Enable Adaptive Application Controls in Azure Security Center


Updated – 05/08/2020: Adaptive application controls updated with a new recommendation and support for wildcards in path rules.

Introduction

Azure Security Center gives you visibility and control over the security of hybrid cloud workloads, including compute, network, storage, identity, and application workloads. Azure Security Center (ASC) has two main value propositions:

  1. Cloud Security Posture Management (CSPM) – Helps you prevent misconfiguration and strengthen your security posture across all types of cloud workloads and resources in Azure (IaaS, PaaS, and SaaS).
  2. Cloud Workload Protection Platform (CWPP) – Protects servers against threats whether they run in Azure, on-premises or in other clouds such as Amazon AWS or Google GCP, in addition to cloud-native workloads such as Web Apps, Kubernetes, Key Vaults, SQL databases (PaaS/VM) and storage accounts.

Adaptive Application Controls (AAC) is one of the many Azure Security Center features that fall under the Cloud Workload Protection Platform (CWPP) for threat detection and response. It is something you should consider for your Windows and Linux systems whether they run in Azure, on-premises or in other cloud environments.

Many companies use Security Center but do not leverage this powerful cloud defense capability, which is a missed opportunity in the long run. Application control helps you deal with malicious and/or unauthorized software by allowing only specific applications to run on your virtual machines and servers.

In this article, I will show you how to enable adaptive application controls in Azure Security Center so you can whitelist your applications for Windows and Linux machines and protect your systems.

Adaptive Application Controls overview

One of the biggest challenges of application whitelisting is maintaining the list. The traditional approach of using AppLocker in Windows is a good solution, but it still carries the overhead of keeping up with the applications and getting the initial baseline to work properly for your needs.

With adaptive application controls, Azure Security Center uses machine learning to learn how applications behave on your server(s) and suggests a list of applications that should be whitelisted, based on patterns, behaviors and security analytics. That is important because you want to make sure that the wrong or unwanted applications are not running on your servers, and that you are notified if a known vulnerable application is present. This capability works for Azure Windows VMs as well as on-premises machines running Windows or Linux.

At the time of writing, Azure and non-Azure (Windows and Linux) machines are only supported in audit mode, as documented by Microsoft. In audit mode, adaptive application controls will not block the execution of an application; it will only notify you.

Non-Azure Virtual Machine (Windows and Linux)

Prerequisites

To follow this article, you need to have the following:

  1. A Microsoft Azure subscription. If you don’t have an Azure subscription, you can create a free one here.
  2. Azure Security Center Standard tier enabled. Adaptive application controls are part of the Azure Security Center Standard tier. Please note that you can use the Standard tier free for 30 days.
  3. A Log Analytics workspace. To create a new workspace, follow the instructions here: Create a Log Analytics workspace.
  4. Windows or Linux machines running as Azure VMs or on-premises, with the Microsoft Monitoring Agent (MMA) installed and connected to the Log Analytics workspace. See the following article to learn how to onboard Windows machines to Security Center.

Planning for Adaptive Application Controls

There are important points to take into consideration during the planning phase, before you enable this feature.

Adaptive application controls do not support Windows machines on which an AppLocker policy is already enabled, whether by Group Policy Objects (GPO) or local security policy. As a security best practice, Azure Security Center will always try to create a publisher rule for applications that are selected to be allowed. If an application has no publisher information, which means it is not signed, a path rule is created instead for the full path of that application. Keep this in mind when you review the generated rules.

Enable Adaptive Application Controls

To enable and access adaptive application controls from the Security Center dashboard, take the following steps:

  1. Open the Azure Portal and sign in with a user who has Security Admin privileges.
  2. On the left navigation pane, click Security Center.
  3. From Security Center’s sidebar, under ADVANCED CLOUD DEFENSE, open the Adaptive application controls page.
  4. The Adaptive application controls page appears. If you have configured this feature before, you will see groups that were already created. If this is a brand-new configuration, the ‘Configured‘ tab is blank, because everything else is under the ‘Recommended‘ tab.
  5. Under the ‘Recommended‘ tab, you will see multiple groups. Each group aggregates servers with similar patterns of applications, behavior and execution.
  6. If you open one of those groups, you get more information about the ‘VMs/servers‘ that belong to that group, the current state of each server, and the severity, which indicates that the adaptive application controls policy has not been applied yet.
  7. The ‘Recommended applications‘ section lists all applications that are frequently used on those VMs; it is highly recommended that you whitelist those first.
  8. You also have ‘More applications‘, a list of applications that are used less frequently within this group. You can whitelist those as well if you want to. This is the initial configuration: review these options and then click the ‘Audit‘ button. It is a very straightforward process.
  9. When you click ‘Audit‘, Security Center automatically creates the appropriate rules on top of the built-in allow list solution, which takes a couple of minutes to complete. On Windows Server, that solution is the AppLocker feature running in the background. Once the rules are configured, the group appears under the ‘Configured‘ tab as shown in the figure below.
  10. When you click that group, you can make changes if needed. Under ‘Publisher whitelisting rules‘ you can modify existing rules, or add a new rule and customize the publisher for EXE, MSI (in the case of Windows machines), SCRIPT or All file types. You can also see the existing ‘File Types‘ that were selected.
  11. You can also see the ‘Path whitelisting rules‘ and the ‘Hash whitelisting rules‘ if any were created, and add new rule(s) if needed. The rule type can be ‘Publisher‘, ‘Path‘, or ‘Hash‘.
  12. Under the ‘Configured VMs/servers‘ section, you can see which servers are part of this group and will be affected by these settings.
  13. Finally, if there are any alerts correlated with this group, you can view them under the ‘Recent Alerts‘ section, or go back to the main Security alerts dashboard and view them from there.

Application violation

In this section, I want to show you what an application violation looks like in Azure Security Center.

Under the Security Center | Security alerts dashboard, I have two security alerts that were triggered by adaptive application controls, as shown in the figure below.

If I click on one of these alerts, ‘Adaptive application control policy violation was audited‘, I can see two servers running an app that violated the policy established by adaptive application controls.

When you click on the ‘Attacked Resource‘, you will see an explanation of this particular alert, including which application was executed. In this example, the ‘CERTWAC.EXE‘ application is not part of my whitelist, so this is a policy violation: the alert is triggered, and you can validate it here.

If you have already integrated Azure Security Center with Azure Monitor, you will also receive a notification through the action group that you specified. As shown below, I am using email notification. You can find more details on how to integrate Azure Security Center with Azure Monitor here.

Audit mode is a great opportunity to determine whether this is a genuinely malicious application that should be blocked, or a false positive, in which case you may need to change the policy and add the application to the whitelist. You have that option as well.

How it works…

Azure Security Center relies on a minimum of two weeks of data to create a baseline and populate unique recommendations per group of virtual machines. Security Center’s proprietary clustering algorithm creates groups of machines with similar application activity in order to produce the optimal application control recommendation. These groups are created automatically by Security Center; each group contains multiple servers, and the application whitelist is suggested for the group and applied to the group.

Keep in mind that when whitelisting is in audit mode, Azure Security Center generates a security alert every time the policy is violated. For example, if your whitelist only allows two applications to run and a third application is launched, it will still run because the policy is in audit mode, but a security alert will be generated.

I highly recommend enabling audit mode for all your VMs first and then enforcing as needed. In audit mode, applications will NOT be blocked.

Adaptive application controls updated

The adaptive application controls feature has received two significant updates in July 2020:

  • A new recommendation identifies potentially legitimate behavior that hasn’t previously been allowed. The new recommendation, Allowlist rules in your adaptive application control policy should be updated, prompts you to add new rules to the existing policy to reduce the number of false positives in adaptive application controls violation alerts.
  • Path rules now support wildcards (*). From this update, you can configure allowed path rules using wildcards. Two scenarios are supported:
    • A wildcard at the end of a path allows all executables within that folder and its sub-folders.
    • A wildcard in the middle of a path allows a known executable name under a changing folder name (e.g. personal user folders containing a known executable, automatically generated folder names, etc.).
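
As an added illustration (my own model, not Security Center’s or AppLocker’s code), the following script models the rule evaluation described in the Planning section, the audit-mode behavior from “How it works”, and the two wildcard scenarios above: a publisher rule is preferred for signed binaries, a full-path rule is the fallback for unsigned ones, a trailing wildcard covers a folder tree while a middle wildcard stands for one folder name, and in audit mode a violation still executes but raises the alert title shown in the dashboard. The Policy and Execution structures and the enforce-mode alert title are assumptions; the sample paths are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Execution:
    """One observed process start (constructed sample, not Security Center telemetry)."""
    path: str
    publisher: Optional[str] = None   # None means the binary is unsigned
    sha256: Optional[str] = None

@dataclass
class Policy:
    """Allow list of a configured group: publisher, path ('*' allowed) and hash rules."""
    publishers: list
    paths: list
    hashes: list
    audit_mode: bool = True           # audit: violations still run but raise an alert

def suggest_rule(exe: Execution) -> tuple:
    """Baseline rule Security Center prefers: publisher if signed, else the full path."""
    return ("publisher", exe.publisher) if exe.publisher else ("path", exe.path)

def path_rule_to_regex(rule: str):
    """A trailing '*' covers the folder and every sub-folder; a '*' in the
    middle stands for exactly one folder name (for example a user profile)."""
    parts = rule.split("*")
    pattern = re.escape(parts[0])
    for i, part in enumerate(parts[1:], start=1):
        trailing = part == "" and i == len(parts) - 1
        pattern += (".*" if trailing else r"[^\\]+") + re.escape(part)
    return re.compile("^" + pattern + "$", re.IGNORECASE)

def evaluate(policy: Policy, exe: Execution) -> dict:
    """Return whether the process ran and which alert, if any, was raised."""
    rule = None
    if exe.publisher and exe.publisher in policy.publishers:
        rule = ("publisher", exe.publisher)
    elif exe.sha256 and exe.sha256.lower() in [h.lower() for h in policy.hashes]:
        rule = ("hash", exe.sha256.lower())
    else:
        rule = next((("path", p) for p in policy.paths
                     if path_rule_to_regex(p).match(exe.path)), None)
    if rule:
        return {"executed": True, "alert": None, "rule": rule}
    if policy.audit_mode:   # alert title as shown in the article's Security alerts dashboard
        return {"executed": True, "rule": None,
                "alert": "Adaptive application control policy violation was audited"}
    return {"executed": False, "rule": None,   # enforce-mode title is an assumption
            "alert": "Adaptive application control policy violation was blocked"}
```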

Summary

Adaptive application control is an intelligent, automated, end-to-end solution from Azure Security Center which helps you control which applications can run on your Azure and non-Azure VMs (Windows and Linux). In the background, Azure Security Center uses machine learning to analyze the applications running on your VMs and creates an allowed list from this intelligence. Security Center uses a proprietary clustering algorithm to create groups of VMs, making sure that similar VMs get the optimal recommended application control policy.

In this article, you learned how to enable adaptive application controls in Azure Security Center to whitelist applications running in Azure and non-Azure VMs. How are you going to use adaptive application controls in your environment? You are welcome to share your thoughts in the comment section below.

Additional resources I highly encourage you to check:

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
