
Archive for the ‘Microsoft Defender for Cloud’ Category

The next wave of multicloud security with Microsoft Defender for Cloud, a Cloud-Native Application Protection Platform (CNAPP)

March 22nd, 2023

With digital transformation in the face of macroeconomic pressures, strategies to optimize both cloud environments and cloud security are increasingly appealing to enterprises. Organizations worry about vulnerabilities in code getting deployed, critical misconfigurations, overprivileged access to cloud infrastructure, and evolving threats that can cause sensitive data loss. Unfortunately, most reported security incidents involve bad actors exploiting vulnerabilities that security teams aren’t even aware of.

The answer is an end-to-end solution that offers comprehensive cloud security from development to runtime—a Cloud-Native Application Protection Platform (CNAPP).

Let’s dive into what’s driving CNAPP adoption and walk through how Microsoft Defender for Cloud—one of the only platforms with comprehensive coverage and integrated insights all in one solution—can help organizations embed security from code to cloud.

What is CNAPP, and why does it matter?

CNAPPs are the leading edge of cloud security. A CNAPP unifies security and compliance capabilities to prevent, detect, and respond to modern cloud security threats from development to runtime.

A CNAPP delivers a unified experience for organizations that synthesizes insights and drives effective collaboration among developers, DevOps teams, security teams, and security operations center (SOC) analysts to reduce excessive risks for cloud-native applications and to embed security across the continuous integration and continuous delivery (CI/CD) lifecycle.

Why do organizations need a CNAPP for modern cloud security?

A CNAPP directly addresses critical challenges faced by cloud security teams as they aim to strengthen their security posture, detect and respond to threats, and prevent critical data breaches:

  • The need for “shifting security left” into the DevOps pipeline: Development and security teams need to be empowered to collaborate to embed security into the code itself so that cloud-native applications can start secure and stay secure.
  • Lack of visibility and prioritization in managing multicloud security posture: The dynamic nature of cloud-native applications creates flexibility but also blind spots for posture management. Multicloud and hybrid scenarios add to the complexity, making a centralized, prioritized view with contextual security insights crucial to reducing recommendation fatigue and helping security teams focus on what matters.
  • Advanced threat actors and increasing cost of breach: The evolving threat landscape worsens the threat response challenge, resulting in SOC analysts and security admin teams that are overwhelmed by mounting threat signals.
  • Mismanaged and misconfigured cloud infrastructure entitlement: Security admins also worry about overprivileged access to infrastructure, which can leave room for exploitation and infiltration.

Key CNAPP capabilities

Security teams need an end-to-end platform for cloud security. This means security integration into DevOps, visibility across their multicloud environments, a prioritized view of their most critical vulnerabilities and misconfigurations, built-in governance and automated remediation tools, and the means to detect and respond to modern threats across their cloud workloads.

To achieve this, an effective CNAPP should combine capabilities across cloud security posture management, DevOps security management, cloud workload protection, cloud infrastructure entitlement management, and network security.

Microsoft’s unified CNAPP is recognized as a Representative Vendor in the Gartner® 2023 Market Guide for Cloud-Native Application Protection Platforms (CNAPPs) and our platform includes:

  • Cloud security posture management (CSPM): CSPM solutions provide visibility across multicloud and hybrid environments from development to runtime, provide alerts and recommendations to security teams on critical vulnerabilities and misconfigurations that could lead to issues, and have built-in workflows to strengthen security posture and help drive remediation at scale. Microsoft Defender Cloud Security Posture Management (Defender CSPM) in Defender for Cloud helps cut through the noise to focus on remediating your most critical risk with integrated insights across the SOC, DevOps, External Attack Surface Management (EASM), identity and access management, and compliance. It has a single connected view in the cloud security graph with attack path analysis to help security teams identify exploitable resource paths, and the built-in tools to mitigate risk across cloud environments.
  • Cloud workload protection (CWP): CWP solutions are comprehensive services that provide real-time detection and response to modern threats across your cloud workloads, including virtual machines, containers and Kubernetes, databases, storage accounts, network layers, App Service, and more. Cloud Workload Protection in Defender for Cloud analyzes workloads using advanced analytics and threat intelligence to help reduce the attack surface and respond to emerging threats quickly. The integrated experience with Microsoft 365 Defender and Microsoft Sentinel enables a comprehensive detection and response solution for a modern security operations center.
  • DevOps security: Microsoft Defender for DevOps in Defender for Cloud empowers security teams to unify, strengthen, and manage multipipeline DevOps security, shift security left, and enable code-to-cloud protections in a central console. This solution helps security teams focus on critical evolving threats by scanning Infrastructure as Code (IaC) templates and container images to minimize cloud misconfigurations reaching production environments, and by correlating contextual cloud security intelligence from runtime back to the dev platforms to prioritize remediation in code.
  • Cloud infrastructure entitlement management (CIEM): Permissions give identities the ability to perform an action on a resource. Across major clouds, more than 40,000 permissions can be granted, of which over 50 percent are high risk, meaning they can cause service disruption, service degradation, or data leakage when used improperly [1]. To help support a viable multicloud strategy and avoid accidental or malicious permission misuse, streamlined permissions management is essential. Microsoft Entra Permissions Management helps you understand the real footprint of your cloud infrastructure entitlements, prevent permissions creep, and enforce the principle of least privilege across your multicloud environment. Defender for Cloud integrates with Permissions Management, enabling security teams to get unified visibility and recommendations in a central cloud security dashboard.
  • Network security: Network security protects your cloud network infrastructure and applications from distributed denial-of-service, web application, and network attacks. Azure Network Security offers the full benefits of cloud-native services for securing your cloud and hybrid network infrastructure and applications. Based on Zero Trust network security, Azure Network Security is designed to provide organizations with granular segmentation controls, intelligent threat protection by Microsoft Threat Intelligence, traffic encryption in transit and at rest, and private access linking to infrastructure as a service (IaaS), platform as a service (PaaS), and on-premises resources. Defender for Cloud continuously analyzes the security state of Azure resources against network security best practices. Security teams can get adaptive recommendations for network hardening in a central place and use the end-to-end view to improve security posture across network infrastructure and applications.
Chart demonstrating the segments of Microsoft's cloud-native application protection platform, including cloud security posture management, cloud workload protection, DevSecOps, and cloud infrastructure entitlement management.

Microsoft’s CNAPP: Comprehensive cloud-native protection with unparalleled integrated insights

Microsoft’s comprehensive CNAPP combines security and compliance capabilities into a single platform to provide end-to-end cloud security for full-stack workloads across Amazon Web Services, Google Cloud Platform, and Microsoft Azure. Security admins no longer need to manually synthesize data and tools across products, and instead can proactively address security threats across their multicloud and hybrid environments in a single platform.

Defender for Cloud is empowering security teams with a more comprehensive and differentiated approach:

  • Integrated CNAPP capabilities and more in a single portal on a single platform: All managed in Microsoft Defender for Cloud, organizations get centralized visibility and integrated insights across Azure Network Security, Permissions Management, Microsoft 365 Defender for detection and response, and Microsoft Sentinel for security information and event management and security orchestration, automation, and response capabilities.
  • Additional capabilities to accelerate cloud-native protection: Further, Defender for Cloud’s integration with Microsoft Defender External Attack Surface Management enables true identification of internet-exposed resources, augmenting signals from configurations and cloud APIs.
  • Protection across your multicloud data estate: Security teams can enable comprehensive data protection in cloud storage and SQL database resources across PaaS, IaaS, and open-source databases, and detect potential threats to data such as brute-force attacks, SQL injection, and suspicious data extraction.
  • Full lifecycle protection: Microsoft helps security teams minimize vulnerabilities from making it to production with code scanning and IaC scanning, and reduce time to remediate with integrated workflows into developer environments. Microsoft Defender for DevOps integrations with Azure DevOps and GitHub unify multipipeline DevOps security and ensure secure development.
  • Unparalleled view of the evolving threat landscape: Defender for Cloud leverages the comprehensive threat intelligence that comes from synthesizing 65 trillion signals a day to identify emerging threat vectors and help security teams respond quickly.
  • Cloud scale and integrated CNAPP: Defender for Cloud is designed with scale and insights gained from running Microsoft Azure, one of the leading public cloud platforms in the industry. Microsoft is the only public cloud provider to enable a CNAPP solution natively in the cloud portal, helping security teams simplify security management in Azure and extend it to other clouds.

Even with these capabilities, Microsoft is only getting started, and our continued investment in ushering in the next wave of cloud-native security is featured in Omdia’s February report on Defender for Cloud, “Microsoft is developing a full cloud-native security platform.”

More innovations to come

To learn more about critical upcoming CNAPP innovations in Microsoft Defender for Cloud, register to join me at Microsoft Secure, our free, virtual Microsoft Security event on March 28, 2023, as I’ll share news in Breakout Session 11, “Protect multicloud environments with cloud-native security innovations.” And immediately following this session, attend our CNAPP interactive product session (CATE11) to get your questions answered.

You can also explore Microsoft Defender for Cloud and sign up for a free trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] 2021 State of Cloud Permissions Risks Report, Microsoft, 2021.

Gartner® , Market Guide for Cloud-Native Application Protection Platforms, March 14, 2023. Neil MacDonald, et al.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

The post The next wave of multicloud security with Microsoft Defender for Cloud, a Cloud-Native Application Protection Platform (CNAPP) appeared first on Microsoft Security Blog.

Introducing new Microsoft Defender for Cloud innovations to strengthen cloud-native protections

October 12th, 2022

Security teams face an expanding attack surface as organizations increasingly use cloud-native services to develop, deploy, and manage applications across their multicloud and hybrid environments. Their challenge is compounded by incomplete visibility, siloed processes, and a lack of prioritized mitigations that put defenders into a position where they often react to threats once they’ve already been breached. Unfortunately, bad actors capitalize on this by exploiting vulnerabilities much earlier in the development lifecycle—at the code itself. And what further complicates this is the reality that bad actor tactics look one way today and another tomorrow. This can frustrate businesses traditionally operating with a finite mindset, thinking a problem can be solved once and for all. Instead, organizations need a comprehensive approach toward cloud security and a centralized, integrated solution to mitigate risk from code to cloud to counter these threats. We have an opportunity to think bigger and differently—especially in cloud security, where the pace of innovation and complexity can be breathtaking.

At Microsoft, we’re approaching cloud security with an infinite mindset. In a constantly changing world, we use threat intelligence, AI, and automation to create a virtuous cycle of signals to evolve and respond faster to bad actors and events. We bring this vision to life with Microsoft Defender for Cloud, our integrated cloud-native application protection solution for hybrid and multicloud environments. Defender for Cloud strengthens security posture, accelerates protection against modern threats, and reduces risk throughout the cloud application lifecycle so organizations can stay protected.

I am thrilled to announce new innovations in Microsoft Defender for Cloud to expand our vision for cloud security, including the previews of Microsoft Defender for DevOps and Microsoft Defender Cloud Security Posture Management (Defender CSPM).

  • Unify DevOps security management across multiple pipeline environments with Defender for DevOps: Security teams will gain insights across multi-pipeline environments in a central console, including leading platforms like GitHub and Azure DevOps, with more to follow. Defender for DevOps can correlate with other contextual cloud security intelligence to prioritize remediation of code vulnerabilities throughout the application development lifecycle. 
  • Gain full coverage, prioritize, and remediate the most critical risks with Defender CSPM: Defender CSPM builds on existing posture management capabilities in Defender for Cloud to help security teams get comprehensive coverage of their hybrid and multicloud environments, and prioritize and proactively remediate the most critical threats with contextual cloud security and attack path analysis.  

With these new capabilities, organizations can adopt an infinite approach to cloud security and do more with less.

The three areas of Microsoft Defender for Cloud, listed from left to right: DevOps Security Management, Cloud Security Posture Management, and Cloud Workload Protection.

Empower security teams with unified DevOps security management across multi-pipeline environments

Security teams have a fragmented view of their DevOps security posture due to many disconnected security tools, and multiple DevOps and cloud platforms throughout their organization. Security and development teams continue to operate in silos, and security tools are not equipped to keep pace with developer speed. These disjointed tool stacks lack the capabilities to provide business risk context and to effectively drive remediation in the development lifecycle. Security teams waste precious resources tracking down the right owners who can fix identified issues. The result is that security practitioners grapple with overwhelming amounts of security issues in production. As bad actors continue to break records exploiting zero-day vulnerabilities, security teams need a unified and integrated approach to securing their cloud applications throughout the lifecycle [1].

Defender for DevOps empowers security teams to unify, strengthen, and manage DevOps security to achieve more secure code development and strengthen their overall cloud security. It provides full visibility into the DevOps inventory and the security posture of application code and resource configurations across multi-pipeline and multicloud environments. Infrastructure-as-code and container image scanning help prevent cloud misconfigurations from ever reaching production environments. Security teams can streamline processes to fix security issues in code and get contextual insights connected from code to runtime resources, helping them prioritize and drive remediation in code.
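The paragraph above, like the DevOps security bullet in the March 2023 post, describes Infrastructure-as-Code scanning as the control that stops misconfigurations before they reach production. The block below is an added example of what such a pipeline gate does at its simplest; it is not Defender for DevOps or any Microsoft code. It scans a constructed ARM template for four common weaknesses (anonymous public blob access, a TLS floor below 1.2, SSH/RDP open to any source in a network security group, and a literal admin password instead of a parameter or Key Vault reference) and returns a non-zero exit code when a High finding is present. The rule IDs, severities and the sample template are assumptions made for the example.

```python
"""Added illustration (not Microsoft's scanner): a minimal Infrastructure-as-Code
policy gate for an ARM template, run before deployment so misconfigurations are
caught in the pipeline rather than in production."""
import json
from dataclasses import dataclass

# Constructed sample template: deliberately carries four misconfigurations.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {"adminPassword": {"type": "securestring"}},
  "resources": [
    {"type": "Microsoft.Storage/storageAccounts", "name": "examplelogs",
     "properties": {"allowBlobPublicAccess": true, "supportsHttpsTrafficOnly": true,
                    "minimumTlsVersion": "TLS1_0"}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "example-nsg",
     "properties": {"securityRules": [
       {"name": "allow-ssh-anywhere", "properties": {"direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"}},
       {"name": "allow-https-internal", "properties": {"direction": "Inbound", "access": "Allow",
        "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "443"}}]}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "example-vm",
     "properties": {"osProfile": {"adminUsername": "azureuser", "adminPassword": "Summer2023!"}}}
  ]
}
""")


@dataclass
class Finding:
    rule_id: str
    severity: str   # "High" or "Medium" (assumed severity scale)
    resource: str
    message: str


ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "::/0"}
MGMT_PORTS = {22, 3389}


def _port_match(spec: str, port: int) -> bool:
    """True if an NSG port spec ("*", "22" or "20-25") covers the port."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return spec.isdigit() and int(spec) == port


def _exposes_mgmt_port(rule: dict) -> bool:
    """Inbound Allow rule from any source that reaches SSH or RDP."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    sources = [rule.get("sourceAddressPrefix", "")] + list(rule.get("sourceAddressPrefixes", []))
    if not any(s.lower() in ANY_SOURCE for s in sources):
        return False
    ports = [rule.get("destinationPortRange", "")] + list(rule.get("destinationPortRanges", []))
    return any(_port_match(p, mp) for p in ports if p for mp in MGMT_PORTS)


def scan_template(template: dict) -> list:
    """Walk every resource and collect policy findings."""
    findings = []
    for res in template.get("resources", []):
        rtype, name = res.get("type", ""), res.get("name", "?")
        props = res.get("properties") or {}
        if rtype == "Microsoft.Storage/storageAccounts":
            if props.get("allowBlobPublicAccess") is True:
                findings.append(Finding("IAC-001", "High", name, "anonymous public blob access enabled"))
            if props.get("supportsHttpsTrafficOnly") is False:
                findings.append(Finding("IAC-002", "High", name, "plaintext HTTP accepted"))
            if props.get("minimumTlsVersion") != "TLS1_2":
                findings.append(Finding("IAC-003", "Medium", name, "minimum TLS version is not TLS1_2"))
        elif rtype == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                if _exposes_mgmt_port(rule.get("properties") or {}):
                    findings.append(Finding("IAC-010", "High", f"{name}/{rule.get('name')}",
                                            "SSH/RDP reachable from any source"))
        elif rtype == "Microsoft.Compute/virtualMachines":
            pw = (props.get("osProfile") or {}).get("adminPassword")
            # ARM expressions start with "["; anything else is a hard-coded secret.
            if isinstance(pw, str) and not pw.startswith("["):
                findings.append(Finding("IAC-020", "High", name,
                                        "admin password is a literal; use a parameter or Key Vault reference"))
    return findings


def gate(findings, fail_on=("High",)) -> bool:
    """True when the pipeline should block the deployment."""
    return any(f.severity in fail_on for f in findings)


if __name__ == "__main__":
    results = scan_template(SAMPLE_TEMPLATE)
    for f in results:
        print(f"[{f.severity}] {f.rule_id} {f.resource}: {f.message}")
    raise SystemExit(1 if gate(results) else 0)
```

Run against the sample template the gate reports three High findings and one Medium and exits non-zero, which is the behaviour a CI step needs to block the merge or deployment. A real scanner evaluates Bicep, Terraform and Kubernetes manifests as well, and resolves parameter values and module references rather than reading literals, but the shape is the same: a rule set over the parsed template and a severity threshold that fails the build.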

Defender for DevOps integrates with GitHub Advanced Security to enable automated workflows across industry-leading platforms like GitHub and Azure DevOps, fostering stronger collaboration between SecOps and developer teams. Defender for DevOps is the result of close design partnerships with our customers on their journey to “shift left.” As one of our customers who participated in the creation of this product recently shared:

“If we shift left and bring security to the developers right away, code deployment will have tightened protection. Integrating DevSecOps results into Microsoft Defender for Cloud and having a single pane of glass that shows me what is in production, the code quality, and what is coming into the pipeline so that I don’t need to go into multiple places and reports to scan for code errors is going to be priceless for us.”

James Rajeshvincent, Managing Director Head of Platform Development at Rockefeller Capital Management

Microsoft Defender for Cloud dashboard DevOps overview showcasing vulnerabilities in code.

Proactively prioritize and remediate your most critical risk across multicloud resources

Security teams need to cut through the noise and quickly focus on the most critical issues that have a major business impact. But with multicloud deployments, multiple tools, and a lack of visibility into the threat or business value of each resource, it’s hard to know where to even begin remediation.

Defender CSPM helps businesses save time and focus on what matters with contextual insights and attack path analysis, built on top of the new intelligent cloud security graph. It provides comprehensive visibility with agentless scanning for real-time assessments across multicloud environments. Defender CSPM connects the dots for security teams, integrating insights from cloud workloads as well as signals from Defender for DevOps and Microsoft Defender External Attack Surface Management. Instead of sifting through long lists of vulnerable resources, customers can use the proactive attack path analysis to reduce recommendation noise by up to 99 percent and only focus on the most exploitable vulnerabilities along potential attack paths to begin remediation.
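Attack path analysis, as described here and in the CSPM bullet of the March 2023 post, is what turns a long list of vulnerable resources into a short list of resources that actually sit between the internet and sensitive data. The block below is an added example of that idea on a toy graph; it is not Microsoft's cloud security graph or any Defender CSPM code. Nodes, edges, the exploitability threshold and the placeholder vulnerability labels are all assumptions constructed for the example. Three VMs carry findings, but only two of them lie on a path from an internet-exposed foothold to a sensitive store, and one resource is a choke point on every path.

```python
"""Added illustration (not Microsoft's cloud security graph): attack path analysis
over a small resource graph, used to rank vulnerable resources by whether they
sit on a path from the internet to sensitive data."""
from collections import defaultdict

EXPLOITABLE_CVSS = 7.0   # assumption: only high/critical findings count as a foothold

# Constructed sample graph. Vulnerability labels are placeholders, not real CVE IDs.
NODES = {
    "web-vm-01":   {"kind": "vm", "internet_exposed": True,  "vulns": [("vuln:unauth-rce", 9.8)]},
    "app-vm-02":   {"kind": "vm", "internet_exposed": False, "vulns": [("vuln:priv-esc", 7.8)]},
    "batch-vm-03": {"kind": "vm", "internet_exposed": False, "vulns": [("vuln:info-leak", 4.3)]},
    "mi-web":   {"kind": "identity"},
    "mi-app":   {"kind": "identity"},
    "mi-batch": {"kind": "identity"},
    "customer-data": {"kind": "storage",  "sensitive": True},
    "kv-secrets":    {"kind": "keyvault", "sensitive": True},
}
# (source, target, relation): can_reach = network path, runs_as = attached identity,
# can_access = RBAC grant on the data store.
EDGES = [
    ("web-vm-01", "mi-web", "runs_as"),
    ("mi-web", "customer-data", "can_access"),
    ("web-vm-01", "app-vm-02", "can_reach"),
    ("app-vm-02", "mi-app", "runs_as"),
    ("mi-app", "kv-secrets", "can_access"),
    ("web-vm-01", "batch-vm-03", "can_reach"),
    ("batch-vm-03", "mi-batch", "runs_as"),
    ("mi-batch", "customer-data", "can_access"),
]


def _compromisable(node: dict) -> bool:
    return any(score >= EXPLOITABLE_CVSS for _, score in node.get("vulns", []))


def find_attack_paths(nodes: dict, edges: list) -> list:
    """All simple paths from an exploitable internet-facing node to a sensitive asset."""
    adj = defaultdict(list)
    for src, dst, rel in edges:
        adj[src].append((dst, rel))
    paths = []

    def walk(node, path):
        if nodes[node].get("sensitive"):
            paths.append(path)
            return
        for dst, rel in adj[node]:
            if dst in path:
                continue
            # Lateral movement needs a foothold on the next host; identity and
            # RBAC edges are free once the source is owned.
            if rel == "can_reach" and not _compromisable(nodes[dst]):
                continue
            walk(dst, path + [dst])

    for name, attrs in nodes.items():
        if attrs.get("internet_exposed") and _compromisable(attrs):
            walk(name, ["internet", name])
    return paths


def prioritize(nodes: dict, paths: list) -> list:
    """Vulnerable resources ranked by how many attack paths they sit on."""
    counts = {n: 0 for n, a in nodes.items() if a.get("vulns")}
    for path in paths:
        for n in path:
            if n in counts:
                counts[n] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def choke_points(paths: list) -> set:
    """Intermediate nodes common to every path: fixing one removes them all."""
    if not paths:
        return set()
    return set.intersection(*(set(p[1:-1]) for p in paths))


if __name__ == "__main__":
    found = find_attack_paths(NODES, EDGES)
    for p in found:
        print(" -> ".join(p))
    print("priority:", prioritize(NODES, found))
    print("choke points:", choke_points(found))
```

On the sample graph batch-vm-03 has a finding and an identity that can read customer-data, yet it scores zero: it is reachable only laterally and its finding is below the exploitability threshold, so it never becomes a foothold. web-vm-01 appears on every path, so patching it (or removing its internet exposure) collapses both paths at once, which is the prioritization a posture tool should surface ahead of the raw vulnerability count.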

Security teams also get integrated recommendations from Microsoft Entra Permissions Management, the cloud infrastructure entitlement management (CIEM) solution from Microsoft, to understand the level of risk associated with the number of unused or excessive permissions across identities and resources. Also, the new Microsoft cloud security benchmark provides a standardized framework for fundamental cloud security principles, along with detailed technical guidance, so teams can implement best practices across cloud platforms. Microsoft is the only major cloud provider to offer a comprehensive cloud security benchmark across multiple clouds, now available in Defender for Cloud as a single pane of glass to consistently maintain your security compliance across clouds.
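The CIEM recommendations described above, and the permissions-creep discussion in the CIEM bullet of the March 2023 post, rest on one comparison: what an identity was granted against what it actually exercised in a lookback window. The block below is an added example of that comparison; it is not Entra Permissions Management or any Microsoft code. It uses Azure RBAC-style action strings with wildcards and a constructed activity log, flags unused grants (with a high-risk subset for delete/write verbs, wildcards and secret or key material), flags wildcard grants that were exercised only for a handful of actions, and derives a least-privilege action list from the observed usage. The 90-day window, the risk heuristic and the sample data are assumptions; NotActions and data-plane scopes are ignored for brevity.

```python
"""Added illustration (not Entra Permissions Management): find unused and
over-broad permissions by comparing what an identity was granted with what it
actually exercised in a lookback window, then derive a least-privilege role."""
from fnmatch import fnmatchcase

# Assumption: Azure RBAC-style action strings with '*' wildcards; NotActions and
# data-plane scopes are ignored for brevity.
HIGH_RISK_SUFFIXES = ("/delete", "/write", "/action")
SENSITIVE_SEGMENTS = ("/secrets/", "/keys/")

# Constructed sample data.
GRANTED = {
    "svc-deploy": ["Microsoft.Compute/virtualMachines/read",
                   "Microsoft.Compute/virtualMachines/write",
                   "Microsoft.Storage/storageAccounts/delete",
                   "Microsoft.KeyVault/vaults/secrets/read"],
    "analyst-jane": ["*"],                                   # Owner-style grant
    "app-reader": ["Microsoft.Storage/storageAccounts/read"],
}
ACTIVITY = [  # (identity, action, days_ago) as would be pulled from an activity log
    ("svc-deploy", "Microsoft.Compute/virtualMachines/read", 2),
    ("svc-deploy", "Microsoft.Compute/virtualMachines/write", 5),
    ("svc-deploy", "Microsoft.Storage/storageAccounts/delete", 200),  # outside window
    ("analyst-jane", "Microsoft.Storage/storageAccounts/read", 1),
    ("analyst-jane", "Microsoft.Compute/virtualMachines/read", 30),
    ("app-reader", "Microsoft.Storage/storageAccounts/read", 0),
]


def is_high_risk(pattern: str) -> bool:
    """Wildcards, mutating verbs and secret/key material count as high risk."""
    return ("*" in pattern or pattern.endswith(HIGH_RISK_SUFFIXES)
            or any(seg in pattern for seg in SENSITIVE_SEGMENTS))


def analyze(granted: dict, activity: list, window_days: int = 90) -> dict:
    """Per identity: exercised actions, unused grants, creep score and a right-sized role."""
    used_by = {ident: set() for ident in granted}
    for ident, action, days_ago in activity:
        if days_ago <= window_days and ident in used_by:
            used_by[ident].add(action)
    report = {}
    for ident, patterns in granted.items():
        used = used_by[ident]
        unused, overbroad = [], False
        for p in patterns:
            covered = {a for a in used if fnmatchcase(a, p)}
            if not covered:
                unused.append(p)
            elif "*" in p:
                overbroad = True   # wildcard exercised, but only for a few concrete actions
        high_risk_unused = [p for p in unused if is_high_risk(p)]
        report[ident] = {
            "used": sorted(used),
            "unused": sorted(unused),
            "high_risk_unused": sorted(high_risk_unused),
            "overbroad": overbroad,
            # share of granted entries that are both unused and high risk
            "score": round(len(high_risk_unused) / len(patterns), 2) if patterns else 0.0,
            # least-privilege role: exactly the actions that were exercised
            "recommended": sorted(used),
        }
    return report


if __name__ == "__main__":
    for ident, r in analyze(GRANTED, ACTIVITY).items():
        print(f"{ident}: creep score {r['score']}, overbroad={r['overbroad']}, "
              f"unused high-risk={r['high_risk_unused']}, recommend={r['recommended']}")
```

Two things in the output are worth noticing. svc-deploy did delete a storage account, but 200 days ago, so within the window that permission is reported as unused and high risk; the window length therefore decides how aggressive the right-sizing is and should be chosen per workload (a quarterly job needs a longer window than a CI runner). analyst-jane's Owner-style wildcard is never "unused", because it covers everything she did, which is exactly why a pure unused-permission report misses the biggest risk; the overbroad flag and the recommended two-action role are what close that gap.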

We have a thriving and passionate community of customers using Defender for Cloud to manage security across clouds. I am excited to introduce these new capabilities today and wanted to share an insight from one of our customers, Rabobank:

“It’s difficult to ensure that we have full insights from a security perspective when our platforms are so varied. We wanted protection and visibility everywhere. That’s why we use Defender for Cloud—it gives us single pane of glass visibility across our hybrid and multicloud environment.”

Raoul van der Voort, Global Service Owner, Cyber Defense Center, Rabobank

Attack path analysis, contextual risk insights, and remediation steps in Microsoft Defender for Cloud dashboard view.

Learn more about Microsoft Defender for Cloud

From code to cloud, Microsoft Defender for Cloud is the platform, powered by intelligence, that will help you do more with less. Develop an infinite mindset to cloud security and learn more about the expansion of the security portfolio in Microsoft Defender for Cloud. Get started today with the preview of these new innovations.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] 2021 has broken the record for zero-day hacking attacks, Patrick Howell O’Neill, September 23, 2021.

The post Introducing new Microsoft Defender for Cloud innovations to strengthen cloud-native protections appeared first on Microsoft Security Blog.

3 steps to secure your multicloud and hybrid infrastructure with Azure Arc

March 29th, 2022

As businesses around the world grapple with the growth of an industrialized, organized attacker ecosystem, the need for customers to secure multicloud and hybrid infrastructure and workloads is increasingly urgent.

Today, organizations face an attacker ecosystem that is highly economically motivated to exploit security issues with your multicloud and hybrid workloads, as made evident in the rise in human-operated ransomware, with hackers launching an average of 50 million password attacks every day (579 per second), the rise of web shell attacks [1], and increasing firmware attacks [2]. As with most attack vectors in this evolving threat landscape, prevention and detection are critical.

These threats can present a growing challenge for organizations using a combination of on-premises, hybrid, and multicloud infrastructure and workloads. With this distributed infrastructure, it can be a challenge to protect resources against motivated attackers when security management, policies, and signals are not unified.

Securing your multicloud and hybrid infrastructure in 3 steps

Securing infrastructure is fundamental to the business—for every business. So, what does a solution for multicloud, on-premises, and hybrid infrastructure security look like? A powerful defense must be unified, simplified, and actionable. It must make it easier to enable digital transformation and not slow progress in this crucial area. For businesses who need to secure multicloud, on-premises, and hybrid infrastructure, an increased security stance can start with three simple steps:

  1. Connecting your hybrid infrastructure to Azure Arc.
  2. Enhancing security for your Azure Arc-connected hybrid infrastructure using Microsoft Defender for Cloud.
  3. Further enhancing the security of on-premises workloads with Secured-core for Azure Stack HCI.

1. Connect your on-premises and hybrid infrastructure to Microsoft security services using Azure Arc

Many organizations today are challenged with the growing complexity of securing their infrastructure with disparate tools across multicloud, hybrid, and edge environments. To begin securing these assets, you can use Azure Arc to connect your resources to Microsoft Azure from wherever they are deployed, making them addressable by Azure security services and enabling you to manage them from a single pane of glass in Azure Resource Manager. Azure Arc extends the control plane to these resources so that they can be managed and secured centrally with tools including our cloud extended detection and response (XDR) solution, Microsoft Defender for Cloud, or the secure key management tool, Azure Key Vault.

“When you see how Azure security and compliance features benefit your on-premises infrastructure, it helps put your mind at ease regarding the capabilities and benefits of the cloud. It also makes you a harder target for would-be attackers, and that’s what we’re hoping to achieve.”—Lody Mustamu, Manager of Marketing and Sales, ASAPCLOUD.

Read more about ASAPCLOUD's story here.

2. Secure your Azure Arc-enabled infrastructure using Microsoft Defender for Cloud

Once these distributed multicloud and hybrid environments are connected through Azure Arc, Microsoft Defender for Cloud enables you to find weak spots across your configuration, helps strengthen the overall security posture, and can help you meet any relevant compliance requirements for your resources across Azure, Amazon Web Services (AWS), and Google Cloud Platform (GCP).

While prevention is critical, at the same time, the increasing sophistication of attacks requires that organizations have a comprehensive threat protection strategy in place. Microsoft Defender for Cloud provides vulnerability assessment with insights from industry-leading security research and provides advanced threat protection for a broad range of workloads across cloud and on-premises including virtual machines, containers, databases, storage, and more.

“The choice made sense to us because Microsoft Defender connects so tightly and automatically to Azure Arc,” says Iñigo Martinez Lasala, Director of Technology and Systems at Prosegur. “There are other tools out there, but Microsoft Defender provides additional functionality that other tools don’t have, such as establishing rules of compliance, hardening servers, and launching scripts to fix server issues.” 

Read more about Prosegur's story here.

Get started by enabling Microsoft Defender for Cloud for your Azure subscriptions and easily onboard other environments to understand your current security posture. You can then enable the enhanced features to protect and manage the security of all relevant workloads across your cloud and on-premises environments from a central place, all connected through Azure Arc.

Microsoft Defender for Cloud dashboard featuring the security posture chart, Firewall Manager, regulatory compliance status, and workload protections.

Figure 1. Protect your workloads with Microsoft Defender for Cloud.

3. Further secure your on-premises and hybrid infrastructure using Secured-core for Azure Stack HCI

As security threats continue to become more sophisticated, they are moving lower in the stack to the operating system, firmware, and hardware level, so there is a growing need for additional security at these lower levels. One way to gain additional protection against these attacks is an integrated solution called Secured-core, now available for Azure Stack HCI. Secured-core servers provide out-of-box safeguards with enhanced protections. For example, Secured-core servers help stop attacks in the event of a successful web application compromise with features like virtualization-based security (VBS) and hypervisor-based code integrity (HVCI). Credential protection in Azure Stack HCI helps mitigate the common attack of credential theft by using VBS to isolate credentials in their own virtual machine, a feature that is on by default in Secured-core servers. These features help prevent what could otherwise be a much larger breach.

Secured-core servers have three focused pillars:

  1. Protect with a hardware root of trust: Trusted platform modules (TPMs) ensure that even firmware malware cannot tamper with the hardware's record of what firmware ran on the device.
  2. Defend against firmware-level attacks: System Guard-secured VBS protects the system by not relying on firmware for trust.
  3. Prevent access to unverified code: HVCI protects against both known vulnerable drivers and entire classes of problems.

All these capabilities built into Secured-core servers ensure that your servers are protected out-of-box, giving you confidence in your hardware. And managing the status and configuration of Secured-core servers is easy from the browser-based Windows Admin Center for both Windows Server and Azure Stack HCI solutions.
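A readiness check for the three pillars above, written as an added example (not code from the post, from Microsoft, or from Windows Admin Center): it reads the TPM, UEFI Secure Boot and Device Guard state that Windows exposes through Get-Tpm, Confirm-SecureBootUEFI and the Win32_DeviceGuard class, and maps each pillar to the values it depends on. It assumes an elevated session on Windows Server or Azure Stack HCI, and it does not verify the System Guard (DRTM) launch state, which Windows Admin Center reports separately.

```powershell
# Added example: check one host against the three Secured-core pillars above.
# Run in an elevated PowerShell session on Windows Server / Azure Stack HCI.
# Constructed here; not Microsoft's or Windows Admin Center's own check.

function Get-SecuredCoreStatus {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Pillar 1: hardware root of trust. A present, ready TPM anchors the
    # measured-boot log that firmware malware cannot rewrite.
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = [bool]$tpm.TpmPresent
        $result.TpmReady   = [bool]$tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # UEFI Secure Boot must be on for the firmware-level protections to hold.
    # Confirm-SecureBootUEFI throws on legacy BIOS hosts, so treat that as "off".
    try {
        $result.SecureBoot = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result.SecureBoot = $false
    }

    # Pillars 2 and 3: VBS state and the services running inside it.
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = running;
    # SecurityServicesRunning contains 1 for Credential Guard and 2 for HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($null -ne $dg) {
        $running = @($dg.SecurityServicesRunning)
        $result.VbsRunning      = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        $result.CredentialGuard = ($running -contains 1)
        $result.Hvci            = ($running -contains 2)
    } else {
        $result.VbsRunning      = $false
        $result.CredentialGuard = $false
        $result.Hvci            = $false
    }

    # Map the raw checks onto the three pillars so any gap is obvious.
    $result.Pillar1_HardwareRootOfTrust   = $result.TpmPresent -and $result.TpmReady
    $result.Pillar2_FirmwareAttackDefense = $result.SecureBoot -and $result.VbsRunning
    $result.Pillar3_UnverifiedCodeBlocked = $result.Hvci
    $result.SecuredCoreReady = $result.Pillar1_HardwareRootOfTrust -and $result.Pillar2_FirmwareAttackDefense -and $result.Pillar3_UnverifiedCodeBlocked -and $result.CredentialGuard

    [pscustomobject]$result
}

# Example use: run on each node and flag the ones that still need remediation.
$status = Get-SecuredCoreStatus
$status | Format-List
if (-not $status.SecuredCoreReady) {
    Write-Warning "This host does not yet meet all Secured-core pillars; see the False entries above."
}
```

Run it across a cluster with Invoke-Command to get the same per-node view the Windows Admin Center Secured-core blade shows, with each False entry pointing at the pillar that still needs attention.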

Windows Admin Center Security tab showing the Secured-core blade with green check marks next to "2 of 2 clustered nodes meet the requirements for Secured-core Server," as well as green check marks indicating positive status on the list of security features.

Figure 2. Secured-core server cluster management in Windows Admin Center.

“To help our customers remain secure and accelerate their business outcomes, Hewlett Packard Enterprise (HPE) is excited to release the new Gen 10 Plus (v2) products for Azure Stack HCI 21H2 and Windows Server 2022 which can be delivered with the HPE GreenLake edge-to-cloud platform,” said Keith White, Senior Vice President and General Manager, GreenLake Cloud Services Commercial Business. “These offer unprecedented host protection by combining HPE’s security technologies with Secured-core server functionalities for a secure, hybrid implementation.”

Take steps today to secure your on-premises and hybrid infrastructure

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1. Web shell attacks continue to rise, Detection and Response Team (DART), Microsoft 365 Defender Research Team, Microsoft Security. February 11, 2021.

2. New Security Signals study shows firmware attacks on the rise; here's how Microsoft is working to help eliminate this entire class of threats, Microsoft Security Team, Microsoft Security. March 30, 2021.

The post 3 steps to secure your multicloud and hybrid infrastructure with Azure Arc appeared first on Microsoft Security Blog.

How Microsoft Defender for IoT can secure your IoT devices

November 2nd, 2021 No comments

Cybersecurity threats are always evolving, and today we’re seeing a new wave of advanced attacks specifically targeting IoT devices used in enterprise environments as well as operational technology (OT) devices used in industrial systems and critical infrastructure (like ICS/SCADA). It’s not surprising since 60 percent of security practitioners believe IoT and OT security is one of the least secured aspects of their organization and less than 50 percent of organizations have deployed solutions designed specifically to secure their IoT and OT devices. Customers recognize that these types of devices are often unpatched, misconfigured, and unmonitored, making them the ideal targets for attackers.

To address these risks, we’re excited to announce Microsoft Defender for IoT, formerly Azure Defender for IoT, is adding agentless monitoring capabilities to secure enterprise IoT devices connected to IT networks [like Voice over Internet Protocol (VoIP), printers, and smart TVs], so organizations can take advantage of a single integrated solution that can secure all of their IoT and OT infrastructure. Access to the public preview of these new capabilities will be available on November 30, 2021.

Threats and customer challenges

In the past, attacks on IoT and OT devices seemed like a hypothetical threat to many organizations, but in recent years organizations have learned otherwise. We've seen attacks on cameras and VoIP devices,1 smart building automation,2 and IoT service providers, and then there have been ransomware attacks, like the ones that shut down a major gas pipeline3 and a global food processor. All of these highlight the challenge of securing IoT and OT devices.

There are many ways attackers will attempt to compromise and take advantage of enterprise IoT devices. They can be used as a point of entry, for lateral movement, or for evasion, to name a few examples. The following chart depicts a cyber kill chain involving two IoT devices. One is used as a point of entry, and another is used for lateral movement that ultimately leads to the exfiltration of sensitive information.

Within seconds, attackers can find exploitable IoT targets that can become a point of entry into a business network. Once inside, they can find sensitive information within minutes. Within hours, valuable data can be exfiltrated and put up for sale on the dark web.

Figure 1: Attackers scan the internet for vulnerable internet-facing IoT devices and then use them as a point of entry. Next, they will perform reconnaissance and lateral movement to achieve their goals.

While most organizations recognize IoT and OT security as the least secured aspects of their organization, they continue to deploy devices at high rates and with little hesitation due to the demand for digital transformation and to remain competitive. Due to this, Chief Information Security Officers will soon be responsible for an attack surface area that is many times larger than what they are used to today and a vast majority of that new surface area will be unmanaged IoT and OT devices.

When it comes to IoT and OT security, organizations face a long list of challenges. Some of the top challenges include:

  • Lack of complete visibility into their full IoT and OT asset inventory.
  • Lack of detailed IoT and OT vulnerability management capabilities.
  • Lack of mature detections for IoT and OT-specific attacks.
  • Lack of the insights and automation that an integrated SIEM and extended detection and response solution can bring.

Because of these threats and challenges, security and risk leaders ranked the IoT and cyber-physical systems as their top concerns for the next three to five years.4

Microsoft Defender for IoT is part of the Microsoft SIEM and XDR offering

We recognize that IoT is just one of the security inputs in a comprehensive threat protection strategy. For that reason, adding agentless enterprise IoT support to Microsoft Defender for IoT and making it part of our broader SIEM and XDR offer enables us to deliver comprehensive security for all your endpoint types, applications, identities, and more. Customers will now be able to get the same types of vulnerability management, threat detection, response, and other capabilities for enterprise IoT devices that were previously only available for managed endpoints and OT devices. With it, organizations get the visibility and insights they need to address complex multi-stage attacks that specifically take advantage of IoT and OT devices to achieve their goals. Learn more about Microsoft 365 Defender, Microsoft Defender for Cloud, and Microsoft Sentinel.

Our customers tell us that the biggest challenge they face when it comes to securing enterprise IoT devices is gaining enough visibility to locate, identify, and secure their complete IoT asset inventory. Defender for IoT takes a unique approach to solve this challenge and can help you discover and secure your IoT devices within Microsoft 365 Defender environments in minutes. We’ll share more about our unique approach in the passive, agentless architecture section below.

The Defender for IoT console in Azure provides users with access to the IoT and OT Device Inventory, Alerts, and Security Recommendations. The Device Inventory view lists devices with their top details; selecting a device shows more detailed device properties.

Figure 2: View your complete IT and IoT inventory alongside the rest of your IT devices (workstations, servers, and mobile) within a single unified view.

The second biggest challenge our customers face is related to vulnerability management. Defender for IoT can perform assessments for all your enterprise IoT devices. These recommendations are surfaced in the Microsoft 365 console (for example, Update to a newer version of Bash for Linux).

The Security Recommendations view in the Microsoft 365 Defender console includes recommendations for enterprise IoT devices; a recommendation such as upgrading IoT device firmware to a more secure version is a common example. The view shows how many devices each recommendation applies to, as well as the risk level.

Figure 3: Prioritize vulnerabilities and misconfigurations and use integrated workflows to bring devices into a more secure state.

The third biggest challenge we hear about is related to threat detection. To ensure we have leading-edge efficacy for enterprise IoT threats, we've tasked Section 52, our in-house IoT and OT security research team, with ensuring we have the best possible detection capabilities. Section 52's work recently enabled Defender for IoT to rank number 1 in threat visibility coverage in the MITRE ATT&CK for ICS evaluation, successfully detecting malicious activity for 100 percent of major attack steps and 96 percent of all adversary sub-steps (with the fewest missed detections of any vendor).

Defender for IoT customers benefit from the machine learning and threat intelligence obtained from trillions of signals collected daily across the global Microsoft ecosystem (like email, endpoints, cloud, Azure Active Directory, and Microsoft 365), augmented by IoT and OT-specific intelligence collected by our Section 52 security research team. Because Section 52 works in close collaboration with domain experts across the broader Microsoft security research and threat intelligence teams, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC), we enable our customers to improve the alert signal-to-noise ratio by providing them with prioritized incidents that render end-to-end attacks in complete context rather than an endless list of uncorrelated alerts. This leads to high-efficacy incident response.

Incidents in the Incident view of the Microsoft 365 Defender console cover all endpoint types, including workstations, servers, mobile, and network devices. With the new version of Microsoft Defender for IoT, these same incidents will also include enterprise IoT devices when applicable.

Figure 4: View prioritized incidents that are inclusive of IT and IoT devices all in a single dashboard to reduce confusion, clutter, investigation times, and alert fatigue.

Finally, one of the last things our customers have shared is that they struggle with finding solutions that will enable them to securely meet the promise of IT and OT network convergence initiatives.5 Most tools have difficulty providing analysts with a user experience that can correlate and render multi-stage attacks that cross IT and OT network boundaries.

Because Microsoft Defender for IoT is part of the broader Microsoft SIEM and XDR offer, we can provide analysts with the automation and visualization tools they need to address attacks crossing IT and OT network boundaries. Analysts can perform incident response holistically rather than as separate disconnected attacks that require extensive manual investigations to bring together. With these efficiency gains, analysts can stop attacks and bring their environments back to a pre-breach state far more quickly.

Incident views in Microsoft Sentinel can include endpoints of all types, including IoT and OT, as well as those that span multiple networks and network segments. All of these endpoints are rendered in a single contiguous incident graph so you can easily visualize the end-to-end attack.

Figure 5: Deep contextual telemetry (like asset and connection details) combined with threat intelligence (like analytics rules, SOAR playbooks, and dashboards) from Section 52 helps analysts perform high-efficiency incident response.

Passive, agentless architecture

Some of the key design principles for Defender for IoT are to be non-invasive and to be easy to deploy. By using the existing Microsoft Defender for Endpoint clients, which are often deployed pervasively across an organization’s infrastructure, we can provide immediate device discovery with no additional deployment or configuration required. For the most complete view of your IoT and OT devices and specifically for network segments where Defender for Endpoint sensors are not present, Defender for IoT includes a deployable network sensor that can be used to collect all of the network data it needs for discovery, behavioral analytics, and machine learning.

Defender for IoT can leverage a diverse set of data sources to simplify its deployment. Existing Defender for Endpoint customers can get value from Defender for IoT within minutes, as MDE clients can be used as network sensors. A dedicated network sensor can be deployed to ensure you get the most complete visibility. Supported third-party network sensors can be used as well.

Figure 6: A hybrid sensor approach using Defender for Endpoint clients as sensors provides customers with broad visibility on day one. Deploying the network sensor, or using one from a third party, ensures complete visibility and can be done over time.

Microsoft Defender for IoT is an open platform that allows customers to integrate third-party network data to enrich the information coming from multiple sources. For example, organizations that have already deployed Corelight's open Network Detection and Response (NDR) platform and its Zeek-based network sensors can connect it to Defender for IoT, enabling it to access raw network data from Corelight. From there, Defender for IoT applies its behavioral analytics and machine learning capabilities to discover and classify devices as well as to protect, detect, and respond to attacks.

Learn more about our Corelight partnership and its integration within Microsoft Defender for IoT.

Get ready for the upcoming public preview!

While we're excited to share all this news with you today, we're even more excited to hear your feedback. Please join the new Microsoft Defender for IoT public preview, which will be available on November 30, 2021. In the first build of the preview, you will have access to five main capabilities:

  • An integrated view of IoT and OT Device Inventory available in the Azure console.
  • Microsoft Defender for Endpoint clients will act as IoT network sensors and will add devices to Microsoft 365 Defender Device Inventory.
  • An integrated IoT and OT Network Sensor will be available for deployment.
  • IoT Threat and Vulnerability Assessments will be available in the Microsoft 365 Defender console.
  • Support for third-party network sensors.

Additional new capabilities are expected to be released soon, including richer security recommendations, detections, and responses.

More details on the upcoming public preview and roadmap can be viewed in our Ignite session.

Screen view of YouTube video "Accelerate digital transformation by securing your Enterprise IoT devices with Microsoft Defender for IoT."

More information on the current release of Microsoft Defender for IoT (formerly Azure Defender for IoT) which offers OT security can be found in the following resources:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

1. Microsoft: Russian state hackers are using IoT devices to breach enterprise networks, Catalin Cimpanu, ZDNet. 5 August 2019.

2. Hackers are hijacking smart building access systems to launch DDoS attacks, Catalin Cimpanu, ZDNet. 2 February 2020.

3. Hackers Breached Colonial Pipeline Using Compromised Password, William Turton, Kartikay Mehrotra, Bloomberg. 4 June 2021.

4. Develop a Security Strategy for Cyber-Physical Systems, Susan Moore, Gartner. 13 April 2021.

5. When IT and Operational Technology Converge, Christy Pettey, Gartner. 13 January 2017.

The post How Microsoft Defender for IoT can secure your IoT devices appeared first on Microsoft Security Blog.