cloud security
Microsoft Defender for Cloud Named a Leader in Frost Radar™ for CNAPP for the Second Year in a Row!
In the ever-evolving landscape of cloud security, Microsoft continues to assert its dominance with its comprehensive and innovative solutions. The Frost Radar™: Cloud-Native Application Protection Platforms, 2024 report underscores Microsoft's leadership on both the innovation index and the growth index, highlighting several key strengths that set it apart from the competition. Frost & Sullivan states in its report, "With significant investments in cloud security, a strong partner network, and strategic positioning as a multicloud security provider, Microsoft has a solid foundation for sustained growth in the next few years to maintain its lead in the cloud security industry as competition increases."

Figure 1. Frost Radar™: Cloud-Native Application Protection Platforms 2024, showing Microsoft as a leader.

Unified and Comprehensive Security

The report highlights that Microsoft's Defender for Cloud stands out as a unified Cloud-Native Application Protection Platform (CNAPP) that integrates a broad range of security functionalities to protect both cloud and hybrid environments. Defender for Cloud includes workload security, Cloud Security Posture Management (CSPM), Infrastructure as Code (IaC) security, Data Security Posture Management, DevOps security with CI/CD pipeline hardening, AI-driven Security Posture Management (SPM), and Cloud Infrastructure Entitlement Management (CIEM) through Microsoft Entra Permissions Management. This extensive range of capabilities ensures end-to-end visibility and protection for cloud-native applications, making it a robust choice for organizations of all sizes.

Seamless Platform Integration and Advanced Threat Protection

The report also recognizes that one of Microsoft's significant advantages is its ability to leverage its extensive ecosystem to provide seamless integration and advanced threat protection.
Defender for Cloud integrates effortlessly with tools like Visual Studio, GitHub, and Azure DevOps during the development phase, embedding security early in the lifecycle. In production, it works with Microsoft Defender XDR, Microsoft Security Exposure Management, and Security Copilot to deliver advanced threat protection, reduce attack surfaces, and continuously monitor security posture across multicloud and hybrid environments. This holistic approach ensures that security is not an afterthought but a fundamental aspect of the entire development and deployment process.

Data-Aware Security and Multicloud Support

According to Frost, Microsoft excels in data-aware security, offering granular visibility into sensitive assets with advanced data classification and monitoring through Microsoft Purview integration with Defender for Cloud. This capability is crucial for organizations that need to manage and protect sensitive data across various cloud environments. Additionally, Defender for Cloud supports a wide range of workloads, including Azure, AWS, and Google Cloud, using both agent-based and agentless scanning. This multicloud support is a testament to Microsoft's commitment to providing flexible and comprehensive security solutions that cater to diverse customer needs.

Market Leadership and Robust Growth

Frost & Sullivan's report praises Microsoft's strategic positioning as a security player, enabling it to dominate the CNAPP market. The report highlights that Microsoft has been the largest player in the market over the last four years, with a projected revenue growth of 32.5% in 2024, capturing a dominant market share of 24.7%. This impressive growth is driven by its massive customer base from its Azure business and its extensive network of over 15,000 security partners, GSIs, MSSPs, and a thriving independent software vendor community.
Microsoft's ability to leverage its vast ecosystem and strategic partnerships has solidified its leadership position and set the stage for sustained growth in the coming years.

Innovation, Gen AI and Future Prospects

The Frost report also noted that Microsoft's commitment to innovation is evident in its continuous enhancement of Defender for Cloud's capabilities. The platform's integration with advanced AI and machine learning technologies, such as Microsoft Security Copilot, provides organizations with real-time threat detection and response capabilities. This focus on innovation ensures that Microsoft remains at the forefront of cloud security, addressing emerging threats and evolving customer needs.

In conclusion, Microsoft's Defender for Cloud exemplifies the company's strengths in providing a unified, comprehensive, and innovative security solution for cloud-native applications. Its seamless integration, advanced threat protection, data-aware security, and robust market presence make it a leader in the CNAPP space. As organizations continue to navigate the complexities of cloud security, Microsoft's solutions offer the reliability and advanced capabilities needed to protect their digital assets effectively.

To learn more about Defender for Cloud:
- Check out our cloud security solution page.
- Learn how you can unlock business value with Defender for Cloud.
- See it in action with a cloud detection and response use case.
- Start a free trial.

Strategy to Execution: Operationalizing Microsoft Defender CSPM
In today’s dynamic digital environment, cloud security is not just about building robust security posture; it’s about ensuring an adaptive environment with forward-looking strategies that align with your organization’s goals. Threat actors – ranging from individual hackers to organized criminal networks and state-sponsored groups – continuously develop new strategies to exploit vulnerabilities. Their motivations are diverse: financial gain, competitive intelligence, or pure disruption. Moreover, the greatest risks often emerge from within organizations, where human error or intentional misconduct can compromise even the most robust security frameworks. As the threat landscape grows increasingly complex, organizations must evolve beyond reactive responses to embrace proactive and holistic cybersecurity frameworks. This shift demands long-term strategic planning coupled with hands-on operationalization, ensuring that security measures are not only defined on paper but also seamlessly integrated into day-to-day workflows. Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) solution embodies this comprehensive approach. It empowers organizations to maintain continuous visibility across multicloud environments, enabling informed decision-making and effective allocation of resources. By aligning security initiatives with business objectives, integrating compliance seamlessly, incorporating DevSecOps principles, and preparing for incidents proactively, Defender CSPM helps organizations build a security posture that evolves in tandem with their growth and innovation. This guide explores both the strategic imperatives and the practical steps necessary to operationalize Defender CSPM. 
From setting long-term security goals to automating compliance checks and embedding security into DevOps, we'll walk through how to move from strategic vision to actionable practices that yield sustainable and measurable improvements in your organization's cloud security posture.

Why Strategic Planning Matters in Cloud Security

Modern cloud architectures span multiple platforms - Azure, AWS, GCP, and beyond - each posing unique security challenges. Without a unified strategic framework, teams risk creating visibility gaps that malicious actors can exploit. Coupled with the evolving threat landscape, where adversaries leverage sophisticated tactics and target APIs, applications, and data stores, organizations must continuously refine their security strategies to stay ahead. Comprehensive strategic planning ensures that:

- Complexity is Managed Proactively: By defining a consistent security strategy across all cloud environments, organizations avoid piecemeal protection and siloed controls.
- Continuous Adaptation to Emerging Threats: The rapid evolution of technologies like AI and APIs requires forward-looking strategies that anticipate and mitigate new attack vectors. Strategic planning enables continuous improvement rather than ad-hoc, reactive fixes.
- Regulatory Compliance is Embedded: With regulations like GDPR, HIPAA, and PCI-DSS growing more stringent, organizations must weave compliance into their broader strategy. Automated governance and compliance checks ensure rules are followed without stifling innovation.
- Alignment with Business Goals: Effective cloud security isn't a cost center - it's a strategic asset. Integrating security into the broader business roadmap ensures that risk management supports growth, innovation, and operational excellence.
Defender CSPM's Role in Strategic Cloud Security Management

Microsoft Defender CSPM is designed to provide the foundational capabilities required for a strategic security posture, offering:

- Continuous Visibility Across Multicloud Environments: Gain a unified view of security posture across Azure, AWS, and GCP. This holistic perspective allows teams to identify misconfigurations and vulnerabilities quickly - no matter where they lurk.
- Risk-Based Prioritization: Not all risks are equal. Defender CSPM contextualizes vulnerabilities based on potential impact and exploitability, guiding teams to focus on the most critical threats.
- Automated Compliance and Governance: By continuously auditing cloud environments against industry benchmarks, Defender CSPM helps maintain adherence to complex standards without manual overhead.
- DevSecOps Integration: Security needs to be "shifted left," integrated into the earliest stages of software development. Defender CSPM aligns with DevOps workflows, catching vulnerabilities before they reach production.
- Proactive Incident Preparedness: By highlighting potential attack paths and offering forensic insights, Defender CSPM equips organizations to handle incidents swiftly and learn from them to prevent future occurrences.
- Resource Optimization: With finite budgets and staff, organizations must allocate resources where they matter most. Defender CSPM's data-driven insights help direct investments to the highest-impact areas, improving ROI.

From Strategy to Operationalization: Bringing Defender CSPM into Day-to-Day Work

Developing a strategic security framework is the first step; operationalizing it ensures those strategies have a tangible impact. Operationalization bridges the gap between intention and execution, allowing your security posture to evolve continuously in response to new threats and requirements.

Why Operationalization is Crucial:

- Proactive Risk Remediation: Knowing where your risks lie isn't enough. Operationalizing CSPM means establishing workflows that ensure vulnerabilities and misconfigurations are promptly addressed, reducing dwell time and exposure.
- Automated Compliance and Governance Enforcement: Manual compliance checks are slow and error-prone. Operationalizing CSPM involves automating these checks and embedding policies to ensure continuous adherence to standards.
- Seamless DevSecOps Integration: By incorporating security gates and assessments into CI/CD pipelines, security is no longer a bottleneck but a catalyst for building more resilient applications from the outset.
- Effective Incident Response: Operationalization ensures that incident response teams have playbooks, tooling, and integrations - such as with SIEM and XDR solutions like Microsoft Defender XDR and Microsoft Sentinel - ready to go, minimizing downtime and damage.
- Data-Driven Resource Allocation: Turn insights into action by regularly evaluating risk data and using it to guide budget decisions, ensuring your team's efforts yield maximum security value.

Key Steps to Operationalizing Defender CSPM

1. Set Clear Objectives and Assess Your Environment: Begin by evaluating your multicloud footprint and defining what success looks like. Are you striving for reduced mean time to remediate (MTTR), consistent compliance, or earlier vulnerability detection in the development cycle?
2. Develop a Cloud Security Roadmap: A roadmap outlines how you will implement CSPM's capabilities - continuous scanning, automated compliance checks, DevSecOps integration - and sets milestones to measure progress.
3. Automate Vulnerability Scanning and Remediation: Configure continuous scanning to identify new vulnerabilities as they appear. Integrate remediation steps into predefined workflows so that issues are not just found, but rapidly fixed.
4. Enforce Compliance Through Policies and RBAC: Implement role-based access controls and automated policy enforcement to maintain regulatory compliance. Regularly review compliance dashboards to ensure standards remain met over time.
5. Integrate Security into DevOps Workflows: Shift security left by embedding vulnerability scans and code checks into CI/CD pipelines. Provide developers with immediate feedback on security issues, enabling them to resolve problems early and cheaply.
6. Proactive Forensics and Incident Preparedness: Develop incident response playbooks that detail how to use Defender CSPM insights to contain, investigate, and remediate breaches. Integrate with SIEM tools like Microsoft Sentinel for real-time alerting and streamlined investigations.
7. Continuously Optimize Resource Allocation: Use Defender CSPM's risk-based insights to refine where you spend your time and money. Track key metrics - like reduction in exposed vulnerabilities or faster remediation times - to prove ROI and make informed budgeting decisions.

Measuring Success and Continuous Improvement

Operationalizing your CSPM strategy isn't a one-and-done effort. It's a continuous improvement cycle that relies on monitoring key performance indicators (KPIs) and adjusting tactics as needed. Consider metrics like:

- Vulnerability Detection and Remediation Rates: How quickly are identified risks fixed?
- Compliance Audit Outcomes: Are you passing regulatory checks consistently?
- Mean Time to Remediate (MTTR): How quickly can your team address new threats?
- Reduction in High-Severity Exposures: Is your environment becoming progressively harder to penetrate?

Regularly reviewing these metrics ensures that your CSPM program remains aligned with business goals, adapts to emerging threats, and continually improves.

Conclusion

The future of cloud security depends on uniting strategic vision with practical execution. Microsoft Defender CSPM provides the visibility, intelligence, and automation necessary to strengthen your security posture continuously. By integrating Defender CSPM into both long-term planning and day-to-day operations, organizations can proactively manage risks, maintain compliance, streamline DevSecOps, and prepare effectively for incidents, ensuring that security initiatives not only protect today's assets but also pave the way for a more resilient future.

Looking Ahead: Deep Dives into Strategic and Operational Scenarios

In the following five articles, we'll translate these principles into actionable guidance for real-world contexts. Each piece will focus on a specific scenario - proactive risk identification, compliance automation, DevSecOps integration, proactive forensics and incident response, and resource optimization - offering hands-on insights and tools. Stay tuned to learn how to turn vision into measurable, lasting improvements in your cloud security posture.

Microsoft Defender for Cloud Additional Resources

- Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP
- Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja

Reviewers

Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud

AKS Security Dashboard
In today's digital landscape, the speed of development and security must go hand in hand. Applications are being developed and deployed faster than ever before. Containerized application developers and platform teams enjoy the flexibility and scale that Kubernetes has brought to the software development world. Open-source code and tools have transformed the industry - but with speed comes increased risk and a growing attack surface.

However, in vast parts of the software industry, developers and platform engineering teams find it challenging to prioritize security. They are required to deliver features quickly, and security practices can sometimes be seen as obstacles that slow down the development process. Lack of knowledge or awareness of the latest security threats and best practices makes it challenging to build secure applications.

The new Azure Kubernetes Service (AKS) security dashboard aims to alleviate these pains by providing comprehensive visibility and automated remediation capabilities for security issues, empowering platform engineering teams to secure their Kubernetes environment more effectively and easily. Consolidating security and operational data in one place, directly within the AKS portal, gives engineers a unified view of their Kubernetes environment. This enables more efficient detection and remediation of security issues with minimal disruption to their workflows, reducing the risk of overlooked security issues and shortening remediation cycles.

To use the AKS security dashboard, navigate to the Microsoft Defender for Cloud section in the AKS Azure portal. If your cluster is already onboarded to Defender for Containers or Defender CSPM, security recommendations will appear on the dashboard. If not, it may take up to 24 hours after onboarding before Defender for Cloud scans your cluster and delivers insights.

Security issues identified in the cluster and surfaced in the dashboard are prioritized by risk.
Risk level is dynamically calculated by an automatic attack path engine operating behind the scenes. This engine assesses the exploitability of security issues by considering multiple factors, such as cluster RBAC (role-based access control), known exploitability in the wild, internet exposure, and more. Learn more about how Defender for Cloud calculates risk.

Security issues surfaced in the dashboard are divided into different tabs:

Runtime environment vulnerability assessment: The dynamic and complex nature of Kubernetes environments means that vulnerabilities can arise from multiple sources, with different ownership for the fix. For vulnerabilities originating from the containerized application code, Defender for Cloud will point out every vulnerable container running in the cluster. For each vulnerable container, Defender for Cloud will surface remediation guidelines that include the list of vulnerable software packages and specify the version that contains the fix. The scanning of container images, powered by Microsoft Defender Vulnerability Management (MDVM), covers both OS packages and language-specific packages; see the full list of the supported operating systems and their versions. For vulnerabilities originating from the AKS infrastructure, Defender for Cloud will include a list of all identified CVEs (Common Vulnerabilities and Exposures) and recommend next steps for remediation. Remediation may include upgrading the node pool image version or the AKS version itself. Since new vulnerabilities are discovered daily, runtime scanning can't be overlooked even if a scanning tool is deployed as part of the CI/CD process. Defender for Cloud makes sure Kubernetes workloads are scanned daily against an up-to-date vulnerability list.

Security misconfigurations: Security misconfigurations are also highlighted in the AKS security dashboard, empowering developers and platform teams to execute fixes that can significantly minimize the attack surface.
In some cases, changing a single line in a container's YAML file, without affecting application functionality, can eliminate a significant attack vector. Each security misconfiguration highlighted in the AKS security dashboard includes manual remediation steps and, where applicable, an automated fix button. For container misconfigurations, a quick link to a built-in Azure Policy definition is included to easily prevent future faulty deployments of that kind. This approach empowers DevOps and platform engineering teams to adopt a "secure by default" approach to application development.

To conclude, automated remediation and prevention can be a game changer in keeping the cluster secure: a proactive approach that can help prevent security breaches before they cause damage, ensuring that the cluster remains secure and compliant with industry standards. Ultimately, automated remediation empowers security teams to focus on more strategic tasks, knowing that their Kubernetes environment is continuously monitored and protected.

Assigning owners to security issues

Since cluster administration and remediation of container security issues are not always the responsibility of a single team or person, it is recommended to use the "assign owner" button in the security dashboard to notify the correct owner about the issue that needs to be handled. It is also possible to filter the view using the built-in filters and assign multiple issues to the same person quickly.

Get Started Today

To start using these new features in Microsoft Defender for Cloud, ensure either Defender for Containers or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide for full subscription coverage, or enable it on a single cluster using the dashboard settings section.
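The one-line fixes the dashboard recommends (privileged containers, sensitive host mounts, shared host namespaces) can also be checked before a manifest is deployed. The Python audit below is an added example, not Defender for Cloud's own detection logic; the sensitive-path list and both sample pod specs are constructed for illustration.

```python
"""Pre-deployment audit for the pod-level misconfigurations the AKS security
dashboard highlights: privileged containers, sensitive hostPath mounts and
shared host namespaces. Added example; not Defender for Cloud's own rule set.
Pod specs are read as JSON so the script needs only the standard library."""
from __future__ import annotations

import json
from typing import Any

# Host locations that give a container a way onto the node when mounted.
# Assumption: a representative list for illustration, not an official catalogue.
SENSITIVE_HOST_PATHS = (
    "/etc", "/proc", "/sys", "/root", "/var/run", "/run",
    "/var/lib/kubelet", "/var/lib/docker", "/var/lib/containerd",
)


def is_sensitive_host_path(path: str) -> bool:
    """True if a hostPath is the node root or sits under a sensitive location."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_pod(pod: dict[str, Any]) -> list[dict[str, str]]:
    """Return one finding per misconfiguration, each with the one-line fix
    that removes the attack vector without touching application logic."""
    findings: list[dict[str, str]] = []
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")

    def add(container: str, issue: str, fix: str) -> None:
        findings.append({"pod": pod_name, "container": container,
                         "issue": issue, "fix": fix})

    # Sharing a host namespace exposes node processes or the node network stack.
    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns):
            add("", f"{ns} is enabled", f"set spec.{ns}: false")

    # Resolve volume names to hostPath paths so mounts can be judged per container.
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}

    for c in spec.get("initContainers", []) + spec.get("containers", []):
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            # A privileged container has every capability and raw device access,
            # effectively root on the node; one line removes that escape route.
            add(cname, "privileged container", "set securityContext.privileged: false")
        if sc.get("runAsUser") == 0:
            add(cname, "container runs as root (uid 0)",
                "set securityContext.runAsNonRoot: true and a non-zero runAsUser")
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m.get("name"))
            if path is not None and is_sensitive_host_path(path):
                add(cname, f"sensitive host mount: {path}",
                    f"drop volume '{m['name']}' or replace hostPath with emptyDir")
    return findings


# Constructed sample manifests (JSON form of a pod spec); not real workloads.
VULNERABLE_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "billing-api"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "api", "image": "example.azurecr.io/billing-api:1.4",
            "securityContext": {"privileged": True, "runAsUser": 0},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
})

HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "billing-api"},
    "spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "api", "image": "example.azurecr.io/billing-api:1.4",
            "securityContext": {"privileged": False, "runAsNonRoot": True,
                                "runAsUser": 10001,
                                "allowPrivilegeEscalation": False},
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp/scratch"}],
        }],
    },
})


def audit_manifest(manifest_json: str) -> list[dict[str, str]]:
    """Parse a pod manifest given as JSON and audit it."""
    return audit_pod(json.loads(manifest_json))


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_POD), ("hardened", HARDENED_POD)):
        results = audit_manifest(doc)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  [{f['container'] or 'pod'}] {f['issue']} -> {f['fix']}")
```

Each finding carries the single securityContext or spec line to change, which is the same class of fix the dashboard's automated remediation applies; an Azure Policy deny rule for the same conditions would then keep the fixed state from regressing.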
Learn More

If you haven't already, check out our previous blog post that introduced this journey: New Innovations in Container Security with Unified Visibility and Investigations. This new release continues to build on the foundation outlined in that post. With "Elevate your container posture: from agentless discovery to risk prioritization", we've delivered capabilities that allow you to further strengthen your container security practices while reducing operational complexities.

Important Update: Deprecation of "Bring Your Own License" in Microsoft Defender for Cloud
Introduction

With the introduction of Microsoft Security Exposure Management data connectors, we are committed to enhancing your enterprise exposure management experience and data consumption through this unified view. As part of this effort, we are making changes to streamline and improve our vulnerability assessment (VA) solutions. One of these changes involves deprecating the "Bring Your Own License" (BYOL) feature in Microsoft Defender for Cloud and transitioning to Exposure Management data connectors for a more seamless and comprehensive solution.

Why this change?

Our goal is to provide a cohesive and comprehensive VA solution within the unified security operations platform. By consolidating these capabilities, we can deliver a more integrated and efficient experience for vulnerability and exposure management across cloud, hybrid and on-premises.

Deprecation timeline

The "Bring Your Own License" (BYOL) feature for vulnerability assessment will be deprecated in two phases:

- February 3, 2025: The feature will no longer be available for onboarding new machines and subscriptions. VMs added between February and May will not have agents deployed.
- May 1, 2025: The feature will be fully deprecated and no longer available.

What this means for you

The new data connectors in Exposure Management will replace BYOL in Defender for Cloud and will offer:

- Multiple scanner options: Integration of different third-party VA solutions, providing more flexibility and coverage. More information about the connectors can be found here.
- Unified visibility: A single, combined view of all vulnerability assessments across multicloud and on-premises, simplifying prioritization, management, and reporting.
- Seamless integration: Once the data connector is configured, there is no agent installation required, because the connector retrieves data directly from the VA product via API. With the API permissions you provide, Microsoft Security Exposure Management can seamlessly consume your vulnerability data from the connector and the data collected in your environment.

Exposure Management

Microsoft Security Exposure Management is a comprehensive security solution that offers a unified view of your security posture across all company assets and workloads. It enhances asset information with valuable security context, enabling you to proactively manage attack surfaces, protect critical assets, and identify and mitigate exposure risks effectively. Read more here.

Microsoft Defender for Cloud is already a key component of Exposure Management, providing a unified security flow that ensures consistent application of security measures across all assets. We are continuously working to enhance this collaboration, further strengthening your overall security posture by delivering a cohesive and comprehensive security strategy. A key initiative in this strategy is vulnerability management. We aim to enhance and centralize this aspect as much as possible, leveraging all available data points from MDC, Microsoft Defender for Endpoint (MDE), Microsoft Defender Vulnerability Management, and various connectors. This centralized approach ensures that vulnerabilities are identified, prioritized and addressed promptly, minimizing potential risks and improving overall security resilience. This BYOL deprecation and transition to Security Exposure Management connectors is designed to enhance your overall experience and value.
Below is a feature comparison to provide more clarity on the additional capabilities that will be available as part of this transition:

Feature | Defender for Cloud BYOL | Microsoft Security Exposure Management data connectors*
Auto provisioning | Automatic agent deployment for Azure machines** | Customer deploys the VA solution according to each vendor's recommendation
Multi-cloud | Azure only | Multi-cloud and non-cloud
Supported vendors | Rapid7, Qualys | Rapid7, Qualys, Tenable (and more planned)
Aggregated results from multiple scanners | Each device shows results from a single provider | Devices show aggregated results from multiple providers
Product experience | Defender for Cloud portal | Defender portal

* Note: during the preview phase, use of data connectors is free. Once data connectors become generally available, there will be a consumption-based cost for each of the non-Microsoft data connectors. For more information, please see here.

** Removing BYOL auto-provisioning in Defender for Cloud means that Microsoft will no longer automatically provision the agent; customers deploy the VA solution according to each vendor's recommendation.

Actions required

If you are currently using BYOL solutions in Defender for Cloud, we encourage you to begin configuring your Microsoft Security Exposure Management data connectors for Qualys and Rapid7 before May 1, 2025. For more information on using the connectors, please visit the connectors onboarding documentation.

Additional note: BYOL is not the recommended migration path for all Defender for Servers customers currently utilizing the Qualys built-in vulnerability assessment. Instead, these customers should migrate to the connector solution suggested above for a seamless and optimized transition.

Elevate Your Container Posture: From Agentless Discovery to Risk Prioritization
As Kubernetes (K8s) continues to power modern containerized applications, the complexity of managing and securing these environments grows exponentially. The challenges in monitoring K8s environments stem not only from their dynamic nature but also from their unique structure—each K8s cluster operates as its own ecosystem, complete with its own control plane for authorization, networking, and resource management. This makes it fundamentally different from traditional cloud environments, where security practitioners often have established expertise and tools for managing the cloud control plane. The specialized nature of K8s environments limits the visibility and control available to many security teams, resulting in blind spots that increase the risk of misconfigurations, compliance gaps, and potential attack paths. Gaining comprehensive visibility into the posture state of K8s workloads is essential for addressing these gaps and ensuring a secure, resilient infrastructure.

Key benefits

By further expanding its agentless container posture approach, Defender for Cloud delivers the following key benefits:

- Enhanced risk management: improved prioritization through additional security insights, networking information, K8s RBAC, and image evaluation status, ensuring the most critical issues can be addressed first.
- Proactive security posture: gain comprehensive insights and prevent lateral movement within Kubernetes clusters, helping to identify and mitigate threats before they cause harm.
- Comprehensive compliance and governance: achieve full transparency into software usage and Kubernetes RBAC configurations to meet compliance requirements and adhere to industry standards.

Release features overview

Enhanced K8s workload modeling

To ensure customers can better focus on security findings and avoid reviewing stale information, Defender for Cloud now models K8s workloads in the security graph based on their configuration (K8s specification) rather than runtime assets.
This improvement avoids refresh-rate discrepancies, providing a more accurate and streamlined view of your K8s workloads, with a single security finding for all identical containers within the same workload.

New Security Insights for Containers and Pods

Security teams that use the security explorer to proactively identify security risks in their multicloud environments now get even better visibility with additional security insights for containers and pods, including privileged containers, sensitive mounts, and more. For example, security practitioners can use the security explorer to find all containers vulnerable to remote code execution that are also exposed to the internet and use sensitive host mounts, and eliminate those misconfigurations and vulnerabilities before a potential attacker abuses them to attack the container remotely and break out into the host through the sensitive host mount.

Extended K8s Networking Information

To enable customers to query the security graph based on additional characteristics of K8s networking and better understand exposure details for K8s workloads, Defender for Cloud now offers extended data collection for both K8s ingresses and services. This feature also includes new properties such as service port and service selectors.

The following figure shows all new networking criteria that customers can now use to query for K8s networking configuration.

The following figure shows detailed exposure information on a K8s workload exposed to the internet.

Enhanced image discovery

Customers can now gain complete visibility into all images used in their environments using the security explorer, including images from all supported registries and any image running in K8s, regardless of whether the image is scanned for vulnerabilities, with extended information per image.
Here are a few examples for important use cases that customers can detect and respond to action on through a single query in the security explorer: Detect usage of images from unmonitored registries: Figure 4: images deployed directly from an unscanned docker registry Check the presence of specific image in the environment Figure 5: search for an image with a specific digest Trace all images not evaluated for vulnerabilities Figure 6: all images not assessed for vulnerabilities K8s RBAC in the security graph The addition of K8s RBAC into the security graph serves two main purposes: Security practitioners gain easy visibility into K8s service accounts, their permissions, and their bindings with K8s workloads, without prior expertise, and hunt for service accounts that do not meet security best practices. In the following example, a service account that has full cluster permissions: Figure 7: example of service account cluster admin permissions on cluster level The security graph contextual analysis uses the K8s RBAC to identify lateral movement internally within K8s, from K8s to other cloud resources and from the cloud to K8s. The following example shows an attack path starting from a container exposed to the internet with a vulnerability that can be remotely exploited. It also has access to a managed identity allowing the attacker to move all the way to a critical storage account: Figure 8: attack path from a vulnerable exposed container to a critical storage account Comprehensive Software Inventory for Containers A detailed software inventory is now available for all container images and containers scanned for vulnerabilities, serving security practitioners and compliance teams in many ways: Full visibility to all software packages used in container images and containers: Figure 9: Full software list for images and containers Query specific software usage across all environments, making it easier to identify risks or ensure compliance. 
A common example of this use case is a software version affected by a zero-day vulnerability. For instance, following publication of an OpenSSL zero-day, a security admin can use the following query to find all container images in the organization that use OpenSSL version 3.0, even before a CVE is published:
Figure 10: search for a specific vulnerable OpenSSL version

Critical Asset Protection for K8s

Critical asset protection has been enhanced to cover additional container use cases. Defender for Cloud customers can now define rules that mark workloads as critical based on their namespace and K8s labels. The following figure shows how customers can define rules that automatically tag critical workloads based on their K8s labels:
Figure 11: customer-defined rules for asset criticality based on K8s labels

Predefined rules allow K8s clusters to be flagged as critical, ensuring prioritized focus during risk assessment. The following is an example of one of the predefined rules that automatically tags K8s clusters as critical:
Figure 12: example of a predefined K8s cluster criticality rule

As with other asset protection features in Defender for Cloud, these updates integrate seamlessly into the risk prioritization, attack path analysis, and security explorer workflows. The following example shows a critical attack path whose target is a critical K8s cluster:
Figure 13: critical attack path where the target is a critical K8s cluster

K8s CIS Benchmark

Customers who want to audit their K8s clusters for regulatory compliance against the K8s CIS benchmark, or enforce the security controls that are part of the K8s CIS standard, now benefit from updated K8s CIS standards with broader security controls: K8s CIS 1.5.0 for AKS and EKS, and K8s CIS 1.6.0 for GKE.
To start using the new standards and controls, enable the desired K8s CIS standard through the regulatory compliance dashboard or via security policies:
Figure 14: enabling K8s CIS 1.6.0 for GKE

Compliance status can then be monitored in the regulatory compliance dashboard for the relevant K8s CIS standard:
Figure 15: viewing K8s CIS 1.5.0 compliance status

Get Started Today

To start using these new features in Microsoft Defender for Cloud, ensure that either Defender for Containers or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide. With these updates, we're committed to helping you maintain a robust, secure, and scalable cloud-native environment.

Learn More

If you haven't already, check out our previous blog post that introduced this journey: New Innovations in Container Security with Unified Visibility and Investigations. This new release continues to build on the foundation outlined in that post. With "Elevate your container posture: from agentless discovery to risk prioritization", we've delivered capabilities that allow you to further strengthen your container security practices while reducing operational complexity.

Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud?

AI security posture management is now generally available! Reduce risk to cross-cloud AI workloads by discovering the generative AI bill of materials, strengthening generative AI application security posture, and using attack path analysis to identify risk. Learn more about it here.

On-demand malware scanning is now in public preview. We're excited to announce the public preview of on-demand malware scanning. Customers can now scan existing files in storage accounts on demand, which gives them finer control and customization for critical storage assets. For more details, please refer to our documentation.

Blog(s) of the month

In November, following the Ignite announcements, our team published the following blog posts we'd like to share:
Cloud security innovations: strengthening defenses against modern cloud and AI threats
New innovations in container security with unified visibility, investigations, and response actions
Proactively harden your cloud security posture in the age of AI with CSPM innovations
Prevent malware from spreading by scanning cloud storage accounts on-demand
Deprecation of "Bring Your Own License" in MDC

GitHub community

Learn how to onboard Azure DevOps to Defender for Cloud in our updated lab, Module 14, here. Visit our GitHub page here.

Defender for Cloud in the field

Refresh your knowledge on securing your AI applications: Secure your AI applications from code to runtime. Visit our new YouTube page.

Customer journey

Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring The NBA (National Basketball Association), a global sports and media powerhouse dedicated to growing and celebrating the game of basketball, which partnered with Microsoft to address the complexities of scale and security required for next-generation technologies.
With its IT estate in Azure, the NBA uses Defender for Cloud to provide a single pane of glass on its cloud security posture.

Security community webinars

Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. This month, we have the following upcoming webinars:
DEC 11 | Microsoft Defender for Cloud | Exploring the Latest Container Security Updates from Microsoft Ignite
DEC 12 | Microsoft Defender for Cloud | Future-Proofing Cloud Security with Defender CSPM

We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up to date with announcements. Sign up at aka.ms/JoinCCP.

We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it's through in-depth live webinars, real-world case studies, comprehensive best-practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please tell us which of these formats you find most beneficial and whether there are specific topics you're interested in at https://aka.ms/PublicContentFeedback.

Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe