threat protection

Microsoft Defender for Cloud Customer Newsletter

What's new in Defender for Cloud?

AI security posture management is now generally available! Reduce risk to cross-cloud AI workloads by discovering the generative AI Bill of Materials, strengthen generative AI application security posture and use attack path analysis to identify risk. Learn more about it here.

On-demand malware scanning now in public preview

We're excited to announce the public preview of on-demand malware scanning. Customers can now scan existing files in storage accounts on demand, which gives them finer control and customization for critical storage assets. For more details, please refer to our documentation.

Blog(s) of the month

In November, following Ignite announcements, our team published the following blog posts we'd like to share:
- Cloud security innovations: strengthening defenses against modern cloud and AI threats
- New innovations in container security with unified visibility, investigations, and response actions
- Proactively harden your cloud security posture in the age of AI with CSPM innovations
- Prevent malware from spreading by scanning cloud storage accounts on-demand
- Deprecation of "Bring Your Own License" in MDC

GitHub community

Learn how to onboard Azure DevOps to Defender for Cloud in our updated lab - Module 14 here. Visit our GitHub page here.

Defender for Cloud in the field

Refresh your knowledge on securing your AI applications: Secure your AI applications from code to runtime. Visit our new YouTube page.

Customer journey

Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring the NBA (National Basketball Association), a global sports and media powerhouse dedicated to growing and celebrating the game of basketball, which partnered with Microsoft to address the complexities of scale and security required for next-generation technologies. With its IT estate in Azure, the NBA leverages Defender for Cloud to provide a single pane of glass on its cloud security posture.

Security community webinars

Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. This month, we have the following upcoming webinars:
- DEC 11: Microsoft Defender for Cloud | Exploring the Latest Container Security Updates from Microsoft Ignite
- DEC 12: Microsoft Defender for Cloud | Future-Proofing Cloud Security with Defender CSPM

We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up to date with announcements. Sign up at aka.ms/JoinCCP.

We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it's through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats you find most beneficial and whether there are any specific topics you're interested in: https://aka.ms/PublicContentFeedback

Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe

Prevent malware from spreading by scanning cloud storage accounts on-demand
What's new?

On-demand malware scanning now in public preview

We're excited to announce the public preview of on-demand malware scanning. Previously, customers could get malware scanning results only when uploading files to Azure Blob Storage. Now, customers can scan existing files in storage accounts on demand, which gives them finer control and customization for critical storage assets.

On-demand scanning allows you to scan existing files directly from Azure storage accounts.

What's the relationship between Defender for Storage and Malware Scanning?

Defender for Storage is the storage security plan under Microsoft Defender for Cloud, a Cloud Native Application Protection Platform (CNAPP). It helps Security Operations Center (SOC) analysts monitor and react to threats in near real time, prioritize threat protection for sensitive data and keep cloud storage malware-free. Malware Scanning is a paid add-on of Defender for Storage that helps SOC analysts and security admins prevent malware from spreading by scanning stored or newly uploaded data.

What is coming next?

In the coming weeks, we'll expand file size support to 50 GB, a 25x increase from the current 2 GB limit. Additionally, new filtering options for on-upload scanning will allow you to exclude files based on prefixes, suffixes, and size, providing more precise control over scanning scope and costs.

Why Malware Scanning?

1) Shadow data is a hidden security risk

Untracked data in cloud storage introduces security and compliance risks even without active downstream consumers. Misconfigurations, weak access controls, or lack of encryption can make these hidden data stores attractive targets for attackers. They also complicate compliance by potentially violating data governance policies. Legacy security tools often focus on administrative actions, overlooking risks tied to unmanaged data. This gap leaves shadow data vulnerable to exploitation and compliance failures. Effective solutions must provide visibility into shadow data, enforce robust controls, and reduce these risks without adding operational complexity.

2) AI boom amplifies cloud storage risks

The rapid growth of AI and Large Language Models (LLMs) is driving massive demands on cloud storage, with training and operational use generating and accessing terabytes of sensitive data. This surge in storage usage introduces unique security challenges. AI datasets, often proprietary and distributed, are attractive targets for cyber threats like ransomware, data breaches, and adversarial attacks, requiring a re-evaluation of storage security strategies.

Why us?

1) Easy maintenance and better accuracy

Microsoft Defender for Storage addresses these challenges with a comprehensive, cloud-native malware scanning solution powered by Defender Antivirus and Microsoft Threat Intelligence. Traditional malware scanning solutions for cloud storage often require extensive infrastructure, such as proxies, compute resources, or third-party integrations, adding latency, increasing security gaps, and escalating maintenance costs. Defender for Storage overcomes these challenges with a fully cloud-native design that directly embeds malware scanning within Azure, requiring no additional agent. By analyzing storage logs, it delivers accurate, proactive threat detection with minimal impact on storage performance, using Microsoft's industry-leading threat intelligence and machine learning (ML) detection algorithms. This built-in design makes Defender for Storage particularly well-suited for dynamic cloud environments, where it provides comprehensive, scalable protection without altering existing architecture.

2) Flexibility in scanning options to streamline security operations

Malware scanning supports both scanning of storage files on upload and scanning of existing files within storage accounts. Multiple entry points for scanning give security admins the flexibility to operationalize malware scanning based on their organizational needs. Similarly, for flexibility and customization, the to-be-released scanning capacity of up to 50 GB caters to large file scanning scenarios.

How to use Malware Scanning?

When to use on-upload vs. on-demand malware scanning

Each type of malware scanning in Defender for Storage serves distinct scenarios, tailored to meet different security needs and operational contexts:

- On-Upload Scanning: Designed for immediate, proactive protection at the point of entry, on-upload scanning inspects files in real time as they're uploaded or modified. This type of scanning is ideal for scenarios where immediate data integrity is crucial, such as collaborative platforms, file-sharing applications, and web applications that regularly receive external content. Additionally, regulated industries like finance and healthcare benefit from on-upload scanning because it provides near real-time defenses for incoming data, helping maintain compliance and prevent malware from embedding in critical workflows. By scanning files upon entry, organizations can prevent malicious content from reaching end users or impacting downstream processes, ensuring data security in high-upload environments.

- On-Demand Scanning: On-demand scanning provides retrospective, flexible protection for files already stored in the cloud, making it especially useful for incident response, audits, and compliance checks. This mode is ideal when organizations need to inspect older data against updated threat definitions or when scanning is triggered by security events flagged in Microsoft Sentinel or other monitoring tools. On-demand scanning works well for organizations with archival data, where periodic assessments are necessary to meet evolving compliance and security standards. It's also valuable for checking files after a potential breach or suspicious activity to confirm there's no lingering malware in the environment. With scheduled or API-triggered scans, on-demand scanning allows organizations to proactively review their storage environment without constant manual intervention.

Key capabilities of Defender for Storage Malware Scanning

Microsoft Defender for Storage's malware scanning provides advanced features tailored to modern storage environments, with unique benefits that distinguish it from traditional solutions:

- Cloud-Native Integration: Embedded fully within Azure, Defender for Storage eliminates the need for third-party setups, allowing for streamlined deployment and ongoing maintenance without modifying architecture or application code.
- Comprehensive Threat Detection: Defender for Storage leverages Microsoft Defender Antivirus and global threat intelligence to detect a wide range of threats, including polymorphic and metamorphic malware, supporting both standard and archive file types (e.g., ZIP, RAR). Upcoming updates will expand support to scan files up to 50 GB, meeting larger storage needs.
- Flexible Scanning Options: By offering both on-upload and on-demand scanning, Defender for Storage provides adaptable security to cover both immediate and ongoing protection needs across new and existing data.
- Automated Response Capabilities: Defender for Storage enables automated actions based on scan results, such as quarantining or deleting flagged files and moving clean files to secure storage locations. This capability is enhanced by attribute-based access control (ABAC), which can restrict access to flagged files, ensuring that only safe, scanned files are accessible.
- Incident Response Playbooks: Organizations can configure playbooks for on-demand scanning that trigger scans in response to suspicious activity, enabling rapid, automated investigation and containment of potential threats.
- Scheduled Scanning for Continuous Protection: Using Logic Apps, Automation Runbooks, or PowerShell scripts, organizations can schedule recurring scans of high-risk resources based on tags or names, allowing for proactive monitoring and enhancing security posture over time.
- Cost Control and Management: Defender for Storage includes flexible cost management features, allowing customers to set monthly caps on on-upload scanning to control expenses. For on-demand scanning, cost estimates are provided before scans begin, supporting budget-conscious decision-making.

Use cases of Malware Scanning in Defender for Storage

Defender for Storage's malware scanning addresses a variety of real-world use cases across different industries:

- Incident Response and Threat Hunting: When Microsoft Defender XDR or Sentinel detects unusual access, on-demand scanning can be triggered to inspect impacted files, helping security teams respond to potential threats effectively.
- Compliance in Regulated Sectors: Sectors like finance, healthcare, and government rely on Defender for Storage's on-upload and on-demand scanning to meet strict data integrity and compliance requirements, with auditable records for regulatory standards.
- Securing Archived Data: On-demand scanning ensures that files stored for extended periods are inspected against the latest threat definitions, protecting data integrity before archived files are used or shared.
- Preventing Malware Distribution: By scanning all uploads, on-upload malware scanning blocks malicious files as they enter storage, while on-demand scanning secures existing data. Together, these modes provide layered protection against malware propagation within and outside the organization.

Case studies

The following scenarios illustrate how Microsoft Defender for Storage's capabilities are applied to real-world challenges that enterprises face in securing cloud storage. These examples demonstrate how different organizations might leverage features such as malware scanning, sensitive data threat detection, and activity monitoring to protect critical data and maintain compliance:

Case Study 1: Large Enterprise Secures AI-Driven Workflows with On-Upload and On-Demand Malware Scanning

A large enterprise implementing AI-driven workflows across departments needed to secure the vast datasets stored in Azure Blob Storage against malware without disrupting critical business operations. By adopting Microsoft Defender for Storage's on-upload malware scanning, the organization ensured that all files uploaded for AI and machine learning processes were scanned at the point of entry, preventing malicious content from embedding within key datasets. Additionally, on-demand malware scanning allowed them to periodically assess legacy files against updated threat intelligence, proactively mitigating risks across both newly added and older data. This approach provided robust, low-maintenance protection that scaled across the organization, helping ensure data integrity without impacting performance or requiring significant architectural changes.

Case Study 2: Financial Institution Detects and Mitigates Misconfigured SAS Tokens to Protect Sensitive Data

A financial institution with strict policies for secure cloud storage access recently encountered an incident involving a misconfigured shared access signature (SAS) token. Although their organizational policy mandated access through identities only, a configuration drift allowed a storage account with sensitive data to be accessed via an overly permissive SAS token with a long expiration period. The compromised token was detected by Microsoft Defender for Storage's data-plane activity monitoring, which flagged unusual access patterns, generating a security alert about the potential misuse. In response, the institution immediately rotated the key, effectively revoking the compromised SAS token, and then traced the owner of the impacted Infrastructure as Code (IaC) template to update the configuration to enforce keyless access. This detection and corrective action improved their security posture, reinforcing adherence to internal policies and reducing the risk of unauthorized data access.

Case Study 3: Global Manufacturer Uses Automated Workflows to Prevent Malware Distribution to Partners

A global manufacturing company that shares design and media files across Azure Blob Storage with external partners needed a solution to prevent malware from spreading through shared resources. By enabling Defender for Storage's on-upload malware scanning, the company ensured that any files uploaded to shared storage accounts were scanned for malicious content before being accessible to internal teams and external collaborators. They integrated automated workflows using Event Grid and Function Apps to quarantine flagged files immediately and route clean files to designated storage locations. This seamless, automated approach minimized manual intervention, providing an efficient way to prevent malware distribution while supporting uninterrupted collaboration with partners and maintaining secure shared storage environments.

Explore additional resources to protect your cloud storage:

Get started:
- 📖 On-Demand Malware Scanning Docs: https://lnkd.in/gYfyDG4Q
- 📚 GitHub Lab for a hands-on walkthrough via UI and API: https://lnkd.in/g37YJMbx
- 🛠️ PowerShell script that lets you automate on-demand malware scans on Storage Accounts tagged with specific key-value pairs: https://lnkd.in/gGq8N23s

Learn more about storage security in Defender for Cloud. Test out Defender for Storage and Malware Scanning with Defender for Cloud Labs.

Ready to protect your cloud data? Explore Microsoft Defender for Storage today: Start a Free Trial. Learn about our recent Ignite releases. Learn how you can unlock business value with Defender for Cloud.

Introducing the new File Integrity Monitoring with Defender for Endpoint integration
The final and most complex piece of this puzzle, the release of File Integrity Monitoring (FIM) powered by Defender for Endpoint, marks a significant milestone in the Defender for Servers simplification journey. The new FIM solution based on Defender for Endpoint offers real-time monitoring of critical file paths and system files, ensuring that any changes indicating a potential attack are detected immediately. In addition, FIM offers built-in support for relevant security regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others, allowing you to maintain compliance.

Cloud security innovations: strengthening defenses against modern cloud and AI threats
In today's fast-paced digital world, attackers are more relentless than ever, exploiting vulnerabilities and targeting cloud environments with unprecedented speed and sophistication. They are taking advantage of the dynamic nature of cloud environments and silos across security tools to strike opportunistically and bypass boundaries between endpoints, on-premises and cloud environments. With the rise of Gen AI, security complexities are only growing, further testing the limits of traditional cloud security measures and strategies. Protecting multicloud environments requires vigilance not only within each cloud instance but also across interconnected networks and systems.

For defenders, the challenge lies in keeping pace with attackers who operate with lightning speed. To stay ahead, they need tools that enable rapid risk prioritization and targeted remediation, reducing unnecessary toil and aligning security efforts with business objectives. The key to defending today's cloud landscapes is a risk-driven approach and a unified security platform that spans all domains across the organization. This approach integrates automation to streamline security operations, allowing teams to focus on critical threats. With these capabilities, defenders can protect dynamic multicloud environments with the agility and insight needed to counter the sophisticated and evolving tactics of modern attackers.

Our integrated cloud-native application protection platform (CNAPP) provides complete security and compliance from code to runtime. Enhanced by generative AI and threat intelligence, it helps protect your hybrid and multicloud environments. Organizations can enable secure development, minimize risks with contextual posture management, and protect workloads and applications from modern threats in Microsoft's unified security operations platform.

Today, we're thrilled to announce new innovations in Defender for Cloud to accelerate comprehensive protection with a multi-layered, risk-driven approach that allows security teams to focus on the most critical threats. We're also excited to introduce new features that make SecOps teams more efficient, allowing them to detect and respond to cloud threats in near real time with the enhanced Defender XDR integration.

Unlock advanced risk prioritization with true code-to-runtime reachability

As we continue to expand our existing partner ecosystem, Microsoft Defender for Cloud's integration with Endor Labs brings code reachability analysis directly to the Defender for Cloud portal, advancing code-to-runtime context and risk prioritization efforts significantly. Traditional AppSec tools generate hundreds to thousands of vulnerability findings, while less than 9.5% are truly exploitable within an application's context, according to a recent study conducted by Endor Labs. These vulnerabilities belong to parts of the code that can be accessed and executed at runtime, aka reachable code vulnerabilities. Without this precise context of what is reachable, teams face an unsustainable choice: spend extensive time researching each finding or attempt to fix all vulnerabilities, leading to inefficiencies.

Endor Labs provides a reachability-based Software Composition Analysis (SCA), and with the Defender for Cloud integration, deploying and configuring this SCA is streamlined. Once active, security engineers gain access to code-level reachability analysis for every vulnerability, from build to production, including visibility into reachable findings where an attack path exists from the developer's code through open-source dependencies to a vulnerable library or function. With these insights, security teams can accurately identify true threats, prioritizing remediation based on the likelihood and impact of exploitation.

Defender for Cloud already has robust risk prioritization based on multiple risk factors including internet exposure, sensitive data exposure, access and identity privileges, business risk and more. Endor Labs' code reachability adds another robust layer of risk prioritization to reduce noise and the productivity tax associated with maintaining multiple security platforms, offering streamlined and efficient protection for today's complex multicloud environments.

Figure 1: Risk prioritization with an additional layer of code reachability analysis

New enhancements to cloud security posture management with additional API, Containers, and AI grounding data insights

Defender for Cloud has made a series of enhancements to its cloud security posture management (CSPM) capabilities, starting with the general availability of AI Security Posture Management (AI-SPM). AI-SPM capabilities help identify vulnerabilities and misconfigurations in generative AI applications using Azure OpenAI, Azure Machine Learning, and Amazon Bedrock. We have also added expanded support for AWS AI technologies, new recommendations, and detailed attack paths, enhancing the discovery and mitigation of AI-related risks. Additionally, enriched AI grounding data insights provide context to data in AI applications, helping prioritize risks to datastores through tailored recommendations and attack paths.

We have also included API security posture management in Defender CSPM at no additional cost. With these new capabilities, security teams can automatically map APIs to their backend compute hosts, helping organizations visualize their API topology and understand the flow of data through APIs to identify sensitive data exposure risks. This allows security teams to see full API-led attack paths and take proactive measures against potential threats such as lateral movement and data exfiltration risks. Additionally, expanded sensitive data classification now includes API URL paths and query parameters, enhancing the ability to track and mitigate data-in-transit risks.

Alongside API security enhancements, Defender for Cloud has also bolstered its container security posture capabilities. These advancements ensure continuous visibility into vulnerabilities and compliance from development through deployment. Security teams can shift left by scanning container images for vulnerabilities early in the CI/CD pipeline across multicloud and private registries, including Docker Hub and JFrog Artifactory. Additionally, the public preview of full multicloud regulatory compliance assessment for CIS Kubernetes Benchmarks across Amazon EKS, Azure Kubernetes Service, and Google Kubernetes Engine provides a robust framework for securing Kubernetes environments.

Elevate cloud detection and response capabilities with enhanced monitoring, forensics, and cloud-native response actions

The latest advancements in the integration between Defender for Cloud and Defender XDR bring a new level of protection against sophisticated threats. One notable feature is the near real-time detection for containers, which provides a detailed view of every step an attacker takes before initiating malicious activities like crypto mining or sensitive data exfiltration. Additionally, the Microsoft Kubernetes threat matrix, developed by Microsoft security researchers, provides valuable insights into specific attack techniques, enhancing overall security incident triage. To complement real-time detection, we are introducing a new threat analytics report that offers a comprehensive investigation of container-related incidents, helping security teams understand the potential attack methods that attackers could leverage to infiltrate containers. It also contains threat remediation suggestions and advanced hunting techniques.

Figure 2: Cloud detection and response with Defender for Cloud and Defender XDR integration

The introduction of new cloud-native response actions significantly aids in putting the investigation results into action or remediation. With a single click, analysts can isolate or terminate compromised Kubernetes pods, with all actions tracked in the Investigation Action Center for transparency and accountability. The new Security Copilot assisted triage and response actions help analysts make informed decisions faster during an investigation. In all, these advancements, coupled with the seamless integration of cloud process events for threat hunting, empower security teams to respond quickly and effectively to threats, ensuring robust protection for their digital environments.

Empowering defenders to stay ahead

Defender for Cloud empowers security teams to stay ahead of attackers with comprehensive code-to-runtime protection. With a focus on speed, efficiency, and efficacy, defenders can keep their cloud environments secure and resilient in the face of evolving threats. To learn more about Defender for Cloud and our new innovations, you can:
- Check out our cloud security solution page.
- Join us at Ignite.
- Learn how you can unlock business value with Defender for Cloud.
- See it in action with a cloud detection and response use case.
- Start a 30-day free trial.

New innovations in container security with unified visibility, investigations, and response actions
Container technology has become essential for modern application development and deployment. It's a critical component for over 90% of cloud-native organizations, facilitating swift, reliable, and flexible processes that drive digital transformation. This advancement has transformed software delivery and fostered innovation. The container market is growing rapidly, with containers-as-a-service adoption expected to reach 52% by 2024. However, as adoption accelerates and container capabilities evolve, organizations face rising container security challenges. The ephemeral and dynamic nature of containers makes it difficult to identify which ones are running at any given time and even harder to identify faulty or vulnerable containers. This makes it challenging for security teams to pinpoint the source of a security incident, putting the organization at risk of undetected threats. Consequently, tracking traffic flow and detecting runtime anomalies become more complex, thereby exposing critical systems to potential security breaches. In addition to that, the lack of expertise in containerized and cloud-native environments, combined with overwhelming vulnerability scan results, makes it difficult to detect, prioritize, and address critical security gaps, leaving the organization’s security weak and disjointed. To address these challenges, Microsoft Defender for Cloud, our Cloud Native Application Protection Platform (CNAPP), is enhancing its’ container security capabilities from development to runtime. These enhancements start with enhanced discovery, providing agentless visibility into Kubernetes environments, tracking containers, pods, and applications as they scale across the entire lifecycle. It strengthens security posture offering continuous and granular scanning from build to runtime, helping maintain compliance and secure configurations across all stages of the SDLC. 
Finally, Defender for Cloud’s native integration with Defender XDR delivers threat protection with real-time monitoring, prioritizing vulnerabilities based on risk and enabling SOC analysts to detect and respond to threats faster through rich contextual insights and cloud-native response tools. Today, we are excited to announce new and enhanced innovations in Defender for Cloud for securing containerized environments: Elevate your container posture: From agentless discovery to risk prioritization Enhanced container image discovery is now generally available, to ensure images are accurately identified and scanned for risks. Kubernetes Identity and Access information, now in public preview to enhance security by offering critical visibility into access permissions and potential attack paths within Kubernetes environments. Tagging and automatic classification of critical assets through pre-defined rules for prioritization is now generally available to improve response times and operational resilience. Breakthroughs in container security to strengthen the software supply chain across the SDLC Command line interface (CLI) tool for container image scanning at build phase, is now in public preview, integrating security into every phase of development. Vulnerability assessment of container images in third party registries, now in public preview to provide continuous vulnerability scanning across third party registries such as Docker Hub and JFrog Artifactory. Agentless vulnerability assessments for host VMs, now in public preview, enhances the security and compliance for servers in Managed Kubernetes services. Azure Kubernetes Service (AKS) security dashboard for cluster admin view, now in public preview, provides granular visibility into container security directly within the AKS portal. 
Container defense in action: Enhanced threat detection and response with Defender XDR integration Kubernetes process alert, powered by Microsoft Defender for Endpoint (MDE) detection engine, is now generally available, expanding threat coverage for containerized environments. Binary drift detection, now generally available, provides real-time detection and response to unauthorized changes in container configurations, ensuring container security during runtime. Malware detection for Kubernetes host is now in public preview, ensuring comprehensive protection for both container workloads and underlying host infrastructure. Threat analytics report for containers incidents in Defender XDR, now generally available, providing SOC teams with detailed insights into potential attack methods, and incident investigation. Cloud process events and investigation queries in Defender XDR, now in public preview enhance investigation depth with process data and built-in queries Kubernetes response actions for container workloads is now in public preview to rapidly contain threats in near real-time. AI-powered guided threat remediation, now generally available, empowers SOC teams to efficiently manage container-specific incidents with step-by-step assistance, even with minimal expertise. In this blog, we will share more details on each of these announcements and how they address the typical challenges organizations face when securing containerized applications from build to runtime. Elevate your container posture: From agentless discovery to risk prioritization Effective container security starts with discovery. Without a clear understanding of what’s running in the environment, securing it becomes an impossible task. Containers are dynamic and ephemeral, making it challenging to track them, monitor vulnerabilities, and secure configurations. 
This is where enhanced container image discovery becomes essential—ensuring that container images are accurately identified and scanned for potential risks. To address this need, we’re excited to announce enhanced container image discovery, providing full visibility into container images, collecting comprehensive inventory data and offering insights into all images in the cloud environment, directly within the cloud security explorer.

Once containers are discovered, the next step is managing access and understanding how vulnerabilities can be exploited. Role-Based Access Control (RBAC) is crucial for managing permissions and access within Kubernetes environments. Microsoft Defender for Cloud now provides critical findings to help teams secure access within clusters and across cloud environments. With the new Kubernetes Identity and Access information in Defender for Cloud, security teams can query identities and access data and visualize how over-permissive authorization can lead to lateral movement.

To further strengthen container security posture, Defender for Cloud maps all possible attack routes with a new attack path analysis engine. This capability helps detect and address complex threats from Kubernetes to cloud and vice versa across multicloud environments before a breach occurs, proactively securing Kubernetes environments.

Taking our commitment to enhanced container security and operational resilience a step further, Defender for Cloud helps improve response times, reduce downtime, and set the stage for future automation with manual tagging and automatic classification of critical assets in Kubernetes environments. Manual tagging empowers teams to explicitly identify their most critical Kubernetes assets, ensuring these receive top priority.
Auto criticality, by contrast, uses research-backed rules and cross-customer insights to automatically assign criticality levels to containers, identifying risks security teams might overlook.

Enhanced data added to the Cloud Security Explorer, including enhanced image discovery and Kubernetes RBAC data.

Breakthroughs in container security to strengthen the software supply chain across the SDLC

As cloud-native applications grow rapidly, integrating security into every development stage becomes critical. Microsoft Defender for Cloud simplifies this by scanning container images from their creation in the CI/CD pipeline to registries and host VMs, strengthening the security posture without slowing down development with late-stage fixes. We are excited to offer a command-line interface (CLI) tool that allows seamless integration into any CI/CD pipeline. The CLI tool scans container images in the CI/CD pipeline, enabling developers to detect and block vulnerabilities during image building at any stage. Through this integration, Defender for Cloud provides visibility into onboarded pipelines and all container images pushed from those pipelines, allowing security teams to identify the source of a container image.

After an image is built, scanned, and remediated, it’s pushed to a container registry until deployment. Continuous scanning, including daily registry rescans, helps identify zero-day vulnerabilities and ensures all images, even those bypassing the monitored pipeline, are fully scanned. In addition to its native support for scanning container images in cloud registries, Defender for Cloud now also supports vulnerability assessment of container images in third-party registries, including Docker Hub Container Registry and JFrog Artifactory. Defender for Cloud scans CI/CD pipelines and integrates with container registries, meeting developers and DevOps teams where they manage images.
This seamless scanning for vulnerabilities simplifies management and offers centralized visibility into images across environments. The container registry scan results are available to both the development and security teams, so they can quickly patch, update, or block images before they’re pushed to production.

The goal of a secure software supply chain is not only to prevent the use of vulnerable container images but also to ensure that the container infrastructure is secure throughout its lifecycle. The Kubernetes host is the foundation of a containerized environment. If the host is compromised, the entire cluster is at risk: attackers could gain access to sensitive data, disrupt services, or even take control of the entire infrastructure. To enhance container security and compliance, Defender for Cloud now includes agentless vulnerability assessments for host VMs in managed Kubernetes services (AKS only).

While securing container images at the build and registry stages is critical for preventing vulnerabilities early in the development process, it’s equally important to maintain strong security once those containers are deployed and running. To facilitate this, the new AKS Security Dashboard empowers resource owners and cluster administrators with a simplified, streamlined experience, offering granular visibility into container posture assessments directly within the AKS portal. This includes vulnerability assessments for hosts and container images, including CVE remediation, compliance checks, and security best practices, enabling more efficient security management. Development teams and cluster operators can now access these insights without switching tools, improving communication between development and security disciplines and offering actionable recommendations at the cluster level.
Container defense in action: Enhanced threat detection and response with Defender XDR integration

Ensuring runtime security is vital to maintain the integrity of applications in shared environments. Continuous monitoring, enforcing isolation, and detecting anomalies help prevent and respond to threats in real time, keeping containers secure throughout their lifecycle. Building on these essential security measures, we are excited to announce that our unique eBPF sensor now provides Kubernetes alerts, powered by the Microsoft Defender for Endpoint (MDE) detection engine in the backend. We've optimized Microsoft Defender for Endpoint to effectively detect threats in containerized environments. By validating detections, enriching them with container-specific context, and fine-tuning alerts based on the Microsoft Kubernetes threat matrix, developed and kept up to date by Microsoft security researchers, we've ensured a balance of comprehensive threat coverage and accurate detection.

Runtime security demands vigilance against unauthorized changes, or binary drift, in container images—a key indicator of potential attacks. With Microsoft Defender for Cloud, you can now detect and respond to these changes in real time, ensuring containers stay secure and unaltered throughout their lifecycle.

While monitoring and securing container workloads is critical, ensuring the host infrastructure is protected from malware is equally vital for maintaining the security of your containerized environment. To address this, Defender for Cloud is extending malware detection to Kubernetes host VMs.

Real-time threat detection helps identify potential issues and deviations within your containers; the next critical step is to fully understand the scope and impact of these threats. Think of threat detection as spotting smoke from a fire—it's the first sign something's wrong.
But to fully understand the situation and prevent further damage, you need to find the source of the fire and assess its spread. To provide such detailed threat investigation, Defender for Cloud offers a threat analytics report for container incidents in Defender XDR that gives SOC teams and analysts extensive information about the attack methods attackers could use to infiltrate containers. It also contains suggestions on how to remediate these threats, along with hunting queries.

To facilitate deeper investigation, cloud process events and investigation queries in Defender XDR now enable security teams to leverage enriched insights from integrated cloud audit and process event logs. These capabilities help SOC teams trace suspicious activity, analyze control plane and runtime processes, and conduct thorough forensic analysis. Building on this foundation, Defender for Cloud introduces the go hunt action, equipping SOC teams with pre-built, advanced hunting queries tailored to specific clusters. These queries retrieve incident-time data, streamlining investigation so teams can focus on analyzing results and responding to threats efficiently. Together, these capabilities enhance investigation depth, reduce response time, and strengthen overall security resilience.

When a containerized environment faces a threat, swift containment is key to protecting critical assets and minimizing downtime. With Defender for Cloud’s new one-click containment Kubernetes response action, security teams can now manually isolate or terminate compromised pods instantly, cutting off unauthorized access and stopping lateral movement within the cluster. This rapid response feature reduces Mean Time to Resolve (MTTR), allowing teams to neutralize threats in real time, safeguard operations, and focus on investigating the root cause—all without complex configurations.
Additionally, security teams can leverage AI-driven guided threat remediation with step-by-step assistance, empowering SOC teams to manage container-specific incidents efficiently, even with minimal expertise.

New innovations for container threat protection with Microsoft Defender for Cloud

Additional container security announcements

[General Availability] Container software inventory: Defender for Cloud now provides a list of the software installed in containers and container images through the Cloud Security Explorer. This list can also be used to quickly gain other insights into the customer environment, such as finding all containers and container images with software impacted by a zero-day vulnerability, even before a CVE is published.

[Public Preview] CIS Kubernetes Benchmark: Security teams can leverage multicloud regulatory compliance assessments with support for the CIS Kubernetes Benchmarks for Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service (AKS), and Google Kubernetes Engine (GKE).

[General Availability] Enhanced Kubernetes (K8s) alert documentation and simulation tool: Defender for Cloud’s simulation tool proactively tests a Kubernetes (K8s) environment by simulating real-world attack scenarios that cause alerts to be generated. The simulation tool deploys two pods in a target cluster, an attacker and a victim. During the simulation, the attacker "attacks" the victim using real-world techniques.

Stay ahead of container vulnerabilities and attacks with end-to-end protection

As containers become central to cloud-native applications, Microsoft Defender for Cloud provides end-to-end security across the entire container lifecycle—enhancing security posture, detecting and responding to threats, and ensuring compliance from development to runtime.
As a cloud-native application protection platform (CNAPP), Defender for Cloud empowers everyone from individual developers to SOC analysts and CISOs, providing the precision and depth needed to effectively protect containerized environments from sophisticated threats — setting our approach apart from traditional security methods.

To learn more about Defender for Cloud and our new security innovations, you can:
Read about the latest posture management security innovations in Defender for Cloud.
Check out our cloud security solution page.
Learn about our latest releases here.
Join us at Ignite.
Learn how you can unlock business value with Defender for Cloud.
See it in action with a cloud detection and response use case.
Start a 30-day free trial.

Microsoft Defender for Cloud - strategy and plan towards Log Analytics Agent (MMA) deprecation
The Log Analytics agent (also known as MMA) is on a deprecation path and will be retired in Aug 2024. The purpose of this blog post is to clarify how Microsoft Defender for Cloud will align with this plan and what the impact on customers is.

Detect Container Drift with Microsoft Defender for Containers
Introduction

In cloud-native Kubernetes environments, containers are often treated as immutable resources, meaning they shouldn’t change after deployment. Immutable containers minimize the attack surface because they do not allow modifications during runtime. This limits the potential for attackers to make unauthorized changes, install malware, or create backdoors within a running container.

Container drift refers to unintended or unauthorized manual changes, updates, patches, or other modifications made to a container during its runtime. When containers drift, they may incorporate untested and unverified changes, such as software updates, configuration modifications, or new libraries. These changes can introduce new vulnerabilities that were not present in the original, vetted container image. Drift might introduce changes that grant elevated privileges to processes or users within the container, which can be exploited to gain broader access to the system or network. Changes caused by drift can alter or disable security monitoring tools within the container, making it harder to detect and respond to security incidents promptly.

Microsoft Defender for Containers introduces the binary drift detection feature in public preview, to detect the execution of files in a running container that drift from the original container image, which was scanned, tested, and validated. It's available for the Azure (AKS) V1.29, Amazon (EKS), and Google (GKE) clouds.

Defender for Containers binary drift detection helps organizations:

Early Detection of Breaches: Drift detection serves as an early warning system for potential security breaches. If an attacker compromises a container and makes unauthorized changes, drift detection can immediately alert security teams, enabling them to respond quickly and mitigate the impact.

Monitor for Insider Activity: Drift detection helps mitigate insider threats by monitoring for unauthorized changes that could indicate malicious activity by an insider.
This includes unauthorized changes to configurations, deployment scripts, or access controls within containers.

Reduce Human Error: Human error is a common cause of security breaches. Drift detection reduces the risk of human error by ensuring that any unintended changes made by administrators or developers are quickly detected and corrected.

Ensure Compliance with Security Standards: Many regulatory standards require organizations to maintain secure configurations and prevent unauthorized changes. Drift detection helps ensure compliance by continuously monitoring and documenting the state of containers, providing evidence that configurations remain consistent with regulatory requirements.

Prerequisites to enable binary drift detection:

The Defender for Containers plan must be enabled on the Azure subscription, AWS connector, or GCP connector. For more details, refer to Configure Microsoft Defender for Containers components - Microsoft Defender for Cloud | Microsoft Learn.
The Defender sensor must be enabled.
Security Admin or higher permissions on the tenant, to create and modify drift policies.

Configure Binary Drift Detection

Security Admins can configure drift detection policies at the Azure subscription, AWS connector, or GCP connector scope, and on resources at the cluster, namespace, pod, or individual container level. For details on how to configure drift detection rules, refer to Binary drift detection (preview) - Microsoft Defender for Cloud | Microsoft Learn.

Rules are evaluated in ascending order of priority: rule 1 is evaluated first, and if it matches, evaluation stops. If no match is found, the next rule is evaluated. If no rule matches, the out-of-the-box Default binary drift rule applies, whose default action is Ignore drift detection.

Best practices for Drift Detection:

Kubernetes administrators should ensure that all container images are regularly updated and patched to include the latest security fixes.
Detecting drift at the cluster level helps prevent unauthorized changes that could compromise the security and stability of the entire cluster. For example, an attacker gaining access to the Kubernetes API server might change cluster-wide settings to escalate privileges or disable security features.

In multi-tenant environments, where different teams or customers share the same Kubernetes cluster but operate within their own namespaces, organizations can apply drift detection at the namespace level, monitoring only the areas of the cluster that are relevant to particular applications or teams.

In development or testing environments, developers might need to make ad-hoc changes to containers to test new features or configurations, or to debug issues, without the overhead of redeploying containers. Apply the ruleset only to the specifically labelled Kubernetes pods.

During scheduled maintenance windows, organizations might need to apply emergency patches or make quick operational changes directly to running containers to address critical security vulnerabilities or fix urgent issues. In this scenario, set the rule action to Ignore drift detection to avoid false positives.

Allow list for processes: organizations might define specific processes, such as monitoring agents or logging agents, to be exempt from drift detection to avoid false positives.

Test / Simulate a binary drift alert

To test the binary drift feature and generate alerts (only in situations where the binary drift policy is configured to alert), you can execute any binary in the container that is not part of the original image.
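The rule order described under Configure Binary Drift Detection (ascending priority, first match wins, the Default binary drift rule with Ignore as the fallback) together with the process allow list from the best practices, modelled in Python as an added example. This is not code from the page or from Defender for Containers: the rule fields, the scope names, the cluster name and the image file inventory are constructed assumptions used to show how a drift event is classified.

```python
"""Added example, not Defender for Containers' own code: first-match
evaluation of binary drift rules.  Rules are evaluated in ascending
priority, evaluation stops at the first matching rule, and the
out-of-the-box "Default binary drift" rule (action Ignore) applies when
no configured rule matches.  Scope fields and names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class ExecEvent:
    """A file executed inside a running container (constructed sample input)."""
    cluster: str
    namespace: str
    pod_labels: Dict[str, str]
    binary: str                 # absolute path of the executed file


@dataclass
class DriftRule:
    """One drift policy rule; None in a scope field means 'any'."""
    priority: int               # evaluated in ascending order
    action: str                 # "Alert" or "Ignore"
    cluster: Optional[str] = None
    namespace: Optional[str] = None
    pod_labels: Dict[str, str] = field(default_factory=dict)    # all must match
    allowed_processes: FrozenSet[str] = frozenset()             # exempt binaries

    def matches(self, ev: ExecEvent) -> bool:
        if self.cluster is not None and self.cluster != ev.cluster:
            return False
        if self.namespace is not None and self.namespace != ev.namespace:
            return False
        return all(ev.pod_labels.get(k) == v for k, v in self.pod_labels.items())


# Out-of-the-box fallback: drift is ignored when no configured rule matches.
DEFAULT_RULE = DriftRule(priority=10_000, action="Ignore")


def is_drift(image_files: FrozenSet[str], binary: str) -> bool:
    """Drift = executing a file that was not part of the scanned image."""
    return binary not in image_files


def evaluate(rules: List[DriftRule], image_files: FrozenSet[str],
             ev: ExecEvent) -> Tuple[str, str]:
    """Return (decision, reason) for one exec event.  decision is
    "NoDrift", "Alert" or "Ignore"; reason names the rule that decided."""
    if not is_drift(image_files, ev.binary):
        return "NoDrift", "binary present in image"
    for rule in sorted(rules, key=lambda r: r.priority):   # ascending priority
        if not rule.matches(ev):
            continue                                        # try the next rule
        if ev.binary in rule.allowed_processes:
            return "Ignore", f"rule {rule.priority} allow list"
        return rule.action, f"rule {rule.priority}"         # first match wins
    return DEFAULT_RULE.action, "Default binary drift"


# Constructed image inventory: the scanned image ships /bin/echo but not
# /bin/echod, which the simulation command on this page creates with cp.
UBUNTU_IMAGE_FILES = frozenset({"/bin/bash", "/bin/echo", "/bin/ls", "/usr/bin/apt"})

# Constructed policy: the monitoring namespace and dev-labelled pods are
# ignored; everything else alerts unless the process is an allow-listed agent.
POLICY = [
    DriftRule(priority=1, action="Ignore", namespace="monitoring"),
    DriftRule(priority=2, action="Ignore", pod_labels={"env": "dev"}),
    DriftRule(priority=3, action="Alert",
              allowed_processes=frozenset({"/opt/agent/logshipper"})),
]

if __name__ == "__main__":
    ev = ExecEvent("aks-prod", "default", {"run": "ubuntu-pod"}, "/bin/echod")
    print(evaluate(POLICY, UBUNTU_IMAGE_FILES, ev))   # ('Alert', 'rule 3')
```

The ordering matters: placing the narrow Ignore rules (maintenance namespace, dev pods) before the broad Alert rule is what keeps them from being shadowed, and an empty policy falls through to the Default binary drift rule, so a cluster with no rules configured produces no alerts at all.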
You can also use this command to create a binary drift scenario:

kubectl run ubuntu-pod --image=ubuntu --restart=Never -- /bin/bash -c "cp /bin/echo /bin/echod; /bin/echod This is a binary drift execution"

Below you can observe the drift detection alert generated in a threat scenario:

Click on Open Logs to further examine the activities performed on this resource around the time of the alert. The attempt to list the cluster admin credentials succeeded. The alert also indicates there are 42 more alerts on the affected resource.

This incident indicates that suspicious activity has been detected on the Kubernetes cluster. Multiple alerts from different Defender for Cloud plans have been triggered on the same cluster, which increases the fidelity of malicious activity. The suspicious activity might indicate that a threat actor has gained unauthorized access to your environment and is attempting to compromise it.

Advanced Hunting with XDR

Security teams can now access Defender for Cloud alerts and incidents within the Microsoft Defender portal and get the complete picture of an attack, including suspicious and malicious events in their cloud environment, through immediate correlation of alerts and incidents. By combining drift detection data with other security event information, SOC teams can build a more comprehensive understanding of potential incidents. A multi-stage incident involving multiple alerts can be observed in the XDR portal.
The alert evidence pane shows there has been suspicious activity with “ubuntu-pod”. The SOC team can further investigate the commands executed on the affected pod, and the user who executed them, using the query below:

CloudAuditEvents
| where Timestamp > ago(1d)
| where DataSource == "Azure Kubernetes Service"
// a "create" on the pods/exec subresource is an exec session; response code 101
// (Switching Protocols) means the session was actually opened
| where OperationName == "create"
| where RawEventData.ObjectRef.resource == "pods" and RawEventData.ResponseStatus.code == 101
| where RawEventData.ObjectRef.subresource == "exec"
// adjust to the namespace in which the test pod was created
| where RawEventData.ObjectRef.namespace == "kube-system"
| extend RequestURI = tostring(RawEventData.RequestURI)
| extend PodName = tostring(RawEventData.ObjectRef.name)
| extend PodNamespace = tostring(RawEventData.ObjectRef.namespace)
| extend Username = tostring(RawEventData.User.username)
| where PodName == "ubuntu-pod"
// each command= query parameter is one argv element; join and URL-decode them
| extend Commands = extract_all(@"command=([^\&]*)", RequestURI)
| extend ParsedCommand = url_decode(strcat_array(Commands, " "))
| project Timestamp, AzureResourceId, OperationName, IPAddress, UserAgent, PodName, PodNamespace, Username, ParsedCommand

For more information on how to investigate suspicious Kubernetes (Kubeaudit) control plane activities in XDR advanced hunting, refer to Kubeaudit events in advanced hunting - Microsoft Defender for Cloud | Microsoft Learn.

The SOC team can assign incidents from the Manage incident pane to mitigate the attack.

Kubernetes cluster administrators can configure automated workflows to handle common drift scenarios, such as reverting unauthorized changes, notifying relevant teams, or triggering response actions automatically.
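The same hunt expressed in Python, as an added example that is not from the page or from Microsoft, so the filter and command-reconstruction logic of the query above can be exercised offline against constructed audit records. The field names follow the ones the query references; usernames, IP addresses, timestamps and pod names are invented, and the test pod is assumed to live in the default namespace rather than kube-system.

```python
"""Added example (not the page's or Microsoft's code): the pod-exec hunting
logic of the CloudAuditEvents query, run over constructed Kubernetes audit
records.  Filters: DataSource, OperationName == create, pods/exec
subresource, response 101, optional pod and namespace; the command line is
rebuilt from the repeated command= query parameters."""
import json
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample audit records (one JSON document per line).  The shape
# mirrors DataSource, OperationName and RawEventData.* used by the query.
_SAMPLE = [
    {   # exec session opened on the test pod: the record we want to surface
        "Timestamp": "2024-11-20T10:15:02Z", "DataSource": "Azure Kubernetes Service",
        "OperationName": "create", "IPAddress": "203.0.113.10",
        "RawEventData": {
            "ObjectRef": {"resource": "pods", "subresource": "exec",
                          "name": "ubuntu-pod", "namespace": "default"},
            "ResponseStatus": {"code": 101},
            "User": {"username": "dev-user@example.invalid"},
            "RequestURI": "/api/v1/namespaces/default/pods/ubuntu-pod/exec"
                          "?command=%2Fbin%2Fbash&command=-c"
                          "&command=cp+%2Fbin%2Fecho+%2Fbin%2Fechod%3B+%2Fbin%2Fechod+drift"
                          "&container=ubuntu-pod&stdin=true&stdout=true&tty=true"}},
    {   # exec denied by RBAC (403): no session was opened, so not a hit
        "Timestamp": "2024-11-20T10:16:40Z", "DataSource": "Azure Kubernetes Service",
        "OperationName": "create", "IPAddress": "203.0.113.11",
        "RawEventData": {
            "ObjectRef": {"resource": "pods", "subresource": "exec",
                          "name": "ubuntu-pod", "namespace": "default"},
            "ResponseStatus": {"code": 403},
            "User": {"username": "reader@example.invalid"},
            "RequestURI": "/api/v1/namespaces/default/pods/ubuntu-pod/exec?command=id"}},
    {   # ordinary pod creation (no exec subresource): not a hit
        "Timestamp": "2024-11-20T10:14:00Z", "DataSource": "Azure Kubernetes Service",
        "OperationName": "create", "IPAddress": "203.0.113.10",
        "RawEventData": {
            "ObjectRef": {"resource": "pods", "name": "ubuntu-pod", "namespace": "default"},
            "ResponseStatus": {"code": 201},
            "User": {"username": "dev-user@example.invalid"},
            "RequestURI": "/api/v1/namespaces/default/pods"}},
    {   # exec into another pod in another namespace: a hit unless filtered by pod
        "Timestamp": "2024-11-20T11:02:13Z", "DataSource": "Azure Kubernetes Service",
        "OperationName": "create", "IPAddress": "198.51.100.7",
        "RawEventData": {
            "ObjectRef": {"resource": "pods", "subresource": "exec",
                          "name": "web-5d8f", "namespace": "web"},
            "ResponseStatus": {"code": 101},
            "User": {"username": "ops@example.invalid"},
            "RequestURI": "/api/v1/namespaces/web/pods/web-5d8f/exec?command=%2Fbin%2Fsh&stdin=true"}},
]
SAMPLE_EVENTS = [json.dumps(e) for e in _SAMPLE]


def parse_exec_command(request_uri: str) -> str:
    """Rebuild the command line from the repeated command= query parameters,
    URL-decoding each one (the query's extract_all + url_decode step)."""
    params = parse_qs(urlsplit(request_uri).query)
    return " ".join(params.get("command", []))


def hunt_pod_exec(raw_events: List[str], pod_name: Optional[str] = None,
                  namespace: Optional[str] = None) -> List[Dict[str, str]]:
    """Return one finding per exec session that was actually opened
    (create on pods/exec answered with 101 Switching Protocols)."""
    findings = []
    for line in raw_events:
        ev = json.loads(line)
        raw = ev.get("RawEventData", {})
        obj = raw.get("ObjectRef", {})
        if ev.get("DataSource") != "Azure Kubernetes Service":
            continue
        if ev.get("OperationName") != "create":
            continue
        if obj.get("resource") != "pods" or obj.get("subresource") != "exec":
            continue
        if raw.get("ResponseStatus", {}).get("code") != 101:
            continue
        if pod_name is not None and obj.get("name") != pod_name:
            continue
        if namespace is not None and obj.get("namespace") != namespace:
            continue
        findings.append({
            "Timestamp": ev.get("Timestamp"),
            "IPAddress": ev.get("IPAddress"),
            "PodName": obj.get("name"),
            "PodNamespace": obj.get("namespace"),
            "Username": raw.get("User", {}).get("username"),
            "ParsedCommand": parse_exec_command(raw.get("RequestURI", "")),
        })
    return findings


if __name__ == "__main__":
    for f in hunt_pod_exec(SAMPLE_EVENTS, pod_name="ubuntu-pod"):
        print(f["Timestamp"], f["Username"], f["PodNamespace"], f["PodName"], f["ParsedCommand"])
```

Filtering on response code 101 is what separates exec sessions that were opened from attempts the API server rejected, so a 403 from an unauthorized user shows up in a separate hunt for denied requests rather than here.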
Additional Resources

You can also use the resources below to learn more about these capabilities:
Binary drift detection in Defender for Containers (Video)
Binary drift detection (preview) - Microsoft Defender for Cloud | Microsoft Learn
Kubeaudit events in advanced hunting - Microsoft Defender for Cloud | Microsoft Learn
Container security architecture - Microsoft Defender for Cloud | Microsoft Learn

Reviewers: Eyal Gur, Principal Product Manager, Defender for Cloud

Using Defender XDR Portal to hunt for Kubernetes security issues
In the last article, we showed how to leverage binary drift detection. In this article (Part 2 of the series) we will build on that capability using the Defender XDR portal. This article will walk you through some starter queries to augment the Defender for Containers alerts and show you a quick way to hunt without requiring an in-depth understanding of Kubernetes.

To recap the series:

Part 1: The newest detection, “binary drift”, and how you can expand the capability using the Microsoft XDR portal (https://learn.microsoft.com/en-us/defender-xdr/microsoft-365-defender-portal). We will also look at what you get as a result of the native integration between Defender for Cloud and Microsoft XDR, and showcase why this integration is advantageous for your SOC teams.

Part 2 [current]: Further expanding on the integration capabilities, we will demonstrate how you can automate your hunts using Custom Detection Rules (https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules), reducing operational burden and allowing you to proactively detect Kubernetes security issues. Wherever applicable, we will also suggest an alternative way to perform the detection.

Part 3: Bringing AI to your advantage, we will show how you can leverage Security Copilot both in Defender for Cloud and the XDR portal for Kubernetes security use cases.