November 2024 Update
Updated versions of CIS standards for managed Kubernetes environments and new recommendations
November 19, 2024
Defender for Cloud's regulatory compliance dashboard now offers updated versions of the Center for Internet Security (CIS) standards for assessing the security posture of managed Kubernetes environments.
From the dashboard, you can assign the following standards to your AKS/EKS/GKE Kubernetes resources:
- CIS Azure Kubernetes Service (AKS) v1.5.0
- CIS Google Kubernetes Engine (GKE) v1.6.0
- CIS Amazon Elastic Kubernetes Service (EKS) v1.5.0
To give these standards the best possible depth of coverage, we've also released 79 new Kubernetes-centric recommendations.
To use these new recommendations, either assign the standards listed above or create a custom standard and include one or more of the new assessments in it.
Public preview of Kubernetes cloud process events in advanced hunting
We're announcing the preview release of Kubernetes cloud process events in advanced hunting. This powerful integration provides detailed information about Kubernetes process events occurring across your multicloud environments. You can use it to discover threats that can be observed through process details, such as malicious processes invoked in your cloud infrastructure. For more information, see CloudProcessEvents.
Deprecation of Bring your own License (BYOL) feature in vulnerability management
November 19, 2024
Estimated date for change:
- February 3, 2025: The feature will no longer be available for onboarding new machines and subscriptions.
- May 1, 2025: The feature will be fully deprecated and no longer available.
As part of our efforts to improve the Defender for Cloud security experience, we're streamlining our vulnerability assessment solutions. We're removing the "Bring Your Own License" feature in Defender for Cloud. You'll now use Microsoft Security Exposure Management connectors for a more seamless, integrated, and complete solution.
We recommend that you transition to the new connector solution within Microsoft Security Exposure Management. Our team is here to support you through this transition.
For more information on using the connectors, see Overview of connecting data sources in Microsoft Security Exposure Management.
Agentless code scanning in Microsoft Defender for Cloud (preview)
November 19, 2024
Agentless code scanning in Microsoft Defender for Cloud is now available for public preview. It offers fast and scalable security for all repositories in Azure DevOps organizations through a single connector. This solution helps security teams find and fix vulnerabilities in code and infrastructure as code (IaC) configurations across Azure DevOps environments. It requires no agents, no changes to pipelines, and no interruption of developer workflows, which keeps setup and maintenance simple, and it works independently of continuous integration and continuous deployment (CI/CD) pipelines. The solution provides continuous, automated insights that speed up risk detection and response without slowing development.
Use cases:
- Organization-wide scanning: You can securely monitor all repositories in Azure DevOps organizations with one connector.
- Early vulnerability detection: Quickly find code and IaC risks for proactive risk management.
- Continuous security insights: Keep visibility and respond quickly across development cycles without affecting productivity.
On-demand malware scanning in Microsoft Defender for Storage (Preview)
November 19, 2024
On-demand malware scanning in Microsoft Defender for Storage, now in public preview, enables scanning of existing blobs in Azure Storage accounts whenever needed. Scans can be initiated from the Azure portal UI or via the REST API, supporting automation through Logic Apps, Automation playbooks, and PowerShell scripts. This feature uses Microsoft Defender Antivirus with the latest malware definitions for every scan and provides upfront cost estimation in the Azure portal before scanning.
Use cases:
- Incident response: Scan specific storage accounts after detecting suspicious activity.
- Security baseline: Scan all stored data when first enabling Defender for Storage.
- Compliance: Set automation to schedule scans that help meet regulatory and data protection standards.
JFrog Artifactory container registry support by Defender for Containers (Preview)
November 18, 2024
This feature extends Microsoft Defender for Containers coverage of external registries to include JFrog Artifactory. Your JFrog Artifactory container images are scanned using Microsoft Defender Vulnerability Management to identify security threats and mitigate potential security risks.
AI security posture management is now generally available (GA)
November 18, 2024
Defender for Cloud's AI security posture management features are now generally available (GA).
Defender for Cloud reduces risk to cross-cloud AI workloads by:
- Discovering generative AI Bill of Materials (AI BOM), which includes application components, data, and AI artifacts from code to cloud.
- Strengthening generative AI application security posture with built-in recommendations and by exploring and remediating security risks.
- Using the attack path analysis to identify and remediate risks.
Critical assets protection in Microsoft Defender for Cloud
November 18, 2024
Today, we're excited to announce the General Availability of Critical Assets Protection in Microsoft Defender for Cloud. This feature enables security administrators to tag the "crown jewel" resources that are most critical to their organizations, allowing Defender for Cloud to provide them with the highest level of protection and prioritize security issues on these assets above all others. Learn more about critical assets protection.
Alongside the General Availability release, we're also expanding support for tagging Kubernetes and nonhuman identity resources.
Enhanced critical asset protection for containers
November 18, 2024
Critical asset protection is extended to support additional use cases for containers.
Users can now create custom rules that mark assets managed by Kubernetes (workloads, containers, etc.) as critical based on the asset Kubernetes namespace and/or the asset Kubernetes label.
As with other critical asset protection use cases, Defender for Cloud takes asset criticality into account for risk prioritization, attack path analysis, and the security explorer.
Enhancements to detect & respond to container threats
November 18, 2024
Defender for Cloud provides a suite of new features to empower SOC teams to tackle container threats in cloud-native environments with greater speed and precision. These enhancements include Threat Analytics, GoHunt capabilities, Microsoft Security Copilot guided response, and cloud-native response actions for Kubernetes pods.
Introducing cloud-native response actions for Kubernetes pods (Preview)
November 18, 2024
Defender for Cloud now offers multicloud response actions for Kubernetes pods, accessible exclusively from the Defender XDR portal. These capabilities enhance incident response for AKS, EKS, and GKE clusters.
The following response actions are new:
- Network Isolation: Instantly block all traffic to a pod, preventing lateral movement and data exfiltration. Requires network policy configuration on your Kubernetes cluster.
- Pod Termination: Quickly terminate suspicious pods, stopping malicious activity without disrupting the broader application.
These actions empower SOC teams to contain threats effectively across cloud environments.
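The network policy prerequisite above means the cluster's network plugin must enforce Kubernetes NetworkPolicy objects. The following policy is an added illustration of the kind of pod-level isolation such an action relies on; it is not Microsoft's code and not the object the response action itself creates, and the namespace, policy name and label are constructed for the example.

```yaml
# Added example (not from the original page): isolate a single pod by label.
# A NetworkPolicy only takes effect on clusters whose network plugin enforces
# it; on a cluster without such a plugin the object is accepted by the API
# server but nothing blocks traffic, which is why the response action lists
# network policy configuration as a prerequisite.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: isolate-suspicious-pod       # constructed name
  namespace: payments                # constructed namespace
spec:
  # Select only the pod under investigation by a label (constructed label).
  # Pods in the namespace without this label are unaffected.
  podSelector:
    matchLabels:
      incident: quarantine
  # Declaring both policy types with no ingress/egress rules denies all
  # traffic in and out of the selected pod, including DNS egress.
  policyTypes:
    - Ingress
    - Egress
```

To use it a responder applies the policy with `kubectl apply -f` and labels the pod under investigation with `kubectl label pod <pod-name> -n payments incident=quarantine`; removing the label restores the pod's normal connectivity.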
Threat Analytics report for containers
We're introducing a dedicated Threat Analytics report, designed to provide comprehensive visibility into threats targeting containerized environments. This report equips SOC teams with insights to detect and respond to the latest attack patterns on AKS, EKS, and GKE clusters.
Key Highlights:
- Detailed analysis of top threats and associated attack techniques within Kubernetes environments.
- Actionable recommendations to strengthen your cloud-native security posture and mitigate emerging risks.
GoHunt for Kubernetes pods & Azure resources
GoHunt now extends its hunting capabilities to include Kubernetes pods and Azure resources, within the Defender XDR portal. This feature enhances proactive threat hunting, enabling SOC analysts to conduct in-depth investigations across cloud-native workloads.
Key Features:
- Advanced query capabilities to detect anomalies in Kubernetes pods and Azure resources, offering richer context for threat analysis.
- Seamless integration with Kubernetes entities for efficient threat hunting and investigation.
Security Copilot Guided Response for Kubernetes pods
Introducing Guided Response for Kubernetes pods, a feature powered by Security Copilot. This new capability provides real-time, step-by-step guidance, helping SOC teams respond to container threats swiftly and effectively.
Key Benefits:
- Contextual response playbooks tailored to common Kubernetes attack scenarios.
- Expert, real-time support from Security Copilot, bridging the knowledge gap and enabling faster resolution.
API Security Posture Management Native Integration within Defender CSPM plan now in public preview
November 15, 2024
API security posture management (Preview) capabilities are now included in the Defender CSPM plan and can be enabled through extensions within the plan on the environment settings page. For more information, see Improve your API security posture (Preview).
Enhanced container protection with vulnerability assessment and malware detection for AKS nodes
November 13, 2024
Defender for Cloud now provides vulnerability assessment and malware detection for the nodes in Azure Kubernetes Service (AKS), and clarifies the customer's part in the security responsibility shared with the managed cloud provider.
Providing security protection for these Kubernetes nodes allows customers to maintain security and compliance across the managed Kubernetes service.
To receive the new capabilities, you have to enable the agentless scanning for machines option in the Defender CSPM, Defender for Containers, or Defender for Servers P2 plan in your subscription.
Vulnerability Assessment
A new recommendation is now available in Azure portal: AKS nodes should have vulnerability findings resolved. Through this recommendation, you can now review and remediate vulnerabilities and CVEs found on Azure Kubernetes Service (AKS) nodes.
Malware detection
New security alerts are triggered when the agentless malware detection capability detects malware in AKS nodes.
Agentless malware detection uses the Microsoft Defender Antivirus anti-malware engine to scan and detect malicious files. When threats are detected, security alerts are directed into Defender for Cloud and Defender XDR, where they can be investigated and remediated.