Security Control: Apply System Updates
Published Feb 26 2021 08:10 AM
Microsoft

As part of our recent Microsoft Defender for Cloud Blog Series, we are diving into the different controls within Secure Score. In this post we discuss the security control Apply System Updates.

[Image 1]

System updates bring new and enhanced features, deliver security fixes and greater compatibility, and in general a better user experience, all of which help improve your security posture. Microsoft Defender for Cloud turns this into several recommendations, depending on the resource types you have, which come with Quick Fixes and show you the big picture of your environment so you can act. Let’s drill into some of the recommendations for this control.


Note
Two recommendations from this security control are being deprecated. Learn more in the Microsoft Docs article Important changes coming to Azure Security Center.


Log Analytics agent should be installed on…

Microsoft Defender for Cloud collects data using the Log Analytics agent (formerly known as the Microsoft Monitoring Agent, MMA), which reads security-related configurations and event logs and sends them to a Log Analytics workspace. Depending on the resource types you have, you may come across this recommendation for virtual machines, virtual machine scale sets, and Windows-based and Linux-based Azure Arc machines (Preview). The mapped policies audit whether the Log Analytics agent is installed.

[Image 2]

This recommendation comes with a Quick Fix button that installs the MMA extension. The workspace ID is requested once the remediation script is triggered, and the remediation passes the VM name, location and workspace ID as deployment parameters:


"parameters": {
      "vmName": {
        "value": "resourceName"
      },
      "location": {
        "value": "resourceLocation"
      },
      "logAnalytics": {
        "value": "workspaceId"
      }
    }


You can also use an ARM template or Azure Policy to manage the extension deployment to Arc servers. Learn more about the Log Analytics agent for Linux or the Log Analytics agent for Windows. For the various ways to install and configure the Log Analytics agent, see this article.
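
The same installation can be scripted outside the portal. The following Azure PowerShell script is an added example, not code from the post or from Microsoft Defender for Cloud: it takes the same three inputs the Quick Fix asks for (VM name, location and workspace), resolves the workspace ID and key, and deploys the matching agent extension for a Windows or Linux VM. It assumes the Az.Compute and Az.OperationalInsights modules and an authenticated session; all resource and workspace names are placeholders, and the Linux extension version is an assumed value to check against the current extension catalogue.

```powershell
# Added example (not from the original post): deploy the Log Analytics agent
# extension to an existing Azure VM with the inputs the Quick Fix asks for.
# Requires Az.Compute, Az.OperationalInsights and Connect-AzAccount beforehand.
# Resource names below are placeholders.

param(
    [string]$ResourceGroupName      = "rg-placeholder",
    [string]$VmName                 = "vm-placeholder",
    [string]$WorkspaceResourceGroup = "rg-loganalytics-placeholder",
    [string]$WorkspaceName          = "law-placeholder"
)

# Resolve the workspace ID (CustomerId GUID) and primary shared key. The key
# goes into protectedSettings so it cannot be read back from the extension.
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceResourceGroup -Name $WorkspaceName
$keys      = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $WorkspaceResourceGroup -Name $WorkspaceName

$vm = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VmName

# The agent ships as two different extensions; pick one by the VM's OS type.
if ($vm.StorageProfile.OsDisk.OsType -eq "Windows") {
    $extensionType = "MicrosoftMonitoringAgent"
    $typeVersion   = "1.0"
} else {
    $extensionType = "OmsAgentForLinux"
    $typeVersion   = "1.13"   # assumed; verify against the published extension versions
}

Set-AzVMExtension -ResourceGroupName $ResourceGroupName `
    -VMName $VmName `
    -Location $vm.Location `
    -Name $extensionType `
    -Publisher "Microsoft.EnterpriseCloud.Monitoring" `
    -ExtensionType $extensionType `
    -TypeHandlerVersion $typeVersion `
    -Settings @{ workspaceId = $workspace.CustomerId } `
    -ProtectedSettings @{ workspaceKey = $keys.PrimarySharedKey }

# Verify: ProvisioningState should read "Succeeded" once the agent is installed.
Get-AzVMExtension -ResourceGroupName $ResourceGroupName -VMName $VmName -Name $extensionType |
    Select-Object Name, ProvisioningState
```

Running this for every VM that shows up as unhealthy is equivalent to pressing the Quick Fix for each of them; for fleets, the Azure Policy route mentioned above keeps new VMs covered without a script run.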


System updates should be installed on your virtual machines

This recommendation doesn’t come with a Quick Fix button, but it does come with the Exempt feature, so you can set an exemption for specific resources, either because you have already mitigated the issue through a third-party service or because you accept the risk and grant a waiver. From Microsoft Defender for Cloud you can see the outstanding updates of the unhealthy resources. The KB ID is provided as well, so you can look up the details of each update and the impact it may have.

[Image 3]

System updates on virtual machine scale sets should be installed

The information shown by this recommendation is similar to that for VMs, but there are a few differences (see Image 4). To check the security updates, click on the VMSS; this takes you to the query dashboard of its Log Analytics workspace, where a query runs automatically and displays each missing update together with its count, since a scale set has multiple instances (see Image 5). At this point there are only manual remediation steps to follow, based on the corresponding Knowledge Base (KB) article ID. Nevertheless, a Trigger Logic App option is available in case you want to build an automation to remediate it.

[Image 4]

[Image 5]
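
The per-update view described for both the VM and the scale set recommendations can be reproduced directly against the workspace the agent reports to. The script below is an added example, not the query Defender for Cloud deploys nor code from the post: it runs a KQL query over the Update table that the Log Analytics agent populates, collapses repeated assessments to the latest one per machine, and returns one row per missing KB with the number of machines that still need it, which is the count shown for scale sets. It assumes the Az.OperationalInsights module and an authenticated session; the workspace names and the optional instance-name prefix are placeholders.

```powershell
# Added example (not from the original post): list updates still missing on
# VMs and scale set instances reporting to a Log Analytics workspace, grouped
# by KB ID. Requires Az.OperationalInsights and Connect-AzAccount beforehand.
# Names below are placeholders.

param(
    [string]$WorkspaceResourceGroup = "rg-loganalytics-placeholder",
    [string]$WorkspaceName          = "law-placeholder",
    # Optional: restrict to one scale set via its instance-name prefix (e.g. "vmss-web")
    [string]$ComputerPrefix         = ""
)

$workspace = Get-OperationalInsightsWorkspaceSafe -ErrorAction SilentlyContinue
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $WorkspaceResourceGroup -Name $WorkspaceName

# Only add the prefix filter when a prefix was given.
$prefixFilter = if ($ComputerPrefix) { "| where Computer startswith `"$ComputerPrefix`"" } else { "" }

# KQL against the Update table written by the Log Analytics agent:
#   UpdateState == "Needed"  -> assessed as missing on that machine
#   Optional == false        -> ignore optional updates
#   arg_max(...)             -> keep only the latest assessment per machine and update
$kql = @"
Update
| where TimeGenerated > ago(1d)
| where UpdateState == "Needed" and Optional == false
$prefixFilter
| summarize arg_max(TimeGenerated, *) by Computer, UpdateID
| summarize MachinesMissing = dcount(Computer), Machines = make_set(Computer, 20)
    by KBID, Title, Classification
| order by MachinesMissing desc, KBID asc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $kql

# One row per outstanding update; MachinesMissing is the per-KB count.
$result.Results | Format-Table KBID, Classification, MachinesMissing, Title -AutoSize
```

The Machines column keeps up to twenty instance names per KB, which is enough to tell whether a scale set is missing an update uniformly or only on instances created before the image was refreshed; the KBID column is the value to take to the Knowledge Base article when deciding how to remediate.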


OS version should be updated for your cloud service roles

If you have a cloud service role (classic), you may come across this recommendation. The Exempt feature is also available here. By default, Azure periodically updates your guest OS to the latest supported image within the OS family you specified in your service configuration; choosing a specific OS version disables automatic OS updates, and that is when this recommendation comes in handy. To learn more about how to resolve it, follow this article.


Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version

This recommendation appears if your Kubernetes service cluster must be upgraded to a later Kubernetes version (at the time this article was written, the latest were 1.11.9+, 1.12.7+, 1.13.5+ and 1.14.0+) to protect against known vulnerabilities in the current version. For a tutorial on how to do this, see this article.
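
A quick way to check a cluster against the patch levels listed above, and to apply the upgrade once the tutorial's prerequisites are met, is the following Azure PowerShell script. It is an added example, not code from the post or from Microsoft Defender for Cloud: it reads the cluster's current Kubernetes version, compares it with the minimum patch level for its minor release from the list in the paragraph above, and only upgrades when the -Upgrade switch is given. It assumes the Az.Aks module and an authenticated session; the resource group and cluster names are placeholders, and the version table reflects the numbers in this post at the time it was written, not the current AKS support policy.

```powershell
# Added example (not from the original post): compare an AKS cluster's version
# with the minimum patch level per minor release listed in the post and,
# on request, upgrade it. Requires Az.Aks and Connect-AzAccount beforehand.
# Resource group and cluster names are placeholders.

param(
    [string]$ResourceGroupName = "rg-placeholder",
    [string]$ClusterName       = "aks-placeholder",
    [switch]$Upgrade           # without this switch the script only reports
)

# Minimum non-vulnerable patch level per minor version, as listed in the post.
$minimumByMinor = @{
    "1.11" = [version]"1.11.9"
    "1.12" = [version]"1.12.7"
    "1.13" = [version]"1.13.5"
    "1.14" = [version]"1.14.0"
}

function Get-RequiredUpgrade {
    # Returns the target version string when $CurrentVersion is below the listed
    # minimum for its minor release, otherwise $null (also when the minor is unlisted).
    param([string]$CurrentVersion)
    $current = [version]$CurrentVersion
    $minor   = "$($current.Major).$($current.Minor)"
    if (-not $minimumByMinor.ContainsKey($minor)) {
        return $null
    }
    if ($current -lt $minimumByMinor[$minor]) {
        return $minimumByMinor[$minor].ToString()
    }
    return $null
}

$cluster = Get-AzAksCluster -ResourceGroupName $ResourceGroupName -Name $ClusterName
$target  = Get-RequiredUpgrade -CurrentVersion $cluster.KubernetesVersion

if (-not $target) {
    Write-Host "$ClusterName is on $($cluster.KubernetesVersion): at or above the listed minimum."
    return
}

Write-Warning "$ClusterName is on $($cluster.KubernetesVersion); listed minimum for this minor is $target."
if ($Upgrade) {
    # Upgrade the cluster to the target Kubernetes version.
    Set-AzAksCluster -ResourceGroupName $ResourceGroupName -Name $ClusterName -KubernetesVersion $target
}
```

Run it without -Upgrade first to see the verdict for each cluster; the version table is the part to refresh whenever the recommendation's list of supported versions changes.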

[Image 6]

Next Steps

As with all security controls, make sure you remediate all recommendations within the control that apply to a particular resource to gain the potential score increase for your security posture. Check out our GitHub repo for artifacts that may help you achieve your 100% Secure Score. For more content like this, join the Microsoft Security Community at https://aka.ms/SecurityCommunity.


P.S. Consider joining our Tech Community where you can be one of the first to hear the latest Microsoft Defender for Cloud news, announcements and get your questions answered by experts.


Reviewer:

@Yuri Diogenes, Principal PM Manager - CxE Microsoft Defender for Cloud

Last update: Oct 28 2021 01:56 PM