Security Monitoring in Azure using USM Anywhere

March 7, 2017  |  Ryan Leatherbury

Is Your Azure Environment Secure?

Azure security monitoring has become of increasing interest, and AlienVault is responding with new capabilities, starting with the recent (February) launch of USM Anywhere, our SaaS-delivered Unified Security Management solution for monitoring your cloud, hybrid cloud and on-premises environments, including Microsoft Azure implementations.

Since USM Anywhere is a cloud service, we're able to create new product features and push updates much more frequently, allowing our customers to have all the latest features and capabilities without having to do any deployments themselves. Driving many of those improvements have been our USM Anywhere customers, whom we talk to regularly to get feedback and input on capabilities and experience.

With our product improvements moving at a clipping pace, we’re dedicating some space here on the AlienVault blog to product-specific info, tools, tips, and tricks. Consider this the inaugural post in the series (cue the fanfare!) and we look forward to reading your comments and feedback!

In this post, I want to delve into USM Anywhere for Microsoft Azure security monitoring. Now, make no mistake—one of the biggest benefits of USM Anywhere is that you can monitor all of your environments (AWS, Azure, on-premises physical and virtual IT) from a single pane of glass. But, for the Azure folks in the house, I want to focus specifically on a few Azure-related topics that come up in our top customer questions and in Azure security best practices, including how to:

  • Keep up to date on what Azure VMs are running in your subscription (asset discovery).
  • Use Azure Diagnostics logs to monitor your deployed assets, including Windows hosts, IIS and the Azure SQL Database service.
  • Keep up with changes made by users with access to your Azure subscription.
  • Detect vulnerabilities on your Azure VMs.

Deploying USM Anywhere to monitor Azure is simple, and designed in concert with the Azure security model. As shown in the image below, USM Anywhere Sensors deploy natively into each cloud and on-premises environment. The Azure Sensor can be easily installed from the Azure Marketplace. It discovers Azure assets, collects security data and sends it to the cloud-based USM Anywhere service for storage and reporting.

Asset Discovery

As in any environment, cloud security monitoring starts with asset discovery. In USM Anywhere, Azure assets are virtual machines (VMs) or platform services like Azure SQL Database with an IP address or fully qualified domain name.

Whereas in on-premises environments you would run a network scan to discover assets, in Azure cloud environments it's a best practice to discover assets directly from the Azure APIs. To do this, USM Anywhere uses direct hooks into the Azure APIs, allowing it to automatically discover VMs and services as they are spun up and to collect additional information about those assets that a traditional network scan would not provide (e.g. the Azure VM type and which Azure region(s) the asset is running in). The screenshot below from the USM Anywhere setup wizard summarizes the Azure VMs it automatically discovered within an Azure environment.

USM Anywhere automatically discovers and enables log collection from several Azure data sources, including the Azure Monitor REST API (formerly Azure Insights), as well as Azure Diagnostics events through the Azure APIs.

Let’s take a closer look.

Monitoring Your Deployed Assets

Windows-based VMs have an Azure agent enabled by default that can collect Windows event logs. Within the Azure portal, you can enable Windows security event logging in the Diagnostics settings for the VM as shown in the image below. Once you do, Azure will automatically push logs to an Azure Storage location. This means that you can get Windows host information without having to install a separate agent. (Pretty clever of those Azure folks.) You can also enable logging for things like IIS web server and SQL Database events.

Now for USM Anywhere's part in this:

The USM Anywhere Azure Sensor is preconfigured to automatically discover Azure Storage Tables and Blobs containing these types of Diagnostic logs. You can easily enable USM Anywhere to collect logs and create events associated with each data source. USM Anywhere has dozens of out-of-box correlation rules that create alarms based on Windows security events, including brute force login attempts, temporary account creation, and many others.
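As an added illustration of what a brute-force correlation over these events looks like (example code written for this post, not USM Anywhere's own rules or code), the block below alarms when one source produces a run of failed logons (Windows event 4625) inside a time window, and raises a second alarm if a successful logon (4624) from that source follows. The record layout, sample events, threshold and window are all constructed and simplified assumptions, not the Azure Diagnostics table as stored.

```python
"""Brute-force correlation over Windows Security events (4625/4624) of the kind Azure Diagnostics pushes to Storage."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

FAIL_ID, SUCCESS_ID = 4625, 4624
SRC_RE = re.compile(r"Source Network Address:\s*(\S+)")
ACCT_RE = re.compile(r"Account Name:\s*(\S+)")

def _ev(ts, eid, src, acct="admin"):
    # Constructed record; field names mimic the Diagnostics event-log table (assumption).
    kind = "failed to log on" if eid == FAIL_ID else "was successfully logged on"
    return {"TIMESTAMP": ts, "EventId": eid, "Description":
            f"An account {kind}. Account Name: {acct} Source Network Address: {src}"}

# Constructed sample data: one source bursts, one source is benign.
SAMPLE_EVENTS = [
    _ev("2017-03-07T09:40:00Z", FAIL_ID, "203.0.113.9"),     # too old, pruned
    _ev("2017-03-07T10:00:00Z", FAIL_ID, "203.0.113.9"),
    _ev("2017-03-07T10:00:30Z", FAIL_ID, "203.0.113.9"),
    _ev("2017-03-07T10:01:00Z", FAIL_ID, "203.0.113.9"),
    _ev("2017-03-07T10:01:15Z", FAIL_ID, "198.51.100.7"),    # single failure
    _ev("2017-03-07T10:01:30Z", FAIL_ID, "203.0.113.9"),
    _ev("2017-03-07T10:02:00Z", FAIL_ID, "203.0.113.9"),     # 5th in window
    _ev("2017-03-07T10:02:30Z", SUCCESS_ID, "203.0.113.9"),  # success after burst
]

def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return alarm dicts; the brute_force alarm fires once, when the threshold is first reached."""
    failures = defaultdict(deque)          # source IP -> recent 4625 timestamps
    alarms = []
    for ev in sorted(events, key=lambda e: e["TIMESTAMP"]):
        m = SRC_RE.search(ev["Description"])
        if not m:
            continue                       # console logons carry no source address
        src = m.group(1)
        ts = datetime.strptime(ev["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        q = failures[src]
        while q and ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if ev["EventId"] == FAIL_ID:
            q.append(ts)
            if len(q) == threshold:
                alarms.append({"type": "brute_force", "source": src,
                               "count": len(q), "at": ev["TIMESTAMP"]})
        elif ev["EventId"] == SUCCESS_ID and len(q) >= threshold:
            acct = ACCT_RE.search(ev["Description"]).group(1)
            alarms.append({"type": "brute_force_success", "source": src,
                           "account": acct, "at": ev["TIMESTAMP"]})
    return alarms
```

Run on the sample, the 09:40 failure is discarded before the burst is counted, the lone failure from 198.51.100.7 stays below threshold, and the 10:02:30 success from the bursting source produces the higher-severity alarm.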

In the image below, you can see the automatically-discovered Storage locations containing Azure logs within the USM Anywhere setup wizard.

Not only will USM Anywhere monitor Azure VMs, but it will also treat the Azure SQL Database platform service as an asset. The Azure SQL service is abstracted from the individual VMs it runs on, so you can use the database service without administering the lower-level VM details. Yet, to make it simple for you to track related security issues, USM Anywhere treats the SQL service as an asset, mapping events and other security issues directly to the SQL service, as shown in the Asset details view below.

Keeping up with Azure User Changes

Azure Monitor helps you to track user activities within an Azure subscription including when users log on, deploy or shut down VMs, and more. Through the Azure Monitor REST API, USM Anywhere captures those logs and creates events so you can answer the question, “Who is doing what in my Azure environment?”
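To show what answering that question from the raw activity log involves, here is an added example (written for this post, not USM Anywhere's own code) that reduces Azure Monitor activity-log entries to per-caller "who did what" records and picks out the operations that stop or remove VMs. The entries are constructed sample data that follow the activity-log event schema (caller, operationName.value, status.value, resourceId, eventTimestamp), with a placeholder subscription id.

```python
"""Turn Azure Monitor activity-log entries into "who did what" records."""
from collections import defaultdict

SUB = "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod/providers"

def _entry(ts, caller, op, vm, status="Succeeded"):
    # Constructed entry; keys follow the activity-log event schema
    # (caller, operationName.value, status.value, resourceId, eventTimestamp).
    return {"eventTimestamp": ts, "caller": caller, "status": {"value": status},
            "operationName": {"value": op},
            "resourceId": f"{SUB}/Microsoft.Compute/virtualMachines/{vm}"}

VM = "Microsoft.Compute/virtualMachines"
SAMPLE_LOG = [   # constructed sample data
    _entry("2017-03-07T08:15:00Z", "alice@contoso.example", f"{VM}/write", "web01"),
    _entry("2017-03-07T08:16:00Z", "alice@contoso.example", f"{VM}/start/action", "web01"),
    _entry("2017-03-07T09:00:00Z", "carol@contoso.example", f"{VM}/read", "web01"),
    _entry("2017-03-07T23:40:00Z", "bob@contoso.example", f"{VM}/deallocate/action", "web01"),
    _entry("2017-03-07T23:41:00Z", "bob@contoso.example", f"{VM}/delete", "db01"),
    _entry("2017-03-07T23:42:00Z", "bob@contoso.example", f"{VM}/delete", "db02", "Failed"),
]

def verb_of(operation):
    """Reduce an operation name to a verb: read/write/delete, or the
    action name (start, deallocate, ...) for '<type>/<action>/action'."""
    parts = operation.split("/")
    return parts[-2] if parts[-1] == "action" else parts[-1]

def who_did_what(entries):
    """Map each caller to the succeeded, non-read operations they ran,
    as (timestamp, verb, resource name) tuples in time order."""
    by_caller = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["eventTimestamp"]):
        verb = verb_of(e["operationName"]["value"])
        if e["status"]["value"] != "Succeeded" or verb == "read":
            continue                       # failed attempts and reads are noise here
        resource = e["resourceId"].rsplit("/", 1)[-1]
        by_caller[e["caller"]].append((e["eventTimestamp"], verb, resource))
    return dict(by_caller)

def destructive_changes(entries, verbs=("delete", "deallocate")):
    """Flatten who_did_what() to the operations that stop or remove assets."""
    return [(caller, ts, verb, res)
            for caller, ops in who_did_what(entries).items()
            for ts, verb, res in ops if verb in verbs]
```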

Finding Vulnerabilities

USM Anywhere detects vulnerabilities on Azure VMs using authenticated asset scans. You simply need to enter SSH credentials for Linux hosts or WinRM credentials for Windows. You can enable USM Anywhere to run scheduled scans against any asset or asset group.

Summary - Securing Your Azure Environment

USM Anywhere supports several Azure integrations that simplify threat monitoring and detection. These include API-based asset discovery, native Azure log collection capabilities, out-of-the-box correlation rules for alarm generation, and vulnerability scanning to address Azure security concerns.

Keep in mind, we've only touched on a few specific areas of security monitoring in Azure. For a complete view of how to use USM Anywhere to monitor your Azure environment, you can check out our online demo, or better still, try your free 14-day trial of USM Anywhere to start monitoring your Azure subscription today!
