
05 - Secure Multi-Cloud Environments Workshop - General Overview


Secure Multi-Cloud Environments Workshop
Microsoft Defender for Cloud
Protect your multi-cloud and hybrid environments
Workshop Agenda

• Using Microsoft Defender for Cloud to identify active threats on targeted hybrid workloads
• Demonstrating investigation and response to threats using Defender for Cloud
• Discovering vulnerabilities on existing Azure, hybrid and multi-cloud workloads and explaining how to reduce the attack surface
• Providing guidance for production implementation of Microsoft Defender for Cloud and hands-on experience with Azure Network Security product features
Cloud security challenges

Visibility into security and compliance: 52% of organizations cite secure configuration of cloud resources as a top priority. [1]

Increase in number and sophistication of attacks: In 2021, the average cost of a breach was $4.24M. [2]

Complexity managing multi-cloud environments: 92% of organizations are embracing a multi-cloud strategy.

[1] Source: 451 Research
[2] Source: Ponemon Institute, Cost of a Breach Report
Microsoft Defender for Cloud
Cloud native application protection across clouds and on-prem environments

Harden and manage your security posture
• Secure configuration of resources
• Management of compliance requirements

Detect threats and protect your workloads
• Full-stack threat protection
• Vulnerability assessment & management

Respond & automate
• Automate with the tools of your choice
• Assess and resolve security alerts and incidents
• Automate response

Covered environments: Microsoft Azure, Amazon Web Services, Google Cloud Platform, on-prem


How we're different

Built-in with Azure
• No deployment, just enable
• Built into the resource provisioning process
• Broadest protection coverage

Multi-cloud and hybrid support
• Agentless onboarding for AWS and GCP posture management
• Auto provisioning for new resources
• Onboard on-prem resources with Azure Arc

Secure Score
• Bird's-eye view of the security posture of all your clouds
• Prioritized security recommendations
• Track and manage your security posture state over time
• Remediate with a click

Advanced Threat Protection
• Workload-specific signals and threat alerts
• Deterministic, AI, and anomaly-based detection mechanisms
• Leverages the power of Microsoft Threat Intelligence with 24 trillion signals daily
Make Microsoft Defender for Cloud work for you

Chief Information Security Security


Security Officer Admin Operations

Responsibilities Responsibilities Responsibilities


Create an overall security Reduce the attack surface of the Around the clock threat hunting,
strategy that creates resilience organization’s cloud environments investigation of breaches, and
against cyber attacks and track mitigation of incidents
performance over time Product use cases
• Harden the cloud environment Product use cases
Product use cases with recommendations • Leverage workload-specific threat
• Top level view of the detections and response
• Set security policies for the
multicloud security state mechanisms to identify attacks,
environment, monitor investigate alerts and incidents,
• Create dashboards to implementation, track down and quickly mitigate threats
visualize progress over time vulnerabilities
• Manage the multicloud
asset inventory
Harden and manage your security posture
Holistic management of your security posture in the cloud

Resource visibility: View and manage your cloud resource inventory.
Secure Score: Understand the bottom line of your security posture, implement recommendations, and monitor over time.
Compliance: Ensure your configurations align with key compliance standards and enforce organizational policies.
Data security: Identify sensitive data and prioritize critical resources.
The security dashboard

Centralized posture view: Your security posture across Azure, AWS, and GCP in one place.
Focused views: Easily access deep-dive views for security posture, resource inventory, workload protection, and more.
Top insights front and center: Understand which recommendations to prioritize; see your most attacked resources and take action.
Secure Score

• Assess and implement best practices for security and compliance
• Cover all critical cloud resources across network, access, compute, databases, your service layer and more
• 450+ out-of-the-box recommendations
• Create custom recommendations to meet organizational requirements
• Use "Quick fix" to remediate with a single click, or scale enforcement mechanisms to enforce policies and avoid configuration drift

Evaluated categories: Access, Compute, SQL server, IoT, Network, App Services, Containers

Compliance assessment and management

• Assess and manage your compliance status with a continuous assessment of your cloud resources
• Use industry standards, regulatory compliance frameworks, and vendor-provided benchmarks to implement security and compliance best practices
• Create custom recommendations to meet unique organizational needs

Support for: CIS, PCI, NIST, SOC, ISO, HIPAA, local/national compliance standards, Azure Security Benchmark, AWS Foundational Security Best Practices
Identify sensitive data in cloud resources
Integrated with Microsoft Purview

• Extend visibility from cloud infrastructure resources into the data layer
• Leverage an entirely new way to prioritize security policies and the investigation of alerts
• Filter recommendations and resources by data sensitivity
• Easily view the number of assets that contain sensitive information across your environment
Detect threats and protect your workloads
Threat protection for all layers of the cloud and on-prem

Threat detection: Prioritized alerts across compute, databases, the cloud service layer, and more.
MITRE ATT&CK® framework mapping: Understand the effect across the adversary's attack lifecycle.
Leading threat intelligence: Rely on highly sophisticated and resource-specific alerts based on Microsoft's global threat intelligence.
Vulnerability management: Identify and remediate vulnerabilities before they are exploited.
Alert correlation: Prioritize more easily with connected alerts that are grouped into incidents.
Protect your workloads in the cloud and on-premises

• Use detections that are built for the unique attack vectors of each resource type, built on the powerful insights of Microsoft Threat Intelligence
• Reduce your attack surface by continuously scanning workloads to identify and manage vulnerabilities
• Automatically protect new workloads as soon as they are deployed
• Integrate with your SIEM for easy management of incidents

Security alerts and incidents

• Use prioritized alerts when threats are detected on your resources
• Investigate effectively with smart alert correlation that combines different alerts and low-fidelity signals into security incidents
• Manage incidents with a central view of attack campaigns and related alerts
Full-stack coverage with dedicated detections

Compute: any server, Azure VMSS, App Services, Azure Kubernetes
Service layer: Key Vault, Azure DNS, network layer, Azure Resource Manager
Databases and storage: Blob storage, File storage, MariaDB, Azure Cosmos DB, Azure SQL, MySQL, PostgreSQL
AWS workloads: Amazon EKS, Amazon EC2
GCP workloads: GKE clusters, Google Compute
Operationalize Defender for Cloud
Multi-cloud and hybrid protection

• Automatic onboarding for Azure subscriptions
• Use API connectors to onboard AWS and GCP accounts to posture management capabilities (agentless CSPM enablement)
• Use the Azure Arc agent to onboard workloads outside of Azure and protect them against threats (built-in workload protection)
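The "just enable" step above, written as infrastructure code. This is an added example and is not part of the workshop deck or of Microsoft's own material: it turns on Defender for Cloud workload-protection plans per resource type on the current subscription with the Terraform azurerm provider, and registers a security contact for alert e-mail. The provider version constraint, the choice of plans and sub-plans, and the contact address are assumptions; the block expects the provider to be authenticated to the target subscription.

```hcl
# Added example (not from the deck). Assumes an authenticated azurerm provider;
# the contact e-mail is a placeholder.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.50"
    }
  }
}

provider "azurerm" {
  features {}
}

# Each Defender plan is its own pricing resource. "Free" keeps only the
# foundational CSPM recommendations and Secure Score for that resource type;
# "Standard" switches on the workload threat detection described in the
# "Detect threats" slides. A null sub-plan means the plan's default.
locals {
  defender_plans = {
    VirtualMachines = "P2"                   # Defender for Servers plan 2
    StorageAccounts = "DefenderForStorageV2"
    SqlServers      = null
    AppServices     = null
    Containers      = null
    KeyVaults       = null
    Arm             = null                   # Azure Resource Manager (control plane)
    Dns             = null
  }
}

resource "azurerm_security_center_subscription_pricing" "plan" {
  for_each      = local.defender_plans
  tier          = "Standard"
  resource_type = each.key
  subplan       = each.value
}

# Send alert notifications to the SOC mailbox and to subscription owners.
resource "azurerm_security_center_contact" "soc" {
  name                = "default1"
  email               = "soc@example.com"   # placeholder
  alert_notifications = true
  alerts_to_admins    = true
}
```

Dropping a key from `local.defender_plans` and applying again does not downgrade that plan to "Free"; Terraform only destroys the pricing resource, so an explicit `tier = "Free"` entry is the way to switch a plan off deliberately.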
Use Azure Arc to connect workloads anywhere to Microsoft Defender for Cloud

Azure Arc unlocks hybrid and multi-cloud scenarios so you can manage security for all your resources in a consistent way:

• Single control plane (Azure Resource Manager) for any resource, anywhere
• Extension installation, e.g. Log Analytics agent
• Enforce compliance and simplify audit reporting
• Asset organization and inventory with a unified view in the Azure Portal (Azure Tags)
• Server owners can view and remediate to meet their compliance (RBAC in Azure)

(Diagram: Azure Arc connecting multi-cloud and datacenter/hosted workloads to Azure Resource Manager.)
Respond and automate

• Leverage "Quick Fixes" for the fastest way to implement recommendations
• Automate threat alert responses with Azure Logic Apps and use the apps of your choice to create intelligent workflows
• Connect to Microsoft Sentinel and easily move between the portals when investigating and managing incidents
Secure Multi-Cloud Environments Workshop
Azure Network Security Overview

Contents

Section 1: Azure DDoS Protection Standard
Section 2: Azure Web Application Firewall
Section 3: Azure Firewall
Section 4: Azure Firewall Manager
Azure networking services

• DDoS Protection
• Azure WAF
• Azure Firewall
• Azure Firewall Manager
• Network Security Groups
• Service Endpoints/Private Link
• Network Watcher
• ExpressRoute Monitor
• Azure Monitor
• Virtual Network TAP
• Virtual Network
• Virtual WAN
• ExpressRoute
• VPN
• DNS
• CDN
• Front Door
• Traffic Manager
• Application Gateway
• Load Balancer
Azure DDoS Protection: Standard

What is a DDoS attack?
A Distributed Denial of Service (DDoS) attack is an attempt to make an online service unavailable by exhausting its resources (bandwidth, compute, etc.). It can break online commerce, and be used as a form of extortion or as a form of hacktivism.

DDoS-for-hire services make it extremely easy and inexpensive to generate targeted DDoS attacks:
• 1-hour DDoS attack: $48
• 1-day DDoS attack: $134
• 1-month DDoS attack: $1000

$5,600/minute: estimated cost of downtime for SMEs impacted by DDoS attacks (Gartner)
33%: percentage of downtime incidents attributed to DDoS attacks (Verisign/Merit Research)
Azure DDoS Protection: 2021 Q3 and Q4 DDoS attack trends

DDoS attack trends (largest attack size per year shown on the chart):
• 2014: 400 Gbps (NTP amplification)
• 2016: 650 Gbps (protocol flood)
• 2018: 1.7 Tbps (Memcached)
• 2020: 2.3 Tbps (CLDAP reflection)
• 2021: 3.4 Tbps (UDP reflection)
DDoS attack types

Volumetric attacks: Brute-force attacks that saturate network links and resources. Example attacks: TCP flood, excessive TCP segments, spoofing, amplification, etc.

Protocol attacks: Attacks that consume actual server resources, or those of intermediate communication equipment such as firewalls and load balancers. Example attacks: GRE, ICMP ping flood, excessive fragments, land attack, etc.

Resource attacks: Target the application layer and involve triggering a back-end process to overwhelm resources on the target system. Example attacks: Slowloris, poison cache, slow POST, etc.
Microsoft's DDoS protection global scale

• 62 regions
• 50 Tbps mitigation capacity
• 450+ attack mitigations daily
• Inbound & outbound mitigations
Azure DDoS Protection Standard
Cloud-scale DDoS protection for Virtual Networks in Azure

1. Azure global network
2. Adaptive tuning
3. Attack analytics & metrics
4. Integration with Microsoft Defender for Cloud and Microsoft Sentinel
5. DDoS Rapid Response (DRR)
6. SLA guarantee and cost protection

(Diagram: Azure DDoS mitigation at the Azure global network edge, in front of a central VNet hosting Azure Firewall and Azure WAF with spoke VNets; inbound and outbound traffic paths to and from the public Internet.)
Infrastructure Protection vs. Standard SKU

| Feature | DDoS Infrastructure Protection | DDoS Protection Standard |
| --- | --- | --- |
| Active traffic monitoring & always-on detection | Yes | Yes |
| Automatic attack mitigations | Yes | Yes |
| Integration with Microsoft Sentinel | No | Yes |
| Availability guarantee | Azure region | Application |
| Mitigation policies | Tuned for traffic volume at an Azure region level | Tuned for traffic volume at a customer resource level |
| Metrics & alerts | No | Real-time attack metrics & resource logs via Azure Monitor |
| Mitigation reports | No | Post-attack mitigation reports |
| Mitigation flow logs | No | NRT log stream for SIEM integration |
| Mitigation policy customization | No | Engage DDoS Experts |
| Support | Best effort | Access to DDoS Experts during an active attack |
| SLA | Azure region | Application guarantee & cost protection |
| Pricing | Free | Monthly & usage based |

Azure Web Application Firewall

Azure application delivery portfolio
Together, application delivery services let you build mission-critical, dynamic, high-performance global applications: Azure Front Door, Web Application Firewall, Application Gateway, Azure Load Balancer, Azure CDN, Azure Traffic Manager, DDoS Protection, API Management.
Web application attack landscape
Increase in scale, sophistication, and new threats

DDoS attacks: Brute-force attacks that saturate network links and resources. Example attacks: TCP SYN flood, UDP reflection, amplification, HTTP(S) flood.

Web application attacks: Exploit web application vulnerabilities. Example attacks: OWASP Top 10: SQL injection, cross-site scripting, OS command injection, remote file inclusion.

Malicious bots: Target both infrastructure and web applications to gain competitive advantage. Example attacks: content and price scrapers, credential stuffing.
Azure WAF

Best choice for Azure customers:
• Meet enterprise compliance standards
• Platform managed, ease of use
• Highly available, scalable, performant
• Protect web applications in Azure or elsewhere
• Quick responses to new attacks

Two deployment options:
1. Azure Global WAF (Front Door): integrated with Azure Front Door/CDN at the network edge; combines application acceleration, caching, and protection.
2. Azure Regional WAF (Application Gateway): integrated with Application Gateway; dedicated protection for both public and private web sites.

(Diagram: incoming requests are filtered at network edge locations by the global WAF, or in-region by the regional WAF; only valid requests reach back ends in Azure regions, other clouds, or on-premises.)

Azure web application protection

Global (Azure Front Door):
• DDoS attacks: global footprint with non-HTTP/S traffic filtering at Azure network edges
• Web application attacks: Azure WAF on Front Door protects against common L7 web attacks
• Malicious bots: legitimate traffic is allowed through
Azure Web Application Firewall combined with the global scale of Azure network edges provides protection from multiple attack types.

Regional (Application Gateway):
• DDoS attacks: L3/L4 DDoS mitigation tuned to app traffic patterns with Azure DDoS Standard
• Web application attacks: Azure WAF on Application Gateway protects against common L7 web attacks
• Malicious bots: legitimate traffic is allowed through
Azure DDoS Protection Standard combined with Azure Web Application Firewall provides adaptive protection from multiple attack types.
Azure WAF key features

• Powerful custom rules engine: geo-match filtering, IP restriction, HTTP request parameter filtering, size restriction
• Conditional rate limiting at the Azure network edge (Front Door)
• Preconfigured OWASP Top 10 rules
• Bot protection integration with Microsoft Threat Intelligence
• Easy configuration: ARM, Portal, API, PowerShell, CLI, Terraform

(Diagram: a WAF Policy composed of custom rules, OWASP rules and bot management is applied to incoming requests at the Azure Global WAF (Front Door) or the Azure Regional WAF (Application Gateway); logs and metrics flow to Azure Monitor and Microsoft Sentinel.)
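The custom-rule features listed above, exercised together in one policy. This is an added example and is not part of the deck or of Microsoft's material: an Azure Front Door (global) WAF policy defined with the Terraform azurerm provider that combines an IP allow rule, a geo-match block, a request size restriction and a conditional rate limit on the login path, layered under the managed OWASP-derived Default Rule Set and the Bot Manager rule set. The resource group, country codes, CIDR range, size limit, rate threshold and `/login` path are assumptions, as is an authenticated `provider "azurerm" { features {} }` configuration; the policy still has to be associated with a Front Door Premium endpoint through a security policy, which is not shown.

```hcl
# Added example (not from the deck). Resource group, countries, CIDR, size
# limit, rate threshold and path are placeholders.
resource "azurerm_cdn_frontdoor_firewall_policy" "edge" {
  name                = "wafpolicyEdge"
  resource_group_name = "rg-edge"
  sku_name            = "Premium_AzureFrontDoor"
  enabled             = true
  mode                = "Prevention"   # "Detection" logs only; use it while tuning

  # Custom rules are evaluated before managed rules, lowest priority value first.

  # IP restriction: corporate egress range is always allowed through.
  custom_rule {
    name     = "AllowCorpEgress"
    enabled  = true
    priority = 10
    type     = "MatchRule"
    action   = "Allow"
    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "IPMatch"
      negation_condition = false
      match_values       = ["203.0.113.0/24"]   # TEST-NET-3 placeholder
    }
  }

  # Geo-match: the application serves two markets; everything else is blocked.
  custom_rule {
    name     = "BlockOutsideServedMarkets"
    enabled  = true
    priority = 20
    type     = "MatchRule"
    action   = "Block"
    match_condition {
      match_variable     = "RemoteAddr"
      operator           = "GeoMatch"
      negation_condition = true   # "not in" these countries
      match_values       = ["NL", "DE"]
    }
  }

  # Size restriction: reject over-long request URIs before deeper inspection.
  custom_rule {
    name     = "BlockLongUri"
    enabled  = true
    priority = 30
    type     = "MatchRule"
    action   = "Block"
    match_condition {
      match_variable     = "RequestUri"
      operator           = "GreaterThan"
      negation_condition = false
      match_values       = ["2048"]   # length in bytes
    }
  }

  # Conditional rate limit: per client IP, at most 100 POSTs per minute to the
  # login path (credential-stuffing throttle) instead of limiting the whole site.
  custom_rule {
    name                           = "RateLimitLogin"
    enabled                        = true
    priority                       = 40
    type                           = "RateLimitRule"
    action                         = "Block"
    rate_limit_duration_in_minutes = 1
    rate_limit_threshold           = 100
    match_condition {
      match_variable     = "RequestUri"
      operator           = "BeginsWith"
      negation_condition = false
      match_values       = ["/login"]
      transforms         = ["Lowercase"]
    }
    match_condition {
      match_variable     = "RequestMethod"
      operator           = "Equal"
      negation_condition = false
      match_values       = ["POST"]
    }
  }

  # Managed rules: preconfigured OWASP-derived protections, then bot classification.
  managed_rule {
    type    = "Microsoft_DefaultRuleSet"
    version = "2.1"
    action  = "Block"
  }
  managed_rule {
    type    = "Microsoft_BotManagerRuleSet"
    version = "1.0"
    action  = "Log"
  }
}
```

Ordering matters: the allow rule at priority 10 means corporate addresses are never caught by the geo block or the rate limit, and because the rate limit is scoped by two match conditions, a flood against `/static/` is left to the DDoS layer rather than tripping this rule.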
Application Delivery Choices
With cloud-native WAF at public entry point

https://docs.microsoft.com/en-us/azure/architecture/guide/technology-choices/load-balancing-overview
Azure Firewall
Cloud-native stateful firewall as a service

• A first among public cloud providers
• Central governance of all traffic flows
  - Built-in high availability and auto scale
  - Network and application traffic filtering
  - Centralized policy across VNets and subscriptions
• Complete VNet protection
  - Filter outbound, inbound, spoke-to-spoke and hybrid connection traffic (VPN and ExpressRoute)
• Centralized logging
  - Archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics or the Security Information and Event Management (SIEM) system of your choice
• Best for Azure
  - DevOps integration, FQDN Tags, Service Tags, integration with ASE, Backup and other Azure services

(Diagram: Azure Firewall in a central VNet applies user-configured L3-L7 connectivity policies and Microsoft Threat Intelligence (known malicious IPs and FQDNs); threat intel, NAT, network and application filtering rules allow inbound/outbound access for spoke VNets and Azure-to-on-premises traffic; traffic is denied by default.)
Azure Firewall key features

Application rules
• FQDN filtering (HTTP/S, MSSQL)
• FQDN Tags (Windows Update, Azure Backup, etc.)
• Web categories

Fully stateful network rules
• Service Tags
• FQDN filtering (any TCP/UDP protocol)

NAT support
• Default Source Network Address Translation (SNAT)
• Destination Network Address Translation (DNAT)

DNS proxy and custom DNS

Threat Intel
• Deny and alert on known malicious IPs and domains

Monitoring
• Azure Monitor logging
• Azure Monitor metrics

Scale and availability
• Built-in auto scale (30 Gbps) and HA
• Multiple public IPs, up to 250
• Availability Zones (99.99% SLA)

Premium SKU features
• TLS inspection
• Intrusion Detection and Prevention System (IDPS)
• URL filtering
• Web categories

(Diagram: Azure Firewall in a hub VNet/VWAN filtering spoke VNets, Internet and Azure-to-on-premises traffic; traffic is denied by default.)
Azure Firewall Standard and Premium vs. AWS Firewall and NVAs
(Comparison matrix from the slide. Cells that held only a check mark did not survive this text export, so each feature is listed with the text annotations that did.)

• Application level FQDN filtering (SNI based) for HTTPS/SQL (AWS Firewall: HTTP/s only)
• Network level FQDN filtering, all ports and protocols
• Stateful firewall (5-tuple rules)
• Network Address Translation (SNAT+DNAT) (AWS: NAT GW)
• Threat intelligence-based filtering (known malicious IP addresses/domains)
• Web content filtering (web categories)
• DNS Proxy + Custom DNS (NVAs: vendor dependent)
• Full logging including SIEM integration
• Built-in HA with unrestricted cloud scalability (auto scale as traffic grows)
• Availability zones (AWS: firewall per AZ)
• Service Tags and FQDN Tags for easy policy management
• Cloud service model with integrated monitoring and management
• Easy DevOps integration using REST/PS/CLI/Templates (NVAs: templates)
• Central management
• Inbound TLS termination (TLS reverse proxy) (Azure Firewall: using App GW; AWS: using ALB)
• Outbound TLS termination (TLS forward proxy)
• Fully managed IDPS (AWS: BYO signatures)
• URL filtering (full path, incl. SSL termination)
• Application and user aware traffic filtering rules (roadmap)
• IPsec and SSL VPN gateway (Azure Firewall Standard/Premium: VPN Gateway; AWS: Transit Gateway)
• Advanced Next Generation Firewall features (e.g. DLP) (roadmap; NVAs: vendor dependent)
Growing Azure Firewall ecosystem

• Support for partner security policy management tools
• Easy integration for partners using standard Azure REST APIs
Azure Firewall Manager

Enterprise challenges
Complex network architecture and constantly changing threat environment

Challenge / what Firewall Manager provides:
• Need complete visibility into the network / Centralized management and administration
• Enforcing consistent security policies across multiple firewalls / Simplify rule management across multiple firewalls
• Compliance using a zero-trust security model / Networks are automatically secured and protected
• Respond to Internet attacks / Rapidly push firewall protection policy to respond to new threats
Azure Firewall Manager overview

Centralized firewall management & administration
• Create policy and apply across multiple firewalls
• Supports DevOps model: hierarchical policy & governance
• Works across regions/subscriptions/deployments

Support for two deployment architectures
• Hub Virtual Network: a standard Azure virtual network with security (and, in future, routing) policies
• Secured Virtual Hub: an Azure Virtual WAN Hub with security and routing policies

Roadmap
• Extend support to additional cloud-native network security services
Azure Firewall Manager key features

Hub Virtual Networks
• Brings centralized firewall management goodness to VNets
• Secure existing hub-and-spoke VNet deployments seamlessly
• Update configuration across multiple firewall instances

Secured Virtual Hub
• Centralized security for Virtual WAN hubs
• Automated routing: secures V2I, B2I, V2V, B2V with just a few clicks
• Advanced security with 3rd-party SECaaS partners

(Diagram: a global admin authors the global policy and local admins derive local policies; Azure Firewall instances in a Secured vHub and a Hub VNet across Azure regions 1..N, connected to VNets, Virtual WAN, ExpressRoute/VPN, HQ/branch, end-user devices and datacenter.)
Hub Virtual Networks vs. Secured Virtual Hubs

| | Hub Virtual Network | Secured Virtual Hub |
| --- | --- | --- |
| Underlying resource | Virtual network | Virtual WAN Hub |
| Hub & spoke | Using virtual network peering | Automated using hub virtual network connection |
| On-prem connectivity | VPN Gateway up to 10 Gbps and 30 S2S connections; ExpressRoute | More scalable VPN Gateway up to 20 Gbps and 1000 S2S connections; ExpressRoute |
| Automated branch connectivity using SD-WAN | Not supported | Supported |
| Hubs per region | Multiple virtual networks per region | Single Virtual Hub per region; multiple hubs possible with multiple Virtual WANs |
| Azure Firewall: multiple public IP addresses | Customer provided | Auto generated |
| Azure Firewall Availability Zones | Supported | Supported |
| Advanced Internet security with 3rd-party Security as a Service partners | Customer established and managed VPN connectivity to partner service of choice | Automated via Security Partner Provider flow and partner management experience |
| Centralized route management to attract traffic to the hub | Customer managed UDR; roadmap: UDR default route automation for spokes | Supported using BGP |
| Multiple security provider support | Not supported | Support for two security providers: Azure Firewall for east-west traffic filtering and 3P for north-south Internet filtering |
| Web Application Firewall on Application Gateway | Supported in virtual network | Roadmap; can be used in spoke |
| Network Virtual Appliance | Supported in virtual network | Roadmap; can be used in spoke |
Central security and policy management

• Deploy and configure multiple Azure Firewall instances
• Span different Azure regions and subscriptions from a single pane of glass
• Enforce consistent configuration across Azure Firewall
• Manage Network Address Translation (NAT), network, and application rule collections, as well as threat intelligence and DNS settings

DevOps-optimized hierarchical Azure Firewall policies
• Global firewall policies authored by central IT, with local derived firewall policies for DevOps self-service and better agility
• Example: Prod hub: global policy; Staging hub: global policy; Dev hub: global policy + local policy

Manage Azure Firewall Policy independently of Azure Firewall
• Azure Firewall Policy is a top-level resource with independent access control and activity tracking

(Diagram: a global admin in Azure Firewall Manager pushes policy to secured vHubs in several regions, each fronting multiple VNets; a local admin adds local policy in the dev hub.)
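The hierarchy described above, together with the rule types from the Azure Firewall key features slide, as one Terraform configuration. This is an added example, not part of the deck or of Microsoft's material: a parent (global) Azure Firewall Policy owned by central IT with threat-intelligence deny, DNS proxy, IDPS, an FQDN-tag application rule and a service-tag network rule, and a child policy for a dev hub that inherits it and adds its own application rule and a DNAT rule. Resource group, region, address ranges, FQDNs and the firewall public IP are assumptions, as is an authenticated `provider "azurerm" { features {} }` configuration; the `azurerm_firewall` resources that attach each policy through `firewall_policy_id` are not shown.

```hcl
# Added example (not from the deck). All names, ranges and IPs are placeholders.
locals {
  rg           = "rg-hub-netsec"   # placeholder resource group
  location     = "westeurope"
  fw_public_ip = "198.51.100.10"   # placeholder (TEST-NET-2): the dev hub firewall's public IP
}

# Parent policy owned by central IT. Rule collection groups and the threat
# intelligence mode are inherited by children; a child may only tighten the mode.
resource "azurerm_firewall_policy" "global" {
  name                     = "fwpol-global"
  resource_group_name      = local.rg
  location                 = local.location
  sku                      = "Premium"
  threat_intelligence_mode = "Deny"   # drop, not just alert on, known-bad IPs and FQDNs
  dns { proxy_enabled = true }        # required for FQDN filtering in network rules
  intrusion_detection { mode = "Deny" }
}

# Parent rule collection groups are evaluated before the child's regardless of
# priority, so a team policy cannot override them. Unmatched traffic is denied.
resource "azurerm_firewall_policy_rule_collection_group" "global" {
  name               = "rcg-global"
  firewall_policy_id = azurerm_firewall_policy.global.id
  priority           = 100

  application_rule_collection {
    name     = "allow-platform-fqdn-tags"
    priority = 100
    action   = "Allow"
    rule {
      name                  = "windows-update-and-backup"
      source_addresses      = ["10.0.0.0/8"]
      destination_fqdn_tags = ["WindowsUpdate", "AzureBackup"]
      protocols {
        type = "Https"
        port = 443
      }
    }
  }

  network_rule_collection {
    name     = "allow-azure-monitor"
    priority = 200
    action   = "Allow"
    rule {
      name                  = "azure-monitor-service-tag"
      protocols             = ["TCP"]
      source_addresses      = ["10.0.0.0/8"]
      destination_addresses = ["AzureMonitor"]   # service tag, not an IP list
      destination_ports     = ["443"]
    }
  }
}

# Child policy for the dev hub. SKU must match the parent; DNS proxy and IDPS are
# set here explicitly rather than assumed to be inherited.
resource "azurerm_firewall_policy" "dev" {
  name                = "fwpol-dev"
  resource_group_name = local.rg
  location            = local.location
  sku                 = "Premium"
  base_policy_id      = azurerm_firewall_policy.global.id
  dns { proxy_enabled = true }
  intrusion_detection { mode = "Deny" }
}

resource "azurerm_firewall_policy_rule_collection_group" "dev" {
  name               = "rcg-dev"
  firewall_policy_id = azurerm_firewall_policy.dev.id
  priority           = 500

  application_rule_collection {
    name     = "allow-dev-package-sources"
    priority = 100
    action   = "Allow"
    rule {
      name              = "pypi-and-github"
      source_addresses  = ["10.30.0.0/16"]   # dev spoke address space
      destination_fqdns = ["pypi.org", "files.pythonhosted.org", "github.com"]
      protocols {
        type = "Https"
        port = 443
      }
    }
  }

  # DNAT belongs to the firewall that owns the public IP, so it sits on the policy
  # attached to that firewall. Outbound SNAT needs no rule; it is the default.
  nat_rule_collection {
    name     = "publish-dev-web"
    priority = 200
    action   = "Dnat"
    rule {
      name                = "https-to-web-tier"
      protocols           = ["TCP"]
      source_addresses    = ["*"]
      destination_address = local.fw_public_ip
      destination_ports   = ["443"]
      translated_address  = "10.30.1.10"
      translated_port     = "443"
    }
  }
}
```

Because Azure Firewall Policy is its own top-level resource, RBAC on `fwpol-global` can be limited to central IT while the dev team holds Contributor on `fwpol-dev` only; the activity log then records who changed which policy, which is the "independent access control and activity tracking" point on the slide.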
Multi security provider support (secured hub only)

Combine best-of-breed security
• Azure Firewall for east-west (virtual network to virtual network / branch to virtual network) traffic filtering
• Security partner of your choice for north-south (virtual network to Internet / branch to Internet) traffic filtering

Use Azure for edge security
• Avoids routing Internet traffic to an on-premises firewall
• Route Internet traffic directly from Azure

Partners
• Zscaler (currently runs on ZIA cloud, roadmap to run on Azure)
• Check Point (runs on Azure)
• iboss (runs on Azure)

Simplifies connectivity and security
• Easily attract traffic to your secured virtual hub for filtering and logging without manipulating User Defined Routes

(Diagram: VNets 1-3 and Branches 1-2 (via ExpressRoute / Virtual WAN VPN) connect to a secured vHub; private B2V and V2V traffic goes via Azure Firewall, Internet traffic via a 3rd-party SECaaS over an IPsec tunnel from the Azure VPN Gateway.)
Azure Firewall Manager: trusted security partners

Use Azure as your secured Internet edge
• Use best-in-breed third-party Security-as-a-Service (SECaaS) partners; combine with Azure Firewall for layered security
• Break out Office 365 traffic directly at the branch; filter the rest of the Internet traffic using SECaaS on Azure
• Protect VNet-to-Internet or branch-to-Internet user traffic

Supported partners
Demo

Summary

Microsoft Defender for Cloud
• Secure and protect resources across the three major cloud providers and hybrid environments in one place
• Ensure secure and compliant configuration of cloud resources
• Detect vulnerabilities and threats to protect against malicious attacks

Strengthen your cloud security posture today
• Enable Defender for Cloud to assess your security posture
• Fix your top 5 Secure Score recommendations today
• Start a free trial to protect your workloads
• Onboard AWS, GCP and on-prem workloads with Azure Arc

To learn more, visit: aka.ms/DefenderForCloud

Q&A
Thank you!
