Understanding the current state of your environment is the first step towards improving its security posture. Microsoft Defender for Cloud is designed to strengthen the three pillars every enterprise relies on which is Protection, Detection & Response providing you CSPM & CWPP functionalities.
In Defender for Cloud, the posture management features provide Visibility and hardening guidance and the central feature that enables you to achieve these goals is Secure Score. Defender for Cloud continually assesses your resources, subscriptions and organization for security issues, and it aggregates all the findings into a single score by providing you list of recommendations. Typically, these are gaping holes that need to be fixed ASAP, while some recommendations are more long-term or just less critical and some more critical.
Current Challenge
One of the questions we constantly get asked is, How do I ensure that the Security posture will not start deteriorating again after the fixes have been made (or) how do I ensure I apply guardrails at the beginning of deployment phase for every service in Azure. It is often the case that development teams have full control of their subscriptions/resources. As a result, the configurations start to drift. The cure is simple, we need to have a security baseline defined.
Before you start reading about the proposed solution, it is important to understand, Defender for Cloud and Azure policies work together to help monitor and report on compliance in your environment. Like security policies, Defender for Cloud initiatives are also created in Azure Policy. You can use Azure policy to manage your policies, build initiatives, and assign initiatives to multiple subscriptions or for entire management groups. The default initiative automatically gets assigned to every subscription in Defender for Cloud and that is Azure Security Benchmark.
Azure Security Benchmark (ASB) consolidates Microsoft security best practices in Azure. It’s a great resource for design decisions, and the controls are mapped to industry standards. We have also created a policy set in Azure which can be used for monitoring resource compliance against the baseline. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. Almost every recommendation from Defender for Cloud has an underlying policy that is derived from a requirement in the benchmark. To learn about the built-in policies that are monitored by Defender for Cloud, check this out. Here you can find all the Azure Policy definitions in the Defender for Cloud category.
Proposed Solution
Up until now, there was no single view with which you could visualize all the policies you have assigned to monitor compliance of your environment. You had to browse through many different blades in Azure to assess and obtain this information. With this blog, I’m introducing you to a workbook that acts as a single pane of glass representing the policies and baselines across multiple subscriptions in Azure, in your environment as the first crucial step is to inventory and gain visibility.
What’s in the Dashboard
The new Policy Distribution Dashboard for Microsoft Defender for Cloud provides a unified view and deep visibility into the configuration of your overall policy structure in Azure.
The dashboard is powered by Azure Resource Graph (ARG) queries and divided into different sections.
The workbook can be edited, and all queries can be modified to meet your needs.
The workbook provides different sections like:
- Initiatives that’s assigned to the subscriptions
- The recommendations that are exempted and that are policy disabled
- List of Custom policies
- Regulatory Compliance Assessment State
- Policies by effect
- Compliance by policy assignment
How to Deploy
The Policy Distribution Dashboard is available in the Microsoft Defender for Cloud GitHub Repo page, under Workbooks and can be accessed directly with its direct URL
The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page.
How to Use
To use this dashboard, you need at least Reader permission at the subscription level. Assuming you have the required permissions, watch the screen capture below to learn about how to navigate through and use the dashboard.
Conclusion
The Policy Distribution dashboard provides valuable information about your policy assignments and it’s status. The workbook is available to all customers free of charge and does not require you to be a paid customer of Microsoft Defender for Cloud.
Additional Resources
- To learn more about Microsoft Defender for Cloud, visit: https://aka.ms/ascninja
- To learn about Microsoft Defender for Cloud workbooks, visit: https://docs.microsoft.com/en-us/azure/security-center/custom-dashboards-azure-workbooks
Acknowledgements
- Special thanks to @Lior Arviv for the partnership in reviewing and providing feedbacks on the artifact and reviewing article.
- Many thanks to @Rebecca Halla & @Yuri Diogenes in supporting this initiative and suggesting feedbacks.