
Defender for Cloud - Storage and Key Vaults

April 4, 2025

Hi All,

After my last blog, which covered the basics of getting your VM protected by Defender for Cloud, it is now time for two more resources. Both Storage Accounts and Key Vaults are very commonly used within Azure environments and (can) hold very sensitive data, certainly a reason to look at protecting those resources.

Want to check out first what it takes to set up a basic Defender for Cloud environment? Here is the link: Getting started with Defender for Cloud (kooijman.cloud)

So let's start with the good old Storage Account!

What can we expect from protecting a storage account?

First we have to make sure that our resources are enabled for Defender for Cloud; in the overview below this is done at subscription level, which is the recommended approach.

Now that we have Defender enabled for storage accounts, let's take a look at a very default storage account I deployed for the boot diagnostics data of our VM, and at the recommendations we are getting for it.

The main issue with this storage account is its public access and, with it, its attack surface, something I see very often with storage accounts that have been around for a while. So let's reduce the attack surface.

First we are going to deploy a private endpoint for the storage account.

With the endpoint connected to the storage account, resources within our Azure network can reach it directly over the private endpoint, so we can disable public access.

There we go, the recommendations are resolved. So where are we now in the process of protecting the storage account?

We have enabled it, we will get alerts (hopefully not, of course) and once they are there we can resolve them. Integration with Sentinel and automatic response are for blogs yet to come, as this applies to all the resources we have enabled.

Next up, the Key Vault

Let's take a look at what our friends at Microsoft say about why we should protect our Vault even more.

Microsoft Defender for Key Vault detects unusual and potentially harmful attempts to access or exploit Key Vault accounts. This layer of protection helps you address threats even if you're not a security expert, and without the need to manage third-party security monitoring systems.

When anomalous activities occur, Defender for Key Vault shows alerts and optionally sends them via email to relevant members of your organization. These alerts include the details of the suspicious activity and recommendations on how to investigate and remediate threats.

In our previous blog we created a key vault for ADE, so let's protect that one! Just like with the other resources, we have to make sure Defender for Cloud is enabled at subscription level.

Now let's take a look at the recommendations and what we can do about them.

Like with the Storage Account, a private endpoint is advised for attack surface reduction and logging should be enabled; the firewall I had already enabled when creating the key vault. Keep in mind that this is a great way to find and fix things that are not always in place by default.

First let's fix the logging, so that in case something goes wrong we have logs for the investigation. Very nicely, we can just select the recommendation and fix it from this window.

Now for the second one, which is the same as creating the private endpoint for the storage account.

And that's it: with a few simple steps we reduce the possibility of an attack, and once Defender detects an anomaly we will get notified and are able to resolve it. A good, safe habit for the sensitive data that is often stored in those resources.
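For those who prefer to keep this state in code rather than portal clicks, here is the end state of both the storage account and the key vault steps above declared in Bicep. This is an added example, not code from the original post; the parameter values (resource names, subnet, Log Analytics workspace) are placeholders you supply at deploy time.

```bicep
// Added example, not the post's own code; parameter values are placeholders supplied at deploy time.
param location string = resourceGroup().location
param storageName string   // the boot-diagnostics storage account
param keyVaultName string  // the ADE key vault
param subnetId string      // subnet that hosts the private endpoint
param workspaceId string   // Log Analytics workspace that receives the vault logs
// Storage account: public network access off, firewall set to deny, no anonymous blob access.
resource stg 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  sku: { name: 'Standard_LRS' }
  kind: 'StorageV2'
  properties: {
    allowBlobPublicAccess: false
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}
// Private endpoint for the blob service, so resources inside the VNet still reach the account.
resource stgPe 'Microsoft.Network/privateEndpoints@2023-05-01' = {
  name: '${storageName}-blob-pe'
  location: location
  properties: {
    subnet: { id: subnetId }
    privateLinkServiceConnections: [
      { name: 'blob', properties: { privateLinkServiceId: stg.id, groupIds: [ 'blob' ] } }
    ]
  }
}
// Key Vault: firewall on, public access off. Its private endpoint mirrors stgPe with groupIds: [ 'vault' ].
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: keyVaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    publicNetworkAccess: 'Disabled'
    networkAcls: { defaultAction: 'Deny', bypass: 'AzureServices' }
  }
}
// The "enable logging" recommendation: AuditEvent records every operation against the vault.
resource kvDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit'
  scope: kv
  properties: {
    workspaceId: workspaceId
    logs: [ { category: 'AuditEvent', enabled: true } ]
  }
}
```

Deploying this with the Defender plans already enabled at subscription level leaves the recommendations from the screenshots resolved from the start, and the vault's AuditEvent logs are in the workspace when an alert needs investigating.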

Although these resources are not the biggest to protect in terms of integration options, I think it is very useful to do so given the nature of the data, especially with the Key Vault.

Thank you all for reading this blog and feel free to check out my other blogs.
