Azure Advanced Threat Protection

  • Author: Ronald Fung

  • Creation Date: May 10, 2023

  • Next Modified Date: May 10, 2024


A. Introduction

Advanced Threat Protection for Azure SQL Database, Azure SQL Managed Instance, Azure Synapse Analytics, SQL Server on Azure Virtual Machines and Azure Arc-enabled SQL Server detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases.

Advanced Threat Protection is part of the Microsoft Defender for SQL offering, which is a unified package for advanced SQL security capabilities. Advanced Threat Protection can be accessed and managed via the central Microsoft Defender for SQL portal.

Advanced Threat Protection provides a new layer of security, which enables customers to detect and respond to potential threats as they occur by providing security alerts on anomalous activities. Users receive an alert upon suspicious database activities, potential vulnerabilities, and SQL injection attacks, as well as anomalous database access and query patterns. Advanced Threat Protection integrates its alerts with Microsoft Defender for Cloud; each alert includes details of the suspicious activity and recommended actions for investigating and mitigating the threat. Advanced Threat Protection makes it simple to address potential threats to the database without the need to be a security expert or to manage advanced security monitoring systems.


B. How is it used at Seagen

As a biopharma research company using Microsoft Azure, Seagen can use Azure Advanced Threat Protection (Azure ATP) to detect and investigate advanced attacks in its network. Here are some ways to use Azure ATP:

  1. Threat detection: Azure ATP provides real-time detection of advanced attacks in your network, such as malicious users, compromised credentials, and lateral movement. It uses machine learning and behavioral analytics to detect suspicious activities and provide alerts to security teams.

  2. Investigation and response: Azure ATP provides tools to investigate and respond to security incidents. It provides a timeline of events, risk scores, and recommendations for remediation. It also integrates with other security solutions, such as Microsoft Defender for Endpoint and Azure Sentinel.

  3. Identity protection: Azure ATP provides identity protection features that can help you to secure your identities and credentials. It detects suspicious sign-in activities, risky user behaviors, and anomalies in authentication patterns.

  4. Cloud-based deployment: Azure ATP is deployed in the cloud, which can help you to reduce the cost and complexity of managing on-premises infrastructure. It integrates with on-premises Active Directory and Azure AD, and it can be used to monitor both cloud and on-premises environments.

  5. Secure score: Azure ATP provides a secure score that measures the security posture of your organization. It provides recommendations for improving security and tracks progress over time.

Overall, Azure ATP can help your biopharma research company to detect and investigate advanced attacks in your network. With threat detection, investigation and response, identity protection, cloud-based deployment, and secure score, Azure ATP can help you to improve your security posture and reduce the risk of security incidents.


C. Features

For a full investigation experience, it is recommended to enable auditing, which writes database events to an audit log in your Azure storage account. To enable auditing, see Auditing for Azure SQL Database and Azure Synapse or Auditing for Azure SQL Managed Instance.

Alerts

Advanced Threat Protection detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases. For a list of alerts, see the Alerts for SQL Database and Azure Synapse Analytics in Microsoft Defender for Cloud.
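The auditing and Advanced Threat Protection setup described above, as an added Azure PowerShell example that is not part of this page or of Microsoft's documentation. It assumes the Az.Sql and Az.Storage modules, an already authenticated session (Connect-AzAccount), and that the resource group, server, storage account and recipient address are placeholders to be replaced.

```powershell
# Added example: enable SQL auditing to a storage account and turn on
# Advanced Threat Protection (Microsoft Defender for SQL) for one Azure SQL
# logical server, then read both settings back to confirm the result.
# All resource names below are assumed placeholders.
$ResourceGroup   = 'rg-sql-placeholder'
$ServerName      = 'sqlsrv-placeholder'
$StorageAccount  = 'stauditplaceholder'
$AlertRecipients = @('secops@example.com')   # placeholder mailbox for alerts

# 1. Auditing: write database events to the storage account's audit log
#    and keep them for 90 days so an alert can be investigated later.
$storage = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
Set-AzSqlServerAudit -ResourceGroupName $ResourceGroup -ServerName $ServerName `
    -BlobStorageTargetState Enabled `
    -StorageAccountResourceId $storage.Id `
    -RetentionInDays 90

# 2. Advanced Threat Protection at server level; databases on the server
#    inherit it, so one call covers new databases as well.
Enable-AzSqlServerAdvancedThreatProtection -ResourceGroupName $ResourceGroup -ServerName $ServerName

# 3. Route alerts to the security team as well as the subscription admins.
#    An empty exclusion list keeps every detection type (including the
#    SQL injection and anomalous access alerts named above) switched on.
Set-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $ResourceGroup -ServerName $ServerName `
    -NotificationRecipientsEmails ($AlertRecipients -join ';') `
    -EmailAdmins $true `
    -ExcludedDetectionType @()

# 4. Verify: auditing should report BlobStorageTargetState = Enabled and the
#    ATP setting should show the recipients and no excluded detection types.
$audit = Get-AzSqlServerAudit -ResourceGroupName $ResourceGroup -ServerName $ServerName
$atp   = Get-AzSqlServerAdvancedThreatProtectionSetting -ResourceGroupName $ResourceGroup -ServerName $ServerName

$audit | Select-Object ServerName, BlobStorageTargetState, RetentionInDays | Format-List
$atp   | Format-List
```

Run it once per logical server; the same cmdlets with `-ResourceGroupName` and `-ServerName` taken from `Get-AzSqlServer` make a fleet-wide check.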


D. Where implemented

LeanIX


E. How it is tested

Testing Azure Advanced Threat Protection (ATP) involves ensuring that the security solution is functioning correctly and securely and that it meets the needs of all stakeholders involved in the project. Here are some steps to follow to test Azure ATP:

  1. Define the scope and requirements: Define the scope of the project and the requirements of all stakeholders involved in the project. This will help ensure that Azure ATP is designed to meet the needs of all stakeholders.

  2. Develop test cases: Develop test cases that cover all aspects of Azure ATP functionality, including threat detection, alerting, and reporting. The test cases should be designed to meet the needs of the organization, including scalability and resilience.

  3. Conduct unit testing: Test the individual components of Azure ATP to ensure that they are functioning correctly. This may involve using tools like PowerShell or Azure CLI for automated testing.

  4. Conduct integration testing: Test Azure ATP in an integrated environment to ensure that it works correctly with other systems and applications. This may involve testing Azure ATP with different operating systems, browsers, and devices.

  5. Conduct user acceptance testing: Test Azure ATP with end-users to ensure that it meets their needs and is easy to use. This may involve conducting surveys, interviews, or focus groups to gather feedback from users.

  6. Automate testing: Automate testing of Azure ATP to ensure that it is functioning correctly and meeting the needs of all stakeholders. This may involve using tools like Azure DevOps to set up automated testing pipelines.

  7. Monitor performance: Monitor the performance of Azure ATP in production to ensure that it is meeting the needs of all stakeholders. This may involve setting up monitoring tools, such as Azure Monitor, to track usage and identify performance issues.

  8. Address issues: Address any issues that are identified during testing and make necessary changes to ensure that Azure ATP is functioning correctly and meeting the needs of all stakeholders.

By following these steps, you can ensure that Azure ATP is tested thoroughly and meets the needs of all stakeholders involved in the project. This can help improve the quality of Azure ATP and ensure that it functions correctly in a production environment.


F. 2023 Roadmap

????


G. 2024 Roadmap

????


H. Known Issues

There are several known issues that can impact Azure Advanced Threat Protection. Here are some of the most common issues to be aware of:

  1. Configuration issues: Configuration issues can arise when setting up Azure ATP. It is important to ensure that all configurations are set up correctly to avoid issues with threat detection, alerting, and reporting.

  2. Performance issues: If the system is not properly sized, it can impact performance and availability, causing issues with threat detection and response.

  3. Integration issues: Integration issues can arise when integrating Azure ATP with other systems and applications. It is important to ensure that Azure ATP is designed to work seamlessly with other systems and applications to avoid integration issues.

  4. Security issues: Security is a critical concern when it comes to Azure ATP. It is important to ensure that all data is encrypted in transit and at rest, and that access to Azure ATP is restricted to authorized personnel.

  5. False positive alerts: False positive alerts can cause confusion and lead to wasted time investigating non-existent threats. It is important to fine-tune Azure ATP’s alerting system to reduce false positives as much as possible.

  6. Noise reduction issues: In some cases, Azure ATP may generate too many alerts or too much data, which can make it difficult to identify real threats. It is important to configure Azure ATP’s noise reduction features to ensure that only relevant data is presented to security personnel.

  7. Reliability issues: Reliability issues can arise when Azure ATP is not functioning correctly or when the system experiences downtime. It is important to monitor Azure ATP’s performance and reliability to ensure that it is meeting the needs of the organization.

Overall, Azure Advanced Threat Protection requires careful planning and management to ensure that it is functioning correctly and meeting the needs of all stakeholders involved in the project. By being aware of these known issues and taking steps to address them, you can improve the quality of Azure ATP and ensure the success of your project.


[x] Reviewed by Enterprise Architecture

[x] Reviewed by Application Development

[x] Reviewed by Data Architecture