Defender for Cloud Coverage

 Introduction


Defender for Cloud is an interesting attempt by Microsoft to protect assets that are often left neglected by your usual security stack. At large Defender for Cloud is three things: Security Assessments, Defender for Endpoint and cloud resource threat detection. The combination of security assessments and threat detection is something commonly observed across the Defender suite and is something I very much welcome as the reality of most breaches isn't that the protection tools failed it's that humans did.

I'm going to be writing more on Defender for Cloud but in this blog, I've listed each of the separate 'Defender' technologies under the Defender for Cloud banner and which features you get.

Defender for Cloud


 
There are important distinctions between each Defender for Cloud technology in particular around how threat detection is achieved but at large below is a summary:

  • Security Assessments - Defender for Cloud will identify configuration-related vulnerabilities either through its own means or where the data already exists in Azure through other services like Defender for Cloud App.
    • Defender for Endpoint - For the compute-related Defender for cloud technologies such as virtual machines Defender for Cloud will either leverage the entire Defender for Endpoint offering (Sense, SenseIR and Antivirus engine) or just the Threat vulnerability management capability depending on relevancy.
    • Cloud resource threat detection - Some of the Defender for Cloud technologies will utilize their own exclusive threat detection capabilities most of which do not impact the resource they are protecting. Examples of this are monitoring blob operations for anomalies or applying TI feeds to network traffic leaving resources.

    *The above table lists features gained by enabling Defender for Cloud. As stated above Defender for cloud will utilize other data sources if already available so this is not an exhaustive list.



    Just at a glance the breadth of controls Defender for Cloud offers is impressive and if an organization heavily relies on Azure, it is a very easy decision to turn it on. Most of the threat detection capabilities Defender for Cloud provides could be achieved by ingesting the data/telemetry into Microsoft Sentinel and writing the appropriate near real-time rules. If that's an exercise you want to complete use this resource (https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference) to reverse engineer, the alerts generated by Defender for Cloud into your own custom rules.






    Popular posts from this blog

    Endpoint on Adrenaline : One

    Image
    Introduction   This blog series will capture how to maximise the protection of an endpoint using the various technologies in the Defender suite. The controls outlined in the series will each need to have their own considerations taken into account for a given environment but hopefully at a minimum it will be clear just how powerful of an offering Microsoft has.  Unfortunately due to the highly modular and distinct diversity in controls Microsoft offers things are often overlooked and misconfigured when tests are conducted. With this in mind, the shortest possible route to a solution for this is utilizing the recommendations, CSPM and Secure Score technology contained within Defender 365 and Defender for Cloud as it will automatically conduct posture assessments and inform you of things you have missed and may want to turn on (IE dont take these recommendations lightly) Lastly, I would recommend reading the book “Defender for Endpoint in depth” from packt as it showcases the complexitie
    Read more

    Brilliance in the Basics

    Image
    Introduction Tired of watching you and your friends get compromised, do exactly what's in this blog and start eating adversaries alive. Avoiding the memes adversaries win because of simple mistakes and neglect and we all already know what they are so I'm going to list them for you. Its all for free too. Enumerate To put it simply, there shouldn't be anything you don't know about your environment, you should know who all your users are, where all your electronic devices are and what they do, what applications you have and what versions they are. Enumeration is the jet fuel for making good defensive decisions. I wrote about how to enumerate your environment here  Securing your estate: The First Step (goblinloot.net) . Follow these steps and become the arbitrator of your own environment  Your perimeter is a bridge, not a wall Monitor your perimeter as best as you can but always assume it has already been defeated. Monitor endpoint system and process telemetry and southwest
    Read more

    Investigate

    Image
      Introduction This document details how an analyst should conduct investigations and triage in the normal duties of their job. It will describe concepts and logic that enable analysts to look at data, ask investigative questions, evaluate those questions and arrive at assertions about what they have found. An Alert For the most part, analysts begin their investigative work when an alert is generated. Alerts are fantastic because they are a statement that something has happened and something needs to be done about it. Typically alerts are filled with information that an analyst can then use in their investigation. Alerts are generated by detections and these detections can come in many shapes and sizes. Some just look for a particular action like someone unlocking their car door, others might have access to more context like someone who isn’t the owner of the car unlocking the door. Going even further some detections might look at how the car door was opened or at what
    Read more