Security Control: Posture and vulnerability management

Posture and Vulnerability Management focuses on controls for assessing and improving cloud security posture, including vulnerability scanning, penetration testing and remediation, as well as security configuration tracking, reporting, and correction in cloud resources.

PV-1: Define and establish secure configurations

CIS Controls v8 ID(s): 4.1, 4.2
NIST SP 800-53 r4 ID(s): CM-2, CM-6
PCI-DSS v3.2.1 ID(s): 1.1

Security principle: Define the security configuration baselines for different resource types in the cloud. Alternatively, use configuration management tools to establish the configuration baseline automatically before or during resource deployment so the environment can be compliant by default after the deployment.


Azure guidance: Use the Microsoft Cloud Security Benchmark and service baseline to define your configuration baseline for each respective Azure offering or service. Refer to the Azure reference architecture and Cloud Adoption Framework landing zone architecture to understand the critical security controls and configurations that may be needed across Azure resources.

Use Azure landing zone (and Blueprints) to accelerate the workload deployment by setting up configuration of services and application environments, including Azure Resource Manager templates, Azure RBAC controls, and Azure Policy.

Azure implementation and additional context:


AWS guidance: Use the Microsoft Cloud Security Benchmark - multi-cloud guidance for AWS and other input to define your configuration baseline for each respective AWS offering or service. Refer to the security pillar and other pillars in the AWS Well-Architected Framework to understand the critical security controls and configurations that may be needed across AWS resources.

Use AWS CloudFormation templates and AWS Config rules in the AWS landing zone definition to automate deployment and configuration of services and application environments.

AWS implementation and additional context:


GCP guidance: Use the Microsoft Cloud Security Benchmark – multi-cloud guidance for GCP and other input to define your configuration baseline for each respective GCP offering or service. Refer to pillars in Google Cloud deployments foundation blueprints, and landing zone design.

Use Terraform blueprints modules for Google Cloud and use native Google Cloud Deployment Manager to automate deployment and configuration of services and application environments.

GCP implementation and additional context:


Customer security stakeholders (Learn more):

PV-2: Audit and enforce secure configurations

CIS Controls v8 ID(s): 4.1, 4.2
NIST SP 800-53 r4 ID(s): CM-2, CM-6
PCI-DSS v3.2.1 ID(s): 2.2

Security principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration.


Azure guidance: Use Microsoft Defender for Cloud to configure Azure Policy to audit and enforce configurations of your Azure resources. Use Azure Monitor to create alerts when there is a configuration deviation detected on the resources.

Use Azure Policy definitions with the deny and deployIfNotExists effects to enforce secure configuration across Azure resources: deny rejects a non-compliant resource request before it is deployed, and deployIfNotExists deploys the required configuration when it is missing from an existing resource.

For resource configuration audit and enforcement not supported by Azure Policy, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement.
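To make the audit, deny and deployIfNotExists behaviours concrete, here is an added illustration (not code from the benchmark or from any cloud provider's SDK): a small baseline evaluator run over constructed sample resources, with the baseline rules, resource names and property names all assumed for the example.

```python
"""Added example: a minimal configuration-baseline evaluator that mimics the
three Azure Policy effects named in PV-2 (audit, deny, deployIfNotExists).
All rules, resources and property names are constructed sample data."""
from dataclasses import dataclass, field
from typing import Any

# Constructed baseline: resource type, property that must match, expected value,
# and the enforcement effect (names follow the Azure Policy effect names).
BASELINE = [
    {"type": "storageAccount", "property": "supportsHttpsTrafficOnly", "expect": True, "effect": "deny"},
    {"type": "storageAccount", "property": "minimumTlsVersion", "expect": "TLS1_2", "effect": "deny"},
    {"type": "virtualMachine", "property": "diagnosticsEnabled", "expect": True, "effect": "deployIfNotExists"},
    {"type": "virtualMachine", "property": "tags.owner", "expect": "present", "effect": "audit"},
]

@dataclass
class Result:
    allowed: list = field(default_factory=list)     # resources whose deployment may proceed
    denied: list = field(default_factory=list)      # (name, property) blocked before deployment
    remediated: list = field(default_factory=list)  # (name, property) corrected by deployIfNotExists
    findings: list = field(default_factory=list)    # (name, property) audit-only deviations

def _get(resource: dict, dotted: str) -> Any:
    """Read a possibly nested property such as 'tags.owner'."""
    cur: Any = resource
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur

def _compliant(value: Any, expect: Any) -> bool:
    return value is not None if expect == "present" else value == expect

def evaluate(resources: list, baseline: list = BASELINE) -> Result:
    """Apply each baseline rule to each resource of the matching type.
    deny blocks the resource; deployIfNotExists sets the property in place
    (simulating the remediation deployment; only top-level properties are
    patched here); audit merely records the deviation."""
    res = Result()
    for r in resources:
        blocked = False
        for rule in baseline:
            if rule["type"] != r["type"] or _compliant(_get(r, rule["property"]), rule["expect"]):
                continue
            entry = (r["name"], rule["property"])
            if rule["effect"] == "deny":
                res.denied.append(entry)
                blocked = True
            elif rule["effect"] == "deployIfNotExists":
                r[rule["property"]] = rule["expect"]   # drift corrected by the deployment
                res.remediated.append(entry)
            else:
                res.findings.append(entry)
        if not blocked:
            res.allowed.append(r["name"])
    return res

def sample_resources() -> list:
    """Constructed inventory: one non-compliant storage account, one compliant
    one, and a VM missing diagnostics and an owner tag."""
    return [
        {"name": "stprod01", "type": "storageAccount", "supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_2"},
        {"name": "stprod02", "type": "storageAccount", "supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"},
        {"name": "vm-web-01", "type": "virtualMachine", "diagnosticsEnabled": False, "tags": {}},
    ]

if __name__ == "__main__":
    print(evaluate(sample_resources()))
```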

Azure implementation and additional context:


AWS guidance: Use AWS Config rules to audit configurations of your AWS resources, and optionally resolve configuration drift with an AWS Systems Manager Automation runbook associated with the AWS Config rule. Use Amazon CloudWatch to create alerts when a configuration deviation is detected on the resources.

For resource configuration audit and enforcement not supported by AWS Config, you may need to write custom scripts or use third-party tooling to implement the configuration audit and enforcement.

You can also centrally monitor your configuration drifting by onboarding your AWS account to Microsoft Defender for Cloud.

AWS implementation and additional context:


GCP guidance: Use Google Cloud Security Command Center to audit the configuration of your GCP resources. Use Google Cloud Monitoring in Operations Suite to create alerts when a configuration deviation is detected on the resources.

To govern your organization, use Organization Policy to centralize programmatic control over your organization's cloud resources. As the organization policy administrator, you can configure constraints across your entire resource hierarchy.

For resource configuration audit and enforcement not supported by Organization Policy, you may need to write custom scripts, or use third-party tooling to implement the configuration audit and enforcement.

GCP implementation and additional context:


Customer security stakeholders (Learn more):

PV-3: Define and establish secure configurations for compute resources

CIS Controls v8 ID(s): 4.1
NIST SP 800-53 r4 ID(s): CM-2, CM-6
PCI-DSS v3.2.1 ID(s): 2.2

Security principle: Define the secure configuration baselines for your compute resources, such as VMs and containers. Use configuration management tools to establish the configuration baseline automatically before or during the compute resource deployment so the environment can be compliant by default after the deployment. Alternatively, use a pre-configured image to build the desired configuration baseline into the compute resource image template.


Azure guidance: Use Azure recommended operating system security baselines (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline.

Additionally, you can use a custom VM image (using Azure Image Builder) or container image with Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) and Azure Automation State Configuration to establish the desired security configuration.

Azure implementation and additional context:


AWS guidance: Use Amazon Machine Images (AMIs) from trusted sources on the AWS Marketplace as a benchmark to define your EC2 configuration baseline.

Additionally, you can use EC2 Image Builder to build a custom AMI template with the Systems Manager agent installed to establish the desired security configuration. Note: The AWS Systems Manager Agent is preinstalled on some Amazon Machine Images (AMIs) provided by AWS.

For workload applications running in your EC2 instances, AWS Lambda, or container environments, you can use AWS Systems Manager AppConfig to establish the desired configuration baseline.

AWS implementation and additional context:


GCP guidance: Use Google Cloud recommended operating system security baselines (for both Windows and Linux) as a benchmark to define your compute resource configuration baseline.

Additionally, you can use a custom VM image built with Packer, or a container image built with Google Cloud Build, to establish the desired configuration baseline.

GCP implementation and additional context:


Customer security stakeholders (Learn more):

PV-4: Audit and enforce secure configurations for compute resources

CIS Controls v8 ID(s): 4.1
NIST SP 800-53 r4 ID(s): CM-2, CM-6
PCI-DSS v3.2.1 ID(s): 2.2

Security principle: Continuously monitor and alert when there is a deviation from the defined configuration baseline in your compute resources. Enforce the desired configuration according to the baseline configuration by denying the non-compliant configuration or deploying a configuration in compute resources.


Azure guidance: Use Microsoft Defender for Cloud and Azure Automanage Machine Configuration (formerly called Azure Policy Guest Configuration) to regularly assess and remediate configuration deviations on your Azure compute resources, including VMs, containers, and others. In addition, you can use Azure Resource Manager templates, custom operating system images, or Azure Automation State Configuration to maintain the security configuration of the operating system. Microsoft VM templates in conjunction with Azure Automation State Configuration can assist in meeting and maintaining security requirements. Use Change Tracking and Inventory in Azure Automation to track changes in virtual machines hosted in Azure, on-premises, and other cloud environments to help you pinpoint operational and environmental issues with software managed by the Distribution Package Manager. Install the Guest Attestation agent on virtual machines to monitor for boot integrity on confidential virtual machines.

Note: Azure Marketplace VM images published by Microsoft are managed and maintained by Microsoft.

Azure implementation and additional context:


AWS guidance: Use the State Manager feature of AWS Systems Manager to regularly assess and remediate configuration deviations on your EC2 instances. In addition, you can use CloudFormation templates or custom operating system images to maintain the security configuration of the operating system. AMI templates in conjunction with Systems Manager can assist in meeting and maintaining security requirements.

You can also centrally monitor and manage operating system configuration drift through Azure Automation State Configuration and onboard the applicable resources to Azure security governance using the following methods:

  • Onboard your AWS account into Microsoft Defender for Cloud
  • Use Azure Arc for servers to connect your EC2 instances to Microsoft Defender for Cloud

For workload applications running in your EC2 instances, AWS Lambda, or container environments, you can use AWS Systems Manager AppConfig to audit and enforce the desired configuration baseline.

Note: AMIs published by Amazon Web Services in AWS Marketplace are managed and maintained by Amazon Web Services.

AWS implementation and additional context:


GCP guidance: Use VM Manager and Google Cloud Security Command Center to regularly assess and remediate configuration deviation on your Compute Engine instances, containers, and serverless resources. In addition, you can use Deployment Manager VM templates or custom operating system images to maintain the security configuration of the operating system. Deployment Manager VM templates in conjunction with VM Manager can assist in meeting and maintaining security requirements.

You can also centrally monitor and manage operating system configuration drift through Azure Automation State Configuration and onboard the applicable resources to Azure security governance using the following methods:

  • Onboard your GCP project into Microsoft Defender for Cloud
  • Use Azure Arc for servers to connect your GCP VM instances to Microsoft Defender for Cloud

GCP implementation and additional context:


Customer security stakeholders (Learn more):

PV-5: Perform vulnerability assessments

CIS Controls v8 ID(s): 5.5, 7.1, 7.5, 7.6
NIST SP 800-53 r4 ID(s): RA-3, RA-5
PCI-DSS v3.2.1 ID(s): 6.1, 6.2, 6.6

Security principle: Perform vulnerability assessments for your cloud resources at all tiers on a fixed schedule or on demand. Track and compare the scan results to verify that the vulnerabilities are remediated. The assessment should cover all types of vulnerabilities, such as vulnerabilities in Azure services, network, web, operating systems, misconfigurations, and so on.

Be aware of the potential risks associated with the privileged access used by the vulnerability scanners. Follow the privileged access security best practice to secure any administrative accounts used for the scanning.


Azure guidance: Follow recommendations from Microsoft Defender for Cloud for performing vulnerability assessments on your Azure virtual machines, container images, and SQL servers. Microsoft Defender for Cloud has a built-in vulnerability scanner for virtual machines. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications).

Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Microsoft Defender for Cloud, you can pivot into the selected scan solution's portal to view historical scan data.

When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing JIT (Just In Time) provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

Note: Microsoft Defender services (including Defender for servers, containers, App Service, Database, and DNS) embed certain vulnerability assessment capabilities. The alerts generated from Azure Defender services should be monitored and reviewed together with the result from Microsoft Defender for Cloud vulnerability scanning tool.

Note: Ensure you set up email notifications in Microsoft Defender for Cloud.

Azure implementation and additional context:


AWS guidance: Use Amazon Inspector to scan your Amazon EC2 instances and container images residing in Amazon Elastic Container Registry (Amazon ECR) for software vulnerabilities and unintended network exposure. Use a third-party solution for performing vulnerability assessments on network devices and applications (e.g., web applications).

Refer to control ES-1, "Use Endpoint Detection and Response (EDR)", to onboard your AWS account into Microsoft Defender for Cloud and deploy Microsoft Defender for servers (with Microsoft Defender for Endpoint integrated) in your EC2 instances. Microsoft Defender for servers provides a native threat and vulnerability management capability for your VMs. The vulnerability scanning result will be consolidated in the Microsoft Defender for Cloud dashboard.

Track the status of vulnerability findings to ensure they are properly remediated, or suppressed if they are considered false positives.

When conducting remote scans, do not use a single, perpetual, administrative account. Consider implementing a temporary provisioning methodology for the scan account. Credentials for the scan account should be protected, monitored, and used only for vulnerability scanning.

AWS implementation and additional context:


GCP guidance: Follow recommendations from Microsoft Defender for Cloud and/or Google Cloud Security Command Center for performing vulnerability assessments on your Compute Engine instances. Security Command Center has built-in vulnerability assessment for network devices and applications (e.g., Web Security Scanner).

Export scan results at consistent intervals and compare the results with previous scans to verify that vulnerabilities have been remediated. When using vulnerability management recommendations suggested by Security Command Center, you can pivot into the selected scan solution's portal to view historical scan data.
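The "export and compare with previous scans" step in the Azure and GCP guidance, and the "remediated or suppressed" tracking in the AWS guidance, amount to a diff between two findings exports. Here is an added example of that comparison (not the benchmark's or any scanner's own code): the two exports, their dates, the finding identifiers and the per-severity age limits are all constructed assumptions.

```python
"""Added example: compare two exported vulnerability scan results to verify
remediation between scan intervals. Exports, dates, identifiers and the
per-severity age limits are constructed sample data, not real findings."""
from datetime import date

# Constructed exports shaped like a generic findings export. A finding is keyed
# by (affected resource, vulnerability/check id); VULN-000x are placeholders.
PREVIOUS_SCAN = {
    "scan_date": "2024-03-01",
    "findings": [
        {"resource": "vm-web-01", "id": "VULN-0001", "severity": "High"},
        {"resource": "vm-web-01", "id": "VULN-0002", "severity": "Medium"},
        {"resource": "vm-db-01", "id": "VULN-0003", "severity": "Critical"},
        {"resource": "vm-db-01", "id": "VULN-0004", "severity": "Low", "status": "suppressed"},
    ],
}
CURRENT_SCAN = {
    "scan_date": "2024-03-15",
    "findings": [
        {"resource": "vm-web-01", "id": "VULN-0002", "severity": "Medium"},
        {"resource": "vm-db-01", "id": "VULN-0003", "severity": "Critical"},
        {"resource": "vm-db-01", "id": "VULN-0004", "severity": "Low", "status": "suppressed"},
        {"resource": "vm-api-01", "id": "VULN-0005", "severity": "High"},
    ],
}

# Assumed maximum days a finding may persist before it is flagged as overdue.
MAX_AGE_DAYS = {"Critical": 7, "High": 14, "Medium": 30, "Low": 90}

def _index(scan: dict) -> dict:
    return {(f["resource"], f["id"]): f for f in scan["findings"]}

def compare_scans(previous: dict, current: dict) -> dict:
    """Classify findings as remediated (gone), new, or persistent, and flag
    persistent ones older than the severity's age limit. Age is approximated
    by the interval between the two compared scans; tracking a first-seen
    date across all exports gives the exact age."""
    prev, cur = _index(previous), _index(current)
    remediated = sorted(k for k in prev if k not in cur)
    new = sorted(k for k in cur if k not in prev)
    # Suppressed findings (accepted false positives) are not counted as open.
    persistent = sorted(k for k in cur if k in prev and cur[k].get("status") != "suppressed")
    elapsed = (date.fromisoformat(current["scan_date"])
               - date.fromisoformat(previous["scan_date"])).days
    overdue = [k for k in persistent if elapsed > MAX_AGE_DAYS[cur[k]["severity"]]]
    return {"remediated": remediated, "new": new, "persistent": persistent,
            "overdue": overdue, "days_between_scans": elapsed}

if __name__ == "__main__":
    for key, value in compare_scans(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(f"{key}: {value}")
```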

GCP implementation and additional context:


Customer security stakeholders (Learn more):

PV-6: Rapidly and automatically remediate vulnerabilities

CIS Controls v8 ID(s): 7.2, 7.3, 7.4, 7.7
NIST SP 800-53 r4 ID(s): RA-3, RA-5, SI-2 (Flaw Remediation)
PCI-DSS v3.2.1 ID(s): 6.1, 6.2, 6.5, 11.2

Security principle: Rapidly and automatically deploy patches and updates to remediate vulnerabilities in your cloud resources. Use the appropriate risk-based approach to prioritize the remediation of vulnerabilities. For example, more severe vulnerabilities in a higher value asset should be addressed as a higher priority.
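The risk-based prioritization described above, as an added example that is not part of the benchmark: a remediation queue that ranks findings by severity scaled by asset value, with bumps for internet exposure and known exploitation, and assigns a patch deadline per priority band. The weights, band thresholds, deadlines and sample findings are all assumptions for the illustration.

```python
"""Added example: a risk-based remediation queue implementing the PV-6
principle that a more severe vulnerability on a higher-value asset comes
first. Weights, bands, deadlines and sample findings are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str            # placeholder identifiers in the sample data
    cvss: float             # CVSS base score, 0.0 to 10.0
    asset_value: str        # "high" | "medium" | "low" business value of the asset
    internet_facing: bool
    exploited_in_wild: bool = False

ASSET_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}   # assumed multipliers
DEADLINE_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}   # assumed SLA per band

def risk_score(f: Finding) -> float:
    """Severity scaled by asset value, plus additive bumps for exposure and
    active exploitation so that context can outrank raw CVSS."""
    score = f.cvss * ASSET_WEIGHT[f.asset_value]
    if f.internet_facing:
        score += 5.0
    if f.exploited_in_wild:
        score += 10.0
    return score

def priority_band(score: float) -> str:
    if score >= 28:
        return "P1"
    if score >= 18:
        return "P2"
    if score >= 9:
        return "P3"
    return "P4"

def build_queue(findings: list, reported: date) -> list:
    """Return findings ordered by descending risk, each with its band and due date."""
    queue = []
    for f in sorted(findings, key=risk_score, reverse=True):
        band = priority_band(risk_score(f))
        queue.append({"asset": f.asset, "vuln_id": f.vuln_id, "score": risk_score(f),
                      "priority": band, "due": reported + timedelta(days=DEADLINE_DAYS[band])})
    return queue

def sample_findings() -> list:
    """Constructed findings: note the two identical CVSS 9.8 entries on assets of
    different value, and the lower-CVSS but exploited, internet-facing one."""
    return [
        Finding("vm-web-01", "VULN-0001", 7.5, "medium", True, True),
        Finding("vm-db-01", "VULN-0003", 9.8, "high", False),
        Finding("vm-dev-07", "VULN-0007", 9.8, "low", False),
        Finding("vm-hr-02", "VULN-0002", 4.3, "medium", False),
    ]

if __name__ == "__main__":
    for entry in build_queue(sample_findings(), date.today()):
        print(entry)
```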


Azure guidance: Use Azure Automation Update Management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.

For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager.

Azure implementation and additional context:


AWS guidance: Use AWS Systems Manager - Patch Manager to ensure that the most recent security updates are installed on your operating systems and applications. Patch Manager supports patch baselines to allow you to define a list of approved and rejected patches for your systems.

You can also use Azure Automation Update Management to centrally manage the patches and updates of your AWS EC2 Windows and Linux instances.

For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager.

AWS implementation and additional context:


GCP guidance: Use Google Cloud VM Manager OS patch management or a third-party solution to ensure that the most recent security updates are installed on your Windows and Linux VMs. For Windows VMs, ensure Windows Update has been enabled and set to update automatically.

For third-party software, use a third-party patch management solution or Microsoft System Center Updates Publisher for Configuration Manager.

GCP implementation and additional context:


Customer security stakeholders (Learn more):

PV-7: Conduct regular red team operations

CIS Controls v8 ID(s): 18.1, 18.2, 18.3, 18.4, 18.5
NIST SP 800-53 r4 ID(s): CA-8, RA-5
PCI-DSS v3.2.1 ID(s): 6.6, 11.2, 11.3

Security principle: Simulate real-world attacks to provide a more complete view of your organization's vulnerability. Red team operations and penetration testing complement the traditional vulnerability scanning approach to discover risks.

Follow industry best practices to design, prepare and conduct this kind of testing to ensure it will not cause damage or disruption to your environment. This should always include discussing testing scope and constraints with relevant stakeholders and resource owners.


Azure guidance: As required, conduct penetration testing or red team activities on your Azure resources and ensure remediation of all critical security findings.

Follow the Microsoft Cloud Penetration Testing Rules of Engagement to ensure your penetration tests are not in violation of Microsoft policies. Use Microsoft's published strategy and execution of Red Teaming and live site penetration testing against Microsoft-managed cloud infrastructure, services, and applications as a reference for your own program.

Azure implementation and additional context:


AWS guidance: As required, conduct penetration testing or red team activities on your AWS resources and ensure remediation of all critical security findings.

Follow the AWS Customer Support Policy for Penetration Testing to ensure your penetration tests are not in violation of AWS policies.

AWS implementation and additional context:


GCP guidance: As required, conduct penetration testing or red team activities on your GCP resources and ensure remediation of all critical security findings.

Follow the GCP Customer Support Policy for Penetration Testing to ensure your penetration tests are not in violation of GCP policies.

GCP implementation and additional context:


Customer security stakeholders (Learn more):