4.4 Cloud Security Posture Management (CSPM)

14-18 hours · Module 4

SC-200 Exam Objective

Domain 1 — Manage a SOC Environment: "Discover unprotected resources by using Defender for Cloud." "Mitigate risk by using Exposure Management in Microsoft Defender XDR." CSPM is the proactive posture assessment that identifies risk before attackers exploit it.

Introduction

CWP detects attacks in progress. CSPM prevents the conditions that enable attacks. A virtual machine with a public IP, no network security group, and an unpatched Apache vulnerability is not currently being attacked — but it is one internet scan away from compromise. CSPM finds this configuration, scores it as high severity, and tells you exactly how to fix it before an attacker arrives.

CSPM is not a security alert — it is a security recommendation. The distinction matters for SOC workflow: alerts are reactive (something happened, investigate it). Recommendations are proactive (something is wrong, fix it before something happens). Both are essential. This subsection teaches you to work with CSPM’s primary tools: Secure Score, security recommendations, attack path analysis, and governance rules.


Secure Score: understanding your cloud security posture

The Secure Score is a percentage that represents how many of Defender for Cloud’s security recommendations are implemented in your environment. A score of 70% means 70% of applicable recommendations are satisfied, and 30% are not. Each unimplemented recommendation represents a misconfiguration or missing security control.

SECURE SCORE — COMPOSITION AND IMPROVEMENT

Category            Controls                     Points
Identity & Access   MFA, RBAC, PIM               22/30
Network             NSGs, firewall, private EP   15/25
Compute             OS updates, EP, encryption    8/20
Data                Encryption, access           12/15
Apps                Web app security              8/10
Overall                                          65/100 = 65%
Figure 4.5: Secure Score composition by category. Each category represents a group of related security controls. The Compute category (8/20) has the most room for improvement — focusing remediation here has the highest impact on the overall score. The breakdown helps you prioritise: fix the category with the largest gap first.

Secure Score calculation assigns points to each recommendation based on the number of affected resources and the recommendation’s weight. A recommendation that affects 50 VMs contributes more potential points than one affecting 2 VMs. The score is the sum of all earned points divided by the sum of all possible points.

How to improve Secure Score: Navigate to Recommendations, sort by “Potential score increase” (highest first), and address the top recommendations. Each recommendation shows exactly which resources are affected, the remediation steps, and the score impact. The top 5 recommendations typically account for 30-40% of the score gap — fixing them provides the largest improvement for the least effort.
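To make the calculation concrete, here is a small Python model of the scoring described above. It is an added example written for this subsection, not Microsoft's scoring code. It assumes that each recommendation earns its weight in proportion to the share of its resources that already comply, that a recommendation with no matching resources is left out of the calculation, and it uses constructed recommendation titles and resource counts chosen so that the category totals reproduce Figure 4.5. The names Recommendation, secure_score, score_by_category and top_by_potential_increase are the example's own.

```python
"""Simplified Secure Score model (added example, not Microsoft's code).

Each recommendation has a weight (its maximum points) and earns points in
proportion to the share of its resources that comply; the score is earned
points divided by possible points. The sample recommendations are
constructed so that the category totals match Figure 4.5 (Identity 22/30,
Network 15/25, Compute 8/20, Data 12/15, Apps 8/10); the per-recommendation
split and the titles are invented for illustration.
"""
from dataclasses import dataclass


@dataclass
class Recommendation:
    title: str
    category: str
    weight: int      # maximum points the recommendation can contribute
    total: int       # resources the recommendation applies to
    unhealthy: int   # resources that do not comply

    @property
    def applicable(self) -> bool:
        # A recommendation with no matching resources is left out of the
        # calculation entirely (assumption made for this model).
        return self.total > 0

    @property
    def earned(self) -> float:
        healthy = self.total - self.unhealthy
        return self.weight * healthy / self.total if self.applicable else 0.0

    @property
    def potential_increase(self) -> float:
        return self.weight - self.earned if self.applicable else 0.0


def secure_score(recs):
    """Return (earned, possible, percentage) over applicable recommendations."""
    applicable = [r for r in recs if r.applicable]
    earned = sum(r.earned for r in applicable)
    possible = sum(r.weight for r in applicable)
    return earned, possible, (100 * earned / possible if possible else 0.0)


def score_by_category(recs):
    """Map category -> (earned, possible): the breakdown shown in Figure 4.5."""
    out = {}
    for r in recs:
        if not r.applicable:
            continue
        e, p = out.get(r.category, (0.0, 0))
        out[r.category] = (e + r.earned, p + r.weight)
    return out


def top_by_potential_increase(recs, n=5):
    """The 'sort by potential score increase' view of the Recommendations page."""
    return sorted(recs, key=lambda r: r.potential_increase, reverse=True)[:n]


def sample_recommendations():
    """Constructed data: (title, category, weight, total resources, unhealthy)."""
    rows = [
        ("MFA should be enabled on accounts with owner permissions", "Identity & Access", 10, 20, 0),
        ("RBAC should be used to manage access", "Identity & Access", 10, 40, 8),
        ("Privileged roles should be activated through PIM", "Identity & Access", 10, 10, 6),
        ("Internet-facing VMs should be protected with NSGs", "Network", 10, 50, 25),
        ("Subnets should be protected by a firewall", "Network", 10, 10, 2),
        ("Storage accounts should use private endpoints", "Network", 5, 20, 12),
        ("System updates should be installed on machines", "Compute", 6, 60, 20),
        ("Endpoint protection should be installed on machines", "Compute", 10, 60, 42),
        ("VM disks should be encrypted", "Compute", 4, 60, 45),
        ("Storage accounts should encrypt data at rest", "Data", 10, 30, 0),
        ("Storage accounts should restrict public access", "Data", 5, 30, 18),
        ("Web apps should only be accessible over HTTPS", "Apps", 10, 25, 5),
        ("Kubernetes clusters should have audit logging", "Compute", 8, 0, 0),  # no clusters: not applicable
    ]
    return [Recommendation(*row) for row in rows]


if __name__ == "__main__":
    recs = sample_recommendations()
    earned, possible, pct = secure_score(recs)
    print(f"Secure Score: {earned:.0f}/{possible} = {pct:.0f}%")
    for cat, (e, p) in score_by_category(recs).items():
        print(f"  {cat:<18} {e:>4.0f}/{p}")
    print("Top 3 by potential score increase:")
    for r in top_by_potential_increase(recs, 3):
        print(f"  +{r.potential_increase:.0f}  {r.title}")
```

Running it prints the 65% overall score, the same category split as the figure, and endpoint protection on VMs (42 of 60 machines unhealthy) at the top of the potential-increase list, which is why the text tells you to start with the Compute category.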

Score trending matters more than the absolute number. A score that improves from 55% to 70% over three months demonstrates measurable security improvement to management. A score that declines from 70% to 60% indicates new resources are being deployed without proper security controls. Track the trend in monthly security reports (Module 3.9 cross-product investigation methodology).


Security recommendations: the actionable output

Security recommendations are Defender for Cloud’s primary output. Each recommendation is a specific finding with a specific fix.

Recommendation anatomy: Every recommendation includes a title (“Machines should have a vulnerability assessment solution”), a severity (High, Medium, Low), the affected resources (list of specific VMs, storage accounts, or other resources that do not comply), the remediation steps (specific configuration changes to implement), the related security control (which Secure Score category it contributes to), and the compliance standards it maps to (CIS, NIST, PCI DSS).

Remediation workflow:

Review the recommendation. Understand what the finding is and why it matters. A “High severity” recommendation for “Virtual machines should have endpoint protection” means VMs without antivirus — a direct attack vector.

Check the affected resources. Are these production or development resources? Production resources need immediate remediation. Development resources may be acceptable risk depending on your policy.

Apply the fix. Many recommendations include a “Fix” button that applies the remediation automatically (enabling an Azure Policy, deploying an extension, changing a configuration). For complex remediations, the steps are documented in the recommendation detail.

Verify the fix. After remediation, the next CSPM evaluation cycle (typically within 24 hours) marks the resource as compliant and updates the Secure Score.

Exempt vs dismiss. If a recommendation does not apply to a specific resource (a test VM that intentionally lacks endpoint protection, a storage account that must allow public access for a CDN), you can exempt the resource from the recommendation. Exemption removes the resource from the Secure Score calculation with a documented justification. Dismissal hides the recommendation entirely — use this only for recommendations that are categorically inapplicable to your environment, not for individual resource exceptions.

// Top security recommendations by affected resource count
SecurityRecommendation
| where TimeGenerated > ago(1d)
| extend Severity = tostring(Properties.severity)
| extend ResourceCount = toint(Properties.resourceDetails.ResourceCount)
| extend Description = tostring(Properties.displayName)
| where Severity in ("High", "Medium")
| summarize TotalAffected = sum(ResourceCount) by Description, Severity
| order by TotalAffected desc
| take 10

Attack path analysis: finding exploitation chains

Attack path analysis is Defender CSPM’s most powerful capability. It uses the Security Graph (subsection 4.1) to discover paths that an attacker could follow from an internet-facing entry point to a sensitive data store.

How attack paths are discovered: Defender CSPM traverses the Security Graph looking for chains of weaknesses. Each link in the chain is a finding: an internet-exposed VM (entry point), a known vulnerability on that VM (exploitation opportunity), network access from the VM to a database server (lateral movement path), and weak authentication on the database (data access). The chain represents a viable attack scenario — not a theoretical risk, but a concrete path an attacker could follow.

Interpreting attack paths: Each path shows the entry point (how the attacker gets in), the intermediate nodes (how they move through your environment), and the target (what they reach). The path also shows which link is easiest to break — removing the vulnerability on the entry-point VM eliminates the entire path, while restricting network access between the VM and database eliminates the lateral movement step.

Example Attack Path

Step        Resource                     Weakness                              Fix
1. Entry    web-prod-01 (VM)             Public IP + CVE-2024-21410            Patch the CVE
2. Pivot    web-prod-01 → db-prod-01     NSG allows all internal traffic       Restrict to port 1433 only
3. Access   db-prod-01 (SQL)             SQL auth enabled, weak password       Disable SQL auth, use Entra ID
4. Target   Customer database            Contains PII, no encryption at rest   Enable TDE

Breaking the chain: Any single fix eliminates this attack path. Patching the CVE (step 1) is the fastest fix. Restricting the NSG (step 2) prevents lateral movement even if the VM is compromised. Disabling SQL auth (step 3) prevents database access even if the attacker reaches the server. Enabling encryption (step 4) protects the data even if all other controls fail. Defense in depth means fixing multiple links — but if you can only fix one this week, patch the CVE.

Prioritising attack paths: Not all paths are equally dangerous. Paths that reach sensitive data (databases containing PII, key vaults containing secrets) are higher priority than paths that reach non-sensitive resources. Paths from internet-facing entry points are higher priority than paths requiring internal access. Paths with known exploitable vulnerabilities (CVEs with public exploit code) are higher priority than paths requiring misconfigurations that are difficult to exploit.
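The following Python script is an added example (not Defender CSPM's code) that works through the discovery, interpretation and prioritisation reasoning above on a small constructed security graph. Every node and edge on a path is a finding with a fix; paths run from an entry point that has an exploitation opportunity to a data store; each path is scored with the three criteria from the prioritisation paragraph (sensitive target, internet-facing entry, known exploitable vulnerability); and break_the_chain counts, for every fix, how many paths it would eliminate. The resource names, weaknesses, fixes and the "exploitable" flag are constructed sample data; only the CVE id is taken from the example table above.

```python
"""Attack path enumeration over a small security graph.

Added example, not Defender CSPM's implementation. Every node and edge on a
path is a finding; a path runs from an exploitable entry point to a data
store; paths are ranked by target sensitivity, internet exposure and known
exploitability; break_the_chain shows which single fix removes the most
paths. Names, weaknesses and fixes are constructed sample data (the CVE id
is the one the text uses; its exploitable flag is constructed too).
"""
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Weakness:
    description: str
    fix: str
    exploitable: bool = False   # known public exploit code


@dataclass
class Node:
    name: str
    entry_point: bool = False      # a place an attacker could start from
    internet_exposed: bool = False
    data_store: bool = False
    sensitive: bool = False        # tagged by data-aware posture
    weakness: Optional[Weakness] = None


# Edges are (src, dst, Weakness): the misconfiguration that allows the hop.
AttackPath = namedtuple("AttackPath", "nodes links score")   # links: findings in path order


def find_attack_paths(nodes: List[Node], edges) -> List[AttackPath]:
    """Enumerate simple paths entry -> ... -> data store where every hop is a finding."""
    by_name = {n.name: n for n in nodes}
    out = {}
    for src, dst, w in edges:
        out.setdefault(src, []).append((dst, w))
    paths = []

    def walk(current, path, links):
        if by_name[current].data_store:
            entry, target = by_name[path[0]], by_name[current]
            s = (3 if target.sensitive else 0) + (2 if entry.internet_exposed else 0)
            paths.append(AttackPath(path, links, s + int(any(w.exploitable for w in links))))
            return
        for dst, w in out.get(current, []):
            nxt = by_name[dst]
            if dst in path or nxt.weakness is None:
                continue   # loop, or no exploitation opportunity on the next hop
            walk(dst, path + [dst], links + [w, nxt.weakness])

    for n in nodes:
        if n.entry_point and n.weakness is not None:
            walk(n.name, [n.name], [n.weakness])
    return sorted(paths, key=lambda p: p.score, reverse=True)


def break_the_chain(paths: List[AttackPath]):
    """For each fix: (paths it eliminates, their combined score), best first."""
    impact = {}
    for p in paths:
        for fix in {w.fix for w in p.links}:
            count, risk = impact.get(fix, (0, 0))
            impact[fix] = (count + 1, risk + p.score)
    return sorted(impact.items(), key=lambda kv: kv[1], reverse=True)


def apply_fix(nodes: List[Node], edges, fix: str):
    """Return a copy of the graph with the weakness behind `fix` remediated."""
    new_nodes = [Node(n.name, n.entry_point, n.internet_exposed, n.data_store, n.sensitive,
                      None if n.weakness and n.weakness.fix == fix else n.weakness)
                 for n in nodes]
    return new_nodes, [e for e in edges if e[2].fix != fix]


def sample_graph():
    """Constructed graph: the text's example path plus two more."""
    W = Weakness
    cve = W("Public IP + CVE-2024-21410", "Patch CVE-2024-21410", exploitable=True)
    nsg = W("NSG allows all internal traffic", "Restrict NSG to port 1433 only")
    nodes = [
        Node("web-prod-01", entry_point=True, internet_exposed=True, weakness=cve),
        Node("jump-01", entry_point=True, weakness=W("Missing OS updates", "Install system updates")),
        Node("db-prod-01", weakness=W("SQL auth enabled, weak password", "Disable SQL auth, use Entra ID")),
        Node("customer-db", data_store=True, sensitive=True, weakness=W("PII, no encryption at rest", "Enable TDE")),
        Node("file-share-01", data_store=True, sensitive=True, weakness=W("Share readable by everyone", "Restrict share ACL")),
        Node("marketing-blob", data_store=True, weakness=W("Anonymous blob access", "Disable anonymous access")),
    ]
    edges = [
        ("web-prod-01", "db-prod-01", nsg),
        ("jump-01", "db-prod-01", nsg),
        ("db-prod-01", "customer-db", W("Login is db_owner on customer-db", "Grant least-privilege role")),
        ("web-prod-01", "file-share-01", W("No segmentation to file tier", "Add NSG between tiers")),
        ("web-prod-01", "marketing-blob", W("Identity can read all blobs", "Scope identity to container")),
    ]
    return nodes, edges
```

With the sample graph, the two paths from the internet-facing web server to PII score highest, the internal path from the jump host and the path to the marketing blob score lower, and patching the CVE is the single fix that removes the most paths (three of four); re-running find_attack_paths on apply_fix(..., "Patch CVE-2024-21410") leaves only the internal path, which is the "break the chain" outcome the text describes.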


Governance rules: automating remediation ownership

Governance rules automate the assignment of security recommendations to resource owners. When a new recommendation is created for a resource, the governance rule assigns it to the owner with a deadline and notification.

How governance rules work: You define a rule with conditions (recommendation severity = High, resource type = Virtual Machine, subscription = Production) and actions (assign to the resource owner, set a remediation deadline of 14 days, send email notification). When a new recommendation matches the conditions, the assignment happens automatically. The resource owner sees the recommendation in their Defender for Cloud view with the deadline.

Governance dashboard: tracks remediation progress, that is, how many recommendations are assigned, how many are overdue, and how many are completed. This dashboard provides the metrics you report to management: “87 high-severity recommendations were assigned this month, 72 were remediated on time, 12 are in progress, 3 are overdue.”

Governance rules are configured in Defender for Cloud → Environment settings → Governance rules. They require Defender CSPM (the paid tier) — Foundational CSPM does not include governance.
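The rule matching and the dashboard arithmetic described above, as an added Python example (not Defender for Cloud's governance engine). It assumes a rule is a set of field conditions plus a remediation window in days, that the assignee comes from a resource owner tag, that rules are evaluated most-specific first, and that a regression simply reopens the finding so the next assignment pass picks it up again. Recommendations, owners, dates and the TODAY constant are constructed sample data.

```python
"""Governance rule matching and dashboard metrics.

Added example, not Defender for Cloud's governance engine. A rule has
conditions (severity, resource type, subscription) and actions (assign to
the resource owner, deadline N days after creation, notify); unassigned
recommendations that match a rule are assigned automatically; the dashboard
counts assigned, remediated on time, remediated late, in progress and
overdue. reopen() models the regression case where a fixed resource drifts
back to non-compliant. All recommendations, owners and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

TODAY = date(2025, 3, 31)   # fixed 'now' so the sample is reproducible


@dataclass
class Recommendation:
    rec_id: str
    severity: str
    resource_type: str
    subscription: str
    resource_owner: str        # taken from the resource's owner tag (assumption)
    created: date
    owner: Optional[str] = None
    deadline: Optional[date] = None
    remediated: Optional[date] = None


@dataclass
class GovernanceRule:
    name: str
    conditions: Dict[str, str]   # Recommendation field -> required value
    remediation_days: int
    notify: bool = True

    def matches(self, rec: Recommendation) -> bool:
        return all(getattr(rec, k) == v for k, v in self.conditions.items())


def assign(recs: List[Recommendation], rules: List[GovernanceRule]) -> List[str]:
    """Apply the first matching rule to each unassigned recommendation; return notifications."""
    notifications = []
    for rec in recs:
        if rec.owner is not None:
            continue                      # already assigned: keep the existing deadline
        for rule in rules:
            if rule.matches(rec):
                rec.owner = rec.resource_owner
                rec.deadline = rec.created + timedelta(days=rule.remediation_days)
                if rule.notify:
                    notifications.append(f"{rec.owner}: {rec.rec_id} due {rec.deadline} ({rule.name})")
                break
    return notifications


def reopen(rec: Recommendation, today: date) -> None:
    """Regression: the resource is non-compliant again, so the finding restarts unassigned."""
    rec.created, rec.owner, rec.deadline, rec.remediated = today, None, None, None


def dashboard(recs: List[Recommendation], today: date) -> Dict[str, int]:
    """The governance dashboard numbers reported to management."""
    counts = dict(unassigned=0, assigned=0, on_time=0, late=0, in_progress=0, overdue=0)
    for rec in recs:
        if rec.owner is None:
            counts["unassigned"] += 1
            continue
        counts["assigned"] += 1
        if rec.remediated is not None:
            counts["on_time" if rec.remediated <= rec.deadline else "late"] += 1
        elif rec.deadline < today:
            counts["overdue"] += 1
        else:
            counts["in_progress"] += 1
    return counts


def sample_rules() -> List[GovernanceRule]:
    """Rules are evaluated in order, most specific first."""
    return [
        GovernanceRule("High VM findings in Production",
                       {"severity": "High", "resource_type": "VirtualMachine",
                        "subscription": "Production"}, remediation_days=14),
        GovernanceRule("Other High findings", {"severity": "High"}, remediation_days=30),
        GovernanceRule("Medium findings", {"severity": "Medium"}, remediation_days=60),
    ]


def sample_recommendations() -> List[Recommendation]:
    R = Recommendation
    return [
        R("rec-1", "High", "VirtualMachine", "Production", "web-team", date(2025, 3, 1), remediated=date(2025, 3, 10)),
        R("rec-2", "High", "VirtualMachine", "Production", "web-team", date(2025, 3, 10)),
        R("rec-3", "High", "StorageAccount", "Production", "data-team", date(2025, 3, 20)),
        R("rec-4", "Medium", "VirtualMachine", "Development", "dev-team", date(2025, 1, 1), remediated=date(2025, 3, 20)),
        R("rec-5", "Low", "StorageAccount", "Development", "dev-team", date(2025, 3, 25)),
    ]


if __name__ == "__main__":
    recs, rules = sample_recommendations(), sample_rules()
    for line in assign(recs, rules):
        print("notify", line)
    print(dashboard(recs, TODAY))
```

The Low-severity finding matches no rule and stays unassigned, which is the "sits unassigned until someone manually triages it" case; the rule order matters because rec-2 would otherwise get the 30-day window instead of the 14-day one.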


CSPM operational workflow for SOC teams

CSPM is not a one-time assessment. It is a continuous process that requires regular attention from the SOC and infrastructure teams.

Daily: Review any new high-severity recommendations that appeared overnight (new resources deployed without proper controls, newly disclosed CVEs affecting existing resources). Check attack paths for new paths involving critical assets.

Weekly: Review the Secure Score trend. Is it improving? If declining, identify which new resources or new recommendations are driving the decline. Review governance dashboard for overdue remediation tasks.

Monthly: Generate a posture report showing score trends, recommendation completion rates, attack path remediation progress, and compliance status. Present to security leadership as evidence of posture improvement.

Quarterly: Review and update exemptions. Are resources that were exempted 6 months ago still legitimately exempt, or has the business context changed? Review governance rule effectiveness: are assignments being completed on time?


Data-aware security posture (Defender CSPM)

Standard CSPM treats all resources equally — a storage account containing public marketing images gets the same assessment as a storage account containing customer PII. Data-aware security posture (a Defender CSPM feature) identifies which resources actually contain sensitive data and prioritises their protection.

The data-aware scanner analyses the content of storage accounts, SQL databases, and other data stores to identify sensitive data types (credit card numbers, personal identification numbers, healthcare records, financial data). When sensitive data is found, the resource is tagged in the Security Graph, and attack paths leading to that resource are elevated in priority.

This changes the investigation and remediation calculus. An attack path to a storage account with public marketing images is low priority. An attack path to a storage account containing 50,000 customer records with PII is critical. Data-aware posture makes this distinction automatically.

// Data-aware security posture: resources containing sensitive data
SecurityRecommendation
| where TimeGenerated > ago(1d)
| where RecommendationDisplayName has "sensitive data"
    or Properties has "sensitiveData"
| extend ResourceName = tostring(Properties.resourceDetails.ResourceName)
| extend DataTypes = tostring(Properties.additionalData.sensitiveDataTypes)
| project TimeGenerated, ResourceName, DataTypes,
    RecommendationDisplayName
| order by TimeGenerated desc
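The KQL query above reads the scanner's verdicts; the added Python example below shows the kind of classification that produces them. It is written for this subsection, not the Defender CSPM scanner: it assumes three sample data types (card numbers validated with the Luhn checksum so that a random 16-digit identifier is not counted, email addresses, and US SSN-style national identifiers), and a rule that a store is "sensitive" when it contains card or national-id data. The resource names and their contents, including the card numbers, are constructed.

```python
"""Sensitive-data classification over sample content.

Added example, not the Defender CSPM data-aware scanner. A pattern match
alone produces false positives (build ids, timestamps), so card candidates
are validated with the Luhn checksum before they count. The resources and
their contents are constructed; the card numbers are well-known test values.
"""
import re
from collections import Counter
from typing import Dict

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")       # 13-16 digits, optional separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
NATIONAL_ID_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US SSN layout (sample type only)
HIGH_SENSITIVITY = {"credit_card", "national_id"}       # types that make a store 'sensitive'


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for well-formed card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Counter:
    """Count the sensitive data types found in one blob, table or file."""
    found = Counter()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):            # pattern alone is not enough: validate the checksum
            found["credit_card"] += 1
    found["email"] += len(EMAIL_RE.findall(text))
    found["national_id"] += len(NATIONAL_ID_RE.findall(text))
    return +found                      # drop zero counts


def scan_resources(resources: Dict[str, str]):
    """Per resource: data types found and whether the store should be tagged sensitive."""
    report = {}
    for name, content in resources.items():
        types = classify(content)
        report[name] = {"types": dict(types),
                        "sensitive": any(t in HIGH_SENSITIVITY for t in types)}
    return report


def sample_resources() -> Dict[str, str]:
    """Constructed contents of three storage resources."""
    return {
        "marketing-images": "Spring campaign banner. Contact marketing@example.com for assets.",
        "customer-exports": (
            "id,name,email,card,national_id\n"
            "1,Ana,ana@example.com,4111 1111 1111 1111,123-45-6789\n"
            "2,Ben,ben@example.com,5500 0000 0000 0004,\n"
            "3,Cy,cy@example.com,1234567890123456,\n"      # fails Luhn: not a card number
        ),
        "build-logs": "build 1234567890123456 completed in 42s; artifact size 20481234 bytes",
    }


if __name__ == "__main__":
    for name, verdict in scan_resources(sample_resources()).items():
        print(f"{name:<18} sensitive={verdict['sensitive']!s:<5} {verdict['types']}")
```

The marketing store contains an email address but is not tagged sensitive, the build log's 16-digit build id is rejected by the checksum, and only the customer export is flagged, which is the distinction that raises the priority of attack paths reaching it.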

Agentless scanning: visibility without deployment

Defender CSPM includes agentless scanning for VMs — it analyses VM disk snapshots to discover installed software, vulnerabilities, and secrets without installing any agent on the VM. This provides three advantages over agent-based scanning.

First, coverage without deployment — agentless scanning covers VMs that do not have agents installed (because auto-provisioning failed, the VM owner removed the agent, or the VM is in a subscription without Defender for Servers). This eliminates the “we cannot scan what we cannot reach” problem.

Second, secrets detection — agentless scanning identifies plaintext secrets stored on VM disks: hardcoded passwords in configuration files, private keys in home directories, API tokens in application settings, and database connection strings in application code. These secrets represent credential exposure risk — an attacker who gains access to the VM can read these secrets and use them to access other resources.

Third, software inventory without runtime impact — the scan analyses a disk snapshot, not the running VM. There is no performance impact, no agent to maintain, and no compatibility concerns. The scan runs periodically (typically every 12-24 hours) and updates the vulnerability and software inventory in Defender for Cloud.

The trade-off: Agentless scanning provides inventory and vulnerability data but not runtime threat detection. It tells you what is installed on the VM and what CVEs affect it, but it does not detect active attacks. For complete protection, use both: agentless scanning for posture assessment, agent-based (MDE) for runtime detection.
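To show what the secrets-detection advantage looks like in practice, here is an added Python example (not Defender for Cloud's agentless scanner) that walks a directory tree standing in for a mounted disk snapshot and looks for the four secret classes listed above. It assumes a small set of regular expressions for each class, skips templated values such as ${DB_PASSWORD} so that configuration templates are not reported as exposures, and redacts the matched value in its output so the report does not itself become a second copy of the secret. The file paths and contents are constructed and written to a temporary directory; every "secret" in them is fake.

```python
"""Secrets scan of a constructed disk-snapshot directory.

Added example, not Defender for Cloud's agentless scanner. It walks a tree
standing in for a mounted VM disk snapshot, matches passwords in config
files, private keys in home directories, API tokens in app settings and
connection strings in code, skips placeholder values, and reports file,
line and secret class with the value redacted. The files are constructed.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List

# Checked in order; the first class that matches a line wins, so a connection
# string is not also counted as a bare password assignment.
PATTERNS = [
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("connection_string", re.compile(
        r"(?i)(?:Server|Data Source)=[^;\n]+;.*?(?:Password|Pwd)=([^;\n\"']+)")),
    ("password_assignment", re.compile(
        r"(?i)\b(?:password|passwd|db_pass)[\"']?\s*[:=]\s*[\"']?([^\s\"']{4,})")),
    ("api_token", re.compile(
        r"(?i)\b(?:api[_-]?key|token)[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9_\-]{16,})")),
]
PLACEHOLDER = re.compile(r"^(?:\$\{|\{\{|<|%)")   # ${VAR}, {{ var }}, <value>, %VAR%
MAX_FILE_BYTES = 1_000_000                        # skip large/binary artefacts (assumption)


@dataclass(frozen=True)
class Finding:
    path: str       # relative to the snapshot root
    line: int
    kind: str
    redacted: str   # first two characters of the value, never the whole secret


def _redact(match) -> str:
    value = match.group(1) if match.groups() else ""
    return (value[:2] + "***") if value else "<key material>"


def scan_file(full_path: str, root: str) -> List[Finding]:
    rel = os.path.relpath(full_path, root).replace(os.sep, "/")
    findings = []
    with open(full_path, "r", encoding="utf-8", errors="ignore") as fh:
        for lineno, line in enumerate(fh, start=1):
            for kind, rx in PATTERNS:
                m = rx.search(line)
                if m is None:
                    continue
                if m.groups() and PLACEHOLDER.match(m.group(1)):
                    break   # templated value, not a real secret
                findings.append(Finding(rel, lineno, kind, _redact(m)))
                break
    return findings


def scan_snapshot(root: str) -> List[Finding]:
    """Walk the snapshot and return findings sorted by path and line."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > MAX_FILE_BYTES:
                continue
            findings.extend(scan_file(full, root))
    return sorted(findings, key=lambda f: (f.path, f.line))


SAMPLE_FILES = {   # constructed contents; every secret here is fake
    "etc/app/app.conf": "db_host = 10.0.0.5\ndb_pass = Hunter2Hunter2\n",
    "home/deploy/.ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nQUJDREVGR0hJSktMTU5PUA==\n"
                               "-----END OPENSSH PRIVATE KEY-----\n",
    "opt/app/appsettings.json": '{\n  "ApiKey": "sk_constructed_0123456789abcdef",\n'
                                '  "ConnectionStrings": {\n    "Default": "Server=db-prod-01;'
                                'Database=customers;User Id=app;Password=P@ssw0rd-sample;"\n  }\n}\n',
    "opt/app/config.yml": "database:\n  password: ${DB_PASSWORD}\n",
    "var/log/app.log": "2025-03-31 INFO user login ok\n2025-03-31 INFO token refreshed\n",
}


def build_sample_snapshot() -> str:
    """Create the sample tree in a temp directory and return its root."""
    root = tempfile.mkdtemp(prefix="snapshot-")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_snapshot(build_sample_snapshot()):
        print(f"{f.path}:{f.line} {f.kind} value={f.redacted}")
```

Four findings come back (a config-file password, an SSH private key, an API key and a connection string); the YAML template with ${DB_PASSWORD} and the log file produce none, and no finding carries the full secret value.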


Recommendation lifecycle: from discovery to closure

Understanding the full lifecycle of a recommendation helps you manage CSPM operationally.

Discovery: A CSPM evaluation runs (triggered by resource deployment, configuration change, or scheduled assessment) and identifies a non-compliant resource. The recommendation is created with severity, affected resources, and remediation steps.

Assignment (with governance): If governance rules are configured, the recommendation is automatically assigned to the resource owner with a deadline and notification. Without governance, the recommendation sits unassigned until someone manually triages it.

Remediation: The resource owner (or SOC team, for security-critical recommendations) implements the fix. Many recommendations include a “Fix” button that applies the change automatically via Azure Policy remediation.

Verification: The next CSPM evaluation (within 24 hours) verifies the fix. If the resource is now compliant, the recommendation is resolved and the Secure Score improves.

Regression: If a previously compliant resource becomes non-compliant (someone changed a configuration, a new CVE is disclosed), the recommendation reappears. Governance rules re-assign it automatically. This continuous monitoring prevents configuration drift — a resource that was secure last month must remain secure this month.

Try it yourself

Navigate to Defender for Cloud → Recommendations in the Azure portal. Sort by "Potential score increase" (highest first). Review the top 3 recommendations: what resources are affected, what is the fix, and how many Secure Score points would you gain? Then navigate to Attack paths (requires Defender CSPM). If paths exist, click into one and trace the chain from entry point to target. Identify which link you would break to eliminate the path.

What you should observe

The Recommendations page shows all active findings sorted by impact. Each recommendation includes a "View affected resources" link showing the specific resources that need remediation. The top recommendations often involve endpoint protection on VMs, encryption settings on storage, and network access controls. Attack paths (if available) show visual chain diagrams — click each node to see the specific weakness and the remediation step.


Knowledge check

Check your understanding

1. Your Secure Score dropped from 72% to 65% this week. No existing resources were changed. What is the most likely cause?

Answer: New resources were deployed without proper security controls. When new VMs, storage accounts, or other resources are created in the subscription, Defender for Cloud evaluates them against all applicable recommendations. If they do not comply (no endpoint protection, no encryption, public access enabled), new recommendations are created — increasing the denominator of the Secure Score calculation and decreasing the percentage. The fix: implement governance rules that automatically assign new resource recommendations to the deploying team.

Other options (incorrect):
Defender for Cloud is misconfigured
The scoring algorithm was changed by Microsoft
Someone disabled a Defender plan

2. An attack path shows: Internet → VM with public IP and CVE-2024-21410 → lateral movement to SQL server → customer database with PII. You can only fix one link this week. Which one?

Answer: Patch CVE-2024-21410 on the entry-point VM. This eliminates the exploitation opportunity at the first link. Without the vulnerability, the attacker cannot compromise the VM, which prevents the entire rest of the chain. Patching is typically faster than network reconfiguration or database authentication changes, and it removes the most immediate risk — a known, exploitable vulnerability on an internet-facing system.

Other options (incorrect):
Restrict network access between the VM and SQL server
Enable encryption on the customer database
Remove the VM's public IP address