Withsecure Microsoft Azure Security Framework Whitepaper en
Microsoft Azure Security Framework
A roadmap for hardening the security of your Azure environment
Authors: Emilian Cebuc and Christian Philipov
Microsoft Azure Security Framework | WithSecureTM Consulting © 2021 2
Contents

Introduction: Securing Azure (p. 3)
Inventory management (p. 4)
Resource isolation (p. 6)
Backups and disaster recovery (p. 8)
Identity and access management (p. 9)
Logging and monitoring (p. 14)
Policies (p. 18)
Resource governance (p. 20)
Continuous detection and monitoring (p. 21)
Incident response (IR) (p. 23)
Securing Azure

Although 95% of Fortune 500 companies use Microsoft Azure[1], there hasn't yet been a single, comprehensive guide for hardening the security of your Azure platform. In response, and inspired by Scott Piper's roadmap for building cloud security in AWS[2], this document provides the building blocks so you can start that journey.

No two organizations are the same. Each has a different technology infrastructure and security posture. Thus, when configuring your cloud environment, the security implications may not be immediately apparent in some cases. In others, you may not have the right expertise to begin building effective security controls. As a result, the content in this guide covers as many bases as possible, providing actionable best practices to help you secure your Azure environment.

The reference numbers throughout cite source material (referenced on page 21), including Microsoft documentation, for further reading and support.

Who it's for

Securing your cloud environment requires collaboration from a range of stakeholders, including but not limited to:
Inventory management

Principle: understanding and logically grouping all resources avoids the growth of an unrecognized attack surface.

[Figure: hierarchy of subscriptions, resources and applications]

Understand your resources

Begin by reviewing all existing resources under your organization. Depending on the size of your cloud environment, this can be quite an undertaking. However, it is an essential first step: you can't protect what you don't know you have. At a minimum, try to establish what:

• Azure Active Directory (AAD) tenants you have
• Subscriptions you have within your tenants
• Microsoft product licenses you utilize
• Applications your organization uses[4]

Only keep what you need

Remove any inactive subscriptions or trial subscriptions that have been created by users in error. Although it is important to test resources before development, this should only be done in a dedicated sandbox environment. This will avoid situations where excess subscriptions are created by team members and improperly utilized.

Group subscriptions with management groups to simplify governance

• Ensure there is a valid business case for each subscription.
• Use tags[5] within subscriptions to identify the key owners, project names, and allocated cost center, at a minimum.[6] This guarantees a point of contact for any activity occurring in Azure in relation to a given project.
• Use Azure Policy definitions to mandate that all new or current resources must carry the requisite tags in order to be compliant.[7]
• Use management groups[8] to group subscriptions into hierarchies.
• Reduce the burden of assigning and managing required access to multiple separate environments by getting development teams to work on dedicated project groups.

These changes will create a well-organized set of management groups with subscriptions that are classified according to the relevant team or project.

Set up cost alerting for subscriptions

Alerts should be based on the cost centers that have been allocated to each project and their budget.

• Restrict user permissions so that only certain users can create resources (see the "Policies" section for more information on configuring guardrails and user permissions).
• Set up an alert which is triggered when your costs reach a certain cap in a specific cost center.
• Always investigate large and unexpected variations in average usage costs, as these can be an indicator of anomalous activity.[9]
Resource isolation

Principle: isolation of resources helps reduce the "blast radius" of a cyber attack.

[...] as complex as deducing whether an initial foothold on a virtual machine (VM) will allow an attacker to reach an instance hosting Jenkins in an entirely different subscription in a peer-joined network. The blast radius varies from case to case, and will therefore require dedication, resource, and time to address the risk. However, the impact of doing so can prove the difference [...]

[Figure: Dev (compromised infrastructure), QA and PROD (protected infrastructure); the compromised developer account, the QA engineer and the production team each have write access only to their own environment, with read-only access elsewhere]

Enforce logical separation between resources when developing within your Azure platform

This should be carried out when any major new addition is made to your cloud environment. For example, it could include creating a new application or adding a new component of a greater platform.

• Start by separating resources into production and non-production environments.
• Use separate subscriptions and management groups for each workload in accordance with whether it will host production or testing data.[10] This applies to core services, such as networking, and to more specialized services.
• Although it is convenient to use peered networks to allow all resources to communicate freely between subscriptions, ensure resources in production are adequately segregated from any other environment. Follow a secure network topology layout.[11]
• Implement logical separation for the resources to ensure that any compromise of a non-critical asset in a non-production environment will not propagate to the equivalent resource in the production environment.

Reduce external-facing resources

Minimizing your organization's external footprint reduces the number of points of ingress into your network. In Azure, this can be done by:

• Configuring Azure's platform as a service (PaaS) services so that they are only accessible over a private endpoint that doesn't expose them externally
• Limiting access through a local virtual network

Ensure testing environments correspond

Environments should not become so distinct and disparate as a result of logical separation that they are no longer representative of one another. This will lead to a loss of functionality in testing between pre-production and non-production environments, causing issues for your team and your end users. As such, the pre-production environment should always be as similar to production as possible, ensuring it effectively represents the live environment when performing security testing. This includes teams being allowed to use more granular development environments to test new features in different ways as part of the product release process (e.g., "dev", "nft", "nonprod" or "prod").

Review resource isolation periodically in light of changes in your environment

Resource isolation is the most effective solution to help minimize lateral movement from an initial foothold in Azure. As resources need to communicate with each other, it is also the hardest to track, and activity must be revisited and monitored following the addition of any new services or major changes to infrastructure.

Example: logical separation

Separate key vault stores should be created for production and development resources. If both production and non-production secrets are stored in a single secret store, then the compromise of a single Azure Key Vault or equivalent key store could lead to an attacker gaining access to all secrets used in the platform.
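To make the "blast radius" concrete, the following is an added example (not part of the whitepaper): a small Python model of two peered VNets and their inbound NSG rules that computes which subnets a foothold on a dev subnet can reach transitively, treating every reached subnet as a new source (lateral movement). It then runs the same query with the peering removed and with the production NSG tightened. The subnet names, CIDRs, peerings and rules are constructed and hypothetical.

```python
"""Blast radius of a foothold in one subnet across peered VNets.

Added example, not from the whitepaper. The topology, CIDRs and NSG rules are
constructed; Azure's default rules (e.g. AllowVnetInBound) are represented by
explicit "*" entries so that the effect of peering is visible.
"""
import ipaddress
from collections import deque

# Constructed topology: a dev VNet and a prod VNet that are peered.
SUBNETS = {
    "dev-web":  {"vnet": "vnet-dev",  "cidr": "10.1.1.0/24"},
    "dev-ci":   {"vnet": "vnet-dev",  "cidr": "10.1.2.0/24"},  # e.g. a Jenkins host
    "prod-app": {"vnet": "vnet-prod", "cidr": "10.2.1.0/24"},
    "prod-db":  {"vnet": "vnet-prod", "cidr": "10.2.2.0/24"},
}
PEERINGS = {("vnet-dev", "vnet-prod"), ("vnet-prod", "vnet-dev")}

# Inbound NSG rules per destination subnet: (priority, source prefix, port, access).
# Lowest priority number wins, as in Azure; "*" means any source / any port.
NSG_INBOUND = {
    "dev-web":  [(100, "*", 22, "Allow")],
    "dev-ci":   [(100, "*", 8080, "Allow")],
    # prod-app trusts the whole dev address space, which the peering makes reachable
    "prod-app": [(100, "10.1.0.0/16", 443, "Allow"), (4096, "*", "*", "Deny")],
    "prod-db":  [(100, "10.2.1.0/24", 5432, "Allow"), (4096, "*", "*", "Deny")],
}


def _source_matches(rule_source, src_cidr):
    if rule_source in ("*", "VirtualNetwork"):
        return True
    return ipaddress.ip_network(src_cidr).subnet_of(ipaddress.ip_network(rule_source))


def allowed_ports(src_cidr, rules):
    """Ports a source prefix may reach; each port is decided by its first matching rule."""
    ordered = sorted(rules, key=lambda r: r[0])
    candidate_ports = {r[2] for r in ordered if r[2] != "*"}
    reachable = set()
    for port in candidate_ports:
        for _, source, rule_port, access in ordered:
            if rule_port in (port, "*") and _source_matches(source, src_cidr):
                if access == "Allow":
                    reachable.add(port)
                break  # first match decides; later rules are not consulted
    return reachable


def blast_radius(start, subnets=SUBNETS, peerings=PEERINGS, nsg_inbound=NSG_INBOUND):
    """Transitive closure of what a foothold in `start` can reach.

    Every reached subnet becomes a new source, which models lateral movement
    (compromise dev-ci, then use dev-ci's address range to talk to prod).
    Returns {subnet: set of reachable ports}.
    """
    reached = {start: set()}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, info in subnets.items():
            if dst == src:
                continue
            same_vnet = subnets[src]["vnet"] == info["vnet"]
            peered = (subnets[src]["vnet"], info["vnet"]) in peerings
            if not (same_vnet or peered):
                continue
            ports = allowed_ports(subnets[src]["cidr"], nsg_inbound.get(dst, []))
            if not ports:
                continue
            if dst not in reached:
                reached[dst] = set()
                queue.append(dst)
            reached[dst] |= ports
    return reached


def hardened_nsg():
    """Same NSGs, but prod-app only accepts traffic from the prod address space."""
    hardened = dict(NSG_INBOUND)
    hardened["prod-app"] = [(100, "10.2.0.0/16", 443, "Allow"), (4096, "*", "*", "Deny")]
    return hardened


if __name__ == "__main__":
    print("as deployed:      ", blast_radius("dev-web"))
    print("without peering:  ", blast_radius("dev-web", peerings=set()))
    print("hardened prod NSG:", blast_radius("dev-web", nsg_inbound=hardened_nsg()))
```

As deployed, a foothold on dev-web reaches the CI host, then prod-app over 443 (the rule trusts all of 10.1.0.0/16), and from prod-app the database on 5432. Either removing the peering or restricting prod-app's source prefix to the prod address space stops the chain at the dev VNet, which is the segregation the bullets above ask for.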
Backups and disaster recovery

Disasters do happen, and losing all your business-critical resources right when they are most needed is something every organization should be prepared for. The main cloud providers, Azure included, guarantee 99.99% availability for your services and data. However, the Code Spaces[12] and OVH[13] incidents have shown us the importance of always being prepared for the 0.01% chance not covered by Azure's Service Level Agreements (SLAs).[14] Thankfully, there are viable measures you can take internally to protect your organization in this scenario.

Implement frequent backups for your most critical resources and services

This could include snapshots of any particularly critical VMs, replication of Storage Accounts (with both cold and hot storage options), containers hosting sensitive or business-critical data, DevOps project repositories, Key Vaults containing keys, and secrets for your most used applications.

Backups can be performed natively through the Azure Backup[15] service. Organization administrators can define resources and frequency, as well as other selection criteria, to set the backup policy within the Azure environment.

Implement comprehensive business continuity and disaster recovery strategies

Further measures can be taken to minimize the impact to business operations in the event of a fault. This includes protecting your data, apps, and workloads, and keeping them online. For this purpose, Microsoft offers:

• Azure Site Recovery[16]: keeping business apps and workloads running during outages.
• Azure Migrate[17]: a centralized hub for discovery, assessment, and migration of on-premise machines to Azure.

How to: store backups

Small organization without critical data: Locally Redundant Storage (LRS) and Zone Redundant Storage (ZRS) options tend to be cheaper. Even allowing for the unlikely event of an outage affecting multiple data centers, smaller organizations may not need backups in other regions.

Large enterprise with significant critical data: backups in separate regions (the Geo-Redundant Storage options, GRS and RA-GRS). This helps minimize the risks related to any potential region-wide outages.
Identity and access management

Apply the principle of least privilege from the outset

In the place of coarse-grained roles such as "Owner" and "Contributor", more granular roles can be applied that consider the specifics of the tasks delivered and the permissions required. An attack surface increases unnecessarily with excessive role assignments. One compromised senior engineer could lead to the compromise of multiple projects that they didn't require access to.

Implement a bottom-up approach

1. Identify your starting point. Begin with the most important individual resources or resource groups, i.e., those critical to daily operations and output, and set role assignments to only the relevant personnel. This will help avoid broadly defined access to management groups or subscriptions, which would lead to unintended, inherited access to the components within them.

3. Assign roles in a hierarchy. Set "Owner" roles for relevant resources or resource groups, and for any personnel who are the resource or project owner(s) for those components. Any other members, developers, or application service principals requiring access in that specific project should be assigned specialized roles based on their required activity:

• Make use of "Reader" access. Members of staff from other teams and external parties should only be provided read-only "Reader" access to the environment. This can be supplemented by any other RBAC assignment required to perform any audit checks needed.
• Gradually move "up" to less critical resources. This will include broader selections, such as resource groups or even subscriptions.

Following these steps will lead to a well-defined and restrictive, but functional, set of role assignments. Resource access will be granted to only the essential required personnel group or service, without exposing them to undue risk.
AAD

When using AAD as your identity provider, there are options for managing IdAM in the cloud.

If you're implementing Business-to-Business (B2B) collaboration, use Azure AD B2B to provision Guest accounts in your AAD tenant, but perform regular audits[22] and remove old, unused, or unnecessary ones.[23]

If you're implementing Business-to-Consumer (B2C), security becomes heavily dependent on the type of customers you serve and the applications you host. Set up Conditional Access policies as a minimum, for example governing approved locations or user access based on their risk level (the probability that a user account is compromised). This will tighten authentication policies and minimize the effectiveness of credential stuffing attacks.

Implement single sign-on (SSO)

SSO will enable users to authenticate and access the resources they need with the same set of credentials. This avoids the need for multiple passwords for various services, reducing the likelihood of weak passwords or reuse. The benefits of SSO apply to cloud-native environments, hybrid cloud, and on-premise environments.

Manage all of your environments

The way you build your cloud environment, whether it is cloud-native, on-premise, or a hybrid solution, will determine your approach to authentication for IdAM. In most cases, organizations tend to have a hybrid solution, even if the end goal is to be fully cloud-native. For example, you might use an application proxy that opens on-premise services to the cloud, or leverage Active Directory Domain Services (ADDS)[24] in the cloud.

With AAD, there are three main IdAM options that you can implement. Typically, you will be leveraging Azure AD Connect to synchronize with your on-premise estate:

• Azure AD Password Hash Sync (PHS) + Seamless SSO (SSSO).[25] This is the least-effort option, where validation happens completely in the cloud. AAD Connect synchronizes cloud identities with the password hashes from on-premise and does not require any additional infrastructure.
• Azure AD Pass-Through Authentication (PTA) + SSSO. This approach uses a "middleman" authentication agent (Microsoft recommends running at least three agents for high availability), validating password sign-in attempts against the Domain Controller (DC) on-premise. On-premise account policies are enforced at the time of sign-in. PHS should be deployed as a backup method.
• Federated Authentication, either with Active Directory Federation Services (ADFS) or other third-party federation providers. Here, sign-in attempts are redirected to federation proxies between cloud and on-premises. The federation servers perform the validation with on-premises AD. Password hash synchronization (PHS) can be included also.
Assign, monitor, and manage user permissions in AAD

1. Apply the principle of least privilege on the users in your AAD tenant. Always aim to have a minimum of 2 and a maximum of 4 Global Administrator (GA) accounts, to avoid ever being completely locked out of your environment. Too many GA accounts increases the risk of targeted phishing attacks, potentially resulting in compromised accounts with unrestricted permissions.

2. Assign specialized, narrow roles for administrative requirements, and read-only roles for your users[26], in a similar fashion to the Azure RBAC roles.

3. Monitor the activities of service principals by setting alerts for suspicious activities. You will most probably end up having service principals within your tenant as a result of third-party solutions or entities which need to run with high privileges. Compromise of these high-privileged applications would have a significant impact on your environment, giving a foothold to an attacker. Either delete service principals when they are not needed or consider less-privileged roles as substitutes.

4. Use Azure AD's built-in roles, and when these do not fit a necessary team member role, create custom ones defining the needed permissions.[27] With custom roles, due to the complexity and granularity of the permission model, make sure to avoid broad permission definitions using the star ("*") action. These could assign an unintended level of access, so ensure your definitions only assign necessary permissions, for the necessary scope.

Use Azure Privileged Identity Management (PIM) to avoid unnecessary Administrator accounts

Constantly updating user access permissions can become an intensive overhead for your IT personnel. Just-in-Time (JIT) access and automation solutions for this problem do exist, including Azure Privileged Identity Management (PIM).[28] This is a must-have security service for organizations that can afford an Azure AD Premium P2 license. With PIM, users need to request the role access they require, when they require it, enforcing a time constraint on the role. This significantly reduces the number of excess administrator accounts which can be compromised and used by attackers to perform privileged actions within Azure. It also helps solve the issues of timeboxing and auditing of access management. Enforce strict policies for highly privileged roles such as GA, for example a maximum activation of two hours and an approval requirement from another senior administrator. Similarly, for resources, Just-in-Time (JIT) access can be implemented to reduce exposure.

Use AAD Conditional Access (CA) policies to govern sign-in attempts and set conditions to be met after a correct sign-in

An Azure AD Premium P1 license is required at a minimum. CA policies allow you to enforce things like:

• Multi-factor authentication (MFA)
• Trusted locations or trusted/compliant device logins, via Microsoft Intune MDM
• Restricting specific types of clients from authenticating into the estate
• Advanced risk-based sign-in management via Azure AD Identity Protection
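The bottom-up RBAC approach and the warning against wildcard ("*") actions in custom roles can both be checked offline. The following is an added example, not from the whitepaper: a Python model of Azure scope inheritance (management group, subscription, resource group, resource) that resolves which assignments apply at a given resource, whether a principal can perform an action there, which custom roles contain a bare "*", and which write-capable assignments sit at management-group or subscription scope and therefore inherit downwards. The scopes, principals and the two custom roles are constructed; the Owner, Contributor and Reader action lists are abbreviated from the built-in Azure definitions.

```python
"""Effective Azure RBAC access through scope inheritance, plus a check for
custom roles that use wildcard actions.

Added example, not from the whitepaper. Scopes, principals and the two custom
roles are constructed; built-in role action lists are abbreviated from Azure's.
"""
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/corp"
SUB = "/subscriptions/sub-prod"
RG = SUB + "/resourceGroups/rg-payments"
KV = RG + "/providers/Microsoft.KeyVault/vaults/kv-payments"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-batch-01"

# Parent of each scope; a subscription's parent is its management group.
PARENTS = {SUB: MG, RG: SUB, KV: RG, VM: RG}

# Role definitions as (actions, notActions); control-plane actions only.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete",
                            "Microsoft.Authorization/elevateAccess/Action"]),
    "Reader": (["*/read"], []),
    # constructed custom roles
    "kv-operator": (["Microsoft.KeyVault/vaults/read",
                     "Microsoft.KeyVault/vaults/secrets/read"], []),
    "deploy-bot": (["*"], []),  # the "star" definition the text warns against
}
BUILTIN = {"Owner", "Contributor", "Reader"}

# Role assignments as (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Owner", MG),  # broad: inherited by every subscription under the MG
    ("bob", "Reader", SUB),
    ("carol", "kv-operator", KV),
    ("svc-deploy", "deploy-bot", RG),
]


def ancestors(scope):
    """The scope itself followed by each parent up to the management group."""
    chain = [scope]
    while chain[-1] in PARENTS:
        chain.append(PARENTS[chain[-1]])
    return chain


def effective_assignments(scope, assignments=ASSIGNMENTS):
    """Assignments that apply at `scope`, directly or by inheritance."""
    chain = ancestors(scope)
    return [(p, r, s) for p, r, s in assignments if s in chain]


def role_permits(role, action):
    """Azure semantics: allowed by some action pattern and not excluded by notActions."""
    actions, not_actions = ROLES[role]
    act = action.lower()
    allowed = any(fnmatchcase(act, a.lower()) for a in actions)
    denied = any(fnmatchcase(act, n.lower()) for n in not_actions)
    return allowed and not denied


def can(principal, action, scope, assignments=ASSIGNMENTS):
    """True if any effective assignment grants `action` on `scope`."""
    return any(role_permits(r, action)
               for p, r, _ in effective_assignments(scope, assignments) if p == principal)


def wildcard_custom_roles(roles=ROLES):
    """Custom roles whose actions contain a bare '*' (unbounded permission)."""
    return sorted(n for n, (acts, _) in roles.items() if n not in BUILTIN and "*" in acts)


def broad_write_assignments(assignments=ASSIGNMENTS):
    """Write-capable roles granted at management-group or subscription scope,
    i.e. the inherited access the bottom-up approach is meant to avoid."""
    return [(p, r, s) for p, r, s in assignments
            if "/resourceGroups/" not in s
            and role_permits(r, "Microsoft.Compute/virtualMachines/write")]


if __name__ == "__main__":
    print("who can act on the payments vault:", effective_assignments(KV))
    print("alice can assign roles on the vault:", can("alice", "Microsoft.Authorization/roleAssignments/write", KV))
    print("wildcard custom roles:", wildcard_custom_roles())
    print("broad write assignments:", broad_write_assignments())
```

The model shows why the text starts at the resource level: alice's Owner assignment at the management group is inherited by every resource beneath it, while carol's narrow role is only effective on the vault itself. The same pattern matching exposes "deploy-bot" as a custom role that is Owner in all but name.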
Implement MFA for all administrative users

This will create an additional security layer for sign-in attempts and transactions. Ideally, you should plan a gradual rollout to all users in your tenant. Implementing these measures will ensure that all your important administrative users are adequately protected with MFA and can request the high-level access needed to perform a more sensitive action only when needed. In doing so, your internal employees, apps and services, and any third-party collaborators in your tenant will have access to your environment governed by the policies you've established. This means they will only be able to gain access from locations or devices that you have defined as safe and accepted, and activity carrying risk will be monitored.

Monitor and update permissions to maintain the principle of least privilege

With an established plan for IdAM configuration, organizations should continuously monitor people's access and roles. Ensure these are edited or removed accordingly whenever needed, maintaining the principle of least privilege to avoid unnecessary risks.
Logging and monitoring

Logging is an area which requires a continuous effort: your resources might scale, get moved, and acquire different purposes, and new services might be introduced. You should start configuration and log onboarding within the Security Operations Center (SOC) as early as possible and add other telemetry as your Azure platform evolves. Getting your logging and monitoring right from the beginning helps ensure that nothing is overlooked. Left until later, the implementation of a logging plan becomes a time-consuming task and risks suspicious activity going undetected if the right logs are not configured.

Logging basics

1. Establish visibility over what happens in your tenant, both at the control plane level and the resource level. This reveals what actions users are performing in your tenant and with your resources. Performance information helps you make the most of your resources. It also gives clues about how a suspicious login, a sudden spike in VM performance stats, and a high number of read operations from a Storage Container could together be indicators of data compromise and exfiltration.

2. Ingest telemetry for resources and tenant activity into your SOC. These logs should be used in conjunction with alert policies to inform relevant SOC staff of activities of interest or events happening within your tenant. Effective alerts are fundamental to your incident readiness and response effort. Creating an effective set of alerts requires contextual information about the components within your tenant.

Log types

You can't enable logging for everything, as this will incur greater costs and can overwhelm the SOC with low-risk alerts. Start small, and focus on the most critical resources first:

• Use metrics logs to create visibility over what happens internally to your resources, such as performance, health, diagnostics, technical issues, etc.
• Use activity logs to create visibility over what events happen with resources in your tenant, such as control plane actions like creation of resource groups, a change to an Azure Policy, etc.
The Azure Monitor service[29] works as a comprehensive solution for collecting, analyzing, and acting on telemetry, both from your cloud and on-premises environments. It provides general information on how resources in your environment are performing and more detailed information on activity and telemetry for infrastructure, applications and networking aspects. Monitor can collect all available information for each supported resource. To enable this collection, set up the Log Analytics agents (e.g., for VMs), and enable Diagnostic Logs within the pages of each service supporting them (SQL DBs, Key Vaults, Azure AD, etc.).

Whether it's suspicious and unexpected activity within your network flow traffic, abnormal use of your resources, spikes in performance, or unusual devices being suddenly active, these kinds of metrics can alert you to a potential compromise within your environment.

1. Enable Application Insights to monitor both cloud and on-premise. If you have managed App Services, Azure Functions, Azure Kubernetes Service etc. deployed within your tenant, enable Application Insights for them, to monitor the availability, performance, errors, exceptions, and usage. It can monitor both cloud and on-premise environments. Enable NSG Flow Logs in Virtual Networks and write them to a storage account or Log Analytics workspace, to have clear visibility over network traffic.

2. Enable diagnostics logs for "Compute" type resources. "Compute" type resources include VMs, Container Instances, Kubernetes Service, etc. Enable diagnostics logs and deploy the relevant Log Analytics agents (more on Log Analytics further down below). Ensure that both host-level (what Azure sees) as well as guest-level (what the OS sees) monitoring is in place.

3. Enable Storage Diagnostics for "Storage" type resources. "Storage" type resources include Storage Accounts, SQL Databases, storage disks, etc. Enable Storage Diagnostics, so that Monitor can collect metrics on each component of a storage account.
[Table of log types (descriptions not recovered): Azure AD logs, Firewall logs]
Log analytics

Azure Monitor is based on the Log Analytics service, which allows the storage of logs from all your various sources in Workspaces.[31] This enables correlation of data, complex analysis, insights, and querying capabilities via the Kusto Query Language (KQL). Sending resource and activity logs to Log Analytics is the preferred option, while storage accounts should be used if a more manual, static analysis of logs is needed.

1. Use workspaces to group logs and manage who can access them. Opt in for multiple workspaces to more effectively group logs by purpose or by logically related resources. For backup purposes or for manual review, all critical logs should also be sent to a storage account configured for cold storage of data.

2. Retain your logs for backups, disaster recovery, and investigation in the event of a cyber attack. Cost is an essential consideration for log collection. However, defaulting to the standard retention period of 90 days for activity logs, having them appear in each resource's page, and not considering Workspaces fails to take advantage of using Log Analytics for establishing a timeline of events and understanding of the actions. Storing and analyzing more logs becomes increasingly advantageous when you consider that initial compromise tends to happen several months before the first detection of an intrusion. As Log Analytics allows you to increase the retention policy up to 730 days, opt for a longer retention policy that suits your business needs.
Policies

Principle: effective guardrails help establish a minimum security and compliance configuration, without disrupting development activities.

As your Azure environment develops, especially in fast-paced, growing organizations, a lack of effective policies can result in unchecked areas of vulnerability, leaving an open goal for attackers. Guardrails are the most efficient way to ensure that any resource has a secure baseline configuration.

Control resource deployments with Azure Policy

This is one of the key services available in Azure to ensure resource governance at scale and is the primary way of establishing guardrails in a given platform. Azure policies are made up of a policy definition resource written in JSON format. Within that policy definition, users can define the specific fields it evaluates, the logical condition it uses to evaluate those fields, and the action that will be performed if the condition evaluates to true. When a policy is evaluated, Azure Policy provides seven options for actions (effects), including "Audit", "Deny", and "DeployIfNotExists".[32] These self-explanatory effects represent the common outcomes and can be used either to just provide oversight or to directly interfere with the usage of a noncompliant resource.

Organizations have different requirements for their environments, resources, and the services they are using. It is important to define some custom policies, fitting security guardrails appropriate to the organization's development processes.

Review Microsoft's pre-defined policies[33]

These pre-made policies serve as a good foundation for your organization's Azure environment. They are built around common security recommendations from governing bodies such as the Center for Internet Security (CIS)[34] or the National Institute of Standards and Technology (NIST).[35]

Once you review the pre-made policies, scope any relevant policy definitions accordingly to a subscription or management group level. Where possible, use the pre-made policies to not only audit resources, but also remediate common issues by explicitly denying the creation of insecure services.
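The policy definition structure described above, and the tag mandate from the Inventory management section, can be exercised without a subscription. The following added example (not from the whitepaper, and not Microsoft's evaluation engine) implements the `if`/`then` rule language for the `allOf`, `anyOf`, `not`, `equals`, `notEquals`, `exists`, `in` and `like` conditions, runs two definitions over constructed resources (a deny on missing owner/project/costCenter tags, and an audit on storage accounts that allow public blob access), and shows how to stage a deny as an audit first. Resolving an alias by its last path segment is a simplification of how real aliases map to resource properties.

```python
"""Evaluator for a subset of the Azure Policy rule language, run offline.

Added example, not from the whitepaper and not Microsoft's engine. Supports
allOf / anyOf / not and the equals, notEquals, exists, in and like conditions.
Aliases such as "Microsoft.Storage/storageAccounts/allowBlobPublicAccess" are
resolved by their last path segment, a simplification of real alias mapping.
"""
import json
from fnmatch import fnmatchcase

# Definitions in the shape the Azure Policy REST API returns (abridged).
REQUIRE_TAGS = {"name": "require-owner-project-costcenter", "properties": {
    "displayName": "Resources must carry owner, project and costCenter tags",
    "mode": "Indexed",
    "policyRule": {
        "if": {"anyOf": [
            {"field": "tags['owner']", "exists": "false"},
            {"field": "tags['project']", "exists": "false"},
            {"field": "tags['costCenter']", "exists": "false"}]},
        "then": {"effect": "deny"}}}}

NO_PUBLIC_BLOB = {"name": "audit-public-blob-access", "properties": {
    "displayName": "Storage accounts should not allow public blob access",
    "mode": "Indexed",
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess",
             "notEquals": "false"}]},
        "then": {"effect": "audit"}}}}

# Constructed resources, as an inventory export would list them.
RESOURCES = [
    {"name": "stprodlogs", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "tags": {"owner": "alice", "project": "payments", "costCenter": "CC-100"},
     "properties": {"allowBlobPublicAccess": False}},
    {"name": "stdevscratch", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope",
     "tags": {"owner": "bob"},  # created in a hurry, half tagged
     "properties": {"allowBlobPublicAccess": True}},
    {"name": "vm-ci-01", "type": "Microsoft.Compute/virtualMachines", "location": "northeurope",
     "tags": {"owner": "bob", "project": "ci", "costCenter": "CC-200"},
     "properties": {}},
]


def resolve_field(resource, field):
    """Value of a policy `field` on the resource, or None when it does not exist."""
    if field in ("name", "type", "location"):
        return resource.get(field)
    if field.startswith("tags['"):  # tags['owner']
        return resource.get("tags", {}).get(field[6:-2])
    if field.startswith("tags."):  # tags.owner
        return resource.get("tags", {}).get(field[5:])
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])  # alias (simplified)


def _norm(value):  # Azure compares case-insensitively; booleans serialise as "true"/"false"
    return None if value is None else str(value).lower()


def evaluate_condition(cond, resource):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not None) == (_norm(cond["exists"]) == "true")
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in {_norm(v) for v in cond["in"]}
    if "like" in cond:
        return value is not None and fnmatchcase(_norm(value), _norm(cond["like"]))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """The effect that fires for this resource, or None when it is compliant."""
    rule = policy["properties"]["policyRule"]
    return rule["then"]["effect"] if evaluate_condition(rule["if"], resource) else None


def assess(policies, resources=RESOURCES):
    """Non-compliance report as (resource name, policy name, effect) tuples."""
    return [(r["name"], p["name"], eff)
            for r in resources for p in policies if (eff := evaluate(p, r))]


def with_effect(policy, effect):
    """Copy of a definition under another effect: roll a 'deny' out as 'audit' first."""
    clone = json.loads(json.dumps(policy))
    clone["properties"]["policyRule"]["then"]["effect"] = effect
    return clone
```

Running `assess([REQUIRE_TAGS, NO_PUBLIC_BLOB])` flags only the half-tagged scratch account, once under each definition; `with_effect(REQUIRE_TAGS, "audit")` is the staged version to assign first, so that the report can be reviewed before the same rule is switched to `deny` and starts blocking deployments.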
Define custom policies to prevent development misconfigurations

When defining custom policies, try to strike a balance that works for your organization. Your policies should be sufficiently restrictive to prevent development misconfigurations, but also maneuverable enough so that developers and engineers do not attempt to "work around" them. Due diligence must be carried out to ensure that any required exceptions are categorized and recorded in advance. Additionally, the implementation of policies should be done only after sufficient testing using an audit condition. As a first step, implement custom policies such as:

Test your policies to ensure they do not hamper the development workflow

Careful deliberation will be required to tailor any policy guardrails to your environment. Once implemented and considered as part of the development workflow, your guardrails ensure that any created resource has a secure baseline configuration. Each product can now be built upon continuously and any new security features can be added to the templates so that security doesn't have to lag behind development.
Resource governance

Principle: continuous evaluation of existing practices can highlight deficiencies in your security and inform design improvements.

Resource governance is essential in any digital environment. In the context of Azure, it will not only help you identify areas for improvement. It also highlights potential faults that cause the recurrence of security issues due to new developments. If current processes are failing to build a scalable and secure environment, now is the time to consider making some core design changes.

Define, build, and review deployment templates

Modern development can make infrastructure too complex to manage manually, which has prompted a change in thinking about controlled automation. It is important to support new processes, such as deployment templates, ensuring they establish a secure baseline that is both maintainable and reproducible.[36]

There are multiple native and third-party tools that can be used to define and build deployment templates. A popular third-party tool that integrates with Azure is HashiCorp Terraform[37], which supports the creation of complex infrastructure via Terraform files. Alternatively, an entirely native Azure solution would be to create Azure Resource Manager (ARM) template definitions[38] and have the templates built within the cloud environment using the Azure Blueprints service.[39] As new resources will likely be deployed using these same templates, they are a key component in establishing a security baseline across all new resources. These templates must establish secure defaults and the necessary tags to ensure Azure Policy definitions correctly audit each resource on creation.

Use caution when deploying any new templates within a cloud environment. Implement a "four-eyes" review process for any new deployment template to ensure it does not unnecessarily increase the available attack surface of the platform. These security baseline checks can be done via automated tooling (as part of the pipeline deployment) to ensure the template has not changed fundamentally from the reviewed version.

Audit resources within your platform regularly

In an ideal scenario, any small change would be reviewed at the time and deemed expected (i.e., safe) or potentially malicious. However, reality is rarely so kind. The size and the number of deployments required to complete a product can make manually reviewing each one impractical. As such, the cloud management team should conduct monthly audits of Azure Policy data to investigate the status of, and reasons behind, any noncompliant resources.
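The automated pipeline check described above, as an added example that is not part of the whitepaper: a Python gate that recomputes a digest of a constructed ARM template and compares it with the digest recorded at four-eyes review, then scans the template for changes that widen the attack surface (public IP addresses, NSG rules open to the Internet on sensitive ports, public blob access, TLS below 1.2). The template, the approved digest and the port list are constructed; the resource types and property names are the real ARM ones.

```python
"""Pipeline gate for a deployment template: confirm it still matches the
reviewed version and scan it for changes that widen the attack surface.

Added example, not from the whitepaper. The template, the approved digest and
the port list are constructed; resource types and property names are ARM's.
"""
import copy
import hashlib
import json

SENSITIVE_PORTS = {"22", "3389", "1433", "3306", "5432", "*"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Template as it passed four-eyes review (constructed).
REVIEWED_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": "Microsoft.Network/networkSecurityGroups", "apiVersion": "2020-11-01",
         "name": "nsg-app", "location": "westeurope",
         "properties": {"securityRules": [
             {"name": "ssh-from-bastion", "properties": {
                 "direction": "Inbound", "access": "Allow", "protocol": "Tcp", "priority": 100,
                 "sourceAddressPrefix": "10.0.250.0/24", "destinationPortRange": "22"}}]}},
        {"type": "Microsoft.Storage/storageAccounts", "apiVersion": "2021-02-01",
         "name": "stapplogs", "location": "westeurope",
         "sku": {"name": "Standard_LRS"}, "kind": "StorageV2",
         "properties": {"allowBlobPublicAccess": False, "minimumTlsVersion": "TLS1_2"}},
    ],
}


def digest(template):
    """SHA-256 of a canonical JSON form, so key order and whitespace do not matter."""
    canonical = json.dumps(template, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


APPROVED_DIGEST = digest(REVIEWED_TEMPLATE)  # value the reviewers record


def attack_surface_findings(template):
    """Resources or settings in the template that expose it to the Internet."""
    findings = []
    for res in template.get("resources", []):
        rtype, name, props = res["type"], res["name"], res.get("properties", {})
        if rtype == "Microsoft.Network/publicIPAddresses":
            findings.append(("public-ip", name))
        elif rtype == "Microsoft.Network/networkSecurityGroups":
            for rule in props.get("securityRules", []):
                rp = rule["properties"]
                if (rp.get("direction") == "Inbound" and rp.get("access") == "Allow"
                        and rp.get("sourceAddressPrefix") in INTERNET_SOURCES
                        and rp.get("destinationPortRange") in SENSITIVE_PORTS):
                    findings.append(("nsg-open-to-internet", f"{name}/{rule['name']}"))
        elif rtype == "Microsoft.Storage/storageAccounts":
            # An absent property means the service default applies; the historical
            # default allowed public access, so absence is treated as a finding.
            if props.get("allowBlobPublicAccess", True):
                findings.append(("public-blob-access", name))
            if props.get("minimumTlsVersion") != "TLS1_2":
                findings.append(("weak-tls", name))
    return findings


def gate(template, approved_digest=APPROVED_DIGEST):
    """Findings that should fail the pipeline; an empty list lets the deployment proceed."""
    findings = []
    if digest(template) != approved_digest:
        findings.append(("digest-mismatch", "template differs from the reviewed version"))
    return findings + attack_surface_findings(template)


def drifted_template():
    """The reviewed template after an unreviewed edit: a public IP and SSH open to the world."""
    t = copy.deepcopy(REVIEWED_TEMPLATE)
    t["resources"].append({"type": "Microsoft.Network/publicIPAddresses", "apiVersion": "2020-11-01",
                           "name": "pip-app", "location": "westeurope",
                           "properties": {"publicIPAllocationMethod": "Static"}})
    t["resources"][0]["properties"]["securityRules"].append(
        {"name": "ssh-any", "properties": {"direction": "Inbound", "access": "Allow", "protocol": "Tcp",
                                           "priority": 110, "sourceAddressPrefix": "*",
                                           "destinationPortRange": "22"}})
    return t
```

The digest check alone would already stop the drifted template, but it cannot say why; the attack-surface scan names the public IP and the open SSH rule, which is what the reviewer needs when the change comes back for a second look.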
Continuous detection and monitoring

Log management is a continuous process, needing constant attention and updates based on changes to your environment and resources. But only collecting logs, with no follow-on activity, wastes both effort and money. When logs are processed and grouped accordingly by risk, false-positive fidelity, actions, etc., SOC analysts can better prioritize their time and focus on the most pressing alerts. This should be the goal.

Establish a list of the most critical resources present within your environment

Here, security analysts and engineers should come together to create an established list of critical resources that can be used to prioritize alerts. Consider important users and service accounts that would be the likely targets of an attack.

Set up risk-prioritized alerting policies based on the criticality of resources

In doing so, once there is a prioritized list of resources and personnel know what each resource is expected to do, they will be notified by alerts when certain conditions are met. The context of these organized logs will then allow analysts to deduce malicious behavior or whether further manual review is needed. As a minimum, define a number of core alerts. For example:

• a privileged role assignment has been performed
• a critical Azure Policy has been modified
• an unexpectedly high number of resources (such as VMs) has been deployed
• an unexpected access to an Azure Key Vault entry
• impossible travel distances for logins
• logins from unidentified or unexpected locations

Enable Azure Security Center[40] for the entirety of the tenant

This is an invaluable one-stop-shop for security alerts and remediation actions, and it has great integration with most resources and services. Microsoft's own description of the platform is: "Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud—whether they're in Azure or not—as well as on premises."

Implement a security self-assessment practice

Use your self-assessment to monitor and identify security-related issues within the tenant and feed the information back into the SIEM solutions. Tools such as the Secure DevOps Kit for Azure (AzSK)[41] can help significantly as part of continuous monitoring. It performs checks for low-hanging fruit related to RBAC, Azure AD, DevOps, and governance.
These can help reduce certain types of alerts, thus reducing the time spent on more trivial alerts and tasks. As your Azure platform evolves, sending specific types of alerts to a ticketing solution (e.g., Jira) may also be useful for security and risk management.

Act upon these events based on set risk policies and/or alert personnel for manual investigation. Machine learning can aid this process by minimizing false positives. It can be set up in conjunction with Azure AD Conditional Access policies for highly advanced authentication protection.

[Figure: the continuous detection loop. SOC analysts and security engineers share incident response playbooks, risk-based attack detection and proactive threat hunting; new logs feed prioritized alerts, whose effectiveness is then evaluated.]

The "assume breach" model posits that an attacker will eventually attain some level of privileged access within your environment. As your organization increases the number of services it uses, the number of potential points of compromise increases too. We've already discussed how to monitor for such intrusions and minimize lateral movement. This section will provide guidance on what to do when you observe telemetry pointing to a live security incident.
Create incident response playbooks for your cloud environment

In the context of thorough, accurate, and up-to-date incident response plans and playbooks, the cloud is still a new frontier. The MITRE cloud matrix is being continuously updated as new data is gathered on known breaches43. Tactics, techniques, and procedures (TTPs) used in the cloud are changing all the time, so, as with on-premises environments, it is important to establish a dynamic and continuous approach to your cloud-based IR activities. Establish playbooks that include an action plan for assumed breach. Given the increase in cloud attacks and the novelty of the TTPs used, it is crucial that cloud engineers, the SOC, and key platform stakeholders work together to ensure that the playbooks are as contextually relevant as possible.

To encourage continuous improvement and provide a current baseline against attacks, evaluate and update your cloud IR playbooks regularly, whenever:
• new deployments have been made within your platform
• new threat intelligence is published
• new offensive techniques are identified publicly

Further IR measures

• Perform regular tabletop exercises to prepare for various intrusion points based on their level of assigned risk.
• Configure all critical components to generate as much telemetry as possible. This data should be funneled to the security team or SOC for their continuous review.
• Utilize Microsoft resources to supplement your existing playbooks with guidance around common attack methods currently used by attackers44.
• Where possible, organizations should conduct their own internal research and analysis to ensure their response effort is relevant and appropriate.
• Accomplishing this requires significant time and resources, and may not be possible at large scale. However, minimal investment can potentially change the outcome of a compromise. Your central aim should be to reduce the time it takes for the security team to identify a live threat and respond with the correct measures.

Use the tools at hand to generate high-impact alerts based on anomaly detection

Native tools such as Azure Sentinel enable IR teams to build responsive activities that can be triggered automatically, or by a human operator. Automation means these actions can be performed at scale across a large organization. Although the specifics can differ between security orchestration, automation and response (SOAR) tools, the fundamental idea remains the same: certain actions can be automatically applied the moment a given security alert is triggered. This helps reduce the impact to the organization while maximizing immediate, automated response to certain critical alerts.
What next?
Principles
References
1. What is Azure? https://azure.microsoft.com/en-us/overview/what-is-azure/
2. AWS Security Maturity Roadmap https://summitroute.com/downloads/aws_security_maturity_roadmap-Summit_Route.pdf
3. Hunting Azure Blobs Exposes Millions of Sensitive Files https://www.cyberark.com/resources/threat-research-blog/hunting-azure-blobs-exposes-millions-of-sensitive-files
4. Tutorial: Discover and manage shadow IT in your network https://docs.microsoft.com/en-us/cloud-app-security/tutorial-shadow-it
5. Use tags to organize your Azure resources and management hierarchy https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-resources
6. Resource naming and tagging decision guide https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/resource-tagging
7. Assign policy definitions for tag compliance https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/tag-policies
8. What are Azure management groups? https://docs.microsoft.com/en-gb/azure/governance/management-groups/overview
9. Use cost alerts to monitor usage and spending https://docs.microsoft.com/en-us/azure/cost-management-billing/costs/cost-mgt-alerts-monitor-usage-spending
10. Organize your Azure resources effectively https://docs.microsoft.com/en-gb/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources
11. Traditional Azure networking topology https://docs.microsoft.com/en-gb/azure/cloud-adoption-framework/ready/azure-best-practices/traditional-azure-networking-topology
12. Code Spaces goes titsup FOREVER after attacker NUKES its Amazon-hosted data https://www.theregister.com/2014/06/18/code_spaces_destroyed/
13. OVH data center burns down knocking major sites offline https://www.bleepingcomputer.com/news/technology/ovh-data-center-burns-down-knocking-major-sites-offline/
14. Service-level agreements https://azure.microsoft.com/en-gb/support/legal/sla/
15. What is the Azure Backup service? https://docs.microsoft.com/en-us/azure/backup/backup-overview
16. About Site Recovery https://docs.microsoft.com/en-us/azure/site-recovery/site-recovery-overview
17. Azure Migrate https://azure.microsoft.com/en-gb/services/azure-migrate/
18. Assign Azure roles using the Azure portal https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
19. Assign Azure roles to a managed identity (Preview) https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal-managed-identity
20. Azure custom roles https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
21. Create and assign a custom role in Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-create
22. What are Azure AD access reviews? https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
23. How To: Manage inactive user accounts in Azure AD https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/howto-manage-inactive-user-accounts
24. What is Azure Active Directory Domain Services? https://docs.microsoft.com/en-us/azure/active-directory-domain-services/overview
25. Azure Active Directory Seamless Single Sign-On https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso
26. Azure AD built-in roles https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference
27. Create and assign a custom role in Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/roles/custom-create
28. What is Azure AD Privileged Identity Management? https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure
29. Azure Monitor overview https://docs.microsoft.com/en-us/azure/azure-monitor/overview
30. Audit logs in Azure Active Directory https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs
31. Log Analytics tutorial https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial