Introduction
In this blog, I continue the Microsoft Defender PoC series by providing you with guidelines and considerations for how to successfully perform a proof of concept for the new Microsoft Defender for Containers plan. With the release of the new Microsoft Defender for Containers plan, we have merged the previous Microsoft Defender for Kubernetes and Microsoft Defender for Container Registries into one offering. Aside from combining the features of the two previous plans, this offering brings new and improved features including multi-cloud support and host level threat detection. For a more holistic approach on Microsoft Defender for Cloud as a whole, check out How to Effectively Perform a Microsoft Defender for Cloud PoC.
Planning
Defender for Containers protects your Kubernetes clusters in Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP), as well as on-prem/IaaS. For Kubernetes clusters hosted outside of Azure, Azure Arc-enabled Kubernetes is required to connect the clusters to Azure and provide threat protection from Microsoft Defender for Containers. Once the Kubernetes cluster is connected to Azure, an Arc extension collects Kubernetes audit log data. For clusters hosted in AWS or GCP, you’ll need to connect your AWS accounts to Microsoft Defender for Cloud or connect your GCP project to Microsoft Defender for Cloud. Defender for Containers also leverages a Kubernetes native agent, the Defender Profile, for run-time protection and collection of node signals.
The Defender for Containers plan also includes an integrated vulnerability scanner for scanning images in Azure Container Registries and Elastic Container Registries (AWS). The results from the vulnerability assessment scanning are visible in the recommendations "Container images should have vulnerability findings resolved" and "Elastic container registry images should have vulnerability findings resolved". With the addition of the Defender Profile, customers using Azure Kubernetes Service also have visibility into vulnerability assessments for running images. Before deploying Microsoft Defender for Containers, please be sure to check that your registries and images as well as Kubernetes distributions are supported by this plan.
At the time of publication, the current price of Microsoft Defender for Containers is $7 per vCore per month. This price includes 20 free scans per vCore where the count will be based on the previous month’s consumption.
- Pricing—Microsoft Defender | Microsoft Azure
- Microsoft Defender for Containers Cost Estimation Dashboard
You can enable Microsoft Defender for Containers on the subscription level, with a 30-day free trial. Keeping that in mind, you should plan to execute your PoC prior to this expiration and, based on the results, decide to keep it enabled or not.
Preparation
To enable Microsoft Defender for Containers, you will need the Security Admin role. To enable this plan, you simply switch the toggle from “off” to “on”.
The Security Admin role is also needed to dismiss alerts and the Security Reader role is needed to view findings. To familiarize yourself with the alerts you may receive with this plan, review the Alerts Reference Guide.
To make sure you have a complete understanding of Microsoft Defender for Containers, please be sure to also check out the following resources:
- Microsoft launches dedicated Container protection plan
- Overview of Azure Arc-enabled Kubernetes - Azure Arc | Microsoft Docs
- How to use Microsoft Defender for container registries | Microsoft Docs
- Workload protections for your Kubernetes workloads | Microsoft Docs
- How to enable Microsoft Defender for Containers in Microsoft Defender for Cloud | Microsoft Learn
- Microsoft Defender for Containers | Defender for Cloud in the Field #3 - YouTube
Implementation and Validation
Once enabled, the vulnerability assessment scanner will automatically start scanning existing subscriptions for Azure Container Registries. After scanning the images, the recommendation “Container registry images should have vulnerability findings resolved” will appear to show all unhealthy registries with all unhealthy images in them. The “Affected Resources” tab shows you vulnerable container registries while the “Security Checks” tab shows you the vulnerabilities. Clicking on a specific “Security Check” will open a pane that gives you more information about the security finding and how to remediate it. Vulnerabilities can be exported using Continuous Export or accessed via our Sub Assessments REST API.
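As an added example (not from the original post and not Microsoft's code), the Python below triages a saved Sub Assessments response per image, so that during the PoC you can confirm the scanner is producing findings and see which images to fix first. The field names under `properties` (`status`, `additionalData.assessedResourceType`, `repositoryName`, `imageDigest`, `patchable`, `cve`) are assumed from the API's documented response shape; the sample data and CVE placeholders are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a sub-assessments list response (field names assumed).
SAMPLE = json.loads("""
{"value": [
 {"properties": {"status": {"code": "Unhealthy", "severity": "High"},
   "additionalData": {"assessedResourceType": "ContainerRegistryVulnerability",
     "repositoryName": "poc/web", "imageDigest": "sha256:aaaa-constructed",
     "patchable": true, "cve": [{"title": "CVE-PLACEHOLDER-1"}]}}},
 {"properties": {"status": {"code": "Unhealthy", "severity": "Medium"},
   "additionalData": {"assessedResourceType": "ContainerRegistryVulnerability",
     "repositoryName": "poc/web", "imageDigest": "sha256:aaaa-constructed",
     "patchable": false, "cve": []}}},
 {"properties": {"status": {"code": "Unhealthy", "severity": "Medium"},
   "additionalData": {"assessedResourceType": "ContainerRegistryVulnerability",
     "repositoryName": "poc/api", "imageDigest": "sha256:bbbb-constructed",
     "patchable": true, "cve": [{"title": "CVE-PLACEHOLDER-2"}]}}},
 {"properties": {"status": {"code": "Healthy", "severity": "Low"},
   "additionalData": {"assessedResourceType": "ContainerRegistryVulnerability",
     "repositoryName": "poc/api", "imageDigest": "sha256:bbbb-constructed"}}},
 {"properties": {"status": {"code": "Unhealthy", "severity": "High"},
   "additionalData": {"assessedResourceType": "ServerVulnerability"}}}
]}
""")

def triage(response):
    """Summarise unhealthy registry-image findings per (repository, digest)."""
    images = defaultdict(lambda: {"High": 0, "Medium": 0, "Low": 0,
                                  "patchable": 0, "cves": set()})
    for item in response.get("value", []):
        props = item.get("properties", {})
        extra = props.get("additionalData", {})
        status = props.get("status", {})
        # The same API returns other sub-assessment types; keep image findings only.
        if extra.get("assessedResourceType") != "ContainerRegistryVulnerability":
            continue
        sev = status.get("severity")
        if status.get("code") != "Unhealthy" or sev not in ("High", "Medium", "Low"):
            continue
        row = images[(extra.get("repositoryName"), extra.get("imageDigest"))]
        row[sev] += 1
        row["patchable"] += 1 if extra.get("patchable") else 0
        row["cves"].update(c["title"] for c in extra.get("cve", []) if "title" in c)
    # Worst images first: most High findings, then Medium, then Low.
    return sorted(images.items(), key=lambda kv: (-kv[1]["High"], -kv[1]["Medium"], -kv[1]["Low"]))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

An empty result after the initial scan has had time to complete is itself a finding for the PoC: either no images are unhealthy or the registries are not being scanned.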
You can also check to see if Microsoft Defender for Containers is running properly by simulating an alert.
If you find alerts that are not relevant to your environment, you can either manually dismiss them or create suppression rules to automatically dismiss them in the future.
Conclusion
By the end of this PoC, you should be able to determine the value of Microsoft Defender for Containers and the significance of this level of threat detection on your workloads.
Reviewers: Tom Janetscheck, Senior Program Manager