{"id":20179,"date":"2021-01-05T13:40:17","date_gmt":"2021-01-05T21:40:17","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/azuregov\/?p=20179"},"modified":"2021-01-05T13:40:59","modified_gmt":"2021-01-05T21:40:59","slug":"quickly-deploy-dod-stig-compliant-images-and-visualize-compliance-using-azure","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/azuregov\/quickly-deploy-dod-stig-compliant-images-and-visualize-compliance-using-azure\/","title":{"rendered":"Quickly deploy DoD STIG-compliant images and visualize compliance using Azure"},"content":{"rendered":"<p><em>This blog is authored by members of Microsoft\u2019s Government Cybersecurity, Azure Global Critical Infrastructure team:\u00a0 Michele Myauo, Principal Engineering Manager; Adam Dimopoulos, Senior Program Manager; and Shawn Gibbs, Senior Program Manager.<\/em><\/p>\n<p>At Microsoft, our security and compliance story is one of our greatest differentiators. Microsoft recognizes the criticality of security compliance accreditations for Defense Industrial Base (DIB) and Department of Defense (DoD) customers. Maintaining <a href=\"https:\/\/public.cyber.mil\/stigs\/\">Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)<\/a> compliance is critical and often time consuming. STIGs are secure configuration standards for installation and maintenance of DoD Information Assurance (IA) and IA-enabled devices and systems. Azure provides automation and compliance dashboarding capabilities at cloud speed and scale, allowing customers to reduce the heavy costs of compliance when they choose Azure.<\/p>\n<p>The Azure Team has created sample solutions using first-party Azure tooling to deliver STIG automation and compliance reporting. 
The <a href=\"https:\/\/aka.ms\/AAakti2\">STIG Automation GitHub Repository<\/a> enables customers to:<\/p>\n<ul>\n<li>Automate STIG implementation and baseline updates with <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-machines\/windows\/image-builder-overview\">Azure Image Builder<\/a><\/li>\n<li>Visualize compliance with Azure Monitor <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/log-query\/log-analytics-overview\">Log Analytics<\/a> or <a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-sentinel\/\">Sentinel<\/a><\/li>\n<\/ul>\n<p>These solutions are available for use with Azure commercial today and coming soon to Azure Government. Here&#8217;s a summary of current resources to help you get started:<\/p>\n<p><strong>STIG automation architecture<\/strong><\/p>\n<p>With our <a href=\"https:\/\/aka.ms\/AAakti2\">STIG Automation GitHub Repository<\/a>, customers can build STIG images and automate baseline updates as new versions of STIGs are released quarterly. The overall architecture uses a set of resources deployed via nested Azure Resource Manager (ARM) templates from this repository. 
The result is automated virtual machine image creation via Azure Image Builder, with the final STIG&#8217;d images stored in the resource group&#8217;s shared Azure Image Gallery for use in that Azure subscription.<\/p>\n<p>Currently supported operating systems:<\/p>\n<ul>\n<li>Windows 10 RS5 Enterprise\/Enterprise multi-session\/Professional<\/li>\n<li>Windows 2019<\/li>\n<li>Windows 2016<\/li>\n<\/ul>\n<p style=\"text-align: center;\"><strong>STIG Automation Architecture<\/strong><\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Automation-Architecture-Image.png\"><img decoding=\"async\" class=\"wp-image-20182 aligncenter\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Automation-Architecture-Image.png\" alt=\"Image STIG Automation Architecture Image\" width=\"824\" height=\"158\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Automation-Architecture-Image.png 657w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Automation-Architecture-Image-300x58.png 300w\" sizes=\"(max-width: 824px) 100vw, 824px\" \/><\/a><\/p>\n<p>More specifically, automation creates a resource group that plays host to the required components to create, store and audit images as they are used. During deployment, several image templates will be uploaded representing how to make a STIG\u2019d image. Once images are created, they can then be used in other automation templates or scripts. In addition to images in the shared Azure Image Gallery, the Windows 10, 2019 and 2016 templates create Azure Virtual Hard Disks (VHDs) that can then be used or downloaded as needed. 
Azure Image Builder will also create resource groups that house the components used for creating images, and this is where the Azure VHD files are stored until you move them.<\/p>\n<p>The PowerSTIG Desired State Configuration (DSC) audit information for each image is automatically logged and reported to an Azure Log Analytics Workspace, and an Azure Sentinel Workbook is included with the deployment to visualize the data. If desired, this workbook can be removed or replaced with any other Log Analytics or Sentinel Workbook by simply pointing new or existing queries to the Log Analytics Workspace included in the STIG automation deployment. PowerSTIG is an open-source GitHub project that is actively supported.<\/p>\n<p><strong>Azure Image Builder<\/strong><\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-machines\/windows\/image-builder-overview\">Azure Image Builder<\/a> lets you start with a Windows or Linux-based Azure Marketplace image and begin to add your own customizations. Because the Image Builder is built on <a href=\"https:\/\/packer.io\/\">HashiCorp Packer<\/a>, you can also import your existing Packer shell provisioner scripts. Additionally, you can specify where you would like your images to be hosted: in the <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/virtual-machines\/windows\/shared-image-galleries\">Azure Shared Image Gallery<\/a> as a managed image or VHD.<\/p>\n<p>Standardized virtual machine (VM) images allow organizations to migrate to the cloud and ensure consistency in the deployments. Images typically include predefined security and configuration settings, as well as necessary software. Setting up your own imaging pipeline requires time, infrastructure, and configuration. 
But with Azure VM Image Builder, just provide a simple configuration describing your image, submit it to the service, and the image is subsequently built and distributed.\nNote: Azure Image Builder is available in Public Preview in Azure commercial.<\/p>\n<p><strong>Azure Monitor Log Analytics<\/strong><\/p>\n<p><a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/monitor\/\">Azure Monitor<\/a> collects monitoring telemetry from a variety of on-premises and Azure sources. Management tools, such as those in Azure Security Center and Azure Automation, also push log data to Azure Monitor. The service aggregates and stores this telemetry in a log data store that\u2019s optimized for cost and performance. Analyze data, set up alerts, get end-to-end views of your applications, and use machine learning\u2013driven insights to quickly identify and resolve problems.<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/azure-monitor\/log-query\/log-analytics-overview\">Log Analytics<\/a> is a tool in the Azure portal used to edit and run log queries with data in Azure Monitor Logs. You may write a simple query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze them. Or you may write a more advanced query to perform statistical analysis and visualize the results in a chart to identify a particular trend. Whether you work with the results of your queries interactively or use them with other Azure Monitor features such as log query alerts or workbooks, Log Analytics is the tool that you&#8217;re going to use to write and test them.<\/p>\n<p>With the automation, your Azure Log Analytics Dashboard shows your current projected STIG compliance score, helps you see what needs attention, and guides you to key improvement actions. 
Below is an example of what your Azure Log Analytics dashboard will look like:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Dashboard-Image.png\"><img decoding=\"async\" class=\"alignnone size-large wp-image-20183\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Dashboard-Image-1024x525.png\" alt=\"Image STIG Dashboard Image\" width=\"640\" height=\"328\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Dashboard-Image-1024x525.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Dashboard-Image-300x154.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Dashboard-Image-768x394.png 768w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Dashboard-Image.png 1035w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><span style=\"font-size: 8pt;\"><em>Note: The Azure Monitor Log Analytics dashboard is a projection of your organization\u2019s STIG compliance profile based on all available information to date\u2014Microsoft is not an accrediting body for STIGs, and thus cannot guarantee any outcome under the formal STIG review process<\/em><\/span>.<\/p>\n<p><strong>Azure Sentinel<\/strong><\/p>\n<p><a href=\"https:\/\/azure.microsoft.com\/en-us\/services\/azure-sentinel\/\">Azure Sentinel<\/a> is a cloud-native security information and event manager (SIEM) platform that uses built-in artificial intelligence (AI) to help analyze large volumes of data across an enterprise\u2014fast. Azure Sentinel aggregates data from all sources, including users, applications, servers, and devices running on-premises or in any cloud, letting you reason over millions of records in a few seconds. It includes built-in connectors for easy onboarding of popular security solutions. 
Collect data from any source with support for open standard formats like CEF and Syslog.<\/p>\n<p>See and stop threats before they cause harm, with SIEM reinvented for the modern world. Azure Sentinel is your bird&#8217;s-eye view across the enterprise. Put the cloud and large-scale intelligence from decades of Microsoft security experience to work. Make your threat detection and response smarter and faster with artificial intelligence (AI). Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs\u2014while reducing IT costs.<\/p>\n<p>With the automation, your Azure Sentinel STIG Dashboard shows your current projected STIG compliance score, helps you see what needs attention, and guides you to key improvement actions. Below is an example of what your Azure Sentinel dashboard will look like:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Workbook-Image-3.png\"><img decoding=\"async\" class=\"alignnone size-large wp-image-20184\" src=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Workbook-Image-3-1024x356.png\" alt=\"Image STIG Workbook Image 3\" width=\"640\" height=\"223\" srcset=\"https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Workbook-Image-3-1024x356.png 1024w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Workbook-Image-3-300x104.png 300w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Workbook-Image-3-768x267.png 768w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Workbook-Image-3-1536x535.png 1536w, https:\/\/devblogs.microsoft.com\/azuregov\/wp-content\/uploads\/sites\/43\/2020\/12\/STIG-Workbook-Image-3.png 1540w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><span style=\"font-size: 8pt;\">Note: The Azure Sentinel 
dashboard is a projection of your organization\u2019s STIG compliance profile based on all available information to date\u2014Microsoft is not an accrediting body for STIGs, and thus cannot guarantee any outcome under the formal STIG review process.<\/span><\/p>\n<p>Microsoft is actively building out additional STIG resources for Defense Industrial Base (DIB) companies and the Department of Defense (DoD) to use in their STIG journey. These tools cannot guarantee a positive STIG adjudication, but they may assist organizations by improving their STIG posture going into a formal STIG review in accordance with accreditation body standards. Get started by visiting our <a href=\"https:\/\/aka.ms\/AAakti2\">STIG Automation GitHub Repository<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog is authored by members of Microsoft\u2019s Government Cybersecurity, Azure Global Critical Infrastructure team:\u00a0 Michele Myauo, Principal Engineering Manager; Adam Dimopoulos, Senior Program Manager; and Shawn Gibbs, Senior Program Manager. At Microsoft, our security and compliance story is one of our greatest differentiators. 
Microsoft recognizes the criticality of security compliance accreditations for Defense Industrial [&hellip;]<\/p>\n","protected":false},"author":1804,"featured_media":18321,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2,1],"tags":[75,253,262,315,3430],"class_list":["post-20179","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcements","category-azuregov","tag-azure","tag-disa","tag-dod","tag-government","tag-stig"],"acf":[],"blog_post_summary":"<p>This blog is authored by members of Microsoft\u2019s Government Cybersecurity, Azure Global Critical Infrastructure team:\u00a0 Michele Myauo, Principal Engineering Manager; Adam Dimopoulos, Senior Program Manager; and Shawn Gibbs, Senior Program Manager. At Microsoft, our security and compliance story is one of our greatest differentiators. Microsoft recognizes the criticality of security compliance accreditations for Defense Industrial 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/20179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/users\/1804"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/comments?post=20179"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/posts\/20179\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media\/18321"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/media?parent=20179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/categories?post=20179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/azuregov\/wp-json\/wp\/v2\/tags?post=20179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}