Meeting the Cybersecurity Executive Order requirements with Microsoft Defender for Cloud
Published Aug 25 2021 07:11 AM

In May 2021, the Biden Administration signed Executive Order (EO) 14028, placing cloud security at the forefront of national security. Federal agencies are at different stages in their digital transformations yet are all facing similar challenges: rapidly changing workloads, insecure configurations, shortages of skilled professionals, and increase in sophistication of cyber attacks.


The Azure Security suite helps federal agencies and partners improve their cloud security posture and stay compliant with the recent EO. While there are many areas Azure Security can support, this blog will focus on how Microsoft Defender for Cloud and Microsoft Sentinel can empower federal agencies to address the following EO goals:

Microsoft applies its industry-leading practices to Azure Security products, generating meaningful insights about security posture that simplify the process of protecting federal agencies and result in cost and time savings.


Microsoft Defender for Cloud is a unified infrastructure security management system that strengthens the security posture of your data centers. 


Microsoft Sentinel, our cloud-native security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution, is deeply integrated with Microsoft Defender for Cloud.


Note: For more information on products and features available in Azure Government, please refer to the Microsoft Docs page "Azure service cloud feature availability for US government customers".


Modernize and Implement Stronger Cybersecurity Standards in the Federal Government

Using the cloud rather than traditional on-premises data centers brings significant security benefits: data is centralized, and it is continuously monitored and analyzed. The Shared Responsibility model guides security in the cloud. As a cloud service provider, Microsoft invests over a billion dollars annually on security, including securing the Azure platform.


Section three of the EO emphasizes the push toward cloud adoption and the need for proper cloud security. It highlights the necessity of a federal cloud security strategy, governance framework, and reference architecture to drive cloud adoption.


For federal agencies beginning their digital transformations, Microsoft Defender for Cloud provides robust features out of the box to secure your environment and accelerate secure cloud adoption by leveraging existing best practices and guardrails. Defender for Cloud continuously scans your hybrid cloud environment and provides recommendations to help you harden your attack surface against threats. Azure Security Benchmark (ASB) is the baseline and driver for these recommendations. ASB is a Microsoft-authored, Azure-specific set of guidelines for security and compliance best practices based on common compliance frameworks. Azure Security Benchmark builds on the controls from the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. ASB empowers teams to leverage the dynamic nature of the cloud and continuously deploy new resources by providing the needed visibility into the posture of these resources as well as easy-to-follow steps for remediation. With over 150 built-in recommendations, ASB evaluates Azure resources across 11 controls, including network security, data protection, logging and threat detection, incident response, governance and strategy, and more.


Government agencies have complex compliance requirements that can be streamlined through Azure Security Benchmark. ASB provides federal agencies with a strong baseline to assess the health of their Azure resources. Teams can complement this visibility by including additional regulatory compliance standards or their own custom policy. Microsoft Defender for Cloud’s regulatory compliance dashboard provides insights into compliance posture against compliance requirements, including NIST SP 800-53, SWIFT CSP CSCF-v2020, Azure CIS 1.3.0 and more.


We recently released Regulatory Compliance in Workflow Automation, where changes in regulatory compliance standards can trigger real-time responses, such as notifying relevant stakeholders, launching a change management process, or applying specific remediation steps. Building in automation allows organizations to improve security posture by ensuring the proper steps are completed consistently and automatically, according to predefined requirements. Automation also reduces the burden on your security teams by streamlining repeatable tasks. Read more about how to build in automation for regulatory compliance.


With visibility and remediation all from the same dashboard, ASB and other out of the box regulatory compliance initiatives empower security teams to get immediate, actionable insights into their security posture. Leveraging Microsoft best practices, built with Azure in mind, federal agencies can tap into the security of the cloud without committing resources to building new frameworks.

Microsoft Sentinel contains workbooks, visual representations of data, that help federal agencies gain insight into their security posture. Section three of the EO mandates Zero Trust planning as a requirement, which can be daunting to implement. The Zero Trust (TIC3.0) Workbook provides a visualization of Zero Trust principles mapped to the Trusted Internet Connections (TIC) framework. After aligning TIC 3.0 Security Capabilities to Zero Trust Principles and Pillars, this workbook shares easy-to-implement recommendations, log sources, automations, and more to empower federal agencies looking to build Zero Trust into cloud readiness. Read more about the Zero Trust (TIC3.0) Workbook.


Using Microsoft Defender for Cloud’s regulatory compliance feature and workbooks in Microsoft Sentinel, federal agencies can tap into Microsoft best practices and existing frameworks, regardless of where they may be in their cloud journeys, to get and stay secure. These products not only provide heightened visibility into cloud security posture, but they also provide steps for remediation to harden your attack surface and prevent attacks. These tools harness the power of automation, AI/ML, and more to reduce the burden on your security teams and allow them to focus on what matters.


Improve Detection of Cybersecurity Incidents on Federal Government Networks

The objective of section seven of the EO is to promote cross-government collaboration and information sharing by enabling a government-wide endpoint detection and response (EDR) system.


Integrating Microsoft Defender for Cloud and Microsoft Sentinel provides federal agencies with increased visibility to proactively identify threats and build in automated responses. Through Microsoft Sentinel, agencies can ensure they have the appropriate tools, whether that be automated responses or access to logs, to contain and remediate threats.


In addition to providing cloud security posture management, Microsoft Defender for Cloud provides a cloud workload protection platform. Defender for Cloud provides advanced, intelligent protection for a variety of resource types, including servers, Kubernetes, container registries, App Service, SQL database servers, Key Vault, storage, and more. Read more about the resource types covered by Defender for Cloud.


When Microsoft Defender for Cloud detects an attempt to compromise your environment, it generates a security alert. Security alerts contain details of the affected resource, suggested remediation steps, and refer to recommendations to help harden your attack surface to protect against similar alerts in the future. In some scenarios, logic apps can also be triggered. Like automated responses to deviations in regulatory compliance standards, logic apps allow for consistent responses to Microsoft Defender for Cloud alerts.


Defender for Cloud not only has a breadth of coverage across many resource types, but also depth in coverage by resource type. Given the increase in frequency and complexity of attacks, organizations require dynamic threat detections. Defender for Cloud benefits from security research and data science teams at Microsoft who are continuously monitoring the threat landscape, leading to constant tuning of detections as well as the inclusion of additional detections for greater coverage. Defender for Cloud incorporates integrated threat intelligence, behavioral analytics, and anomaly detection to identify threats across your environment.


Microsoft Sentinel is a central location to collect data at scale – across users, devices, applications, and infrastructure – and to conduct investigation and response.


There are two ways that Microsoft Sentinel can ingest data: data connectors and continuous export.


Microsoft Sentinel comes with built-in connectors for many Microsoft products, allowing for out of the box, real-time integration. The Defender for Cloud connector facilitates the streaming of Defender for Cloud security alerts into Microsoft Sentinel, where you can view, analyze, and respond to alerts in a broader organizational threat context.


In addition to bringing in Defender for Cloud alerts, organizations can stream alerts from other Microsoft products, including Microsoft 365 sources such as Office 365, Azure Active Directory, Microsoft Defender for Identity, or Microsoft Cloud App Security. We also have built-in connectors for third-party products.


Continuous export in Defender for Cloud allows for the streaming of not only Azure Defender alerts but also secure score and regulatory compliance insights. For customers leveraging both the cloud security posture management and cloud workload protection platform aspects of Defender for Cloud, it is recommended to use continuous export to take advantage of all the data available in Defender for Cloud.

After connecting data sources to Defender for Cloud, out-of-the-box, built-in templates guide the creation of threat detection rules. Our team of security experts created rule templates based on known threats, common attack vectors, and suspicious activity escalation chains. Creating rules based on these templates will continuously scan your environment for suspicious activity and create incidents when alerts are generated. You can couple built-in fusion technology, machine learning behavioral analytics, anomaly rules, or scheduled analytics rules with your own custom rules to ensure Microsoft Sentinel is scanning your environment for relevant threats.
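As an added example (not one of Microsoft's built-in rule templates), the query below is the kind of custom scheduled analytics rule you could pair with those templates: it looks for escalation chains by flagging any resource that raised two or more different Defender for Cloud alert types within the last hour. It assumes the alerts arrive in the SecurityAlert table via the Defender for Cloud connector with ProductName "Azure Security Center"; the lookback window and the threshold are constructed values to tune for your environment.

```kql
// Added example: scheduled analytics rule query over Defender for Cloud alerts
// streamed into Microsoft Sentinel. Assumption: the connector writes them to the
// SecurityAlert table with ProductName "Azure Security Center".
let lookback = 1h;                 // run the rule hourly and query the last hour
let min_distinct_alerts = 2;       // constructed threshold: >= 2 alert types per resource
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == "Azure Security Center"
| where AlertSeverity in ("Medium", "High")
// Rank severity numerically so max() prefers High over Medium
// (a string max() would sort "Medium" above "High" lexically)
| extend SeverityRank = case(AlertSeverity == "High", 3,
                             AlertSeverity == "Medium", 2,
                             1)
// Prefer the Azure resource ID; fall back to the compromised entity name
| extend Resource = iff(isempty(ResourceId), CompromisedEntity, ResourceId)
| where isnotempty(Resource)
| summarize AlertCount = count(),
            DistinctAlertTypes = dcount(AlertName),
            AlertNames = make_set(AlertName, 10),
            HighestSeverityRank = max(SeverityRank),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            // keep one alert ID so the incident links back to the original alert
            SampleAlertId = take_any(SystemAlertId)
    by Resource
| where DistinctAlertTypes >= min_distinct_alerts
| extend HighestSeverity = iff(HighestSeverityRank == 3, "High", "Medium")
| sort by HighestSeverityRank desc, AlertCount desc
| project FirstSeen, LastSeen, Resource, AlertCount, DistinctAlertTypes,
          AlertNames, HighestSeverity, SampleAlertId
```

When saving this as a scheduled rule, map the Resource column to the Azure resource entity so the resulting incident carries the affected resource, and set the rule frequency and lookup period to match the lookback value.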


Automation rules in Microsoft Sentinel help triage incidents. These rules can automatically assign incidents to the right team, close noisy incidents or known false positives, change alert severity, or add tags.


Automation rules are also used to run playbooks in response to incidents. Playbooks, which are based on workflows built in Azure Logic Apps, are a collection of processes that are run in response to an alert or incident. This feature allows for predefined, consistent, and automated responses to Microsoft Sentinel activity, reducing the burden on your security team and allowing for close to real time responses to alerts or incidents.


Due to the integrated nature of our threat protection suite, completing investigation and remediation of a Defender for Cloud alert in Microsoft Sentinel will still update the alert's status in the Defender for Cloud portal. For example, when an alert is closed in Microsoft Sentinel, that alert will display as closed in Defender for Cloud as well (and vice versa)!


Federal agencies can tap into Microsoft’s comprehensive cloud security strategy to navigate the EO requirements with ease. The integration between Defender for Cloud and Microsoft Sentinel allows agencies to leverage an existing, cohesive architecture of security products rather than attempting to blend various offerings. Our security products, which operate at cloud-speed, provide the needed visibility into cloud security posture while also offering remediation from the same pane of glass. Built in automation reduces the burden on security professionals and encourages consistent, real-time responses to alerts or incidents.


At Microsoft, we are excited about the opportunity to expand our partnerships with federal agencies as we work to improve cloud security, and in doing so, improve national security.


For more information, please visit our Cyber EO resource center.

Last update: Nov 02 2021 10:49 AM