Showing posts with label Azure Security Center.

Azure Security Center Playbooks Introduction


Azure Security Center is a useful tool for managing the security health of a hybrid cloud estate. As I have previously written, it can monitor both Azure infrastructure and on-premises machines from a single central dashboard. Please feel free to read the other blog post in the Azure Security Center series: http://www.ruckcloud.ml/2018/02/using-azure-security-center-for.html

Today I will be writing about a specific feature of Azure Security Center called Security Playbooks. A Security Playbook is an alert-triggered procedure that runs within Security Center: when a specific alert fires, the playbook runs and automates the response to that alert. This helps orchestrate, and speeds up, security alert handling.

Security Playbooks are built on Azure Logic Apps. In practice a playbook is an ordinary Logic App workflow: you can start from a template, edit it or create your own, and then trigger it from Security Center.

What are Azure Logic apps?

Azure Logic Apps is a service for building and running scalable integrations and workflows in the cloud. Further reading is linked at the end of this post.

Creating a Security Playbook

Please see the steps below to create a Security Playbook in the Azure portal:

1. Select Security Center, then Playbooks (preview), then Add Playbook.

2. Fill in the Create logic app form and create the app:

3. After the logic app has been created it is listed under Playbooks in Security Center:

4. Click the newly created logic app to launch the Logic App Designer:

5. Click Blank Logic App:

6. Search for Azure Security Center and select the request trigger (the trigger that receives the alert payload):

7. Add an action to run in response to the alert and click Save:

8. Once saved, the playbook can be run from Security Center under Playbooks.
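The same playbook can be created from PowerShell rather than the designer, which is easier to version-control and review. The script below is an added example and is not code from the original post: it assumes the Az.LogicApp module, an authenticated session (Connect-AzAccount) and an existing resource group, and the resource names, webhook URL, hostname and alert properties in the trigger schema are placeholders chosen for illustration rather than the full Security Center alert schema.

```powershell
# Added example (not from the original post): deploy a minimal Security Center
# playbook as a Logic App from PowerShell. Assumes Az.LogicApp, Connect-AzAccount
# has been run and the resource group already exists. Names are placeholders.
$rg       = 'rg-security-playbooks'
$name     = 'asc-high-severity-notify'
$location = 'westeurope'
$webhook  = 'https://example.invalid/hooks/security'   # hypothetical receiver

# Logic Apps workflow definition: a Request trigger that accepts an alert JSON
# body, a condition on the Severity field and an HTTP action that notifies.
# The four properties in the schema are the ones this example reads; they are
# an assumption, not the complete alert schema.
$definition = @'
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {},
  "triggers": {
    "manual": {
      "type": "Request",
      "kind": "Http",
      "inputs": {
        "schema": {
          "type": "object",
          "properties": {
            "AlertDisplayName":  { "type": "string" },
            "Severity":          { "type": "string" },
            "CompromisedEntity": { "type": "string" },
            "Description":       { "type": "string" }
          }
        }
      }
    }
  },
  "actions": {
    "Is_high_severity": {
      "type": "If",
      "expression": "@equals(triggerBody()?['Severity'], 'High')",
      "actions": {
        "Notify": {
          "type": "Http",
          "inputs": {
            "method": "POST",
            "uri": "__WEBHOOK__",
            "headers": { "Content-Type": "application/json" },
            "body": {
              "text": "@{concat('Security Center alert: ', triggerBody()?['AlertDisplayName'], ' on ', triggerBody()?['CompromisedEntity'])}"
            }
          },
          "runAfter": {}
        }
      },
      "else": { "actions": {} },
      "runAfter": {}
    }
  },
  "outputs": {}
}
'@
$definition = $definition.Replace('__WEBHOOK__', $webhook)

New-AzLogicApp -ResourceGroupName $rg -Name $name -Location $location -Definition $definition

# A Request trigger is fired by POSTing to its callback URL. The URL carries a
# SAS signature, so treat it as a secret: anyone holding it can run the playbook.
$callback = Get-AzLogicAppTriggerCallbackUrl -ResourceGroupName $rg -Name $name -TriggerName 'manual'

# Constructed test alert for exercising the playbook; not a real Security Center alert.
$testAlert = @{
    AlertDisplayName  = 'Suspicious process executed'
    Severity          = 'High'
    CompromisedEntity = 'vm-web-01'
    Description       = 'constructed test payload'
} | ConvertTo-Json

Invoke-RestMethod -Method Post -Uri $callback.Value -ContentType 'application/json' -Body $testAlert

# Confirm the run happened and whether it succeeded.
Get-AzLogicAppRunHistory -ResourceGroupName $rg -Name $name |
    Select-Object -First 1 Name, Status, StartTime, EndTime
```

Posting a Medium-severity version of the same payload should produce a run in which the Notify action is skipped, which is a quick way to confirm the condition is evaluated against the field you expect before wiring the playbook to live alerts.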


Playbooks are a good way to automate the response to security alerts. For further information please read https://docs.microsoft.com/en-gb/azure/security-center/security-center-playbooks

Further reading on Azure Logic Apps (REST API reference): https://docs.microsoft.com/en-gb/rest/api/logic/

Using Azure Security Center for monitoring





Azure Security Center is described by Microsoft as "unified security management and advanced threat protection across hybrid cloud workloads". It is a tool for monitoring security across your on-premises workloads as well as your cloud workloads in Azure.

You can apply security policies, and locate and fix vulnerabilities before they can be exploited. You can also use advanced analytics to detect and respond to attacks on your infrastructure through the Advanced Threat Protection features (a paid tier; see the trial note below).

In this article I will explain the basics of the service: where to find it, an overview of the monitoring dashboard, and some of the remediation features. As with all my articles, it is written for the first-time Azure user as well as the seasoned pro who wants to learn about a new product.

Azure Security Center is launched from within the Azure portal:



Once opened, it displays the monitoring dashboard with your alerts:




The dashboard contains your security overview plus the Prevention and Detection sections. Note that Advanced Threat Detection requires the 60-day trial (or the paid tier) before it shows anything. Advanced Threat Detection uses Security Center's threat intelligence to identify attacks against your resources, raise alerts and recommend how to resolve them.

Recommendations

As you scroll through the dashboard you can review the recommendations for better securing your current workloads; they are arranged by severity (high and medium). Opening a recommendation gives instructions for resolving it and implementing better security practice on your cloud or on-premises workloads.


In the recommendation above I have found that no Network Security Group (NSG) is applied on a specific virtual network. I can click through the blades for more information on this issue and resolve it directly from within the portal. As shown below, the next portal steps let me enable the required NSG directly:

Prevention

Under the Prevention section you will see further recommendations generated for your infrastructure, grouped into Compute, Networking, Storage & data and Applications.

In my example I have a few findings across Compute and Networking. Clicking the Compute tab gives the following recommendations for my virtual machines:

From this tab I can drill down for further information. In this case endpoint protection has not been installed on the virtual machine (it scans for malware) and the virtual machine disks are not encrypted. The following windows give further information and directions for resolving these issues, which lets you be proactive about security issues rather than waiting for an incident.

Networking and Storage & data report similar issues, with further information on the threat and directions on how to resolve it. This gives a clear overview of your Azure infrastructure security together with direction on resolving any issues found.
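The three findings discussed above (subnets without an NSG, virtual machines without endpoint protection, and virtual machines without disk encryption) can also be checked across a whole subscription from PowerShell, which is handy when you want to confirm a fix or catch drift between dashboard refreshes. The script below is an added example and is not code from the original post: it assumes the Az.Network and Az.Compute modules and an authenticated session, and the function names and the remediation parameters are my own placeholders.

```powershell
# Added example (not from the original post): reproduce three dashboard
# recommendations from PowerShell. Assumes Az.Network, Az.Compute and an
# authenticated session (Connect-AzAccount). Function names are placeholders.

# 1. Networking: subnets that have no Network Security Group attached.
function Get-SubnetWithoutNsg {
    foreach ($vnet in Get-AzVirtualNetwork) {
        foreach ($subnet in $vnet.Subnets) {
            # These platform subnets are not meant to carry an NSG, so skip them.
            if ($subnet.Name -in 'GatewaySubnet', 'AzureFirewallSubnet') { continue }
            if (-not $subnet.NetworkSecurityGroup) {
                [pscustomobject]@{
                    ResourceGroup  = $vnet.ResourceGroupName
                    VirtualNetwork = $vnet.Name
                    Subnet         = $subnet.Name
                }
            }
        }
    }
}

# 2. Compute: VMs missing the Microsoft Antimalware extension (the endpoint
#    protection Security Center installs; third-party agents are not detected here).
# 3. Compute: VMs whose OS disk is not encrypted with Azure Disk Encryption.
function Get-VmSecurityFinding {
    foreach ($vm in Get-AzVM) {
        $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name -ErrorAction SilentlyContinue
        $hasAntimalware = [bool]($ext | Where-Object { $_.ExtensionType -eq 'IaaSAntimalware' })
        $enc = Get-AzVMDiskEncryptionStatus -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
        [pscustomobject]@{
            ResourceGroup      = $vm.ResourceGroupName
            VM                 = $vm.Name
            EndpointProtection = $hasAntimalware
            OsDiskEncrypted    = ($enc.OsVolumeEncrypted -eq 'Encrypted')
        }
    }
}

# Remediation for finding 1: attach an existing NSG to a subnet. Placeholder
# parameter names; the address prefix must be re-supplied when updating a subnet.
function Set-SubnetNsg([string]$ResourceGroup, [string]$VNetName, [string]$SubnetName, [string]$NsgName) {
    $nsg    = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroup -Name $NsgName
    $vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
        -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
    $vnet | Set-AzVirtualNetwork | Out-Null
}

# Report: only the resources that would show up as recommendations.
Get-SubnetWithoutNsg | Format-Table -AutoSize
Get-VmSecurityFinding |
    Where-Object { -not $_.EndpointProtection -or -not $_.OsDiskEncrypted } |
    Format-Table -AutoSize
```

A caveat when comparing this with the portal: Security Center recognises several partner endpoint protection products, whereas the check above only looks for the Microsoft Antimalware extension, so a VM running another vendor's agent will be flagged here but not in the dashboard.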

One point I haven't mentioned yet is that you can also install the Security Center monitoring agent (the Microsoft Monitoring Agent) on on-premises machines, which gives a fully hybrid security monitoring overview: all security information for cloud and on-premises in one dashboard for monitoring and reporting. A Log Analytics workspace is required to on-board non-Azure computers to Security Center:
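The workspace setup for non-Azure machines can be scripted as well. The following is an added example and not code from the original post: it creates the Log Analytics workspace, points Security Center at it, produces the agent install command for an on-premises Windows server and checks that the machine is reporting. It assumes the Az.OperationalInsights and Az.Security modules and an authenticated session; the resource names and the hostname are placeholders.

```powershell
# Added example (not from the original post): prepare a Log Analytics workspace
# for on-boarding non-Azure machines. Assumes Az.OperationalInsights, Az.Security
# and an authenticated session (Connect-AzAccount). Names are placeholders.
$rg  = 'rg-security-monitoring'
$ws  = 'law-security-hybrid'
$loc = 'westeurope'
$sub = (Get-AzContext).Subscription.Id

New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws -Location $loc -Sku 'PerGB2018' | Out-Null
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws
$keys      = Get-AzOperationalInsightsWorkspaceSharedKey -ResourceGroupName $rg -Name $ws

# Make this the workspace Security Center stores agent data in for the
# subscription, and let it auto-provision the agent onto Azure VMs
# (on-premises machines still need the manual install below).
Set-AzSecurityWorkspaceSetting -Name 'default' -Scope "/subscriptions/$sub" -WorkspaceId $workspace.ResourceId
Set-AzSecurityAutoProvisioningSetting -Name 'default' -EnableAutoProvision

# Silent install line for the Microsoft Monitoring Agent on an on-premises
# Windows server (MMASetup-AMD64.exe is downloaded from the workspace in the
# portal). The workspace key is a credential: do not commit or log this output.
$install = 'MMASetup-AMD64.exe /C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 ' +
           "OPINSIGHTS_WORKSPACE_ID=$($workspace.CustomerId) " +
           "OPINSIGHTS_WORKSPACE_KEY=$($keys.PrimarySharedKey) " +
           'AcceptEndUserLicenseAgreement=1"'
$install

# Once the agent is running the machine heartbeats into the workspace; check
# for that before expecting it to appear on the Security Center dashboard.
$computer = 'onprem-srv-01'   # placeholder hostname
$query = "Heartbeat | where Computer == '$computer' | summarize LastSeen = max(TimeGenerated)"
(Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query $query).Results
```

If the heartbeat query returns nothing after a few minutes, check outbound HTTPS from the server to the workspace endpoints and that the workspace ID and key on the machine match the ones above; rotating the key with the workspace's regenerate option invalidates the copy embedded in any previously generated install line.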


There are many more functions within Azure Security Center and I have only touched on the basics in this article. Please look further into Advanced Threat Detection, which contains the threat intelligence and security alerting functions.