Muokkaa

Jaa


Zero trust and Defender for Cloud

This article provides strategy and instructions for integrating zero trust infrastructure solutions with Microsoft Defender for Cloud. The guidance includes integrations with other solutions, including security information and event management (SIEM), security orchestration automated response (SOAR), endpoint detection and response (EDR), and IT service management (ITSM) solutions.

Infrastructure comprises the hardware, software, micro-services, networking infrastructure, and facilities required to support IT services for an organization. Whether on-premises or multicloud, infrastructure represents a critical threat vector.

Zero Trust infrastructure solutions assess, monitor, and prevent security threats to your infrastructure. Solutions support the principles of zero trust by ensuring that access to infrastructure resources is verified explicitly, and granted using principles of least privilege access. Mechanisms assume breach, and look for and remediate security threats in infrastructure.

What is zero trust?

Zero Trust is a security strategy for designing and implementing the following sets of security principles:

Verify explicitly Use least privilege access Assume breach
Always authenticate and authorize based on all available data points. Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.

Zero Trust and Defender for Cloud

Zero Trust infrastructure deployment guidance provides key stages of zero trust infrastructure strategy:

  1. Assess compliance with chosen standards and policies.
  2. Harden configuration wherever gaps are found.
  3. Employ other hardening tools such as just-in-time (JIT) VM access.
  4. Set up threat protection.
  5. Automatically block and flag risky behavior and take protective actions.

Here's how these stages map to Defender for Cloud.

Goal Defender for Cloud
Assess compliance In Defender for Cloud, every subscription automatically has the Microsoft cloud security benchmark (MCSB) security initiative assigned.
Using the secure score tools and the regulatory compliance dashboard you can get a deep understanding of security posture.
Harden configuration Infrastructure and environment settings are assessed against compliance standard, and recommendations are issued based on those assessments. You can review and remediate security recommendations and [track secure score improvements] (secure-score-access-and-track.md) over time. You can prioritize which recommendations to remediate based on potential attack paths.
Employ hardening mechanisms Least privilege access is a zero trust principle. Defender for Cloud can help you to harden VMs and network settings using this principle with features such as:
Just-in-time (JIT) VM access.
Set up threat protection Defender for Cloud is a cloud workload protection platform (CWPP), providing advanced, intelligent protection of Azure and hybrid resources and workloads. Learn more.
Automatically block risky behavior Many of the hardening recommendations in Defender for Cloud offer a deny option, to prevent the creation of resources that don't satisfy defined hardening criteria. Learn more.
Automatically flag suspicious behavior Defenders for Cloud security alerts are triggered by threat detections. Defender for Cloud prioritizes and lists alerts, with information to help you investigate. It also provides detailed steps to help you remediate attacks. Review a full list of security alerts.

Apply zero trust to hybrid and multicloud scenarios

With cloud workloads commonly spanning multiple cloud platforms, cloud security services must do the same.Defender for Cloud protects workloads wherever they're running. In Azure, on-premises, AWS, or GCP.

Protect Azure PaaS services

When Defender for Cloud is available in an Azure subscription, and Defender for Cloud plans enabled for all available resource types, a layer of intelligent threat protection, powered by Microsoft Threat Intelligence protects resources in Azure PaaS services, including Azure Key Vault, Azure Storage, Azure DNS, and others. Learn more about the resource types that Defender for Cloud can secure.

Automate responses with Azure Logic Apps

Use Azure Logic Apps to build automated scalable workflows, business processes, and enterprise orchestrations to integrate your apps and data across cloud services and on-premises systems.

Defender for Cloud's workflow automation feature lets you automate responses to Defender for Cloud triggers.

This is great way to define and respond in an automated, consistent manner when threats are discovered. For example, to notify relevant stakeholders, launch a change management process, and apply specific remediation steps when a threat is detected.

Integrate with SIEM, SOAR, and ITSM solutions

Defender for Cloud can stream your security alerts into the most popular SIEM, SOAR, and ITSM solutions. There are Azure-native tools to ensure you can view your alert data in all of the most popular solutions in use today, including:

  • Microsoft Sentinel
  • Splunk Enterprise and Splunk Cloud
  • IBM's QRadar
  • ServiceNow
  • ArcSight
  • Power BI
  • Palo Alto Networks

Integrate with Microsoft Sentinel

Defender for Cloud natively integrates with Microsoft Sentinel, Microsoft's SIEM/SOAR solution.

There are two approaches to ensuring that Defender for Cloud data is represented in Microsoft Sentinel:

Stream alerts with Microsoft Graph Security API

Defender for Cloud has out-of-the-box integration with Microsoft Graph Security API. No configuration is required and there are no extra costs.

You can use this API to stream alerts from the entire tenant, and data from many other Microsoft Security products into third-party SIEMs and other popular platforms:

Stream alerts with Azure Monitor

Use Defender for Cloud's continuous export feature to connect to Azure monitor via Azure Event Hubs, and stream alerts into ArcSight, SumoLogic, Syslog servers, LogRhythm, Logz.io Cloud Observability Platform, and other monitoring solutions.

Learn more about streaming alerts to monitoring solutions.

Integrate with EDR solutions

Microsoft Defender for Endpoint

Defender for Endpoint is a holistic, cloud-delivered endpoint security solution. The Defender for Cloud servers workload plan, Defender for Servers, includes an integrated license for Defender for Endpoint. Together, they provide comprehensive EDR capabilities. Learn more about protecting endpoints.

When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Defender for Cloud. From Defender for Cloud, you can pivot to the Defender for Endpoint console and perform a detailed investigation to uncover the scope of the attack.

Other EDR solutions

Defender for Cloud provides health assessment of supported versions of EDR solutions.

Defender for Cloud provides recommendations based on the Microsoft security benchmark. One of the controls in the benchmark relates to endpoint security: ES-1: Use Endpoint Detection and Response (EDR). There are two recommendations to ensure you've enabled endpoint protection and it's running well. Learn more about assessment for supported EDR solutions in Defender for Cloud.

Next steps

Start planning multicloud protection.