Microsoft Defender for Open-Source Relational Databases Now Supports Multicloud (AWS RDS)

Introduction:

Many organizations use multiple cloud providers today, which makes security misconfigurations more likely due to the solution scale and complexity. Moreover, different practices and concepts among each cloud provider's implementation create bigger internal knowledge gaps.

No matter how many cloud providers an organization uses, a database is the core of each application, storing the organization's most valuable data: PII, financial and payment information, medical information, and other sensitive data. This makes databases the most attractive attack target for any threat actor – from inside or outside.

Even though there is more awareness of exposure misconfigurations (thanks to cybersecurity education and posture management products that reveal these issues), public datasets show that the most risky database misconfiguration – exposing databases to the internet is not going down. This fact emphasizes the importance of threat protection that will act as a last line of defense and help detect, in near real-time, attacks that endanger databases and the critical data they contain.

Thomas_Zou_0-1714500872594.jpeg

Internet exposed databases count through time.

(Source: Time series · General statistics · The Shadowserver Foundation)

Announcement:

Microsoft for open-source relational databases have been long focusing on providing comprehensive protection for Azure databases.

Today, we're excited to announce another significant milestone in our cloud database security journey: Microsoft for open-source relational databases plans now extend their protection to multicloud environments, starting with Amazon on AWS. The workloads supported in AWS are:

  • Aurora PostgreSQL
  • Aurora MySQL
  • PostgreSQL
  • MySQL
  • MariaDB

This release includes full parity with the alert types of support for managed Azure OSS databases:

  • Anomalous database access and query patterns – For example, a logon from a suspicious location or from a domain not seen in the past 60 days.
  • Suspicious database activities – For example, a user accessing a database service from a breached computer which communicated with a crypto-mining C&C server.
  • Brute-force attacks – With the ability to separate simple brute force attempt from a successful brute force.

Under public preview, you can turn on the for open-source relational databases plan for AWS at no cost. This marks a pivotal moment in our commitment to securing your business-critical data across cloud environments.

This announcement makes Microsoft the sole major security provider offering multicloud database protection, a significant step forward in building an end-to-end multicloud & Cloud native application protection platform (CNAPP).

Defender for Cloud stands out with its comprehensive approach, covering a diverse range of databases and leveraging Microsoft's dual role as a cloud and security provider. This integration enables us to provide unparalleled scanning depth and real-time threat detection capabilities, enhancing security across multicloud environments.

This multicloud database protection announcement is part of Microsoft's commitment to build a comprehensive Cloud Native Application Protection Platform (CNAPP). CNAPP integrates advanced data threat intelligence, , and data threat protection to provide in depth cloud data security insight and breadth of data security protection across various cloud platforms.

Thomas_Zou_1-1714500872600.png

Microsoft's CNAPP infographic

Features

You will now have full flexibility to mix and match the protection on your multicloud databases:

Thomas_Zou_2-1714500872605.jpeg

Protection layers for multicloud database protection

  • Foundational CSPM – Free out of the box (OOTB) control plane recommendations are generated once you connect your account to Microsoft Defender for Cloud.

Thomas_Zou_3-1714500872615.pngRecommendations are evaluated and generated OOTB for all connected cloud environments.

  • Advanced posture management with Defender CSPM (DCSPM) – Discovers your databases, what types of sensitive data they contain and assesses risk to that data based on context gathered across all the clouds in the customer's scope.

Thomas_Zou_4-1714500872621.pngMisconfigurations and sensitive data are discovered and displayed as part of an attack path

  • Advanced threat protection with Defender for open-source relational databases – Provides threat protection by generating near real-time alerts based on suspicious and anomalous access patterns to your databases.

Thomas_Zou_5-1714500872625.pngAttack path also highlights active attack on the vulnerable resources

Thomas_Zou_6-1714500872632.pngMDC lists the alert history on the resource we can see brute force attacks, connections from harmful applications and more

Thomas_Zou_7-1714500872640.png

Brute force attack detected from an IP that was reported as a Tor exit node

  • Finally, Microsoft Defender for Cloud offers seamless integration with Defender XDR, which offers enhanced threat detection and response capabilities. It's crucial for organizations to adopt both Defender for Cloud and Defender XDR personas to effectively manage and mitigate security risks across their multicloud environments.

Thomas_Zou_8-1714500872648.pngDefender XDR identified an incident where the same IP tried to brute force cloud databases in AWS and Azure

Sensitive data discovery is built-in!

Defender for open-source databases on AWS will be the first database threat protection plan to bundle sensitive data discovery as part of its core value, without depending on other plans (such as DCSPM) or incur additional costs. Once the plan is enabled the discovery process will be scheduled weekly and you will be able to consume the findings in all the main MDC experiences:

  • Alerts – filter alerts by resources with findings, alert page enrichment
  • Inventory – filter resources with findings
  • Resource health – enrichment with findings
  • Security explorer (new!) – You will also be able to query the findings using security explorer even without enabling DCSPM.
    Only findings' data will be queryable – other pieces of context require enabling DCSPM.

Conclusion

In conclusion, Microsoft Defender for open-source relational databases now support multicloud database protections in AWS RDS environments. This change signifies a pivotal advancement in cloud security. Through its holistic approach embodied by CNAPP, Microsoft empowers organizations to safeguard their critical data assets consistently across diverse cloud platforms.

Resources:

To learn more about Defender for Cloud, click here.

Read about Defender for open-source relational databases documentation here.

Read about sensitive data discovery.

Defender for open-source relational databases alerts reference.

Start free trial here.

 

This article was originally published by Microsoft's Defender for Cloud Blog. You can find the original article here.