Microsoft Defender for Cloud (Azure Security Center) 101

But not only that, it’s also considered as:

• Cloud Security Posture Management (CSPM) solution
• Cloud Workload Protection Platform (CWPP)
• A DevSecOps solution centralising security management at the code level across multi-cloud and multi-pipeline environments

Deploying Microsoft Defender for Cloud is simple since it’s already integrated with Azure services as a native security solution. 

For example, it integrates with Microsoft Sentinel and Microsoft Defender for Cloud Apps.

Defender for Cloud basically fills 3 essential needs:

• Continuously assess: Knowing your security posture, and identify if there are any issues and keeping track of vulnerabilities.
• Secure: Secure and harden resources and services by comparing status against the Microsoft cloud security benchmark in Defender for Cloud (Azure Security Benchmark+ Security benchmark for other cloud providers + other Microsoft clouds).
• Defend: Defend is to detect and resolve the threats to resources, workloads and services hosted on the Azure Cloud.

The two primary goals of Microsoft Defender for Cloud are as follows:

1. Help you (as aministrator) understand your current security situation
2. Helping you improve your security posture based on insights

Watch the video below to learn more about it:

Now that we know what it means let’s see what you can do with it… with Microsoft Defender for Cloud, you can:

• Monitor and manage cloud security posture
• Detect vulnerabilities
• Investigate security incidents efficiently

That information is provided to the Security administrator in the Azure dashboard:

Azure-native Protections

• Azure PaaS services: Detect threats targeting Azure PaaS services including Azure App Service, Azure SQL, Azure Storage Account, and many more services.
• Azure data services: Defender for Cloud includes capabilities that help you automatically classify your data in Azure SQL. You can also get assessments for potential vulnerabilities across Azure SQL and Storage services, along with recommendations for how to mitigate them.
• Networks: Defender for Cloud helps you limit exposure to brute force attacks by restricting access to virtual machine ports with Just-in-Time (JIT) VM access. You can strengthen your network by allowing only specific source IPs, defining port and IP range restrictions, and preventing unnecessary access to critical resources.

Advanced threat protection

Defender for Cloud offers advanced threat protection for virtual machines, SQL databases, containers, web applications, and networks, helping detect and respond to security threats across your environment.

Defender for Cloud Components

Microsoft groups Defender for Cloud capabilities into different areas:

All these have their own individual set of policies. These policies may require actions such as enabling centralised identity management, configuring firewalls, or applying other security best practices across services. 

What is the pricing for Defender for Cloud?

Microsoft Defender for Cloud pricing varies based on the type of agreement, date of purchase, and currency exchange rate. It is a pay-as-you-go service with no upfront costs, and you can try it for free for the first 30 days.

Charges apply per resource based on the pricing model outlined below.

Key Features of Microsoft Defender for Cloud

To go into every feature, would take hours if not days. For now, we provide you with some of the key features of Microsoft Defender for Cloud:

• Intelligent threat detection: Defender for Cloud uses machine learning and advanced detection algorithms to identify a wide range of threats. It proactively spots potential vulnerabilities and offers actionable steps to fix them before they’re exploited.
• Prioritises risk remediation: It helps you focus on fixes that impact your secure score and overall security.
• Vulnerability management: Defender for Cloud includes built-in vulnerability scanning (formerly Azure Defender) to detect and fix risks across your cloud resources.
• Identity and Access Management (IAM): Microsoft Defender for Cloud supports IAM by integrating with Microsoft Entra (formerly Azure Active Directory). It helps detect excessive permissions, unused roles, and risky access patterns. The tool recommends actions to enforce least-privilege access and supports MFA, conditional access and role-based access control (RBAC) to reduce identity-related risks.
• Code pipeline insights: Defender for Cloud helps security teams protect applications and resources from code to cloud. It supports multi-pipeline environments like GitHub and Azure DevOps.
• Compliance: Defender for Cloud supports regulatory compliance by showing your current status against various industry standards. It helps you meet HIPAA, GDPR, and PCI DSS regulatory standards. It also provides recommendations to help improve compliance across your environment.
• Threat protection: Covers capabilities that detect and respond to threats targeting both Azure and non-Azure resources.
• Security Information and Event Management (SIEM): Defender for Cloud integrates with SIEM tools (like Microsoft Sentinel). This enables centralised security monitoring, threat detection, and incident response across your environment.

How does Microsoft Defender for Cloud work?

Microsoft Defender for Cloud works by providing unified security management and advanced threat protection. It actively monitors networks and detects threats by collecting and analysing log data from all Azure resources and network activity.

It doesn't just use signature-based detection methods but also makes use of machine learning (ML) to detect threats by using:

• Integrated threat intelligence
• Behavioural analytics
• Anomaly detection

Microsoft Defender for Cloud works by assigning security policies and international regulations to workloads and resources across cloud environments and evaluating whether they are applied or not. This process then creates a “secure score”. 

Based on the outcomes, it includes recommendations to improve your security posture, for both Azure and non-Azure environments.

What is a Secure Score?

A Secure Score measures an organisation's security posture. It consolidates security findings into a single, actionable score. You can find it in the Microsoft Defender portal. 

A higher score = a lower identified risk level.

Microsoft Defender for Cloud constantly scans the hybrid network's resources for security issues. Each resource is assessed individually and has a maximum score based on everything that could be done to maximise its security.

For every recommendation that goes ignored, the score drops. The findings for each resource are all put together, and an overall score is generated that tells you how good your security is at a glance.

Next, you can see more details about the score and how to improve it.

How is the Secure Score Calculated?

Secure Score in Microsoft Defender for Cloud is calculated based on the percentage of security controls you've implemented out of the total possible improvements.

• Each recommendation has a maximum point value based on its impact on your security posture.
• When you implement a recommendation, you earn points toward your Secure Score. 
• Partial implementation gives partial points. For example, if a recommendation applies to 10 resources and you fix 5, you get 50% of the possible points.
• Total Secure Score is the sum of all points you've earned, divided by the total possible points across all recommendations.

Security alerts

Security alerts in Microsoft Defender for Cloud are notifications triggered when threats are detected across either your Azure or non-Azure resources.

As Defender for Cloud detects a threat in any area of your environment, it generates security alerts along with details of the affected resources. Even better, it also provides remediation steps. It can trigger automated responses (such as Azure Functions or other apps) to take immediate action if configured.

The really powerful part is that it actually correlates these alerts into incidents if they affect multiple resources. So, it's taking a lot of this telemetry and giving you more of a visual of an attack campaign that might be happening within your organisation.

Within this, you have a basic table with:

• Severity: Helps you prioritize what incidents or alerts to respond to.
• Title: The alert name.
• Affected Resources: What assets are impacted.
• Start Time: When the alert started.
• Attack Tactics: (Sometimes available) Minor attack details.

This gives you a better visual indicator of what’s going on and what stage it’s at within your organisation.

Check out the image below for a visual representation of security alerts overview:

We can actually click into one of these alerts, and it'll pull up detailed information

• Severity level
• Description of what's happening
• Affected resources
• Take action page with recommendations

How to take action on an alert

Once you’ve finished the investigation of the security alert, and understand its scope, you can respond to it within the Azure portal. Just follow along:

Click on “take action”.

You will be redirected to the take action page, where you are given recommendations about what to do about the security alert. It should look like this:

From there, you can enforce a rule for that alert. For this example, that would be traffic detected from IP addresses recommended for blocking. Click on enforce role as shown below:

You should be redirected to another page where you can see the description as well as the remediation steps.

You can enforce rules directly within the security alert workflow, such as setting allowed source IP addresses and blocking all others. This lets you mitigate incidents on the spot in Defender for Cloud, without navigating through other areas of the Azure portal.

There are tons of capabilities within the security alerts page. To take action, you can implement multiple steps:

• Mitigate the threat: Escalating the alert to the security teams and creating a solution for it.
• Prevent future attacks: Resolving security recommendations to prevent future attacks.
• Trigger automated responses: You can do this through Logic Apps and also create automated ways to remediate incidents or provide additional alerts (e-mail notifications or integration with your ticketing system).
• Suppress similar attacks: if you see a false positive, you might want to create a suppression rule to mitigate all the other alerts that might be coming through for this particular incident.

Threat classification levels

When Defender for Cloud detects a threat, it categorises it into four severity levels:

• High: Indicates a likely compromise that needs immediate action.
• Medium: Flags suspicious activity that requires prompt investigation.
• Low: Identifies minor events that may not pose a significant risk.
• Informational: Provides context about a potential threat, usually alongside another severity level.

Benefits of Microsoft Defender for Cloud

• Proactive threat defence: Defender for Cloud uses real-time monitoring and alerts to detect and stop threats early before they impact your infrastructure.
• Multi-cloud protection: It provides visibility into the security of cloud environments within a single-pane dashboard, including Azure, AWS, and Google Cloud.
• Integration with Azure-native services: Microsoft Defender for Cloud integrates with other Microsoft security tools like Azure Sentinel 
  Unified security management: Defender for Cloud brings security management into one platform, whether using Azure only, multiple clouds or a hybrid cloud.
• Comprehensive protection across cloud resources: Defender for Cloud secures your entire cloud environment, including virtual machines, containers, networks, databases, and other key resources.
• Cloud Native security: Microsoft Defender for Cloud is built as a cloud-native security solution tailored to protect cloud workloads and applications. It scales easily and supports deployment across multiple cloud platforms, making it flexible for complex environments.

Closing thoughts

To wrap it up, we discussed how Microsoft Defender for Cloud is an essential and scalable solution for securing workloads and applications. No matter whether you’re fully in Azure, partially in Azure – hybrid cloud, on-prem or multi-cloud.

That said, you probably wonder, “Is Microsoft Defender for Cloud worth it?”

The short answer = Yes. 

Out of all the Azure Security best practices, using Microsoft Defender for Cloud is one of the best things to do. You get a service that processes billions of signals daily.

Better yet, the dashboard basically gives you a single-pane overview to follow up on all recommendations easily and remain clear-sight, even in complex multi-cloud environments.

And let’s be honest: eventually, you’ll need something to protect your environment against cyberattacks – which are getting more sophisticated as days go by.

While Defender for Cloud may not be free forever (only the first 30 days), neither is recovery. Keep in mind that security is NOT the place to play a cost cutter. It’s just not worth the risk.