Security in Hybrid Cloud Environments
Tailwind Traders plans to adopt a hybrid cloud posture. This transition makes its environment more complex than when workloads were deployed exclusively on-premises.
Additionally, the security configuration and telemetry of these workloads are becoming increasingly complex.
In this unit, you will learn how Tailwind Traders can:
- Monitor the configuration of its on-premises and cloud workloads
- Be alerted in case of suspicious activity
- Simplify the management of updates for its on-premises and cloud server operating systems
What is Microsoft Defender for Cloud?
Microsoft Defender for Cloud allows you to assess the security configuration of various workloads. You can use it to:
- Implement security best practices on IaaS, PaaS, data, and on-premises resources
- Track compliance of security configuration against regulatory standards
- Protect data by detecting suspicious activities, such as data exfiltration patterns
- Classify data hosted in SQL databases
In hybrid environments, Defender for Cloud can be integrated with an agent on each on-premises server to collect:
- System log events
- Event tracing telemetry
- Memory dump files (crash dumps)
This unit describes the Log Analytics agent for that role. Note that Microsoft retired the Log Analytics agent on 31 August 2024; the current path for on-premises machines is to onboard them as Azure Arc-enabled servers and collect with the Azure Monitor Agent, which delivers the same telemetry to Defender for Cloud.
Defender for Cloud can then analyze this data to:
- Provide recommendations
- Generate alerts that can be forwarded to the organization's SIEM (Security Information and Event Management) system
Tailwind Traders already uses various tools to assess the compliance of the security configuration of its Windows Server and Linux workloads.
By adopting more hybrid technologies, the company can use Microsoft Defender for Cloud to monitor and remediate the security configuration of its on-premises servers and cloud workloads.
What is Microsoft Sentinel?
Microsoft Sentinel allows organizations with hybrid cloud solutions to ingest telemetry from security event logs, both on-premises and in the cloud.
Microsoft Sentinel is both a SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution.
SIEM capabilities:
- Store and analyze log data and event telemetry
- Support data ingestion from:
- On-premises environments
- Azure
- Third-party clouds and other SIEM systems
SOAR capabilities:
- Orchestrate data analysis
- Create automated responses to known threats
The following image shows a hybrid architecture with Microsoft Sentinel.

Microsoft Sentinel Features in Hybrid Environments
When Microsoft Sentinel is used in hybrid environments, it can:
- Collect data from users, devices, applications, and infrastructure, whether in the cloud or on-premises
- Use artificial intelligence (AI) and deep learning to identify potentially malicious activities in event data
- Detect threats by analyzing event data against attack signatures generated from Microsoft’s security research
- Automate incident response for known threat patterns using security playbooks
Microsoft Sentinel includes built-in workbooks that help analyze data and can provide recommendations.
These workbooks allow you to quickly understand suspicious security telemetry without manually sorting through data to interpret it.
You can also import custom workbooks contributed by other security researchers, whose analysis methods go beyond those built into Sentinel.
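The detection and playbook capabilities listed above are driven by scheduled analytics rules written in KQL. The following is an added example, not code from the Microsoft Learn module, showing how Tailwind Traders could deploy such a rule with the Az.SecurityInsights PowerShell module. The rule flags a brute-force pattern on Windows servers (many 4625 failures from one source IP, then a successful network or RDP logon for the same account on the same host). The resource group and workspace names are assumptions, and the query assumes the SecurityEvent table is populated by the Windows Security Events connector for both Azure VMs and on-premises servers.

```powershell
# Added example (not from the module). Prerequisites:
#   Install-Module Az.SecurityInsights; Connect-AzAccount
# Names below are assumptions for illustration.
$ResourceGroup = 'rg-tailwind-security'
$Workspace     = 'law-tailwind-sentinel'   # Log Analytics workspace with Sentinel enabled

# KQL: accounts with >= 10 failed logons (4625) from one source IP on one host,
# followed by a successful network (LogonType 3) or RDP (LogonType 10) logon (4624)
# for the same host, account and source IP inside the lookback window.
$Query = @'
let lookback = 1h;
let threshold = 10;
let bruteForce = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | summarize Failures = count(), FirstFailure = min(TimeGenerated)
        by Computer, Account, IpAddress
    | where Failures >= threshold;
SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)
    | project SuccessTime = TimeGenerated, Computer, Account, IpAddress
    | join kind=inner bruteForce on Computer, Account, IpAddress
    | where SuccessTime > FirstFailure
    | project SuccessTime, Computer, Account, IpAddress, Failures, FirstFailure
'@

# Scheduled rule: run hourly over the last hour; any row creates an alert
# (TriggerThreshold 0 with GreaterThan). Incidents from this rule can then
# be handled by an automation rule and playbook.
$rule = New-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace `
    -Scheduled `
    -DisplayName 'Brute force followed by successful logon' `
    -Description 'At least 10 failed logons from one source IP, then a successful network/RDP logon for the same account on the same host.' `
    -Severity Medium `
    -Query $Query `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod   (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -Enabled

$rule | Select-Object DisplayName, Severity, Enabled
```

The query window (`ago(lookback)`) and the rule's QueryPeriod are deliberately the same so the logic behaves identically whether run ad hoc in Logs or by the scheduler. Linux SSH failures land in the Syslog table rather than SecurityEvent, so a hybrid estate needs a companion rule for that source.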
Tailwind Traders’ Use of Microsoft Sentinel
Tailwind Traders has an on-premises SIEM system that collects and analyzes event log data from various computers and devices.
This system was sufficient when the company operated exclusively on-premises.
By adopting Microsoft Sentinel, Tailwind Traders can extend this capability to its hybrid cloud environment.
It is likely that Tailwind Traders will connect its existing SIEM to Microsoft Sentinel.
This connection allows the company to benefit from Sentinel’s AI and deep learning without making major changes to its on-premises configuration.
What is Azure Automation Update Management?
Azure Automation Update Management enables managing updates for server operating systems both on-premises and in the cloud through a single cloud-based console. Note that Microsoft retired Azure Automation Update Management (together with the Log Analytics agent it depends on) on 31 August 2024; its successor is Azure Update Manager, which works with Azure Arc-enabled servers and needs no Automation account. The concepts below (classifications, maintenance windows, reboot settings, pre/post scripts) carry over to the successor.
Update Management works with:
- Microsoft Windows Server workloads
- Supported Linux operating systems, whether physical or virtual
Update sources:
- For Windows Server:
- Microsoft Update
- Windows Server Update Services (WSUS)
- For Linux:
- Public or custom Linux package repositories
Update Management allows you to:
- Identify missing updates on registered systems
- Schedule and automate updates to ensure compliance and security
The following diagram shows how Update Management integrates with Azure Automation and Log Analytics workspaces.

Configuring an Update Deployment
When you configure an update deployment, you must specify:
- Whether the deployment targets Windows or Linux computers (you cannot target both types at the same time)
- The specific registered servers you want to include in the deployment
- The update classifications to install (for example: critical, security, etc.)
- Whether certain specific updates should be included or excluded
- The deployment schedule, including whether it should be recurring
- Scripts to run before and after the update
- The maximum duration of the maintenance window, with the last 20 minutes reserved for system restart
- Restart options to determine whether the system should restart if necessary to complete the installation of updates
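The settings listed above map directly onto parameters of the Az.Automation cmdlets. The following is an added example, not code from the module, creating two deployments, one for Windows and one for Linux, because a single deployment cannot target both. The resource group, Automation account, VM resource IDs, on-premises computer names and runbook names are assumptions; the on-premises servers are identified by the computer name under which they report to the linked Log Analytics workspace.

```powershell
# Added example (not from the module). Prerequisites:
#   Install-Module Az.Automation; Connect-AzAccount
# Update Management was retired by Microsoft on 31 August 2024; the cmdlets are
# shown for reference. All names and IDs below are assumptions.
$ResourceGroup = 'rg-tailwind-automation'
$Account       = 'aa-tailwind-hybrid'

# Azure VMs by resource ID; non-Azure (on-premises) servers by registered computer name.
$WindowsVmIds  = @('/subscriptions/<subscription-id>/resourceGroups/rg-tailwind-prod/providers/Microsoft.Compute/virtualMachines/vm-web-01')
$WindowsOnPrem = @('SRV-FILE-01', 'SRV-DC-02')
$LinuxVmIds    = @('/subscriptions/<subscription-id>/resourceGroups/rg-tailwind-prod/providers/Microsoft.Compute/virtualMachines/vm-api-01')
$LinuxOnPrem   = @('srv-db-01')

# Recurring schedule: every Sunday at 02:00 UTC, starting tomorrow.
# -ForUpdateConfiguration marks the schedule for an update deployment;
# each deployment gets its own schedule.
$Start = [datetime]::UtcNow.Date.AddDays(1).AddHours(2)
function New-UpdateSchedule([string]$Name) {
    New-AzAutomationSchedule -ResourceGroupName $ResourceGroup -AutomationAccountName $Account `
        -Name $Name -StartTime $Start -TimeZone 'UTC' `
        -WeekInterval 1 -DaysOfWeek Sunday -ForUpdateConfiguration
}

# Windows deployment: Critical and Security classifications only, 2-hour window
# (the last 20 minutes of which are reserved for restarts), reboot if an update
# needs it, and runbooks before/after to stop and restart the application.
# -IncludedKbNumber / -ExcludedKbNumber would pin or exclude specific updates.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup -AutomationAccountName $Account `
    -Schedule (New-UpdateSchedule 'Weekly-Windows-CriticalSecurity') `
    -Windows `
    -AzureVMResourceId $WindowsVmIds -NonAzureComputer $WindowsOnPrem `
    -IncludedUpdateClassification Critical,Security `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired `
    -PreTaskRunbookName 'Stop-TailwindAppService' `
    -PostTaskRunbookName 'Start-TailwindAppService'

# Linux deployment: same policy, package classifications instead of KBs,
# with kernel packages excluded so kernel upgrades are handled in a separate window.
New-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup -AutomationAccountName $Account `
    -Schedule (New-UpdateSchedule 'Weekly-Linux-CriticalSecurity') `
    -Linux `
    -AzureVMResourceId $LinuxVmIds -NonAzureComputer $LinuxOnPrem `
    -IncludedPackageClassification Critical,Security `
    -ExcludedPackageNameMask 'kernel*' `
    -Duration (New-TimeSpan -Hours 2) `
    -RebootSetting IfRequired

# Confirm both deployments exist in the Automation account.
Get-AzAutomationSoftwareUpdateConfiguration -ResourceGroupName $ResourceGroup -AutomationAccountName $Account |
    Select-Object Name
```

Keeping the Windows and Linux policies otherwise identical (same classifications, window and reboot setting) makes it easy to audit that the two deployments enforce the same baseline; the only intended difference is the package exclusion on Linux.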
Tailwind Traders' Use of Update Management
The company has WSUS and other tools to manage updates for its Windows and Linux operating systems on-premises.
By configuring its server workloads (IaaS VMs on-premises and in the cloud) to report to Azure Automation Update Management, Tailwind Traders can ensure that all operating systems hosting critical workloads remain up to date.