Microsoft Defender for Cloud PoC Series – Microsoft Defender for SQL
[Post updated on 8/22/2024] by Yura Lee

Introduction

This article is a continuation of the Microsoft Defender PoC Series, which provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.

There can be many security vulnerabilities in databases that are sometimes taken advantage of by malicious actors. According to the GitHub 2020 report, a vulnerability typically goes undetected for 218 weeks (just over four years) before being disclosed and fixed. Injection attacks, such as those on SQL and NoSQL, are among the most popular types of cyberattacks for web applications (as per the OWASP Top 10). SQL injection attacks, brute-force attacks, and SQL shell OS attacks leading to crypto-mining and ransomware can be detected and remediated by the Microsoft Defender for SQL plan.

Microsoft Defender for SQL has two main capabilities that together protect your SQL environments from cyberattacks:
- Vulnerability Assessment, a service that helps you identify and remediate vulnerabilities in your database environments to improve your security posture.
- Advanced Threat Protection, which detects suspicious activities related to your databases and alerts you with details and recommended actions.

There are other types of databases that are protected via the Advanced Threat Protection feature as well.

Planning

So, what actually gets protected through Microsoft Defender for SQL? Two Microsoft Defender plans make up Microsoft Defender for SQL.

Microsoft Defender for Azure SQL database servers protects:
- Azure SQL Database
- Azure SQL Managed Instance
- Dedicated SQL pool in Azure Synapse
Microsoft Defender for SQL servers on machines extends these protections to fully support hybrid environments, protecting SQL servers hosted in Azure, in other cloud environments, and even on on-premises machines. It does this by protecting:
- SQL Server on Virtual Machines
- On-premises SQL servers (Azure Arc-enabled SQL Server)
- SQL Server running on Windows machines without Azure Arc

There is a third plan, Microsoft Defender for open-source relational databases, that brings threat protection for:
- Azure Database for PostgreSQL
- Azure Database for MySQL
- Azure Database for MariaDB

The final plan, Defender for Cosmos DB, provides advanced threat detection capabilities for Azure Cosmos DB (NoSQL API).

Preparation

You first need to enable Microsoft Defender for SQL, and for this you need the Security Admin role. For more information about roles and privileges, visit this article. You can enable the three plans of Microsoft Defender for SQL (for Azure SQL database servers, SQL servers on machines, and open-source relational databases) by following the instructions here.

If you are conducting this PoC in partnership with the SOC team, make sure they are familiar with the alerts that may appear once you enable this plan. Review all alerts available in our Alerts Reference Guide.

From the readiness perspective, make sure to review the following resources to better understand Microsoft Defender for SQL:
- Microsoft Defender for SQL Documentation
- Defender for SQL and the Vulnerability Assessment | Defender for Cloud in the Field #1
- Microsoft Defender for Cloud webinar: Microsoft Defender for SQL Anywhere (new!)
- Enhancements in Defender for SQL Vulnerability Assessment | Defender for Cloud in the Field #24 - YouTube

Special Note for Defender for SQL servers on machines

Microsoft Defender for SQL servers on machines requires the Azure Monitor Agent (AMA) to be installed, as well as the SQL IaaS extension for discovery and registration, and it should report to a workspace that holds the data collection rules (DCR). This workspace can be specified, or you can allow MDC to create a default one for you. For machines that are not in Azure, all of the above are required in addition to the Azure Arc installation. Read more about Arc-enabled servers here. Workspace configuration and automatic SQL server instance registration (recommended) can be done in Settings & monitoring. Make sure that Log Analytics deployment is turned OFF and AMA for SQL server on machines is turned ON.

Implementation and Validation

There are two ways to validate alerts. First, you can use the out-of-the-box sample alert feature. To create sample alerts, you need the Security Admin or Subscription Contributor role. To create sample alerts for Defender for SQL, go to Microsoft Defender for Cloud, open the Security alerts section and click Sample alerts. Select your subscription, choose Azure SQL Database and SQL Server on machines under the Microsoft Defender plans, and click Create sample alerts. The other way is to run simulations against the server itself; instructions for this are available on GitHub as part of the MDC labs here.

Prevention

Microsoft Defender for SQL allows you to remediate SQL vulnerabilities and prevent SQL incidents and alerts using SQL vulnerability assessment.
To configure it on your Azure SQL databases and Azure SQL Managed Instances, go to the Recommendations page in Microsoft Defender for Cloud and select one of the following recommendations under the control Remediate security configurations:
- For Azure SQL databases, select the recommendation Vulnerability assessment should be enabled on your SQL servers.
- For Azure SQL Managed Instances, select the recommendation Vulnerability assessment should be enabled on your SQL managed instances.

When Microsoft Defender for SQL is enabled on your SQL Server on machines, SQL vulnerability assessment does not require initial configuration, as it is included with SQL Server.

In this article, we demo SQL vulnerability assessment for Azure SQL Database. Select the recommendation SQL servers should have vulnerability assessment configured. From here, select the unhealthy resource that you'd like to configure vulnerability assessment on and click Fix. In the pane that appears, click Fix 1 resource.

Next, to remediate vulnerability findings on your SQL databases and SQL Server on machines, go to the Recommendations page in Microsoft Defender for Cloud. Under the control Remediate security configurations, select one of the following recommendations:
- For Azure SQL databases and Azure SQL Managed Instances, select the recommendation SQL databases should have vulnerability findings resolved.
- For SQL Server on machines, select the recommendation SQL servers on machines should have vulnerability findings resolved.

In this article, we demo SQL databases should have vulnerability findings resolved. From here, select any of the unhealthy resources, then select the finding you wish to remediate. In this example, we select Auditing should be enabled at the server level. Then select the database. Once again, click the finding you wish to remediate, which in our case is Auditing should be enabled at the server level, and select Click here to remediate.
Alternatively, you may decide that this finding does not pose a security risk for your environment. In this case, you should create an acceptable baseline, which is essentially a customisation that tells the Vulnerability Assessment what is expected in your environment. To do this, select Approve as Baseline and follow the subsequent instructions. Vulnerability Assessment runs recurring scans in your environment, and in the scans that follow, any results that match the baseline you established are considered passes. Only deviations from this baseline will appear as findings in the Vulnerability Assessment dashboard, which lets you focus your attention on the relevant issues. Learn more about this here. Continue remediating and/or setting baselines across all the findings and databases to improve your SQL security posture.

Automations

Instead of following the manual process above to remediate recommendations on SQL databases, you can use automated ways to remediate SQL-related recommendations such as Vulnerability assessment should be enabled on your SQL servers, Enable auditing on SQL server, Enable transparent data encryption on SQL databases and many more, available in our Microsoft Defender for Cloud GitHub repository. This repository gives you access to numerous sample security playbooks that help automate the remediation of a recommendation. You can also use the workflow automation feature in Microsoft Defender for Cloud, which can trigger Logic Apps on security alerts, recommendations, and changes to regulatory compliance. For example, when Microsoft Defender for Cloud detects a brute-force attack and you want it to be handled automatically, you can use this playbook as a starting point. To understand how to remediate security alerts using Microsoft Defender, make sure you check out this chapter from the SC-200 certification exam learning guide.
You can also create an automatic response to a specific security alert using an ARM template; read more about it in our documentation.

Further Resources
- How Microsoft Defender for SQL can protect SQL servers anywhere - YouTube (new!)
- Defender for Open-Source Relational Databases Multicloud | Defender for Cloud in the Field #51 (youtube.com)

Latest Updates (new!)
- Microsoft Defender for Open-Source Relational Databases Now Supports Multicloud (AWS RDS) (new!)
- Microsoft Defender for Cloud Adds Full Coverage for Azure Open-Source Relational Databases - Microsoft Community Hub (new!)
- Better Together = Defender CSPM + Database Protections - Microsoft Community Hub (new!)
- Microsoft Defender for SQL is now available on the SQL Virtual Machine blade. - Microsoft Tech Community

Conclusion

By the end of this PoC you should be able to determine the value proposition of Microsoft Defender for SQL and the importance of having this level of threat detection for your workloads. Stay tuned for more of the Microsoft Defender for Cloud PoC Series!

P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.

Reviewers

Special thanks to Yuri Diogenes, Safeena Begum, David Trigano and Michael Makhlevich for reviewing this article.

Microsoft Defender for Cloud PoC Series – Microsoft Defender for Key Vault
[Post updated on 06/27/2024] by Fernanda Vela

Introduction

This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.

Azure Key Vault is used to store and access secrets, such as API keys, passwords, certificates, or cryptographic keys. Holding such critical data makes it a priority to maximize the threat protection of the vaults, which can be provided with the security intelligence of Microsoft Defender for Key Vault.

Planning

As part of your Microsoft Defender for Key Vault PoC you need to identify the use case scenarios that you want to validate. Some common scenarios include access from an IP that was identified by Microsoft Threat Intelligence as suspicious, a user/service principal performing anomalous changes in policies, and a user or service principal attempting to access an anomalously high volume of key vaults in the last 24 hours, among others. You can use the Alerts identified by Microsoft Defender for Key Vault as your starting point to plan which actions you want to execute.

Enabling this plan at the subscription level will not affect the performance of your Azure Key Vaults, since there are no agents and the analysis is performed in Azure's backend. To enable Microsoft Defender for Key Vault at the subscription level:
- Go to the Azure portal
- Click on Microsoft Defender for Cloud
- Go to Environment Settings
- Select the subscription where you want to enable the plan
- In the Cloud Workload Protection section, you can enable/disable Key Vault

As of June 2024, Defender for Key Vault is offered in two plans: the Per-transaction model and the Per-Key-Vault model. To determine which plan is best for you, we strongly encourage you to reference your bill and the pricing calculator.
Preparation

You need at least the Security Admin role to enable Microsoft Defender for Key Vault. For more information about roles and privileges, visit this article. From the readiness perspective, make sure to review the following resources to better understand Azure Defender for Key Vault:
- Microsoft Defender for Key Vault | Azure Security Center in the Field #13
- Microsoft Defender for Key Vault Documentation

Implementation and validation

You can use the sample alert feature to validate Microsoft Defender for Key Vault alerts, or you can simulate Microsoft Defender for Key Vault alerts by following the instructions in Validating Azure Key Vault threat detection in Microsoft Defender for Cloud. Understanding the alerts for Key Vault can help you identify suspicious activities and eliminate noise if necessary. When you receive an alert from Microsoft Defender for Key Vault, we recommend that you investigate it, because even if you're familiar with the application or user that triggered the alert, it's important to verify the context of every alert.

If you also have Defender CSPM enabled, you can take advantage of attack paths to see whether there is a risk of lateral movement in your environment that exploits vulnerabilities on servers to gain access to Key Vaults. To explore more of these use-case exercises, visit the Microsoft Defender for Cloud GitHub repository, where there's a lab on Defender CSPM.

Conclusion

By the end of this PoC you should be able to determine the value of this solution and the importance of having this level of threat detection for your workloads.

P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by experts.
Reviewers
- Walner Dort - Product Manager II, Microsoft Defender for Cloud CXE
- @Yuri Diogenes - Principal PM Manager, Microsoft Defender for Cloud CXE

Microsoft Defender for DevOps Azure DevOps Connector - Microsoft Defender for Cloud PoC Series
Introduction

This article is a continuation of the Microsoft Defender PoC Series, which provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more holistic approach where you need to validate Microsoft Defender for Cloud, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article. There are two DevOps platforms currently covered by Defender for DevOps: GitHub and Azure DevOps. This article goes into detail about Azure DevOps Services. If you'd also like to learn about the GitHub connector with Microsoft Defender for DevOps, check out this article here.

Importance of Defender for DevOps

Microsoft Defender for DevOps with Azure DevOps provides security teams with visibility into the security posture of their Azure DevOps environments, while also giving developers and DevOps teams a simplified remediation experience for pre-production vulnerabilities and misconfigurations. With Defender for DevOps, security administrators get full visibility in a single view of the DevOps inventory and the security posture of pre-production application code.

Based on the Microsoft Security DevOps extension, you can leverage a collection of static analysis tools to scan code for security issues in Azure DevOps using Azure Pipelines. These static analysis tools include ESLint, which scans JavaScript code for security issues; Bandit for scanning Python code; Infrastructure as Code (IaC) scanning for Terraform (among others) using Terrascan; IaC scanning for ARM and Bicep files using Template Analyzer; and AntiMalware scanning on Windows agents from Windows Defender (not open source, and requires Windows Defender to be enabled on the Windows agent in order to run). See more here.

Teams can gather comprehensive code-to-cloud contextual insights within Defender for Cloud. Security admins can also help developers prioritize critical code fixes with pull request annotations.
Planning & Pre-Requisites

To start a POC (proof of concept) for Microsoft Defender for DevOps, you need to have the correct setup in Azure DevOps and in Microsoft Defender for Cloud.

Create an Azure DevOps trial subscription in the same tenant as the Azure subscription where you use Microsoft Defender for Cloud. See here. Then create an organization in Azure DevOps.

Next, you need the necessary permissions:
- Project Collection Admin role in Azure DevOps, in order to enable the connector from within Azure DevOps, as described here.
- Admin privileges in order to enable the Microsoft Security DevOps extension (the Microsoft Security DevOps extension installs all the security scanning tools), as per here.
- Defender for Cloud permissions here (Defender for DevOps specific):
  - Azure account with permissions to sign into the Azure portal
  - Contributor role on the relevant Azure subscription
  - Security Administrator role on the relevant subscription
- OAuth enabled in the Azure DevOps Organization Settings, which you can find by looking at the Organization Settings in Azure DevOps, as shown in the image below.

If you are using the free version of Azure DevOps and try to execute a pipeline, you will receive an error message. This message will ask you to visit here and request increased parallelism in Azure DevOps, which can take 2-4 days. If you don't want to wait, or your PoC schedule can't afford this time, an alternative for creating a pipeline is to use a Hosted Build Agent, which you can do by following these steps.

Preparation

To begin the preparation of the POC, you first need to create the Azure DevOps connector in Microsoft Defender for Cloud. Follow the guidance for enabling the Azure DevOps connector in Microsoft Defender for Cloud to authorize the connection.
Note: You need an Azure subscription and an Azure DevOps organization in the same tenant to enable the Azure DevOps connector in Microsoft Defender for Cloud. Follow the guidance here to create a new organization in Azure DevOps. See the troubleshooting guide here.

Then, switch over to Azure DevOps by going to https://dev.azure.com/ . You need to enable two extensions in Azure DevOps: the Microsoft Security DevOps extension, to run the security scans, and the SARIF SAST Scans Tab extension, to view the results of the Security DevOps extension in a simplified manner in a new tab in the Azure DevOps build results.

Next, in the Azure DevOps organization, create a new Azure DevOps project. Then create a new empty Git repository in that ADO project, which should include some sample code that you want to test.

The two Microsoft Defender for DevOps extensions in Azure DevOps.

You can run security scans via the Security DevOps extension on Azure Pipelines builds. For this reason, you need to configure a pipeline using YAML. You can follow the guidance to create a new pipeline and include the required YAML for the Microsoft Security DevOps task and the dotnet dependencies here. This includes the YAML with the necessary tasks for the build to run with the security scans.

Note: In the YAML file, if you would like to break the build when any security scanning tool in the Security DevOps extension has found issues in the build, include the necessary category and break: true in the Security DevOps task. Here is an example of a configuration that will break the build if a secret is detected by Microsoft Security DevOps.
```yaml
trigger:
  - main                    # run the scan on every push to main

pool:
  vmImage: windows-latest   # Microsoft-hosted Windows agent (no dotnet tasks needed)

steps:
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Security DevOps'
    inputs:
      break: true           # fail the build when the scanners report findings
```

Note: There are dotnet dependencies to be included in the YAML when using the Microsoft Security DevOps task on a self-hosted agent (see the docs here or GitHub lab 14). The dotnet dependencies are not required if you use the default Azure DevOps agents windows-latest or ubuntu-latest.

Implementation and Validation

To validate that the implementation was successful for Azure DevOps, developers can run the Azure Pipelines with the Microsoft Security DevOps extension as above and see the security scan results during the pipeline build runs. Your security team can manage secrets, code scanning findings and infrastructure-as-code findings found in Azure DevOps directly from Microsoft Defender for Cloud. The other validation in Azure DevOps for developers involves seeing secrets at the pull request stage as pull request annotations, before they're merged into the main branch (usually main/master).

For DevOps teams, it's useful to be able to see the security scan results, such as secrets, during the Azure Pipelines build runs, as they are used to working in Azure DevOps. To validate this, go to Pipelines in Azure DevOps. Select the pipeline that you enabled with the Security DevOps extension and click Run pipeline. After a few minutes, you will see whether your run has succeeded or failed. Click on the pipeline run and see the Summary of the run. Notice the Errors tab and the Warnings tab, which include security issues found in the repo. Beside Summary, go to the Scans tab, which appears thanks to the SARIF SAST Scans Tab extension you enabled. This tab shows the security scan findings per scanning tool. This is one view of the security scans that your developers can see from Azure DevOps.
However, Defender for DevOps crucially allows customers to manage the secrets, code scanning findings and infrastructure-as-code findings found in Azure DevOps directly from Microsoft Defender for Cloud. This means your security team can view these ADO security issues across Azure DevOps organizations, projects and repos from one centralised location, Microsoft Defender for Cloud.

To see the credentials in Microsoft Defender for Cloud, go to portal.azure.com and open Microsoft Defender for Cloud. Go to Recommendations. Under Remediate vulnerabilities, select the recommendation Code repositories should have secret scanning findings resolved. See the secrets found under Findings. Select a secret to get more information about it, including the Build URL and the Repo URL in Azure DevOps.

Pull Request Annotations

The other task you can do is to view pull request annotations, which contain the secrets and Infrastructure as Code security issues found in the Azure DevOps repos. See here to enable ADO pull request annotations in MDC and in ADO.

In Microsoft Defender for Cloud, go to DevOps Security in the side bar. Tick the box beside the Azure DevOps project and configure pull request annotations: select Configure at the top, and in the new screen turn on pull request annotations. Pull request annotations are now enabled for all branches in that repository. Then you need to enable pull request annotations in Azure DevOps by following the guidance here. See the process for validating pull request annotations in Azure DevOps for secrets here.

Then see the pull request annotations in Azure DevOps by going to Repos, then Pull Requests. Click on the pull request to see the high-severity pull request annotations showing the Secret Access Keys discovered. Now the developers can take action on these secrets (by removing them from the repository and storing them in a key vault such as Azure Key Vault).
The guidance for this can be found here and in the recommendation in Microsoft Defender for Cloud.

Workbook

In Microsoft Defender for Cloud, you can view workbooks, which are essentially reports specific to Defender for Cloud. To see these, go to Microsoft Defender for Cloud and, from the left-hand navigation blade, under the General section, select Workbooks. From here, under the Defender for Cloud section, you can select the DevOps Security Workbook, specifically focused on Defender for DevOps, to see an overview of security findings from Azure DevOps. There are several tabs that you can click through. See more information about this workbook here.

Further Resources
- MDC Ninja Training: Become an Azure Security Center Ninja (microsoft.com) - module 9 is DfD
- MDC Labs: https://aka.ms/MDFCLabs - DfD added in module 14; module 15, for the GitHub connector, is in progress
- The latest episode of Defender for Cloud in the Field features DfD: https://www.youtube.com/watch?v=wYCOyFUMRPk
- DfD Interactive Guide: Unify DevOps security management with Microsoft Defender for Cloud (cloudguides.com)
- DfD Ignite On-Demand session: https://ignite.microsoft.com/en-US/sessions/418befd8-a7ee-4f46-a6a8-8b522b120135?source=sessions

Blogs
- Pre-Deployment Protection for Infrastructure as Code - Microsoft Community Hub
- DevOps Security Workbook - Microsoft Community Hub
- Compliance for Exposed Secrets Discovered by Defender for DevOps - Microsoft Community Hub
- Automate Defender for DevOps Recommendation Remediation - Microsoft Community Hub
- Automate SecOps to Developer Communication with Defender for DevOps - Microsoft Community Hub
- Integrate security into your developer workflow with GitHub Advanced Security for Azure DevOps - Azure DevOps Blog (microsoft.com)
- Download (free) a special Appendix about Defender for DevOps from the latest Microsoft Defender for Cloud book published by Microsoft Press

Defender for DevOps Documentation
- Microsoft Defender for DevOps - the benefits and features | Microsoft Learn
- Quickstart: Connect your GitHub repositories to Microsoft Defender for Cloud | Microsoft Learn
- Quickstart: Connect your Azure DevOps repositories to Microsoft Defender for Cloud | Microsoft Learn
- Configure the Microsoft Security DevOps GitHub action | Microsoft Learn
- Configure the Microsoft Security DevOps Azure DevOps extension | Microsoft Learn
- Discover misconfigurations in Infrastructure as Code - Defender for Cloud | Microsoft Learn
- Detect exposed secrets in code - Defender for Cloud | Microsoft Learn
- Tutorial: Enable pull request annotations in GitHub or in Azure DevOps | Microsoft Learn

Conclusion

By the end of this article, you should understand the value proposition of Microsoft Defender for DevOps and have the knowledge to run a PoC for it on Azure DevOps.

Thanks to the following teammates for reviewing this article:
- Charles Oxyer, Microsoft Defender for DevOps Product Manager
- Yuri Diogenes, Principal Microsoft Defender for Cloud Product Manager

P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.

Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series
Introduction

This article is a continuation of the Microsoft Defender PoC Series, which provides guidelines on how to perform a proof of concept for a specific Microsoft Defender plan. For a more comprehensive approach where you need to validate Microsoft Defender for Cloud, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.

Importance of DevSecOps

There are two Source Code Management platforms currently supported by Defender for DevOps: GitHub Enterprise Cloud and Azure DevOps Services. This article goes into detail about GitHub Enterprise Cloud.

Microsoft Defender for DevOps with GitHub allows security teams to determine how secure their GitHub environments are, while also empowering developers and DevOps teams to protect these environments. With Defender for DevOps, security administrators get full visibility in a single view of the DevOps inventory and the security posture of pre-production application code, which includes findings from code, secret, and open-source dependency vulnerability scans via GitHub Advanced Security. Microsoft Defender for DevOps, using GitHub Advanced Security, finds security issues in third-party dependencies through Dependabot, in code through CodeQL code scanning, and in committed credentials through secret scanning, and presents the results back to Microsoft Defender for Cloud on one centralized platform.

Developers or DevOps teams can enable security of Infrastructure as Code (IaC) templates and container images to minimize cloud misconfigurations reaching production environments, allowing security administrators to focus on critical evolving threats. There are several other capabilities that are based on the Microsoft Security DevOps extension. Using this extension, you can leverage a collection of static analysis tools to scan code for security issues in GitHub during GitHub Actions runs. Teams can gather comprehensive code-to-cloud contextual insights within Defender for Cloud.
Security admins can help developers prioritize critical code fixes with pull request annotations and assign developer ownership by triggering custom workflows that feed directly into the tools developers use and love.

Planning & Pre-Requisites

To start a POC (proof of concept) for Microsoft Defender for DevOps, you need to have the correct setup in GitHub and in Microsoft Defender for Cloud. The necessary requirements and permissions:
- A GitHub account. To create a new account, go here. If you would like to use a trial GitHub account for this POC, go to https://github.com/join .
- To have all the features associated with Defender for DevOps, you need to enable GitHub Advanced Security. You can get GitHub Advanced Security via GitHub Enterprise. See more about these licenses and about their billing.
- GitHub Advanced Security requirements (see here): a 30-day trial of GitHub Enterprise Cloud (here) is necessary to get GitHub Advanced Security, which enables all DfD scans. Note: alternatively, in a POC, you can get all the GitHub Advanced Security functionality for public repositories.
- An Azure subscription
- Defender for Cloud permissions here (Defender for DevOps specific):
  - Azure account with permissions to sign into the Azure portal
  - Contributor role on the relevant Azure subscription
  - Security Administrator role on the relevant subscription
- GitHub permissions: Organisation Administrator in GitHub

Preparation

Create the GitHub Connector in Microsoft Defender for Cloud

To begin the preparation of the POC, you first need to create the GitHub connector in Microsoft Defender for Cloud. Follow the guidance for enabling the GitHub connector in Microsoft Defender for Cloud to create and authorise the connection. When creating the connector, in step 3, confirm that all the GitHub Advanced Security features are enabled: secret scanning, code scanning with CodeQL and open-source dependency scanning with Dependabot.
After you authorize Defender for DevOps, when you click Install under Install Defender for DevOps, you can select the organisation you want to protect and then the repositories you want to protect. Then, from the left navigation bar, under Security, go to Code security and analysis. From here, enable Dependabot and Secret scanning (if they weren't already enabled on the repository). Once you have enabled this functionality, go back to Defender for Cloud, click Review and create on the GitHub connector, and finalise the connector creation. Your GitHub connector will then appear in the Environment Settings in a few moments.

Enable the GitHub Advanced Security Functionality of CodeQL

With the connector enabled, you should next enable CodeQL (a feature of GitHub Advanced Security), which performs code scanning to find security issues in your code. To do this, go to the repository you want to enable CodeQL on, select Security on the top navigation bar, and then click Code scanning in the left navigation bar. From here, you are brought to the GitHub Settings blade, where you can set up CodeQL analysis using either the Default or Advanced settings, depending on your code. Once you have done this, CodeQL, Dependabot and Secret scanning have all been enabled on the repository.

Implementation and Validation

To validate the implementation for GitHub, two personas need to be involved: the developer and the security admin.

The Developer Implementation in GitHub

The developer can see the GitHub Advanced Security results from the Security tab in the repository. Next, the developer also needs to enable MSDO (Microsoft Security DevOps extension) by using GitHub Actions.
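A GitHub Actions workflow that runs MSDO on every push and pull request and publishes its SARIF results to the repository's Security tab, added here as an example (it is not code from the original post or from Microsoft's documentation); the workflow name, the branch name and the .NET versions are assumptions to adjust for your repository:

```yaml
# Added example (not from the original post): GitHub Actions workflow that runs
# Microsoft Security DevOps (MSDO) and uploads its SARIF output to code scanning,
# so the findings show in the repository's Security tab and, through the
# connector, in Microsoft Defender for Cloud.
name: MSDO scan                      # assumption: any workflow name works

on:
  push:
    branches: [ main ]               # assumption: the default branch is "main"
  pull_request:
    branches: [ main ]               # scan pull requests before they are merged
  workflow_dispatch:                 # allow a manual run while validating the PoC

jobs:
  msdo:
    name: Microsoft Security DevOps analysis
    runs-on: windows-latest          # Windows agent so the AntiMalware scanner can run too
    permissions:
      contents: read                 # check out the repository
      id-token: write
      actions: read
      security-events: write         # needed to upload SARIF to code scanning
    steps:
      - uses: actions/checkout@v4

      # MSDO is a .NET tool; the runtime versions listed here are an assumption,
      # check the action's documentation for the currently required versions.
      - uses: actions/setup-dotnet@v4
        with:
          dotnet-version: |
            6.0.x
            8.0.x

      - name: Run Microsoft Security DevOps
        uses: microsoft/security-devops-action@latest
        id: msdo                     # the id exposes the sarifFile output used below

      - name: Upload results to the Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.msdo.outputs.sarifFile }}
```

Save it as a file under .github/workflows/ in the repository; the findings it uploads are the ones the security admin later sees under the Defender for Cloud recommendations described in this article.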
MSDO contains several capabilities, such as ESLint, which scans JavaScript code; Bandit, which scans Python code; Infrastructure as Code (IaC) scanning for Terraform (among others) using Terrascan; IaC scanning for ARM and Bicep files using Template Analyzer; and AntiMalware scanning on Windows agents using Windows Defender (not open source, and requires Windows Defender to be enabled on the Windows agent to run). The guidance to enable MSDO scanning with GitHub Actions is found here.

Next, the developer should also enable Pull Request annotations, which is where security findings are exposed. Any exposed issues can then be remedied by developers. This process can prevent and fix potential security vulnerabilities and misconfigurations before they enter the production stage. GitHub Advanced Security annotates the vulnerabilities within the file's diff rather than all the vulnerabilities detected across the entire file. The guidance to enable pull request annotations in GitHub is found here. Developers can see pull request annotations in GitHub, and security operators can see any unresolved findings in Microsoft Defender for Cloud.

The Security Admin in Microsoft Defender for Cloud

As stated above, Defender for DevOps allows security operators to manage the security scan results from GitHub directly from Microsoft Defender for Cloud. This means that your security team can manage this across GitHub organisations, projects and repos from one centralised location in Microsoft Defender for Cloud. Several recommendations give security admins visibility into security scan results from GitHub Advanced Security and MSDO. These recommendations are found under the Remediate vulnerabilities control on the Recommendations page in Microsoft Defender for Cloud. Under Remediate vulnerabilities, select the recommendation Code repositories should have secret scanning findings resolved.
If you select the secret (such as Amazon S3 Client Secret Access Key), you get more information about it, including the HTML URL, the Location URL and the Repo URL in GitHub.

Prevention

Now the security operator can ensure that all these findings are managed by the developers or DevOps teams. The security operator can also do proactive threat hunting of the GitHub environments by enabling the Defender CSPM plan; they can then get additional contextual information about the GitHub environments with the Security Graph functionality. The guidance for creating these queries to get additional GitHub context is here. If there are any potential attack paths that an attacker could take to gain access to critical environments, these are also tracked, as described here. The developers should act on the findings (whether secrets, code scanning findings, open-source dependency scanning findings or IaC scanning findings). The guidance for how to remediate secrets can be found here, as well as in the recommendation in Microsoft Defender for Cloud.

Workbook

In Microsoft Defender for Cloud, you can view workbooks, which are reports specific to Defender for Cloud. To see these, go to Microsoft Defender for Cloud and, from the left-hand navigation blade, under the General section, select Workbooks. From here, under the Defender for Cloud section, select the DevOps Security Workbook, which is focused on Defender for DevOps, to see an overview of security findings from GitHub. There are several tabs that you can click through. See more information about this workbook here.
Further Resources

- MDC Ninja Training: Become a Microsoft Defender for Cloud Ninja (microsoft.com); module 9 is Defender for DevOps
- MDC Lab for Defender for DevOps with GitHub
- The latest episode of Defender for Cloud in the Field features DfD: https://www.youtube.com/watch?v=wYCOyFUMRPk
- DfD Interactive Guide: Unify DevOps security management with Microsoft Defender for Cloud (cloudguides.com)
- DfD Ignite On-Demand session: https://ignite.microsoft.com/en-US/sessions/418befd8-a7ee-4f46-a6a8-8b522b120135?source=sessions

Blogs

- Pre-Deployment Protection for Infrastructure as Code - Microsoft Community Hub
- DevOps Security Workbook - Microsoft Community Hub
- Compliance for Exposed Secrets Discovered by Defender for DevOps - Microsoft Community Hub
- Automate Defender for DevOps Recommendation Remediation - Microsoft Community Hub
- Automate SecOps to Developer Communication with Defender for DevOps - Microsoft Community Hub
- Integrate security into your developer workflow with GitHub Advanced Security for Azure DevOps - Azure DevOps Blog (microsoft.com)
- Download (free) a special Appendix about Defender for DevOps from the latest Microsoft Defender for Cloud book published by Microsoft Press

Defender for DevOps documentation

- Microsoft Defender for DevOps - the benefits and features | Microsoft Learn
- Quickstart: Connect your GitHub repositories to Microsoft Defender for Cloud | Microsoft Learn
- Quickstart: Connect your Azure DevOps repositories to Microsoft Defender for Cloud | Microsoft Learn
- Configure the Microsoft Security DevOps GitHub action | Microsoft Learn
- Configure the Microsoft Security DevOps Azure DevOps extension | Microsoft Learn
- Discover misconfigurations in Infrastructure as Code - Defender for Cloud | Microsoft Learn
- Detect exposed secrets in code - Defender for Cloud | Microsoft Learn
- Tutorial: Enable pull request annotations in GitHub or in Azure DevOps | Microsoft Learn

Automations

- Automate SecOps to Developer Communication with Defender for DevOps:
  https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/automate-secops-to-developer-communication-with-defender-for/ba-p/3637669

Conclusion

By the end of this article, you should understand the value proposition of Microsoft Defender for DevOps and know how to run a PoC for it on GitHub.

Thanks to the following teammates for reviewing this article:

- Charles Oxyer, Microsoft Defender for DevOps Product Manager
- David Trigano, Senior Microsoft Defender for DevOps Product Manager
- Yuri Diogenes, Principal Microsoft Defender for Cloud Product Manager

P.S. Subscribe to our Microsoft Defender for Cloud Newsletter to stay up to date on helpful tips and new releases, and join our Tech Community, where you can be one of the first to hear the latest Microsoft Defender for Cloud news and announcements and get your questions answered by Azure Security experts.