Latest posts by Paul Schnackenburg (see all)
- Office 365 Secure Score – Securing Exchange Online - Thu, Aug 3 2017
- Office 365 Secure Score - Reporting and monitoring - Tue, Aug 1 2017
- Office 365 Secure Score - MFA for users and auditing - Mon, Jul 31 2017
Monitoring is a reactive approach to system maintenance. An Operations Manager or a third party solution bubbles up alerts when something requires attention. For security applications, this isn’t always appropriate, because by the time you see the alert and react to it, the bad guy’s already done the damage.
Security health monitoring, on the other hand, is about checking the security posture of your resources and warning you if they’re not in line with your company policy before you’re attacked. This is the focus of Azure Security Center.
What is Security Center? ^
To test out Security Center for yourself, simply login to portal.azure.com, go to Browse in the left hand blade, scroll all the way down to Security Center and select it. You will be prompted to add monitoring to all subscriptions you have and to define a storage account where logs will be stored.
Turn on data collection
As you can see in the screenshot above, you need to turn on data collection for VMs (which relies on the VM agent). You can then select which recommendations you’d like to see:
- System updates – determines whether or not your Windows VMs are missing OS patches.
- Baseline rules - compares your OS configuration against security best practices and recommends changes if they don’t match up. This is for both Windows and Linux VMs (Ubuntu 12.04, 14.04, 14.10, and 15.04, with more coming).
- Apply system updates – checks if your Windows VMs are missing OS patches.
- Enable Antimalware – checks your Windows VMs for anti-virus software. If none is present, a user can select which software to deploy from the various options that Azure offers.
- Access Control List (ACL) on endpoints – Configures ACLs for endpoints to restrict incoming traffic. This only applies to classic VMs.
- Network Security Groups (NSG) – enables NSGs on subnets and network interfaces. NSGs are the secret sauce to control network traffic for ARM VMs. This rule will recommend that you implement NSGs, which is followed by restricting access through public external endpoints.
- Web Application Firewall (WAF) – adds a WAF for web endpoints, which is the equivalent of network protection for ARM VMs. This must be followed by rerouting incoming traffic using the Finalize web application firewall setup.
- SQL auditing – enables auditing for an SQL server and database for SQL as a service (not your own VMs, where you’re running SQL).
- SQL Transparent Data Encryption (TDE) – implements TDE to encrypt SQL Server and Azure SQL Database data files.
- Deploy VM Agent – warns you if there are VMs with no agent installed. To use the first three rules in this list (system updates, baseline rules, and antimalware), a VM agent must be installed.
Once the agents are installed and the data have been collected, you will receive recommendations to improve the security posture of your resources. If you don’t need a particular recommendation, you can either right click on it or click “…” and select Dismiss. You can view a list of dismissed recommendations by clicking the Filter button.
Implementing an NSG recommendation
Recommendations come in three severities: high, which require attention; medium, which indicates less critical suggestions; and low, which aren’t normally shown.
Network Security ^
As mentioned above, Security Center isn’t just about the security of your VMs and SQL databases; it also looks at your network configuration. For instance, if you have a web-based application that would benefit from protection, the web application firewall rule will recommend implementing a third-party partner solution. It’ll then give you the basic steps to implement and configure a virtual appliance. Security Center will also collect logs from such third-party solutions for an integrated analysis of VM, antimalware, and appliance security event logs.
The gathered log data are also analyzed with Microsoft global threat intelligence resources. For example, if your VM is communicating with a known “bad IP address,” this will be flagged.
Not all Azure resources need to have the same level of security scrutiny. If you have a dev test subscription, you can define a different set of policies and active rules than for your production subscription. At this time, policies are defined on a per subscription basis. I’d really like to see Microsoft extend this (using ARM) to allow different sets of policies for subsets of subscriptions.
Azure is starting to come together as a huge toolbox with different tools for various business applications. This is similar to the way in which Office 365 isn’t just plain vanilla hosted Exchange, but rather an integrated suite of powerful collaboration tools with additional services on top.
Security Center is a really interesting addition to Azure. Centralizing security event monitoring across resources is certainly valuable. Because it both looks at the security posture of each resource and gathers, analyzes, and correlates events, it has potential to be your single view of all Azure security data.
As more Azure resources are integrated, the value will increase, but there’s enough there to warrant implementation today, especially given that the price is $0 (apart from storage costs for the logs).