In this blog post, we will have a quick look at the new Azure Security Center enhancements introduced on Feb 10, 2017.
These new capabilities leverage collective intelligence derived from millions of Azure customers worldwide, and are intended to provide effective threat detection as well as prevention against the ever-increasing volume and sophistication of attacks.
Advanced Cloud Defense:
Some traditional security controls deliver important protection from threats, but have proved to be too costly to configure and maintain. By applying prescriptive analytics to application and network data, learning the behavior of a machine or a group of machines, and combining these insights with broad cloud reputation, Azure Security Center empowers customers to realize the benefits of these controls without introducing any management overhead.
- Application Whitelisting – Once a VM is compromised, an attacker will likely execute malicious code on it as they take action toward their objectives. Whitelisting legitimate applications helps block unknown and potentially malicious applications from running, but historically managing and maintaining these whitelists has been problematic. Azure Security Center can now automatically discover and recommend a whitelisting policy for a group of machines, and apply these settings to your Windows VMs using the built-in AppLocker feature. After applying the policy, Azure Security Center continues to monitor the configuration and suggests changes, making it easier than ever before to leverage the powerful security benefits of application whitelisting.
- Just-In-Time (JIT) Network Access to VMs – Attackers commonly target open management ports (RDP, SSH, etc.) with brute-force attacks as a means to gain access to VMs running in the cloud. By only opening these ports for a limited time, when a remote connection to the VM is actually needed, Azure Security Center can significantly reduce the attack surface and with it the risk that the VM will be compromised.
Advanced Threat Detection:
Microsoft’s security research and data science teams constantly monitor the threat landscape and keep adding new detection algorithms or enhancing existing ones.
Azure Security Center customers benefit from these innovations as algorithms are continuously released, validated, and tuned, without having to keep signatures up to date themselves.
Here are some of the most recent updates:
- Harnessing the Power of Machine Learning – Azure Security Center has access to a vast amount of data about cloud network activity, which can be used to detect threats targeting your Azure deployments. For example:
  - Brute Force Detections – Machine learning is used to build a historical pattern of remote access attempts, which allows it to detect brute-force attacks against SSH, RDP, and SQL ports. Microsoft will be expanding these capabilities to also monitor for network brute-force attempts targeting many other applications and protocols, such as FTP, Telnet, SMTP, POP3, Squid proxy, MongoDB, Elasticsearch, and VNC.
  - Outbound DDoS and Botnet Detection – A common objective of attacks targeting cloud resources is to use the compute power of these resources to execute further attacks. New detection algorithms are generally available in Azure Security Center which cluster virtual machines together according to network traffic patterns and use supervised classification techniques to determine whether they are taking part in a DDoS attack. Also in private preview are new analytics that detect whether a virtual machine is part of a botnet. These work by joining network flow data (IPFIX) with passive DNS information to obtain the list of domains accessed by the VM, and using that list to detect malicious access patterns.
- New Behavioral Analytics for Servers and VMs – Once a server or virtual machine is compromised, attackers employ a wide variety of techniques to execute malicious code on that system while avoiding detection, ensuring persistence, and obviating security controls. Additional behavioral analytics are now generally available in Azure Security Center to help identify suspicious activity, such as process persistence in the registry, processes masquerading as system processes, and attempts to evade application whitelisting. In addition, new analytics designed specifically for Windows Server 2016 have been released to public preview, for example for activity related to SAM and admin account enumeration. Shortly, many of the behavioral analytics available for Windows VMs will be available for Linux VMs as well. Operations Management Suite Security users will also benefit from these new detections for non-Azure servers and VMs.
- Azure SQL Database Threat Detection – Threat Detection for Azure SQL Database, which identifies anomalous database activities indicating unusual and potentially harmful attempts to access or exploit databases, has been announced for general availability in April 2017. You can view alerts from SQL Database Threat Detection in Azure Security Center, along with additional details and actions for investigating and preventing similar threats in the future.
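To make the two machine-learning bullets above more concrete, here is a small added example (my own illustration, not Azure Security Center's code) of the kind of logic they describe: a per-port baseline of failed remote-access attempts learned from a history window and used to flag a brute-force spike, and a join of IPFIX-style flow records with passive DNS data to recover which domains a VM talked to. All records, IP addresses, domains and the "known malicious" list are constructed for the example; the simple reputation-list match at the end stands in for whatever "malicious access patterns" the real analytics look for, which the post does not specify.

```python
"""Toy detections over constructed telemetry: brute-force baseline + flow/pDNS join."""
from collections import defaultdict
from statistics import mean, pstdev

# --- Constructed remote-access attempt records: (day, source_ip, dst_port, outcome)
# Days 1-7 are the learning window; day 8 is the period being evaluated.
HISTORY_DAYS = range(1, 8)
EVAL_DAY = 8

# Normal background noise of a few failures per day per port (constructed counts).
_BASELINE_FAILS = {
    22:   [3, 4, 2, 5, 3, 4, 3],
    3389: [1, 2, 1, 0, 2, 1, 1],
    1433: [0, 1, 0, 0, 1, 0, 0],
}


def _build_access_log():
    records = []
    for port, per_day in _BASELINE_FAILS.items():
        for day, fails in zip(HISTORY_DAYS, per_day):
            records += [(day, "198.51.100.20", port, "fail")] * fails
            records.append((day, "198.51.100.20", port, "success"))
    # Day 8: a single source hammering SSH (constructed attacker address, RFC 5737 range).
    records += [(EVAL_DAY, "203.0.113.7", 22, "fail")] * 120
    records += [(EVAL_DAY, "198.51.100.20", 3389, "fail")] * 2
    records += [(EVAL_DAY, "198.51.100.20", 1433, "fail")] * 1
    return records


ACCESS_LOG = _build_access_log()


def learn_baseline(records, history_days):
    """Per destination port: (mean, population stdev) of daily failed attempts."""
    per_port_day = defaultdict(lambda: defaultdict(int))
    ports = set()
    for day, _src, port, outcome in records:
        ports.add(port)
        if outcome == "fail" and day in history_days:
            per_port_day[port][day] += 1
    baseline = {}
    for port in ports:
        counts = [per_port_day[port].get(d, 0) for d in history_days]
        baseline[port] = (mean(counts), pstdev(counts))
    return baseline


def detect_brute_force(records, history_days, eval_day, sigma=3.0, min_attempts=20):
    """Alert when a port's failed attempts on eval_day exceed baseline mean + sigma*stdev.

    min_attempts keeps very quiet ports (stdev near zero) from alerting on a handful of
    failures; both knobs are illustrative, not ASC's real thresholds.
    """
    baseline = learn_baseline(records, history_days)
    observed = defaultdict(lambda: defaultdict(int))  # port -> src -> failures
    for day, src, port, outcome in records:
        if day == eval_day and outcome == "fail":
            observed[port][src] += 1
    alerts = []
    for port, by_src in observed.items():
        total = sum(by_src.values())
        mu, sd = baseline.get(port, (0.0, 0.0))
        threshold = max(min_attempts, mu + sigma * sd)
        if total > threshold:
            top_src = max(by_src, key=by_src.get)
            alerts.append({"port": port, "attempts": total,
                           "threshold": round(threshold, 1), "top_source": top_src})
    return alerts


# --- Constructed IPFIX-style flow records: (vm, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("vm-web-01", "198.51.100.10", 443, 5200),
    ("vm-web-01", "192.0.2.55", 6667, 900),
    ("vm-db-01", "198.51.100.10", 443, 3100),
]
# Constructed passive-DNS table: resolved IP -> domains observed resolving to it.
PASSIVE_DNS = {
    "198.51.100.10": {"updates.example.com"},
    "192.0.2.55": {"c2.bad-example.net"},
}
# Constructed placeholder reputation list (stands in for a real threat-intel feed).
KNOWN_MALICIOUS = {"c2.bad-example.net"}


def domains_per_vm(flows, pdns):
    """Join outbound flows with passive DNS to recover the domains each VM contacted."""
    seen = defaultdict(set)
    for vm, dst_ip, _port, _bytes in flows:
        seen[vm].update(pdns.get(dst_ip, {"unresolved:" + dst_ip}))
    return seen


def detect_botnet_members(flows, pdns, reputation):
    """VMs whose contacted domains intersect the reputation list, with the matches."""
    hits = {}
    for vm, domains in domains_per_vm(flows, pdns).items():
        bad = sorted(domains & reputation)
        if bad:
            hits[vm] = bad
    return hits


if __name__ == "__main__":
    print(detect_brute_force(ACCESS_LOG, HISTORY_DAYS, EVAL_DAY))
    print(detect_botnet_members(FLOWS, PASSIVE_DNS, KNOWN_MALICIOUS))
```

Two design points worth noting: the baseline is learned per port rather than globally, because the normal failure rate for RDP and SQL differs from SSH, and the `min_attempts` floor prevents a port that never sees failures (standard deviation of zero) from alerting on one stray typo. The flow/pDNS join shows why passive DNS matters: the flow record only carries an IP, and it is the historical resolution data that turns that IP into a domain name that can be checked against reputation.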
New Integrated partners:
Azure Security Center makes it easy to bring your trusted cloud security vendors with you to the cloud. Recent additions include:
- Fortinet NGFW and Cisco ASA – In addition to solutions from Check Point and Barracuda, Azure Security Center (ASC) now features integration with Fortinet and Cisco ASA next-generation firewalls. ASC automatically discovers deployments where these solutions are recommended (based on the policy you set), streamlines deployment and monitoring, and integrates security alerts from these partner solutions – making it easier than ever to bring your trusted security solutions with you to the cloud.
Azure Security Center requires zero setup – simply open Security Center in the Azure Portal. Use the free version or upgrade to the 90-day trial to enable advanced prevention and threat detection.
You can find the original announcement source here
Hope you found this blog post useful. If you have any queries or feedback, please feel free to mention them in the comments section below.