Azure Security best practice: Monitor for Potential Attacks

This is Part#4 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Security Operations – Azure Alerts

What : Enable Azure Security Center security alerts

Why : Azure Security Center provides actionable detections for common attack methods, which saves your team significant effort on query development.

These alerts are tuned for a high true-positive rate by leveraging Microsoft's extensive threat intelligence, advanced machine learning, industry-leading Endpoint Detection & Response (EDR; see the MITRE ATT&CK evaluation report), and other approaches.

How : Enable Azure Security Center on the Standard tier (threat-detection alerts are a Standard-tier feature, and the Standard tier gives you full control over all the security options)

Azure Security Center Alerts

Security Operations – Centralized Visibility

Use Azure Security Center and Azure Sentinel to create your own Security Dashboard.

Azure Security Center is focused on protection and governance of Azure workloads by assessing risk to them, reducing attack surface, and generating alerts on potential threats using advanced threat detection technologies. The roles that use ASC typically include security engineers and GRC professionals who report risk to the CISO.

Azure Sentinel is focused on monitoring all environments and is used by SOC analysts. It ingests alerts and security-related events from any source (Microsoft security solutions, third-party products, custom rules). Azure Sentinel is built for security analysts and SOC managers to make their work easier and more effective. It is designed to simplify applying advanced technologies such as machine learning and User and Entity Behavior Analytics (UEBA) to the variety of data sets you monitor, and it is complemented by other Microsoft Threat Protection solutions that provide specialized investigation of hosts, email, identity attacks, and more.

Azure Security Operations – Centralized Visibility

Azure Security best practice: Enterprise segmentation & Zero Trust preparation

This is Part#3 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Align segmentation strategy & teams by unifying network, identity, app, etc. into a single enterprise segmentation strategy (as you migrate to Azure).

SEGMENTATION STRATEGY

What : Identify the security segments your organization needs in order to contain risk

Why : A clear and simple segmentation strategy is one that all stakeholders (IT, Security, Business Units) can understand and support. This clarity reduces the risk of human errors and automation failures that can lead to security vulnerabilities, operational downtime, or both.

How : Select the segmentation approaches from the reference design and assign permissions and network controls as appropriate.

A Good Segmentation Strategy:

1. Enables Operations – Minimizes operational friction by aligning to business practices and applications

2. Contains Risk – Adds cost and friction to attackers by

  • Isolating sensitive workloads from compromise of other assets
  • Isolating high-exposure systems from being used as a pivot to other systems

3. Is Monitored – Security Operations should monitor for potential violations of the integrity of the segments (account usage, unexpected traffic, etc.)
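To make the "Is Monitored" point concrete, here is an added example (not from the original post, and not Microsoft code) that checks NSG flow-log tuples against a segment design. The address plan in SEGMENTS, the ALLOWED matrix and the sample flows are all constructed for illustration; the tuple layout follows NSG flow-log version 1 (timestamp, source IP, destination IP, source port, destination port, protocol, direction, decision), and version 2 tuples parse too because only the first eight fields are read.

```python
import ipaddress
from collections import Counter

# Assumed example address plan for four segments (hypothetical, not from the page).
SEGMENTS = {
    "dmz":  ipaddress.ip_network("10.0.1.0/24"),
    "app":  ipaddress.ip_network("10.0.2.0/24"),
    "data": ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}

# Directed (source -> destination) segment pairs the design permits.
# Anything not listed here, and not intra-segment, is a policy violation.
ALLOWED = {
    ("external", "dmz"),
    ("dmz", "app"),
    ("app", "data"),
    ("mgmt", "dmz"), ("mgmt", "app"), ("mgmt", "data"),
}


def segment_of(ip: str) -> str:
    """Map an IP to its segment name; anything outside the plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def parse_flow_tuple(flow: str) -> dict:
    """Parse one NSG flow-log v1 tuple:
    timestamp,srcIp,dstIp,srcPort,dstPort,protocol(T/U),direction(I/O),decision(A/D)
    """
    ts, src, dst, sport, dport, proto, direction, decision = flow.split(",")[:8]
    return {
        "ts": int(ts), "src": src, "dst": dst,
        "dport": int(dport), "proto": proto,
        "direction": direction, "decision": decision,
    }


def find_segment_findings(flows):
    """Return one finding per flow that crosses a segment boundary not in ALLOWED.

    'segment_violation': the NSG *allowed* traffic the design forbids, i.e. the
    boundary is not actually enforced (or a rule drifted).
    'blocked_attempt':  the NSG denied it, but something inside a segment is
    trying to reach another one and deserves a look (scanning, pivot attempt).
    """
    findings = []
    for raw in flows:
        f = parse_flow_tuple(raw)
        src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
        if src_seg == dst_seg or (src_seg, dst_seg) in ALLOWED:
            continue
        findings.append({
            "kind": "segment_violation" if f["decision"] == "A" else "blocked_attempt",
            "path": f"{src_seg}->{dst_seg}",
            "src": f["src"], "dst": f["dst"], "dport": f["dport"], "ts": f["ts"],
        })
    return findings


def summarize(findings):
    """Count findings per (kind, path) so a dashboard can show the noisy pairs first."""
    return Counter((x["kind"], x["path"]) for x in findings)


# Constructed sample tuples (same field layout as NSG flow-log v1 records).
SAMPLE_FLOWS = [
    "1597000000,203.0.113.5,10.0.1.10,51000,443,T,I,A",   # internet -> dmz: fine
    "1597000001,10.0.1.10,10.0.2.20,52000,8080,T,O,A",    # dmz -> app: fine
    "1597000002,10.0.1.10,10.0.3.30,52001,1433,T,O,A",    # dmz -> data, allowed by NSG: violation
    "1597000003,10.0.2.20,10.0.9.5,52002,22,T,O,D",       # app -> mgmt, denied: attempt
    "1597000004,203.0.113.5,10.0.3.30,51001,1433,T,I,A",  # internet -> data, allowed: violation
    "1597000005,10.0.2.21,10.0.2.20,52003,8080,T,O,A",    # intra-segment: fine
]

if __name__ == "__main__":
    for finding in find_segment_findings(SAMPLE_FLOWS):
        print(finding)
    print(summarize(find_segment_findings(SAMPLE_FLOWS)))
```

Two kinds of findings come out: allowed cross-segment traffic means the boundary is not enforced (a rule drifted, or the design was never implemented), and denied attempts point at a host probing across segments. In production, feed the tuples from the flow-log storage account or from whatever SIEM ingests them, and alert on both kinds.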

Azure Security best practice: Administration – Account protection

This is Part#2 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Passwordless Or Multi-factor Authentication For Admins

What : Require all critical impact admins to be passwordless (preferred) or require MFA.

Why : Passwords alone cannot protect accounts against common attacks such as phishing, password spray and credential replay.

How :

  • Passwordless (Windows Hello)
  • Passwordless (Authenticator App)
  • Multifactor Authentication
  • 3rd Party MFA Solution

No Standing Access

What : No standing access for critical impact admins

Why : Permanent privileges increase business risk by enlarging the attack surface of the accounts: the longer a privilege is held, the longer a compromised credential can be abused.

How :

  • Just in Time : Enable Azure AD PIM (or a 3rd-party solution) for all of these accounts
  • Break glass : Define a break-glass process for emergency accounts (preferred for low-use accounts such as Global Administrator)

Azure Security best practice: Operationalize Secure Score for cleaning up risk

This is Part#1 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

What – Assign stakeholders to use Secure Score in Azure Security Center to monitor risk profile and continuously improve security posture

Why – Rapidly identifying and remediating common security hygiene risks can significantly reduce overall risk

How – Set up a regular cadence (typically monthly) to review Azure secure score and plan initiatives with specific improvement goals. Gamify the activity if possible to increase engagement.

Suggested Process Owners


Common cloud security threats we see in the wild


The biggest question now is how to protect your Azure environment against all of those threats. The short answer: protect your cloud workloads from threats using Azure Security Center and Azure Policy.

A go-do list to protect your workloads against threats:

  1. Good hygiene comes first: strengthen your cloud security posture
  2. Turn on threat protection for all cloud resources
  3. Reduce the attack surface of VMs with JIT, network and application controls
  4. Integrate alerts into your SIEM or ticketing system and notify application owners
  5. Identify the root cause of each alert and feed it back into your security hygiene
  6. Bring security controls together using a standard such as Azure CIS, NIST 800-53 or ISO 27001
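Step 4 above is where most teams stall, so here is an added example (not code from the post) of the routing logic that sits between Security Center alerts and a ticketing system: a severity gate, de-duplication per alert and entity, and owner lookup from the resource group of the affected resource. The owner map, mailboxes and alert records are constructed; the alert field names mirror the columns (AlertName, AlertSeverity, CompromisedEntity, ResourceId, TimeGenerated) you get when the alerts land in Log Analytics, but every value is made up.

```python
import re
from datetime import datetime, timedelta

# Constructed resource-group inventory: owner tags as an operator would export them
# (hypothetical names; the page does not name any resource groups).
RG_OWNERS = {
    "rg-payments-prod": "payments-team@example.com",
    "rg-web-prod": "web-team@example.com",
}
SOC_QUEUE = "soc@example.com"         # fallback when no owner tag exists
MIN_SEVERITY = "Medium"               # below this, route nowhere
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
DEDUP_WINDOW = timedelta(hours=1)

_RG_RE = re.compile(r"/resourceGroups/([^/]+)/", re.IGNORECASE)


def resource_group_of(resource_id):
    """Pull the resource-group name out of an ARM resource ID (case-insensitive)."""
    m = _RG_RE.search(resource_id or "")
    return m.group(1) if m else None


def route_alerts(alerts):
    """Turn alert records into ticket dicts, one per (alert name, entity) per window.

    Each alert is a dict with at least AlertName, AlertSeverity, CompromisedEntity,
    ResourceId and TimeGenerated (ISO 8601, UTC 'Z' suffix).
    """
    tickets, last_seen = [], {}
    for a in sorted(alerts, key=lambda x: x["TimeGenerated"]):
        if SEVERITY_RANK.get(a["AlertSeverity"], 0) < SEVERITY_RANK[MIN_SEVERITY]:
            continue
        ts = datetime.fromisoformat(a["TimeGenerated"].replace("Z", "+00:00"))
        key = (a["AlertName"], a["CompromisedEntity"])
        # Suppress repeats of the same alert on the same entity within the window,
        # so a noisy detection becomes one ticket rather than a flood.
        if key in last_seen and ts - last_seen[key] < DEDUP_WINDOW:
            continue
        last_seen[key] = ts
        rg = resource_group_of(a.get("ResourceId"))
        tickets.append({
            "title": f'[{a["AlertSeverity"]}] {a["AlertName"]} on {a["CompromisedEntity"]}',
            "resource_group": rg,
            "assignee": RG_OWNERS.get(rg, SOC_QUEUE),  # untagged RG -> SOC picks it up
            "cc": SOC_QUEUE,                            # the SOC always sees the ticket
            "opened_at": ts.isoformat(),
        })
    return tickets


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM_PAY = f"{SUB}/resourceGroups/rg-payments-prod/providers/Microsoft.Compute/virtualMachines/vm-pay-01"
DB_WEB = f"{SUB}/resourceGroups/rg-web-prod/providers/Microsoft.Sql/servers/sql-web-01/databases/webdb"
VM_ORPHAN = f"{SUB}/resourceGroups/rg-sandbox/providers/Microsoft.Compute/virtualMachines/vm-orphan-01"

# Constructed sample alerts (field names follow the SecurityAlert table; values are made up).
SAMPLE_ALERTS = [
    {"TimeGenerated": "2020-08-10T09:00:00Z", "AlertName": "Suspicious SSH brute-force attempt",
     "AlertSeverity": "High", "CompromisedEntity": "vm-pay-01", "ResourceId": VM_PAY},
    {"TimeGenerated": "2020-08-10T09:20:00Z", "AlertName": "Suspicious SSH brute-force attempt",
     "AlertSeverity": "High", "CompromisedEntity": "vm-pay-01", "ResourceId": VM_PAY},
    {"TimeGenerated": "2020-08-10T09:30:00Z", "AlertName": "Potential SQL injection",
     "AlertSeverity": "Medium", "CompromisedEntity": "sql-web-01/webdb", "ResourceId": DB_WEB},
    {"TimeGenerated": "2020-08-10T09:40:00Z", "AlertName": "Access from unusual location",
     "AlertSeverity": "Low", "CompromisedEntity": "sql-web-01/webdb", "ResourceId": DB_WEB},
    {"TimeGenerated": "2020-08-10T10:30:00Z", "AlertName": "Suspicious SSH brute-force attempt",
     "AlertSeverity": "High", "CompromisedEntity": "vm-pay-01", "ResourceId": VM_PAY},
    {"TimeGenerated": "2020-08-10T10:45:00Z", "AlertName": "Crash dump analysis",
     "AlertSeverity": "Medium", "CompromisedEntity": "vm-orphan-01", "ResourceId": VM_ORPHAN},
]

if __name__ == "__main__":
    for t in route_alerts(SAMPLE_ALERTS):
        print(t)
```

Of the six sample alerts, four become tickets: the repeat at 09:20 is suppressed by the window, the Low-severity one never passes the gate, and the alert on the untagged sandbox group falls through to the SOC queue, which is the case you want to notice because an untagged resource usually means an unowned one.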

The last point on the above list touches upon our Managed Security Services for Azure.

Top 10 Azure Security best practices

With so many recommendations out there, you need to focus on the ones with the highest impact and the fastest implementation.

As recommended by Microsoft, here are the top 10 Azure Security best practices:

  1. Operationalize Secure Score for cleaning up risk
  2. Passwordless or MFA for admins
  3. Enterprise segmentation & Zero Trust preparation
  4. Enable Threat Protection for Azure Resources
  5. Follow the guidance to secure your DevOps
  6. Assign and Publish Roles and Responsibilities
  7. Choose a Firewall Strategy
  8. Implement Web Application Firewalls
  9. Choose DDoS Mitigation for Critical Apps
  10. Consider Retiring Legacy Classic Technology

Over the next few days, and across a few blog posts, we will explore each of these recommendations in more detail. Keep in mind that our managed Azure security services can complement, if not completely replace, all of the tasks these recommendations require of you.

How to protect Linux and Windows VMs from threats


There are many options for enhancing the security of your VMs. Here are a few that, when configured correctly, will greatly improve your security posture.

Reduce open network ports:

  • Use Just-in-Time to avoid exposure of management ports
  • Limit open ports with adaptive network hardening

Protect against malware:

  • Block malware with adaptive application controls
  • Built-in Microsoft Defender ATP EDR
  • Crash dump analysis and fileless attack detection

Use the built-in vulnerability assessment for VMs:

  • Automated deployment of the vulnerability scanner
  • Continuously scans installed applications to find vulnerabilities
  • Visibility to the vulnerability findings in Security Center portal and APIs
Protect all the VMs from threats
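An added example (not from the post) of the check behind "reduce open network ports": evaluate an NSG's inbound rules the way the platform does, lowest priority number first, and report which management ports the Internet can actually reach. The rule records use the field names of `az network nsg rule list` output; the rule set itself and its rule names are constructed. Service tags other than Internet, and application security groups, are not modelled.

```python
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Azure's default rules apply after every custom rule; the one that matters here
# is the catch-all inbound deny at priority 65500.
DEFAULT_RULES = [
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _port_ranges(rule):
    """Yield (lo, hi) tuples from destinationPortRange / destinationPortRanges."""
    ranges = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        ranges.append(rule["destinationPortRange"])
    for r in ranges:
        if r == "*":
            yield (0, 65535)
        elif "-" in r:
            lo, hi = r.split("-", 1)
            yield (int(lo), int(hi))
        else:
            yield (int(r), int(r))


def _sources(rule):
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return srcs


def _matches_internet_tcp(rule, port):
    """Does this rule match an inbound TCP connection from the Internet to `port`?"""
    if rule.get("direction") != "Inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", "tcp"):
        return False
    if not any(s in INTERNET_SOURCES for s in _sources(rule)):
        return False
    return any(lo <= port <= hi for lo, hi in _port_ranges(rule))


def effective_decision(rules, port):
    """First matching rule by ascending priority wins, exactly as the NSG evaluates it."""
    for rule in sorted(list(rules) + DEFAULT_RULES, key=lambda r: r["priority"]):
        if _matches_internet_tcp(rule, port):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"


def internet_exposed_management_ports(rules):
    """Return {port: rule_name} for every management port reachable from the Internet."""
    exposed = {}
    for port in MANAGEMENT_PORTS:
        access, name = effective_decision(rules, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


# Constructed sample rule set in the shape of `az network nsg rule list` output
# (hypothetical names and values).
SAMPLE_RULES = [
    {"name": "Allow-RDP-Anywhere", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "Deny-SSH-Internet", "priority": 310, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "Allow-All-Tcp", "priority": 400, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
    {"name": "Allow-WinRM-Corp", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefixes": ["10.0.0.0/8"], "destinationPortRanges": ["5985-5986"]},
]

if __name__ == "__main__":
    print(internet_exposed_management_ports(SAMPLE_RULES))
```

On the sample set, SSH is blocked by the explicit deny, but RDP is open by name and both WinRM ports are open through the wildcard "Allow-All-Tcp" rule, which is the kind of exposure a port-by-port review misses. Just-in-Time access works by inserting a short-lived allow rule ahead of these, so a JIT-opened port will also show up here during its window; adaptive network hardening is what tells you which of the remaining wide rules can be narrowed.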

How does your company understand the quality of their security posture against industry recognized security standards?

The goal of cyber security standards is to improve the security of information technology (IT) systems, networks, and critical infrastructures. A cyber security standard defines both functional and assurance requirements within a product, system, process, or technology environment. A standard must address user needs, but must also be practical since cost and technological limitations must be considered in building products to meet the standard. Additionally, a standard’s requirements must be verifiable; otherwise, users cannot assess security even when products are tested against the standard.

Many organizations' security needs are driven by compliance requirements. Azure Security Center measures compliance against the following standards:

  • Azure CIS 1.1.0 (Center for Internet Security): set of security controls for Azure published by the Center for Internet Security.
  • PCI DSS 3.2.1 (PCI Security Standards Council): standards required for organizations that handle payment card data.
  • ISO 27001 (International Organization for Standardization): set of security controls for information security management systems; ISO 27017 is the cloud-computing-specific companion standard.
  • NIST 800-53 (National Institute of Standards and Technology): Security and Privacy Controls for Federal Information Systems and Organizations.

Our proposal: let us manage your security compliance!

Managed Azure Security Services

Advanced Threat Protection for Azure SQL Database

How can your company improve the security of Azure SQL instances?

Azure has built-in functionality for discovering and classifying sensitive data, surfacing and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to your database.

Those powerful features are part of the Advanced Data Security (ADS) package for advanced SQL security. Specifically, Advanced Threat Protection for Azure SQL Database and SQL Data Warehouse detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases:

  • Vulnerability to SQL Injection
  • Potential SQL injection
  • Access from unusual location
  • Access from unusual data center
  • Access from unfamiliar principal
  • Access from potentially harmful application
  • Brute force SQL Credentials
Advanced Threat Protection for Azure SQL Database

The cost of ADS is aligned with Azure Security Center standard tier pricing per node, where a node is the entire SQL Database server or managed instance. You are thus paying only once for protecting all databases on the database server or managed instance with ADS.
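To show what the first two alert types in the list above are looking for, here is an added example (not from the post, and using SQLite in place of Azure SQL Database so it runs offline) with the vulnerable query beside its parameterized form. The customers table and its rows are constructed.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the database (constructed data; not Azure SQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers (name, card_last4) VALUES (?, ?)",
                     [("Alice", "1111"), ("Bob", "2222"), ("O'Brien", "3333")])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by string formatting, so caller-controlled input
    becomes SQL. Unexpected input yields faulty statements; crafted input
    rewrites the WHERE clause."""
    sql = f"SELECT id, name, card_last4 FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound parameter: the input is always data, never SQL."""
    return conn.execute(
        "SELECT id, name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Return what each version gives for a normal name, an apostrophe, and a payload."""
    conn = make_db()
    results = {}
    for label, fn in (("vulnerable", lookup_vulnerable), ("parameterized", lookup_parameterized)):
        out = {}
        out["alice"] = len(fn(conn, "Alice"))
        try:
            out["obrien"] = len(fn(conn, "O'Brien"))
        except sqlite3.OperationalError:
            out["obrien"] = "syntax error"   # the faulty statement an apostrophe produces
        out["payload"] = len(fn(conn, "x' OR '1'='1"))   # classic tautology payload
        results[label] = out
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable version produces a syntax error on an ordinary apostrophe and returns the whole table for the classic payload; the parameterized version treats both as plain data. Faulty statements and queries that suddenly return far more than they should are exactly the database-side signals a detection service can pick up, so fixing the query pattern removes both the risk and the alert noise.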

Another feature, also part of the above-mentioned ADS package, is SQL Vulnerability Assessment.

Vulnerability Assessment is a scanning service built into the Azure SQL Database service. It employs a knowledge base of rules that flag security vulnerabilities and highlight deviations from best practices, such as misconfigurations, excessive permissions, and unprotected sensitive data. The rules are based on Microsoft's best practices and focus on the security issues that present the biggest risks to your database and its valuable data. We recommend running this service regularly, as it provides valuable insight into your database security posture.

Privileged Identity Management

How does your company ensure that administrative tasks are only performed by authorized users?

Organizations want to minimize the number of people who have access to secure information or resources, because that reduces the chance of a malicious actor gaining that access, or of an authorized user inadvertently impacting a sensitive resource. However, users still need to carry out privileged operations in Azure AD, Azure, Office 365, or SaaS apps. Organizations can give users just-in-time privileged access to Azure resources and Azure AD, but they also need oversight of what those users do with their administrator privileges.

By using Privileged Identity Management, you can enable time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about.

Privileged Identity Management in Azure

Using this feature requires an Azure AD Premium P2 license.
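Both the "No Standing Access" section of Part#2 and this one recommend PIM for just-in-time activation; the example below (added here, not from the post) is the audit you run first to find where standing privileged access still exists. It reads the shape of `az role assignment list --all` output; the assignments and principals are constructed, and the break-glass allow-list holds a hypothetical account name.

```python
import re

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Break-glass accounts are expected to hold standing access; list them so they
# are reported but flagged separately rather than treated as findings to fix.
BREAK_GLASS = {"breakglass-01@example.com"}       # hypothetical

_SUB_RE = re.compile(r"^/subscriptions/[^/]+$", re.IGNORECASE)
_RG_RE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.IGNORECASE)
_MG_RE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/", re.IGNORECASE)


def scope_level(scope: str) -> str:
    """Classify an assignment scope as root, managementGroup, subscription,
    resourceGroup or resource."""
    if scope == "/":
        return "root"
    if _MG_RE.match(scope):
        return "managementGroup"
    if _SUB_RE.match(scope):
        return "subscription"
    if _RG_RE.match(scope):
        return "resourceGroup"
    return "resource"


def find_standing_privileged(assignments):
    """Every assignment in an `az role assignment list` export is an *active*
    assignment; PIM-eligible roles only appear here while activated. So a
    privileged role at subscription scope or above, or Owner at any scope,
    is standing access, and is flagged unless the principal is break-glass.
    """
    findings = []
    for a in assignments:
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        broad = level in ("root", "managementGroup", "subscription")
        if not (role in PRIVILEGED_ROLES and (broad or role == "Owner")):
            continue
        findings.append({
            "principal": a["principalName"],
            "principalType": a["principalType"],
            "role": role,
            "scopeLevel": level,
            "scope": a["scope"],
            "breakGlass": a["principalName"] in BREAK_GLASS,
        })
    # Broadest scope first, then by principal, so the worst offenders lead the report.
    order = {"root": 0, "managementGroup": 1, "subscription": 2, "resourceGroup": 3, "resource": 4}
    return sorted(findings, key=lambda f: (order[f["scopeLevel"]], f["principal"]))


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
# Constructed sample in the shape of `az role assignment list --all` output
# (hypothetical principals).
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "breakglass-01@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/providers/Microsoft.Management/managementGroups/root-mg"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": f"{SUB}/resourceGroups/rg-web-prod"},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": f"{SUB}/resourceGroups/rg-web-prod"},
    {"principalName": "dave@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "ci-deployer", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
]

if __name__ == "__main__":
    for f in find_standing_privileged(SAMPLE_ASSIGNMENTS):
        print(f)
```

Anything reported outside the break-glass list is a candidate to convert to a PIM-eligible assignment; the service principal with subscription-wide Contributor is the usual surprise, since PIM does not cover it and it needs a narrower scope instead. Azure AD directory roles such as Global Administrator are not in this export and need a separate review in PIM.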