As digital transformation accelerates, many organizations are moving their data to the cloud at an exponential rate, taking advantage of the cost and operational efficiencies cloud deployments offer. The dynamic and complex nature of an organization's cloud data estate – storage and database resources, where data is stored and processed – along with the increased multicloud adoption and cloud-native application development, have multiplied the data security blind spots for security teams.
As a result, security teams often lack comprehensive visibility into their cloud data estate, leaving organizations with an unaccounted-for attack surface. Malicious actors are increasingly taking advantage of these blind spots and targeting “low hanging fruit”, such as misconfigured object stores, SQL instances and virtual machines, to carry out a data breach. With the growing number of data breaches, organizations need to gain control of their cloud data estate.
Cloud data security begins with proactively strengthening the security posture of the cloud data estate and maintaining continuous threat protection against active data breaches. Last week at Microsoft Secure, we announced new cloud data security enhancements for Microsoft Defender for Cloud, our cloud-native application protection platform (CNAPP) offering a comprehensive multicloud data security solution, enabling organizations to start secure with data-aware security posture and stay secure with threat protection for their cloud storage and database resources. Customers are now able to:
- Discover your data estate and pressing risks to sensitive data with data-aware security posture integrated in Defender Cloud Security Posture Management (CSPM)
Gain visibility into your multicloud data estate with automatic discovery and evaluate where sensitive data resides, how data resources are accessed, and related data flows. Powered by the cloud security graph, security teams can uncover their latest data risks and identify possible points of data exposure by running queries on their object stores, managed and hosted databases. To prioritize direct and indirect risks to sensitive data, security teams can also leverage attack path analysis to understand and remediate high risks to the cloud data estate.
- Detect malware upon content upload and threats to sensitive data with Defender for Storage
Malware Scanning for Defender for Storage enables security teams to scan content upon upload and detect polymorphic and metamorphic malware in near real-time. With agentless and simple at-scale enablement, security teams can block the distribution of malware across their Azure Blob Storage. With the sensitive data threat detection capability, security teams can prioritize and respond to sensitive data exposure and data exfiltration events. To stop these breaches earlier, Defender for Storage now also has new activity monitoring detections that provide visibility into key leaks and SAS token abuse, so security teams can stop bad actors in the early stages.
With Defender CSPM's new data-aware security posture management, security teams can get ahead of their data risks and prioritize the security issues that could result in a data breach.
Automatic cloud data estate discovery
Cloud data security begins with visibility. The new data-aware security posture capabilities enable security teams to automatically discover managed and shadow data resources in use across clouds, including different types of object stores and databases. Security teams can take a deeper look into their data resources by using the Cloud Security Explorer to run queries that determine who can access them, their network settings, access controls, and configured data flows.
Organizations need to understand their cloud data estate and their resource attributes.
In addition to automatic cloud data estate discovery, data-aware security posture capabilities offer sensitive data discovery, to automatically identify data resources that contain sensitive data such as personally identifiable information (PII), financial data, and credentials. The new sensitive data discovery engine offers out-of-the-box agentless, sample-based data scanning for dozens of highly sensitive information types with the option to select hundreds of additional sensitive information types within the data sensitivity options under the Defender for Cloud environment settings.
Microsoft Purview customers can also leverage existing custom data classifiers using Purview information types, labels, and data context to identify data resources that contain sensitive data with existing organizational data practices.
Customers can configure the appropriate data sensitivity setting from Environment settings within Microsoft Defender for Cloud
Identify and remediate at-risk cloud data
Our new data-aware security posture capabilities introduce data-layer context to the cloud security graph, a graph-based context engine that exists within Defender for Cloud to proactively identify and remediate risks to the cloud data estate.
Data-aware security offers coverage across object storage, managed databases, hosted databases, database copies, and data flows.
Explore risks to your data resources using the Cloud Security Explorer
Powered by the cloud security graph, security teams can run queries using the Cloud Security Explorer to find misconfigured data resources across their multicloud data estate that are publicly accessible and contain sensitive data. Query results inform security teams of the network and access controls applied to the exposed data resources, along with examples of sensitive data within the identified resource.
Surface data exposure risks with attack path analysis
Data-aware security posture capabilities introduce two new data risk categories to the Defender for Cloud attack paths tool to identify direct and lateral movement risks to data in the cloud. Selecting the “Data Exposure” or “Sensitive Data Exposure” risk categories will surface risks to databases, object stores, or copies of data resources.
New attack path risk categories: "Sensitive data exposure" and "Data exposure"
In the example below, an attack path that involves an internet-exposed virtual machine (VM) with access to a data store that contains sensitive data indicates a risk of a costly data breach as a result of a lateral movement attack technique. In this scenario, attackers could exploit the vulnerable VM that is exposed to the internet and use its permissions to move laterally and access an object store that contains sensitive data.
Attack path example showing an internet-exposed VM containing sensitive data
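The lateral movement path described above, as an added example that is not Defender for Cloud's own code or graph schema: a small, constructed cloud security graph (node names, kinds and edge semantics are assumptions) and a breadth-first search that reports "Data exposure" and "Sensitive data exposure" paths from each internet-exposed VM to the data resources it can reach through the identity it runs as.

```python
# Added example (not Defender for Cloud's own code or graph schema): a small cloud
# security graph like the one the attack path above is built on, and a search that
# reports "Data exposure" and "Sensitive data exposure" paths from an internet
# exposed VM to every data resource it can reach through the identity it runs as.
from collections import deque

# Constructed sample graph; node names, kinds and edge semantics are assumptions
# made for this example, not Defender for Cloud's vocabulary.
NODES = {
    "vm-web-01": {"kind": "vm", "internet_exposed": True},
    "vm-batch-07": {"kind": "vm", "internet_exposed": False},
    "mi-web": {"kind": "identity"},
    "mi-batch": {"kind": "identity"},
    "st-customer-docs": {"kind": "object_store", "sensitive": ["PII", "credentials"]},
    "st-public-assets": {"kind": "object_store", "sensitive": []},
    "sql-orders": {"kind": "database", "sensitive": ["financial"]},
}
# Directed edges a lateral-movement search may follow: VM -> identity it runs as,
# identity -> data resource it holds data-plane permission on.
EDGES = {
    "vm-web-01": ["mi-web"],
    "vm-batch-07": ["mi-batch"],
    "mi-web": ["st-customer-docs", "st-public-assets"],
    "mi-batch": ["sql-orders"],
}
DATA_KINDS = {"object_store", "database"}

def find_exposure_paths(nodes, edges):
    """Return [(risk_category, path)] for each data resource reachable from an
    internet-exposed VM; stores holding sensitive data get the higher category."""
    findings = []
    for start, attrs in nodes.items():
        if attrs["kind"] != "vm" or not attrs.get("internet_exposed"):
            continue  # only internet-exposed VMs are entry points for this path type
        queue, seen = deque([[start]]), {start}
        while queue:  # breadth-first, so the shortest route to each store is reported
            path = queue.popleft()
            node = path[-1]
            if nodes[node]["kind"] in DATA_KINDS:
                category = ("Sensitive data exposure" if nodes[node].get("sensitive")
                            else "Data exposure")
                findings.append((category, path))
                continue  # data resources are terminal; do not traverse past them
            for nxt in edges.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    # Sensitive exposures first so they are triaged ahead of plain data exposure.
    findings.sort(key=lambda f: (f[0] != "Sensitive data exposure", f[1]))
    return findings

def summarize(findings):
    """Render findings as one line each, e.g. for an alert or ticket body."""
    return [f"{cat}: {' -> '.join(path)}" for cat, path in findings]

if __name__ == "__main__":
    for line in summarize(find_exposure_paths(NODES, EDGES)):
        print(line)
```

The non-exposed batch VM that can reach the financial database produces no finding, because this path type requires an internet-facing entry point; a different risk category would be needed to surface it.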
“Prioritizing data security is a must for Icertis because we manage more than 2 billion metadata elements across 10 million contracts, delivering the only enterprise-grade contract lifecycle solution built on the Microsoft Azure Cloud. The new data-aware security posture capabilities in Microsoft Defender for Cloud support our end-to-end approach to ethical data management, enabling us to proactively identify and address potential security risks. Features including attack path analysis and cloud security explorer, combined with Defender’s data-aware security posture capabilities, support our efforts as Icertis continues to safeguard customer data with the utmost care and diligence.”
Subodh Patil, Principal Architect, Information Security, Icertis
Optimizing cloud data security with posture visibility and threat protection
Cloud data security begins with proactively managing your sprawled cloud data estate and maintaining continuous threat protection against data breaches. Microsoft Defender for Cloud is a unique cloud-native application protection platform (CNAPP) that offers comprehensive data security consisting of two layers of security to protect the cloud data estate.
- Data security posture management - the first layer is the newly introduced data security posture management, which prioritizes security issues that may result in data breaches.
- Data threat protection - the second layer is advanced threat protection for detecting and responding to early signs of ongoing data breaches in the form of suspicious or potentially harmful attempts to upload, access or exploit data in object stores and databases.
Customers who have both Defender CSPM and Defender for Cloud’s workload protection plans enabled will be able to view their existing security alerts on the cloud resources that are related to the attack path. By clicking the security alerts indicator on the cloud resources that appear in the attack path example above, we can see early attempts to brute-force access to the vulnerable VM that has permission to access an object store containing sensitive data.
View of active security alerts related to attack paths
With Defender for Storage's new Malware Scanning and data-aware threat detection, security teams will be able to detect and respond to malware distribution and sensitive data breaches in Azure Storage.
As part of Microsoft Defender for Cloud’s Cloud Workload Protection (CWP) offering, Defender for Storage analyzes telemetry streams and synthesizes cloud object store activity against Microsoft’s threat intelligence research to detect anomalous and potentially malicious activity such as suspicious access and data exfiltration. Customers benefit from contextual security alerts that deliver investigation details, security recommendations, and automated response workflows to protect storage resources.
Defender for Storage now offers enhancements in public preview to help customers strengthen their Azure Storage protection. The first is Malware Scanning, enabling security teams to detect metamorphic and polymorphic malware upon content upload in near real-time. The second is integrated sensitive data threat detection, a new set of detections based on the sensitive data discovery engine.
“Protecting storage accounts from untrusted content is one of our top security concerns. Now that Defender for Storage has extended its malware scanning capabilities and provided us with built-in near real-time full scanning, it allows us to replace our custom solutions meaning lower TCO and lower risk. We can now meet compliance regulations and stay secure with simple setup and zero maintenance.”
Pete van Blerk, Security Lead at NewOrbit
Malware Scanning upon content upload in near real-time
Cloud storage resources have become a common point of malware entry and distribution. With industry standards and regulations requiring malware scanning upon new content upload, it’s critical for organizations to have strong security controls in place.
Many web and mobile applications today allow end users to upload files to a shared backend cloud storage. If the storage is not protected, attackers can exploit those applications to quickly spread malware-infected files throughout an organization's infrastructure, affecting compute resources, applications, and other end-user devices that use the cloud storage. To prevent malware distribution through shared cloud object stores, organizations must protect the distribution point within the cloud storage. This requires a proactive approach to detect and remediate malicious files upon upload to the cloud storage.
New Malware Scanning for Defender for Storage offers simple agentless setup, near real-time malware scanning across file types, metamorphic and polymorphic malware detection, and faster response with configurable workflows
Defender for Storage now offers Malware Scanning in public preview, which enables security teams to detect and prevent malware distribution events with near real-time malware scanning upon content upload. Powered by Defender Antivirus technologies, Malware Scanning offers rich detection for both metamorphic and polymorphic malware for Azure Blob Storage. Malware Scanning is an agentless solution that can be implemented at scale across an organization's cloud storage estate without requiring configuration changes.
When a new blob is uploaded to an Azure Blob container, Defender for Storage scans the blob for malware and produces scan results in near real-time. The scan results, including the malware findings and the time of the scan, are then added to the blob's index tags.
If the scan results indicate malware, Defender for Storage also generates a security alert to inform the security team’s response, with additional details on the incident, the malware type, and links to threat research on the malware found, powered by Microsoft Security Intelligence. Security teams can also set up automations to send their Malware Scanning security alerts for further investigation using Defender for Cloud’s built-in Microsoft Sentinel integration.
Malware Scanning security alert within Defender for Cloud includes information on the malicious file source and related resources.
Additionally, developers and security teams can build seamless automations, such as sending scan results to Azure Event Grid to trigger actions like automatic deletion or quarantine of the file. Scan results can also be logged within Log Analytics to demonstrate evidence of regulatory compliance.
The public preview of Malware Scanning is offered free of charge as an add-on, exclusive to the new Defender for Storage plan, and can be enabled at the subscription level or at the resource level. In the future, Malware Scanning will be priced at USD $0.15/GB of data ingested. To accommodate better cost management, customers can set a limit of GB scanned per month. Billing for Malware Scanning as an add-on for Defender for Storage is not enabled during public preview, and users will be notified in advance before billing begins.
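The Event Grid automation described above, as an added example that is not Defender for Storage's own code: a handler that consumes scan result events, quarantines blobs reported as malicious, leaves clean ones in place, and marks failed scans for retry rather than treating them as clean. The event type, field names and the in-memory storage stand-in are assumptions made for this example, as are the constructed sample events.

```python
# Added example (not Defender for Storage's own code): consume Malware Scanning
# result events as Event Grid would deliver them, quarantine malicious blobs, keep
# clean ones, and mark failed scans for retry rather than treating them as clean.
# Event type and field names are assumptions; confirm them in the product docs.
QUARANTINE_CONTAINER = "quarantine"
SCAN_EVENT_TYPE = "Microsoft.Security.MalwareScanningResult"  # assumed name

class InMemoryBlobStore:
    """Stand-in for a storage account so the example runs offline."""

    def __init__(self):
        self.blobs = {}  # (container, name) -> bytes

    def put(self, container, name, data):
        self.blobs[(container, name)] = data

    def move(self, src, dst):
        self.blobs[dst] = self.blobs.pop(src)

def parse_blob_uri(uri):
    """'https://acct.blob.core.windows.net/uploads/a.pdf' -> ('uploads', 'a.pdf')."""
    parts = uri.split("//", 1)[-1].split("/", 2)  # host, container, blob path
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError(f"not a blob URI: {uri}")
    return parts[1], parts[2]

def handle_scan_event(event, store):
    """Act on one scan result; return an audit record suitable for Log Analytics."""
    if event.get("eventType") != SCAN_EVENT_TYPE:
        return {"action": "ignored", "reason": str(event.get("eventType"))}
    data = event["data"]
    container, name = parse_blob_uri(data["blobUri"])
    verdict = data.get("scanResultType", "")
    record = {"blob": f"{container}/{name}", "verdict": verdict,
              "scanned_at": data.get("scanFinishedTimeUtc")}
    if verdict == "Malicious":
        # Move it out of the shared container so downstream consumers cannot fetch it.
        store.move((container, name), (QUARANTINE_CONTAINER, f"{container}/{name}"))
        record["action"] = "quarantined"
    elif verdict == "No threats found":
        record["action"] = "allowed"
    else:
        record["action"] = "retry"  # "Scan failed" or unknown verdict: never assume clean
    return record

def run_sample():
    """Constructed uploads and scan events; returns (audit records, store)."""
    store = InMemoryBlobStore()
    verdicts = {"invoice.pdf": "No threats found", "setup.exe": "Malicious",
                "notes.txt": "Scan failed"}
    base = "https://acct.blob.core.windows.net/uploads/"
    events = []
    for blob, verdict in verdicts.items():
        store.put("uploads", blob, b"constructed sample content")
        events.append({"eventType": SCAN_EVENT_TYPE, "data": {
            "blobUri": base + blob, "scanResultType": verdict,
            "scanFinishedTimeUtc": "2023-03-30T10:00:00Z"}})
    events.append({"eventType": "Microsoft.Storage.BlobCreated", "data": {}})
    return [handle_scan_event(e, store) for e in events], store
```

In a real deployment the returned records are what you would forward to Log Analytics as the compliance evidence the text mentions, and the move would be a server-side copy plus delete against the storage account.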
Detect data breaches that involve sensitive data
As more organizations store more data in the cloud, cloud storage resources have become a popular resource type for housing sensitive data such as financial information and personally identifiable information (PII). According to a recent report on data breaches, cloud storage resources are lucrative targets for cybercriminals seeking to compromise sensitive data.
Defender for Storage provides ongoing activity monitoring of Azure Storage resources across the data and control planes. It uses behavioral modeling to identify suspicious attempts to access or exploit data, and configuration changes that indicate early signs of a data breach, and generates a security alert that enables quick investigation, response, and mitigation by security teams.
We have extended our sensitive data discovery engine to enable sensitive data threat detection for Microsoft Defender for Storage, generating new security alerts on active data breaches that involve malicious access, exfiltration, or corruption of sensitive data stored within Azure Blob Storage.
Get started today
We encourage you to enable Microsoft Defender for Cloud's comprehensive cloud data security solution by enabling the Defender CSPM, Defender for Storage, and Defender for Databases plans across your cloud data estate.
- About data-aware security posture
- Microsoft Defender for Storage
- Malware Scanning in Defender for Storage
- Defender for Cloud database protection
- Defender for Cloud pricing
For more information on Defender for Cloud, please visit the Defender for Cloud web page.