Posted March 15, 2023

Introduction

This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for specific Microsoft Defender plans. For a more holistic approach, where you need to validate Microsoft Defender for Cloud together with the Microsoft Defender plans, please read the article How to Effectively Perform a Microsoft Defender for Cloud PoC.

Cloud Security Posture Management (CSPM) provides organizations with a centralized view of their cloud security posture, allowing them to quickly identify and respond to security risks, ensure compliance, and continuously monitor and improve that posture. Defender for Cloud CSPM provides a unified view of the cloud environment across multiple cloud providers, including Azure, AWS, GCP and on-premises.

Defender for Cloud offers CSPM in two plans: a free Foundational CSPM plan and a premium Defender CSPM plan. To understand the capabilities of each plan, please refer to Overview of Cloud Security Posture Management (CSPM) | Microsoft Learn. The Defender CSPM plan provides advanced posture management capabilities such as attack path analysis, cloud security explorer, agentless scanning, security governance capabilities, and tools to assess your security compliance.

Planning

As part of your Defender CSPM PoC you need to identify the use case scenarios that you want to validate. You can use these three blogs from our Tech Community as a starting point to validate proactive security posture management scenarios:

- A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud
- Proactive Hunting with Cloud Security Explorer in Defender for Cloud - Microsoft Community Hub
- Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis - Microsoft Community Hub

The next scenarios that you can validate are:

- Quick onboarding of a virtual machine, to see how effective agentless scanning is.
- Creating governance rules that assign tasks to workload owners to remediate recommendations.

Preparation

The Defender CSPM plan needs to be enabled on the Azure subscription. You need at least the Security Admin role to enable the Microsoft Defender CSPM plan. Enabling agentless scanning requires the Subscription Owner role.

Enabling the Defender CSPM plan

To gain access to the capabilities provided by Defender CSPM, you need to enable the Defender Cloud Security Posture Management (CSPM) plan on your subscription:

1. Open the Azure Portal and navigate to the Microsoft Defender for Cloud blade.
2. From Defender for Cloud's menu, open the Environment Settings page and select the relevant subscription.
3. In the Defender plans page, select Defender CSPM and turn the status to ON.
4. Select Settings. Turn ON Agentless scanning for machines (preview) and click Continue.
5. Click Save to save the changes.

Implementation and Validation

Now that you have already validated the proactive security posture management approach, let's validate the other capabilities.

Agentless Scanning

To validate the agentless capability, provision a new Windows Server VM and wait 24 hours before expecting results. Agentless scanning needs up to 24 hours to provide vulnerability assessment and software inventory for a newly created machine, so leave the setup in place and come back after 24 hours. After waiting this time, follow the steps below to see the software inventory for this VM:

1. Open the Azure Portal and navigate to the Microsoft Defender for Cloud blade.
2. From Defender for Cloud's menu, open the Inventory page, find the virtual machine you created, and click on it. This takes you to the Resource Health page.
3. On the right pane, click on Installed Applications. Agentless scanning provides visibility into installed software and software vulnerabilities on your virtual machine. Learn more about agentless scanning.
4. On the right pane, click on Recommendations.
5. Click on the recommendation "Machines should have vulnerability findings resolved". Defender for Cloud shows the vulnerability findings for that VM, ordered by severity. Learn more at View findings from vulnerability assessment solutions in Microsoft Defender for Cloud | Microsoft Learn.

Governance

The last scenario to validate is Governance. Follow the steps below to assign a governance rule that drives remediation of high severity vulnerabilities on the VM:

1. Open the Azure Portal and navigate to the Microsoft Defender for Cloud blade.
2. From Defender for Cloud's menu, open the Environment Settings page and select the relevant subscription.
3. Under Settings, select Governance rules (Preview).
4. Click on + Create governance rule.
5. Give the rule a name, select the scope at subscription level, and set the priority to 100.
6. Under Conditions, select By severity -> High; set Owner -> By email address and specify the email address of the workload owner who should receive the notification email; set Remediation timeframe -> 90 days.
7. Select Notify owners weekly about open and overdue tasks, and click Save.

A weekly email will be sent to the specified owners and their managers with all recommendations they are assigned to.

Conclusion

By the end of this PoC you should be able to determine the value proposition of Microsoft Defender CSPM and the importance of proactively mitigating risks in your environment. Stay tuned for more Microsoft Defender PoC Series!

More Resources

To learn more about Defender CSPM capabilities, visit the following resources:

- Defender for Cloud in the Field – Defender CSPM Lab
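For a PoC that is repeated across several subscriptions, the portal clicks in the Preparation section (enable the Defender CSPM plan, then turn on agentless scanning for machines) can be scripted against the Microsoft.Security/pricings REST resource. The script below is an added example and not part of the original post or Microsoft's documentation; it assumes an existing az login session with Owner rights on the subscription, and the function names and the placeholder subscription id are the editor's own.

```shell
#!/usr/bin/env bash
# Added example: enable Defender CSPM ("CloudPosture" pricing resource) together with
# the AgentlessVmScanning extension via `az rest`, then read the setting back.
# Assumes `az login` has been done and the identity is Subscription Owner.
set -euo pipefail

API_VERSION="2023-01-01"   # pricings API version that exposes the "extensions" array

# ARM URL of the Defender CSPM pricing resource for one subscription.
cspm_pricing_url() {
  local subscription_id="$1"
  printf 'https://management.azure.com/subscriptions/%s/providers/Microsoft.Security/pricings/CloudPosture?api-version=%s' \
    "$subscription_id" "$API_VERSION"
}

# Request body: pricingTier "Standard" is the Defender CSPM plan; the
# AgentlessVmScanning extension is the "Agentless scanning for machines" toggle.
# isEnabled is a string ("True"/"False") in this API, not a JSON boolean.
cspm_pricing_body() {
  local agentless="${1:-True}"
  printf '{"properties":{"pricingTier":"Standard","extensions":[{"name":"AgentlessVmScanning","isEnabled":"%s"}]}}' \
    "$agentless"
}

# PUT the desired state. Re-running is harmless: the plan simply stays enabled.
enable_defender_cspm() {
  az rest --method put --url "$(cspm_pricing_url "$1")" \
    --body "$(cspm_pricing_body True)" -o none
}

# Read back "<tier><TAB><agentless state>" so the PoC checklist can record it,
# e.g. "Standard  True" once step 5 of the Preparation section is done.
show_defender_cspm() {
  az rest --method get --url "$(cspm_pricing_url "$1")" \
    --query '[properties.pricingTier, properties.extensions[?name==`AgentlessVmScanning`].isEnabled | [0]]' \
    -o tsv
}

# Usage: ./enable-cspm.sh <subscription-id>   (constructed placeholder id below)
if [ "${1:-}" != "" ]; then
  enable_defender_cspm "$1"
  show_defender_cspm "$1"
fi
```

Run it with the subscription id as the only argument; without an argument the functions are only defined, which is convenient for sourcing the file from a larger PoC script.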