As public cloud platforms continue to mature, new security tools and services emerge. The Microsoft Azure Security Center, for example, is a service within the Azure platform that helps users prevent, detect and respond to security threats for all cloud resources.
Microsoft Azure Security Center provides a number of preventative controls out of the box. It monitors the security state of all Azure resources, whether those are virtual machines (VMs) or managed platform-as-a-service (PaaS) offerings such as Azure App Service.
Security policies check for risks such as OS vulnerabilities and missing updates, absent endpoint protection, weak network security group (NSG) configurations and unencrypted disks, and then generate recommendations for corrective action. Users can also deploy partner services, such as virtual security appliances, from within Security Center.
Threat detection is driven by analytics systems within Azure, including machine learning and behavioral analysis, and accounts for the fact that every environment is different. Over time, Security Center's threat detection builds a picture of each user's normal usage patterns and bases its alerts and recommendations on that prior activity.
In addition, users can collect and analyze security data from Azure resources and tap into external sources, such as the Microsoft Security Response Center, to identify vulnerabilities and security issues.
Incident response in Microsoft Azure Security Center provides a number of capabilities, including prioritized alerts that users can take action on or dismiss. The service identifies attacks on your resources, and offers insights into the source of those attacks, as well as suggestions to mitigate them.
One common example is Remote Desktop Protocol (RDP) attacks on Windows servers. When a network security group allows that protocol (TCP port 3389) from any source, it's not uncommon to see a large number of attacks against the service. Security Center identifies this exposure and provides guidance on securing the NSG with inbound rules that restrict RDP access to trusted source addresses.
Microsoft Azure Security Center offers a free tier that can be used with any Azure subscription. There is also a standard tier that adds advanced threat detection. Users can try the standard tier on a 90-day free trial; after that, it currently runs $15 per node each month. At this time, nodes map only to Azure VMs, which means you pay $15 per VM. Monitoring for other services, such as SQL databases and Azure Cloud Services, is currently included, but Microsoft may count those as distinct billable resources down the road.
Also note that Microsoft Azure Security Center stores security data from protected nodes in Azure storage, and those storage costs are not included within the per-node price. This is true during the free trial as well.
How to get started
The Microsoft Azure Security Center is available to all Azure users. You can find it by clicking on More Services in the Azure portal and scrolling through the list of services. You may find it easier to do a search, as shown in Figure 1.
From there, you’ll be able to manage security policies, view alerts and recommendations, and deploy services built by Microsoft partners.
After navigating to the Microsoft Azure Security Center, click on Overview. This will give you a good idea of the issues you need to address within your Azure account. For example, in Figure 2, there are two resources with issues. One is a VM, and the other is a virtual network. There are also five recommendations on securing Azure resources.
Users can configure policies for both Azure subscriptions and individual resource groups. Policies include a number of settings, including whether or not to collect data from VMs for analysis, where to send email notifications and which pricing tier to use.
Figure 3 shows the security policy for a resource group called MyServers. The settings in this policy are currently inherited from the parent policy at the subscription level. Users can disable inheritance and configure custom policy settings if needed. Separate policies are useful for the different environments that run under your account, such as development and production deployments.
To see which security settings the system will use to make recommendations, users can drill into the prevention policy, as shown in Figure 4. To receive recommendations for system updates, OS vulnerabilities or endpoint protection, enable the data collection option on the policy.
Data collection installs an agent on each VM the policy applies to. Users don't need to install anything manually; the agent is deployed automatically after VMs are launched, though it may take a little time to appear.
Within the Prevention section of the Security Center, you can navigate to Recommendations. This gives users a list of open and resolved issues, classified by severity. You can also choose to dismiss recommendations if they don’t make sense for your particular scenario.
Figure 5 shows a common recommendation, classified as medium severity. In this case, the network security group contains an inbound rule that permits any source on the internet to reach RDP (TCP port 3389). Click the Edit button at the top of the recommendation screen to open the inbound security rules and correct the issue, typically by limiting the rule's source address prefix to the administrators' own network.
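The RDP exposure discussed above (both in the incident response overview and in the Figure 5 recommendation) can be checked offline against an exported NSG before Security Center ever raises it. The following script is an added example, not code from the article or from Microsoft. It assumes the rule layout of an Azure Resource Manager NSG export (a `securityRules` list with `priority`, `direction`, `access`, `protocol`, `sourceAddressPrefix` and `destinationPortRange`), and the sample NSG embedded in it is constructed for illustration. It evaluates rules the way the platform does (lowest priority number first, first match wins, platform default `DenyAllInBound` if nothing matches), reports Allow rules that open TCP 3389 to any source, and produces the corrected rule with the source limited to one CIDR.

```python
"""Audit an exported Azure NSG for RDP (TCP 3389) reachable from any internet source.

Added example, not part of the original article. Field names follow the ARM NSG
export layout; SAMPLE_NSG below is constructed, not a real export.
"""
import copy
import json

RDP_PORT = 3389
# Source prefixes that let any host on the internet reach the port.
ANY_SOURCE = {"*", "internet", "0.0.0.0/0", "0.0.0.0"}

# Constructed sample: the weak rule Security Center flags (RDP from any source)
# next to an HTTPS rule that is intentionally public.
SAMPLE_NSG = {
    "name": "MyServers-nsg",
    "securityRules": [
        {"name": "default-allow-rdp", "priority": 1000, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
         "destinationPortRange": "3389"},
        {"name": "allow-https", "priority": 1010, "direction": "Inbound",
         "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
         "destinationPortRange": "443"},
    ],
}


def port_in_range(port_range, port):
    """True if an NSG destinationPortRange ('*', '3389' or '3000-4000') includes port."""
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def rule_matches(rule, port, protocol):
    """Would this inbound rule match a packet from an arbitrary internet host?"""
    return (
        rule["direction"].lower() == "inbound"
        and rule["protocol"].lower() in ("*", protocol.lower())
        and rule["sourceAddressPrefix"].lower() in ANY_SOURCE
        and port_in_range(rule["destinationPortRange"], port)
    )


def effective_access(nsg, port, protocol="Tcp"):
    """First matching rule wins, lowest priority number first. With no match the
    platform default rule DenyAllInBound (priority 65500) applies."""
    for rule in sorted(nsg["securityRules"], key=lambda r: r["priority"]):
        if rule_matches(rule, port, protocol):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"


def exposed_rdp_rules(nsg):
    """Names of Allow rules that open RDP to any source, i.e. what the
    medium-severity recommendation in Figure 5 points at. A higher-priority Deny
    rule can shadow these; effective_access() tells you whether it does."""
    return [
        r["name"]
        for r in sorted(nsg["securityRules"], key=lambda r: r["priority"])
        if r["access"].lower() == "allow" and rule_matches(r, RDP_PORT, "Tcp")
    ]


def restrict_source(nsg, rule_name, source_cidr):
    """Return a copy of the NSG with the named rule's source limited to one CIDR,
    the same fix the Edit button on the recommendation leads to."""
    fixed = copy.deepcopy(nsg)
    for rule in fixed["securityRules"]:
        if rule["name"] == rule_name:
            rule["sourceAddressPrefix"] = source_cidr
            break
    else:
        raise KeyError(f"no rule named {rule_name!r}")
    return fixed


if __name__ == "__main__":
    access, rule = effective_access(SAMPLE_NSG, RDP_PORT)
    print(f"RDP from the internet: {access} via {rule}")
    for name in exposed_rdp_rules(SAMPLE_NSG):
        print(f"  exposed by rule: {name}")
    # 203.0.113.0/24 is a documentation range standing in for an admin network.
    fixed = restrict_source(SAMPLE_NSG, "default-allow-rdp", "203.0.113.0/24")
    print(json.dumps(fixed["securityRules"][0], indent=2))
    print("after fix:", effective_access(fixed, RDP_PORT))
```

Run it against a real export (for example, the JSON that the Azure CLI or PowerShell returns for an NSG) by replacing `SAMPLE_NSG`. Note that the script treats only `*`, `Internet` and `0.0.0.0/0` as "any source"; a rule scoped to a specific CIDR is assumed not to match an arbitrary internet host, which is exactly the property the corrected rule relies on.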