At the RSA Conference in San Francisco, Microsoft on Tuesday announced new Azure Security Center capabilities that provide enhanced protection to help users keep pace with the evolving cybersecurity landscape.
The new Azure Security Center uses machine learning and advanced analytics to quickly detect threats and also helps prevent them. “Its agent-based approach helps gain deeper security insights from the workloads and extends these protections to workloads running on-premises as well as other clouds, providing a unified security management for you,” stated Microsoft.
The capabilities generally available today include integration with the virtual machine experience, Web Security Configuration Assessments, and Just-in-Time VM Access.
The following features are in public preview:
- Visibility into identity and access controls,
- File Integrity Monitoring (FIM),
- Adaptive Application Controls,
- Integration with Windows Defender Advanced Threat Protection,
- Fileless Attack Detection,
- Detecting threats targeting Azure App Service and Azure Resource Management logs.
Some capabilities are also available in limited public preview, such as the new Security Center dashboard, interactive network topology, and security assessments for containers.
The Azure Security Center offering includes the following benefits:
Governance at Organizational Level
Using the new overview dashboard you can gain visibility into your security state at the organizational level instead of the subscription level. It is also now possible to set security policies for management groups in your organization and monitor them with an organization-wide compliance score as well as a breakdown per subscription and management group.
Integrated security configuration in the Virtual Machine experience lets you secure IaaS resources when creating a new virtual machine. Once Security Center is enabled, you can easily assess the security state of a VM with actionable recommendations and mitigate risks.
The Identity & Access Management section lets you discover access controls, such as multi-factor authentication, for applications and data, surface identity and access issues, and receive instructions for remediation.
Just-in-time VM access reaches general availability and protects against threats such as brute-force attacks by opening VM management ports only when access is actually needed.
Adaptive application controls, which use machine learning, offer improvements such as recommendations for new file types like MSIs and scripts, and the ability to group VMs based on the similarity of their applications.
Both enhancements improve the accuracy of the whitelisting policy that Security Center recommends for the virtual machines in a specific workload, and make it even easier for you to block unwanted applications and malware.
Interactive network security monitoring lets you explore connections between virtual networks, subnets and nodes, along with actionable recommendations when issues such as missing network security groups or web application firewalls are detected.
File integrity monitoring (FIM) helps protect the integrity of system and application software. If an abnormal change to files or malicious behavior is detected, an alert lets you stay in control of your files.
Threat protection is extended to container environments and monitors for insecure configuration of the container engine.
New secure configuration assessments for servers help find vulnerabilities in IIS web servers running on IaaS VMs and provide actionable recommendations.
Integration with Windows Defender Advanced Threat Protection for servers (WDATP) now provides improved threat detection for Windows Server. WDATP is automatically enabled for Azure and on-premises Windows Servers that have been onboarded to Security Center.
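To make the FIM idea above concrete, here is a small added example (not Security Center's own code) that takes a hash-and-mode baseline of a monitored directory tree, then classifies later drift as added, removed or modified files. The directory layout, file contents and the simulated tampering are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative path) to (hash, permission bits)."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[str(p.relative_to(root))] = (hash_file(p), p.stat().st_mode & 0o777)
    return snap

def compare(baseline: dict, current: dict) -> dict:
    """Classify drift from the baseline: new files, deleted files, changed content/mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f])
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed scenario: baseline a tree, then simulate changes an FIM alert should flag."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original build")
        baseline = snapshot(root)
        # Simulated post-baseline drift: config edited, binary replaced, unknown file dropped
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "app").write_bytes(b"\x7fELF replaced build")
        (root / "bin" / "helper.sh").write_text("#!/bin/sh\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

A real agent would persist the baseline out of reach of the monitored host and re-snapshot on a schedule or on file-system events; the comparison logic is the same.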
Microsoft also released some major improvements to Azure AD Conditional Access, based on a new integration with Intune and WDATP, that introduce the ability to create access policies based on the risk level detected at Windows 10 endpoints, ensuring that only trusted users on trusted devices can access corporate data.
With this new integration, Azure AD Conditional Access can now receive intelligence about suspicious activity on domain-joined devices and automatically block those devices from accessing corporate resources.
For more information on how this integration works, you can watch the video below:
With the upcoming Spring Creators Update for Windows 10, WDATP will also provide richer capabilities for businesses, such as:
Automatic investigation and remediation of threats uses artificial intelligence (AI) to investigate alerts, determine whether a threat is active and where it originated, and then take the appropriate steps to remediate it automatically.
If an incident includes multiple machines, the investigation automatically expands across the entire scope of the breach and performs the required actions on those machines in parallel.
Also, in the next update, if a threat is detected, the dynamic machine risk level can be used to define Microsoft 365 conditional access policies and prevent risk to corporate data.
As an example, “if a bad threat lands on your endpoints, even using most advanced fileless attacks, Windows Defender ATP can detect it and automatically protect your precious corporate information through conditional access,” wrote Microsoft. In parallel, “Windows Defender ATP will start an automated investigation to quickly remediate the threat. Once the threat is remediated, based on the preference set (automatic or reviewed), the risk level is set back to “no risk” – and access is granted again.”
Advanced Hunting lets you proactively hunt and investigate across your organization’s data. New process creation, file modification, machine login, network communication, registry update, remediation actions and many other event types are entities you can now easily query, correlate and intersect.
You can get started with a set of sample queries within the tool, along with a project on GitHub that contains additional sample queries.
Microsoft also now shares detections to automatically update its protection and detection mechanisms across Microsoft 365 through the Microsoft Intelligent Security Graph (ISG).
Additionally, the company is now providing wider Advanced Threat Protection coverage across identities (Azure ATP), apps and data (Office 365 ATP), and devices (Windows Defender ATP).
Microsoft also displays Windows Secure Score across Windows and Office in a single view with Microsoft Secure Score. A new dashboard provides insights about the organization’s exposure level, currently for the Meltdown and Spectre vulnerabilities, so you can easily understand which machines are still exposed. This includes information about your network, operating system updates, and microcode level against these threats.
Fileless Attack Detection: Security Center uses a variety of advanced memory forensic techniques to identify malware that persists only in memory and is not detected by traditional means. You can use the rich set of contextual information for alert triage, correlation, analysis and pattern extraction.
Threat analytics detects threats targeting admin activity by analyzing Azure Resource Management logs. An alert lets you investigate when something abnormal is attempted or overly permissive privileges have been granted.
Security Center is also extending its threat detection capabilities to PaaS resources. It can now detect threats targeting Azure App Service and provide recommendations to protect your applications.
To dive deeper, watch the video demonstrating Azure Essentials or head over to this web page.
A limited preview of password-less sign-in to Windows 10 and Azure AD using FIDO2 is coming soon. This new capability will give employees the ability to sign in to an Azure Active Directory-joined Windows 10 PC without a username or password.
To sign in, a user will need to insert a FIDO2-compliant security key into their USB port and tap it. They’ll be automatically signed in to the device and will also get single sign-on access to all Azure AD-protected cloud resources.
- A limited preview of password-less sign-in using a FIDO2 security key will be available in the next update to Windows 10 (coming this spring).
- Azure AD Conditional Access policies can now check device health as reported by Windows Defender Advanced Threat Protection.
- With the addition of domain allow and deny lists, Azure AD B2B Collaboration now gives you the ability to control which partner organizations you work with.
The video below demonstrates the new FIDO2 sign-in:
- Access reviews help manage the drift in access rights over time. Now generally available, access reviews can be scheduled to run on a regular basis, and review results can be applied automatically to help ensure clean compliance reviews.
- Azure AD PIM for Azure Resources offers the ability to use time-bound access and assignment capabilities to secure access to Azure resources. For example, you can enforce Multi-Factor Authentication or an approval workflow whenever
“Many customers have told us they need a way to let their employees and partners know how they should be using the data they are about to access, especially with the May 25th 2018 GDPR deadline looming,” Microsoft stated.
Azure AD B2B Collaboration now gives you the ability to control which partner organizations you work with, as it now lets you add domains to allow or deny lists. To do this, simply create a list of specific domains to allow or deny. “When a domain is blocked using these capabilities, employees can no longer send invitations to people in that domain.”
This helps you control access to your resources, while enabling a smooth experience for approved users.
This B2B Collaboration feature is available for all Azure Active Directory customers and can be used in conjunction with Azure AD Premium features, like conditional access and identity protection, for more granular control of when and how external business users sign in and gain access.
Microsoft is also introducing new ways to manage passwords, protect identities, and mitigate threats. To this end, the password-less sign-in to Windows with Azure AD feature will soon be in limited preview.
Microsoft also today announced the integration of Azure Information Protection (AIP) and Azure Active Directory (AAD). With this integration it’s now easier to set up conditional access to allow or block access to AIP-protected documents, or to enforce additional security requirements such as Multi-Factor Authentication (MFA) or device enrollment, based on the device, location or risk score of users trying to access sensitive documents.
Below is a list of some common scenarios:
- Require Multi-Factor Authentication: Enforce an MFA challenge to access AIP-protected documents. This can help protect against the risk of stolen and phished credentials.
- Device Compliance/Domain Joined: Allow access only if the user device is domain joined and/or is compliant as per company MDM/MAM policy (device compliance policies are configured in Intune).
- Risky Sign-in: Block access to sensitive content when a user has a High, Medium or Low likelihood of risky sign-in (i.e., the sign-in attempt was not performed by the legitimate owner of the user account).
- Trusted Network: Block access when the user is not at work. In other words, you can require access to sensitive content to be only from a network you trust.
Microsoft also recommends securing Azure Active Directory, the central system for managing access across all cloud services, including Azure, Office 365, hundreds of popular SaaS and PaaS cloud services, and on-premises resources, with Azure Multi-Factor Authentication.
Users are also advised to secure networks created through Azure Virtual Network (VNet) by extending the on-premises network to the cloud using a secure site-to-site VPN or a dedicated Azure ExpressRoute connection.
To protect web applications, you can use the built-in Web Application Firewall. At RSA, Microsoft also announced the new Azure DDoS Protection Standard, which gives more control over DDoS protection for virtual networks with turnkey protection, telemetry and alerting.
With Microsoft Cloud App Security, two new features were also shared that enable customers to gain insight into and better control of their ecosystem of SaaS apps, including and beyond native Microsoft applications:
Ransomware Activity: Cloud App Security, which already detects ransomware attacks via activity policy templates, today extends to anomaly detection against sophisticated ransomware attacks.
Terminated-user Activity will be able to identify when a terminated employee continues to perform actions on SaaS apps. “This allows us to profile the regular activity of the user, identify when the account is terminated, and determine activity on other apps beyond the suspension of credentials,” wrote Microsoft. For example, “if an employee AAD account was terminated, but he or she continues to access the corporate AWS infrastructure, an alert will be triggered.”
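The detection logic behind the terminated-user scenario, as an added example that is not Cloud App Security's own code: it takes the account-disabled time from directory events, builds a per-user profile of which apps were used before that, and alerts on any SaaS activity afterwards. The event records, user names and app names are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample events (not real tenant data); ISO-8601 UTC timestamps.
DIRECTORY_EVENTS = [
    {"time": "2018-04-16T09:00:00Z", "user": "alice@example.com", "action": "AccountDisabled"},
    {"time": "2018-04-16T09:05:00Z", "user": "bob@example.com", "action": "PasswordReset"},
]
APP_EVENTS = [
    {"time": "2018-04-15T17:30:00Z", "user": "alice@example.com", "app": "AWS", "action": "ConsoleLogin"},
    {"time": "2018-04-16T12:00:00Z", "user": "alice@example.com", "app": "AWS", "action": "ConsoleLogin"},
    {"time": "2018-04-17T08:00:00Z", "user": "alice@example.com", "app": "Box", "action": "FileDownload"},
    {"time": "2018-04-16T12:00:00Z", "user": "bob@example.com", "app": "AWS", "action": "ConsoleLogin"},
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def termination_times(directory_events: list) -> dict:
    """Earliest AccountDisabled time per user: the moment credentials were suspended."""
    out = {}
    for e in directory_events:
        if e["action"] == "AccountDisabled":
            t = parse_ts(e["time"])
            out[e["user"]] = min(t, out.get(e["user"], t))
    return out

def detect_terminated_user_activity(directory_events: list, app_events: list) -> list:
    """Alert on SaaS activity by a user after their directory account was disabled.
    Each alert also records whether the app belonged to the user's pre-termination profile,
    which helps triage (continued use of a known app vs. a brand-new app)."""
    terminated = termination_times(directory_events)
    seen_before = set()  # (user, app) pairs active prior to termination
    alerts = []
    for e in sorted(app_events, key=lambda e: e["time"]):
        t = parse_ts(e["time"])
        cutoff = terminated.get(e["user"])
        if cutoff is None or t <= cutoff:
            seen_before.add((e["user"], e["app"]))
            continue
        alerts.append({
            "user": e["user"], "app": e["app"], "action": e["action"],
            "hours_after_termination": round((t - cutoff).total_seconds() / 3600, 1),
            "app_in_prior_profile": (e["user"], e["app"]) in seen_before,
        })
    return alerts

if __name__ == "__main__":
    for a in detect_terminated_user_activity(DIRECTORY_EVENTS, APP_EVENTS):
        print(a)
```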
Lastly, a public preview of custom activities for deeper visibility and control of user actions via Conditional Access App Control is announced. It lets you create a Session Policy with an Activity type filter to monitor and/or block a variety of granular, app-specific activities, such as those shown below.
This new filter augments the existing file download control features to provide comprehensive control of the applications in your organization.
Update 04/19: The Windows Defender Browser Protection extension is now available from the Chrome Web Store as a free download. It protects your computer against threats such as phishing and websites that trick the machine into downloading and installing malicious programs that can harm it.
Microsoft accomplishes this by checking the URL of an opened website against its own database of malicious links. If the URLs match, Windows Defender Browser Protection presents a red warning screen to the user and offers them “a clear path back to safety with one click.”