Announcing new CNAPP capabilities in Defender for Cloud
Published Nov 15 2023 07:58 AM

In the fast-paced world of cloud computing, security teams are facing unprecedented challenges. As organizations increasingly adopt multicloud environments and prioritize the development of cloud-native applications, the complexity of ensuring robust security has grown exponentially. To tackle these evolving cloud security needs, a powerful solution has emerged – Cloud-Native Application Protection Platforms (CNAPP).

CNAPP platforms are designed to consolidate multicloud threat prevention and detection, offering comprehensive security from code to cloud. They cover vital aspects of cloud security, including Cloud Security Posture Management (CSPM), Cloud Infrastructure Entitlement Management (CIEM), and Cloud Workload Protection (CWP).

Customers are at the heart of our strategy and product development. We are honored to team up with thousands of security experts, hear about their cloud security issues, and provide robust multicloud security solutions. It is gratifying to receive positive feedback from customers and be recognized by industry analysts for our innovative contributions. Microsoft Defender for Cloud is recognized as a tech leader in the CNAPP category on PeerSpot, a prominent peer review site. KuppingerCole recognized Defender for Cloud as an Overall Leader, Market Champion, Product Leader, and Innovation Leader in its 2023 CSPM Leadership Compass, noting “Organizations looking for a CSPM which provides multi-cloud capabilities including data aware security posture should consider Microsoft Defender for Cloud.”   



Figure 1: Microsoft Defender for Cloud


New Innovations in Microsoft Defender for Cloud

At Ignite 2023, we are excited to announce new innovations in Microsoft Defender for Cloud that will help security admins strengthen their CNAPP deployment, improve the cloud security posture through additional code to cloud insights, and protect cloud-native applications across multicloud environments in a unified solution. Here are some of the highlights of the new features and capabilities that we are announcing today:

  • Unified insights from Microsoft Entra Permissions Management (CIEM) to enable comprehensive risk mitigation: Security admins can now get a centralized view of the unused or excessive access permissions within Defender for Cloud. This enables teams to drive least-privilege access controls for cloud resources and receive actionable recommendations for resolving permissions risks across Azure, AWS, and Google Cloud – as part of Defender Cloud Security Posture Management (CSPM), without additional licensing requirements. This integration also enriches attack path analysis, enabling teams to visualize how identity and access issues can be exploited by attackers to compromise your cloud resources.


  • Enhanced attack path analysis engine to swiftly pinpoint critical risks across clouds: Defender CSPM’s attack path analysis engine is enhanced with path-finding AI algorithms to detect even more complex and sophisticated attack paths in your cloud environment – such as attack paths crossing cloud boundaries. Security admins can also reduce recommendation fatigue and take a risk-based approach to remediation with the public preview of risk prioritization for recommendations and attack path analysis. Recommendations and attack paths are now assigned a risk level based on both their exploitability and potential business impact, taking factors like internet exposure, data sensitivity, and lateral movement potential into account.

    To enable security teams to better understand the context of potential threats with Defender CSPM, attack paths are now mapped to MITRE techniques and offer exporting capabilities to CSV, Log Analytics, and Event Hub. To help streamline remediation efforts, attack paths are now enriched with granular recommendations to disrupt the potential attack chain. Additionally, security admins can increase productivity with the new ServiceNow ITSM integration to create and view service tickets from the Defender for Cloud portal. This approach helps you efficiently address the most critical security issues, enhancing the effectiveness of your security efforts.


Figure 2: cross-cloud attack path analysis example


  • Accelerated critical risk remediation with Microsoft Security Copilot integration: We're excited to bring Microsoft's industry-leading generative AI capabilities to Defender CSPM. Security Copilot is the only security AI product that combines a specialized language model with security-specific capabilities from Microsoft. With this integration, security admins can leverage the power of generative AI to accelerate their approach to identifying and remediating critical risks across their multicloud environment, now in private preview available to Early Access Program customers.

    With assisted risk exploration, security admins can use Security Copilot to reduce recommendation fatigue, identify critical risks and vulnerabilities in the cloud, and drill down to specific contextual insights and resources more efficiently to understand the context and potential impact of multiple risk factors.

    With assisted risk remediation, security admins can use Security Copilot to accelerate remediation of specific risks. It generates remediation and impact summaries, and proactively identifies key resource users that can help remediate the risk. Auto-generated step-by-step remediation actions enriched with specific scripts help security admins implement recommendations quickly using the script language of their choice. To streamline remediation actions, security admins can seamlessly delegate the generated remediation action to key resource users over email or create assignments via ticketing systems. With the new Security Copilot integration in Defender for Cloud, organizations can strengthen their cloud security posture more efficiently, all from the comfort of the Defender for Cloud portal.



Figure 3: Assisted remediation with Security Copilot in Defender for Cloud


  • Integrated security across multiple DevOps platforms: To expand the DevOps security coverage beyond the Microsoft ecosystem, we are announcing the new public preview of GitLab integration. Defender for Cloud already has robust integrations with GitHub Advanced Security and GitHub Advanced Security for Azure DevOps, so security admins now get a full view into their application security posture across all major developer platforms – GitHub, Azure DevOps and GitLab – as part of foundational CSPM. We’re equally excited to unveil new code to cloud remediation workflows that enrich the cloud security graph, so that teams can trace CVEs, secrets, and misconfigurations back easily and efficiently to the related repository where they started and collaborate more effectively with the development teams – included in Defender Cloud Security Posture Management.

    To simplify how our customers benefit from code to cloud security value, DevOps security capabilities will now be included in Defender CSPM and the Defender for DevOps plan (previously in public preview) will be retired.


  • Extended protection for cloud workloads: Security admins can get ahead of containerized application risks and prioritize misconfigurations and exposures in their Kubernetes deployments of Amazon EKS and Google GKE clusters – both via the expansion of Defender CSPM’s contextual graph-based capabilities and Defender for Containers. Additionally, security admins can easily discover and remediate vulnerabilities for Linux container images in Azure Container Registries with the general availability of agentless vulnerability assessments for container images powered by Microsoft Defender Vulnerability Management. With this change, we are unifying our vulnerability assessment engine to Microsoft Defender Vulnerability Management (MDVM) across servers and containers. Security admins will benefit from Microsoft’s unmatched threat intelligence, breach likelihood predictions and business contexts to identify, assess, prioritize, and remediate vulnerabilities - making it an ideal tool for managing an expanded attack surface and reducing overall cloud risk posture.

    We’re also excited to announce the general availability of agentless secrets scanning for all Azure, AWS and GCP servers. Security admins can discover and remediate plaintext secrets in servers to preempt credential exploits and minimize the risk of lateral movement, all without affecting servers’ performance.


  • Improved API Security Posture: With the general availability of Defender for APIs, security admins can gain visibility of business-critical APIs, prioritize vulnerability fixes, and quickly detect active real-time threats for APIs published in Azure API Management. Defender for APIs fills a crucial gap in the CNAPP category by providing insights into vital APIs, assessing their security posture, prioritizing vulnerability fixes, and swiftly detecting runtime threats. We’re also excited to announce new public preview capabilities in Defender for APIs to seamlessly integrate with Defender CSPM. This integration incorporates API security insights into the overall cloud security risk prioritization and helps you quickly identify and rectify misconfigured APIs that pose a significant threat to your cloud environment. Additionally, Microsoft Information Protection (MIP) Purview Integration enriches API data security, enabling data classification and supporting compliance objectives. We're also excited to announce our partnership with 42Crunch, helping customers assess and address API threats across the entire cloud application lifecycle. This integration empowers developers to test their APIs for security during development and empowers security admins to gain full lifecycle visibility into the security posture of their APIs within Defender for Cloud.


  • Go beyond workload protection – detect and respond to threats across the enterprise in a unified platform: Microsoft’s security researchers are seeing an increasing trend of attackers crossing the lines from end-user assets into cloud workloads. In cyberattacks observed by Microsoft over the last few months, targeted organizations incurred more than $300,000 in computing fees due to crypto-jacking related attacks. To help security teams defend against this evolving threat and risk landscape and gain ground by responding at machine speed, multicloud alerts, signals, and asset information for Azure, AWS, and GCP from Microsoft Defender for Cloud are now natively integrated into Microsoft Defender XDR (formerly Microsoft 365 Defender), providing an end-user-to-cloud XDR.

More innovations from Defender for Cloud

  • General Availability of GCP capabilities in Defender CSPM
  • General Availability of the data security dashboard, which provides a centralized view of risks to sensitive data across datastores.
  • General Availability of sensitive data discovery for Azure SQL databases and AWS RDS instances in Defender CSPM.
  • General Availability of the Azure Monitoring Agent (AMA) auto provisioning process for Defender for SQL servers on machines plan.
  • Public preview of malware download detection in Defender for Storage, which alerts on malware distribution events where an infected blob has been detected.

Next steps

From code to cloud, Defender for Cloud helps you start secure with proactive posture hardening and stay secure with advanced threat protection across multicloud apps, infrastructure, and data. To get started today with these new innovations in Microsoft Defender for Cloud, you can:

  • Watch the Microsoft Mechanics video: Cloud Security Posture Management with Microsoft Defender
  • Visit the Microsoft Defender for Cloud website
  • Sign up for a free trial of Microsoft Defender for Cloud  
  • Watch our Ignite session on cloud security
  • Engage with us at the tech accelerator

Last update: Nov 16 2023 10:58 AM