What is Microsoft Defender for Storage?

Članak
11/26/2024

Microsoft Defender for Cloud gives you an Azure-native layer of security intelligence that finds potential threats to your storage accounts with the Defender for Storage plan.

Defender for Storage helps prevent malicious file uploads, sensitive data exfiltration, and data corruption, ensuring the security and integrity of your data and workloads.

Defender for Storage provides comprehensive security by analyzing the data plane and control plane telemetry generated by Azure Blob Storage, Azure Files, and Azure Data Lake Storage services. It uses advanced threat detection capabilities powered by Microsoft Threat Intelligence, Microsoft Defender Antivirus, and Sensitive Data Discovery to help you discover and mitigate potential threats.

Animated diagram showing how Defender for Storage protects against common threats to data.

Defender for Storage includes:

Activity monitoring - Detect unusual and potentially harmful activities involving your storage accounts by analyzing access patterns and behaviors. This can be valuable for identifying unauthorized access, data exfiltration attempts, and other security threats.
Sensitive data threat detection - Identify and protect sensitive data within your storage accounts by detecting suspicious activities that may indicate a potential security threat. By monitoring for actions such as unusual data access patterns or potential data exfiltration, it enhances the security of your sensitive information stored in Azure.
Malware Scanning - Scan your storage accounts for malware by analyzing files for known threats and suspicious content. This helps in identifying and mitigating potential security risks from malicious files that may be stored or uploaded to your Azure storage accounts, thereby enhancing the overall security posture of your data storage.

Getting started

You can enable Defender for Storage agentlessly at the subscription level, resource levels, or at scale.

When you enable Defender for Storage at the subscription level, all existing and newly created storage accounts under that subscription are automatically included and protected. You can also exclude specific storage accounts from protected subscriptions.

Note

If you have the Defender for Storage (classic) enabled and want access to the current security features and pricing, you'll need to migrate to the new pricing plan.

Benefits

Diagram showing the benefits of using Defender for Storage to protect your data.

Defender for Storage provides the following:

Better protection against malware: The Malware Scanning scans and detects in near real-time all file types, including archives of every uploaded blob, and provides fast and reliable results, helping you prevent your storage accounts from acting as an entry and distribution point for threats. Learn more about Malware Scanning.
Improved threat detection and protection of sensitive data: The sensitive data threat detection capability enables security professionals to efficiently prioritize and examine security alerts by considering the sensitivity of the data that could be at risk, leading to better detection and protection against potential threats. By quickly identifying and addressing the most significant risks, this capability lowers the likelihood of data breaches and enhances sensitive data protection by detecting exposure events and suspicious activities on resources containing sensitive data. Learn more about sensitive data threat detection.
Detection of entities without identities: Defender for Storage detects suspicious activities generated by entities without identities that access your data using misconfigured and overly permissive Shared Access Signatures (SAS tokens) that might have leaked or compromised so that you can improve the security hygiene and reduce the risk of unauthorized access. This capability is an expansion of the Activity Monitoring security alerts suite.
Coverage of the top cloud storage threats: Powered by Microsoft Threat Intelligence, behavioral models, and machine learning models to detect unusual and suspicious activities. The Defender for Storage security alerts covers the top cloud storage threats, such as sensitive data exfiltration, data corruption, and malicious file uploads.
Comprehensive security without enabling logs: When Microsoft Defender for Storage is enabled, it continuously analyzes both the data plane and control plane telemetry stream generated by Azure Blob Storage, Azure Files, and Azure Data Lake Storage services without the requirement of enabling diagnostic logs.
Frictionless enablement at scale: Microsoft Defender for Storage is an agentless solution, easy to deploy, and enables security protection at scale using a native Azure solution.

How does Defender for Storage work?

Activity monitoring

Defender for Storage continuously analyzes data and control plane logs from protected storage accounts when enabled. There's no need to turn on resource logs for security benefits. Use Microsoft Threat Intelligence to identify suspicious signatures such as malicious IP addresses, Tor exit nodes, and potentially dangerous apps. It also builds data models and uses statistical and machine-learning methods to spot baseline activity anomalies, which might indicate malicious behavior. You receive security alerts for suspicious activities, but Defender for Storage ensures you won't get too many similar alerts. Activity monitoring won't affect performance, ingestion capacity, or access to your data.

Diagram showing how activity monitoring identifies threats to your data.

Malware Scanning (powered by Microsoft Defender Antivirus)

Malware Scanning in Defender for Storage helps protect storage accounts from malicious content by performing a full malware scan on uploaded content in near real time, applying Microsoft Defender Antivirus capabilities. It's designed to help fulfill security and compliance requirements to handle untrusted content. Every file type is scanned, and scan results are returned for every file. The Malware Scanning capability is an agentless SaaS solution that allows simple setup at scale, with zero maintenance, and supports automating response at scale. This is a configurable feature in the new Defender for Storage plan that is priced per GB scanned. Learn more about Malware Scanning.

Sensitive data threat detection (powered by Sensitive Data Discovery)

The ‘sensitive data threat detection’ capability enables security teams to efficiently prioritize and examine security alerts by considering the sensitivity of the data that could be at risk, leading to better detection and preventing data breaches. ‘Sensitive data threat detection’ is powered by the “Sensitive Data Discovery” engine, an agentless engine that uses a smart sampling method to find resources with sensitive data. The service is integrated with Microsoft Purview's sensitive information types (SITs) and classification labels, allowing seamless inheritance of your organization's sensitivity settings.

This is a configurable feature in the new Defender for Storage plan. You can choose to enable or disable it with no other cost. For more details, visit Sensitive data threat detection.

Pricing and cost controls

Per storage account pricing

The new Microsoft Defender for Storage plan has predictable pricing based on the number of storage accounts you protect. With the option to enable at the subscription or resource level and exclude specific storage accounts from protected subscriptions, you have increased flexibility to manage your security coverage. The pricing plan simplifies the cost calculation process, allowing you to scale easily as your needs change. Other charges might apply to storage accounts with high-volume transactions.

Malware Scanning - Billing per GB, monthly capping, and configuration

Malware Scanning is charged on a per-gigabyte basis for scanned data. To ensure cost predictability, a monthly cap can be established for each storage account's scanned data volume, per-month basis. This cap can be set subscription-wide, affecting all storage accounts within the subscription, or applied to individual storage accounts. Under protected subscriptions, you can configure specific storage accounts with different limits.

By default, the limit is set to 5,000 GB per month per storage account. Once this threshold is exceeded, scanning will cease for the remaining blobs, with a 20-GB confidence interval. For configuration details, refer to configure Defender for Storage.

Important

Malware scanning in Defender for Storage is not included for free in the first 30 day trial and will be charged from the first day in accordance with the pricing scheme available on the Defender for Cloud pricing page. Malware scanning will also incur additional charges for other Azure services - Azure Storage read operations, Azure Storage blob indexing and Azure Event Grid notifications.

Enablement at scale with granular controls

Microsoft Defender for Storage enables you to secure your data at scale with granular controls. You can apply consistent security policies across all your storage accounts within a subscription or customize them for specific accounts to suit your business needs. You can also control your costs by choosing the level of protection you need for each resource. To get started, visit enable Defender for Storage.

Monitoring your malware scanning cap

To ensure uninterrupted protection while effectively managing costs, there are two informational security alerts related to malware scanning cap usage. The first alert, Malware Scanning will stop soon: 75% of monthly gigabytes scan cap reached (Preview), is triggered as your usage approaches 75% of the set monthly cap, offering a heads-up to adjust your cap if needed. The second alert, Malware Scanning stopped: monthly gigabytes scan cap reached (Preview), notifies you when the cap has been reached and scanning is paused for the month, potentially leaving new uploads unscanned. Both alerts come with details on affected storage accounts to facilitate prompt and informed action, ensuring you can maintain your desired level of security without unexpected expenses.

Understanding the differences between Malware Scanning and hash reputation analysis 

Defender for Storage offers two capabilities to detect malicious content uploaded to storage accounts: Malware Scanning and hash reputation analysis.

Malware Scanning

Malware Scanning uses Microsoft Defender Antivirus (MDAV) to scan blobs uploaded to Blob storage, providing a comprehensive analysis that includes deep file scans and hash reputation analysis. This feature provides an enhanced level of detection against potential threats.

Hash reputation analysis

Hash reputation analysis detects potential malware in Blob storage and Azure Files by comparing the hash values of newly uploaded blobs/files against those of known malware by Microsoft Threat Intelligence. Not all file protocols and operation types are supported with this capability, leading to some operations not being monitored for potential malware uploads. Unsupported use cases include SMB file shares and when a blob is created using Put Block and Put blocklist.

In summary, Malware Scanning, which is only available on the new plan for Blob storage, offers a more comprehensive approach to malware detection by analyzing the full content of files and incorporating hash reputation analysis in its scanning methodology.

Next steps

In this article, you learned about Microsoft Defender for Storage.

Enable Defender for Storage
Check out common questions about Defender for Storage.

Dijelite putem