CIS 3.1 in Azure - Azure Security Center

Continuing on with discussing the CIS Controls on Azure, the goal of this post is to talk about CIS Control 3, and specifically 3.1: Run Automated Vulnerability Scanning Tools.  On-premises, this control focuses on using tools to scan networks and systems for known vulnerabilities.  In some cases, this can include both internal and external scans, depending on your policy.

Applying this to Azure is a bit tricky.  When you think about the shared responsibility model, vulnerabilities in the underlying services that you use are technically the responsibility of the provider.  Services that you create (and place on top of) Azure resources fall under your responsibilities.

So, if I had to translate CIS 3.1, I would say that vulnerability scanning is essentially ensuring that the services you have provisioned are secured by default (ie: you have used the correct configuration) and that the configuration of those services meets your corporate policies.  There are a couple of tools in the Azure toolbox that you can use to satisfy this requirement, and today we are going to talk about Azure Security Center.

Azure security center comes in a couple of different service levels, but even in the first level, you get access to a rich dashboard and the ability to apply policy/audit to your resources (in a generic way).  Here is what my dashboard looks like currently (in my test subscription).



Oh my! I've got a lot of work to do here.  Here is a look at the current recommendations for my subscription.



Azure Security Center has a rich feature set that is only growing.  You can look at a list of the policy definitions here.  I would say that implementing Azure Security Center and working through the remediation/policy items in a timely fashion (as per your patch management policy) would suffice to meeting CIS 3.1.  It is constantly being updated by Microsoft to reference best practices for the Azure platform, and provides continuous scanning against deployed resources.