabilities in security configuration on your machines should be remediated
This recommendation covers the security configuration of your machines. Here the focus is on vulnerabilities in the configuration of the machine’s operating system (OS).
Clicking on this recommendation takes you to the screen below. This page lists the VMs in your environment whose OS configurations do not align with Defender for Cloud’s recommended settings. In the environment shown, the VMs have failed 246 OS configuration rules in total. The number of failed rules is broken down by machine type, Linux or Windows, and the rules are further broken down by severity and type.
In the Operating System tab, the column titled "State" shows the state of each OS vulnerability; it reads "open" while the vulnerability has not yet been resolved. Defender for Cloud uses Common Configuration Enumeration (CCE), which assigns a unique identifier to each security-related system configuration issue, as shown in the CCeId column.
Log Analytics agent should be installed on virtual machine scale sets
We have encountered our good friend, the Log Analytics agent, once again. If you want to avoid updating numerous virtual machines in your environment one by one, virtual machine scale sets are the way to go! Virtual machine scale sets let you manage, update and configure multiple virtual machines as a unit. Scale sets support up to 1,000 VM instances, or up to 600 instances if you create and upload your own custom virtual machine images. To give Defender for Cloud access to the security configurations of your scale sets and an accurate view of your environment’s security hygiene, the Log Analytics agent should also be installed on your virtual machine scale sets. Auto-provisioning of the agent for Azure virtual machine scale sets is currently not available.
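Because auto-provisioning does not cover scale sets, the agent has to be added to the scale set model and rolled out to the instances yourself. The script below is an added example, not code from the original post or from Microsoft: it adds the Log Analytics extension to a scale set, writes the model back, and upgrades the instances when the scale set uses manual upgrade mode, which is the step most often forgotten. It assumes the Az.Compute and Az.OperationalInsights modules, placeholder resource names, and the handler versions shown in the comments, which you should check against the current release.

```powershell
# Added example (not from the original post): install the Log Analytics extension on a
# virtual machine scale set and make sure the running instances actually receive it.
# Requires Az.Compute and Az.OperationalInsights. <...> values are placeholders.

$rg       = '<scale-set-rg>'
$vmssName = '<scale-set-name>'
$wsRg     = '<workspace-rg>'
$wsName   = '<workspace-name>'

$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $wsRg -Name $wsName
$keys      = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $wsRg -Name $wsName
$vmss      = Get-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName

# Extension type and handler version depend on the OS of the scale set image
# (assumption: handler versions '1.0' / '1.13'; confirm the current values before use)
$isWindows = $vmss.VirtualMachineProfile.StorageProfile.OsDisk.OsType -eq 'Windows'
$extType   = if ($isWindows) { 'MicrosoftMonitoringAgent' } else { 'OmsAgentForLinux' }
$extVer    = if ($isWindows) { '1.0' } else { '1.13' }

# Add the extension to the scale set model; the workspace key goes in protected settings
$vmss = Add-AzVmssExtension -VirtualMachineScaleSet $vmss `
    -Name $extType -Publisher 'Microsoft.EnterpriseCloud.Monitoring' -Type $extType `
    -TypeHandlerVersion $extVer -AutoUpgradeMinorVersion $true `
    -Setting @{ workspaceId = $workspace.CustomerId.ToString() } `
    -ProtectedSetting @{ workspaceKey = $keys.PrimarySharedKey }

# Persist the updated model
Update-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName -VirtualMachineScaleSet $vmss | Out-Null

# With Manual upgrade mode the instances keep the old model until they are upgraded,
# so the recommendation would stay unhealthy even though the model now has the agent
if ($vmss.UpgradePolicy.Mode -eq 'Manual') {
    Update-AzVmssInstance -ResourceGroupName $rg -VMScaleSetName $vmssName -InstanceId '*'
}

# Confirm the extension is now part of the model
(Get-AzVmss -ResourceGroupName $rg -VMScaleSetName $vmssName).VirtualMachineProfile.ExtensionProfile.Extensions |
    Select-Object Name, Type, TypeHandlerVersion
```

Instances created by future scale-out operations pick the extension up from the model automatically; only the instances that existed before the model change need the upgrade step.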
Vulnerabilities in security configuration on your virtual machine scale sets should be remediated
Remediating security configurations doesn’t stop at the individual VM. Vulnerabilities in the security configuration of VM scale sets also need to be remediated to protect them from attack. Clicking on an unhealthy scale set gives you the list of rules, with descriptions, that the scale set did not meet.
Azure Policy Add-on for Kubernetes should be installed and enabled on your clusters (Preview)
Azure Policy for Kubernetes safeguards your clusters by managing and reporting their compliance state. The add-on uses Gatekeeper v3 from Open Policy Agent (OPA) to receive the policies assigned to the cluster, apply them to your Kubernetes cluster and report the details back to Azure Policy.
This recommendation comes with a Quick Fix button that lets you deploy the Azure Policy add-on for AKS with only a couple of clicks. The installation can also be completed manually. Azure Policy then lets you assign built-in policy definitions to your Kubernetes clusters where you see fit.
Overriding or disabling of containers AppArmor profile should be restricted (Preview)
Application Armor, or AppArmor, is a Linux security module that protects an OS and its applications from both external and internal security threats. A system administrator can restrict a program’s capabilities by associating it with an AppArmor security profile, which limits the program’s access to and privileges over different resources. To protect the containers running on your Kubernetes cluster, they should be restricted to allowed AppArmor profiles only.
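The two Kubernetes recommendations above fit together: the add-on is the enforcement point, and the AppArmor restriction is one of the built-in definitions you assign through it. The script below is an added example, not code from the original post or from Microsoft, showing the manual route for both steps in Azure PowerShell. It assumes the Az.Aks and Az.Resources modules and placeholder cluster names; it also assumes that `Enable-AzAksAddOn` accepts the add-on name `AzurePolicy`, that the built-in definition is titled "Kubernetes cluster containers should only use allowed AppArmor profiles", and that its parameters are named `effect` and `allowedProfiles`, all of which you should confirm in your tenant before running it.

```powershell
# Added example (not from the original post): enable the Azure Policy add-on on an AKS
# cluster, then assign the built-in policy restricting containers to allowed AppArmor profiles.
# Requires Az.Aks and Az.Resources. <...> values are placeholders.
# Assumptions to confirm: add-on name 'AzurePolicy', the policy display name, and the
# 'effect' / 'allowedProfiles' parameter names.

$rg          = '<cluster-rg>'
$clusterName = '<cluster-name>'

# 1. Turn on the Azure Policy add-on (what the portal's Quick Fix does for you)
Enable-AzAksAddOn -ResourceGroupName $rg -ClusterName $clusterName -Name 'AzurePolicy'

# 2. Look the built-in definition up by display name instead of hard-coding its GUID
$displayName = 'Kubernetes cluster containers should only use allowed AppArmor profiles'
$definition  = Get-AzPolicyDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -eq $displayName }   # newer Az.Resources exposes $_.DisplayName
if (-not $definition) { throw "Built-in policy '$displayName' not found" }

# 3. Assign it at cluster scope. Start in 'audit' to see which workloads would be blocked,
#    then move to 'deny' once every container sets a profile from the allowed list.
$cluster = Get-AzAksCluster -ResourceGroupName $rg -Name $clusterName
New-AzPolicyAssignment -Name 'restrict-apparmor-profiles' `
    -DisplayName 'Containers must use an allowed AppArmor profile' `
    -Scope $cluster.Id `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{
        effect          = 'audit'
        allowedProfiles = @('runtime/default')
    } | Out-Null

# 4. Verify the assignment exists on the cluster
Get-AzPolicyAssignment -Scope $cluster.Id | Select-Object Name
```

Gatekeeper evaluates new and updated pods, so existing pods are only reported on the next compliance scan; plan a rollout window before switching the effect to `deny`, or pods without an allowed profile will be rejected at admission.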
Log Analytics agent should be installed on your Linux-based Azure Arc machines (Preview)
Linux-based machines onboarded through Azure Arc should also have the Log Analytics agent. Although a machine onboarded through Azure Arc may be a VM hosted on-premises or in another Cloud Solution Provider (CSP), it still needs the Log Analytics agent for Defender for Cloud to monitor its security configuration and workloads. The Quick Fix button can install the agent with a single click, or you can install the agent manually by following the remediation steps.
Log Analytics agent should be installed on your Windows-based Azure Arc machines (Preview)
Like Linux-based machines, Windows-based machines onboarded through Azure Arc also need the Log Analytics agent. A Quick Fix button is available here as well to install the agent, along with the option to install it manually on Windows-based machines.
Conclusion
The Remediate security configurations control is not a one-time fix. As you continue to onboard machines into your environment, these recommendations should be revisited to make sure you’re keeping up with the security hygiene of your machines. Improving the security hygiene of your VMs and infrastructure is another great step forward in improving your overall security posture and increasing your secure score.
P.S. Consider joining our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by Azure Security experts.
Acknowledgements
Reviewer: Yuri Diogenes, Principal PM for ASC CxE Team
Contributor: @Kerinne Browne
Thank you so much for assisting me in writing this blog post!