Security Control v3: Posture and vulnerability management
Posture and Vulnerability Management focuses on controls for assessing and improving Azure security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in Azure resources.
PV-1: Define and establish secure configurations
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
4.1, 4.2 | CM-2, CM-6 | 1.1 |
Security Principle: Define the secure configuration baselines for different resource types in the cloud. Alternatively, use configuration management tools to establish the configuration baseline automatically before or during resource deployment so the environment can be compliant by default after the deployment.
Azure Guidance: Use the Azure Security Benchmark and service baseline to define your configuration baseline for each respective Azure offering or service. Refer to Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical security controls and configurations that may need across Azure resources.
Use Azure Blueprints to automate deployment and configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and policies, in a single blueprint definition.
Implementation and additional context:
- Illustration of Guardrails implementation in Enterprise Scale Landing Zone
- Working with security policies in Microsoft Defender for Cloud
- Tutorial: Create and manage policies to enforce compliance
- Azure Blueprints
Customer Security Stakeholders (Learn more):
PV-2: Audit and enforce secure configurations
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
4.1, 4.2 | CM-2, CM-6 | 2.2 |
Security Principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration.
Azure Guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources.
Use Azure Policy [deny] and [deploy if not exist] rule to enforce secure configuration across Azure resources.
For resource configuration audit and enforcement not supported by Azure Policy, you may need to write your own scripts or use third-party tooling to implement the configuration audit and enforcement.
Implementation and additional context:
- Understand Azure Policy effects
- Create and manage policies to enforce compliance
- Get compliance data of Azure resources
Customer Security Stakeholders (Learn more):
PV-3: Define and establish secure configurations for compute resources
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
4.1 | CM-2, CM-6 | 2.2 |
Security Principle: Define the secure configuration baselines for your compute resources, such as VMs and containers. Use configuration management tools to establish the configuration baseline automatically before or during the compute resource deployment so the environment can be compliant by default after the deployment. Alternatively, use a pre-configured image to build the desired configuration baseline into the compute resource image template.
Azure Guidance: Use Azure recommended operating system baseline (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline.
Additionally, you can use custom VM image or container image with Azure Policy guest configuration and Azure Automation State Configuration to establish the desired security configuration.
Implementation and additional context:
- Linux OS security configuration baseline
- Windows OS security configuration baseline
- Security configuration recommendation for compute resources
- Azure Automation State Configuration Overview
Customer Security Stakeholders (Learn more):
PV-4: Audit and enforce secure configurations for compute resources
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
4.1 | CM-2, CM-6 | 2.2 |
Security Principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploy a configuration in compute resources.
Azure Guidance: Use Microsoft Defender for Cloud and Azure Policy guest configuration agent to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements.
Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.
Implementation and additional context:
- How to implement Microsoft Defender for Cloud vulnerability assessment recommendations
- How to create an Azure virtual machine from an ARM template
- Azure Automation State Configuration overview
- Create a Windows virtual machine in the Azure portal
- Container security in Microsoft Defender for Cloud
Customer Security Stakeholders (Learn more):
PV-5: Perform vulnerability assessments
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
5.5, 7.1, 7.5, 7.6 | RA-3, RA-5 | 6.1, 6.2, 6.6 |
Security Principle: Perform vulnerabilities assessment for your cloud resources at all tiers in a fixed schedule or on-demand. Track and compare the scan results to verify the vulnerabilities are remediated. The assessment should include all type of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on.
Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning.
Azure Guidance: Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machine scan. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications)
Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data.
When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.
Note: Azure Defender services (including Defender for server, container registry, App Service, SQL, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from Microsoft Defender for Cloud vulnerability scanning tool.
Note: Ensure your setup email notifications in Microsoft Defender for Cloud.
Implementation and additional context:
- How to implement Microsoft Defender for Cloud vulnerability assessment recommendations
- Integrated vulnerability scanner for virtual machines
- SQL vulnerability assessment
- Exporting Microsoft Defender for Cloud vulnerability scan results
Customer Security Stakeholders (Learn more):
PV-6: Rapidly and automatically remediate vulnerabilities
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
7.2, 7.3, 7.4, 7.7 | RA-3, RA-5, SI-2: FLAW REMEDIATION | 6.1, 6.2, 6.5, 11.2 |
Security Principle: Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of the vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
Azure Guidance: Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.
For third-party software, use a third-party patch management solution or System Center Updates Publisher for Configuration Manager.
Prioritize which updates to deploy first using a common risk scoring program (such as Common Vulnerability Scoring System) or the default risk ratings provided by your third-party scanning tool and tailor to your environment. You should also consider which applications present a high security risk and which ones require high uptime.
Implementation and additional context:
- How to configure Update Management for virtual machines in Azure
- Manage updates and patches for your Azure VMs
Customer Security Stakeholders (Learn more):
PV-7: Conduct regular red team operations
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
18.1, 18.2, 18.3, 18.4, 18.5 | CA-8, RA-5 | 6.6, 11.2, 11.3 |
Security Principle: Simulate real-world attacks to provide a more complete view of your organization's vulnerability. Red team operations and penetration testing complement the traditional vulnerability scanning approach to discover risks.
Follow industry best practices to design, prepare and conduct this kind of testing to ensure it will not cause damage or disruption to your environment. This should always include discussing testing scope and constraints with relevant stakeholders and resource owners.
Azure Guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.
Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications.
Implementation and additional context:
- Penetration testing in Azure
- Penetration Testing Rules of Engagement
- Microsoft Cloud Red Teaming
- Technical Guide to Information Security Testing and Assessment
Customer Security Stakeholders (Learn more):