Part 4: Security features Flashcards
Azure Security Center
Azure Security Center is a monitoring service that provides visibility of your security posture across all of your services, both on Azure and on-premises.
Security Posture
The term security posture refers to cybersecurity policies and controls, as well as how well you can predict, prevent, and respond to security threats.
Security Center (example)
Resource security hygiene
Secure score
Secure score is a measurement of an organization’s security posture.
Report on the current state of your organization’s security posture.
Improve your security posture by providing discoverability, visibility, guidance, and control.
Compare with benchmarks and establish key performance indicators (KPIs).
Protection: Just-in-time VM access
Just-in-time VM access
Tailwind Traders will configure just-in-time access to VMs. This access blocks traffic by default to specific network ports of virtual machines, but allows traffic for a specified time when an administrator requests and approves it.
Protection: Adaptive application controls
Adaptive application controls
Tailwind Traders can control which applications are allowed to run on its virtual machines. In the background, Security Center uses machine learning to look at the processes running on a virtual machine. It creates exception rules for each resource group that holds the virtual machines and provides recommendations. This process provides alerts that inform the company about unauthorized applications that are running on its VMs.
Protection: Adaptive network hardening
Adaptive network hardening
Security Center can monitor the internet traffic patterns of the VMs and compare those patterns with the company’s current network security group (NSG) settings. From there, Security Center can make recommendations on whether the NSGs should be locked down further and provide remediation steps.
Protection: File integrity monitoring
File integrity monitoring
Tailwind Traders can also configure monitoring of changes to important files, registry settings, applications, and other aspects that might indicate a security attack, on both Windows and Linux.
Security: Workflow automation
Workflow automation uses Azure Logic Apps and Security Center connectors. The logic app can be triggered by a threat detection alert or by a Security Center recommendation, filtered by name or by severity.
What is SIEM?
Security information and event management (SIEM)
Azure Sentinel
Collect cloud data at scale
Collect data across all users, devices, applications, and infrastructure, both on-premises and from multiple clouds.
Detect previously undetected threats
Minimize false positives by using Microsoft’s comprehensive analytics and threat intelligence.
Investigate threats with artificial intelligence
Examine suspicious activities at scale, tapping into years of cybersecurity experience from Microsoft.
Respond to incidents rapidly
Utilize built-in orchestration and automation of common tasks.
Azure Sentinel data sources
Connect Microsoft solutions
Connectors provide real-time integration for services like Microsoft Threat Protection solutions, Microsoft 365 sources (including Office 365), Azure Active Directory, and Windows Defender Firewall.
Connect other services and solutions
Connectors are available for common non-Microsoft services and solutions, including AWS CloudTrail, Citrix Analytics (Security), Sophos XG Firewall, VMware Carbon Black Cloud, and Okta SSO.
Connect industry-standard data sources
Azure Sentinel supports data from other sources that use the Common Event Format (CEF) messaging standard, Syslog, or REST API.
Detect threats
Built-in analytics
Built-in analytics use templates designed by Microsoft's team of security experts and analysts based on known threats, common attack vectors, and escalation chains for suspicious activity. These templates can be customized to search across the environment for any activity that looks suspicious. Some templates use machine learning behavioral analytics that are based on Microsoft's proprietary algorithms.
Custom analytics
Custom analytics are rules that you create to search for specific criteria within your environment. You can preview the number of results that the query would generate (based on past log events) and set a schedule for the query to run. You can also set an alert threshold.
Automated response to threats
Azure Monitor Workbook