J003-Content-Azure-Security-Center_SQOnce upon a time, Microsoft was (rightfully) criticized for making software that was feature-focused but not security-conscious. That was then; this is now.  Over a decade ago, Microsoft set out to remedy this and created the Trustworthy Computing Security Development Lifecycle based on the principle of SD3: Secure by Design, Secure by Default and Secure in Deployment. Security from the ground up, rather than as a tacked-on afterthought, became the goal.

In the intervening years, the company has had its hits and misses on the security front. Software by its very nature is vulnerable and the large numbers of security fixes that are issued on an ongoing basis not just by Microsoft but by Apple, Adobe, Mozilla, Linux distributors and other software vendors demonstrates the extent of the problem. Just take a look at the Patch Tuesday and Third Party Patch roundups that we publish here each month.

The Redmond company has, however, come a very long way, with one respected security expert recently opining that “They’ve changed themselves from worst in class to the best in class.”  The company has been investing a billion dollars a year in securing its products, according to Microsoft CEO Satya Nadella, especially Windows 10, Windows Server and the Azure cloud platform.  In November of this year, they launched the Cyber Defense Operations Center, a new group called Microsoft Enterprise Cybersecurity Group, and a new cloud service called Azure Security Center.

Computing is quickly becoming all about the cloud, and Azure is second only to Amazon Web Services (AWS) in popularity as a cloud platform. According to the 2015 Cloud Security Survey conducted by Netwrix, the majority of companies feel that the cloud is insecure because it lacks visibility, and security is still the leading concern associated with cloud technology. That’s where Azure Security Center comes in.

If you come from the Amazon cloud world, the first thing to know about ASC is that despite the similarity in names, it is a completely different animal compared to the site formerly known as AWS Security Center (now just named AWS Cloud Security). The latter is just an informational web site that details the security mechanisms Amazon uses for its cloud services and links to the security blog, bulletins, guidance and other documentation. Azure Security Center’s site includes links to documentation, as well, but ASC is an actual service. You access it through the Azure portal.

ASC is brand new. It was unveiled at AzureCon in late September, but a public preview was just made available on December 2 and announced by Principal Program Manager Sarah Fender in the Azure blog.  One of its primary purposes is to give you that much-needed visibility into the security state of your cloud resources – but it goes a lot further than that.

In the ASC console, you get a centralized view of the health of your virtual machines, networking, SQL and applications in the left-hand column, showing security issues that are related to each and rating those threats in terms of low, medium or high severity. You can drill down to see, for example, health status of individual virtual machines and the applicable security issues. Then you can dig further to, for example, get a list all missing updates for a particular VM.

That information is valuable, but knowing that you have resources at risk doesn’t do you much good unless you know what to do to remove or mitigate those problems. The middle column in the ASC interface provides you with specific recommendations to address the detected threats. For example, you might see a recommendation to add a web application firewall or to apply specific security updates to specific VMs. You can’t get much more detailed guidance than that.

That’s still not all, though. In the right-hand column, you’ll find links that you can follow to actually take action on those recommendations. For instance, if the recommendation is to add a web application firewall, in the right column you’ll have the options to use the existing firewall or create a new one by selecting one of the partner solutions that are offered. You can simply click to install, making security remediation much easier. Going back to the middle column, the Recommendation State will be shown as Open before you apply a solution and Resolved afterward.

You set the policies that define your organization’s security needs, based on the kinds of applications you’re running on Azure and the level of sensitivity of the data that is processed.  Those security policies will then serve as the basis for the recommendations that ASC makes. Policies are defined for each Azure subscription and you can configure data collection and what types of recommendations you want ASC to show.

Here’s the really interesting part: the detection of attacks using advanced analytics and machine learning. Microsoft has an extensive threat intelligence program that collects a vast amount of data about known threats as they are detected and reported. They started doing this and disseminating attack information to first responders and security researchers through their Azure-based Interflow platform for some time now, making the intel available to be fed into firewalls, IDS/IPS solutions and SIEMs.

Now the information that’s collected from Azure resources and integrated third party solutions can be analyzed to identify compromised VMs, failed attempts at exploits, brute force attacks, data exfiltration and advanced malware through rule-based analysis. When suspicious activity is detected, you get alerts, and ASC makes it easy to respond by providing suggestions as what action you should take, such as blacklisting the IP address from which the detected suspicious activity originated.

At this point, you might be wondering what this is going to cost. Well, the good news is that there will be a free tier that includes the security policies, as well as monitoring, analysis and recommendations. The free tier also includes provisioning of partner security solutions and security alerts from those solutions, and will detect and notify you when there are Azure admins whose credentials have leaked.

Unfortunately, if you want to get the really cool stuff – the behavioral analysis for VM compromise detection and the network traffic analysis and intrusion detection – that requires that you upgrade to the standard tier. There’s going to be a charge for that – eventually.  We’re not yet sure exactly when or how much, but know it is supposed to happen sometime in 2016. For the moment, though, you can use the Standard tier at no cost. You do, of course, have to have an Azure subscription. The Security Center will show up in the Azure portal. If you aren’t currently subscribed, you can get a free one-month trial of Azure, including ASC, on the Azure web site.   Make sure to check the Azure Security Team blog for the most up to date information on Azure Security Center.