Getting Started with Azure Sentinel (part 4 of 4)

By Ashwin Venugopal -

 


To read part 1, please click here
To read part 2, please click here
To read part 3, please click here



Scenario Mapping

It should be repeated regularly so that the tools and procedures are in-tune for better analysis and right flow of data along with the sell defined responses to make sure about appropriate actions to be taken upon detection of actual threats.

Step 1 - Define the new scenarios

  • Impact analysis- It can be considered as a summary of the complete analysis and you can provide a scoring system to make sure that the security controls' implementation are done on priority basis according to the potential impact's severity.

  • Risk vs likelihood- As some scenarios are at high risk of catastrophe, you can take the help of risk calculations to justify budget and controls which are required to mitigate the risk to some extent while prioritizing your resources to implement the controls.

  • Cost & value estimate- You must know the cost and value of the resource to your organization and if the cost outweighs its value to protect your resources, then you will have to look for another economical way to protect the resource.

  • System impacted- You can make a list of those systems that can be easily targeted for an attack, this way you can sort out the targets and ensure there regular monitoring as well as protection.  

  • People impacted- Make a scenario list of the relevant business groups, stakeholders, and support personnel that can be impacted by a successful attack while also ensuring clear documentation for escalation as well as resolution.

  • Customer impacted- You should also consider the customer impact for the loss or compromise of their data or an outage caused to the services offered to them while also recording any considerable severity and mitigation. 

Step 2 - Explain the purpose

Some of the high-level categories that can group same scenarios are as follows:

  • System health- This scenario ensures the operational health of a system or service needed to keep the system running. 
  • Compliance- The compliance requirements considerations are specific to your business, industry, or geographical region. 
  • Vulnerability- You should know if it's a system or process vulnerability that requires mitigation.
  • Threat- This scenario can articulate a potential threat and may not have a specific associated vulnerability.
  •  Breach- These scenarios can explore the impact of a successful breach.                                                                                                                                                                    

Step 3 - The kill-chain stage    

The kill Chain is a renowned construct which came into existence in the military and later on developed as a framework by Lockheed Martin and you can use the headers given below to perform accordingly:

Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on objectives.

Step 4 - Which solution will do detection?

You will have determine which component can successfully detect a threat among the following scenarios:

SIEM, CASB, DLP, IAM, EDR, CWPP

Step 5 - What actions will occur instantly?

You have to focus on the automation of the following actions:

  • Logging and alerting
  • Notify/warn the end user
  • Block the action
  • Offer alternative options/actions
  • Trigger workflow

Step 6 - Severity & output

You have to define a proper output for each severity level:
  • Level 0 - Logs and reports
  • Level 1 - Dashboard notification
  • Level 2 - Generate event in ticketing system
  • Level 3 - Alerts sent to groups/individuals
  • Level 4 - Automatic escalation to the senior management team

Step 7 - What action should the analyst take?

You will have to define exactly what action should be taken by the analyst for proper response, remediation, and recovery.


You should regularly do scenario mapping and carry out testing to make sure efficient protections as well as detections. Some organizations do it once per year while others on weekly basis or as per requirement.  

                                                                                                                                                                                                                                                                                                                                          To read part 1, please click here  
To read part 2, please click here
To read part 3, please click here


                                                                                                                                                                                                                                                                                                                                           

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   












Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more