Do you remember that on release in Feb 2010, Azure was known as Windows Azure? It took four years before it was renamed to Microsoft Azure, to more accurately reflect that it wasn’t just for Windows workloads. This November, some Azure security products also got a name upgrade!
Instead of What’s the difference between Azure Security Center, Azure Defender and Azure Sentinel, I’d now need to re-write it as What’s the difference between Microsoft Defender for Cloud, Microsoft Defender for Cloud and Microsoft Sentinel! (Azure Security Center and Azure Defender have been folded into the single Microsoft Defender for Cloud name, and Azure Sentinel is now Microsoft Sentinel.) We also have Azure Defender for IoT now known as Microsoft Defender for IoT, and Microsoft Cloud App Security is now Microsoft Defender for Cloud Apps.
Given the Windows Azure to Microsoft Azure evolution above, it makes sense to align these Azure-based security products with the Microsoft brand more than the cloud platform they run from. This is because of our ongoing investment in hybrid environments and providing capabilities in these tools (sometimes via Azure Arc) to manage the security posture of and signals from non-Azure workloads. Why would you look at an Azure security product if you thought it just protected stuff in Azure, when you might also have on-premises infrastructure or things in other people’s clouds?
Microsoft Defender for Cloud (formerly known as Azure Security Center) is your tool for overall security posture management and threat protection. It gives you recommendations on how to harden your workloads running in Azure (e.g. PaaS services, networks and data in Azure SQL) and visibility into other cloud environments (such as AWS-specific security recommendations).
Next, add advanced features for specific workload types, like Microsoft Defender for Servers (formerly under the Azure Defender name).
Whether those servers are in Azure or elsewhere, this licenses them for Microsoft Defender for Endpoint and picks up its alerts. It also includes features like operating system level assessments, adaptive application controls, file integrity monitoring and more.
Microsoft Defender for Cloud also offers advanced workload protection plans for App Service, Storage, SQL, Kubernetes, container registries, Key Vault, Resource Manager, DNS and open-source relational databases.
While Microsoft Defender for Endpoint didn’t have a name change this year (it was formerly known as Windows Defender Advanced Threat Protection and then Microsoft Defender ATP), it’s worth mentioning as it's also a component of Microsoft Defender for Servers. Microsoft Defender for Endpoint collects a vast array of behavioural signals from your server, surfaces vulnerability assessments and uses advanced analytics and big data to adapt to changing threats. It also uses our Intelligent Security Graph with signals from across Windows, Azure and Office, as well as data generated by Microsoft threat hunters, security teams and partners, to generate alerts when it identifies attacker tools, techniques and patterns. This is light-years ahead of legacy anti-virus software that only compares files against its virus definition files.
While technically not a Microsoft Defender for Cloud workload protection product, Microsoft Defender for IoT provides an agentless solution for discovery of IoT devices, identification of risks and vulnerabilities (such as open ports, unpatched devices and unauthorized applications), and detection of IoT anomalies and advanced threats. It integrates into Microsoft Sentinel and other third-party security tools. Learn more about how Microsoft Defender for IoT can secure your IoT devices.
Next, consider the security information and event management (SIEM) and security orchestration, automation and response (SOAR) capabilities of Microsoft Sentinel. It takes events from Microsoft Defender for Cloud (and by default its workload protection products too), and lets you add other data sources about users, devices, applications, and infrastructure, whether on-premises or in other clouds. These can range from Microsoft 365 sources to non-Microsoft products that send logs via Syslog, Common Event Format (CEF), or REST APIs. Now you’re really seeing the bigger picture across your environment, where you can investigate threats with artificial intelligence, hunt for suspicious activities and respond to incidents rapidly with built-in orchestration and automation of common tasks.
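Sentinel’s own ingestion pipeline and KQL hunting can’t be reproduced offline, but the Common Event Format it accepts from non-Microsoft products can. The following is an added example (not part of the original post and not Microsoft or Sentinel code): a small CEF parser that honours the format’s backslash escapes, plus one hunting rule of the kind you would run in a SIEM, applied to a handful of constructed log lines. The product name AuthGateway, the signature IDs AUTH_FAIL and AUTH_OK, the IP addresses and the rule threshold are all invented for illustration.

```python
"""Parse CEF lines (what many non-Microsoft products send to a SIEM over Syslog)
and run a simple hunting rule over them: a source that fails to authenticate
several times and then succeeds.

Added example; the log lines below are constructed, not real product output.
"""
import re
from collections import defaultdict

# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key is a run of word characters followed by '=' at the start of
# the extension or after whitespace; '\=' inside a value never matches this.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    """Undo CEF escapes: '\\\\' -> '\\', '\\=' -> '=', '\\|' -> '|', '\\n'/'\\r' -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(body: str):
    """Split the seven pipe-delimited header fields, honouring backslash escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped '|' or '\' inside a field
            cur.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs seven pipe-delimited fields")
    return fields, body[i:]


def parse_cef(line: str) -> dict:
    """Return one dict holding the header fields plus every extension key."""
    line = line.strip()
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, header))
    event["version"] = int(event["version"])
    # A value runs from its '=' up to the next unescaped ' key=' (or end of line).
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end].strip())
    return event


def hunt_brute_force_then_success(events, threshold=3):
    """Flag sources with >= threshold AUTH_FAIL events followed by an AUTH_OK.

    AUTH_FAIL/AUTH_OK are invented signature IDs for this example; map them to
    your product's real IDs. Events are ordered by the 'rt' (receipt time) key.
    """
    failures = defaultdict(int)
    hits = []
    for ev in sorted(events, key=lambda e: int(e.get("rt", "0"))):
        src = ev.get("src")
        if ev["signature_id"] == "AUTH_FAIL":
            failures[src] += 1
        elif ev["signature_id"] == "AUTH_OK":
            if failures[src] >= threshold:
                hits.append({"src": src, "failures": failures[src], "user": ev.get("suser")})
            failures[src] = 0   # a success resets the window for that source
    return hits


# Constructed sample input (hypothetical vendor/product, RFC 5737 test addresses).
SAMPLE_LOGS = [
    "CEF:0|ExampleCorp|AuthGateway|2.1|AUTH_FAIL|Logon failed|5|rt=1636360000000 src=203.0.113.5 suser=alice msg=Bad password",
    "CEF:0|ExampleCorp|AuthGateway|2.1|AUTH_FAIL|Logon failed|5|rt=1636360001000 src=203.0.113.5 suser=bob msg=Bad password",
    "CEF:0|ExampleCorp|AuthGateway|2.1|AUTH_FAIL|Logon failed|5|rt=1636360002000 src=203.0.113.5 suser=carol msg=Bad password",
    "CEF:0|ExampleCorp|AuthGateway|2.1|AUTH_OK|Logon succeeded|3|rt=1636360003000 src=203.0.113.5 suser=dave msg=Password accepted",
    "CEF:0|ExampleCorp|AuthGateway|2.1|AUTH_FAIL|Logon failed|5|rt=1636360004000 src=198.51.100.7 suser=erin msg=Bad password",
    "CEF:0|ExampleCorp|AuthGateway|2.1|AUTH_OK|Logon succeeded|3|rt=1636360005000 src=198.51.100.7 suser=erin msg=Password accepted",
    # Escapes: '\|' inside a header field and '\=' inside an extension value.
    "CEF:0|ExampleCorp|Web\\|Proxy|2.1|URL_BLOCK|Blocked URL|4|rt=1636360006000 src=198.51.100.7 request=http://example.test/?a\\=1",
]


if __name__ == "__main__":
    parsed = [parse_cef(line) for line in SAMPLE_LOGS]
    for hit in hunt_brute_force_then_success(parsed):
        print(f"{hit['src']}: {hit['failures']} failed logons, then success as {hit['user']}")
```

The escape handling is the part worth keeping: a parser that naively splits on `|` and `=` will misread the seventh line above, which is exactly the kind of record an attacker-controlled URL or username can produce.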
Finally, Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security) helps you discover which cloud apps people in your organization are using that you didn’t know about (known as “shadow IT”). Humans are like water: they will find the path of least resistance. If they think it’s too hard or too restrictive to use only the apps you’ve provided for them, they’ll spin up something else with a few clicks and a credit card. Microsoft Defender for Cloud Apps will analyse your network traffic to see exactly which cloud applications are in use and the risk factor of those apps (are they well-known, do they have good security controls, etc.). You’ll get information about their usage and whether those apps are compliant with regulations like HIPAA or GDPR, and you’ll see if those apps can be used with Azure Active Directory for single sign-on. Finally, the app discovery policies can monitor app usage and alert you to things like spikes in uploads or downloads.
Hopefully this gives you a picture of some of the Microsoft security products and how they fit together, though we haven’t covered things like Azure Purview (for data governance), Microsoft 365 Defender or Azure AD Identity Protection – to name a few! End-to-end security is a big topic, but now you know if a talk, slide deck or website references Azure security something, it might now be called Microsoft security something!