Azure Security Center is a unified security management platform that Microsoft offers to all Azure subscribers. Features of the standard tier include security health monitoring for both cloud and on-premises workloads; blocking of threats through access and application controls; adjustable security policies for maintaining regulatory and standards compliance; discovery of vulnerabilities and missing system updates, with recommendations for fixing them; and threat detection through security alerts and analytics. Here we provide an overview of Azure Security Center and how to use its feature set to improve the security of your cloud and onsite deployments.
The hybrid cloud approach
If managing the security of your Azure-only deployments is your sole concern, then Azure Security Center's free tier covers your subscription's security policy, assessments, recommendations and connected partner solutions. If you also have hybrid deployments (on-premises machines connected to Azure), you will want the standard tier, which is free for the first 60 days and is priced per monitored node after that. On-premises machines report in through the Microsoft Monitoring Agent, which sends their data to the Log Analytics workspace that Security Center uses. This hybrid approach simplifies the discovery and assessment of threats by consolidating security data from both Azure and connected on-premises deployments into a single, searchable UI with at-a-glance analytics and a set of security tools.
Setting up your center: roles and policies
Assigning roles
Azure Security Center lets you grant members of your team access to the parts of Security Center that match their areas of responsibility. It relies on Azure Role-Based Access Control (RBAC), which governs user access and permissions throughout Azure. Three fundamental built-in RBAC roles, Owner, Contributor and Reader, apply across all Azure services, and a role is always assigned at a scope: an assignment at subscription scope applies to every resource group and resource in that subscription, while an assignment at resource group scope applies only to that group's resources. This is why the list below treats Subscription Owner and Resource Group Owner (and likewise Contributor) separately even though each pair is the same built-in role. Security Center adds two roles specific to its security functions: Security Administrator (the built-in role is named Security Admin) and Security Reader. Altogether, this gives seven available role and scope combinations:
- Subscription Owner
- Subscription Contributor
- Resource Group Owner
- Resource Group Contributor
- Security Administrator
- Security Reader
- Reader
These seven roles vary in their permissions with respect to performing the following four actions:
- Viewing security alerts and recommendations
- Dismissing security alerts and recommendations
- Applying security recommendations to a resource
- Editing the security policy for a subscription
Subscription Owner and Subscription Contributor have the broadest scope and can perform all four actions. Reader and Security Reader have the narrowest scope and can only view alerts and recommendations. The scope of an assignment matters for the roles in between: a Resource Group Owner or Contributor can apply recommendations to resources in that group, but cannot edit the security policy, because the policy is a subscription-level setting outside that scope. Follow least privilege here: analysts who only need to read alerts should get Security Reader rather than Reader or Contributor on the whole subscription, and anyone who needs to tune policy without modifying resources is a candidate for Security Administrator rather than Owner.
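As an added example (not code from the article or from Microsoft), the script below resolves which of the four Security Center actions a principal can perform at a given scope, applying the RBAC rule that an assignment covers its own scope and everything nested under it, and flags subscription-wide Owner or Contributor assignments that are wider than any Security Center task needs. The mapping of roles to actions is an assumption taken from the Security Center permissions table of the time; the subscription id and principals are constructed.

```python
"""Resolve what a principal can do in Security Center at a given scope.

Added example; not code from the article or from Microsoft. It models the
four Security Center actions and the fact that an Azure RBAC assignment
applies to everything beneath its scope, so "Subscription Owner" and
"Resource Group Owner" are one built-in role assigned at different scopes.
ROLE_ACTIONS is an assumption (the Security Center permissions table of the
time); confirm it against current documentation before relying on it.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

VIEW, DISMISS, APPLY, EDIT_POLICY = "view", "dismiss", "apply", "edit_policy"

# Assumed mapping of built-in role -> Security Center actions.
ROLE_ACTIONS = {
    "Owner":           {VIEW, DISMISS, APPLY, EDIT_POLICY},
    "Contributor":     {VIEW, DISMISS, APPLY, EDIT_POLICY},
    "Security Admin":  {VIEW, DISMISS, EDIT_POLICY},   # cannot change the resource itself
    "Security Reader": {VIEW},
    "Reader":          {VIEW},
}


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str   # "/subscriptions/<id>" or "/subscriptions/<id>/resourceGroups/<rg>"


def policy_scope(any_scope: str) -> str:
    """The security policy lives at subscription level: return that scope."""
    parts = any_scope.strip("/").split("/")
    return "/" + "/".join(parts[:2])            # "/subscriptions/<id>"


def scope_covers(assigned: str, target: str) -> bool:
    """An assignment covers its own scope and every scope nested under it."""
    a = assigned.lower().rstrip("/")
    t = target.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def effective_actions(principal: str, assignments: Iterable[Assignment], target: str) -> Set[str]:
    """Union of the actions from every assignment whose scope covers the target."""
    granted: Set[str] = set()
    for asg in assignments:
        if asg.principal == principal and scope_covers(asg.scope, target):
            granted |= ROLE_ACTIONS.get(asg.role, set())
    return granted


def can(principal: str, action: str, assignments: Iterable[Assignment], resource_scope: str) -> bool:
    """Policy edits are checked at the containing subscription; other actions at the resource."""
    target = policy_scope(resource_scope) if action == EDIT_POLICY else resource_scope
    return action in effective_actions(principal, assignments, target)


def over_privileged(assignments: Iterable[Assignment]) -> List[str]:
    """Least-privilege check: Owner/Contributor on a whole subscription is wider than needed."""
    return sorted({a.principal for a in assignments
                   if a.role in ("Owner", "Contributor")
                   and "/resourcegroups/" not in a.scope.lower()})


# Constructed sample tenant (fake subscription id and principals).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/prod-web"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
ASSIGNMENTS = [
    Assignment("alice", "Owner", SUB),          # "Subscription Owner"
    Assignment("bob", "Contributor", RG),       # "Resource Group Contributor"
    Assignment("carol", "Security Admin", SUB), # "Security Administrator"
    Assignment("dave", "Security Reader", SUB),
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, {a: can(who, a, ASSIGNMENTS, VM) for a in (VIEW, DISMISS, APPLY, EDIT_POLICY)})
    print("over-privileged:", over_privileged(ASSIGNMENTS))
```

The prefix test in scope_covers is the whole inheritance model: bob's Contributor assignment on prod-web covers the VM inside that group but not the subscription, so he can apply a recommendation to web01 yet cannot edit the subscription policy, which is exactly the distinction the table above draws between the resource-group and subscription variants of the same role.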
A security policy for achieving regulatory and standards compliance
In order to monitor the security status of each of your resources properly, it's important to create a security policy. The policy determines which recommendations Security Center evaluates for a resource (for example, whether missing system updates, missing disk encryption or missing endpoint protection are reported), so it should reflect the security requirements of that resource. A development environment that contains only test data may warrant a very different policy profile than a production environment with sensitive data.
To give you a head start, Security Center automatically assigns a default security policy to each Azure subscription. You can then adjust the default settings to match the needs of your resources; if your development and production workloads live in different resource groups, you can set a policy on a resource group that overrides what it inherits from the subscription. For example, if a resource holds personally identifiable information or other data subject to regulation, you will want to adjust the policy for that resource accordingly to maintain full regulatory compliance.
The Security Center dashboard
Once you set up user roles and security policies, it’s time to make use of the Security Center dashboard—a unified, intuitive, tile-based interface summarizing the security status of your resources. The dashboard is divided into four sections. The first section, Overview, provides an executive-level security status summary displaying the total number of security recommendations, solutions, alerts and recent events across all of your resources. The dashboard’s remaining three sections serve as entry points into key aspects of the Azure security offering:
Prevention
The second section of the dashboard, Prevention, is divided into four tiles:
- Compute
- Networking
- Storage & data
- Applications
Each tile displays the total number of issues that the Security Center has identified for each corresponding system. Along with the totals you will see a visual breakdown of the relative number of issues that represent security threats of high severity (red), medium severity (yellow), and low severity (blue). Healthy, issue-free resource systems are shown in green.
By clicking on an at-a-glance tile, you open a page listing every recommendation for the affected resources, which depending on the tile may be VMs and on-premises computers, networking components, storage accounts and databases, or web applications. Each recommendation is accompanied by a visual indicator of the severity of the issue and the number of resources in that category affected by it. By clicking on a recommendation, you can find more detailed, actionable information.
Detection
The third section of the dashboard, Detection, gives you a visual timeline of the security alerts raised over the last few days. A bar graph groups recent alerts by high, medium and low severity. Clicking on the graph opens a list of alerts with descriptions such as the following:
- Suspicious process executed
- Malicious SQL activity
- Failed RDP brute force attack
You can sort the detailed list of alerts by any of the following columns:
- Description
- Count
- Detected by
- Date
- State
- Severity
You can also filter alerts by severity, date or state in order to focus on a specific subset of alerts. To get started with filters, click the prominent Filter link on the Security Alerts page.
When you click on a security alert, a new list will appear that identifies each resource attacked along with the number of attacks, the time detected, the current state and the severity. Click on an entry for a wealth of data on the corresponding attack, including instructions for remedying the underlying security issue. You can also launch an investigation into the attack to uncover still more information:
- The attack’s complete timeline
- The method of the attack
- Potentially compromised systems
- Credentials used in the attack
- Visual map of the attack from beginning to end
To respond to compromised systems, you can also run playbooks. A playbook is an Azure Logic App that Security Center can run on your behalf when triggered by a specific security alert, for example to notify the on-call engineer or open a ticket, so that the first response steps happen the same way every time.
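As an added example that is not part of the article, the script below does in code what the Security Alerts page does in the UI: it filters and sorts a batch of alerts by the listed columns, groups active alerts per attacked resource to produce a triage order, and decides which playbooks a given alert would trigger. The alert records are constructed samples shaped like those columns, the playbook trigger rules are hypothetical, and no Azure API is called (real alerts would come from the Microsoft.Security/alerts REST resource or a Log Analytics export).

```python
"""Filter, sort and triage Security Center alerts, and match them to playbooks.

Added example; not code from the article or from Microsoft. ALERTS are
constructed samples shaped like the Security Alerts page columns plus the
affected resource; PLAYBOOKS are hypothetical trigger rules.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample alerts (not real data).
ALERTS: List[Dict] = [
    {"description": "Failed RDP brute force attack", "resource": "web01", "count": 412,
     "detected_by": "Microsoft", "date": "2017-11-03T02:14:00", "state": "Active", "severity": "Medium"},
    {"description": "Suspicious process executed", "resource": "web01", "count": 1,
     "detected_by": "Microsoft", "date": "2017-11-03T02:31:00", "state": "Active", "severity": "High"},
    {"description": "Malicious SQL activity", "resource": "sql01", "count": 3,
     "detected_by": "Microsoft", "date": "2017-11-02T22:05:00", "state": "Active", "severity": "High"},
    {"description": "Failed RDP brute force attack", "resource": "jump01", "count": 97,
     "detected_by": "Microsoft", "date": "2017-11-01T11:40:00", "state": "Dismissed", "severity": "Medium"},
    {"description": "Suspicious process executed", "resource": "db02", "count": 1,
     "detected_by": "Microsoft", "date": "2017-11-03T08:02:00", "state": "Active", "severity": "Low"},
]


def filter_alerts(alerts, min_severity="Low", state=None, since=None):
    """Keep alerts at or above min_severity, optionally by state and ISO-8601 cutoff."""
    floor = SEVERITY_RANK[min_severity]
    cutoff = datetime.fromisoformat(since) if since else None
    return [a for a in alerts
            if SEVERITY_RANK[a["severity"]] >= floor
            and (state is None or a["state"] == state)
            and (cutoff is None or datetime.fromisoformat(a["date"]) >= cutoff)]


def sort_alerts(alerts, column="severity", descending=True):
    """Sort by any dashboard column; severity sorts by rank, date chronologically."""
    keys = {"severity": lambda a: SEVERITY_RANK[a["severity"]],
            "date": lambda a: datetime.fromisoformat(a["date"])}
    key = keys.get(column, lambda a: a[column])
    return sorted(alerts, key=key, reverse=descending)


def triage_by_resource(alerts):
    """Order attacked resources worst first: highest severity seen, then number of
    distinct active alerts, then total event count. Dismissed alerts are ignored."""
    per = defaultdict(list)
    for a in filter_alerts(alerts, state="Active"):
        per[a["resource"]].append(a)
    rows = [(res, max(SEVERITY_RANK[a["severity"]] for a in items),
             len(items), sum(a["count"] for a in items))
            for res, items in per.items()]
    rows.sort(key=lambda r: (r[1], r[2], r[3]), reverse=True)
    return [r[0] for r in rows]


# Hypothetical playbook triggers: alert description plus a severity floor.
PLAYBOOKS = [
    {"name": "isolate-vm", "alert": "Suspicious process executed", "min_severity": "High"},
    {"name": "lock-down-rdp", "alert": "Failed RDP brute force attack", "min_severity": "Medium"},
    {"name": "notify-dba", "alert": "Malicious SQL activity", "min_severity": "Low"},
]


def playbooks_for(alert):
    """Playbooks whose trigger matches an active alert's description and severity."""
    if alert["state"] != "Active":
        return []
    return [p["name"] for p in PLAYBOOKS
            if p["alert"] == alert["description"]
            and SEVERITY_RANK[alert["severity"]] >= SEVERITY_RANK[p["min_severity"]]]


if __name__ == "__main__":
    print("triage order:", triage_by_resource(ALERTS))
    for a in sort_alerts(ALERTS, "date"):
        print(a["date"], a["resource"], a["description"], "->", playbooks_for(a))
```

Two choices worth noting: the triage key ranks a host with one High alert above a host with many Medium ones, since a single suspicious process on web01 matters more than hundreds of failed RDP logins; and a dismissed alert never fires a playbook, so analysts who dismiss alerts (a right the roles table grants to Contributor and Security Administrator) are also switching off automation for them.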
Advanced Cloud Defense
The dashboard's fourth and final section, Advanced Cloud Defense, is currently in preview and includes two new aspects of Security Center focused on VM security. The first is just-in-time VM access, which keeps management ports such as RDP and SSH closed in the VM's network security group and opens them only for an approved source address, for a limited time, when someone requests access. The second is Adaptive Application Controls, which builds an allow list of the applications observed running on a group of VMs and alerts when something outside that list runs, helping you control which software runs on your VMs.
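As an added example (not code from the article or from Azure), the model below shows the mechanism behind just-in-time VM access: a standing Allow rule that exposes RDP is replaced by a Deny rule on the management ports, a request inserts a higher-priority Allow rule scoped to the requester's /32 with an expiry, and evaluation follows network security group semantics (lowest priority number first, first match decides, unmatched inbound traffic falls to the default deny). Rule names, priorities, addresses and times are constructed rather than Azure's own values.

```python
"""Model how just-in-time (JIT) VM access restricts management ports.

Added example; not code from the article or from Azure. Rule names,
priorities, addresses and times are constructed; the evaluation order
mirrors NSG semantics but this is not an Azure API.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

MGMT_PORTS = {22, 3389}          # SSH and RDP, the ports JIT typically guards
DENY_RULE = "jit-deny-mgmt"


@dataclass
class Rule:
    name: str
    priority: int                        # lower number is evaluated first
    access: str                          # "Allow" or "Deny"
    ports: Set[int]
    source: str                          # CIDR; "0.0.0.0/0" matches any source
    expires: Optional[datetime] = None   # only JIT allow rules are time-boxed

    def matches(self, src_ip: str, port: int) -> bool:
        return port in self.ports and ip_address(src_ip) in ip_network(self.source)


class JitNsg:
    """A simplified NSG with enable / request / expire operations."""

    def __init__(self, rules: List[Rule], now: datetime):
        self.rules = list(rules)
        self.now = now

    def enable_jit(self, deny_priority: int = 4000) -> None:
        """Drop standing Allow rules on management ports and add the JIT deny."""
        self.rules = [r for r in self.rules
                      if not (r.access == "Allow" and r.ports & MGMT_PORTS and r.expires is None)]
        self.rules.append(Rule(DENY_RULE, deny_priority, "Deny", set(MGMT_PORTS), "0.0.0.0/0"))

    def request_access(self, src_ip: str, ports: Set[int], hours: float, max_hours: float = 3) -> Rule:
        """Open the requested ports for one source address for a bounded window."""
        if not ports <= MGMT_PORTS:
            raise ValueError("JIT only opens management ports")
        if not 0 < hours <= max_hours:
            raise ValueError(f"window must be within (0, {max_hours}] hours")
        denies = [r.priority for r in self.rules if r.name == DENY_RULE]
        if not denies:
            raise RuntimeError("enable JIT before requesting access")
        taken = {r.priority for r in self.rules}
        prio = next(p for p in range(min(denies) - 1, 0, -1) if p not in taken)  # wins over the deny
        rule = Rule(f"jit-allow-{src_ip}", prio, "Allow", set(ports), f"{src_ip}/32",
                    expires=self.now + timedelta(hours=hours))
        self.rules.append(rule)
        return rule

    def expire(self, now: datetime) -> None:
        """Remove allow rules whose window has ended."""
        self.now = now
        self.rules = [r for r in self.rules if r.expires is None or r.expires > now]

    def evaluate(self, src_ip: str, port: int, now: Optional[datetime] = None) -> str:
        """First matching rule by priority decides; unmatched inbound traffic is denied."""
        self.expire(now or self.now)
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if rule.matches(src_ip, port):
                return rule.access
        return "Deny"                    # the NSG default DenyAllInBound rule


def demo() -> Dict[str, str]:
    """Walk through enable -> request -> expire and return each decision."""
    t0 = datetime(2017, 11, 3, 9, 0)
    # Constructed starting point: a standing rule that exposes RDP to the internet.
    nsg = JitNsg([Rule("allow-rdp-internet", 300, "Allow", {3389}, "0.0.0.0/0")], now=t0)
    out = {"before_jit": nsg.evaluate("203.0.113.7", 3389)}
    nsg.enable_jit()
    out["after_jit"] = nsg.evaluate("203.0.113.7", 3389)
    try:
        nsg.request_access("203.0.113.7", {3389}, hours=8)          # longer than max_hours
    except ValueError:
        out["too_long"] = "rejected"
    nsg.request_access("203.0.113.7", {3389}, hours=2)
    out["requester_rdp"] = nsg.evaluate("203.0.113.7", 3389)
    out["requester_ssh"] = nsg.evaluate("203.0.113.7", 22)          # port not requested
    out["other_ip_rdp"] = nsg.evaluate("198.51.100.9", 3389)         # not the requester
    out["after_expiry"] = nsg.evaluate("203.0.113.7", 3389, now=t0 + timedelta(hours=3))
    return out


if __name__ == "__main__":
    for step, decision in demo().items():
        print(f"{step:14} {decision}")
```

The point of the walk-through is the blast radius: before JIT, anyone on the internet can reach 3389; after it, only the address that requested access can, only on the port it asked for, and only until the window closes, at which point the Deny rule is all that remains. When you enable the real feature, check the VM's NSG afterwards for leftover standing Allow rules on 22 and 3389, since those would sit above the JIT deny and defeat it.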
Leveraging Azure Security Center
As outlined above, Azure Security Center comes in two tiers: free and standard. The free tier offers core security features for your Azure resources, while the standard tier takes a hybrid-cloud approach, monitoring both your Azure resources and your Azure-connected on-premises deployments. Once you have set up roles for your team and security policies for your resources, Security Center brings all your security data together into a single, unified interface. The dashboard gives you an overall snapshot of the security status of your resources and lets you drill down within the Prevention, Detection and Advanced Cloud Defense sections. The Prevention area identifies current security weaknesses and offers detailed recommendations to help close them; the Detection area focuses on security alerts that describe specific attacks and paths to remediation; and the Advanced Cloud Defense area, currently in preview, focuses on the security of your VMs.
Overall, the Azure Security Center speaks to the growing need for an enterprise-grade security management platform that encompasses both cloud and onsite resources with a unified, analytics-rich, actionable interface that helps you take control of the security of your resources on all fronts.
For more information on Azure Security Center and other Azure services, contact us.