Azure Intrusion Detection
In establishing your Azure cloud defenses, you first need to understand that an intrusion detection system (IDS) in Azure is fundamentally different from an IDS in an on-premises environment. In Azure, you don't manage the underlying network infrastructure, so you cannot easily get packet-level visibility through port mirroring, taps or other traditional network-based methods. The upside is that Microsoft, under the shared responsibility model, is responsible for securing its own infrastructure. However, you are still responsible for monitoring and securing the applications you run in Azure.
Azure does provide a management plane to help you monitor activity in your Azure cloud environment. The management plane is essentially the APIs that configure, monitor, and control your Azure cloud environment. Direct access to the Azure API is critical for delivering intrusion detection capabilities. For complete Azure intrusion detection, you need a comprehensive cloud IDS solution that is natively built for the Azure environment and provides essential Azure IDS and security monitoring capabilities.
AlienVault® USM Anywhere™ includes an Azure sensor that accesses the Azure API directly. This allows you to automatically monitor your Azure environment, quickly discover assets, identify threats, and get remediation guidance. Purpose-built for the Azure cloud, USM Anywhere delivers five essential security monitoring capabilities: asset discovery, intrusion detection, vulnerability scanning, behavioral monitoring, and Security Information and Event Management (SIEM). AlienVault USM Anywhere's integrated Azure IDS approach gives you the visibility you need to detect threats across your Azure cloud environment.
AlienVault USM Anywhere delivers complete Azure intrusion detection and security monitoring with these critical capabilities:
Comprehensive Azure Intrusion Detection
- Direct access to the Azure API and the cloud management plane
- Purpose-built for the Azure cloud
- Leverages the shared security model
Continuous Security Monitoring of Your Azure Environment
- Continuous monitoring for advanced threat detection
- Ability to monitor shadow IT
- Helps achieve compliance with regulatory standards
Integrated Threat Intelligence
- Spot the latest threats targeting your Azure environment with continuous threat intelligence updates
- Pre-built correlation rules eliminate the need for you to create your own
- Focus on remediating vulnerabilities and responding to threats rather than researching every alert
Comprehensive Azure Intrusion Detection
There are some unique aspects of intrusion detection in the Azure cloud that you need to account for. Because Microsoft controls the Azure network, you don't have easy access to low-level network traffic, so you cannot employ your traditional network IDS tools. As defined in the Azure shared responsibility model, Microsoft is responsible for locking down its network, but you are still responsible for securing your applications and systems running in Azure. And while Microsoft provides some tools to assist you, including Azure Security Groups, you still need to do more.
This brings us to the management plane, which is the critical aspect of the cloud that affords you security control capabilities. The management plane is the web interface and the APIs that configure, monitor, and control your Azure cloud environment. This is essentially the key to your Azure kingdom, so you need to lock it down. However, access to the management plane also provides a security controls opportunity. By accessing the Azure management plane, you can ensure that every VM spun up has proper monitoring enabled and data flowing into your systems. You can analyze the complete history of every action taken with complete traceability back to the source. This gives you a new mechanism for detecting threats.
To capture the security benefits of the management plane, you need a solution that accesses the Azure API directly. USM Anywhere, with its purpose-built Azure sensor, delivers the capabilities you need for comprehensive intrusion detection in Azure. USM Anywhere has been purpose-built to run in Azure and monitor the Azure cloud. It accesses the Azure API directly to monitor all activity and discover all VMs in your Azure environment. Combined with USM Anywhere's Hyper-V and VMware sensors, USM Anywhere gives you the visibility you need across all your cloud and on-premises environments to detect and respond to threats.
Continuous Monitoring of Your Azure Environment
One of the promises of the cloud, namely the flexibility and scale it provides, is also the source of one of its security weaknesses. Specifically, your Azure cloud environment is constantly changing as you spin up new instances or change configurations, in some cases daily or even hourly. In addition, people in your organization may be doing things that you aren't aware of. This is called 'Shadow IT', which refers to employees introducing unsanctioned services or bringing unsanctioned assets into your corporate network. New cloud security risks may be appearing on an hourly basis.
The need to monitor for Shadow IT activity drives the need for solutions that provide continuous security monitoring of all activity in the cloud. You need a solution that continuously monitors your Azure cloud environment and delivers Azure IDS functionality.
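As an added example (not AlienVault's or USM Anywhere's code, and not part of the original page), the following Python script sketches the kind of management-plane analysis described above: it reads Azure Activity Log records, keeps only completed write operations, and raises findings for VMs created outside an approved set of resource groups (the Shadow IT case), for VMs that are not in the inventory of monitored machines, and for any write whose source IP is outside the corporate ranges (traceability of each action back to its source). The record field names follow the published Azure Activity Log schema; the sample events, the approved resource groups, the corporate network and the monitored-VM inventory are all constructed for this example, and the subscription id is a placeholder. A real deployment would read these records from the Activity Log rather than from an inline string.

```python
import ipaddress
import json

# Operation name used by Azure for VM create/update events.
VM_WRITE = "Microsoft.Compute/virtualMachines/write"

# Constructed Activity Log records, one JSON object per line (not real data).
SAMPLE_EVENTS = """\
{"eventTimestamp": "2024-01-10T09:00:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "ops@example.com", "resourceGroupName": "prod-web", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod-web/providers/Microsoft.Compute/virtualMachines/web01", "httpRequest": {"clientIpAddress": "203.0.113.10"}, "status": "Succeeded"}
{"eventTimestamp": "2024-01-10T09:05:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "jdoe@example.com", "resourceGroupName": "sandbox-jdoe", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/sandbox-jdoe/providers/Microsoft.Compute/virtualMachines/lab-vm", "httpRequest": {"clientIpAddress": "203.0.113.22"}, "status": "Succeeded"}
{"eventTimestamp": "2024-01-10T09:07:00Z", "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write", "caller": "ops@example.com", "resourceGroupName": "prod-web", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod-web/providers/Microsoft.Network/networkSecurityGroups/web-nsg/securityRules/allow-ssh", "httpRequest": {"clientIpAddress": "198.51.100.7"}, "status": "Succeeded"}
{"eventTimestamp": "2024-01-10T09:09:00Z", "operationName": "Microsoft.Compute/virtualMachines/write", "caller": "ops@example.com", "resourceGroupName": "prod-web", "resourceId": "/subscriptions/SUB-ID-PLACEHOLDER/resourceGroups/prod-web/providers/Microsoft.Compute/virtualMachines/web02", "httpRequest": {"clientIpAddress": "203.0.113.10"}, "status": "Started"}
"""

# Constructed policy: where VMs are allowed to live, where admins connect from,
# and which VMs are confirmed to have monitoring enabled.
APPROVED_RESOURCE_GROUPS = {"prod-web", "prod-db"}
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MONITORED_VMS = {"web01"}


def parse_events(text):
    """Parse a JSON-lines Activity Log export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def vm_name(resource_id):
    """The last path segment of an Azure resource id is the resource name."""
    return resource_id.rsplit("/", 1)[-1]


def evaluate(events, approved_rgs=APPROVED_RESOURCE_GROUPS,
             corporate_nets=CORPORATE_NETWORKS, monitored_vms=MONITORED_VMS):
    """Return a list of findings, each a dict with a 'rule' plus the event context."""
    findings = []
    for ev in events:
        # Azure logs Started/Accepted/Succeeded records for one request;
        # evaluate each request once, when it actually completed.
        if ev.get("status") != "Succeeded":
            continue
        op = ev["operationName"]
        ip_text = ev.get("httpRequest", {}).get("clientIpAddress", "")
        context = {"time": ev["eventTimestamp"], "caller": ev["caller"],
                   "source_ip": ip_text, "resource": ev["resourceId"]}

        # Rule 1: every change must trace back to a known source network.
        try:
            from_corporate = any(ipaddress.ip_address(ip_text) in net
                                 for net in corporate_nets)
        except ValueError:  # missing or unparsable client address
            from_corporate = False
        if op.endswith("/write") and not from_corporate:
            findings.append(dict(context, rule="write-from-unknown-source-ip"))

        # Rules 2 and 3 apply to VM creation/update only.
        if op == VM_WRITE:
            if ev.get("resourceGroupName") not in approved_rgs:
                findings.append(dict(context, rule="vm-in-unapproved-resource-group"))
            if vm_name(ev["resourceId"]) not in monitored_vms:
                findings.append(dict(context, rule="vm-without-monitoring"))
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding))
```

On the constructed sample this yields three findings: the sandbox VM trips both VM rules, and the NSG rule change from outside the corporate range trips the source-IP rule, while the web02 record is ignored because only its "Started" entry is present. The point of the design is that each finding carries caller, source IP, timestamp and resource id, so an analyst can go straight from the alert to the responsible identity and the affected asset.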
This ongoing monitoring of your Azure environment is also important for compliance purposes. Many regulatory requirements, including PCI DSS, HIPAA, and GLBA require continuous monitoring capabilities. As you move workloads to Azure, you need a solution that performs this continuous Azure security monitoring.
USM Anywhere with its native Azure sensor delivers continuous security monitoring of your Azure environment. With its direct Azure API integration, USM Anywhere monitors all activity and detects changes in your Azure environment to deliver critical Azure IDS capabilities and help you monitor Shadow IT. And USM Anywhere’s security monitoring capabilities help ensure compliance with many regulatory requirements.
Integrated Threat Intelligence
The critical ingredient that aids in your Azure intrusion detection capabilities and enables comprehensive threat detection is threat intelligence. Threat intelligence is the actionable information every IT team needs to automatically detect threats in your network and prioritize the response to those threats. And very often, it is too resource-intensive and too costly for organizations to invest in effective threat intelligence. That’s where the Threat Intelligence delivered by AlienVault Labs steps in. AlienVault collects millions of threat indicators daily, including data from the Open Threat Exchange (OTX), the world’s first truly open threat intelligence community.
The AlienVault Labs team curates the data and combines it with additional information about attackers' tools, infrastructure, and methods to detect malicious behaviors: true Anywhere threat intelligence. This enables the AlienVault Labs team to continuously tune the USM Anywhere platform to detect emerging threats. The Labs team incorporates its research into the extensive library of customizable correlation rules included with the USM Anywhere platform, eliminating the need for you to conduct the research on your own.