Implement Microsoft Defender for Cloud


Microsoft Defender for Cloud is a solution for cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across your cloud configuration, helps strengthen the overall security posture of your environment, and can protect workloads across multicloud and hybrid environments from evolving threats.


Defender for Cloud fills three vital needs as you manage the security of your resources and workloads in the cloud and on-premises:

Diagram showing Microsoft Defender for Cloud fills three vital needs.

  • Defender for Cloud secure score continually assesses your security posture so you can track new security opportunities and precisely report on the progress of your security efforts.
  • Defender for Cloud recommendations secure your workloads with step-by-step actions that protect them from known security risks.
  • Defender for Cloud alerts defend your workloads in real time so you can react immediately and prevent security events from developing.
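The secure score above is a ratio of earned to available points across security controls: each control is worth a fixed maximum, it earns those points in proportion to the share of its resources that are healthy, and the overall score is the sum of earned points over the sum of available points. The following added example (not code from the page or from the Defender for Cloud service) implements that rule so you can see which control a given remediation effort moves the needle on. The control names and maximum points mirror the built-in controls; the healthy/unhealthy resource counts are constructed for the example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SecurityControl:
    """One secure score security control with its resource health counts."""
    name: str
    max_score: float   # points the control is worth when every resource in it is healthy
    healthy: int       # resources that satisfy every recommendation in the control
    unhealthy: int     # resources failing at least one recommendation in the control

    @property
    def total(self) -> int:
        return self.healthy + self.unhealthy

    @property
    def current_score(self) -> float:
        # Secure score rule: a control earns its points in proportion to the
        # share of its resources that are healthy, rounded to two decimals.
        if self.total == 0:
            return 0.0
        return round(self.max_score * self.healthy / self.total, 2)

    @property
    def potential_increase(self) -> float:
        """Points still on the table if every resource in the control were fixed."""
        return round(self.max_score - self.current_score, 2)


# Constructed sample: control names and max points mirror real secure score
# controls, the resource counts are invented for the example.
SAMPLE_CONTROLS = (
    SecurityControl("Enable MFA", 10, healthy=3, unhealthy=1),
    SecurityControl("Secure management ports", 8, healthy=2, unhealthy=6),
    SecurityControl("Apply system updates", 6, healthy=9, unhealthy=3),
    SecurityControl("Remediate vulnerabilities", 6, healthy=0, unhealthy=12),
)


def secure_score(controls) -> float:
    """Overall secure score as a percentage: earned points over available points.

    Controls with no applicable resources are left out of both sums, so they
    neither raise nor lower the score.
    """
    applicable = [c for c in controls if c.total > 0]
    available = sum(c.max_score for c in applicable)
    if available == 0:
        return 0.0
    earned = sum(c.current_score for c in applicable)
    return round(100 * earned / available, 2)


def prioritize(controls):
    """Order controls by how many points remediating them fully would add."""
    return sorted(controls, key=lambda c: (-c.potential_increase, c.name))


def score_after_remediation(controls, control_name: str, fixed: int) -> float:
    """What-if: the score once `fixed` unhealthy resources in one control are remediated."""
    updated = []
    for c in controls:
        if c.name == control_name:
            n = min(fixed, c.unhealthy)
            c = replace(c, healthy=c.healthy + n, unhealthy=c.unhealthy - n)
        updated.append(c)
    return secure_score(updated)


if __name__ == "__main__":
    print(f"secure score: {secure_score(SAMPLE_CONTROLS)}%")
    for c in prioritize(SAMPLE_CONTROLS):
        print(f"  {c.name:28} {c.current_score:>5}/{c.max_score:<4} +{c.potential_increase} available")
    print("after closing 6 management ports:",
          score_after_remediation(SAMPLE_CONTROLS, "Secure management ports", 6), "%")
```

The what-if function is the part worth keeping: two controls with the same points outstanding can need very different amounts of work (closing six management ports versus patching twelve vulnerable hosts), so rank by points per remediated resource, not by outstanding points alone.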

Strengthen the security posture of your cloud resources

  • Get a continuous assessment of the security of your cloud resources running in Azure, AWS, and Google Cloud.
  • Use built-in policies and prioritized recommendations that are aligned to key industry and regulatory standards or build custom requirements that meet your organization's needs.
  • Gather actionable insights by discovering your complete digital footprint and external attack surface signals. Use the insights to automate recommendations and help ensure that resources are configured securely and meet your compliance needs.

Protect cloud and hybrid workloads against threats

Microsoft Defender for Cloud enables you to protect against evolving threats across multicloud and hybrid environments. You'll be able to understand vulnerabilities with insights from industry-leading security research and secure your critical workloads across VMs, containers, databases, storage, app services, and more. Use many options to automate and streamline your security administration from a single place.

Screenshot showing Microsoft Defender for Cloud overview page.

Protect your resources and track your security progress

Microsoft Defender for Cloud's features cover the two broad pillars of cloud security:

  • Cloud Security Posture Management (CSPM) - Find and remediate misconfigurations and track your security posture as it improves
  • Cloud Workload Protection (CWP) - Detect and respond to threats against the specific workload types you run (servers, containers, databases, storage, app services, and more)

Protect all of your resources under one roof

Because Defender for Cloud is an Azure-native service, many Azure services are monitored and protected without needing any deployment. You can also add resources that are on-premises or in other public clouds.

When necessary, Defender for Cloud can automatically deploy an agent to gather security-related data. For Azure machines, deployment is handled directly. For hybrid and multicloud environments, Microsoft Defender plans are extended to non-Azure machines with the help of Azure Arc. Cloud Security Posture Management (CSPM) features are extended to multicloud machines without the need for any agents. Note that the Log Analytics agent this module originally referred to has since been retired; current Defender for Servers deployments rely on the integrated Defender for Endpoint sensor and agentless scanning instead, so treat any agent-specific guidance as historical.

Defend your Azure-native resources

Defender for Cloud helps you detect threats across:

  • Azure Platform as a Service (PaaS) services - Detect threats targeting Azure services, including Azure App Service, Azure SQL, Azure Storage Account, and more data services. You can also perform anomaly detection on your Azure activity logs using the native integration with Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security).
  • Azure data services - Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services and recommendations for how to mitigate them.
  • Networks - Defender for Cloud helps you limit exposure to brute force attacks by keeping virtual machine management ports closed by default and opening them only on request with just-in-time (JIT) VM access (available with Defender for Servers Plan 2). You can harden your network by preventing unnecessary access. A JIT policy defines, per port, which users may request access, which source IP addresses or ranges are allowed, and the maximum time a request can stay open.
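To make the JIT access model concrete, here is an added example (not code from the page or from the Defender for Cloud service) that evaluates an access request against a policy. The policy dictionary is constructed for the example, with field names modelled on the port entries of a JIT network access policy (port number, protocol, allowed source prefixes, and an ISO 8601 maximum duration); the IP addresses are documentation ranges. A grant produces a temporary allow rule scoped to one port, the requesting host only, and an expiry; everything else stays closed.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample policy. The field names follow the port entries of a JIT
# network access policy; the addresses are documentation ranges, not real ones.
JIT_POLICY = {
    "ports": [
        {"number": 22, "protocol": "TCP",
         "allowedSourceAddressPrefixes": ["203.0.113.0/24"],
         "maxRequestAccessDuration": "PT3H"},
        {"number": 3389, "protocol": "TCP",
         "allowedSourceAddressPrefixes": ["198.51.100.10/32"],
         "maxRequestAccessDuration": "PT1H"},
    ]
}

_ISO_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def parse_duration(value: str) -> timedelta:
    """Parse the PT#H#M subset of ISO 8601 durations used by JIT policies."""
    match = _ISO_DURATION.match(value)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported duration: {value!r}")
    hours, minutes = (int(g) if g else 0 for g in match.groups())
    return timedelta(hours=hours, minutes=minutes)


def evaluate_request(policy: dict, port: int, source_ip: str, duration: str, now=None):
    """Decide a JIT access request against the policy.

    Returns (allowed, reason, rule). When allowed, `rule` is the temporary
    inbound allow rule the grant would add: one port, one source host, expiry.
    Everything else stays at the closed-by-default posture.
    """
    entry = next((p for p in policy["ports"] if p["number"] == port), None)
    if entry is None:
        return False, f"port {port} is not covered by the JIT policy", None

    ip = ipaddress.ip_address(source_ip)
    prefixes = entry["allowedSourceAddressPrefixes"]
    if "*" not in prefixes and not any(ip in ipaddress.ip_network(p) for p in prefixes):
        return False, f"source {source_ip} is outside the allowed prefixes", None

    requested = parse_duration(duration)
    limit = parse_duration(entry["maxRequestAccessDuration"])
    if requested > limit:
        return False, (f"requested {duration} exceeds the policy maximum "
                       f"{entry['maxRequestAccessDuration']}"), None

    now = now or datetime.now(timezone.utc)
    rule = {
        "port": port,
        "protocol": entry["protocol"],
        # Grant only the requesting host, never the whole allowed prefix.
        "source": f"{ip}/{ip.max_prefixlen}",
        "expires": now + requested,
    }
    return True, "access granted", rule


if __name__ == "__main__":
    requests = [(22, "203.0.113.7", "PT2H"), (22, "203.0.113.7", "PT4H"),
                (3389, "203.0.113.7", "PT1H"), (8080, "203.0.113.7", "PT1H")]
    for port, src, dur in requests:
        allowed, reason, rule = evaluate_request(JIT_POLICY, port, src, dur)
        print(f"{port:>5} {src:<14} {dur:<5} -> {'ALLOW' if allowed else 'DENY '} {reason}")
```

Three of the four sample requests are denied, each for a different policy dimension (duration, source range, port), which is the point: a JIT policy is only as tight as the narrowest of those three settings, so a `*` source prefix or a generous maximum duration quietly gives most of the protection back.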

Defend your on-premises resources

In addition to defending your Azure environment, you can add Defender for Cloud capabilities to your hybrid cloud environment to protect your non-Azure servers. To help you focus on what matters the most, you get customized threat intelligence and prioritized alerts according to your specific environment.

To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud's enhanced security features.

Defend resources running on other clouds

Defender for Cloud can protect resources in other clouds, such as Amazon Web Services (AWS) and Google Cloud Platform (GCP).

For example, if you connect an Amazon Web Services (AWS) account to an Azure subscription, you can enable any of these protections:

  • Defender for Cloud's CSPM features extend to your AWS resources. This agentless plan assesses your AWS resources according to AWS-specific security recommendations, and these are included in your secure score. The resources are assessed for compliance with built-in standards specific to AWS (the CIS AWS Foundations Benchmark, PCI DSS for AWS, and AWS Foundational Security Best Practices). Defender for Cloud's asset inventory page is a multicloud-enabled feature that helps you manage your AWS resources alongside your Azure resources.
  • Microsoft Defender for Containers extends its container threat detection and advanced defenses to your Amazon Elastic Kubernetes Service (EKS) Linux clusters.
  • Microsoft Defender for Servers brings threat detection and advanced defenses to your Windows and Linux Elastic Compute Cloud (EC2) instances. This plan includes the integrated license for Microsoft Defender for Endpoint, security baselines and OS-level assessments, vulnerability assessment scanning, adaptive application controls (AAC), file integrity monitoring (FIM), and more.

Close vulnerabilities before they get exploited

Diagram showing Microsoft Defender for Cloud continually assesses.

Defender for Cloud includes vulnerability assessment solutions for virtual machines, container registries, and SQL servers as part of the enhanced security features. Some of these scanners were originally powered by Qualys, but you never needed a Qualys license or account; everything is handled inside Defender for Cloud. The Qualys-based scanner for machines has since been retired in favor of Microsoft Defender Vulnerability Management, delivered through the Defender for Endpoint integration described next.

Microsoft Defender for Servers includes automatic, native integration with Microsoft Defender for Endpoint. With this integration enabled, you have access to the vulnerability findings from Microsoft Defender Vulnerability Management.

Review the findings from these vulnerability scanners and respond to them all from within Defender for Cloud. This broad approach brings Defender for Cloud closer to being the single pane of glass for all of your cloud security efforts.

Enforce your security policy from the top down

Diagram showing Microsoft Defender for Cloud secures.

Knowing that your workloads are configured securely is a security basic, and it starts with having tailored security policies in place. Because policies in Defender for Cloud are built on top of Azure Policy, you get the full range and flexibility of that policy engine. In Defender for Cloud, you can assign your policies to management groups, across subscriptions, and even to a whole tenant, so a standard set at the top of the hierarchy is inherited by every subscription beneath it.

Defender for Cloud continuously discovers new resources that are being deployed across your workloads and assesses whether they're configured according to security best practices. If not, they're flagged, and you get a prioritized list of recommendations for what you need to fix. Recommendations help you reduce the attack surface across each of your resources.

The list of recommendations is driven by the Microsoft Cloud Security Benchmark. This Microsoft-authored benchmark, based on common compliance frameworks, began with Azure and now provides a set of guidelines for security and compliance best practices across multiple cloud environments.

In this way, Defender for Cloud enables you not just to set security policies but to apply secure configuration standards across your resources.

Extend Defender for Cloud with Defender plans and external monitoring

Diagram showing Microsoft Defender for Cloud Defends.

You can extend the Defender for Cloud protection with the following:

  • Advanced threat protection features for virtual machines, SQL databases, containers, web applications, your network, and more - Protections include securing the management ports of your VMs with just-in-time access and using adaptive application controls to create allowlists of the applications that should and shouldn't run on your machines.

The Defender plans of Microsoft Defender for Cloud offer comprehensive defenses for the compute, data, and service layers of your environment:

  • Microsoft Defender for Servers
  • Microsoft Defender for Storage
  • Microsoft Defender for SQL
  • Microsoft Defender for Containers
  • Microsoft Defender for App Service
  • Microsoft Defender for Key Vault
  • Microsoft Defender for Resource Manager
  • Microsoft Defender for DNS
  • Microsoft Defender for open-source relational databases
  • Microsoft Defender for Azure Cosmos DB
  • Microsoft Defender for APIs
  • Defender CSPM
    • Security governance and regulatory compliance
    • Cloud security explorer
    • Attack path analysis
    • Agentless scanning for machines
  • Defender for DevOps

Use the advanced protection tiles in the workload protections Azure dashboard to monitor and configure each of these protections.

Tip

Microsoft Defender for the Internet of Things (IoT) is a separate product.

  • Security alerts - When Defender for Cloud detects a threat in any area of your environment, it generates a security alert. These alerts describe details of the affected resources, suggested remediation steps, and in some cases, an option to trigger a logic app in response.

    Whether an alert is generated by Defender for Cloud or received by Defender for Cloud from an integrated security product, you can export it. To export your alerts to Microsoft Sentinel, any third-party security information and event management (SIEM) system, or any other external tool, follow the instructions in Stream alerts to a SIEM, security orchestration, automation and response (SOAR), or IT service management solution.

    Defender for Cloud's threat protection includes fusion kill-chain analysis, which automatically correlates alerts in your environment based on cyber kill-chain analysis, to help you understand the full story of an attack campaign: where it started and what impact it had on your resources. Defender for Cloud's supported kill-chain intents are based on version 9 of the MITRE ATT&CK matrix.