
How to Monitor Virtual Machine Security

June 11, 2021

CrowdStrike Tech Center

Introduction

CrowdStrike’s cloud security posture management solution, Falcon Horizon, monitors rapidly growing public cloud environments to help organizations proactively identify and resolve potential issues.


Assessment Types

The main dashboard displays an overview of recent findings across all of the registered cloud accounts and providers. Shown on the left, the configuration assessment findings are based on policies that examine various service-specific settings. The behavioral assessment, on the right, focuses on changes or events that could indicate malicious activity.

CSPM VM Dashboard

Assessment Findings

For this environment, there is a high severity behavioral finding for one of the most commonly used Azure services, Virtual Machine.

CSPM VM assessment finding

Drilling down on the finding presents the details, including the associated MITRE ATT&CK Tactic and Technique. While this view is automatically filtered for a single behavioral policy, menu options and filters are available to home in on other details of the behavioral assessment, or to pivot using the Assessment menu at the top to view the configuration assessment findings.

CSPM VM policy finding

Clicking on the number of findings opens the IOA Event Timeline that provides a complete description and remediation plan for this indicator of attack. The user session details are outlined along with an event timeline summary. Behavioral findings are also assigned a confidence score to help establish urgency and prioritization.

CSPM VM IOA timeline

Virtual Machine Policies

The assessment findings are based on policies that CrowdStrike has developed for the different cloud services. Under the Policies tab, there is a comprehensive list of supported services for each cloud provider. Specifically for Azure Virtual Machine, there are a number of configuration-based policies to help organizations ensure proper security. Given the core functionality and widespread use of this particular service, most of those are associated with a high severity level and various compliance guidelines. Links are available to relevant documentation where applicable.

CSPM VM config policies

CrowdStrike also goes beyond compliance-specific policies to deliver additional configuration insights, such as virtual machines not being properly assigned a network security group.

CSPM VM Config sec group

To identify potentially malicious activity, behavioral policies are also available. 

CSPM VM behavioral

In some cases, there can be an association between the behavioral and configuration findings. Above, on the dashboard, there was a finding for a VM modification that allowed ingress from the public internet.

CSPM allows ingress

That change would later trigger a configuration finding for the “Virtual Machine allows inbound from internet on any port from any source” policy. Details such as a description, remediation steps, and alert logic are available for each policy.

CSPM VM allows
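The condition behind that configuration policy can be expressed as a check over an NSG's inbound rules. The following is an added example, not Falcon Horizon's own alert logic: it evaluates rule dicts whose field names mirror Azure's securityRules properties (direction, access, protocol, sourceAddressPrefix/es, destinationPortRange/s, priority), with the sample rules constructed for illustration. It also goes one step beyond a per-rule test by applying rules in priority order, as Azure does, so that an any-source/any-port Deny processed first shadows the Allows after it.

```python
# Sources and ports that Azure treats as "anything" in an NSG rule.
ANY_SOURCE = {"*", "0.0.0.0/0", "::/0", "internet", "any"}
ANY_PORT = {"*", "0-65535"}

def _values(rule, singular, plural):
    """Azure emits either the singular field or the plural list; merge both."""
    vals = list(rule.get(plural) or [])
    if rule.get(singular):
        vals.append(rule[singular])
    return [str(v).lower() for v in vals]

def _matches_any_any(rule):
    """Inbound rule whose scope is every source address on every port."""
    if rule.get("direction") != "Inbound":
        return False
    sources = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    ports = _values(rule, "destinationPortRange", "destinationPortRanges")
    return bool(ANY_SOURCE & set(sources)) and bool(ANY_PORT & set(ports))

def rule_allows_internet_any_port(rule):
    """Single-rule condition: allows inbound from internet on any port from any source."""
    return rule.get("access") == "Allow" and _matches_any_any(rule)

def find_exposed_rules(rules):
    """Evaluate a whole NSG in priority order (lower number wins). An
    any-source/any-port/all-protocol Deny processed first shadows every
    later Allow; finer-grained shadowing by CIDR or port is not modelled."""
    exposed = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule.get("access") == "Deny" and rule.get("protocol") == "*"
                and _matches_any_any(rule)):
            break
        if rule_allows_internet_any_port(rule):
            exposed.append(rule["name"])
    return exposed

# Constructed sample mirroring the shape of an NSG's securityRules (not real data).
SAMPLE_RULES = [
    {"name": "AllowSSH", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "AllowAnyInbound", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
    {"name": "AllowAllOutbound", "priority": 300, "direction": "Outbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    print("exposed:", find_exposed_rules(SAMPLE_RULES))  # exposed: ['AllowAnyInbound']
```

Only AllowAnyInbound is reported: AllowSSH is limited to one port, the outbound rule is out of scope, and the default DenyAllInBound sits at the lowest priority so it shadows nothing.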

Conclusion

With the growth of cloud deployments and the risk of misconfiguration, it is imperative that companies continuously monitor their environments to minimize risk. Falcon Horizon provides granular policy assessment and visibility to help organizations quickly identify potential exposures and take action to improve overall cloud security.
