Microsoft Bolsters Cloud Security with DevOps, CSPM Coverage
Microsoft has expanded its Microsoft Defender for Cloud security platform with two new preview services — Microsoft Defender for DevOps and Microsoft Defender Cloud Security Posture Management (Defender CSPM).
At the company’s annual Microsoft Ignite conference this week, Microsoft introduced the new Defender products to help developers mitigate security vulnerabilities and respond to attacks, said Shawn Bice, corporate vice president of Cloud Security at Microsoft. The tools target both new and legacy code that’s written without security in mind.
“At Microsoft, we’re approaching cloud security with an infinite mindset,” Bice said in a blog post. “In a constantly changing world, we use threat intelligence, AI, and automation to create a virtuous cycle of signals to evolve and respond faster to bad actors and events.”
Defender for DevOps
The Defender for DevOps offering enables organizations to unify DevOps security management across multiple pipeline environments in a central console, supporting platforms like GitHub and Azure DevOps, with more to follow.
“We introduced new innovations in Defender for Cloud, including enhanced security posture management that will help you focus on the most critical risks and provide built-in multicloud security recommendations,” said Microsoft CEO Satya Nadella in his keynote at Ignite. “The new Defender for DevOps helps you secure the entire development lifecycle and unify DevOps security management across multiple environments.”
Moreover, Defender for DevOps correlates with other cloud security efforts to remediate code vulnerabilities and apply security guardrails throughout the application development lifecycle, Bice said.
The product checks code for security issues around resource configurations and scans software repositories for vulnerabilities.
“And we can do this in a way where we’re not slowing down a developer’s existing pipeline,” Bice told The New Stack. “We’ve really aimed to make it simple for developers to scale security by connecting into those pipelines and code repositories, identifying and remediating issues in what you could think of as a fluent motion.”
The need for such a tool is evident at Rockefeller Capital Management.
“If we shift left and bring security to the developers right away, code deployment will have tightened protection,” said James Rajeshvincent, Managing Director Head of Platform Development at Rockefeller Capital Management, in a statement. “Integrating DevSecOps results into Microsoft Defender for Cloud and having a single pane of glass that shows me what is in production, the code quality, and what is coming into the pipeline so that I don’t need to go into multiple places and reports to scan for code errors is going to be priceless for us.”
Focus on the Code
Defender for Cloud strengthens security and reduces risk throughout the cloud application lifecycle so organizations can stay protected — with Defender for DevOps starting at the code level, Bice said. The DevOps offering features underlying tools to address code issues immediately.
“There are two tooling aspects,” Bice told The New Stack. “There are connectors, like Source Code Management Systems (GitHub and Azure DevOps), to Defender for Cloud… which are allowing scenarios to bridge between security and developers. Second, there is scanning that is leveraging the greatness in GitHub’s Advanced Security plus added capabilities for ADO [Azure DevOps] In Pipeline, IaC [Infrastructure as Code] and more.”
Indeed, IaC and container image scanning help prevent cloud misconfigurations from ever reaching production environments. And Defender for DevOps integrates with GitHub Advanced Security to enable automated workflows across platforms including GitHub and Azure DevOps, fostering stronger collaboration between SecOps and developer teams.
“There are quite a few cyber bad actors or nation states or cybercriminals — however you want to frame it — that are really targeting code exploits,” Bice told The New Stack. “And as we know these bad actors, they move around the whole surface area, but as of late there is more focus at the code itself than I’ve seen before, or even the industry has seen before.”
This is Bice’s second stint at Microsoft. He spent 17 years at the company previously and also worked at AWS and Splunk before rejoining Microsoft as CVP of Cloud Security.
Microsoft Defender CSPM
Meanwhile, Defender CSPM builds on existing posture management capabilities in Defender for Cloud to help security teams prioritize and proactively remediate the most critical threats with contextual cloud security and attack path analysis, Bice said.
“Defender CSPM does attack path analysis because it has what we call a security graph behind it,” Bice said. “It understands all of this highly connected data. So when you go to do analysis of an entry point, you’re able to model this behind the scenes with software so that you could show a predictive path and what an attacker might go to next.”
Explaining the security graph, Bice noted, “underneath the covers, there is a graph data management system that we’re using.” The technology is internal to the team and not available as a product, he said.
Thus, built on top of this intelligent cloud security graph, Defender CSPM “provides comprehensive visibility with automatically deployed agentless scanning for real-time assessments across multicloud environments,” Bice said in his blog post. “Defender CSPM connects the dots for security teams, integrating insights from cloud workloads as well as signals from Defender for DevOps and Microsoft Defender External Attack Surface Management. Instead of sifting through long lists of vulnerable resources, customers can use the proactive attack path analysis to reduce recommendation noise by up to 99% and only focus on the most exploitable vulnerabilities along potential attack paths to begin remediation.”