Main Menu
Workload Protection
Onboarding ASC (Azure Security Center)
Tiers
- Free
- Prevention capabilities only: security policy, assessment and recommendations for Azure resources
- Standard
- Extends Free with detection (threat alerts) and adds coverage of non-Azure machines
- Advanced Cloud Defense
- Not a separate tier but the Standard-tier feature group that covers Just in time VM access and Adaptive application controls (the menu section used below)
Onboarding
- The Microsoft Monitoring Agent is provisioned automatically on Azure VMs once ASC is enabled on the subscription (auto-provisioning, subject to the tier)
- It is the same agent used for OMS / Log Analytics, so a machine already reporting to a workspace does not need a second agent
- The agent can also be installed manually on
- On-prem servers
- Other cloud providers (e.g. AWS)
- Linux as well as Windows
Non-Azure Servers
- Select the Log Analytics workspace the agent should report to (this is where the collected data is stored)
- Download the agent package for the server's OS
- IMPORTANT!
- The portal shows a Workspace ID, a Primary Key and a Secondary Key
- You need the Workspace ID plus one of the keys to install the agent; either key works
- Treat the keys as credentials (whoever holds one can send data into the workspace); if a key leaks, regenerate it in the workspace settings
- Installing the Software
- Agent Setup Options (Windows installer wizard)
- [X] Connect the agent to Azure Log Analytics (OMS)
- [ ] Connect the agent to System Center Operations Manager
- Only the Log Analytics option is needed for ASC; the workspace selected above is a Log Analytics workspace
- Enter:
- Workspace ID
- Workspace Key (Primary or Secondary Key)
- Azure Cloud
- Select "Azure Commercial" from the drop-down box (Azure Government workspaces need the Government option)
- [Advanced] if the server reaches the internet through a proxy
- It will take some time before the machine shows up in Security Center, so be patient
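Added example (mine, not code from the course or from Microsoft): the same onboarding the wizard walks through, done unattended in PowerShell on a non-Azure Windows server. It assumes the downloaded MMASetup-AMD64.exe sits at a placeholder path, that the workspace key and an optional proxy URL are supplied through the environment variables OMS_WORKSPACE_KEY and OMS_PROXY_URL (names I chose), and the workspace ID shown is a placeholder GUID. The MSI property names are the installer's documented ones.

```powershell
# Added example: unattended Microsoft Monitoring Agent install on a non-Azure Windows server.
# Not code from the course. Paths, workspace ID and env-var names are placeholders/assumptions.
$ErrorActionPreference = 'Stop'

$WorkspaceId = '00000000-0000-0000-0000-000000000000'  # placeholder: Workspace ID from the portal
$Installer   = 'C:\Temp\MMASetup-AMD64.exe'              # placeholder: downloaded agent package
$Extracted   = 'C:\Temp\MMA'                             # placeholder: extraction directory
$ProxyUrl    = $env:OMS_PROXY_URL                        # optional, e.g. 'proxy.corp.example:8080'

# The workspace key is a credential (anyone holding it can push data into the
# workspace), so read it from the environment or a vault, never from a script literal.
$WorkspaceKey = $env:OMS_WORKSPACE_KEY
if (-not $WorkspaceKey) { throw 'Set OMS_WORKSPACE_KEY to the primary or secondary workspace key first.' }

# A mistyped ID does not fail the install; the agent simply never reports. Check it up front.
if ($WorkspaceId -notmatch '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$') {
    throw "Workspace ID '$WorkspaceId' is not a GUID."
}

# 1. Extract the self-extracting package (/c = extract only, /t = target directory).
Start-Process -FilePath $Installer -ArgumentList "/c /t:$Extracted" -Wait

# 2. Silent install. The wizard choices become MSI properties:
#    ADD_OPINSIGHTS_WORKSPACE=1               -> [X] Connect the agent to Azure Log Analytics (OMS)
#    OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0  -> "Azure Commercial" (1 would be Azure Government)
#    NOAPM=1                                  -> skip the APM component, which ASC does not need
$setupArgs = @(
    '/qn',
    'NOAPM=1',
    'ADD_OPINSIGHTS_WORKSPACE=1',
    'OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0',
    "OPINSIGHTS_WORKSPACE_ID=$WorkspaceId",
    "OPINSIGHTS_WORKSPACE_KEY=$WorkspaceKey",
    'AcceptEndUserLicenseAgreement=1'
)
if ($ProxyUrl) { $setupArgs += "OPINSIGHTS_PROXY_URL=$ProxyUrl" }   # the [Advanced] proxy page
Start-Process -FilePath (Join-Path $Extracted 'setup.exe') -ArgumentList $setupArgs -Wait

# 3. Verify locally instead of waiting for the portal: the agent's COM configuration
#    object lists the registered workspaces and their connection state.
$agent = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$agent.GetCloudWorkspace($WorkspaceId) |
    Select-Object workspaceId, ConnectionStatus, ConnectionStatusText   # ConnectionStatus 0 = connected
Get-Service -Name HealthService | Select-Object Name, Status, StartType
```

Run it from an elevated PowerShell session. The verification step is what tells you the "be patient" wait is a reporting delay rather than a misconfiguration: a connected workspace with the HealthService running means the data will arrive; a non-zero connection status means the ID, key, proxy or outbound firewall rules are wrong.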
Implementing Security Policies
Security Center Policies
- A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements.
- In Security Center, you can define policies for your Azure subscriptions, which can be tailored to the type of workload or the sensitivity of data.
Azure Policy
- Azure Policy is a service in Azure that you use to create, assign and manage policy definitions.
- Policy definitions enforce different rules and actions over your resources, so those resources stay compliant with your corporate standards and service level agreements.
- It runs an evaluation of your resources to scan for which ones are not compliant with the policy definitions you have in place.
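Added example (mine, not code from the course): the define / assign / evaluate cycle described above, for one custom policy, using the Az PowerShell modules (Az.Resources and Az.PolicyInsights, with Connect-AzAccount already run). The rule flags storage accounts that still accept plain HTTP; the policy name, assignment name and subscription scope are placeholders I chose.

```powershell
# Added example: create, assign and evaluate a custom Azure Policy with the Az module.
# Not code from the course. Names and scope are placeholders.
$ErrorActionPreference = 'Stop'
$SubscriptionId = (Get-AzContext).Subscription.Id
$Scope = "/subscriptions/$SubscriptionId"

# Policy rule: storage accounts where "secure transfer required" is not on.
# The effect is a parameter so the same definition can start in audit mode
# (report only) and be flipped to deny once the existing estate is clean.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
'@
$params = @'
{
  "effect": {
    "type": "String",
    "allowedValues": [ "audit", "deny" ],
    "defaultValue": "audit",
    "metadata": { "description": "audit first, deny once compliant" }
  }
}
'@

# 1. Create the definition (Indexed mode: only resource types that support tags/location).
$definition = New-AzPolicyDefinition -Name 'storage-https-only' `
    -DisplayName 'Storage accounts must require secure transfer' `
    -Policy $rule -Parameter $params -Mode 'Indexed'

# 2. Assign it at subscription scope in audit mode.
$assignment = New-AzPolicyAssignment -Name 'storage-https-only-sub' `
    -PolicyDefinition $definition -Scope $Scope `
    -PolicyParameterObject @{ effect = 'audit' }

# 3. Evaluation normally runs on a schedule; request a scan now, then list offenders.
Start-AzPolicyComplianceScan
Get-AzPolicyState -SubscriptionId $SubscriptionId `
    -Filter "PolicyAssignmentName eq '$($assignment.Name)' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionAction, Timestamp
```

Starting with audit rather than deny is deliberate: a deny effect blocks deployments immediately, so you want the non-compliant list first and the enforcement switch only after it is empty. Newly created resources are evaluated on creation; existing ones show up after the compliance scan completes.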
Implementing Recommendations
Prevention
Azure resources are covered by the Free tier; non-Azure machines require the Standard tier
- Compute
- Antimalware (endpoint protection) recommendations
- Windows Antimalware (the Microsoft Antimalware extension) is FREE
- Networking
- Applies to Azure resources only
- Next Generation Firewalls (partner offerings from the Marketplace, not an Azure product)
- Open ports (inbound rules exposing endpoints to the internet)
- Storage and Data
- Storage
- Encryption (storage encryption not enabled)
- SQL
- Permission changes (someone added to permissions)
- Execution privileges
- Each DB has the right verbosity for its audit logs (auditing enabled)
- Encryption at rest
- Applications
- IIS
- Web virtual root
- Marketplace applications
Just In Time VM Access
Why use this?
- Just in time virtual machine (VM) access can be used to lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
How it works
- When just in time is enabled, Security Center locks down inbound traffic to your Azure VMs by creating an NSG rule that denies the selected ports. You select the ports on the VM to which inbound traffic will be blocked; these ports are then controlled by the just in time solution. When a request is approved, Security Center adds a temporary allow rule for the requester's source IP and time window, and removes it again when the window expires.
How to Enable
Security Center > Advanced Cloud Defense > Just in time VM Access > Virtual Machines > Recommended
- Select the VM to protect, then select which ports to open with JIT
- There is a default time frame to keep the ports open: 3 hrs (this is the maximum request duration for the port).
How to request access
Security Center > Advanced Cloud Defense > Just in time VM Access > Virtual Machines > Configured
- Select the VM, > [Request access]
- Select the ports to open by toggling [On]
- Open to specific IPs
- My Ip
- IP Range
- Set the Timerange
- 1, 2 or 3 hours
- [Open ports]
View the Activity Log
This is used to see who requested access, for which ports and source IPs, and when the ports were open. It records the JIT requests, not the logons themselves; actual sign-ins are in the VM's own logs.
Security Center > Advanced Cloud Defense > Just in time VM Access > Virtual Machines > Configured
- Locate the desired machine, then ‘…’ > Activity Log
- This is also where you edit the JIT rules for that VM.
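Added example (mine, not code from the course): the three JIT steps above (enable, request access, review who asked) using the Az.Security module instead of the portal, plus an Activity Log query for the JIT request operation. Subscription, resource group, VM name, location and the requester's public IP are placeholders I chose; it assumes Connect-AzAccount has been run.

```powershell
# Added example: configure JIT for one VM, request access, review requests, via Az.Security.
# Not code from the course. Resource names, location and the source IP are placeholders.
$ErrorActionPreference = 'Stop'
$Sub  = (Get-AzContext).Subscription.Id
$Rg   = 'rg-web'                      # placeholder resource group
$Loc  = 'westeurope'                  # placeholder location
$VmId = "/subscriptions/$Sub/resourceGroups/$Rg/providers/Microsoft.Compute/virtualMachines/vm-web-01"
$MyIp = '203.0.113.10'                # placeholder: the "My IP" the portal would detect

# 1. Enable JIT: RDP and SSH are denied until a request is approved. PT3H mirrors the
#    3 h default. allowedSourceAddressPrefix '*' in the POLICY only bounds what a request
#    may ask for; the actual source restriction is set per request in step 2.
$policyVm = @{
    id    = $VmId
    ports = @(
        @{ number = 3389; protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' },
        @{ number = 22;   protocol = 'TCP'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $Loc -Name 'default' `
    -ResourceGroupName $Rg -VirtualMachine @($policyVm)

# 2. Request access: one port, one /32 source, the shortest window (1 h of the 1/2/3 h
#    choices). endTimeUtc beyond the policy's maxRequestAccessDuration is rejected.
$requestVm = @{
    id    = $VmId
    ports = @(
        @{ number                     = 3389
           endTimeUtc                 = (Get-Date).ToUniversalTime().AddHours(1).ToString('o')
           allowedSourceAddressPrefix = @("$MyIp/32") }
    )
}
$policyId = "/subscriptions/$Sub/resourceGroups/$Rg/providers/Microsoft.Security/locations/$Loc/jitNetworkAccessPolicies/default"
Start-AzJitNetworkAccessPolicy -ResourceId $policyId -VirtualMachine @($requestVm)

# 3a. Who opened what: the policy object keeps the requests made against it.
$policy = Get-AzJitNetworkAccessPolicy -ResourceGroupName $Rg -Location $Loc -Name 'default'
$policy.Requests | Select-Object Requestor, StartTimeUtc, Justification

# 3b. The same requests in the Activity Log (this is what the portal's "Activity Log"
#     view shows): filter on the JIT initiate operation for the last 7 days.
Get-AzLog -ResourceGroupName $Rg -StartTime (Get-Date).AddDays(-7) |
    Where-Object { $_.OperationName.Value -eq 'Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action' } |
    Select-Object EventTimestamp, Caller, Status
```

The check worth doing after step 1 is to look at the VM's NSG: the deny rules Security Center adds only help if no broader allow rule on the same ports takes precedence over them. Requesting with a /32 rather than an IP range keeps the temporary allow rule as narrow as the portal's "My IP" option.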
Adaptive Application Controls (application whitelisting)
Machine-learning-based recommendations for which applications should be allowed to run on a group of VMs, based on what is already running on them
Security Center > Advanced Cloud Defense > Adaptive application controls > Resource Groups > Recommended
- Select Audit (log violations only) or Enforce (block applications not on the list)
- That’s all this video gave me – LAME