Containers Security Mapping Dashboard
Published Aug 16 2022 01:56 PM

Microsoft Defender for Containers merges the capabilities of the two previously offered Microsoft Defender for Cloud plans, Microsoft Defender for Kubernetes and Microsoft Defender for Container registries, and adds a new set of critical features on top of the previously offered ones. Make sure to read this article for more details. 

  • Multi-cloud support: AKS and any Cloud Native Computing Foundation (CNCF) certified Kubernetes clusters (through Azure Arc) 
  • Kubernetes-native deployment: automatic deployment using DaemonSet 
  • Advanced Threat Detection: deterministic, AI, and anomaly-based detection 
  • Vulnerability assessment: continuous scan for running images 

Make sure to read one of our customer stories to see how Land Lakes Inc. uses and benefits from Microsoft Defender for Containers in their complex landscape.

 

Current Challenge 

The Defender for Containers plan provides us with amazing capabilities, such as scanning images stored in an ACR for vulnerabilities. Defender for Containers also provides real-time threat protection and generates alerts for suspicious activities. Defender for Cloud continuously assesses the configurations of your clusters and compares them with the initiatives applied to your subscriptions. When it finds misconfigurations, Defender for Cloud generates security recommendations that are available on Defender for Cloud's Recommendations page. When the Defender for Containers plan is enabled on a cluster, it will also monitor the Kubernetes API operations to find suspicious and malicious activities in the Kubernetes control plane. To protect the workloads of your Kubernetes containers with tailored recommendations, you can install the Azure Policy for Kubernetes. You can also auto deploy this component as explained in enable auto provisioning of agents and extensions.

With the add-on on your AKS cluster, every request to the Kubernetes API server will be monitored against the predefined set of best practices before being persisted to the cluster. You can then configure it to enforce the best practices and mandate them for future workloads. To learn more about the offering capabilities, check out our documentation here. One of the challenges we hear from customers is, ‘I have to navigate through multiple blades in order to view all the great capabilities Defender for Containers offers’.

 

Proposed Solution 

Up until now, there was no single view in which you could visualize everything Defender for Containers provides: the vulnerability assessments from scanning your Azure Container Registries and Kubernetes runtimes, the Threat Detection alerts, and the hardening recommendations and security best practices that the plan offers. You had to browse through the Recommendations and Alerts blades in Azure to assess and obtain this information. With this blog, we’re introducing you to a workbook that acts as a single pane of glass representing all the vulnerabilities and alerts that Defender for Containers found in your environment.

 

What’s in the Dashboard 

The new ‘Containers Security Mapping Dashboard’ for Microsoft Defender for Cloud provides a unified view of, and deep visibility into, the security issues surfaced by the Defender for Containers plan, mapped from the resource telemetry in your own environment.

The dashboard is powered by Azure Resource Graph (ARG) queries and divided into different sections. The workbook can be edited, and all queries can be modified based on your needs.  

The workbook provides different sections like:  

  • Containers Vulnerabilities by Category & Severity (ACR) 
  • Hardening recommendations  
  • Kubernetes - Running Images Vulnerabilities by Category & Severity (Kubernetes Runtime) 
  • Alert summary mapped by MITRE ATT&CK Tactics.  
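
As an added illustration (not one of the workbook's own queries), the following Azure Resource Graph query shows the kind of query that a section such as "Containers Vulnerabilities by Category & Severity (ACR)" can be built on. It assumes registry image findings appear in the `securityresources` table as sub-assessments whose `additionalData.assessedResourceType` is `ContainerRegistryVulnerability`; adjust the filters to match the data in your environment.

```kusto
// Added example, not taken from the workbook.
// Open (Unhealthy) vulnerability findings for images stored in Azure Container
// Registry, counted per registry and severity.
securityresources
| where type == 'microsoft.security/assessments/subassessments'
// Assumption: registry image findings carry this assessedResourceType.
| where tostring(properties.additionalData.assessedResourceType) == 'ContainerRegistryVulnerability'
| where tostring(properties.status.code) == 'Unhealthy'
// The registry's resource ID is the part of the finding ID before the
// Microsoft.Security provider segment.
| extend registryId = tostring(split(tolower(id), '/providers/microsoft.security/')[0]),
         severity   = tostring(properties.status.severity),
         patchable  = tobool(properties.additionalData.patchable),
         image      = strcat(tostring(properties.additionalData.repositoryName), '@',
                             tostring(properties.additionalData.imageDigest))
| summarize high              = countif(severity == 'High'),
            medium            = countif(severity == 'Medium'),
            low               = countif(severity == 'Low'),
            patchableFindings = countif(patchable == true),
            affectedImages    = dcount(image)
        by subscriptionId, registryId
// Registries with the most high-severity findings first.
| order by high desc, medium desc, low desc
```

The query can be run in Azure Resource Graph Explorer with the same Reader permission the dashboard requires, and the `patchableFindings` column helps prioritize registries where rebuilding images on an updated base would clear findings.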

 

How to Deploy 

The Containers Security Mapping Dashboard is available in the Microsoft Defender for Cloud dashboard under the Workbooks blade and in the Community section.

 

How to Use

To use this dashboard, you need at least Reader permission at the subscription level. Assuming you have the required permissions, watch the screen capture below to learn about how to navigate through and use the dashboard. 

[Screen capture: WorkbookContainers.gif]

 

Conclusion 

Microsoft Defender for Containers significantly improves the security of container environments. Once enabled on a cluster, it will monitor the Kubernetes API operations to find suspicious and malicious activities in the Kubernetes control plane. The solution extends to your AWS (EKS Clusters) and GCP (GKE Clusters) resources as well. Make sure to utilize our ‘Containers Security Mapping Dashboard’ to get a single pane of glass view of the security of your environment.

 

Additional Resources 

  • To learn more about Microsoft Defender for Containers offering, make sure to check out our documentation 
  • To understand Defender for Containers feature availability check out this documentation here 
  • Check out our multi-cloud documentation to understand the capabilities we offer to monitor your EKS and GKE Clusters. 

Acknowledgements 

  • Special thanks to Maya and Tomer for the partnership and for reviewing the artifact and providing feedback for its improvement.
Last update: Aug 16 2022 01:53 PM