Turbocharge your Azure security and compliance posture with Sysdig

Oct 20 SANS Webinar! Solutions Forum 2022: Is Your SecOps Ready for Cloud and Containers?

This article is intended to summarize the security services and tools provided by Microsoft for Azure cloud. We will also explore the value add Sysdig can provide when used in conjunction with the default Azure services for security.

Sharing the responsibility for Security

Microsoft Azure’s security model for the cloud divides the responsibility between Microsoft and customers based on the following principles:

  • Microsoft protects the underlying infrastructure
  • Customers put the practices, protocols and tooling in place to protect the workloads

The nuances of the shared responsibilities have been illustrated in detail for SaaS, PaaS, IaaS and On-Prem in the below diagram that can be found in this Microsoft article.

CNAPP with Microsoft Azure

The responsibility of securing the cloud workloads, applications and services on Microsoft Azure lies with the customer. Microsoft however provides a handy set of tools that can help with CNAPP (cloud-native application platform protection) and also related (CWPP – cloud workload protection, CSPM – cloud security posture management) use cases that can smooth the journey of cloud adoption and operations for the customers.

For a detailed explanation of these terms please read this article. Below is a list of solutions and services that many Microsoft Azure customers commonly leverage as an à la carte collection of monthly subscriptions:

Microsoft Defender for Cloud

Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) for all of your Azure resources and now is also offering some multi-cloud capabilities dependent on Azure Arc.

Microsoft Defender for Containers

Microsoft Defender for Containers is an agent-based solution for securing your containers and maintaining the security of your clusters, containers, and their applications. This is a separate subscription from Defender for Cloud.

Microsoft Defender Advanced Threat Protection

This service helps to identify unexpected and potentially unauthorized or malicious activities like Malware, crypto mining or attacks. ATP is a preventative and post-detection, investigative response feature of Microsoft Defender. ATP’s features are standard in many high-end anti-malware packages.

Microsoft Azure Policy

Azure Policy is used to enforce organizational standards and assess compliance. It is a compliance dashboard that helps evaluate the overall state of the environment. It also helps in the enforcement of remediations.

Microsoft Azure Activity Logs

These allow monitoring deployments in the cloud by getting a history of activity for your account subscription, including API calls, SDKs, the command line tools, and Azure services. Sysdig consumes this service (amongst others) as a part of cloud security and compliance continuous feedback.

Microsoft Azure AD and RBAC

Security in the cloud begins with the foundation of Identity. Active Directory (AD) and Role-based Access Control services provide fine-grained access control policies.

Microsoft Azure Purview

This provides a unified data governance solution to govern on-premises, multi-cloud, and software-as-a-service (SaaS) data and allows data consumers to access valuable, trustworthy data management. Combined with other tools, it can help to meet regulations like HIPAA, GDPR, etc.

Microsoft Sentinel

Although as a SIEM from Microsoft, Sentinel itself is not a part of CNAPP, it offers a near runtime threat detection capability that works hand in hand with cloud workload protection.

Sysdig’s value add for Microsoft Azure

Depending on the use case, Sysdig has add-on and complementary features to Azure security services, aimed at the overall strengthening of your cloud security posture on Azure. Here are some scenarios where Sysdig is a solution to consider:

Hybrid-cloud or Multi-cloud scenarios:

You can use Azure Arc to extend Microsoft Defender’s capabilities to GCP or AWS but the implementation itself has added complexity. If you want to simplify and standardize the operations between the (various) cloud and the on-prem infrastructure of your company, a platform like Sysdig that allows for consolidation is a great choice.

Figure 1. Multicloud view of your infrastructure

Reduction of associated latency and storage costs with SIEM:

Sysdig leverages the open source Falco project for runtime threat detection. This not only leads to earlier detection of threats, but also you can configure Falco rules within Sysdig to send only certain suspicious event feeds to the SIEM. This reduces the ingestion and storage costs associated with your SIEM implementation.

Reduction of dependency on custom features:

Microsoft’s security services are best suited for Azure as they have multiple custom features that are built with Azure in mind. Sysdig’s solution has been used and tested by multiple clients across a variety of cloud platforms – and it has features which can work with different cloud platforms as required.

Continuous compliance:

This use case involves following established and industry-led guidelines or specifications. The main service that relates to compliance in Azure is Microsoft Defender for Cloud. But there are other services needed to achieve full compliance in Azure: Azure Policy, Microsoft Azure Purview and so on. By utilizing Sysdig with Azure, you can have all your compliance controls in one place – be it any control framework such as SOC2, PCI, NIST, ISO-27001, HiTrust, HIPAA, FedRAMP, GDPR or any best practices that come from the CIS Benchmarks and suggested by the cloud provider.

Figure 2. Compliance and Benchmark reports provide a continuous picture of the security posture of your cloud infrastructure or workload applications.

Mix of traditional and container-based infrastructure:

While Microsoft Defender for cloud does a very good job providing security findings regarding the configuration of your cloud account and services, it lacks visibility into container workloads. For inspecting container workloads, you would need to use Microsoft Defender for Containers service. Sysdig provides an overview of your security posture in both worlds, containers and cloud. Similarly, Advanced Threat Protection combined with Microsoft Sentinel does a good job detecting anomalies involving Azure resources like IAM access keys, compute instances, blob storages, and Azure AKS resources. However, these are additional subscriptions that you have to account for in your cloud budget.

With Sysdig you have all the security use cases with one subscription – leveraging the open-source Falco project for the runtime detection capabilities around workload protection, and cloud security monitoring. Sysdig threat detection capabilities detect not only cloud events, but also those that exist on the container workload side like spawning of a shell in a container, modification within sensitive folders, deletion of bash history, etc.

Figure 3. A threat detection dashboard

Sysdig Secure thus strengthens Microsoft Azure and multi-cloud security by providing a powerful but simple unified experience with a predictable cost model, covering:

Summary table

Below is a summary table of the value add by Sysdig for each of Microsoft Azure tools:

Use Case

Category

Microsoft Azure’s Service(s)

Sysdig’s value add

Configuration and vulnerability scanning for VMs and Containers.



CWPP, CSPM

Microsoft’s Defender for Containers


Microsoft’s Defender for Cloud integrates with Rapid7 or Qualys Scanners


Note – there are additional licensing requirements from either Qualys or Rapid7 for cloud.

Extends vulnerability scanning capabilities for host instances and images also applying runtime intelligence to provide risk spotlight. Extends CSPM and Compliance features by combining dynamic and static checks into a unified experience. One single subscription for protecting both VMs and Containers. Out-of-the-box multi-cloud support.

Cloud Security Monitoring and intelligent threat detection

CWPP, and also CSPM

Advanced Threat Protection


Microsoft Sentinel

Leverage the power of the Falco open source project within Sysdig. Rich out-of-the-box set of rules for CWPP and cloud security monitoring. Deep runtime detection for workloads and cloud. Reduce your SIEM costs by filtering what events get reported to the Sentinel SIEM.

Audit Logging

Not a core security category, but supplemental

Activity Logs

Native integration with Activity logs.

Compliance and Data Security


Detection, Configuration Drifts and Data Protection

CSPM, Standardization, React/Alert

Microsoft’s Defender for Cloud

Sysdig unifies Continuous Compliance for cloud and workloads with remediation capabilities.


Detect runtime threats and vulnerabilities leading to reaction, remediation and forensic analysis

Monitor sensitive Data

Data related CSPM

Azure Purview

Sysdig reinforces security posture and compliance related to data like GDPR and HITRUST


Conclusion

You can check off 101 boxes for cloud and container security by using default Azure tools, and to be wholly protected you need a platform like Sysdig that can:

  • Help you protect your multi-cloud and hybrid cloud infrastructure
  • Provide runtime threat detection for workloads and go beyond a “static” security mindset
  • Deliver a control plane that helps you establish a comprehensive implementation of best practices and compliance frameworks
  • Enable multiple checkpoints to ensure build-time security and stop vulnerable images from being deployed

Stay up to date

Sign up to receive our newest.

Related Posts

Scanning images in Azure Container Registry

Runtime security in Azure Kubernetes Service

5 Steps to Securing Microsoft Azure Cloud Infrastructure