Zero Trust Principles in Microsoft Security Copilot

By Ashwin Venugopal -

 






Introduction

Every connection and resource request is handled by Zero Trust security approach as if it came from a malicious actor and an uncontrolled network. No matter the source of the request or resource it uses, Zero Trust encourages us to "never trust, always verify."  In order to apply Zero Trust principles for Microsoft Security Copilot five layers of protection should be applied. The five steps are discussed below:

Step 1: Deploy or validate identity and access policies for admin and SecOps staff

The first step is to stop bad actors from gaining access to Security Copilot so they can't use it to quickly learn about cyberattacks. 
  • Users must change their passwords when high-risk activity is identified, and their accounts must use multifactor authentication (MFA) to prevent access from being compromised by simple password guessing. 

  • Intune management and device compliance policies must be followed by devices. 

These recommendations align with the Specialized security protection level in Microsoft's Zero Trust Trust identity and device access policies. 

Step 2: Apply least privilege to admin and SecOps user accounts

Setting up the proper roles in Security Copilot is part of this step. It also entails checking your SecOps and admin user accounts to make sure they have the fewest privileges possible for the tasks they are supposed to perform. 

Step 3: Secure devices for privileged access

The employees can use privileged access devices, such as Security Copilot, to access security tools and data for added security. A hardened workstation with application guard and clear application control is referred to as a privileged access device. To defend the host against intruders, the workstation employs credential guard, device guard, app guard, and exploit guard. Make sure to update the Intune device compliance policy to include these devices. Switch the security groups from the old device compliance policy to the new one. There is no need to change the Conditional Access rule. 

Step 4: Deploy or validate your threat protection services

Make sure to have the full suite of threat protection services, such as Microsoft Defender XDR with Microsoft 365, Microsoft Sentinel, and other security services and products, to detect as well as respond to security incidents while preventing bad actors from accessing Security Copilot.

Step 5: Secure access to third-party security products and data 

Make sure to have secure access to third-party security products and associated data before integrating them with Security Copilot. The Microsoft Zero Trust guidelines offer suggestions for protecting SaaS app access. These suggestions can be applied to the third-party security products. 

Conclusion

Now the network environment is ready for Microsoft Security Copilot with a strong foundation of security. 




































Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 3, please click  here Microsoft Sentinel Content Hub Content in Microsoft Sentinel includes any of the following types: Data connectors offer log ingestion from different sources into Microsoft Sentinel. Parsers give log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios. Workbooks provide monitoring, visualization, and interactively with data in Microsoft Sentinel, highlighting meaningful insights for users.  Analytics rules give alerts that point to relevant SOC actions via incidents.  Hunting Queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel. Notebooks help SOC teams in using advanced hunting features in Jupyter and Azure Notebooks. Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue.  Playbooks and Azure Logic Apps Custom Connectors provide featu...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more