Getting Started with Azure Security Center

  Azure, Security Center

Main Menu

Getting Started with Azure Security Center

https://mva.microsoft.com/en-US/training-courses/hybrid-cloud-workload-protection-with-azure-security-center-18173?l=Ld0LK42jE_006218965

What is Azure Security Center

  • Azure service that allows customers to:
    • Gain visibility and control into their Azure infrastructure
    • Integrate 3rd Party partner solutions with a click of a button
    • Detect attacks on resources deployed in the environment
  • Three Main Pillars
    • Prevention
      • Harden your environment-Free Of Charge
      • Compute
        • Are systems monitored
        • Patched status
        • Vulnerability exposures and recommendations
      • Networking
        • Visibility into all resources that are able to reach the Internet
      • Storage and Data
        • Auditing
        • Ensuring your data is encrypted at rest
      • Applications
        • Whether then are appropriately hardened
        • How they fit into your architecture
    • Detection Pillar (This is where the power is!)
      • Detect gaps in your prevention strategy -ASC Standard or OMS Sec.
      • Azure security experts:
        • Watching your environment
        • Seeing patterns of behavior
        • Identifying if there is suspicious activity
          • Activity is reported as why they feel this is a threat
          • Recommendations on how to prevent and remove
    • Advanced Cloud Defense
      • Tools to:
        • Stay productive and secure
        • Administer your environment
        • Way to open ssh, rdp for narrow window of time without having those resources available to attackers

Planning Security Center Adoption

  • Define Roles and Responsibilities
    • People of various positions/depts. that need to see, but not edit, information
    • Roles can be customized or use the built in, predefined roles.
  • Policies
    • Can I do Group Policies in Security Center?  Not really.
    • These are toggle switches to activate, deactivate specific scans
      • System updates
      • OS Vulnerabilities
      • Endpoint protection
      • Disk encryption
      • Network Security groups
      • Etc
    • These can and should change between different stages
      • Dev – pretty relaxed
      • Testing – Harder
      • Production – Hardened
  • Data collection and storage
    • Microsoft monitoring agent scans for various security related configurations and events it into Event Tracing for Windows (ETW) traces.
    • In addition
      • Operating system type and version
      • Operating system logs (Windows event logs)
      • Running pricesses
      • Machine name
      • IP addresses
      • Logged in user
      • Tenant ID
      • Crash dump files
    • Workspaces
      • Agent runs on your computer or your VM and transfers the data collected to your workspace.
      • A workspace is an Azure resource that serves as a container for data.  You or other members of your organization might use multiple workspaces to manage different sets of data that is collected from all or portions of your IT infrastructure.
      • Data collected from the Microsoft Monitoring Agent (on behalf of Azure Security Center) will be stored in either an existing Log Analytics workspace associated with your Azure subscription or a new workspace, taking into account the geography of the VM.
  • Onboarding resources
    • What do you want to protect?
    • Identify the workloads that you want to protect the describe how to harden them appropriately
    • Once these resources are identified –
      • press the button and enable data collection.
  • Security Operations
    • Incorporate Security Center as part of your Security Operations
      • When you first opt in to use Security Center for your current Azure environment, make sure that you review all recommendations, which can be done in the Recommendations tile or per resource (Compute, Networking, Storage & Data, Applications)
      • Once you address all recommendations, the Prevention section should be green for all resources that were addressed.  Ongoing monitoring at this point becomes easier since you will only take actions based on changes in the resource security health and recommendations tiles.
  • Incident Response
    • Incorporate Security Center in these stages
      • Detect
        • Identify a suspicious activity in one or more resources
      • Assess
        • Perform the initial assessment to obtain more information about the suspicious activity
      • Diagnose
        • Use the remediation steps to conduct the technical procedure to address the issue.
      • Stabilize
      • Close

Using Security Center to Enhance your Security Posture

  • Protect
    • Across all endpoints, from sensors to the datacenter
  • Detect
    • Using targeted signals, behavioral monitoring and machine learning.
  • Respond
    • Closing the gap between discovery and action

 

Security Solutions

  • Recommends and streamlines provisioning of partner solutions
  • Integrates signals for centralized alerting and advanced detection
  • Enables monitoring and basic management with easy access to advanced configuration using the partner solution
  • Leverages Azure Marketplace for commerce and billing.

 

LEAVE A COMMENT