Hi all, currently I'm working a lot with Azure Security Center (ASC). For the readers who don't know what Security Center is: Security Center provides a clear overview of your workloads running in Azure, on-premises, and in other clouds. It gives you control over hybrid cloud workloads, with recommendations on how to prevent attacks and how to reduce your exposure to threats.
The reason I wrote this blog is that I wanted to give the readers a complete overview of Azure Security Center and all the options in there.
- 1 General overview
- 2 GENERAL
- 3 PREVENTION
- 4 DETECTION
- 5 ADVANCED CLOUD DEFENSE
- 6 AUTOMATION & ORCHESTRATION
Azure Security Center has 5 main subjects:
- General
- Prevention
- Detection
- Advanced Cloud Defense
- Automation & Orchestration
Each of these subjects is divided into blades.
The overview blade is sort of a dashboard with tiles that provide information about the other blades in Azure Security Center (Prevention, Detection, Advanced cloud defense). In the overview blade you can click on every tile to go to that blade for more details. At the top of the overview blade there is a button to scope between the different subscriptions. The other button is for enabling Microsoft Azure Log Integration, which enables integration of Azure logs into Security Information and Event Management (SIEM) systems. These include Azure Active Directory audit logs, virtual machine logs, Azure Activity Logs, Azure Security Center alerts and many of the Azure Resource Providers' logs.
The security policy blade provides the ability to set the policy components per subscription. When you click on the subscription, the policy component options appear.
Here you can enable or disable automatic data collection. By default automatic data collection is enabled, which provisions the Microsoft Monitoring Agent on all supported Azure VMs and on any new ones that are created. Automatic provisioning is strongly recommended, and is required for subscriptions on the Standard tier of Security Center. If you disable automatic provisioning after the Microsoft Monitoring Agent has been installed, the agent is not removed.
You may want to opt out of automatic provisioning if any of the following applies to you:
- Automatic agent installation by Security Center applies to the entire subscription. You cannot apply automatic installation to a subset of VMs. If there are critical VMs on which the Microsoft Monitoring Agent cannot be installed, then you should opt out of automatic provisioning.
- Installation of the Microsoft Monitoring Agent extension updates the agent’s version. This applies to a direct agent and a SCOM agent. If the installed SCOM agent is version 2012 and is upgraded, manageability capabilities can be lost when the SCOM server is also version 2012. You should consider opting out of automatic provisioning if the installed SCOM agent is version 2012.
- If you have a custom workspace external to the subscription (a centralized workspace), then you should opt out of automatic provisioning. You can manually install the Microsoft Monitoring Agent extension and connect it to your workspace without Security Center overriding the connection.
- If you want to avoid creation of multiple workspaces per subscription and you have your own custom workspace within the subscription, then you have two options:
  - You can opt out of automatic provisioning. After migration, set the default workspace settings as described in this article.
  - Or, you can allow the migration to complete, the Microsoft Monitoring Agent to be installed on the VMs, and the VMs to be connected to the created workspace. Then, select your own custom workspace by setting the default workspace setting, opting in to reconfiguring the already installed agents.
What happens if a SCOM or OMS direct agent is already installed on my VM?
Security Center cannot identify in advance that an agent is installed. Security Center attempts to install the Microsoft Monitoring Agent extension and fails due to the existing installed agent. This failure prevents overriding the agent’s connection settings to its workspace and avoids creating multi-homing.
Default workspace configuration
As stated before, Azure Security Center uses a Log Analytics workspace where the data is stored. In the default workspace configuration there are two options:
- Use workspace(s) created by Security Center (default setting). If a workspace does not exist, Security Center creates a new resource group and default workspace in that geolocation, and connects the agent to that workspace. The naming convention for the workspace and resource group is:
Resource Group: DefaultResourceGroup-[geo]
- Use another workspace. Here you can choose which Log Analytics workspace Security Center uses. If you choose a workspace other than the default, any other solutions enabled on the selected workspace will be applied to the Azure VMs that are connected to it. For paid solutions, this could result in additional charges.
If you want to be in control of the name of the workspace and of the resource group the workspace is created in, you have to use the "Use another workspace" option and create the Log Analytics workspace manually.
The security policy blade also enables you to turn different recommendations on or off. To enable the option for Just In Time (JIT) network access, you have to upgrade to the Standard tier.
In the email notifications blade you can provide the security contact emails (multiple are possible, separated by commas) and the phone number (with country code) of a member of the security team. There are also two options regarding the emails that can be sent about alerts (both are in preview).
If you want to add on-premises or other cloud computers, you need the Standard tier. If you enable data collection for a subscription, the Free tier is automatically enabled. One of the recommendations that Security Center will give you is to upgrade to the Standard tier. In this recommendation you get a clear view of the costs of the upgrade. Currently the cost is $15 per node per month, but it is free for the first 60 days. Microsoft sees a node as any Azure resource that is monitored by the service. Currently, each virtual machine counts as one node, and each SQL Database server (logical server that may contain multiple SQL databases and/or SQL Data Warehouse databases) counts as one node.
The difference between the Free and the Standard tier: the Free tier provides the following features:
- Security assessment
- Security recommendations
- Basic security policy
- Connected partner solutions
The Standard tier provides all the features of Free plus the following additional features:
- Just in time VM Access
- Network threat detection
- VM threat detection
This is the landing page from which you can go to the different Microsoft documentation pages.
The events blade gives you an overview of the events over time for the last 7 days (the Standard tier is needed). The filter button lets you set the filter over a longer or shorter period. The "Add notable events" button enables you to create an event by searching with a Log Analytics query.
The following events are shown by default:
- Notable events (for example: accounts failed to log on, computers missing critical updates, etc.)
- All events by type.
Onboarding to advanced security
On this blade you can upgrade the subscriptions and Log Analytics workspaces to the Standard tier.
The search blade gives you the opportunity to select a Log Analytics workspace and go to the log search of Log Analytics.
By giving recommendations about the environment, Security Center gives cloud admins a clear view of the security status of their resources. One of the nice features is that Security Center can provide the security status over multiple subscriptions. Security Center needs a Log Analytics workspace per subscription; the resources in that subscription need to be connected to that workspace in order to get their status in Security Center.
In part 2 of this blog I will cover all the recommendations and how to get them resolved.
The security solutions blade gives you the ability to integrate several security solutions into Azure Security Center. Security Center makes it easy to enable integrated security solutions in Azure. These integrated solutions give you the ease of simplified deployment; for example, with the integration of antimalware you can deploy the needed agent on the virtual machines. The integrated solutions also give you the benefit of integrated detections and unified health monitoring and management.
Currently, integrated security solutions include:
- Endpoint protection (Trend Micro, Symantec, Windows Defender, and System Center Endpoint Protection (SCEP))
- Web application firewall (Barracuda, F5, Imperva, Fortinet, and Azure Application Gateway)
- Next-generation firewall (Check Point, Barracuda, Fortinet, and Cisco)
- Vulnerability assessment (Qualys)
The compute blade gives an overview of the recommendations for VMs and computers and for Cloud Services. From this blade you can also connect non-Azure machines if you have the Standard tier enabled. When you click the "Add computers" button, Security Center asks for a Log Analytics workspace.
This tab gives the summary of the following tabs (VMs and computers, Cloud Services). Here you can find the monitoring recommendations and other recommendations. If you click on one of the recommendations, Security Center brings you to the corresponding blade.
VMs and computers
The VMs and computers tab shows the status of the VMs and computers that are connected to a Log Analytics workspace.
Currently the following platforms are supported by Azure Security Center.
Supported Windows operating systems:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
Supported platforms for Linux VMs:
- Ubuntu versions 12.04, 14.04, 16.04, 16.10
- Debian versions 7, 8
- CentOS versions 6.*, 7.*
- Red Hat Enterprise Linux (RHEL) versions 6.*, 7.*
- SUSE Linux Enterprise Server (SLES) versions 11 SP4+, 12.*
- Oracle Linux versions 6.*, 7.*
VMs running in a cloud service are also supported. Only cloud services web and worker roles running in production slots are monitored.
The networking blade gives the recommendations for the networks in your subscriptions. At the top there is an overview of the network recommendations. For example, there are the following recommendations:
- Next Gen FireWall (NGFW) not installed;
- Network Security Groups (NSGs) on subnets not enabled;
- Network Security Groups (NSGs) on VMs not enabled;
- Restrict access through Internet facing endpoints.
In the middle section there is a list of internet-facing endpoints with their connected resources.
At the bottom there is the network topology, where you can see which VM is connected to which subnet and which subnet is connected to which VNet.
Storage & data
On this blade the SQL recommendations are shown, along with the storage accounts and the recommendations that apply to them.
The application blade presents the endpoints that have inbound web ports (80, 443) and the recommendations for those inbound web ports, like "Web application firewall (WAF) not installed". Currently the following WAFs are supported:
- Barracuda Networks, Inc.;
- F5 Networks;
- Imperva Inc.;
- Microsoft Application Gateway.
Identity & Access
The identity & access blade routes you to an overview of several subjects regarding identity and access activities after you have chosen a Log Analytics workspace. The subjects are:
- Identity posture
- Accounts logged on
- Accounts failed to log on
- Locked accounts
- Accounts with changed or reset password
- Active critical notable issues
- Active warning notable issues
- Failed logons
- Failed logon reasons
- Overview of the accounts
- Logons over time
- Overview of when failed logons happened
- Computers accessed with the logon attempts
This is only available in the Standard tier.
Threat detection works by automatically collecting security information from your Azure resources, the network, and connected partner solutions. It analyzes this information, often correlating information from multiple sources, to identify threats. Security alerts are prioritized in Security Center along with recommendations on how to remediate the threat.
The first blade of the detection subject gives an overview of all the attacks there have been, the description of the attack, when the attack took place, on which environment (Azure / on-premises), the severity and what the state is. If you click on one of the attacks you get more information about the attacked resources and where the attack came from.
Custom alert rules (Preview)
Custom alert rules allow you to define new security alerts based on data that is already collected from your environment. You can turn any search query result into an alert rule to detect custom behaviors. The queries can use computer security events, partner security solution logs or data ingested using APIs.
In the threat intelligence blade you can identify security threats against your environment. For example, you can identify whether a particular computer is part of a botnet. Computers can become nodes in a botnet when attackers illicitly install malware that secretly connects the computer to their command and control. Threat intelligence can also identify potential threats coming from underground communication channels, such as the dark web. This feature is only available in the Standard tier.
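The "Accounts failed to log on" notable event on the Events blade, the failed-logon views on the Identity & Access blade and a custom alert rule all come down to the same thing: a query over the collected SecurityEvent data whose result is turned into an alert. The following Python is an added example written for this post, not Security Center's own code or a Log Analytics query; it runs the same logic over a handful of constructed SecurityEvent-style rows (made-up hosts, accounts and addresses) so you can see what such a rule has to decide: which window to look at, which threshold fires, and which correlated facts (sources, computers, a later successful logon for the same account) belong in the alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log event IDs that the SecurityEvent table carries.
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624

# Constructed sample rows in the shape of the SecurityEvent table
# (made-up hosts, accounts and addresses; not data from the post).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2018-01-10T08:00:05Z", "Computer": "web01", "EventID": 4625, "Account": "CONTOSO\\svc-backup", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2018-01-10T08:00:09Z", "Computer": "web01", "EventID": 4625, "Account": "CONTOSO\\svc-backup", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2018-01-10T08:00:14Z", "Computer": "web01", "EventID": 4625, "Account": "CONTOSO\\svc-backup", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2018-01-10T08:01:02Z", "Computer": "app02", "EventID": 4625, "Account": "CONTOSO\\svc-backup", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2018-01-10T08:01:30Z", "Computer": "app02", "EventID": 4625, "Account": "CONTOSO\\svc-backup", "IpAddress": "203.0.113.7"},
    {"TimeGenerated": "2018-01-10T08:02:11Z", "Computer": "app02", "EventID": 4625, "Account": "CONTOSO\\svc-backup", "IpAddress": "198.51.100.23"},
    {"TimeGenerated": "2018-01-10T08:03:40Z", "Computer": "app02", "EventID": 4624, "Account": "CONTOSO\\svc-backup", "IpAddress": "198.51.100.23"},
    {"TimeGenerated": "2018-01-10T08:10:00Z", "Computer": "web01", "EventID": 4625, "Account": "CONTOSO\\alice", "IpAddress": "10.0.0.5"},
    {"TimeGenerated": "2018-01-10T08:10:20Z", "Computer": "web01", "EventID": 4624, "Account": "CONTOSO\\alice", "IpAddress": "10.0.0.5"},
    {"TimeGenerated": "2018-01-09T08:30:00Z", "Computer": "web01", "EventID": 4625, "Account": "CONTOSO\\bob", "IpAddress": "10.0.0.9"},
    {"TimeGenerated": "2018-01-09T08:31:00Z", "Computer": "web01", "EventID": 4625, "Account": "CONTOSO\\bob", "IpAddress": "10.0.0.9"},
    {"TimeGenerated": "2018-01-09T08:32:00Z", "Computer": "web01", "EventID": 4625, "Account": "CONTOSO\\bob", "IpAddress": "10.0.0.9"},
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in TimeGenerated."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def events_in_window(events, start, end):
    """Rows whose TimeGenerated falls in [start, end)."""
    return [e for e in events if start <= parse_time(e["TimeGenerated"]) < end]


def failed_logons_by_account(events, start, end):
    """The 'Accounts failed to log on' summary: count EventID 4625 per account in the window."""
    counts = defaultdict(int)
    for e in events_in_window(events, start, end):
        if e["EventID"] == FAILED_LOGON:
            counts[e["Account"]] += 1
    return dict(counts)


def alert_rule(events, threshold, window_minutes, now):
    """Turn the summary into alerts: one per account at or above the threshold.

    Each alert carries the source addresses and computers involved, and is raised
    to High severity when a successful logon for the same account follows the
    failures inside the window (guessed credentials that eventually worked).
    """
    start, end = now - timedelta(minutes=window_minutes), now
    window = events_in_window(events, start, end)
    alerts = []
    for account, count in sorted(failed_logons_by_account(events, start, end).items()):
        if count < threshold:
            continue
        failures = [e for e in window if e["Account"] == account and e["EventID"] == FAILED_LOGON]
        last_failure = max(parse_time(e["TimeGenerated"]) for e in failures)
        success_after = any(
            e["Account"] == account and e["EventID"] == SUCCESSFUL_LOGON
            and parse_time(e["TimeGenerated"]) > last_failure
            for e in window
        )
        alerts.append({
            "account": account,
            "failed_logons": count,
            "source_ips": sorted({e["IpAddress"] for e in failures}),
            "computers": sorted({e["Computer"] for e in failures}),
            "success_after_failures": success_after,
            "severity": "High" if success_after else "Medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in alert_rule(SAMPLE_EVENTS, threshold=5, window_minutes=60, now=parse_time("2018-01-10T09:00:00Z")):
        print(alert)
```

With a one-hour window and a threshold of 5, only the service account fires: six failures from two addresses against two computers, followed by a successful logon from the second address, which is exactly the correlation you would want an analyst to see before they open the VM. The account with a single typo'd password and the failures from the day before stay below the threshold or outside the window, which is what keeps a rule like this from paging on noise.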
ADVANCED CLOUD DEFENSE
Adaptive application controls (Preview)
Adaptive application controls enable you to control which applications can run on your VMs in Azure. This helps you harden your VMs against malware. Security Center uses machine learning to analyze the processes running in the VM and helps you apply whitelisting rules using this intelligence.
This capability greatly simplifies the process of configuring and maintaining application whitelists, which enables you to:
- Block or alert on attempts to run malicious applications, including those that might otherwise be missed by antimalware solutions;
- Comply with your organization’s security policy that dictates the use of only licensed software;
- Avoid unwanted software being used in your environment;
- Avoid old and unsupported apps running;
- Prevent specific software tools that are not allowed in your organization;
- Enable IT to control the access to sensitive data through app usage.
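To make the two halves of this feature concrete, here is an added Python example (written for this post; it is not Security Center's code and makes no claim about how its machine learning works): a baseline of constructed process-start events from a group of web servers is turned into whitelist rules, and new process starts are then judged against those rules in audit mode (alert) or enforce mode (block). The rule shape is an assumption of the example: signed binaries are allowed by publisher plus path, unsigned ones only by hash, and a binary seen on a single machine is put on a review list instead of being allowlisted automatically.

```python
from collections import defaultdict

# Constructed process-start events observed on a group of web servers during the
# learning period (made-up paths, publishers and hash prefixes, not data from the post).
BASELINE = [
    {"Computer": "web01", "Path": r"C:\Windows\System32\svchost.exe", "Publisher": "Microsoft Windows", "Hash": "a1f3"},
    {"Computer": "web02", "Path": r"C:\Windows\System32\svchost.exe", "Publisher": "Microsoft Windows", "Hash": "a1f3"},
    {"Computer": "web03", "Path": r"C:\Windows\System32\svchost.exe", "Publisher": "Microsoft Windows", "Hash": "a1f3"},
    {"Computer": "web01", "Path": r"C:\Windows\System32\inetsrv\w3wp.exe", "Publisher": "Microsoft Windows", "Hash": "c09e"},
    {"Computer": "web02", "Path": r"C:\Windows\System32\inetsrv\w3wp.exe", "Publisher": "Microsoft Windows", "Hash": "c09e"},
    {"Computer": "web03", "Path": r"C:\Windows\System32\inetsrv\w3wp.exe", "Publisher": "Microsoft Windows", "Hash": "c09e"},
    {"Computer": "web01", "Path": r"C:\inetpub\app\myapp.exe", "Publisher": None, "Hash": "7d2b"},
    {"Computer": "web02", "Path": r"C:\inetpub\app\myapp.exe", "Publisher": None, "Hash": "7d2b"},
    {"Computer": "web03", "Path": r"C:\inetpub\app\myapp.exe", "Publisher": None, "Hash": "7d2b"},
    {"Computer": "web03", "Path": r"C:\Tools\diag.exe", "Publisher": None, "Hash": "e551"},
]


def rule_key(event):
    """Signed binaries are allowlisted by publisher and path; unsigned ones only by hash."""
    if event["Publisher"]:
        return ("publisher", event["Publisher"], event["Path"].lower())
    return ("hash", event["Hash"])


def learn_allowlist(baseline, min_computers=2):
    """Build whitelist rules from the baseline.

    A rule is only recommended when the same binary was seen on at least
    min_computers machines of the group; rarer ones go to a review list so
    that a one-off tool on a single VM is not silently allowlisted.
    """
    seen = defaultdict(set)
    for event in baseline:
        seen[rule_key(event)].add(event["Computer"])
    allowlist, review = {}, []
    for key, computers in seen.items():
        if len(computers) >= min_computers:
            allowlist[key] = sorted(computers)
        else:
            review.append(key)
    return allowlist, sorted(review)


def evaluate(event, allowlist, mode="audit"):
    """Decide a new process start: 'allow' on a rule match, otherwise
    'alert' in audit mode or 'block' in enforce mode."""
    if rule_key(event) in allowlist:
        return "allow"
    return "block" if mode == "enforce" else "alert"


if __name__ == "__main__":
    rules, to_review = learn_allowlist(BASELINE)
    new_events = [
        {"Computer": "web02", "Path": r"C:\Windows\System32\svchost.exe", "Publisher": "Microsoft Windows", "Hash": "a1f3"},
        {"Computer": "web01", "Path": r"C:\inetpub\app\myapp.exe", "Publisher": None, "Hash": "b7e2"},  # same path, modified binary
        {"Computer": "web01", "Path": r"C:\Users\Public\updater.exe", "Publisher": None, "Hash": "0f44"},
    ]
    for e in new_events:
        print(e["Path"], evaluate(e, rules, mode="enforce"))
    print("needs review:", to_review)
```

Two details carry the security value. An unsigned binary that keeps its path but changes its hash is not matched by the rule learned for the original, so a tampered application binary is alerted on or blocked rather than inherited into the whitelist; and a signed rule matches on publisher and path together, so a binary that copies a system path without the expected publisher is not allowed either.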
Just in time VM access (Preview)
With just in time virtual machine access you can lock down inbound traffic to your Azure VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed. This feature is only available in the standard tier.
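The following Python is an added example, written for this post and not Security Center's implementation, that models what "lock down inbound traffic and open it only when needed" means at the network-rule level: management ports are denied by default, an access request adds an allow rule for one source range and a bounded time, and once the window passes the deny rule is what applies again. The port list, the maximum duration and the refusal of broad source ranges are assumptions of the example, chosen to show the checks a JIT request should go through.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


def when(value):
    """Parse the ISO-8601 UTC timestamps used in the example below."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


class JitNetworkPolicy:
    """Simplified model of JIT VM access: management ports are denied by default and
    opened only for an approved source range, for a bounded time, on request."""

    def __init__(self, ports=(22, 3389), max_hours=3):
        self.ports = set(ports)          # ports the JIT policy manages
        self.max_hours = max_hours       # longest window a request may ask for
        self.grants = []                 # active time-bounded allow rules

    def request_access(self, source, port, hours, now):
        """Add a temporary allow rule; raise ValueError when the request violates the policy."""
        if port not in self.ports:
            raise ValueError("port %d is not managed by this JIT policy" % port)
        if hours <= 0 or hours > self.max_hours:
            raise ValueError("requested duration is outside the policy maximum")
        net = ip_network(source, strict=False)
        if net.prefixlen < 24:  # a grant is for the requester's address, not the whole internet
            raise ValueError("source range too broad for a JIT grant")
        grant = {"source": net, "port": port, "expires": now + timedelta(hours=hours)}
        self.grants.append(grant)
        return grant

    def expire(self, now):
        """Drop grants whose window has passed; returns the number still active."""
        self.grants = [g for g in self.grants if g["expires"] > now]
        return len(self.grants)

    def evaluate(self, source_ip, port, now):
        """Decide an inbound packet: 'allow' only while a matching, unexpired grant exists,
        'deny' otherwise, and 'not-managed' for ports outside the JIT policy."""
        if port not in self.ports:
            return "not-managed"
        addr = ip_address(source_ip)
        for g in self.grants:
            if g["port"] == port and addr in g["source"] and g["expires"] > now:
                return "allow"
        return "deny"


if __name__ == "__main__":
    policy = JitNetworkPolicy()
    t0 = when("2018-01-10T09:00:00Z")
    print("before request:", policy.evaluate("203.0.113.7", 3389, t0))
    policy.request_access("203.0.113.7", 3389, hours=1, now=t0)
    print("during window: ", policy.evaluate("203.0.113.7", 3389, t0))
    print("other source:  ", policy.evaluate("203.0.113.8", 3389, t0))
    print("after window:  ", policy.evaluate("203.0.113.7", 3389, when("2018-01-10T10:00:00Z")))
```

The point to take from the model is that the exposure window is bounded on three axes at once: who (the source range), what (one management port) and how long (the grant expiry), and that expiry is checked at evaluation time rather than trusting a rule to be cleaned up later.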
AUTOMATION & ORCHESTRATION
A security playbook is a collection of procedures that can be executed from Security Center once the playbook is triggered from a selected alert. Security playbooks can help you automate and orchestrate your response to a specific security alert detected by Security Center. Security playbooks in Security Center are based on Azure Logic Apps, which means you can use the templates that are provided under the security category in the Logic Apps templates, modify them based on your needs, or create new playbooks using an Azure Logic Apps workflow with Security Center as your trigger.