Security and protection against ransomware/malware in Azure

cloudseeker 0 Reputation points
2025-02-12T13:09:25.79+00:00

We have VPN S2S connections from various locations.

Planning to deploy Azure Standard firewall. None of the VMs have public IPs.

We will be configuring Azure SQL Managed Instance with private endpoints and storage accounts with private links.

Also will have keyvaults for password protection.

Have secured AD with conditional access policies.

Planning to have public webapps configured behind WAF.

Microsoft Defender is enabled for the resources.

Will be enabling Azure DDoS Protection for the VPN and Azure public IPs.

Do we still need more protection against ransomware/malware? Are we missing anything?

Do we need to go for Firewall Premium? Please let me know your views or suggestions, and what similar things you have implemented in your Azure environment for more security.


1 answer

    Marcin Policht 36,280 Reputation points MVP
    2025-02-12T13:19:57.9566667+00:00

    Your security posture is strong, but adding ransomware-specific protections such as immutable storage, backup security, and Defender for Storage would be beneficial. If deep packet inspection, IDPS, or URL filtering is needed, Azure Firewall Premium is worth considering. Otherwise, Standard may be sufficient.

    In particular, here are some additional options to consider:

    Ransomware-specific protections

    • Immutable Storage & Versioning
      • Enable Azure Storage Blob versioning, soft delete, and immutable policies to prevent data loss.
    • Backup & Recovery Strategy
      • Use Azure Backup with immutable vaults to prevent attackers from deleting backups.
      • Ensure backup encryption keys are stored securely in Key Vault.
    • Defender for Storage & SQL
      • Helps detect unusual access patterns that could indicate ransomware.
    • Endpoint Protection for VMs
      • Microsoft Defender for Endpoint on VMs helps detect malware and ransomware behaviors.

    Firewall considerations: Standard vs. Premium
    Azure Firewall Standard protects network resources but lacks advanced threat intelligence, TLS inspection, and malware filtering.

    Azure Firewall Premium provides:

    • TLS Inspection – Deep packet inspection for encrypted traffic.
    • Intrusion Detection & Prevention (IDPS) – Detects advanced threats.
    • Advanced Threat Intelligence – Blocks known bad IPs/domains in real-time.
    • Malware & URL Filtering – Prevents ransomware downloads via malicious sites.

    If you have internet-exposed workloads, TLS inspection and IDPS make Azure Firewall Premium a better choice. However, if your main exposure is through private endpoints and VPN, Standard might be sufficient.

    Additional hardening recommendations

    • Privileged Identity Management (PIM) for Just-in-Time (JIT) admin access.
    • Network segmentation using NSGs and private endpoints to isolate critical resources.
    • Microsoft Sentinel for collecting logs from Azure Firewall, Defender, and Key Vault for threat monitoring.
    • Azure Policy to regularly check for misconfigurations.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
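The answer above recommends blob versioning, soft delete, immutable storage and immutable backup vaults but does not show how to verify they are actually in place. The script below is an added example, not code from the answer or from Microsoft: it audits the ARM `properties` of a storage account, its blob service and a Data Protection backup vault for those settings. The resource dictionaries are constructed samples (one weak, one hardened) shaped like `az resource show` output for `Microsoft.Storage/storageAccounts`, `.../blobServices/default` and `Microsoft.DataProtection/backupVaults`; the 14-day retention floor is an assumed organisational policy, not an Azure default.

```python
"""Audit a storage account, its blob service and a backup vault for the
ransomware safeguards recommended in the answer: blob versioning, blob and
container soft delete, locked account-level immutability, and an immutable,
soft-delete-enabled backup vault.

All resource dictionaries below are CONSTRUCTED samples shaped like the ARM
`properties` of the respective resources; in practice load them from
`az resource show --ids <resource id>` output."""

MIN_RETENTION_DAYS = 14  # assumed organisational floor, not an Azure default


def audit_blob_service(props: dict) -> list:
    """Versioning and soft delete give you something to roll back to after a
    mass overwrite or delete. Returns a list of findings (empty = compliant)."""
    findings = []
    if not props.get("isVersioningEnabled", False):
        findings.append("blob versioning disabled")
    for key, label in (("deleteRetentionPolicy", "blob"),
                       ("containerDeleteRetentionPolicy", "container")):
        policy = props.get(key) or {}
        if not policy.get("enabled"):
            findings.append(f"{label} soft delete disabled")
        elif policy.get("days", 0) < MIN_RETENTION_DAYS:
            findings.append(f"{label} soft delete retention {policy['days']}d "
                            f"below {MIN_RETENTION_DAYS}d")
    return findings


def audit_storage_account(account: dict) -> list:
    """A Locked account-level immutability policy cannot be removed by a
    compromised administrator, which soft delete alone does not guarantee."""
    imm = account.get("properties", {}).get("immutableStorageWithVersioning") or {}
    if not imm.get("enabled"):
        return ["account-level immutability not enabled"]
    state = (imm.get("immutabilityPolicy") or {}).get("state")
    if state != "Locked":
        return [f"immutability policy state is {state!r}, not Locked"]
    return []


def audit_backup_vault(vault: dict) -> list:
    """Backups are the usual ransomware target: the vault itself must be
    immutable (Locked) and protected by soft delete."""
    findings = []
    sec = vault.get("properties", {}).get("securitySettings") or {}
    imm_state = (sec.get("immutabilitySettings") or {}).get("state", "Disabled")
    if imm_state != "Locked":
        findings.append(f"backup vault immutability is {imm_state}, not Locked")
    soft_state = (sec.get("softDeleteSettings") or {}).get("state", "Off")
    if soft_state not in ("On", "AlwaysOn"):
        findings.append("backup vault soft delete is off")
    return findings


def run_audit(blob_props: dict, account: dict, vault: dict) -> dict:
    """Collect findings per resource; an empty dict means every check passed."""
    report = {
        "blobService": audit_blob_service(blob_props),
        "storageAccount": audit_storage_account(account),
        "backupVault": audit_backup_vault(vault),
    }
    return {name: issues for name, issues in report.items() if issues}


# Constructed sample resources: a typical default-ish deployment and a hardened one.
WEAK_BLOB_SERVICE = {
    "isVersioningEnabled": False,
    "deleteRetentionPolicy": {"enabled": True, "days": 7},
    "containerDeleteRetentionPolicy": {"enabled": False},
}
HARDENED_BLOB_SERVICE = {
    "isVersioningEnabled": True,
    "deleteRetentionPolicy": {"enabled": True, "days": 30},
    "containerDeleteRetentionPolicy": {"enabled": True, "days": 30},
}
WEAK_ACCOUNT = {"name": "stsampledata", "properties": {}}
HARDENED_ACCOUNT = {"name": "stsampledata", "properties": {
    "immutableStorageWithVersioning": {
        "enabled": True,
        "immutabilityPolicy": {"immutabilityPeriodSinceCreationInDays": 30,
                               "state": "Locked"}}}}
WEAK_VAULT = {"name": "bv-sample", "properties": {"securitySettings": {
    "immutabilitySettings": {"state": "Unlocked"},
    "softDeleteSettings": {"state": "Off"}}}}
HARDENED_VAULT = {"name": "bv-sample", "properties": {"securitySettings": {
    "immutabilitySettings": {"state": "Locked"},
    "softDeleteSettings": {"state": "AlwaysOn", "retentionDurationInDays": 14}}}}


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_BLOB_SERVICE, WEAK_ACCOUNT, WEAK_VAULT)),
                        ("hardened", (HARDENED_BLOB_SERVICE, HARDENED_ACCOUNT,
                                      HARDENED_VAULT))):
        print(label, run_audit(*args) or "no findings")
```

Run it periodically (or wire it into the Azure Policy checks the answer mentions) against the real resource JSON; any non-empty finding list is a gap an attacker with storage or backup permissions could exploit to make recovery impossible.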

