Azure Security Center – Part I

Join me to get into Azure Security Center in three steps!

  1. What? Why? Who? When? Azure Security Center!
  2. Azure Security Center. How-To’s
  3. Azure Security Center. Get into PowerShell …

Today I will talk about …

What? Why? Who? When? ASC!

What is Azure Security Center?

Security in the cloud! Don’t forget it: working in the cloud does not mean security is no longer needed. We still need to secure the environment in Azure (creating Azure Network Security Groups, activating Azure Diagnostic logs, …).

A great tool to help us with this is “Azure Security Center” (ASC).

ASC is a cloud workload protection solution that provides security management and advanced threat protection across hybrid cloud workloads. Extended with Log Analytics, it collects telemetry and other data for compute, network, storage and application workloads.


What’s included:

  • Monitor security across on-premises and cloud workloads
  • Apply policy to ensure compliance with security standards
  • Find and fix vulnerabilities before they can be exploited
  • Use access and application controls to block malicious activity
  • Leverage advanced analytics and threat intelligence to detect attacks

Azure Security Center – Pricing model

There are two pricing models: Free and Standard.
The Free tier is always active on the Azure subscription.
Don’t forget that the first 60 days are free of charge once the Standard tier has been activated. After the 60 days, count on €0.017 per node/hour for West Europe, around €12.31 per node/month ($0.02 per node/hour).
Pricing can be activated on the whole Azure subscription or per resource group within the subscription.
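As an added example that is not part of the original post, this is how the Free/Standard tier can be inspected and switched with the Az.Security PowerShell module. It assumes Az.Security is installed and you have already signed in with Connect-AzAccount; note that these cmdlets set the tier per resource type (plan) across the subscription.

```powershell
# Added example (not from the original post): inspect and change the
# Security Center pricing tier with the Az.Security module.
# Assumes Az.Security is installed and Connect-AzAccount has been run.

# 1. Show the current tier of every plan in the subscription.
#    FreeTrialRemainingTime (assumed property name) reflects the 60-day trial.
Get-AzSecurityPricing |
    Select-Object Name, PricingTier, FreeTrialRemainingTime |
    Format-Table -AutoSize

# 2. Switch one plan (here: virtual machines) from Free to Standard.
#    After the trial this is the paid tier (€0.017 per node/hour in West Europe).
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard'

# 3. Verify the change and report any plan that is still on the Free tier,
#    so nothing is left without advanced threat protection by accident.
$free = Get-AzSecurityPricing | Where-Object { $_.PricingTier -eq 'Free' }
if ($free) {
    "Plans still on the Free tier: $($free.Name -join ', ')"
} else {
    'All plans are on the Standard tier.'
}
```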

Picture of the Free tier of Security Center; advanced threat protection is not enabled.

Why is Azure Security Center important?

Threats are increasing rapidly, and the threat landscape is changing continuously. Ransomware like WannaCry, infecting businesses and even home users, was a big problem in the beginning of 2017. Another security threat is Trojans. Before you can protect against and resolve these threats, you need to understand the cyber kill chain. Attackers can breach one resource and then use it to attack other resources in the cloud. We need to detect (monitor) breaches and, based on these alerts, take the necessary actions to stop these attacks. This results in better protection of your environment and less loss of data and money. Detecting/monitoring threats is a good start, but we also need to gather data to understand the threat, looking for patterns by using machine learning that makes the solution more bulletproof against threats.

Getting your cloud security on track will reduce your losses from cyber attacks. Some customers think that when you move to the cloud, security also moves to the cloud. But this is not true! With an IaaS or PaaS solution, the security of those solutions in the cloud is the responsibility of the customer, and that’s where Azure Security Center comes in: to help us protect our IaaS or PaaS solution as well as possible.

Who?

Security in Azure is a shared responsibility. You are responsible for hardening and patching your environment, monitoring, … Microsoft provides you with security recommendations for IaaS or PaaS and on how to harden your environment, but again, it is you who must take the necessary actions to harden the environment (Azure Security Center recommendations).

Understanding the cyber kill chain.

Before we continue explaining ASC, we need to understand the cyber kill chain and how cyber criminals, or any other attacker, carry out an attack.

Lockheed Martin developed the cyber kill chain to help us understand the way a cyber criminal tries to attack an environment. Each step of the chain represents a phase of the attack.

01 – EXTERNAL RECOGNITION
Getting as much information as possible about the target. The quality of that information will determine the success of the attack (email information, conference information, etc.).

02 – WEAPONIZE
The hacker prepares the tool, including the backdoor, as a deliverable package.

03 – DELIVERY
The hacker will try different techniques to deliver the package to the victim: phishing emails, USB, web, etc.

04 – EXPLOITATION
The backdoor is installed in the victim’s environment and the hacker gets access to the system.

05 – INSTALLATION
Installing malware on the infected device.

06 – COMMAND & CONTROL
Hackers gain full control over the infected device.

07 – ACTIONS ON OBJECTIVES
Hackers have hands-on access to the system and can intrude deeper and deeper into the victim’s environment, which leads to loss of data, loss of money and worse.

200 days is the average number of days before a hacker is detected. Really?

Based on this model, we can conclude that protecting only the assets is not enough. Building a solid security posture is the way to go to secure your environment against threats. This solid security posture is based on three pillars:

  • Protect
  • Detect
  • Respond

Reflecting this onto Azure Security Center:

  • The prevention pillar helps you harden your environment (recommendations, visibility)
  • The detection pillar helps you detect gaps in your environment’s strategy (threats)
  • Advanced cloud defence: tools to stay productive and secure


Getting started with Azure Security Center.

In the next blog I will talk about getting started with Azure Security Center and what the first steps are, like …

  • Define role and responsibilities (Role based Access Control)
  • Policies
  • Data collection and storage
  • Recommendations
  • Monitoring and alerting
Resource list:

Azure Security Center: Azure Security Center – Homepage
Lockheed Martin – Cyber Kill Chain: Cyber Kill Chain – web
Book: Microsoft Azure Security Center by Yuri Diogenes and Dr. Thomas W. Shinder
