Azure Defender for Kubernetes and Azure Defender for Web Apps are both available within Azure Security Center. Today we focus on Kubernetes. First, we explain how to get threat protection for your Kubernetes clusters that also covers on-premises and multicloud environments. Then we dive a bit deeper and show how to connect Azure Defender and Azure Security Center to enable detection and automatic alerts. If you want to start with the basics, read our previous post on cloud security and threat detection in general first; it comes with a downloadable whitepaper.

After reading, check out our free tool to discover your security score.

Or opt directly for our 3-day workshop, in which we map your security environment and test it in practice.


Threat Detection even on-premises and on other clouds

Azure Defender for Kubernetes is an add-on to Azure Security Center. It provides cluster-level threat protection for Kubernetes clusters managed by Azure (AKS). You can extend the same protection to on-premises clusters and to clusters in other clouds by onboarding them with Azure Arc-enabled Kubernetes and installing the Azure Defender extension on them.

Azure Defender for Kubernetes is one of four container-related add-ons that Azure Security Center provides. Azure Defender for Kubernetes, Azure Defender for Servers, Azure Defender for Container Registries and the Azure Policy add-on for Kubernetes together cover most of your security and compliance requirements. Defender for Kubernetes and Defender for Container Registries are agentless; Defender for Servers relies on the Log Analytics agent on the nodes, and Azure Policy for Kubernetes deploys its own Gatekeeper pods into the cluster. The Defender plans generate alerts when suspicious activity or vulnerabilities are found, and the Policy add-on surfaces misconfigurations as recommendations. Use these alerts and recommendations to remediate current issues quickly and to improve the security of your containerized ecosystem.

Against which threats does the Azure Defender for Kubernetes add-on defend? 

Azure Defender for Kubernetes defends against many threats by detecting patterns of the following techniques used by attackers (the labels Detect and Protect are the page's own classification of each technique):

  • Exploitation for Privilege Escalation (Detect)
    Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, a service, or the operating system software or kernel itself to execute adversary-controlled code.
    Examples:
      • Container with a sensitive volume mount detected
      • Privileged container detected
      • New high privileges role detected

  • Indicator Removal on Host (Detect)
    Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
    Examples:
      • Kubernetes events deleted

  • Exploitation of Public-Facing Application (Protect)
    Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability.
    Examples:
      • Kubernetes penetration testing tool detected
      • Digital currency mining container detected
      • K8S API requests from proxy IP address detected

  • Implantation of Container Image (Detect)
    Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.
    Examples:
      • Container with a sensitive volume mount detected
      • CoreDNS modification in Kubernetes detected
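To make concrete what "detecting patterns" in the list above means, here is an added example (our own illustration, not Azure Defender's detection logic) that runs three of the listed detections over Kubernetes API server audit events: a privileged container, a sensitive hostPath mount, deleted events, and a new role granting everything. The audit events are constructed and trimmed to the audit.k8s.io/v1 fields the checks read; the list of sensitive host paths is an assumption, not a Microsoft-published list.

```python
"""Toy detections over Kubernetes API audit events, modelled on the alert
names listed above. Added example, not Azure Defender's own logic."""

# Assumption: host paths whose exposure to a container is a classic
# escape / persistence vector. Extend to taste.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root",
                        "/var/run/docker.sock", "/var/lib/kubelet")


def is_sensitive_path(path):
    """True if a hostPath exposes the node root or a known-dangerous location."""
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def detect(event):
    """Return a list of (alert_name, detail) for one audit event."""
    findings = []
    verb = event.get("verb")
    ref = event.get("objectRef") or {}
    resource = ref.get("resource")
    ns = ref.get("namespace", "<cluster>")
    user = (event.get("user") or {}).get("username", "?")
    body = event.get("requestObject") or {}

    # Privileged container / sensitive hostPath: inspect the pod spec on create.
    if verb == "create" and resource == "pods":
        spec = body.get("spec") or {}
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                findings.append(("Privileged container detected",
                                 f"{ns}/{c['name']} by {user}"))
        for v in spec.get("volumes", []):
            path = (v.get("hostPath") or {}).get("path")
            if path and is_sensitive_path(path):
                findings.append(("Container with a sensitive volume mount detected",
                                 f"{ns} hostPath {path} by {user}"))

    # Indicator removal: deleting Event objects wipes the cluster's own audit trail.
    if verb in ("delete", "deletecollection") and resource == "events":
        findings.append(("Kubernetes events deleted", f"{ns} by {user}"))

    # New role with wildcard verbs on wildcard resources.
    if verb == "create" and resource in ("roles", "clusterroles"):
        for rule in body.get("rules", []):
            if "*" in rule.get("verbs", []) and "*" in rule.get("resources", []):
                findings.append(("New high privileges role detected",
                                 f"{ref.get('name')} grants * on * by {user}"))
                break
    return findings


def scan(events):
    """Run detect() over a sequence of audit events; returns all findings in order."""
    out = []
    for e in events:
        out.extend(detect(e))
    return out


# Constructed audit events (not real cluster data), trimmed to the fields used.
SAMPLE_EVENTS = [
    {"verb": "create", "user": {"username": "system:serviceaccount:default:builder"},
     "objectRef": {"resource": "pods", "namespace": "default", "name": "miner"},
     "requestObject": {"spec": {
         "containers": [{"name": "xmr", "image": "example/miner:latest",
                         "securityContext": {"privileged": True}}],
         "volumes": [{"name": "host", "hostPath": {"path": "/var/run/docker.sock"}}]}}},
    {"verb": "deletecollection", "user": {"username": "kubernetes-admin"},
     "objectRef": {"resource": "events", "namespace": "kube-system"}},
    {"verb": "create", "user": {"username": "kubernetes-admin"},
     "objectRef": {"resource": "clusterroles", "name": "god-mode"},
     "requestObject": {"rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}},
    {"verb": "create", "user": {"username": "dev"},
     "objectRef": {"resource": "pods", "namespace": "web", "name": "nginx"},
     "requestObject": {"spec": {
         "containers": [{"name": "nginx", "image": "nginx:1.25"}],
         "volumes": [{"name": "cfg", "configMap": {"name": "nginx-conf"}}]}}},
]

if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

The last sample event (a plain nginx pod with a configMap volume) produces nothing, which is the point: the detections fire on the properties an attacker needs (privileged, host filesystem, wildcard RBAC, log deletion), not on every pod creation. In production the same checks run over the API audit log that Azure streams from the managed control plane.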

Additional Protection with Azure Defender for Servers and Container Registries 

Azure Defender for Servers monitors your Linux Kubernetes nodes for suspicious activity, for example web shells and connections to known malicious IP addresses. It also carries built-in analytics for container configuration that detect issues such as the creation of privileged containers, suspicious requests to the Kubernetes API server, and a Secure Shell (SSH) server running inside a Docker container.

Azure Defender for Container Registries is a vulnerability scanner. It scans every Azure Container Registry in your subscription and lists the known vulnerabilities in the images it holds. Combined with a gate in your CI/CD pipeline that refuses to deploy images with open findings, this keeps vulnerable containers from reaching your Kubernetes clusters. The add-on also rescans recently pulled images weekly and raises new findings when new vulnerabilities are published, so you stay on top of the latest issues and can act before they are exploited.

How to Set up Detection Mode and Auto Alerts in Azure Defender for Kubernetes? 

After you have enabled the Azure Defender plans on your subscription, Security Center starts to analyze and correlate logs from multiple sources:

  • Kubernetes API audit logs from the control plane (the master nodes that Azure manages for you), used by Azure Defender for Kubernetes
  • Log Analytics security event logs from the nodes running your workloads, used by Azure Defender for Servers
  • Kubernetes workload configuration scraped by the Azure Policy for Kubernetes add-on (built on OPA Gatekeeper) to detect misconfigured objects in your cluster, used by Azure Defender for Kubernetes

Now that Azure Defender is enabled, verify the connection between the log sources and Security Center. Log in to a Kubernetes cluster in the subscription and run the following command, which is designed to trigger a harmless test alert (the namespace does not need to exist; the expected response is "No resources found", and the alert should show up in Security Center within about 30 minutes):

kubectl get pods --namespace=asc-alerttest-662jfi039n

Create workflows that auto-remediate alerts

So far we have only touched the detection side of Azure Security Center, which produces security alerts. It is also possible to build workflows that remediate alerts automatically, by combining two Azure resources: Azure Logic Apps and Azure Functions.

Configure the Logic App with a Security Center alert as its trigger (Security Center's workflow automation can run a Logic App for every new alert). The Logic App pulls the relevant data out of the alert, namely which cluster, namespace and pod it concerns, and passes that data as arguments to the Azure Function. The Function then authenticates to the right cluster and runs the commands needed to remediate the alert, for instance deleting the pod that was detected as a mining image. Two caveats from practice: give the Function credentials scoped to the remediation (a service account allowed to delete pods in workload namespaces, not cluster-admin), and treat the pod and namespace names carried by the alert as untrusted input, because the attacker chose them when creating the object.
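The following is an added example of the decision logic such a Function could run before it touches the cluster; it is our illustration, not code from the post or from Microsoft. The alert JSON is constructed, and the property names it reads (alertDisplayName, extendedProperties.clusterName, namespace, podName) are assumptions standing in for whatever the Logic App extracts from the real Security Center alert schema. The allow-list of alert types, the protected namespaces and the kubectl invocation are likewise assumptions to adapt to your environment.

```python
"""Remediation planner for a Logic App -> Azure Function workflow.
Added example, not the post's or Microsoft's code; field names are assumed."""
import json
import re

# Assumption: only these alert types are safe to remediate without a human.
AUTO_REMEDIATE = {
    "Digital currency mining container detected": "delete_pod",
    "Kubernetes penetration testing tool detected": "delete_pod",
}
# Assumption: never auto-delete in control-plane / system namespaces.
PROTECTED_NAMESPACES = {"kube-system", "kube-public", "kube-node-lease",
                        "gatekeeper-system"}
# Kubernetes object names are DNS-style labels/subdomains; anything else is suspect.
K8S_NAME = re.compile(r"^[a-z0-9]([-a-z0-9.]{0,251}[a-z0-9])?$")


def parse_alert(raw):
    """Extract the fields the remediation needs from the alert payload (assumed shape)."""
    alert = json.loads(raw)
    props = alert.get("extendedProperties") or {}
    return {
        "alert": alert.get("alertDisplayName", ""),
        "severity": alert.get("severity", ""),
        "cluster": props.get("clusterName", ""),
        "namespace": props.get("namespace", ""),
        "pod": props.get("podName", ""),
    }


def plan(info):
    """Decide what to do. Returns {'action', 'argv', 'reason'}; argv is empty on skip."""
    action = AUTO_REMEDIATE.get(info["alert"])
    if action is None:
        return {"action": "skip", "argv": [],
                "reason": "alert type is not on the auto-remediate list"}
    cluster, ns, pod = info["cluster"], info["namespace"], info["pod"]
    # Names originate from the object the attacker created: validate before use.
    if not all(K8S_NAME.match(x) for x in (cluster, ns, pod)):
        return {"action": "skip", "argv": [],
                "reason": "cluster, namespace or pod name failed validation"}
    if ns in PROTECTED_NAMESPACES:
        return {"action": "skip", "argv": [],
                "reason": f"{ns} is a protected namespace; escalate to a human"}
    # Build an argument list, never a shell string, so names cannot reach a shell.
    argv = ["kubectl", "--context", cluster, "-n", ns, "delete", "pod", pod]
    return {"action": action, "argv": argv,
            "reason": f"{info['alert']} on {cluster}/{ns}/{pod}"}


# Constructed alert payload (not a real Security Center alert).
SAMPLE_ALERT = json.dumps({
    "alertDisplayName": "Digital currency mining container detected",
    "severity": "High",
    "extendedProperties": {"clusterName": "aks-prod-weu",
                           "namespace": "default",
                           "podName": "xmrig-7c9d"},
})

if __name__ == "__main__":
    decision = plan(parse_alert(SAMPLE_ALERT))
    print(decision["action"], decision["reason"])
    if decision["argv"]:
        # In the real Function: subprocess.run(decision["argv"], check=True)
        # with a kubeconfig whose service account may only delete pods.
        print(" ".join(decision["argv"]))
```

The point of the validation step is that an attacker who can create a pod named after a shell payload must not be able to turn your remediation Function into a second foothold; passing an argv list and rejecting names outside the Kubernetes naming rules closes that path, and the protected-namespace check keeps a false positive from deleting CoreDNS.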

If you need support with that, do not hesitate to reach out: cloud native solutions and Kubernetes are our passion. We earned a Microsoft Advanced Specialization in Kubernetes on Azure, and beyond the theory we have quite a few happy customers and years of field experience from real-life projects.

Want to know more? Have a chat with us!

Glenn Mattys, Head of Customer Innovation

Filip De Byser, Cloud Managed Services