8 Important Microsoft Azure Security Center Best Practices

From enabling multifactor authentication and extending protection beyond virtual machines to establishing rules around log analysis and remediation, here’s how businesses can get the most out of Azure Security Center.

The Brains Of The Operation

Azure Security Center is an infrastructure security management system that strengthens the security posture of data centers and delivers advanced threat protection across hybrid cloud workloads as well as on-premises, according to Microsoft. It provides businesses with the necessary tools to harden their network, secure their services and make sure they’re managing their security posture correctly.

Azure Security Center starts by assessing an organization’s environment, enabling it to understand the status of resources as well as whether they are secure. In addition, it assesses workloads and raises threat prevention recommendations and security alerts. Azure Security Center is natively integrated, making deployment easy and providing businesses with auto-provisioning and protection from Azure services.

The following slides feature pointers from experts at Microsoft as well as five security vendors around how organizations can make sure they’re getting the most out of Azure Security Center. From enabling multifactor authentication and extending protection beyond virtual machines to implementing a regimen for log analysis and remediation, here’s what the top cloud security minds are advising.

8. Enable Multifactor Authentication

Every Microsoft Azure customer should be using multifactor authentication since it dramatically improves the chance of mitigating attacks, according to Scott Woodgate, senior director of Azure security and Windows Virtual Desktop at Microsoft. Microsoft has been pushing multifactor authentication hard for the last 24 months given its effectiveness at preventing identity theft, he said.

Woodgate also recommended that Azure Security Center customers enable role-based access control and conditional access to ensure the right identity access privileges are in place. Conditional access can be set up in Azure Active Directory and is used in conjunction with multifactor authentication to enable single sign-on through applications on a device-by-device basis, according to Woodgate.

Solution providers can assist by doing an audit of access control across Azure to ensure the principle of least privileged access to the fewest resources necessary is being applied, he said. Solution providers can review which roles in the organization have access to Azure, ensure that people with access to keys in the key vault have the proper security credentials, and verify that Azure is locked down correctly, he said.

7. Align Policies, Procedures Across Different Clouds

Azure Security Center’s native position within Azure provides it with more flexibility, according to Matt Pley, Fortinet’s vice president of cloud and service providers. But if customers with native security products are using more than one cloud, Pley said they must ensure that the company’s policies and postures are being applied consistently across all the different platforms.

The approach of each of the public cloud vendors to security has been different as each attempts to figure out how to best meet the needs of the business and the customers. Pley said Azure has expanded recently expanded Azure Security Center with new features and capabilities.

Businesses can get the most out of Azure Security Center by pursuing native integrations, application-level controls, effective ease of use, and high performance and high levels of availability, according to Jon Bove, Fortinet’s vice president of Americas channels. Having integrations with a push-pull relationship is important from both a threat detection and portability perspective, Pley said.

6. Use It For Managing, Maintaining Virtual Machines

Azure Security Center delivers value around visibility and control both on-premises as well as for virtual machines, according to Mark Nunnikhoven, Trend Micro’s vice president of cloud research. It is most useful for maintaining and managing virtual machines, Nunnikhoven said, providing visibility into what’s going on from a patching perspective as well as basic events that are outside behavioral norms.

Azure Security Center runs an agent on Windows and Linux virtual machines, and its basic tooling can spot configuration mismatches, according to Nunnikhoven. The alerts generated by Azure Security Center can be easily sent to the DevOps teams running the machines, and it’s simple for them to react without having to add much additional context, Nunnikhoven said.

Application control and intrusion prevention are also vital to protecting Azure, but they aren’t part of Azure Security Center today, according to Nunnikhoven. Azure Sentinel provides more robust analytics and incident response capabilities than Azure Security Center, and Nunnikhoven said it makes sense for most customers to upgrade to Sentinel.

5. Determine Who Owns Securing Software In The Cloud

Azure Security Center is effective at pulling together information from different sources, but it only works if there’s a team tasked with operational responsibility and ownership, according to Matt Chiodi, Palo Alto Networks’ chief security officer of public cloud.

The IT department traditionally has owned legacy on-premises environments, Chiodi said, but cloud development is usually owned by developers who are more focused on features and functionality on a day-to-day basis rather than security. As a result, Chiodi said who owns securing software in the cloud can often be a gray area for organizations.

As customers go into the cloud, Chiodi said they must delineate who’s responsible for what and implement a holistic approach to security that incorporates people, process and technology. Like the other cloud providers, Chiodi said Microsoft has spent a good deal of time over the past year or two beefing up its native security capabilities with new innovations, features and functionality in the platform.

4. Lock Down Unused Ports

Azure Security Center’s just-in-time protection defends against remote desktop protocol (RDP) and SSH brute force exploits, both of which are common, according to Microsoft’s Woodgate. Brute forcing into RDP with a password is often an organization’s weakest link, and once an adversary is in, it can move laterally across the entire organization, which Woodgate said is very dangerous.

Businesses must protect the perimeter by ensuring that machines are properly configured, Woodgate said. And Azure Security Center can let customers know if an unused port has been left on for a long period of time, according to Woodgate.

Just-in-time virtual machine access approves a specific IP address for an allotted amount of time, ensuring that no one else has access to the remote connection, according to Woodgate. Solution providers looking at a customer’s Secure Score in Azure will be able to see machines with RDP ports that are open and need to be used, Woodgate said.

3. Establish A Protocol For Remediation

Azure Security Center is a key offering for compliance and evaluation of security services in the Azure environment, but companies must ensure their policies are defined and their cloud environment is being monitored, according to Marina Segal, Check Point Software Technologies’ head of product management for Coud SecOps and compliance.

Azure Security Center has a set of tools to monitor environments against best practices, and Segal said businesses need to make sure the checks they have in place are aligned with their regulatory and security practices. Businesses can use Azure Security Center to ensure they have the right policies in place for the right accounts or leverage automated tools to scan their environment and signal if anything’s awry.

From there, Segal said organizations need to have a program around remediation that indicates whether issues identified by Azure Security Center are addressed manually, by creating a ticket for the dev team, or via automation from third-party tools. Most customers start with detection, and only after they understand their findings do they start remediating based on what’s most critical or easiest to address.

2. Have Experts In Place Who Can Analyze Logs

Azure Security Center generates a large volume of medium- to high level alerts from the endpoint, flow analysis algorithms as well as the Microsoft Teams communication and collaboration platform, according to Rohit Dhamankar, Alert Logic’s vice president of threat intelligence products.

But companies must have experts in place that are able to provide additional context around the alerts to figure out how the business can most effectively respond to issues and avoid having a medium-level threat become a high-level one, Dhamankar said. To get value out of Azure Security Center, the business must have people who can analyze logs and glean actionable information from it.

By analyzing the anomalies found by Azure Security Center, Dhamankar said companies can determine the best course of action to curtail the threats. The analysis can incorporate everything from pieces of information from code and databases to seeing if anomaly alerts have been raised for the host to examining blacklists, according to Dhamankar.

1. Protect Storage And Databases, Not Just VMs

Businesses often rely on Azure Security Center for virtual machines (VMs), which was great three or four years ago when everyone was on VMs, according to Microsoft’s Woodgate. But the security ecosystem is more sophisticated today due to native cloud applications that leverage cloud storage, Woodgate said.

Specifically, Woodgate said SQL databases and storage accounts both house very important private information for customers. Organizations can mitigate the chance of an adversary getting into their cloud storage or SQL database and exfiltrating private data by turning on threat protection, according to Woodgate.

Partners and customers can protect the entire Azure estate rather than just virtual machines by turning on Secure Score for all cloud resources, according to Woodgate. Protecting SQL databases and cloud storage requires additional action in Azure Security Center and is more expensive than just safeguarding VMs, Woodgate said.