Incident Response in Azure
Azure is a public cloud computing platform from Microsoft that provides various cloud services such as computing, analytics, networking, and storage. It lets you choose which services you use to build and grow new applications or migrate existing applications to Azure.
Incident response refers to an organization’s handling of data breaches or cyberattacks, including how the organization attempts to control the impact of an attack or breach, known as a security incident. The ultimate goal of incident response is to effectively manage security incidents to minimize direct and secondary damage such as recovery costs and time, legal consequences, lost revenues, and reputational losses.
At a minimum, organizations should establish and implement a clear incident response plan. The plan should define what the company regards as a significant security event (an incident) and provide clear guidelines for employees to follow in response to a relevant incident.
It is also important to designate a team, employee, or leader responsible for managing the overall incident response plan and performing each action laid out in the incident response plan.
How Does Microsoft Respond to Security Incidents Against Azure Infrastructure?
The Azure cloud platform uses the shared responsibility model—Azure is responsible for securing the infrastructure, while customers are responsible for securing your workloads. Here is Microsoft’s part of the incident response process.
When a security incident occurs, Microsoft usually responds quickly and decisively to secure Azure services and prevent a breach of customer data. Microsoft’s incident response strategy involves investigating, containing, and removing security vulnerabilities and threats.
Microsoft continuously monitors its cloud services for indications of compromise (IoCs). Microsoft provides automated security monitoring tools and alerts and annual employee training to help users identify and report indications of a potential security incident.
Initiating a response procedure
When an employee, customer, or security monitoring solution detects suspicious activity, a service-specific response team steps in to investigate the incident. Every service operations team, including the service-specific response teams, provides round-the-clock resources by maintaining on-call rotations 24/7. These rotations allow Microsoft to implement incident response procedures successfully at any scale and time, covering widespread and concurrent incidents.
When you detect and escalate a suspicious action, the service-specific security response team initiates a process that includes analyzing, containing, and eradicating the threat and recovering the affected system. Various response teams can coordinate their incident analysis efforts to determine the scope of an event, including its impact on customers and sensitive data.
This collaborative analysis allows the security response teams to work with service teams to build a response plan to contain and eliminate the threat, minimize its impact, and recover the environment to a secure state. Each dedicated service team can leverage the security response team’s support to implement the plan and ensure a successful recovery.
Post-incident response
Once they have solved the incident, the relevant service team implements the lessons learned from the incident, improving your ability to prevent, identify, and respond to future incidents. In some cases, you might implement a full forensic investigation of the security incident, especially if it impacted customers or resulted in a data breach.
The investigation helps identify technical flaws, manual and procedural errors, and additional gaps contributing to the incident or present during the event. You can coordinate with the service-specific security response team to implement the improvements recommended by the investigation team. It will help you improve your incident detection and response strategy and prevent further incidents.
Azure Incident Response Tools
Azure provides the following tools that can help you setup your own incident response process on Azure, to deal with security incidents related to your workloads and data.
Azure Monitor
Azure Monitor maximizes the performance and availability of your services and applications. It provides a holistic solution that collects, analyzes, and manipulates telemetry data in on-premises and cloud environments. The information it provides can help you understand your application's performance, allowing you to detect security issues proactively and secure your applications and resources.
Application Insights
Application Insights is an Azure Monitor feature that offers scalable application performance management (APM) and real-time monitoring for web applications. Developers and DevOps teams can leverage Application Insights for the following tasks:
- Automatic detection of performance anomalies.
- Diagnosis of problems through powerful analysis tools.
- Observation of user activity on the application.
- Continuous improvement of application usability and performance.
Application Insights supports multiple platforms, including Node.js, .NET, Python, and Java. It works with various applications in different environments, including on-premises, hybrid, and public cloud, and integrates well with DevOps pipelines.
Microsoft Sentinel
Microsoft Sentinel is a cloud native platform that provides Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) capabilities. It is scalable, delivering advanced, enterprise-wide security analytics and threat intelligence. It offers a centralized solution for threat detection, threat hunting, visibility, and response.
Microsoft Sentinel provides a comprehensive view of the whole organization to reduce the stress of dealing with large alert volumes, extended resolution times, and sophisticated attack techniques. It collects cloud-scale data across all devices, users, applications, and infrastructure, including on-premises and hybrid or multi-cloud deployments.
It also detects previously unknown threats and minimizes false positives using Microsoft's unmatched analytics and threat intelligence capabilities. Microsoft Sentinel uses artificial intelligence to investigate threats, identify suspicious activity at scale, and leverage Microsoft's cybersecurity experience. It can quickly respond to incidents using built-in orchestration and common task automation.
Azure Advisor
Azure Advisor is a cloud advisor that offers recommendations to optimize Azure deployments. It is personalized and can analyze your resource configurations and usage to recommend solutions. It helps you find opportunities to reduce your overall Azure spending while improving resource performance, security, and reliability. Azure Advisor also offers security advice, which can significantly improve the overall security of solutions deployed in Azure. It bases its security recommendations on the analysis performed by Microsoft Defender for Cloud.
Defender for Cloud
Microsoft Defender for Cloud is a threat protection and security management tool that assesses your overall security posture and helps you secure your resources in the cloud. It offers Microsoft Defender programs to protect your Azure (and other) workloads.
Defender for Cloud gives you the tools to harden your cloud resources, track security mechanisms, prevent cyberattacks, and simplify security management. With native integration, Defender for Cloud is easy to deploy and provides simple, automatic configurations to protect resources by default.
If you enable the enhanced security features, Defender for Cloud can also detect threats to your workloads and resources. It sends alerts to the Azure portal or emails them directly to relevant contacts in your organization. Defender for Cloud can also stream alerts to a third-party security solution, such as SIEM or SOAR.
Conclusion
In this article I explained the basics on incident response and two aspects of incident response in the Azure cloud:
- Security incidents related to Azure infrastructure — these are handled by Microsoft as part of its responsibility for Azure cloud platform security.
- Security incidents related to workloads and data — these are typically the responsibility of the cloud customer. Azure provides several tools you can use to manage incident response, including Azure Monitor, Application Insights, and Defender for Cloud. You can add third-party security tools and processes to bolster incident response.
I hope this will be useful as you improve your ability to handle critical security incidents against Azure deployments.