Azure Network Watcher provides you the ability to monitor, diagnose, and gain insights into your network in Azure.
Among its suite of capabilities, Network Watcher offers the ability to log network traffic through Network Security Group (NSG) Flow Logging. When NSG Flow Logging is enabled, you gain access to Network flow-level data that has endless applications in security, compliance, and traffic monitoring use cases. Deeper analysis of this NSG flow data is available in Network Watcher using Traffic Analytics, which is currently in preview.
Since Azure Network Watcher’s inception, we have continuously partnered with leaders in the SIEM and Log Management industry to provide a rich ecosystem of tools that seamlessly integrate and understand your network in Azure. I would like to highlight two of the most recent partners, offering customers additional choice and value through integration with Azure. On top of our growing ecosystem, we have now enabled the option to send NSG Flow Log data across subscriptions which greatly enhances log management in larger environments.
McAfee Cloud Workload Security integration
Recently, McAfee announced the general availability of the Cloud Workload Security (CWS) Platform in Azure including integration with Network Watcher. CWS automates the discovery and defense of elastic workloads
We are delighted to announce the general availability of SQL Vulnerability Assessment for Azure SQL Database! SQL Vulnerability Assessment (VA) provides you a one-stop-shop to discover, track and remediate potential database vulnerabilities. It helps give you visibility into your security state, and includes actionable steps to investigate, manage and resolve security issues, and enhance your database fortifications. VA is available for Azure SQL Database customers as well as for on-premises SQL Server customers via SSMS.
If you have data privacy requirements or need to comply with data protection regulations like the European Union General Data Protection Regulation (EU GDPR), then VA is your built-in solution to simplify these processes and monitor your database protection status. For dynamic database environments where changes are frequent and hard to track, VA is invaluable in detecting the settings that can leave your database vulnerable to attack.
New SQL Advanced Threat Protection (ATP)
VA is being released to general availability (GA) as part of a new security package for your Azure SQL Database, called SQL Advanced Threat Protection (ATP). ATP provides a single go-to location for discovering, classifying and protecting sensitive data, managing your database vulnerabilities, and detecting anomalous activities that could indicate a
This blog post was authored by the Azure Security Center team.
We have heard from our customers that investigating malicious activity on their systems can be tedious and knowing where to start is challenging. Azure Security Center makes it simple for you to respond to detected threats. It uses built-in behavioral analytics and machine learning to detect threats and generates alerts for the attempted or successful attacks. As discussed in a previous post, you can explore the alerts of detected threats through the Investigation Path, which uses Azure Log Analytics to show the relationship between all the entities involved in the attack. Today, we are going to explain to you how Security Center’s ability to detect threats using machine learning and Azure Log Analytics can help you keep pace with rapidly evolving cyberattacks.
Investigate anomalies on your systems using Azure Log Analytics
One method is to look at the trends of processes, accounts, and computers to understand when anomalous or rare processes and accounts are run on computers which indicates potentially malicious or unwanted activity. Run the below query against your data and note that what comes up is an anomaly or rare over the last 30 days. This
We heard from our customers that they wanted an even simpler onboarding experience to Azure Security Center. Today, we are excited to announce the general availability of Azure Security Center’s Cross Subscription Workspace Selection. This capability allows you to collect and monitor data in one location from virtual machines that run in different workspaces, subscriptions, and run queries.
When first onboarding to Azure Security Center, you’ll need to start in our Data Collection tab to provision a monitoring agent onto Azure. The agent will allow you to monitor the security state of your hybrid cloud resources. As virtual machines are being spun up and down, and workload owners across your organization are creating new workloads and resources, you need to make sure these are protected at the time they are created.
By default, we put the data that the monitoring agent collects in a Log Analytics workspace, but we give you the flexibility to use another workspace if you are using it already for other management functions.
Today, when you select a workspace for your data to reside in, you’ll see all the workspaces across all your subscriptions available. Cross Subscription Workspace Selection allows you to collect data from
We are seeing more developers building and running their applications in the public cloud. In fact, companies are using multiple public clouds to run their applications. Our customers tell us that they choose to build applications in Azure because it’s easy to get started and that they have peace of mind knowing the services that their applications rely on will be available, reliable, and secure. Today, we are going to discuss how Azure Security Center’s Just-in-Time VM Access can help you secure virtual machines that are running your applications and code.
Successful attacks on your virtual machines can create serious challenges for development. If a server is compromised, your source code could potentially be exposed, along with the proprietary algorithms or internal knowledge about the application. The pace of development can slow down because your team is focused on recovering from the attack instead of writing and reviewing code. Most importantly, an attack can affect your customers’ abilities to access your applications, impacting your brand and your business. Just-in-Time VM Access can help you reduce your exposure to attacks by limiting the amount of time management ports are open on the virtual machines running your code.
Just-in-Time VM Access
Last September, I had the privilege to publicly announce our Azure confidential computing efforts, where Microsoft Azure became the first cloud platform to enable new data security capabilities that protect customer data while in use. The Azure team, alongside Microsoft Research, Intel, Windows, and our Developer Tools group, have been working together to bring Trusted Execution Environments (TEEs) such as Intel SGX and Virtualization Based Security (VBS – previously known as Virtual Secure mode) to the cloud. TEEs protect data being processed from access outside the TEE. We’re ready to share more details about our confidential cloud vision and the work we’ve done since the announcement.
Many companies are moving their mission critical workloads and data to the cloud, and the security benefits that public clouds provide is in many cases accelerating that adoption. In their 2017 CloudView study, International Data Corporation (IDC) found that ‘improving security’ was one of the top drivers for companies to move to the cloud. However, security concerns still remain a commonly cited blocker for moving extremely sensitive IP and data scenarios to the cloud. Cloud Security Alliance (CSA) recently published the latest version of its Treacherous 12 Threats to Cloud Computing report. Not surprisingly,
As businesses around the world continue to adopt Azure, it’s our mission to ensure our customers can trust our cloud. Today in Redmond, we invited the world to see how our teams are innovating in the Azure Cloud Collaboration Center, a first-of-its-kind facility that combines innovation and scale to address operational issues and unexpected events in order to drive new levels of customer responsiveness, security and efficiency.
We’re using the Cloud Collaboration Center to take a proactive approach to delivering responsiveness for our customers, who count on our cloud services in 140 countries and on all inhabited continents. To meet the mission-critical requirements businesses trust, we need to be always looking ahead. Delivering innovation in Azure services means identifying new efficiencies and finding new ways to streamline connections with the intelligence we have at every level of the cloud.
The Cloud Collaboration Center space gives customers a snapshot of what is happening with their data 24/7 and enables real-time troubleshooting of any issue by multiple teams simultaneously from across the organization. It is a space that’s purpose-built for collaborative work, with a 1,600 square foot video wall that enables a comprehensive view
Azure Cosmos DB is Microsoft’s globally distributed, multi-model database. Azure Cosmos DB enables you to elastically and independently scale throughput and storage across any number of Azure’s geographic regions with a single click. It offers throughput, latency, availability, and consistency guarantees with comprehensive service level agreements (SLAs), a feature that no other database service can offer.
A database that holds sensitive data across international borders must meet high standards for security, privacy, and compliance. Additionally, the cloud service provider must anticipate and be ready for new standards, such as the General Data Protection Regulation (GDPR), which will soon govern the collection and use of EU resident’s data. Microsoft has pledged that Azure services will be GDPR compliant by the May 25 implementation date.
Microsoft’s cloud privacy policies state that we will use your customer data only to provide the services we have agreed upon, and for purposes that are compatible with providing those services. We do not share your data with our advertiser-supported services, nor do we mine it for marketing or advertising.
Azure Cosmos DB also implements stringent security practices. All the documents, attachments and backups stored in Azure Cosmos DB are encrypted at rest and
Azure Security Center (ASC) is now extending its Linux threat detection preview program, both on cloud and on-premise. New capabilities include detection of suspicious processes, suspect login attempts, and anomalous kernel module loads. Security Center is using auditd for collecting machines’ events, which is one of the most common frameworks for auditing on Linux. Auditd has the advantage of having been around for a long time and living in the mainline kernel. Any Linux machine that runs auditd by default and is covered by Security Center will benefit from this public preview. For a little more detail on how the collection works, check out our private preview announcement from October.
In addition to building up Linux-specific detections, we have also reviewed applicability of our current detections originally developed for Windows. Attackers also like to be OS-agnostic, especially for large-scale attacks, and will reuse tools and techniques where they can. In such circumstances the same detection is also applicable across operating systems. Happily, several of our analytics worked with minimal tuning. Today, I’ll walk you through an analytic example in the form of malicious crypto coin mining and then give some tips on using Azure Log Analytics with Linux machines.
This blog post was co-authored by JR Mayberry, Principal PM Manager, Azure Networking.
Today we are excited to announce the general availability of the Azure DDoS Protection Standard service in all public cloud regions. This service is integrated with Azure Virtual Networks (VNet) and provides protection and defense for Azure resources against the impacts of DDoS attacks.
Distributed Denial of Service (DDoS) attacks are intended to disrupt a service by exhausting its resources (e.g., bandwidth, memory). DDoS attacks are one of the top availability and security concerns voiced by customers moving their applications to the cloud. With extortion and hacktivism being the common motivations behind DDoS attacks, they have been consistently increasing in type, scale, and frequency of occurrence as they are relatively easy and cheap to launch.
These concerns are justified as the number of documented DDoS amplification attacks increased by more than 357 percent in the fourth quarter of 2017, compared to 2016 according to data from Nexusguard. Further, more than 56 percent of all attacks exploit multiple vector combinations. In February 2018, Github was attacked via a reflection exploit in Memcached generating 1.35 terabits of attack traffic, the largest DDoS attack ever recorded.
As the types and