Azure Defender, Security Center?
Azure Defender and Azure Security Center (ASC). The hot topic of recent months, and the one I have been asked about more than any other product or topic. Yesterday, a rebrand announcement was made to address some of the confusion about what it is and how it fits. I think this is a smart move, changing the conversation from "how do I plug this solution into my workloads" to "this is a pattern and a group of concepts which fit together in this way". That makes adoption and the learning gap a lot smoother. The announcement also included a number of changes, which I have compiled below and which I've been super excited to see. It is also the perfect time to start this blog with some unpacking of Defender for Cloud and its place in the Microsoft security portfolio.
What is Defender For Cloud?
Microsoft Defender for Cloud is the cloud workload part of Microsoft's XDR story under the Microsoft Defender banner, designed to protect your most critical workloads in Azure, AWS, GCP and on-premises against advanced malware and sophisticated threats. This includes vulnerability assessment across Linux and Windows servers and Kubernetes containers. Within the service there are multiple plans, one per protected resource type, and each has been renamed in line with the branding change (for example, Azure Defender for Storage is now Microsoft Defender for Storage).
Defender for Cloud has two core responsibilities, which map to two broad pillars of workload security: cloud security posture management (CSPM) and cloud workload protection (CWP).

CSPM gives you visibility into your security posture at a point in time, summarised as a secure score, together with hardening recommendations that raise that score and lower your overall risk; the foundational CSPM capability is included at no charge. CWP provides security alerts powered by Microsoft threat intelligence (billions of signals across the Microsoft security ecosystem) and a set of workload-specific protections delivered through the paid Defender plans (Defender for Servers, Defender for Storage, Defender for Containers and so on), raising the maturity of your workload security. A practical way to think about it: CSPM tells you where you are exposed, CWP tells you when something is actively happening.
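As an added illustration (this code is mine, not from the original post or from Microsoft), the following Python models the secure score arithmetic behind the CSPM pillar using Microsoft's published scoring rule (each control is worth a fixed maximum, its current score is the maximum scaled by the fraction of healthy resources, and the secure score is the sum of current scores over the sum of maximums). The control names mirror real Defender for Cloud controls, the resource counts are constructed, and treating a control with no resources as not applicable is my assumption. It shows why recommendation ordering matters: fixing one unhealthy resource in a high-weight control with few resources moves the score further than patching many resources in a low-weight control.

```python
"""Secure score arithmetic for the CSPM pillar, over constructed sample data.

Scoring rule (Microsoft's published model):
    control current score = max_score * healthy / (healthy + unhealthy)
    secure score (%)      = sum(current scores) / sum(max scores) * 100
A control with no applicable resources is excluded from both sums here;
that handling is an assumption for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    max_score: int
    healthy: int
    unhealthy: int

    @property
    def total(self) -> int:
        return self.healthy + self.unhealthy

    @property
    def applicable(self) -> bool:
        return self.total > 0

    @property
    def current_score(self) -> float:
        """Points currently earned for this control."""
        if not self.applicable:
            return 0.0
        return self.max_score * self.healthy / self.total

    @property
    def points_per_fix(self) -> float:
        """Points gained by remediating one unhealthy resource in this control."""
        if self.unhealthy == 0:
            return 0.0
        return self.max_score / self.total


def secure_score_percent(controls) -> float:
    """Subscription secure score as a percentage, rounded to one decimal."""
    applicable = [c for c in controls if c.applicable]
    max_total = sum(c.max_score for c in applicable)
    if max_total == 0:
        return 0.0
    current_total = sum(c.current_score for c in applicable)
    return round(100 * current_total / max_total, 1)


def remediation_order(controls):
    """Controls with unhealthy resources, highest points per remediated resource first."""
    return sorted(
        (c for c in controls if c.unhealthy > 0),
        key=lambda c: c.points_per_fix,
        reverse=True,
    )


# Constructed sample data: control names and maximum scores match the real
# Defender for Cloud controls, the healthy/unhealthy counts are invented.
SAMPLE_CONTROLS = [
    Control("Enable MFA", 10, healthy=1, unhealthy=1),
    Control("Secure management ports", 8, healthy=3, unhealthy=1),
    Control("Apply system updates", 6, healthy=0, unhealthy=6),
    Control("Enable encryption at rest", 4, healthy=4, unhealthy=0),
    Control("Protect applications against DDoS attacks", 2, healthy=0, unhealthy=0),
]


if __name__ == "__main__":
    print(f"Secure score: {secure_score_percent(SAMPLE_CONTROLS)}%")
    for c in remediation_order(SAMPLE_CONTROLS):
        print(f"  {c.name}: +{c.points_per_fix:.1f} points per remediated resource")
```

With the sample data the score is 53.6%, and the single MFA-less account is worth five points on its own, more than patching all six machines combined. Run the same arithmetic over your own exported assessment data before deciding which recommendations to chase first.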
How does Defender fit into the bigger threat protection story?
Here is a helpful diagram that I think is fantastic.
So what happened to Microsoft Defender For EndPoint? I thought that was the same?
Microsoft Defender for Endpoint (MDE) is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate and respond to advanced threats. The key word is endpoint: MDE is Endpoint Detection and Response (EDR), centred on in-depth visibility into individual devices, whereas Defender for Cloud sits in the wider Extended Detection and Response (XDR) layer, integrating posture and threat signals across cloud workloads (IaaS, PaaS and Kubernetes) in Azure, AWS and GCP as well as on-premises servers. The two overlap by design: the Defender for Servers plan in Defender for Cloud deploys the MDE sensor to, and includes the MDE licence for, the servers it covers, so MDE's threat and vulnerability management (TVM), attack surface reduction, next-generation protection and threat intelligence surface inside Defender for Cloud. The important thing is to understand which layer each product is designed to protect, and to check that servers already covered by a Defender for Servers plan are not also being licensed separately for MDE.
What changes were announced at Ignite?
1) Native support for AWS environments. The new AWS connector onboards accounts without an agent for posture management, using AWS APIs to populate data into the Defender for Cloud portal, and ships with 160+ out-of-the-box recommendations, so enabling it gives an immediate baseline against common attack vectors. Enhanced protection for Elastic Kubernetes Service (EKS) workloads adds hardening and a smoother onboarding process, and the CIS, PCI and AWS Foundational Security Best Practices standards are supported. Finally, a single view of secure score across your multi-cloud estate removes portal-switching fatigue and simplifies the herculean task of reducing attack surface and risk. One caveat: the agentless part is the posture (CSPM) assessment; the workload protection plans for EC2 instances and EKS clusters still rely on Azure Arc and the associated extensions being deployed to those resources.
2) Azure Purview integration brings data governance and classification into Microsoft Defender for Cloud. Sensitivity information discovered by Purview is attached to the resources Defender for Cloud already assesses, so you can discover, classify and track sensitive data across your cloud workloads and prioritise recommendations and alerts on the resources that actually hold it.
3) Microsoft Sentinel to Microsoft Defender for Cloud bi-directional sync is now generally available: when an alert's status is changed in either product, the change is reflected in the other, which tightens the integration and reduces administrative effort. Logging can also now be enabled directly from the recommendations page in Microsoft Defender for Cloud.
4) Microsoft Threat and Vulnerability Management integration. I already put together a post on this a couple of weeks ago; in short, it provides a more native way of running vulnerability assessments on servers, as an alternative to the integrated Qualys scanner. See the post here: Azure Defender integration with TVM – Azure Cloud & AI Domain Blog (azurecloudai.blog)
5) Security recommendations now map to the MITRE ATT&CK framework. Each recommendation is tagged with the tactics and techniques it mitigates, which improves the quality of recommendations as new attack trends and intelligence are incorporated, and gives security teams across the industry a single, shared vocabulary for reading and prioritising them.
6) Azure Security Benchmark (ASB) v3 adds control mappings for PCI-DSS v3.2.1 and CIS Controls v8, new DevOps security controls, expanded key and certificate management controls, and more detailed per-control guidance for deeper and more relevant insights. ASB v3 is now the default standard in the regulatory compliance dashboard.
References and additional reading: