New multicloud CNAPP innovations in Microsoft Defender for Cloud

Posted by

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

With almost 90% of organizations adopting a multicloud strategy1, successfully securing across your entire environment has never been more important. Vulnerabilities in code, overprivileged access, critical misconfigurations, and evolving threats can lead to sensitive data exposure and breaches, driving cloud security to the top of the concern list for many enterprises Microsoft Defender for Cloud is pioneering this new era of security by offering a holistic approach to multicloud management. Trusted by industry professionals as a leading Cloud Native Application Protection Platform (CNAPP), Defender for Cloud integrates security and compliance capabilities for apps, data, and infrastructure into one platform, providing end-to-end protection across Amazon Web Services (AWS), Google Cloud Platform (GCP), Azure, and hybrid environments. With proactive posture management and advanced threat protectionDefender for Cloud empowers organizations to start secure and stay secure, effortlessly managing the security of their workloads across clouds. 

Today's exciting announcement of new advanced multicloud posture management capabilities for Google Cloud Platform (GCP) further solidifies Microsoft's commitment to ensuring optimal security across multicloud and hybrid environments.


New advanced multicloud posture management capabilities for Google Cloud Platform (GCP) in Microsoft Defender for Cloud

Cloud security begins with proactively identifying and remediating your most critical risk. Defender CSPM provides industry-leading posture management capabilities and is recognized by KuppingerCole as an Overall Leader, Market Champion, Product Leader, and Innovation Leader in its 2023 CSPM Leadership Compass, noting “Organizations looking for a CSPM which provides multi-cloud capabilities including data aware security posture should consider Microsoft Defender for Cloud.”  


Today, we're excited to announce that we are expanding the power of our contextual cloud security graph and attack path analysis with support for GCP resources. Starting on August 15, customers can leverage the power of Defender CSPM for comprehensive visibility and intelligent cloud security across their GCP resources. This enables organizations to sift through the clutter, zeroing in on and addressing the most pressing risks spanning their multicloud environment. 


Key features of our GCP support include: 

  • Attack path analysis: Understand the potential routes attackers might take. 
  • Cloud security explorer: Proactively identify security risks by running graph-based queries on the security graph. 
  • Agentless scanning: Scan servers and identify secrets and vulnerabilities without installing an agent. 
  • Data-aware security posture: Discover and remediate risks to sensitive data in Google Cloud Storage buckets. 


Delving deeper into agentless scanning, Google Compute Instances can now be scanned for vulnerabilities and hidden secrets. The scans are powered by the Microsoft Defender Vulnerability Management engine, ensuring rapid and large-scale detection of server vulnerabilities. Agentless scanning identifies various secrets like SSH private keys, access keys, and SQL connection strings stored on servers. When a secret is found, its validity is confirmed and its relevance is evaluated, empowering our customers to tackle the most critical risks. 


Further, our data-aware security posture now encompasses Google Cloud Storage buckets. This feature offers automatic sensitivity scanning for dozens of built-in and custom sensitive information types, allowing security teams to pinpoint and prioritize potential data breach risks. Now, security teams can effortlessly identify where sensitive data is located, who has access to it, and its flow patterns. 


Attack path analysis outlining a potential lateral movement to a data store from an internet exposed virtual machine with high severity vulnerabilities discovered through agentless scanning.Attack path analysis outlining a potential lateral movement to a data store from an internet exposed virtual machine with high severity vulnerabilities discovered through agentless scanning.


Microsoft cloud security benchmark coverage expands to GCP 

As part of our mission to secure across multicloud and hybrid environments, we are also excited to announce that the Microsoft cloud security benchmark (MCSB) has expanded its cloud coverage with support for Google Cloud Platform, now in public preview. Customers onboarding their GCP environment in Defender for Cloud will now gain free GCP resource monitoring according to industry best practices auto-enabled by default. With this announcement, the Microsoft cloud security benchmark now supports all three major cloud service providers, offering cloud-specific implementation details for Azure, AWS and GCP aligned to the framework’s holistic set of security best practices.  


Today, there are over 120 built-in GCP-specific assessments available to monitor your GCP resources in Microsoft Defender for Cloud. We will continue to build additional assessments and coverage for MCSB controls and best practices over time. With this new set of GCP assessments, MCSB now supports 500+ automated assessments across cloud deployments in Microsoft Defender for Cloud.  


Learn more about how MCSB can help you succeed in your cloud security journey. 


Prevent malware distribution with Malware Scanning in Defender for Storage 

Defender for Cloud is also advancing cloud data security at runtime. We’re excited to share the upcoming general availability of Malware Scanning in Defender for Storage.  Starting September 1, security teams can enable an additional layer of protection to detect and prevent Azure Blob storage accounts from acting as a point of malware entry and distribution. This add-on to Defender for Storage will be priced at $0.15 (USD) per GB of data scanned. 


Malware Scanning in Defender for Storage offers built-in and agentless detection with zero maintenance. As soon as a file is uploaded to a storage account, Malware Scanning will immediately read the uploaded content, scan it out of band, and detect polymorphic and metamorphic malware in near real-time. If a file is determined as malicious by the Microsoft Defender Antivirus engine, access to the file can be blocked, the file can be quarantined or deleted, and the scan result will automatically trigger a security alert in Defender for Cloud, so SOC analysts can receive full context on the malicious findings.  To maintain maximum privacy, the regional malware scanning engine never retains the content of the files, and the data is never centralized. Files are scanned "in-memory" and are never stored in the Malware Scanning.


Learn more about enabling Malware Scanning in Defender for Storage. 


Announcing vulnerability assessment (VA) for Containers powered by Microsoft Defender Vulnerability Management in Defender for Cloud  

With the rise of containerization and microservices, it's more important than ever to secure the software supply chain and ensure that container images are free from vulnerabilities Today, as a result of Defender for Cloud’s integration with Microsoft Defender Vulnerability Management, we are excited to announce the general availability of agentless container posture management in Defender CSPM and the public preview of vulnerability assessment scanning for container images in Defender for Containers 


These new container vulnerability assessment capabilities powered by Defender Vulnerability Management include 

  • Agentless vulnerability assessment for containers 
  • Zero configuration for onboarding 
  • Near real-time scan of new images 
  • Daily refresh of vulnerability reports  
  • Coverage for both ship (ACR) and runtime (AKS) 
  • Support for OS and language packages 
  • Real-world exploitability insights (based on CISA kev, exploit DB and more) 
  • Support for ACR private links 

Agentless container posture management in Defender CSPM, powered by Defender Vulnerability Management 

To help proactively strengthen the security posture of your containerized environments, Defender CSPM provides a new vulnerability assessment offering for containers powered by Defender Vulnerability Management, with near real-time scans of new images, daily report refreshes, and real-world exploitability insights. Vulnerabilities are added to Defender CSPM security graph for contextual risk assessment and calculation of attack paths. Customers can now access out-of-the-box container vulnerability assessments that, combined with attack path analysis and agentless discovery of the Kubernetes estate, enable security teams to hunt for risks with the cloud security explorer and prioritize the vulnerabilities that pose the greatest risks to the organization. This agentless approach allows security teams to gain visibility into their Kubernetes and containers registries across the SDLC, removing friction and footprints from the workloads.


Enable Defender CSPM with agentless container posture in a single click.  


Attack path analysis outlining a containerized application publicly exposed with high severity vulnerabilities discovered using Defender Vulnerability ManagementAttack path analysis outlining a containerized application publicly exposed with high severity vulnerabilities discovered using Defender Vulnerability Management


Public preview of vulnerability assessment for containers in Defender for Containers, powered by Defender Vulnerability Management 

In providing comprehensive cloud workload protection, Defender for Containers new integration with Defender Vulnerability Management now provides our customers with vulnerability assessments through one-click enablement, near real-time scan of new images, and daily result refreshes of current and emerging vulnerabilities enriched withexploitability insights - all to help organizations focus on vulnerabilities with the greatest security impact to their organization

Enable Container vulnerability assessments powered by Defender Vulnerability Management in one click here.  


New vulnerability assessment recommendation powered by Defender Vulnerability ManagementNew vulnerability assessment recommendation powered by Defender Vulnerability Management


Learn more about the new capabilities in Microsoft Defender Vulnerability Management.


From code to cloud, Defender for Cloud is the comprehensive CNAPP to help you start secure with proactive posture hardening and stay secure with advanced threat protection across multicloud apps, infrastructure, and data. Develop an infinite mindset to cloud security and learn more about the expansion of the security portfolio in Microsoft Defender for Cloud. Get started today with these new innovations in Microsoft Defender for Cloud. 


1 2023 State of the Cloud Report, Flexera.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.