Getting started with Azure Sentinel (part 1 of 4)

To read part 2, please click here
To read part 3, please click here
To read part 4, please click here

Current Cloud Security Landscape

Every security architecture requires a thorough understanding of the IT environment it will protect, and you should know all the security solutions that will be deployed to protect that environment. The major components of a modern IT environment are as follows:
  1. Identity for authentication and authorization of access to systems.
  2. Networks to gain access to internal resources and the internet.
  3. Storage and compute in the data center for internal applications and sensitive information.
  4. End user devices and the applications they use to interact with data.
  5. For some environments, Industrial Control Systems (ICS) and the IoT as well. 

The threats and vulnerabilities of all these components must be studied thoroughly before going any further. 

Cloud security reference framework

The components of the cloud security reference framework are given below; they can help you map and discover the security solutions you need:
  • Security Operations Center- At a high level it offers the following technologies and procedures: log management and Security Information and Event Management (SIEM), Security Orchestration and Automated Response (SOAR), vulnerability management, threat intelligence, incident response, and intrusion prevention or detection.

  • Productivity Services- This covers the solutions end users work with daily and the protection of business productivity services such as email, SharePoint Online, OneDrive for Business, Box, Dropbox, Google Apps, Salesforce and many more.

  • Identity & Access Management- If attackers gain access to your environment, they will first go for weak or vulnerable accounts and use them to exploit the system. Hence, an identity compromised through a successful phishing attack is usually the first step into your IT environment. 

  • Client Endpoint Management- It protects a wide range of endpoints, from desktops and laptops to mobile devices and kiosk systems, against advanced and persistent threats to operating systems and applications, using specialized solutions such as Endpoint Detection and Response (EDR), Mobile Device Management (MDM), and Mobile Application Management (MAM). It can also cover secure printing, peripheral management, and any other devices an end user generally interacts with during work.

  • Cloud Access Security Broker- CASB is an old component and runs as a cloud solution that ingests log data from SaaS applications as well as firewalls, applying its own threat detection and prevention. The SIEM solution takes the information from the CASB to understand the situation across your diverse IT environment.

  • Perimeter Network- It is one of the most advanced areas of cyber security and is known as the frontline defense, or historically the only line of defense. Nowadays it includes multiple options, from external-facing advanced firewalls, web proxy servers, and application gateways to virtual private networking solutions and secure DNS, along with protection services like DDoS mitigation, Web Application Firewall, and Intrusion Prevention/Detection services.

  • IoT & Industrial Control Systems- ICS is generally operated and maintained in isolation from the corporate environment, a separation called the Information Technology/Operational Technology divide (IT/OT divide). It runs systems that have existed for decades and cannot easily be updated or replaced. IoT is both similar and different: there are many small headless devices that collect data and control critical business functions without being on the same network.

  • Private Cloud Infrastructure- The technologies in this component are storage, networks, internal firewalls, and physical and virtual servers; it also determines the extent of log data collection and transfer to the cloud for Azure Monitor ingestion.

  • Public Cloud Infrastructure- Nowadays these are a mainstay of modern IT environments and ideally have many governance and security layers embedded into the full life cycle of creation and operation, covering Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). 

  • Privileged Access Management- It ensures strong governance of all system-level access, removing unwanted permissions and recording every request for elevated access. Advanced solutions allow rotation of passwords for service accounts and management of shared system accounts and local administrator accounts on all computers and servers. Password vaults and session recordings can also be implemented for evidence gathering.

  • Cloud Workload Protection Platform- Depending on the vendor's view, it is also known as Cloud Security Posture Management (CSPM). It may include DevOps tools for deployment and configuration management of private as well as public platforms, potentially enforcing configuration compliance with multiple regulatory and industry standard frameworks.

  • Information Security- It protects data at rest as well as in transit, regardless of whether it is stored on an endpoint, portable media or cloud storage. It includes secure collaboration, digital rights management, securing email, and scanning for regulated data and other sensitive information.   

The Cloud Security Reference Framework can guide you to the services required to protect your cloud implementation.
