Azure Security Posture Auditing – Microsoft Azure/ AzureAD/O365 Security

Microsoft AzureAD/O365 Security

AzureAD – Users can create Azure AD tenants by Default.

Azure AD & O365 Attack Matrix

The number of things that are enabled by default in AzureAD/O365 commercial tenants is too large, and it is critical to verify whether each default is actually required rather than accepting it. It is also important to monitor updates, since Microsoft keeps adding new controls for settings that previously could not be changed. As an example:

Users can create Azure AD tenants: disable this setting. Any user was allowed to do this by default, but there is now a toggle (Azure AD > User settings > "Users can create Azure AD tenants") to turn it off. A tenant created by an ordinary user sits outside your conditional access, monitoring and governance, with that user as its Global Administrator, so there is rarely a reason to leave this on.

https://twitter.com/JeffreyAppel7/status/1593219049215127555
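The following PowerShell script, added here as an example and not code from the original page or from Microsoft, audits the tenant's default user role permissions through the Microsoft Graph PowerShell SDK and, with -Fix, turns off tenant, app and security-group creation for ordinary users. It assumes the Microsoft.Graph module is installed and that the signed-in account can update the authorization policy (for example Global Administrator). The Graph property names (allowedToCreateTenants and friends on authorizationPolicy.defaultUserRolePermissions) are taken from the Graph API; which defaults count as "risky" is my choice, not the page's.

```powershell
# Added example, not code from the original page or from Microsoft.
# Audits the Azure AD default user role permissions and, with -Fix, disables
# tenant/app/group creation for ordinary users. Assumes the Microsoft.Graph
# module is installed (Install-Module Microsoft.Graph) and that the signed-in
# account may update the authorization policy (e.g. Global Administrator).
param([switch]$Fix)

Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Defaults a posture audit should question; the desired value for each is $false.
# AllowedToReadOtherUsers is deliberately not listed: turning it off breaks
# people pickers and other directory lookups for everyone.
$wanted = @{
    allowedToCreateTenants        = $false  # user-created tenants are outside your policies and monitoring
    allowedToCreateApps           = $false  # unreviewed app registrations are unreviewed service principals
    allowedToCreateSecurityGroups = $false  # group creation should be delegated, not open to all users
}

function Get-AuthorizationPolicy {
    # v1.0 returns the singleton; some SDK versions return a one-item collection
    return Get-MgPolicyAuthorizationPolicy | Select-Object -First 1
}

function Get-RiskyDefaults {
    # Returns the Graph property names of the defaults that are still enabled
    $perm  = (Get-AuthorizationPolicy).DefaultUserRolePermissions
    $risky = @()
    foreach ($name in $wanted.Keys) {
        # SDK objects expose the Graph names in PascalCase
        $pascal = $name.Substring(0, 1).ToUpper() + $name.Substring(1)
        $value  = $perm.$pascal
        if ($null -eq $value) {
            Write-Warning "$name is not exposed by this SDK version; check it in the portal"
            continue
        }
        if ($value -ne $wanted[$name]) { $risky += $name }
    }
    return $risky
}

$risky = Get-RiskyDefaults
if (-not $risky) {
    Write-Host "All reviewed defaults are already locked down."
} else {
    Write-Host "Enabled by default, should be disabled: $($risky -join ', ')"
    if ($Fix) {
        # Send the raw Graph property names via -BodyParameter so this also works
        # on SDK builds that do not surface allowedToCreateTenants as a typed parameter.
        $body = @{ defaultUserRolePermissions = @{} }
        foreach ($name in $risky) { $body.defaultUserRolePermissions[$name] = $false }
        Update-MgPolicyAuthorizationPolicy -BodyParameter $body
        Write-Host "Updated. Re-run without -Fix to confirm."
    }
}

# Other tenant-wide defaults worth reviewing while you are in the same policy
$policy = Get-AuthorizationPolicy
[pscustomobject]@{
    AllowInvitesFrom                          = $policy.AllowInvitesFrom
    AllowEmailVerifiedUsersToJoinOrganization = $policy.AllowEmailVerifiedUsersToJoinOrganization
    AllowedToSignUpEmailBasedSubscriptions    = $policy.AllowedToSignUpEmailBasedSubscriptions
    GuestUserRoleId                           = $policy.GuestUserRoleId
} | Format-List
```

Run it once without -Fix to see what the tenant actually allows, and keep the output as the baseline for the next audit; the extra properties printed at the end (self-service sign-up, who may invite guests, the guest role template) are the other "commercial tenant defaults" that most often surprise people.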

Azure Security Posture Auditing

References

1. Create a new user in Azure AD
https://lnkd.in/gm2Qfr5A

2. Manage Azure AD identities
https://lnkd.in/gGKN-7eX

3. Enable SSPR in Azure AD
https://lnkd.in/ggKKt5NZ

4. Create a conditional access policy
https://lnkd.in/gZigbcdQ

5. Explore Microsoft security score
https://lnkd.in/gxaarvqK

6. Use secure score in Microsoft Defender to improve security posture
https://lnkd.in/gFKnSFX5

7. Microsoft 365 Defender for Cloud Apps
https://lnkd.in/gJjFwmpa

8. Explore the Service Trust Portal
https://lnkd.in/g-ReCYKw

9. Explore the Microsoft Purview compliance portal
https://lnkd.in/gP_-RSck

10. Explore compliance manager
https://lnkd.in/gUd6BYaK

11. Manage subscriptions and RBAC
https://lnkd.in/g4Jmzu9q

12. Manage governance via Azure Policy
https://lnkd.in/gSF6vJPt

13. Manage Azure resources by using the Azure Portal
https://lnkd.in/gFAzwgPd

14. Manage Azure resources by using ARM templates
https://lnkd.in/g-Xf7Crj

15. Manage Azure resources by using Azure PowerShell
https://lnkd.in/gPyDt2zW

16. Manage Azure resources by using Azure CLI
https://lnkd.in/gqXTn9fN

17. Implement virtual networking
https://lnkd.in/gRb8cbei

18. Implement inter-site connectivity
https://lnkd.in/gU9Zt7Dc

19. Implement traffic management
https://lnkd.in/geThBtbA

20. Manage Azure storage
https://lnkd.in/gdYd7u-4

21. Manage virtual machines
https://lnkd.in/gisq2g2e

22. Implement Azure web apps
https://lnkd.in/gFs7vJQy

23. Implement Azure Container Instances
https://lnkd.in/ghvPHPx9

24. Implement Azure Kubernetes Service
https://lnkd.in/gXMa847F

25. Backup virtual machines
https://lnkd.in/gJTVUnw8

26. Implement monitoring
https://lnkd.in/gcd3hytY

Azure Cloud Security

O365 MSDN

https://www.splunk.com/en_us/blog/security/hunting-m365-invaders-blue-team-s-guide-to-initial-access-vectors.html

Microsoft Cyberattack Simulator

Microsoft has released an open-source cyberattack simulator that allows security researchers and data scientists to create simulated network environments and see how they fare against AI-controlled cyber agents.

This simulator is being released as an open-source project named 'CyberBattleSim', built using a Python-based OpenAI Gym interface.

The Microsoft 365 Defender Research team created CyberBattleSim to model how a threat actor spreads laterally through a network after its initial compromise.

“The environment consists of a network of computer nodes. It is parameterized by a fixed network topology and a set of predefined vulnerabilities that an agent can exploit to laterally move through the network.”

“The simulated attacker’s goal is to take ownership of some portion of the network by exploiting these planted vulnerabilities. While the simulated attacker moves through the network, a defender agent watches the network activity to detect the presence of the attacker and contain the attack,” the Microsoft 365 Defender Research Team explains in a new blog post.

To build their simulated environment, researchers create the nodes on the network and specify, for each node, which services are running, which vulnerabilities it has, and how the device is protected.

Automated cyber agents (threat actors) are then deployed in the environment, where they randomly select actions to perform against the various nodes to take control over them.

Reference

Microsoft Azure Sentinel

Microsoft Azure Sentinel is fast becoming a very powerful SIEM and IMO, I think it's going to take the lead for the following reasons:

For all of the above reasons, I am going to learn Azure Sentinel in more depth, and hopefully build a cyber range using my MSDN subscription.

Gaps

  • Certification
    • FIPS 140-2 Compliance
    • WCAG 2.1 (Section 508)
  • Multi-tenancy / MSSP
  • Local customer references
  • Transferring logs from on-prem to the cloud involves complicated networking; if you expect to send syslog via UDP straight to a public cloud, it is not going to work. UDP syslog is unencrypted and unacknowledged, so in practice you need an on-prem collector or forwarder that batches and sends the logs over an authenticated, encrypted channel.
  • Assessing all your data sources, and the ingestion method for each into Azure Sentinel, is vital. With an on-prem SIEM this is not as critical (although you should still do it as best practice), since you can assume an experienced SIEM vendor will support all the obvious formats.
  • Encryption and Data Masking.
  • How do you get your data out? Proprietary lock-in is a huge problem for a SIEM platform: what happens to your data if you decide to break the contract, or if you wish to access that data from a different platform?
  • Data sources
  • Azure Monitor and Sentinel can take up to 8 hours to populate a suspicious log, which delays detection accordingly.
  • I recall when everyone moved to Office 365 and didn't bother to maintain a strong email security gateway and just went with Office 365; a lot of customers got hit with CryptoLockers because of this decision, all for DX transformation. You need properly security-experienced people in your DX transformation or when building SecOps, as you will end up paying the price.

Azure SOC Process Framework

SOC Process Framework with Sentinel: how to build a SOC and operationalize Security Operations:
Credit: Rin Ure
https://lnkd.in/dR242uYK
Main SOC Process Framework:
https://lnkd.in/dfNcpTB2
Process Framework Workbook:
https://lnkd.in/d_Pcxsrc
Get SOC Action Playbooks:
https://lnkd.in/d4czpZ4K
Incident Overview (with Remediation) Workbook:
https://lnkd.in/dKXkcCmX
What’s New: Azure Sentinel – SOC Process Framework 8 Part Video Series!
https://lnkd.in/d7wAvipW
SOCAnalystActionsByAlert.csv:
https://lnkd.in/dHs3p4Va

Research

Azure Security Monitoring

Monitoring Azure, or any cloud, is not straightforward: you have to consider whether logs are actually available from the cloud service at all, and whether they carry security-relevant information when they are. It is also necessary to consider the control plane, the data plane, the application and the VM separately, because each is logged through a different mechanism and it is easy to have one covered while assuming the others are.

 

Sources

  • VMs (guest OS logs, which only reach the cloud if a monitoring agent is installed on the VM)
  • Azure Resources (resource diagnostic logs for the data plane, plus the subscription Activity Log for the control plane)
  • Office 365 (the unified audit log)
  • Azure AD (sign-in and audit logs, configured at tenant level rather than per subscription)
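The following PowerShell script, added here as an example and not code from the original page, checks whether each of the sources above is actually flowing to a Log Analytics workspace in the current subscription. It assumes the Az module (Az.Accounts, Az.Resources, Az.Monitor, Az.Compute) and a login via Connect-AzAccount with Reader on the subscription and enough tenant-level rights to read Azure AD diagnostic settings. The subscription-scoped resource ID for the Activity Log, the microsoft.aadiam diagnostic-settings path and its API version, and the agent extension type names are taken from the Azure REST API and VM extension catalogue; Office 365 has no ARM-visible setting, so it is reported as a manual check.

```powershell
# Added example, not code from the original page. Reports which log sources
# (control plane, Azure AD, data plane, VMs) are not reaching a Log Analytics
# workspace. Assumes the Az module and Connect-AzAccount have already been run.
$ctx   = Get-AzContext
$subId = $ctx.Subscription.Id
$gaps  = [System.Collections.Generic.List[string]]::new()

function Test-DiagToWorkspace([string]$ResourceId) {
    # True if at least one diagnostic setting on the resource targets a workspace.
    # WorkspaceId is present on both the old and the new Az.Monitor object shapes.
    $settings = Get-AzDiagnosticSetting -ResourceId $ResourceId -ErrorAction SilentlyContinue
    return [bool]($settings | Where-Object { $_.WorkspaceId })
}

# 1. Control plane: the subscription Activity Log is exported via a diagnostic
#    setting whose resource ID is the subscription itself.
if (-not (Test-DiagToWorkspace "/subscriptions/$subId")) {
    $gaps.Add("Control plane: Activity Log for $subId is not sent to a workspace")
}

# 2. Azure AD: sign-in/audit export is a tenant-level setting under microsoft.aadiam,
#    not something you will find by enumerating subscription resources.
$aad = Invoke-AzRestMethod -Method GET `
    -Path "/providers/microsoft.aadiam/diagnosticSettings?api-version=2017-04-01-preview"
$aadSettings = ($aad.Content | ConvertFrom-Json).value
if (-not ($aadSettings | Where-Object { $_.properties.workspaceId })) {
    $gaps.Add("Azure AD: no diagnostic setting sends sign-in/audit logs to a workspace")
}

# 3. Data plane: every resource that supports diagnostic settings should have one.
foreach ($r in Get-AzResource) {
    try {
        $settings = Get-AzDiagnosticSetting -ResourceId $r.Id -ErrorAction Stop
    } catch {
        continue   # this resource type does not support diagnostic settings
    }
    if (-not ($settings | Where-Object { $_.WorkspaceId })) {
        $gaps.Add("Data plane: $($r.ResourceType) '$($r.Name)' has no workspace-bound diagnostic setting")
    }
}

# 4. VMs: guest OS logs only leave the box if a monitoring agent is installed.
$agentTypes = @("AzureMonitorWindowsAgent", "AzureMonitorLinuxAgent",
                "MicrosoftMonitoringAgent", "OmsAgentForLinux")
foreach ($vm in Get-AzVM) {
    $ext = Get-AzVMExtension -ResourceGroupName $vm.ResourceGroupName -VMName $vm.Name
    if (-not ($ext | Where-Object { $_.ExtensionType -in $agentTypes })) {
        $gaps.Add("VM: '$($vm.Name)' has no Azure Monitor / Log Analytics agent extension")
    }
}

# 5. Office 365: not an ARM object, so it cannot be verified from here.
Write-Host "Manual check: confirm the Office 365 unified audit log is enabled and connected to Sentinel."

if ($gaps.Count -eq 0) {
    Write-Host "No coverage gaps found in subscription $subId"
} else {
    Write-Host "Coverage gaps in subscription $subId:"
    $gaps | ForEach-Object { Write-Host "  - $_" }
}
```

The check is per subscription except for the Azure AD step, so loop it over Get-AzSubscription with Set-AzContext if you have more than one. A workspace-bound diagnostic setting is necessary but not sufficient: it says nothing about which log categories are enabled, so follow up on anything it reports as covered by reviewing the categories in the portal or in the Log property of the returned setting.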

Office 365 Anti-Spam and Anti-Malware Protection

Volume Licensing for Microsoft products and Online Services

https://www.microsoft.com/en-us/licensing/product-licensing/products.aspx

https://azure.microsoft.com/en-us/documentation/articles/remoteapp-officesubscription/

https://azure.microsoft.com/en-us/documentation/articles/remoteapp-o365/

Exchange Online using Outlook SPLA

Office 365 or Office SPLA

http://www.transparity.co.uk/blog/citrix/rolling-out-office-2016-365-on-citrix-hang-on-a-while/

Azure and Citrix Workspace Cloud

Azure Cost Calculators

  • https://azure.microsoft.com/en-us/pricing/calculator/
  • https://readytogo.microsoft.com/global/_layouts/RTG/AssetViewer.aspx?AssetUrl=https://readytogo.microsoft.com/global/asset/pages/microsoft%20azure%20in%20open%20licensing%20-%20azure%20open%20calculator.aspx
  • https://blogs.technet.microsoft.com/cbernier/2015/03/26/microsoft-azure-cost-estimator-version-2-2/
  • https://www.microsoft.com/en-au/download/confirmation.aspx?id=43376

  • Demo platform to show capability with Azure and Citrix
  • Extend our own Citrix Platform and Infrastructure to Azure as first customer

Azure Constraints

  • https://azure.microsoft.com/en-us/documentation/articles/azure-subscription-service-limits/