More and more services are moving to the cloud and bringing their security challenges with them. In this blog post, we will focus on the security concerns of container environments.
In a previous blog post Azure Security Center announced new features for container security, including Docker recommendations and compliance based on the CIS benchmark for containers. We’ll go over several security concerns in containerized environments, from the Docker level to the Kubernetes cluster level, and we will show how Azure Security Center can help you detect and mitigate threats in the environment as they’re occurring in real time.
When it comes to Docker, a common access vector for attackers is a misconfigured daemon. By default the Docker engine is accessible only via a UNIX socket. This setting guarantees that the Docker engine won’t be accessible remotely. However, in many cases remote management is required, so Docker also supports TCP sockets, and it supports encrypted and authenticated remote communication over them. However, running the daemon with a TCP socket without explicitly specifying the “tlsverify” flag in the daemon execution will let anyone with network access to the Docker host send unauthenticated API requests to the Docker engine.
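A configuration check for the daemon misconfiguration described above, written as an added example (it is not Azure Security Center’s own detection logic): it audits a Docker daemon.json document for tcp:// listeners that lack tlsverify and the certificate paths that flag requires. Both sample configurations are constructed for the example.

```python
import json

# Constructed sample: remote management enabled over TCP without tlsverify.
# Anyone who can reach port 2375 can send unauthenticated API requests.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed sample: the same remote management, but the daemon verifies
# client certificates issued by the CA in tlscacert (equivalent to passing
# --tlsverify --tlscacert --tlscert --tlskey to dockerd).
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# daemon.json keys that tlsverify needs in order to work at all.
REQUIRED_TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(daemon_json: str) -> list[str]:
    """Return a list of findings for a daemon.json document (empty = no issue).

    The checks mirror the dockerd flags of the same names: a tcp:// host is
    only safe when tlsverify is on and the CA, cert and key paths are all set.
    """
    cfg = json.loads(daemon_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # UNIX socket only: not reachable over the network
    if not cfg.get("tlsverify", False):
        findings.append(
            f"tcp listener(s) {tcp_hosts} accept unauthenticated API requests: "
            "tlsverify is not enabled"
        )
    missing = [k for k in REQUIRED_TLS_KEYS if not cfg.get(k)]
    if missing:
        findings.append(f"tlsverify needs certificate paths; missing: {missing}")
    if cfg.get("tls") and not cfg.get("tlsverify"):
        findings.append("tls=true only encrypts the channel; without tlsverify "
                        "clients are not authenticated")
    return findings
```

Run it against the file on a host with `audit_daemon_config(open("/etc/docker/daemon.json").read())`; hosts passed on the dockerd command line rather than in daemon.json are not seen by this check.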
This blog post was co-authored by Lucy Raikova, Senior Program Manager, Azure Global – Financial Services.
It is vital for our customers in the Financial Services Industry to deliver innovation and value to their customers while adhering to strict security and regulatory requirements. We at Microsoft Azure know this, and we understand the complexities of trying to innovate fast and effectively while also ensuring that key regulations and compliance necessities are not overlooked. Azure is uniquely positioned to help our global FSI customers meet their regulatory requirements. Most customers, and likely the entire FSI, need to identify risks and conduct a full risk assessment before committing to any cloud service. This is often mandated by internal risk policies or external regulations, and we agree it is a critical security practice to do the due diligence of assessing a cloud service provider’s (CSP) ability to comply with strict regulations. This validates the competence of a CSP to ensure the privacy, security, access, and continuity of its cloud environment and of downstream customer data in the cloud.
Microsoft provides a rich set of solutions and resources to help you assess and manage your compliance risk as you evaluate moving to the Microsoft cloud. One of
This post is co-authored by Tim Burrell, Principal Security Engineering Manager and Dotan Patrich, Principal Software Engineer.
As cyberattacks become more complex and harder to detect, the traditional correlation rules of a SIEM are no longer enough: they lack the full context of the attack and can only detect attacks that have been seen before. This can result in false negatives and gaps in the environment. In addition, correlation rules require significant maintenance and customization, since they may produce different results depending on the customer environment.
Advanced Machine Learning capabilities built into Azure Sentinel can detect behaviors indicative of a threat and help security analysts learn the expected behavior in their enterprise. In addition, Azure Sentinel provides out-of-the-box detection queries that leverage the Machine Learning capabilities of the Azure Monitor Logs query language to detect suspicious behaviors such as abnormal traffic in firewall data, suspicious authentication patterns, and resource creation anomalies. The queries can be found in the Azure Sentinel GitHub community.
Below you can find three examples of detections that leverage built-in Machine Learning capabilities to protect your environment.
Time series analysis of authentication of user accounts from an unusually large number of locations
Azure Security Center discovered a new cryptocurrency mining operation on Azure customer resources.
This operation takes advantage of an old version of a known open source CMS, with a known RCE vulnerability (CVE-2018-7600) as the entry point. After using the cron utility for persistence, it mines “Monero” cryptocurrency using a newly compiled binary of the “XMRig” open-source crypto mining tool.
Azure Security Center (ASC) spotted the attack in real-time, and alerted the affected customer with the following alerts:
Suspicious file download – Possible malicious file download using wget detected
Suspicious CRON job – Possible suspicious scheduling tasks access detected
Suspicious activity – ASC detected periodic file downloads and execution from the suspicious source
Process executed from suspicious location
The entry point
Following the traces the attacker left behind, we were able to track the entry point of this malware and conclude that it originated from exploitation of a remote code execution vulnerability in a known open source CMS – CVE-2018-7600.
This vulnerability is exposed in an older version of this CMS and is estimated to impact a large number of websites that are using out of date versions. The cause of this vulnerability is insufficient input validation within an
You have a great web application, and users from all over the world love it. Well, so do malicious attackers. Cyber-attacks grow each year in frequency and sophistication, and being unprotected against them exposes you to the risks of service interruptions, data loss, and tarnished reputation.
We have heard from many of you that security is a top priority when moving web applications onto the cloud. Today, we are very excited to announce our public preview of the Web Application Firewall (WAF) for the Azure Front Door service. By combining the global application and content delivery network with a natively integrated WAF engine, we now offer a highly available platform that helps you deliver your web applications to the world, secure and fast!
WAF with Front Door service leverages the scale of, and the deep security investments we have made in, the Azure edge, and it is designed to protect you from multiple attack vectors such as injection-type attacks and volumetric DoS attacks. It inspects each incoming request at Azure’s network edge, stops unwanted traffic before it enters your backend servers, and offers protection at scale without sacrificing performance. With WAF for Front Door, you have the option to fine
This blog post was co-authored by Ron Matchoro, Principal Program Manager, Ronit Reger, Senior Program Manager, Miri Landau, Senior Program Manager, and Devendra Tiwari, Principal PM Manager, Azure Security Center.
As more organizations are delivering innovation faster by moving their businesses to the cloud, increased security is critically important for every industry. Azure has built-in security controls across data, applications, compute, networking, identity, threat protection, and security management so you can customize protection and integrate partner solutions. Microsoft Azure Security Center is the central hub for monitoring and protecting against related incidents within Azure.
We love making Azure Security Center richer for our customers, and we are excited to share updates this week at Hannover Messe 2019. We are announcing that Advanced Threat Protection for Azure Storage, the Regulatory Compliance Dashboard, Dedicated Hardware Security Module Service (HSM) in the UK, Canada, and Australia, Azure disk encryption support for Virtual Machine Scale Sets (VMSS), and support for virtual machine sets are now generally available as part of Azure Security Center.
Advanced Threat Protection for Azure Storage is now generally available
Advanced Threat Protection for Azure Storage helps customers detect and respond to potential threats on their storage account as
This month’s updates include improvements to IaaS, Azure Data Explorer, Security Center, Recovery Services, Role-Based Access Control, Support, and Intune.
Here’s the list of April updates to the Azure portal:
IaaS
Improved create experience for Managed Disks
Use non-ASCII characters for virtual machine names
Azure Data Explorer
New full-screen Create Cluster experience
Security Center
Public preview: Adaptive network hardening in Azure Security Center
Azure Security Center adaptive application control updates
Support for virtual network peering in Azure Security Center
Azure Security Center: Secure score impact changes
Azure Site Recovery
Replication to managed disks
Role-Based Access Control
New Classic administrators tab
Support
Updated support request experience
Other
Updates to Microsoft Intune
IaaS
Improved create experience for Managed Disks
Managed disks now have the latest UI pattern for creating resources in Azure. This updated flow eliminates horizontal scrolling during the creation workflow and follows the same UI patterns that we use in other popular services like VM, Storage, Cosmos DB, and AKS, resulting in an experience that is easier to learn and better for customers.