Remediate Security Alerts Using Azure Defender (part 1)

To read part 2 please click here

Security Alerts

Security Center generates alerts for resources deployed in Azure as well as in on-premises and hybrid cloud environments. These alerts are triggered by advanced detections and are available only when Azure Defender is enabled.

Respond to today's threats

The threat landscape has changed considerably over the last 20 years, and attackers have reached an unprecedented level of professionalism. They are interested in stealing information, financial account credentials, and private data, all of which they can sell on the open market or use to gain a business, political, or military advantage.

To counter these threats, organizations often deploy point solutions that defend either the enterprise perimeter or the endpoints by looking for known attack signatures. These solutions tend to generate a high volume of low-fidelity alerts that a security analyst must triage and investigate. Most organizations lack the time and expertise to respond to all of them, so many go unaddressed.

Attackers have also evolved their methods to subvert signature-based defenses and have adapted to cloud environments, so new approaches are needed to identify emerging threats more quickly and to speed up detection and response.

What are security alerts and security incidents?

Alerts are the notifications that Security Center generates when it detects a threat on your resources. Security Center prioritizes and lists the alerts together with the information you need to investigate the problem quickly.

A security incident is a collection of related alerts, presented together instead of as individual alerts. Security Center uses Cloud Smart Alert Correlation to combine different alerts and low-fidelity signals into security incidents, so an analyst sees one attack story rather than a list of disconnected notifications.
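To make the alert-versus-incident distinction concrete, here is an added example (not Security Center's code; Cloud Smart Alert Correlation is proprietary and its rules are not published) that fuses alerts into incidents with one simple rule chosen for illustration: alerts that share at least one entity (host, user, IP) and fall within a time window of each other belong to the same incident, which takes the severity of its worst alert. The alert names, entities and timestamps are constructed sample data.

```python
"""Toy alert-to-incident correlation.

Added example, not Security Center code: Cloud Smart Alert Correlation is proprietary.
This shows the core idea with one simple rule (an assumption, not the product's logic):
alerts that share at least one entity (host, user, IP) and land within a time window of
each other are fused into one incident that carries the highest severity of its members.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alert:
    alert_id: str
    name: str
    severity: str
    time: datetime
    entities: frozenset  # e.g. {"host:vm01", "ip:203.0.113.7"}


@dataclass
class Incident:
    alerts: list = field(default_factory=list)
    entities: set = field(default_factory=set)

    @property
    def severity(self) -> str:
        # An incident is as severe as its worst alert.
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    @property
    def last_seen(self) -> datetime:
        return max(a.time for a in self.alerts)


def correlate(alerts, window=timedelta(hours=2)):
    """Greedy single pass in time order: an alert joins the first open incident that
    shares an entity with it and whose latest alert is within `window`; otherwise it
    opens a new incident. Entities are unioned, so a chain (A shares a host with B,
    B shares a user with C) ends up in one incident even if A and C share nothing."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.time):
        target = next(
            (inc for inc in incidents
             if inc.entities & alert.entities and alert.time - inc.last_seen <= window),
            None,
        )
        if target is None:
            target = Incident()
            incidents.append(target)
        target.alerts.append(alert)
        target.entities |= alert.entities
    return incidents


def summarize(incidents):
    """(severity, alert count, sorted entities) per incident, for display and testing."""
    return [(inc.severity, len(inc.alerts), sorted(inc.entities)) for inc in incidents]


# Constructed sample alerts (not real Security Center output); times are relative to T0.
T0 = datetime(2021, 3, 1, 9, 0)
SAMPLE_ALERTS = [
    Alert("a1", "Failed SSH brute force attempt", "Low", T0,
          frozenset({"host:vm01", "ip:203.0.113.7"})),
    Alert("a2", "Successful SSH brute force attack", "Medium", T0 + timedelta(minutes=12),
          frozenset({"host:vm01", "ip:203.0.113.7"})),
    Alert("a3", "Suspicious process executed", "High", T0 + timedelta(minutes=30),
          frozenset({"host:vm01", "user:svc-backup"})),
    Alert("a5", "Malware detected", "High", T0 + timedelta(minutes=45),
          frozenset({"host:web03"})),
    # Same service account as a3, but five hours later: outside the window, so it
    # becomes its own incident rather than being glued onto the stale one.
    Alert("a4", "Anomalous SQL login", "Medium", T0 + timedelta(hours=5),
          frozenset({"host:sqlsrv02", "user:svc-backup"})),
]

if __name__ == "__main__":
    for sev, count, ents in summarize(correlate(SAMPLE_ALERTS)):
        print(f"{sev:<7} {count} alert(s)  entities={ents}")
```

Running it yields three incidents: the brute force, the follow-on suspicious process and the shared host/IP collapse into one High incident with three alerts, the unrelated malware hit on web03 stands alone, and the later SQL login stays separate because it falls outside the window even though it shares the service account. The window and the "any shared entity" rule are the two knobs that trade correlation recall against the risk of chaining unrelated activity into one incident.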

How does Security Center detect threats?

Security Center employs advanced security analytics that go well beyond signature-based approaches, including the following:

  • Integrated threat intelligence - Microsoft has an immense amount of global threat intelligence, and its researchers also receive threat intelligence shared among major cloud service providers as well as feeds from other third parties. Azure Security Center uses this information to alert you to threats from known bad actors.

  • Behavioral analytics - a technique that analyzes data and compares it to a collection of known attack patterns. These patterns are determined by machine learning algorithms applied to massive datasets. Azure Security Center uses behavioral analytics to identify compromised resources based on analysis of virtual machine logs, virtual network device logs, fabric logs, and other sources.

  • Anomaly detection - Azure Security Center also uses anomaly detection to identify threats. Unlike behavioral analytics, anomaly detection is "personalized": it focuses on baselines specific to your deployments. Machine learning determines what normal activity looks like for your deployments and then generates rules that define outlier conditions that could represent security events.
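The difference between a shared pattern library and a per-deployment baseline is easiest to see in code. The following is an added example, not Security Center's algorithm (which is proprietary): it learns a baseline for each resource from that resource's own history and flags a value only if it is an outlier for that resource, so the same daily login count is routine on a busy jump host and anomalous on a quiet backend VM. The median/MAD threshold, the hostnames and the daily counts are assumptions constructed for illustration.

```python
"""Per-resource baseline anomaly detection.

Added example, not Security Center's algorithm (which is proprietary). It demonstrates
the 'personalized' idea from the text: learn what is normal for each resource from its
own history and flag outliers against that, so the same daily count can be routine
for a busy jump host and anomalous for a quiet backend VM. Median/MAD thresholding
and the sample data are assumptions chosen for illustration.
"""
from statistics import median


def robust_baseline(values):
    """Return (median, median absolute deviation) of a learning window.
    MAD is used instead of standard deviation so a single spike in the window
    (which may itself have been an attack) does not inflate the threshold."""
    m = median(values)
    mad = median(abs(v - m) for v in values)
    return m, mad


def is_outlier(value, baseline, k=3.0, floor=1.0):
    """True if `value` exceeds median + k * MAD. `floor` stops a near-constant
    baseline (MAD == 0) from alerting on a difference of a single event."""
    m, mad = baseline
    return value > m + k * max(mad, floor)


def learn_baselines(history):
    """One baseline per resource, learned from that resource's own history
    ({resource: [daily counts]}), which is what makes the detection 'personalized'."""
    return {resource: robust_baseline(counts) for resource, counts in history.items()}


def detect(history, today, k=3.0):
    """Map each resource in `today` to whether its count is an outlier for *that* resource."""
    baselines = learn_baselines(history)
    return {resource: is_outlier(count, baselines[resource], k)
            for resource, count in today.items()}


# Constructed sample: successful SSH logins per day over a 14-day learning window.
LOGIN_HISTORY = {
    "jumphost01": [40, 42, 38, 45, 41, 39, 44, 40, 43, 37, 42, 41, 40, 44],
    "backend07": [1, 0, 2, 1, 1, 0, 1, 2, 1, 1, 0, 1, 1, 2],
}
# The same count on both hosts today; only one of them should alert.
TODAY = {"jumphost01": 45, "backend07": 45}

if __name__ == "__main__":
    for resource, flagged in detect(LOGIN_HISTORY, TODAY).items():
        m, mad = robust_baseline(LOGIN_HISTORY[resource])
        print(f"{resource}: today={TODAY[resource]} baseline median={m} "
              f"mad={mad} outlier={flagged}")
```

With this data jumphost01 (median 41, MAD 1.5) treats 45 logins as normal while backend07 (median 1, MAD 0) flags the identical count, which is the behaviour a signature or a single global threshold cannot give you. The `floor` parameter matters in practice: many cloud resources have an almost flat history, and without it a MAD of zero would turn every +1 into an alert, which is exactly the low-fidelity noise the article warns about.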

Continuous monitoring and assessments

Azure Security Center benefits from security research and data science teams throughout Microsoft who continuously monitor changes in the threat landscape, including the following initiatives:

  • Threat intelligence monitoring - threat intelligence includes mechanisms, indicators, implications, and actionable advice about existing or emerging threats. This information is shared within the security community, and Microsoft continuously monitors threat intelligence feeds from internal and external sources.

  • Signal sharing - insights from security teams across Microsoft's broad portfolio of cloud and on-premises services, servers, and client endpoint devices are shared and analyzed.

  • Microsoft security specialists - ongoing engagement with teams across Microsoft that work in specialized security fields, such as forensics and web attack detection.

  • Detection tuning - algorithms are run against real customer datasets, and security researchers work with customers to validate the results. True and false positives are then used to refine the machine learning algorithms.


