Host Security

By Ashwin Venugopal -

 

Endpoint Protection

Computer systems that can interact directly with users are considered endpoint systems, and the systems on devices such as laptops, smartphones, tablets, etc. are need to be secured to prevent them from acting as gateways for security attacks on an organization's networked systems.

Step 1: Help protect against malware

Install antimalware to help identify and remove viruses, spyware, and other malicious software. You can easily install Microsoft Antimalware or an endpoint protection solution from a Microsoft Partner.

Step 2: Monitor the status of the antimalware

With the help of the information under Endpoint protection issues, you can identify a plan to address any issues identified. Security Center reports the following endpoint protection issues:

  • Endpoint protection not installed on Azure VMs- A supported antimalware solution isn't installed on these Azure VMs.
  • Endpoint protection not installed on non-Azure computers- A supported antimalware solution isn't installed om these non-Azure computers.
  • Endpoint protection health issues-
  1. Signature out of date- An antimalware solution is installed on these VMs and computers, but the solution doesn't have the latest antimalware signatures.
  2. No real-time protection- An antimalware solution is installed on these VMs and computers, but it isn't configured for real time protection. the service might be disabled, or Security Center might be unable to obtain the status because the solution isn't supported.
  3.  not reporting- An antimalware solution is installed but not reporting data.
  4. Unknown- An antimalware solution is installed, but either its status is unknown or it is reporting an unknown error.  

Privileged Access Workstations (PAWs)

PAWs provide a dedicated system for sensitive tasks that are protected from the Internet attacks and threat vectors which a hardened and locked down workstation designed to provide high security assurances for sensitive accounts and tasks. 
The PAW security controls are focused on mitigating high impact and high probability risks of compromise and these include mitigating attacks on the environment and risks that can decrease the effectiveness of PAW controls over time:

  • Internet attacks- Isolating the PAW from the open internet is the key ensuring that the PAW is not compromised.
  • Usability risk- If a PAW is too difficult to use for daily tasks, then administrators will be motivated to create workarounds to make their jobs easier.
  • Environment risks- Minimizing the use of management tools and accounts that have access to the PAWs to secure and monitor these specialized workstations.
  • Supply chain tampering- Taking a few key actions can mitigate critical attack vectors that are readily available to attackers. This includes validating the integrity of all installation media and using a trusted and reputable supplier for hardware as well as software.
  • Physical attacks- As PAWs can be physically mobile and used outside of physically secure facilities, they must be protected against attacks that leverage unauthorized physical access to the computer. 

Architecture Overview

The architectural approach built on the protections found in the Windows 10 Credential Guard and Device Guard features goes beyond those protections for sensitive accounts and tasks. This methodology is appropriate for accounts with access to high value assets:
  • Administrative Privileges- PAWs provides increased security for high impact IT administrative roles and tasks and can be applied to administration of many types of systems including Automated Teller Machines (ATMs), Point Of Sale (POS) devices, Microsoft Azure Active Directory tenants, Microsoft 365 tenants, etc.
  • High sensitivity information workers- The approach used in a PAW can also provide protection for highly sensitive information worker tasks and personnel such as those involving pre-announcement Merger and Acquisition activity, pre-release financial reports, sensitive research, or other proprietary or sensitive data.   
The security of most or all business assets in an IT organization depends on the integrity of the privileged accounts used to administer, manage, and develop.

Jump Box

Administrative "Jump Box" architectures set up a small number administrative console servers and restrict personnel from using them for administrative tasks while the administrative session on the jump server relies on the integrity of the local computer accessing it, but if this computer is a user workstation subject to phishing attacks and other internet-based attack vectors, then the administrative session is also subject to those risks.
The default configuration in the PAW guidance installs administrative tools on the PAW, but a jump server architecture can also be added if required and the user jump box is exposed to risk so appropriate protective controls, detective controls, and response processes should still be applied for the internet-facing computer.

Azure Resource Manager

Resource Manager is the deployment and management service for your Azure subscription while using its access control, tagging, and auditing features to help secure and organize your resources after deployment. Here are some additional terms to know when using Resource Manager:
  • Resource provider- A service that supplies Azure resources. For example- a common resource provider is Microsoft Compute, which supplies the VM resource.
  • Resource manager template- A JSON file that defines one or more resources to deploy to a resource group or subscription while the template can be used to consistently and repeatedly deploy the resources. 
  • Declarative syntax- Syntax that lets you state, "Here's what I intend to create" without having to write the sequence of programming commands to create it. 
You can use the Resource Manager template to define your VMs, and after that you can easily deploy or redeploy them. It is recommended to periodically redeploy your VMs to force the deployment of a freshly updated and security-enhanced VM OS.











Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more