Zero trust and Defender for Cloud
This article provides strategy and instructions for integrating zero trust infrastructure solutions with Microsoft Defender for Cloud. The guidance includes integrations with other solutions, including security information and event management (SIEM), security orchestration automated response (SOAR), endpoint detection and response (EDR), and IT service management (ITSM) solutions.
Infrastructure comprises the hardware, software, micro-services, networking infrastructure, and facilities required to support IT services for an organization. Whether on-premises or multicloud, infrastructure represents a critical threat vector.
Zero Trust infrastructure solutions assess, monitor, and prevent security threats to your infrastructure. Solutions support the principles of zero trust by ensuring that access to infrastructure resources is verified explicitly, and granted using principles of least privilege access. Mechanisms assume breach, and look for and remediate security threats in infrastructure.
What is zero trust?
Zero Trust is a security strategy for designing and implementing the following sets of security principles:
| Verify explicitly | Use least privilege access | Assume breach |
|---|---|---|
| Always authenticate and authorize based on all available data points. | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. |
Zero Trust and Defender for Cloud
Zero Trust infrastructure deployment guidance provides key stages of zero trust infrastructure strategy:
- Assess compliance with chosen standards and policies.
- Harden configuration wherever gaps are found.
- Employ other hardening tools such as just-in-time (JIT) VM access.
- Set up threat protection.
- Automatically block and flag risky behavior and take protective actions.
Here's how these stages map to Defender for Cloud.
| Goal | Defender for Cloud |
|---|---|
| Assess compliance | In Defender for Cloud, every subscription automatically has the Microsoft cloud security benchmark (MCSB) security initiative assigned. Using the secure score tools and the regulatory compliance dashboard you can get a deep understanding of security posture. |
| Harden configuration | Infrastructure and environment settings are assessed against compliance standards, and recommendations are issued based on those assessments. You can review and remediate security recommendations and [track secure score improvements](secure-score-access-and-track.md) over time. You can prioritize which recommendations to remediate based on potential attack paths. |
| Employ hardening mechanisms | Least privilege access is a zero trust principle. Defender for Cloud can help you to harden VMs and network settings using this principle with features such as Just-in-time (JIT) VM access. |
| Set up threat protection | Defender for Cloud is a cloud workload protection platform (CWPP), providing advanced, intelligent protection of Azure and hybrid resources and workloads. Learn more. |
| Automatically block risky behavior | Many of the hardening recommendations in Defender for Cloud offer a deny option, to prevent the creation of resources that don't satisfy defined hardening criteria. Learn more. |
| Automatically flag suspicious behavior | Defender for Cloud security alerts are triggered by threat detections. Defender for Cloud prioritizes and lists alerts, with information to help you investigate. It also provides detailed steps to help you remediate attacks. Review a full list of security alerts. |
Apply zero trust to hybrid and multicloud scenarios
With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same. Defender for Cloud protects workloads wherever they're running: in Azure, on-premises, AWS, or GCP.
- AWS: To protect AWS machines, you onboard AWS accounts into Defender for Cloud. This integration provides a unified view of Defender for Cloud recommendations and AWS Security Hub findings. Learn more about connecting AWS accounts to Microsoft Defender for Cloud.
- GCP: To protect GCP machines, you onboard GCP accounts into Defender for Cloud. This integration provides a unified view of Defender for Cloud recommendations and GCP Security Command Center findings. Learn more about connecting GCP accounts to Microsoft Defender for Cloud.
- On-premises machines: You can extend Defender for Cloud protection by connecting on-premises machines to Azure Arc enabled servers. Learn more about connecting on-premises machines to Defender for Cloud.
Protect Azure PaaS services
When Defender for Cloud is available in an Azure subscription, and Defender for Cloud plans are enabled for all available resource types, a layer of intelligent threat protection, powered by Microsoft Threat Intelligence, protects resources in Azure PaaS services, including Azure Key Vault, Azure Storage, Azure DNS, and others. Learn more about the resource types that Defender for Cloud can secure.
Automate responses with Azure Logic Apps
Use Azure Logic Apps to build automated scalable workflows, business processes, and enterprise orchestrations to integrate your apps and data across cloud services and on-premises systems.
Defender for Cloud's workflow automation feature lets you automate responses to Defender for Cloud triggers.
This is a great way to define and execute a consistent, automated response when threats are discovered: for example, notify relevant stakeholders, launch a change management process, and apply specific remediation steps when a threat is detected.
Integrate with SIEM, SOAR, and ITSM solutions
Defender for Cloud can stream your security alerts into the most popular SIEM, SOAR, and ITSM solutions. There are Azure-native tools to ensure you can view your alert data in all of the most popular solutions in use today, including:
- Microsoft Sentinel
- Splunk Enterprise and Splunk Cloud
- IBM's QRadar
- ServiceNow
- ArcSight
- Power BI
- Palo Alto Networks
Integrate with Microsoft Sentinel
Defender for Cloud natively integrates with Microsoft Sentinel, Microsoft's SIEM/SOAR solution.
There are two approaches to ensuring that Defender for Cloud data is represented in Microsoft Sentinel:
Sentinel connectors - Microsoft Sentinel includes built-in connectors for Microsoft Defender for Cloud at the subscription and tenant levels:
- Stream alerts to Microsoft Sentinel at the subscription level
- Connect all subscriptions in your tenant to Microsoft Sentinel
Tip
Learn more in Connect security alerts from Microsoft Defender for Cloud.
Audit logs streaming - An alternative way to investigate Defender for Cloud alerts in Microsoft Sentinel is to stream your audit logs into Microsoft Sentinel.
Stream alerts with Microsoft Graph Security API
Defender for Cloud has out-of-the-box integration with Microsoft Graph Security API. No configuration is required and there are no extra costs.
You can use this API to stream alerts from the entire tenant, and data from many other Microsoft Security products into third-party SIEMs and other popular platforms:
- Splunk Enterprise and Splunk Cloud - Use the Microsoft Graph Security API Add-On for Splunk
- Power BI - Connect to the Microsoft Graph Security API in Power BI Desktop
- ServiceNow - Follow the instructions to install and configure the Microsoft Graph Security API application from the ServiceNow Store
- QRadar - Use IBM's Device Support Module for Defender for Cloud via Microsoft Graph API
- Palo Alto Networks, Anomali, Lookout, InSpark, and more. Learn more about Microsoft Graph Security API.
Stream alerts with Azure Monitor
Use Defender for Cloud's continuous export feature to connect to Azure Monitor via Azure Event Hubs, and stream alerts into ArcSight, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions.
- This can also be done at the Management Group level using Azure Policy. Learn about creating continuous export automation configurations at scale.
- To view the event schemas of the exported data types, review the Event Hubs event schemas.
Learn more about streaming alerts to monitoring solutions.
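The alerts streamed through continuous export are the same records a workflow automation (the Logic Apps scenario described earlier) or a downstream SOAR consumes. The Python triage routine below is an added example, not Microsoft's code: it parses a few constructed exported-alert records and maps each one to a response (skip closed alerts, open a ticket for Medium and High, log the rest), which is the kind of decision a Logic App or ITSM connector would act on. The field names under `properties` (`alertDisplayName`, `severity`, `status`, `compromisedEntity`, `remediationSteps`) follow the Microsoft.Security/alerts resource schema; the Event Hubs envelope shape, the severity thresholds, the ticket priorities and the sample records themselves are assumptions of this example.

```python
"""Triage Defender for Cloud alerts received from continuous export.

Added example, not Microsoft's code. Alert field names follow the
Microsoft.Security/alerts resource; the records below are constructed.
"""
import json
from dataclasses import dataclass, field

# Severity ranking used by the triage rules (constructed for this example).
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample export: three alert records, one per line, as a consumer
# reading from Event Hubs might receive them. None of these are real alerts.
SAMPLE_EXPORT = [
    json.dumps({
        "name": "alert-0001",
        "type": "Microsoft.Security/Locations/alerts",
        "properties": {
            "alertDisplayName": "Suspicious process executed on VM",
            "severity": "High",
            "status": "Active",
            "compromisedEntity": "vm-demo-01",
            "timeGeneratedUtc": "2024-01-01T10:00:00Z",
            "remediationSteps": [
                "Isolate the virtual machine from the network",
                "Review the process tree",
            ],
        },
    }),
    json.dumps({
        "name": "alert-0002",
        "type": "Microsoft.Security/Locations/alerts",
        "properties": {
            "alertDisplayName": "Unusual storage access pattern",
            "severity": "Low",
            "status": "Active",
            "compromisedEntity": "stdemo01",
            "remediationSteps": [],
        },
    }),
    json.dumps({
        "name": "alert-0003",
        "type": "Microsoft.Security/Locations/alerts",
        "properties": {
            "alertDisplayName": "Anomalous sign-in to Key Vault",
            "severity": "Medium",
            "status": "Resolved",
            "compromisedEntity": "kv-demo",
        },
    }),
]


@dataclass
class Alert:
    alert_id: str
    display_name: str
    severity: str
    status: str
    compromised_entity: str
    remediation_steps: list


@dataclass
class Decision:
    alert_id: str
    action: str        # "ticket", "log", "skip" or "invalid"
    priority: int      # ITSM priority, 1 = highest (constructed mapping)
    entity: str
    remediation: list = field(default_factory=list)


def parse_alert(raw):
    """Parse one exported record; tolerates a bare properties object."""
    doc = json.loads(raw)
    props = doc.get("properties", doc)
    return Alert(
        alert_id=doc.get("name", "unknown"),
        display_name=props.get("alertDisplayName", ""),
        severity=props.get("severity", "Informational"),
        status=props.get("status", "Active"),
        compromised_entity=props.get("compromisedEntity", ""),
        remediation_steps=list(props.get("remediationSteps", [])),
    )


def triage(alert, min_ticket_severity="Medium"):
    """Map an alert to the response a workflow automation would dispatch."""
    if alert.status != "Active":
        # Resolved/Dismissed alerts must not reopen tickets on replay.
        return Decision(alert.alert_id, "skip", 0, alert.compromised_entity)
    rank = SEVERITY_RANK.get(alert.severity, 0)
    if rank >= SEVERITY_RANK[min_ticket_severity]:
        priority = 1 if alert.severity == "High" else 2
        return Decision(alert.alert_id, "ticket", priority,
                        alert.compromised_entity, alert.remediation_steps)
    return Decision(alert.alert_id, "log", 4, alert.compromised_entity)


def process_export(lines):
    """Triage every record; a malformed record yields an 'invalid' decision
    instead of stopping the consumer."""
    decisions = []
    for line in lines:
        try:
            decisions.append(triage(parse_alert(line)))
        except (ValueError, AttributeError):
            decisions.append(Decision("unparsed", "invalid", 0, ""))
    return decisions


if __name__ == "__main__":
    for decision in process_export(SAMPLE_EXPORT):
        print(decision)
```

The important edge case is the third record: replaying an export stream (or receiving a status update) must not reopen a ticket for an alert that is already resolved, so the status check runs before any severity logic.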
Integrate with EDR solutions
Microsoft Defender for Endpoint
Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. The Defender for Cloud servers workload plan, Defender for Servers, includes an integrated license for Defender for Endpoint. Together, they provide comprehensive EDR capabilities. Learn more about protecting endpoints.
When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for Cloud. From Defender for Cloud, you can pivot to the Defender for Endpoint console and perform a detailed investigation to uncover the scope of the attack.
Other EDR solutions
Defender for Cloud provides health assessment of supported versions of EDR solutions.
Defender for Cloud provides recommendations based on the Microsoft security benchmark. One of the controls in the benchmark relates to endpoint security: ES-1: Use Endpoint Detection and Response (EDR). There are two recommendations to ensure you've enabled endpoint protection and it's running well. Learn more about assessment for supported EDR solutions in Defender for Cloud.
Next steps
Start planning multicloud protection.