Security Strategy & Principles

Microsoft Security Principles

Microsoft's security principles are the following:
  1. An effective defense requires you to dramatically increase the costs to the attacker.
  2. Assume your identities are always under attack.
  3. Apply attack graph thinking.
  4. Defense in depth is critical.
  5. Protect, detect, and respond.
  6. Above all, assume compromise.

Measuring Security Success

It is difficult to calculate Security Return on Investment (SROI) because neither component of risk is easy to measure:
  • Impact: many of the outcomes are unknown and difficult to measure (for example, which competing products have benefited from intelligence stolen from your environment?).

  • Likelihood: this is driven by uncertainty, because it depends on the adaptive, reactive decisions of human attackers (i.e. they are not random).

Defender Investment consists of:

  • Security budget: the cost of purchasing technology and hiring people.
  • The time and attention of the team members.

Defender Return consists of your ability to:

  • Reduce the attacker's ROI, which discourages attackers, encourages them to move on to easier targets, and thereby reduces the frequency of attacks.
  • Reduce the business impact of any attack on your organization.

Attacker ROI is a crucial factor that defenders must work to influence:

  • Attacker Return: the success rate of attacks, which is largely outside the control of individual defenders (it depends on factors such as black-market availability and law-enforcement effectiveness). It is therefore not recommended to spend time or attention on this one.

  • Attacker Investment: the defender's best opportunity to affect attacker ROI. By adopting a strategy of defeating the cheapest attack mechanisms first, you force an attacker to spend more time, money, and resources to attack you successfully.

The Defender's Dilemma

The most common dilemma faced by defenders is that they have to be right every time, everywhere, forever, whereas an attacker has to be right just once. Security is not an easy task because there are never enough resources to protect all the assets, which leaves a lot of security projects sitting in backlogs (usually representing accepted risk); meanwhile, attackers have a variety of effective techniques, ranging from exploiting unpatched firmware, operating systems, and apps, to configuration weaknesses, to human errors by users or administrators.

The cloud makes threat detection more effective because cloud services store and process massive numbers of events and other threat signals, and administrators can use context and machine learning to separate the signal from the noise. It also offers a community effect: if 100 customers are protected by cloud threat detection, the investigation of an attack on one benefits the other 99 with little or no effort on their part.

Microsoft is also able to invest billions of dollars in the optimal mix of security expertise, processes, and technologies, and its cloud services can detect and respond to threats in near real time because they have continuous access to security event information across millions of devices, millions of network connections, and logged activities. Microsoft uses behavioral analysis, anomaly detection, and sophisticated statistical algorithms to identify potential compromises as they happen.

Raise the Attacker's Cost

As a defender, if you concentrate on undermining the attacker's model by raising the cost of attack, you shift the paradigm from a Defender's Dilemma to an Attacker's Dilemma; if you defend against the cheapest attack techniques first, the cost of attacking your environment rises automatically.

Once you have solid detection and response in place against known attacks, you can readily defend against potential future attacks as well, which is not a luxury most organizations can afford. Microsoft Defender for Office 365 includes Attack Simulator, which lets you run realistic attack scenarios within your organization and greatly helps you identify vulnerable users before a real attack impacts your bottom line. Hence, the more you are able to prevent "easy" attacks, the more expensive it becomes for an attacker.
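The two ideas above, attack graph thinking (principle 3) and raising the attacker's cost by removing the cheapest techniques first, can be made concrete with a small model. The following is an added example written for this post; it is not code from the original post or from Microsoft. The environment, node names, technique names, cost values, and mitigations are all constructed and hypothetical: the point is the method (find the attacker's cheapest path, then rank candidate mitigations by how much they raise that cheapest cost), not the numbers.

```python
import heapq
from typing import Dict, List, Optional, Tuple

# Edge: (next_node, technique_name, attacker_cost).
# Costs are constructed "effort units" for a toy environment, not measured data.
Graph = Dict[str, List[Tuple[str, str, int]]]

# Constructed toy attack graph. Nodes are positions an attacker can hold;
# edges are techniques that move the attacker between positions.
ATTACK_GRAPH: Graph = {
    "internet": [
        ("user_workstation", "phishing", 2),
        ("web_server", "unpatched_app", 4),
    ],
    "user_workstation": [
        ("file_server", "password_reuse", 1),
        ("file_server", "local_exploit", 5),
    ],
    "web_server": [
        ("file_server", "misconfigured_share", 2),
    ],
    "file_server": [
        ("crown_jewels", "excess_privilege", 1),
    ],
    "crown_jewels": [],
}

# Constructed mitigations: each one raises the cost of every edge that uses a
# given technique by a fixed amount (a simplification of "raising attacker cost").
MITIGATIONS: Dict[str, Tuple[str, int]] = {
    "MFA on user accounts": ("phishing", 6),
    "patch internet-facing app": ("unpatched_app", 6),
    "unique credentials per system": ("password_reuse", 6),
    "least privilege on file server": ("excess_privilege", 6),
}


def cheapest_attack_path(graph: Graph, start: str, goal: str) -> Optional[Tuple[int, List[str]]]:
    """Dijkstra over the attack graph.

    Returns (total_cost, [technique, ...]) for the attacker's cheapest path
    from `start` to `goal`, or None if the goal is unreachable.
    """
    dist: Dict[str, int] = {start: 0}
    prev: Dict[str, Tuple[str, str]] = {}
    heap: List[Tuple[int, str]] = [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == goal:
            break
        if cost > dist[node]:          # stale heap entry
            continue
        for nxt, technique, step_cost in graph.get(node, []):
            new_cost = cost + step_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                prev[nxt] = (node, technique)
                heapq.heappush(heap, (new_cost, nxt))
    if goal not in dist:
        return None
    # Walk the predecessor chain back to the start to recover the techniques used.
    techniques: List[str] = []
    node = goal
    while node != start:
        node, technique = prev[node]
        techniques.append(technique)
    return dist[goal], list(reversed(techniques))


def apply_mitigation(graph: Graph, technique: str, extra_cost: int) -> Graph:
    """Return a copy of the graph with `extra_cost` added to every edge using `technique`."""
    return {
        node: [(nxt, tech, cost + extra_cost if tech == technique else cost)
               for nxt, tech, cost in edges]
        for node, edges in graph.items()
    }


def rank_mitigations(graph: Graph, mitigations: Dict[str, Tuple[str, int]],
                     start: str, goal: str) -> List[Tuple[str, float]]:
    """Rank mitigations by the attacker's new cheapest cost after each is applied (highest first)."""
    results: List[Tuple[str, float]] = []
    for name, (technique, extra) in mitigations.items():
        hardened = apply_mitigation(graph, technique, extra)
        found = cheapest_attack_path(hardened, start, goal)
        results.append((name, found[0] if found else float("inf")))
    results.sort(key=lambda r: r[1], reverse=True)  # stable: ties keep input order
    return results


if __name__ == "__main__":
    base = cheapest_attack_path(ATTACK_GRAPH, "internet", "crown_jewels")
    assert base is not None
    print(f"cheapest attack costs {base[0]}: {' -> '.join(base[1])}")
    for name, cost in rank_mitigations(MITIGATIONS and ATTACK_GRAPH, MITIGATIONS, "internet", "crown_jewels"):
        print(f"{name:32s} raises the cheapest attack cost to {cost}")
```

In this toy graph the cheapest path is phishing, then password reuse, then abuse of excess privilege, at a total cost of 4. Ranking the mitigations shows something the prose only hints at: the control that raises the attacker's cheapest cost the most is not necessarily the one on the cheapest edge, but the one on the edge every path has to cross (here, least privilege on the file server), while patching the web app changes nothing because the cheapest path never touched it.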
