Secure containers software supply chain across the SDLC
In today’s digital landscape, containerization is essential for modern application development, but it also expands the attack surface with risks like vulnerabilities in base images, misconfigurations, and malicious code injections. Securing containers across their lifecycle is critical. Microsoft Defender for Cloud delivers end-to-end protection, evaluating threats at every stage—from development to runtime. Recent advancements further strengthen container security, making it a vital solution for safeguarding applications throughout the Software development lifecycle (SDLC). Container software development lifecycle The lifecycle of containers involves several stages, during which the container evolves through different software artifacts. Container software supply chain It all starts with a container or docker script file, created or edited by developer in development phase, submitted into the code repository. Script file converts into a container image during the build phase via the CI/CD pipeline, submitted into container registry as part of the ship phase When a container image is deployed into a Kubernetes cluster, it transforms into running, ephemeral container instances, marking the transition to the runtime phase. A container may encounter numerous challenges throughout its transition from development to runtime. Ensuring its security requires maintaining visibility, mitigating risks, and implementing remediation measures at each stage of its journey. Microsoft Defender for Cloud's latest advancements in container security assist in securing your container's journey and safeguarding your containerized environments Command line interface (CLI) tool for container image scanning at build phase, is now in public preview Integrating security into every phase of your software development is crucial. To effectively incorporate container security evaluation early in the container lifecycle, particularly during the development phase, and to seamlessly integrate it into diverse DevSecOps ecosystems, the use of a Command Line Interface (CLI) is essential. This new capability of Microsoft Defender for Cloud provides an alternative method for assessing container image for security findings. This capability, available through a CLI abstract layer, allows for seamless integration into any tool or process, independently of Microsoft Defender for Cloud portal. Key purpose of Microsoft Defender for Cloud CLI: Expanding container security to cover the development phase, code repository phase, and CI/CD phase: o Development phase: Developers can scan container images locally on Windows, Linux, or Mac OS using PowerShell or any scripting terminal. o Code repository phase: Integrate the CLI into code repositories with webhook integrations like GitHub actions to scan and potentially abort pull requests based on findings. o CI/CD phase: Scan container images in the CI/CD pipeline to detect and block vulnerabilities during the build stage. Invoke scanning on-demand for specific container images. Integrate easily into existing DevSecOps processes and tools. For more details watch the demo CLI demo How it works Microsoft Defender for Cloud CLI requires authentication through API tokens. These tokens are managed via the Integrations section in the Microsoft Defender for Cloud Portal, by Security Administrators. Figure 3: API push tokens management The CLI supports Microsoft proprietary and third-party engines like Trivy, enabling vulnerability assessment of container images and generating results in SARIF format. It integrates with Microsoft Defender for Cloud for further analysis and helps incorporate security guardrails early in development. Additionally, it provides visibility of container artifacts' security posture from code to runtime and context essential for security issues remediations such as artifact owner and repo of origin. For more details, setup guides, and use cases, please refer to official documentation. Vulnerabilities assessment of container images in third party registries, now in public preview Container registries are centralized repositories used to store container images for the ship phase, prior deployment to Kubernetes clusters. They play an essential role in the container's software supply chain and accessing container images for vulnerabilities at this phase might be the last chance to prevent vulnerable images from reaching your production runtime environments. Many organizations use a mix of cloud-native (ACR, ECR, GCR, GAR) and 3 rd party container registries. To enhance coverage, Microsoft Defender for Cloud now offers vulnerability assessments for third-party registries like Docker Hub and Jfrog Artifactory. These are popular 3 rd party container registries. You can now integrate them into your Microsoft Defender for Cloud tenant to scan container images for security vulnerabilities, improving your organization's coverage of the container software supply chain. This integration offers key benefits: Automated vulnerability scanning: Automatically scans container images for known vulnerabilities, helping identify and fix security issues early. Continuous monitoring: Ensures that new vulnerabilities are promptly detected and addressed. Compliance management: Assists organizations in maintaining compliance by providing detailed security posture reports on container images and resources. Actionable security recommendations: Provides recommendations based on best practices to improve container security. Figure 4: Docker Hub & Jfrog Artifactory environments Figure 5: Jfrog Artifactory container images in Security Explorer To learn more please refer to official documentation for Docker Hub and Jfrog Artifactory. Azure Kubernetes Service (AKS) security dashboard for cluster admin view, now in public preview, provides granular visibility into container security directly within the AKS portal Microsoft Defender for Cloud aims to provide security insights relevant to each audience in the context of their existing tools & process, helping various roles prioritize security and build secure software applications essential to ensure your containers security across SDLC. To learn more please explore AKS Security Dashboard Conclusion Microsoft Defender for Cloud introduces groundbreaking advancements in container security, providing a robust framework to protect containerized applications. With integrated vulnerability assessment, malware detection, and comprehensive security insights, organizations can strengthen their security posture across the software development lifecycle (SDLC). These enhancements simplify security management, ensure compliance, and offer risk prioritization and visibility tailored to different audiences and roles. Explore the latest innovations in Microsoft Defender for Cloud to safeguard your containerized environments- New Innovations in Container Security with Unified Visibility and Investigations.Unveiling Kubernetes lateral movement and attack paths with Microsoft Defender for Cloud
The cloud security landscape is constantly evolving and securing containerized environments including Kubernetes is a critical piece of the puzzle. Kubernetes environments provide exceptional flexibility and scalability, which are key advantages for modern infrastructure. However, the complex and intricate permissions structure of Kubernetes, combined with the dynamic, ephemeral nature of containers, introduces significant security challenges. Misconfigurations in permissions can easily go unnoticed, creating opportunities for unauthorized access or privilege escalation. The rapid lifecycle of resources in Kubernetes adds to the complexity of this issue, making it harder to maintain visibility and enforce a consistent security posture. Traditional security tools often lack the depth needed to map and analyze Kubernetes permissions effectively, leaving organizations vulnerable to security gaps. In this blog we will explore how Microsoft Defender for Cloud provides visibility to address these challenges with the recent addition of Kubernetes role-based access control (RBAC) into the cloud security graph. We'll analyze potential techniques attackers use to move laterally in Kubernetes environments and demonstrate how Microsoft Defender for Cloud provides visibility to these threats as attack paths. Finally, we will demonstrate how this advanced feature allows customers to identify Kubernetes RBAC bindings that don't follow security best practices with the security explorer capabilities. Enhancing Security with Kubernetes RBAC Integration into the cloud security graph Defender for Cloud uses a cloud security graph to represent the data of your multicloud environment. This graph-based engine analyzes data on your cloud assets and their security posture, providing contextual analysis, attack path insights, and identify security risks with queries in the cloud security explorer. The introduction of Kubernetes RBAC into the cloud security graph addresses the visibility and security challenges posed by Kubernetes' complex permissions structure and dynamic workloads. By ingesting Kubernetes RBAC objects into the graph as nodes and edges, we create a more comprehensive picture of Kubernetes environment’s security posture. The cloud security graph leverages Kubernetes RBAC to map relationships between Kubernetes identities, Kubernetes objects, and cloud identities. This functionality uncovers additional attack paths and equips customers to proactively identify and mitigate threats in their cloud environments. Revealing attackers techniques Visualizing potential lateral movement within a Kubernetes cluster can be challenging. Attackers who establish an initial foothold in the cluster may exploit various techniques to move laterally, accessing sensitive resources within the cluster and even extending to other cloud resources in the victim's environment. Let’s examine the techniques attackers use for lateral movement in Kubernetes environments and explore how identifying new attack paths, along with the factors enabling such movement, can support proactive threat remediation. Inner cluster lateral movement In Kubernetes, each pod is attached to a Kubernetes service account that determines the permissions of the pod in the cluster. By default, the service account associated with a pod allows it to interact with the Kubernetes API with minimal permissions, but it is often granted more privileges than required for its specific function. Attackers who compromise a container can exploit the container pod’s service account RBAC permissions to move laterally within the cluster and access sensitive resources. For instance, if the compromised service account has impersonation privileges, attackers can use them to act as a more privileged service account by leveraging impersonation headers, potentially leading to a full cluster takeover. Cluster to cloud lateral movement In addition to lateral movement inside Kubernetes clusters, attackers could also use additional techniques to move laterally from the managed Kubernetes clusters to the cloud. Using the Instance Metadata Service (IMDS) In managed Kubernetes environments, each worker node is assigned a specific cloud identity or IAM role that gives it the necessary permissions to interact with the cloud provider's API to perform tasks that maintain cluster operations (such as autoscaling). To do this, the worker node can access the Instance Metadata Service (IMDS), which provides important details like configurations, settings, and the identity credentials of the node. The IMDS is accessible through a special IPv4 link-local address (169.254.169.254), allowing the worker node to securely retrieve its credentials and perform its tasks. If attackers gains control of a container in a managed Kubernetes cluster, they may attempt to query the IMDS endpoint to assume the IAM role or identity credentials associated with the worker node hosting the container. These credentials can then be exploited to access cloud resources, such as databases or compute instances outside the cluster. The potential damage caused by such an attack depends on the permissions of the worker node identity. 2. Using the workload identity Workload identity in Azure, Google Cloud, and AWS as IAM Roles for Service Accounts (IRSA) or EKS Pod Identity, allows Kubernetes pods to authenticate to cloud services using cloud-native identity mechanisms without needing to manage long-lived credentials like API keys. In this setup, a pod is associated with a Kubernetes service account that is linked to a cloud identity (e.g., a GCP service account, Managed identity for Azure resources, or AWS IAM role), enabling the pod to access cloud resources securely. While this integration enhances security, if attackers compromise a pod that is using workload identity, they could exploit the cloud identity associated with that pod to access cloud resources. Depending on the permissions granted to the cloud identity or IAM role, the attackers could perform actions like reading sensitive data from cloud storage, interacting with databases, or even modifying infrastructure—potentially escalating the attack beyond the Kubernetes environment into the cloud platform itself. Cloud to cluster lateral movement In cloud environments, managing access to Kubernetes clusters is critical to maintaining security. Cloud identities who are granted high-level permissions over Kubernetes clusters pose a potential security risk. If these identities have elevated permissions—such as the ability to create or modify resources within the cluster—an attacker who compromises their credentials can leverage these permissions to take full control of the cluster. Once attackers gain access to a privileged cloud account, they could manipulate Kubernetes configurations, create malicious workloads, or access sensitive data. This scenario could lead to a complete cluster takeover. Using Defender for Cloud to prevent lateral movement Defender for Cloud provides organizations with instant visibility into potential attack paths that attackers could exploit to move laterally within their cluster, enabling them to take preventive actions before an attack occurs. In the example shown in figure 1, an attack path is being generated to highlight how a vulnerable container can be exploited by an attacker to move laterally within the cluster and eventually achieve a full cluster takeover. This involves remotely compromising the vulnerable container, leveraging the Kubernetes service account linked to the pod, and impersonating a more privileged service account to gain control over the cluster. In another example, as shown in figure 2, the attack path illustrates how an attacker can exploit a vulnerable container to move laterally from the cluster to cloud resources outside of it by leveraging the pod service account's associated cloud identity. With the visibility provided by these attack paths, security teams can take actions prior to an attack taking place i.e. block external access to the container unless absolutely required, ensure the vulnerability is addressed and verify if the pod service account permissions are indeed required. Kubernetes risk hunting with the cloud security explorer In addition to the attack paths capabilities, Defender for Cloud's contextual security capabilities assist security teams in reducing the risk of Kubernetes RBAC misconfigurations. By executing graph-based queries on the cloud security graph using the cloud security explorer, security teams can proactively identify risks within a multicloud Kubernetes environments. By utilizing the query builder, teams can search for and locate risks associated with Kubernetes identities and workloads, enabling them to preemptively address potential threats. The cloud security explorer provides you with the ability to perform proactive exploration, along with built-in query templates that are dedicated to Kubernetes RBAC risks. Beyond cloud security As the cloud security graph is part of Microsoft enterprise exposure graph, customers can gain further visibility beyond the cloud boundary. By using Microsoft enterprise exposure management, customers will be able to see not only the lateral movement from K8s to the cloud and vice versa, but also how the identities used by the attacker can be further used to move laterally to additional assets in the organization, and how breach of an on-prem asset can lead to lateral movement to Kubernetes assets in the cloud. In the example shown in figure 4, we have an attack path that highlights how a vulnerable device can be exploited by an attacker to move laterally from an on-prem environment to Kubernetes cluster located in the cloud. This process includes remotely compromising the vulnerable device, extracting the browser cookie stored on it, and using that cookie to authenticate as a cloud identity with elevated permissions to access a Kubernetes cluster in the cloud. Conclusion - A brighter future for Kubernetes security The introduction of Kubernetes RBAC into the cloud security graph represents a significant advancement in securing Kubernetes’ environments. By providing comprehensive visibility into the complex permissions structure and dynamic workloads of Kubernetes, Microsoft Defender for Cloud enables organizations to proactively identify and mitigate potential security risks. This enhanced visibility not only helps in uncovering new attack paths and lateral movement threats but also supports the enforcement of security best practices within Kubernetes clusters. To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Container or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide. Learn more If you haven’t already, check out our previous blog post that introduced this journey: Elevate Your Container Posture: From Agentless Discovery to Risk Prioritization.Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? Baseline Linux feature has been updated to improve its accuracy and coverage. For more information, please visit this page. Container vulnerability assessment enhancements Containers Vulnerability Assessment scanning, powered by MDVM, has the following updates: Support for PHP, Ruby and Rust programming languages, extended Java Language support including exploded JARs and improved memory usage. For more details, please refer to our announcement. Blogs of the month In January, our team published the following blog posts we would like to share: Considerations for risk identification and prioritization Elevating Runtime Protection Bringing AppSec and CloudSec Together: MDC integrates with Endor Labs Boost security with API Posture Management GitHub Community Activate Defender for Servers on a resource level with this PowerShell script. Visit our GitHub page for more content! Defender for Cloud in the field Watch the latest Defender for Cloud in the Field YouTube episodes here: Onboarding Docker Hub and JFrog Artifactory New AKS Security Dashboard in MDC Visit our YouTube page! Customer journeys Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Mia Labs, Inc., a conversational AI virtual assistant startup for auto dealerships. Mia Labs, Inc., leverages OpenAI enriched with Azure AI technologies to help identify sales and service opportunities within the automotive industry. Further, they use Defender for Cloud to provide contextual AI security posture management via CSPM capabilities and protects AI workloads with runtime security alerts. Together, Mia Labs, Inc., was able to detect numerous jailbreak attacks, one of the most common threats to generative AI systems. Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month in the link below! I would like to register Watch past webinars We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribe
Microsoft Defender for Cloud - Elevating Runtime Protection
In today's rapidly evolving digital landscape, runtime security is crucial for maintaining the integrity of applications in containerized environments. As threats become increasingly sophisticated, the demand for more adaptive protection continues to rise. Attackers are no longer relying on generic exploits — they are actively targeting vulnerabilities in container configurations, runtime processes, and shared resources. From injecting malicious code to escalating privileges and exploiting kernel vulnerabilities, their tactics are constantly evolving. Overcoming these challenges requires continuous monitoring, validating container immutability, and detecting anomalies to prevent and respond to threats in real time, ensuring container security throughout their lifecycle. Building on these best practices, Microsoft Defender for Cloud delivers advanced and innovative runtime threat protection for containerized environments, providing real-time defense and adaptive security to address evolving threats head-on. Empowering SOC with real-time threat detection At the heart of our enhanced runtime protection lies our advanced detection capabilities. To stay ahead of evolving threats and offer near real-time threat detection, Microsoft Defender for Cloud is proud to announce significant advancements in its unique eBPF sensor. This sensor now provides Kubernetes alerts, powered by Microsoft Defender for Endpoint (MDE) detection engine in the backend. Leveraging Microsoft’s industry-leading security expertise, we've tailored MDE's robust security capabilities to specifically address the unique challenges of containerized environments. By carefully validating detections against container-specific threat landscapes, adding relevant context, and adjusting alerts as needed, we've optimized the solution for maximum accuracy and effectiveness that is needed for cloud-native environments. By utilizing the MDE detection engine, we offer the following enhancements: Near real-time detection: Our solution provides timely alerts, enabling you to respond quickly to threats and minimize their impact. Expanded threat coverage: We've expanded our detection capabilities to cover a broader range of threats such as binary drift and additional threat matrix coverage. Enhanced visibility: Gain deeper insights into your container environment with detailed threat information and context that is sent to Defender XDR for further investigation. Switching between multiple portals leaves customers with a fragmented view of their security landscape, hindering their ability to investigate and respond to security incidents efficiently. To combat this, Defender for Cloud alerts are integrated with Defender XDR. By centralizing alerts from both solutions within Defender XDR, customers can gain comprehensive visibility of their security landscape and simplify incident detection, investigation, and response effectively. Introducing binary drift detection to maintain optimal security and performance, containerized applications should strictly adhere to their defined boundaries. With binary drift detection in place, unauthorized code injections can be swiftly identified. By comparing the modified container image against the original, the system detects any discrepancies, enabling timely response to potential threats. By combining binary drift detection with other security measures, organizations can reduce the risk of exploitation and protect their containerized applications from malicious attacks. An example of binary drift detection Key takeaways from above illustration: Common Vulnerability and Exposures (CVE) pose significant risks to containerized environments. Binary drift detection can help identify unauthorized changes to container images, even if they result from CVE exploitation. Regular patching and updating of container images are crucial to prevent vulnerabilities. In some customer environments, it's common to deviate from best practices. For example, tasks like debugging and monitoring often require running processes that aren’t part of the original container image. To handle this, we offer binary drift detection along with a flexible policy system. This lets you choose when to receive alerts or ignore them. You can customize these settings based on your cloud environment or by filtering specific Kubernetes resources. Learn more about binary drift detection For a deep dive into binary drift detection and how it can enhance your container security posture, please see Container, Security, Kubernetes. Presenting new scenario-driven alert simulation Simulate real-world attack scenarios within your containerized environments with this innovative simulator, enabling you to test your detection capabilities and response procedures. You can enhance your security posture and protect your containerized environments from emerging threats by leveraging this powerful tool. Examples of some of the attack scenarios that can be simulated using this tool are: Reconnaissance activity: Mimic the actions of attackers as they gather information about your cluster. Cluster-to-cloud: Simulate lateral movement as attackers attempt to spread across your environment. Secret gathering: Test your ability to detect attempts to steal sensitive information. Crypto-mining activity: Simulate the impact of resource-intensive crypto-mining operations. Webshell invocation: Test your detection capabilities for malicious web shells. You can gain valuable insights into your security controls and identify areas for improvement. This tool provides a safe and controlled environment to practice incident response, ensuring that your team is well-prepared to handle real-world threats. Key benefits of scenario-driven alert simulation: Test detection capabilities: Validate your ability to identify and respond to various attack types. Validate response procedures: Ensure your incident response teams are prepared to handle real-world threats. Identify gaps in security: Discover weaknesses in your security posture and address them proactively. Improve incident response time: Practice handling simulated incidents to reduce response times in real-world situations. Alert simulation tool Enhancing Cloud Detection and Response (CDR) From detection to resolution, we've streamlined every step of the process to ensure robust and efficient threat management. By enabling better visibility, faster investigation, and precise response capabilities, SOC teams can confidently address container threats, reducing risks and operational disruptions across multi-cloud environments. Cloud-native response actions for containers Swift and precise containment is critical in dynamic, containerized environments. To address this, we’ve introduced cloud-native response actions in Defender XDR, enabling SOC teams to: Cut off unauthorized pod access and prevent lateral movement by instantly isolating compromised pods. Stop ongoing malicious pod activity and minimize impact by terminating compromised pods with a single click. These capabilities are specifically designed to meet the unique challenges of multi-cloud ecosystems, empowering security teams to reduce Mean Time to Resolve (MTTR) and ensure operational continuity. Response actions Action center view Log collection in advanced hunting Limited visibility in Kubernetes activities, cloud infrastructure changes, and runtime processes weakens effective threat detection and investigation in containerized environments. To bridge this gap, we’ve enhanced Defender XDR’s advanced hunting experience by collecting: KubeAudit logs: Delivering detailed insights into Kubernetes events and activities. Azure Control Plane logs: Providing a comprehensive view of cloud infrastructure activities. Process events: Capturing detailed runtime activity. This enriched data enables SOC teams to do deeper investigations, hunt for advanced threats, and create custom detection rules. With full visibility across AKS, EKS, and GKE, these capabilities strengthen defenses and support proactive security strategies. Advance hunting view Accelerating investigations with built-in queries Lengthy investigation processes can delay incident resolution and can potentially lead to a successful attack attempt. To address this, we’ve equipped go hunt with pre-built queries specifically tailored for cloud and containerized threats. These built-in queries allow SOC teams to: Focus their time in quickly identifying attacker activity and not write custom queries. Gain insights in minutes vs. hours, reducing the investigation time enormously. This streamlined approach enhances SOC efficiency, ensuring that teams spend more time on remediation and less on query development. Go hunt view Bridging knowledge gaps with guided response using Microsoft Security Copilot Many security teams, especially those working in complex environments like containers, may not have deep expertise in every aspect of container threat response. Additionally, security teams might encounter threats or vulnerabilities they haven’t seen before. We are excited to integrate with Security Copilot to bridge this gap. Security Copilot serves as a valuable tool that offers: Step-by-step, context-rich guidance for each incident. Tailored recommendations for effective threat containment and remediation. By leveraging AI-driven insights, Security Copilot empowers SOC teams of varying expertise levels to navigate incidents with precision, ensuring consistent and effective responses across the board. Security copilot recommendations Summary Microsoft Defender for Cloud has introduced significant advancements in runtime protection for containerized environments. By leveraging the Microsoft Defender for Endpoint (MDE) detection engine, this solution now offers near real-time threat detection, enhancing threat visibility and response capabilities. A key feature, binary drift detection, monitors changes in container images to identify unauthorized modifications and prevent security breaches. Additionally, the integration with Defender XDR centralizes alerts, providing comprehensive visibility and simplifying incident detection, investigation, and response. With enhanced cloud-native response actions and advanced hunting capabilities, SOC teams can confidently address container threats, reducing risks and operational disruptions across multi-cloud environments. Learn more Ready to elevate your container security? Experience the power of our new features firsthand with our cutting-edge simulator—test them in your containerized environments and see the difference! Alerts for Kubernetes Clusters - Microsoft Defender for Cloud | Microsoft LearnMicrosoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? Defender for Cloud’s CSPM sensitive scanning capabilities now include Azure files. This feature is in GA. Learn more about it here. File integrity monitoring (FIM) update Staring June 2025, FIM requires a minimum Defender for Endpoint (MDE) client version. For Windows devices, please make sure you have Windows 10.8760 or later and for Linux, 30.124082. For more details, please refer to our documentation. Blogs of the month In December, our team published the following blog posts we would like to share: AKS Security Dashboard Strategy to Execution: Operationalizing Microsoft Defender CSPM MDC Named a Leader in Frost Radar TM for CNAPP for the 2nd Year in a Row! GitHub Community Learn more about MDC and XDR integration by following this lab – module 25. Visit our GitHub page. Defender for Cloud in the field MDC Ignite updates 2024 Cloud detection response (CDR) for Defender for Containers Improvements in Container's posture management Visit our YouTube page! Customer journey Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring Properstar, a leading real estate platform, partnered with Microsoft to simplify unstructured real estate data and leverage dynamic AI-powered solutions like Azure Open AI to provide relevant search results. Then, they were able to scale up, using Defender for Cloud to implement data protection and regulatory compliance. Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. Check out our upcoming webinars this month in the link below! I would like to register Watch past webinars We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribeAKS Security Dashboard
In today’s digital landscape, the speed of development and security must go hand in hand. Applications are being developed and deployed faster than ever before. Containerized application developers and platform teams enjoy the flexibility and scale that Kubernetes has brought to the software development world. Open-source code and tools have transformed the industry - but with speed comes increased risk and a growing attack surface. However, in vast parts of the software industry, developers and platform engineering teams find it challenging to prioritize security. They are required to deliver features quickly and security practices can sometimes be seen as obstacles that slow down the development process. Lack of knowledge or awareness of the latest security threats and best practices make it challenging to build secure applications. The new Azure Kubernetes Service (AKS) security dashboard aims to alleviate these pains by providing comprehensive visibility and automated remediation capabilities for security issues, empowering platform engineering teams to secure their Kubernetes environment more effectively and easily. Consolidating security and operational data in one place directly within the AKS portal allows engineers to benefit from a unified view of their Kubernetes environment. Enabling more efficient detection, and remediation of security issues, with minimal disruption to their workflows. Eventually reducing the risk of oversight security issues and improving remediation cycles. To leverage the AKS security dashboard, navigate to the Microsoft Defender for Cloud section in the AKS Azure portal. If your cluster is already onboarded to Defender for Containers or Defender CSPM, security recommendations will appear on the dashboard. If not, it may take up to 24 hours after onboarding before Defender for Cloud scans your cluster and delivers insights. Security issues identified in the cluster, surfaced in the dashboard are prioritized to risk. Risk level is dynamically calculated by an automatic attack path engine operating behind the scenes. This engine assesses the exploitability of security issues by considering multiple factors, such as cluster RBAC (Role Based Access Control), known exploitability in the wild, internet exposure, and more. Learn more about how Defender for Cloud calculates risk. Security issues surfaced in the dashboard are divided into different tabs: Runtime environment vulnerability assessment: The dynamic and complex nature of Kubernetes environments means that vulnerabilities can arise from multiple sources, with different ownership for the fix. For vulnerabilities originating from the containerized application code, Defender for Cloud will point out every vulnerable container running in the cluster. For each vulnerable container Defender for cloud will surface remediation guidelines that include the list of vulnerable software packages and specify the version that contains the fix. The scanning of container images powered by Microsoft Defender Vulnerability Management (MDVM) includes scanning of both OS packages and language specific packages see the full list of the supported OS and their versions. For vulnerabilities originating from the AKS infrastructure, Defender for cloud will include a list of all identified CVEs (common vulnerabilities and exposures) and recommend next steps for remediation. Remediation may include upgrading the Node pool image version or the AKS version itself. Since new vulnerabilities are discovered daily, even if a scanning tool is deployed as part of the CI/CD process, runtime scan can’t be overlooked. Defender for cloud makes sure Kubernetes workloads are scanned daily compared to an up-to-date vulnerability list. Security misconfigurations: Security misconfigurations are also highlighted in the AKS security dashboard, empowering developers and platform teams to execute fixes that can significantly minimize the attack surface. In some cases, changing a single line of code in a container's YAML file, without affecting application functionality, can eliminate a significant attack vector. Each security misconfiguration highlighted in the AKS security dashboard includes manual remediation steps, and where applicable, an automated fix button is also available. For containers misconfigurations, a quick link to a built-in Azure policy is included for easily preventing future faulty deployments of that kind. This approach empowers DevOps & platform engineering teams to use the “Secure by Default” method for application development. To conclude - automated remediation and prevention can be a game changer in keeping the cluster secure- a proactive approach that can help prevent security breaches before they can cause damage, ensuring that the cluster remains secure and compliant with industry standards. Ultimately, automated remediation empowers security teams to focus on more strategic tasks, knowing that their Kubernetes environment is continuously monitored and protected. Assigning owners to security issues Since cluster administration and containers security issues remediation is not always the responsibility of a single team or person, it is recommended to use the “assign owner” button in the security dashboard to notify the correct owner about the issue need to be handled. It is also possible to filter the view using the built-in filters and assign multiple issues to the same person quickly. Get Started Today To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Container or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide for a full subscription coverage, or enable on a single cluster using the dashboard settings section. Learn More If you haven’t already, check out our previous blog post that introduced this journey: New Innovations in Container Security with Unified Visibility and Investigations. This new release continues to build on the foundation outlined in that post. With “Elevate your container posture: from agentless discovery to risk prioritization”, we’ve delivered capabilities that allow you to further strengthen your container security practices, while reducing operational complexities.
Elevate Your Container Posture: From Agentless Discovery to Risk Prioritization
As Kubernetes (K8s) continue to power modern containerized applications, the complexity of managing and securing these environments grows exponentially. The challenges in monitoring K8s environments stem not only from their dynamic nature but also from their unique structure—each K8s cluster operates as its own ecosystem, complete with its own control plane for authorization, networking, and resource management. This makes it fundamentally different from traditional cloud environments, where security practitioners often have established expertise and tools for managing the cloud control plane. The specialized nature of Kubernetes (K8s) environments limits the visibility and control available to many security teams, resulting in blind spots that increase the risk of misconfigurations, compliance gaps, and potential attack paths gaining comprehensive visibility into the posture state of K8s workloads is essential for addressing these gaps and ensuring a secure, resilient infrastructure. Key benefits By further expanding agentless container posture approach, Defender for Cloud delivers the following key benefits: Enhanced risk management: improved prioritization through additional security insights, networking information, K8s RBAC, and image evaluation status, ensuring more critical issues can addressed first. Proactive security posture: gain comprehensive insights and prevent lateral movement within Kubernetes clusters, helping to identify and mitigate threats before they cause harm. Comprehensive compliance and governance: achieve full transparency into software usage and Kubernetes RBAC configurations to meet compliance requirements and adhere to industry standards. Release features overview: Enhanced K8s workload modeling To ensure customers can better focus on security findings, and avoid reviewing stale information, Defender for Cloud now models K8s workloads in the security graph based on their configuration (K8s specification) rather than runtime assets. This improvement avoids refresh-rate discrepancies, providing a more accurate and streamlined view of your K8s workloads, with single security findings for all identical containers within the same workload. New Security Insights for Containers and Pods Security teams that use the security explorer to proactively identify security risks in their multicloud environments, now get even better visibility with additional security insights for containers and pods, including privileged containers, sensitive mounts, and more. For example, security practitioners can use the security explorer to find all containers vulnerable to remote code execution, which are also exposed to the internet and uses sensitive host mounts, to eliminate the misconfigurations and vulnerabilities before a potential attacker abuse them to attack the container remotely and break-out into the host through the sensitive host mount. Extended K8s Networking Information To enable customers to query the security graph based on additional characters of K8s networking and better understand exposure details for K8s workloads, Defender for Cloud now offers extended data collection for both K8s ingresses and services. This feature also includes new properties such as service port and service selectors. The following figure shows all new networking criteria that customers can now use to query for K8s networking configuration: The following figure show detailed exposure information on a K8s workload exposed to the internet: Enhanced image discovery Customers can now gain complete visibility to all images used in customer environments using the security explorer, including images from all supported registries, and any image running in K8s, regardless of whether the image is scanned for vulnerabilities, with extended information per image. Here are a few examples for important use cases that customers can detect and respond to action on through a single query in the security explorer: Detect usage of images from unmonitored registries: Figure 4: images deployed directly from an unscanned docker registry Check the presence of specific image in the environment Figure 5: search for an image with a specific digest Trace all images not evaluated for vulnerabilities Figure 6: all images not assessed for vulnerabilities K8s RBAC in the security graph The addition of K8s RBAC into the security graph serves two main purposes: Security practitioners gain easy visibility into K8s service accounts, their permissions, and their bindings with K8s workloads, without prior expertise, and hunt for service accounts that do not meet security best practices. In the following example, a service account that has full cluster permissions: Figure 7: example of service account cluster admin permissions on cluster level The security graph contextual analysis uses the K8s RBAC to identify lateral movement internally within K8s, from K8s to other cloud resources and from the cloud to K8s. The following example shows an attack path starting from a container exposed to the internet with a vulnerability that can be remotely exploited. It also has access to a managed identity allowing the attacker to move all the way to a critical storage account: Figure 8: attack path from a vulnerable exposed container to a critical storage account Comprehensive Software Inventory for Containers A detailed software inventory is now available for all container images and containers scanned for vulnerabilities, serving security practitioners and compliance teams in many ways: Full visibility to all software packages used in container images and containers: Figure 9: Full software list for images and containers Query specific software usage across all environments, making it easier to identify risks or ensure compliance. A common example of this use case includes a vulnerable software version with a zero-day vulnerability. For example, following the OpenSSL zero-day vulnerability publication, a security admin can use the following queries to find all instances of container images within the organization using OpenSSL version 3.0, even before a CVE was published: Figure 10: search for a specific vulnerable open ssl version Critical Asset Protection for K8s Critical asset protection has been enhanced to cover additional container use cases: Defender for cloud customers can now define rules to mark workloads as critical based on their namespace and K8s labels. The following figure shows how customers can define rules that would automatically tag critical workloads based on their K8s labels: Figure 11: customer defined rules for asset criticality based on K8s labels Predefined rules allow K8s clusters to be flagged as critical, ensuring prioritized focus during risk assessments. Example for one of the predefined rules that automatically tags K8s clusters as critical: Figure 12: Example for predefined K8s cluster criticality rules As with other asset protection features in Defender for Cloud, these updates seamlessly integrate into the risk prioritization, attack path analysis, and security explorer workflows. The following example shows a critical attack path where the attack target is critical K8s cluster: Figure 13: Critical attack path where the target is a critical K8s cluster K8s CIS benchmark Customers that would like to audit their K8s clusters for regulatory compliance using K8s CIS or enforce security controls that are part of the K8s CIS standard, now benefit from updated K8s CIS standards with broader security controls, with K8s CIS 1.5.0 for AKS, and EKS and K8s CIS 1.6.0 for GKE. To start using the new standards and controls, enable the desired K8s CIS standard through regulatory compliance dashboard, or via security policies: Figure 14: Enabling K8s CIS 1.6.0 for GKE Compliance status can then be monitored via the regulatory compliance dashboard for the relevant K8s CIS standard: Figure 15: Viewing K8s CIS 1.5.0 compliance status Get Started Today To start leveraging these new features in Microsoft Defender for Cloud, ensure either Defender for Container or Defender CSPM is enabled in your cloud environments. For additional guidance or support, visit our deployment guide. With these updates, we’re committed to helping you maintain a robust, secure, and scalable cloud-native environment. Learn More If you haven’t already, check out our previous blog post that introduced this journey: New Innovations in Container Security with Unified Visibility and Investigations. This new release continues to build on the foundation outlined in that post. With “Elevate your container posture: from agentless discovery to risk prioritization”, we’ve delivered capabilities that allow you to further strengthen your container security practices, while reducing operational complexities.Microsoft Defender for Cloud Customer Newsletter
What's new in Defender for Cloud? AI security posture management is now generally available! Reduce risk to cross cloud AI workloads by discovering generative AI Bill of Materials, strengthen generative AI application security posture and use the attack path analysis to identify risk. Learn more about it here. On-demand malware scanning now in public preview We’re excited to announce the public preview of on-demand malware scanning. Customers can now scan existing files in storage accounts on-demand, which helps customers to gain finer control and customization for critical storage assets. For more details, please refer to our documentation. Blog(s) of the month In November, following Ignite announcements, our team published the following blog posts we'd like to share: Cloud security innovations: strengthening defenses against modern cloud and AI threats New innovations in container security with unified visibility, investigations, and response actions Proactively harden your cloud security posture in the age of AI with CSPM innovations Prevent malware from spreading by scanning cloud storage accounts on-demand Deprecation of “Bring Your Own License” in MDC” GitHub community Learn how to onboard Azure DevOps to Defender for Cloud in our updated lab - Module 14 here. Visit our GitHub page here. Defender for Cloud in the field Refresh your knowledge on securing your AI applications: Secure your AI applications from code to runtime Visit our new YouTube page Customer journey Discover how other organizations successfully use Microsoft Defender for Cloud to protect their cloud workloads. This month we are featuring The NBA (National Basketball Association), a global sports and media powerhouse dedicated to growing and celebrating the game of basketball, partnered with Microsoft to address the complexities of scale, and security required for next-generation technologies. With its IT estate in Azure, the NBA leverages Defender for Cloud to provide a single pane of glass on its cloud security posture. Security community webinars Join our experts in the upcoming webinars to learn what we are doing to secure your workloads running in Azure and other clouds. This month, we have the following upcoming webinar: DEC 11 Microsoft Defender for Cloud | Exploring the Latest Container Security Updates from Microsoft Ignite DEC 12 Microsoft Defender for Cloud | Future-Proofing Cloud Security with Defender CSPM We offer several customer connection programs within our private communities. By signing up, you can help us shape our products through activities such as reviewing product roadmaps, participating in co-design, previewing features, and staying up-to-date with announcements. Sign up at aka.ms/JoinCCP. We greatly value your input on the types of content that enhance your understanding of our security products. Your insights are crucial in guiding the development of our future public content. We aim to deliver material that not only educates but also resonates with your daily security challenges. Whether it’s through in-depth live webinars, real-world case studies, comprehensive best practice guides through blogs, or the latest product updates, we want to ensure our content meets your needs. Please submit your feedback on which of these formats do you find most beneficial and are there any specific topics you’re interested in https://aka.ms/PublicContentFeedback. Note: If you want to stay current with Defender for Cloud and receive updates in your inbox, please consider subscribing to our monthly newsletter: https://aka.ms/MDCNewsSubscribeProactively harden your cloud security posture in the age of AI with CSPM innovations
Generative AI applications have rapidly transformed industries, from marketing and content creation to personalized customer experiences. These applications, powered by sophisticated models, bring unprecedented capabilities—but also unique security challenges. As developers build generative AI systems, they increasingly rely on containers and APIs to streamline deployment, scale effectively, and ensure consistent performance. However, the very tools that facilitate agile development also introduce new security risks. Containers, essential for packaging AI models and their dependencies, are susceptible to misconfigurations and can expose entire systems to attacks if not properly secured. APIs, which allow seamless integration of AI functionalities into various platforms, can be compromised if they lack robust access controls or encryption. As generative AI becomes more integrated into critical business processes, security admins are challenged with continuously hardening the security posture of the foundation for AI application. Ensuring core workloads, like containers and APIs, are protected is vital to safeguard sensitive data of any application. And when introducing generative AI, remediating vulnerabilities and misconfigurations efficiently, ensures a strong security posture to maintain the integrity of AI models and trust in their outputs. New cloud security posture innovations in Microsoft Defender Cloud Security Posture Management (CSPM) help security teams modernize how they proactively protect their cloud-native applications in a unified experience from code to runtime. API security posture management is now natively available in Defender CSPM We're excited to announce that API security posture management is now natively integrated into Defender CSPM and available in public preview at no additional cost. This integration provides comprehensive visibility, proactive API risk analysis, and security best practice recommendations for Azure API Management APIs. Security teams can use these insights to identify unauthenticated, inactive, dormant, or externally exposed APIs, along and receive risk-based security recommendations to prioritize and implement API security best practices. Additionally, security teams can now assess their API exposure risks within the context of their overall application by mapping APIs to their backend compute hosts and visualizing the topology powered by cloud security explorer. This mapping now enables end-to-end API-led attack path analysis, helping security teams proactively identify and triage lateral movement and data exfiltration risks. We’ve also enhanced API security posture capabilities by expanding sensitive data discovery beyond request and response payloads to now include API URLs, path, query parameters, and the sources of data exposure in APIs. This allows security teams to track and mitigate sensitive data exposure across cloud applications efficiently. In addition, the new support for API revisions enables automatic onboarding of all APIs, including tagged revisions, security insights assessments, and multi-regional gateway support for Azure API Management premium customers. Enhanced container security posture across the development lifecycle While containers offer flexibility and ease of deployment, they also introduce unique security challenges that need proactive management at every stage to prevent vulnerabilities from becoming exploited threats. That’s why we’re excited to share new container security and compliance posture capabilities in Defender CSPM, expanding current risk visibility across the development lifecycle: It's crucial to validate the security of container images during the build phase and block the build if vulnerabilities are found, helping security teams prevent issues at the source. To support this, we’re thrilled to share container image vulnerability scanning for any CI/CD pipeline is now in public preview. The expanded capability offers a command-line interface (CLI) tool that allows seamless CI/CD integration and enables users to perform container image vulnerability scanning during the build stage, providing visibility into vulnerabilities at build. After integrating their CI/CD pipelines, organizations can use the cloud security explorer to view container images pushed by their pipelines. Once the container image is built, scanned for vulnerabilities, it is pushed to a container registry until ready to be deployed to runtime environments. Organizations rely on cloud and third-party registries to pull container images, making these registries potential gateways for vulnerabilities to enter their environment. To minimize this, container image vulnerability scanning is now available for third-party private registries, starting with Docker Hub and JFrog Artifactory. The scan results are immediately available to both the security teams and developers to expedite patches or image updates before the container image is pushed to production. In addition to container security posture capabilities, security admins can also strengthen the compliance posture of Kubernetes across clouds. Now in public preview, security teams can leverage multicloud regulatory compliance assessments with support for CIS Kubernetes Benchmarks for Amazon Elastic Kubernetes Service (EKS), Azure Kubernetes Service, and Google Kubernetes Engine (GKE). AI security posture management (AI-SPM) is now generally available Discover vulnerability and misconfiguration of generative AI apps using Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock to reduce risks associated with AI-related artifacts, components, and connectors built into the apps and provide recommended actions to proactively improve security posture with Defender CSPM. New enhancements in GA include: Expanded support of Amazon Bedrock provides deeper discovery of AWS AI technologies, new recommendations, and attack paths. Additional support for AWS such as Amazon OpenSearch (service domains and service collections), Amazon Bedrock Agents, and Amazon Bedrock Knowledge Bases. New AI grounding data insights provides resource context to its use as a grounding source within an AI application. Grounding is the invisible line between organizational data and AI applications. Ensuring the right data is used – and correctly configured in the application – for grounding can reduce hallucinations, prevent sensitive data loss, and reduce the risk of grounding data poisoning and malicious outputs. Customers can use the cloud security explorer to query multicloud data used for AI grounding. New ‘used for AI grounding’ risk factor in recommendations and attack paths can also help security teams prioritize risks to datastores. Thousands of organizations are already reaping the benefits of AI-SPM in Defender CSPM, like Mia Labs, an innovative startup that is securely delivering customer service through their AI assistant with the help of Defender for Cloud. “Defender for Cloud shows us how to design our processes with optimal security and monitor where jailbreak attempts may have originated.” Marwan Kodeih, Chief Product Officer, Mia Labs, Inc. New innovations to find and fix issues in code with new DevOps security innovations Addressing risks at runtime is only part of the picture. Remediating risks in the Continuous Integration/Continuous Deployment (CI/CD) pipeline is equally critical, as vulnerabilities introduced in development can persist into production, where they become much harder—and costlier—to fix. Insecure DevOps practices, like using untrusted images or failing to scan for vulnerabilities, can inadvertently introduce risks before deployment even begins. New innovations include: Agentless code scanning, now in public preview, empowers security teams to quickly gain visibility into their Azure DevOps repositories and initiate an agentless scan of their code immediately after onboarding to Defender CSPM. The results are provided as recommendations for exposed Infrastructure-as-Code misconfigurations and code vulnerabilities. End-to-end secrets mapping, now in public preview, helps customers understand how a leaked credential in code impacts deployed resources in runtime. It provides deeper risk insights by tracing exposed secrets back to code repositories where it originated, with both secret validation and mapping to accessible resources. Defender CSPM now highlights which secrets could cause the most damage to systems and data if compromised. Additional CSPM enhancements [General Availability] Critical asset protection: Enables security admins to prioritize remediation efforts with the ability to identify their ‘crown jewels’ by defining critical asset rules in Microsoft Security Exposure Management and applying them to their cloud workloads in Defender for Cloud. As a result, the risk levels of recommendations and attack paths consider the resource criticality tags, streamlining prioritization above other un-tagged resources. In addition to the General Availability release, we are also extending support for tagging Kubernetes and non-human identity resources. [Public Preview] Simplified API security testing integration: Integrating API security testing results into Defender for Cloud is now easier than ever. Security teams can now seamlessly integrate results from supported API security testing providers into Defender for Cloud without needing a GitHub Advanced Security license. Explore additional resources to strengthen your cloud security posture With these innovations, Defender CSPM users are empowered to enhance their security posture from code to runtime and prepared to protect their AI applications. Below are additional resources that expand on our innovations and help you incorporate them in your operations: Learn more about container security innovations in Defender for Cloud. Enable the API security posture extension in Environment Settings. Get started with AI security posture management for your Azure OpenAI, Azure Machine Learning, and Amazon Bedrock deployments. RSVP to join us on December 3rd the Microsoft Tech Community AMA to get your questions answered.
