What is Azure Security Center and its Capabilities?

Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads.

Ajay Kumar
6 min read, Oct 22, 2019

This article focuses on Azure Security Center: its capabilities and features, how to enable the service to protect your workloads, and the other architecture components involved. It is the first of a series of articles in which I'll cover Azure security more broadly, including applying security policies across workloads to limit exposure to threats, and detecting and responding to cyber-attacks.

Security Center helps protect all Azure resources, and certain on-premises resources, through its Free and Standard tiers. It finds and fixes security vulnerabilities, applies access and application controls to block malicious activity, detects threats using analytics and threat intelligence, and helps you respond quickly when an attack is under way. Security Center is enabled at the subscription level, from the Azure portal. The Standard tier can be tried free for 30 days before you start paying.

For pricing details, refer to the Azure pricing page.

These are the resource categories that Security Center assesses, each reported with its current security posture:

· Compute & apps

· Networking

· Data security

· Identity & access

Azure Security Center provides integrated security monitoring and policy management across Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

To open Security Center, sign in to the Azure portal and select "Security Center" from the portal's navigation links, or type "security center" into the All services search box if the link is not pinned there. The overview page gives a summary of your environment along with the current policy and compliance status.

Strengthen security posture

Azure Security Center helps you strengthen your security posture: it identifies the hardening tasks that are recommended as security best practices and lets you implement them across VMs, data services and applications. Events collected from the agents and from Azure itself are correlated in the security analytics engine to produce tailored recommendations that your organization should follow to keep its workloads secure, as well as threat-detection alerts.

Continuous assessments

Security Center continuously discovers new resources as they are deployed across your workloads and assesses whether they are configured according to security best practices. Resources that are not are flagged, and Security Center provides a prioritized list of the recommendations you need to act on to protect them.

One of the most powerful tools Security Center provides for continuously monitoring the security status of your network is the Network map. The map shows the topology of your workloads, so you can check whether each node is properly configured. It also shows how nodes are connected, which helps you block unwanted connections that would otherwise make it easier for an attacker to move laterally across your network.

Protection against threats

Azure Security Center's threat protection detects and prevents threats at the infrastructure-as-a-service (IaaS) layer, on non-Azure servers, and for platform-as-a-service (PaaS) offerings in Azure. It includes Fusion kill-chain analysis, which automatically correlates related alerts into incidents based on the cyber kill chain, so you can see where an attack started and what impact it had on your resources rather than triaging each alert in isolation.

Discover and onboard Azure resources in Security Center

To get started with Security Center you need a Microsoft Azure subscription; if you do not have one, you can sign up for a free trial. Security Center's Free pricing tier is enabled automatically with the subscription. To take advantage of the advanced security management and threat detection capabilities, upgrade the subscription to the Standard pricing tier, which can be tried free for 30 days.

The Security Center overview page provides a unified view of the security posture of your cloud workloads, letting you discover and assess each workload and identify and mitigate risk.

Once a subscription is enabled, Security Center begins assessing it to identify security vulnerabilities. To customize the types of assessment performed, you modify the security policy. A security policy defines the desired configuration of your workloads and helps ensure compliance with company or regulatory security requirements.

Within minutes of opening Security Center for the first time, it provides:

· Recommendations for ways to improve the security of your Azure subscriptions. Clicking the Recommendations tile opens a prioritized list that you can start remediating.

· An inventory of the Compute & apps, Networking, Data security, and Identity & access resources that Security Center is assessing, along with the security posture of each.

The heart of Azure Security Center's value lies in its recommendations. They are tailored to the specific security concerns found on your workloads, and Security Center does much of the security admin work for you: it not only finds vulnerabilities but gives you specific instructions for how to fix them.

Security Center collects data from Azure VMs and non-Azure computers to monitor for security vulnerabilities and threats. Data is collected by the Microsoft Monitoring Agent, which reads security-related configuration and event logs from the machine and copies them to your Log Analytics workspace for analysis. By default, Security Center creates a new workspace for you.

When automatic provisioning is enabled, Security Center installs the Microsoft Monitoring Agent on all supported Azure VMs, including any new ones that are created later, so no VM escapes monitoring. Automatic provisioning is strongly recommended.

To enable automatic provisioning of the Microsoft Monitoring Agent, follow these steps:

1. In the Security Center main menu, select Security policy.

2. On the row for the subscription, select Edit settings.

3. In the Data Collection tab, set Auto-provisioning to On.

4. Select Save, as shown in the screenshot below.
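The same onboarding can be scripted instead of clicked through. The following is an added example written for this article, not code from the original post or from Microsoft: it upgrades the subscription to the Standard tier (the step described under "Discover and onboard Azure resources") and turns on agent auto-provisioning (the four portal steps above) using the Az.Security PowerShell module. It assumes Connect-AzAccount has already been run; the subscription ID and the Log Analytics workspace resource ID are placeholders you must replace.

```powershell
# Added example (not from the original article): onboard a subscription to
# Azure Security Center with the Az.Security module instead of the portal.
# Requires Az.Accounts and Az.Security; run Connect-AzAccount first.

# Placeholder values - replace with your own subscription and workspace.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$workspaceId = "/subscriptions/$subscriptionId/resourceGroups/rg-security" +
               '/providers/Microsoft.OperationalInsights/workspaces/law-security'

# Work in the subscription being onboarded.
Set-AzContext -Subscription $subscriptionId | Out-Null

# Security Center pricing is set per resource type. 'VirtualMachines' covers
# IaaS VMs; Standard is the tier that unlocks threat detection.
Set-AzSecurityPricing -Name 'VirtualMachines' -PricingTier 'Standard' | Out-Null

# Auto-provisioning installs the Microsoft Monitoring Agent on every supported
# VM, including VMs created later. The only setting Security Center exposes is
# named 'default'; this is the equivalent of the Data Collection toggle.
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision | Out-Null

# Optional: send agent data to an existing Log Analytics workspace rather than
# the one Security Center would otherwise create for the subscription.
Set-AzSecurityWorkspaceSetting -Name 'default' `
    -Scope "/subscriptions/$subscriptionId" `
    -WorkspaceId $workspaceId | Out-Null

# Verify the result: VirtualMachines should read Standard and AutoProvision On.
Get-AzSecurityPricing | Where-Object Name -eq 'VirtualMachines' |
    Select-Object Name, PricingTier
Get-AzSecurityAutoProvisioningSetting | Select-Object Name, AutoProvision
```

The verification lines at the end are worth keeping in any onboarding script: the pricing change and the auto-provisioning toggle are separate settings, and it is easy to enable one and forget the other, which leaves agents installed but without the Standard-tier threat detection, or vice versa.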

Working with security policies

Azure Security Center automatically assigns its built-in security policy initiative to each subscription that is onboarded. You can adjust it if needed in Azure Policy, which also lets you apply policies across management groups and multiple subscriptions.

Azure Policy consists of the following components:

· A policy is a rule.

· An initiative is a collection of policies.

· An assignment is the application of an initiative or a policy to a specific scope (management group, subscription, or resource group).
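To make the three components concrete, here is an added example, written for this article rather than taken from the original post or from Microsoft's built-in initiative, that creates one policy, wraps it in an initiative, and assigns that initiative at subscription scope using the Az.Resources module. The policy audits storage accounts that still allow unencrypted transfer; it uses the real Azure Policy alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly. The definition, initiative and assignment names are placeholders, and Connect-AzAccount is assumed to have been run.

```powershell
# Added example (not from the original article): policy -> initiative -> assignment
# with Az.Resources. Names are placeholders; run Connect-AzAccount first.

$subscriptionId = (Get-AzContext).Subscription.Id
$scope = "/subscriptions/$subscriptionId"

# 1. A policy is a rule. This rule flags storage accounts where secure transfer
#    is either unset or explicitly disabled. "audit" only records a finding; use
#    "deny" to block creation of non-compliant accounts outright.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      {
        "anyOf": [
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "exists": "false" },
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "equals": "false" }
        ]
      }
    ]
  },
  "then": { "effect": "audit" }
}
'@

$policy = New-AzPolicyDefinition -Name 'audit-storage-secure-transfer' `
    -DisplayName 'Audit storage accounts without secure transfer' `
    -Policy $rule -Mode Indexed

# 2. An initiative is a collection of policies. It takes a JSON array of
#    policyDefinitionId references; more rules can be added to the same array.
$members = @"
[ { "policyDefinitionId": "$($policy.PolicyDefinitionId)" } ]
"@

$initiative = New-AzPolicySetDefinition -Name 'baseline-hardening' `
    -DisplayName 'Baseline hardening' -PolicyDefinition $members

# 3. An assignment applies the initiative to a scope; here the whole subscription.
#    Assigning at a management group instead would cover every subscription beneath it.
$assignment = New-AzPolicyAssignment -Name 'baseline-hardening-sub' `
    -DisplayName 'Baseline hardening (subscription)' `
    -Scope $scope -PolicySetDefinition $initiative

# Once the next compliance evaluation has run, list the non-compliant resources
# for this assignment (Az.PolicyInsights module).
Get-AzPolicyState -SubscriptionId $subscriptionId `
    -Filter "PolicyAssignmentName eq '$($assignment.Name)' and ComplianceState eq 'NonCompliant'" |
    Select-Object ResourceId, PolicyDefinitionName
```

Because Security Center reads its recommendations from Azure Policy compliance results, a storage account flagged by this audit rule shows up both in the policy compliance view and, once the assignment is part of the Security Center initiative scope, as a recommendation on the overview page.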

Responding to security incidents

Security Center continuously analyzes hybrid cloud workloads using advanced analytics and threat intelligence to alert you to malicious activity. In addition, you can integrate alerts from other security products and services into Security Center, and create custom alerts based on your own indicators or intelligence sources. Once an alert is generated, you can take action to investigate and remediate it. In the upcoming tutorials, I explain how to:

· Triage security alerts

· Investigate an alert to determine the root cause and scope of a security incident

· Search security data to aid in the investigation
