Security is changing as companies move their mission-critical workloads to the cloud, with Azure as one of the preferred destinations.
Security in Azure follows the shared responsibility model, meaning components like application and data security are owned by the customer while Microsoft is responsible for delivering a secure hosting platform. There are several native security tools and features in Azure that can be implemented by customers to secure their workloads. While these tools and services are focused on preventing attacks ranging from network infiltration to container vulnerability exploitation, breaches still happen.
Vulnerabilities identified in the Azure App Service for Linux, for example, could allow attack methods like local file inclusion, remote code execution, or malicious code injection. Another vulnerability identified in Azure Network Watcher's Linux extension could enable privilege escalation. Even Linux, traditionally considered a relatively safe environment, has become a target for new attacks given its large presence in the cloud. For perspective, over 50% of workloads in Azure use Linux.
Let’s explore nine key tools available in Azure that will help improve the security of your workloads hosted in the platform.
Azure Firewall
Azure Firewall is a highly available, managed network security service that helps protect workloads connected to your Azure Virtual Network (VNet). Its threat intelligence-based filtering feature can alert you to any traffic flow to or from known malicious IP addresses and domains and, when switched from the default alert-only mode to alert-and-deny mode, block that traffic. The list of malicious sources is kept up to date by the Microsoft Threat Intelligence feed, which draws on Microsoft's Intelligent Security Graph in the backend.
Azure Web Application Firewall (WAF)
Azure Web Application Firewall (WAF) protects your Azure-hosted web applications against commonly known threats and vulnerabilities. It also provides a form of central virtual patching: a rule added at the WAF blocks exploitation of a known vulnerability before the request ever reaches your web applications, buying time to patch the application code itself.
Its managed rule sets, based on the OWASP Core Rule Set (CRS), protect against common attack classes, including:
- Cross-site scripting
- PHP injection attacks
- SQL injection
- Remote command execution
- Protocol attacks
WAF can be integrated with front-end services like Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network, acting as a first line of defense against attacks targeting web applications.
Azure DDoS Protection
The Azure platform provides DDoS Protection Basic for every public IP address at no extra cost. For adaptive, tunable protection of workloads connected to a VNet, customers can enable DDoS Protection Standard.
This service integrates natively with your VNet and doesn't require any resource-level reconfiguration. It also monitors the application traffic over time and adaptively tunes the mitigation thresholds to the workload's normal traffic profile.
Azure DDoS Protection delivers extensive mitigation scale, protecting your workloads from 60 different types of attacks. It can also be combined with WAF or third-party application firewalls for multilayer protection of your applications (DDoS mitigation at layers 3 and 4, the WAF at layer 7).
Azure Security Center
Azure Security Center is the native Cloud Security Posture Management solution in Azure that continuously evaluates your deployments against defined security baselines. Any deviations or misconfigurations are flagged for review and remediation. Additionally, the adaptive application controls in Azure Security Center can be used to define a list of known-safe applications.
Azure Security Center also provides a Cloud Workload Protection Platform (CWPP) through integration with Microsoft Defender Advanced Threat Protection (ATP) service. ATP delivers endpoint protection and reduces attack surface through risk-based vulnerability assessments, managed hunting, automated investigations, and remediation. Azure Defender can also be used to ensure runtime security of AKS nodes and clusters that host your containers.
While there is a focus on security capabilities for Windows workloads, Azure's native options for securing Linux against post-exploitation activity and other in-memory threats are limited. Azure Defender protection for Linux is based on records from the Linux auditing system, auditd. These records are aggregated and analyzed in Log Analytics for malicious behaviors.
However, advanced threats don’t always generate suspicious behavioral patterns, which means they run the risk of going unnoticed in your system. To bridge this gap, Intezer has developed a threat detection technology which identifies threats based on runtime monitoring of applications for any malicious code. This innovation has proven to be the fastest to detect threats in Linux and containerized environments. If your cloud landscape is also predominantly Linux, as Azure is, you need specialized runtime CWPP tools like Intezer Protect that provide advanced Linux threat protection.
Container Image Scanning
Azure Security Center's Azure Defender for container registries feature can be enabled to scan all Linux container images pushed to or pulled from Azure Container Registry. The scanner is powered by Qualys and provides insights into vulnerabilities associated with container images before they get deployed. The vulnerabilities are classified by severity, and the tool also provides mitigation guidance.
Note that while image scanning offers first level protection from vulnerabilities, attackers can still target containerized workloads by injecting malicious code during runtime. To reinforce security for your containers, you’ll need to use a third party tool like Intezer Protect for additional runtime protection.
Azure Sentinel
Azure Sentinel is the native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) service in Azure. Sentinel collects data from multiple devices and resources across environments (both on-premises and cloud) and uses Microsoft threat intelligence and analytics capabilities to provide a bird's-eye view of threat activity across your enterprise.
Azure Sentinel hunts for suspicious activities by applying machine learning and analytics rules to the collected data. Along with many built-in hunting queries, Kusto Query Language (KQL), with IntelliSense support in the portal, can be used to write custom queries for tailored threat detection. Hunting queries and bookmarks can be combined into reusable Jupyter notebooks to automate future investigations.
You can also integrate Azure Sentinel with tools like Intezer Protect, which enhances security for your workloads through niche capabilities like runtime protection for Linux.
Azure Activity and Resource Logs
Azure Activity logs provide information about subscription-level events like resource provisioning and modification. The logs can be centrally stored in an Azure Storage account or integrated with an Azure Log Analytics workspace for detailed analytics and insights.
Where the Activity log records control-plane operations (who created, changed, or deleted a resource), Azure resource logs record data-plane operations performed within a specific resource, such as a secret read from a Key Vault or a query against a database. Diagnostic settings have to be configured per resource so that the resource logs are collected and sent to a Log Analytics workspace, to Azure Event Hubs, or to Azure Storage for archival. Correlating both sources in Log Analytics lets you tie a suspicious data-plane action back to the control-plane change that made it possible.
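As an added example (not code from the original article or from Microsoft), the detection logic below runs over a handful of constructed Activity log records exported through a diagnostic setting. The field names used (`operationName`, `category`, `resultType`, `callerIpAddress`, `identity.claims.name`) follow the export schema as the author understands it; adapt them to whatever your diagnostic setting actually emits. It flags successful control-plane changes that alter who or what can reach a resource (role assignments, NSG rules, Key Vault access policies, VM extension installs, deletion of diagnostic settings) and surfaces callers with repeated failed calls, which often indicates an attacker enumerating what a stolen identity can touch.

```python
import json
import re
from collections import Counter

# Control-plane operations worth alerting on when they succeed. Operation names are the
# ARM "<provider>/<type>/<action>" strings recorded in the Activity log (matched lowercase).
SENSITIVE_OPERATIONS = (
    re.compile(r"^microsoft\.authorization/roleassignments/write$"),
    re.compile(r"^microsoft\.network/networksecuritygroups/securityrules/(write|delete)$"),
    re.compile(r"^microsoft\.network/networksecuritygroups/(write|delete)$"),
    re.compile(r"^microsoft\.keyvault/vaults/accesspolicies/write$"),
    re.compile(r"^microsoft\.compute/virtualmachines/extensions/write$"),
    re.compile(r"^microsoft\.insights/diagnosticsettings/delete$"),
)

# Result strings differ between the REST schema (Succeeded/Failed) and the export/Log
# Analytics schema (Success/Failure); normalize both.
_SUCCESS = {"success", "succeeded"}
_FAILURE = {"failure", "failed"}


def parse_activity_records(raw_json: str) -> list:
    """Flatten an exported Activity log document (records[]) into simple dicts."""
    out = []
    for rec in json.loads(raw_json)["records"]:
        claims = rec.get("identity", {}).get("claims", {})  # assumed shape of the export
        out.append({
            "time": rec["time"],
            "operation": rec["operationName"].lower(),
            "category": rec.get("category", ""),
            "result": rec.get("resultType", "").lower(),
            "caller": claims.get("name") or claims.get("appid") or "unknown",
            "caller_ip": rec.get("callerIpAddress", ""),
            "resource": rec["resourceId"],
        })
    return out


def flag_sensitive_changes(records: list) -> list:
    """Successful Administrative writes/deletes that change who or what can reach resources."""
    return [
        r for r in records
        if r["category"] == "Administrative"
        and r["result"] in _SUCCESS
        and any(p.match(r["operation"]) for p in SENSITIVE_OPERATIONS)
    ]


def callers_with_failures(records: list, threshold: int = 3) -> dict:
    """(caller, ip) pairs with repeated failed control-plane calls: likely permission probing."""
    counts = Counter((r["caller"], r["caller_ip"]) for r in records if r["result"] in _FAILURE)
    return {key: n for key, n in counts.items() if n >= threshold}


def _rec(time, op, result, name, ip, resource, category="Administrative"):
    """Build one constructed record in the assumed export shape (test data only)."""
    return {"time": time, "operationName": op, "category": category, "resultType": result,
            "callerIpAddress": ip, "resourceId": resource, "identity": {"claims": {"name": name}}}


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
# Constructed sample: one role grant, one NSG rule change, one benign VM start, and a
# service principal repeatedly failing to read Key Vaults it has no rights to.
SAMPLE_EXPORT = json.dumps({"records": [
    _rec("2021-03-01T10:02:11Z", "Microsoft.Authorization/roleAssignments/write", "Success",
         "alice@contoso.example", "203.0.113.40",
         f"{SUB}/providers/Microsoft.Authorization/roleAssignments/1111"),
    _rec("2021-03-01T10:05:40Z", "Microsoft.Network/networkSecurityGroups/securityRules/write",
         "Success", "ci-pipeline", "198.51.100.12",
         f"{SUB}/resourceGroups/prod/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/AllowAnySSH"),
    _rec("2021-03-01T10:06:02Z", "Microsoft.Compute/virtualMachines/start/action", "Success",
         "alice@contoso.example", "203.0.113.40",
         f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"),
    *[_rec(f"2021-03-01T11:0{i}:00Z", "Microsoft.KeyVault/vaults/read", "Failure",
           "svc-reporting", "192.0.2.77",
           f"{SUB}/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/kv{i}")
      for i in range(4)],
]})


if __name__ == "__main__":
    records = parse_activity_records(SAMPLE_EXPORT)
    for hit in flag_sensitive_changes(records):
        print(f"SENSITIVE CHANGE {hit['time']} {hit['caller']} ({hit['caller_ip']}) {hit['operation']} on {hit['resource']}")
    for (caller, ip), n in callers_with_failures(records).items():
        print(f"REPEATED FAILURES {caller} from {ip}: {n} failed calls")
```

In production the same functions would be fed from the storage account or Event Hub the diagnostic setting writes to; the point of the pattern is to alert on the specific operation names that expand access, rather than on every write, and to treat a burst of authorization failures from one identity as a signal in its own right.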
Azure AD Reports
Because attackers can use credential theft to gain access to your resources, it's important to monitor user access activity. Azure Active Directory (AD) reports, built from the sign-in logs, audit logs, and Identity Protection risk detections, provide insights into user activity in Azure, how your applications are being used, and any threats associated with user accounts. The reports flag compromised user accounts, risky sign-ins, and anomalies in sign-in activity such as sign-ins from unfamiliar locations or anonymizing proxies.
Network Security Group (NSG) Flow Logs
NSGs act as the first line of defense in Azure VNets by filtering the ingress and egress traffic. Any anomalies in this traffic could indicate a possible attack on your network resources.
The NSG flow logs feature records every flow evaluated by an NSG, including the source and destination, port, protocol, direction, and whether the matching rule allowed or denied it. This helps you identify unknown traffic patterns, or traffic from undesired sources that could indicate an intrusion attempt. The logs are written to a storage account and can be sent to Log Analytics (for example through Traffic Analytics) for further correlation and analysis to identify organized attack attempts.
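As an added example (not code from the original article or from Microsoft), the script below parses a constructed version-2 NSG flow log blob in the format Network Watcher writes to the storage account, flattens the comma-separated flow tuples, and runs two checks a practitioner typically wants: external sources sweeping many destination ports, and allowed inbound connections to management ports (SSH, RDP) from outside a trusted range. The sample records, the NSG and rule names, and the trusted CIDR list are all constructed for the example.

```python
import json
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address ranges that count as "inside" for the checks below. RFC 1918 is used here because
# the documentation ranges used in the sample (192.0.2.0/24 etc.) are not treated as global
# by Python's ipaddress module; in a real VNet, substitute your own address space.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    proto: str      # T = TCP, U = UDP
    direction: str  # I = inbound, O = outbound
    decision: str   # A = allowed, D = denied
    rule: str
    nsg: str


def parse_flow_log(raw_json: str) -> list:
    """Flatten a version-2 NSG flow log document into Flow objects.

    Tuple layout: ts,src,dst,sport,dport,proto,direction,decision,state,
                  packetsS2D,bytesS2D,packetsD2S,bytesD2S (counters may be empty).
    """
    flows = []
    for rec in json.loads(raw_json)["records"]:
        nsg = rec["resourceId"].rsplit("/", 1)[-1]
        props = rec["properties"]
        if props.get("Version") != 2:
            raise ValueError(f"unsupported flow log version: {props.get('Version')}")
        for rule_block in props["flows"]:
            for nic in rule_block["flows"]:
                for tup in nic["flowTuples"]:
                    f = tup.split(",")
                    flows.append(Flow(int(f[0]), f[1], f[2], int(f[3]), int(f[4]),
                                      f[5], f[6], f[7], rule_block["rule"], nsg))
    return flows


def is_external(ip: str) -> bool:
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_port_sweeps(flows: list, min_ports: int = 5) -> dict:
    """External sources whose inbound flows (allowed or denied) touch many distinct ports."""
    ports = defaultdict(set)
    for f in flows:
        if f.direction == "I" and is_external(f.src):
            ports[f.src].add(f.dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_exposed_management(flows: list, trusted_cidrs: list, mgmt_ports=(22, 3389)) -> list:
    """Allowed inbound management-port flows whose source is outside the trusted ranges."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    return [
        f for f in flows
        if f.direction == "I" and f.decision == "A" and f.dport in mgmt_ports
        and not any(ip_address(f.src) in net for net in trusted)
    ]


def _tuple(ts, src, dst, sport, dport, direction, decision, state="B", counters=",,,"):
    return f"{ts},{src},{dst},{sport},{dport},T,{direction},{decision},{state},{counters}"


# Constructed sample: a scanner hitting five ports (denied by the default rule), two allowed
# SSH sessions (one from the corporate range, one not), normal HTTPS, and an outbound flow.
SAMPLE_LOG = json.dumps({"records": [{
    "time": "2021-03-01T10:00:00.000Z",
    "category": "NetworkSecurityGroupFlowEvent",
    "resourceId": "/SUBSCRIPTIONS/X/RESOURCEGROUPS/PROD/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WEB-NSG",
    "operationName": "NetworkSecurityGroupFlowEvents",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            _tuple(1614592800 + i, "203.0.113.7", "10.0.1.4", 51000 + i, port, "I", "D")
            for i, port in enumerate((22, 23, 445, 3389, 8080))]}]},
        {"rule": "UserRule_AllowSSH", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            _tuple(1614592810, "198.51.100.9", "10.0.1.4", 40001, 22, "I", "A"),
            _tuple(1614592811, "192.0.2.10", "10.0.1.4", 40002, 22, "I", "A")]}]},
        {"rule": "UserRule_AllowHTTPS", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            _tuple(1614592812, "203.0.113.50", "10.0.1.4", 40003, 443, "I", "A", "E", "12,5200,9,3100")]}]},
        {"rule": "DefaultRule_AllowVnetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            _tuple(1614592813, "10.0.1.4", "10.0.2.8", 40004, 22, "O", "A")]}]},
    ]},
}]})


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_LOG)
    for src, ports in find_port_sweeps(flows).items():
        print(f"PORT SWEEP from {src}: {ports}")
    for f in find_exposed_management(flows, ["192.0.2.0/24", "10.0.0.0/8"]):
        print(f"EXPOSED MGMT {f.src}:{f.sport} -> {f.dst}:{f.dport} allowed by {f.rule} on {f.nsg}")
```

Denied flows are deliberately included in the sweep check: a scanner that the default deny rule blocks still reveals its intent, and the same source showing up later in an allowed flow is the event to escalate.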
The nine tools we’ve discussed are crucial for building out your security controls in Azure. However, attack vectors in the cloud are evolving fast and attackers may still find a way into your production environments through unknown vulnerabilities, misconfigurations, or backdoors in the supply chain. Studies have shown that 68% of top-30 AV products fail at detecting Linux threats, as the majority of these products are tailored for Windows platforms. If your workloads are predominantly Linux or containerized, you need a specialized runtime CWPP solution like Intezer Protect to provide a last line of defense against the attack vectors mentioned above.
If you have workloads deployed across AWS, Azure, and GCP, our comparison of the security features available across these platforms will help you implement the right security controls for your applications.