Getting Started with Azure Sentinel (part 4 of 4)

 


To read part 1, please click here
To read part 2, please click here
To read part 3, please click here



Scenario Mapping

It should be repeated regularly so that the tools and procedures are in-tune for better analysis and right flow of data along with the sell defined responses to make sure about appropriate actions to be taken upon detection of actual threats.

Step 1 - Define the new scenarios

  • Impact analysis- It can be considered as a summary of the complete analysis and you can provide a scoring system to make sure that the security controls' implementation are done on priority basis according to the potential impact's severity.

  • Risk vs likelihood- As some scenarios are at high risk of catastrophe, you can take the help of risk calculations to justify budget and controls which are required to mitigate the risk to some extent while prioritizing your resources to implement the controls.

  • Cost & value estimate- You must know the cost and value of the resource to your organization and if the cost outweighs its value to protect your resources, then you will have to look for another economical way to protect the resource.

  • System impacted- You can make a list of those systems that can be easily targeted for an attack, this way you can sort out the targets and ensure there regular monitoring as well as protection.  

  • People impacted- Make a scenario list of the relevant business groups, stakeholders, and support personnel that can be impacted by a successful attack while also ensuring clear documentation for escalation as well as resolution.

  • Customer impacted- You should also consider the customer impact for the loss or compromise of their data or an outage caused to the services offered to them while also recording any considerable severity and mitigation. 

Step 2 - Explain the purpose

Some of the high-level categories that can group same scenarios are as follows:

  • System health- This scenario ensures the operational health of a system or service needed to keep the system running. 
  • Compliance- The compliance requirements considerations are specific to your business, industry, or geographical region. 
  • Vulnerability- You should know if it's a system or process vulnerability that requires mitigation.
  • Threat- This scenario can articulate a potential threat and may not have a specific associated vulnerability.
  •  Breach- These scenarios can explore the impact of a successful breach.                                                                                                                                                                    

Step 3 - The kill-chain stage    

The kill Chain is a renowned construct which came into existence in the military and later on developed as a framework by Lockheed Martin and you can use the headers given below to perform accordingly:

Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on objectives.

Step 4 - Which solution will do detection?

You will have determine which component can successfully detect a threat among the following scenarios:

SIEM, CASB, DLP, IAM, EDR, CWPP

Step 5 - What actions will occur instantly?

You have to focus on the automation of the following actions:

  • Logging and alerting
  • Notify/warn the end user
  • Block the action
  • Offer alternative options/actions
  • Trigger workflow

Step 6 - Severity & output

You have to define a proper output for each severity level:
  • Level 0 - Logs and reports
  • Level 1 - Dashboard notification
  • Level 2 - Generate event in ticketing system
  • Level 3 - Alerts sent to groups/individuals
  • Level 4 - Automatic escalation to the senior management team

Step 7 - What action should the analyst take?

You will have to define exactly what action should be taken by the analyst for proper response, remediation, and recovery.


You should regularly do scenario mapping and carry out testing to make sure efficient protections as well as detections. Some organizations do it once per year while others on weekly basis or as per requirement.  

                                                                                                                                                                                                                                                                                                                                          To read part 1, please click here  
To read part 2, please click here
To read part 3, please click here


                                                                                                                                                                                                                                                                                                                                           

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   












Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)