Microsoft Defender for Cloud Wrap - Issue #9 - Out-of-Band Log4j Edition
Happy Monday everyone! At least, I hope it's a happy Monday. Most of you are deeply concerned about the news around the Log4j crisis over the weekend, and many of you have been deep in figuring out how much of your environment is exposed to this zero-day exploit.
As you know, this newsletter delivers bi-weekly on Fridays, except that, as noted last issue, it would not deliver until the new year due to the holidays and my taking time off to spend time with family and friends.
So, this newsletter issue is definitely an out-of-band experience. But with the ongoing effort to identify and control the Log4j outbreak, I believe it's important to deliver this newsletter now instead of waiting until January 7th.
There’s still a lot of awesome, accumulated and curated content in this newsletter issue below, but the focus here is more about getting all of you the necessary information about how to deal with Log4j with Microsoft Defender for Cloud.
...
Our own guidance
Microsoft security teams have put together the following guidance and resources to help customers understand this vulnerability and to help detect and hunt for exploits:
Microsoft Security blog describing the nature of current attacks Microsoft is observing. The blog also contains guidance on how to use Microsoft security products to detect and hunt for malicious activity, and apply protections: Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation
RiskIQ (acquired by Microsoft in August 2021) published a threat intelligence article to the community portal with information about the vulnerability and its exploitation, as well as detections and mitigations: CVE-2021-44228 Apache Log4j Remote Code Execution Vulnerability
Microsoft 365 Defender threat analytics article with detection information and potential impacts to customer environments: Threat Insights: CVE-2021-44228 Log4j active exploitation (sign-in is required)
And, Melvyn Mildiner, Senior Content Developer at Microsoft, has just posted a great explanation of how Defender for Cloud works to help customers identify Log4j.
How Defender for Cloud finds machines affected by Log4j vulnerabilities
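As an added example that is not part of this newsletter or of the linked post, the two Azure Resource Graph queries below express the lookups the post describes: machines whose software inventory contains Log4j, and machines carrying the CVE-2021-44228 vulnerability finding. The securityresources field names are assumed from Defender for Cloud's documented Resource Graph schema; verify them against your own tenant before relying on the results.

```kusto
// Query 1 (added example): machines with Log4j in the Defender for Cloud software inventory.
// Assumption: softwareinventories rows carry properties.softwareName / properties.version,
// and the resource id is "<machine id>/providers/Microsoft.Security/softwareInventories/...".
securityresources
| where type =~ "microsoft.security/softwareinventories"
| extend software = tostring(properties.softwareName),
         version  = tostring(properties.version)
| where software contains "log4j"
| extend machineId = tostring(split(tolower(id), "/providers/microsoft.security/")[0])
| summarize versions = make_set(version) by machineId, software
| order by machineId asc

// Query 2 (added example): machines with the CVE-2021-44228 finding from the
// vulnerability assessment. Assumption: sub-assessment rows carry the CVE id in
// properties.id and the finding state in properties.status.code.
securityresources
| where type =~ "microsoft.security/assessments/subassessments"
| extend findingId = tostring(properties.id),
         status    = tostring(properties.status.code)
| where findingId =~ "CVE-2021-44228"
| extend machineId = tostring(split(tolower(id), "/providers/microsoft.security/")[0])
| where status =~ "Unhealthy"
| distinct machineId, findingId, status
| order by machineId asc
```

Running both queries and comparing the machine lists catches hosts where Log4j is present but the scanner has not yet reported the CVE, and the reverse.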
...
Not sure what Log4j is?
In its simplest terms, a zero-day vulnerability in Log4j (now also known as "Log4Shell") can allow unauthenticated remote code execution and access to servers. Researchers have reported 100 attempts to exploit this vulnerability per minute, adding up to hundreds of thousands of attempts since it was discovered just a few days ago, and it has probably been actively exploited for some time before it was publicly disclosed.
New Scientist explains it this way…
Almost every bit of software you use will keep records of errors and other important events, known as logs. Rather than creating their own logging system, many software developers use the open source Log4j, making it one of the most common logging packages in the world.
Not having to reinvent the wheel is a huge benefit, but the popularity of Log4j has now become a global security headache. The flaw affects millions of pieces of software, running on millions of machines, which we all interact with.
Read the rest: Log4j software bug is ‘severe risk’ to the entire internet
...
As noted last issue, I’m taking time off for the holidays and this newsletter will return in force in January, but I thought - with everything going on - it was appropriate to send this out-of-band edition.
The rest of this newsletter issue is the normal fare.
Talk soon.
-Rod
Things to Read
How Defender for Cloud finds machines affected by Log4j vulnerabilities — techcommunity.microsoft.com Microsoft Defender for Cloud's inventory filters can easily and quickly help you find all machines with a specific piece of software, or that are vulnerable to a specific CVE. In this case, we show how to find machines running Log4j or with the security finding CVE-2021-44228.
Microsoft launches dedicated Container protection plan — techcommunity.microsoft.com Microsoft Defender for Containers is a new cloud workload protection plan designed around the unique needs of container solutions.
Understand the enhanced security features of Microsoft Defender for Cloud | Microsoft Docs — docs.microsoft.com Is the 500-MB free data ingestion calculated for an entire workspace or strictly per machine?
Defender for Cloud Cost Estimation - starkonsec - Medium — starkonsec.medium.com
Things to Watch/Listen To
Keep track of "Defender for Cloud in the field" with the new YouTube page
Microsoft Defender for Containers | Defender for Cloud in the Field #3 — www.youtube.com In this episode of Defender for Cloud in the field, Maya Herskovic joins Yuri Diogenes to talk about Microsoft Defender for Containers. Maya explains what's ...
Things that are New and Updated
Microsoft launches dedicated Container protection plan — techcommunity.microsoft.com Microsoft Defender for Containers is a new cloud workload protection plan designed around the unique needs of container solutions.
Microsoft Defender for Cloud: General availability updates for November 2021 | Azure updates | Microsoft Azure — azure.microsoft.com New enhancements and updates released for general availability (GA) in Microsoft Defender for Cloud in November 2021.
Things in the News
Rabobank grows a safer global IT landscape with Microsoft Security solutions — customers.microsoft.com Protecting the data and information that supports this sprawling enterprise is a complex undertaking. That’s why Rabobank manages its multicloud environment with Microsoft Security solutions, using Microsoft Sentinel to tie together insights from throughout the company, and Microsoft Defender for Cloud for threat detection and response. Thanks to the consolidation it achieves with Microsoft Security solutions, Rabobank now works with just four security vendors rather than 20, with licensing savings—and most importantly, security—on the rise.