What is Azure Defender?

Mention the name “Defender” in relation to Microsoft and I’m taken back to the launch of the Windows Defender anti-spyware product, in 2006. This was truly breaking news that Microsoft would launch their own protection software, off the back of the acquisition of GIANT anti-spyware, that would be free to users of Windows XP. Fast forward fourteen years and there’s a new Defender in town – or is there?

Not a new product – but some new capabilities
Previously we’ve talked about Azure Security Center having two “tiers” of features and pricing: the Free tier and the Standard tier. Azure resources were enabled with the free tier by default and could be upgraded to Standard. Azure Defender is the new name for the standard tier, but it goes further than just a name change.

Azure Defender¬†unifies the security management of different workload types, within the Azure Security Center. In addition to a list of supported (generally available) and newly supported (in public preview) services, Azure Defender also analyzes signals from Azure network fabric and the service control plane, to detect threats across all Azure resources. It also protects non-Azure resources, utilizing Azure Arc, including those on-premises and in both AWS and GCP (once they’ve been onboarded).

Generally Available:
Azure Defender for Azure VMs
Azure Defender for Storage  
Azure Defender for Key Vault 
Azure Defender for Azure Kubernetes  
Azure Defender for Azure App Service 
Azure Defender for Azure SQL  
Azure Defender for Azure files
Azure Defender for Azure Synapse
Azure Defender for Managed Instance
Azure Defender for Azure Network Layer V1

What does it look like?
You’ll find Azure Defender inside the Azure Security Center. At a glance, it shows:
– Coverage statistics, so you can identify and upgrade your workloads
– Security alerts, by severity
– Advanced protection statistics, highlighting unprotected workloads
– Insights, including most prevalent security alerts, most attacked resources and high severity VM vulnerability alerts

What’s new?
The following capabilities are now in public preview:
Azure Defender for ACR – Now has continuous image scanning of recently pulled images.

Azure Defender for Azure Kubernetes – Admission control policy management allows you to mandate/audit security best practices such as avoid running containers as root users or enable trusted registries. Also check out the recently published Kubernetes attack matrix: 

Azure Defender for Servers – Automatic onboarding of VMs in AWS via multi-cloud connectors and Azure Arc. View your multi cloud security posture, pulling data from the AWS security hub and the GCP command center, into Azure Security Center. And with the high severity VM vulnerability alerts detected on your servers, you can drill down with the Azure Resource Graph query for more detail, which you can further customize, graph & export.

Azure Defender for IoT – Now has agentless technology with our acquisition of CyberX. Network traffic analysis is done via an on-premises sensor connected to the SPAN port of your network switch. To learn more, visit Azure Defender for IoT: Agentless Security for OT 

Azure Defender for SQL – Azure Arc enabled SQL servers allow threat detection & vulnerability assessments on SQL servers outside of Azure. Detect harmful attempts to breach SQL, suspicious queries and discover & remediate SQL server misconfigurations. For example, if a security incident is detected against an on-premises SQL server, it may show some suspicious processes being executed and some potential SQL injections. Then there’s tips for taking action on how to mitigate the threat, prevent future attacks, trigger an automated response or suppress similar alerts (preview).

Azure Security Centre also gets an update 
The new overview shows coverage across Azure, AWS and GCP, your Secure Score over time, Compliance by the number of passed controls, Azure Defender alerts, Inventory recommendations for unprotected resources and Insights including top improvements and changes in compliance.

What about Azure Sentinel?
Azure Sentinel¬†continues to grow as Microsoft’s Security, Information and Event Management (SIEM) product, aggregating security events from a huge range of sources and enhancing investigations. Microsoft Defender feeds into Azure Sentinel, as our eXtended Detection and Response (XDR) capability, monitoring endpoints.

Leave a Reply