Cloud Security via Security Center

Another critical part of managing any cloud is security. In Azure Microsoft has a service called Security Center. I am going to cover Security Center at a high level here in this post as Security Center itself is a big topic and is frequently changing with new improvements. This provides continuous assessment of your clouds security posture. Security Center gives you a central place to monitor and manage your security. Security Center can even covers Hybrid Cloud with the ability to extend on-premises. With Security Center you can apply security policies to your cloud workloads and respond to attacks that occur.

Security Center has a “free” tier that can be used with any Azure subscription. In fact if you are running Azure you should at a minimum be utilizing the free tier of Security Center. The tiers are:

Not covered = not monitored by Security Center.

Basic Coverage = subscriptions under this “free” tier are under the limited, free level of Security Center.

Standard Coverage =  subscriptions under this “standard” tier have the maximum level coverage by Security Center.

Key features in Security Center are:

– Security policy, assessment, and recommendations / free / Security Center performs continuous assessment and recommendations based on security policies that are set. This is the core feature of Security Center.

– Event collection and search / standard / Security Center can store security events in a Log Analytics (LA) workspace. The events also are available in the LA workspace for searching.

– Threat Protection / standard / visibility into any detected security alerts and their severity level.

– Just in time VM access / standard / Just in time VM access locks down inbound traffic to IaaS VM’s. With this feature users are required to request access to the VM for a specified amount of time. A firewall rule is opened on an NSG allowing the access and then the ports are closed after the allotted window of access time. This can reduce the attack surface on VM’s.

NOTE: (Automate Just In Time VM Access Request With PowerShell – https://github.com/CharbelNemnom/Power-MVP-Elite/tree/master/Request%20JIT%20VM%20Access by Microsoft MVP Charbel Nemnom)

– Adaptive application controls / standard /  This feature allows you to choose what applications are allowed to run on your VMs. This feature uses machine learning to analyze the applications running in the VM and then you whitelist the ones you want to allow to run.

– Custom alerts / standard /  Security Center has a bunch of default alerts. Alerts fire when a threat, or suspicious activity occurs. You can find the list of the default alerts here: security alerts. Security Center also has custom alerts that you can setup. With these you define the conditions upon which an alert is fired.

– Threat intelligence  / standard /  this feature watches for known bad actors using threat intelligence data from Microsoft’s global products and services such as Azure, Office 365, Microsoft CRM online, Microsoft Dynamics AX, outlook.com, MSN.com, and Microsoft’s Digital Crimes Unit (DCU) and Microsoft Security Response Center (MSRC) .

It is important to note that Security Center leverages many other Azure services to power its services. Some of these other Azure services include:

  • Azure Policy
  • Log Analytics
  • Logic Apps
  • Machine Learning

Now that we looked at key features of Security Center let’s take a tour of Security Center. The best way to navigate Security Center is via the navigation on the left hand side and that is the way I will break it down. The menu sections are shown in the following table:

When you first click into Security Center you will see the Overview. Overview is also the first section under “General”. Here is a screenshot of the overview pain.

Essentially the overview pane gives you a summary of your security posture pulling in data from several sections in Security Center. Getting started is where you can launch a 60 day trial on the standard plan. Events brings you to a log analytics workspace dashboard to give you another display and search capabilities on your security data. Search will bring you directly to the log analytics search screen where you can search on your security data.

Read more