Become a Microsoft Defender for Cloud Ninja
[Last update: 04/08/2025] All content was reviewed and updated for the month of April 2025. This blog post has a curation of many Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) resources, organized in a format that can help you to go from absolutely no knowledge in Microsoft Defender for Cloud, to design and implement different scenarios. You can use this blog post as a training roadmap to learn more about Microsoft Defender for Cloud. On November 2nd, at Microsoft Ignite 2021, Microsoft announced the rebrand of Azure Security Center and Azure Defender for Microsoft Defender for Cloud. To learn more about this change, read this article. Every month we are adding new updates to this article, and you can track it by checking the red date besides the topic. If you already study all the modules and you are ready for the knowledge check, follow the procedures below: To obtain the Defender for Cloud Ninja Certificate 1. Take this knowledge check here, where you will find questions about different areas and plans available in Defender for Cloud. 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. To obtain the Defender for Servers Ninja Certificate (Introduced in 08/2023) 1. Take this knowledge check here, where you will find only questions related to Defender for Servers. 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Modules To become an Microsoft Defender for Cloud Ninja, you will need to complete each module. The content of each module will vary, refer to the legend to understand the type of content before clicking in the topic’s hyperlink. The table below summarizes the content of each module: Module Description 0 - CNAPP In this module you will familiarize yourself with the concepts of CNAPP and how to plan Defender for Cloud deployment as a CNAPP solution. 1 – Introducing Microsoft Defender for Cloud and Microsoft Defender Cloud plans In this module you will familiarize yourself with Microsoft Defender for Cloud and understand the use case scenarios. You will also learn about Microsoft Defender for Cloud and Microsoft Defender Cloud plans pricing and overall architecture data flow. 2 – Planning Microsoft Defender for Cloud In this module you will learn the main considerations to correctly plan Microsoft Defender for Cloud deployment. From supported platforms to best practices implementation. 3 – Enhance your Cloud Security Posture In this module you will learn how to leverage Cloud Security Posture management capabilities, such as Secure Score and Attack Path to continuous improvement of your cloud security posture. This module includes automation samples that can be used to facilitate secure score adoption and operations. 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud In this module you will learn how to use the cloud security posture management capabilities available in Microsoft Defender for Cloud, which includes vulnerability assessment, inventory, workflow automation and custom dashboards with workbooks. 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud In this module you will learn about the regulatory compliance dashboard in Microsoft Defender for Cloud and give you insights on how to include additional standards. In this module you will also familiarize yourself with Azure Blueprints for regulatory standards. 6 – Cloud Workload Protection Platform Capabilities in Azure Defender In this module you will learn how the advanced cloud capabilities in Microsoft Defender for Cloud work, which includes JIT, File Integrity Monitoring and Adaptive Application Control. This module also covers how threat protection works in Microsoft Defender for Cloud, the different categories of detections, and how to simulate alerts. 7 – Streaming Alerts and Recommendations to a SIEM Solution In this module you will learn how to use native Microsoft Defender for Cloud capabilities to stream recommendations and alerts to different platforms. You will also learn more about Azure Sentinel native connectivity with Microsoft Defender for Cloud. Lastly, you will learn how to leverage Graph Security API to stream alerts from Microsoft Defender for Cloud to Splunk. 8 – Integrations and APIs In this module you will learn about the different integration capabilities in Microsoft Defender for Cloud, how to connect Tenable to Microsoft Defender for Cloud, and how other supported solutions can be integrated with Microsoft Defender for Cloud. 9 - DevOps Security In this module you will learn more about DevOps Security capabilities in Defender for Cloud. You will be able to follow the interactive guide to understand the core capabilities and how to navigate through the product. 10 - Defender for APIs In this module you will learn more about the new plan announced at RSA 2023. You will be able to follow the steps to onboard the plan and validate the threat detection capability. 11 - AI Posture Management and Workload Protection In this module you will learn more about the risks of Gen AI and how Defender for Cloud can help improve your AI posture management and detect threats against your Gen AI apps. Module 0 - Cloud Native Application Protection Platform (CNAPP) Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach Microsoft CNAPP Solution Planning and Operationalizing Microsoft CNAPP Understanding Cloud Native Application Protection Platforms (CNAPP) Cloud Native Applications Protection Platform (CNAPP) Microsoft CNAPP eBook Understanding CNAPP Module 1 - Introducing Microsoft Defender for Cloud What is Microsoft Defender for Cloud? A New Approach to Get Your Cloud Risks Under Control Getting Started with Microsoft Defender for Cloud Implementing a CNAPP Strategy to Embed Security From Code to Cloud Boost multicloud security with a comprehensive code to cloud strategy A new name for multi-cloud security: Microsoft Defender for Cloud Common questions about Defender for Cloud MDC Cost Calculator Module 2 – Planning Microsoft Defender for Cloud Features for IaaS workloads Features for PaaS workloads Built-in RBAC Roles in Microsoft Defender for Cloud Enterprise Onboarding Guide Assigning Permissions in Microsoft Defender for Cloud Design Considerations for Log Analytics Workspace Onboarding on-premises machines using Windows Admin Center Understanding Security Policies in Microsoft Defender for Cloud Creating Custom Policies Centralized Policy Management in Microsoft Defender for Cloud using Management Groups Planning Data Collection for IaaS VMs Microsoft Defender for Cloud PoC Series – Microsoft Defender for Resource Manager Microsoft Defender for Cloud PoC Series – Microsoft Defender for Storage How to Effectively Perform an Microsoft Defender for Cloud PoC Microsoft Defender for Cloud PoC Series – Microsoft Defender for App Service Considerations for Multi-Tenant Scenario Microsoft Defender for Cloud PoC Series – Microsoft Defender CSPM Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series Grant tenant-wide permissions to yourself Simplifying Onboarding to Microsoft Defender for Cloud with Terraform Module 3 – Enhance your Cloud Security Posture Azure Secure Score vs. Microsoft Secure Score How Secure Score affects your governance Enhance your Secure Score in Microsoft Defender for Cloud Security recommendations Resource exemption Customizing Endpoint Protection Recommendation in Microsoft Defender for Cloud Deliver a Security Score weekly briefing Send Microsoft Defender for Cloud Recommendations to Azure Resource Stakeholders Secure Score Reduction Alert Average Time taken to remediate resources Improved experience for managing the default Azure security policies Security Policy Enhancements in Defender for Cloud Create custom recommendations and security standards Secure Score Overtime Workbook Automation Artifacts for Secure Score Recommendations Remediation Scripts Module 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud CSPM in Defender for Cloud Take a Proactive Risk-Based Approach to Securing your Cloud Native Applications Predict future security incidents! Cloud Security Posture Management with Microsoft Defender Software inventory filters added to asset inventory Drive your organization to security actions using Governance experience Managing Asset Inventory in Microsoft Defender for Cloud Vulnerability Assessment Workbook Template Vulnerability Assessment for Containers Improvements in Continuous Export feature Implementing Workflow Automation Workflow Automation Artifacts Creating Custom Dashboard for Microsoft Defender for Cloud Using Microsoft Defender for Cloud API for Workflow Automation What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud Connect AWS Account with Microsoft Defender for Cloud Video Demo - Connecting AWS accounts Microsoft Defender for Cloud PoC Series - Multi-cloud with AWS Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform How to better manage cost of API calls that Defender for Cloud makes to AWS Connect GCP Account with Microsoft Defender for Cloud Protecting Containers in GCP with Defender for Containers Video Demo - Connecting GCP Accounts Microsoft Defender for Cloud PoC Series - Multicloud with GCP All You Need to Know About Microsoft Defender for Cloud Multicloud Protection Custom recommendations for AWS and GCP 31 new and enhanced multicloud regulatory standards coverage Azure Monitor Workbooks integrated into Microsoft Defender for Cloud and three templates provided How to Generate a Microsoft Defender for Cloud exemption and disable policy report Cloud security posture and contextualization across cloud boundaries from a single dashboard Best Practices to Manage and Mitigate Security Recommendations Defender CSPM Defender CSPM Plan Options Cloud Security Explorer Identify and remediate attack paths Agentless scanning for machines Cloud security explorer and Attack path analysis Governance Rules at Scale Governance Improvements Data Security Aware Posture Management A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis Understanding data aware security posture capability Agentless Container Posture Agentless Container Posture Management Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created Proactively secure your Google Cloud Resources with Microsoft Defender for Cloud Demystifying Defender CSPM Discover and Protect Sensitive Data with Defender for Cloud Defender for cloud's Agentless secret scanning for virtual machines is now generally available! Defender CSPM Support for GCP Data Security Dashboard Agentless Container Posture Management in Multicloud Agentless malware scanning for servers Recommendation Prioritization Unified insights from Microsoft Entra Permissions Management Defender CSPM Internet Exposure Analysis Future-Proofing Cloud Security with Defender CSPM ServiceNow's integration now includes Configuration Compliance module 🚀 Suggested Labs: Improving your Secure Posture Connecting a GCP project Connecting an AWS project Defender CSPM Agentless container posture through Defender CSPM Contextual Security capabilities for AWS using Defender CSPM Module 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud Understanding Regulatory Compliance Capabilities in Microsoft Defender for Cloud Adding new regulatory compliance standards Regulatory Compliance workbook Regulatory compliance dashboard now includes Azure Audit reports Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS! Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance CIS Azure Foundations Benchmark v2.0.0 in regulatory compliance dashboard Spanish National Security Framework (Esquema Nacional de Seguridad (ENS)) added to regulatory compliance dashboard for Azure 🚀 Suggested Lab: Regulatory Compliance Module 6 – Cloud Workload Protection Platform Capabilities in Microsoft Defender for Clouds Understanding Just-in-Time VM Access Implementing JIT VM Access File Integrity Monitoring in Microsoft Defender Understanding Threat Protection in Microsoft Defender Microsoft Defender for Servers Demystifying Defender for Servers Onboarding directly (without Azure Arc) to Defender for Servers Agentless secret scanning for virtual machines in Defender for servers P2 & DCSPM Vulnerability Management in Defender for Cloud File Integrity Monitoring using Microsoft Defender for Endpoint Microsoft Defender for Containers Basics of Defender for Containers Secure your Containers from Build to Runtime AWS ECR Coverage in Defender for Containers Upgrade to Microsoft Defender Vulnerability Management End to end container security with unified SOC experience Binary drift detection episode Binary drift detection Cloud Detection Response experience Exploring the Latest Container Security Updates from Microsoft Ignite 2024 Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud Onboarding Docker Hub and JFrog Artifactory Improvements in Container’s Posture Management New AKS Security Dashboard in Defender for Cloud Microsoft Defender for Storage Protect your storage resources against blob-hunting Malware Scanning in Defender for Storage Microsoft Defender for SQL New Defender for SQL VA Microsoft Defender for SQL Anywhere New autoprovisioning process for SQL Server on machines plan Defender for Open-Source Relational Databases Multicloud Microsoft Defender for KeyVault Microsoft Defender for AppService Microsoft Defender for Resource Manager Understanding Security Incident Security Alert Correlation Alert Reference Guide 'Copy alert JSON' button added to security alert details pane Alert Suppression Simulating Alerts in Microsoft Defender for Cloud Alert validation Simulating alerts for Windows Simulating alerts for Linux Simulating alerts for Containers Simulating alerts for Storage Simulating alerts for Microsoft Key Vault Simulating alerts for Microsoft Defender for Resource Manager Integration with Microsoft Defender for Endpoint Auto-provisioning of Microsoft Defender for Endpoint unified solution Resolve security threats with Microsoft Defender for Cloud Protect your servers and VMs from brute-force and malware attacks with Microsoft Defender for Cloud Filter security alerts by IP address Alerts by resource group Defender for Servers Security Alerts Improvements 🚀 Suggested Labs: Workload Protections Agentless container vulnerability assessment scanning Microsoft Defender for Cloud database protection Protecting On-Prem Servers in Defender for Cloud Defender for Storage Module 7 – Streaming Alerts and Recommendations to a SIEM Solution Continuous Export capability in Microsoft Defender for Cloud Deploying Continuous Export using Azure Policy Connecting Microsoft Sentinel with Microsoft Defender for Cloud Closing an Incident in Azure Sentinel and Dismissing an Alert in Microsoft Defender for Cloud Microsoft Sentinel bi-directional alert synchronization 🚀 Suggested Lab: Exporting Microsoft Defender for Cloud information to a SIEM Module 8 – Integrations and APIs Integration with Tenable Integrate security solutions in Microsoft Defender for Cloud Defender for Cloud integration with Defender EASM Defender for Cloud integration with Defender TI REST APIs for Microsoft Defender for Cloud Obtaining Secure Score via REST API Using Graph Security API to Query Alerts in Microsoft Defender for Cloud Automate(d) Security with Microsoft Defender for Cloud and Logic Apps Automating Cloud Security Posture and Cloud Workload Protection Responses Module 9 – DevOps Security Overview of Microsoft Defender for Cloud DevOps Security DevOps Security Interactive Guide Configure the Microsoft Security DevOps Azure DevOps extension Configure the Microsoft Security DevOps GitHub action Automate SecOps to Developer Communication with Defender for DevOps Compliance for Exposed Secrets Discovered by DevOps Security Automate DevOps Security Recommendation Remediation DevOps Security Workbook Remediating Security Issues in Code with Pull Request Annotations Code to Cloud Security using Microsoft Defender for DevOps GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud Securing your GitLab Environment with Microsoft Defender for Cloud Bridging the Gap Between Code and Cloud with Defender for Cloud Integrate Defender for Cloud CLI with CI/CD pipelines Code Reachability Analysis 🚀 Suggested Labs: Onboarding Azure DevOps to Defender for Cloud Onboarding GitHub to Defender for Cloud Module 10 – Defender for APIs What is Microsoft Defender for APIs? Onboard Defender for APIs Validating Microsoft Defender for APIs Alerts API Security with Defender for APIs Microsoft Defender for API Security Dashboard Exempt functionality now available for Defender for APIs recommendations Create sample alerts for Defender for APIs detections Defender for APIs reach GA Increasing API Security Testing Visibility Boost Security with API Security Posture Management 🚀 Suggested Lab: Defender for APIs Module 11 – AI Posture Management and Workload Protection Secure your AI applications from code to runtime with Microsoft Defender for Cloud AI security posture management AI threat protection Secure your AI applications from code to runtime Data and AI security dashboard Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud 🚀 Suggested Lab: Security for AI workloads Are you ready to take your knowledge check? If so, click here. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got it wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email. Other Resources Microsoft Defender for Cloud Labs Become an Microsoft Sentinel Ninja Become an MDE Ninja Cross-product lab (Defend the Flag) Release notes (updated every month) Important upcoming changes Have a great time ramping up in Microsoft Defender for Cloud and becoming a Microsoft Defender for Cloud Ninja!! Reviewer: Tom Janetscheck, Senior PMMicrosoft Defender for Cloud Customer Newsletter
What’s new in Defender for Cloud? We're enhancing the severity levels of recommendations to improve risk assessment and prioritization. As part of this update, we reevaluated all severity classifications and introduced a new level — Critical. See this page for more info. General Availability of File Integrity Monitoring (FIM) based on Microsoft Defender for Endpoint in Azure Government File Integrity Monitoring based on Microsoft Defender for Endpoint is now GA in Azure Government (GCCH) as part of Defender for Servers Plan 2. For more details, please refer to our documentation Blog(s) of the month In March, our team published the following blog posts we would like to share: Integrating Security into DevOps Workflows with Microsoft Defender CSPM New innovations to protect custom AI applications with Defender for Cloud All Key Vaults Are Critical, But Some Are More Critical Than Others: Finding the Crown Jewels GitHub Community Learn more about code reachability in Defender for Cloud: Module 26 - Defender for Cloud Code Reachability Vulnerabilities with Endor Labs Visit our GitHub page Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episode here: Unveiling Kubernetes lateral movement in Defender for Cloud Manage cloud security posture with Microsoft Defender for Cloud Visit our new YouTube page Customer journey Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Danfuss. Danfoss’s growth contrasted with inefficient manual, on-premises security solutions. It wanted a scalable security solution to defend its global data and SAP landscape while lifting security team effectiveness. Danfoss adopted Microsoft Sentinel and the Microsoft Sentinel solution for SAP applications. It ingests logs from 20 applications and thousands of devices with the connectors including Defender for Cloud. Show me more stories Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month! April 15 Microsoft Defender for Cloud | Securing Custom Built AI Applications with Microsoft Defender for Cloud April 30 Microsoft Defender for Cloud | Securing Custom Built AI Applications with Microsoft Defender for Cloud We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribeThe Future of CIEM in Microsoft Defender for Cloud
Today, Microsoft announced the planned retirement of Microsoft Entra Permissions Management, targeted for October 1, 2025. As we navigate this transition, we want to reassure customers of our ongoing commitment to deliver Cloud Infrastructure Entitlement Management (CIEM) capabilities within Microsoft Defender for Cloud. Our investment in CIEM remains a strategic priority and an integral component of our comprehensive Cloud-Native Application Protection Platform (CNAPP). What Does This Mean for Your Defender for Cloud Experience? The planned changes around Microsoft Entra Permissions Management will not affect existing CIEM capabilities in Microsoft Defender for Cloud. All permissions management functionality you rely on today, including identity discovery, permissions visibility, and entitlement governance, will remain fully available in Defender CSPM, ensuring your cloud security operations continue to run smoothly without interruption. Our Long-term Investment in CIEM Capabilities CIEM is a critical component of CNAPP and is essential for addressing security risks associated with identity and permissions misconfigurations in multicloud environments. Microsoft remains committed to continuously enhancing Defender for Cloud’s CIEM capabilities, aligning closely with core CNAPP use cases, including: Centralized multicloud identity discovery: Providing visibility and analysis of cloud identities and entitlements across Azure, AWS, and GCP, enabling security teams to proactively identify and address permission-related risks across their entire cloud estate. Permissions gap analysis: Assessing assigned permissions against actual usage to highlight unnecessary entitlements, allowing organizations to significantly reduce identity-based risk and permissions sprawl. Inactive identity tracking: Identifying and managing inactive identities and unused permissions, supporting the principle of least privilege by removing unnecessary access. Our roadmap includes ongoing innovation designed to help your organization proactively manage entitlements, mitigate risks, and strengthen overall cloud security posture. Continuing Our Security Journey Together We deeply value your trust and collaboration. Our goal is to provide security teams with enhanced CIEM capabilities within Defender for Cloud that support your organization's cloud security efforts now and in the future. For guidance on enabling and optimizing CIEM capabilities within Microsoft Defender for Cloud, please visit our Microsoft Learn page.All Key Vaults Are Critical, But Some Are More Critical Than Others: Finding the Crown Jewels
Introduction A critical asset is one of substantial value, whose compromise or disruption would result in significant adverse effects on the organization. This definition lays the foundation for understanding why Azure Key Vaults often fall into this category. Azure Key Vaults are integral to cloud environments as they manage sensitive data like cryptographic keys, passwords, and certificates. Their frequent use in securing applications, managing secrets, and enabling secure operations makes them highly valuable. Given this importance, identifying which Key Vaults are critical becomes essential. Approach Our approach to identifying critical Key Vaults is based on operational activity. We classify Key Vaults using the top n percentile of operations within each tenant, ensuring that only the most active and essential Key Vaults are flagged as critical. This approach provides a fair evaluation across varying tenant sizes and ensures that thresholds dynamically adjust with data size and distribution, making the classification resilient to outliers and representative of actual operational importance. Why Focus on Key Vaults with High Operation Counts? Increased Usage Indicates High Dependency: A high volume of operations suggests that the Key Vault is heavily utilized, meaning it plays a central role in the security and operational processes within the environment. For example, it might be frequently accessed to retrieve secrets, keys, or certificates, which are essential for the functioning of various applications and services. Sensitive Data Storage: Key Vaults typically store sensitive data, such as cryptographic keys, passwords, and other secrets. A Key Vault with many operations is likely to store and manage a significant amount of this sensitive data, making it a high-value target for potential attacks. Operational Impact: If a heavily used Key Vault were compromised or became unavailable, it could disrupt multiple critical processes across the organization. This could include application outages, security breaches, or other operational failures, making the Key Vault critical to overall business continuity. Security Implications: Frequent access to a Key Vault might indicate its role in automated processes or scripts that require secure handling of credentials and keys. The more a Key Vault is accessed, the higher the potential risk if its security is breached, hence making it essential to protect and monitor it closely. Benefits of Using Percentiles in Criticality Classification In critical asset classification, the use of percentiles offers several distinct advantages over percentage-based methods: Resilience to Outliers: Percentiles rank Key Vaults without being influenced by extreme values. For instance, even if one Key Vault has an unusually high operation count, the percentile method ensures that the classification threshold remains stable. Dynamic Adaptation to Dataset Size: As the number of Key Vaults grows, percentile thresholds adjust dynamically, maintaining consistency and accuracy over time. Fair Evaluation Across Tenants: Different tenants have varying numbers of Key Vaults. Percentiles allow for a fair assessment by ensuring that each tenant’s Key Vaults are evaluated within that tenant’s dataset. This means that even smaller tenants with fewer Key Vaults can have their most active Key Vaults identified as critical without being overshadowed by the larger operation counts of bigger tenants. Percentiles rank within each tenant individually, making the classification equitable across different scales. Mathematical Rigor: Percentiles provide a statistically sound method for ranking Key Vaults, offering a reliable framework for criticality classification. Operational Relevance: By using percentiles, the classification highlights Key Vaults that are truly operationally significant within their own environment, enhancing security monitoring and response efforts. This approach ensures that critical assets are identified accurately, without the distortions caused by outliers, dataset size, or operational scale variations, making it ideal for cloud environments. Findings from Research Overall Critical Assets: Around 0.5% of total KVs were identified as critical Tenant-wise Analysis: Percentile thresholds adjusted dynamically across tenant sizes. Large tenants saw a minimal increase in critical assets, validating accuracy. Smaller tenants benefited from nuanced classification. Percentile-based classification ensures that Key Vaults with relatively high operation counts are identified, regardless of tenant size, providing a balanced approach. Figure 1: Tenant-wise Analysis Finding the Optimal Percentile Threshold The reverse elbow curve method is a data-driven approach to determine the optimal percentile threshold. Figure 2 illustrates this concept by plotting the percentage of Key Vaults classified as critical against various percentile values. As the percentile value increases from 90 to 99, the percentage of critical Key Vaults decreases, forming a clear reverse elbow shape. In this graph, the curve starts to flatten around the 95th percentile, marked as the 'Optimal Percentile Threshold.' This point represents where the rate of decrease in critical Key Vaults slows down significantly. Selecting this threshold ensures that we capture the most critical Key Vaults without unnecessarily including too many lower-priority assets. Before this point, too many Key Vaults are classified as critical, while after this point, too few Key Vaults are included. Figure 2: Identifying the optimal percentile threshold This visual example demonstrates why the reverse elbow curve method is essential for balancing coverage and precision in critical asset classification, ensuring that the most operationally significant Key Vaults are identified efficiently. Conclusion In conclusion, identifying critical Azure Key Vaults is essential for maintaining the security, availability, and operational integrity of cloud environments. By leveraging a percentile-based classification approach, we ensure that only the most active and essential Key Vaults are recognized as critical assets. The use of the reverse elbow curve method further strengthens this classification by selecting an optimal percentile threshold that balances coverage and precision. This methodology not only minimizes noise from less active Key Vaults but also ensures that highly utilized and sensitive Key Vaults receive the attention they deserve. As cloud operations continue to scale, such data-driven classification approaches are vital for effective security management and risk mitigation.
New innovations to protect custom AI applications with Defender for Cloud
Today’s blog post introduced new capabilities to enhance AI security and governance across multi-model and multi-cloud environments. This follow-on blog post dives deeper into how Microsoft Defender for Cloud can help organizations protect their custom-built AI applications. The AI revolution has been transformative for organizations, driving them to integrate sophisticated AI features and products into their existing systems to maintain a competitive edge. However, this rapid development often outpaces their ability to establish adequate security measures for these advanced applications. Moreover, traditional security teams frequently lack the visibility and actionable insights needed, leaving organizations vulnerable to increasingly sophisticated attacks and struggling to protect their AI resources. To address these challenges, we are excited to announce the general availability (GA) of threat protection for AI services, a capability that enhances threat protection in Microsoft Defender for Cloud. Starting May 1, 2025, the new Defender for AI Services plan will support models in Azure AI and Azure OpenAI Services. “Security is paramount at Icertis. That’s why we've partnered with Microsoft to host our Contract Intelligence platform on Azure, fortified by Microsoft Defender for Cloud. As large language models (LLMs) became mainstream, our Icertis ExploreAI Service leveraged generative AI and proprietary models to transform contract management and create value for our customers. Microsoft Defender for Cloud emerged as our natural choice for the first line of defense against AI-related threats. It meticulously evaluates the security of our Azure OpenAI deployments, monitors usage patterns, and promptly alerts us to potential threats. These capabilities empower our Security Operations Center (SOC) teams to make more informed decisions based on AI detections, ensuring that our AI-driven contract management remains secure, reliable, and ahead of emerging threats.” Subodh Patil, Principal Cyber Security Architect at Icertis With these new threat protection capabilities, security teams can: Monitor suspicious activity in Azure AI resources, abiding by security frameworks like the OWASP Top 10 threats for LLM applications to defend against attacks on AI applications, such as direct and indirect prompt injections, wallet abuse, suspicious access to AI resources, and more. Triage and act on detections using contextual and insightful evidence, including prompt and response evidence, application and user context, grounding data origin breadcrumbs, and Microsoft Threat Intelligence details. Gain visibility from cloud to code (right to left) for better posture discovery and remediation by translating runtime findings into posture insights, like smart discovery of grounding data sources. Requires Defender CSPM posture plan to be fully utilized. Leverage frictionless onboarding with one-click, agentless enablement on Azure resources. This includes native integrations to Defender XDR, enabling advanced hunting and incident correlation capabilities. Detect and protect against AI threats Defender for Cloud helps organizations secure their AI applications from the latest threats. It identifies vulnerabilities and protects against sophisticated attacks, such as jailbreaks, invisible encodings, malicious URLs, and sensitive data exposure. It also protects against novel threats like ASCII smuggling, which could otherwise compromise the integrity of their AI applications. Defender for Cloud helps ensure the safety and reliability of critical AI resources by leveraging signals from prompt shields, AI analysis, and Microsoft Threat Intelligence. This provides comprehensive visibility and context, enabling security teams to quickly detect and respond to suspicious activities. Prompt analysis-based detections aren’t the full story. Detections are also designed to analyze the application and user behavior to detect anomalies and suspicious behavior patterns. Analysts can leverage insights into user context, application context, access patterns, and use Microsoft Threat Intelligence tools to uncover complex attacks or threats that escape prompt-based content filtering detectors. For example, wallet attacks are a common threat where attackers aim to cause financial damage by abusing resource capacity. These attacks often appear innocent because the prompts' content looks harmless. However, the attacker's intention is to exploit the resource capacity when left unconstrained. While these prompts might go unnoticed as they don't contain suspicious content, examining the application's historical behavior patterns can reveal anomalies and lead to detection. Respond and act on AI detections effectively The lack of visibility into AI applications is a real struggle for security teams. The detections contain evidence that is hard or impossible for most SOC analysts to access. For example, in the below credential exposure detection, the user was able to solicit secrets from the organizational data connected to the Contoso Outdoors chatbot app. How would the analyst go about understanding this detection? The detection evidence shows the user prompt and the model response (secrets are redacted). The evidence also explicitly calls out what kind of secret was exposed. The prompt evidence of this suspicious interaction is rarely stored, logged, or accessible anywhere outside the detection. The prompt analysis engine also tied the user request to the model response, making sense of the interaction. What is most helpful in this specific detection is the application and user context. The application name instantly assists the SOC in determining if this is a valid scenario for this application. Contoso Outdoors chatbot is not supposed to access organizational secrets, so this is worrisome. Next, the user context reveals who was exposed to the data, through what IP (internal or external) and their supposed intention. Most AI applications are built behind AI gateways, proxies, or Azure API Management (APIM) instances, making it challenging for SOC analysts to obtain these details through conventional logging methods or network solutions. Defender for Cloud addresses this issue by using a straightforward approach that fetches these details directly from the application’s API request to Azure AI. Now, the analyst can reach out to the user (internal) or block (external) the identity or the IP. Finally, to resolve this incident, the SOC analyst intends to remove and decommission the secret to mitigate the impact of the exposure. The final piece of evidence presented reveals the origin of the exposed data. This evidence substantiates the fact that the leak is genuine and originates from internal organizational data. It also provides the analyst with a critical breadcrumb trail to successfully remove the secret from the data store and communicate with the owner on next steps. Trace the invisible lines between your AI application and the grounding sources Defender for Cloud excels in continuous feedback throughout the application lifecycle. While posture capabilities help triage detections, runtime protection provides crucial insights from traffic analysis, such as discovering data stores used for grounding AI applications. The AI application's connection to these stores is often hidden from current control or data plane tools. The credential leak example provided a real-world connection that was then integrated into our resource graph, uncovering previously overlooked data stores. Tagging these stores improves attack path and risk factor identification during posture scanning, ensuring safe configuration. This approach reinforces the feedback loop between runtime protection and posture assessment, maximizing cloud-native application protection platform (CNAPP) effectiveness. Align with AI security frameworks Our guiding principle is widely recognized by OWASP Top 10 for LLMs. By combining our posture capabilities with runtime monitoring, we can comprehensively address a wide range of threats, enabling us to proactively prepare for and detect AI-specific breaches with Defender for Cloud. As the industry evolves and new regulations emerge, frameworks such as OWASP, the EU AI Act, and NIST 600-1 are shaping security expectations. Our detections are aligned with these frameworks as well as the MITRE ATLAS framework, ensuring that organizations stay compliant and are prepared for future regulations and standards. Get started with threat protection for AI services To get started with threat protection capabilities in Defender for Cloud, it’s as simple as one-click to enable it on your relevant subscription in Azure. The integration is agentless and requires zero intervention in the application dev lifecycle. More importantly, the native integration directly inside Azure AI pipeline does not entail scale or performance degradation in the application runtime. Consuming the detections is easy, it appears in Defender for Cloud’s portal, but is also seamlessly connected to Defender XDR and Sentinel, leveraging the existing connectors. SOC analysts can leverage the correlation and analysis capabilities of Defender XDR from day one. Explore these capabilities today with a free 30-day trial*. You can leverage your existing AI application and simply enable the “AI workloads” plan on your chosen subscription to start detecting and responding to AI threats. *Trial free period is limited to up to 75B tokens scanned. Learn more about the innovations designed to help your organization protect data, defend against cyber threats, and stay compliant. Join Microsoft leaders online at Microsoft Secure on April 9. Explore additional resources Learn more about Runtime protection Learn more about Posture capabilities Watch the Defender for Cloud in the Field episode on securing AI applications Get started with Defender for CloudIntegrating Security into DevOps Workflows with Microsoft Defender CSPM
This forth article in our series builds on the main overview (“Strategy to Execution: Operationalizing Microsoft Defender CSPM”). Here, we focus on embedding security directly into DevOps workflows using Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) capabilities. Introduction DevOps has revolutionized the way organizations build, deploy, and manage everything from applications to enterprise infrastructure, to capture the full breadth of stuff that goes into code repos, breaking down silos between development and operations teams and enabling faster software delivery, consistent and declarative infrastructure. However, increased speed often brings heightened security risks if vulnerabilities slip through the pipeline unnoticed. The antidote is to “shift security left,” weaving it throughout every stage of the software development lifecycle (SDLC). Microsoft Defender Cloud Security Posture Management (CSPM) provides the automation, continuous monitoring, and governance controls essential for implementing DevSecOps. By integrating CSPM with your CI/CD pipelines, you can detect misconfigurations and vulnerabilities early, prevent security bottlenecks, and maintain both agility and robust protection across Azure, AWS, GCP, and beyond. Below, we’ll explore the importance of aligning security practices with DevOps goals, detail how Defender CSPM supports shift-left security, and provide operational steps to incorporate automated checks and remediation into your CI/CD processes. Why Security Belongs in DevOps Reducing Security Debt Late-stage vulnerability discovery can be costly, forcing teams to revisit code or configurations after they’ve been deployed. By integrating security early, potential issues are detected and remediated when fixes are fastest and least disruptive. Maintaining DevOps Agility Security, when bolted on at the end, risks slowing down release cycles. Embedding checks and automated gating within your DevOps pipeline helps maintain velocity, ensuring security standards are met without derailing rapid deployments. Aligning Security with Development Goals Effective DevOps aims to deliver high-quality, reliable software quickly. Security shouldn’t be an afterthought; it should reinforce the same objectives, high-quality, secure software. With the right tools and processes, security becomes a natural part of the release process, not an obstacle. How Defender CSPM Enhances DevSecOps Shift-Left Security Defender CSPM scans for vulnerabilities and misconfigurations early in the SDLC, detecting issues in code or Infrastructure-as-Code (IaC) templates before they reach production. Code-to-Cloud Contextualization Security risks don't exist in isolation. Defender CSPM provides end-to-end visibility from code to cloud, tracing vulnerabilities from the development phase through deployment. For instance, if a developer introduces an insecure dependency, Defender CSPM can assess its impact on the cloud environment, enabling teams to address security risks in context. Infrastructure-as-Code (IaC) Security By analyzing Terraform, ARM, and other IaC templates, Defender CSPM helps prevent security misconfigurations before infrastructure is provisioned. If a Terraform script inadvertently exposes a storage bucket to the internet, Defender CSPM flags the issue and provides actionable remediation steps. Reachability Analysis (via Endor Labs Integration) Through integration with Endor Labs, Defender CSPM can perform advanced reachability analysis on vulnerabilities within code dependencies or container images. By identifying whether your application actually calls the affected functions or libraries, this approach helps security teams focus remediation efforts on genuinely exploitable vulnerabilities—thereby reducing noise and prioritizing the highest-impact risks. You can learn more about reachability analysis types in Endor Labs’ guide. Continuous Assessments Rather than relying on sporadic audits, Defender CSPM continuously monitors cloud resources to identify and address misconfigurations, vulnerabilities, and compliance gaps in real time. Container Image Security Defender CSPM scans container images for known vulnerabilities before deployment, alerting teams if an exploitable package is included and providing guidance for mitigation. Security as Code Security policies, governance models, and compliance requirements can be codified and enforced automatically within CI/CD pipelines, allowing teams to integrate security without disrupting delivery speed. Automated Remediation Customizable playbooks can automatically fix issues—from misconfigured IAM policies to security patches—reducing manual effort and human error. Security Gates in CI/CD Pipelines To prevent insecure deployments, Defender CSPM enforces security gates in DevOps workflows. If a high-risk vulnerability is detected during the build or deployment phase, the pipeline is halted until the issue is resolved, ensuring only secure code reaches production. Seamless Integration with DevOps Workflows Defender CSPM integrates natively into popular CI/CD solutions, enabling collaborative workflows that bring together development, security, and operations teams under a shared responsibility model. Automated Compliance Checks Defender CSPM verifies infrastructure and applications against regulatory standards (e.g., PCI-DSS, HIPAA) throughout the DevOps lifecycle. New compliance requirements (e.g., mandatory data encryption) are continuously evaluated for adherence. Continuous Visibility and Risk Prioritization Defender CSPM dynamic security posture assessment helps teams focus on high-impact risks by surfacing critical vulnerabilities with remediation guidance. Step-by-Step: Integrating Defender CSPM into DevOps Workflows Below is a practical framework combining both conceptual guidance and operational steps to help you establish DevSecOps with Defender CSPM. Step 1: Setting Up Security Gates in the CI/CD Pipeline Objective: Automate security checks at critical stages to ensure security policies are enforced before software moves to production. Define Security Policies for Development Collaborate with development and security teams to establish code-level and infrastructure-level policies (e.g., no exposed ports, mandatory encryption, disallowing vulnerable libraries). Use Defender CSPM to enforce these policies directly within the pipeline so that non-compliant code is flagged early, including the ability to trace its potential impact on cloud environments. For detailed on configuring Defender for Cloud in your pipeline, see the official CI/CD integration documentation. Configure Automated Gates Integrate Defender CSPM with Azure DevOps, GitHub Actions, or other CI/CD tools. Set up automated scans at each build or deployment step. Deployments halt if critical issues arise, such as vulnerabilities with severity above a set threshold. This ensures that only secure and compliant code is deployed to production. Read further details on how to configure the Microsoft Security DevOps (MSDO) Action. Enable Continuous Security Assessments Trigger a security scan on every code commit to catch new vulnerabilities immediately. For infrastructure, leverage Infrastructure as Code (IaC) scans before provisioning resources (e.g., checking ARM or Terraform templates against security policies). Pre-Deployment Security Testing Incorporate static (SAST) and dynamic (DAST) security testing as part of the pipeline. For instance, use SonarQube for SAST and OWASP ZAP for DAST, with Defender CSPM acting as the overarching guardrail to confirm findings and enforce organizational policies. Role-Based Access Control (RBAC) Implement RBAC so that only authorized personnel can modify security policies and configurations, preserving the integrity of security settings. Step 2: Continuous Security Assessments During the Development Lifecycle Objective: Perform ongoing, automated security checks throughout coding, testing, and release cycles. Monitor All Cloud Resources Enable continuous monitoring of dev, staging, and production environments. Defender CSPM flags issues like unencrypted data or open ports as soon as they appear, expediting remediation. Automate Security Checks on IaC Scan Infrastructure as Code (IaC) templates for security compliance before resource creation. For example, if a Terraform template lacks encryption on a storage bucket, Defender CSPM can flag or block the deployment. This proactive approach ensures that security is embedded in the infrastructure from the outset, reducing the risk of security breaches. Define Clear DevSecOps Roles Clearly define roles within the DevSecOps framework. Developers are responsible for writing secure code, DevOps teams manage secure infrastructure provisioning, and security engineers validate controls. Forming a DevSecOps council or similar forum can help ensure alignment and timely resolution of vulnerabilities. This collaborative approach fosters a culture of shared responsibility for security. Collaborative Feedback Loops Regularly review CSPM findings with both development and security teams. Integrate with ticketing systems like Service Azure Boards to track vulnerabilities and manage them as backlog items. This continuous feedback loop helps in prioritizing and addressing security issues, ensuring that they are resolved in a timely manner. Step 3: Automating Feedback Loops Between Security and DevOps Teams Objective: Ensure rapid vulnerability detection, assignment, and remediation through real-time notifications and integrated workflows. Automate Vulnerability Notifications Use Azure Logic Apps or similar tools to push alerts to communication platforms like Teams or email. These alerts should provide details on the severity of the vulnerability, affected resources, and recommended fixes so that developers can act quickly. For example, if Defender CSPM detects an unencrypted storage bucket, an alert can be sent to the relevant team with instructions on how to enable encryption. Establish a Continuous Remediation Loop Defender CSPM flags a critical issue, a playbook can automatically open a pull request with recommended configuration changes or patches. Developers can then fix the code, and the pipeline will re-run security checks before merging the changes. This ensures that vulnerabilities are addressed promptly and that the code remains secure throughout the development lifecycle. Track Vulnerability Remediation Progress Assign Service Level Agreements (SLAs) for vulnerabilities based on their severity. Regularly review CSPM dashboards to monitor the progress of vulnerability remediation and set escalation rules for overdue items via tools like ServiceNow. This helps ensure that critical vulnerabilities are addressed within the required timeframes and that any delays are promptly escalated. Automated Reporting and Metrics Generate monthly or weekly reports on the security posture, including open vulnerabilities, average remediation time, and block rates in the pipeline. Use tools like Azure Workbooks or Power BI to visualize trending data and identify areas for process improvement. These reports can help in tracking the effectiveness of security measures and in making informed decisions to enhance the overall security posture. Strategic Benefits of DevSecOps with Defender CSPM Proactive Risk Mitigation: By catching vulnerabilities early, organizations can minimize the chance of costly breaches and protect customer trust. Defender CSPM provides code-to-runtime contextualization, allowing teams to identify and address security issues from the code level to the cloud infrastructure. This proactive approach ensures that security is embedded throughout the development lifecycle, preventing issues from escalating. Faster Remediation and Reduced Security Debt: Continuous monitoring and automated fixes prevent issues from lingering or piling up, ensuring that your production environment stays clean. For example, if a misconfiguration is detected in a Terraform script, Defender CSPM can alert the team and provide guidance on how to fix it. This helps maintain a secure infrastructure from the outset, reducing the risk of security breaches. Compliance Monitoring at Runtime: Defender CSPM identifies misconfigurations and vulnerabilities against various frameworks (e.g., PCI-DSS, HIPAA) after deployment, reducing manual overhead for compliance checks. While there isn’t a direct mapping of tool findings to a specific compliance framework during the build stage, continuous runtime assessments help maintain a secure and compliant environment, ensuring that infrastructure and applications meet regulatory and security requirements once deployed. Enhanced Collaboration: Transparency and shared ownership bridge the gap between development, security, and operations teams, making security an enabler rather than a roadblock. Defender CSPM integrates seamlessly into DevOps workflows, enabling security teams to work closely with development and operations teams. This collaboration helps identify and mitigate security risks early in the development process, fostering a culture of shared responsibility for security. Consistent Scalability: As your cloud footprint expands, automated checks ensure that new resources, teams, and pipelines follow the same robust security standards. Continuous visibility into the security posture of the cloud environment helps in prioritizing risks based on their impact, ensuring that the most critical security issues are addressed promptly. Key Metrics to Track DevSecOps Success Vulnerability Detection Rate: Ensures early and frequent discovery of security issues. Deployment Block Rate: Indicates how often releases are halted due to security violations. A high block rate may mean teams need additional training or improved processes. Mean Time to Detect (MTTD): Tracks the average time taken to detect a security issue from the moment it occurs. Shorter detection times reflect the effectiveness of continuous monitoring and automated security checks. Remediation Time (MTTR): Measures how quickly issues are resolved after detection. Shorter times reflect mature collaboration and processes. Compliance Pass Rate: Tracks how consistently code and cloud resources meet defined standards before going live. False Positive Rate: Measures the frequency of false positives in security alerts. A lower false positive rate indicates more accurate detection and reduces the burden on teams to investigate non-issues. Change Failure Rate: Indicates the percentage of changes that result in a failure or security issue. A lower change failure rate suggests that security is well-integrated into the development process and that changes are being implemented securely. Security Incident Frequency: Measures the number of security incidents over a specific period. Monitoring this metric helps in understanding the overall security posture and identifying trends or patterns in security incidents. Conclusion and Next Steps Integrating Defender CSPM into DevOps workflows is pivotal for any organization aiming to balance speed and security in the cloud. By automating security gates, shifting security checks left, and fostering real-time collaboration, you reduce the risk of late-breaking vulnerabilities and maintain a more resilient production environment. To revisit the broader context of this series and learn about our earlier topics, such as risk identification and prioritization, review the main overview article, Considerations for risk identification and prioritization in Defender for Cloud, and Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM. In our next piece, we’ll explore how Defender CSPM can bolster proactive forensics and incident preparedness, equipping your organization to detect threats early and respond decisively when incidents occur. Stay tuned! Microsoft Defender for Cloud - Additional Resources Blog series main article - Strategy to Execution: Operationalizing Microsoft Defender CSPM Blog Series article - Considerations for risk identification and prioritization in Defender for Cloud Blog Series article - Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja Reviewers Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud Dick Lake, Security Product Manager, CxE Defender for CloudMicrosoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? On-demand malware scanning in Defender for Storage is now in GA! This feature also supports blobs up to 50 GB in size (previously limited to 2GB). See this page for more info. 31 new and enhanced Multicloud regulatory standards We’ve published enhanced and expanded support of over 31 security and regulatory frameworks in Defender for Cloud across Azure, AWS & GCP. For more details, please refer to our documentation. Blogs of the month In February, our team published the following blog posts we would like to share: Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud New and enhanced multicloud regulatory compliance standards in Defender for Cloud Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM GitHub Community Learn more about Code Reachability Vulnerabilities with Endor Labs with Module 26 - Defender for Cloud Code Reachability Vulnerabilities with Endor Labs Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episodes here: Integrate Defender for Cloud CLI with CI/CD pipelines Code Reachability Analysis Visit our YouTube page! Customer journeys Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Kurita Water Industries, a water treatment solutions company, that leverages both Microsoft Entra Permissions Management and Defender for Cloud’s CSPM for resource statuses, vulnerabilities, state of access permissions, and risk prioritization and CWPP capabilities to continuously monitor and protect cloud workloads Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month in the link below! MAR 5 Microsoft Defender for Cloud | API Security Posture with Defender for Cloud We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribeSecure containers software supply chain across the SDLC
In today’s digital landscape, containerization is essential for modern application development, but it also expands the attack surface with risks like vulnerabilities in base images, misconfigurations, and malicious code injections. Securing containers across their lifecycle is critical. Microsoft Defender for Cloud delivers end-to-end protection, evaluating threats at every stage—from development to runtime. Recent advancements further strengthen container security, making it a vital solution for safeguarding applications throughout the Software development lifecycle (SDLC). Container software development lifecycle The lifecycle of containers involves several stages, during which the container evolves through different software artifacts. Container software supply chain It all starts with a container or docker script file, created or edited by developer in development phase, submitted into the code repository. Script file converts into a container image during the build phase via the CI/CD pipeline, submitted into container registry as part of the ship phase When a container image is deployed into a Kubernetes cluster, it transforms into running, ephemeral container instances, marking the transition to the runtime phase. A container may encounter numerous challenges throughout its transition from development to runtime. Ensuring its security requires maintaining visibility, mitigating risks, and implementing remediation measures at each stage of its journey. Microsoft Defender for Cloud's latest advancements in container security assist in securing your container's journey and safeguarding your containerized environments Command line interface (CLI) tool for container image scanning at build phase, is now in public preview Integrating security into every phase of your software development is crucial. To effectively incorporate container security evaluation early in the container lifecycle, particularly during the development phase, and to seamlessly integrate it into diverse DevSecOps ecosystems, the use of a Command Line Interface (CLI) is essential. This new capability of Microsoft Defender for Cloud provides an alternative method for assessing container image for security findings. This capability, available through a CLI abstract layer, allows for seamless integration into any tool or process, independently of Microsoft Defender for Cloud portal. Key purpose of Microsoft Defender for Cloud CLI: Expanding container security to cover the development phase, code repository phase, and CI/CD phase: o Development phase: Developers can scan container images locally on Windows, Linux, or Mac OS using PowerShell or any scripting terminal. o Code repository phase: Integrate the CLI into code repositories with webhook integrations like GitHub actions to scan and potentially abort pull requests based on findings. o CI/CD phase: Scan container images in the CI/CD pipeline to detect and block vulnerabilities during the build stage. Invoke scanning on-demand for specific container images. Integrate easily into existing DevSecOps processes and tools. For more details watch the demo CLI demo How it works Microsoft Defender for Cloud CLI requires authentication through API tokens. These tokens are managed via the Integrations section in the Microsoft Defender for Cloud Portal, by Security Administrators. Figure 3: API push tokens management The CLI supports Microsoft proprietary and third-party engines like Trivy, enabling vulnerability assessment of container images and generating results in SARIF format. It integrates with Microsoft Defender for Cloud for further analysis and helps incorporate security guardrails early in development. Additionally, it provides visibility of container artifacts' security posture from code to runtime and context essential for security issues remediations such as artifact owner and repo of origin. For more details, setup guides, and use cases, please refer to official documentation. Vulnerabilities assessment of container images in third party registries, now in public preview Container registries are centralized repositories used to store container images for the ship phase, prior deployment to Kubernetes clusters. They play an essential role in the container's software supply chain and accessing container images for vulnerabilities at this phase might be the last chance to prevent vulnerable images from reaching your production runtime environments. Many organizations use a mix of cloud-native (ACR, ECR, GCR, GAR) and 3 rd party container registries. To enhance coverage, Microsoft Defender for Cloud now offers vulnerability assessments for third-party registries like Docker Hub and Jfrog Artifactory. These are popular 3 rd party container registries. You can now integrate them into your Microsoft Defender for Cloud tenant to scan container images for security vulnerabilities, improving your organization's coverage of the container software supply chain. This integration offers key benefits: Automated vulnerability scanning: Automatically scans container images for known vulnerabilities, helping identify and fix security issues early. Continuous monitoring: Ensures that new vulnerabilities are promptly detected and addressed. Compliance management: Assists organizations in maintaining compliance by providing detailed security posture reports on container images and resources. Actionable security recommendations: Provides recommendations based on best practices to improve container security. Figure 4: Docker Hub & Jfrog Artifactory environments Figure 5: Jfrog Artifactory container images in Security Explorer To learn more please refer to official documentation for Docker Hub and Jfrog Artifactory. Azure Kubernetes Service (AKS) security dashboard for cluster admin view, now in public preview, provides granular visibility into container security directly within the AKS portal Microsoft Defender for Cloud aims to provide security insights relevant to each audience in the context of their existing tools & process, helping various roles prioritize security and build secure software applications essential to ensure your containers security across SDLC. To learn more please explore AKS Security Dashboard Conclusion Microsoft Defender for Cloud introduces groundbreaking advancements in container security, providing a robust framework to protect containerized applications. With integrated vulnerability assessment, malware detection, and comprehensive security insights, organizations can strengthen their security posture across the software development lifecycle (SDLC). These enhancements simplify security management, ensure compliance, and offer risk prioritization and visibility tailored to different audiences and roles. Explore the latest innovations in Microsoft Defender for Cloud to safeguard your containerized environments- New Innovations in Container Security with Unified Visibility and Investigations.Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM
Introduction This is the third article in our blog series, “Strategy to Execution: Operationalizing Microsoft Defender CSPM.” If you’re new to the series, or want a more holistic view of strategic planning, start with our main overview article and then explore “Considerations for Risk Identification and Prioritization in Defender for Cloud” for a deeper dive into proactive risk management. Cloud security compliance and governance are no longer optional. Organizations operating in multi-cloud environments such as Azure, AWS, and GCP face a rising tide of complex regulations (like HIPAA, PCI-DSS, and ISO 27001) and stringent internal policies. Non-compliance carries significant risks: financial penalties, damage to reputation, and disrupted operations. Effective governance, enforcing security controls, defining responsibilities, and maintaining environmental visibility is essential but challenging in dynamic cloud environments. Automation and a unified approach are essential. Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) directly addresses these challenges. It delivers automated compliance checks, continuous monitoring, real-time policy enforcement, and streamlined reporting. This results in a proactive security posture, enabling rapid gap detection and remediation while aligning security with business objectives. This article provides a practical guide to leveraging Defender CSPM for compliance and governance. We will detail how to automate audits, implement policy-driven controls, conduct gap analyses, and continuously strengthen your cloud security posture. Our goal is to equip you to confidently navigate evolving regulations and minimize the risk of costly breaches and fines. Why Compliance and Governance Matter in the Cloud Compliance and governance are not merely best practices; they are foundational pillars for secure and sustainable operations. Organizations need to fully grasp the consequences of neglecting these critical aspects and the compelling justifications for prioritizing them. The following points outline the key drivers, underscoring the essential role of robust compliance and governance frameworks: Regulatory Requirements Organizations in highly regulated sectors, finance, healthcare, retail must adhere to strict controls around data handling, access management, and security practices. Non-compliance can incur fines that stretch into millions of dollars and severely damage brand reputation. Data Privacy and Security Regulatory frameworks often mandate encryption standards, multi-factor authentication (MFA), and regular audits, to name a few. As cloud infrastructures expand and shift, real-time monitoring becomes essential to ensuring these security controls remain intact across all environments. Governance Accountability Cloud configurations change rapidly, especially in DevOps-heavy environments. Governance ensures standardized security practices are enforced consistently, assigning ownership for remediation tasks and verifying that best practices are followed at every stage. By automating these aspects, compliance checks, governance policies, and enforcement organizations can minimize risk, conserve resources, and systematically adapt to new requirements. How Defender CSPM Automates Compliance and Governance Addressing the complexities of cloud compliance and governance effectively requires automation. Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) solution is specifically designed to streamline these processes, moving organizations away from manual, time-consuming efforts towards a more efficient and proactive approach. The following points detail how Defender CSPM automates key aspects of compliance and governance, delivering significant benefits in terms of speed, accuracy, and resource optimization. Automated Compliance Audits Defender CSPM automates continuous audits of your cloud resources, comparing configurations against various industry and regional standards (e.g., HIPAA, PCI-DSS, ISO 27001). In addition to these established frameworks, it also permits the creation of custom controls to audit internal policies or distinctive organizational requirements. You can even combine built-in standards with custom controls to create an entirely tailored compliance standard. While not all assessments can be automated, this approach greatly reduces the reliance on manual audits, enabling security teams to focus on higher-priority, strategic tasks. Critically, any violations, whether against standard or custom benchmarks, are flagged for immediate, targeted remediation. Continuous Compliance Monitoring Cloud environments are inherently dynamic; new deployments and changes can inadvertently introduce non-compliance workloads. Defender CSPM’s continuous monitoring approach ensures that as soon as a resource slips out of compliance, your team is notified. This continuous feedback loop is crucial for large, multicloud deployments, where manual assessment quickly becomes unmanageable. Centralized Reporting and Dashboards To effectively manage, analyze, and communicate compliance status, Defender CSPM offers built-in dashboards and predefined reports within Microsoft Defender for Cloud, allowing you to visualize and export data such as Compliance status (e.g., via PDF, CSV/XLS). Additionally, you can leverage Azure Resource Graph to create more customized views or integrate with external reporting solutions. While not an end-to-end automated reporting platform, these features collectively help organizations share compliance insights across teams and satisfy regulatory or stakeholder requirements. For personalized and in-depth reports, you can leverage Azure Workbooks. This powerful feature enables you to create highly customized reports directly within Azure, allowing you to focus on specific data points and visualizations relevant to your unique requirements. For advanced analytical reports and interactive dashboards, Defender CSPM seamlessly integrates with Power BI. This integration empowers you to build sophisticated dashboards, conduct in-depth data analysis, and gain deeper insights into your compliance trends and potential areas of concern. Furthermore, for organizations preferring alternative reporting solutions or needing to integrate compliance data into existing systems, Defender CSPM offers a REST API. This open API allows any reporting tool capable of consuming RESTful data to access and utilize Defender CSPM's compliance data, providing maximum flexibility and interoperability. Gap Analysis and Continuous Improvement Regular gap analyses pinpoint areas that fall short of regulatory or internal standards. This insight drives ongoing improvement, prompting updates to both technical configurations and governance models. Defender CSPM’s iterative approach to compliance ensures that security posture evolves alongside the organization. Step-by-Step: Operationalizing Compliance and Governance Step 1: Automating Compliance Audits Objective: Implement automated checks for regulations and internal policies, ensuring continuous visibility into compliance posture. Identify Relevant Standards Form a dedicated team to map industry regulations (e.g., HIPAA, PCI-DSS, ISO 27001) to specific security controls within your Azure, AWS, or GCP environments. This team will be responsible for ongoing compliance governance. Create and maintain a matrix that clearly links each cloud configuration requirement to the relevant policy or regulation it addresses. This matrix will serve as your central reference for compliance. Configure Automated Audits Activate Defender CSPM to perform ongoing compliance assessments. Microsoft Cloud Security Benchmark (MCSB) is enabled by default for a broad baseline review. You can activate additional frameworks relevant to your specific industry and regulatory obligations. (Note: Compliance standards in Defender for Cloud are accessible with any Defender for Cloud plan, excluding Defender for Servers Plan 1 or Defender for API Plan 1. For more information, see: Microsoft Defender for Cloud Regulatory Compliance Packages.) Set up Workflow automation and Logic Apps (as documented by Microsoft: Workflow automation - Microsoft Defender for Cloud) to automatically trigger remediation actions or send alerts to designated teams upon detection of non-compliance. Defender CSPM also allows you to configure automated rules to assign remediation tasks to specific individuals or teams, or to create Service Requests in ITSM systems like ServiceNow. (For best practices, refer to: Best Practices to Manage and Mitigate Security Recommendations). Schedule Compliance Reports Defender for Cloud includes some built-in dashboards and reports that can be exported as PDF or CSV. While there isn’t a single, end-to-end scheduling mechanism within Defender CSPM, you can publish your compliance data to Power BI for scheduled, recurring distribution. This approach ensures that compliance reports automatically reach the right stakeholders at set intervals, minimizing manual effort and helping maintain an up-to-date view of your cloud security posture. Leverage reports and dashboards to visually track compliance trends, identify recurring non-compliance issues, and monitor the progress of remediation efforts. Step 2: Implementing Policy-Based Governance Models Objective: Enforce consistent standards and assign the right roles to maintain control across cloud environments. Aligning your approach with the Microsoft Cloud Security Benchmark (MCSB), and create a cohesive framework that defines governance policies, responsibilities, and operational processes. Define Governance Framework Aligned with MCSB Draw on MCSB guidelines to formalize key governance pillars, including: Align Organization Roles, Responsibilities, and Accountabilities. Clearly document who owns cloud security decisions. Prioritize accountability, ensuring all stakeholders understand their roles. Define and Implement Enterprise Segmentation/Separation of Duties Strategy. Establish a strategy that uses identity, network, or application controls to segment assets without impeding collaboration. Define and Implement Data Protection Strategy. Incorporate data protection guidance for encryption, key management, and data lifecycle controls. Consider how data classification, egress policies, and zero-trust principles fit into your governance. Define and Implement Network Security Strategy. Document how you’ll segment networks, manage internet edge ingress/egress, and maintain up-to-date network artifacts (e.g., diagrams, reference architectures). Define and Implement Security Posture Management Strategy. Describe how you’ll continuously assess, detect, and remediate vulnerabilities and misconfigurations, leveraging Defender for Cloud (CSPM). Define and Implement Identity and Privileged Access Strategy. Align with MCSB identity and privileged access controls, outlining standards for MFA, password policies, break-glass accounts, and periodic access reviews. Define and Implement Logging, Threat Detection, and Incident Response Strategy. Specify how logs are collected and correlated; identify your SIEM/XDR workflows; detail an escalation path for incident response, referencing MCSB logging and threat detection guidelines. Define and Implement Backup and Recovery Strategy. Articulate RTO/RPO requirements, redundancy design, and backup protections against unauthorized access or tampering. Define and Implement Endpoint Security Strategy. Document your approach to EDR, antivirus, and other endpoint controls, ensuring non-production environments follow the same standards. Define and Implement DevOps Security Strategy. Embed security checks (shift-left) throughout the CI/CD pipeline, enforcing IaC policies, scanning code, and automating compliance checks as recommended in MCSB DevOps sections. Define and Implement Multi-Cloud Security Strategy If you operate in multiple clouds, maintain consistent governance and unify operational processes across platforms. Train teams on differing architectures while standardizing risk management and tooling. Engage a diverse group of stakeholders from across your organization in the development and review of the Governance Manual. Maintain a Living Governance Document Regularly revisit and refine the Governance Framework as your technology, business requirements, and regulatory demands evolve. Keeping policies current prevents misalignment over time and reinforces a proactive security culture. Policy-Driven Compliance Utilize the native policy engines provided by your cloud platforms, Azure Policy for Azure, AWS Config for AWS, and GCP IAM Policy or Organization Policies for GCP, to actively enforce your defined governance policies. Configure these policy engines not just for detection of non-compliant configurations, but also to enable automatic remediation wherever technically feasible and operationally safe. Auto-remediation significantly reduces the window of vulnerability and minimizes manual effort. Set up alerts and notifications within your cloud policy engines to immediately notify security teams when policy violations are detected, especially for critical security controls. Ensure these alerts are routed to the appropriate teams with clear instructions and context, enabling rapid response and remediation actions to address any deviations that could potentially compromise compliance and security. Automating Policy Reviews Implement scheduled policy review cycles – for example, bi-annual or quarterly – to ensure your Cloud Security Governance Manual and enforced policies remain current and relevant. The frequency of reviews should be driven by the pace of change within your organization and the evolving regulatory landscape. Leverage Workflow Automation features within your cloud platforms or utilize Azure Logic Apps (or equivalent automation services in AWS/GCP), to proactively notify the designated governance teams when scheduled policy reviews are due. These automated notifications ensure timely reviews and prevent policy stagnation, allowing your governance framework to scale effectively as your cloud environment expands and new regulatory demands emerge. Step 3: Running Compliance Gap Analysis and Remediation Objective: Identify deviations from compliance standards in your environment and proactively remediate identified issues. Conduct Initial Gap Analysis Use Defender CSPM to benchmark your cloud resources against your defined security policies and relevant external compliance standards. Generate a prioritized list of identified compliance gaps. This list should clearly highlight the potential risk and business impact associated with each gap. Categorize and Prioritize Gaps Categorize identified compliance gaps based on their risk level (e.g., High, Medium, Low). Consider factors such as data sensitivity, business criticality, and potential regulatory impact for accurate classification. Clearly assign responsibility for remediating each gap to specific teams or individuals. Establish Service Level Agreements (SLAs) for remediation based on the risk level (e.g., 24-48 hours for High-risk gaps) to ensure timely resolution. Automated Remediation Playbooks Create automated remediation playbooks for frequently occurring misconfigurations, such as unencrypted data storage or publicly accessible resources. Utilize Workflow Automation, Azure Logic Apps, Azure Automation, or other serverless automation frameworks to automatically remediate identified misconfigurations, aiming for near real-time resolution of common issues. Track Progress and Iterate Actively use the built-in or custom compliance dashboards within Defender CSPM to continuously track the status of remediation efforts across all identified gaps. Automate the generation and distribution of weekly compliance progress reports to relevant stakeholders. Use these reports to track overall progress, identify bottlenecks, and iteratively refine remediation workflows and resource allocation as needed for optimal efficiency Strategic Advantages of Automation Substantially Reduced Legal and Financial Risk: Automating compliance checks offers a crucial shield against potentially devastating legal and financial repercussions. By proactively and continuously identifying compliance violations early in the lifecycle, automation allows for rapid remediation before they escalate into significant issues. This proactive approach directly minimizes the risk of incurring steep regulatory fines, facing costly legal battles, and suffering significant financial losses due to non-compliance. Furthermore, maintaining a consistently compliant posture demonstrates due diligence and responsible data handling, mitigating the potential for legal scrutiny and associated costs. Enhanced Efficiency and Optimized Resource Allocation: Automation fundamentally transforms how security teams operate. By offloading the tedious and time-consuming burden of manual compliance audits and routine governance tasks to automated systems, organizations achieve significant gains in efficiency. This shift liberates highly skilled security professionals from repetitive, low-value activities, allowing them to focus their expertise and resources on more strategic and critical priorities. These include proactive threat detection, sophisticated incident response, in-depth security analysis, and the development of forward-thinking security strategies – areas where human expertise and ingenuity are irreplaceable and deliver far greater value to the organization. Strengthened Accountability and Streamlined Remediation: Automation plays a vital role in establishing a robust and accountable governance structure. By automatically enforcing clearly defined governance policies and assigning ownership for security controls, automation eliminates ambiguity and promotes responsibility. When non-compliance issues are automatically detected, automated workflows can immediately assign remediation tasks to specific teams or even individuals based on pre-defined rules and responsibilities. This clear assignment of accountability dramatically accelerates the remediation process, reduces confusion and "finger-pointing" across teams, and ensures that security gaps are addressed swiftly and efficiently. Future-Proofed Security and Agile Adaptability: In the rapidly evolving landscape of cloud computing and regulatory environments, agility is paramount. Automation provides the essential foundation for a future-proof security posture. Continuous compliance audits, coupled with automated policy enforcement, enable organizations to seamlessly adapt to new and evolving regulatory requirements, dynamic cloud platform changes, and shifting business priorities without being caught off guard. This inherent adaptability ensures that your organization can proactively maintain a strong security and compliance posture, regardless of the pace of change or the emergence of new challenges, ensuring long-term resilience and minimizing future risk. Conclusion and Next Steps By integrating Microsoft Defender CSPM into a structured compliance and governance framework, organizations can maintain an ongoing, automated process for meeting regulatory requirements, enforcing consistent policies, and remediating gaps. The result is a cloud security posture that is proactive, resilient, and aligned with business objectives. In our previous article, we explored how to identify and prioritize risks in your cloud environments. If you’re new to the series or want an overarching strategy perspective, check out our main overview article. Next, we’ll dive into integrating Defender CSPM within DevOps workflows, ensuring security is woven into every step of the development lifecycle. Stay tuned for Article 3, where we’ll cover practical methods for embedding security early and maintaining compliance without disrupting innovation. Microsoft Defender for Cloud - Additional Resources Blog series main article - Strategy to Execution: Operationalizing Microsoft Defender CSPM Blog Series article 2 - Considerations for risk identification and prioritization in Defender for Cloud Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja Reviewers Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud
