With all the latest announcements and features that have been added to Azure Security Center lately, I decided to provide an overview of some of the services and integrations that make up the Microsoft Azure security ecosystem.
Most companies see that the biggest challenge with adopting public cloud is managing security and governance.
(Source: The full RightScale 2019 State of the Cloud Report is available here for download.)
Also, with the ever-evolving threat landscape, most cloud platforms are continuously enhancing and updating their services to detect and block new forms of attacks. The biggest security issue with public cloud is not a lack of functionality but how to implement and operate the different security services that the platform provides.
Within Microsoft Azure, many different security services are part of the portfolio.
- Azure Security Center – Threat detection service. Also works as a recommendation engine that checks the environment against best practices. Uses data from the Microsoft Intelligent Security Graph to detect abnormal traffic/activity and attacks. Works against IaaS and PaaS services. Also has a built-in integration with Qualys to provide in-guest software vulnerability scanning.
- Azure Sentinel – SIEM/SOAR service, built upon Log Analytics to provide analytics and hunting rules against data that is collected into Log Analytics. Also provides integrations with third-party data sources and threat intelligence services.
- Microsoft Defender ATP – EDR service. Collects data from endpoints and servers that are enabled with Azure Security Center. Collects information about processes and network traffic.
- Microsoft Security Graph API – Public API which exposes alerts and incidents from the different security products in Azure.
- Microsoft Intelligent Security Graph – Telemetry data collected from Microsoft and other third-party threat intelligence sources.
- Azure Policies – Configuration management against the Azure Resource Manager layer and in-guest policies. Azure Security Center provides a set of default Audit policies for Azure.
- Azure Firewall – Layer 4 firewall service, integrated with the Microsoft Intelligent Security Graph to block or audit traffic coming from known malicious sources.
- Log Analytics – Log aggregation service; collects data from Azure native sources, third-party sources and OS-based data sources.
- Cloud App Security – Cloud Access Security Broker service, which provides native API integration with Azure, Azure AD, Office 365 and other SaaS services to detect abnormal activity. Can also collect data from third-party firewalls to map traffic against known SaaS services.
- Azure Active Directory – Conditional Access – IAM-based access engine. Used for access to Azure and Azure Resource Manager, where defined conditions and the risk derived from collected user and device data determine whether access is granted.
- Azure Automation / Update Management – OS-based patch service, built upon Azure Automation.
Below is a picture (Visio diagram) showing the security ecosystem overview.
Full picture: https://i.imgur.com/vnTEMS3.png
As always, if you want the raw Visio file, send me an email at [email protected].