Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? Now in public preview, DCSPM (Defender for Cloud Security Posture Management) extends its capabilities to cover serverless workloads in both Azure and AWS, like Azure Web Apps and AWS Lambda. For more information, see our public documentation. Defender for Cloud’s integration with Endor Labs is now GA Focus on exploitable open-source vulnerabilities across the application lifecycle with Defender for Cloud and Endor Lab integration. This feature is now generally available! For more details, please refer to this documentation. Blogs of the month In December, our team published the following blog posts: Defender for AI Alerts Demystifying AI Security Posture Management Breaking down security silos: Defender for Cloud expands into the Defender portal Part 3: Unified Security Intelligence – Orchestrating Gen AI Threat Detection with Microsoft Sentinel Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episode here: Malware Automated Remediation New Secure score in Defender for Cloud GitHub Community Check out Module 27 in the Defender for Cloud lab on GitHub. This module covers gating mechanisms to enforce security policies and prevent deployment of insecure container images. Click here for MDC Github lab module 27 Customer journeys Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Ford Motor Company. Ford Motor Company, an American multinational automobile manufacturer, and its innovative and evolving technology footprint and infrastructure needed equally sophisticated security. With Defender and other Microsoft products like Purview, Sentinel and Entra, Ford was able to modernize and deploy end-to-end protection, with Zero-trust architecture, and reduce vulnerabilities across the enterprise. Additionally, Ford’s SOC continues to respond with speed and precision with the help of Defender XDR. Join our community! JANUARY 20 (8:00 AM- 9:00 AM PT) What's new in Microsoft Defender CSPM We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribeBreaking down security silos: Microsoft Defender for Cloud Expands into the Defender Portal
Picture this: You’re managing security across Azure, AWS, and GCP. Alerts are coming from every direction, dashboards are scattered and your team spends more time switching portals than mitigating threats. Sound familiar? That’s the reality for many organizations today. Now imagine a different world—where visibility, control and response converge into one unified experience, where posture management, vulnerability insights and incident response live side by side. That world is no longer a dream: Microsoft Defender for Cloud (MDC) is now integrated into Defender XDR in public preview. The expansion of MDC into the Defender portal isn’t just a facelift. It’s a strategic leap forward toward a Cloud-Native Application Protection Platform (CNAPP) that scales with your business. With Microsoft Defender for Cloud’s deep integration into the unified portal, we eliminate security silos and bring a modern, streamlined experience that is more intuitive and purpose-built for today’s security teams, while delivering a single pane of glass for hybrid and multi-cloud security. Here’s what makes this release a game-changer: Unified dashboard See everything with a single pane of glass—security posture, coverage, trends—across Azure, AWS and GCP. No more blind spots. Risk-based recommendations Prioritize by exploitability and business impact. Focus on what matters most, not just noise. Attack path analysis across all Defenders Visualize potential breach paths and cut them off before attackers can exploit them. Unified cloud assets inventory A consolidated view of assets, health data and onboarding state—so you know exactly where you stand. Cloud scopes & unified RBAC Create boundaries between teams, ensure each persona has access to the right level of data in the Defender portal. The enhanced in-portal experience includes all familiar Defender for Cloud capabilities and adds powerful new cloud-native workflows — now accessible directly within the Defender portal. Over time, additional features will be rolled out so that security teams can rely on a single pane of glass for all their pre- and post-breach operations. Unified cloud security dashboard A brand-new “Cloud Security→ Overview” page in Defender portal gives you a central place to assess your cloud posture across all connected clouds and environments (Azure, AWS, GCP, on-prem and onboarded environments such as Azure DevOps, Github, Gitlab, DockerHub, Jfrog). The unified dashboard displays the new Cloud Security Score, Threat Detection alerts and Defender coverage statistics. Amongst the high-level metrics, you can find the number of assessed resources, count of active recommendations, security alerts and more, giving you at-a-glance insight into your environment’s health. From here, you can drill into individual areas: Security posture, Exposure Management bringing visibility over Recommendations and Vulnerability Management, a unified asset inventory, workload specific insights and historical security posture data going back up to 6 months. Cloud Assets Inventory The cloud asset inventory view provides a unified, contextual inventory of all resources you have connected to Defender for Cloud — across cloud environments or on-premises. Assets are categorized by workload type, criticality, Defender coverage status, with integrated health data, risk signals, associated exposure management data, recommendations and related attack paths. Resources with unresolved security recommendations or alerts are clearly flagged — helping you quickly prioritize on risky or non-compliant assets. While you will get a complete list of cloud assets under "All assets", the rest of the tabs show you the complete view into each workload, with detailed and specific insights on each workload (VMs, Data, Containers, AI, API, DevOps, Identity and Serverless). Posture & Risk Management: From Secure Score to risk-based recommendations The traditional posture-management and CSPM capabilities of Defender for Cloud expand into the Defender portal under “Exposure Management.” A key upgrade is the new Cloud Secure Score — a risk-based model that factors in asset criticality and risk factors (e.g. internet exposure, data sensitivity) to give a more accurate, prioritized view of cloud security posture. The score ranges from 0 to 100, where 100 means perfect posture. It aggregates across all assets, weighting each asset by its criticality and the risk of its open recommendations. You can view the Cloud Secure Score overall, by subscription, cloud environment or workload type. This allows security teams to quickly understand which parts of their estate require urgent attention, and track posture improvements over time. Defender for Cloud continues to generate security recommendations based on assessments against built-in (or custom) security standards. When you have the Defender CSPM plan enabled in the Defender portal, these recommendations are surfaced with risk-based prioritization, where recommendations are tied to high-risk or critical assets show up first — helping you remediate what matters most. Each recommendation shows risk level, number of attack paths, MITRE ATT&CK tactics and techniques. For each recommendation you will see the remediation steps, attack map and the initiatives it contributes to - such as the Cloud Secure score. Continued remediation — across all subscriptions and environments — is the path toward a hardened cloud estate. Proactive Attack Surface Management: Attack path analysis A powerful addition is the "Attack paths" overview, which helps you visualize potential paths attackers could use — from external exposure zones to your most critical business assets to infiltrate your environment and access sensitive data. Defender’s algorithm models your network, resource interactions, vulnerabilities and external exposures to surface realistic, exploitable attack paths, rather than generic threat scenarios, while putting focus on the top targets, entry points and choke points involved in attack paths. The Attack Paths page organizes findings by risk level and correlates data across all Defender solutions, allowing users to rapidly detect high-impact attack paths and focus remediation on the most vulnerable assets. For some workloads, for example container-based or runtime workloads, additional prerequisites may apply (e.g. enabling agentless scanning or relevant Defender plans) to get full visualization. Governance, Visibility and Access: Cloud Scopes and Unified RBAC The expansion into the Defender portal doesn’t just bring new dashboards — it also brings unified access and governance using a single identity and RBAC model for the Defender solutions. Now you can manage cloud security permissions alongside identity, device and app permissions. Cloud Scopes ensure that teams with appropriate roles within the defined permission groups (e.g. Security operations, Security posture) can access the assets and features they need, scoped to specific subscriptions and environments. This unified scope system simplifies operations, reduces privilege sprawl and enforces consistent governance across cloud environments and across security domains. The expansion of Defender for Cloud into the Defender portal is more than a consolidation—it’s a strategic shift toward a truly integrated security ecosystem. Cloud security is no longer an isolated discipline. It is intertwined with exposure management, threat detection, identity protection and organizational governance. To conclude, this new experience empowers security teams to: Understand cloud risk in full context Prioritize remediation that reduces real-world threats Investigate attacks holistically across cloud and non-cloud systems Govern access and configurations with greater consistency Predict and prevent attack paths before they happen In this new era, cloud security becomes a continuous, intelligent and unified journey. The Defender portal is now the command center for that journey—one where insights, context and action converge to help organizations secure the present while anticipating the future. Ready to Explore? Defender for Cloud in the Defender portal Integration FAQ Enable Preview Features Azure portal vs Defender portal feature comparison What’s New in Defender for CloudMicrosoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? Defender for Cloud integrates into the Defender portal as part of the broader Microsoft Security ecosystem, now in public preview. This integration, while adding posture management insight, eliminates silos natively to allow security teams to see and act on threats across all cloud, hybrid, and code environments from one place. For more information, see our public documentation. Discover Azure AI Foundry agents in your environment The Defender Cloud Security Posture Management (CSPM) plan secures generative AI applications and now, in public preview, AI agents throughout its entire lifecycle. Discover AI agent workloads and identify details of your organization’s AI Bill of Materials (BOM). Details like vulnerabilities, misconfigurations and potential attack paths help protect your environment. Plus, Defender for Cloud monitors for any suspicious or harmful actions initiated by the agent. Blogs of the month Unlocking Business Value: Microsoft’s Dual Approach to AI for Security and Security for AI Fast-Start Checklist for Microsoft Defender CSPM: From Enablement to Best Practices Announcing Microsoft cloud security benchmark v2 (public preview) Microsoft Defender for Cloud Innovations at Ignite 2025 Defender for AI services: Threat protection and AI red team workshop Defender for Cloud in the field Revisit the Cloud Detection Response experience here.. Visit our YouTube page: here GitHub Community Check out the Microsoft Defender for Cloud Enterprise Onboarding Guide. It has been updated to include the latest network requirements. This guide describes the actions an organization must take to successfully onboard to MDC at scale. Customer journeys Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Icertis. Icertis, a global leader in contract intelligence, launched AI applications using Azure OpenAI in Foundry Models that help customers extract clauses, assess risk, and automate contract workflows. Because contracts contain highly sensitive business rules and arrangements, their deployment of Vera, their own generative AI technology that includes Copilot agents and analytics for tailored contract intelligence, introduced challenges like enforcing and maintaining compliance and security challenges like prompt injections, jailbreak attacks and hallucinations. Microsoft Defender for Cloud’s comprehensive AI posture visibility with risk reduction recommendations and threat protection for AI applications with contextual evidence helped preserve their generative AI applications. Icertis can monitor OpenAI deployments, detect malicious prompts and enforce security policies as their first line of defense against AI-related threats. Join our community! Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month! DECEMBER 4 (8:00 AM- 9:00 AM PT) Microsoft Defender for Cloud | Unlocking New Capabilities in Defender for Storage DECEMBER 10 (9:00 AM - 10:00 AM PT) Microsoft Defender for Cloud | Expose Less, Protect More with Microsoft Security Exposure Management DECEMBER 11 (8:00 AM - 9:00 AM PT) Microsoft Defender for Cloud | Modernizing Cloud Security with Next‑Generation Microsoft Defender for Cloud We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe
Key findings from product telemetry: top storage security alerts across industries
1.0 Introduction Cloud storage stands at the core of AI-driven applications, making its security more vital than ever. As generative AI continues to drive innovation, protecting the storage infrastructure becomes central to ensuring both the reliability and safety of AI solutions. Every industry encounters its own set of storage security challenges. For example, financial services must navigate complex compliance requirements and guard against insider risks. Healthcare organizations deal with the protection of confidential patient information (e.g. electronic medical records), while manufacturing and retail face the complexities of distributed environments and vulnerable supply chains. At Microsoft, we leverage product telemetry to gain insight into the most frequent storage security alerts and understand how risks manifest differently across various customer sectors. This article delves into how storage threats are shaped by industry dynamics, drawn on data collected from our customer base to illustrate emerging patterns and risks. Acknowledgement: This blog represents the collaborative work of the following Stroage security in MDC v-team members: Fernanda Vela and Alex Steele, for initiating the project and preparing the initial draft and directing the way we tell the story Eitan Bremler and Lior Tsalovich, for product and customer insights, synthesizing product telemetry and providing review Yuri Diogenes, for his supervision, review and cheerleading We extend our sincere appreciation to each contributor for their dedication and expertise. 1.1 Key findings from product telemetry: Top storage security alerts across industries Based on telemetry gathered from Microsoft Defender for Cloud, certain alerts consistently emerge as the most prevalent across different sectors. These patterns highlight the types of threats and suspicious activities organizations encounter most frequently, reflecting both industry-specific risks and broader attack trends. In the section that follows, this information is presented in detail, offering a breakdown of the most common alerts observed within each industry and providing valuable insight into how storage environments are being targeted and defended. 1.1.1 How does storage security alert in Defender for Cloud work To protect storage accounts from threats, Microsoft Defender for Cloud storage security provides a wide range of security alerts designed to detect suspicious, risky, or anomalous activity across Azure Storage services such as Blob Storage, Data Lake Gen2, and Azure Files. These alerts cover scenarios like unauthorized access attempts, abnormal usage patterns, potential data exfiltration, malware uploads or downloads, sensitive data exposure and changes that may expose storage containers to the public. They leverage threat intelligence and behavioral analytics to identify activity from malicious IPs, unusual geographies, or suspicious applications, ensuring organizations are alerted when their storage environment is potentially at risk. Each alert is categorized by severity, helping organizations prioritize responses to the most critical threats, such as confirmed malware or credential compromise, while also surfacing medium and low-risk anomalies that may indicate early stages of an attack. Overall, Defender for Storage enables proactive monitoring and rapid detection of threats to cloud storage, reducing the risk of exposure, misuse, or compromise of valuable data assets. 1.1.2 Top alert types for major industries Financial, healthcare, technology, energy and manufacturing are often cited as the most targeted industries because of the value of their data, regulatory exposure and their role in critical infrastructure. Our telemetry from Microsoft Defender for Cloud (MDC) shows the top security alerts in storage resources across these five industries: Finance industry Health care industry Manufacturing industry Software industry Energy industry 1.1.3 Top 9 alerts across industries Across industries, the most common alert—averaging 1,300 occurrences per month—is “Unusual application accessed a storage account,” indicating unexpected access to a storage account. Below are the top cross-industry alerts based on this analysis. 1.2 Analysis Application Anomaly Alerts Ranking: #1 across all industries (Finance, Manufacturing, Software, Energy, Healthcare) Alert: Access from a suspicious application (Storage.Blob_ApplicationAnomaly) Why it happens: Organizations increasingly use automation, third-party integrations, and custom scripts to interact with cloud storage. Shadow IT and lack of centralized app governance lead to unexpected access patterns. In sectors like healthcare and finance, sensitive data attracts attackers who may use compromised or malicious apps to probe for weaknesses. Interpretation: High prevalence indicates a need for stricter application registration, monitoring, and access controls. Industries should prioritize visibility into which apps are accessing storage and enforce policies to block unapproved applications. Geo-Anomaly Alerts Ranking: #2 or #3 in most industries Alert: Access from an unusual location (Storage.Blob_GeoAnomaly, Storage.Files_GeoAnomaly) Why it happens: Global operations, remote work, and distributed teams are common in energy, manufacturing, and healthcare. Attackers may use VPNs or compromised credentials to access storage from unusual regions. Interpretation: Frequent geo-anomalies suggest gaps in geo-fencing and conditional access policies. Organizations should review access logs, enforce region-based restrictions, and monitor cross-border data flows. Malware-Related Alerts Ranking: Prominent in healthcare, finance, and software sectors Alert: Malware found in blob (Storage.Blob_AM.MalwareFound) Malware download detected (Storage.Blob_MalwareDownload) Access from IP with suspicious file hash reputation (Storage.Blob_MalwareHashReputation) Why it happens: High-value data and frequent file exchanges make these industries attractive targets for ransomware and malware campaigns. Insufficient scanning capacity or delayed remediation can allow malware to persist. Interpretation: Rising malware alerts point to active threat campaigns and the need for real-time scanning and automated remediation. Industries should scale up Defender capacity, integrate threat intelligence, and enable automatic malware removal. Open Container Scanning Alerts Ranking: More frequent in energy and manufacturing Alerts: Successful discovery of open storage containers (Storage.Blob_OpenContainersScanning.SuccessfulDiscovery) Failed attempt to scan open containers (Storage.Blob_OpenContainersScanning.FailedAttempt) Why it happens: Rapid cloud adoption and operational urgency can lead to misconfigured storage containers. Legacy systems and lack of automated policy enforcement increase exposure risk. Interpretation: High rates of open container alerts signal the need for regular configuration audits and automated security policies. Organizations should prioritize closing public access and monitoring for changes in container exposure. Anonymous Access & Data Exfiltration Alerts Ranking: Present across industries, especially where sensitive data is stored Alerts: Anonymous access anomaly detected (Storage.Blob_AnonymousAccessAnomaly) Data exfiltration detected: unusual amount/number of blobs (Storage.Blob_DataExfiltration.AmountOfDataAnomaly, Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly) Why it happens: Attackers may attempt to access data anonymously or exfiltrate large volumes of data. Weak access controls or lack of monitoring can enable these behaviors. Interpretation: These alerts should trigger immediate investigation and remediation. Organizations must enforce strict access controls and monitor for abnormal data movement. Key Takeaways Across Industries Application anomaly and geo-anomaly alerts are universal, reflecting the challenges of managing automation and global access in modern cloud environments. Malware-related alerts are especially critical in sectors handling sensitive or regulated data, indicating active targeting by threat actors. Open container and capacity alerts reveal operational and configuration risks, often tied to rapid scaling and cloud adoption. Interpreting these trends: High alert shares for specific patterns should drive targeted investments in security controls, monitoring, and automation. Industries must adapt their security strategies to their unique risk profiles, balancing innovation with robust protection. 1.3 Protect storage accounts from threats To address these challenges, Microsoft Defender for Cloud Storage Security offers: Real-time monitoring of storage-related threats: Identifies unusual access patterns with direct integration with Azure. Detect and mitigate with threat intelligence: understand threat context and reduce false positives. Integration with Defender XDR: Provides unified threat correlation, investigation and triaging with industry leading SIEM integration. 2.0 Malware in Storage: A Growing Threat Based on the findings from section 1, let’s analyze which industry receives the most amount of malware related threats: 2.1 Top Findings Healthcare: Malware found in blob (8.6%) Malware download detected (5.5%) Malware hash reputation (4.6%) Total malware-related share: ~18.7% Finance: Malware found in blob (4.5%) Malware download detected (3.9%) Malware hash reputation (4.6%) Total malware-related share: ~13% Manufacturing: Malware found in blob (8.5%) Malware download detected (2.7%) Malware hash reputation (3.3%) Total malware-related share: ~14.5% Software: Malware found in blob (7.8%) Malware download detected (5.9%) Malware hash reputation (15.6%) Total malware-related share: ~29.3% (notably high due to hash reputation alert) Energy: Malware hash reputation (4.2%) Malware found in blob (not top 7) Malware download detected (not top 7) Total malware-related share: ~4.2% (lower than other sectors) 2.2 Analysis Software industry has the highest ranked malware alerts, especially due to a very high share for “Malware hash reputation” (15.6%) and significant shares for “Malware found in blob” and “Malware download detected.” Healthcare also has a high combined share of malware alerts, but not as high as software. Finance, Manufacturing, and Energy have lower shares for malware alerts compared to software and healthcare. How to Read This Trend Software companies are likely targeted more for malware due to their high volume of code, frequent file exchanges, and integration with many external sources. Healthcare is also a prime target because of sensitive patient data (e.g. electronic medical records) and regulatory requirements. If your organization is in software or healthcare, pay extra attention to malware scanning, automated remediation, and threat intelligence integration. Regularly review and update malware protection policies. 2.3 How Microsoft Helps Prevent Malware Spread Defender for Cloud mitigates these risks by: Scanning for malicious content on upload or on demand, in storage accounts Automatic remediation after suspicious uploads Integrating with threat intelligence for threat context correlation, advance investigation and threat response. To learn more about Malware Scanning in Defender for Cloud, visit: Introduction to Defender for Storage malware scanning - Microsoft Defender for Cloud | Microsoft Learn 3.0 Conclusion As cloud and AI adoption accelerate, storage security is now essential for every industry. Microsoft Defender for Cloud storage security telemetry shows that the most frequent alerts—like suspicious application access, geo-anomalies, and malware detection—reflect both evolving threats and the realities of modern operations. These trends highlight the need for proactive monitoring, and strong threat detection and mitigation. Defender for Cloud helps organizations stay ahead of risks, protect critical data, and enable safe innovation in the cloud. Learn more about Defender for Cloud storage security: Microsoft Defender for Cloud | Microsoft Security Start a free Azure trial. Read more about Microsoft Defender for Cloud Storage Security here. 4.0 Appendix: Detailed Data for Top Industry-Specific Alerts 4.1 Finance Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 34.40 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 23.10 Access from an unusual location (Azure Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 7.90 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 7.80 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 6.40 Access from IP with suspicious file hash Storage.Blob_MalwareHashReputation Blob accessed from an IP with known malicious file hashes 4.60 Malware found in blob Storage.Blob_AM.MalwareFound Malware detected within a blob during scanning 4.50 Malware download detected Storage.Blob_MalwareDownload Blob download activity suggests malware distribution 3.90 Anonymous access anomaly detected Storage.Blob_AnonymousAccessAnomaly Blob accessed anonymously in an abnormal way 3.30 Data exfiltration: unusual amount of data Storage.Blob_DataExfiltration.AmountOfDataAnomaly Large volume of data accessed/downloaded, possible exfiltration 2.20 4.2 Healthcare Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 42.40 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 17.10 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 9.70 Malware found in blob Storage.Blob_AM.MalwareFound Malware detected within a blob during scanning 8.60 Access from an unusual location (Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 8.20 Malware download detected Storage.Blob_MalwareDownload Blob download activity suggests malware distribution 5.50 Access from IP with suspicious file hash Storage.Blob_MalwareHashReputation Blob accessed from an IP with known malicious file hashes 4.60 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 4.10 4.3 Manufacturing Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 28.70 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 24.10 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 9.40 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 8.90 Malware found in blob Storage.Blob_AM.MalwareFound Malware detected within a blob during scanning 8.50 Access from an unusual location (Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 7.00 Anonymous access anomaly detected Storage.Blob_AnonymousAccessAnomaly Blob accessed anonymously in an abnormal way 5.20 Access from IP with suspicious file hash Storage.Blob_MalwareHashReputation Blob accessed from an IP with known malicious file hashes 3.30 Malware download detected Storage.Blob_MalwareDownload Blob download activity suggests malware distribution 2.70 Data exfiltration: unusual number of blobs Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly Unusual number of blobs accessed, possible exfiltration 2.30 4.4 Software Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 22.20 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 16.40 Access from IP with suspicious file hash Storage.Blob_MalwareHashReputation Blob accessed from an IP with known malicious file hashes 15.60 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 8.10 Malware found in blob Storage.Blob_AM.MalwareFound Malware detected within a blob during scanning 7.80 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 7.10 Malware download detected Storage.Blob_MalwareDownload Blob download activity suggests malware distribution 5.90 Anonymous access anomaly detected Storage.Blob_AnonymousAccessAnomaly Blob accessed anonymously in an abnormal way 5.50 Access from an unusual location (Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 5.50 Data exfiltration: unusual amount of data Storage.Blob_DataExfiltration.AmountOfDataAnomaly Large volume of data accessed/downloaded, possible exfiltration 3.30 Data exfiltration: unusual number of blobs Storage.Blob_DataExfiltration.NumberOfBlobsAnomaly Unusual number of blobs accessed, possible exfiltration 2.50 4.5 Energy Industry Alert Type Tag Description Share (%) Access from a suspicious application Storage.Blob_ApplicationAnomaly Blob accessed using a suspicious/uncommon application 38.60 Access from an unusual location Storage.Blob_GeoAnomaly Blob accessed from a geographic location that deviates from typical patterns 22.60 Successful discovery of open containers Storage.Blob_OpenContainersScanning.SuccessfulDiscovery Publicly accessible containers discovered during scanning, exposure risk 13.50 Access from a suspicious application (Files) Storage.Files_ApplicationAnomaly Azure Files share accessed using a suspicious application 10.20 Access from an unusual location (Files) Storage.Files_GeoAnomaly Azure Files share accessed from an unexpected geographic region 5.90 Failed attempt to scan open containers Storage.Blob_OpenContainersScanning.FailedAttempt Failed attempt to scan publicly accessible containers for security risks 3.0Unlocking Business Value: Microsoft's Dual Approach to AI for Security and Security for AI
Overview In an era where cyber threats evolve at an unprecedented pace and artificial intelligence (AI) transforms business operations, Microsoft stands at the forefront with a comprehensive strategy that addresses both leveraging AI to bolster security and safeguarding AI systems themselves. This white paper, presented in blog post format, explores Microsoft's business value model for "AI for Security" – using AI to enhance threat detection, response, and prevention – and "Security for AI" – protecting AI deployments from emerging risks. Drawing from independent studies, real-world case studies, and economic analyses, we demonstrate how these approaches deliver tangible returns on investment (ROI) and total economic impact (TEI). Whether you're a CISO evaluating security investments or a business leader integrating AI, this post provides insights, visuals, and calculations to guide your strategy. Executive Summary The enterprise adoption of AI has transcended from a technological novelty to a strategic imperative, fundamentally altering competitive landscapes and business models. Organizations that fail to integrate AI risk operational inefficiency, diminished competitiveness, and missed revenue opportunities. However, the path from initial awareness to full-scale transformation is fraught with a new and complex class of security risks that traditional cybersecurity postures are ill-equipped to address. This report provides a comprehensive analysis of the enterprise AI adoption journey, the evolving threat landscape, and a data-driven financial case for securing AI initiatives exclusively through Microsoft's unified security ecosystem. The AI journey is a multi-stage process, beginning with Awareness and Experimentation before progressing to Operational deployment, Systemic integration, and ultimately, Transformational impact. Advancement through these stages is contingent not on technology alone, but on a clear executive vision, a structured roadmap that aligns AI potential with business reality, and a foundational commitment to responsible AI governance. This journey is paralleled by the emergence of a sophisticated AI threat landscape. Malicious actors are no longer targeting just infrastructure but the very logic and integrity of AI models. Threats such as data poisoning, model theft, prompt injection, risks to intellectual property, data privacy, regulatory compliance, and brand reputation. Furthermore, the proliferation of generative AI tools creates a novel "accidental insider" risk, where well-intentioned employees can inadvertently leak sensitive corporate data to third-party models. To counter these multifaceted threats, a fragmented, multi-vendor security approach is proving insufficient. Microsoft offers a cohesive, AI-native security platform that provides end-to-end protection across the entire AI lifecycle. This unified framework integrates Microsoft Purview for proactive data security and governance, Microsoft Sentinel for AI-powered threat detection and response, and Microsoft Defender alongside Azure AI Services for comprehensive endpoint, application, infrastructure protection and Microsoft Entra for securing and protecting the identity and access management control. The platform's strength lies in its deep, native integration, which creates a virtuous cycle of shared intelligence and automated response that siloed solutions cannot replicate. A rigorous market analysis, based on independent studies from Forrester and IDC, demonstrates that investing in this unified security framework is not a cost center but a significant value driver. The financial returns are compelling: Microsoft Purview delivers a 355% Return on Investment (ROI) over three years, driven by a 30% reduction in data breach likelihood and a 75% improvement in security investigation time. For more details: mccs-ms-purview-final-9-3.pdf Microsoft Sentinel generates a 234% ROI, reducing the Total Cost of Ownership (TCO) from legacy Security Information and Event Management (SIEM) solutions by 44% and cutting false positives by up to 79%. For more details: The Total Economic Impact™ Of Microsoft Sentinel Microsoft Defender provides a 242% ROI with a payback period of less than six months, fueled by significant savings from vendor consolidation and a 30% faster threat remediation time. For more details: TEI-of-M365Defender-FINAL.pdf Microsoft Entra Suite: 131% ROI over three years, with $14.4 million in benefits, $8.2 million net present value, payback in less than six months, 30% reduction in identity-related risk exposure, 60% reduction in VPN license usage, 80% reduction in user management time, and 90% fewer password reset tickets. For more details: The Total Economic Impact™ Of Microsoft Entra Suite Collectively, these solutions do more than mitigate risk; they enable innovation. By establishing a secure and trusted data environment, organizations can confidently accelerate their adoption of transformative AI technologies, unlocking the broader business value and competitive advantage that AI promises. This report concludes with a clear strategic recommendation: to successfully navigate the AI frontier, executive leadership must prioritize investment in a unified, AI-native security and governance framework as a foundational enabler of their digital transformation strategy. AI Risks/Challenges AI is transforming cybersecurity, but it also might introduce new vulnerabilities and attack surfaces. Organizations adopting AI must address risks such as data leakage, prompt injection attacks, model poisoning, identity and access management, and compliance gaps. These threats are not hypothetical—they are already impacting enterprises globally. Key Risks and Their Impact Data Security & Privacy 80%+ of security leaders cite leakage of sensitive data as their top concern when adopting AI. BYOAI (Bring Your Own AI) is rampant: 78% of employees use unapproved AI tools at work, increasing exposure to unmanaged risks. Source: Microsoft Work Trend Index & ISMG Study Emerging Threats Indirect Prompt Injection Attacks: 77% of organizations are concerned; 11% are extremely concerned. Hijacking & Automated Scams: 85% of respondents fear AI-driven scams and hijacking scenarios. Source: KPMG Global AI Study Compliance & Governance: 55% of leaders admit they lack clarity on AI regulations and compliance requirements. Agentic AI Risks: 88% of organizations are piloting AI agents, creating agent sprawl and new attack vectors. by 2029, 50%+ of successful attacks against AI agents will exploit access control weaknesses. The Numbers Tell the Story 97% of organizations reported security incidents related to Generative AI in the past year. Known AI security breaches jumped from 29% in 2023 to 74% in 2024, yet 45% of incidents go unreported. Source: Capgemini & HiddenLayer AI Threat Landscape Report Global AI cybersecurity market is projected to grow from $30B in 2024 to $134B by 2030, reflecting the urgency of securing AI systems. Source: Statista AI in Cybersecurity Where do we see customers in adoption Journey Understanding where an organization stands in its AI adoption journey is the critical first step in formulating a successful strategy. The transition from recognizing AI's potential to harnessing it for transformative business value is not a single leap but a structured progression through distinct stages of maturity. Many organizations falter by pursuing technologically interesting projects that fail to solve core business problems, leading to wasted resources and disillusionment. A coherent maturity model provides a diagnostic tool to assess current capabilities and a roadmap to guide future investments, ensuring that each step of the journey is aligned with measurable business goals. From Awareness to Transformation: A Unified AI Maturity Model By synthesizing frameworks from leading industry analysts and practitioners, a comprehensive five-stage maturity model emerges. This model provides a clear pathway for organizations, detailing the characteristics, challenges, and objectives at each level of AI integration. Stage 1: Aware / Exploration This initial stage is characterized by an early interest in AI, where organizations recognize its potential but have limited to no practical experience. Activities are focused on research and education, with internal teams exploring different tools to understand their capabilities and potential business use cases. A common and effective starting point is conducting brainstorming workshops with key stakeholders to identify pressing business pain points and map them to potential AI solutions. The primary goal is to build initial familiarity and garner buy-in from leadership to move beyond theoretical discussions. The most significant challenge at this stage is the "zero-to-one gap"—overcoming organizational inertia and a lack of executive sponsorship to secure the approval and resources needed for initial experimentation. Stage 2: Active / Experimentation In the experimentation phase, organizations have initiated small-scale pilot projects, often isolated within a data science team or a specific business unit. AI literacy remains limited, with only a few individuals or teams actively using AI tools in their daily work. A formal, enterprise-wide AI strategy is typically absent, leading to a fragmented approach where different teams may be experimenting with disparate tools. This is the stage where many organizations encounter the "Production Chasm." While they may successfully develop prototypes, they struggle to move these models into a live production environment. This difficulty arises from a critical skills gap; the expertise required for production-level AI—a multidisciplinary blend of data science, IT operations, and DevOps, often termed MLOps—is fundamentally different and far rarer than the skills needed for experimental modeling. This chasm is widened by a misleading perception of what constitutes professional-grade AI, often formed through exposure to public tools, which lack the security, scalability, and deep integration required for enterprise use. Stage 3: Operational / Optimizing Organizations reaching this stage have successfully deployed one or more AI solutions into production. The focus now shifts from experimentation to optimization and scalability. The primary challenge is to move from isolated successes to consistent, repeatable processes that can be applied across the enterprise. This requires a deliberate strategic shift from scattered efforts to a structured portfolio of AI initiatives, each with a clear business case and measurable goals. Key activities include defining a formal AI strategy, investing in enterprise-grade tools, and launching broader initiatives to improve the AI literacy of the entire workforce, not just specialized teams. The objective is to achieve tangible improvements in productivity, efficiency, and business performance through the integration of AI into key processes. Stage 4: Systemic / Standardizing At the systemic stage, AI is no longer a collection of discrete projects but is deeply integrated into core business operations and workflows. The organization makes significant investments in enterprise-wide technology, including modern data platforms and robust governance frameworks, to ensure standardized and responsible usage of AI. A culture of innovation is fostered, encouraging employees to leverage AI tools to drive the business forward. The focus is on maximizing efficiency at scale, automating complex processes, and creating a sustainable competitive advantage through widespread gains in productivity and creativity. Stage 5: Transformational / Monetization This is the apex of AI maturity, a level achieved by only a few organizations. Here, AI is a central pillar of the corporate strategy and a key priority in executive-level budget allocation.3 The organization is recognized as an industry leader, leveraging AI not just to optimize existing operations but to completely transform them, creating entirely new revenue streams, innovative business models, and disruptive market offerings.4 The focus is on maximizing the bottom-line impact of AI across every facet of the business, from employee productivity to customer satisfaction and financial performance. Why using AI in defense is imperative Cybersecurity has entered an era where the speed, scale, and sophistication of attacks outpace traditional defenses. AI is no longer optional—it’s a strategic necessity for organizations aiming to protect critical assets and maintain resilience: 1. The Threat Landscape Has Changed AI-powered attacks are real and growing fast: Breakout times for breaches have dropped to under an hour, making manual detection and response obsolete. Attackers use AI to craft polymorphic malware, deepfakes, and automated phishing campaigns that bypass legacy security controls. Source: [mckinsey.com] 93% of security leaders fear AI-driven attacks, yet 69% see AI as the answer, and 62% of enterprises already use AI in defense. 2. AI Delivers Asymmetric Advantage Predictive Threat Intelligence: AI analyzes billions of signals to anticipate attacks before they occur, reducing downtime and mitigating risk. Automated Response: AI-driven SOCs cut response times from hours to seconds, isolating compromised endpoints and revoking malicious access instantly. Source: [analyticsinsight.net] Behavioral Analytics: Detects insider threats and anomalous activities that traditional tools miss, safeguarding identities and sensitive data 3. Operational Efficiency & Talent Gap Cybersecurity teams face a global shortage of skilled professionals. AI acts as a force multiplier, automating repetitive tasks and enabling analysts to focus on strategic threats. Organizations report 76% improvement in early threat detection and $2M+ savings per breach when leveraging AI-powered security solutions. Source: AI-Powered Security: The Future of Threat Detection and Response Microsoft approach to AI security As AI adoption accelerates, Microsoft has developed a multi-layered security strategy to protect AI systems, data, and identities while enabling innovation. This approach combines platform-level security, responsible AI principles, and advanced threat protection to ensure AI is deployed securely and ethically across enterprises. 1. Foundational Principles Microsoft’s AI security strategy is grounded in: Responsible AI Principles: Fairness, privacy & security, inclusiveness, transparency, accountability, and reliability. These principles guide every stage of AI development and deployment. Secure Future Initiative (SFI): Embedding security by design, default, and deployment across AI workloads. 2. The Secure AI Framework Microsoft’s Secure AI Framework (SAIF) provides a structured approach to securing AI environments: Prepare: Implement Zero Trust principles, secure identities, and configure environments for AI readiness. Discover: Gain visibility into AI usage, sensitive data flows, and potential vulnerabilities. Protect: Apply end-to-end security controls for data, models, and infrastructure. Govern: Enforce compliance with regulations like GDPR and the EU AI Act, and monitor AI interactions for risk. 3. Key Security Controls Data Security & Governance: o Microsoft Purview for Data Security Posture Management (DSPM) in AI prompts and completions. o Auto-classification, encryption, and risk-adaptive controls to prevent data leakage. Identity & Access Management: o Microsoft Entra for securing AI agents and enforcing least privileges with adaptive access policies. Threat Protection: o Microsoft Defender for AI integrates with Defender for Cloud to detect prompt injection, model poisoning, and jailbreak attempts in real time. Compliance & Monitoring: o Continuous posture assessments aligned with ISO 42001 and NIST AI RMF. 4. Security by Design Microsoft embeds security throughout the AI lifecycle: Secure Development Lifecycle (SDL) for AI models. AI Red Teaming using tools like PyRIT to simulate adversarial attacks and validate resilience. Content Safety Systems in Azure AI Foundry to block harmful or inappropriate outputs. 5. Integrated Security Ecosystem Microsoft’s AI security capabilities are deeply integrated across its portfolio: Microsoft Defender XDR: Correlates AI workload alerts with broader threat intelligence. Microsoft Sentinel: Provides graph-based context for AI-driven threat investigations. Security Copilot: AI-powered assistant for SOC teams, accelerating detection and response. Market research on ROI and Cost Savings from securing AI Investing in a robust security framework for AI is not merely a defensive measure or a cost center; it is a strategic investment that yields a quantifiable and compelling return. Independent market analysis conducted by leading firms like Forrester and IDC, along with real-world customer case studies, provides extensive evidence that deploying Microsoft's unified security platform delivers significant financial benefits. These benefits manifest in two primary ways: a "defensive" ROI derived from mitigating risks and reducing costs, and an "offensive" ROI achieved by enabling the secure and rapid adoption of high-value AI initiatives that drive business growth. A recurring and powerful theme across these studies is that platform consolidation is a major, often underestimated, value driver. A significant portion of the quantified ROI comes from retiring a fragmented stack of legacy point solutions and eliminating the associated licensing, infrastructure, and specialized labor costs, allowing the investment in the Microsoft platform to be funded, in part or in whole, by reallocating existing budget. The Total Economic Impact™ of a Unified Security Posture Microsoft has commissioned Forrester Consulting to conduct a series of Total Economic Impact™ (TEI) studies on its core security products. These studies, based on interviews with real-world customers, construct a "composite organization" to model the financial costs and benefits over a three-year period. The results consistently show a strong positive ROI across the platform. Microsoft Purview: The TEI study on Microsoft Purview found that the composite organization experienced benefits of $3.0 million over three years versus costs of $633,000, resulting in a net present value (NPV) of $2.3 million and an impressive 355% ROI. The primary value drivers included reduced data breach impact, significant efficiency gains for security and compliance teams, and the avoidance of costs associated with legacy data governance tools. Microsoft Sentinel: For Microsoft Sentinel, the Forrester study calculated an NPV of $7.9 million and a 234% ROI over three years. Key financial benefits were derived from a 44% reduction in TCO by replacing expensive, on-premises legacy SIEM solutions, a dramatic 79% reduction in false-positive alerts that freed up analyst time, and a 35% reduction in the likelihood of a data breach. Microsoft Defender: The unified Microsoft Defender XDR platform delivered an NPV of $12.6 million and a 242% ROI over three years, with an exceptionally short payback period of less than six months. The benefits were substantial, including up to $12 million in savings from vendor consolidation, $2.4 million from SecOps optimization, and $2.8 million from the reduced cost of material breaches. Microsoft Security Copilot: As a newer technology, the TEI for Security Copilot is a projection. Forrester projects a three-year ROI ranging from a low of 99% to a high of 348%, with a medium impact scenario yielding a 224% ROI and an NPV of $1.13 million. This return is driven almost entirely by amplified SecOps team efficiency, with projected productivity gains on security tasks ranging from 23% to 46.7%, and cost efficiencies from a reduced reliance on third-party managed security services. The following table aggregates the headline financial metrics from these independent Forrester TEI studies, providing a clear, at-a-glance summary of the platform's investment value. Table: Aggregated Financial Impact of Microsoft AI Security Solutions (Forrester TEI Data) Microsoft Solution 3-Year ROI (%) 3-Year NPV ($M) Payback Period (Months) Key Value Drivers Microsoft Purview 355% $2.3 < 6 Reduced breach likelihood by 30%, 75% faster investigations, 60% less manual compliance effort, legacy tool consolidation. Microsoft Sentinel 234% $7.9 < 6 44% TCO reduction vs. legacy SIEM, 79% reduction in false positives, 85% less effort for advanced investigations. Microsoft Defender 242% $12.6 < 6 Up to $12M in vendor consolidation savings, 30% faster threat remediation, 80% less effort to respond to incidents. Security Copilot 99% - 348% (Projected) $0.5 - $1.76 (Projected) Not Specified 23%-47% productivity gains for SecOps tasks, reduced reliance on third-party services, upskilling of security personnel. Microsoft Entra Suite 131% $8.2 Not Specified 30% reduction in identity risk, 80% reduction in user management time, 90% fewer password reset tickets, 60% VPN license reduction. Quantifying Risk Reduction and Its Financial Impact A core component of the ROI calculation is the direct financial savings from preventing and mitigating security incidents. Reduced Likelihood of Data Breaches: The Forrester study on Microsoft Purview quantified a 30% reduction in the likelihood of a data breach for the composite organization. This translated into over $225,000 in annual savings from avoided costs of security incidents and regulatory fines. The study on Microsoft Sentinel found a similar 35% reduction in breach likelihood, which was valued at $2.8 million over the three-year analysis period. These figures provide a tangible financial value for improved security posture. The Cost of Inaction: The financial case is further strengthened when contrasted with the high cost of failure. The Forrester study on Microsoft Defender highlights that organizations with insufficient incident response capabilities spend an average of $204,000 more per breach and experience nearly one additional breach per year compared to their more prepared peers. This underscores that the investment in a modern, unified platform is an effective insurance policy against significantly higher future costs. Driving SOC Efficiency and Cost Optimization Beyond risk reduction, the Microsoft security platform drives substantial cost savings through automation, AI-powered efficiency, and platform consolidation. These savings free up both budget and highly skilled personnel to focus on more strategic, value-added activities. Faster Mean Time to Respond (MTTR): Time is money during a security incident. The platform's AI and automation capabilities dramatically accelerate the entire response lifecycle. The Sentinel TEI found that its AI-driven correlation engine reduced the manual labor effort for advanced, multi-touch investigations by 85%. The Defender TEI noted that security teams could remediate threats 30% faster, reducing the mean time to acknowledge (MTTA) from 30 minutes to just 15, and cutting the mean time to resolve (MTTR) from up to three hours to less than one hour in many cases. Similarly, Purview was found to reduce the time security teams spent on investigations by 75%. Legacy Tool and Cost Avoidance: Consolidating on the Microsoft platform allows organizations to retire a host of redundant security and compliance tools. The Purview study identified nearly $500,000 in savings over three years from sunsetting legacy records management and data security solutions. The Defender study attributed up to a massive $12 million in benefits over three years to vendor consolidation, eliminating licensing, maintenance, and management costs from other tools. The Microsoft Entra Suite was found to reduce VPN license usage by 60%, saving an estimated $680,000 over three years. Reduced IT Overhead and Labor Costs: Automation extends beyond the SOC to general IT operations. The Microsoft Entra study found that automated governance and lifecycle workflows reduced the time IT spent on ongoing user management by 80%, yielding $4.6 million in time savings over three years. The same study noted a 90% reduction in password reset help desk tickets, from 80,000 to just 8,000 per year, avoiding $2.6 million in support costs. For more details: https://www.microsoft.com/en-us/security/blog/2025/09/23/microsoft-purview-delivered-30-reduction-in-data-breach-likelihood/ https://www.microsoft.com/en-us/security/blog/2025/08/04/microsoft-entra-suite-delivers-131-roi-by-unifying-identity-and-network-access/ https://azure.microsoft.com/en-us/blog/explore-the-business-case-for-responsible-ai-in-new-idc-whitepaper/ https://www.microsoft.com/en-us/security/blog/2025/09/18/microsoft-defender-delivered-242-return-on-investment-over-three-years/ https://tei.forrester.com/go/microsoft/microsoft_sentinel/ https://www.gartner.com/reviews/market/email-security-platforms/compare/abnormal-ai-vs-microsoft Fast-track generative AI security with Microsoft Purview | Microsoft Security Blog Conclusion Summary Consolidating security and compliance operations on the Microsoft platform delivers substantial cost savings and operational efficiencies. Studies have shown that moving away from legacy tools and embracing automation through Microsoft solutions not only reduces licensing and maintenance expenses, but also significantly lowers IT labor and support costs. By leveraging integrated tools like Microsoft Purview, Defender, and Entra Suite, organizations can realize millions of dollars in savings and free up valuable IT resources for higher-value work. Key Highlights Significant Cost Savings: Up to $12 million in benefits over three years from vendor consolidation, and $500,000 saved by retiring legacy records management and data security solutions. License Optimization: The Microsoft Entra Suite reduced VPN license usage by 60%, saving an estimated $680,000 over three years. IT Efficiency Gains: Automated governance and lifecycle workflows decreased IT time spent on user management by 80%, resulting in $4.6 million in time savings. Support Cost Reduction: Password reset help desk tickets dropped by 90%, from 80,000 to 8,000 per year, avoiding $2.6 million in support costs.Microsoft Defender for Cloud Customer Newsletter
What’s new in Defender for Cloud? We're enhancing the severity levels of recommendations to improve risk assessment and prioritization. As part of this update, we reevaluated all severity classifications and introduced a new level — Critical. See this page for more info. General Availability of File Integrity Monitoring (FIM) based on Microsoft Defender for Endpoint in Azure Government File Integrity Monitoring based on Microsoft Defender for Endpoint is now GA in Azure Government (GCCH) as part of Defender for Servers Plan 2. For more details, please refer to our documentation Blog(s) of the month In March, our team published the following blog posts we would like to share: Integrating Security into DevOps Workflows with Microsoft Defender CSPM New innovations to protect custom AI applications with Defender for Cloud All Key Vaults Are Critical, But Some Are More Critical Than Others: Finding the Crown Jewels GitHub Community Learn more about code reachability in Defender for Cloud: Module 26 - Defender for Cloud Code Reachability Vulnerabilities with Endor Labs Visit our GitHub page Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episode here: Unveiling Kubernetes lateral movement in Defender for Cloud Manage cloud security posture with Microsoft Defender for Cloud Visit our new YouTube page Customer journey Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Danfuss. Danfoss’s growth contrasted with inefficient manual, on-premises security solutions. It wanted a scalable security solution to defend its global data and SAP landscape while lifting security team effectiveness. Danfoss adopted Microsoft Sentinel and the Microsoft Sentinel solution for SAP applications. It ingests logs from 20 applications and thousands of devices with the connectors including Defender for Cloud. Show me more stories Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month! April 15 Microsoft Defender for Cloud | Securing Custom Built AI Applications with Microsoft Defender for Cloud April 30 Microsoft Defender for Cloud | Securing Custom Built AI Applications with Microsoft Defender for Cloud We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribeAll Key Vaults Are Critical, But Some Are More Critical Than Others: Finding the Crown Jewels
Introduction A critical asset is one of substantial value, whose compromise or disruption would result in significant adverse effects on the organization. This definition lays the foundation for understanding why Azure Key Vaults often fall into this category. Azure Key Vaults are integral to cloud environments as they manage sensitive data like cryptographic keys, passwords, and certificates. Their frequent use in securing applications, managing secrets, and enabling secure operations makes them highly valuable. Given this importance, identifying which Key Vaults are critical becomes essential. Approach Our approach to identifying critical Key Vaults is based on operational activity. We classify Key Vaults using the top n percentile of operations within each tenant, ensuring that only the most active and essential Key Vaults are flagged as critical. This approach provides a fair evaluation across varying tenant sizes and ensures that thresholds dynamically adjust with data size and distribution, making the classification resilient to outliers and representative of actual operational importance. Why Focus on Key Vaults with High Operation Counts? Increased Usage Indicates High Dependency: A high volume of operations suggests that the Key Vault is heavily utilized, meaning it plays a central role in the security and operational processes within the environment. For example, it might be frequently accessed to retrieve secrets, keys, or certificates, which are essential for the functioning of various applications and services. Sensitive Data Storage: Key Vaults typically store sensitive data, such as cryptographic keys, passwords, and other secrets. A Key Vault with many operations is likely to store and manage a significant amount of this sensitive data, making it a high-value target for potential attacks. Operational Impact: If a heavily used Key Vault were compromised or became unavailable, it could disrupt multiple critical processes across the organization. This could include application outages, security breaches, or other operational failures, making the Key Vault critical to overall business continuity. Security Implications: Frequent access to a Key Vault might indicate its role in automated processes or scripts that require secure handling of credentials and keys. The more a Key Vault is accessed, the higher the potential risk if its security is breached, hence making it essential to protect and monitor it closely. Benefits of Using Percentiles in Criticality Classification In critical asset classification, the use of percentiles offers several distinct advantages over percentage-based methods: Resilience to Outliers: Percentiles rank Key Vaults without being influenced by extreme values. For instance, even if one Key Vault has an unusually high operation count, the percentile method ensures that the classification threshold remains stable. Dynamic Adaptation to Dataset Size: As the number of Key Vaults grows, percentile thresholds adjust dynamically, maintaining consistency and accuracy over time. Fair Evaluation Across Tenants: Different tenants have varying numbers of Key Vaults. Percentiles allow for a fair assessment by ensuring that each tenant’s Key Vaults are evaluated within that tenant’s dataset. This means that even smaller tenants with fewer Key Vaults can have their most active Key Vaults identified as critical without being overshadowed by the larger operation counts of bigger tenants. Percentiles rank within each tenant individually, making the classification equitable across different scales. Mathematical Rigor: Percentiles provide a statistically sound method for ranking Key Vaults, offering a reliable framework for criticality classification. Operational Relevance: By using percentiles, the classification highlights Key Vaults that are truly operationally significant within their own environment, enhancing security monitoring and response efforts. This approach ensures that critical assets are identified accurately, without the distortions caused by outliers, dataset size, or operational scale variations, making it ideal for cloud environments. Findings from Research Overall Critical Assets: Around 0.5% of total KVs were identified as critical Tenant-wise Analysis: Percentile thresholds adjusted dynamically across tenant sizes. Large tenants saw a minimal increase in critical assets, validating accuracy. Smaller tenants benefited from nuanced classification. Percentile-based classification ensures that Key Vaults with relatively high operation counts are identified, regardless of tenant size, providing a balanced approach. Figure 1: Tenant-wise Analysis Finding the Optimal Percentile Threshold The reverse elbow curve method is a data-driven approach to determine the optimal percentile threshold. Figure 2 illustrates this concept by plotting the percentage of Key Vaults classified as critical against various percentile values. As the percentile value increases from 90 to 99, the percentage of critical Key Vaults decreases, forming a clear reverse elbow shape. In this graph, the curve starts to flatten around the 95th percentile, marked as the 'Optimal Percentile Threshold.' This point represents where the rate of decrease in critical Key Vaults slows down significantly. Selecting this threshold ensures that we capture the most critical Key Vaults without unnecessarily including too many lower-priority assets. Before this point, too many Key Vaults are classified as critical, while after this point, too few Key Vaults are included. Figure 2: Identifying the optimal percentile threshold This visual example demonstrates why the reverse elbow curve method is essential for balancing coverage and precision in critical asset classification, ensuring that the most operationally significant Key Vaults are identified efficiently. Conclusion In conclusion, identifying critical Azure Key Vaults is essential for maintaining the security, availability, and operational integrity of cloud environments. By leveraging a percentile-based classification approach, we ensure that only the most active and essential Key Vaults are recognized as critical assets. The use of the reverse elbow curve method further strengthens this classification by selecting an optimal percentile threshold that balances coverage and precision. This methodology not only minimizes noise from less active Key Vaults but also ensures that highly utilized and sensitive Key Vaults receive the attention they deserve. As cloud operations continue to scale, such data-driven classification approaches are vital for effective security management and risk mitigation.
Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud
Understanding Jailbreak attacks Evasion attacks involve subtly modifying inputs (images, audio files, documents, etc.) to mislead models at inference time, making them a stealthy and effective means of bypassing inherent security controls in the AI Service. Jailbreak can be considered a type of evasion attack. The attack involves crafting inputs that cause the AI model to bypass its safety mechanisms and produce unintended or harmful outputs. Attackers can use techniques like crescendo to bypass security filters for example creating a recipe for Molotov Cocktail. Due to the nature of working with human language, generative capabilities, and the data used in training the models, AI models are non-deterministic, i.e., the same input will not always produce the same outputs. A “classic” jailbreak happens when an authorized operator of the system crafts jailbreak inputs in order to extend their own powers over the system. Indirect prompt injection happens when a system processes data controlled by a third party (e.g., analyzing incoming emails or documents editable by someone other than the operator) who inserts a malicious payload into that data, which then leads to a jailbreak of the system. There are various types of jailbreak-like attacks. Some, like DAN, involve adding instructions to a single user input, while others, like Crescendo, operate over multiple turns, gradually steering the conversation towards a specific outcome. Therefore, jailbreaks should be seen not as a single technique but as a collection of methods where a guardrail can be circumvented by a carefully crafted input. Understanding Native protections against Jailbreak Defender for Cloud’s AI Threat Protection (https://learn.microsoft.com/en-us/azure/defender-for-cloud/ai-threat-protection) feature integrates with Azure Open AI and reviews the prompt and response for suspicious behavior (https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-ai-workloads) In case of Jailbreak, the solution integrates with Azure Open AI’s Content Filter Prompt Shields (https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/content-filter), which uses an ensemble of multi-class classification models to detect four categories of harmful content (violence, hate, sexual, and self-harm) at four severity levels respectively (safe, low, medium, and high), and optional binary classifiers for detecting jailbreak risk, existing text, and code in public repositories. When Prompt Shield detects a Jailbreak attempt, it filters / annotate the user’s prompt. Defender for Cloud then picks up this information and makes it available to the security teams. Note that User Prompts are protected from Direct Attacks like Jailbreak by default. As a result, once you enable Threat Protection for AI in Defender for Cloud your security teams will have complete visibility on these. Fig 1. Threat Protection for AI alert Tangible benefits for your Security Teams Since the Defender for Cloud is doing the undifferentiated heavy lifting here your Security Governance, Architecture, and Operations all benefit like so, Governance Content is available out of the box and is enabled by default in several critical risk scenarios. This helps meet your AI security controls like OWASP LLM 01: Prompt Injection (https://genai.owasp.org/llmrisk/llm01-prompt-injection/) You can further refine the Content Filter levels for each model running in AI Foundry depending on the risk such as the data model accesses (RAG), public exposure, etc. The application of the control is enabled by default The Control reporting is available out of the box and can/will follow the existing workflow that you have set up for remainder of your cloud workloads Defender for Cloud provides Governance Framework Architecture Threat Protection for AI can be enabled at subscription level so the service scales with your workloads and provides coverage for any new deployments There is native integration with Azure Open AI so you do not need to write and manage custom patterns unlike a third party service The service is not in-line so you do not have to worry about downstream impact on the workload Since Threat Protection for AI is a capability within Defender for Cloud, you do not need to define specific RBAC permissions for users or service The alerts from the capability will automatically follow the export flow you have set up for the rest of the Defender for Cloud capabilities. Operations The alerts are already ingested in the Microsoft XDR portal so you can continue threat hunting without learning new tools there by maximizing your existing skills You can set up Workflow Automation to respond to AI alerts much like alerts from other capabilities like Defender for Storage. So, your overall logic app patterns can be reused with small tweaks Since your SOC analyst might still be learning Gen AI threats and your playbooks might not be up to date, the alerts (see Fig 1 above) contain steps that they should take to resolve The alerts are available in XDR portal, which you might already be familiar with so won’t have to learn a new solution Fig 2. Alerts in XDR Portal The alerts contain the prompt as an evidence in addition to other relevant attributes like IP, user details, targeted resource. This helps you quickly triage the alerts Fig 3. Prompt Evidence captured as part of the alert You can train the model using the detected prompts to block any future responses on similar user prompts Summary Threat Protection for AI: Provides holistic coverage of your Gen AI workloads Helps you maximize the investment in Microsoft Solutions Reduces the need for learning another solution to protect another new workloads Drives overall cost, time, and operational efficiencies Enroll in the preview https://learn.microsoft.com/en-us/azure/defender-for-cloud/ai-onboarding#enroll-in-the-limited-previewUnveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud
The cloud security landscape is constantly evolving and securing containerized environments including Kubernetes is a critical piece of the puzzle. Kubernetes environments provide exceptional flexibility and scalability, which are key advantages for modern infrastructure. However, the complex and intricate permissions structure of Kubernetes, combined with the dynamic, ephemeral nature of containers, introduces significant security challenges. Misconfigurations in permissions can easily go unnoticed, creating opportunities for unauthorized access or privilege escalation. The rapid lifecycle of resources in Kubernetes adds to the complexity of this issue, making it harder to maintain visibility and enforce a consistent security posture. Traditional security tools often lack the depth needed to map and analyze Kubernetes permissions effectively, leaving organizations vulnerable to security gaps. In this blog we will explore how Microsoft Defender for Cloud provides visibility to address these challenges with the recent addition of Kubernetes role-based access control (RBAC) into the cloud security graph. We'll analyze potential techniques attackers use to move laterally in Kubernetes environments and demonstrate how Microsoft Defender for Cloud provides visibility to these threats as attack paths. Finally, we will demonstrate how this advanced feature allows customers to identify Kubernetes RBAC bindings that don't follow security best practices with the security explorer capabilities. Enhancing Security with Kubernetes RBAC Integration into the cloud security graph Defender for Cloud uses a cloud security graph to represent the data of your multicloud environment. This graph-based engine analyzes data on your cloud assets and their security posture, providing contextual analysis, attack path insights, and identify security risks with queries in the cloud security explorer. The introduction of Kubernetes RBAC into the cloud security graph addresses the visibility and security challenges posed by Kubernetes' complex permissions structure and dynamic workloads. By ingesting Kubernetes RBAC objects into the graph as nodes and edges, we create a more comprehensive picture of Kubernetes environment’s security posture. The cloud security graph leverages Kubernetes RBAC to map relationships between Kubernetes identities, Kubernetes objects, and cloud identities. This functionality uncovers additional attack paths and equips customers to proactively identify and mitigate threats in their cloud environments. Revealing attackers techniques Visualizing potential lateral movement within a Kubernetes cluster can be challenging. Attackers who establish an initial foothold in the cluster may exploit various techniques to move laterally, accessing sensitive resources within the cluster and even extending to other cloud resources in the victim's environment. Let’s examine the techniques attackers use for lateral movement in Kubernetes environments and explore how identifying new attack paths, along with the factors enabling such movement, can support proactive threat remediation. Inner cluster lateral movement In Kubernetes, each pod is attached to a Kubernetes service account that determines the permissions of the pod in the cluster. By default, the service account associated with a pod allows it to interact with the Kubernetes API with minimal permissions, but it is often granted more privileges than required for its specific function. Attackers who compromise a container can exploit the container pod’s service account RBAC permissions to move laterally within the cluster and access sensitive resources. For instance, if the compromised service account has impersonation privileges, attackers can use them to act as a more privileged service account by leveraging impersonation headers, potentially leading to a full cluster takeover. Cluster to cloud lateral movement In addition to lateral movement inside Kubernetes clusters, attackers could also use additional techniques to move laterally from the managed Kubernetes clusters to the cloud. Using the Instance Metadata Service (IMDS) In managed Kubernetes environments, each worker node is assigned a specific cloud identity or IAM role that gives it the necessary permissions to interact with the cloud provider's API to perform tasks that maintain cluster operations (such as autoscaling). To do this, the worker node can access the Instance Metadata Service (IMDS), which provides important details like configurations, settings, and the identity credentials of the node. The IMDS is accessible through a special IPv4 link-local address (169.254.169.254), allowing the worker node to securely retrieve its credentials and perform its tasks. If attackers gains control of a container in a managed Kubernetes cluster, they may attempt to query the IMDS endpoint to assume the IAM role or identity credentials associated with the worker node hosting the container. These credentials can then be exploited to access cloud resources, such as databases or compute instances outside the cluster. The potential damage caused by such an attack depends on the permissions of the worker node identity. 2. Using the workload identity Workload identity in Azure, Google Cloud, and AWS as IAM Roles for Service Accounts (IRSA) or EKS Pod Identity, allows Kubernetes pods to authenticate to cloud services using cloud-native identity mechanisms without needing to manage long-lived credentials like API keys. In this setup, a pod is associated with a Kubernetes service account that is linked to a cloud identity (e.g., a GCP service account, Managed identity for Azure resources, or AWS IAM role), enabling the pod to access cloud resources securely. While this integration enhances security, if attackers compromise a pod that is using workload identity, they could exploit the cloud identity associated with that pod to access cloud resources. Depending on the permissions granted to the cloud identity or IAM role, the attackers could perform actions like reading sensitive data from cloud storage, interacting with databases, or even modifying infrastructure—potentially escalating the attack beyond the Kubernetes environment into the cloud platform itself. Cloud to cluster lateral movement In cloud environments, managing access to Kubernetes clusters is critical to maintaining security. Cloud identities who are granted high-level permissions over Kubernetes clusters pose a potential security risk. If these identities have elevated permissions—such as the ability to create or modify resources within the cluster—an attacker who compromises their credentials can leverage these permissions to take full control of the cluster. Once attackers gain access to a privileged cloud account, they could manipulate Kubernetes configurations, create malicious workloads, or access sensitive data. This scenario could lead to a complete cluster takeover. Using Defender for Cloud to prevent lateral movement Defender for Cloud provides organizations with instant visibility into potential attack paths that attackers could exploit to move laterally within their cluster, enabling them to take preventive actions before an attack occurs. In the example shown in figure 1, an attack path is being generated to highlight how a vulnerable container can be exploited by an attacker to move laterally within the cluster and eventually achieve a full cluster takeover. This involves remotely compromising the vulnerable container, leveraging the Kubernetes service account linked to the pod, and impersonating a more privileged service account to gain control over the cluster. In another example, as shown in figure 2, the attack path illustrates how an attacker can exploit a vulnerable container to move laterally from the cluster to cloud resources outside of it by leveraging the pod service account's associated cloud identity. With the visibility provided by these attack paths, security teams can take actions prior to an attack taking place i.e. block external access to the container unless absolutely required, ensure the vulnerability is addressed and verify if the pod service account permissions are indeed required. Kubernetes risk hunting with the cloud security explorer In addition to the attack paths capabilities, Defender for Cloud's contextual security capabilities assist security teams in reducing the risk of Kubernetes RBAC misconfigurations. By executing graph-based queries on the cloud security graph using the cloud security explorer, security teams can proactively identify risks within a multicloud Kubernetes environments. By utilizing the query builder, teams can search for and locate risks associated with Kubernetes identities and workloads, enabling them to preemptively address potential threats. The cloud security explorer provides you with the ability to perform proactive exploration, along with built-in query templates that are dedicated to Kubernetes RBAC risks. Kubernetes query templates Beyond cloud security As the cloud security graph is part of Microsoft enterprise exposure graph, customers can gain further visibility beyond the cloud boundary. By using Microsoft enterprise exposure management, customers will be able to see not only the lateral movement from K8s to the cloud and vice versa, but also how the identities used by the attacker can be further used to move laterally to additional assets in the organization, and how breach of an on-prem asset can lead to lateral movement to Kubernetes assets in the cloud. In the example shown in figure 4, we have an attack path that highlights how a vulnerable device can be exploited by an attacker to move laterally from an on-prem environment to Kubernetes cluster located in the cloud. This process includes remotely compromising the vulnerable device, extracting the browser cookie stored on it, and using that cookie to authenticate as a cloud identity with elevated permissions to access a Kubernetes cluster in the cloud. Conclusion - A brighter future for Kubernetes security The introduction of Kubernetes RBAC into the cloud security graph represents a significant advancement in securing Kubernetes’ environments. By providing comprehensive visibility into the complex permissions structure and dynamic workloads of Kubernetes, Microsoft Defender for Cloud enables organizations to proactively identify and mitigate potential security risks. This enhanced visibility not only helps in uncovering new attack paths and lateral movement threats but also supports the enforcement of security best practices within Kubernetes clusters. To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Container or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide. Learn more If you haven’t already, check out our previous blog post that introduced this journey: Elevate Your Container Posture: From Agentless Discovery to Risk Prioritization.Prevent malware from spreading by scanning cloud storage accounts on-demand
What’s new? On-demand malware scanning now in public preview We’re excited to announce the public preview of on-demand malware scanning. Previously, customers could get malware scanning results when uploading files to Azure blob storage. Now, customers can scan existing files in storage accounts on-demand, which helps customers to gain finer control and customization for critical storage assets. On-demand scanning allows you to scan existing files directly from Azure storage accounts What’s the relationship between Defender for Storage and Malware Scanning? Defender for Storage is the storage security plan under Microsoft Defender for Cloud, a Cloud Native Application Protection Platform (CNAPP). It helps Security Operations Center (SOC) analysts to monitor and react to threats in near real-time, prioritize threat protection for sensitive data and keep cloud storage malware-free. Malware Scanning is a paid add-on of Defender for Storage that helps customers to prevent malware from spreading in storage. It helps SOC analysts and security admins to prevent malware from spreading by scanning stored or newly uploaded data. What is coming next? In the coming weeks, we’ll expand file size support to 50 GB—a 25x increase from the current 2 GB limit. Additionally, new filtering options for on-upload scanning will allow you to exclude files based on prefixes, suffixes, and size, providing more precise control over scanning scope and costs. Why Malware Scanning? 1)Shadow data is a hidden security risk untracked data in cloud storage, introduces security and compliance risks even without active downstream consumers. Misconfigurations, weak access controls, or lack of encryption can make these hidden data stores attractive targets for attackers. They also complicate compliance by potentially violating data governance policies. Legacy security tools often focus on administrative actions, overlooking risks tied to unmanaged data. This gap leaves shadow data vulnerable to exploitation and compliance failures. Effective solutions must provide visibility into shadow data, enforce robust controls, and reduce these risks without adding operational complexity. 2)AI boom amplifies cloud storage risks The rapid growth of AI and Large Language Models (LLMs) is driving massive demands on cloud storage, with training and operational use generating and accessing terabytes of sensitive data. This surge in storage usage introduces unique security challenges. AI datasets, often proprietary and distributed, are attractive targets for cyber threats like ransomware, data breaches, and adversarial attacks, requiring a re-evaluation of storage security strategies. Why us? 1)Easy maintenance, and better accuracy Microsoft Defender for Storage addresses these challenges with a comprehensive, cloud-native malware scanning solution powered by Defender Antivirus and Microsoft Threat Intelligence. Traditional malware scanning solutions for cloud storage often require extensive infrastructure, such as proxies, compute resources, or third-party integrations, adding latency, increasing security gaps, and escalating maintenance costs. Defender for Storage overcomes these challenges with a fully cloud-native design that directly embeds malware scanning within Azure, requiring no additional agent. By analyzing storage logs, it delivers accurate, proactive threat detection with minimal impact on storage performance, using Microsoft’s industry-leading threat intelligence and machine learning (ML) detection algorithms. This built-in design makes Defender for Storage particularly well-suited for dynamic cloud environments, where it provides comprehensive, scalable protection without altering existing architecture. 2) Flexibility in scanning options to streamline security operations Malware scanning supports both scanning on-upload of storage files and scanning of existing files within storage accounts. Multiple entry points of scanning capabilities give security admins the flexibility to operationalize malware scanning based on their organizational needs. Similarly, for flexibility and customization, the to-be-released up-to 50 GB scanning capacity caters to large file scanning scenarios. How to use Malware Scanning? When to use on-upload vs. on-demand malware scanning Each type of malware scanning in Defender for Storage serves distinct scenarios, tailored to meet different security needs and operational contexts: On-Upload Scanning: Designed for immediate, proactive protection at the point of entry, on-upload scanning inspects files as they’re uploaded or modified in real time. This type of scanning is ideal for scenarios where immediate data integrity is crucial, such as in collaborative platforms, file-sharing applications, and web applications that regularly receive external content. Additionally, regulated industries like finance and healthcare benefit from on-upload scanning because it provides near real-time defenses for incoming data, helping maintain compliance and prevent malware from embedding in critical workflows. By scanning files upon entry, organizations can prevent malicious content from reaching end users or impacting downstream processes, ensuring data security in high-upload environments. On-Demand Scanning: On-demand scanning provides retrospective, flexible protection for files already stored in the cloud, making it especially useful for incident response, audits, and compliance checks. This mode is ideal when organizations need to inspect older data against updated threat definitions or when scanning is triggered by security events flagged in Microsoft Sentinel or other monitoring tools. On-demand scanning works well for organizations with archival data, where periodic assessments are necessary to meet evolving compliance and security standards. It’s also valuable for checking files after a potential breach or suspicious activity to confirm there’s no lingering malware in the environment. With scheduled or API-triggered scans, on-demand scanning allows organizations to proactively review their storage environment without constant manual intervention. Key capabilities of Defender for Storage Malware Scanning Microsoft Defender for Storage’s malware scanning provides advanced features tailored to modern storage environments, with unique benefits that distinguish it from traditional solutions: Cloud-Native Integration: Embedded fully within Azure, Defender for Storage eliminates the need for third-party setups, allowing for streamlined deployment and ongoing maintenance without modifying architecture or application code. Comprehensive Threat Detection: Defender for Storage leverages Microsoft Defender Antivirus and global threat intelligence to detect a wide range of threats, including polymorphic and metamorphic malware, supporting both standard and archive file types (e.g., ZIP, RAR). Upcoming updates will expand support to scan files up to 50GB, meeting larger storage needs. Flexible Scanning Options: By offering both on-upload and on-demand scanning, Defender for Storage provides adaptable security to cover both immediate and ongoing protection needs across new and existing data. Automated Response Capabilities: Defender for Storage enables automated actions based on scan results, such as quarantining or deleting flagged files and moving clean files to secure storage locations. This capability is enhanced by attribute-based access control (ABAC), which can restrict access to flagged files, ensuring that only safe, scanned files are accessible. Incident Response Playbooks: Organizations can configure playbooks for on-demand scanning that trigger scans in response to suspicious activity, enabling rapid, automated investigation and containment of potential threats. Scheduled Scanning for Continuous Protection: Using Logic Apps, Automation Runbooks, or PowerShell scripts, organizations can schedule recurring scans of high-risk resources based on tags or names, allowing for proactive monitoring and enhancing security posture over time. Cost Control and Management: Defender for Storage includes flexible cost management features, allowing customers to set monthly caps on on-upload scanning to control expenses. For on-demand scanning, cost estimates are provided before scans begin, supporting budget-conscious decision-making. Usecases of Malware Scanning in Defender for Storage Defender for Storage’s malware scanning addresses a variety of real-world use cases across different industries: Incident Response and Threat Hunting: When Microsoft Defender XDR and Sentinel detects unusual access, on-demand scanning can be triggered to inspect impacted files, helping security teams respond to potential threats effectively. Compliance in Regulated Sectors: Sectors like finance, healthcare, and government rely on Defender for Storage’s on-upload and on-demand scanning to meet strict data integrity and compliance requirements, with auditable records for regulatory standards. Securing Archived Data: On-demand scanning ensures that files stored for extended periods are inspected against the latest threat definitions, protecting data integrity before archived files are used or shared. Preventing Malware Distribution: By scanning all uploads, on-upload malware scanning blocks malicious files as they enter storage, while on-demand scanning secures existing data. Together, these modes provide layered protection against malware propagation within and outside the organization. Case studies The following scenarios illustrate how Microsoft Defender for Storage’s capabilities are applied to real-world challenges that enterprises face in securing cloud storage. These examples demonstrate how different organizations might leverage features such as malware scanning, sensitive data threat detection, and activity monitoring to protect critical data and maintain compliance: Case Study 1: Large Enterprise Secures AI-Driven Workflows with On-Upload and On-Demand Malware Scanning A large enterprise implementing AI-driven workflows across departments needed to secure the vast datasets stored in Azure Blob Storage against malware without disrupting critical business operations. By adopting Microsoft Defender for Storage’s on-upload malware scanning, the organization ensured that all files uploaded for AI and machine learning processes were scanned at the point of entry, preventing malicious content from embedding within key datasets. Additionally, on-demand malware scanning allowed them to periodically assess legacy files against updated threat intelligence, proactively mitigating risks across both newly added and older data. This approach provided robust, low-maintenance protection that scaled across the organization, helping ensure data integrity without impacting performance or requiring significant architectural changes. Case Study 2: Financial Institution Detects and Mitigates Misconfigured SAS Tokens to Protect Sensitive Data A financial institution with strict policies for secure cloud storage access recently encountered an incident involving a misconfigured shared access signature (SAS) token. Although their organizational policy mandated access through identities only, a configuration drift allowed a storage account with sensitive data to be accessed via an overly permissive SAS token with a long expiration period. The compromised token was detected by Microsoft Defender for Storage’s data-plane activity monitoring, which flagged unusual access patterns, generating a security alert about the potential misuse. In response, the institution immediately rotated the key, effectively revoking the compromised SAS token, and then traced the owner of the impacted Infrastructure as Code (IaC) template to update the configuration to enforce keyless access. This detection and corrective action improved their security posture, reinforcing adherence to internal policies and reducing the risk of unauthorized data access. Case Study 3: Global Manufacturer Uses Automated Workflows to Prevent Malware Distribution to Partners A global manufacturing company that shares design and media files across Azure Blob Storage with external partners needed a solution to prevent malware from spreading through shared resources. By enabling Defender for Storage’s on-upload malware scanning, the company ensured that any files uploaded to shared storage accounts were scanned for malicious content before being accessible to internal teams and external collaborators. They integrated automated workflows using Event Grid and Function Apps to quarantine flagged files immediately and route clean files to designated storage locations. This seamless, automated approach minimized manual intervention, providing an efficient way to prevent malware distribution while supporting uninterrupted collaboration with partners and maintaining secure shared storage environments. Explore additional resources to protect your cloud storage: Get started: 📖 On-Demand Malware Scanning Docs https://lnkd.in/gYfyDG4Q 📚 GitHub Lab for a hands-on walkthrough via UI and API https://lnkd.in/g37YJMbx 🛠️ PowerShell script that lets you automate on-demand malware scans on Storage Accounts tagged with specific key-value pairs https://lnkd.in/gGq8N23s Learn more about storage security in Defender for Cloud. Test out Defender for Storage and Malware Scanning with Defender for Cloud Labs. Ready to protect your cloud data? Explore Microsoft Defender for Storage today: Start a Free Trial. Learn about our recent Ignite releases. Learn how you can unlock business value with Defender for Cloud.
