Microsoft is releasing a new Azure DDoS Protection Solution for Microsoft Sentinel that is designed to help customers identify bad actors from Azure’s DDoS security signals and block new attack vectors in other network security products, such as Azure Firewall.
The Redmond, Wash. IT giant says each Azure network security service is fully integrated with Sentinel, Microsoft’s cloud-native security information and event management (SIEM) solution, which also collects security signals from each Azure security service.
That data is then analyzed to create a centralized view of the attack landscape, and Sentinel correlates events and related incidents when anomalies are detected. Sentinel then automates the response to mitigate sophisticated attacks.
For example, when cybercriminals use a DDoS attack to act as a smokescreen to more harmful activity such as data theft, Sentinel will detect the DDoS attack and use the information it gathers on attack sources to prevent the next phases of the attack.
Using remediation capabilities in Azure Firewall, and in other network security services in the future, the attacking DDoS sources are blocked, according to Microsoft.
“This cross-product detection and remediation magnifies the security posture of the organization, where Sentinel is the orchestrator,” the company says in a blog.
According to Microsoft, the Azure DDoS Protection Solution for Sentinel is being released as a single solution package that includes:
- Azure DDoS Protection data connector and workbook.
- Alert rules that help retrieve the source DDoS attackers. These are new rules Microsoft created specifically for this solution, and customers can also use them for other objectives in their security strategy.
- A Remediation IP Playbook that automatically creates remediation in Azure Firewall to block the source DDoS attackers. Although Microsoft documents and demonstrates how to use Azure Firewall for remediation, any third-party firewall that has a Sentinel Playbook can be used for remediation. This gives customers the flexibility to use the new DDoS solution with any firewall.
The solution is initially released for Azure Firewall (or any third-party firewall), and Microsoft plans to enhance it to support Azure WAF soon.
Read the blog for use cases, or read this guidance to learn how to deploy the solution.