I was recently discussing with another Azure aficionado the value proposition of Security Center Standard compared to staying on the free tier. The discussion concluded that I should document some of my personal favorite features of the Security Center Standard tier; for me this is easily a top 20 list, but I started with the top 3 features, which I've been using and documenting on this blog on previous occasions.
- A demo of how advanced alert detections and Security Center workflows work together
- Links and details from my previous experience with the container security enhancements provided by Azure Security Center
- The main benefits and basic documentation for these features
Azure Security Center Standard is the enhanced tier of Azure Security Center; every Azure subscriber has access to the free tier. The Standard tier adds a long list of security enhancements. I've added some references and screencaps to give an idea of the basics of comparing the free and Standard tiers.
For a general description, check out the intro in the 'What is Azure Security Center' reference on docs.microsoft.com.
Differences highlighted when changing from Free to Standard Tier
The top 3 features?
1: Threat Protection options
Security Center Standard extends what I consider to be threat protection capabilities with the following features: Advanced Detections & Security Alerts, and EDR via MDATP.
Automation and advanced detection working together
To show part of these capabilities together, I built a short demo of advanced detections working together with Azure Security Center Workflows (Automation, covered in the top 2 section).
Threat Protection for PaaS
- Threat protection for PaaS resources is the biggest driver for me, and the reason to take the jump to the Security Center Standard SKU
- Building PaaS security monitoring otherwise requires quite a deal of API connections and log correlation to be built (and maintained)
MDATP (Server EDR) for Azure Security Center connected VMs
- Having all the detections provided by Azure Security Center plus EDR, which now supports Linux (in preview), is a pretty good offer
Feature coverage for machines
Below is a comprehensive list of the features regarding VMs in the Standard tier
Feature coverage for Azure PaaS services
Below is a comprehensive list of the features regarding PaaS services in the Standard tier
Security Center Alerts
The list of Security Center alerts is a long one.
2: Automation and workflow
- Features such as threat protection provide signals to Azure Security Center. These signals can be used to trigger Azure Logic Apps based workflows.
- Recommendations spawned in Azure Security Center can also be tied into a workflow automation
- Another cool fact is that since the trigger ties into a Logic App, you can couple it with virtually any component in the Azure ecosystem. My favorite flow is using Logic Apps at the beginning and then jumping into Functions, which you can have as a Logic App workflow step.
The Demo (Combining Top 1&2)
- The demo is related to my other post, PoC part 0 – Integrating Azure Security Center Alerts with MS Teams!
- I've highlighted the automation and triggers in this version to show how detections can be used to trigger a workflow based on Azure Logic Apps and Functions, either automatically or manually
- Manually triggering workflows from alerts is also a breeze. In the pictures below I trigger the workflow to alert my colleagues in the Security Group Team channel
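As an added example (not code from the original post or its demo), this is what the Functions step of such a workflow could do with the alert JSON that the Logic App trigger hands over: validate the payload, decide whether it is posted to Teams automatically or waits for a manual trigger, and build the Teams webhook message. The alert payload is constructed, and the field names are an assumption modelled on the Security Center alert schema.

```python
from datetime import datetime

# Constructed sample of an alert as handed over by the Security Center Logic App
# trigger. Field names are an assumption modelled on the Security Center alert
# schema; check them against your own trigger's payload before relying on them.
SAMPLE_ALERT = {
    "AlertDisplayName": "Suspicious process executed on container host",
    "Severity": "High",
    "CompromisedEntity": "node-docker-host-01",
    "Description": "A process launched inside a container matched known attacker tooling.",
    "RemediationSteps": ["Review the process ancestry", "Isolate the host if confirmed"],
    "StartTimeUtc": "2020-03-01T10:15:00Z",
    "SystemAlertId": "<alert-id-placeholder>",
}

# Severities posted to the Teams channel without a human pressing the trigger
# button; everything else waits for a manual trigger from the alert blade.
AUTO_POST_SEVERITIES = {"High", "Medium"}
REQUIRED_FIELDS = ("AlertDisplayName", "Severity", "CompromisedEntity", "StartTimeUtc")


def route_alert(alert):
    """Return 'auto' or 'manual' for the Logic App condition step; raise on a bad payload."""
    missing = [f for f in REQUIRED_FIELDS if not alert.get(f)]
    if missing:
        raise ValueError("alert is missing fields: " + ", ".join(missing))
    # Parse the timestamp up front so a malformed payload fails here, not in Teams.
    datetime.strptime(alert["StartTimeUtc"], "%Y-%m-%dT%H:%M:%SZ")
    return "auto" if alert["Severity"] in AUTO_POST_SEVERITIES else "manual"


def build_teams_message(alert):
    """Build the legacy MessageCard body for a Teams incoming webhook."""
    steps = alert.get("RemediationSteps") or []
    facts = [
        {"name": "Severity", "value": alert["Severity"]},
        {"name": "Resource", "value": alert["CompromisedEntity"]},
        {"name": "Started (UTC)", "value": alert["StartTimeUtc"]},
        {"name": "Alert id", "value": alert.get("SystemAlertId", "n/a")},
    ]
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "summary": alert["AlertDisplayName"],
        "title": "Security Center: " + alert["AlertDisplayName"],
        "sections": [{"text": alert.get("Description", ""), "facts": facts},
                     {"title": "Remediation", "text": "\n".join("- " + s for s in steps)}],
    }
```

In the Logic App, the return value of `route_alert` feeds a condition step, and the dict from `build_teams_message` is the body of the HTTP POST to the Teams incoming webhook.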
3: Container Security enhancements
In many of my development workflows I often end up working with containers. I was initially surprised to find that Security Center offers a plethora of really beneficial features to monitor and increase the security of container-based apps:
- Container image scanning
  - This is a feature that works on top of Azure Container Registry; I've written about it here: Hidden gem in Azure: Scan your docker images in ACR, view results in Sub Assessment API and Azure Security Center
- Docker baseline evaluation based on CIS
  - Besides image scanning you get baseline results for Docker hosts, and Security Center integration for AKS as well. The Docker baseline results can be pulled from the workspace with a query like this:

```kusto
// CIS baseline results for Docker hosts reported to the Security Center workspace
search "CIS*"
| where BaselineType contains "Docker"
| project Computer, CceId, BaselineType, Description, RuleSeverity
```
Bonus: Network Map
If this were a top 10 list, Network Map would be 4th on the list.
Network Map renders an end-to-end representation of the traffic it captures.
In the example below we can see end-to-end traffic mapped from a containerized NodeJS application:
- to Azure Key Vault
- to Azure Container Registry
- to Azure Storage
Local Network Client -> Node (Running in Docker) -> KeyVault, Azure Storage
- Before actually seeing the traffic in Network Map, I always thought that the Docker process would contain Node in such a way that the captured application would be "docker". In the Network Map feature you see the actual process that is running in the container and talking to the other mapped resources
Linux talking to Azure Container Registry