The basics

Let’s start this article with some basic cybersecurity terminology.  Security hygiene, or cyber hygiene, is a general term used to describe the ongoing practice of keeping your technology and IT estate in a healthy and protected state.  The metaphor with physical hygiene is valid because we know with our bodies that there’s no such thing as “set it and forget it”: if we don’t maintain regular hygiene practices and exercise, we atrophy.  It’s a continual effort comprised of daily discipline, habit, and ritual.

The same is true of our increasingly connected infrastructure.  Nature wants to tear your body down if you don’t maintain it, and malicious cyber actors are the equivalent in IT.  The infrastructure that’s in a best-practice, fully patched state one day is not going to stay like that forever.  You only need to pay attention to recent developments to realise this, such as Windows elevation of privilege vulnerabilities (SeriousSAM) and remote code execution vulnerabilities (PrintNightmare).  Without continual monitoring and remediation, we are left open to these threats.  To back this up with numbers, the Online Trust Alliance published a study estimating that 93% of reported incidents would not have occurred had best practice and basic hygiene been followed.  As time progresses, so does best practice, along with the actions you must take to implement it.  Similarly, you must stay on top of new solutions being introduced into your environments, such as PaaS and IaaS in the cloud.

Where do you start?  Beginning with a vendor-neutral approach, a number of institutes publish guidance for what they regard as best practice hygiene.  The Center for Internet Security (CIS) is an example of this.  Published as the CIS Controls, and released in regular versions, these provide a mechanism to review high-level recommendations and prioritise accordingly.  An organisation can take the recommendations (for example, get the PDFs online) and use them as a standard to work to, applying them across its multi-vendor estate, or use the vendor-specific CIS Benchmarks, such as the CIS Benchmark for Microsoft Azure Foundations.

Azure Security Center

These are great, but one of the reasons customers (myself included) like Microsoft solutions is the inclusion of things natively and integration with the larger platform to make the IT pro’s life easier.  Sticking with Azure, Microsoft’s native solution for ongoing security hygiene management is the Azure Security Center.  I briefly touched on what exactly the Azure Security Centre (ASC) is in this blog over at Petri.com before, but let’s recap.

At its core, ASC is about security posture management and belongs to a category called cloud security posture management (CSPM) tools.  The CSPM capabilities of ASC are provided at no additional cost to you, the Azure administrator, and are sometimes referred to as “Security Center without Azure Defender”.  What’s Azure Defender then?  Azure Defender comprises many protective services (think about how many types of Azure resources there are!) and is a consumption-based licence (with a 30-day trial), which extends ASC into a cloud workload protection platform (CWPP) that includes additional protective and remedial capabilities.  Now that’s a lot of acronyms and tech jargon, so let’s break it down, and think about ASC as having two pillars:

  • Azure Security Center without Azure Defender: a CSPM that reports your security posture and builds a Secure Score (more on this later)
  • Azure Security Center with Azure Defender: a CWPP that builds on the CSPM to additionally protect your Azure resources

I detailed the various resources that Azure Defender can protect here, so for the remainder of this article I’ll focus on how we can use the free Secure Score to tackle that opening problem: security hygiene.

Secure Score

If you take away one thing from this article, it should be this.  Not every IT department has a SOC or MSSP.  In the small business space, this is especially true.  What that team does have, with ASC’s Secure Score, is a clear roadmap on what to do, why to do it, and how to do it.

Not to be confused with the Microsoft Secure Score (which pertains to Microsoft 365 resources such as identities and devices), Secure Score within ASC presents information and recommendations for improving the security posture and hygiene of your Azure IaaS and PaaS estate.  These are then turned into a sort of KPI by assigning a score, 100% being what Azure administrators should aspire to (and it’s really satisfying as you start checking things off and improving that score).

In the example above, you can see an overarching Secure Score with differently scored controls, which are groups of recommendations.  In this instance, there are a lot of failures (it’s a demo environment… for the record!), but also opportunities with clear descriptions about what to do.  For example, I can immediately see that both the VMs in my environment have open management ports, and remediating that would bump my score up by eight points.

After entering the recommendation, I’m given clear instructions on how to fix the problem (and why).  Should you step up to Azure Defender, some recommendations get a Quick Fix button that kick-starts auto-remediation.  You can even run Logic Apps and workflow automation to reduce additional manual effort.

This brings me to the huge and immediate advantage of Secure Score (compared to manual or third-party controls): the sheer accessibility of it.  It is one intuitive location in the Azure portal (though you can also use APIs or Power BI if you want) to understand the current state of things, with plain-speaking language about what you should do to improve it.

Recommendations have an accompanying severity, which is a good place to start.  Filters at the top of the recommendations list in ASC allow you to target high severity recommendations first, so you can direct your time more appropriately towards significant threats.

As you remediate and improve, the Secure Score updates, but a control’s points only count once all recommendations in that control have been remediated.

Sometimes you may have a business exemption against a recommendation, or a business process or third-party solution that mitigates it but which ASC cannot detect.  Under such circumstances, an exemption can be made so it doesn’t hurt your score.  An important note about exemptions is that they are currently a preview premium feature.
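To make the scoring rule concrete, here is an added Python model (not ASC’s code, and not from the original post) of the behaviour described above: a control only pays out its points once every non-exempt recommendation in it is remediated, exempted items drop out of the calculation, and open items are ordered by severity and then by the points the control unlocks, which is the roadmap approach this article recommends.  The control names, point values and recommendation names are constructed for illustration.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}  # roadmap ordering, High first

@dataclass
class Recommendation:
    name: str
    severity: str
    remediated: bool = False
    exempt: bool = False  # business exemption: excluded from scoring

@dataclass
class Control:
    name: str
    max_points: int
    recommendations: list

    def outstanding(self):
        """Recommendations still counting against this control."""
        return [r for r in self.recommendations if not (r.remediated or r.exempt)]

    def earned_points(self):
        """All-or-nothing: the control pays out only once nothing is outstanding."""
        return self.max_points if not self.outstanding() else 0

def secure_score(controls):
    """Overall Secure Score as a percentage of the points available."""
    total = sum(c.max_points for c in controls)
    return round(100 * sum(c.earned_points() for c in controls) / total) if total else 100

def roadmap(controls):
    """Open recommendations: highest severity first, then biggest points unlocked."""
    rows = [(SEVERITY_RANK[r.severity], -c.max_points, r.name, c.name)
            for c in controls for r in c.outstanding()]
    return [(name, control) for _, _, name, control in sorted(rows)]

# Constructed demo environment, not real ASC output.
DEMO = [
    Control("Secure management ports", 8, [
        Recommendation("Management ports of VMs should be protected with JIT", "High"),
        Recommendation("Management ports should be closed on VMs", "High")]),
    Control("Enable encryption at rest", 4, [
        Recommendation("Disk encryption should be applied on VMs", "High")]),
    Control("Apply system updates", 6, [
        Recommendation("System updates should be installed", "Medium", remediated=True),
        Recommendation("Log Analytics agent should be installed", "Low", exempt=True)]),
]
```

Remediating only one of the two management-port items leaves the score unchanged; the eight points arrive only when the control is fully clean.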

Your environment may have security hygiene requirements that are not covered by the default Secure Score feedback, which is powered by the Azure Security Benchmark.  This is where the concept of policy management steps in, which can be managed from the security policy section of ASC.

Firstly, there are specific industry and regulatory standards that can be managed, such as ISO 27001, and these are set up already “out of the box”.  Or, within the security policy page, you can add additional standards from which further recommendations will be built.

More advanced still, there is a facility to create custom initiatives, which can even be customised with their own severity and remediation descriptions.  This is useful if you have a bespoke security benchmark or compliance standard not yet managed by Microsoft.

A challenge: next actions

This blog is in response to a challenge issued by Yuri Diogenes of the C+AI Security CxE Team at Microsoft to write about getting started with security hygiene in Azure using ASC and Secure Score.  Now the challenge is for readers: start using it!  Your priority actions should be something like this:

  1. Visit ASC by searching for Security Center in the Azure portal.
  2. The overview page may recommend enabling Azure Defender, so at least try it for 30 days and see what additional benefits it opens up (beyond the scope of this article, but expect things such as just-in-time VM access and vulnerability scanning powered by Qualys, and more!).
  3. Jump into the Secure Score section of ASC to see, at a high level, your overall posture by subscription.
  4. Then go into View recommendations, so you can start building that roadmap, prioritised by severity.
  5. Lastly, get into the routine of regular reviews for ongoing security hygiene.