The unprecedented scale and sophistication of modern cyber threats, combined with the rapidly disappearing IT perimeter, means that while preventing an attack from becoming a breach is ideal, it is no longer realistic.
While the cloud may have initially raised some security concerns among enterprises, Microsoft is changing those dynamics by applying prescriptive analytics to application and network data, learning the behaviour of a machine or a group of machines, and combining these insights with broad cloud reputation, Azure Security Centre empowers customers to realise the benefits of these controls without introducing any management overhead.
With this collective power of millions of cloud customers, Microsoft can help each customer more effectively defend against the increasing volume and sophistication of attacks. Azure Security Centre has released a number of new capabilities that leverage this collective intelligence to not only detect threats, but also do a better job of preventing them.
Microsoft security research and data science teams are constantly monitoring the threat landscape and adding new or enhancing current detection algorithms. Azure Security Centre customers benefit from these innovations as algorithms are continuously released, validated, and tuned without the need to worry about keeping signatures up to date.
Here are some of the most recent updates:
- Harnessing the Power of Machine Learning – Azure Security Center has access to a vast amount of data about cloud network activity, which can be used to detect threats targeting your Azure deployments. For example:
- Brute Force Detections – Machine learning is used to create a historical pattern of remote access attempts, which allows it to detect brute force attacks against SSH, RDP, and SQL ports. In the coming weeks, these capabilities will be expanded to also monitor for network brute force attempts targeting many applications and protocols, such as FTP, Telnet, SMTP, POP3, SQUID Proxy, MongoDB, Elastic Search, and VNC.
- Outbound DDoS and Botnet Detection – A common objective of attacks targeting cloud resources is to use the compute power of these resources to execute other attacks. New detection algorithms are generally available in Azure Security Center, which clusters virtual machines together according to network traffic patterns and uses supervised classification techniques to determine if they are taking part in a DDoS attack. Also, in private preview are new analytics that detect if a virtual machine is part of a botnet. It works by joining network data (IPFIX) with passive DNS information to obtain a list of domains accessed by the VM and using them to detect malicious access patterns.
- New Behavioural Analytics Servers and VMs – Once a server or virtual machine is compromised, attackers employ a wide variety of techniques to execute malicious code on that system while avoiding detection, ensuring persistence, and obviating security controls. Additional behavioural analytics are now generally available in Azure Security Center to help identify suspicious activity, such as process persistency in the registry, processes masquerading as system processes, and attempts to evade application whitelisting. In addition, new analytics have been released to public preview that are designed specifically for Windows Server 2016, for example activity related to SAM and admin account enumeration. Over the next few weeks, many of the behavioural analytics available for Windows VMs will be available for Linux VMs as well. Operations Management Suite Security users will also benefit from these new detections for non-Azure servers and VMs.
- Azure SQL Database Threat Detection – Threat Detection for Azure SQL Database, which identifies anomalous database activities indicating unusual and potentially harmful attempts to access or exploit databases, announced upcoming general availability in April 2017. You can view alerts from SQL Database Threat Detection in Azure Security Center, along with additional details and actions for investigating and preventing similar threats in the future.
To find out more and take advantage of these and other advanced detection capabilities, or if you would like to discuss your IT Security/ Cybersecurity requirements with one of CoreAzure National Cyber Security Centre (NCSC) Certified Professionals, then please contact with us.
The NCSC Certified Professional provides an independent assessment and verification process, based on the government’s approved standard of competence for cyber security professionals.