In establishing your Azure cloud defenses, you first need to understand that an intrusion detection system (IDS) in Azure is fundamentally different than an IDS in on-premises environments. In Azure, you don’t manage the underlying network infrastructure, making it difficult to access packet-level information using port mirroring, taps or traditional network-based methods. The one benefit to this is that Microsoft is responsible for securing their infrastructure, as they operate under the shared responsibility model. However, you are still responsible for monitoring and securing your applications running in Azure.
Azure does provide a management plane to help you monitor activity in your Azure cloud environment. The management plane is essentially the APIs that configure, monitor, and control your Azure cloud environment. Direct access to the Azure API is critical for delivering intrusion detection capabilities. For complete Azure intrusion detection, you need a comprehensive cloud IDS solution that is natively built for the Azure environment and provides essential Azure IDS and security monitoring capabilities.
AlienVault® USM Anywhere™ includes an Azure sensor that enables direct access to the Azure API. This allows you to automatically monitor your Azure environment and quickly detect assets, identify threats, and gain remediation guidance. Purpose-built for the Azure cloud, USM Anywhere delivers five essential security monitoring features, including asset discovery, intrusion detection, vulnerability scanning, behavioral monitoring, and Security Information and Event Management (SIEM). AlienVault USM Anywhere’s integrated Azure IDS approach gives you the visibility you need to detect threats across your Azure cloud environment.
AlienVault USM Anywhere delivers complete Azure intrusion detection and security monitoring with these critical capabilities:
* The ISMS that governs USM Anywhere, USM Central
There are some unique aspects of intrusion detection in the Azure cloud that you need to account for. Because Microsoft controls the Azure network, you don’t have easy access to the low-level network traffic, and so you are not able to employ your traditional network IDS tools. However, as defined in the Azure shared responsibility model, Microsoft has responsibility for locking down its network. However, you’re still responsible for securing your applications and systems running in Azure. And while Microsoft provides some tools to assist you, including Azure Security Groups, you still need to do more.
This brings us to the management plane, which is the critical aspect of the cloud that affords you security control capabilities. The management plane is the web interface and the APIs that configure, monitor, and control your Azure cloud environment. This is essentially the key to your Azure kingdom, so you need to lock it down. However, access to the management plane also provides a security controls opportunity. By accessing the Azure management plane, you can ensure that every VM spun up has proper monitoring enabled and data flowing into your systems. You can analyze the complete history of every action taken with complete traceability back to the source. This gives you a new mechanism for detecting threats.
To capture the security benefits of the management plane, you need a solution that accesses the Azure API directly. USM Anywhere, with its purpose-built Azure sensor, delivers the capabilities you need for comprehensive intrusion detection in Azure. USM Anywhere has been purpose built to run in Azure and monitor the Azure cloud. It directly accesses the Azure API to monitor all activity and discover all VMs in your Azure environment. Combined with USM Anywhere’s Hyper-V and VMware sensors, USM Anywhere gives you the visibility you need across all your cloud and on-premises environments to detect and respond to threats.
One of the promises of the cloud, namely the flexibility and scale it provides, is also the source of one of its security weaknesses. Specifically, your Azure cloud environment is constantly changing as you spin up new instances or change configurations. In some cases, this may be done frequently on a daily or even hourly basis. In addition, folks in your organization may be doing things that you aren’t aware of. This is called ‘Shadow IT’, which refers to employees introducing rogue services or bringing rogue assets into your corporate network. New cloud security risks may be manifesting themselves on an hourly basis.
The need to monitor for Shadow IT activity drives the need for solutions that provide continuous security monitoring of all activity in the cloud. You need a solution that continuously monitors your Azure cloud environment and delivers Azure IDS functionality.
This ongoing monitoring of your Azure environment is also important for compliance purposes. Many regulatory requirements, including PCI DSS and GLBA require continuous monitoring capabilities. As you move workloads to Azure, you need a solution that performs this continuous Azure security monitoring.
USM Anywhere with its native Azure sensor delivers continuous security monitoring of your Azure environment. With its direct Azure API integration, USM Anywhere monitors all activity and detects changes in your Azure environment to deliver critical Azure IDS capabilities and help you monitor Shadow IT. And USM Anywhere’s security monitoring capabilities help ensure compliance with many regulatory requirements.