How Azure Security Center works

Dr.MohitBansal,Canada,Teacher
Published Date:26-10-2017
Chapter 3. Getting Started with Azure Security Center
Prevent, Detect, Respond

In Chapter 2 you learned about the cost model beyond licenses and identified additional cost considerations required in an Azure cloud such as storage, static IP addressing, Domain Name System (DNS) servers, and other cloud infrastructure costs. Chapter 2 also covered the Azure infrastructure details required to evaluate the true financial impact of Azure Security Center on the business. You justified a budget increase through a real-world example using the financial impact of a ransomware attack in a quantitative risk assessment. You can use the same formula in your business analysis with the clear definitions of the model explained in Chapter 2. You then walked through some of the differences in standard business frameworks and how customization is needed to integrate cybersecurity as a service with existing IT business programs. Minor cybersecurity program changes may be necessary because of the diversity of different businesses.

In this chapter, you’ll learn about some of the challenges of cloud security and get a high-level overview of exactly what Azure Security Center provides for intrusion detection and prevention. Additionally, you’ll learn ways Azure Security Center can be positioned to support a cybersecurity framework for defense. You will learn best practices to support businesses using the IT life cycle and the layered security model. Specifically, this chapter provides guidance to leverage Azure Security Center in the following areas:

• Prevention (overall compliance and applied best practices)
• Detection (Security Operations Center 24/7)
• Response (incident response process notification and event handling)

This chapter introduces a typical Azure cloud deployment example. This Contoso.com example is used in all the exercises in the remaining chapters. The cloud deployment infrastructure example includes virtual networks (vnets), virtual machines (VMs), and SQL Server instances.
These cloud assets are designed to highlight the features of Azure Security Center based on real-world customer deployments, including mistakes.

■ Note This deployment example is also designed to follow standard cloud deployments that are often completed in Azure infrastructure deployments by new-to-the-cloud IT teams. The Contoso.com example provides security improvements that can and should apply to real-world deployments to strengthen a business’s cybersecurity posture in the cloud.

Finally, this chapter discusses Azure subscription types that can be used for educational purposes before going into production. You’ll learn how to enable a 30-day free Azure trial specifically for testing Azure Security Center.

Cloud Security Challenges

Small, medium, and enterprise-scale companies as well as government agencies are moving to the public cloud to take advantage of the elasticity and economies of scale from trusted providers. Companies need to enable the best cloud security methods to extend their on-premises security layering to protect customer data, systems, and assets in the cloud. Cloud infrastructures, in most companies new to cloud management and cybersecurity, are greatly distributed, and management is sometimes difficult. Chief information officers (CIOs) and chief information security officers (CISOs) are still responsible for the security of these environments even though the cloud infrastructure is more dynamic. A CISO requires best practices for security from the on-premises environment integrated into the cloud. Customers with larger teams and longevity have on average 30 different security or cybersecurity-related solutions. Many of these tools create alerts that require attention, and the expertise required for each security solution creates another challenge: experts are needed to operate each solution and gain value from its data.
Sunset applications are ones that may no longer have engineering support, and these older applications are greater targets for cyber-attacks. In fact, some of the older applications were created under nonagile methods and could take more time and resources to be reviewed by a current software assurance program.

Every size of company using Security Center leverages continuous security data analysis from Azure-deployed virtual machines, virtual networks, platform as a service (PaaS) services (think Azure SQL Database), and partner solutions such as Barracuda, Fortinet, or Check Point. Companies gain visibility into the current security state, which extends across all subscriptions; for customers that leverage parent-child Azure subscriptions, such as a sandbox, those child subscriptions may be used by system admins to improve their cloud knowledge.

Senior executives must rethink their approach to cloud security beyond traditional on-premises security expertise. Enterprise organizations may have greater numbers of staff members labeled as experienced cloud security experts; however, investment in cloud expertise introduces new challenges. Moving data to Azure cloud resources challenges administrators in the management of access and auditing of cloud security for those assets. Small and medium-size companies have the same compliance requirements as larger organizations, with the additional competitive struggle to attract and retain crucial cloud security experts. In addition, the support for secure DevOps is challenging for companies that want application development to include cloud agility. It is important to understand the attack targets that bad actors are attempting to compromise inside an organization.
The same type of attack surfaces can be seen in the Azure cloud, as shown here:

• Impersonation of a user (social media)
• Credential theft and elevation of privileges (admin or developer)
• Installing code to enable backdoors
• Gaining access to data and data resources (cloud resources)
• Azure subscription owners (top-level administration)
• Pivot attacks from on-premises to the public cloud
• Cloud resource compromises by hijacking or other exploitation
• Privilege elevation to move between subscriptions
• Public storage of secret credential keys (GitHub)
• Misconfiguration of credential keys
• Imperva “man-in-the-cloud” synchronization token attacks
• Side-channel code enablement
• Ransomware on cloud resources

The added training requirements that are needed to ramp up cloud administrators, and the additional need to improve knowledge to extend cybersecurity expertise to the cloud, can be overwhelming. Every organization that chooses Microsoft Azure as part of its hybrid infrastructure can leverage Azure Security Center.

Security Center Overview

As you know, Microsoft Azure Security Center is a cloud-based service providing intrusion detection and intrusion prevention for a customer’s Azure virtual infrastructure. It increases visibility by providing security control recommendations during automated configuration scanning and protects against cyber-threats attempting to compromise assets in Azure. Security Center provides integration using next-generation monitoring and policy management for the detection of threats that could go unnoticed. The collection of data from systems such as virtual machines, networks, or SQL Server instances is used to assess the current state of security. If evidence of a compromise is identified, security administrators are alerted to potential threats.
In addition, Security Center uses the security state of systems and networks to provide best-practice security recommendations to improve security readiness and reduce cyber-risks. From a functional perspective, Azure installs a lightweight agent on the Windows or Linux VM, and the agent is enabled to automatically collect health monitoring, security configuration, and event data for all virtual machines in the subscription. The agent enables extensions to collect the data with minimum impact on server performance. The security policy is set at the subscription level, and the data collections flow up from the group level. The events are collected and automatically prioritized based on the billions of security attributes and millions of Windows system events accumulated across Microsoft’s data intelligence. Azure Security Center accumulates events and other data in your Azure subscription by monitoring the network and identifying suspicious machines communicating with command and control sites.

■ Note Command and control servers may be directly controlled by the malware operators or themselves run on hardware compromised by malware. If you’d like to know more about command and control, review the Wikipedia page at https://en.wikipedia.org/wiki/Command_and_control_%28malware%29.

Many Internet addresses are identified as known sites for cyber-terrorists and are challenging for network providers to remove from the Internet. The information used in Security Center is collected from Microsoft’s Digital Crimes Unit, Microsoft’s Security Response Center, and leading security providers that have partnered with Microsoft specifically for security analytics.
The following are the advanced detection capabilities enabled out of the box:

• Anomaly detection using statistical profiling to build baselines
• Behavior analytics based on known malicious behaviors and patterns
• Threat intelligence to identify known malicious attacks
• Synthesis, which is a mixture of events and alerts mapped onto the kill chain timeline
• Secure Shell (SSH) or Remote Desktop Protocol (RDP) brute-force attacks and failed exploitation attempts
• Web application exploitations

Companies can leverage the current investment in on-premises security information and event management (SIEM) systems by importing the data into Azure Security Center or exporting it out of Azure for on-premises analysis or archiving. The preconfigured collections are set to 30 days for a baseline to understand the changes and to leverage machine learning in a supervised manner with the data that is collected. Security Center detects threats, tags them as true-positive events, and reduces false positives so customers can focus on the real threats. This provides your cloud security team with clearly identified security alerts. These alerts are automatically analyzed from log data about the network, firewall configuration, and partner solutions like anti-malware. Threats are detected, and the corresponding alert is sent as a notification. Additional information from the correlated data provided by Security Center, with analysis and best-practice recommendations, is also part of the overall solution.

If you are part of or have a traditional Security Operations Center (SOC), the goal is to retrieve the individual system event information, pool it for SIEM use, and then analyze it for known and unknown patterns. The event data reviewed is based on the SOC’s log analysis capabilities. The systems have moved far beyond manually analyzing huge amounts of information to using an automated process.
Vulnerability management takes place as described in NIST Special Publication 800-40 Revision 3, “Guide to Enterprise Patch Management Technologies.” From a pure cybersecurity risk analyst perspective, a vulnerability is discovered and confirmed, and corrective measures (i.e., best practices) are identified. Traditional log analysis collects large amounts of data (big data) from host systems, networks, and endpoints (nodes), so when an attack starts, much of the data is not visible in this limited view. In other words, this limited information from the host or network does not provide a complete and clear view of the attack attributes.

■ Note The feature called Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers. ETW is implemented in the Windows operating system and provides developers with a fast, reliable, and versatile set of event tracing features.

Security Center Placement

As you learned in earlier chapters, a cybersecurity defense framework provides measured controls and security protection for external and internal security threats. As you start to leverage additional security solutions, such as Azure Security Center, a seasoned CISO or CIO must expect the worst outcome and plan accordingly. To be more specific, the resources of a determined nation-state make greater threats available that can defeat most if not all of the security layers put in place. Clearly, no amount of financial resources, or even company-supported, well-trained security staff, can sustain continued attacks from a cyber-army, because its resources to overpower them are effectively unlimited. The placement of Azure Security Center may very well depend on the results from testing completed in your environment. Security Center is viewed by many security teams as an intrusion identification service with the added feature of recommending changes to improve security.
Defensive design allows Azure Security Center to detect attacks and potentially breached networks and systems. Organizations can leverage the strengths of Security Center discussed earlier as part of the layered cybersecurity defense framework and strategy. It uses next-generation solutions to actively identify attackers at the beginning of the attack before they can be successful. Another key feature to help identify how to best use Azure Security Center is that the solution allows you to leverage the strengths of Microsoft’s global cybersecurity knowledge and its global partners, which previously required multiple products and highly skilled cybersecurity team members. After evaluating the solution, you may find it provides the necessary coverage in the cloud so that additional licenses for on-premises solutions that overlap features of Security Center are not required. Additional insight is provided by standards from the Open Web Application Security Project (OWASP), which focuses on the improvement of software security. Read more at https://www.owasp.org.

■ Note “The national and economic security of the United States depends on the reliable functioning of critical infrastructure. To strengthen the resilience of this infrastructure, President Obama issued Executive Order 13636 (EO), ‘Improving Critical Infrastructure Cybersecurity,’ on February 12, 2013.” To learn more about this quote from the NIST Cybersecurity Framework, or more about the framework itself, visit https://www.nist.gov/cyberframework.

In Chapter 2 you were introduced to some best practices; for example, the Information Technology Infrastructure Library (ITIL) is IT guidance and not a security framework. You also discovered that governance is a key focus for cloud deployments, specifically around security requirements such as least privilege.
Many professionals point out that the NIST Cybersecurity Framework does not fully address all cybersecurity areas; some security control areas are missing. For our discussion, we’ll use the NIST Cybersecurity Framework so you have a single reference framework, the NIST “Framework for Improving Critical Infrastructure Cybersecurity” document, and can clearly place the components of Azure Security Center in support of it. If your business has a custom cybersecurity framework, the placement should be transparent also. Refer to Table 3-1 as you identify the placement of features for the exercises in the following chapters.

Table 3-1. Cybersecurity Framework Function and Identifier Categories

Function        Category (unique identifier and name)
ID  Identify    ID.AM  Asset Management
                ID.BE  Business Environment
                ID.GV  Governance
                ID.RA  Risk Assessment
                ID.RM  Risk Management Strategy
PR  Protect     PR.AC  Access Control
                PR.AT  Awareness and Training
                PR.DS  Data Security
                PR.IP  Information Protection Processes & Procedures
                PR.MA  Maintenance
                PR.PT  Protective Technology
DE  Detect      DE.AE  Anomalies and Events
                DE.CM  Security Continuous Monitoring
                DE.DP  Detection Processes
RS  Respond     RS.RP  Response Planning
                RS.CO  Communications
                RS.AN  Analysis
                RS.MI  Mitigation
                RS.IM  Improvements
RC  Recover     RC.RP  Recovery Planning
                RC.IM  Improvements
                RC.CO  Communications

Azure Security Center provides support for areas in the framework to do the following:

• Protect (AC, AT, DS, IP, PT)
• Detect (AE, CM, DP)
• Respond (CO, AN, MI, IM)

As you complete the exercises in later chapters, I will identify the specific connection to the cybersecurity support feature.
In addition, I will explain the shared support model between the cloud provider and customer as the customer expands their hybrid cloud model, as shown in Table 3-2. You will be provided specific guidance when using Security Center features to cover a gap.

Table 3-2. Shared Security Support Table to Identify Areas for Customers to Reference

PaaS                          IaaS
OS updates = Azure automated  OS updates = Customer manual
Logging = Azure automated     Logging = Customer manual
ACLs = Azure automated        ACLs = Customer manual
OS configuration = Hybrid     OS configuration = Customer manual
RDP = On demand               RDP/SSH = Customer manual

Preventing an Azure Infrastructure Breach

Security controls are in place to reduce the risk of an Azure subscription security breach. Some of the infrastructure safeguards include just-in-time administration (JIT) and role-based access control (RBAC). Security in the cloud is similar to on-premises after going through a security life cycle. An organization can use its current security framework (or the NIST Cybersecurity Framework) as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk. The framework is not designed to replace existing processes; an organization can use its current process and overlay it onto the framework to determine gaps in its current cybersecurity risk approach and develop a road map to improvement. Utilizing the framework as a cybersecurity risk management tool, an organization can determine the activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment. The framework is designed to complement existing business and cybersecurity operations. It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program.
The cybersecurity framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices. It also provides a general set of considerations and processes for privacy and civil liberties implications in the context of a cybersecurity program. The following sections present different ways in which organizations can use the framework.

Basic Review of Cybersecurity Practices

The Cybersecurity Framework can be used to compare an organization’s current cybersecurity activities with those outlined in the framework’s core. Through the creation of a current profile, organizations can examine the extent to which they are achieving the outcomes described in the core categories and subcategories, aligned with the five high-level functions: identify, protect, detect, respond, and recover. An organization may find that it is already achieving the desired outcomes, thus managing cybersecurity commensurate with the known risk. Conversely, an organization may determine that it has opportunities to (or needs to) improve. The organization can use that information to develop an action plan to strengthen existing cybersecurity practices and reduce cybersecurity risk. An organization may also find that it is overinvesting to achieve certain outcomes. The organization can use this information to reprioritize resources to strengthen other cybersecurity practices. While they do not replace a risk management process, these five high-level functions will provide a concise way for senior executives and others to refine fundamental concepts of cybersecurity risk so they can assess identified risks, how each could be managed, and how their organization stacks up at a high level against existing cybersecurity standards, guidelines, and practices.
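The current-profile comparison described above can be carried out mechanically once Table 3-1 and the chapter’s placement of Security Center (Protect AC/AT/DS/IP/PT, Detect AE/CM/DP, Respond CO/AN/MI/IM) are written down as data. The following Python script is an added example, not the chapter’s own code; the sample current profile it analyzes is constructed for illustration, and the bucket names and function names are my own.

```python
"""Placing Azure Security Center within the NIST Cybersecurity Framework core.

Added example (not the chapter's own code): Table 3-1 and the chapter's list
of categories Security Center supports are encoded as data, then a
constructed current profile is compared with the core to find gaps.
"""

# Framework core functions and categories, as listed in Table 3-1.
CSF_CORE = {
    "ID": {"ID.AM": "Asset Management", "ID.BE": "Business Environment",
           "ID.GV": "Governance", "ID.RA": "Risk Assessment",
           "ID.RM": "Risk Management Strategy"},
    "PR": {"PR.AC": "Access Control", "PR.AT": "Awareness and Training",
           "PR.DS": "Data Security",
           "PR.IP": "Information Protection Processes & Procedures",
           "PR.MA": "Maintenance", "PR.PT": "Protective Technology"},
    "DE": {"DE.AE": "Anomalies and Events",
           "DE.CM": "Security Continuous Monitoring",
           "DE.DP": "Detection Processes"},
    "RS": {"RS.RP": "Response Planning", "RS.CO": "Communications",
           "RS.AN": "Analysis", "RS.MI": "Mitigation",
           "RS.IM": "Improvements"},
    "RC": {"RC.RP": "Recovery Planning", "RC.IM": "Improvements",
           "RC.CO": "Communications"},
}

# Categories the chapter says Azure Security Center supports:
# Protect (AC, AT, DS, IP, PT), Detect (AE, CM, DP), Respond (CO, AN, MI, IM).
SECURITY_CENTER_SUPPORT = frozenset({
    "PR.AC", "PR.AT", "PR.DS", "PR.IP", "PR.PT",
    "DE.AE", "DE.CM", "DE.DP",
    "RS.CO", "RS.AN", "RS.MI", "RS.IM",
})

# Constructed sample current profile (an assumption, not real customer data):
# categories the organization already achieves with existing controls.
SAMPLE_CURRENT_PROFILE = frozenset({"ID.AM", "ID.GV", "PR.AC", "PR.MA", "RC.RP"})


def validate_categories(categories):
    """Reject identifiers absent from the core; a typo would otherwise be
    counted silently as an uncovered category."""
    known = {cat for cats in CSF_CORE.values() for cat in cats}
    unknown = set(categories) - known
    if unknown:
        raise ValueError(f"unknown CSF categories: {sorted(unknown)}")


def coverage_by_function(tool_support=SECURITY_CENTER_SUPPORT):
    """Return {function id: (categories the tool covers, total categories)}."""
    validate_categories(tool_support)
    return {fn: (len(set(cats) & set(tool_support)), len(cats))
            for fn, cats in CSF_CORE.items()}


def gap_analysis(current_profile, tool_support=SECURITY_CENTER_SUPPORT):
    """Compare a current profile with the core; each category lands in one bucket:
      covered         already achieved by the organization's current controls
      tool_can_cover  not covered today, but Security Center supports it
      gap             neither; needs another control, process, or product
    """
    validate_categories(current_profile)
    validate_categories(tool_support)
    buckets = {"covered": [], "tool_can_cover": [], "gap": []}
    for cats in CSF_CORE.values():          # table order, function by function
        for cat in cats:
            if cat in current_profile:
                buckets["covered"].append(cat)
            elif cat in tool_support:
                buckets["tool_can_cover"].append(cat)
            else:
                buckets["gap"].append(cat)
    return buckets


def overlapping_controls(current_profile, tool_support=SECURITY_CENTER_SUPPORT):
    """Categories covered by both existing controls and Security Center: the
    places where an on-premises license may overlap Security Center features."""
    return sorted(set(current_profile) & set(tool_support))


def report(current_profile=SAMPLE_CURRENT_PROFILE):
    """Render the whole analysis as text and return it."""
    lines = ["Security Center coverage per function:"]
    for fn, (covered, total) in coverage_by_function().items():
        lines.append(f"  {fn}: {covered}/{total}")
    for name, cats in gap_analysis(current_profile).items():
        lines.append(f"{name}: {', '.join(cats) or '(none)'}")
    overlap = overlapping_controls(current_profile)
    lines.append(f"overlap candidates: {', '.join(overlap) or '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Replace SAMPLE_CURRENT_PROFILE with your own current profile to see which Identify and Recover categories remain gaps that Security Center does not cover.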
The framework can also help an organization answer fundamental questions, including “How are we doing?” Then the organization can move in a more informed way to strengthen its cybersecurity practices where and when deemed necessary.

Establishing or Improving a Cybersecurity Program

The following steps illustrate how an organization could use the Cybersecurity Framework to create a new cybersecurity program or improve one that is currently in place. These steps should be repeated as necessary for a continuously improved cybersecurity life cycle. The high-level steps include the following:

1. Prioritization: The business identifies mission objectives and reconfigures the priorities based on the goal. Using this new prioritization, the business makes strategic resolutions for cybersecurity implementations. The Cybersecurity Framework can easily be customized for larger enterprise businesses or for unique business lines. Many customers have different business needs and associated risk tolerance.

2. Rationalize: The next step for the cybersecurity team is to identify related systems and assets. Accommodate the requirements and overall risk guidance based on the direction. The cybersecurity team can then identify specific types of threats with more focused vulnerabilities based on those systems, data, and other assets.

3. Delineation: The cybersecurity team provides analysis of specific business lines based on category and subcategory. Both of these parent-child business views are products of the rationalization achieved.

4. Assessment: The risk assessment is the guide for the business to address the overall risk management process. The cybersecurity team and the business together analyze the operational environment to ascertain any security event and provide a US dollar value to the business of the event’s impact. Companies should continue security analyses for evaluating emerging risks and threats. Proactive vulnerability data, used by the business units to mitigate issues, casts a “wide net” over information, business cost, and business needs by identifying the potential impact of cybersecurity events.

5. Targeted: The cybersecurity team creates a persona that focuses on the assessments of the business and business lines. The characteristics describing the organization’s desired cybersecurity expectations are used to develop additional subcategories to address unique organizational risks.

6. Gap analysis: To truly provide mitigation on all exposed business assets, the cybersecurity team must allow identified gaps to be addressed. It is the gap analysis that is used to recommend changes to address specific gaps. The business can then better determine the necessary steps to remediate and address any budgetary concerns.

7. Implement: What are the exact actions to carry out based on the gap analysis? Continuous improvement is leveraged with reevaluation following the cybersecurity best practices you just enabled. You can gain additional guidance using the Cybersecurity Framework references.

Azure Virtual Networking Example

The fundamentals of networking are not exactly the same as on-premises because Azure is a hosted multitenant model. If you are new to Azure, then creating Azure virtual networks is often first done from the portal, and security features used on-premises are not configured for the vnet. There are two main reasons for this, listed here:

• You are new to Azure and are just learning the functionality.
• System administrators are not network security experts.

As cloud administrators work through the portal wizard to create subnets, the Azure portal prompts you with guidance and tries to be helpful when building networks. Each Azure vnet subnet permits network traffic from one vnet to other Azure vnets by default unless you specifically prevent the TCP/IP communication.
Perimeter networks of on-premises IP subnets are isolated by firewalls to prevent Internet attacks that try to gain access to other network subnets on-premises. How do you secure specific subnets from the Internet and really design the Azure virtual network to resemble your on-premises network? If you have the skill set for IP subnets and networks, then you could architect the entire infrastructure. In addition to knowing TCP/IP subnetting, you also need to know the details of subnetting and security in Azure. Another point to consider is whether you are working in a small IT shop where you wear many “hats” and don’t have time to invest in Ethernet networking classes and additional classes for Azure. Azure Security Center scans and discovers the current Azure infrastructure and recommends best practices to implement based on your deployment.

A security architecture needs to consider the network aspects of Azure as an extension of its on-premises network design. The TCP/IP subnet ranges used on-premises cannot be duplicated in Azure; in other words, the IP subnets must be managed and maintained by the same IT business team. Extending your company’s network into Azure is important, and you must get it right. To show how Azure Security Center provides best practices and guidance for Azure vnets, I have created a simple design for discussion purposes only. The virtual network shown in Figure 3-1 is how most Azure administrators start creating virtual networks before they start to place VMs into the individual networks. This example shows how Azure Security Center reviews the network configuration and suggests security measures to help improve your security posture.
Exercises in my other book, Microsoft Azure: Planning, Deploying, and Managing Your Data Center in the Cloud (Apress, ISBN-10: 1484210441), will build VMs like those in this foundation network example for the single purpose of identifying additional security-enabled features recommended by Azure Security Center so you can increase security protection in your Azure subscription.

Figure 3-1. Azure vnet example of Contoso used in chapter exercises

■ Tip If you need detailed guidance on Microsoft Azure services, you can read my book Microsoft Azure: Planning, Deploying, and Managing Your Data Center in the Cloud (http://tinyurl.com/h5vktdg).

ON-PREMISES TO AZURE VPN CONNECTION

You will now gain a brief overview of your options for extending a hybrid environment from your on-premises network into Azure. Most customers extend on-premises into Azure using one of three options, listed here:

• Point-to-site (P2S)
• Site-to-site (S2S) VPN
• ExpressRoute

A P2S connection is used for remote branch sites or to connect a developer’s laptop to Azure. Small and medium-sized companies often use telecom services to enable access from IT datacenters or IT data closets to the Internet. Companies have hardware devices that support a static public IP address, and these can be used to create a VPN connection into Azure. A P2S configuration supports a secure connection from an individual client computer, like a laptop, to an Azure virtual network. A P2S connection is useful when you want to connect to your vnet from a small office or from a mobile user’s location such as a home office or a conference, or when only a few clients need to connect to an Azure virtual network. The connection most medium and large customers start with is an S2S VPN connection.
This type of connection enables companies to use a routed connection between separate offices or with other organizations into Azure. One point to make is that the S2S connection is completed over a public network (i.e., Internet) connection. A routed VPN connection across the Internet connects your company’s on-premises network to a router in Azure. A site-to-site VPN connects a private network using mutual authentication. Then, using this site-to-site VPN connection, packets are sent from either router across the VPN connection to pass TCP/IP traffic between your hybrid network on-premises and your Azure subscription.

Azure ExpressRoute requires a network service provider (NSP) to create private connections between Azure and on-premises infrastructure to enable the network to connect into your Azure subscription. ExpressRoute connections do not allow TCP/IP traffic to traverse the public Internet. ExpressRoute requires the configuration of hardware by the network service provider to enable faster speeds, lower latencies, and higher security than typical Internet connections. Depending on the amount of traffic in and out of Azure, ExpressRoute’s unlimited-data SKU for transfers between on-premises systems and Azure can enable significant cost savings over an S2S VPN connection. ExpressRoute directly connects to Azure from your existing WAN provided by a network service provider.

Select an Azure Subscription

If you are new to Microsoft Azure, then a free trial subscription might be the best first option to start becoming familiar with the portal interface to create services in the cloud. Before walking through that option, though, you should understand there are four options to purchase a Microsoft Azure subscription, with other options possible in the future.
The options are as follows:

• Pay-as-you-go: This plan is the most flexible for customers that want to utilize a competitive pricing option without a long-term commitment. Since it requires only a valid business or personal credit card, this option allows cancellation at any time.
• Microsoft reseller: The program includes many software resellers that may offer Microsoft Azure through the Open Volume License Program. Once the contract is purchased, you can activate a new subscription or add credits to maintain your Azure infrastructure.
• Prepaid subscription: Purchase Microsoft Azure services at a discount by prepaying for 12 months. You can add additional prepayments to continue the discount for services or pay as you go by using a business invoice or credit card.
• Enterprise agreement: Large corporations often sign a Microsoft enterprise agreement (EA) to make up-front monetary commitments with annual payments. One of the benefits of adding Azure to an EA is the ability to “true up” at the end of the year if additional services are needed for other business areas to leverage Azure. With other subscription options, you would have to ask the board of directors for an increase in budget in the middle of the year.

You have an option to purchase an Azure subscription as shown in Figure 3-2.

■ Note Customers that have opted for the pay-as-you-go option have seen a delay in increasing some of the core services once they are ready to radically ramp up more virtual machines or utilize more core services. The delay comes when the request is made to increase core services by several hundred and a credit report is exercised by Microsoft Azure to help substantiate payment. The report may take a day or longer to validate the financial change request and could possibly impact your production build-out timelines.

Figure 3-2. Options to purchase an Azure subscription

■ Note To learn more about these payment options, follow the guidance at https://azure.microsoft.com/en-us/pricing/purchase-options/.

Before you choose the best option to support your business, you should enable a free Azure subscription to ramp up your knowledge on utilizing Azure. It is recommended that you have a test/dev Azure environment to create a more specific rollout plan with customized documentation. If you have a current Azure subscription, you can create a new subscription that consumes services from the same parent subscription. The new environment would be separate from the current production environment. The free subscription can be created by anyone with an Internet connection and currently does not require a credit card to start. Azure services provide a $200 credit to try any combination of Azure resources. The free trial is limited to 30 days, and it’s available in all countries and areas where Azure is commercially available. Remember that you need to prepare to have all your services decommissioned at the end of those 30 days. However, you do have the option to convert the trial subscription to a pay-as-you-go subscription.

■ Note To choose the free one-month trial, follow the instructions at https://azure.microsoft.com/en-us/pricing/free-trial/.

CREATING A FREE MICROSOFT AZURE ACCOUNT

This example walks you through the process of creating a 30-day trial of Azure with the option to convert the account to a pay-as-you-go account later. You’ll then use the same Azure subscription to build the necessary cloud infrastructure to host the Contoso.com example site to test Azure Security Center.

1. Open a browser in an InPrivate window and follow the options to create a free Azure trial at https://azure.microsoft.com/en-us/pricing/free-trial/.
A free Hotmail account is used in this example; you can do the same to prevent configuration issues if your current e-mail address is already associated with an account. After visiting the previously mentioned URL, choose the option to create a free e-mail account. In this example, the account used is contosomgr@hotmail.com.

2. After the e-mail account is created, complete the necessary information on the sign-up page (Figure 3-3). Click Next. Enter the information and note that there are two mandatory verification processes: by phone and by credit card.

Figure 3-3. The Hotmail account creation for a Contoso manager

■ Note Your credit card is not charged; it is used for verification processes only, to validate the identity of the free Azure account.

3. If you click the link in the top left to learn more, as shown in Figure 3-4, the information provides the credit limits of the free account. Click Next.

Figure 3-4. The form to fill out contact information for a free Azure subscription

■ Note The text “$200 Windows Azure Credit” refers to the legacy name of the Microsoft cloud service before it was rebranded as Microsoft Azure.

4. Once both the phone and credit card validation processes are complete, take the time to read through the subscription agreement, as shown in Figure 3-5, and click the sign-up button.

Figure 3-5. Credit card verification for account creation

This free account grants access to all Azure services. Operating system licenses are included in the VMs you are going to build to enable the infrastructure. The next few screens display that your new Azure subscription is being created, which may take up to four minutes. Your Azure subscription is ready, as shown in Figure 3-6, when the screen changes; click the green button to start managing your service.

Figure 3-6. Final page of the free Azure subscription wizard

5. The next screen, shown in Figure 3-7, provides the last step and is an easy option to convert your free subscription to a paid subscription using the credit card entered in step 4. You always have the option to convert to a pay-as-you-go account, so for now click the top-right button to gain access to the Azure portal.

Figure 3-7. Confirmation page and guidance to log on to the Azure portal

6. The Azure portal is now created. This is where you build the infrastructure to maintain the Contoso.com and AD Connect servers. You can start building the networking and VM infrastructure from the Microsoft Azure portal, as shown in Figure 3-8.

Figure 3-8. Azure portal after you log on to learn the limits of your subscription

This process has just enabled access to one of the world’s largest, most cost-efficient, and most secure datacenters. This newly created Microsoft Azure subscription provides any company with the ability to start creating IT services without having to wait multiple years to construct an on-premises datacenter, order server hardware, and hire IT staff to manage the datacenter.

Navigating Microsoft Azure

Cloud computing is easy to use and navigate once you have an understanding of what IT services are available and how to use the interface to activate the infrastructure to support your business. You need to have a clear understanding of the types of services to enable in your new Azure subscription, including the following:

• Understanding IaaS in Azure
• Understanding PaaS in Azure

Once your subscription is completed, you can access it by logging into the Azure web portal and becoming familiar with this new IT infrastructure. The portal provides access to all the Azure cloud services and the entire IT infrastructure with the click of a mouse.
The current portal provides the ability to create new resources such as virtual networks and virtual machines, control access, manage and monitor resources, and review billing information.

The Microsoft Azure portal shown in Figure 3-9 gives you the ability to create any services, including the ones needed for this chapter to enable federation in Azure: cloud services, virtual machines, and virtual networks. This chapter provides the steps for the necessary configuration; however, there are many additional Azure features that could be used to support your business that are not discussed in this chapter.

Figure 3-9. Azure portal to start building Contoso.com test infrastructure

■ Tip If you need detailed guidance on Microsoft Azure services, you can refer to my book Microsoft Azure: Planning, Deploying, and Managing Your Data Center in the Cloud (http://tinyurl.com/h5vktdg).

Once you have created the Azure subscription, you can click any of the properties to gain access to individual IT components. Understanding the individual components needed for the IT infrastructure is the next process.

Summary

In this chapter, you learned about some of the challenges of cloud security and got a high-level overview of just what Azure Security Center is and the ways Azure Security Center can be positioned to support a cybersecurity framework for defense. You were introduced to some of the issues an Azure consultant may encounter via a typical Azure cloud deployment example for Contoso.com. The Contoso.com example is used in all the exercises in the remaining chapters. The cloud deployment infrastructure example includes vnets, VMs, and SQL Server instances. These cloud assets are designed to highlight the features of Azure Security Center based on real-world customer deployments, including mistakes.
Finally, in this chapter, you created an Azure subscription for testing but also learned about the types of Azure subscriptions that customers can use. In the next chapter, you will learn how to leverage Azure Security Center with step-by-step exercises.

CHAPTER 4

Azure Security Center Configuration

Security as a Service

In Chapter 3 you learned about a few of the challenges that all cloud security professionals are confronted with. The previous chapter was intentionally written at a high level so as not to overwhelm cloud administrators with details of cybersecurity examples. It also touched on the recurring theme of prevention, detection, and response. This chapter leverages the 30-day free Azure trial specifically for testing Azure Security Center, using Contoso.com as a typical Azure cloud deployment example. If you skipped Chapter 3, go back and read it now before continuing.

The Contoso.com network example has typical servers deployed into TCP/IP subnets and is used in all the exercises in this chapter and the remaining chapters. A typical infrastructure deployment includes virtual machines (VMs) in the perimeter IP subnet and the infrastructure IP subnet, and SQL Servers in the database IP subnet. The next few exercises in this chapter will walk you through Azure Security Center and focus on the main configuration topics. You’ll look at the Contoso.com example in greater detail with screenshots, and then you’ll go through some configuration exercises to see how to leverage the security as a service (SaaS) feature in Azure Security Center. Specifically, you’ll learn how to do the following:

• Enable data collection
• See security policy details
• E-mail security alerts
• Review console recommendations

This chapter deepens your knowledge no matter what role you may have in your company. For example, if you are an Azure cloud administrator, you will gain insight into the world of cybersecurity and how to lower risks. If you’re a security architect, this chapter provides insight into Azure configurations for your infrastructure.

■ Note The example network was introduced in Chapter 3, so to gain background information about the network infrastructure, you should make sure to read that chapter before proceeding with these exercises.

By the end of this chapter, you will better understand that the Azure operations team roles and security architect roles are destined to merge. Security is necessary in every Azure cloud deployment, which is why security is built into the Azure fabric and other Azure services and needs to be enabled. Infrastructure design best practices have a long history in on-premises design, so adapting to a cloud deployment introduces new security challenges. The processes and stages are different in an Azure cloud security deployment, but the end results are focused on the same goal: a secure deployment that mitigates security risks.

© Marshall Copeland 2017
M. Copeland, Cyber Security on Azure, DOI 10.1007/978-1-4842-2740-4_4
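The three-tier Contoso.com topology described in this chapter’s introduction (VMs in a perimeter subnet and an infrastructure subnet, SQL Servers in a database subnet) can be laid down as code rather than clicked together in the portal, which also makes the network boundaries reviewable before Azure Security Center starts reporting on them. The following Azure PowerShell script is an added example, not code from the book or from Microsoft; it assumes the Az PowerShell module and an already authenticated session (Connect-AzAccount), and the resource group name, region, VNet name, and 10.0.x.0/24 address ranges are placeholder choices made here. It adds the network security groups a security architect would expect from the start: SQL Server (TCP 1433) on the database subnet is reachable only from the infrastructure subnet, the infrastructure subnet accepts administrative RDP only from the perimeter subnet, and inbound Internet traffic is explicitly denied to both back-end tiers.

```powershell
# Added example (not from the book): build the Contoso.com test topology
# described in this chapter as code, with least-privilege network security
# groups. Assumes the Az module and an authenticated session (Connect-AzAccount).
# Resource names, region and address ranges below are placeholder choices.

$rg       = 'rg-contoso-lab'
$location = 'eastus'

# Address plan (assumed): one VNet, three /24 subnets matching the chapter's
# perimeter / infrastructure / database layout.
$vnetPrefix      = '10.0.0.0/16'
$perimeterPrefix = '10.0.1.0/24'
$infraPrefix     = '10.0.2.0/24'
$dbPrefix        = '10.0.3.0/24'

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Database subnet: SQL Server (TCP 1433) only from the infrastructure subnet,
# everything from the Internet denied. Azure's default NSG rules still allow
# VNet-internal traffic, so the explicit Internet deny closes the door that a
# public IP attached to a SQL VM would otherwise open.
$dbAllowSql = New-AzNetworkSecurityRuleConfig -Name 'Allow-SQL-From-Infra' `
    -Description 'SQL Server from infrastructure subnet only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $infraPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '1433'

$dbDenyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Inbound' `
    -Description 'No direct Internet access to database servers' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsgDb = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-database' -SecurityRules $dbAllowSql, $dbDenyInternet

# Infrastructure subnet (domain controllers, AD Connect): administrative RDP
# only from the perimeter subnet in this lab, never directly from the Internet.
$infraAllowRdp = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Perimeter' `
    -Description 'Administrative RDP via the perimeter subnet' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $perimeterPrefix -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '3389'

$infraDenyInternet = New-AzNetworkSecurityRuleConfig -Name 'Deny-Internet-Inbound' `
    -Description 'No direct Internet access to infrastructure servers' `
    -Access Deny -Protocol '*' -Direction Inbound -Priority 4000 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsgInfra = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-infrastructure' -SecurityRules $infraAllowRdp, $infraDenyInternet

# Perimeter subnet: the only tier that accepts Internet traffic, and only HTTPS.
$perimAllowHttps = New-AzNetworkSecurityRuleConfig -Name 'Allow-HTTPS-Inbound' `
    -Description 'Public web entry point' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '443'

$nsgPerimeter = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-perimeter' -SecurityRules $perimAllowHttps

# Each subnet carries its NSG; the VNet ties the three tiers together.
$subnets = @(
    (New-AzVirtualNetworkSubnetConfig -Name 'perimeter'      -AddressPrefix $perimeterPrefix -NetworkSecurityGroup $nsgPerimeter),
    (New-AzVirtualNetworkSubnetConfig -Name 'infrastructure' -AddressPrefix $infraPrefix     -NetworkSecurityGroup $nsgInfra),
    (New-AzVirtualNetworkSubnetConfig -Name 'database'       -AddressPrefix $dbPrefix        -NetworkSecurityGroup $nsgDb)
)

$vnet = New-AzVirtualNetwork -Name 'vnet-contoso' -ResourceGroupName $rg `
    -Location $location -AddressPrefix $vnetPrefix -Subnet $subnets

# Quick check before any VM is placed: every subnet must report an NSG.
$vnet.Subnets | ForEach-Object {
    '{0,-15} {1,-14} NSG={2}' -f $_.Name, $_.AddressPrefix[0], ($_.NetworkSecurityGroup.Id -split '/')[-1]
}
```

Running the script once gives a subscription in which the only Internet-reachable port is 443 on the perimeter tier, which is the baseline against which the network recommendations that Azure Security Center produces in the exercises that follow can be compared; a VM later created in the database subnet with a public IP still cannot be reached from the Internet on 1433 because the subnet-level NSG applies regardless of the VM’s own configuration.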