Azure Governance – #4 – Security Center

I'm Dean Cefola and this is the Azure Academy, continuing with our look at Azure governance. Today we're going to talk about the Azure Security Center. Let's go into All services, to the Quick Start Center, to set up our environment. We've been using this as an overview of Azure governance, highlighting each area and talking about that. Today we're here to talk about the Security Center, so let's take a look at that.

OK, so the first thing you notice in my Security Center is I've got a lot of information, and that's because under my subscription filter I am bringing in all of my current subscriptions, of which I've got about 27 now. Subscriptions all up will tell Azure Security Center what's going on in three major areas, and that is policy and compliance, resource security hygiene and threat protection. Each one of those areas breaks down in the blade here into different particular topics, and we're going to cover all of these today.

So we're going to start off with Getting Started. Azure Security Center is enabled on every single Azure subscription, and it is there by default. However, there are things that are within the Security Standard plan which are higher-level features, and these higher-level features are basically around the area of threat intelligence, network control, just-in-time access, these kinds of more advanced tools that we see down here, and we'll get into that as we go. But when you use the Security Center you have the additional option of adding agents to your boxes. Now, Azure Security Center by default will pull in lots of data from Azure. If you want data to go along with that that is inside the operating systems that you are using, you can install the agent, and when you install the agents there will be something on Windows and on Linux that gets installed. You run that and it will connect to a Log Analytics workspace to store all of your data, and then that data can be searched on and reported on inside the Security Center, which we'll see in just a little bit.

Under the Getting Started section, this gives you kind of an overview of the different areas of purpose. Basically you want to look at your subscriptions from the entire tenant-wide view, and this means from the Azure side, from your management groups to your subscriptions down to the individual things like policy and compliance, and also the Azure Advisor, which we'll dig into more, so you can learn about that here in the documentation. And then configuring all of these security policies that are built into Azure Policy, some of which we went over in our last video, and you can configure those from here, as well as add non-Azure systems. It doesn't matter if it is on premises or in another cloud or wherever they are; you can connect all of them together to have Azure Security Center be kind of an all-up view of your security footprint on your entire enterprise, and you can configure these non-Azure devices here.

So let's look at that quickly. You would select a particular Log Analytics workspace, and then if it is a Windows system you download the agent from here for the appropriate version, and if it's Linux then you would get it from here, and then you add in the workspace ID and keys as appropriate. And then if you have systems that do not have direct internet access or don't have open ports, you can set up an OMS gateway so that you can filter that, kind of like a proxy for the OMS agents, and then that data will all come up into the Azure Security Center. I don't have any of those currently in my environment, so I'll just leave that there for you to explore if you need to.

Once all of those agents have been deployed and the systems are up and running, then we can start getting into some of the data. Now I'll go into my analytics space here, and over the last seven days we've tracked twenty-thousand-plus events, and those break down into two types here in the events portal: all events, or notable ones. Notable events are things like failed logins. So if we click this, this brings us to the Kusto-language-based Log Analytics interface, where we can write and run queries and look at all of our security events related to whatever it is, as well as many other kinds of things; you could look at Network Monitor, or your basic Azure Automation and Change Tracking, or use the Query Explorer, and this will help you to actually write and run queries. So currently this machine had a failed login attempt on it, and that's why it's listed here. More on Log Analytics in another video, so look forward to that.

So let's go back here to the search interface and we'll pick our Log Analytics workspace again, and you can see it takes us right back here. This language interface is also IntelliSense driven, so if we write something like SecurityEvent, now you can further write that out, but what I'm going to do instead is just run that, and we can see here that it has generated for us 10,000 records in the last 24 hours. So what are these kinds of information? Well, if we look at this one, this is a security-related event from within Windows related to WMI, so we track basically things that are out of the Windows event logs. Let's look at this NT System Authority one: a successful login happened on this box, OK, and a new process was created on this box, so it looks like a service had started. So all this kind of information you can see. OK, and if we look at our chart here, you can see that we've got a whole lot of information, but then we've got certain spikes in information, and that all kind of gives us an idea of what's going on in our environment. So if we were to see some abnormal spikes, that may indicate that something was going on. So those are ways to use Log Analytics data to your advantage.

So going back to the Security Center, OK, and under Policy and Compliance we have Coverage. Now coverage refers to all of the different subscriptions and what level they are at: are there subscriptions where we're not doing anything, are there ones that have just basic coverage? In my case I'm on Standard for all of my subscriptions, and it shows even the number of resources that are within them, so that's more informational than anything else. So if you found one that was not covered, you would then enable it. Under the Security Policy section we see a layout here of the different management groups that we have, what subscriptions are within each of those management groups, and which ones are just standalone subscriptions, as well as their different compliance levels, and you can click on Edit Settings. So let's do that, and this is where we see a lot of the functionality of the Security Center.

So the first thing we have is auto provisioning. Now this is referring to the Azure monitoring agent being installed on VMs in your subscription automatically. Now you of course do not have to do this; you can deploy the security monitoring agent with PowerShell, Azure Automation, ARM templates or any other particular automation framework that you want to use, but you could also just have it enabled here so it happens automatically, and a few minutes after the VM is provisioned the monitoring agent will be installed, and then it will be automatically connected to this particular workspace, because this is the one that I have selected. And then inside my Windows systems it will gather this amount of data, and you can read all the information here; we'll move on just for time's sake. And then you can enable threat detection, and this is related to the Windows Defender Advanced Threat Protection analytics. You can also set up notifications to email addresses, SMS phone numbers, and then indicate whether or not you want to be alerted when a high security alert comes in, and if the subscription owner should also be notified.

OK, and then we have the different pricing and the pricing tiers. As I said, the Free one is enabled by default, and it includes the security assessment recommendations, security policies and partner solutions. What it does not include is just-in-time virtual machine access, application adaptive controls, network threat detection, which we will cover later. OK, now these features are basically indicating that everything in Azure, at the Azure platform level, is going to report into Security Center, so you can see what's going on, but some of the deeper analytics or more broad-reaching analytics like threat detection are things that are included in the Standard model only.

All right, and that brings us back to the security hygiene, and this section comes from the Azure Advisor. You can look at all of the recommendations all up in this part of the blade, or you can dig into particular sections with the subsequent blades. Under Networking we can see our network topology. In this case, looking at one subscription, I've got multiple virtual networks which all have their own set of subnets, and I've got in this case two VMs hanging off of one of those subnets. So if I click on this I can see some information about that particular thing, as well as the traffic that it is generating, and that is where this machine is talking to another machine, and this happens to be my domain controller. So you can see that the sets of ports that are being used match here on both sides, so you can see the data from either way. So this is a good way to see what is going on on your network: which ports are actually open between systems communicating with each other, and then you can decide whether or not those ports should be allowed to communicate, or whether something is going on that you have been previously unaware of and now you need to take steps to stop that from happening. All right, so that's the network map.

Let's go back to Security Center. There are many different kinds of areas of concern here, and so we've got a different rating system based on the severity of the incidents. We've got gray, which is kind of like your number five, and then blues, which are number four, then we've got yellows, oranges and reds, and the higher up on the color scheme you are, the more that this is potentially something that is impacting. In our view of running, you know, tens and hundreds and thousands of subscriptions that we see, this is what gives people the best bang for their buck, or it gives you the best secure footprint possible. Now some of these things may or may not be in compliance with your security standards; for example, disk encryption on VMs, if that's not something that you have as a requirement, then even though we consider it to be red it probably does not concern you. Additionally, if you're using disk encryption through another tool or process, then again this is one that you can just ignore. All right, and then once again when you're in one of these lists you can click on the particulars up here and do more filtering, so you're just looking at the particular resources that you want to deal with at the moment.

OK, and then we have Security Solutions. Now this is where we integrate the Security Center into other platforms or objects, so, like, Azure Active Directory can be connected to your Security Center, and you can also do Advanced Threat Analytics and add that in, as well as add your SIEM agents, things like Splunk and other things, you can get data to those, and non-Azure systems like we already looked at. So let's take a brief look at the SIEM tool, and this is where we would send our Security Center data, which is again an aggregate tool itself, and that goes to our Azure Monitor, and that's where we track the activity logs in particular, send those to an Event Hub and connect that to a SIEM connector. All right, so if you're setting up something like a Splunk, that's basically how you would integrate that into Azure.

So let's move on to the Advanced Cloud Defense blade, and this is where we're talking about those features that are kind of part of that paid version of Security Center. So looking at the recommendation here, I guess the first thing to answer is what is adaptive application control in the first place? Well, basically it's like an application whitelist. So if we click on this group, I've enabled Docker to be running on this system, so I've accepted it here and permitted it to be functional on this system, so that's OK. If I go to my other system here, OK, I have not enabled this yet, so if I wanted to I'd hit Create, OK, and we see that that's in progress, so it's turning on the whitelist, and then you can go in and specify things that you want to cover.

I've just mentioned also just-in-time VM access, so let's take a look at this. Just-in-time VM access basically allows me to specify that this VM is locked down, and these particular ports are things that people need to access, possibly remotely, like port 443 here, or they want to access RDP, and you could also do other ports like 22, and you can add custom ports as well. Hey, and there you go, now we've added port 22. You can set this up so that when you have gone in here and performed an access request, now we're going to enable that port to be opened. So what's the mechanism by which we're doing this? Well, let's take a look at one of our virtual machines. OK, so here we have one of our virtual machines, and let's go under Networking, OK, and we see here that we have some port rules configured for 3389, 443 and 8443, and these match the rules from our Security Center just-in-time controls, and you can see that's how these rules are also named. OK, so these are controlled through the Security Center. When I made the allowance to open port 3389, it created another rule, and that rule says that we're allowing communication to this specific IP from anywhere, and that included the internet, because that's how I did the request. And so let's go to our configuration here, and this is how you can enable it for a VM as well; this will be just a quick way to get back. So I'm going to put in another access request, but this one I'm going to say is from a specific IP of 10.10.10.1, and then I'll make this enabled for one hour, and I'll hit Open Port. OK, so now if we go back to Networking we can see that our network security group has been updated to now allow 3389 from the IP that I specified. So you can do this from on-premises using a specific IP range as well, and then when you set up the rule, the rule will then enable the just-in-time access for whatever the port is; it could be for an FTP server, it could be for getting to the command line like it is here, but it enables you to have more security on your box so that you're just not sitting there open to the internet.

All right, so let's look at File Integrity Monitoring, and this is where you can control what's going on on the individual files on your systems. So as you can see here, not every Log Analytics workspace has been enabled to receive the data for the file integrity; this one has, and I've got some VMs set up in here. All right, and you can see that I've got three VMs; one is not set up at all, and for the other two the settings for which attributes you are looking at to be monitored are in here. So you can look at the Windows registry, and I've got a few keys enabled, and you can also look at the Windows file structure, and you can look at things on the Linux system over in /etc, and you can also look at the individual files' content. So while the file that you may have, you know, a text file sitting on your drive, the text file itself hasn't been changed, we haven't changed the properties of that file, but I opened it and I made some edits in the file, well, you can log those kinds of things as well, and additionally you can also look for changes on Windows services. All right, so if I look at one of these machines, again this brings us back to Log Analytics. So looking here, I created a registry key in Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, so that's where you can start up programs when the operating system starts, and I created here just a test registry entry with a value of "this is a test", and the file integrity monitor logged that as a change that was made on the system. So I could look at that here, and then I can do something with it if I need to, like create a new rule alert. Then we have to satisfy a condition which will do the alerting, so if my threshold of these alerts coming in is greater than zero, OK, and then you can select an action group; this is where you specify how you wish to be contacted, so I'll do this by my email, and we'll have a subject of "something changed", and the alert name is "FIM monitor", OK, something changed on my server, and we'll make this informational. So let's create our alert. OK, so now when something else changes on that system we'll get an email about it.

So moving on, now we'll go to the Threat Protection section of the Security Center, and we'll look at this rule here. This is when we've got a suspicious IP trying to contact us over RDP. So now we see that not only was this threat detected, but the IP that it was detected from, date/time, what kind of severity this is, which resource it was trying to access, under what subscription, how it was trying to talk to our system, and what the possible impact could be. There are also reports here that you can look at, and they tell you stuff about what brute-forcing is, as well as different information here about the location where the threat has come from. So in this case it came from this IP address, from somebody in Panama, and it even gives us the latitude and longitude of where this attack originated, how about that. And then you can go through some possible remediation steps that we recommend based on these kinds of incidents, and then you can provide us some kind of feedback down here: was this information useful to you at all, yes, no, and then you can submit that feedback.

Now the last thing at the bottom here is a section that is currently not highlighted, and we'll see why in a second, but you can kick off a playbook. A playbook is a series of steps that are taken when something occurs that matches a criteria. OK, and we'll call it "first playbook" and put it in our Azure Academy, OK, and there's our playbook. So let's open her up, and we get a basic design interface where we can use some existing templates or just create an app all on our own, and these playbooks are all Logic Apps. So let's click on this one to notify us through email and Teams, OK, and it verified my creds, and then we hit Continue, OK, and then we specify some type of condition that we want to alert on, what the value of that condition is, and then based on that value, if we are meeting that value then we will do our alerting and post a message into Teams to a channel and send an email, and if it is false then we can send another kind of email and take some other action. We can also add new kinds of steps in here. Let's close this here; you can learn a lot more about Logic Apps and what they can all do from this interface, and we'll just move on at this point.

OK, so this has been an overview of the Azure Security Center and all that it offers, and this is around helping you to understand what's going on in your environment as an all-up single pane of glass, covering the areas of compliance, security hygiene, threat detection and protection, just-in-time access, file integrity monitoring, and connecting all of that into other solutions so that you can have one security place to go to analyze what's going on in your environment, and then playbooks, that we looked at briefly, for how to take action when certain things occur across that environment. So I hope that you've enjoyed this, and that you would like and subscribe to our channel, provide us some comments and some feedback so we can improve, as well as let us know what things you're interested in for the future.
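As an added example, not from the video or from Microsoft, here is the kind of Kusto query the walkthrough alludes to when it talks about notable events (failed logins) and abnormal spikes in the SecurityEvent data the Log Analytics agent collects. The SecurityEvent table and its EventID, Computer and TargetUserName columns are the standard ones; the 3x-baseline and minimum-10 thresholds are constructed assumptions to tune per environment.

```kusto
// Added example: find hours in which a computer's failed logons (Windows Event ID 4625)
// rise well above that computer's own 7-day hourly average, i.e. the "abnormal spike"
// the presenter points at on the Log Analytics chart. Thresholds below are assumptions.
let lookback = 7d;
let hourly =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                                  // "An account failed to log on"
    | summarize FailedLogons = count(),
                DistinctAccounts = dcount(TargetUserName),   // many accounts => spray-like pattern
                SourceIPs = make_set(IpAddress, 20)          // where the attempts came from
      by Computer, Hour = bin(TimeGenerated, 1h);
let baseline =
    hourly
    | summarize AvgPerHour = avg(FailedLogons) by Computer;  // per-computer normal rate
hourly
| join kind=inner baseline on Computer
| where FailedLogons >= 10 and FailedLogons > 3 * AvgPerHour // constructed spike threshold
| project Hour, Computer, FailedLogons, AvgPerHour, DistinctAccounts, SourceIPs
| order by FailedLogons desc
```

Saved as a log alert rule with a "greater than zero" results threshold and an action group, as the video does for file integrity changes, this query turns the visual spike check into an email or SMS notification.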

Maurice Vega

1 Response

  1. Comment about JIT:

    I created an Application security group, then added the AppSG to the NICs of two VMs (even in different vNets) and enabled JIT from one of the VMs. By looking at the Networking Inbound port rules I can see that the second VM also has the JIT rule propagated.

    The only difference is that the Destination IP is the private IP of the VM which I've added to JIT.

    Not sure if that's a bug or by design, but it would be really great to restrict users' access to the Web Site (cluster VM in the LB backend pool) by using JIT with the destination set to the Application security group.


    27 Subscriptions

    azure boot camp (bravo) has 58 resources – what are those? Objects in that subscription?
    In my case it shows 17, but from navigation/subscriptions/resources I actually have 81.
