The “holy grail” of security capabilities that I’ve heard so many CISOs talk about, enables them to manage the security of the systems in their organization using a policy-based approach that provides them with a single place to monitor which systems meet their security policies, which systems do not meet policies and also helps them remediate the issues with non-compliant systems.

Taking this policy-based approach a giant step further by augmenting it with cloud scale security data analytics and credible threat intelligence feeds from Microsoft and trusted third parties, and then tightly integrating all of these capabilities with your organization’s identity management strategy and on-premises Security Information and Event Management (SIEM), and this looks a lot like the security nirvana that so many of the CISOs I know, have been asking for.

This is essentially what the new Azure Security Center does; it provides integrated security monitoring and policy management for your Azure resources across your organization’s Azure subscriptions. This is a brand new capability in Microsoft Azure, that is now in public preview.

The capabilities of the Azure Security Center have been conveniently categorized into prevention, detection, and response capabilities (I have circled these in red in the screen shot below). I describe this as convenient because it aligns well with the “protect, detect, and respond” security strategy that so many of the enterprise customers I talk to are actively using today.

Policy-based Monitoring
Azure Security Center enables organizations to monitor and manage Azure resources such as virtual machines, networking resources, SQL resources, and applications. Setting a security policy on your Azure subscription and enabling data collection (seen in the screenshot below) will define which security expert recommendations you want to see based on the data and analysis of the security configurations and events collected on your Azure resources.

When data collection is enabled, a data collection agent is automatically installed on each virtual machine in the Azure subscription that the policy applies to. This will enable Azure Security Center to provide a data-driven view of what is happening with all of these resources. You decide where (which Azure region) the data collected on your Azure resources resides in order to maintain any data residency policies your organization might have.

More information on security policies in the Azure Security Center is available in this article: Setting security policies in Azure Security Center.

Security Expert Recommendations
The Azure Security Center periodically analyses the security state of your Azure resources; the data collected from the virtual machines in your Azure subscription enables Azure Security Center to monitor the state of your Azure resources against the policy and provide you with recommendations for the areas that you specified in the policy. When potential security vulnerabilities are identified, recommendations are created. The recommendations guide you through the process of configuring the security controls that mitigate the vulnerabilities that were identified. This capability will help countless organizations that don’t have fulltime security experts on staff.

In the example screen shot below issues are identified by resource (virtual machines, networking, SQL, applications) and by severity (high, medium, low). From the identified issues, numerous different recommendations are generated and listed.

Here’s a less complicated example. Once I enabled data collection and defined a security policy for my Azure subscription that included “Access Control Lists on endpoints”, a medium severity recommendation appeared in the list of recommendations.

This alerted me to the fact that my virtual machine in Azure had two unprotected endpoints (PowerShell and Remote Desktop) and recommended that Access Control Lists for these ports be implemented (seen in the screen shot below). Clicking on Remote Desktop in the list gave me the opportunity to configure the Access Control List.


More information on security recommendations in the Azure Security Center is available in this article: Implementing security recommendations in Azure Security Center.

Automatically Identifies Threats and Enables Response
A big part of the Azure Security Center’s value proposition are its threat detection and response capabilities. It automatically collects and analyzes log data from Azure resources, network traffic, and partner solutions like firewalls and anti-malware software. It uses this data to detect threats and generate a list of prioritized alerts (seen in the screen shots below).

A closer look at the RDP activity detected in this example reveals the details in the screen shot below. Azure Security Center will make context-aware suggestions on what response actions can help with items in the list. In the case of the suspicious RDP activity this might include action like filtering the IP address that is connecting to the system’s RDP port by using a Network ACL or a Network Security Group rule.


Detecting meaningful security events through all the noise generated in a large IT environment is challenging, even in environments that have one or more SIEM systems deployed.  Azure Security Center will help security teams cut through the noise to more easily detect threats and material security events that might otherwise appear to be noise or anomalies in logs that have not been aggregated and analyzed.

Azure Security Center can detect and help remediate many types of attacks. Some examples include network based attacks like Remote Desktop Protocol (RDP) grinding/abuse (seen in the screen shot above), and compromised virtual machines using the large scale threat intelligence and machine learning capabilities built into Azure Security Center.

More information on security alerts is available in this article: Managing and responding to security alerts in Azure Security Center.

For those organizations that want to export data from Azure, there’s an API available to help do this. I discussed the API and PowerShell script in a previous article on Azure Active Directory‘s Access and Usage Reports.

I’m just scratching the surface of the capabilities in the brand new Azure Security Center. I am very excited about its set of capabilities because so many security experts and CISOs will benefit from them.

Here are some more resources for you to learn more about the Azure Security Center:

Azure Security Center now available
Getting started with Azure Security Center
New Azure Security Center helps you prevent, detect, and respond to threats (video)
Azure Security Center videos

Tim Rains
Chief Security Advisor
Enterprise Cybersecurity Group