Microsoft Azure has an incredible tool to manage all aspects of security in the Azure Cloud — Azure Security Center. Using Azure Security Center, the administrator is able to see the entire cloud security health and start taking actions based on the recommendations provided by the tool.
Azure Security Center helps you create security policies and reduces the exposure of your assets by detecting and responding to attacks. The solution also works with on-premises workloads and can integrate with third-party tools and solutions; a good example is connecting Azure Security Center with your SIEM solution.
Azure Security Center: First steps and initial configuration
Security Center is available on all Azure environments. You can find it on the left side or search for Security Center. In the Overview page, we will have a summary of all security components that are being assessed and monitored by the Security Center, and we will tackle that page in this article as well.
However, to get started with the solution, the Getting Started page gives a good list of the tasks that we need to perform to get Security Center working properly, and it will help you get acquainted with the tool. Every link on the Getting Started page opens the corresponding documentation in a new browser tab.
The first step is to configure the Security Policy. Click on Security Policy, located in the Policy & Compliance section. The blade on the right side lists the current subscriptions; click on any subscription in that list.
In the first item, Data Collection, we can configure auto-provisioning, which forces the installation of the Microsoft Monitoring Agent on all existing VMs and makes it the default on new VMs as well.
We can also define which workspace will be used to store the Security Center data gathered from the resources. You can use a workspace created automatically by Security Center or use a specific one. In this article, we are going to define our own workspace.
Click on the Security Policy item. In this section we define all the components that Security Center will provide recommendations for. The first three, System Updates, Security Configurations, and Endpoint Protection, require data collection (the agent) to be installed on the VMs. All the others are retrieved from the objects without an agent. The items with an Upgrade button require an upgrade to the Standard tier for enhanced security. We will focus on the features of that tier in a future article here at TechGenix.
In the Email notifications section, we can provide an email address and phone number to receive alerts in case of a possible compromise. We can also define whether we want to send emails to the contacts we just entered and to the subscription owners as well.
Security Center tiers
Azure Security Center comes in two flavors: Basic coverage, which is free, and Standard coverage. Both provide security policy, assessment, recommendations, and connection with partner solutions. The Standard plan has tons of features, such as Just in Time VM Access; Advanced Threat Protection for networks, VMs, and Azure services; threat intelligence; and security event collection and search. The price for that tier is $15 per node per month.
Plans are assigned per subscription. The best way to understand what you have configured is the Coverage item in Security Center. From that blade we can select all subscriptions and see which of them are not covered.
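The same configuration steps (auto-provisioning, your own workspace, email notifications and the Standard tier for VMs) done with the Azure CLI instead of the portal, as an added example that is not from the article or from Microsoft's documentation; the subscription id, resource group, workspace name and contact details are placeholders to replace, and the `az security` command group still applies now that the product is named Microsoft Defender for Cloud:

```shell
#!/usr/bin/env bash
# Added example (not from the article): the portal steps above as Azure CLI
# calls. Needs the Azure CLI, an "az login" session and Owner/Security Admin
# rights on the subscription. Everything in the placeholders below must be
# replaced; DRY_RUN=1 prints the commands instead of running them.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
WORKSPACE_RG="${WORKSPACE_RG:-rg-security}"                                  # placeholder
WORKSPACE_NAME="${WORKSPACE_NAME:-law-security-center}"                      # placeholder
CONTACT_EMAIL="${CONTACT_EMAIL:-secops@example.com}"                         # placeholder
CONTACT_PHONE="${CONTACT_PHONE:-+15555550100}"                               # placeholder
DRY_RUN="${DRY_RUN:-0}"

# run: execute an az command, or only print it when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

configure_security_center() {
  local ws_id
  ws_id="/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$WORKSPACE_RG"
  ws_id="$ws_id/providers/Microsoft.OperationalInsights/workspaces/$WORKSPACE_NAME"
  # Data Collection: auto-provision the Microsoft Monitoring Agent on all VMs
  run az security auto-provisioning-setting update --name default --auto-provision On

  # Store the collected data in our own Log Analytics workspace
  run az security workspace-setting create --name default --target-workspace "$ws_id"

  # Email notifications: alert this contact and the subscription owners
  run az security contact create --name default1 \
    --email "$CONTACT_EMAIL" --phone "$CONTACT_PHONE" \
    --alert-notifications On --alerts-admins On

  # Tier: Standard coverage for virtual machines (billed per node per month)
  run az security pricing create --name VirtualMachines --tier standard
}

# show_coverage: what is actually enabled, the CLI view of the Coverage blade
show_coverage() {
  run az security pricing list --query "[].{plan:name,tier:pricingTier}" -o table
}

# Usage: "./asc-config.sh plan" prints the commands, "./asc-config.sh apply" runs them
case "${1:-}" in
  plan)  DRY_RUN=1 configure_security_center ;;
  apply) configure_security_center; show_coverage ;;
esac
```

Run it with `plan` first and compare the printed commands with what the Coverage and Security Policy blades show before applying.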
Exploring the recommendations
Azure Security Center is a fantastic tool, but to get a notion of what it does behind the scenes, I recommend going to the Overview item. In a single glance you will see all your Policy & compliance, resource security hygiene, a summary of the most prevalent recommendations, and compliance over time. All of that comes in all tiers; if you are using the Standard tier, you will have threat protection available as well.
All the graphs displayed on that page are clickable; clicking one takes the administrator to a specific blade that provides more detailed information.
When we use the Recommendations item, we see a summary of all resources and the severity of each issue: the description of the issue, the resources affected, and the severity. We can use Filter to narrow the issues by severity. When we click on any item in the list, another blade with more information opens. If software is missing, there will be an action item to install it. Security Center gives most of the information required to fix the issues it assesses.
Let’s use the disk encryption recommendation as an example. When we click on the item in the previous blade, a new blade, in this case called Apply disk encryption, is displayed with a good description of the issue, links, and every single resource/VM impacted by this issue.
The beauty of using Azure Security Center is that in a couple of clicks we can check the details of several key areas, such as Compute & Apps, Networking, and Data & Storage. In the Networking area, an overall networking recommendation at the top recommends using NGFirewall, NSGs at the subnet level, and restricting access to the Internet.
There is also a list of all Internet-facing endpoints, and the topology based on the inheritance of objects is displayed with indicators for NSGs. If we click on any object, a blade with more information opens.
Integrating with third-party vendors
We mentioned this feature at the beginning of this article. If an integration is required, the best way to start is by clicking on Security Solutions; a list of data sources is displayed. Click on the one you need and configure the integration with Azure Security Center.
You’re up and running
Congratulations! Now that you have Azure Security Center installed, you can monitor the health of your systems much better and ward off threats before they cause serious damage.