Month: March 2020

Azure Security Center – Continuous Export

Azure Security Center (ASC) is a great holistic solution from Microsoft that not only assesses your Azure resources but can also be extended to your on-premises infrastructure. ASC is a security management solution that improves your overall security posture across your Azure environment and on-premises infrastructure. I work with a lot of customers who require an “agnostic” SIEM solution, so they don’t have all of their eggs in one basket (so to speak) with a single vendor. Azure Sentinel is a great solution, but it still lacks maturity in comparison to other products like IBM’s QRadar, Splunk and some others.

ASC also generates detailed security recommendations and alerts that can be viewed in the ASC portal. However, when customers have a requirement to send this telemetry to a third-party SIEM, Azure Event Hubs is a great middleman solution.

In short, your Azure resources can send their security events directly to Event Hubs (via the diagnostic agents), or, the easier approach, ASC can be configured to collect them. Choosing the latter, we can configure ASC’s Continuous Export to forward the data collected in ASC to Event Hubs, which in turn allows the third-party SIEM to ingest the data from Event Hubs.

Once you have enabled ASC and enrolled your resources (assuming you have already configured Event Hubs and a third-party SIEM), you can set up Continuous Export within the ASC console as shown below.

Setting up ASC Continuous Export is pretty straightforward, provided you have already configured Event Hubs and your SIEM to ingest from Event Hubs. Within ASC, select Continuous Export. Choose where to send the data, either Event Hubs or a Log Analytics workspace (Sentinel). Select the types of alerts and recommendations to export (All, Low, Medium, High). Specify the subscription where Event Hubs lives, the Event Hub namespace, the Event Hub name, and the policy name. Hit Save, and that is it!

That is it, pretty simple. Definitely a much easier solution than deploying the Linux and Windows Azure Diagnostics agents (LAD/WAD), but that is another post for another day 🙂

Azure Security Center – Secure Score Enhancements

Over the last few days, Azure Security Center (ASC) updated how Secure Score is calculated. This enhancement simplifies the calculation, and in this post I would like to show how it is done.

As previously mentioned, Azure Security Center provides a high-level, holistic assessment of your Azure environment, and it can also be extended to your on-premises environment. One of the key features ASC provides is the Secure Score. Secure Score is calculated from your specific environment and the resources deployed within it: for each security recommendation, it is based on the ratio of your healthy resources to the total resources that recommendation applies to.

To see your Secure Score, go to Azure Security Center and look for your score within the Policy & Compliance blade:

Now let’s look at how the Secure Score is calculated.

If you drill down to the Recommendations section, you can see each security control and its potential score. You can also review how to achieve a higher score by implementing the suggested recommendations.

If we select one of the many recommendations, we can see that by implementing MFA in the environment, our overall Secure Score has the potential to increase by 10 points, or 18%.
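As an added worked example (not from the original post), here is the ratio described above carried through in Python: each control earns its maximum points weighted by healthy/total resources, the overall score is the sum over the controls that apply, and a control’s potential increase is its missing points expressed as a share of the total maximum. Control names and maximum points are modelled on ASC’s controls, the resource counts are made up, and the example assumes controls with no applicable resources are left out of the maximum, which is why the same 10-point gain shows a different percentage in different tenants.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    """A security control: its maximum points, and how many of the resources
    it applies to already satisfy every recommendation it contains."""
    name: str
    max_score: int
    healthy: int
    total: int

    def current_score(self) -> float:
        # Points earned = maximum weighted by the healthy/total resource ratio.
        return self.max_score * self.healthy / self.total if self.total else 0.0

def secure_score(controls):
    """Return (current points, maximum points, percentage) for the environment.
    Assumption: controls with no applicable resources are left out of the
    maximum, so the percentage is a ratio over controls that actually apply."""
    applicable = [c for c in controls if c.total > 0]
    max_points = sum(c.max_score for c in applicable)
    current = sum(c.current_score() for c in applicable)
    return current, max_points, (100.0 * current / max_points if max_points else 0.0)

def potential_increase(control, controls):
    """Points and percentage gained if every resource in `control` became healthy;
    the percentage depends on the tenant's total maximum, not on the control alone."""
    _, max_points, _ = secure_score(controls)
    gain = control.max_score - control.current_score()
    return gain, (100.0 * gain / max_points if max_points else 0.0)

# Constructed sample environment: control names and maximum points are modelled
# on ASC's controls; the resource counts are made up for this example.
SAMPLE = [
    Control("Enable MFA", 10, 0, 12),
    Control("Secure management ports", 8, 3, 6),
    Control("Apply system updates", 6, 6, 6),
    Control("Remediate vulnerabilities", 6, 2, 6),
    Control("Encrypt data in transit", 4, 4, 8),
    Control("Restrict unauthorized network access", 4, 1, 4),
    Control("Enable endpoint protection", 2, 2, 2),
]

if __name__ == "__main__":
    cur, mx, pct = secure_score(SAMPLE)
    print(f"Secure Score: {cur:g}/{mx} ({pct:.0f}%)")
    for c in SAMPLE:
        gain, gain_pct = potential_increase(c, SAMPLE)
        print(f"  {c.name:<40} +{gain:g} points (+{gain_pct:.0f}%)")
```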

For the full list of security controls and the recommendations within each, please see Microsoft’s documentation HERE.