Azure DDoS protection

Azure Security best practice: Mitigate DDoS Attacks

This is Part#9 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Enable DDoS protection beyond the default free tier

What : Enable DDoS mitigations for all business-critical web applications and services

Why : DDoS attacks are prevalent and very inexpensive to purchase on dark markets

How : Evaluate and select the best option for protecting your critical applications and services

  • Azure DDoS standard
  • 3rd party service

Azure includes basic Distributed Denial of Service (DDoS) protection, which can be upgraded to the Standard offering.

The basic capabilities apply to all workloads in Azure, because this protection is applied to all Microsoft properties on Microsoft's network (which also includes services like Office 365, Windows Update, Xbox Live, etc.).

The standard offering adds local visibility and control for your workloads with:

  • Advanced protection for your virtual network resources
  • Automatic mitigation for 60+ network layer attacks
  • Adaptive tuning via application traffic profiling and machine learning algorithms
  • Real-time monitoring and alerting in Azure Monitor
  • Integration with WAF application layer protection
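The Standard tier is a property of a DDoS protection plan attached to a virtual network, so "enable it" in practice means creating one plan and binding the VNets that host public IPs to it. The following Az PowerShell script is an added example, not code from this article or from Microsoft's documentation; the resource group, region, plan, VNet and action group names are placeholders, and the Azure Monitor alert at the end assumes a public IP resource whose id is supplied in the same way.

```powershell
# Added example (not from the original article): enable Azure DDoS Protection Standard for an
# existing virtual network with the Az PowerShell module, then list VNets still on Basic.
# All names below are placeholders (assumptions for illustration).
$rg            = 'rg-edge-prod'        # placeholder resource group
$location      = 'westeurope'          # placeholder region
$planName      = 'ddos-plan-prod'      # placeholder plan name
$vnetName      = 'vnet-hub-prod'       # placeholder VNet hosting internet-facing workloads
$publicIpId    = '/subscriptions/<sub-id>/resourceGroups/rg-edge-prod/providers/Microsoft.Network/publicIPAddresses/pip-appgw'  # placeholder
$actionGroupId = '/subscriptions/<sub-id>/resourceGroups/rg-ops/providers/microsoft.insights/actionGroups/ag-soc'              # placeholder

# 1. One DDoS protection plan can cover many VNets, so create it once in a central resource group.
$plan = Get-AzDdosProtectionPlan -ResourceGroupName $rg -Name $planName -ErrorAction SilentlyContinue
if (-not $plan) {
    $plan = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name $planName -Location $location
}

# 2. Attach the plan to the VNet whose public IPs you want covered.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.DdosProtectionPlan    = New-Object Microsoft.Azure.Commands.Network.Models.PSResourceId
$vnet.DdosProtectionPlan.Id = $plan.Id
$vnet.EnableDdosProtection  = $true
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Verify across the subscription: any VNet with internet-facing resources that still
#    reports EnableDdosProtection = False is only covered by the Basic tier.
Get-AzVirtualNetwork |
    Where-Object { -not $_.EnableDdosProtection } |
    Select-Object Name, ResourceGroupName

# 4. Real-time alerting in Azure Monitor: the public IP metric 'IfUnderDDoSAttack' is 1 while
#    mitigation is active. Fire a severity-1 alert to the SOC action group when it exceeds 0.
$condition = New-AzMetricAlertRuleV2Criteria -MetricName 'IfUnderDDoSAttack' `
    -TimeAggregation Maximum -Operator GreaterThan -Threshold 0
Add-AzMetricAlertRuleV2 -Name 'ddos-under-attack' -ResourceGroupName $rg `
    -TargetResourceId $publicIpId -Condition $condition -ActionGroupId $actionGroupId `
    -WindowSize 00:05:00 -Frequency 00:01:00 -Severity 1 | Out-Null
```

Step 3 is the check worth keeping in a scheduled job: new VNets created by application teams default to the Basic tier, so an unattached VNet is the usual way coverage silently lapses.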

Azure Security best practice: Implement Web Application Firewalls (WAFs)

This is Part#8 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Use Web App Firewall on All Internet Facing Applications

What : Configure web application firewalls (WAFs) to protect all internet facing applications

Why : Common security vulnerability types are often exploited by attackers targeting applications (either as an ingress point to the environment or as the ultimate objective).
WAFs are a critical mitigation for these attacks if you don't have a mature security development lifecycle (SDL) to find and fix these vulnerabilities. WAFs also serve as an important safety measure even if you do have a mature SDL (much like a parachute in a plane).

How : Microsoft includes WAF capabilities in Azure Application Gateway and many vendors offer these capabilities as standalone security appliances or as part of next generation firewalls.
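On Application Gateway the WAF capability is a firewall policy (managed OWASP rule set plus mode) attached to a gateway running the WAF tier. The script below is an added example, not code from this article or from Microsoft; the resource names are placeholders, and it assumes the Az.Network module. It creates a policy in Prevention mode with the OWASP core rule set and then audits every gateway in the subscription for the two things that both have to be true for an internet-facing application to actually be protected.

```powershell
# Added example (not from the original article): create a WAF policy with the OWASP core rule
# set in Prevention mode, then find Application Gateways that are not WAF-protected.
# Names and the CRS version are placeholders / assumptions for illustration.
$rg         = 'rg-edge-prod'
$location   = 'westeurope'
$policyName = 'waf-policy-internet-apps'

# Managed rule set: OWASP CRS 3.2 (WAF_v2). Prevention blocks matched requests; Detection
# only logs them, which is fine while tuning but not as the steady state.
$ruleSet  = New-AzApplicationGatewayFirewallPolicyManagedRuleSet -RuleSetType 'OWASP' -RuleSetVersion '3.2'
$managed  = New-AzApplicationGatewayFirewallPolicyManagedRule -ManagedRuleSet $ruleSet
$settings = New-AzApplicationGatewayFirewallPolicySetting -Mode 'Prevention' -State 'Enabled' `
    -RequestBodyCheck $true -MaxRequestBodySizeInKb 128 -FileUploadLimitInMb 100

$policy = New-AzApplicationGatewayFirewallPolicy -Name $policyName -ResourceGroupName $rg `
    -Location $location -PolicySetting $settings -ManagedRule $managed

# Audit: a gateway is only protected if it runs the WAF tier AND has either a firewall policy
# or the legacy per-gateway WAF configuration in Prevention mode.
function Get-UnprotectedApplicationGateway {
    foreach ($gw in Get-AzApplicationGateway) {
        $isWafTier  = $gw.Sku.Tier -like 'WAF*'
        $legacyMode = $gw.WebApplicationFirewallConfiguration.FirewallMode
        $hasPolicy  = $null -ne $gw.FirewallPolicy
        if (-not $isWafTier -or -not ($hasPolicy -or $legacyMode -eq 'Prevention')) {
            [pscustomobject]@{
                Name          = $gw.Name
                ResourceGroup = $gw.ResourceGroupName
                Tier          = $gw.Sku.Tier
                HasPolicy     = $hasPolicy
                LegacyMode    = $legacyMode
            }
        }
    }
}

Get-UnprotectedApplicationGateway | Format-Table -AutoSize
```

A gateway that passes this audit can still have its policy switched to Detection mode later; if that matters in your environment, extend the check to read the referenced policy with Get-AzApplicationGatewayFirewallPolicy and confirm PolicySettings.Mode.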

Web Application Firewall

Azure Security best practice: Assign and publish roles and responsibilities

This is Part#6 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Define Clear Lines of Responsibility

What : Designate the parties responsible for specific functions in Azure

Why : Consistency helps avoid confusion that can lead to human and automation errors that create security risk.

How : Designate groups (or individual roles) that will be responsible for key centralized functions

  • Network Security – typically the existing network security team: configuration and maintenance of Azure Firewall, Network Virtual Appliances (and associated routing), WAFs, NSGs, ASGs, etc.
  • Network Management – typically the existing network operations team: enterprise-wide virtual network and subnet allocation
  • Server Endpoint Security – typically IT operations, security, or jointly: monitor and remediate server security (patching, configuration, endpoint security, etc.)
  • Incident Monitoring and Response – typically the security operations team: investigate and remediate security incidents in the SIEM or source console (Azure Security Center, Azure AD Identity Protection)
  • Policy Management – typically the GRC team + Architecture: set direction for use of Role-Based Access Control (RBAC), Azure Security Center, the administrator protection strategy, and Azure Policy to govern Azure resources
  • Identity Security and Standards – typically the Security Team + Identity Team jointly: set direction for Azure AD directories, PIM/PAM usage, MFA, password/synchronization configuration, and application identity standards

Azure Security best practice: Choose and Implement a Firewall Strategy

This is Part#7 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Internet EDGE Strategy: For your core services segment you can choose between native controls and 3rd party capabilities for internet traffic filtering.

What : Choose whether to use Native Azure Controls or 3rd party Network Virtual Appliances (NVAs) for internet edge security (North-South)

Why : Legacy workloads require network protection from internet sources and there are advantages to using either 1st or 3rd party controls to provide this.

How : Select a strategy using the comparison information below

Azure native controls – basic capabilities with simple integration & management
  • Azure Firewall + Web App Firewall (in Application Gateway): basic security that is good enough for some scenarios, with a fully stateful firewall as a service, built-in high availability, unrestricted cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration

3rd party capabilities – advanced security capabilities from existing vendors
  • Next Generation Firewall (NGFW) and other 3rd party offerings: network virtual appliances in the Azure Marketplace include familiar security tools that provide enhanced network security capabilities. Configuration is more complex, but allows you to leverage existing capabilities and skill sets
Reference Azure Firewall Configuration with Native Controls
Reference Azure Firewall Configuration with 3rd party capabilities

Azure Security best practice: Follow DevOps security guidance

This is Part#5 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

DevOps

What : Integrate guidance and automation for securing applications on the cloud

Why : Using resources and lessons learned by external organizations that are early adopters of these models can accelerate the improvement of an organization’s security posture with less expenditure of effort and resources.

How : Secure your application development / DevOps process by integrating existing guidance such as:

  • Microsoft Secure DevOps Toolkit
  • Open Web Application Security Project (OWASP) DevOps pipeline security
Securing DevOps

Azure Security best practice: Monitor for Potential Attacks

This is Part#4 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Security Operations – Azure Alerts

What : Enable Azure Security Center security Alerts

Why : Azure Security Center provides actionable detections for common attack methods which can save your team significant effort on query development.

These alerts are focused on a high true-positive rate by leveraging Microsoft's extensive threat intelligence, advanced machine learning, industry-leading Endpoint Detection & Response (EDR) (MITRE report), and other approaches.

How : Enable Azure Security Center (We recommend Standard Tier to gain full control over all the security options)
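Enabling the Standard tier is done per resource type, and the alerts it produces are only useful if someone is notified and they are pulled into the SOC's queue. The following Az.Security script is an added example, not code from this article or from Microsoft; the resource-type list, the contact address and the alert property names (those of Az.Security 1.x) are assumptions.

```powershell
# Added example (not from the original article): switch Azure Security Center to the Standard
# tier for the main workload types, set the security contact and pull active high-severity
# alerts. Resource-type list and contact address are placeholders / assumptions.
$standardPlans = 'VirtualMachines', 'SqlServers', 'AppServices', 'StorageAccounts', 'KeyVaults'
foreach ($plan in $standardPlans) {
    Set-AzSecurityPricing -Name $plan -PricingTier 'Standard' | Out-Null
}

# Anything still on Free has no threat detection: surface it rather than assume coverage.
function Get-FreeTierSecurityPlan {
    Get-AzSecurityPricing | Where-Object { $_.PricingTier -ne 'Standard' } | Select-Object Name, PricingTier
}
Get-FreeTierSecurityPlan

# Security contact so alert e-mails reach the SOC (placeholder address); -AlertAdmin also
# notifies subscription owners, -NotifyOnAlert sends mail for high-severity alerts.
Set-AzSecurityContact -Name 'default1' -Email 'soc@example.com' -AlertAdmin -NotifyOnAlert | Out-Null

# Triage view: active, high-severity alerts, newest first. Forwarding these to a SIEM is
# normally done with continuous export, but this is the same data the SOC would query.
function Get-ActiveHighSeverityAlert {
    Get-AzSecurityAlert |
        Where-Object { $_.State -eq 'Active' -and $_.Severity -eq 'High' } |
        Sort-Object StartTimeUtc -Descending |
        Select-Object AlertDisplayName, CompromisedEntity, StartTimeUtc
}
Get-ActiveHighSeverityAlert | Format-Table -AutoSize
```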

Azure Security Center Alerts

Security Operations – Centralized Visibility

Use Azure Security Center and Azure Sentinel to create your own Security Dashboard.

Azure Security Center is focused on protection and governance of Azure workloads by assessing risk to them, reducing attack surface, and generating alerts on potential threats using advanced threat detection technologies. The roles that use ASC will typically include security engineers and GRC professionals who report risk to the CISO.

Azure Sentinel is focused on monitoring all environments and is used by SOC analysts. Azure Sentinel allows for monitoring alerts and security-related events from any source (Microsoft security solutions, 3rd party, custom rules). Azure Sentinel is built for security analysts and SOC managers to make their work easier and more effective. Azure Sentinel is designed to simplify the application of advanced technologies like Machine Learning and User and Entity Behavior Analytics (UEBA) to the variety of data sets you monitor, and is complemented by other Microsoft Threat Protection solutions that provide specialized investigation of hosts, email, identity attacks, and more.

Azure Security Operations – Centralized Visibility

Azure Security best practice: Enterprise segmentation & Zero Trust preparation

This is Part#3 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Align segmentation strategy & teams by unifying network, identity, app, etc. into a single enterprise segmentation strategy (as you migrate to Azure).

SEGMENTATION STRATEGY

What : Identify the security segments that are needed for your organization to contain risk

Why : A clear and simple segmentation strategy enables stakeholders (IT, Security, Business Units) to understand and support it. This clarity reduces the risk of human errors and automation failures that can lead to security vulnerabilities, operational downtime, or both.

How : Select the segmentation approaches from the reference design and assign permissions and network controls as appropriate.

A Good Segmentation Strategy:

1. Enables Operations – Minimizes operational friction by aligning to business practices and applications

2. Contains Risk – Adds cost and friction to attackers by

  • Isolating sensitive workloads from compromise of other assets
  • Isolating high-exposure systems from being used as a pivot to other systems

3. Is Monitored – Security Operations should monitor for potential violations of the integrity of the segments (account usage, unexpected traffic, etc.)

Azure Security best practice: Administration – Account protection

This is Part#2 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

Passwordless Or Multi-factor Authentication For Admins

What : Require all critical impact admins to be passwordless (preferred) or require MFA.

Why : Passwords cannot protect accounts against common attacks.

How :

  • Passwordless (Windows Hello)
  • Passwordless (Authenticator App)
  • Multifactor Authentication
  • 3rd Party MFA Solution

No Standing Access

What : No standing access for critical impact admins

Why : Permanent privileges increase business risk by increasing the attack surface of accounts: the longer the privilege exists, the longer it is exposed.

How :

  • Just in Time : Enable Azure AD PIM (or a 3rd party solution) for all of these accounts
  • Break glass : Process for emergency-access accounts (preferred for low-use accounts like global admin)

Azure Security best practice: Operationalize Secure Score for cleaning up risk

This is Part#1 of our series of articles about best security practices that you can apply to an Azure environment. Please note that all the articles have been compiled from various official Microsoft sources.

What – Assign stakeholders to use Secure Score in Azure Security Center to monitor risk profile and continuously improve security posture

Why – Rapidly identifying and remediating common security hygiene risks can significantly reduce overall risk

How – Set up a regular cadence (typically monthly) to review Azure Secure Score and plan initiatives with specific improvement goals. Gamify the activity if possible to increase engagement.

Suggested Process Owners

Operationalize Secure Score for cleaning up risk

Common cloud security threats we see in the wild

The biggest question now becomes how to protect your Azure environment against all those threats: protect your cloud workloads from threats using Azure Security Center and Azure Policy!

A go-do list to protect your workloads against threats:

  1. Good hygiene comes first: strengthen your cloud security posture
  2. Turn on threat protection for all cloud resources
  3. Reduce the attack surface of VMs with JIT VM access, network and application controls
  4. Integrate alerts into your SIEM or ticketing system & notify application owners
  5. Identify root causes and drive further security hygiene improvements
  6. Bring security controls together by using a standard like Azure CIS / NIST 800-53 / ISO 27001
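Items 1, 3 and 6 of this list map directly onto Az PowerShell calls. The script below is an added example, not code from this article or from Microsoft; the subscription, resource group and VM names are placeholders, the Secure Score control property names are those of Az.Security 1.x, and the policy object shape (`Properties.DisplayName`) is that of Az.Resources 6.x. It ranks Secure Score controls by unrealized points, replaces standing SSH/RDP exposure on a VM with a just-in-time access policy, and assigns the built-in CIS benchmark initiative so that compliance is measured continuously rather than at audit time.

```powershell
# Added example (not from the original article): go-do list items 1, 3 and 6 as Az PowerShell.
# Subscription, resource group and VM names are placeholders (assumptions for illustration).
$subId  = (Get-AzContext).Subscription.Id
$rg     = 'rg-app-prod'
$vmName = 'vm-web-01'

# 1. Hygiene first: which Secure Score controls leave the most points on the table?
function Get-TopSecureScoreGap {
    param([int]$Top = 10)
    Get-AzSecuritySecureScoreControl |
        Select-Object DisplayName, CurrentScore, MaxScore, UnhealthyResourceCount,
            @{ n = 'Gap'; e = { $_.MaxScore - $_.CurrentScore } } |
        Sort-Object Gap -Descending |
        Select-Object -First $Top
}
Get-TopSecureScoreGap | Format-Table -AutoSize

# 3. Reduce attack surface: instead of a permanent NSG rule for 22/3389, admins request
#    access for at most 3 hours; ASC opens the rule for the requester's source and closes it
#    again when the window ends.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$jitVm = @{
    id    = $vm.Id
    ports = @(
        @{ number = 22;   protocol = '*'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' },
        @{ number = 3389; protocol = '*'; allowedSourceAddressPrefix = @('*'); maxRequestAccessDuration = 'PT3H' }
    )
}
Set-AzJitNetworkAccessPolicy -Kind 'Basic' -Location $vm.Location -Name 'default' `
    -ResourceGroupName $rg -VirtualMachine @($jitVm) | Out-Null

# 6. Standardize controls: assign the built-in CIS benchmark initiative at subscription scope.
#    The display name is prefix-matched because the definition GUID differs per CIS version.
$initiative = Get-AzPolicySetDefinition -Builtin |
    Where-Object { $_.Properties.DisplayName -like 'CIS Microsoft Azure Foundations Benchmark*' } |
    Select-Object -First 1
if ($null -eq $initiative) { throw 'CIS initiative not found in this cloud environment' }
New-AzPolicyAssignment -Name 'cis-baseline' -DisplayName $initiative.Properties.DisplayName `
    -PolicySetDefinition $initiative -Scope "/subscriptions/$subId" | Out-Null
```

The built-in initiatives are audit-effect by default, so the assignment does not block anything; it feeds non-compliant resources back into Secure Score and the compliance dashboard, which is what item 5 (finding root causes) needs as input.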

The last point on the above list touches upon our Managed Security Services for Azure.