Survival Guide to Drive your Secure Score Up in Microsoft Defender for Cloud
Published Jul 12 2019 09:49 AM
Microsoft

Introduction

Security posture refers to the current state of an organization’s security—that is, its overall state of protection for its identities, endpoints, user data, apps and infrastructure. An organization’s security posture is not static; it changes constantly in response to newly emerging threats and changes in the environment. Enabling protections, like multi-factor authentication (MFA) for administrators, strengthens a company’s posture. A lack of vigilance, such as failing to update endpoints or to use available protections, can weaken an organization's security posture.

Microsoft Defender for Cloud can assist you in this journey to strengthening your security posture and it does that by bringing visibility and control for your workloads. By using Microsoft Defender for Cloud Secure Score as the Key Performance Indicator (KPI) for security of your cloud workloads, you will be able to constantly monitor your resources and track your progress towards a more secure environment. Watch the video below for a brief intro to this subject:

 

The intent of this post is to provide the essential list of resources that you can use to adopt Secure Score as your KPI and to remediate the security recommendations in order to drive your secure score up, as shown in the diagram below:

 

Figure: securescore.JPG

 

Foundation

To correctly use Secure Score you need to understand what the Secure Score is. Use the resources below to learn more about that:

Improve your secure score in Microsoft Defender for Cloud

Microsoft Defender for Cloud

Strengthen your security posture with Microsoft Defender for Cloud

 

Security Recommendations

Microsoft Defender for Cloud has a list of all recommendations for each workload. Read the articles below for more information about these recommendations:

Compute & Apps

Networking

Data & Storage

Identity

 

Best Practices for Security Recommendations

Remediating security recommendations can be overwhelming in some situations, mainly when the team that manages Microsoft Defender for Cloud does not have privileges to remediate the workloads. In this case they will need to interact with the workload owner via a change request process and ask them to remediate the security recommendation in their workloads. Below you have an example of a typical workflow:

 

Figure: securescore3.JPG

 

  1. The team that is responsible for Microsoft Defender for Cloud identifies that there is a security recommendation that needs to be addressed and which resources are affected.
  2. A ticket is opened and assigned to the workload owner. The ticket contains details about the security recommendation and the suggested steps to remediate it.
  3. The workload owner reviews the ticket and identifies that there is a quick fix for this recommendation. They can use the View remediation logic button to understand what changes will be made to the system.
  4. Once they feel comfortable with the changes, they start a change management process to schedule the remediation.
  5. The remediation is applied on the day that was scheduled.

 

While this workflow may change according to the company's policies and procedures, the core foundation is the same. When planning to address your security recommendations, you can use the following approach:

 

  •  Identify the low-hanging fruit: in other words, identify which recommendations will be quick wins, easy to fix without any impact.
  •  Go after the recommendations that are going to impact your secure score more AND are easy to fix: not all recommendations are equal, and some recommendations will have a bigger impact on your secure score. Go after those, and prioritize the ones that will take less effort to implement.

Once you finish that initial phase, evaluate the remaining ones, and prioritize accordingly. Keep in mind that this is an ongoing process. Once you finish remediating all recommendations, you need to ensure that you have good governance to lower the amount of security recommendations in the future.

 

Note: Make sure to also watch this webinar about the best practices to improve your secure score.

 

Azure Governance

 

Driving security posture enhancement by remediating security recommendations triggered by Microsoft Defender for Cloud, and using Secure Score to track your progress, is great, but there is more that needs to be done in order to keep progressing towards a better security posture. When a company doesn't have a very mature Azure Governance, chances are that it will experience fluctuation in the secure score (ups and downs), and this can happen if you continue provisioning new resources that are not secure by default.

 

Having a solid Azure Governance enables you to ensure that newly deployed resources follow certain standards, patterns and configurations. To ensure proper governance you can leverage Azure Policy and Azure Blueprints. This will allow you to enforce policies and reject deployment of resources that are not following certain standards. Watch the video below about Azure Policy Enforcement:

 

 

Frequently Asked Questions (FAQ)

Throughout the process of identifying the security recommendations and remediating them, some common questions come up repeatedly. The list below has some of those common questions; if you have a question on this topic that is not here, ask in the comment section:

 

Q1) How can I export the list of all security recommendations that I have in my Microsoft Defender for Cloud subscriptions to a CSV file?

A1: You can use this sample PowerShell script to accomplish that.
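As an added example (not the sample script linked in A1, and not Microsoft's code), the function below pulls every open Defender for Cloud assessment from Azure Resource Graph into a CSV, and returns a per-recommendation summary (severity and number of affected resources) that feeds the "quick wins" prioritisation described in the Best Practices section. It assumes the Az.Accounts and Az.ResourceGraph modules are installed and that Connect-AzAccount has already been run; the function name and default output path are assumptions.

```powershell
# Added example; assumes Az.Accounts + Az.ResourceGraph and an existing
# Connect-AzAccount session. Function name and output path are assumptions.
function Export-DfcRecommendations {
    param(
        [string]$OutputPath = ".\dfc-recommendations.csv",
        [string]$Status     = "Unhealthy"   # Unhealthy = recommendation still open
    )

    # Defender for Cloud publishes one assessment per (recommendation, resource)
    # pair into Resource Graph; keep only the ones with the requested status.
    $query = @"
securityresources
| where type == "microsoft.security/assessments"
| extend status = tostring(properties.status.code)
| where status == "$Status"
| project recommendation = tostring(properties.displayName),
          severity       = tostring(properties.metadata.severity),
          resourceId     = tostring(properties.resourceDetails.Id),
          subscriptionId,
          status
"@

    # A single Search-AzGraph call is capped, so page through with -First/-Skip.
    $pageSize = 1000
    $skip     = 0
    $rows     = @()
    do {
        $page  = Search-AzGraph -Query $query -First $pageSize -Skip $skip
        $rows += $page
        $skip += $pageSize
    } while ($page.Count -eq $pageSize)

    # Full per-resource export, one row per open recommendation/resource pair.
    $rows | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

    # Summary by recommendation: highest severity first, then most resources.
    # This is the list to walk when picking the easy, high-impact fixes.
    $rank = @{ High = 0; Medium = 1; Low = 2 }
    $rows | Group-Object recommendation | ForEach-Object {
        [pscustomobject]@{
            Recommendation = $_.Name
            Severity       = ($_.Group | Select-Object -First 1).severity
            Resources      = $_.Count
        }
    } | Sort-Object { $rank[$_.Severity] }, @{ Expression = "Resources"; Descending = $true }
}

Export-DfcRecommendations | Format-Table -AutoSize
```

Run it under an identity with at least Reader on the subscriptions in scope; Resource Graph only returns assessments for subscriptions the caller can read.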

 

Q2) There are some recommendations that are not applicable to my environment. For example, we use a third-party MFA solution and I would like to disable the MFA recommendation in Microsoft Defender for Cloud. How can I do that?

A2: You can use the instructions from this post or this article.

 

Q3) I’m not sure if all my VMs are monitored with Microsoft Defender for Cloud. I would like to identify the list of VMs that are monitored and export it to a CSV file. Is that possible?

A3: Yes. Read the instructions from this post.

 

Q4) Is there any way to automate the remediation of some of these recommendations?

A4: Yes. For some recommendations you can use Azure Policy; for others you can use PowerShell or even Azure Logic Apps. Our team created a repository in GitHub that provides a series of examples for some of the most common recommendations. You can download the samples from here and make the appropriate changes to fit your needs.

 

Q5) Can I quickly remediate a security recommendation from Microsoft Defender for Cloud dashboard?

A5: Yes. The new "One-click fix" feature enables you to remediate a recommendation on many resources at once, with a single click. It is an option only available for specific recommendations. One-click fix simplifies remediation and enables you to quickly improve your secure score and increase the security of your environment. Read more about this feature here.

 

Q6) I don't want to disable the entire recommendation, but I want to exclude from a recommendation some resources that I know I'm not going to remediate. Is that possible?

A6: Yes. You can use the Exemption feature. Read more about it here.

 

 

Last update: Oct 24 2021 05:17 AM