Azure Security Center provides security posture management and threat protection for your hybrid cloud workloads. Cloud Security Posture Management covers policies, initiatives, recommendations, Secure Score, and security controls. Cloud Workload Protection protects servers, cloud-native workloads, databases, and storage against threats, and surfaces security alerts and incidents.
2. About me
• Udaiappa Ramachandran ( Udai )
• CTO-Akumina, Inc.
• Cloud Expert
• Microsoft Azure, Amazon Web Services and Google
• New Hampshire Cloud User Group (http://www.meetup.com/nashuaug )
• https://udai.io
4. Security/Data Breaches
• Adobe
• Adult Friend Finder
• Ashley Madison
• AWS S3 Bucket
• Canva
• Code Spaces (source code hosting)
• Dubsmash
• eBay
• Equifax
• Facebook
• Heartland Payment Systems
• LinkedIn
• Marriott International
• My Fitness Pal
• MySpace
• NetEase
• Podesta/Hillary Emails
• Sina Weibo
• Target
• Yahoo
• Zynga
5. Challenges
• Threats increasing in volume and sophistication
• Attacker business models evolve to maximize attacker return on investment (ROI)
• Attack automation and evasion techniques evolving along multiple dimensions
• Can’t Stop All Attacks
• Must balance investments across prevention, detection, and response
• Prevention investments must be focused on real world attacks
• Integration is required, but complex and costly
• Threat detection requires context from diverse signal sources and high volumes of data
• Efficient operations require integration of tools and technology such as machine learning
• Requires Blend of Human Expertise and Technology
• Need human expertise, adaptability, and creativity to combat human threat actors
• Difficult to hire people with deep expertise; growing the skillset takes a long time
6. Why use Security Center?
• Centralized policy management – Ensure compliance with company or regulatory security
requirements by centrally managing security policies across all your hybrid cloud
workloads.
• Continuous security assessment – Monitor the security posture of machines, networks,
storage and data services, and applications to discover potential security issues.
• Actionable recommendations – Remediate security vulnerabilities before they can be
exploited by attackers with prioritized and actionable security recommendations.
• Prioritized alerts and incidents - Focus on the most critical threats first with prioritized
security alerts and incidents.
• Advanced cloud defenses – Reduce threats with just in time access to management ports
and adaptive application controls running on your VMs.
• Integrated security solutions - Collect, search, and analyze security data from a variety of
sources, including connected partner solutions.
7. Azure Security Center (ASC)
• Cloud Security Posture Management
• Policies, initiatives and recommendations
• Secure Score and security controls
• Cloud Workload Protection
• Protect servers, cloud-native workloads, databases and storage against threats
• Security alerts and incidents
9. Security Score
• Measurement of an organization’s security posture: the higher the number, the lower the risk
• Score may fluctuate if there is no governance on new resource provisioning
10. Security Policy
• Security Policy is the driver for Security Score
• Built-in set of policies (security controls) automatically assigned on your subscription
• The resources are assessed continuously
• Each policy is in audit mode and checks for misconfigurations
• Customize or Disable policies not relevant to organization
AWS BUCKETS - https://www.scmagazine.com/contractor-misconfigures-aws-exposes-data-of-50000-australian-employees/article/704873/
AWS BUCKETS - https://www.tripwire.com/state-of-security/featured/preventing-yet-another-aws-s3-storage-breach-with-tripwire/
PODESTA / HILLARY - https://en.wikipedia.org/wiki/Podesta_emails
OPM - https://en.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach
TARGET - https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
ASHLEY MADISON – ENUMERATION ATTACK
Other Breaches Source: https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
Threat Landscape
90+ million cyber incidents
4+ million cost per breach
400+ billion loss from cyber attacks
Rapidly changing resources
Increasingly sophisticated attacks
Security skills are in short supply
Security hygiene is important
https://outpost24.com/Press-Release-37-of-organisations-have-suffered-a-cyberattack-on-cloud-environments-due-to-the-lack-of-basic-cloud-security-hygiene
https://blog.automox.com/bad-cyber-hygiene-breaches-tied-to-unpatched-vulnerabilities
XDR-Extended Detection and Response
DMZ=Demilitarized Zone
DVR=Digital Video Recorder
CVE=Common Vulnerabilities and Exposures
CVSS=Common Vulnerability Scoring System
ISO=International Organization for Standardization
PCI=Payment Card Industry
SOC TSP=Service Organization Controls Trust Service Criteria (Principles)
NIST=National Institute of Standards and Technology
CIS=Center for Internet Security
CMMC=Cybersecurity Maturity Model Certification
NZISM=New Zealand Information Security Manual
HIPAA=The Health Insurance Portability and Accountability Act of 1996
Determine the nature of the attack.
Determine the attack point of origin.
Determine the intent of the attack. Was the attack directed at your organization to acquire specific information, or was it random?
Identify the systems that were compromised.
Identify the files that were accessed and determine the sensitivity of those files.
// Azure Resource Graph (KQL): App Service resources failing the diagnostic-logs recommendation
securityresources
| where * contains 'Diagnostic logs should be enabled in App service'
| where properties.status.code has 'unhealthy'

// Azure Resource Graph (KQL): Cosmos DB accounts failing the firewall-rules recommendation
securityresources
| where * contains 'Azure Cosmos DB accounts should have firewall rules'
| where properties.status.code has 'unhealthy'
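The two queries above can also be evaluated outside the portal. As an added example (not from the slides or from Microsoft's tooling), the Python below applies the same filters to constructed assessment records shaped like the `securityresources` rows the queries return, and rolls unhealthy findings up per recommendation; the record values are made up, and only the field names follow the real assessment schema.

```python
"""Replicates the two Resource Graph queries above over constructed
assessment records and summarizes unhealthy findings per recommendation."""
from collections import defaultdict

# Constructed sample rows: field names mirror microsoft.security/assessments
# (properties.displayName, properties.status.code, properties.resourceDetails.Id);
# the resource IDs and statuses are invented for this example.
SAMPLE_ASSESSMENTS = [
    {"properties": {"displayName": "Diagnostic logs should be enabled in App Service",
                    "status": {"code": "Unhealthy"},
                    "resourceDetails": {"Id": "/subscriptions/sub-example/resourceGroups/rg-web/providers/Microsoft.Web/sites/app1"}}},
    {"properties": {"displayName": "Diagnostic logs should be enabled in App Service",
                    "status": {"code": "Healthy"},
                    "resourceDetails": {"Id": "/subscriptions/sub-example/resourceGroups/rg-web/providers/Microsoft.Web/sites/app2"}}},
    {"properties": {"displayName": "Azure Cosmos DB accounts should have firewall rules",
                    "status": {"code": "Unhealthy"},
                    "resourceDetails": {"Id": "/subscriptions/sub-example/resourceGroups/rg-data/providers/Microsoft.DocumentDB/databaseAccounts/cosmos1"}}},
    {"properties": {"displayName": "Azure Cosmos DB accounts should have firewall rules",
                    "status": {"code": "NotApplicable"},
                    "resourceDetails": {"Id": "/subscriptions/sub-example/resourceGroups/rg-data/providers/Microsoft.DocumentDB/databaseAccounts/cosmos2"}}},
]


def record_matches(record, text):
    """KQL '* contains <text>': case-insensitive substring match over every field.
    This is why the slide's 'App service' still matches 'App Service'."""
    needle = text.lower()

    def walk(value):
        if isinstance(value, dict):
            return any(walk(v) for v in value.values())
        if isinstance(value, list):
            return any(walk(v) for v in value)
        return needle in str(value).lower()

    return walk(record)


def is_unhealthy(record):
    """KQL "properties.status.code has 'unhealthy'": case-insensitive term match."""
    code = record.get("properties", {}).get("status", {}).get("code", "")
    return code.lower() == "unhealthy"


def unhealthy_resources(records, recommendation_text):
    """Resource IDs failing the named recommendation (the two queries above)."""
    return sorted(r["properties"]["resourceDetails"]["Id"]
                  for r in records
                  if record_matches(r, recommendation_text) and is_unhealthy(r))


def unhealthy_counts(records):
    """Unhealthy findings per recommendation, useful for tracking Secure Score drift."""
    counts = defaultdict(int)
    for r in records:
        if is_unhealthy(r):
            counts[r["properties"]["displayName"]] += 1
    return dict(counts)
```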
PIM – Privileged Identity Management, just-in-time administration
MAM, MDM – Mobile application management, mobile device management
https://aka.ms/ops101-learn
https://aka.ms/ops101-blog
https://aka.ms/ops101-docs
https://docs.microsoft.com/en-us/security/ciso-workshop/ciso-workshop
https://channel9.msdn.com/Shows/IT-Ops-Talk/OPS101-Securing-your-Hybrid-environment-Part-1-Azure-Security-Center
https://channel9.msdn.com/Shows/IT-Ops-Talk/OPS103-Securing-your-Hybrid-environment--Part-2-Azure-Sentinel
https://github.com/Azure/Azure-Security-Center
https://github.com/Azure/Azure-Security-Center/tree/main/Workflow%20automation/Notify-ASCRecommendationsAzureResource
https://github.com/Azure/Azure-Security-Center/tree/main/Workflow%20automation/Notify-ResourceExemption
https://techcommunity.microsoft.com/t5/azure-security-center/how-to-keep-track-of-resource-exemptions-in-azure-security/ba-p/1770580
https://techcommunity.microsoft.com/t5/azure-security-center/send-asc-recommendations-to-azure-resource-stakeholders/ba-p/1216663
https://techcommunity.microsoft.com/t5/azure-security-center/creating-a-custom-dashboard-for-azure-security-center-with-azure/ba-p/1518647