
TOP3 Picks from Azure Security Center Standard

I was recently discussing with another Azure aficionado the value proposition of Security Center Standard compared with staying on the free tier. The discussion concluded that I should document some of my personal favourite features of the Security Center Standard tier. For me this could easily be a top-20 list, but I started with the top three features, which I have been using and have documented on this blog on previous occasions.

Blog contents:

  • A demo of how advanced alert detections and Security Center workflow automation work together
  • A link to, and details from, my previous experience with the container security enhancements provided by Azure Security Center
  • The main benefits and basic documentation for these features

Background

Azure Security Center Standard is the enhanced tier of Azure Security Center; every Azure subscriber has access to the free tier. The Standard tier adds a long list of security enhancements. I have added some references and screen captures to give an idea of the basics of comparing the free and Standard tiers.

For a general description, check out the intro 'What is Azure Security Center' from docs.microsoft.com:

https://docs.microsoft.com/en-us/azure/security-center/security-center-intro

Differences highlighted when changing from Free to Standard Tier

The top 3 features?

1: Threat Protection options

Security Center Standard extends what I consider to be the threat protection capabilities with the following features: advanced detections and security alerts, and EDR via Microsoft Defender ATP (MDATP).

Automation and advanced detection working together

To show part of these capabilities together, I built a short demo of advanced detections working together with Azure Security Center workflow automation (covered in the top-2 section below).

Threat Protection for PaaS

  • Threat Protection for PaaS resources is, for me, the biggest driver for taking the jump to the Security Center Standard SKU
  • Building PaaS security monitoring otherwise requires quite a lot of API connections and log correlation to be built (and maintained)
PaaS resource alert

MDATP (server EDR) for Azure Security Center connected VMs

  • Having all the detections provided by Azure Security Center plus an EDR that now supports Linux (in preview) is a pretty good offer

References

Feature coverage for machines

Below is a comprehensive list of features regarding VMs for the Standard tier:

https://docs.microsoft.com/en-us/azure/security-center/security-center-services?tabs=features-windows

Feature coverage for Azure PaaS services

Below is a comprehensive list of features regarding PaaS services for the Standard tier:

https://docs.microsoft.com/en-us/azure/security-center/features-paas

Security Center Alerts

The list of Security Center alerts is a long one:

https://docs.microsoft.com/en-us/azure/security-center/alerts-reference

2: Automation and workflow

  • Features such as threat protection provide signals to Azure Security Center. These signals can be used to trigger Azure Logic Apps based workflows.
    • Recommendations raised in Azure Security Center can also be tied into a workflow automation
    • Another nice fact is that, since the trigger ties into a Logic App, you can couple it with virtually any component in the Azure ecosystem. My favourite flow is to start with Logic Apps and then jump into Functions, which you can have as a Logic App workflow step.
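As an added example (not code from the blog or from the demo video), this is the kind of Function that the "Logic Apps first, then Functions" flow hands the alert to: the Logic App forwards the Security Center alert JSON unchanged, and the Function triages it by severity, pulls the subscription and resource group out of the ARM resource id, and builds the Teams message the Logic App posts next. The alert field names (AlertDisplayName, Severity, CompromisedEntity, AzureResourceId, RemediationSteps, SystemAlertId, StartTimeUtc) are assumed from the Security Center alert schema and should be checked against the trigger's dynamic content for your connector version; the Teams payload uses the Office 365 connector MessageCard format; the sample alert is constructed.

```python
"""Added example, not the blog's own code: triage a Security Center alert
forwarded by a Logic App and build a Teams MessageCard for it.

Assumptions: the Logic App posts the alert JSON it received from the
Security Center trigger unchanged; the field names below follow the
Security Center alert schema as the author understands it (verify against
your connector's dynamic content). SAMPLE_ALERT is constructed.
"""
import json
import re

# Route only alerts at or above this severity to the on-call channel.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
ESCALATE_AT = "Medium"

# Constructed sample payload for offline runs (not a real alert).
SAMPLE_ALERT = json.dumps({
    "AlertDisplayName": "Suspicious process executed",
    "AlertType": "VM_SuspiciousProcess",
    "Severity": "High",
    "CompromisedEntity": "web-vm-01",
    "AzureResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
                       "/resourceGroups/prod-rg/providers/Microsoft.Compute"
                       "/virtualMachines/web-vm-01",
    "Description": "A process was started from a temp directory.",
    "RemediationSteps": ["Review the process", "Isolate the VM if unexpected"],
    "StartTimeUtc": "2020-01-01T10:00:00Z",
    "SystemAlertId": "11111111-2222-3333-4444-555555555555",
})

_RESOURCE_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)/providers/"
    r"(?P<provider>[^/]+/[^/]+)/(?P<name>[^/]+)$", re.IGNORECASE)


def parse_resource_id(resource_id):
    """Split an ARM resource id into subscription, resource group, type, name."""
    m = _RESOURCE_ID.match(resource_id or "")
    return m.groupdict() if m else None


def should_escalate(alert, threshold=ESCALATE_AT):
    """True when the alert severity is at or above the escalation threshold."""
    sev = alert.get("Severity", "Informational")
    return SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[threshold]


def build_teams_card(alert):
    """Build an Office 365 connector MessageCard for the Teams channel."""
    parts = parse_resource_id(alert.get("AzureResourceId")) or {}
    title = alert.get("AlertDisplayName", "Security Center alert")
    facts = [
        {"name": "Severity", "value": alert.get("Severity", "?")},
        {"name": "Entity", "value": alert.get("CompromisedEntity", "?")},
        {"name": "Subscription", "value": parts.get("sub", "?")},
        {"name": "Resource group", "value": parts.get("rg", "?")},
        {"name": "Start (UTC)", "value": alert.get("StartTimeUtc", "?")},
        {"name": "Alert id", "value": alert.get("SystemAlertId", "?")},
    ]
    steps = alert.get("RemediationSteps") or []
    return {
        "@type": "MessageCard",
        "@context": "https://schema.org/extensions",
        "themeColor": "FF0000" if should_escalate(alert) else "FFA500",
        "summary": title,
        "sections": [
            {"activityTitle": title,
             "text": alert.get("Description", ""),
             "facts": facts},
            {"title": "Remediation steps",
             "text": "\n\n".join(f"{i + 1}. {s}" for i, s in enumerate(steps))},
        ],
    }


def handle(body):
    """Function entry point: body is the JSON string the Logic App posts.

    Returns the escalation decision and the card so the Logic App can branch
    on 'escalate' and post 'card' to the channel webhook.
    """
    alert = json.loads(body)
    return {"escalate": should_escalate(alert), "card": build_teams_card(alert)}


if __name__ == "__main__":
    print(json.dumps(handle(SAMPLE_ALERT), indent=2))
```

Keeping the severity threshold in the Function rather than in the Logic App condition means one place to tune when the alert catalogue changes, and the parsed resource id gives the on-call engineer the subscription and resource group without opening the portal.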

The Demo (Combining Top 1&2)

I recommend clicking the "HD" button for better playback quality.
  • Manually triggering workflows from alerts is also a breeze; in the pictures below I trigger the workflow to alert my colleagues in the Security Group Teams channel

3: Container Security enhancements

In many of my development workflows I often end up working with containers. I was initially surprised to find that Security Center offers a plethora of really beneficial features to monitor and increase the security of container-based apps.

MS Docs detailing Container Security Offerings [LINK]
Log Analytics (KQL) query for the Docker CIS baseline results:

```kusto
// Find CIS baseline rows whose baseline type is Docker and keep the
// columns needed to see which host failed which rule, and how severe it is.
search "CIS*"
| where BaselineType contains "Docker"
| project Computer, CceId, BaselineType, Description, RuleSeverity
```
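To make concrete what the Docker rows in that query represent, here is an added example (not the blog's own code and not Security Center's assessment engine) that runs a handful of CIS Docker Benchmark style checks offline over the JSON that `docker inspect <container>` prints. The rule numbers are quoted from CIS Docker Benchmark v1.2 as I recall them, so verify them against the benchmark version you audit against; the sample inspect output is constructed, and the severities are my own assignment rather than Security Center's.

```python
"""Added example, not the blog's own code: offline CIS Docker Benchmark
style checks over `docker inspect` output.

Assumptions: input is the JSON array printed by `docker inspect <name>`;
rule numbers follow CIS Docker Benchmark v1.2 as the author recalls them
(verify against your benchmark version); severities are the author's own.
SAMPLE_INSPECT is constructed, not captured from a real host.
"""
import json
import sys

# Constructed: a deliberately badly configured container for the demo run.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/node-app",
    "Config": {"User": "", "Image": "node:12"},
    "HostConfig": {
        "Privileged": True,
        "SecurityOpt": None,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "ReadonlyRootfs": False,
    },
}])


def rule_5_4_not_privileged(c):
    """CIS 5.4: privileged containers get every capability and device."""
    return not c["HostConfig"].get("Privileged", False)


def rule_5_31_no_docker_socket(c):
    """CIS 5.31: a mounted docker.sock is root on the host for the container."""
    for bind in c["HostConfig"].get("Binds") or []:
        if bind.split(":")[0].rstrip("/") == "/var/run/docker.sock":
            return False
    return True


def rule_4_1_non_root_user(c):
    """CIS 4.1: the container should run as a dedicated non-root user."""
    user = (c["Config"].get("User") or "").split(":")[0]
    return user not in ("", "0", "root")


def rule_5_25_no_new_privileges(c):
    """CIS 5.25: block setuid/setgid escalation inside the container."""
    opts = c["HostConfig"].get("SecurityOpt") or []
    return "no-new-privileges" in opts or "no-new-privileges:true" in opts


def rule_5_12_readonly_rootfs(c):
    """CIS 5.12: a read-only root filesystem limits persistence after compromise."""
    return bool(c["HostConfig"].get("ReadonlyRootfs", False))


RULES = [
    ("CIS 5.4", "Ensure privileged containers are not used", "High", rule_5_4_not_privileged),
    ("CIS 5.31", "Ensure the Docker socket is not mounted inside any containers", "High", rule_5_31_no_docker_socket),
    ("CIS 4.1", "Ensure a non-root user is configured for the container", "Medium", rule_4_1_non_root_user),
    ("CIS 5.25", "Ensure the container is restricted from acquiring additional privileges", "Medium", rule_5_25_no_new_privileges),
    ("CIS 5.12", "Ensure the container's root filesystem is mounted as read only", "Low", rule_5_12_readonly_rootfs),
]


def assess(inspect_json):
    """Return one finding per failed rule per container, shaped like the
    columns the KQL query projects (container, rule, description, severity)."""
    findings = []
    for c in json.loads(inspect_json):
        for rule_id, description, severity, check in RULES:
            if not check(c):
                findings.append({
                    "Container": c.get("Name", "").lstrip("/"),
                    "RuleId": rule_id,
                    "Description": description,
                    "RuleSeverity": severity,
                })
    return findings


if __name__ == "__main__":
    # Usage: docker inspect node-app | python3 cis_docker_check.py
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for f in assess(data):
        print(f"{f['RuleSeverity']:<6} {f['RuleId']:<9} {f['Container']:<12} {f['Description']}")
```

The point of keeping the output shape close to the Log Analytics columns is that a finding produced locally in a pipeline and one produced by the Security Center baseline assessment can be compared rule by rule before the image ever reaches a monitored host.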

Bonus: Network Map

If this were a top-10 list, Network Map would be number 4 on the list.

Network Map renders an end-to-end representation of the traffic it captures.

https://docs.microsoft.com/en-us/azure/security-center/security-center-network-recommendations

In the example below we can see end-to-end traffic mapped from a containerized NodeJS application to:

  • Azure Key Vault
  • Container Registry
  • Azure Storage

Local Network Client -> Node (Running in Docker) -> KeyVault, Azure Storage

  • Before actually seeing the traffic in Network Map, I always thought that the Docker process would contain Node in such a manner that the captured application would be "docker". In the Network Map feature you see the actual process that is running in the container and talking to the other mapped resources

Linux talking to Azure Container Registry

Till next time!

1 comment on "TOP3 Picks from Azure Security Center Standard"

  1. Pingback: Complete guide for Integrating Azure Security Center Alerts 2 MS Teams! – SecureCloudBlog
