Microsoft has announced the general availability of Azure Security Center, a centralized solution for monitoring the security of your Azure deployment.
What is Azure Security Center?
Microsoft announced Azure Security Center at their online event, AzureCon 2015, and launched a public preview on December 2nd, 2015. Security Center is a part of Microsoft’s vision for enterprise security, recognizing that the effectiveness of old methods based on independent solutions, such as a firewall and antivirus, were not enough to protect a business against today’s attacks.
Azure Security Center collects data from your deployment in Azure, including the fabric, the Azure resources that you have deployed, and even third-party solutions such as application gateways or next generation firewalls. The goal is to provide a unified view of the security status of your network. Imagine this scenario:
- A database server is experiencing an unusually large amount of activity from a remote login.
- The firewall is showing a large amount of data being sent from the database server to an IP address in Asia.
The firewall is configured to allow outbound data, so there’s nothing wrong there. The database server has been configured to allow remote logins, and bursts of activity aren’t unusual. So malware scanning, the database, and the firewall see nothing wrong. But you have put the pieces together, and realized that there’s probably an attack in progress via a compromised identity, and the attacker is downloading the database to an IP address in Asia. This is the sort of attack that Azure Security Center will recognize because it sees the whole picture in your deployment, and more.
Powered by Azure Machine Learning, Azure Security Center understands what is going on not just in your subscription, but also in all other monitored subscriptions, the Azure fabric, and reportedly, in all of Microsoft. This gives Azure Security Center a great understanding of attacks. If a seemingly harmless pattern has been seen before and determined to be an attack, Azure Security Center can warn you. Azure Security Center does more than just monitoring.
For those of you that are inclined, you can explore your Azure Security Center data using two different Power BI dashboards, which will require additional per-user licensing for Power BI.
Virtual Machine Support
At this time, Azure Security Center is focused on virtual machines, but support for cloud services (Classic or ASM deployments) and SQL databases will be added in the future. The following guest operating systems are supported at this time (from the FAQ):
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Ubuntu versions 12.04, 14.04, 15.10, 16.04
- Debian versions 7, 8
- CentOS versions 6.*, 7.*
- Red Hat Enterprise Linux (RHEL) versions 6.*, 7.*
- SUSE Linux Enterprise Server (SLES) versions 11.*, 12.*
Microsoft has a lot of security best practices for Azure, operating systems, and applications. Azure Security Center gathers information and analyzes it against these best practices. A set of recommendations is made, based on what Azure Security Center finds. For example, by default, it will recommend that you deploy a firewall in a virtual appliance (in a DMZ). In the example below, a recommendation has found an issue with a network security group configuration.
There is a high-level mechanism for controlling which recommendations will be offered from Azure Security Center. For example, I might have decided that I was not going to deploy a security virtual appliance, and rely just on NAT rules and network security groups. I can disable recommendations for web application firewalls and next generation firewalls in Security Policy.
This mechanism allows you to control noisy alerts. Not all of your deployments in a subscription will require the same policies; you can set a global policy, affecting all resource groups by inheritance, or you can create a policy for individual resource groups.
As with all monitoring, I would not expect someone to sit there all day looking at and refreshing the Azure Security Center blades in the Azure Portal – although that’s how some stuck-in-the-1990s IT managers think. We should always manage by exception; that means we need a way to receive alerts when Azure Security Center detect an anomaly.
You can use the below screen to configure an email address (use a distribution group or a ticketing system) and a phone number (a help desk or similar) so that Microsoft can contact you if they find an attack. By default, emails about high severity alerts are disabled, but you can enable them.
Examples of alerts that you might receive are:
- A known malicious IP address communicating with your virtual machines.
- Brute force attacks.
- Security alerts from a partner security solution that can integrate with Azure Security Center.
As with the Operations Management Suite (OMS), Microsoft has gone with a freemium model with Azure Security Center. There are two types of charge. The first element is storage consumed, which is charged for even during a free trial of Azure Security Center. I have not yet found what kind of storage that Azure Security Center consumes, but I suspect that it is blob storage.
There are two Azure Security Center plans:
- Free: This gives you a basic solution including security policy and recommendations, integration with partner solutions, and basic alerting.
- Standard: This offering adds advanced threat detection (the really cool stuff) to the free plan.
There is also a 90-day free trial of the Standard plan, which will automatically transition to the paid-for Standard plan at the end of the trial.
The Standard plan charges monthly for each monitored/managed node; so the question is, what is a node? That depends. Right now, only virtual machines are monitored, and each machine counts as one node. So if I monitor 10 virtual machines for 1 month, then I will be charged €126.50 for monitoring those machines – the price is pro-rated on a daily basis.