Ignite 2021: Microsoft Defender for Cloud news
Published Nov 02 2021 08:02 AM
Microsoft

According to the 2021 State of the Cloud report, 92% of organizations now have a multi-cloud strategy. At Microsoft, our goal is to centralize security across these environments and help security teams work more effectively with Microsoft Defender for Cloud.

Defender for Cloud (formerly known as Azure Security Center and Azure Defender) is a Cloud Security Posture Management (CSPM) and workload protection solution that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and protects workloads across multi-cloud and hybrid environments.

 

For Ignite 2021, the top news includes:

  • Azure Security Center and Azure Defender are now unified as Microsoft Defender for Cloud
  • Native CSPM for AWS and threat protection for Amazon EKS and AWS EC2
  • Prioritization of cloud workloads that hold sensitive data, using Azure Purview
  • Microsoft Sentinel integration enhancements
  • Release of Azure Security Benchmark v3

 

Last year at Ignite, we shared our vision to create the most complete approach for securing your digital estate and integrating XDR technologies under the Microsoft Defender brand.

Unifying Azure Security Center and Azure Defender under the new name Microsoft Defender for Cloud now better reflects the integrated capabilities of our security offering that help you secure any cloud platform.

 

Native support for AWS - secure your multicloud environments centrally

Today, we’re excited to announce native CSPM support and threat protection for compute workloads in Amazon Web Services (AWS). We implemented an agentless approach to connecting AWS environments that relies on the AWS APIs and has no dependency on cloud vendor offerings such as AWS Security Hub. The onboarding experience is designed to work at scale: you connect your AWS management account (formerly called the master account), and the existing member accounts, as well as accounts created later, are onboarded automatically.

 

To give you a central view of the security state of your multi-cloud environments, AWS security recommendations are now integrated into the Defender for Cloud portal alongside Azure recommendations. We implemented more than 160 out-of-the-box recommendations across IaaS and PaaS services, and three standards (CIS, PCI DSS, and the AWS Foundational Security Best Practices), to help strengthen your AWS security posture. Security teams can also create their own recommendations and standards to meet internal requirements, either by customizing existing templates or by building entirely new ones.

 

Image 1: View of AWS security recommendation in Microsoft Defender for Cloud

 

 

In addition to the multi-cloud CSPM improvements, we extended the container protection capabilities in Microsoft Defender for Cloud to Amazon EKS clusters and extended the Defender for Servers capabilities to AWS EC2 instances.

 

To make it easier to leverage these and other capabilities in Defender for Cloud, we overhauled the onboarding experience to be seamless. You can now onboard your AWS accounts to leverage CSPM, as well as server and container workload protection capabilities with a single, simple onboarding flow. It takes care of all required provisioning steps across existing and all newly created resources.

 

Lastly, you can now enable workload protections at scale and ensure that your security requirements are met whenever a new resource is created in your environment. We implemented a new “enforce” capability within our recommendations that when enabled, will automatically apply the relevant protection to all newly created resources. It’s an easy-button to give security teams peace of mind and prevent weak configurations from the start.

 

 

New product integrations

With the accelerating use of cloud workloads, it’s essential that security tools work together, make data flow easily, and present information to security teams in a central location. That’s why we are integrating our solutions with each other, while creating more capabilities and use cases for security teams. Today, we are announcing three new and enhanced product integrations.

 

Prioritize cloud resources with sensitive data – an integration with Azure Purview

Data resources remain a popular target for malicious actors, making it crucial for security teams to identify, prioritize, and secure sensitive data resources across their cloud environments.

 

To address this challenge, we’re excited to announce the integration between Microsoft Defender for Cloud and Azure Purview in public preview. Azure Purview is a unified data governance service that provides rich insights into the sensitivity of your data within multi-cloud, and on-premises workloads.

 

The integration with Azure Purview extends your security visibility in Defender for Cloud from infrastructure resources down into your data, enabling an entirely new way to prioritize resources for security teams.

 

Image 2: The new Information protection tile in Defender for Cloud, integrated with Azure Purview

 

For an enriched CSPM experience, we included an Information protection tile in Defender for Cloud that shows your current scan coverage and a graph with the number of recommendations and alerts by classified resource types. In addition, we created two new filters in the Defender for Cloud Inventory experience and within Security alerts called Data sensitivity classifications and Data sensitivity labels. These new options allow security teams to filter specifically for sensitive data and more effectively prioritize the enforcement of security policies and the investigation of alerts across the most sensitive resources.

Lastly, the Resource Health blade now provides additional classification metadata at the resource level, giving you an easy way to see which assets contain sensitive information across your environment.

 

Image 3: A view of unhealthy resources that have been identified as containing sensitive information

 

 

Keep incidents in sync across Microsoft Sentinel and Defender for Cloud

In July, we announced key capabilities for the integration between Microsoft Sentinel and Microsoft Defender for Cloud as part of our broader efforts to seamlessly connect our XDR and SIEM tools and create an industry leading toolset for SecOps teams.

We’re excited to share that our bi-directional sync, which aligns the status of incidents between Defender for Cloud and Microsoft Sentinel, is now generally available.

 

In addition, we have enhanced the integration with new recommendations in Defender for Cloud that highlight Azure Kubernetes Service (AKS) and SQL workloads that are not sending log data to Microsoft Sentinel. SecOps teams can now choose the relevant Microsoft Sentinel workspace directly from the recommendation page and immediately enable the streaming of raw logs in the new experience. This seamless connection between the two products makes it easy for security teams to ensure complete logging coverage across their workloads and stay on top of their entire environment.

 

Image 4: Notification in Defender for Cloud that highlights when Microsoft Sentinel logging is not enabled

For a demo of these new capabilities, watch the SIEM + XDR: Automate Threat Detection and Response Ignite session.

 

 

Detect and assess vulnerabilities with Microsoft threat and vulnerability management

A key aspect of effective workload protection is visibility of vulnerabilities and the ability to manage those that expose your workloads and pose a security risk to your organization.

 

Today we are excited to announce the general availability of Microsoft threat and vulnerability management as a new vulnerability assessment provider.

 

While Microsoft Defender for Cloud already includes a set of vulnerability discovery and management tools, the integration with Microsoft threat and vulnerability management allows frictionless onboarding for existing and new server workloads, so you can detect vulnerable software without installing additional agents or scanners: it uses the Microsoft Defender for Endpoint sensor that the Defender for Servers integration already deploys, so that integration needs to be enabled for the findings to appear.

 

As part of this integration, we also added new software inventory filters to the Inventory experience, so you can easily search for and filter by software products that are installed on your workloads. Learn more about the software inventory.

 

Image 5: New software inventory filters in the Defender for Cloud Inventory experience

 

 

Cloud Security Posture Management enhancements

CSPM solutions are designed to help organizations identify and manage security and compliance risks in the cloud. Microsoft Defender for Cloud provides a centralized experience to ensure your multicloud environments are configured securely and align with industry best practices and established regulatory standards.

 

Security recommendations map to the MITRE ATT&CK® framework

For security analysts, it’s essential to identify the potential risks associated with security recommendations and understand the attack vectors, so they can prioritize more effectively.

 

To make prioritization easier, Microsoft Defender for Cloud now maps its security recommendations against the MITRE ATT&CK® framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.

 

Using the new capability, customers can strengthen the secure configuration of their environment with recommendations that are mapped to the MITRE ATT&CK® framework and prioritize based on the potential risk across the cyber kill chain.

 

Starting today, the MITRE ATT&CK® framework is integrated in three ways:

  • Recommendations map to MITRE ATT&CK® tactics and techniques.
  • Filter recommendations by MITRE ATT&CK® tactic.
  • Query MITRE ATT&CK® tactics and techniques on recommendations using the Azure Resource Graph.
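As an added example (not code from the original post), the third integration point can be exercised with a Kusto query in Azure Resource Graph Explorer. The query assumes that assessment resources in the `securityresources` table expose the MITRE mapping as `tactics` and `techniques` arrays under `properties.metadata`, which is how the assessment metadata API names those fields; if your tenant shows a different shape, adjust the property paths. It lists unhealthy recommendations grouped by ATT&CK tactic, so the tactics with the most exposed resources float to the top.

```kusto
// Added example: unhealthy Defender for Cloud recommendations per MITRE ATT&CK tactic.
// Assumption: properties.metadata.tactics / properties.metadata.techniques hold the mapping.
securityresources
| where type == "microsoft.security/assessments"
| where tostring(properties.status.code) == "Unhealthy"
| extend recommendation = tostring(properties.displayName),
         resourceId = tostring(properties.resourceDetails.Id),
         severity = tostring(properties.metadata.severity),
         tactics = properties.metadata.tactics,
         techniques = properties.metadata.techniques
// Keep only recommendations that actually carry a MITRE mapping
| where array_length(tactics) > 0
// One row per (recommendation, resource, tactic) so a recommendation mapped to
// several tactics is counted under each of them
| mv-expand tactic = tactics to typeof(string)
| summarize unhealthyResources = dcount(resourceId),
            highSeverity = dcountif(resourceId, severity == "High"),
            recommendations = make_set(recommendation),
            techniques = make_set(techniques)
  by tactic
| order by unhealthyResources desc
```

To drill into a single tactic, add `| where tactic == "Initial Access"` (or any other tactic name) before the `summarize`, or replace the `summarize` with `| project tactic, recommendation, resourceId, techniques` to get the per-resource list that can be handed to a remediation ticket.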

 

Image 6: View of the new “Tactics and techniques” mapping section within Defender for Cloud recommendations

 

Enhanced security control assessments with Azure Security Benchmark v3

The Azure Security Benchmark (ASB) is a collection of high-impact security recommendations, aligned with common industry and compliance frameworks, to help secure services in Azure. Starting today, ASB v3 is available in the Regulatory Compliance Dashboard within Microsoft Defender for Cloud and is enabled as the new default. Enhancements include:

 

  • Additional mappings to the industry frameworks PCI DSS v3.2.1 and CIS Controls v8.
  • More granular and actionable guidance for controls with the introduction of Security Principles and Azure Guidance. Security Principles describe the overall security objectives that the recommendations are built on, while Azure Guidance is the technical “how-to” for meeting those objectives when implementing a workload in Azure.
  • New controls, including DevOps Security as a new control family (covering topics such as threat modeling and software supply chain security) and Key and certificate management for best practices in Azure.

 

Image 7: Azure Security Benchmark as the new default compliance framework in the Microsoft Defender for Cloud portal

 

Related recommendations

The last piece of news is a new feature that gives security teams insight into the relationships and context between different recommendations. Many recommendations in Defender for Cloud now include a new Related recommendations area on the details page. The aim is to help security teams make sure that all prerequisites are met before they act on a recommendation; the various Azure Kubernetes Service (AKS) recommendations, several of which depend on one another, are a relevant example.

 

The three relationship types that are shown on these pages are:

  • Prerequisite - A recommendation that must be completed before the selected recommendation.
  • Alternative – An alternative to achieve the same goal of the selected recommendation.
  • Dependent - A recommendation for which the selected recommendation is a prerequisite.

 

For each related recommendation, the number of unhealthy resources is shown in the "Affected resources" column, making it easy to navigate and address them. Learn more about this feature.

 

Image 8: The new “Related recommendations” section within the existing recommendations view that highlight

 

Get started and improve your cloud security today with Defender for Cloud!

 

For more information and a demo of the latest capabilities, check out the resources below:

Last update: Nov 02 2021 04:49 PM