By Florin Bodnarescu and Azure Security News
Having split its Ignite event into two separate parts, Microsoft is now well into part two and is highlighting the security-focused enhancements it has made across its services. To make it clear which features are generally available and which are still in preview, this post is split into two sections accordingly.
Security solutions now generally available
Under the general availability banner, it is prudent to start with the Azure Security Center and Azure Defender enhancements: EDR (endpoint detection and response) support, better security alerting thanks to integration with Azure Resource Graph and Azure Sentinel, Azure Firewall status surfaced on the Security Center dashboard through Firewall Manager integration, and more.
Speaking of EDR support, Windows Server 2019 now has it too, via Microsoft Defender for Endpoint, which is included in Azure Defender for servers.
Azure Sentinel, the Redmond giant’s SIEM (security information and event management) tool, is also worth mentioning: its integration with Microsoft’s extended detection and response (XDR) products has been expanded.
Microsoft has also put together new SOAR (security orchestration, automation and response) playbooks so that admins can build automation rules that block suspicious IP addresses via Azure Firewall, isolate devices with Intune, or update a user’s risk state in Azure Active Directory Identity Protection.
In addition, there are now more than 30 new built-in data connectors for data collection, including ones for Dynamics 365, Salesforce Service Cloud, VMware, and Cisco Umbrella.
There is also Attack Simulation Training, a component of Microsoft Defender for Office 365 that runs simulated phishing campaigns and follow-up training so that organizations can detect, prioritize, and mitigate the risk phishing poses to their users. The tool entered public preview in September 2020 and has been generally available since January 6, 2021.
Security solutions in preview
To start off this section, we will spotlight the Key Vault and confidential computing updates from Ignite. Among them is Azure Key Vault Managed HSM, a single-tenant, highly available hardware security module service built on FIPS 140-2 Level 3 validated HSMs. It is available now in preview.
Also in preview is Always Encrypted with secure enclaves for Azure SQL Database and SQL Server 2019, which lets the database engine process encrypted column data inside a protected memory region (a secure enclave) on the server, alongside Trusted Launch, a capability available for both confidential and non-confidential VMs that protects against bootkits, rootkits, and kernel-level malware.
Also in public preview are shared incidents, a shared schema, and shared user experiences between Microsoft 365 Defender and Azure Sentinel, along with new Azure Sentinel connectors for Azure Storage, Azure SQL, Azure Kubernetes Service, and Azure Key Vault.
Azure Security Center has new previews of its own, including new reporting capabilities: admins can use the out-of-the-box reports or build custom ones with Azure Monitor Workbooks.
Another item to spotlight is Edge Secured-core (now in public preview), a new device label within the Azure Certified Device program. It is what it sounds like: a label confirming that an edge device meets a defined set of security requirements.
Secured-core was previously announced for enterprise Windows devices only; it now covers IoT devices too. Whether a device carries the label can be checked in the Azure Certified Device catalog, and to be certified an IoT device must have Azure Defender for IoT built in.
Secured-core capabilities also come to Windows Server 2022 (now in preview), alongside secured connectivity (AES-256 encryption for SMB), improved hybrid server management, support for virtualized time zones, IPv6 support for globally scalable apps, containerization tools for .NET, ASP.NET, and IIS apps, and much more.
Moving from Server to Defender, Microsoft 365 Defender gains enhanced XDR (extended detection and response) capabilities, in preview, including unified alerts, automated analysis, a new email entity page for extended email alert handling, and a new Learning Hub for instructional resources.
As in the previous section, it is worth highlighting another solution that has been in preview for a while: Threat Analytics, a set of reports from Microsoft’s security researchers that helps organizations understand and mitigate active threats, such as the previously disclosed Solorigate attack. Previously only available in Defender for Endpoint, the report set is now active inside Microsoft 365 Defender, where it has been in preview since January 31.