Defender CSPM: How to improve the security of cloud environments

Defender CSPM provides continuous visibility and recommendations to protect enterprise cloud environments. Let's see its features and how to use them.

by Emanuele Rossi

Defender CSPM: a brief introduction

Defender CSPM (Cloud Security Posture Management) is a plan within Microsoft Defender for Cloud that continuously assesses Azure, AWS, and GCP resources against security benchmarks — CIS, NIST, PCI-DSS — and generates a prioritised recommendation list with attack path analysis. The paid plan adds AI-powered risk prioritisation, governance workflows, and regulatory compliance dashboards beyond the free foundational posture assessments.

What is a CSPM, what is it for, and why is it important

Cloud security presents challenges that differ from the risks of previous computing models. First of all, cloud infrastructure is necessarily connected to the Internet. Because it allows the almost instantaneous transfer of any type of data, the Internet exposes everything connected to it to a vast number of threats.

In addition, connecting to the Internet increases the risk of data exposure: anyone in the world can view and potentially steal the exposed data, unlike when the data is stored in private networks.

Second, cloud infrastructure is often highly complex, combining different types of cloud services, as is the case in a multi-cloud environment. As business needs change, various computing, storage, and software services are added, expanded, or removed.

All of this happens in remote data centers, making it difficult to maintain visibility and control, meet compliance requirements, and identify and eliminate risks.

Finally, while some aspects of a cloud service may be managed by the provider, security configurations usually aren’t. This forces organizations to implement security measures for an infrastructure that they do not directly manage.

Cloud misconfigurations occur when the configuration of a cloud infrastructure departs from the organization's configuration policy and security guidelines, directly jeopardizing the protection of cloud resources.

These risks take the form of security breaches, hacker attacks, ransomware, malware, or insider threats that exploit vulnerabilities to access cloud systems.

A rather terrifying scenario, but in which a CSPM (Cloud Security Posture Management) can lend us a hand.

But what exactly is it?

(Image: Getting contextual visibility and insights with Defender CSPM)

It is a solution that helps identify, prevent, and correct misconfigurations and security vulnerabilities in cloud environments to reduce the risk of breaches and improve compliance. CSPM provides visibility into cloud environments, allowing you to quickly detect configuration errors and correct them automatically.

A CSPM manages multiple aspects of cloud security, the most important of which are:

  • Configuration errors: As we mentioned before, organizations often misconfigure the implementation of their cybersecurity solutions. A CSPM solution verifies that everything is configured correctly.
  • Legal and regulatory compliance issues: A lack of attention to detail in cloud security can cause compliance issues. A CSPM solution ensures that doesn't happen.
  • Unauthorized access: Misconfigured access management tools, or simply a security oversight, can lead to unauthorized access to the organization's network and systems. A CSPM helps keep prying eyes away from your most sensitive resources.

Protecting workloads in the cloud begins with the adoption of security policies tailored to the organization, supported by a purpose-built CSPM platform that continuously monitors and discovers the resources distributed across cloud workloads and evaluates them against security best practices and standards, such as CIS and NIST.

The CSPM identifies and corrects risks by automating visibility, monitoring, threat detection, and correction flows to search for configuration errors in various cloud environments, including:

  • Infrastructure as a Service (IaaS)
  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)

A CSPM is generally automated. Instead of requiring security teams to manually check their clouds for security risks, it works in the background, analyzing the cloud for compliance risks and configuration vulnerabilities.

Most CSPM tools can scan multi-cloud environments, providing a combined view of the security status across all cloud services. This capability is crucial because many organizations use more than one cloud service, which increases the risk of misconfigurations and can be more difficult to manage manually.

Finally, modern CSPM solutions also integrate seamlessly with DevOps processes, ensuring that security is embedded throughout the software development lifecycle. This integration helps identify and address security issues early, reducing the likelihood of vulnerabilities being introduced into production environments.

Defender CSPM: basic CSPM functionality offered by Defender for Cloud

Microsoft Defender CSPM (Cloud Security Posture Management) is an integrated solution within Defender for Cloud that helps protect cloud infrastructures by continuously monitoring resource configuration, detecting vulnerabilities, and automating error correction to ensure compliance with best security practices.

The CSPM provides detailed visibility into the security status of assets and workloads, offering guidelines for strengthening security to help you efficiently and effectively improve your security posture.

Defender for Cloud continuously evaluates your resources against the security standards defined for your Azure subscriptions, AWS accounts, and GCP projects, and provides security recommendations based on these assessments.

By default, when you enable Defender for Cloud on an Azure subscription, the Microsoft Cloud Security Benchmark (MCSB) compliance standard is enabled. It provides recommendations and Defender for Cloud provides an aggregated security score based on some of the MCSB recommendations.

The higher the score, the lower the level of risk identified.

(Image: Measuring your security posture with Defender CSPM)

Defender for Cloud offers two options for its CSPM functionality: the free plan (which Microsoft calls Foundational CSPM), integrated into the basic offer of the service, and Microsoft Defender CSPM, an additional paid plan that we will discuss in the next section.

As for the free plan, its features are automatically enabled on any subscription or account that has onboarded to Defender for Cloud and include:

  • Asset Discovery: the process of automatically discovering all cloud resources in the organization's environment. This includes virtual machines, databases, storage accounts, identities, and other assets, providing a complete view of the IT infrastructure. The goal is to ensure that no resource remains unmonitored or unmanaged, reducing the risk of vulnerabilities due to misconfigurations or forgotten resources.
  • Ongoing assessment and security recommendations: a continuous analysis of cloud resource security configurations to identify vulnerabilities, misconfigurations, and potential threats. The system provides detailed recommendations to correct issues and improve security posture, ensuring a proactive approach to cybersecurity management.
  • Compliance with the Microsoft Cloud Security Benchmark: a set of guidelines developed by Microsoft to ensure the security of cloud infrastructures. The benchmark includes best practices and compliance requirements based on recognized standards, such as NIST and CIS. Adherence to the MCSB helps organizations maintain a high level of security, reducing the risk of exposures and non-compliance.
  • Secure Score: a quantitative indicator that measures the current state of the organization's security within the cloud environment. The score is calculated from the number of recommendations implemented compared to the total recommendations and provides a clear reference for understanding the current level of protection. A higher score indicates a stronger security posture, while a low score signals the need for improvements.

Defender CSPM: additional paid plan features

Are Defender for Cloud’s free features not enough for us?

If you deem it necessary, you can expand its set of features by activating the Defender CSPM plan.

(Image: Microsoft Defender CSPM features)

The Defender CSPM plan offers advanced security posture management features; the main ones are:

  • Security Governance: Security teams are responsible for improving their organizations' security posture, but they may not have the resources or authority to actually implement security recommendations. Assigning owners with due dates and defining governance rules create accountability and transparency, so that the process of improving the organization's security can be driven.
  • Regulatory compliance: With this functionality, Microsoft Defender CSPM simplifies meeting regulatory compliance requirements by providing a dedicated dashboard and continuously evaluating the environment for risk factors based on the controls and best practices of the standards applied to subscriptions. The dashboard reflects the state of compliance with these standards. The Microsoft cloud security benchmark (MCSB), by contrast, is automatically assigned to subscriptions and accounts when you onboard to Defender for Cloud (Foundational CSPM). This benchmark is based on the cloud security principles defined by the Azure Security Benchmark and applies them with detailed technical implementation guidance for Azure, other cloud providers (such as AWS and GCP), and other Microsoft clouds.
  • Cloud Security Explorer: allows you to proactively identify security risks in the cloud environment by graphically querying the Cloud Security Graph, which is Defender for Cloud's context engine. The security team's queries can be prioritized, taking into account the context and the specific regulations of the organization. With the Cloud Security Explorer, it is possible to query security issues together with the context of the environment, such as the inventory of resources, exposure to the Internet, permissions, and the "lateral movement" possible between resources and across multiple clouds (Azure and AWS).
  • Attack path analysis: helps address the security issues, specific to the environment, that represent immediate threats with the greatest potential for exploitation. Defender for Cloud analyzes which security issues are part of potential attack paths that attackers could use to breach the environment, and highlights the security recommendations that need to be resolved to mitigate them.
  • Agentless scanning for machines: Microsoft Defender for Cloud maximizes coverage of operating system posture issues and goes beyond the coverage provided by agent-based assessments. Thanks to agentless scanning for virtual machines, it is possible to obtain immediate, wide and unobstructed visibility into potential posture problems, without installing agents, meeting network connectivity requirements, or impacting machine performance. Agentless scanning for virtual machines provides vulnerability assessment and software inventory, both through Microsoft Defender Vulnerability Management, in Azure and Amazon AWS environments. Agentless scanning is available both in Defender Cloud Security Posture Management (CSPM) and in Defender for Servers P2.

In this table, let's see in detail the difference between the "foundational" features and those offered by Defender CSPM:

Defender for Cloud: Foundational vs Defender CSPM features

Feature | Foundational | Defender CSPM | Availability
Security recommendations | Yes | Yes | Azure, on-premises
Resource inventory | Yes | Yes | Azure, on-premises
Secure score | Yes | Yes | Azure, on-premises
Data visualization and reports with Azure Workbooks | Yes | Yes | Azure, on-premises
Data export | Yes | Yes | Azure, on-premises
Workflow automation | Yes | Yes | Azure, on-premises
Remediation tools | Yes | Yes | Azure, on-premises
Microsoft Cloud Security Benchmark | Yes | Yes | Azure, on-premises
Security governance | - | Yes | Azure, on-premises
Regulatory compliance standards | - | Yes | Azure, on-premises
Cloud Security Explorer | - | Yes | Azure
Attack path analysis | - | Yes | Azure
Agentless scanning for machines | - | Yes | Azure
Agentless container security posture | - | Yes | Azure
Container registry vulnerability assessment, including scanning | - | Yes | Azure
Data-aware security posture | - | Yes | Azure
EASM network exposure insights | - | Yes | Azure
Permissions management | - | Yes | Azure

How to enable and configure Defender CSPM

Now that we have a clearer view of the features offered in the paid plan, it’s time to take a closer look at how to enable and configure them with a small practical example.

1. Enabling Defender CSPM

First, the Defender CSPM plan must be enabled on the Azure subscription. To activate it, you must have at least the Security Admin role (a built-in Azure role).

Once we have verified that the prerequisite above is met, we open the Azure portal and go to the Microsoft Defender for Cloud section. From its menu, we open the Environment Settings page.

We select the subscription on which we want to enable Defender CSPM and, on the Defender plans page, we select Defender CSPM and set its status to ON.

Let's click on Save to apply the changes.

Once activated, Defender CSPM is ready to evaluate our multi-cloud environment and will provide recommendations to strengthen asset security and improve security posture.

2. Creating governance rules

Teams with less experience in cloud security may have difficulty implementing the recommendations and solving the problems identified, but, as we have seen, Defender CSPM offers governance rules to assign high-priority issues to cloud security owners, with defined resolution times.

To create governance rules, we open the Microsoft Defender for Cloud section from the Azure portal, as in the previous example. Then, from the Defender for Cloud menu, we go to Environment Settings and select the relevant subscription.

In the settings, we select Governance Rules.

Let's click on +Create governance rule and fill in the details:

  • Name of the rule
  • Scope: let's select the subscription level
  • Priority: 1

Let's click on Next to proceed to the next page.

In the Conditions section, let's set:

  • Severity: High
  • Owner: By email address; enter the cloud security team's email to receive notifications
  • Remediation timeframe: 30 days

Let's enable the weekly notification to managers about open or due tasks and click on Save. A weekly email will be sent to the cloud security team and their managers with all the recommendations assigned according to the configured governance rules.
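As an added example (not part of the original article), here are the two steps above, enabling the plan and creating the governance rule, done with the Azure CLI instead of the portal so they can be scripted and re-checked. The plan name CloudPosture, the governanceRules REST body and its api-version are assumptions from my reading of the Microsoft.Security API and should be checked against the current reference; the subscription ID, e-mail address and rule ID are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not the article's own code. Assumptions: Defender CSPM is the
# "CloudPosture" plan in `az security pricing`; governance rules are created with a
# PUT on Microsoft.Security/governanceRules (body shape and api-version as recalled).
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
API_VERSION="2022-01-01-preview"                                              # assumed

# Pull the pricing tier out of the JSON returned by `az security pricing show`
# (sed only, so the check also works where jq is not installed).
pricing_tier() {
  printf '%s' "$1" | sed -n 's/.*"pricingTier": *"\([^"]*\)".*/\1/p'
}

# Build the REST body for a governance rule that mirrors the article's settings:
# severity filter, owner by e-mail, remediation window in days, priority, and
# weekly owner/manager e-mail notifications left enabled.
governance_rule_json() {
  local name="$1" priority="$2" severity="$3" owner="$4" days="$5"
  cat <<EOF
{"properties":{"displayName":"$name","description":"Assign $severity recommendations to $owner","rulePriority":$priority,"remediationTimeframe":"$days.00:00:00","isGracePeriod":true,"isDisabled":false,"ruleType":"Integrated","sourceResourceType":"Assessments","conditionSets":[{"conditions":[{"property":"\$.Severity","operator":"Equals","value":"$severity"}]}],"ownerSource":{"type":"Manually","value":"$owner"},"governanceEmailNotification":{"disableOwnerEmailNotification":false,"disableManagerEmailNotification":false}}}
EOF
}

# Step 1: turn the plan on, then read it back instead of trusting the create call.
enable_defender_cspm() {
  az security pricing create --name CloudPosture --tier Standard \
    --subscription "$SUBSCRIPTION_ID" >/dev/null
  local tier
  tier="$(pricing_tier "$(az security pricing show --name CloudPosture \
    --subscription "$SUBSCRIPTION_ID" -o json)")"
  [ "$tier" = "Standard" ] || { echo "Defender CSPM is not enabled" >&2; return 1; }
}

# Step 2: create the rule (High severity, 30 days, priority 1) via the REST API.
create_governance_rule() {
  local rule_id="$1"
  az rest --method put \
    --url "https://management.azure.com/subscriptions/$SUBSCRIPTION_ID/providers/Microsoft.Security/governanceRules/$rule_id?api-version=$API_VERSION" \
    --body "$(governance_rule_json "Cloud security team - high severity" 1 High "cloudsec@example.com" 30)"
}

# Only touch Azure when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then
  enable_defender_cspm
  create_governance_rule "high-severity-to-cloudsec"   # placeholder rule id; use a GUID in practice
fi
```

Run it with `--apply` after `az login` to make the changes; without the flag it only defines the functions, so it can be sourced from other scripts.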

Conclusions

The security of your cloud environments must be considered of paramount importance if your digital infrastructure has been transferred “to the clouds” and with the increase in cyber threats, nothing should be left to chance, not even the possibility of a configuration error on our part.

It is therefore important to have tools that assist cybersecurity experts in their operations and provide them with the control and feedback they need in order to keep our IT environments safe and prevent the unintentional creation of flaws in our security posture.

The basic features of Defender for Cloud and the functionality of Defender CSPM (depending on our needs) can help us with exactly this, providing vision and possibility of action to the professionals who manage and maintain our defenses.

In this type of environment, it is essential not to rest too much on your laurels; so, why wait when you can already rely on these solid tools to begin to secure your organization?

FAQ on Microsoft Defender CSPM

What is Microsoft Defender CSPM?
Microsoft Defender CSPM is a paid extension of Defender for Cloud, developed to help organizations improve the security posture of their cloud environments. It offers advanced tools to identify and correct misconfigurations, monitor vulnerabilities, and ensure compliance with recognized security standards.

What's the difference between Defender CSPM and Defender for Cloud?
Defender for Cloud includes some basic CSPM functionality in a free plan called Foundational CSPM. Defender CSPM, on the other hand, is an advanced plan that adds functionality for more in-depth and proactive cloud security management.

What features are included in the free plan (Foundational CSPM)?
The free plan allows you to automatically discover all your cloud resources, perform continuous assessments of security configurations, receive recommendations to improve your security posture, and monitor your overall health with an indicator called Secure Score. In addition, it ensures compliance with the Microsoft Cloud Security Benchmark and supports data visualization through Azure Workbooks.

What additional features does Defender CSPM offer for a fee?
The paid plan includes tools for security governance, advanced regulatory compliance, the ability to graphically explore risks through the Cloud Security Explorer, the analysis of attack paths, agentless scanning for virtual machines and containers, vulnerability assessment of container registries and the management of permissions, offering even more complete control of the cloud environment.

Does Defender CSPM work only on Azure?
No, Defender CSPM is designed for multicloud environments. In addition to Azure, it can also be used with AWS accounts and GCP projects. However, some more advanced features are only available on Azure.

How do you enable Defender CSPM?
To enable Defender CSPM, you must have at least the Security Admin role. From the Azure portal, you access the Microsoft Defender for Cloud section, enter the environment settings, select the desired subscription and activate the Defender CSPM plan by setting it to ON. Finally, you save the changes to make it operational.

What does the Secure Score do?
The Secure Score is an indicator that measures the overall security of the cloud environment. It is calculated from the number of security recommendations implemented compared to those available. The higher the score, the lower the level of risk associated with the infrastructure.

What is the Microsoft Cloud Security Benchmark (MCSB)?
The Microsoft Cloud Security Benchmark is a security standard that is automatically applied to Azure subscriptions when Defender for Cloud is activated. It includes a series of best practices and controls based on recognized standards such as NIST and CIS, adapted for the Microsoft cloud environment and for other providers such as AWS and GCP.

Do I need to install agents to use Defender CSPM?
No, one of the advanced features of the plan is the ability to perform an agentless scan of virtual machines, which allows you to detect vulnerabilities and collect information without impacting performance and without requiring additional installations.

Who is Defender CSPM for?
Defender CSPM is aimed at organizations that operate in the cloud and need advanced tools to protect complex infrastructures, improve visibility of risks, and maintain compliance with regulations and security best practices.

Written by

Emanuele Rossi

Infra & Security · Dev4Side
