Understanding the current state of your environment is the first step towards improving its security posture. Microsoft Defender for Cloud is designed to strengthen the three pillars every enterprise relies on which is Protection, Detection & Response providing you CSPM & CWPP functionalities.
In Defender for Cloud, the posture management features provide Visibility and hardening guidance and the central feature that enables you to achieve these goals is Secure Score. Defender for Cloud continually assesses your resources, subscriptions and organization for security issues, and it aggregates all the findings into a single score by providing you list of recommendations. Typically, these are gaping holes that need to be fixed ASAP, while some recommendations are more long-term or just less critical and some more critical.
One of the questions we constantly get asked is, How do I ensure that the Security posture will not start deteriorating again after the fixes have been made (or) how do I ensure I apply guardrails at the beginning of deployment phase for every service in Azure. It is often the case that development teams have full control of their subscriptions/resources. As a result, the configurations start to drift. The cure is simple, we need to have a security baseline defined.
Before you start reading about the proposed solution, it is important to understand, Defender for Cloud and Azure policies work together to help monitor and report on compliance in your environment. Like security policies, Defender for Cloud initiatives are also created in Azure Policy. You can use Azure policy to manage your policies, build initiatives, and assign initiatives to multiple subscriptions or for entire management groups. The default initiative automatically gets assigned to every subscription in Defender for Cloud and that is Azure Security Benchmark.
Azure Security Benchmark (ASB) consolidates Microsoft security best practices in Azure. It’s a great resource for design decisions, and the controls are mapped to industry standards. We have also created a policy set in Azure which can be used for monitoring resource compliance against the baseline. This widely respected benchmark builds on the controls from the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) with a focus on cloud-centric security. Almost every recommendation from Defender for Cloud has an underlying policy that is derived from a requirement in the benchmark. To learn about the built-in policies that are monitored by Defender for Cloud, check this out. Here you can find all the Azure Policy definitions in the Defender for Cloud category.
Up until now, there was no single view with which you could visualize all the policies you have assigned to monitor compliance of your environment. You had to browse through many different blades in Azure to assess and obtain this information. With this blog, I’m introducing you to a workbook that acts as a single pane of glass representing the policies and baselines across multiple subscriptions in Azure, in your environment as the first crucial step is to inventory and gain visibility.
The new Policy Distribution Dashboard for Microsoft Defender for Cloud provides a unified view and deep visibility into the configuration of your overall policy structure in Azure.
The dashboard is powered by Azure Resource Graph (ARG) queries and divided into different sections.
The workbook can be edited, and all queries can be modified to meet your needs.
The workbook provides different sections like:
The Policy Distribution Dashboard is available in the Microsoft Defender for Cloud GitHub Repo page, under Workbooks and can be accessed directly with its direct URL
The workbook can be deployed quickly in the Azure Commercial and Gov cloud environments by clicking the respective “Deploy to Azure” buttons on the workbook page.
To use this dashboard, you need at least Reader permission at the subscription level. Assuming you have the required permissions, watch the screen capture below to learn about how to navigate through and use the dashboard.
The Policy Distribution dashboard provides valuable information about your policy assignments and it’s status. The workbook is available to all customers free of charge and does not require you to be a paid customer of Microsoft Defender for Cloud.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.