As businesses switch to digital platforms, the risk of cyber-attacks has increased. IT teams have the enormous task of keeping servers secure from adversaries who are continuously finding new ways to break into systems and abuse vulnerabilities, a task that becomes exponentially more difficult to effectively perform as enterprise environments increase their complexity. Automation and optimization must be implemented if a team aims to be successful in their vulnerability management efforts against an ever-changing threat landscape. This post will discuss how Microsoft Defender for Servers, Microsoft Defender for Endpoint, Azure Automation Services and Azure Arc can automate and work together to simplify these efforts, concentrating on the gains of using these tools and providing tangible steps to implement an effective solution.
Challenges Associated with Traditional Vulnerability Management
In the past, vulnerability management was a manual activity involving discovering, estimating, and prioritizing vulnerabilities, which then led to patching and modernizing. This approach can be lengthy, exhausting and difficult to perform effectively, leaving many organizations struggling to keep pace with emerging threats. Major factors include the level of experience required to analyze and repair security problems, the higher chance of making mistakes, and the possibility of inconsistent remediation and coverage. These challenges led to traditional vulnerability management becoming more reactive than proactive, where the main driving force was a cyber-attack, major news, or compliance with legal requirements.
The Toolkit to a New Approach
We can automate and simplify vulnerability management with Microsoft Defender for Servers and Azure Automation Services. Microsoft Defender for Servers, part of Microsoft Defender for Cloud, provides a range of functionality designed to protect your servers, including file integrity monitoring, adaptive application control and just-in-time access, along with advanced protection thanks to its integration with Defender for Endpoint. Coverage includes the most common enterprise scenarios, such as Windows and Linux servers, both on-premises and deployed to cloud platforms such as Azure, AWS, and GCP.
Microsoft's Azure Automation Services offers a cloud-based solution to help organizations streamline their workflows and repetitive tasks by providing a centralized platform for managing changes across various environments, including on-premises and cloud-based systems. One of its most powerful features, Update Management, allows organizations to manage updates for Windows and Linux systems while also providing detailed reporting and analytics, allowing IT teams to track compliance and monitor update deployment progress.
To extend the solution capabilities to environments where non-Azure servers exist, Azure Arc can be used as a hybrid cloud management solution that extends Azure management functions to on-premises, multi-cloud, and edge scenarios. By leveraging Azure Arc, organizations can maintain uniformity in managing their servers no matter their location. This includes managing updates, implementing policies, and verifying compliance, all while providing a single view for controlling servers in various contexts, making management more efficient and decreasing the chance of configuration divergence.
Building the Solution
To successfully automate and streamline server vulnerability management, organizations can follow these steps:
For non-Azure servers, deploy the Azure Arc agent: With Azure Arc, you can manage and oversee servers that are not located in Azure in the same manner as Azure servers, thus providing a much easier experience and the capability to manage them all from the Azure portal. Guidance for deploying Azure Arc can be found here.
Enable and configure Microsoft Defender for Servers: Log on to the Azure portal and confirm that Defender for Servers is enabled in Defender for Cloud, and verify the automatic deployment of the Log Analytics agent or Azure Monitor agent. Finally, verify that Microsoft Defender Vulnerability Management is being used. Allow a few hours for all components to be installed on the servers and for the servers to show up in the Defender for Cloud inventory section. Guidance on planning the Defender for Servers deployment can be found here.
Create an Azure Automation account: An Automation account and a runbook make it possible to plan, run and track update installation activities. As of September 20, 2023, Azure Automation Run As accounts are retired; the options moving forward are system-assigned or user-assigned managed identities. Using a system-assigned managed identity, which is specific to one resource and follows the server's life cycle, is highly recommended. Guidance for the creation of an Automation account can be found here, and guidance on the creation of system-assigned managed identities can be found here.
Deploy and configure the Azure Update Management solution: Azure Update Management is a key part of the automation process and uses the Azure Automation account and runbooks for discovering and patching vulnerabilities. Set up the Azure Update Management solution and make sure it is connected to your Automation account. Then configure the deployment details: the update schedule, the number of deployment rings, and the maintenance windows. Patches should be applied in accordance with their enterprise impact, starting with the assets with the lowest impact, and keeping a backup asset of the same role so that the risk of downtime is limited. Guidance on enabling Azure Update Management can be found here.
Generate and export vulnerability management reports: It is advised to use the workbooks found in the Azure Update Management Center or the recommendations in Defender for Cloud to follow the progress of vulnerability management. Environments that require reports can either export the details given by the Azure Update Management Center workbook or use Kusto queries to build a customized workbook, which can be exported as PDF, CSV, or HTML for circulation.
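The five steps above, wired together in Az PowerShell as an added example. This is not code from the original post or from Microsoft: the resource group, region, workspace and Automation account names, the patch-ring tag name and the two-ring layout are all assumptions, and the script presumes the Az modules are installed, the Connected Machine agent has already been run on non-Azure servers, and the Log Analytics workspace is linked to the Automation account.

```powershell
# Added example (not from the original post). All names below are assumed placeholders.
# Requires the Az.Accounts, Az.Security, Az.Automation, Az.OperationalInsights,
# Az.Compute and Az.ConnectedMachine modules and an account with rights to
# change Defender plans and create Automation resources.

$ResourceGroup     = "rg-vulnmgmt"   # assumed
$Location          = "westeurope"    # assumed
$WorkspaceName     = "law-vulnmgmt"  # assumed Log Analytics workspace
$AutomationAccount = "aa-vulnmgmt"   # assumed
$RingTag           = "patch-ring"    # assumed tag used to place servers in rings
$ReportPath        = Join-Path $PWD "missing-updates-report.csv"

Connect-AzAccount | Out-Null

# Step 1: non-Azure servers are onboarded on the server itself with `azcmagent connect`;
# here we only confirm which Arc-enabled machines are reporting into the resource group.
$arcMachines = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup
Write-Host "Azure Arc machines connected: $($arcMachines.Count)"

# Step 2: enable Defender for Servers (the "VirtualMachines" plan) for the subscription.
Set-AzSecurityPricing -Name "VirtualMachines" -PricingTier "Standard" | Out-Null

# Step 3: Automation account with a system-assigned managed identity (no Run As account).
New-AzAutomationAccount -ResourceGroupName $ResourceGroup -Name $AutomationAccount `
    -Location $Location -AssignSystemIdentity | Out-Null

# Step 4: enable the Update Management ("Updates") solution on the workspace.
Set-OzOperationalInsightsIntelligencePack -ResourceGroupName $ResourceGroup `
    -WorkspaceName $WorkspaceName -IntelligencePackName "Updates" -Enabled $true | Out-Null

# Deployment rings: ring 0 holds the lowest-impact assets (dev/test) and patches first;
# ring 1 holds production and patches one week later, so a bad update surfaces in ring 0.
# Membership is driven by the assumed tag so the rings stay in sync with inventory.
$allVms = Get-AzVM -ResourceGroupName $ResourceGroup
$ring0Vms = ($allVms | Where-Object { $_.Tags[$RingTag] -eq "0" }).Id
$ring1Vms = ($allVms | Where-Object { $_.Tags[$RingTag] -eq "1" }).Id
$ring0Arc = ($arcMachines | Where-Object { $_.Tags[$RingTag] -eq "0" }).Name
$ring1Arc = ($arcMachines | Where-Object { $_.Tags[$RingTag] -eq "1" }).Name

function New-PatchRing {
    param([string]$Name, [datetime]$Start, [string[]]$VmIds, [string[]]$ArcNames)
    # Weekly 22:00 UTC window, two hours long, reboot only if the update asks for it.
    $schedule = New-AzAutomationSchedule -ResourceGroupName $ResourceGroup `
        -AutomationAccountName $AutomationAccount -Name $Name -StartTime $Start `
        -WeekInterval 1 -DaysOfWeek Tuesday -TimeZone "UTC"
    New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup `
        -AutomationAccountName $AutomationAccount -Schedule $schedule -Windows `
        -AzureVMResourceId $VmIds -NonAzureComputer $ArcNames `
        -IncludedUpdateClassification Critical, Security `
        -Duration (New-TimeSpan -Hours 2) -RebootSetting IfRequired
}

$firstWindow = (Get-Date).Date.AddDays(1).AddHours(22)
New-PatchRing -Name "ring0-devtest"    -Start $firstWindow            -VmIds $ring0Vms -ArcNames $ring0Arc | Out-Null
New-PatchRing -Name "ring1-production" -Start $firstWindow.AddDays(7) -VmIds $ring1Vms -ArcNames $ring1Arc | Out-Null
# Linux servers get a separate configuration with -Linux and -IncludedPackageClassification.

# Step 5: Kusto report of approved, non-optional updates still missing per server,
# taking the latest assessment per (machine, update) so stale rows do not inflate counts.
$kql = @"
Update
| where TimeGenerated > ago(1d)
| where Optional == false and Approved == true
| summarize arg_max(TimeGenerated, UpdateState, Classification, Title, KBID, Computer) by SourceComputerId, UpdateID
| where UpdateState =~ "Needed"
| project Computer, Classification, Title, KBID, TimeGenerated
| order by Computer asc
"@
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $kql
$result.Results | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Missing-update rows exported: $(@($result.Results).Count) -> $ReportPath"
```

The tag-driven ring membership is the design choice worth copying: a server changes ring by changing one tag rather than by editing a deployment, and the same tag can feed a Defender for Cloud workbook so the report and the patch schedule agree on which assets are low-impact. The CSV produced at the end is the raw material for the PDF or HTML circulation described in the last step.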
Setting up a reliable vulnerability management system doesn't have to be challenging. By implementing the solution proposed in this post, security teams can focus on increasing the value of the business rather than dealing with monotonous tasks, thus reducing the chances of a successful attack. All this and more, while benefiting from a unified management solution with reporting.