This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month. In this edition, we are looking at all the goodness from July 2023.
Docs on Microsoft
Blogs on Microsoft
Microsoft Defender for Cloud
Secret scanning is now available as part of the agentless scanning in Defender for Servers P2 and Defender CSPM. This capability helps to detect unmanaged and insecure secrets saved on virtual machines, in both Azure and AWS resources, that could be used to move laterally in the network. If secrets are detected, Defender for Cloud can help to prioritize them and take actionable remediation steps to minimize the risk of lateral movement, all without affecting your machine's performance.
We’re excited to pre-announce the upcoming general availability of Malware Scanning in Defender for Storage with billing starting September 1, 2023. Existing customers that have Malware Scanning enabled in public preview received an Azure Service Notification on Thursday, July 27, 2023. Malware Scanning in Defender for Storage helps protect Blob storage accounts from malicious content by performing a full, built-in, agentless malware scan on uploaded content in near real-time, using Microsoft Defender Antivirus capabilities. The add-on will be priced at $0.15 USD/GB of data scanned and only available under the new Defender for Storage plan. The pricing page will reflect the changes on August 10, ahead of the GA date.
To agent or not to agent? Few debates in cloud security have attracted more attention in recent years. In this blog, we will investigate the different scenarios that involve agent-based and agentless security, analyze the arguments for and against both sides, and give implementation recommendations for your environment with Microsoft Defender for Cloud. Microsoft Defender for Cloud leverages both agent-based and agentless security, offering a robust and flexible solution for a range of cloud security needs. The solution can adapt to the context, optimizing its use of agent-based or agentless security as needed. This makes it a versatile and powerful tool for securing cloud environments, embodying Microsoft's commitment to providing top-tier, adaptable cloud security solutions.
By default, Defender for Cloud attempts to update your Defender for Endpoint for Linux agents onboarded with the MDE.Linux extension. With this release, you can manage this setting and opt-out from the default configuration to manage your update cycles manually. Learn how to manage automatic updates configuration for Linux.
Data-aware security posture in Microsoft Defender for Cloud is now Generally Available. It helps customers to reduce data risk and respond to data breaches. Using data-aware security posture you can:
Automatically discover sensitive data resources across Azure and AWS.
Evaluate data sensitivity, data exposure, and how data flows across the organization.
Proactively and continuously uncover risks that might lead to data breaches.
Detect suspicious activities that might indicate ongoing threats to sensitive data resources.
There are two Defender for Cloud plans with features relying on the Log Analytics agent: Defender for Servers Plan 2 and Defender for SQL servers on machines. As part of an updated strategy, the Azure Monitor Agent (also known as AMA) won’t be a requirement of our Defender for Servers offering, but will remain required for Defender for SQL servers on machines. As a result, the Defender for Servers features and capabilities outlined below, as well as the auto-provisioning process that provides the installation and configuration of both agents (MMA/AMA), will be adjusted accordingly. In this blog post we will explain the deprecation/replacement plan for the features and product capabilities that depend on the Log Analytics agent and the Azure Monitor Agent for each of the Defender for Cloud plans.
Agentless security works by leveraging existing cloud APIs and services, removing the need to install software agents on individual hosts. This simplifies the deployment process and reduces operational complexity. It presents a compelling alternative to traditional agent-based security, which involves installing lightweight agents on each virtual machine or host within the cloud environment. In this article, we will outline how integrating the agentless approach into Defender for CSPM fosters a more robust and efficient cloud security posture. By utilizing agentless features, organizations can enhance visibility of their cloud resources, simplify deployment, maintain compatibility with diverse cloud platforms, and ensure thorough security coverage.
Support has been released for disabling vulnerability findings for your container registry images or running images as part of agentless container posture. If you have an organizational need to ignore a vulnerability finding on your container registry image, rather than remediate it, you can optionally disable it. Disabled findings don't affect your secure score or generate unwanted noise. Learn how to disable vulnerability assessment findings on container registry images.
Alerts in Microsoft Defender for Cloud are notifications generated when potential security threats and anomalous activities are detected within your cloud environment. These alerts provide crucial information and insights, enabling SecOps teams to effectively identify, prioritize, and respond to potential malicious activity. Learn more about Defender for Cloud alerts here: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference. Too many alerts, however, can overwhelm security teams with a high volume of notifications, leading to alert fatigue. SecOps teams may struggle to prioritize and address genuine threats effectively. Additionally, due to the limited resources available to SecOps teams, alert fatigue may take time away from true threat investigations, potentially leaving critical cyber threats unaddressed. This is why prioritization matters. In this blog, we will talk about the mechanisms of security alerts and incidents and explain incident templatization with recent research on crypto mining as an example.
Databases contain some of your most sensitive data, which makes them an obvious target for attackers. Most attackers are looking for data, whether to acquire sensitive data for their own use (to sell), to encrypt it (to sell back to you), or to destroy it (to cause you reputational and operational harm). Databases have an extended attack surface and are often misconfigured, which can lead to an attacker gaining access, elevating permissions, and wreaking havoc. This recommendation is generated by the Defender for SQL servers on machines vulnerability assessment. The rules that we check for are a set of possible misconfigurations that should be addressed. When you have findings for this recommendation, you have four options for how to handle them. We’ll go into depth on each of them in this blog.
In recent years, cloud identity-related security issues in supply chain attacks have gained significant attention. A supply chain attack occurs when attackers infiltrate a target organization by gaining access to its trusted suppliers or third-party service providers. Although supply chain attacks are not exclusive to the cloud environment, the advent of cloud computing has introduced unique considerations and risks to this type of attack. In this blog, we will demonstrate the mechanisms of identity-based supply chain attacks in the cloud and discuss how service providers’ cloud access can be used by attackers for identity-based supply chain attacks. We will also show how a new alert enrichment in Microsoft Defender for Cloud can help to detect and remediate those threats.