compliance
How Microsoft cloud security benchmark (MCSB) helps you succeed in your cloud security journey
The Microsoft cloud security benchmark (MCSB) includes a collection of high-impact security recommendations you can use to help secure your cloud services in a single or multi-cloud environment.

Elevate Your Container Posture: From Agentless Discovery to Risk Prioritization
As Kubernetes (K8s) continues to power modern containerized applications, the complexity of managing and securing these environments grows exponentially. The challenges in monitoring K8s environments stem not only from their dynamic nature but also from their unique structure—each K8s cluster operates as its own ecosystem, complete with its own control plane for authorization, networking, and resource management. This makes it fundamentally different from traditional cloud environments, where security practitioners often have established expertise and tools for managing the cloud control plane.

The specialized nature of K8s environments limits the visibility and control available to many security teams, resulting in blind spots that increase the risk of misconfigurations, compliance gaps, and potential attack paths. Gaining comprehensive visibility into the posture state of K8s workloads is essential for addressing these gaps and ensuring a secure, resilient infrastructure.

Key benefits

By further expanding its agentless container posture approach, Defender for Cloud delivers the following key benefits:

Enhanced risk management: improved prioritization through additional security insights, networking information, K8s RBAC, and image evaluation status, ensuring more critical issues can be addressed first.
Proactive security posture: gain comprehensive insights and prevent lateral movement within Kubernetes clusters, helping to identify and mitigate threats before they cause harm.
Comprehensive compliance and governance: achieve full transparency into software usage and Kubernetes RBAC configurations to meet compliance requirements and adhere to industry standards.

Release features overview

Enhanced K8s workload modeling

To ensure customers can better focus on security findings, and avoid reviewing stale information, Defender for Cloud now models K8s workloads in the security graph based on their configuration (K8s specification) rather than runtime assets.
This improvement avoids refresh-rate discrepancies, providing a more accurate and streamlined view of your K8s workloads, with single security findings for all identical containers within the same workload.

New Security Insights for Containers and Pods

Security teams that use the security explorer to proactively identify security risks in their multicloud environments now get even better visibility with additional security insights for containers and pods, including privileged containers, sensitive mounts, and more. For example, security practitioners can use the security explorer to find all containers that are vulnerable to remote code execution, exposed to the internet, and using sensitive host mounts, and eliminate those misconfigurations and vulnerabilities before a potential attacker abuses them to attack the container remotely and break out into the host through the sensitive host mount.

Extended K8s Networking Information

To enable customers to query the security graph based on additional characteristics of K8s networking and better understand exposure details for K8s workloads, Defender for Cloud now offers extended data collection for both K8s ingresses and services. This feature also includes new properties such as service port and service selectors.

[Figure: all new networking criteria that customers can now use to query for K8s networking configuration]
[Figure: detailed exposure information on a K8s workload exposed to the internet]

Enhanced image discovery

Customers can now gain complete visibility into all images used in their environments using the security explorer, including images from all supported registries and any image running in K8s, regardless of whether the image is scanned for vulnerabilities, with extended information per image.
Here are a few examples of important use cases that customers can detect and act on through a single query in the security explorer:

Detect usage of images from unmonitored registries:
Figure 4: images deployed directly from an unscanned docker registry
Check the presence of a specific image in the environment:
Figure 5: search for an image with a specific digest
Trace all images not evaluated for vulnerabilities:
Figure 6: all images not assessed for vulnerabilities

K8s RBAC in the security graph

The addition of K8s RBAC into the security graph serves two main purposes:

Security practitioners gain easy visibility into K8s service accounts, their permissions, and their bindings with K8s workloads, without prior expertise, and can hunt for service accounts that do not meet security best practices. The following example shows a service account that has full cluster permissions:
Figure 7: example of service account cluster admin permissions on cluster level

The security graph contextual analysis uses the K8s RBAC to identify lateral movement internally within K8s, from K8s to other cloud resources, and from the cloud to K8s. The following example shows an attack path starting from a container exposed to the internet with a vulnerability that can be remotely exploited. It also has access to a managed identity allowing the attacker to move all the way to a critical storage account:
Figure 8: attack path from a vulnerable exposed container to a critical storage account

Comprehensive Software Inventory for Containers

A detailed software inventory is now available for all container images and containers scanned for vulnerabilities, serving security practitioners and compliance teams in many ways:

Full visibility into all software packages used in container images and containers:
Figure 9: Full software list for images and containers
Query specific software usage across all environments, making it easier to identify risks or ensure compliance.
A common example of this use case includes a vulnerable software version with a zero-day vulnerability. For example, following the OpenSSL zero-day vulnerability publication, a security admin can use the following queries to find all instances of container images within the organization using OpenSSL version 3.0, even before a CVE was published:
Figure 10: search for a specific vulnerable open ssl version

Critical Asset Protection for K8s

Critical asset protection has been enhanced to cover additional container use cases:

Defender for Cloud customers can now define rules to mark workloads as critical based on their namespace and K8s labels. The following figure shows how customers can define rules that would automatically tag critical workloads based on their K8s labels:
Figure 11: customer defined rules for asset criticality based on K8s labels
Predefined rules allow K8s clusters to be flagged as critical, ensuring prioritized focus during risk assessments. An example of one of the predefined rules that automatically tags K8s clusters as critical:
Figure 12: Example for predefined K8s cluster criticality rules

As with other asset protection features in Defender for Cloud, these updates seamlessly integrate into the risk prioritization, attack path analysis, and security explorer workflows. The following example shows a critical attack path where the attack target is a critical K8s cluster:
Figure 13: Critical attack path where the target is a critical K8s cluster

K8s CIS benchmark

Customers that would like to audit their K8s clusters for regulatory compliance using K8s CIS, or enforce security controls that are part of the K8s CIS standard, now benefit from updated K8s CIS standards with broader security controls, with K8s CIS 1.5.0 for AKS and EKS, and K8s CIS 1.6.0 for GKE.
To start using the new standards and controls, enable the desired K8s CIS standard through the regulatory compliance dashboard, or via security policies:
Figure 14: Enabling K8s CIS 1.6.0 for GKE
Compliance status can then be monitored via the regulatory compliance dashboard for the relevant K8s CIS standard:
Figure 15: Viewing K8s CIS 1.5.0 compliance status

Get Started Today

To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Containers or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide. With these updates, we’re committed to helping you maintain a robust, secure, and scalable cloud-native environment.

Learn More

If you haven’t already, check out our previous blog post that introduced this journey: New Innovations in Container Security with Unified Visibility and Investigations. This new release continues to build on the foundation outlined in that post. With “Elevate your container posture: from agentless discovery to risk prioritization”, we’ve delivered capabilities that allow you to further strengthen your container security practices, while reducing operational complexities.

Strategy to Execution: Operationalizing Microsoft Defender CSPM
In today’s dynamic digital environment, cloud security is not just about building robust security posture; it’s about ensuring an adaptive environment with forward-looking strategies that align with your organization’s goals. Threat actors – ranging from individual hackers to organized criminal networks and state-sponsored groups – continuously develop new strategies to exploit vulnerabilities. Their motivations are diverse: financial gain, competitive intelligence, or pure disruption. Moreover, the greatest risks often emerge from within organizations, where human error or intentional misconduct can compromise even the most robust security frameworks.

As the threat landscape grows increasingly complex, organizations must evolve beyond reactive responses to embrace proactive and holistic cybersecurity frameworks. This shift demands long-term strategic planning coupled with hands-on operationalization, ensuring that security measures are not only defined on paper but also seamlessly integrated into day-to-day workflows.

Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) solution embodies this comprehensive approach. It empowers organizations to maintain continuous visibility across multicloud environments, enabling informed decision-making and effective allocation of resources. By aligning security initiatives with business objectives, integrating compliance seamlessly, incorporating DevSecOps principles, and preparing for incidents proactively, Defender CSPM helps organizations build a security posture that evolves in tandem with their growth and innovation.

This guide explores both the strategic imperatives and the practical steps necessary to operationalize Defender CSPM.
From setting long-term security goals to automating compliance checks and embedding security into DevOps, we’ll walk through how to move from strategic vision to actionable practices that yield sustainable and measurable improvements in your organization’s cloud security posture.

Why Strategic Planning Matters in Cloud Security

Modern cloud architectures span multiple platforms - Azure, AWS, GCP, and beyond - each posing unique security challenges. Without a unified strategic framework, teams risk creating visibility gaps that malicious actors can exploit. Coupled with the evolving threat landscape, where adversaries leverage sophisticated tactics and target APIs, applications, and data stores, organizations must continuously refine their security strategies to stay ahead.

Comprehensive strategic planning ensures that:

Complexity is Managed Proactively: By defining a consistent security strategy across all cloud environments, organizations avoid piecemeal protection and siloed controls.
Continuous Adaptation to Emerging Threats: The rapid evolution of technologies like AI and APIs requires forward-looking strategies that anticipate and mitigate new attack vectors. Strategic planning enables continuous improvement rather than ad-hoc, reactive fixes.
Regulatory Compliance is Embedded: With regulations like GDPR, HIPAA, and PCI-DSS growing more stringent, organizations must weave compliance into their broader strategy. Automated governance and compliance checks ensure rules are followed without stifling innovation.
Alignment with Business Goals: Effective cloud security isn’t a cost center - it’s a strategic asset. Integrating security into the broader business roadmap ensures that risk management supports growth, innovation, and operational excellence.
Defender CSPM’s Role in Strategic Cloud Security Management

Microsoft Defender CSPM is designed to provide the foundational capabilities required for a strategic security posture, offering:

Continuous Visibility Across Multicloud Environments: Gain a unified view of security posture across Azure, AWS, and GCP. This holistic perspective allows teams to identify misconfigurations and vulnerabilities quickly - no matter where they lurk.
Risk-Based Prioritization: Not all risks are equal. Defender CSPM contextualizes vulnerabilities based on potential impact and exploitability, guiding teams to focus on the most critical threats.
Automated Compliance and Governance: By continuously auditing cloud environments against industry benchmarks, Defender CSPM helps maintain adherence to complex standards without manual overhead.
DevSecOps Integration: Security needs to be “shifted left,” integrated into the earliest stages of software development. Defender CSPM aligns with DevOps workflows, catching vulnerabilities before they reach production.
Proactive Incident Preparedness: By highlighting potential attack paths and offering forensic insights, Defender CSPM equips organizations to handle incidents swiftly and learn from them to prevent future occurrences.
Resource Optimization: With finite budgets and staff, organizations must allocate resources where they matter most. Defender CSPM’s data-driven insights help direct investments to the highest-impact areas, improving ROI.

From Strategy to Operationalization: Bringing Defender CSPM into Day-to-Day Work

Developing a strategic security framework is the first step; operationalizing it ensures those strategies have a tangible impact. Operationalization bridges the gap between intention and execution, allowing your security posture to evolve continuously in response to new threats and requirements.

Why Operationalization is Crucial:

Proactive Risk Remediation: Knowing where your risks lie isn’t enough.
Operationalizing CSPM means establishing workflows that ensure vulnerabilities and misconfigurations are promptly addressed, reducing dwell time and exposure.
Automated Compliance and Governance Enforcement: Manual compliance checks are slow and error-prone. Operationalizing CSPM involves automating these checks and embedding policies to ensure continuous adherence to standards.
Seamless DevSecOps Integration: By incorporating security gates and assessments into CI/CD pipelines, security is no longer a bottleneck but a catalyst for building more resilient applications from the outset.
Effective Incident Response: Operationalization ensures that incident response teams have playbooks, tooling, and integrations - such as with SIEM and XDR solutions like Microsoft Defender XDR and Sentinel - ready to go, minimizing downtime and damage.
Data-Driven Resource Allocation: Turn insights into action by regularly evaluating risk data and using it to guide budget decisions, ensuring your team’s efforts yield maximum security value.

Key Steps to Operationalizing Defender CSPM

Set Clear Objectives and Assess Your Environment: Begin by evaluating your multicloud footprint and defining what success looks like. Are you striving for reduced mean time to remediate (MTTR), consistent compliance, or earlier vulnerability detection in the development cycle?
Develop a Cloud Security Roadmap: A roadmap outlines how you will implement CSPM’s capabilities - continuous scanning, automated compliance checks, DevSecOps integration - and sets milestones to measure progress.
Automate Vulnerability Scanning and Remediation: Configure continuous scanning to identify new vulnerabilities as they appear. Integrate remediation steps into predefined workflows so that issues are not just found, but rapidly fixed.
Enforce Compliance Through Policies and RBAC: Implement role-based access controls and automated policy enforcement to maintain regulatory compliance.
Regularly review compliance dashboards to ensure standards remain met over time.
Integrate Security into DevOps Workflows: Shift-left security by embedding vulnerability scans and code checks into CI/CD pipelines. Provide developers with immediate feedback on security issues, enabling them to resolve problems early and cheaply.
Proactive Forensics and Incident Preparedness: Develop incident response playbooks that detail how to use Defender CSPM insights to contain, investigate, and remediate breaches. Integrate with SIEM tools like Microsoft Sentinel for real-time alerting and streamlined investigations.
Continuously Optimize Resource Allocation: Use Defender CSPM’s risk-based insights to refine where you spend your time and money. Track key metrics - like reduction in exposed vulnerabilities or faster remediation times - to prove ROI and make informed budgeting decisions.

Measuring Success and Continuous Improvement

Operationalizing your CSPM strategy isn’t a one-and-done effort. It’s a continuous improvement cycle that relies on monitoring key performance indicators (KPIs) and adjusting tactics as needed. Consider metrics like:

Vulnerability Detection and Remediation Rates: How quickly are identified risks fixed?
Compliance Audit Outcomes: Are you passing regulatory checks consistently?
Mean Time to Remediate (MTTR): How quickly can your team address new threats?
Reduction in High-Severity Exposures: Is your environment becoming progressively harder to penetrate?

Regularly reviewing these metrics ensures that your CSPM program remains aligned with business goals, adapts to emerging threats, and continually improves.

Conclusion

The future of cloud security depends on uniting strategic vision with practical execution. Microsoft Defender CSPM provides the visibility, intelligence, and automation necessary to strengthen your security posture continuously.
By integrating Defender CSPM into both long-term planning and day-to-day operations, organizations can proactively manage risks, maintain compliance, streamline DevSecOps, and prepare effectively for incidents, ensuring that security initiatives not only protect today’s assets but also pave the way for a more resilient future.

Looking Ahead: Deep Dives into Strategic and Operational Scenarios

In the following five articles, we’ll translate these principles into actionable guidance for real-world contexts. Each piece will focus on a specific scenario - proactive risk identification, compliance automation, DevSecOps integration, proactive forensics and incident response, and resource optimization - offering hands-on insights and tools. Stay tuned to learn how to turn vision into measurable, lasting improvements in your cloud security posture.

Microsoft Defender for Cloud Additional Resources

Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP
Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja

Reviewers

Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud

Leveraging Defender for Containers to simplify policy management in your Kubernetes Clusters
Introduction

A key part of Kubernetes security includes making sure the cluster is configured to industry and company best practices. This entails controlling what users can do on the cluster and blocking actions that don’t comply with pre-defined best practices. Out of the box, Kubernetes does not provide a mechanism to write and deploy the fine-grained policies required by your security and compliance mandates. As a result, you will probably leverage something like Gatekeeper along with Open Policy Agent (OPA).

Defender for Containers protects your Kubernetes clusters by continuously assessing them to get visibility into misconfigurations and help mitigate identified threats. To get insight into the workload configuration on the cluster, the Azure Policy for Kubernetes is deployed as part of the Defender for Containers plan. The Azure Policy for Kubernetes extends the Gatekeeper v3 admission controller webhook for OPA. Gatekeeper is needed to check if the policy is correct before enforcing it. On Azure Kubernetes Service (AKS), it is deployed as an add-on. For Arc Enabled Kubernetes, which includes on-premises clusters and clusters hosted in Google Cloud or Amazon Web Services, it is deployed as an extension.

In this blog, we will go into more detail about how Azure Policy for Kubernetes uses Gatekeeper with OPA in the Defender for Containers plan.

How does the policy deployment work?

The Azure Policy for Kubernetes checks with the Azure Policy service for policy assignments to the cluster, deploys policy definitions into the cluster as constraints and constraint templates, and reports details back to the Azure Policy service. Figure 1 shows at a high level how the Gatekeeper works with policy and responds to admission requests. When a user makes a request to the API server, the API server will send an admission request to the Gatekeeper validating webhook and ask if this request should be allowed to proceed.
To make a decision, the Gatekeeper will consult the Policy CRs (Core Rules). The constraint shows the Gatekeeper what requirement needs to be met to make the request from the API server, while the template shows exactly how to make those requests.

When enabling Defender for Containers on your subscriptions, it recommends deploying the Azure Policy agent on your Kubernetes clusters. Once the agent is deployed, Defender for Containers provides best practices via recommendations across all Kubernetes clusters. Some recommendations have parameters that must be configured before they can be used effectively. The only action required by the customer is to adjust the policy parameters of those recommendations to the organizational policy. For example, in the recommendation “Container images should be deployed only from trusted registries”, customers must define known and trusted registries. Additionally, with “Container CPU and memory limits should be enforced”, customers must define the max allowed CPU units and memory bytes in the cluster in order for Defender for Containers to report non-compliant clusters. Organizations can also leverage the “Additional Information” section of the recommendation to view parameters that need to be configured.

Another parameter organizations may consider is exclusions. Organizations may have components on the cluster, such as an image or container, that they want to be excluded from being monitored in relevant recommendations. Where applicable, the “Additional Information” section of the recommendation would highlight the option to configure exclusions. Exclusions apply to all relevant data plane recommendations and are not customizable per recommendation. In the recommendation “Privileged containers should be avoided”, organizations can configure exclusions based on container images. Once configured, the exclusion would apply across all data plane recommendations where an image is relevant.
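The parameter-driven checks in this post (trusted registries, CPU and memory limits, privileged containers, image exclusions) and its audit and deny effects, modeled as an added Python example; this is not Azure Policy or Gatekeeper code, and the parameter names, registry names and pod objects are constructed assumptions.

```python
import re

# Constructed parameters; the key names are illustrative, not Azure Policy's own.
PARAMS = {
    # Anchored on purpose: under search semantics an unanchored
    # r"contoso\.azurecr\.io/" also matches the look-alike image in BAD_POD.
    "trusted_registry_regex": r"^contoso\.azurecr\.io/.+$",
    "max_cpu_millicores": 500,
    "max_memory_bytes": 512 * 1024**2,
    "excluded_images": {"contoso.azurecr.io/infra/node-agent:1.4"},
}
_UNITS = {"Ki": 1024, "Mi": 1024**2, "Gi": 1024**3, "K": 1000, "M": 1000**2, "G": 1000**3}

def cpu_millicores(q):
    """Convert a Kubernetes CPU quantity ('250m', '2', '0.5') to millicores."""
    return int(q[:-1]) if q.endswith("m") else round(float(q) * 1000)

def memory_bytes(q):
    """Convert a Kubernetes memory quantity ('256Mi', '1G', '1048576') to bytes."""
    for suffix in ("Ki", "Mi", "Gi", "K", "M", "G"):  # binary suffixes first
        if q.endswith(suffix):
            return round(float(q[: -len(suffix)]) * _UNITS[suffix])
    return int(q)

def violations(pod, params):
    """List the violations an audit would report for one pod object."""
    found = []
    spec = pod["spec"]
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, image = c["name"], c["image"]
        if image in params["excluded_images"]:
            continue  # an exclusion applies to every check, not per recommendation
        if not re.fullmatch(params["trusted_registry_regex"], image):
            found.append(f"{name}: image {image} is not from a trusted registry")
        if c.get("securityContext", {}).get("privileged"):
            found.append(f"{name}: privileged container")
        limits = c.get("resources", {}).get("limits", {})
        if "cpu" not in limits or "memory" not in limits:
            found.append(f"{name}: CPU/memory limits are not set")
            continue
        if cpu_millicores(limits["cpu"]) > params["max_cpu_millicores"]:
            found.append(f"{name}: CPU limit {limits['cpu']} exceeds the maximum")
        if memory_bytes(limits["memory"]) > params["max_memory_bytes"]:
            found.append(f"{name}: memory limit {limits['memory']} exceeds the maximum")
    return found

def admit(pod, params, effect="audit"):
    """Model the admission answer: 'deny' rejects on any violation, 'audit' admits and reports."""
    found = violations(pod, params)
    return {"allowed": not (found and effect == "deny"), "violations": found}

# Constructed sample pods.
GOOD_POD = {"spec": {"containers": [{
    "name": "web", "image": "contoso.azurecr.io/shop/web:2.1",
    "resources": {"limits": {"cpu": "250m", "memory": "256Mi"}}}]}}
BAD_POD = {"spec": {"containers": [
    {"name": "web", "image": "registry.example.net/contoso.azurecr.io/shop/web:2.1",
     "securityContext": {"privileged": True},
     "resources": {"limits": {"cpu": "2", "memory": "1Gi"}}},
    {"name": "sidecar", "image": "contoso.azurecr.io/shop/proxy:1.0"}]}}
EXCLUDED_POD = {"spec": {"containers": [{
    "name": "agent", "image": "contoso.azurecr.io/infra/node-agent:1.4",
    "securityContext": {"privileged": True}}]}}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD), ("excluded", EXCLUDED_POD)):
        for effect in ("audit", "deny"):
            print(label, effect, admit(pod, PARAMS, effect))
```

Running the same pod under both effects shows the operational difference: audit admits the workload and reports it as non-compliant, while deny rejects it with the same violation list.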
To be more proactive towards Kubernetes security, consider changing the recommendation from “audit” mode to “deny”. The deny effect would prevent the creation of resources that don’t satisfy the recommendation.

Exporting Affected Components

Once the parameters have been configured for the recommendations, you can view the affected components by navigating to the unhealthy resources tab and clicking on the unhealthy cluster. The affected components will pop up on the left blade. This information is retrieved via API calls and can be exported using a PowerShell script.

Limitations

Before deploying the Azure Policy Add-on, please be aware of existing limitations and recommendations.

Summary

In this article, we demonstrated an easy way to deploy and manage the policies for your Kubernetes clusters. Through the Azure Policy for Kubernetes, which is deployed as part of the Defender for Containers plan, organizations can leverage several built-in recommendations to monitor compliance on the Kubernetes data plane. We also showed you how to view the affected components for each recommendation, export them, and apply exclusions.

More Information:

Container security with Microsoft Defender for Cloud | Microsoft Learn
Secure your Containers from Build to Runtime - YouTube
Learn Azure Policy for Kubernetes - Azure Policy | Microsoft Learn

Reviewers

Tomer Spivak, Senior PM (Defender for Cloud)
Maya Herskovic, Senior PM (Defender for Cloud)
Mekonnen Kassa, Principal GPM (CxE, Defender for Cloud)