
Laura E. Hunter Principal Program Manager October 2016


Presentation on theme: "Laura E. Hunter Principal Program Manager October 2016"— Presentation transcript:

1 Azure Security Center
Laura E. Hunter, Principal Program Manager, October 2016
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

2 Cloud Presents Unique Security Challenges
- CIOs and CISOs lack visibility and control: management is increasingly distributed and physical networks no longer define the perimeter
- Cloud environments are more dynamic: resources are spun up (and down) frequently, and it is not just about VMs; there is also PaaS to consider
- Enterprises bring on-premises security issues to the cloud: disconnected point solutions, noisy alerts, and advanced threats

3 Azure Security Center Helps you Prevent, Detect, and Respond to Threats
Gain visibility and control: get a central view of the security state of all your Azure resources. At a glance, you can verify that the appropriate security controls are in place and quickly identify any resources that require attention.
Enable secure DevOps: say 'Yes' to agility by enabling DevOps with policy-driven recommendations that guide resource owners through the process of implementing required controls, taking the guesswork out of cloud security.
Stay ahead of threats: stay ahead of current and emerging threats with an integrated and analytics-driven approach. Detect actual threats earlier and reduce false alarms.
The four areas covered in the following slides: Gain visibility and control; Enable security at cloud speed; Integrate partner solutions; Detect cyber attacks.

4 Gain visibility and control
- Provides a unified view of security across all your Azure subscriptions, including vulnerabilities and threats detected
- Enables you to define security policies for hardening cloud configurations
- APIs, a SIEM connector and Power BI dashboards make it easy to access, integrate, and analyze security information using existing tools and processes

5 Set security policies for subscriptions and resource groups

6 Monitor the security state of resources – quickly identify vulnerabilities

7 Standard Log Connector (Preview)
Access security data in near real-time from your SIEM: security alerts, activity logs, VM security events.
Data flow shown on the slide: Azure (Azure Diagnostics, Azure Storage, Azure APIs) -> Azure Log Integration -> Log Analytics/SIEM through a standard log connector (ArcSight, Splunk, etc.).
Exported log forms: rehydrated "Forwarded Events", flat files (IIS logs), CEF formatted logs.
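The CEF formatted logs the connector hands to a SIEM have to be parsed before a rule can act on them. The parser below is an added example, not Azure Log Integration or Security Center code; the two sample lines are constructed, and the vendor, product and signature values in them are placeholders. It handles the two escaping rules that trip up naive `split()` parsers: `\|` in the header and `\=` / `\n` inside extension values.

```python
"""Parser for CEF-formatted log lines of the kind the log connector exports to a SIEM."""
import re

# Constructed sample lines in CEF layout (all identifiers are placeholders):
# CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
SAMPLE_CEF = [
    r"CEF:0|ExampleVendor|ExampleProduct|1.0|RDP_BRUTE|Failed RDP logon burst|5|"
    r"src=203.0.113.5 dst=10.0.0.4 dpt=3389 cnt=100 msg=100 failed logons in 10 min",
    r"CEF:0|ExampleVendor|Example\|Product|1.0|WEB_WAF|WAF rule match|8|"
    r"src=198.51.100.9 request=/api/items?id\=7&sort\=name msg=blocked\nby rule 42",
]

_HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.]*)=")   # an unescaped key= starting a token

def _split_header(text):
    """Split the 7 header fields on unescaped '|' ('\\|' and '\\\\' stand for literal chars)."""
    fields, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):       # escaped character: keep it literally
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == 7:                      # everything after the 7th '|' is the extension
                return fields, text[i + 1:]
        else:
            cur.append(ch)
        i += 1
    raise ValueError("CEF header has fewer than 7 '|'-delimited fields")

def _unescape(value):
    """Extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> newline / carriage return."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """Extension is 'key=value' pairs. Values may contain spaces, so a new pair starts only where
    an unescaped 'key=' begins a token; an unescaped '=' inside a value is not valid CEF."""
    out, hits = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Return a dict of header fields, integer severity (CEF 0 uses 0-10) and parsed extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line)
    event = dict(zip(_HEADER_FIELDS, header[1:]))
    event["cef_version"] = header[0][len("CEF:"):]
    event["severity"] = int(event["severity"])
    event["extension"] = parse_extension(ext)
    return event

def high_severity(lines, threshold=7):
    """The first cut a SIEM rule makes: parsed events at or above the severity threshold."""
    return [e for e in (parse_cef(l) for l in lines) if e["severity"] >= threshold]
```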

8 Gain insight into the security state of subscriptions in Power BI

9 Enable security at cloud speed
- Continuously assesses the security of your workloads even as they change
- Creates policy-driven recommendations and guides users through the process of remediating security vulnerabilities
- Enables rapid deployment of built-in security controls as well as products and services from security partners (firewalls, endpoint protection, and more)

10 Prioritized recommendations take the guesswork out of security for resource owners

11 Integrate partner solutions
- Recommends and streamlines provisioning of partner solutions
- Integrates signals for centralized alerting and advanced detection
- Enables monitoring and basic management, with easy access to advanced configuration using the partner solution
- Leverages Azure Marketplace for commerce and billing

12 Easily deploy security solutions from partners and automatically integrate logs

13 Monitor and manage partner security solutions

14 Detect cyber attacks
- Analyzes security data from your Azure virtual machines, Azure services (like Azure SQL databases), the network, and connected partner solutions
- Leverages security intelligence and advanced analytics to detect threats more quickly and reduce false positives
- Creates prioritized security alerts and incidents that provide insight into the attack and recommendations on how to remediate

15 Prioritized security alerts provide details about the threat detected and suggest steps to remediate

16 Alerts that conform to kill chain patterns are fused into a single incident

17 Use built-in threat intelligence reports to inform your response

18 Advanced detection capabilities
Threat intelligence: looks for known malicious actors. Examples: network traffic to a malicious IP address; malicious process executed.
Behavioral analytics: looks for known patterns and malicious behaviors. Examples: process executed in a suspicious manner; VM started sending spam.
Anomaly detection: uses statistical profiling to build historical baselines and alerts on deviations that conform to a potential attack vector. Example: remote desktop connections to a specific VM typically occur 5 times a day; today there were 100 connection attempts.
Fusion: combines events and alerts from across the kill chain to map the attack timeline. Examples: SQL injection (WAF + Azure SQL logs); malicious process (crash dump... and later... suspicious process execution); breach detection (brute force attempt... and later... suspicious VM activity).
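The anomaly detection bullet above (a VM that normally sees about 5 RDP connections a day suddenly seeing 100) is the classic baseline-and-deviation check. The code below is an added example of that idea, not Security Center's profiling algorithm: it builds a per-VM baseline from constructed daily counts and alerts only on upward deviations that are large both in z-score and in ratio terms, so a busy jump host that is 15% over its usual volume is not an alert. The z-score test, the thresholds and the minimum history length are all assumptions.

```python
"""Baseline-and-deviation check for daily remote desktop connection counts per VM."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed history: daily RDP connection counts for two VMs, oldest first (placeholder names).
HISTORY = {
    "vm-web-01": [5, 4, 6, 5, 5, 7, 4, 5, 6, 5, 3, 5, 6, 4, 5, 5, 6, 4, 5, 5, 7, 5, 4, 6, 5, 5, 4, 6],
    "vm-jump-02": [60, 58, 63, 61, 59, 62, 60, 64, 57, 61, 60, 59, 63, 62,
                   60, 58, 61, 60, 62, 59, 61, 60, 63, 60, 58, 61, 60, 62],
}
# Constructed counts observed today: the web VM matches the slide's 5-a-day -> 100 example.
TODAY = {"vm-web-01": 100, "vm-jump-02": 70, "vm-new-03": 40}

@dataclass
class Baseline:
    mean: float
    stdev: float
    days: int

def build_baseline(counts, min_days=14):
    """Profile one VM's history; with too little history return None rather than a noisy profile."""
    if len(counts) < min_days:
        return None
    # Floor the spread so a perfectly regular history cannot turn every small change into an alert.
    return Baseline(mean(counts), max(pstdev(counts), 1.0), len(counts))

def deviation_score(baseline, observed):
    """Signed z-score of today's count against the baseline (positive = more than usual)."""
    return (observed - baseline.mean) / baseline.stdev

def evaluate(history, today, z_threshold=4.0, min_ratio=3.0):
    """Return alerts for VMs whose count today is an upward outlier in both absolute (z) and
    relative (ratio) terms, the shape of a brute-force burst; quiet days never alert."""
    alerts = []
    for vm, observed in today.items():
        baseline = build_baseline(history.get(vm, []))
        if baseline is None:
            continue                       # no profile yet: stay silent on brand-new resources
        z = deviation_score(baseline, observed)
        ratio = observed / baseline.mean
        if z >= z_threshold and ratio >= min_ratio:
            alerts.append({"vm": vm, "observed": observed,
                           "baseline_mean": round(baseline.mean, 1), "z": round(z, 1)})
    return alerts
```

On the constructed data only vm-web-01 alerts; vm-jump-02 is a few sigma high but within ratio, and vm-new-03 has no history yet.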

19 Detection throughout the kill chain
Target and attack:
- Inbound brute force RDP, SSH, and SQL attacks
- Application and DDoS attacks (WAF partners)
- Intrusion detection (NG Firewall partners)
Install and exploit:
- Known malware (EPP/AM partners)
- In-memory malware and exploit attempts
- Suspicious process execution
Lateral movement:
- Internal reconnaissance
Post breach:
- Communication to a known malicious IP (data exfiltration or command and control)
- Using compromised resources to mount additional attacks (outbound port scanning, brute force RDP/SSH attacks, DDoS, and spam)
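Slides 16 and 18 describe fusion: alerts that conform to a kill chain pattern on one resource (brute force attempt, and later suspicious VM activity) are merged into a single incident. The code below is an added example of such a rule, not Security Center's fusion logic. The stage order follows the stages listed above; the 24-hour window, the "never go backwards in the chain" rule and the alerts themselves (placeholder resource names) are constructed assumptions.

```python
"""Fuse per-resource alerts that advance through the kill chain into one incident."""
from datetime import datetime, timedelta

# Detection type -> kill chain stage index, in the order the slide lists the stages.
STAGE_OF = {
    "InboundBruteForceRDP": 0, "WebApplicationAttack": 0,       # target and attack
    "SuspiciousProcessExecution": 1, "KnownMalware": 1,         # install and exploit
    "InternalReconnaissance": 2,                                 # lateral movement
    "OutboundToMaliciousIP": 3, "OutboundPortScan": 3,           # post breach
}

# Constructed alerts; ISO-8601 UTC timestamps, which sort correctly as strings.
ALERTS = [
    {"id": "a1", "resource": "vm-web-01", "type": "InboundBruteForceRDP",       "time": "2016-10-03T01:10:00"},
    {"id": "a2", "resource": "vm-web-01", "type": "SuspiciousProcessExecution", "time": "2016-10-03T02:40:00"},
    {"id": "a3", "resource": "vm-web-01", "type": "OutboundToMaliciousIP",      "time": "2016-10-03T03:05:00"},
    {"id": "a4", "resource": "vm-db-02",  "type": "InboundBruteForceRDP",       "time": "2016-10-03T04:00:00"},
    {"id": "a5", "resource": "vm-db-02",  "type": "InboundBruteForceRDP",       "time": "2016-10-03T05:00:00"},
    {"id": "a6", "resource": "vm-app-03", "type": "OutboundPortScan",           "time": "2016-10-01T09:00:00"},
    {"id": "a7", "resource": "vm-app-03", "type": "SuspiciousProcessExecution", "time": "2016-10-03T09:00:00"},
]

def _emit(resource, chain):
    """A chain becomes an incident only if it spans at least two distinct kill chain stages."""
    stages = sorted({STAGE_OF[a["type"]] for a in chain})
    if len(stages) < 2:
        return []
    return [{"resource": resource, "alerts": [a["id"] for a in chain],
             "first_stage": stages[0], "last_stage": stages[-1]}]

def fuse(alerts, window=timedelta(hours=24)):
    """Walk each resource's alerts in time order; a new chain starts when an alert falls outside
    the window of the chain's first alert or steps backwards in the kill chain."""
    by_resource = {}
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_resource.setdefault(a["resource"], []).append(a)
    incidents = []
    for resource, seq in by_resource.items():
        chain = []
        for a in seq:
            stage = STAGE_OF.get(a["type"])
            if stage is None:
                continue                  # unknown detection type: cannot be placed on the chain
            t = datetime.fromisoformat(a["time"])
            if chain and (t - datetime.fromisoformat(chain[0]["time"]) > window
                          or stage < STAGE_OF[chain[-1]["type"]]):
                incidents.extend(_emit(resource, chain))
                chain = []
            chain.append(a)
        incidents.extend(_emit(resource, chain))
    return incidents
```

On the constructed alerts only vm-web-01 becomes an incident: vm-db-02 has two same-stage alerts, and vm-app-03's post-breach alert is two days older than its process alert.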

20 Ongoing Security Research and Innovation
Teams of security researchers and data scientists:
- Monitor threat intelligence
- Share signals and analysis across Microsoft security products/services
- Work on specialized fields, like forensics and web attack detection
This work culminates in new detection algorithms, which are validated and tuned, and often results in new security insights or threat intelligence that informs further security research.
Cycle shown on the slide: Security research -> New detection algorithm -> Validation and tuning -> Security insights

21 Azure Security Center
- Gain visibility and control: understand your cloud security posture
- Enable security at cloud speed: take the guesswork out of security for workload owners
- Integrate partner solutions: streamline provisioning and monitoring of security solutions
- Detect cyber attacks: advanced analytics to detect threats, with insights that help you respond quickly

22 Hybrid Cloud Workload Protection: OMS Security and Azure Security Center
OMS Security (security for OMS Log Analytics):
- Threat detection using advanced analytics
- Collection of security data from virtually any source (Azure or AWS, Windows Server or Linux, VMware or OpenStack)
- Insight into security status (antimalware, system updates)
- Correlations to detect malicious activities, and search for rapid investigation
- Integrates operational and security management
Azure Security Center (security for Azure):
- Asset discovery and ongoing security assessment (OS configurations, system updates, SQL Db configurations, virtual network configurations)
- Actionable security recommendations with easy remediation
- Security policy for IT governance
- Integrated management and monitoring of partner security solutions
Speaker notes: Microsoft Operations Management Suite (OMS) offers security insights and threat detection across on-premises and cloud IT environments, including private and public datacenters. Security Center provides security management, including policies, security assessment, and threat detection, for Azure resources. It is built into Azure and basic monitoring is available at no charge. Based on their needs, a customer could choose to use one or both solutions. Over time, we expect the same capabilities to be available in both OMS and Azure, providing a single security management and monitoring solution that can be used to protect the customer's entire IT environment, including workloads running in private and public datacenters (Azure and AWS).

23 Microsoft Infrastructure Security
Integrated approach:
- Central security management across subscriptions, native to Azure
- Seamless deployment and monitoring of partner security solutions
- APIs and SIEM connector for integration with existing security tools and processes
Intelligence and expertise:
- Shared insights from Microsoft products and cloud services
- Global threat intelligence from the Digital Crimes Unit, Incident Response Centers and third party feeds
- World class security engineers with unique expertise in cloud security
Speed, scale, and savings:
- Zero setup required, instant insights into vulnerabilities and active threats
- Scales seamlessly as new workloads and subscriptions are added (vs security monitoring appliances or SIEMs)
- Significant time and cost savings versus cobbling together solutions from multiple providers
Cost comparison as presented on the slide (per VM per month):
  Capability                                        Azure                        AWS
  Security management (policy, recommendations)     Security Center (free)       Marketplace partners ($10-$20/VM)
  Vulnerability assessment                                                       Inspector ($.03-$.05/assessment)
  Threat detection and investigation                Security Center ($15/VM)     Marketplace partners ($10-$15/VM)
  Total cost                                        $15 per VM per month         $25-$40 per VM per month

24 Roadmap
Prevention:
- Additional integrated security partners, along with the ability to connect partner solutions previously deployed
- Expanded baselines (VM, SQL, Web) and application controls
- Parity across Windows and Linux VMs
Threat detection:
- Ongoing security research resulting in new and refined detection algorithms
- Linux VM behavioral detections
- Geo expansion: Europe, Australia, and Azure Government
Management:
- Expanded security roles
- Enterprise-wide security policies
- More granular policies, including custom baselines
Investigation:
- Additional dashboards and actionable security incidents to simplify/expedite investigation and remediation

25 Azure Log Integration Customer Testimonials: GuidePoint
"Azure log integration enables GuidePoint's vSOC to provide comprehensive incident detection and correlation capabilities for our customers that have embraced the cloud. By configuring it, we now have unprecedented visibility into our customer's Azure virtual infrastructure." (Kevin Manson, vSOC Technical Lead)
Partner integrations: IBM QRadar released a DSM for Azure Activity logs.
Please visit us at the Monitoring booth for a demo.
How to integrate logs to SIEMs:

26 Learn more
To learn more about Azure Security Center, visit: And us/documentation/videos/azure-security-center-overview/
Speaker notes: Go check it out! Learn more about MSFT's broader security approach at:


28 Supported Azure Services
Support matrix columns, under Security Policy, Assessment, and Recommendations: System Updates, OS Vulnerabilities, Disk Encryption**, Endpoint Protection, Network Security Groups, Web Application Firewalls, Network Firewalls, Network Monitoring
Support matrix columns, under Threat Detection: VM Monitoring
Compute rows: Windows VMs*, Linux VMs*, Cloud Services, App Service Environments
SQL rows (columns Auditing, TDE, SQL Threat Detection): Azure SQL Database
*Includes Resource Manager and Classic virtual machines; see FAQs for a detailed list of supported OS versions
**Disk Encryption is not available for classic virtual machines
