cloud security posture management

Become a Microsoft Defender for Cloud Ninja
[Last update: 02/26/2025] This blog post has a curation of many Microsoft Defender for Cloud (formerly known as Azure Security Center and Azure Defender) resources, organized in a format that can help you go from absolutely no knowledge of Microsoft Defender for Cloud to designing and implementing different scenarios. You can use this blog post as a training roadmap to learn more about Microsoft Defender for Cloud.

On November 2nd, at Microsoft Ignite 2021, Microsoft announced the rebrand of Azure Security Center and Azure Defender to Microsoft Defender for Cloud. To learn more about this change, read this article. Every month we add new updates to this article, and you can track them by checking the red date beside the topic.

If you have already studied all the modules and you are ready for the knowledge check, follow the procedures below.

To obtain the Defender for Cloud Ninja Certificate:
1. Take this knowledge check here, where you will find questions about different areas and plans available in Defender for Cloud.
2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again.
Note: it can take up to 24 hours for you to receive your certificate via email.

To obtain the Defender for Servers Ninja Certificate (introduced in 08/2023):
1. Take this knowledge check here, where you will find only questions related to Defender for Servers.
2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again.
Note: it can take up to 24 hours for you to receive your certificate via email.

Modules

To become a Microsoft Defender for Cloud Ninja, you will need to complete each module.
The content of each module will vary; refer to the legend to understand the type of content before clicking on the topic’s hyperlink. The table below summarizes the content of each module:

Module | Description
0 - CNAPP | In this module you will familiarize yourself with the concepts of CNAPP and how to plan Defender for Cloud deployment as a CNAPP solution.
1 – Introducing Microsoft Defender for Cloud and Microsoft Defender Cloud plans | In this module you will familiarize yourself with Microsoft Defender for Cloud and understand the use case scenarios. You will also learn about Microsoft Defender for Cloud and Microsoft Defender Cloud plans pricing and overall architecture data flow.
2 – Planning Microsoft Defender for Cloud | In this module you will learn the main considerations to correctly plan Microsoft Defender for Cloud deployment, from supported platforms to best practices implementation.
3 – Enhance your Cloud Security Posture | In this module you will learn how to leverage Cloud Security Posture Management capabilities, such as Secure Score and Attack Path, for continuous improvement of your cloud security posture. This module includes automation samples that can be used to facilitate secure score adoption and operations.
4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud | In this module you will learn how to use the cloud security posture management capabilities available in Microsoft Defender for Cloud, which include vulnerability assessment, inventory, workflow automation and custom dashboards with workbooks.
5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud | In this module you will learn about the regulatory compliance dashboard in Microsoft Defender for Cloud and gain insights on how to include additional standards. In this module you will also familiarize yourself with Azure Blueprints for regulatory standards.
6 – Cloud Workload Protection Platform Capabilities in Azure Defender | In this module you will learn how the advanced cloud capabilities in Microsoft Defender for Cloud work, which include JIT, File Integrity Monitoring and Adaptive Application Control. This module also covers how threat protection works in Microsoft Defender for Cloud, the different categories of detections, and how to simulate alerts.
7 – Streaming Alerts and Recommendations to a SIEM Solution | In this module you will learn how to use native Microsoft Defender for Cloud capabilities to stream recommendations and alerts to different platforms. You will also learn more about Azure Sentinel native connectivity with Microsoft Defender for Cloud. Lastly, you will learn how to leverage Graph Security API to stream alerts from Microsoft Defender for Cloud to Splunk.
8 – Integrations and APIs | In this module you will learn about the different integration capabilities in Microsoft Defender for Cloud, how to connect Tenable to Microsoft Defender for Cloud, and how other supported solutions can be integrated with Microsoft Defender for Cloud.
9 - DevOps Security | In this module you will learn more about DevOps Security capabilities in Defender for Cloud. You will be able to follow the interactive guide to understand the core capabilities and how to navigate through the product.
10 - Defender for APIs | In this module you will learn more about the new plan announced at RSA 2023. You will be able to follow the steps to onboard the plan and validate the threat detection capability.
11 - AI Posture Management and Workload Protection | In this module you will learn more about the risks of Gen AI and how Defender for Cloud can help improve your AI posture management and detect threats against your Gen AI apps.
Module 0 - Cloud Native Application Protection Platform (CNAPP)
- Improving Your Multi-Cloud Security with a CNAPP - a vendor agnostic approach
- Microsoft CNAPP Solution
- Planning and Operationalizing Microsoft CNAPP
- Understanding Cloud Native Application Protection Platforms (CNAPP)
- Cloud Native Applications Protection Platform (CNAPP)
- Microsoft CNAPP eBook
- Understanding CNAPP

Module 1 - Introducing Microsoft Defender for Cloud
- What is Microsoft Defender for Cloud?
- A New Approach to Get Your Cloud Risks Under Control
- Getting Started with Microsoft Defender for Cloud
- Implementing a CNAPP Strategy to Embed Security From Code to Cloud
- Boost multicloud security with a comprehensive code to cloud strategy
- A new name for multi-cloud security: Microsoft Defender for Cloud
- Common questions about Defender for Cloud
- MDC Cost Calculator (02/2025)

Module 2 – Planning Microsoft Defender for Cloud
- Features for IaaS workloads
- Features for PaaS workloads
- Built-in RBAC Roles in Microsoft Defender for Cloud
- Enterprise Onboarding Guide
- Assigning Permissions in Microsoft Defender for Cloud
- Design Considerations for Log Analytics Workspace
- Microsoft Defender for Cloud Monitoring Agent Deployment Options
- Onboarding on-premises machines using Windows Admin Center
- Understanding Security Policies in Microsoft Defender for Cloud
- Creating Custom Policies
- Centralized Policy Management in Microsoft Defender for Cloud using Management Groups
- Planning Data Collection for IaaS VMs
- Considerations for Multi-Tenant Scenario
- How to Effectively Perform a Microsoft Defender for Cloud PoC
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for Resource Manager
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for Storage
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for DNS
- Microsoft Defender for Cloud PoC Series – Microsoft Defender for App Service
- Microsoft Defender for Cloud PoC Series - Microsoft Defender for Container Registries
- Microsoft Defender for Cloud PoC Series – Microsoft Defender CSPM
- Microsoft Defender for DevOps GitHub Connector - Microsoft Defender for Cloud PoC Series
- Grant tenant-wide permissions to yourself
- Protect non-Azure resources using Azure Arc and Microsoft Defender for Cloud
- Simplifying Onboarding to Microsoft Defender for Cloud with Terraform

Module 3 – Enhance your Cloud Security Posture
- Azure Secure Score vs. Microsoft Secure Score
- How to calculate your secure score
- How Secure Score affects your governance
- Enhance your Secure Score in Microsoft Defender for Cloud
- Security recommendations
- Resource exemption
- Customizing Endpoint Protection Recommendation in Microsoft Defender for Cloud
- How to keep track of Resource Exemptions in Microsoft Defender for Cloud
- Deliver a Security Score weekly briefing
- Send Microsoft Defender for Cloud Recommendations to Azure Resource Stakeholders
- Secure Score Reduction Alert
- Weekly Secure Score Progress Report
- Average Time taken to remediate resources
- Improved experience for managing the default Azure security policies
- Security Policy Enhancements in Defender for Cloud
- Create custom recommendations and security standards
- Secure Score Overtime Workbook
- Automation Artifacts for Secure Score Recommendations
- Remediation Scripts

Module 4 – Cloud Security Posture Management Capabilities in Microsoft Defender for Cloud
- CSPM in Defender for Cloud
- Take a Proactive Risk-Based Approach to Securing your Cloud Native Applications
- Predict future security incidents! Cloud Security Posture Management with Microsoft Defender
- Software inventory filters added to asset inventory
- Drive your organization to security actions using Governance experience
- Managing Asset Inventory in Microsoft Defender for Cloud
- Vulnerability Assessment Deployment Options
- Vulnerability Assessment Workbook Template
- Vulnerability Assessment for Containers
- Exporting Azure Container Registry Vulnerability Assessment in Microsoft Defender for Cloud
- Improvements in Continuous Export feature
- Implementing Workflow Automation
- Workflow Automation Artifacts
- Creating Custom Dashboard for Microsoft Defender for Cloud
- Using Microsoft Defender for Cloud API for Workflow Automation
- What you need to know when deleting and re-creating the security connector(s) in Defender for Cloud
- Connect AWS Account with Microsoft Defender for Cloud
- Video Demo - Connecting AWS accounts
- Microsoft Defender for Cloud PoC Series - Multi-cloud with AWS
- Onboarding your AWS/GCP environment to Microsoft Defender for Cloud with Terraform
- How to better manage cost of API calls that Defender for Cloud makes to AWS
- Connect GCP Account with Microsoft Defender for Cloud
- Protecting Containers in GCP with Defender for Containers
- Video Demo - Connecting GCP Accounts
- Microsoft Defender for Cloud PoC Series - Multicloud with GCP
- All You Need to Know About Microsoft Defender for Cloud Multicloud Protection
- Custom recommendations for AWS and GCP
- 31 new and enhanced multicloud regulatory standards coverage (02/2025)
- Azure Monitor Workbooks integrated into Microsoft Defender for Cloud and three templates provided
- How to Generate a Microsoft Defender for Cloud exemption and disable policy report
- Cloud security posture and contextualization across cloud boundaries from a single dashboard
- Best Practices to Manage and Mitigate Security Recommendations
- Defender CSPM
- Defender CSPM Plan Options
- Cloud Security Explorer
- Identify and remediate attack paths
- Agentless scanning for machines
- Cloud security explorer and Attack path analysis
- Governance Rules at Scale
- Governance Improvements
- Data Security Aware Posture Management
- A Proactive Approach to Cloud Security Posture Management with Microsoft Defender for Cloud
- Prioritize Risk remediation with Microsoft Defender for Cloud Attack Path Analysis
- Understanding data aware security posture capability
- Agentless Container Posture
- Agentless Container Posture Management
- Microsoft Defender for Cloud - Automate Notifications when new Attack Paths are created
- Proactively secure your Google Cloud Resources with Microsoft Defender for Cloud
- Demystifying Defender CSPM
- Discover and Protect Sensitive Data with Defender for Cloud
- Defender for cloud's Agentless secret scanning for virtual machines is now generally available!
- Defender CSPM Support for GCP
- Data Security Dashboard
- Agentless Container Posture Management in Multicloud
- Agentless malware scanning for servers
- Recommendation Prioritization
- Unified insights from Microsoft Entra Permissions Management
- Defender CSPM Internet Exposure Analysis
- Future-Proofing Cloud Security with Defender CSPM
- ServiceNow's integration now includes Configuration Compliance module

🚀 Suggested Labs:
- Improving your Secure Posture
- Connecting a GCP project
- Connecting an AWS project
- Defender CSPM
- Agentless container posture through Defender CSPM
- Contextual Security capabilities for AWS using Defender CSPM

Module 5 – Regulatory Compliance Capabilities in Microsoft Defender for Cloud
- Regulatory compliance dashboard
- Understanding Regulatory Compliance Capabilities in Microsoft Defender for Cloud
- Adding new regulatory compliance standards
- Regulatory Compliance workbook
- Regulatory compliance dashboard now includes Azure Audit reports
- Microsoft cloud security benchmark: Azure compute benchmark is now aligned with CIS!
- Updated naming format of Center for Internet Security (CIS) standards in regulatory compliance
- CIS Azure Foundations Benchmark v2.0.0 in regulatory compliance dashboard
- Spanish National Security Framework (Esquema Nacional de Seguridad (ENS)) added to regulatory compliance dashboard for Azure

🚀 Suggested Lab: Regulatory Compliance

Module 6 – Cloud Workload Protection Platform Capabilities in Microsoft Defender for Cloud
- Understanding Just-in-Time VM Access
- Implementing JIT VM Access
- File Integrity Monitoring in Microsoft Defender
- Define known-safe applications using Adaptive Application Control
- Understanding Threat Protection in Microsoft Defender

Microsoft Defender for Servers
- Demystifying Defender for Servers
- Onboarding directly (without Azure Arc) to Defender for Servers
- Agentless secret scanning for virtual machines in Defender for servers P2 & DCSPM
- Vulnerability Management in Defender for Cloud
- File Integrity Monitoring using Microsoft Defender for Endpoint

Microsoft Defender for Network Layer

Microsoft Defender for Containers
- Basics of Defender for Containers
- Secure your Containers from Build to Runtime
- AWS ECR Coverage in Defender for Containers
- Upgrade to Microsoft Defender Vulnerability Management
- End to end container security with unified SOC experience
- Binary drift detection episode
- Binary drift detection
- Cloud Detection Response experience
- Exploring the Latest Container Security Updates from Microsoft Ignite 2024
- Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud (02/2025)
- Onboarding Docker Hub and JFrog Artifactory (02/2025)
- Improvements in Container’s Posture Management
- New AKS Security Dashboard in Defender for Cloud (02/2025)

Microsoft Defender for Storage
- Protect your storage resources against blob-hunting
- Malware Scanning in Defender for Storage

Microsoft Defender for SQL
- Microsoft Defender for SQL and the Vulnerability Assessment (VA)
- New Defender for SQL VA
- Microsoft Defender for SQL Anywhere
- Validating Alerts on Microsoft Defender for SQL on machines
- New autoprovisioning process for SQL Server on machines plan
- Defender for Open-Source Relational Databases Multicloud

Microsoft Defender for KeyVault

Microsoft Defender for AppService
- How Microsoft Defender for App Service works

Microsoft Defender for Resource Manager
- Understanding Security Incident
- Security Alert Correlation
- Alert Reference Guide
- 'Copy alert JSON' button added to security alert details pane
- Alert Suppression

Simulating Alerts in Microsoft Defender for Cloud
- Alert validation
- Simulating alerts for Windows
- Simulating alerts for Linux
- Simulating alerts for Containers
- Simulating alerts for Storage
- Simulating alerts for Microsoft Key Vault
- Simulating alerts for Microsoft Defender for Resource Manager
- Integration with Microsoft Defender for Endpoint
- Auto-provisioning of Microsoft Defender for Endpoint unified solution
- Resolve security threats with Microsoft Defender for Cloud
- Protect your servers and VMs from brute-force and malware attacks with Microsoft Defender for Cloud
- Investigating Microsoft Defender for Cloud alerts using Azure Sentinel
- Service Layer Protection - Microsoft Defender for Resource Manager and DNS
- Azure Arc and Azure Microsoft for Kubernetes
- Filter security alerts by IP address
- Alerts by resource group
- Defender for Servers Security Alerts Improvements

🚀 Suggested Labs:
- Workload Protections
- Agentless container vulnerability assessment scanning
- Microsoft Defender for Cloud database protection
- Protecting On-Prem Servers in Defender for Cloud
- Defender for Storage

Module 7 – Streaming Alerts and Recommendations to a SIEM Solution
- Continuous Export capability in Microsoft Defender for Cloud
- Deploying Continuous Export using Azure Policy
- Connecting Microsoft Sentinel with Microsoft Defender for Cloud
- Closing an Incident in Azure Sentinel and Dismissing an Alert in Microsoft Defender for Cloud
- Accessing Microsoft Defender for Cloud Alerts in Splunk using Graph Security API Integration
- Microsoft Sentinel bi-directional alert synchronization

🚀 Suggested Lab: Exporting Microsoft Defender for Cloud information to a SIEM

Module 8 – Integrations and APIs
- Integration with Tenable
- Integrate security solutions in Microsoft Defender for Cloud
- Defender for Cloud integration with Defender EASM
- Defender for Cloud integration with Defender TI
- REST APIs for Microsoft Defender for Cloud
- Obtaining Secure Score via REST API
- Using Graph Security API to Query Alerts in Microsoft Defender for Cloud
- Automate(d) Security with Microsoft Defender for Cloud and Logic Apps
- Automating Cloud Security Posture and Cloud Workload Protection Responses

Module 9 – DevOps Security
- Overview of Microsoft Defender for Cloud DevOps Security
- DevOps Security Interactive Guide
- Configure the Microsoft Security DevOps Azure DevOps extension
- Configure the Microsoft Security DevOps GitHub action
- Automate SecOps to Developer Communication with Defender for DevOps
- Compliance for Exposed Secrets Discovered by DevOps Security
- Automate DevOps Security Recommendation Remediation
- DevOps Security Workbook
- Remediating Security Issues in Code with Pull Request Annotations
- Code to Cloud Security using Microsoft Defender for DevOps
- GitHub Advanced Security for Azure DevOps alerts in Defender for Cloud
- Securing your GitLab Environment with Microsoft Defender for Cloud
- Bridging the Gap Between Code and Cloud with Defender for Cloud
- Integrate Defender for Cloud CLI with CI/CD pipelines (02/2025)
- Code Reachability Analysis (02/2025)

🚀 Suggested Labs:
- Onboarding Azure DevOps to Defender for Cloud
- Onboarding GitHub to Defender for Cloud

Module 10 – Defender for APIs
- What is Microsoft Defender for APIs?
- Onboard Defender for APIs
- Validating Microsoft Defender for APIs Alerts
- API Security with Defender for APIs
- Microsoft Defender for API Security Dashboard
- Exempt functionality now available for Defender for APIs recommendations
- Create sample alerts for Defender for APIs detections
- Defender for APIs reach GA
- Increasing API Security Testing Visibility
- Boost Security with API Security Posture Management (02/2025)

🚀 Suggested Lab: Defender for APIs

Module 11 – AI Posture Management and Workload Protection
- Secure your AI applications from code to runtime with Microsoft Defender for Cloud
- AI security posture management
- AI threat protection
- Secure your AI applications from code to runtime
- Data and AI security dashboard (02/2025)
- Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud (02/2025)

🚀 Suggested Lab: Security for AI workloads

Are you ready to take your knowledge check? If so, click here. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again. Note: it can take up to 24 hours for you to receive your certificate via email.

Other Resources
- Microsoft Defender for Cloud Labs
- Become a Microsoft Sentinel Ninja
- Become an MDE Ninja
- Cross-product lab (Defend the Flag)
- Release notes (updated every month)
- Important upcoming changes

Have a great time ramping up in Microsoft Defender for Cloud and becoming a Microsoft Defender for Cloud Ninja!!

Reviewer: Tom Janetscheck, Senior PM

Integrating Security into DevOps Workflows with Microsoft Defender CSPM
This fourth article in our series builds on the main overview (“Strategy to Execution: Operationalizing Microsoft Defender CSPM”). Here, we focus on embedding security directly into DevOps workflows using Microsoft Defender for Cloud’s Cloud Security Posture Management (CSPM) capabilities.

Introduction

DevOps has revolutionized the way organizations build, deploy, and manage everything from applications to enterprise infrastructure (the full breadth of what lives in code repositories), breaking down silos between development and operations teams and enabling faster software delivery and consistent, declarative infrastructure. However, increased speed often brings heightened security risk if vulnerabilities slip through the pipeline unnoticed. The antidote is to “shift security left,” weaving it throughout every stage of the software development lifecycle (SDLC).

Microsoft Defender Cloud Security Posture Management (CSPM) provides the automation, continuous monitoring, and governance controls essential for implementing DevSecOps. By integrating CSPM with your CI/CD pipelines, you can detect misconfigurations and vulnerabilities early, prevent security bottlenecks, and maintain both agility and robust protection across Azure, AWS, GCP, and beyond. Below, we’ll explore the importance of aligning security practices with DevOps goals, detail how Defender CSPM supports shift-left security, and provide operational steps to incorporate automated checks and remediation into your CI/CD processes.

Why Security Belongs in DevOps

Reducing Security Debt
Late-stage vulnerability discovery can be costly, forcing teams to revisit code or configurations after they’ve been deployed. By integrating security early, potential issues are detected and remediated when fixes are fastest and least disruptive.

Maintaining DevOps Agility
Security, when bolted on at the end, risks slowing down release cycles.
Embedding checks and automated gating within your DevOps pipeline helps maintain velocity, ensuring security standards are met without derailing rapid deployments.

Aligning Security with Development Goals
Effective DevOps aims to deliver high-quality, reliable software quickly. Security shouldn’t be an afterthought; it should reinforce the same objective: high-quality, secure software. With the right tools and processes, security becomes a natural part of the release process, not an obstacle.

How Defender CSPM Enhances DevSecOps

Shift-Left Security
Defender CSPM scans for vulnerabilities and misconfigurations early in the SDLC, detecting issues in code or Infrastructure-as-Code (IaC) templates before they reach production.

Code-to-Cloud Contextualization
Security risks don't exist in isolation. Defender CSPM provides end-to-end visibility from code to cloud, tracing vulnerabilities from the development phase through deployment. For instance, if a developer introduces an insecure dependency, Defender CSPM can assess its impact on the cloud environment, enabling teams to address security risks in context.

Infrastructure-as-Code (IaC) Security
By analyzing Terraform, ARM, and other IaC templates, Defender CSPM helps prevent security misconfigurations before infrastructure is provisioned. If a Terraform script inadvertently exposes a storage bucket to the internet, Defender CSPM flags the issue and provides actionable remediation steps.

Reachability Analysis (via Endor Labs Integration)
Through integration with Endor Labs, Defender CSPM can perform advanced reachability analysis on vulnerabilities within code dependencies or container images. By identifying whether your application actually calls the affected functions or libraries, this approach helps security teams focus remediation efforts on genuinely exploitable vulnerabilities, thereby reducing noise and prioritizing the highest-impact risks.
You can learn more about reachability analysis types in Endor Labs’ guide.

Continuous Assessments
Rather than relying on sporadic audits, Defender CSPM continuously monitors cloud resources to identify and address misconfigurations, vulnerabilities, and compliance gaps in real time.

Container Image Security
Defender CSPM scans container images for known vulnerabilities before deployment, alerting teams if an exploitable package is included and providing guidance for mitigation.

Security as Code
Security policies, governance models, and compliance requirements can be codified and enforced automatically within CI/CD pipelines, allowing teams to integrate security without disrupting delivery speed.

Automated Remediation
Customizable playbooks can automatically fix issues, from misconfigured IAM policies to security patches, reducing manual effort and human error.

Security Gates in CI/CD Pipelines
To prevent insecure deployments, Defender CSPM enforces security gates in DevOps workflows. If a high-risk vulnerability is detected during the build or deployment phase, the pipeline is halted until the issue is resolved, ensuring only secure code reaches production.

Seamless Integration with DevOps Workflows
Defender CSPM integrates natively into popular CI/CD solutions, enabling collaborative workflows that bring together development, security, and operations teams under a shared responsibility model.

Automated Compliance Checks
Defender CSPM verifies infrastructure and applications against regulatory standards (e.g., PCI-DSS, HIPAA) throughout the DevOps lifecycle. New compliance requirements (e.g., mandatory data encryption) are continuously evaluated for adherence.

Continuous Visibility and Risk Prioritization
Defender CSPM’s dynamic security posture assessment helps teams focus on high-impact risks by surfacing critical vulnerabilities with remediation guidance.
Step-by-Step: Integrating Defender CSPM into DevOps Workflows

Below is a practical framework combining both conceptual guidance and operational steps to help you establish DevSecOps with Defender CSPM.

Step 1: Setting Up Security Gates in the CI/CD Pipeline

Objective: Automate security checks at critical stages to ensure security policies are enforced before software moves to production.

Define Security Policies for Development
Collaborate with development and security teams to establish code-level and infrastructure-level policies (e.g., no exposed ports, mandatory encryption, disallowing vulnerable libraries). Use Defender CSPM to enforce these policies directly within the pipeline so that non-compliant code is flagged early, including the ability to trace its potential impact on cloud environments. For details on configuring Defender for Cloud in your pipeline, see the official CI/CD integration documentation.

Configure Automated Gates
Integrate Defender CSPM with Azure DevOps, GitHub Actions, or other CI/CD tools. Set up automated scans at each build or deployment step. Deployments halt if critical issues arise, such as vulnerabilities with severity above a set threshold. This ensures that only secure and compliant code is deployed to production. Read further details on how to configure the Microsoft Security DevOps (MSDO) Action.

Enable Continuous Security Assessments
Trigger a security scan on every code commit to catch new vulnerabilities immediately. For infrastructure, leverage Infrastructure as Code (IaC) scans before provisioning resources (e.g., checking ARM or Terraform templates against security policies).

Pre-Deployment Security Testing
Incorporate static (SAST) and dynamic (DAST) security testing as part of the pipeline. For instance, use SonarQube for SAST and OWASP ZAP for DAST, with Defender CSPM acting as the overarching guardrail to confirm findings and enforce organizational policies.
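The "Configure Automated Gates" step above halts the pipeline when findings exceed a severity threshold. The following is an added example, not Microsoft's or the MSDO action's own code: a Python gate that reads a SARIF 2.1.0 report (the format the Microsoft Security DevOps action emits), scores each finding using the GitHub code scanning "security-severity" rule property with the SARIF result level as a fallback, skips findings that carry an accepted SARIF suppression so reviewed exemptions do not block, and exits non-zero when any finding meets the threshold. The scanner name, rule IDs, file paths and messages in the embedded sample report are constructed for this example, as is the level-to-score fallback mapping.

```python
"""Severity-threshold security gate over a SARIF scan report (added example, not
Microsoft's code). Reads a SARIF 2.1.0 report such as the one the Microsoft Security
DevOps (MSDO) action produces, scores each finding, and exits non-zero when any
unsuppressed finding meets the configured severity, so the pipeline step fails."""
import json
import sys

# Fallback score per SARIF result level when a rule carries no security-severity
# property (mapping chosen for this example, not a standard).
LEVEL_SCORE = {"error": 8.0, "warning": 5.0, "note": 2.0, "none": 0.0}
# Lower bound of each band on the 0.0-10.0 scale, following the GitHub code
# scanning convention for the security-severity rule property.
BAND_FLOOR = {"critical": 9.0, "high": 7.0, "medium": 4.0, "low": 0.0}

def band_for(score):
    """Name the band a score falls in; dict order puts the highest band first."""
    for name, floor in BAND_FLOOR.items():
        if score >= floor:
            return name
    return "low"

def is_suppressed(result):
    """An accepted (or status-less) SARIF suppression, e.g. an in-source ignore
    comment or a reviewed exemption, means the result must not block."""
    for sup in result.get("suppressions") or []:
        if sup.get("status", "accepted") == "accepted":
            return True
    return False

def score_result(result, rules_by_id):
    """Prefer the rule's security-severity; otherwise map the result level."""
    rule = rules_by_id.get(result.get("ruleId"), {})
    sev = rule.get("properties", {}).get("security-severity")
    if sev is not None:
        return float(sev)
    return LEVEL_SCORE.get(result.get("level", "warning"), 5.0)

def first_location(result):
    """Render the first physical location as path:line for the gate output."""
    for loc in result.get("locations") or []:
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri", "<unknown>")
        line = phys.get("region", {}).get("startLine")
        return f"{uri}:{line}" if line else uri
    return "<no location>"

def evaluate_sarif(sarif, threshold="high"):
    """Gate verdict: every counted finding, the ones that block, and pass/fail."""
    floor = BAND_FLOOR[threshold]
    findings = []
    for run in sarif.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules_by_id = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for result in run.get("results", []):
            if is_suppressed(result):
                continue
            score = score_result(result, rules_by_id)
            findings.append({"rule": result.get("ruleId", "<no rule>"),
                             "score": score, "band": band_for(score),
                             "where": first_location(result),
                             "message": result.get("message", {}).get("text", "")})
    blocking = [f for f in findings if f["score"] >= floor]
    return {"threshold": threshold, "total": len(findings),
            "blocking": blocking, "passed": not blocking}

def _finding(rule, level, text, uri, line, suppressed=False):
    """Build one SARIF result for the constructed sample report below."""
    res = {"ruleId": rule, "level": level, "message": {"text": text},
           "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                               "region": {"startLine": line}}}]}
    if suppressed:
        res["suppressions"] = [{"kind": "external", "status": "accepted"}]
    return res

# Constructed sample: scanner name, rule IDs, paths and messages are made up.
SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "constructed-example-scanner", "rules": [
        {"id": "EX-IAC-001", "properties": {"security-severity": "9.1"}},
        {"id": "EX-IAC-002", "properties": {"security-severity": "7.5"}},
        {"id": "EX-DEP-003"}]}},
    "results": [
        _finding("EX-IAC-001", "error", "Storage bucket allows public access", "infra/storage.tf", 12),
        _finding("EX-IAC-002", "error", "Storage bucket has no encryption set", "infra/storage.tf", 20),
        _finding("EX-DEP-003", "warning", "Dependency has a known vulnerable version", "app/requirements.txt", 3),
        _finding("EX-IAC-001", "error", "Public access reviewed and accepted", "infra/site.tf", 5, True)]}]}

def main(argv):
    """Usage: gate.py [report.sarif] [critical|high|medium|low]; no file = sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE_SARIF
    verdict = evaluate_sarif(sarif, argv[2] if len(argv) > 2 else "high")
    for f in verdict["blocking"]:
        print(f"BLOCK [{f['band']} {f['score']:.1f}] {f['rule']} at {f['where']}: {f['message']}")
    print(f"{verdict['total']} counted, {len(verdict['blocking'])} at or above '{verdict['threshold']}'")
    return 0 if verdict["passed"] else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the pipeline step after the scan with the report path and threshold as arguments; the non-zero exit status is what fails the job and holds the deployment.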
Role-Based Access Control (RBAC)
Implement RBAC so that only authorized personnel can modify security policies and configurations, preserving the integrity of security settings.

Step 2: Continuous Security Assessments During the Development Lifecycle

Objective: Perform ongoing, automated security checks throughout coding, testing, and release cycles.

Monitor All Cloud Resources
Enable continuous monitoring of dev, staging, and production environments. Defender CSPM flags issues like unencrypted data or open ports as soon as they appear, expediting remediation.

Automate Security Checks on IaC
Scan Infrastructure as Code (IaC) templates for security compliance before resource creation. For example, if a Terraform template lacks encryption on a storage bucket, Defender CSPM can flag or block the deployment. This proactive approach ensures that security is embedded in the infrastructure from the outset, reducing the risk of security breaches.

Define Clear DevSecOps Roles
Clearly define roles within the DevSecOps framework. Developers are responsible for writing secure code, DevOps teams manage secure infrastructure provisioning, and security engineers validate controls. Forming a DevSecOps council or similar forum can help ensure alignment and timely resolution of vulnerabilities. This collaborative approach fosters a culture of shared responsibility for security.

Collaborative Feedback Loops
Regularly review CSPM findings with both development and security teams. Integrate with ticketing systems like Azure Boards to track vulnerabilities and manage them as backlog items. This continuous feedback loop helps in prioritizing and addressing security issues, ensuring that they are resolved in a timely manner.

Step 3: Automating Feedback Loops Between Security and DevOps Teams

Objective: Ensure rapid vulnerability detection, assignment, and remediation through real-time notifications and integrated workflows.
Automate Vulnerability Notifications
Use Azure Logic Apps or similar tools to push alerts to communication platforms like Teams or email. These alerts should provide details on the severity of the vulnerability, affected resources, and recommended fixes so that developers can act quickly. For example, if Defender CSPM detects an unencrypted storage bucket, an alert can be sent to the relevant team with instructions on how to enable encryption.

Establish a Continuous Remediation Loop
When Defender CSPM flags a critical issue, a playbook can automatically open a pull request with recommended configuration changes or patches. Developers can then fix the code, and the pipeline will re-run security checks before merging the changes. This ensures that vulnerabilities are addressed promptly and that the code remains secure throughout the development lifecycle.

Track Vulnerability Remediation Progress
Assign Service Level Agreements (SLAs) for vulnerabilities based on their severity. Regularly review CSPM dashboards to monitor the progress of vulnerability remediation and set escalation rules for overdue items via tools like ServiceNow. This helps ensure that critical vulnerabilities are addressed within the required timeframes and that any delays are promptly escalated.

Automated Reporting and Metrics
Generate monthly or weekly reports on the security posture, including open vulnerabilities, average remediation time, and block rates in the pipeline. Use tools like Azure Workbooks or Power BI to visualize trending data and identify areas for process improvement. These reports can help in tracking the effectiveness of security measures and in making informed decisions to enhance the overall security posture.

Strategic Benefits of DevSecOps with Defender CSPM

Proactive Risk Mitigation: By catching vulnerabilities early, organizations can minimize the chance of costly breaches and protect customer trust.
Defender CSPM provides code-to-runtime contextualization, allowing teams to identify and address security issues from the code level to the cloud infrastructure. This proactive approach ensures that security is embedded throughout the development lifecycle, preventing issues from escalating.

Faster Remediation and Reduced Security Debt: Continuous monitoring and automated fixes prevent issues from lingering or piling up, ensuring that your production environment stays clean. For example, if a misconfiguration is detected in a Terraform script, Defender CSPM can alert the team and provide guidance on how to fix it. This helps maintain a secure infrastructure from the outset, reducing the risk of security breaches.

Compliance Monitoring at Runtime: Defender CSPM identifies misconfigurations and vulnerabilities against various frameworks (e.g., PCI-DSS, HIPAA) after deployment, reducing manual overhead for compliance checks. While there isn’t a direct mapping of tool findings to a specific compliance framework during the build stage, continuous runtime assessments help maintain a secure and compliant environment, ensuring that infrastructure and applications meet regulatory and security requirements once deployed.

Enhanced Collaboration: Transparency and shared ownership bridge the gap between development, security, and operations teams, making security an enabler rather than a roadblock. Defender CSPM integrates seamlessly into DevOps workflows, enabling security teams to work closely with development and operations teams. This collaboration helps identify and mitigate security risks early in the development process, fostering a culture of shared responsibility for security.

Consistent Scalability: As your cloud footprint expands, automated checks ensure that new resources, teams, and pipelines follow the same robust security standards.
Continuous visibility into the security posture of the cloud environment helps in prioritizing risks based on their impact, ensuring that the most critical security issues are addressed promptly.

Key Metrics to Track DevSecOps Success

Vulnerability Detection Rate: Ensures early and frequent discovery of security issues.

Deployment Block Rate: Indicates how often releases are halted due to security violations. A high block rate may mean teams need additional training or improved processes.

Mean Time to Detect (MTTD): Tracks the average time taken to detect a security issue from the moment it occurs. Shorter detection times reflect the effectiveness of continuous monitoring and automated security checks.

Remediation Time (MTTR): Measures how quickly issues are resolved after detection. Shorter times reflect mature collaboration and processes.

Compliance Pass Rate: Tracks how consistently code and cloud resources meet defined standards before going live.

False Positive Rate: Measures the frequency of false positives in security alerts. A lower false positive rate indicates more accurate detection and reduces the burden on teams to investigate non-issues.

Change Failure Rate: Indicates the percentage of changes that result in a failure or security issue. A lower change failure rate suggests that security is well-integrated into the development process and that changes are being implemented securely.

Security Incident Frequency: Measures the number of security incidents over a specific period. Monitoring this metric helps in understanding the overall security posture and identifying trends or patterns in security incidents.

Conclusion and Next Steps

Integrating Defender CSPM into DevOps workflows is pivotal for any organization aiming to balance speed and security in the cloud.
By automating security gates, shifting security checks left, and fostering real-time collaboration, you reduce the risk of late-breaking vulnerabilities and maintain a more resilient production environment. To revisit the broader context of this series and learn about our earlier topics, such as risk identification and prioritization, review the main overview article, Considerations for risk identification and prioritization in Defender for Cloud, and Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM. In our next piece, we’ll explore how Defender CSPM can bolster proactive forensics and incident preparedness, equipping your organization to detect threats early and respond decisively when incidents occur. Stay tuned!

Microsoft Defender for Cloud - Additional Resources

Blog series main article - Strategy to Execution: Operationalizing Microsoft Defender CSPM
Blog Series article - Considerations for risk identification and prioritization in Defender for Cloud
Blog Series article - Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM
Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP
Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja

Reviewers

Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud
Dick Lake, Security Product Manager, CxE Defender for Cloud

Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud?

On-demand malware scanning in Defender for Storage is now in GA! This feature also supports blobs up to 50 GB in size (previously limited to 2 GB). See this page for more info.

31 new and enhanced Multicloud regulatory standards

We’ve published enhanced and expanded support of over 31 security and regulatory frameworks in Defender for Cloud across Azure, AWS & GCP. For more details, please refer to our documentation.

Blogs of the month

In February, our team published the following blog posts we would like to share:
Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud
Protecting Azure AI Workloads using Threat Protection for AI in Defender for Cloud
New and enhanced multicloud regulatory compliance standards in Defender for Cloud
Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM

GitHub Community

Learn more about Code Reachability Vulnerabilities with Endor Labs with Module 26 - Defender for Cloud Code Reachability Vulnerabilities with Endor Labs

Defender for Cloud in the field

Watch the latest Defender for Cloud in the Field YouTube episodes here:
Integrate Defender for Cloud CLI with CI/CD pipelines
Code Reachability Analysis
Visit our YouTube page!

Customer journeys

Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Kurita Water Industries, a water treatment solutions company that leverages both Microsoft Entra Permissions Management and Defender for Cloud’s CSPM (for resource statuses, vulnerabilities, state of access permissions, and risk prioritization) and CWPP capabilities to continuously monitor and protect cloud workloads.

Security community webinars

Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month in the link below!
MAR 5 Microsoft Defender for Cloud | API Security Posture with Defender for Cloud

We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP.

We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats you find most beneficial and any specific topics you’re interested in at https://aka.ms/PublicContentFeedback.

Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe

Secure containers software supply chain across the SDLC
In today’s digital landscape, containerization is essential for modern application development, but it also expands the attack surface with risks like vulnerabilities in base images, misconfigurations, and malicious code injections. Securing containers across their lifecycle is critical. Microsoft Defender for Cloud delivers end-to-end protection, evaluating threats at every stage—from development to runtime. Recent advancements further strengthen container security, making it a vital solution for safeguarding applications throughout the software development lifecycle (SDLC).

Container software development lifecycle

The lifecycle of containers involves several stages, during which the container evolves through different software artifacts.

Container software supply chain

It all starts with a container or Docker script file, created or edited by a developer in the development phase and submitted into the code repository. The script file is converted into a container image during the build phase via the CI/CD pipeline and submitted into a container registry as part of the ship phase. When a container image is deployed into a Kubernetes cluster, it transforms into running, ephemeral container instances, marking the transition to the runtime phase.

A container may encounter numerous challenges throughout its transition from development to runtime. Ensuring its security requires maintaining visibility, mitigating risks, and implementing remediation measures at each stage of its journey. Microsoft Defender for Cloud's latest advancements in container security assist in securing your container's journey and safeguarding your containerized environments.

Command line interface (CLI) tool for container image scanning at build phase, now in public preview

Integrating security into every phase of your software development is crucial.
To effectively incorporate container security evaluation early in the container lifecycle, particularly during the development phase, and to seamlessly integrate it into diverse DevSecOps ecosystems, a Command Line Interface (CLI) is essential. This new capability of Microsoft Defender for Cloud provides an alternative method for assessing container images for security findings. Available through a CLI abstraction layer, it allows seamless integration into any tool or process, independently of the Microsoft Defender for Cloud portal.

Key purposes of the Microsoft Defender for Cloud CLI:

Expanding container security to cover the development phase, code repository phase, and CI/CD phase:
- Development phase: Developers can scan container images locally on Windows, Linux, or macOS using PowerShell or any scripting terminal.
- Code repository phase: Integrate the CLI into code repositories with webhook integrations like GitHub Actions to scan and potentially abort pull requests based on findings.
- CI/CD phase: Scan container images in the CI/CD pipeline to detect and block vulnerabilities during the build stage.
Invoke scanning on-demand for specific container images.
Integrate easily into existing DevSecOps processes and tools.

For more details, watch the CLI demo.

How it works

Microsoft Defender for Cloud CLI requires authentication through API tokens. These tokens are managed by Security Administrators via the Integrations section in the Microsoft Defender for Cloud portal.

Figure 3: API push tokens management

The CLI supports Microsoft proprietary and third-party engines like Trivy, enabling vulnerability assessment of container images and generating results in SARIF format. It integrates with Microsoft Defender for Cloud for further analysis and helps incorporate security guardrails early in development.
Additionally, it provides visibility of container artifacts' security posture from code to runtime, along with context essential for remediating security issues, such as the artifact owner and repository of origin. For more details, setup guides, and use cases, please refer to the official documentation.

Vulnerability assessment of container images in third-party registries, now in public preview

Container registries are centralized repositories used to store container images for the ship phase, prior to deployment to Kubernetes clusters. They play an essential role in the container software supply chain, and assessing container images for vulnerabilities at this phase might be the last chance to prevent vulnerable images from reaching your production runtime environments. Many organizations use a mix of cloud-native (ACR, ECR, GCR, GAR) and third-party container registries. To enhance coverage, Microsoft Defender for Cloud now offers vulnerability assessments for popular third-party registries like Docker Hub and JFrog Artifactory. You can now integrate them into your Microsoft Defender for Cloud tenant to scan container images for security vulnerabilities, improving your organization's coverage of the container software supply chain.

This integration offers key benefits:
Automated vulnerability scanning: Automatically scans container images for known vulnerabilities, helping identify and fix security issues early.
Continuous monitoring: Ensures that new vulnerabilities are promptly detected and addressed.
Compliance management: Assists organizations in maintaining compliance by providing detailed security posture reports on container images and resources.
Actionable security recommendations: Provides recommendations based on best practices to improve container security.
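The CLI section above describes scanning images in the CI/CD phase, emitting SARIF, and blocking the build on findings. The following Python script is an added example (not Defender for Cloud CLI code or Microsoft documentation) of the gate that consumes such a SARIF 2.1.0 file: it maps each result to a severity bucket, skips suppressed (triaged) results, and fails the pipeline when critical or high counts exceed an assumed policy. The scanner invocation itself is not shown; the embedded SARIF document, its rule IDs and the thresholds are constructed for illustration.

```python
"""Fail a CI/CD build on high-risk findings in a SARIF container-scan report.

Added example, not Defender for Cloud CLI code. It only consumes the SARIF 2.1.0
file a scan writes; how that file is produced is outside this script.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BUCKETS = ("critical", "high", "medium", "low")

# Constructed SARIF report standing in for a real scan result. Rule IDs are
# placeholders, not real vulnerability identifiers.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "EXAMPLE-0001", "properties": {"security-severity": "9.8"}},
            {"id": "EXAMPLE-0002", "properties": {"security-severity": "7.5"}},
            {"id": "EXAMPLE-0003", "defaultConfiguration": {"level": "warning"}},
            {"id": "EXAMPLE-0004"},
            {"id": "EXAMPLE-0005", "properties": {"security-severity": "9.1"}},
        ]}},
        "results": [
            {"ruleId": "EXAMPLE-0001", "level": "error",
             "message": {"text": "constructed critical finding"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "Dockerfile"}}}]},
            {"ruleId": "EXAMPLE-0002", "level": "error",
             "message": {"text": "constructed high finding"}},
            {"ruleId": "EXAMPLE-0003",                      # no level: SARIF default is "warning"
             "message": {"text": "constructed unscored finding"}},
            {"ruleId": "EXAMPLE-0004", "level": "note",
             "message": {"text": "constructed informational finding"}},
            {"ruleId": "EXAMPLE-0005", "level": "error",    # triaged: accepted risk
             "message": {"text": "constructed suppressed finding"},
             "suppressions": [{"kind": "external"}]},
        ],
    }],
})


@dataclass(frozen=True)
class Finding:
    rule_id: str
    bucket: str      # one of BUCKETS
    artifact: str    # file, layer or "<unknown>"
    message: str


def bucket_for(level: str, score: Optional[float]) -> str:
    """Prefer a numeric 'security-severity' rule property (CVSS-style, emitted by
    scanners such as Trivy for GitHub code scanning); otherwise use the SARIF level."""
    if score is not None:
        if score >= 9.0:
            return "critical"
        if score >= 7.0:
            return "high"
        return "medium" if score >= 4.0 else "low"
    return {"error": "high", "warning": "medium", "note": "low"}.get(level, "medium")


def load_findings(sarif_text: str) -> List[Finding]:
    """Flatten all runs into Finding records, dropping suppressed results."""
    findings: List[Finding] = []
    for run in json.loads(sarif_text).get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            if res.get("suppressions"):  # triaged/accepted: keep out of the gate
                continue
            rule = rules.get(res.get("ruleId"), {})
            raw = rule.get("properties", {}).get("security-severity")
            score = float(raw) if raw is not None else None
            level = res.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")
            artifact = "<unknown>"
            for loc in res.get("locations", []):
                artifact = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", artifact)
                break
            findings.append(Finding(res.get("ruleId", "<no-rule>"), bucket_for(level, score),
                                    artifact, res.get("message", {}).get("text", "")))
    return findings


def evaluate_gate(findings: List[Finding],
                  limits: Optional[Dict[str, int]] = None) -> Tuple[bool, Dict[str, int]]:
    """Return (passed, counts per bucket). Default policy: no critical or high allowed.
    The limits are an assumed policy, not a Defender for Cloud default."""
    limits = limits if limits is not None else {"critical": 0, "high": 0}
    counts = Counter(f.bucket for f in findings)
    passed = all(counts.get(b, 0) <= cap for b, cap in limits.items())
    return passed, {b: counts.get(b, 0) for b in BUCKETS}


if __name__ == "__main__":
    # Usage: python gate.py results.sarif   (falls back to the constructed sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SARIF
    found = load_findings(text)
    ok, counts = evaluate_gate(found)
    for f in found:
        print(f"{f.bucket:8} {f.rule_id:14} {f.artifact}  {f.message}")
    print("severity counts:", counts, "->", "PASS" if ok else "BLOCK")
    sys.exit(0 if ok else 1)
```

A non-zero exit code is what a GitHub Actions step or other pipeline stage uses to abort the pull request or build, matching the CLI's code-repository and CI/CD use cases above.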
Figure 4: Docker Hub & JFrog Artifactory environments

Figure 5: JFrog Artifactory container images in Security Explorer

To learn more, please refer to the official documentation for Docker Hub and JFrog Artifactory.

Azure Kubernetes Service (AKS) security dashboard for the cluster admin view, now in public preview

The AKS security dashboard provides granular visibility into container security directly within the AKS portal. Microsoft Defender for Cloud aims to provide security insights relevant to each audience in the context of their existing tools and processes, helping various roles prioritize security and build secure software applications, which is essential to ensuring your containers' security across the SDLC. To learn more, please explore the AKS Security Dashboard.

Conclusion

Microsoft Defender for Cloud introduces groundbreaking advancements in container security, providing a robust framework to protect containerized applications. With integrated vulnerability assessment, malware detection, and comprehensive security insights, organizations can strengthen their security posture across the software development lifecycle (SDLC). These enhancements simplify security management, ensure compliance, and offer risk prioritization and visibility tailored to different audiences and roles. Explore the latest innovations in Microsoft Defender for Cloud to safeguard your containerized environments: New Innovations in Container Security with Unified Visibility and Investigations.

Strengthening Cloud Compliance and Governance with Microsoft Defender CSPM
Introduction

This is the third article in our blog series, “Strategy to Execution: Operationalizing Microsoft Defender CSPM.” If you’re new to the series, or want a more holistic view of strategic planning, start with our main overview article and then explore “Considerations for Risk Identification and Prioritization in Defender for Cloud” for a deeper dive into proactive risk management.

Cloud security compliance and governance are no longer optional. Organizations operating in multi-cloud environments such as Azure, AWS, and GCP face a rising tide of complex regulations (like HIPAA, PCI-DSS, and ISO 27001) and stringent internal policies. Non-compliance carries significant risks: financial penalties, damage to reputation, and disrupted operations. Effective governance (enforcing security controls, defining responsibilities, and maintaining visibility into the environment) is essential but challenging in dynamic cloud environments. Automation and a unified approach are essential.

Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) directly addresses these challenges. It delivers automated compliance checks, continuous monitoring, real-time policy enforcement, and streamlined reporting. This results in a proactive security posture, enabling rapid gap detection and remediation while aligning security with business objectives.

This article provides a practical guide to leveraging Defender CSPM for compliance and governance. We will detail how to automate audits, implement policy-driven controls, conduct gap analyses, and continuously strengthen your cloud security posture. Our goal is to equip you to confidently navigate evolving regulations and minimize the risk of costly breaches and fines.

Why Compliance and Governance Matter in the Cloud

Compliance and governance are not merely best practices; they are foundational pillars for secure and sustainable operations.
Organizations need to fully grasp the consequences of neglecting these critical aspects and the compelling justifications for prioritizing them. The following points outline the key drivers, underscoring the essential role of robust compliance and governance frameworks:

Regulatory Requirements

Organizations in highly regulated sectors such as finance, healthcare, and retail must adhere to strict controls around data handling, access management, and security practices. Non-compliance can incur fines that stretch into millions of dollars and severely damage brand reputation.

Data Privacy and Security

Regulatory frameworks often mandate encryption standards, multi-factor authentication (MFA), and regular audits, to name a few. As cloud infrastructures expand and shift, real-time monitoring becomes essential to ensuring these security controls remain intact across all environments.

Governance Accountability

Cloud configurations change rapidly, especially in DevOps-heavy environments. Governance ensures standardized security practices are enforced consistently, assigning ownership for remediation tasks and verifying that best practices are followed at every stage.

By automating compliance checks, governance policies, and enforcement, organizations can minimize risk, conserve resources, and systematically adapt to new requirements.

How Defender CSPM Automates Compliance and Governance

Addressing the complexities of cloud compliance and governance effectively requires automation. Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) solution is specifically designed to streamline these processes, moving organizations away from manual, time-consuming efforts towards a more efficient and proactive approach. The following points detail how Defender CSPM automates key aspects of compliance and governance, delivering significant benefits in terms of speed, accuracy, and resource optimization.
Automated Compliance Audits

Defender CSPM automates continuous audits of your cloud resources, comparing configurations against various industry and regional standards (e.g., HIPAA, PCI-DSS, ISO 27001). In addition to these established frameworks, it also permits the creation of custom controls to audit internal policies or distinctive organizational requirements. You can even combine built-in standards with custom controls to create an entirely tailored compliance standard. While not all assessments can be automated, this approach greatly reduces the reliance on manual audits, enabling security teams to focus on higher-priority, strategic tasks. Critically, any violations, whether against standard or custom benchmarks, are flagged for immediate, targeted remediation.

Continuous Compliance Monitoring

Cloud environments are inherently dynamic; new deployments and changes can inadvertently introduce non-compliant workloads. Defender CSPM’s continuous monitoring approach ensures that as soon as a resource slips out of compliance, your team is notified. This continuous feedback loop is crucial for large, multicloud deployments, where manual assessment quickly becomes unmanageable.

Centralized Reporting and Dashboards

To effectively manage, analyze, and communicate compliance status, Defender CSPM offers built-in dashboards and predefined reports within Microsoft Defender for Cloud, allowing you to visualize and export data such as compliance status (e.g., as PDF or CSV/XLS). Additionally, you can leverage Azure Resource Graph to create more customized views or integrate with external reporting solutions. While not an end-to-end automated reporting platform, these features collectively help organizations share compliance insights across teams and satisfy regulatory or stakeholder requirements. For personalized and in-depth reports, you can leverage Azure Workbooks.
This powerful feature enables you to create highly customized reports directly within Azure, allowing you to focus on specific data points and visualizations relevant to your unique requirements. For advanced analytical reports and interactive dashboards, Defender CSPM seamlessly integrates with Power BI. This integration empowers you to build sophisticated dashboards, conduct in-depth data analysis, and gain deeper insights into your compliance trends and potential areas of concern. Furthermore, for organizations preferring alternative reporting solutions or needing to integrate compliance data into existing systems, Defender CSPM offers a REST API. This open API allows any reporting tool capable of consuming RESTful data to access and utilize Defender CSPM's compliance data, providing maximum flexibility and interoperability.

Gap Analysis and Continuous Improvement

Regular gap analyses pinpoint areas that fall short of regulatory or internal standards. This insight drives ongoing improvement, prompting updates to both technical configurations and governance models. Defender CSPM’s iterative approach to compliance ensures that security posture evolves alongside the organization.

Step-by-Step: Operationalizing Compliance and Governance

Step 1: Automating Compliance Audits

Objective: Implement automated checks for regulations and internal policies, ensuring continuous visibility into compliance posture.

Identify Relevant Standards

Form a dedicated team to map industry regulations (e.g., HIPAA, PCI-DSS, ISO 27001) to specific security controls within your Azure, AWS, or GCP environments. This team will be responsible for ongoing compliance governance. Create and maintain a matrix that clearly links each cloud configuration requirement to the relevant policy or regulation it addresses. This matrix will serve as your central reference for compliance.

Configure Automated Audits

Activate Defender CSPM to perform ongoing compliance assessments.
Microsoft Cloud Security Benchmark (MCSB) is enabled by default for a broad baseline review. You can activate additional frameworks relevant to your specific industry and regulatory obligations. (Note: Compliance standards in Defender for Cloud are accessible with any Defender for Cloud plan, excluding Defender for Servers Plan 1 or Defender for API Plan 1. For more information, see: Microsoft Defender for Cloud Regulatory Compliance Packages.)

Set up Workflow automation and Logic Apps (as documented by Microsoft: Workflow automation - Microsoft Defender for Cloud) to automatically trigger remediation actions or send alerts to designated teams upon detection of non-compliance. Defender CSPM also allows you to configure automated rules to assign remediation tasks to specific individuals or teams, or to create Service Requests in ITSM systems like ServiceNow. (For best practices, refer to: Best Practices to Manage and Mitigate Security Recommendations.)

Schedule Compliance Reports

Defender for Cloud includes some built-in dashboards and reports that can be exported as PDF or CSV. While there isn’t a single, end-to-end scheduling mechanism within Defender CSPM, you can publish your compliance data to Power BI for scheduled, recurring distribution. This approach ensures that compliance reports automatically reach the right stakeholders at set intervals, minimizing manual effort and helping maintain an up-to-date view of your cloud security posture.

Leverage reports and dashboards to visually track compliance trends, identify recurring non-compliance issues, and monitor the progress of remediation efforts.

Step 2: Implementing Policy-Based Governance Models

Objective: Enforce consistent standards and assign the right roles to maintain control across cloud environments. Align your approach with the Microsoft Cloud Security Benchmark (MCSB) and create a cohesive framework that defines governance policies, responsibilities, and operational processes.
Define Governance Framework Aligned with MCSB

Draw on MCSB guidelines to formalize key governance pillars, including:

- Align Organization Roles, Responsibilities, and Accountabilities. Clearly document who owns cloud security decisions. Prioritize accountability, ensuring all stakeholders understand their roles.
- Define and Implement Enterprise Segmentation/Separation of Duties Strategy. Establish a strategy that uses identity, network, or application controls to segment assets without impeding collaboration.
- Define and Implement Data Protection Strategy. Incorporate data protection guidance for encryption, key management, and data lifecycle controls. Consider how data classification, egress policies, and zero-trust principles fit into your governance.
- Define and Implement Network Security Strategy. Document how you’ll segment networks, manage internet edge ingress/egress, and maintain up-to-date network artifacts (e.g., diagrams, reference architectures).
- Define and Implement Security Posture Management Strategy. Describe how you’ll continuously assess, detect, and remediate vulnerabilities and misconfigurations, leveraging Defender for Cloud (CSPM).
- Define and Implement Identity and Privileged Access Strategy. Align with MCSB identity and privileged access controls, outlining standards for MFA, password policies, break-glass accounts, and periodic access reviews.
- Define and Implement Logging, Threat Detection, and Incident Response Strategy. Specify how logs are collected and correlated; identify your SIEM/XDR workflows; detail an escalation path for incident response, referencing MCSB logging and threat detection guidelines.
- Define and Implement Backup and Recovery Strategy. Articulate RTO/RPO requirements, redundancy design, and backup protections against unauthorized access or tampering.
- Define and Implement Endpoint Security Strategy. Document your approach to EDR, antivirus, and other endpoint controls, ensuring non-production environments follow the same standards.
- Define and Implement DevOps Security Strategy. Embed security checks (shift-left) throughout the CI/CD pipeline, enforcing IaC policies, scanning code, and automating compliance checks as recommended in MCSB DevOps sections.
- Define and Implement Multi-Cloud Security Strategy. If you operate in multiple clouds, maintain consistent governance and unify operational processes across platforms. Train teams on differing architectures while standardizing risk management and tooling.

Engage a diverse group of stakeholders from across your organization in the development and review of the Governance Manual.

Maintain a Living Governance Document

Regularly revisit and refine the Governance Framework as your technology, business requirements, and regulatory demands evolve. Keeping policies current prevents misalignment over time and reinforces a proactive security culture.

Policy-Driven Compliance

Utilize the native policy engines provided by your cloud platforms (Azure Policy for Azure, AWS Config for AWS, and GCP IAM Policy or Organization Policies for GCP) to actively enforce your defined governance policies. Configure these policy engines not just for detection of non-compliant configurations, but also to enable automatic remediation wherever technically feasible and operationally safe. Auto-remediation significantly reduces the window of vulnerability and minimizes manual effort.

Set up alerts and notifications within your cloud policy engines to immediately notify security teams when policy violations are detected, especially for critical security controls. Ensure these alerts are routed to the appropriate teams with clear instructions and context, enabling rapid response and remediation actions to address any deviations that could potentially compromise compliance and security.
Automating Policy Reviews

Implement scheduled policy review cycles – for example, bi-annual or quarterly – to ensure your Cloud Security Governance Manual and enforced policies remain current and relevant. The frequency of reviews should be driven by the pace of change within your organization and the evolving regulatory landscape. Leverage Workflow Automation features within your cloud platforms or utilize Azure Logic Apps (or equivalent automation services in AWS/GCP) to proactively notify the designated governance teams when scheduled policy reviews are due. These automated notifications ensure timely reviews and prevent policy stagnation, allowing your governance framework to scale effectively as your cloud environment expands and new regulatory demands emerge.

Step 3: Running Compliance Gap Analysis and Remediation

Objective: Identify deviations from compliance standards in your environment and proactively remediate identified issues.

Conduct Initial Gap Analysis

Use Defender CSPM to benchmark your cloud resources against your defined security policies and relevant external compliance standards. Generate a prioritized list of identified compliance gaps. This list should clearly highlight the potential risk and business impact associated with each gap.

Categorize and Prioritize Gaps

Categorize identified compliance gaps based on their risk level (e.g., High, Medium, Low). Consider factors such as data sensitivity, business criticality, and potential regulatory impact for accurate classification. Clearly assign responsibility for remediating each gap to specific teams or individuals. Establish Service Level Agreements (SLAs) for remediation based on the risk level (e.g., 24-48 hours for High-risk gaps) to ensure timely resolution.

Automated Remediation Playbooks

Create automated remediation playbooks for frequently occurring misconfigurations, such as unencrypted data storage or publicly accessible resources.
Utilize Workflow Automation, Azure Logic Apps, Azure Automation, or other serverless automation frameworks to automatically remediate identified misconfigurations, aiming for near real-time resolution of common issues.

Track Progress and Iterate

Actively use the built-in or custom compliance dashboards within Defender CSPM to continuously track the status of remediation efforts across all identified gaps. Automate the generation and distribution of weekly compliance progress reports to relevant stakeholders. Use these reports to track overall progress, identify bottlenecks, and iteratively refine remediation workflows and resource allocation as needed for optimal efficiency.

Strategic Advantages of Automation

Substantially Reduced Legal and Financial Risk: Automating compliance checks offers a crucial shield against potentially devastating legal and financial repercussions. By proactively and continuously identifying compliance violations early in the lifecycle, automation allows for rapid remediation before they escalate into significant issues. This proactive approach directly minimizes the risk of incurring steep regulatory fines, facing costly legal battles, and suffering significant financial losses due to non-compliance. Furthermore, maintaining a consistently compliant posture demonstrates due diligence and responsible data handling, mitigating the potential for legal scrutiny and associated costs.

Enhanced Efficiency and Optimized Resource Allocation: Automation fundamentally transforms how security teams operate. By offloading the tedious and time-consuming burden of manual compliance audits and routine governance tasks to automated systems, organizations achieve significant gains in efficiency. This shift liberates highly skilled security professionals from repetitive, low-value activities, allowing them to focus their expertise and resources on more strategic and critical priorities.
These include proactive threat detection, sophisticated incident response, in-depth security analysis, and the development of forward-thinking security strategies – areas where human expertise and ingenuity are irreplaceable and deliver far greater value to the organization.

Strengthened Accountability and Streamlined Remediation: Automation plays a vital role in establishing a robust and accountable governance structure. By automatically enforcing clearly defined governance policies and assigning ownership for security controls, automation eliminates ambiguity and promotes responsibility. When non-compliance issues are automatically detected, automated workflows can immediately assign remediation tasks to specific teams or even individuals based on pre-defined rules and responsibilities. This clear assignment of accountability dramatically accelerates the remediation process, reduces confusion and "finger-pointing" across teams, and ensures that security gaps are addressed swiftly and efficiently.

Future-Proofed Security and Agile Adaptability: In the rapidly evolving landscape of cloud computing and regulatory environments, agility is paramount. Automation provides the essential foundation for a future-proof security posture. Continuous compliance audits, coupled with automated policy enforcement, enable organizations to seamlessly adapt to new and evolving regulatory requirements, dynamic cloud platform changes, and shifting business priorities without being caught off guard. This inherent adaptability ensures that your organization can proactively maintain a strong security and compliance posture, regardless of the pace of change or the emergence of new challenges, ensuring long-term resilience and minimizing future risk.
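Step 3 above asks for gaps categorized by risk level with SLAs (24-48 hours for High), assigned owners, an escalation path for overdue items and weekly progress reports, and the DevSecOps article earlier on this page lists MTTD, MTTR and false positive rate as the metrics to track. The Python script below is an added example (not Microsoft code) that computes those figures and the escalation list over gap records; the records, ids and owners are constructed, the Medium and Low SLA windows are assumptions, and in practice the records would be exported from Defender for Cloud recommendations.

```python
"""Remediation SLA tracking and DevSecOps metrics over Defender CSPM-style gaps.

Added example, not Microsoft code. Records are constructed; in practice they would
come from exported Defender for Cloud recommendations or assessments.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import mean
from typing import Dict, List, Optional

# Remediation SLA per risk level. High uses the upper end of the 24-48 hour window
# from Step 3; the Medium and Low windows are illustrative assumptions.
SLA_HOURS: Dict[str, int] = {"High": 48, "Medium": 7 * 24, "Low": 30 * 24}

# Fixed "now" so the report is reproducible; a real job would use datetime.now(timezone.utc).
NOW = datetime(2025, 3, 5, 12, 0, tzinfo=timezone.utc)


def _utc(*parts: int) -> datetime:
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Gap:
    gap_id: str
    severity: str                   # "High" | "Medium" | "Low"
    occurred_at: datetime           # when the misconfiguration was introduced
    detected_at: datetime           # when the assessment first flagged it
    owner: str                      # team accountable for remediation
    resolved_at: Optional[datetime] = None
    false_positive: bool = False    # closed as not-an-issue after triage


# Constructed sample: five gaps with placeholder ids and owners.
SAMPLE_GAPS: List[Gap] = [
    Gap("gap-1", "High", _utc(2025, 3, 1, 0), _utc(2025, 3, 1, 2), "storage-team",
        resolved_at=_utc(2025, 3, 2, 10)),                                    # 32 h, within SLA
    Gap("gap-2", "High", _utc(2025, 3, 1, 6), _utc(2025, 3, 1, 7), "network-team"),   # still open
    Gap("gap-3", "High", _utc(2025, 3, 2, 0), _utc(2025, 3, 2, 12), "iam-team",
        resolved_at=_utc(2025, 3, 5, 0)),                                     # 60 h, SLA breach
    Gap("gap-4", "Low", _utc(2025, 3, 2, 23), _utc(2025, 3, 3, 0), "platform-team"),  # open, in SLA
    Gap("gap-5", "Medium", _utc(2025, 2, 28, 20), _utc(2025, 3, 1, 0), "app-team",
        resolved_at=_utc(2025, 3, 1, 3), false_positive=True),
]


def _hours(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 3600.0


def real_gaps(gaps: List[Gap]) -> List[Gap]:
    """Exclude false positives from time-based metrics; they only feed the FP rate."""
    return [g for g in gaps if not g.false_positive]


def overdue(gaps: List[Gap], now: datetime = NOW) -> List[Gap]:
    """Open gaps past their SLA: the escalation list (e.g. to open an ITSM ticket)."""
    return [g for g in real_gaps(gaps)
            if g.resolved_at is None and _hours(now, g.detected_at) > SLA_HOURS[g.severity]]


def mttd_hours(gaps: List[Gap]) -> float:
    """Mean Time to Detect: occurrence -> detection."""
    real = real_gaps(gaps)
    return mean(_hours(g.detected_at, g.occurred_at) for g in real) if real else 0.0


def mttr_hours(gaps: List[Gap]) -> float:
    """Mean Time to Remediate: detection -> resolution, resolved gaps only."""
    done = [g for g in real_gaps(gaps) if g.resolved_at is not None]
    return mean(_hours(g.resolved_at, g.detected_at) for g in done) if done else 0.0


def sla_compliance(gaps: List[Gap]) -> float:
    """Share of resolved gaps closed within their SLA window."""
    done = [g for g in real_gaps(gaps) if g.resolved_at is not None]
    if not done:
        return 1.0
    on_time = sum(1 for g in done if _hours(g.resolved_at, g.detected_at) <= SLA_HOURS[g.severity])
    return on_time / len(done)


def false_positive_rate(gaps: List[Gap]) -> float:
    return sum(1 for g in gaps if g.false_positive) / len(gaps) if gaps else 0.0


def scorecard(gaps: List[Gap], now: datetime = NOW) -> Dict[str, object]:
    """One weekly-report row; escalations carry the owner so the alert can be routed."""
    return {
        "open": sum(1 for g in real_gaps(gaps) if g.resolved_at is None),
        "overdue": [(g.gap_id, g.severity, g.owner) for g in overdue(gaps, now)],
        "mttd_hours": round(mttd_hours(gaps), 1),
        "mttr_hours": round(mttr_hours(gaps), 1),
        "sla_compliance": round(sla_compliance(gaps), 2),
        "false_positive_rate": round(false_positive_rate(gaps), 2),
    }


if __name__ == "__main__":
    for key, value in scorecard(SAMPLE_GAPS).items():
        print(f"{key:20} {value}")
```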
Conclusion and Next Steps

By integrating Microsoft Defender CSPM into a structured compliance and governance framework, organizations can maintain an ongoing, automated process for meeting regulatory requirements, enforcing consistent policies, and remediating gaps. The result is a cloud security posture that is proactive, resilient, and aligned with business objectives.

In our previous article, we explored how to identify and prioritize risks in your cloud environments. If you're new to the series or want an overarching strategy perspective, check out our main overview article. Next, we'll dive into integrating Defender CSPM within DevOps workflows, ensuring security is woven into every step of the development lifecycle. Stay tuned for Article 3, where we'll cover practical methods for embedding security early and maintaining compliance without disrupting innovation.

Microsoft Defender for Cloud - Additional Resources

Blog series main article - Strategy to Execution: Operationalizing Microsoft Defender CSPM
Blog series article 2 - Considerations for risk identification and prioritization in Defender for Cloud
Download the new Microsoft CNAPP eBook at aka.ms/MSCNAPP
Become a Defender for Cloud Ninja by taking the assessment at aka.ms/MDCNinja

Reviewers

Yuri Diogenes, Principal PM Manager, CxE Defender for Cloud

New and enhanced multicloud regulatory compliance standards in Defender for Cloud
Security compliance across multicloud environments is challenging due to the diversity and complexity of platforms. Each cloud provider—whether AWS, Azure, Google Cloud, or others—has its own security protocols, configurations, and compliance requirements. This variation can lead to discrepancies and gaps in security posture, as what works in one cloud environment may not apply seamlessly in another. Managing multiple compliance frameworks simultaneously adds complexity, especially when each provider has different methods for meeting these standards.

Without unified compliance visibility, security teams are forced to monitor each cloud platform independently, which is time-consuming and prone to human error. This fragmentation can lead to missed compliance requirements, especially when resources are limited or when team members are unfamiliar with specific cloud platforms. As a result, organizations face increased risks of data breaches, fines, and reputational damage if they fail to meet regulatory requirements consistently across all platforms. A streamlined approach ultimately strengthens the organization's security posture and simplifies the path to achieving and maintaining compliance across complex, multicloud landscapes.

Microsoft Defender for Cloud helps security teams meet various regulations and industry standards through its Regulatory Compliance dashboard. Each standard has multiple compliance controls, which are groups of related security recommendations. Defender for Cloud constantly evaluates the environment against these controls, indicating whether resources are compliant or non-compliant. To help security teams coordinate with compliance teams, Defender for Cloud regulatory compliance signals can be integrated into Microsoft Purview Compliance Manager.

Today, we're excited to share enhanced and expanded support for over 30 regulatory compliance frameworks in Defender for Cloud, across Azure, AWS, and GCP.
New regulatory compliance frameworks for multicloud environments now available in public preview

Unified compliance posture assessments, updated to the latest versions with parity across Azure, AWS, and GCP. New regulatory compliance standards include:

E.U. Network and Information Security Directive 2 (NIS2)
CIS GCP Foundations v3.0
U.S. Criminal Justice Information Services (CJIS) Security Policy, Version 5.9.5
U.S. Federal Financial Institutions Examination Council Cybersecurity Assessment Tool (FFIEC CAT)
U.K. National Cyber Security Centre (NCSC) Cyber Essentials v3.1
U.K. National Cyber Security Centre (NCSC) Cyber Assurance Framework (CAF) v3.2

Enhancements to existing regulatory compliance standards

Leverage the latest versions of currently supported regulatory compliance standards, now expanded to full parity across Azure, AWS, and GCP. Some key standards include:

SWIFT Customer Security Controls Framework (2024)
E.U. General Data Protection Regulation (GDPR)
ISO IEC 27002:2022
NIST CSF v2.0
PCI DSS v4.0.1
NIST SP 800 53 R5.1.1

View the full list of regulatory compliance standards. Get started with regulatory compliance assessment in Defender for Cloud today.

Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud
The cloud security landscape is constantly evolving, and securing containerized environments, including Kubernetes, is a critical piece of the puzzle. Kubernetes environments provide exceptional flexibility and scalability, which are key advantages for modern infrastructure. However, the complex and intricate permissions structure of Kubernetes, combined with the dynamic, ephemeral nature of containers, introduces significant security challenges. Misconfigurations in permissions can easily go unnoticed, creating opportunities for unauthorized access or privilege escalation. The rapid lifecycle of resources in Kubernetes adds to the complexity of this issue, making it harder to maintain visibility and enforce a consistent security posture. Traditional security tools often lack the depth needed to map and analyze Kubernetes permissions effectively, leaving organizations vulnerable to security gaps.

In this blog we will explore how Microsoft Defender for Cloud provides visibility to address these challenges with the recent addition of Kubernetes role-based access control (RBAC) into the cloud security graph. We'll analyze potential techniques attackers use to move laterally in Kubernetes environments and demonstrate how Microsoft Defender for Cloud surfaces these threats as attack paths. Finally, we will demonstrate how this feature allows customers to identify Kubernetes RBAC bindings that don't follow security best practices using the cloud security explorer.

Enhancing Security with Kubernetes RBAC Integration into the cloud security graph

Defender for Cloud uses a cloud security graph to represent the data of your multicloud environment. This graph-based engine analyzes data on your cloud assets and their security posture, providing contextual analysis, attack path insights, and the ability to identify security risks with queries in the cloud security explorer.
The introduction of Kubernetes RBAC into the cloud security graph addresses the visibility and security challenges posed by Kubernetes' complex permissions structure and dynamic workloads. By ingesting Kubernetes RBAC objects into the graph as nodes and edges, we create a more comprehensive picture of the Kubernetes environment's security posture. The cloud security graph leverages Kubernetes RBAC to map relationships between Kubernetes identities, Kubernetes objects, and cloud identities. This functionality uncovers additional attack paths and equips customers to proactively identify and mitigate threats in their cloud environments.

Revealing attackers' techniques

Visualizing potential lateral movement within a Kubernetes cluster can be challenging. Attackers who establish an initial foothold in the cluster may exploit various techniques to move laterally, accessing sensitive resources within the cluster and even extending to other cloud resources in the victim's environment. Let's examine the techniques attackers use for lateral movement in Kubernetes environments and explore how identifying new attack paths, along with the factors enabling such movement, can support proactive threat remediation.

Inner cluster lateral movement

In Kubernetes, each pod is attached to a Kubernetes service account that determines the permissions of the pod in the cluster. By default, the service account associated with a pod allows it to interact with the Kubernetes API with minimal permissions, but it is often granted more privileges than required for its specific function. Attackers who compromise a container can exploit the RBAC permissions of the pod's service account to move laterally within the cluster and access sensitive resources. For instance, if the compromised service account has impersonation privileges, attackers can use them to act as a more privileged service account by leveraging impersonation headers, potentially leading to a full cluster takeover.
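As an added illustration of the inner-cluster risk just described (example code written for this page, not part of the original post or of Defender for Cloud), the following Python audit walks Kubernetes RBAC objects in the JSON shape returned by kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json, constructed inline here, and flags service accounts bound to roles that grant the impersonate, escalate, bind or wildcard verbs, or bound directly to cluster-admin. These are the same kind of RBAC bindings the cloud security explorer query templates described later in the post are meant to surface; all names and objects in the sample are made up.

```python
import json

# Verbs that let a subject act as another identity or grow its own rights.
RISKY_VERBS = {"impersonate", "escalate", "bind", "*"}

# Constructed sample in the shape of `kubectl get ... -o json` (a List of items).
SAMPLE_RBAC = {
    "kind": "List",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "sa-impersonator"},
         "rules": [{"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
        {"kind": "ClusterRoleBinding", "metadata": {"name": "web-can-impersonate"},
         "roleRef": {"kind": "ClusterRole", "name": "sa-impersonator"},
         "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "shop"}]},
        {"kind": "RoleBinding", "metadata": {"name": "web-reads-pods", "namespace": "shop"},
         "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
         "subjects": [{"kind": "ServiceAccount", "name": "web", "namespace": "shop"}]},
        {"kind": "RoleBinding", "metadata": {"name": "ci-is-admin", "namespace": "ops"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "ops"}]},
    ],
}

def role_key(kind, namespace, name):
    """ClusterRoles are cluster-scoped, so only Roles carry a namespace in the key."""
    return (kind, namespace if kind == "Role" else "", name)

def index_roles(items):
    """Map (kind, namespace, name) -> PolicyRules for every Role and ClusterRole."""
    roles = {}
    for obj in items:
        if obj["kind"] in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            key = role_key(obj["kind"], meta.get("namespace", ""), meta["name"])
            roles[key] = obj.get("rules") or []
    return roles

def risky_rules(rules):
    """Return 'verb on resources' strings for every rule that grants a risky verb."""
    found = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        resources = ",".join(rule.get("resources", [])) or "*"
        for verb in sorted(verbs & RISKY_VERBS):
            found.append(f"{verb} on {resources}")
    return found

def audit(items):
    """Flag ServiceAccount subjects bound to risky roles or directly to cluster-admin."""
    roles = index_roles(items)
    findings = []
    for obj in items:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        # A RoleBinding may reference a namespaced Role or a cluster-wide ClusterRole.
        key = role_key(ref["kind"], obj["metadata"].get("namespace", ""), ref["name"])
        reasons = risky_rules(roles.get(key, []))
        if ref["name"] == "cluster-admin":
            reasons.append("bound to cluster-admin")
        for subj in obj.get("subjects", []):
            if reasons and subj["kind"] == "ServiceAccount":
                findings.append({
                    "subject": f"{subj.get('namespace', '')}/{subj['name']}",
                    "binding": f"{obj['kind']}/{obj['metadata']['name']}",
                    "role": f"{ref['kind']}/{ref['name']}",
                    "reasons": reasons,
                })
    return findings

if __name__ == "__main__":
    # For a real cluster, replace SAMPLE_RBAC with json.load(open("rbac.json")).
    print(json.dumps(audit(SAMPLE_RBAC["items"]), indent=2))
```

Each finding names the service account, the binding and the reason, which is enough to decide whether the privilege is really needed or whether the binding should be removed.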
Cluster to cloud lateral movement

In addition to lateral movement inside Kubernetes clusters, attackers could also use additional techniques to move laterally from managed Kubernetes clusters to the cloud.

1. Using the Instance Metadata Service (IMDS)

In managed Kubernetes environments, each worker node is assigned a specific cloud identity or IAM role that gives it the necessary permissions to interact with the cloud provider's API to perform tasks that maintain cluster operations (such as autoscaling). To do this, the worker node can access the Instance Metadata Service (IMDS), which provides important details like configurations, settings, and the identity credentials of the node. The IMDS is accessible through a special IPv4 link-local address (169.254.169.254), allowing the worker node to securely retrieve its credentials and perform its tasks. If attackers gain control of a container in a managed Kubernetes cluster, they may attempt to query the IMDS endpoint to assume the IAM role or identity credentials associated with the worker node hosting the container. These credentials can then be exploited to access cloud resources, such as databases or compute instances outside the cluster. The potential damage caused by such an attack depends on the permissions of the worker node identity.

2. Using the workload identity

Workload identity (in Azure and Google Cloud, and in AWS as IAM Roles for Service Accounts (IRSA) or EKS Pod Identity) allows Kubernetes pods to authenticate to cloud services using cloud-native identity mechanisms without needing to manage long-lived credentials like API keys. In this setup, a pod is associated with a Kubernetes service account that is linked to a cloud identity (e.g., a GCP service account, a managed identity for Azure resources, or an AWS IAM role), enabling the pod to access cloud resources securely.
While this integration enhances security, if attackers compromise a pod that is using workload identity, they could exploit the cloud identity associated with that pod to access cloud resources. Depending on the permissions granted to the cloud identity or IAM role, the attackers could perform actions like reading sensitive data from cloud storage, interacting with databases, or even modifying infrastructure—potentially escalating the attack beyond the Kubernetes environment into the cloud platform itself.

Cloud to cluster lateral movement

In cloud environments, managing access to Kubernetes clusters is critical to maintaining security. Cloud identities that are granted high-level permissions over Kubernetes clusters pose a potential security risk. If these identities have elevated permissions—such as the ability to create or modify resources within the cluster—an attacker who compromises their credentials can leverage these permissions to take full control of the cluster. Once attackers gain access to a privileged cloud account, they could manipulate Kubernetes configurations, create malicious workloads, or access sensitive data. This scenario could lead to a complete cluster takeover.

Using Defender for Cloud to prevent lateral movement

Defender for Cloud provides organizations with instant visibility into potential attack paths that attackers could exploit to move laterally within their cluster, enabling them to take preventive actions before an attack occurs. In the example shown in figure 1, an attack path is generated to highlight how a vulnerable container can be exploited by an attacker to move laterally within the cluster and eventually achieve a full cluster takeover. This involves remotely compromising the vulnerable container, leveraging the Kubernetes service account linked to the pod, and impersonating a more privileged service account to gain control over the cluster.
In another example, as shown in figure 2, the attack path illustrates how an attacker can exploit a vulnerable container to move laterally from the cluster to cloud resources outside of it by leveraging the cloud identity associated with the pod's service account. With the visibility provided by these attack paths, security teams can take action before an attack takes place, for example by blocking external access to the container unless it is absolutely required, ensuring the vulnerability is addressed, and verifying whether the pod service account's permissions are indeed required.

Kubernetes risk hunting with the cloud security explorer

In addition to the attack path capabilities, Defender for Cloud's contextual security capabilities assist security teams in reducing the risk of Kubernetes RBAC misconfigurations. By executing graph-based queries on the cloud security graph using the cloud security explorer, security teams can proactively identify risks within a multicloud Kubernetes environment. By utilizing the query builder, teams can search for and locate risks associated with Kubernetes identities and workloads, enabling them to preemptively address potential threats. The cloud security explorer provides you with the ability to perform proactive exploration, along with built-in query templates that are dedicated to Kubernetes RBAC risks.

Beyond cloud security

As the cloud security graph is part of the Microsoft enterprise exposure graph, customers can gain further visibility beyond the cloud boundary. By using Microsoft enterprise exposure management, customers can see not only the lateral movement from Kubernetes to the cloud and vice versa, but also how the identities used by the attacker can be further used to move laterally to additional assets in the organization, and how a breach of an on-prem asset can lead to lateral movement to Kubernetes assets in the cloud.
In the example shown in figure 4, we have an attack path that highlights how a vulnerable device can be exploited by an attacker to move laterally from an on-prem environment to a Kubernetes cluster located in the cloud. This process includes remotely compromising the vulnerable device, extracting the browser cookie stored on it, and using that cookie to authenticate as a cloud identity with elevated permissions to access a Kubernetes cluster in the cloud.

Conclusion - A brighter future for Kubernetes security

The introduction of Kubernetes RBAC into the cloud security graph represents a significant advancement in securing Kubernetes environments. By providing comprehensive visibility into the complex permissions structure and dynamic workloads of Kubernetes, Microsoft Defender for Cloud enables organizations to proactively identify and mitigate potential security risks. This enhanced visibility not only helps in uncovering new attack paths and lateral movement threats but also supports the enforcement of security best practices within Kubernetes clusters.

To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Containers or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide.

Learn more

If you haven't already, check out our previous blog post that introduced this journey: Elevate Your Container Posture: From Agentless Discovery to Risk Prioritization.

Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud?

The Baseline Linux feature has been updated to improve its accuracy and coverage. For more information, please visit this page.

Container vulnerability assessment enhancements

Container vulnerability assessment scanning, powered by MDVM, has the following updates: support for the PHP, Ruby and Rust programming languages, extended Java language support including exploded JARs, and improved memory usage. For more details, please refer to our announcement.

Blogs of the month

In January, our team published the following blog posts we would like to share:

Considerations for risk identification and prioritization
Elevating Runtime Protection
Bringing AppSec and CloudSec Together: MDC integrates with Endor Labs
Boost security with API Posture Management

GitHub Community

Activate Defender for Servers on a resource level with this PowerShell script. Visit our GitHub page for more content!

Defender for Cloud in the field

Watch the latest Defender for Cloud in the Field YouTube episodes here:

Onboarding Docker Hub and JFrog Artifactory
New AKS Security Dashboard in MDC

Visit our YouTube page!

Customer journeys

Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Mia Labs, Inc., a conversational AI virtual assistant startup for auto dealerships. Mia Labs, Inc. leverages OpenAI enriched with Azure AI technologies to help identify sales and service opportunities within the automotive industry. Further, they use Defender for Cloud to provide contextual AI security posture management via CSPM capabilities and to protect AI workloads with runtime security alerts. Together with Defender for Cloud, Mia Labs, Inc. was able to detect numerous jailbreak attacks, one of the most common threats to generative AI systems.

Security community webinars

Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds.
Check out our upcoming webinars this month in the link below!

I would like to register
Watch past webinars

We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP.

We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it's through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please tell us which of these formats you find most beneficial and whether there are any specific topics you're interested in at https://aka.ms/PublicContentFeedback.

Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe

Validating Microsoft Defender for Resource Manager Alerts
This document is provided "as is." MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

As announced at Ignite 2021, the Microsoft Defender for Resource Manager plan provides threat detection against malicious usage of the Azure Resource Management layer (Portal, REST API, PowerShell). To learn more about Azure Defender for ARM, read our official documentation.

You can enable Microsoft Defender for Resource Manager on your subscription via environment settings: select the subscription, change the plan to ON (as shown below) and click Save to commit the change.

Now that you have this plan set to ON, you can use the steps below to validate this threat detection. First, make sure that two requirements are met: the script must be executed by a cloud user with read permissions on the subscription, and the Az PowerShell module must be installed before running the script (it can be installed using "Install-Module -Name Az"). After ensuring those two items are done, run the script below:

# Script to trigger the ARM_MicroBurst.AzDomainInfo alert
# Read-only enumeration of the subscription; nothing is created or modified
Import-Module Az

# Log in to the Azure account and pick a random resource group to scope some of the queries
$accountContext = Connect-AzAccount
$subscriptionId = $accountContext.Context.Subscription.Id
$resourceGroup = Get-AzResourceGroup | Get-Random
$rg = $resourceGroup.ResourceGroupName
Write-Output "[*] Dumping information`nSubscription: $subscriptionId`nResource group: $rg."

Write-Output "[*] Scanning Storage Accounts..."
$storageAccountLists = Get-AzStorageAccount -ResourceGroupName $rg | Select-Object StorageAccountName, ResourceGroupName
Write-Output "[*] Scanning Azure Resource Groups..."
$resourceGroups = Get-AzResourceGroup
Write-Output "[*] Scanning Azure Resources..."
$resourceLists = Get-AzResource
Write-Output "[*] Scanning AzureSQL Resources..."
$azureSQLServers = Get-AzResource | Where-Object { $_.ResourceType -like "Microsoft.Sql/servers" }
Write-Output "[*] Scanning Azure App Services..."
$appServs = Get-AzWebApp -ResourceGroupName $rg
Write-Output "[*] Scanning Azure App Services #2..."
$appServs = Get-AzWebApp -ResourceGroupName $rg
Write-Output "[*] Scanning Azure Disks..."
$disks = Get-AzDisk | Select-Object ResourceGroupName, ManagedBy, Zones, TimeCreated, OsType, HyperVGeneration, DiskSizeGB, DiskSizeBytes, UniqueId, EncryptionSettingsCollection, ProvisioningState, DiskIOPSReadWrite, DiskMBpsReadWrite, DiskIOPSReadOnly, DiskMBpsReadOnly, DiskState, MaxShares, Id, Name, Location -ExpandProperty Encryption
Write-Output "[*] Scanning Azure Deployments and Parameters..."
$deployments = Get-AzResourceGroupDeployment -ResourceGroupName $rg
Write-Output "[*] Scanning Virtual Machines..."
$VMList = Get-AzVM
Write-Output "[*] Scanning Virtual Machine Scale Sets..."
$scaleSets = Get-AzVmss
Write-Output "[*] Scanning Network Interfaces..."
$NICList = Get-AzNetworkInterface
Write-Output "[*] Scanning Public IPs for each Network Interface..."
$pubIPs = Get-AzPublicIpAddress | Select-Object Name, IpAddress, PublicIpAllocationMethod, ResourceGroupName
Write-Output "[*] Scanning Network Security Groups..."
$NSGList = Get-AzNetworkSecurityGroup | Select-Object Name, ResourceGroupName, Location, SecurityRules, DefaultSecurityRules
Write-Output "[*] Scanning RBAC Users and Roles..."
$roleAssignment = Get-AzRoleAssignment
Write-Output "[*] Scanning Roles Definitions..."
$roles = Get-AzRoleDefinition
Write-Output "[*] Scanning Automation Account Runbooks and Variables..."
$autoAccounts = Get-AzAutomationAccount
Write-Output "[*] Scanning Tenant Information..."
$tenantID = Get-AzTenant | Select-Object TenantId
Write-Output "[!] Done Running."

There may be a delay of up to 60 minutes (on average about 45 minutes) between script completion and the alert appearing in the client environment.
An example of this alert is shown below:

Reviewers

Dick Lake, Senior Product Manager
Script by Yuval Barak, Security Researcher