Azure Security Features
Microsoft Sentinel
A SIEM (Security Information and Event Management).
Collects, analyzes, visualizes, detects, investigates and queries data from a large set of resources to identify incidents and anomalies in a network.
Data is queried from the Log Analytics workspace with the Kusto Query Language (KQL).
Leverages AI and Microsoft Threat Intelligence.
No server to deploy (100% cloud-based).
Connectors
Connectors are used to connect services and apps to Microsoft Sentinel, which is then able to collect data and logs from these different sources. Connectors can be used with Azure services as well as with on-premises resources and resources hosted by other cloud providers.
Incident investigation tools
With Microsoft Sentinel, you can investigate and visualize specific incidents. An incident is created when a security alert is triggered. You can also manage tasks related to a specific incident.
Workbook
A customizable dashboard that helps you visualize the data collected by Microsoft Sentinel.
Security alerts
Use the built-in alerts based on Microsoft AI technology, or customize your own security alerts.
Playbooks
A tool that allows the SOC team to automate the response to incidents and alerts. Playbooks can be integrated with Azure Logic Apps to automate those responses.
Microsoft Defender for Cloud
Previously known as Microsoft Security Center.
Can be used on-premises, in multi-cloud environments (Azure, AWS, GCP) and with any Azure service.
Detects suspicious activities on web apps, servers, databases, containers, storage, etc.
Microsoft Defender includes plans dedicated to protecting specific asset types (web apps, servers, storage, etc.). The tenant chooses which plans are needed depending on its infrastructure and security needs.
Can identify whether proper security controls are in place and whether resources comply with regulatory and policy requirements.
Monitors your security posture over time (Secure Score: a high Secure Score means a well-protected environment).
Provides and prioritizes recommendations to improve your security posture.
Makes use of Microsoft Threat Intelligence.
Two main components:
Cloud Security Posture Management (CSPM): detect and visualize.
Cloud Workload Protection (CWP): react to threats, send alerts.
Defender for Cloud's enhanced security features
Allow you to trigger alerts.
Defense in depth
Microsoft applies the concept of defense in depth to its on-premises and cloud resources. Security controls can be implemented at each layer to help protect the confidentiality, integrity and availability (CIA triad) of resources. The seven layers of security make it harder for an attacker to fully compromise the network, since multiple layers of protection have to be defeated.
Network Security Groups
Can be compared to an internal firewall for virtual networks. Lets the administrator define security rules that allow or block inbound and outbound traffic for a group of resources.
Network security groups (NSGs):
can be applied to subnets or network interfaces;
are better applied to subnets than to network interfaces (easier to manage);
operate at layer 4 of the OSI model;
offer rules that can be applied to on-premises and Azure resources;
have default security rules that cannot be modified but can be overridden by custom rules.
Security rules:
accept the ICMP, TCP and UDP protocols;
use five properties (source, source port, destination, destination port and protocol);
are assigned a priority number between 100 and 4096 (the lowest number has the highest priority).
An augmented version of security rules allows the use of application security groups (ASGs) and service tags. These features allow a single security rule to be applied to multiple resources coming from different subnets or networks. For example, application security groups allow VMs to be grouped logically into a single group regardless of their IP address or subnet. Some resources or services are grouped by Microsoft under a service tag. A service tag simplifies administration, since a single rule can be applied to multiple resources that have their own IP addresses and belong to different subnets.
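To make the evaluation order concrete, here is an added example (not Microsoft's code and not from the original page) that models NSG inbound rule evaluation in Python: rules are walked from the lowest priority number upward, the first match decides, and the default rules sit at priorities 65000 and above so any custom rule in the 100-4096 range overrides them. The address ranges behind the service tags and the custom rules themselves are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-ins for the address ranges Azure resolves service tags to
# (an assumption for this example; the real tag contents are managed by Microsoft).
SERVICE_TAGS = {"VirtualNetwork": ["10.0.0.0/16"], "AzureLoadBalancer": ["168.63.129.16/32"]}

# The five properties of a security rule plus name, priority, direction and access.
# Custom rules use priorities 100-4096; the lowest number wins. Address fields take a
# CIDR, a service tag or "*"; port fields take "*", "22" or a range like "1024-65535".
Rule = namedtuple("Rule", "name priority direction access protocol "
                          "source source_port destination dest_port")

def _addr_match(spec, addr):
    if spec == "*":
        return True
    return any(ipaddress.ip_address(addr) in ipaddress.ip_network(c)
               for c in SERVICE_TAGS.get(spec, [spec]))

def _port_match(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

# Default inbound rules every NSG carries: they cannot be edited, but a custom rule
# with a lower priority number is evaluated first and therefore overrides them.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed custom rules: SSH only from an admin range, SSH denied from anywhere
# else, and RDP blocked even inside the VNet (this one overrides AllowVNetInBound).
CUSTOM_RULES = [
    Rule("AllowSSHFromAdmin", 100, "Inbound", "Allow", "TCP", "203.0.113.0/24", "*", "*", "22"),
    Rule("DenySSHFromAnywhere", 200, "Inbound", "Deny", "TCP", "*", "*", "*", "22"),
    Rule("DenyVNetRDP", 300, "Inbound", "Deny", "TCP", "VirtualNetwork", "*", "*", "3389"),
]

def evaluate(rules, proto, src, sport, dst, dport, direction="Inbound"):
    """Walk rules in priority order; the first match decides. Returns (name, access)."""
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (r.direction == direction and r.protocol in ("*", proto)
                and _addr_match(r.source, src) and _port_match(r.source_port, sport)
                and _addr_match(r.destination, dst) and _port_match(r.dest_port, dport)):
            return r.name, r.access
    return None, "Deny"  # unreachable in practice: DenyAllInBound matches everything
```

Calling evaluate(CUSTOM_RULES, "TCP", "10.0.2.9", 40000, "10.0.1.4", 3389) shows the override: the VNet-to-VNet default allow at 65000 never gets a chance because DenyVNetRDP at 300 matches first.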
Azure Firewall
It is possible to deploy an Azure Firewall in front of your Azure resources in order to restrict inbound and outbound traffic. Traffic rules can be based on the IP address (source and destination), port, protocol and the FQDN of the application. Azure Firewall benefits from the cloud's high scalability and availability and can be integrated with Azure Monitor. Azure Firewall is dynamic (stateful), which means that the full context of a connection, not just a single packet, is analyzed before the traffic is accepted or blocked.
Three types of rules are associated with Azure Firewall:
Web app rules
NAT rules (Network Address Translation)
Network rules
Azure DDoS Protection
Azure offers basic DDoS protection to all subscriptions. A customer may want to upgrade to Standard DDoS protection, which helps protect the virtual network from protocol and volumetric attacks affecting the hosts.