Book Review: Microsoft Azure Security Center

Recently, I finished reading the Microsoft Azure Security Center book. 

What I appreciated about the book is that it didn’t just cover the high-level surface items. It went into detail about how Azure Security Center operates, integrates and feeds from other data sources, etc. 

It even walks through a security investigation scenario, so that you can see how/when/where you would use Azure Security Center. 

I’ve decided to share my highlights from reading this specific publication, in case the points that I found of note/interest will be of some benefit to someone else. So, here are my highlights (by chapter). Note that not every chapter will have highlights (depending on the content and the main focus of my work).

Chapter 1: The Threat Landscape

  • Collecting data without analyzing it only delays the response process. That’s why it is so important to use tools that leverage technologies such as behavior analytics, threat intelligence, and machine learning for data correlation. 
  • Before adopting cloud computing, organizations must understand the security concerns inherent in the cloud-computing model. 
  • Organizations planning to adopt cloud computing must be aware of the identity- and access management methods available and of how these methods will integrate with their current on-premises infrastructure. 
  • Organizations migrating to the cloud should evolve their internal processes, such as security monitoring, auditing, incident response, and forensics, accordingly. 
  • IMPORTANT Securing privileged access is a critical step to establishing security as surances for business. Make sure to read more about Privileged Access Workstations at http://aka.ms/cyberpaw and know more about Microsoft’s methodology for protecting high-value assets.
  • The Azure infrastructure uses a defense-in-depth approach by implementing security controls in different layers. This ranges from physical security, to data security, to identity and access management, and to application security. 
  • One way to enforce network access controls in Azure is by taking advantage of NSGs. An NSG is equivalent to a simple stateful packet-filtering firewall or router, similar to the type of firewalling done in the 1990s. (I say this not to be negative about NSGs, but to make it clear that some techniques for network access control have survived the test of time.)
  • Azure Storage automatically encrypts the data prior to persisting to storage and decrypts it prior to retrieval. 
  • By applying Azure’s massive computing, storage, and machine-learning capabilities to the problem of better securing our custom
    ers, Microsoft has developed a security intelligence service based on security signals that we receive from myriad sources—Office 365, Microsoft Account (formerly Windows Live ID), the Digital Crimes Unit, and the Azure cloud platform itself.
  • Imagine having an army of security analysts working day and night to research emerging cybersecurity threats and identify actual instances of malicious behaviors targeting your Azure resources so that you can respond and protect your critical assets in a rapid manner. With ASC, you’re not imagining it—you have that capability built right into the service, with no additional work needed on your part.

Chapter 2: Introduction To Azure Security Center

  • Security Center uses machine-learning technologies to evaluate all relevant events across the entire cloud fabric. 
  • IMPORTANT Only subscription owners or contributors and security admins can edit a security policy. Only subscription and resource group owners and contributors can apply security recommendations for a resource. 
  • Before you adopt Security Center, you should fully address all existing recommendations. Although this is not a prerequisite, it is a good practice. 
  • Here are a few key points for incorporating Security Center into your security operations: 
    • Security Center will continuously evaluate compute, network, storage, and application resources for compliance. The team responsible for ongoing security assessment should track and apply recommendations issued by Security Center on an ongoing basis.
    • The security roles available in Security Center, along with Azure’s RBAC capability, can help SOC management control who has access to what. 
    • Security Center can integrate with Power BI to create reports and graphs when more detailed analysis is needed.
    • The incident response (IR) team can use security alerts and incident features during the detection and triage phases of an attack to conduct early assessments of the incident. If more in-depth research on an attack is needed, the team can use Security Center’s investigation and search features. Finally, when the team is ready to respond, it can use the Security Playbook feature to customize a response to a certain alert.
  • IMPORTANT A security assessment conducted on VMs will also look for the presence of a security configuration based on Common Configuration Enumeration (CCE) rules. To download these rules, visit https://aka.ms/ascccerules

Chapter 3: Policy Management

  • TIP If you choose to put Security Center data into an existing workspace that already has connected solutions, monitor your costs closely. 
  • When you configure policy here—whether it’s a protection policy, a detection policy, a response policy, or what have you—you’re simply telling Security Center what you want recommendations for. That’s it. There’s no “leveling” of policy—for example, high versus medium versus low—and there’s no hierarchy. It’s just a “what do you want us to look at” type of policy.
  • Security Center uses your input in this blade to create a series of recommendations for you. It’s like having a cybersecurity expert review your configuration and provide recommendations that you can use to significantly enhance the security of your deployment. 
  • To get an idea of the baselines against which these VAs are compared, see https://gallery.technet.microsoft.com/Azure-Security-Center-a789e335
  • A network security group (NSG) is essentially a basic stateful packet filter that enables you to control inbound and outbound traffic based on a 5-tuple. It is not application layer–aware.
  • There may be times when incoming and outgoing connections of VMs and subnets use protocols other than web protocols. If so, Security Center will recommend you use something more robust than a basic WAF: a Next-Generation Firewall (NGFW). NGFWs can perform numerous sophisticated application-layer inspections, as well as protocol validation and intrusion detection and prevention. 
  • Microsoft considers these events—including login and logout events—to provide sufficient detail to represent a reasonable audit trail. Other events, such as Kerberos operations, security group changes, and more, are included based on industry consensus as to what constitutes a full audit trail. 
  • NOTE The key to success here is to understand the difference between Minimal and Common. We suggest you test both configurations to see which one meets your needs.
  • Data Collection (‘None’) This setting doesn’t really mean none—more like almost none. When you enable this option, your security dashboards in Security Center will contain information drawn from Windows firewall logs and from source assessments done by antimalware, baseline assessments, and update evaluations. It includes no security alerts and no information from the operating system logs or App Locker logs. 
  • Be certain, however, that any email addresses you include are secured with two-factor authentication. Information shared in these email notifications may contain confidential information, and you want to minimize your risk and exposure. 

Chapter 4: Mitigating Security Issues

  • After you enable Storage Encryption, only new data will be encrypted. Any existing files in this storage account will remain unencrypted. Once encryption is enabled, it cannot be disabled.

Chapter 5: Using Security Center For Incident Response

  • IMPORTANT Security alerts are not available in the free tier version of Security Center; the standard tier is required. 
  • The security analytics include data from multiple sources, including Microsoft products and services, the Microsoft Digital Crimes Unit (DCU), the Microsoft Security Response Center (MSRC), and external feeds. 
  • Security Center uses statistical profiling to build a historical baseline. 
  • The detection engine collects data from multiple data sources including but not limited to endpoint logs, network traffic, and cloud services activity, and applies atomic, behavioral, and machine learning-based logic to detect active threats. 
  • Security playbooks enable you to create a collection of procedures that can be executed from Security Center when a certain security alert is triggered. Azure Logic Apps is the automation mechanism behind security playbooks. 
  • Before creating a playbook, you should have in mind what you want to automate. Before implementing this feature, answer the following questions: 
    • For which security alert should I automate a response?
    • What steps should be automated if the conditions for this alert are true?
    • What steps should be automated if the conditions for this alert are false? 
  • TIP The following presentation, delivered by co-author Yuri Diogenes at Ignite 2017, shows how to integrate playbook with Slack: https://youtu.be/e8iFCz5RM4g

Chapter 6: Advanced Cloud Defense

  • When you use behavioral analysis, you are not concerned with how the attacker accomplishes his or her tasks. You’re more interested in the behavior that caused the attacker’s actions. 
  • To help prevent alert fatigue, Azure Security Center might not immediately generate an alert in a case like the one described here. Instead, it will note the behavior and, if some other event occurs that can be correlated with the behavior, generate a fusion alert. 
  • Azure Security Center uses machine-learning algorithms on data collected by its agents (for example, security events and network traffic logs) to recommend tailored security policies (for example, application control rules) to its customers. 
  • Azure Security Center creates baselines for VMs across an array of parameters that have been deemed useful for determining the current security state. The parameters used, and the details of how baselines are configured and calculated, is a trade secret—one of the many “secret sauces” that make Azure Security Center today’s superior security solution. However, we can tell you that for most of your VMs, the baseline period will be 30 days—although, again, this will vary. 
  • Not all anomalies are security issues, but all security issues are anomalies (unless your security architecture and implementation is so bad that security events are the norm in your environment—in which case you have problems that must be addressed well before you attempt to leverage the subtle power of anomaly detection). 
  • Azure Security Center examines processes running on the VMs in your resource groups, develops a list of allow rules, and surfaces the list as a recommendation that you can choose to accept or reject. 
  • NOTE Be prepared to receive a lot of these recommendations, as each recommendation refers to a single process or file. You can choose to accept all recommendations in the list, some but not all of the recommendations, or just one. 
  • NOTE To learn more about application whitelisting (adaptive application controls), check out the article “Adaptive Application Controls in Azure Security Center” at https://docs.microsoft.com/en-us/azure/security-center/security-center-adaptive-application.
  • The only times we do not recommend using JIT are when no existing NSG is associated with the VM or when the VM is a classic VM. 
  • Sometimes, when a VM might be a candidate for JIT VM access, Azure Security Center doesn’t issue a recommendation to that effect. This occurs when the JIT solution is disabled via a security policy set at the subscription or resource-group level, when the VM doesn’t have a public IP address, and when the VM is not associated with an NSG. 
  • When users request JIT access, Azure Security Center checks their RBAC permissions. If the user has write access to the VM, JIT access will be granted. At that point, Azure Security Center will dynamically create NSG rules to allow inbound management traffic. When JIT access expires, the NSG rules will be removed. Note that connections are not actively reset, so a user who is connected will remain so until the connection is dropped by the user or for some other reason. 

Chapter 7: Security Incident and Event Management (SIEM) Integration With Splunk

  • Azure Monitor operates at enterprise cloud scale and simplifies the management of routing log data into SIEMs using a single schema and access point across all Azure services. This dramatically simplifies Azure log integration with SIEM tools and includes the alerts available from Azure Security Center. Azure Monitor is Azure’s central logging pipeline going forward and provides several out-of-the-box integrations with popular SIEM tools such as Splunk and IBM QRadar.
  • Azure Security Center alerts are published to the Azure activity log. Azure activity logs are considered data plane–level logs, which separates them from Azure diagnostic logs (which allow you to get insight into services and troubleshoot those services).
  • IMPORTANT Be aware that the SIEM must be configured on a per-subscription basis, so each subscription that has data to transmit to the SIEM will need to be configure manually.
  • NOTE We recommend that you keep this check box as is (meaning to have all regions selected). The filter is exclusive regarding the regions selected. Any selection here means that only activities marked for those selected regions will arrive. Most activities do not note region and are reported globally, and so any specific selection will negate the arrival of global items. 

Chapter 8: Monitoring Identity and Access

  • This dashboard has a great summary of all identity-related activities monitored by Security Center. Security operations personnel should visit this dashboard multiple times throughout the day to quickly assess the current identity state. 
  • Active Critical Notable Issues Notable issues are critical events. In the context of identity, they are critical identity events. This counter reflects the active notable issues that require immediate attention. 
  • TIP For a complete list of logon failure reasons, see https://aka.ms/AccountLogon.
  • When reviewing the Event 4625 window, pay close attention to the LogonTypeName field. If this field is set to 3, it means the logon attempt came from the network. In this case, you’ll also see an IPAddress field with the corresponding IP address. If LogonTypeName is set to 5, it means the logon attempt is coming from a service or process. A Process field will contain the process name. 

Chapter 9: Using Threat Intelligence To Identify Security Issues

  • Security Center leverages the Microsoft Threat Intelligence Center (MSTIC) to improve its detection capabilities, enhance its accuracy to avoid false positive alerts, and enable customers to make proactive cybersecurity decisions. 
  • For threat intelligence to be useful, you need to draw from a large, diverse set of data and you must apply it to your processes and tools. 
  • The data collected by Microsoft from these various sources passes through three phases. The first phase involves ensuring that data is used only in ways that Microsoft customers have agreed to. The data crosses this strict privacy/compliance boundary before entering the second phase: data collection and analysis.
  • Here the data is normalized, various analytics (machine learning, detonation, behavior) are applied to identify relevant security insights and findings, and the data is published to an internal API.
  • In the third phase, each product consumes this data, combs over it to uncover insight, and feeds these new insights back into the system to enrich other product findings. 
  • Microsoft tracks an enormous number of threat actors, and each threat is handled by a virtual team. Products are instrumented to provide security-relevant data with privacy and compliance in mind. This data is used in analytics to identify abnormal behaviors. Security analysts perform investigations to understand the scope and scale of cyberthreats through log analysis, forensics, data mining, and detonation of malware samples. 
  • TIP Visit https://youtu.be/QK3qxheUdBA to watch a presentation delivered by co-author Yuri Diogenes at Ignite 2016 that demonstrates how to use the threat intelligence map in an investigation scenario. 
  • TIP To simulate these security alerts in your own environment, follow the instructions in the Azure Security Center Security Incident Playbook, at https://aka.ms/ASCSecPlaybook
  • At the time of this writing, a feature called Virtual Analyst (VA) is in private preview. The goal of VA is to automate human analyst expert knowledge by generating a custom, rich entity based hunting graph for each security alert to extract meaningful insights. VA runs this online automated investigation on security alerts and assigns them confidence scores. A confidence score gives security operations personnel more (or less) confidence in the alert and helps them decide whether to move forward in the investigation. Confidence scores can also be used to help prioritize alerts and make risk assessments. 

Appendix A: Using Multiple Workspaces In Security Center

  • One scenario in which multiple workspaces are needed is when you need to isolate data—for example, if a company wants a separate workspace for each branch office. 

Appendix B: Customizing Your Operating System Security Baseline Assessment

  • Review the following considerations before making changes to the OS security configuration 
    • Permission To perform this customization you need to belong to the Subscription Owner, Subscription Contributor, or Security Administrator role.
    • Tier The customization capability is available only in the Security Center standard tier.
    • Affected resources The customization applies to all virtual machines (VMs) and computers that are connected to all workspaces under the selected subscription. Plan carefully before making changes that will have a broad impact. 
    • Backup Before making changes to the original baseline policy, be sure to save the original baseline configuration file and keep it in a safe location for backup purposes. 
    • Planning Before making changes to the original baseline policy, be sure you plan which changes you want to make and why those changes are necessary to your environment. Also, be sure to align the business needs with the recommendations that you want to implement.
  • Azure Security Center monitors security configurations by applying a set of more than 150 recommended rules for hardening the OS, including rules related to firewalls, auditing, password policies, and more. 
  • Not all attributes are customizable. Only the following attributes can be changed:
    • expectedValue This attribute’s field data type must match the supported values per rule type. For example:
      • baselineRegistryRules This value must match the regValueType defined in that rule. (See this article for more information about registry values types: https://aka.
        ms/registrytypevalue.)
      • baselineAuditPolicyRules Use one of the following supported string values for this value:
        • Success and Failure
        • Success
    • baselineSecurityPolicyRules Use one of the following supported string values for this value:
      • No one
      • Administrators, Backup, Operators, or any other values from the list of allowed user groups
  • state The string can contain the options Disabled or Enabled. In the preview release, the string was case-sensitive. Review the latest documentation (https://aka.ms/CustomOSSec) to confirm that this still applies.
  • When creating your own rules, comply with the following requirements: 
    • baselineId and baselineName can’t be changed.
    • A ruleset cannot be removed.
    • A ruleset cannot be added.
    • The maximum number of rules allowed (including default rules) is 1,000.
    • For registry rules, the hive must have LocalMachine.
    • The originalId attribute can be null or empty. If it is not empty, it should be a valid GUID.
    • The cceId attribute can be null or empty. If it is not empty, it must be unique.
    • The ruleType attribute can be Registry, AuditPolicy, or SecurityPolicy.
    • The severity attribute can be Unknown, Critical, Warning, or Informational.
    • The analyzeOperation attribute must be Equals.
    • The auditPolicyId attribute must be a valid GUID.
    • The regValueType attribute can be Int, Long, String, or MultipleString
  • To create a new rule, simply copy the entire block of an existing rule and paste it under the last rule or in between existing rules. 
  • If it fails, you won’t be able to upload, and a red exclamation mark accompanied by a message that reads “Please upload a valid JSON configuration file” will appear. The error code will vary. To interpret the error code, see the “Error Code” section in this article: https://aka.ms/CustomOSSec
%d bloggers like this: