Microsoft Defender for Servers
Introducing the new File Integrity Monitoring with Defender for Endpoint integration
The release of File Integrity Monitoring (FIM) powered by Defender for Endpoint, the final and most complex piece of this puzzle, marks a significant milestone in the Defender for Servers simplification journey. The new FIM solution based on Defender for Endpoint offers real-time monitoring of critical file paths and system files, ensuring that any changes indicating a potential attack are detected immediately. In addition, FIM offers built-in support for relevant security regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others, allowing you to maintain compliance.

Agentless scanning for virtual machines in the cloud – technical deep dive
Over the past three years, a notable shift has unfolded in the realm of cloud security. Increasingly, security vendors are introducing agentless scanning solutions to enhance the protection of their customers. These solutions empower users with visibility into their security posture and the ability to detect threats — all achieved without the need to install any additional software, commonly referred to as an agent, onto their workloads.

Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation
Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in Aug 2024. The purpose of this blog post is to clarify how Microsoft Defender for Cloud will align with this plan and what the impact on customers is.

Microsoft Defender for Cloud PoC Series - Defender for Servers
2024-06-27: Blog updated to keep it current with the latest improvements in Defender for Servers.

Introduction

This article is part of our Microsoft Defender for Cloud PoC Series, which provides you with guidelines on how to perform a successful proof of concept for a specific Defender for Cloud plan. For a more holistic approach where you need to validate Defender for Cloud, please read How to Effectively Perform a Microsoft Defender for Cloud PoC. Microsoft Defender for Cloud is a Cloud Native Application Protection Platform (CNAPP) providing end-to-end security for hybrid and multi-cloud platforms, with Defender for Servers being Microsoft's server protection offering under this CNAPP umbrella.

Planning

As part of your Defender for Servers PoC, you need to identify the use case scenarios you want to validate. While Defender for Servers Plan 1 mainly focuses on integration with Microsoft Defender for Endpoint, Defender for Servers Plan 2 offers all capabilities of Plan 1 plus enhanced scenarios for multi-cloud machines. Therefore, we will focus on Defender for Servers Plan 2 use cases in this article. Please also see this documentation to learn more about the differences between Defender for Servers plans.

If you decide to make your on-premises servers or machines hosted on other clouds, e.g. AWS or GCP, part of the PoC, you need to choose how you are going to connect them to Azure so that Defender for Cloud can discover them and start protecting them. For multi-cloud machines, you can refer to our multi-cloud onboarding guide. For on-prem machines, using Azure Arc is the recommended option. Please keep in mind that certain Defender for Servers capabilities, such as agentless machine scanning or Just-In-Time (JIT) VM Access, are not available for on-prem machines. Remember that you have a 30-day free trial to test Defender for Servers. Any usage beyond 30 days will be automatically charged as per the pricing scheme here.
Preparation and Implementation

In order to enable Defender for Servers in your environment, you need a user account that has at least the Security Admin role. For more information about roles and privileges, read this article. Your first step is to enable Microsoft Defender for Cloud on the subscription(s) you are conducting the PoC in and make sure that the Defender for Servers plan is selected. By enabling Defender for Servers on your subscription, all relevant settings for server protection on your subscription will automatically be enabled. However, by selecting the "Settings" link, you can also disable configurations depending on your scenarios.

Validation

Since Defender for Servers has many capabilities, we are going to group them based on different use case scenarios.

Scenario 1: Attack Surface Reduction

Threat actors actively look for accessible machines with open management ports, like RDP or SSH. As a matter of fact, leaving your VM with such ports open to the Internet for a day or two (sometimes even a couple of hours) is enough to become a victim of a brute-force or password spray attack and receive a security alert like the one below (make sure you use strong passwords):

Note: Do not forget to configure email notifications to get a notification when Defender for Cloud detects new suspicious activities or attacks.

JIT VM access locks down the inbound traffic to your Azure VMs or AWS EC2 instances, reducing exposure to attacks while providing easy access to connect to VMs when needed. To configure and validate the JIT VM access feature, please follow this guidance.

Scenario 2: Integration with an EDR solution

If you have properly enabled and configured the integration with Microsoft Defender for Endpoint (MDE), all new servers connected to Defender for Cloud will automatically be onboarded to MDE.
Scenario 3: Vulnerability Assessment

Once you have deployed Microsoft Defender for Endpoint to your servers, Microsoft Defender Vulnerability Management (MDVM), the VA scanner used as part of the integration, will automatically start scanning your machines every 4 hours and report findings to Defender for Cloud and Defender XDR. Learn more about how to analyze and remediate vulnerabilities. As an alternative to using MDVM powered by the MDE agent, you can also use agentless machine scanning to get vulnerability findings highlighted.

Scenario 4: Agentless Scanning

Agentless machine scanning is enabled by default when enabling Defender for Servers Plan 2 on a subscription. For all machines running on Azure, AWS, and GCP, agentless scanning will provide vulnerability, secret and malware findings once a day. Please note that deallocated machines are not scanned; the machine needs to be up and running for agentless scanning to create corresponding findings. Malware that is detected will be shown as a security alert, similar to the ones shown below:

In order to simulate a malware alert, you can use an EICAR test file. You can learn more about agentless secret scanning and malware detection in our documentation.

Conclusion

By the end of this PoC, you should be able to determine the value of this solution and the importance of having this level of threat detection for your servers.

P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community where you can be one of the first to hear the latest Defender for Cloud news and announcements and get your questions answered by Microsoft Cloud Security experts.

Defender for Cloud unified Vulnerability Assessment powered by Defender Vulnerability Management
We are thrilled to announce that Defender for Cloud is unifying our vulnerability assessment engine to Microsoft Defender Vulnerability Management (MDVM) across servers and containers. Security admins will benefit from Microsoft’s unmatched threat intelligence, breach likelihood predictions and business contexts to identify, assess, prioritize, and remediate vulnerabilities - making it an ideal tool for managing an expanded attack surface and reducing overall cloud risk posture.

Microsoft Defender for Endpoint for Linux and Microsoft Defender for Servers
When it comes to protecting servers in hybrid and multicloud environments, Microsoft Defender for Servers as part of Microsoft Defender for Cloud is the solution you might be looking for. However, with all the features, dependencies, and complexity, it might become challenging to always make the right decision when planning, integrating, and deploying Defender for Servers across your environment. With this blog, we are focusing on deployment and integration of Microsoft Defender for Endpoint with Microsoft Defender for Servers on Linux machines.

Prepare for upcoming transitions in Defender for Servers
Last summer, within the scope of the upcoming Log Analytics agent deprecation, we announced a new agent strategy for Defender for Servers with the goal of simplifying onboarding and reducing external dependencies in our offering while improving existing capabilities and adding new ones. As part of that new strategy, we encourage our customers to enable both agentless scanning as part of Defender for Servers Plan 2 and integration with Microsoft Defender for Endpoint in both Defender for Servers plans, as a unified security agent. With this blog, we are sharing a thorough approach that you can use to make sure you are prepared for upcoming changes and that you can track your progress across your environment.

Security posture management and server protection for AWS and GCP are now generally available
We’re excited to announce that Microsoft Defender for Cloud’s multi-cloud capabilities for posture management and server protection for both Amazon Web Services (AWS) and Google Cloud Platform (GCP) workloads are generally available. Organizations can now easily manage and track their security state across the three largest cloud providers, as well as on-premises environments, in one centralized experience.