- Configure Azure Defender for SQL
- Use the Microsoft Threat Modeling Tool
Table of Contents
Configure Azure Defender for SQL
Availability
Aspect | Details |
---|---|
Release state: | Microsoft Defender for Azure SQL database servers – Generally available (GA) Microsoft Defender for SQL servers on machines – Generally available (GA) |
Pricing: | The two plans that form Microsoft Defender for SQL are billed as shown on the pricing page |
Protected SQL versions: | SQL on Azure virtual machines SQL Server on Azure Arc-enabled servers On-premises SQL servers on Windows machines without Azure Arc Azure SQL single databases and elastic pools Azure SQL Managed Instance Azure Synapse Analytics (formerly SQL DW) dedicated SQL pool |
Clouds: | Commercial clouds Azure Government Azure China 21Vianet (Partial: Subset of alerts and vulnerability assessment for SQL servers. Behavioral threat protections aren’t available.) |
Pricing
Microsoft Defender for SQL on Azure | €13.511/Instance/month2 |
Microsoft Defender for SQL outside Azure | €9.863/vCore/month3 |
2 Microsoft Defender for SQL on Azure price applies to SQL servers on Azure SQL Database, Azure SQL Managed Instance and Azure Virtual Machines.
3 Microsoft Defender for SQL outside Azure price applies on Azure Arc enabled SQL Servers, which extends Azure services to SQL Server instances hosted outside of Azure in the customer’s datacenter, on the edge or in a multi-cloud environment.
What does it do?
Microsoft Defender for SQL comprises two separate Microsoft Defender plans:
- Microsoft Defender for Azure SQL database servers protects:
- Microsoft Defender for SQL servers on machines extends the protections for your Azure-native SQL Servers to fully support hybrid environments and protect SQL servers (all supported version) hosted in Azure, other cloud environments, and even on-premises machines:
When you enable either of these plans, all supported resources that exist within the subscription are protected. Future resources created on the same subscription will also be protected.
What about the benefits??
These two plans include functionality for identifying and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate threats to your databases.
A vulnerability assessment service discovers, tracks, and helps you remediate potential database vulnerabilities. Assessment scans provide an overview of your SQL machines’ security state, and details of any security findings.
- Learn more about vulnerability assessment for Azure SQL Database.
- Learn more about vulnerability assessment for Azure SQL servers on machines.
An advanced threat protection service continuously monitors your SQL servers for threats such as SQL injection, brute-force attacks, and privilege abuse. This service provides action-oriented security alerts in Microsoft Defender for Cloud with details of the suspicious activity, guidance on how to mitigate to the threats, and options for continuing your investigations with Microsoft Sentinel. Learn more about advanced threat protection.
Alerts in Microsoft Defender for SQL?
Threat intelligence enriched security alerts are triggered when there’s:
- Potential SQL injection attacks – including vulnerabilities detected when applications generate a faulty SQL statement in the database
- Anomalous database access and query patterns – for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)
- Suspicious database activity – for example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server
Alerts include details of the incident that triggered them, as well as recommendations on how to investigate and remediate threats.
How to enable?
Microsoft has consolidated all Defender product to the same page under Defender for Cloud and Defender plans.
When you are creating and SQL, you can find Defender under the provisioning steps.
The plan consolidates all database resource types. The “Select types” control provides pricing information and quantity for each resource type, as well as the ability to exclude certain types.
When you open SQL-database, you will find the following options
From server settings you will find settings for assessment scanning
And for threat protection
Under Configure threat detection types you can enable or disable detections
And under audit, you can enable auditing for SQL and for Microsoft support operations
But there is also free features
Like Ledger which is still in preview.
Azure SQL Ledger
With Ledger you can verify the integrity of your data and detect possible tampering.
Ledger helps protect data from any attacker or high-privileged user, including database administrators (DBAs), system administrators, and cloud administrators. As with a traditional ledger, the feature preserves historical data. If a row is updated in the database, its previous value is maintained and protected in a history table. Ledger provides a chronicle of all changes made to the database over time.
Each transaction that the database receives is cryptographically hashed (SHA-256). The hash function uses the value of the transaction, along with the hash of the previous transaction, as input to the hash function. (The value includes hashes of the rows contained in the transaction.) The function cryptographically links all transactions together, like a blockchain.
Ledger functionality is introduced to tables in Azure SQL Database in two forms:
- Updatable ledger tables, which allow you to update and delete rows in your tables.
- Append-only ledger tables, which only allow insertions to your tables.
You create and database with the Ledger with the following instructions.
Identity management
There is also on option to use system or user assigned managed identities, which is still is preview.
Here are some of the benefits of using Managed identities:
- You don’t need to manage credentials. Credentials are not even accessible to you.
- You can use managed identities to authenticate to any resource that supports Azure Active Directory authentication including your own applications.
- Managed identities can be used without any additional cost.
And there are description for the identities that can be used.
- System-assigned Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity an identity is created in Azure AD that is tied to the lifecycle of that service instance. So when the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
- User-assigned You may also create a managed identity as a standalone Azure resource. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. In the case of user-assigned managed identities, the identity is managed separately from the resources that use it.
How to use the managed identities as a Developer?
What Azure services support the feature?
Managed identities for Azure resources can be used to authenticate to services that support Azure AD authentication. For a list of Azure services that support the managed identities for Azure resources feature, see Services that support managed identities for Azure resources.
Transparent Data Encryption
With TDE you will bring your own certificates to encrypt the data just like in Azure Information Protection.
You will have keys to access your data not Microsoft. So you have to keep them safe.
Benefits of TDE
Customer-managed TDE provides the following benefits to the customer:
- Full and granular control over usage and management of the TDE protector;
- Transparency of the TDE protector usage;
- Ability to implement separation of duties in the management of keys and data within the organization;
- Key Vault administrator can revoke key access permissions to make encrypted database inaccessible;
- Central management of keys in AKV;
- Greater trust from your end customers, since AKV is designed such that Microsoft cannot see nor extract encryption keys;
Microsoft Threat Modeling Tool
What it is?
The Microsoft Threat Modeling Tool 2018 was released as GA in September 2018 as a free click-to-download. The change in delivery mechanism allows us to push the latest improvements and bug fixes to customers each time they open the tool, making it easier to maintain and use. This article takes you through the process of getting started with the Microsoft SDL threat modeling approach and shows you how to use the tool to develop great threat models as a backbone of your security process.
Download here https://aka.ms/threatmodelingtool and install
Once done, the application main page will open
Choose create a model you will see templates that can be used
Analyzing threats
Once he clicks on the analysis view from the icon menu selection (file with magnifying glass), he is taken to a list of generated threats the Threat Modeling Tool found based on the default template, which uses the SDL approach called STRIDE (Spoofing, Tampering, Info Disclosure, Repudiation, Denial of Service and Elevation of Privilege). The idea is that software comes under a predictable set of threats, which can be found using these 6 categories.
STRIDE model
To better help you formulate these kinds of pointed questions, Microsoft uses the STRIDE model, which categorizes different types of threats and simplifies the overall security conversations.
Category | Description |
---|---|
Spoofing | Involves illegally accessing and then using another user’s authentication information, such as username and password |
Tampering | Involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet |
Repudiation | Associated with users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Non-Repudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package |
Information Disclosure | Involves the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers |
Denial of Service | Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability |
Elevation of Privilege | An unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed |
Reports
After you finish changing priorities and updating the status of each generated threat, you can save the file and/or print out a report. Go to Report > Create Full Report.
Threat model section
Component | Details |
---|---|
Feedback, Suggestions and Issues Button | Takes you the MSDN Forum for all things SDL. It gives you an opportunity to read through what other users are doing, along with workarounds and recommendations. If you still can’t find what you’re looking for, email tmtextsupport@microsoft.com for our support team to help you |
Create a Model | Opens a blank canvas for you to draw your diagram. Make sure to select which template you’d like to use for your model |
Template for New Models | You must select which template to use before creating a model. Our main template is the Azure Threat Model Template, which contains Azure-specific stencils, threats and mitigations. For generic models, select the SDL TM Knowledge Base from the drop-down menu. Want to create your own template or submit a new one for all users? Check out our Template Repository GitHub Page to learn more |
Open a Model | Opens previously saved threat models. The Recently Opened Models feature is great if you need to open your most recent files. When you hover over the selection, you’ll find 2 ways to open models:Open From this Computer – classic way of opening a file using local storageOpen from OneDrive – teams can use folders in OneDrive to save and share all their threat models in a single location to help increase productivity and collaboration |
Getting Started Guide | Opens the Microsoft Threat Modeling Tool main page |
Things to remember
Protected SQL versions:
- SQL on Azure virtual machines
- SQL Server on Azure Arc-enabled servers
- On-premises SQL servers on Windows machines without Azure Arc
- Azure SQL single databases and elastic pools
- Azure SQL Managed Instance
- Azure Synapse Analytics (formerly SQL DW) dedicated SQL pool
Threat intelligence enriched security alerts are triggered when there’s:
- Potential SQL injection attacks – including vulnerabilities detected when applications generate a faulty SQL statement in the database
- Anomalous database access and query patterns – for example, an abnormally high number of failed sign-in attempts with different credentials (a brute force attempt)
- Suspicious database activity – for example, a legitimate user accessing an SQL Server from a breached computer which communicated with a crypto-mining C&C server
Threat detection types available
How TDE works
What is the STRIDE ( Spoofing, Tampering, Info Disclosure, Repudiation, Denial of Service and Elevation of Privilege) model