Uncover the latest cloud data security capabilities from Microsoft Defender for Cloud
Published Apr 04 2023 09:05 AM by Microsoft

As digital transformation accelerates, many organizations are moving their data to the cloud at an exponential rate, taking advantage of the cost and operational efficiencies cloud deployments offer. The dynamic and complex nature of an organization's cloud data estate – storage and database resources, where data is stored and processed – along with the increased multicloud adoption and cloud-native application development, have multiplied the data security blind spots for security teams. 

 

As a result, security teams often lack comprehensive visibility into their cloud data estate, leaving organizations with an unaccounted-for attack surface. Malicious actors are increasingly taking advantage of these blind spots and targeting “low hanging fruit”, such as misconfigured object stores, SQL instances and virtual machines, to carry out a data breach. With the growing number of data breaches, organizations need to gain control of their cloud data estate.

 

Cloud data security begins with proactively strengthening the security posture of the cloud data estate and maintaining continuous threat protection against active data breaches. Last week at Microsoft Secure, we announced new cloud data security enhancements for Microsoft Defender for Cloud, our cloud-native application protection platform (CNAPP), offering a comprehensive multicloud data security solution that lets organizations start secure with data-aware security posture and stay secure with threat protection for their cloud storage and database resources. Customers are now able to:

 

  • Discover your data estate and pressing risks to sensitive data with data-aware security posture integrated in Defender Cloud Security Posture Management (CSPM)

Gain visibility into your multicloud data estate with automatic discovery and evaluate where sensitive data resides, how data resources are accessed, and the related data flows. Powered by the cloud security graph, security teams can uncover their latest data risks and identify possible points of data exposure by running queries across their object stores, managed databases, and hosted databases. To prioritize direct and indirect risks to sensitive data, security teams can also use attack path analysis to understand and remediate high risks to the cloud data estate.

  • Detect malware and sensitive data breaches in near real-time with Defender for Storage

Malware Scanning for Defender for Storage enables security teams to scan content upon upload and detect polymorphic and metamorphic malware in near real-time. With agentless, simple at-scale enablement, security teams can block the distribution of malware across their Azure Blob Storage. With the sensitive data threat detection capability, security teams can prioritize and respond to sensitive data exposure and data exfiltration events. To stop these breaches earlier, Defender for Storage also has new activity monitoring detections that provide visibility into leaked access keys and SAS token abuse, so security teams can stop bad actors in the early stages of an attack.

 

Integrated Data-Aware Security Posture in Defender CSPM

With Defender CSPM's new data-aware security posture management, security teams can get ahead of their data risks and prioritize the security issues that could result in a data breach.

 

Automatic cloud data estate discovery

Cloud data security begins with visibility. The new data-aware security posture capabilities enable security teams to automatically discover managed and shadow data resources in use across clouds, including different types of object stores and databases. Security teams can take a deeper look into their data resources by using the Cloud Security Explorer to run queries that determine who can access them, their network settings, access controls, and configured data flows.


Organizations need to understand their cloud data estate and their resource attributes.

In addition to automatic cloud data estate discovery, data-aware security posture capabilities offer sensitive data discovery, to automatically identify data resources that contain sensitive data such as personally identifiable information (PII), financial data, and credentials. The new sensitive data discovery engine offers out-of-the-box agentless, sample-based data scanning for dozens of highly sensitive information types with the option to select hundreds of additional sensitive information types within the data sensitivity options under the Defender for Cloud environment settings. 

 

Microsoft Purview customers can also leverage existing custom data classifiers using Purview information types, labels, and data context to identify data resources that contain sensitive data with existing organizational data practices.

 

Customers can configure the appropriate data sensitivity setting from Environment settings within Microsoft Defender for Cloud.

Identify and remediate cloud data at-risk

Our new data-aware security posture capabilities introduce data-layer context to the cloud security graph, a graph-based context engine that exists within Defender for Cloud to proactively identify and remediate risks to the cloud data estate.

Data-aware security offers coverage across object storage, managed databases, hosted databases, database copies, and data flows.

Explore risks to your data resources using the Cloud Security Explorer

Powered by the cloud security graph, security teams can run queries in the Cloud Security Explorer to find misconfigured data resources across their multicloud data estate that are publicly accessible and contain sensitive data. Query results show security teams the network and access controls applied to the exposed data resources, along with examples of the sensitive data found in each identified resource.

   

Surface data exposure risks with attack path analysis

Data-aware security posture capabilities introduce two new data risk categories to the Defender for Cloud attack paths tool to identify direct and lateral movement risks to data in the cloud. Selecting the "Data Exposure" or "Sensitive Data Exposure" risk category surfaces risks to databases, object stores, or copies of data resources.

 

New attack path risk categories: "Sensitive data exposure" and "Data exposure"

 

In the example below, an attack path involving an internet-exposed virtual machine (VM) with access to a data store that contains sensitive data indicates a risk of a costly data breach through lateral movement. In this scenario, attackers could exploit the vulnerable, internet-exposed VM and use its permissions to move laterally to an object store that contains sensitive data.

 

Attack path example showing an internet-exposed VM with access to sensitive data

"Prioritizing data security is a must for Icertis because we manage more than 2 billion metadata elements across 10 million contracts, delivering the only enterprise-grade contract lifecycle solution built on the Microsoft Azure Cloud. The new data-aware security posture capabilities in Microsoft Defender for Cloud support our end-to-end approach to ethical data management, enabling us to proactively identify and address potential security risks. Features including attack path analysis and cloud security explorer, combined with Defender’s data-aware security posture capabilities, support our efforts as Icertis continues to safeguard customer data with the utmost care and diligence.” 

Subodh Patil, Principal Architect, Information Security, Icertis

 

Optimizing cloud data security with posture visibility and threat protection

Cloud data security begins with proactively managing your sprawling cloud data estate and maintaining continuous threat protection against data breaches. Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that offers comprehensive data security consisting of two layers of protection for the cloud data estate.

  1. Data security posture management - the first layer is the newly introduced data security posture management, which prioritizes security issues that may result in data breaches.
  2. Data threat protection - the second layer is advanced threat protection for detecting and responding to early signs of an ongoing data breach, in the form of suspicious or potentially harmful attempts to upload, access, or exploit data in object stores and databases.

Customers who have both Defender CSPM and Defender for Cloud's workload protection plans enabled can view their existing security alerts on the cloud resources that appear in an attack path. Clicking the security alerts indicator on the resources in the attack path example above reveals early attempts to brute-force access to the vulnerable VM that has permission to reach an object store containing sensitive data.

 

View of active security alerts related to attack paths

 

Leverage Defender for Storage to detect malware in near real-time and prevent sensitive data breaches

 

With Defender for Storage's new malware scanning and data-aware threat detection, security teams can detect and respond to malware distribution and sensitive data breaches in Azure Storage.

 

As part of Microsoft Defender for Cloud's Cloud Workload Protection (CWP) offering, Defender for Storage analyzes telemetry streams and correlates cloud object store activity with Microsoft's threat intelligence research to detect anomalous and potentially malicious activity such as suspicious access and data exfiltration. Customers benefit from contextual security alerts that deliver investigation details, security recommendations, and automated response workflows to protect storage resources.

 

Defender for Storage now offers two enhancements in public preview to strengthen Azure Storage protection. The first is Malware Scanning, which detects metamorphic and polymorphic malware upon content upload in near real-time. The second is integrated sensitive data threat detection, a new set of detections built on the sensitive data discovery engine.

 

"Protecting storage accounts from untrusted content is one of our top security concerns. Now that Defender for Storage has extended its malware scanning capabilities and provided us with built-in near real-time full scanning, it allows us to replace our custom solutions, meaning lower TCO and lower risk. We can now meet compliance regulations and stay secure with simple setup and zero maintenance."

Pete van Blerk, Security Lead at NewOrbit

 

Malware Scanning upon content upload in near real-time

Cloud storage resources have become a common point of malware entry and distribution, and industry standards and regulations increasingly require malware scanning of newly uploaded content, so it is critical for organizations to have strong security controls in place.

 

Many web and mobile applications today allow end users to upload files to a shared backend cloud storage. If that storage is not protected, attackers can abuse those applications to spread malware-infected files quickly throughout an organization's infrastructure, affecting the compute resources, applications, and end-user devices that consume the cloud storage. To prevent malware distribution through shared cloud object stores, organizations must protect the distribution point itself: the cloud storage. This requires a proactive approach that detects and remediates malicious files as soon as they are uploaded.

New Malware Scanning for Defender for Storage offers simple agentless setup, near real-time malware scanning across file types, metamorphic and polymorphic malware detection, and faster response with configurable workflows.

 

Defender for Storage now offers Malware Scanning in public preview, enabling security teams to detect and prevent malware distribution events with near real-time scanning upon content upload. Powered by Microsoft Defender Antivirus technologies, Malware Scanning offers rich detection of both metamorphic and polymorphic malware for Azure Blob Storage. Malware Scanning is an agentless solution that can be rolled out at scale across an organization's cloud storage estate without configuration changes to the storage accounts or the applications that use them.

 

When a new blob is uploaded to an Azure Blob container, Defender for Storage scans it for malware and produces scan results in near real-time. The scan results, including the malware findings and the time of the scan, are added to the blob's index tags, so downstream consumers can check a blob's verdict before they process it.

If the scan results indicate malware, Defender for Storage also generates a security alert to drive the security team's response, with additional details on the incident, the malware type, and links to threat research on the detected malware from Microsoft Security Intelligence. Security teams can also set up automations to forward their Malware Scanning security alerts for further investigation through Defender for Cloud's built-in Microsoft Sentinel integration.

 

Malware Scanning security alert within Defender for Cloud, including information on the malicious file source and related resources.

 

Additionally, developers and security teams can build automations by sending scan results to Azure Event Grid to trigger actions such as automatic deletion or quarantine of the file. Scan results can also be logged to a Log Analytics workspace to provide evidence for regulatory compliance.
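The two response paths described above, the blob index tags and the Event Grid scan-result events, are easy to wire up incorrectly (for example, treating "no tag yet" as "clean"). As an added example, not code from the original post or from Defender for Storage itself, the following Python triages a batch of scan-result events into allow/quarantine decisions and shows the consumer-side check against the index tags. The event schema (eventType "Microsoft.Security.MalwareScanningResult", data.blobUri, data.scanResultType, data.scanResultDetails.malwareNamesFound), the index tag key names, and the account and container names are assumptions; confirm them against the events and tags your subscription actually produces.

```python
"""Triage Defender for Storage Malware Scanning results and pick a response per blob.

Added example, not Microsoft's code. The Event Grid event shape and the blob
index tag keys below are assumptions based on the preview documentation.
"""
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlparse

MALWARE_EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"   # assumed
RESULT_TAG = "Malware Scanning scan result"                       # assumed tag key
SCAN_TIME_TAG = "Malware Scanning scan time UTC"                  # assumed tag key


@dataclass(frozen=True)
class Decision:
    account: str
    container: str
    blob: str
    action: str   # "quarantine", "allow" or "ignore"
    reason: str


def parse_blob_uri(uri: str) -> tuple[str, str, str]:
    """Split https://<account>.blob.core.windows.net/<container>/<blob path>."""
    parts = urlparse(uri)
    account = parts.netloc.split(".")[0]
    container, _, blob = parts.path.lstrip("/").partition("/")
    if not (account and container and blob):
        raise ValueError(f"unexpected blob URI: {uri}")
    return account, container, blob


def decide(event: dict) -> Decision:
    """Map one Event Grid event to an action. Only an explicit clean verdict is
    trusted; a malicious or unrecognised verdict fails closed (quarantine)."""
    if event.get("eventType") != MALWARE_EVENT_TYPE:
        return Decision("", "", "", "ignore", "not a malware scanning event")
    data = event["data"]
    account, container, blob = parse_blob_uri(data["blobUri"])
    verdict = data.get("scanResultType")
    if verdict == "No threats found":
        return Decision(account, container, blob, "allow", "clean")
    if verdict == "Malicious":
        names = data.get("scanResultDetails", {}).get("malwareNamesFound") or []
        reason = "; ".join(names) if names else "malicious (unnamed)"
        return Decision(account, container, blob, "quarantine", reason)
    return Decision(account, container, blob, "quarantine",
                    f"unrecognised scan result {verdict!r}")


def handle_events(events: Iterable[dict],
                  quarantine: Callable[[Decision], None]) -> list[Decision]:
    """Triage a batch and invoke `quarantine` for each blob that must leave the
    consumer path. The callback is where a real deployment would copy the blob
    to a quarantine container and delete the original."""
    decisions = [decide(e) for e in events]
    for d in decisions:
        if d.action == "quarantine":
            quarantine(d)
    return decisions


def is_safe_by_tags(tags: dict) -> bool:
    """Consumer-side gate on the blob's index tags: process a blob only when a
    scan has completed and came back clean. A missing tag means the scan has not
    finished yet (or the blob predates enablement), which is not the same as clean."""
    return tags.get(RESULT_TAG) == "No threats found"


# Constructed sample batch (not real telemetry).
SAMPLE_EVENTS = [
    {"eventType": MALWARE_EVENT_TYPE,
     "data": {"blobUri": "https://contosouploads.blob.core.windows.net/incoming/2023/invoice.pdf",
              "scanResultType": "No threats found",
              "scanFinishedTimeUtc": "2023-04-04T09:05:00Z"}},
    {"eventType": MALWARE_EVENT_TYPE,
     "data": {"blobUri": "https://contosouploads.blob.core.windows.net/incoming/eicar.com",
              "scanResultType": "Malicious",
              "scanResultDetails": {"malwareNamesFound": ["Virus:DOS/EICAR_Test_File"]},
              "scanFinishedTimeUtc": "2023-04-04T09:05:01Z"}},
    {"eventType": "Microsoft.Storage.BlobCreated",
     "data": {"url": "https://contosouploads.blob.core.windows.net/incoming/other.bin"}},
]

if __name__ == "__main__":
    log = lambda d: print("QUARANTINE", d.container, d.blob, d.reason)
    for d in handle_events(SAMPLE_EVENTS, log):
        print(d.action, d.blob or "-", d.reason)
```

The design choice worth copying is the fail-closed default: an event with a verdict the handler does not recognise, or a blob whose tag is absent, is treated as not yet trusted rather than as clean, so a scanning outage or a schema change cannot silently let uploads through.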

 

Malware Scanning price

The public preview of Malware Scanning is offered free of charge as an add-on, exclusive to the new Defender for Storage plan, and can be enabled at the subscription level or at the resource level. In the future, Malware Scanning will be priced at USD $0.15/GB of data scanned. To keep costs predictable, customers can set a limit on the number of GB scanned per month. Billing for the Malware Scanning add-on is not enabled during public preview, and users will be notified in advance before billing begins.

 

Detect data breaches that involve sensitive data

As organizations store more data in the cloud, cloud storage resources have become a popular place to house sensitive data such as financial information and personally identifiable information (PII). According to a recent report on data breaches, cloud storage resources are lucrative targets for cybercriminals seeking to compromise sensitive data.

 

Defender for Storage provides ongoing activity monitoring of Azure Storage resources across the data and control planes. It uses behavioral modeling to identify suspicious attempts to access or exploit data, as well as configuration changes that indicate early signs of a data breach, and generates a security alert so security teams can investigate, respond, and mitigate quickly.

 

We have extended our sensitive data discovery engine to enable sensitive data threat detection for Microsoft Defender for Storage, generating new security alerts on active data breaches that involve malicious access to, exfiltration of, or corruption of sensitive data stored in Azure Blob Storage.

 

Get started today 

We encourage you to enable Microsoft Defender for Cloud's comprehensive cloud data security solution by turning on the Defender CSPM, Defender for Storage, and Defender for Databases plans across your cloud data estate.

 

For more information on Defender for Cloud, please visit Defender for Cloud web page.

 

Last update: Apr 03 2023 08:09 PM