Azure Security Center Leverage Collective Intelligence to Detect & Prevent Threats

SailPoint integration extends Azure Active Directory Premium, enhancements to Azure Security Center.


To help customers more effectively defend against, and prevent, the increasing volume and sophistication of security attacks, Microsoft today released a number of new capabilities in Azure Security Center that leverage this collective intelligence.

Azure Security Center and Operations Management Suite help organizations protect, detect and respond to sophisticated threats across cloud and datacenter resources—"all without introducing any management overhead."

New capabilities included in this preview are:

Just-In-Time (JIT) Network Access to VMs lets you open commonly targeted ports such as RDP and SSH only for a limited time when you need to connect remotely to a VM, significantly reducing the attack surface the rest of the time.

Application Whitelisting helps block unknown and potentially malicious apps from running. ASC can now automatically discover and recommend a whitelisting policy for a group of machines and apply these settings to Windows VMs using the built-in AppLocker feature.

Once a policy is applied, Security Center continuously monitors the configuration and suggests changes.

Additionally, the new threat detections available now include Brute Force detections, outbound DDoS and Botnet detections, and new behavioral analytics for Windows and Linux VMs.

  • Brute Force Detections use machine learning against SSH, RDP, and SQL ports, as well as network brute force targeting many applications and protocols, such as FTP, Telnet, SMTP, POP3, Squid proxy, MongoDB, Elasticsearch, and VNC.
  • Outbound DDoS and Botnet Detection uses new detection algorithms generally available in Azure Security Center and analytics in private preview. "Clusters of VMs based on network traffic patterns are created to determine if a VM is involved in DDoS by using supervised classification techniques." "New analytics detect if a VM is part of a botnet. It works by joining network data (IPFIX) with passive DNS information to obtain a list of domains accessed by the VM and using them to detect malicious access patterns."
  • New Behavioral Analytics for Servers and VMs - Behavioral analytics generally available in Azure Security Center help identify suspicious activity, such as process persistence in the registry, processes masquerading as system processes, and attempts to evade application whitelisting.
  • In addition, new analytics in public preview are designed specifically for Windows Server 2016, for example activity related to SAM and admin account enumeration. Over the next few weeks, many of these behavioral analytics will be available for Linux VMs as well.

    Operations Management Suite Security users will also benefit from these new detections for non-Azure servers and VMs.
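The brute force detection described above is backed by machine learning in Azure Security Center; the simplest defender-side form of the same idea is a sliding-window count of failed logins per source, escalated when a success follows the failures. The following is an added example, not Azure Security Center's or Microsoft's code: it parses a few constructed sshd auth.log lines (sample data, not from any real host; the syslog year is assumed to be 2017) and raises one alert per source address that exceeds a failure threshold inside a time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log lines (sample data, not taken from any real system).
# Source 203.0.113.7 fails 11 times in 30 seconds and then succeeds as "deploy";
# source 198.51.100.20 is a user mistyping a password twice, which is benign.
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:01 vm-web01 sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7 user=admin
Mar 10 09:00:01 vm-web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51412 ssh2
Mar 10 09:00:04 vm-web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51413 ssh2
Mar 10 09:00:07 vm-web01 sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51414 ssh2
Mar 10 09:00:10 vm-web01 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51415 ssh2
Mar 10 09:00:13 vm-web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51416 ssh2
Mar 10 09:00:16 vm-web01 sshd[2211]: Failed password for invalid user ubuntu from 203.0.113.7 port 51417 ssh2
Mar 10 09:00:19 vm-web01 sshd[2213]: Failed password for invalid user postgres from 203.0.113.7 port 51418 ssh2
Mar 10 09:00:22 vm-web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51419 ssh2
Mar 10 09:00:25 vm-web01 sshd[2217]: Failed password for invalid user git from 203.0.113.7 port 51420 ssh2
Mar 10 09:00:28 vm-web01 sshd[2219]: Failed password for invalid user deploy from 203.0.113.7 port 51421 ssh2
Mar 10 09:00:31 vm-web01 sshd[2221]: Failed password for deploy from 203.0.113.7 port 51422 ssh2
Mar 10 09:00:35 vm-web01 sshd[2223]: Accepted password for deploy from 203.0.113.7 port 51423 ssh2
Mar 10 09:01:10 vm-web01 sshd[2301]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Mar 10 09:01:20 vm-web01 sshd[2303]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar 10 09:01:25 vm-web01 sshd[2305]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

ASSUMED_YEAR = 2017  # syslog timestamps carry no year; assumed for the sample above

# Matches the standard OpenSSH "Failed/Accepted password" lines; other sshd and
# PAM chatter (like the first sample line) is deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return a list of (timestamp, outcome, user, source_ip) login events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Collapse the double space syslog uses for single-digit days before parsing.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts.replace(year=ASSUMED_YEAR), m["outcome"], m["user"], m["src"]))
    return events


def detect_brute_force(events, threshold=10, window=timedelta(seconds=60)):
    """Sliding-window rule: one alert per source that reaches `threshold` failed
    logins within `window`; a later success from that source raises severity to
    'high' because the brute force most likely worked."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures still inside the window
    alerts = {}                  # src -> alert dict
    for ts, outcome, user, src in sorted(events):
        q = recent[src]
        if outcome == "Failed":
            q.append((ts, user))
            while q and ts - q[0][0] > window:   # drop failures that aged out
                q.popleft()
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {
                    "src": src,
                    "severity": "medium",
                    "failures": len(q),
                    "users_tried": sorted({u for _, u in q}),
                    "first_seen": q[0][0],
                    "last_seen": ts,
                }
        elif outcome == "Accepted" and src in alerts:
            alerts[src]["severity"] = "high"
            alerts[src]["success_user"] = user
    return list(alerts.values())


def run_detection(text=SAMPLE_AUTH_LOG):
    """Parse the sample log and return the resulting alerts."""
    return detect_brute_force(parse_auth_log(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

The threshold and window are the tuning knobs a fixed rule exposes; the page's point is that a learned model replaces hand-picked values like these and covers RDP, SQL and the other listed protocols the same way, whereas this example covers only the sshd log format it parses.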

In addition, ASC also lets you bring along your trusted cloud security vendors, with these recent additions:

Fortinet NGFW and Cisco ASA next-generation firewalls are now integrated with ASC, which automatically discovers their deployments, streamlines deployment and monitoring, and integrates security alerts from these partner solutions, writes the team.

Microsoft also shared a few more additions to its ecosystem today, including:

SailPoint, a leader in identity governance, will add its identity governance capabilities to Azure Active Directory's unique access management and identity protection services.

  • Identity and context synchronization is performed using a direct connector that automatically aggregates user accounts, group permissions, and Microsoft Access Panel tiles and maps each of these to the SailPoint Identity Cube.
  • It also provides the basis for SailPoint to send change events back to Azure AD when access is modified during a governance mitigation process. In addition, SailPoint will connect to applications managed outside of Azure AD, including on-premises applications like EPIC.
  • "This creates a 360-degree view of all access in the organization and creates a strong foundation for comprehensive control," writes the Azure team.
  • The integration also adds support for self service access request and lifecycle events like join, move, or leave across all applications (cloud or on-premises) to ensure that access is granted according to business policy.
  • In both cases, this combination enables end-to-end coverage of all provisioning events with full synchronization of access changes to the Microsoft Access Panel.
  • The integration provides a simple and effective way to automate the entire access certification process. SailPoint's access certifications combine data collected from the identity and context synchronization process described above with account and entitlement data from all application sources to create a single view of all access.
  • Another important governance control is the ability to enforce SOD policies throughout a user's lifecycle within an organization.
  • SailPoint also delivers audit and compliance reporting that significantly reduces burden on IT operations teams and improves visibility for the business.
  • The self-service password reset extension automatically propagates an Azure AD password change to all connected systems in SailPoint that share a common password policy. "This allows a user to change their password once in Azure AD and have it synchronized across a wide variety of on-premises and cloud-based systems," writes the Azure team.
Diagram: Sailpoint and Azure AD Premium integration.

Azure SQL Database Threat Detection will be generally available in April and provides a new layer of database security that uses machine learning to continuously monitor, profile and detect suspicious database activity, helping customers detect and respond to potential threats.

You can view alerts from SQL Database Threat Detection in ASC, along with additional details and actions for investigating and preventing similar threats in the future.


Diagram: Azure SQL Database Threat Detection GA

How to use SQL Database Threat Detection:

  • Just turn it ON - simply switch on Threat Detection from the Auditing & Threat Detection configuration blade in the Azure portal, select an Azure storage account (where the SQL audit log will be saved) and configure at least one email address for receiving alerts.
  • Real-time actionable alerts are sent via email once a threat is detected on the database, providing details of the suspicious activity and recommendations for further investigating and mitigating the threat.
  • A live SQL security tile within the database blade in the Azure portal tracks the status of active threats. "Clicking on SQL security tile launches Azure Security Center alerts blade and provides an overview of active SQL threats detected on the database. Clicking on a specific alert provides additional details and actions for investigating and preventing similar threats in the future."
  • Investigate SQL threats - Each SQL Database Threat Detection email notification and Azure Security Center alert includes a direct link to the SQL audit log. Clicking the link launches the Azure portal and opens the SQL audit records of the event, making it easy to find the SQL statements that were executed (who accessed what, and when) and determine whether the event was legitimate or malicious (e.g. an application's SQL injection vulnerability was exploited, someone breached sensitive data, etc.).

To take advantage of these and other advanced detection capabilities, select the Standard tier or free 90 Day Trial from the Pricing Tier blade in the Security Center Policy. Learn more about pricing.