cloud security posture management
120 TopicsStrategy to Execution: Operationalizing Microsoft Defender CSPM
In today’s dynamic digital environment, cloud security is not just about building robust security posture; it’s about ensuring an adaptive environment with forward-looking strategies that align with your organization’s goals. Threat actors – ranging from individual hackers to organized criminal networks and state-sponsored groups – continuously develop new strategies to exploit vulnerabilities. Their motivations are diverse: financial gain, competitive intelligence, or pure disruption. Moreover, the greatest risks often emerge from within organizations, where human error or intentional misconduct can compromise even the most robust security frameworks. As the threat landscape grows increasingly complex, organizations must evolve beyond reactive responses to embrace proactive and holistic cybersecurity frameworks. This shift demands long-term strategic planning coupled with hands-on operationalization, ensuring that security measures are not only defined on paper but also seamlessly integrated into day-to-day workflows. Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) solution embodies this comprehensive approach. It empowers organizations to maintain continuous visibility across multicloud environments, enabling informed decision-making and effective allocation of resources. By aligning security initiatives with business objectives, integrating compliance seamlessly, incorporating DevSecOps principles, and preparing for incidents proactively, Defender CSPM helps organizations build a security posture that evolves in tandem with their growth and innovation. This guide explores both the strategic imperatives and the practical steps necessary to operationalize Defender CSPM. From setting long-term security goals to automating compliance checks and embedding security into DevOps, we’ll walk through how to move from strategic vision to actionable practices that yield sustainable and measurable improvements in your organization’s cloud security posture. Why Strategic Planning Matters in Cloud Security Modern cloud architectures span multiple platforms - Azure, AWS, GCP, and beyond - each posing unique security challenges. Without a unified strategic framework, teams risk creating visibility gaps that malicious actors can exploit. Coupled with the evolving threat landscape, where adversaries leverage sophisticated tactics and target APIs, applications, and data stores, organizations must continuously refine their security strategies to stay ahead. Comprehensive strategic planning ensures that: Complexity is Managed Proactively: By defining a consistent security strategy across all cloud environments, organizations avoid piecemeal protection and siloed controls. Continuous Adaptation to Emerging Threats: The rapid evolution of technologies like AI and APIs requires forward-looking strategies that anticipate and mitigate new attack vectors. Strategic planning enables continuous improvement rather than ad-hoc, reactive fixes. Regulatory Compliance is Embedded: With regulations like GDPR, HIPAA, and PCI-DSS growing more stringent, organizations must weave compliance into their broader strategy. Automated governance and compliance checks ensure rules are followed without stifling innovation. Alignment with Business Goals: Effective cloud security isn’t a cost center - it’s a strategic asset. Integrating security into the broader business roadmap ensures that risk management supports growth, innovation, and operational excellence. Defender CSPM’s Role in Strategic Cloud Security Management Microsoft Defender CSPM is designed to provide the foundational capabilities required for a strategic security posture, offering: Continuous Visibility Across Multicloud Environments: Gain a unified view of security posture across Azure, AWS, and GCP. This holistic perspective allows teams to identify misconfigurations and vulnerabilities quickly - no matter where they lurk. Risk-Based Prioritization: Not all risks are equal. Defender CSPM contextualizes vulnerabilities based on potential impact and exploitability, guiding teams to focus on the most critical threats. Automated Compliance and Governance: By continuously auditing cloud environments against industry benchmarks, Defender CSPM helps maintain adherence to complex standards without manual overhead. DevSecOps Integration: Security needs to be “shifted left,” integrated into the earliest stages of software development. Defender CSPM aligns with DevOps workflows, catching vulnerabilities before they reach production. Proactive Incident Preparedness: By highlighting potential attack paths and offering forensic insights, Defender CSPM equips organizations to handle incidents swiftly and learn from them to prevent future occurrences. Resource Optimization: With finite budgets and staff, organizations must allocate resources where they matter most. Defender CSPM’s data-driven insights help direct investments to the highest-impact areas, improving ROI. From Strategy to Operationalization: Bringing Defender CSPM into Day-to-Day Work Developing a strategic security framework is the first step; operationalizing it ensures those strategies have a tangible impact. Operationalization bridges the gap between intention and execution, allowing your security posture to evolve continuously in response to new threats and requirements. Why Operationalization is Crucial: Proactive Risk Remediation: Knowing where your risks lie isn’t enough. Operationalizing CSPM means establishing workflows that ensure vulnerabilities and misconfigurations are promptly addressed, reducing dwell time and exposure. Automated Compliance and Governance Enforcement: Manual compliance checks are slow and error prone. Operationalizing CSPM involves automating these checks and embedding policies to ensure continuous adherence to standards. Seamless DevSecOps Integration: By incorporating security gates and assessments into CI/CD pipelines, security is no longer a bottleneck but a catalyst for building more resilient applications from the outset. Effective Incident Response: Operationalization ensures that incident response teams have playbooks, tooling, and integrations - such as with SIEM and XDR solutions like Microsoft Defender XDR and Sentinel - ready to go, minimizing downtime and damage. Data-Driven Resource Allocation: Turn insights into action by regularly evaluating risk data and using it to guide budget decisions, ensuring your team’s efforts yield maximum security value. Key Steps to Operationalizing Defender CSPM Set Clear Objectives and Assess Your Environment: Begin by evaluating your multicloud footprint and defining what success looks like. Are you striving for reduced mean time to remediate (MTTR), consistent compliance, or earlier vulnerability detection in the development cycle? Develop a Cloud Security Roadmap: A roadmap outlines how you will implement CSPM’s capabilities - continuous scanning, automated compliance checks, DevSecOps integration - and sets milestones to measure progress. Automate Vulnerability Scanning and Remediation: Configure continuous scanning to identify new vulnerabilities as they appear. Integrate remediation steps into predefined workflows so that issues are not just found, but rapidly fixed. Enforce Compliance Through Policies and RBAC: Implement Role-Based access controls and automated policy enforcement to maintain regulatory compliance. Regularly review compliance dashboards to ensure standards remain met over time. Integrate Security into DevOps Workflows: Shift-left security by embedding vulnerability scans and code checks into CI/CD pipelines. Provide developers with immediate feedback on security issues, enabling them to resolve problems early and cheaply. Proactive Forensics and Incident Preparedness: Develop incident response playbooks that detail how to use Defender CSPM insights to contain, investigate, and remediate breaches. Integrate with SIEM tools like Microsoft Sentinel for real-time alerting and streamlined investigations. Continuously Optimize Resource Allocation: Use Defender CSPM’s risk-based insights to refine where you spend your time and money. Track key metrics - like reduction in exposed vulnerabilities or faster remediation times - to prove ROI and make informed budgeting decisions. Measuring Success and Continuous Improvement Operationalizing your CSPM strategy isn’t a one-and-done effort. It’s a continuous improvement cycle that relies on monitoring key performance indicators (KPIs) and adjusting tactics as needed. Consider metrics like: Vulnerability Detection and Remediation Rates: How quickly are identified risks fixed? Compliance Audit Outcomes: Are you passing regulatory checks consistently? Mean Time to Remediate (MTTR): How quickly can your team address new threats? Reduction in High-Severity Exposures: Is your environment becoming progressively harder to penetrate? Regularly reviewing these metrics ensures that your CSPM program remains aligned with business goals, adapts to emerging threats, and continually improves. Conclusion The future of cloud security depends on uniting strategic vision with practical execution. Microsoft Defender CSPM provides the visibility, intelligence, and automation necessary to strengthen your security posture continuously. By integrating Defender CSPM into both long-term planning and day-to-day operations, organizations can proactively manage risks, maintain compliance, streamline DevSecOps, and prepare effectively for incidents, ensuring that security initiatives not only protect today’s assets but also pave the way for a more resilient future. Looking Ahead: Deep Dives into Strategic and Operational Scenarios In the following five articles, we’ll translate these principles into actionable guidance for real-world contexts. Each piece will focus on a specific scenario - proactive risk identification, compliance automation, DevSecOps integration, proactive forensics and incident response, and resource optimization - offering hands-on insights and tools. Stay tuned to learn how to turn vision into measurable, lasting improvements in your cloud security posture. Microsoft Defender for Cloud Additional Resources Download the new Microsoft CNAPP eBook ataka.ms/MSCNAPP Become a Defender for Cloud Ninja by taking the assessment ataka.ms/MDCNinja Reviewers Yuri Diogenes, Principal PM Manager, CxE Defender for CloudAKS Security Dashboard
In today’s digital landscape, the speed of development and security must go hand in hand.Applications are being developed and deployed faster than ever before. Containerized application developers and platform teams enjoy the flexibility and scale that Kubernetes has brought to the software development world. Open-source code and tools have transformed the industry -but with speed comes increased risk and a growing attack surface. However, in vast parts of the software industry, developers and platform engineering teams find it challenging to prioritize security. They are required to deliver features quickly and security practices can sometimes be seen as obstacles that slow down the development process. Lack of knowledge or awareness of the latest security threats and best practices make it challenging to build secure applications. The new Azure Kubernetes Service (AKS) security dashboard aims to alleviate these pains by providing comprehensive visibility and automated remediation capabilities for security issues, empowering platform engineering teams to secure their Kubernetes environment more effectively and easily. Consolidating security and operational data in one place directly within the AKS portal allows engineers to benefit from a unified view of their Kubernetes environment. Enabling more efficient detection, and remediation of security issues, with minimal disruption to their workflows. Eventually reducing the risk of oversight security issues and improving remediation cycles. To leverage the AKS security dashboard, navigate to the Microsoft Defender for Cloud section in the AKS Azure portal. If your cluster is already onboarded to Defender for Containers or Defender CSPM, security recommendations will appear on the dashboard. If not, it may take up to 24 hours after onboarding before Defender for Cloud scans your cluster and delivers insights. Security issues identified in the cluster, surfaced in the dashboard are prioritized to risk. Risk level is dynamically calculated by an automatic attack path engine operating behind the scenes. This engine assesses the exploitability of security issues by considering multiple factors, such as cluster RBAC (Role Based Access Control), known exploitability in the wild, internet exposure, and more. Learn more about how Defender for Cloud calculates risk. Security issues surfaced in the dashboard are divided into different tabs: Runtime environment vulnerability assessment: The dynamic and complex nature of Kubernetes environments means that vulnerabilities can arise from multiple sources, with different ownership for the fix. For vulnerabilities originating from the containerized application code, Defender for Cloud will point out every vulnerable container running in the cluster. For each vulnerable container Defender for cloud will surface remediation guidelines that include the list of vulnerable software packages and specify the version that contains the fix. The scanning of container images powered by Microsoft Defender Vulnerability Management (MDVM) includes scanning of both OS packages and language specific packagessee thefull list of the supported OS and their versions. For vulnerabilities originating from the AKS infrastructure, Defender for cloud will include a list of all identified CVEs (common vulnerabilities and exposures) and recommend next steps for remediation. Remediation may include upgrading the Node pool image version or the AKS version itself. Since new vulnerabilities are discovered daily, even if a scanning tool is deployed as part of the CI/CD process, runtime scan can’t be overlooked. Defender for cloud makes sure Kubernetes workloads are scanned daily compared to an up-to-date vulnerability list. Security misconfigurations: Security misconfigurations are also highlighted in the AKS security dashboard, empowering developers and platform teams to execute fixes that can significantly minimize the attack surface. In some cases, changing a single line of code in a container's YAML file, without affecting application functionality, can eliminate a significant attack vector. Each security misconfiguration highlighted in the AKS security dashboard includes manual remediation steps, and where applicable, an automated fix button is also available. For containers misconfigurations, a quick link to a built-in Azure policy is included for easily preventing future faulty deployments of that kind. This approach empowers DevOps & platform engineering teams to use the “Secure by Default” method for application development. To conclude - automated remediation and prevention can be a game changer in keeping the cluster secure- a proactive approach that can help prevent security breaches before they can cause damage, ensuring that the cluster remains secure and compliant with industry standards. Ultimately, automated remediation empowers security teams to focus on more strategic tasks, knowing that their Kubernetes environment is continuously monitored and protected. Assigning owners to security issues Since cluster administration and containers security issues remediation is not always the responsibility of a single team or person, it is recommended to use the “assign owner” button in the security dashboard to notify the correct owner about the issue need to be handled. It is also possible to filter the view using the built-in filters and assign multiple issues to the same person quickly. Get Started Today To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Container or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit ourdeployment guide for a full subscription coverage, or enable on a single cluster using the dashboard settings section. Learn More If you haven’t already, check out our previous blog post that introduced this journey:NewInnovationsinContainerSecuritywithUnifiedVisibilityandInvestigations. This new release continues to build on the foundation outlined in that post. With “Elevate your container posture: from agentless discovery to risk prioritization”, we’ve delivered capabilities that allow you to further strengthen your container security practices, while reducing operational complexities.Elevate Your Container Posture: From Agentless Discovery to Risk Prioritization
As Kubernetes (K8s) continue to power modern containerized applications, the complexity of managing and securing these environments grows exponentially. The challenges in monitoring K8s environments stem not only from their dynamic nature but also from their unique structure—each K8s cluster operates as its own ecosystem, complete with its own control plane for authorization, networking, and resource management. This makes it fundamentally different from traditional cloud environments, where security practitioners often have established expertise and tools for managing the cloud control plane. The specialized nature of Kubernetes (K8s) environments limits the visibility and control available to many security teams, resulting in blind spots that increase the risk of misconfigurations, compliance gaps, and potential attack paths gaining comprehensive visibility into the posture state of K8s workloads is essential for addressing these gaps and ensuring a secure, resilient infrastructure. Key benefits By further expanding agentless container posture approach, Defender for Cloud delivers the following key benefits: Enhanced risk management: improved prioritization through additional security insights, networking information, K8s RBAC, and image evaluation status, ensuring more critical issues can addressed first. Proactive security posture: gain comprehensive insights and prevent lateral movement within Kubernetes clusters, helping to identify and mitigate threats before they cause harm. Comprehensive compliance and governance: achieve full transparency into software usage and Kubernetes RBAC configurations to meet compliance requirements and adhere to industry standards. Release features overview: Enhanced K8s workload modeling To ensure customers can better focus on security findings, and avoid reviewing stale information, Defender for Cloud now models K8s workloads in the security graph based on their configuration (K8s specification) rather than runtime assets. This improvement avoids refresh-rate discrepancies, providing a more accurate and streamlined view of your K8s workloads, with single security findings for all identical containers within the same workload. New Security Insights for Containers and Pods Security teams that use the security explorer to proactively identify security risks in their multicloud environments, now get even better visibility with additional security insights for containers and pods, including privileged containers, sensitive mounts, and more. For example, security practitioners can use the security explorer to find all containers vulnerable to remote code execution, which are also exposed to the internet and uses sensitive host mounts, to eliminate the misconfigurations and vulnerabilities before a potential attacker abuse them to attack the container remotely and break-out into the host through the sensitive host mount. Extended K8s Networking Information To enable customers to query the security graph based on additional characters of K8s networking and better understand exposure details for K8s workloads, Defender for Cloud now offers extended data collection for both K8s ingresses and services. This feature also includes new properties such as service port and service selectors. The following figure shows all new networking criteria that customers can now use to query for K8s networking configuration: The following figure show detailed exposure information on a K8s workload exposed to the internet: Enhanced image discovery Customers can now gain complete visibility to all images used in customer environments using the security explorer, including images from all supported registries, and any image running in K8s, regardless of whether the image is scanned for vulnerabilities, with extended information per image. Here are a few examples for important use cases that customers can detect and respond to action on through a single query in the security explorer: Detect usage of images from unmonitored registries: Figure 4: images deployed directly from an unscanned docker registry Check the presence of specific image in the environment Figure 5: search for an image with a specific digest Trace all images not evaluated for vulnerabilities Figure 6: all images not assessed for vulnerabilities K8s RBAC in the security graph The addition of K8s RBAC into the security graph serves two main purposes: Security practitioners gain easy visibility into K8s service accounts, their permissions, and their bindings with K8s workloads, without prior expertise, and hunt for service accounts that do not meet security best practices. In the following example, a service account that has full cluster permissions: Figure 7: example of service account cluster admin permissions on cluster level The security graph contextual analysis uses the K8s RBAC to identify lateral movement internally within K8s, from K8s to other cloud resources and from the cloud to K8s. The following example shows an attack path starting from a container exposed to the internet with a vulnerability that can be remotely exploited. It also has access to a managed identity allowing the attacker to move all the way to a critical storage account: Figure 8: attack path from a vulnerable exposed container to a critical storage account Comprehensive Software Inventory for Containers A detailed software inventory is now available for all container images and containers scanned for vulnerabilities, serving security practitioners and compliance teams in many ways: Full visibility to all software packages used in container images and containers: Figure 9: Full software list for images and containers Query specific software usage across all environments, making it easier to identify risks or ensure compliance. A common example of this use case includes a vulnerable software version with a zero-day vulnerability. For example, following the OpenSSL zero-day vulnerability publication, a security admin can use the following queries to find all instances of container images within the organization using OpenSSL version 3.0, even before a CVE was published: Figure 10: search for a specific vulnerable open ssl version Critical Asset Protection for K8s Critical asset protection has been enhanced to cover additional container use cases: Defender for cloud customers can now define rules to mark workloads as critical based on theirnamespaceandK8s labels. The following figure shows how customers can define rules that would automatically tag critical workloads based on their K8s labels: Figure 11: customer defined rules for asset criticality based on K8s labels Predefined rules allow K8s clusters to be flagged as critical, ensuring prioritized focus during risk assessments. Example for one of the predefined rules that automatically tags K8s clusters as critical: Figure 12: Example for predefined K8s cluster criticality rules As with other asset protection features in Defender for Cloud, these updates seamlessly integrate into the risk prioritization, attack path analysis, and security explorer workflows. The following example shows a critical attack path where the attack target is critical K8s cluster: Figure 13: Critical attack path where the target is a critical K8s cluster K8s CIS benchmark Customers that would like to audit their K8s clusters for regulatory compliance using K8s CIS or enforce security controls that are part of the K8s CIS standard, now benefit from updated K8s CIS standards with broader security controls, with K8s CIS 1.5.0 for AKS, and EKS and K8s CIS 1.6.0 for GKE. To start using the new standards and controls, enable the desired K8s CIS standard through regulatory compliance dashboard, or via security policies: Figure 14: Enabling K8s CIS 1.6.0 for GKE Compliance status can then be monitored via the regulatory compliance dashboard for the relevant K8s CIS standard: Figure 15: Viewing K8s CIS 1.5.0 compliance status Get Started Today To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Container or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit ourdeployment guide. With these updates, we’re committed to helping you maintain a robust, secure, and scalable cloud-native environment. Learn More If you haven’t already, check out our previous blog post that introduced this journey:NewInnovationsinContainerSecuritywithUnifiedVisibilityandInvestigations. This new release continues to build on the foundation outlined in that post. With“Elevate your container posture: from agentless discovery to risk prioritization”, we’ve delivered capabilities that allow you to further strengthen your container security practices, while reducing operational complexities.446Views3likes0CommentsMicrosoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? AI security posture management is now generally available! Reduce risk to cross cloud AI workloads by discovering generative AI Bill of Materials, strengthen generative AI application security posture and use the attack path analysis to identify risk. Learn more about it here. On-demand malware scanning now in public preview We’re excited to announce the public preview of on-demand malware scanning. Customers can now scan existing files in storage accounts on-demand, which helps customers to gain finer control and customization for critical storage assets. For more details, please refer to our documentation. Blog(s) of the month In November, following Ignite announcements, our team published the following blog posts we'd like to share: Cloud security innovations: strengthening defenses against modern cloud and AI threats New innovations in container security with unified visibility, investigations, and response actions Proactively harden your cloud security posture in the age of AI with CSPM innovations Prevent malware from spreading by scanning cloud storage accounts on-demand Deprecation of “Bring Your Own License” in MDC” GitHub community Learn how to onboard Azure DevOps to Defender for Cloud in our updated lab - Module 14 here. Visit our GitHub page here. Defender for Cloud in the field Refresh your knowledge on securing your AI applications: Secure your AI applications from code to runtime Visit our new YouTube page Customer journey Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuringThe NBA (National Basketball Association), a global sports and media powerhouse dedicated to growing and celebrating the game of basketball, partnered with Microsoft to address the complexities of scale, and security required for next-generation technologies. With its IT estate in Azure, the NBA leverages Defender for Cloud to provide a single pane of glass on its cloud security posture. Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. This month, we have the following upcoming webinar: DEC 11Microsoft Defender for Cloud |Exploring the Latest Container Security Updates from Microsoft Ignite DEC 12Microsoft Defender for Cloud|Future-Proofing Cloud Security with Defender CSPM We offer several customer connection programs within our private communities. By signing up, you can help usshape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up ataka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested inhttps://aka.ms/PublicContentFeedback. Note:If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter:https://aka.ms/MDCNewsSubscribe242Views0likes0CommentsProactively harden your cloud security posture in the age of AI with CSPM innovations
Generative AI applications have rapidly transformed industries, from marketing and content creation to personalized customer experiences. These applications, powered by sophisticated models, bring unprecedented capabilities—but also unique security challenges. As developers build generative AI systems, they increasingly rely on containers and APIs to streamline deployment, scale effectively, and ensure consistent performance. However, the very tools that facilitate agile development also introduce new security risks. Containers, essential for packaging AI models and their dependencies, are susceptible to misconfigurations and can expose entire systems to attacks if not properly secured. APIs, which allow seamless integration of AI functionalities into various platforms, can be compromised if they lack robust access controls or encryption. As generative AI becomes more integrated into critical business processes, security admins are challenged with continuously hardening the security posture of the foundation for AI application. Ensuring core workloads, like containers and APIs, are protected is vital to safeguard sensitive data of any application. And when introducing generative AI, remediating vulnerabilities and misconfigurations efficiently, ensures a strong security posture to maintain the integrity of AI models and trust in their outputs. New cloud security posture innovations in Microsoft Defender Cloud Security Posture Management (CSPM) help security teams modernize how they proactively protect their cloud-native applications in a unified experience from code to runtime. API security posture management is now natively available in Defender CSPM We're excited to announce that API security posture management is now natively integrated into Defender CSPM and available in public preview at no additional cost. This integration provides comprehensive visibility, proactive API risk analysis, and security best practice recommendations for Azure API Management APIs. Security teams can use these insights to identify unauthenticated, inactive, dormant, or externally exposed APIs, along and receive risk-based security recommendations to prioritize and implement API security best practices. Additionally, security teams can now assess their API exposure risks within the context of their overall application by mapping APIs to their backend compute hosts and visualizing the topology powered by cloud security explorer. This mapping now enables end-to-end API-led attack path analysis, helping security teams proactively identify and triage lateral movement and data exfiltration risks. We’ve also enhanced API security posture capabilities by expanding sensitive data discovery beyond request and response payloads to now include API URLs, path, query parameters, and the sources of data exposure in APIs. This allows security teams to track and mitigate sensitive data exposure across cloud applications efficiently. In addition, the new support for API revisions enables automatic onboarding of all APIs, including tagged revisions, security insights assessments, and multi-regional gateway support for Azure API Management premium customers. Enhanced container security posture across the development lifecycle While containers offer flexibility and ease of deployment, they also introduce unique security challenges that need proactive management at every stage to prevent vulnerabilities from becoming exploited threats. That’s why we’re excited to share new container security and compliance posture capabilities in Defender CSPM, expanding current risk visibility across the development lifecycle: It's crucial to validate the security of container images during the build phase and block the build if vulnerabilities are found, helping security teams prevent issues at the source. To support this, we’re thrilled to share container image vulnerability scanning for any CI/CD pipeline is now in public preview. The expanded capability offers a command-line interface (CLI) tool that allows seamless CI/CD integration and enables users to perform container image vulnerability scanning during the build stage, providing visibility into vulnerabilities at build. After integrating their CI/CD pipelines, organizations can use the cloud security explorer to view container images pushed by their pipelines. Once the container image is built, scanned for vulnerabilities, it is pushed to a container registry until ready to be deployed to runtime environments. Organizations rely on cloud and third-party registries to pull container images, making these registries potential gateways for vulnerabilities to enter their environment. To minimize this, container image vulnerability scanning is now available for third-party private registries, starting with Docker Hub and JFrog Artifactory. The scan results are immediately available to both the security teams and developers to expedite patches or image updates before the container image is pushed to production. In addition to container security posture capabilities, security admins can also strengthen the compliance posture of Kubernetes across clouds. Now in public preview, security teams can leverage multicloud regulatory compliance assessments with support for CIS Kubernetes Benchmarks for Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service, and Google Kubernetes Engine (GKE). AI security posture management (AI-SPM) is now generally available Discover vulnerability and misconfiguration of generative AI apps using Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock to reduce risks associated with AI-related artifacts, components, and connectors built into the apps and provide recommended actions to proactively improve security posture with Defender CSPM. New enhancements in GA include: Expanded support of Amazon Bedrock provides deeper discovery of AWS AI technologies, new recommendations, and attack paths. Additional support for AWS such as Amazon OpenSearch (service domains and service collections), Amazon Bedrock Agents, and Amazon Bedrock Knowledge Bases. New AI grounding data insights provides resource context to its use as a grounding source within an AI application. Grounding is the invisible line between organizational data and AI applications. Ensuring the right data is used – and correctly configured in the application – for grounding can reduce hallucinations, prevent sensitive data loss, and reduce the risk of grounding data poisoning and malicious outputs. Customers can use the cloud security explorer to query multicloud data used for AI grounding. New ‘used for AI grounding’ risk factor in recommendations and attack paths can also help security teams prioritize risks to datastores. Thousands of organizations are already reaping the benefits of AI-SPM in Defender CSPM, like Mia Labs, an innovative startup that is securely delivering customer service through their AI assistant with the help of Defender for Cloud. “Defender for Cloud shows us how to design our processes with optimal security and monitor where jailbreak attempts may have originated.” Marwan Kodeih, Chief Product Officer, Mia Labs, Inc. New innovations to find and fix issues in code with new DevOps security innovations Addressing risks at runtime is only part of the picture. Remediating risks in the Continuous Integration/Continuous Deployment (CI/CD) pipeline is equally critical, as vulnerabilities introduced in development can persist into production, where they become much harder—and costlier—to fix. Insecure DevOps practices, like using untrusted images or failing to scan for vulnerabilities, can inadvertently introduce risks before deployment even begins. New innovations include: Agentless code scanning, now in public preview, empowers security teams to quickly gain visibility into their Azure DevOps repositories and initiate an agentless scan of their code immediately after onboarding to Defender CSPM. The results are provided as recommendations for exposed Infrastructure-as-Code misconfigurations and code vulnerabilities. End-to-end secrets mapping, now in public preview, helps customers understand how a leaked credential in code impacts deployed resources in runtime. It provides deeper risk insights by tracing exposed secrets back to code repositories where it originated, with both secret validation and mapping to accessible resources. Defender CSPM now highlights which secrets could cause the most damage to systems and data if compromised. Additional CSPM enhancements [General Availability] Critical asset protection: Enables security admins to prioritize remediation efforts with the ability to identify their ‘crown jewels’ by defining critical asset rules in Microsoft Security Exposure Management and applying them to their cloud workloads in Defender for Cloud. As a result, the risk levels of recommendations and attack paths consider the resource criticality tags, streamlining prioritization above other un-tagged resources. In addition to the General Availability release, we are also extending support for tagging Kubernetes and non-human identity resources. [Public Preview] Simplified API security testing integration: Integrating API security testing results into Defender for Cloud is now easier than ever. Security teams can now seamlessly integrate results from supported API security testing providers into Defender for Cloud without needing a GitHub Advanced Security license. Explore additional resources to strengthen your cloud security posture With these innovations, Defender CSPM users are empowered to enhance their security posture from code to runtime and prepared to protect their AI applications. Below are additional resources that expand on our innovations and help you incorporate them in your operations: Learn more about container security innovations in Defender for Cloud. Enable the API security posture extension in Environment Settings. Get started with AI security posture management for your Azure OpenAI, Azure Machine Learning, and Amazon Bedrock deployments. RSVP to join us on December 3rd the Microsoft Tech Community AMA to get your questions answered.Cloud security innovations: strengthening defenses against modern cloud and AI threats
In today’s fast-paced digital world, attackers are more relentless than ever, exploiting vulnerabilities and targeting cloud environments with unprecedented speed and sophistication. They are taking advantage of the dynamic nature of cloud environments and silos across security tools to strike opportunistically and bypass boundaries between endpoints, on-premises and cloud environments. With the rise of Gen AI, security complexities are only growing, further testing the limits of traditional cloud security measures and strategies. Protecting multicloud environments requires vigilance not only within each cloud instance but also across interconnected networks and systems. For defenders, the challenge lies in keeping pace with attackers who operate with lightning speed. To stay ahead, they need tools that enable rapid risk prioritization and targeted remediation, reducing unnecessary toil and aligning security efforts with business objectives. The key to defending today’s cloud landscapes is a risk-driven approach and a unified security platform that spans all domains across their organization. This approach integrates automation to streamline security operations, allowing teams to focus on critical threats. With these capabilities, defenders can protect dynamic multicloud environments with the agility and insight needed to counter the sophisticated and evolving tactics of modern attackers. Our integrated cloud-native application platform (CNAPP) provides complete security and compliance from code to runtime. Enhanced by generative AI and threat intelligence, it helps protect your hybrid and multicloud environments. Organizations can enable secure development, minimize risks with contextual posture management, and protect workloads and applications from modern threats in Microsoft’s unified security operations platform. Today, we’re thrilled to announce new innovations in Defender for Cloud to accelerate comprehensive protection with a multi-layered risk-driven approach allowing security teams to focus on the most critical threats. We’re also excited to introduce new features that make SecOps teams more efficient, allowing them to detect and respond to cloud threats in near real-time with the enhanced Defender XDR integration. Unlock advanced risk prioritization with true code-to-runtime reachability As we continue to expand our existing partner ecosystem, Microsoft Defender for Cloud’s integration with Endor Labs brings code reachability analysis directly to the Defender for Cloud portal, advancing code-to-runtime context and risk prioritization efforts significantly. Traditional AppSec tools generate hundreds to thousands of vulnerability findings, while less than 9.5% are truly exploitable within an application’s context, according to a recent study conducted by Endor Labs. These vulnerabilities belong to parts of the code that can be accessed and executed in runtime – aka reachable code vulnerabilities. Without this precise context of what is reachable, teams face an unsustainable choice: spend extensive time researching each finding or attempt to fix all vulnerabilities, leading to inefficiencies. Endor Labs provides a reachability-based Software Composition Analysis (SCA), and with the Defender for Cloud integration, deploying and configuring this SCA is streamlined. Once active, security engineers gain access to code-level reachability analysis for every vulnerability, from build to production, including visibility into reachable findings where an attack path exists from the developer’s code through open-source dependencies to a vulnerable library or function. With these insights, security teams can accurately identify true threats, prioritizing remediation based on the likelihood and impact of exploitation. Defender for Cloud already has robust risk prioritization based on multiple risk factors including internet exposure, sensitive data exposure, access and identity privileges, business risk and more. Endor Lab’s code reachability adds another robust layer of risk prioritization to reduce noise and productivity tax associated with maintaining multiple security platforms, offering streamlined and efficient protection for today’s complex multicloud environments. Figure 1: Risk prioritization with an additional layer of code reachability analysis New enhancements to cloud security posture management with additional API, Containers, and AI grounding data insights Defender for Cloud has made a series of enhancements to its cloud security posture management (CSPM) capabilities, starting with the general availability of AI Security Posture Management (AI-SPM). AI-SPM capabilities help identify vulnerabilities and misconfigurations in generative AI applications using Azure OpenAI, Azure Machine Learning, and Amazon Bedrock. We have also added expanded support for AWS AI technologies, new recommendations, and detailed attack paths, enhancing the discovery and mitigation of AI-related risks. Additionally, enriched AI grounding data insights provide context to data in AI applications, helping prioritize risks to datastores through tailored recommendations and attack paths. We have also included API security posture management in Defender CSPM at no additional cost. With these new capabilities, security teams can automatically map APIs to their backend compute hosts, helping organizations to visualize their API topology and understand the flow of data through APIs to identify sensitive data exposure risks. This allows security teams to see full API-led attack paths and take proactive measures against potential threats such as lateral movement and data exfiltration risks. Additionally, expanded sensitive data classification now includes API URL paths and query parameters, enhancing the ability to track and mitigate data-in-transit risks. Alongside API security enhancements, Defender for Cloud has also bolstered its container security posture capabilities. These advancements ensure continuous visibility into vulnerabilities and compliance from development through deployment. Security teams can shift left by scanning container images for vulnerabilities early in the CI/CD pipeline across multicloud and private registries, including Docker Hub and JFrog Artifactory. Additionally, the public preview of full multicloud regulatory compliance assessment for CIS Kubernetes Benchmarks across Amazon EKS, Azure Kubernetes Service, and Google Kubernetes Engine provides a robust framework for securing Kubernetes environments. Elevate cloud detection and response capabilities with enhanced monitoring, forensics, and cloud-native response actions The latest advancements in the integration between Defender for Cloud and Defender XDR bring a new level of protection against sophisticated threats. One notable feature is the near real-time detection for containers, which provides a detailed view of every step an attacker takes before initiating malicious activities like crypto mining or sensitive data exfiltration. Additionally, the Microsoft Kubernetes threat matrix, developed by Microsoft security researchers, provides valuable insights into specific attack techniques, enhancing the overall security incident triaging. To complement real-time detection, we are introducing a new threat analytics report that offers a comprehensive investigation of container-related incidents, helping security teams understand the potential attack methods that attackers could leverage to infiltrate containers. It also contains threat remediation suggestions and advanced hunting techniques. Figure 2. Cloud detection and response with Defender for Cloud and Defender XDR integration The introduction of new cloud-native response actions significantly aids in putting the investigation results into action or remediation. With a single click, analysts can isolate or terminate compromised Kubernetes pods, with all actions tracked in the Investigation Action Center for transparency and accountability. The new Security Copilot assisted triage and response actions helps analysts make informed decisions faster during an investigation. In all, these advancements, coupled with the seamless integration of cloud process events for threat hunting, empower security teams to respond quickly and effectively to threats, ensuring robust protection for their digital environments. Empowering defenders to stay ahead Defender for Cloud empowers security teams to stay ahead of attackers with a comprehensive code to runtime protection. With a focus on speed, efficiency, and efficacy, defenders can keep their cloud environments secure and resilient in the face of evolving threats. To learn more about Defender for Cloud and our new innovations, you can: Check out our cloud security solutionpage. Join us at Ignite. Learn how you can unlock business value with Defender for Cloud. See it in action with a cloud detection and response use-case. Start a 30-day free trial.1.6KViews2likes0CommentsEnhancing Server and Container Risk Score Analysis in Power BI
Navigating the complex landscape of cloud security requires a nuanced approach to vulnerability management. This blog dives into a Power BI solution that elevates Microsoft Defender for Cloud's assessments for servers and container images. By incorporating factors like CVE severity, exploitability, contextual risk, and CVE age, the solution delivers a more comprehensive risk score for each resource. It enables dynamic prioritization of remediation efforts through percentile-based thresholds and user-friendly visualizations, empowering security teams to tackle the most critical threats first. Discover how this approach can transform your cloud security strategy.1.4KViews4likes0CommentsAgentless scanning for virtual machines in the cloud – technical deep dive
Over the past three years, a notable shift has unfolded in the realm of cloud security. Increasingly, security vendors are introducing agentless scanning solutions to enhance the protection of their customers. These solutions empower users with visibility into their security posture and the ability to detect threats — all achieved without the need to install any additional software, commonly referred to as an agent, onto their workloads.8.2KViews10likes3CommentsMicrosoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation
Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in Aug 2024. The purpose of this blogpost is to clarify how Microsoft Defender for Cloud will align with this plan and what is the impact on customers.84KViews2likes28Comments