Azure Threat Research Matrix (ATRM), which highlighted the potential techniques an adversary could abuse within Azure & AzureAD. The immediate thought would be to give clients an idea of what potential abuse scenarios exist when they decide to use a certain resource or feature.
AzDetectSuite is a project created to allow Azure users to establish a basic defense within Azure by giving pre-built KQL queries for each technique within ATRM that are deployable Alerts to Azure Monitor. ATRM, most (85%+) techniques will have a KQL query and a button that will deploy the query to their Azure subscription.
The queries live within a publicly available GitHub repository and can openly be reviewed, Pull Requested, and critiqued. These queries are not a “one-size-fits-all” and are mostly geared towards smaller environments since they are alerting off of more basic telemetry, so use at your own discretion. Within the repository is also a PowerShell script, Invoke-AzDetectSuite.ps1, which will import an entire tactic’s detections for every technique within it, or it can also just import all available
AzDetectSuite vs Microsoft Defender for Cloud
AzDetectSuite (ADS) is not meant to compete with Microsoft Defender for Cloud (MDC). MDC provides advanced detections based on your subscription plan and will give more granular control based on the telemetry in a tenant. ADS is meant to be an open source suite of basic detections for techniques found within ATRM, as MDC is not comprehensive in its coverage for techniques found in ATRM. MDC’s capabilities far exceed ADS, as it is a subscription-based service with more insight into a resource’s telemetry than what is provided to users. In comparison, ADS is open source and is more targeted towards smaller environments that want to ensure their resources are secure from potential abuse. In addition, ADS has some additional detections that utilize agents as well. For example, ADS has a detection that when combined with PowerShell scriptblock logging, will tell you what command was run when someone utilizes RunCommand on an AzureVM. For larger environments, it is recommended to go through ADS and determine which detections will be suitable for your environment and that may compliment MDC. detections.
In Azure, logs are centralized to Azure Monitor. Azure Monitor will ingest data from hundreds of log sources. These sources range from the general Azure Log (AzureActivity) to more detailed logs, such as Service Principal Sign-Ins (AADServicePrincipalSignInLogs). Writing a basic detection for Azure is very easy, so it is necessary to ask a few questions before developing a detection:
1. How broad should this detection be?
General alert on a single action
Specific alert when an action meets a certain condition
2. What are you trying to alert on?
An action in a Resource?
Whenever a user or service principal logs in?
Whenever a new resource is created?
3. Does the resource action ever occur legitimately?
Part of sysadmin’s routines
Can you minimize false positives through more granular data?
4. What steps should be taken once the alert fires?
Enable a runbook?
Email/Text appropriate parties
Using Kusto Query Language (KQL), a basic detection for something such as RunCommand on a Virtual Machine looks like this:
AzureActivity | where OperationNameValue == 'MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION'
Where ‘AzureActivity’ is the log provider and the logs are then filtered to look for when the OperationNameValue property matches ‘MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION’
Every question has a stem (question) and four options (answer choices).
Choose the correct or best answer from the options.
The stem may be in the form of a question or incomplete statement.
An exam question may require you to choose the appropriate answer based on a qualifier, such as FIRST, MOST likely or BEST. So, there might be two right answers, so pick the BEST option.
Read the question carefully, eliminate known incorrect answers and then make the best choice possible.
Answers questions from a Business Risk perspective, rather than technical solution or control.
Domain 1: Information Security Governance
The three main goals of information security are:
Confidentiality prevents unauthorized disclosure
Integrity prevents unauthorized alteration\
Availability ensures authorized access
Security Strategy and SWOT Analysis
Security activities must be aligned with business strategy, mission, goals, and objectives. This requires strategic, tactical, and operational planning.
SWOT analysis identifies the strengths, weaknesses, opportunities, and threats facing an organization, typically laid out in a grid:
A gap analysis compares the current state of security controls to a benchmark and identifies any areas of deviation.
Security frameworks provide templates for security activities. These include COBIT, NIST CSF, and ISO 27001/2.
Due Care and Due Diligence
Due care is taking reasonable steps to protect the interest of the organisation. Due diligence ensures those steps are carried out.
Security governance is carried out through
Policies which state high-level objectives (mandatory compliance).
Standards which state detailed technical requirements (mandatory compliance).
Procedures which provide step-by-step processes (mandatory compliance).
Guidelines which offer advice and best practices (optional compliance).
For the security policy framework to be successful, it must have the support of senior leadership and other stakeholders.
Security is a constant balancing act between usability and control. Managers must constantly make trade-offs to allow the organization to achieve both security and business objectives.
Every organization has a risk tolerance (or risk appetite) that describes how much risk the organization is willing to accept. Understanding this tolerance, whether it is explicit or implicit, is crucial to finding the correct balance for security activities.
Key influences on security strategy include:
Security baselines, such as NIST SP 800-53, provide a standardized set of controls that an organization may use as a benchmark.
Typically, organizations don’t adopt a baseline standard wholesale, but instead tailor a baseline to meet their specific security requirements
Information should be classified based upon its sensitivity to the organization.
Common classes of sensitive information include:
Personally identifiable information (PII) which uniquely identifies individuals.
Protected health information (PHI) which includes individual health records.
Proprietary information which contains trade secrets.
Data at Rest – Data stored on a system or media device
Data in Motion – Data in transit over a network
Data in Use – Data being actively processed in memory
Information should be labeled with its classification and security controls should be defined and appropriate for each classification level.
Collect only data that is necessary for legitimate business purposes. This is known as data minimization.
Data Owner – Senior-level executive who establishes rules and determines controls
Data Steward – Individual who handles day-to-day data governance activity. Designated by the data owner.
Data Custodian – IT staff members responsible for the storage and processing of information.
Key Performance Indicator (KPI) – Measures the success of the security program.
Key Goal Indicator (KGI) – Measures progress toward defined goals
Key Risk Indicator (KRI) – Measures risk on a forward-looking basis.
Budgets are forward-looking financial plans. As budgets are revised each year, they may be approached in two ways:
Incremental budgeting starts with the prior years’ budget and adjusts upward or downward
Zero-based budgeting starts with a blank slate each year
Fiscal years are the 12-month periods used for financial reporting and may differ from the standard calendar year for any organization.
Expenses come in two primary forms:
Capital expenses involve fixed-cost investments in major assets
Operational expenses cover the day-to-day costs of running the organization
Authentication, authorization, and accounting.
Authorization and Authentication are two distinct concepts in the realm of security and access control. While they are related, they serve different purposes.
Authentication: Authentication is the process of verifying the identity of a user or entity. It ensures that the user is whom they claim to be before granting them access to a system, application, or resource. Authentication typically involves the use of credentials, such as usernames and passwords, biometric information, security tokens, or digital certificates. The goal of authentication is to establish trust and validate the identity of the user or entity requesting access.
Authorization: Authorization, on the other hand, occurs after authentication and involves granting or denying access rights and permissions to authenticated users or entities. Once a user’s identity is verified, authorization determines what actions, resources, or information they are allowed to access. It involves defining and enforcing access controls based on roles, privileges, and permissions assigned to individual users or groups. The authorization ensures that users have appropriate privileges to perform specific actions or access certain resources within the system or application.
Domain 2: Information Risk Management
Assets should be classified according to their own criticality and sensitivity as well as the classification of the information that they store, process, and transmit. These asset classifications ensure that measures taken to protect assets are proportional to their business value.
Risks are the combination of a threat and a corresponding vulnerability.
Quantitative risk assessment uses the following formulas:
Single Loss Expectancy = AssetValue * ExposureFactor
Annualized Loss Expectancy = AnnualizedRateofOccurence * SLE
Responses to a risk include:
Avoid risk by changing business practices
Mitigate risk by implementing controls
Accept risk and continue operations
Transfer risk through insurance or contract
Security tests verify that a control is functioning properly.
Security assessments are comprehensive reviews of the security of a system, application, or other tested environment.
Security audits use testing and assessment techniques but are performed by independent auditors. There are three types of security audits:
Internal audits are performed by an organization’s internal audit staff, normally led by a Chief Audit
Executive who reports directly to the CEO. External audits are performed by an outside auditing firm.
Third-party audits are conducted by, or on behalf of, another organization, such as a regulator.
Organizations that provide services to other organizations may conduct audits under SSAE 16. These engagements produce two different types of reports:
Type I reports provide a description of the controls in place, as described by the audited organization, and the auditor’s opinion whether the controls described are sufficient. The auditor does not test the controls.
Type II reports results when the auditor actually tests the controls and provides an opinion on their effectiveness.
COBIT, ISO 27001, and ISO 27002 are commonly used standards for cybersecurity audits.
Vulnerability assessments seek to identify known deficiencies in systems and applications.
Network discovery scanning uses tools like nmap to check for active systems and open ports. Common scanning techniques include:
TCP SYN scans send a single packet with the SYN flag set.
TCP Connect scans attempt to complete the three way handshake.
TCP ACK scans seek to impersonate an established connection.
Xmas scans set the FIN, PSH, and URG flags.
Network vulnerability scanning first discovers active services on the network and then probes those services for known vulnerabilities. Web application vulnerability scans use tools that specialize in probing for web application weaknesses.
The vulnerability management workflow includes three basic steps: detection, remediation, and validation. Penetration testing goes beyond vulnerability scanning and attempts to exploit vulnerabilities. It includes five steps:
Business continuity planning conducts a business impact assessment and then implements controls designed to keep the business running during adverse circumstances.
Backups provide an important disaster recovery control. Remember that there are three major categories of backup:
Full Backup Copies all files on a system.
Differential Backup Copies all files on a system that have changed since the most recent full backup.
Incremental Backup Copies all files on a system that have changed since the most recent full or incremental backup.
Disaster recovery sites fit into three major categories:
Disaster recovery plans require testing. There are five major test types:
Domain 3: Information Security Program Development and Management
Security Controls Categorization
Security controls are categorized by their purpose as preventive, detective, or corrective controls. They are also categorized by their mechanism of action as technical, physical, or administrative controls. Controls may overlap these categories.
Preventive Controls: These controls are designed to prevent security incidents from occurring. They include measures such as access controls, security awareness training, and security policies.
Detective Controls: These controls are focused on detecting security incidents or breaches that have occurred. Examples include intrusion detection systems, security monitoring tools, and log analysis.
Corrective Controls: These controls are implemented to correct or mitigate the effects of a security incident. They include activities such as incident response, disaster recovery planning, and system restoration.
Technical Controls: These controls involve the use of technology to enforce security policies and protect information assets. Examples include firewalls, encryption, antivirus software, and intrusion prevention systems.
Physical Controls: These controls are physical measures put in place to secure physical assets and facilities. Examples include locks, access control systems, surveillance cameras, and biometric authentication systems.
Administrative Controls: These controls involve policies, procedures, and organizational practices to manage security risks. Examples include security awareness training, security governance frameworks, risk assessments, and incident response plans.
Cryptography is one of the primary controls used to achieve security objectives. Encryption transforms plaintext data into ciphertext, while decryption reverses the process, turning ciphertext back into plaintext.
The two basic cryptographic operations are substitution which modifies characters and transposition, which moves them around.
Cryptography is the practice of securing data through encryption and decryption techniques. It plays a crucial role in achieving security objectives. Here are some key aspects of cryptography:
Encryption and Decryption: Encryption transforms plaintext data into ciphertext using an encryption algorithm, while decryption reverses the process, converting ciphertext back into plaintext using a decryption algorithm.
Basic Cryptographic Operations: Cryptographic operations involve substitution and transposition. Substitution modifies characters, while transposition moves them around, providing additional security.
Symmetric Encryption: Symmetric encryption uses the same shared secret key for both encryption and decryption processes. It is efficient for bulk data encryption but requires secure key management.
Asymmetric Encryption: Asymmetric encryption, also known as public-key cryptography, involves the use of public and private key pairs. Each user has their own key pair. Anything encrypted with one key from the pair can only be decrypted using the other key from that same pair. It provides secure key exchange and enables digital signatures.
Secure Symmetric Algorithms: Some commonly used secure symmetric encryption algorithms include 3DES, AES (Advanced Encryption Standard), IDEA, and Blowfish. DES (Data Encryption Standard) is considered insecure due to its key length.
Secure Asymmetric Algorithms: Secure asymmetric encryption algorithms include RSA, El Gamal, and elliptic curve cryptography (ECC). These algorithms provide strong security for key exchange, digital signatures, and encryption.
Diffie-Hellman Algorithm: The Diffie-Hellman algorithm is a key exchange protocol used to securely exchange symmetric keys over an insecure channel. It enables secure communication between parties without prior shared secrets.
Hash Functions: Hash functions are one-way functions that produce a unique fixed-size hash value (digest) for each input. They are used for data integrity, password storage, and digital signatures. Hash functions cannot be reversed to obtain the original data.
Digital Certificates: Digital certificates use the X.509 standard and contain a copy of an entity’s public key. They are digitally signed by a certificate authority (CA) to establish trust. Digital certificates are widely used in secure communication protocols such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL).
Encryption and Decryption
Symmetric encryption uses the same shared secret key for encryption and decryption.
In asymmetric encryption, users each have their own public/private keypair. Keys are used as follows:
Anything encrypted with one key from a pair may only be decrypted with the other key from that same pair.
Secure symmetric algorithms include 3DES, AES, IDEA, and Blowfish. DES is not secure.
Secure asymmetric algorithms include RSA, El Gamal, and elliptic curve (ECC).
The Diffie-Hellman algorithm may be used for secure exchange of symmetric keys.
Hashes are one-way functions that produce a unique value for every input and cannot be reversed.
Digital certificates use the X.509 standard and contain a copy of an entity’s public key. They are digitally signed by a certificate authority (CA).
Transport Layer Security (TLS) is the replacement for Secure Sockets Layer (SSL) and uses public key cryptography to exchange a shared secret key used to secure web traffic and other network communications.
Two serious issues can occur when users are granted limited access to information in databases or other repositories. Aggregation attacks occur when a user is able to summarize individual records to detect trends that are confidential. Inference attacks occur when a user is able to use several innocuous facts in combination to determine, or infer, more sensitive information.
DNS converts between IP addresses and domain names. ARP converts between MAC addresses and IP addresses. NAT converts between public and private IP addresses.
Wireless networks should be secured using WPA or WPA2 encryption, not WEP.
Network switches generally work at layer 2 and connect directly to endpoints or other switches. Switches may also create virtual LANs (VLANs) to further segment internal networks at layer 2. Routers generally work at layer 3 and connect networks to each other. Firewalls are the primary network security control used to separate networks of differing security levels.
When deploying services in the cloud, organizations may choose from three major cloud strategies:
Software-as-a-Service (SaaS) deploys entire applications to the cloud. The customer is only responsible for supplying data and manipulating the application.
Infrastructure-as-a-Service (IaaS) sells basic building blocks, such as servers and storage. The customer manages the operating system and configures and installs software.
Platform-as-a-Service (PaaS) provides the customer with a managed environment to run their own software without concern for the underlying hardware.
Most Virtual Private Networks (VPN) use either TLS or IPsec. IPsec uses Authentication Headers (AH) to provide authentication, integrity and nonrepudiation and Encapsulating Security Payload (ESP) to provide confidentiality.
Cloud services may be built and/or purchased in several forms:
Public cloud providers sell services to many different customers and many customers may share the same physical hardware.
Private cloud environments dedicate hardware to a single user.
Hybrid cloud environments combine elements of public and private cloud in a single organization.
Community cloud environments use a model similar to the public cloud but with access restricted to a specific set of customers.
Access Control and Attacks
Access control refers to the mechanisms and techniques used to limit and control access to information resources and systems. Here are key aspects related to access control and attacks:
Aggregation Attacks: Aggregation attacks occur when a user can summarize individual records to detect trends that should remain confidential. These
The core activities of identity and access management are:
Identification where a user makes a claim of identity.
Authentication where the user proves the claim of
Authorization where the system confirms that the user is permitted to perform the requested action.
In access control systems, we seek to limit the access that subjects (e.g. users, applications, processes) have to objects (e.g. information resources, systems) Access controls work in three different fashions:
Technical (or logical) controls use hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.
Physical controls, such as locks and keys, limit physical access to controlled spaces.
Administrative controls, such as account reviews, provide management of personnel and business practices.
Multifactor authentication systems combine authentication technologies from two or more of the following categories:
Something you know (Type 1 factors) rely upon secret information, such as a password.
Something you have (Type 2 factors) rely upon physical possession of an object, such as a smartphone.
Something you are (Type 3 factors) rely upon biometric characteristics of a person, such as a face scan or fingerprint.
Authentication technologies may experience two types of errors. False positive errors occur when a system accepts an invalid user as correct. It is measured using the false acceptance rate (FAR). False negative errors occur when a system rejects a valid user, measured using the false rejection rate (FRR). We evaluate the effectiveness of an authentication technology using the crossover error rate (CER), as shown here:
RADIUS is an authentication protocol commonly used for backend services. TACACS+ serves a similar purpose and is the only protocol from the TACACS family that is still commonly used.
The implicit deny principle says that any action that is not explicitly authorized for a subject should be denied.
Access control lists (ACLs) form the basis of many access management systems and provide a listing of subjects and their permissions on objects and groups of objects.
Discretionary access control (DAC) systems allow the owners of objects to modify the permissions that other users have on those objects. Mandatory access control (MAC) systems enforce predefined policies that users may not modify.
Role-based access control assigns permissions to individual users based upon their assigned role(s) in the organization. For example, backup administrators might have one set of permissions while sales representatives have an entirely different set.
Brute force attacks against password systems try to guess all possible passwords. Dictionary attacks refine this approach by testing combinations and permutations of dictionary words. Rainbow table attacks precompute hash values for use in comparison. Salting passwords with a random value prior to hashing them reduces the effectiveness of rainbow table attacks.
Man-in-the-middle attacks intercept a client’s initial request for a connection to a server and proxy that connection to the real service. The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.
When managing the physical environment, you should be familiar with common power issues:
Fires require the combination of heat, oxygen, and fuel. They may be fought with fire extinguishers:
Class A: common combustible fires
Class B: liquid fires
Class C: electrical fires
Class D: metal fires
Organizations may use wet pipe fire suppression systems that always contain water, dry pipe systems that only fill with water when activated, or preaction systems that fill the pipes at the first sign of fire detection.
Mantraps use a set of double doors to restrict physical access to a facility.
The top ten security vulnerabilities in web applications, according to OWASP are:
Sensitive data exposure
XML external entities
Broken access control
Using components with known vulnerabilities.
Insufficient logging and monitoring
In addition to maintaining current and patched platforms, one of the most effective application security techniques is input validation which ensures that user input matches the expected pattern before using it in code.
Domain 4: Information Security Incident Management
Security professionals are often called upon to participate in a variety of investigations:
Criminal investigations look into the violation of a criminal law and use the beyond a reasonable doubt standard of proof.
Civil investigations examine potential violations of civil law and use the preponderance of the evidence standard.
Regulatory investigations examine the violation of a private or public regulatory standard.
Administrative investigations are internal to an organization, supporting administrative activities.
Investigations may use several different types of evidence:
Real evidence consists of tangible objects that may be brought into court.
Documentary evidence consists of records and other written items and must be authenticated by testimony.
Testimonial evidence is evidence given by a witness, either verbally or in writing.
The best evidence rule states that, when using a document as evidence, the original document must be used unless there are exceptional circumstances. The parol evidence rule states that a written agreement is assumed to be the complete agreement.
Chain of Custody and Evidence Handling
Forensic investigators must take steps to ensure that they do not accidentally tamper with evidence and that they preserve the chain of custody documenting evidence handling from collection until use in court.
Business Continuity Planning (BCP)
Business continuity planning (BCP) attempts to design systems and controls in a manner that minimizes the risk that business activity will be disrupted.
Disaster Recovery Process
The disaster recovery process begins when operations are disrupted at the primary site and shifted to an alternate capability. The process only concludes when normal operations are restored.
Which of the following should be the FIRST step in developing an information security plan?
A. Perform a technical vulnerabilities assessment
B. Analyze the current business strategy
C. Perform a business impact analysis
D. Assess the current levels of security awareness
Prior to assessing technical vulnerabilities or levels of security awareness, an information security manager needs to gain an understanding of the current business strategy and direction. A business impact analysis should be performed prior to developing a business continuity plan, but this would not be an appropriate first step in developing an information security strategy because it focuses on availability.
Mandatory Cyber Incident Reporting Initial guidance for Critical Infrastructure Sectors
if you are a cyber security team member in any role working for any of the 13 critical infrastructure sectors under the SOCI Act Obligation, you must familiarise yourself with the requirements of the SOCI Act. There is a broader organisational, national and community benefit as well as purpose to the regulation and knowing your role in making meaningful contribution to this purpose will take you a long way in your career.
One of the SOCI Act obligations in Mandatory Cyber Incident Reporting within 12 hours of becoming aware of a critical cyber incident (there are provisions, see PDF). For your awareness, you may enquire with your Security Operations team of the process flow for incident reporting related to SOCI. There should be a specific role or individual responsible for picking up the phone and calling the number in the infographic below. As an exercise, you can find out who that person is in your organization. To your surprise the person or role, may not be a part of the cyber security team, varies from organisation to organisation.
Amazon Security Lake: A Revolutionary Solution for Enhanced Data Protection
Avoid common pitfalls and maximize the potential of Amazon Security Lake for robust data protection and threat detection.
Amazon Web Services (AWS) has recently announced the general availability of Amazon Security Lake, a groundbreaking solution that offers enhanced data protection capabilities. In this blog, we will explore the key features and benefits of Amazon Security Lake and discuss how it can revolutionize data security practices for organizations.
Amazon Security Lake is a comprehensive security analytics and threat detection solution offered by AWS. It enables organizations to centralize, analyze, and act upon security data from various sources, such as AWS CloudTrail logs, Amazon VPC Flow Logs, and AWS Config rules. By leveraging machine learning and advanced analytics, Security Lake empowers organizations to gain valuable insights into their security posture and detect potential threats in real-time.
Key Features and Benefits:
Centralized Security Data Repository: Amazon Security Lake acts as a centralized repository for all security-related data, making it easier for organizations to manage and analyze vast amounts of security logs. With this unified approach, organizations can seamlessly integrate security data from various sources, eliminating data silos and enhancing visibility into their overall security landscape.
Real-time Threat Detection: By employing advanced machine learning algorithms, Security Lake enables organizations to proactively detect security threats in real-time. It continuously monitors and analyzes security logs, identifying anomalous activities, unauthorized access attempts, and potential security breaches. This allows organizations to respond promptly and effectively to mitigate risks and prevent data breaches.
Scalable and Flexible Architecture: Built on AWS’s highly scalable infrastructure, Security Lake is designed to accommodate organizations of all sizes. It can effortlessly handle large volumes of security data, ensuring that organizations can scale their security operations without compromising performance. Additionally, Security Lake offers flexible deployment options, allowing organizations to choose between fully managed services or self-managed implementations based on their specific requirements.
Simplified Investigation and Compliance: Amazon Security Lake provides powerful search and query capabilities, enabling security teams to investigate incidents and conduct forensic analysis efficiently. The solution offers pre-built dashboards, visualizations, and security analytics tools, making it easier for organizations to gain actionable insights from their security data. Moreover, Security Lake assists organizations in meeting regulatory compliance requirements by providing pre-configured compliance rules and facilitating security audits.
Integration with AWS Security Services: As part of the AWS ecosystem, Security Lake seamlessly integrates with other AWS security services, such as Amazon GuardDuty and AWS Security Hub. This integration strengthens an organization’s overall security posture by leveraging the combined power of multiple security tools, improving threat detection and response capabilities.
We will walk you through the process of setting up Amazon Security Lake.
Step 1: Sign in to the AWS Management Console: To begin, sign in to the AWS Management Console using your AWS account credentials. If you don’t have an AWS account, you can create one by following the instructions on the AWS website.
Step 2: Navigate to the Amazon Security Lake Console: Once you are logged in, navigate to the Amazon Security Lake Console. You can find the console by searching for “Security Lake” in the AWS services search bar, or you can access it directly via the following URL: https://console.aws.amazon.com/security-lake/.
Step 3: Create a Security Lake: In the Security Lake console, click on the “Create Security Lake” button to start the setup process. You will be prompted to provide a name for your Security Lake and choose a region where it will be deployed. Select the appropriate region based on your organization’s requirements and click “Next.”
Step 4: Configure Data Sources: In this step, you will configure the data sources for your Security Lake. Security Lake supports various AWS data sources, such as CloudTrail logs, VPC Flow Logs, and AWS Config rules. Choose the data sources that you want to integrate with Security Lake by enabling them and providing the necessary permissions. Follow the on-screen instructions to configure each data source.
Step 5: Set Up Data Ingestion: Next, you will set up data ingestion for your Security Lake. Select the desired method of data ingestion based on your organization’s needs. You can choose between real-time ingestion using Amazon Kinesis Data Firehose or batch ingestion using Amazon S3. Configure the necessary settings for data ingestion, such as the destination S3 bucket or Kinesis Firehose delivery stream.
Step 6: Enable Data Analysis: Once the data ingestion is set up, you can enable data analysis for your Security Lake. Security Lake uses machine learning algorithms and advanced analytics to detect security threats and anomalies in real-time. Enable the desired analysis features, such as anomaly detection or specific AWS service integrations, to enhance your security capabilities.
Step 7: Configure Security Lake Settings: In this step, you can configure additional settings for your Security Lake. This includes defining retention periods for the ingested data, setting up access controls and permissions, and configuring notifications for security events. Adjust these settings according to your organization’s compliance and security requirements.
Step 8: Review and Create the Security Lake: Before creating the Security Lake, review all the configuration settings you have made. Ensure that the selected data sources, data ingestion methods, analysis features, and settings align with your organization’s needs. Once you are satisfied, click “Create Security Lake” to initiate the creation process.
Step 9: Monitor and Manage Your Security Lake: After the Security Lake is created, you can monitor and manage it from the Security Lake console. Utilize the pre-built dashboards, visualizations, and security analytics tools provided by Security Lake to gain valuable insights into your security posture. Continuously monitor the alerts and notifications generated by the system to promptly respond to potential security threats.
When setting up Amazon Security Lake, there are a few potential “gotchas” or challenges that you may encounter. Being aware of these pitfalls can help you navigate the setup process more effectively. Here are some important considerations:
Data ingestion limitations: Amazon Security Lake supports various data sources, but each has its own limitations. For example, CloudTrail logs have a maximum size limit per file, and VPC Flow Logs have a limit on the number of records per file. Ensure that you understand and plan for these limitations to avoid potential issues with data ingestion.
Permissions and access control: Configuring proper permissions and access control is crucial for Security Lake. Ensure that you grant the necessary permissions to the AWS services and resources involved in data ingestion and analysis. Additionally, make sure that you set up appropriate access controls for users and roles to prevent unauthorized access to your Security Lake.
Data storage costs: While Security Lake provides a powerful solution for data analysis, keep in mind that storing large volumes of security data can incur additional costs. Be mindful of the storage costs associated with S3 buckets or Kinesis Data Firehose delivery streams, especially if you have high data ingestion rates or long retention periods. Regularly review and optimize your data storage practices to manage costs efficiently.
Performance considerations: The performance of Security Lake can be influenced by factors such as data ingestion rates, analysis complexity, and the size of your security data. If you have a high volume of data or complex analysis requirements, you may need to carefully allocate resources and optimize your Security Lake configuration to ensure smooth and efficient operation.
Security Lake limitations: While Security Lake offers robust security analytics capabilities, it is important to understand its limitations. For example, Security Lake may not cover all types of security logs or support custom log formats. Evaluate your specific security needs and verify that Security Lake aligns with your requirements.
Monitoring and alerts: Monitoring the alerts and notifications generated by Security Lake is crucial for timely threat detection and response. However, it’s essential to set up effective monitoring practices to avoid missing critical alerts or being overwhelmed by false positives. Regularly review and fine-tune your alerting mechanisms to ensure they are tuned to your organization’s security priorities.
Integration challenges: Security Lake integrates with other AWS security services, such as GuardDuty and Security Hub. While this integration enhances your overall security capabilities, it may require additional configuration and management. Be prepared to address any potential challenges related to integration, including service compatibility, data sharing, and event correlation.
Compliance considerations: If your organization operates in regulated industries or needs to comply with specific security standards, ensure that Security Lake meets the necessary compliance requirements. While Security Lake provides built-in compliance rules and tools, additional configurations or customization may be necessary to align with your specific compliance needs.
Remember that it is crucial to consult AWS documentation, user guides, and seek support from AWS experts to address any specific challenges or concerns you may encounter during the setup and configuration of Amazon Security Lake.
Employee PII not protected by Australian Privacy Principles
The Australian Privacy Principles (APPs) in the Privacy Act regulate the handling of personal information held by Australian government agencies and certain private sector organisations.
However, section 7B(3) states that an act done, or practice engaged in, by an organisation that is or was an employer of an individual, is exempt for the purposes of paragraph 7(1)(ee) if the act or practice is directly related to:
a. a current or former employment relationship between the employer and the individual; and
b. an employee record held by the organisation and relating to the individual.
The Privacy Act defines an ‘employee record’ as a record of personal information relating to the employment of the employee, and includes information that is a record of personal information about the employment of the employee.
Cybersecurity has become a critical concern for businesses of all sizes and industries. The increasing sophistication and frequency of cyber attacks highlight the need for organizations to implement effective cybersecurity measures to protect their operations, assets, and reputation.
The purpose of this Cyber Security Strategy is to provide a comprehensive framework for protecting our organization against cyber threats. This strategy is based on the Australian Cyber Security Centre (ACSC) Essential Eight framework, which outlines eight essential security controls that organizations should implement to mitigate cybersecurity risks.
The objectives of our Cyber Security Strategy are:
To protect the confidentiality, integrity, and availability of our organization’s information and assets.
To ensure that our organization is compliant with relevant laws, regulations, and standards.
To reduce the risk of cyber threats, including malware, ransomware, phishing, and other types of cyber attacks.
To ensure that our employees are trained in cybersecurity best practices and are aware of their roles and responsibilities in protecting the organization’s assets and operations.
Our Cyber Security Strategy will focus on implementing the first four security controls of the Essential Eight framework, as these are considered the most effective at mitigating cybersecurity risks. These controls are:
Application Whitelisting: We will implement application whitelisting to allow only approved applications to run on our systems, preventing the execution of malicious software.
Patching Applications: We will keep applications up-to-date with the latest security patches to prevent vulnerabilities from being exploited.
Patching Operating Systems: We will regularly patch operating systems to prevent known vulnerabilities from being exploited.
Restricting Administrative Privileges: We will limit administrative privileges to reduce the risk of unauthorized access to critical systems and data.
In addition to implementing these security controls, we will also establish policies and processes to ensure that they are maintained and updated regularly.
Our Cyber Security Strategy will include a risk management approach to identify and prioritize cybersecurity risks. We will conduct regular risk assessments to identify potential threats and vulnerabilities, and develop plans to mitigate these risks.
Training and Awareness:
We recognize that employees are a critical component of our cybersecurity strategy. We will provide regular training and awareness programs to educate employees on cybersecurity best practices and their roles and responsibilities in protecting the organization’s assets and operations.
Monitoring and Reporting:
We will establish monitoring and reporting processes to ensure that our security controls are effective and to identify any security incidents or breaches. We will conduct regular reviews of our cybersecurity measures to ensure that they are up-to-date and aligned with emerging threats and industry best practices.
Australian Essentials Eight
The Australian Cyber Security Centre (ACSC) has developed the Essential Eight framework, which outlines eight essential security controls that organizations should implement to mitigate cybersecurity risks. These security controls are practical and effective, and align with the maturity level 2 of the Essential Eight framework.
Essential Eight framework includes maturity levels that organizations can use to measure their implementation of the Essential Eight controls. These maturity levels provide a structured approach to implementing cybersecurity measures and help organizations to progressively improve their cybersecurity posture.
The Essential Eight maturity levels are as follows:
Ad Hoc: Organizations at this level have ad hoc security measures in place that are reactive and not based on any formal risk management or security framework.
Developed: Organizations at this level have implemented some security measures, but these measures are not consistent or fully integrated into the organization’s risk management framework.
Defined: Organizations at this level have a defined security posture, with security measures fully integrated into the organization’s risk management framework.
Managed: Organizations at this level have a managed security posture, with regular monitoring and reporting of security measures and incidents.
Established: Organizations at this level have established a culture of security, with a proactive approach to cybersecurity and regular testing and improvement of security measures.
Mature: Organizations at this level have a mature security posture, with a continuous improvement approach to cybersecurity and a strong focus on risk management.
Adaptive: Organizations at this level have an adaptive security posture, with the ability to quickly respond to emerging threats and adapt security measures accordingly.
By implementing the Essential Eight controls and progressing through the maturity levels, organizations can reduce the risk of cyber threats and protect their business operations, assets, and reputation. Our proposed cybersecurity plan will help your organization to achieve maturity level 2 of the Essential Eight framework, which includes the implementation of the first four security controls.
We will work with your organization to develop a comprehensive cybersecurity plan that aligns with the Essential Eight framework and supports your business objectives. Our plan will include technical aspects, policies, and processes, and will be tailored to your organization’s specific needs and requirements.
In this Cyber Security Strategy and Implementation Guide, we will provide a detailed plan for configuring a secure managed cloud environment using Intune, and implementing policies to ensure devices are up-to-date and compliant with the Essential Eight framework maturity level 2.
This guide will cover technical aspects, policies, and processes, and provide business owners with a comprehensive approach to cybersecurity that can help reduce the risk of cyber threats and protect their businesses.
This guide will provide information to help configure a secure managed cloud environment for a customer with 20 seats. The aim is to implement policies that align with Essential Eight Framework maturity level 2 and use Device Management tools like Intune to manage and secure all company-owned devices. This plan will cover technical aspects, policies, and processes necessary for implementing a secure managed cloud environment.
The Essential Eight consists of the following security controls:
Application Whitelisting: Application whitelisting helps prevent the execution of malicious software by allowing only approved applications to run.
Patching Applications: Keeping applications up-to-date with the latest security patches can help prevent vulnerabilities from being exploited.
Patching Operating Systems: Regularly patching operating systems can help prevent known vulnerabilities from being exploited.
Restricting Administrative Privileges: Limiting administrative privileges can help reduce the risk of unauthorized access to critical systems and data.
Multi-factor Authentication: Using multi-factor authentication (MFA) can help prevent unauthorized access to systems and data by requiring additional forms of authentication.
Backups: Regularly backing up critical data can help protect against data loss in the event of a cyber attack or other disaster.
Network Segmentation: Network segmentation can help reduce the impact of a cyber attack by limiting the spread of malware and other threats.
User Education: Educating users on how to identify and respond to cyber threats can help prevent security incidents caused by human error.
Implementing these security controls can help protect businesses against a wide range of cyber threats, including malware, ransomware, phishing, and other types of cyber attacks. Business owners should ensure that their organizations have appropriate cybersecurity measures in place, and regularly review and update these measures to stay ahead of evolving threats.
The ACSC recommends that organizations implement the Essential Eight framework in a prioritized manner, starting with the first four security controls, as these are considered the most effective at mitigating cybersecurity risks. The framework also includes maturity levels that organizations can use to measure their implementation of the Essential Eight controls.
In addition to implementing the Essential Eight framework, organizations should also regularly review and update their cybersecurity measures to stay ahead of evolving threats. They should also ensure that their employees are trained in cybersecurity best practices and are aware of their roles and responsibilities in protecting the organization’s assets and operations.
By implementing the Essential Eight framework and regularly reviewing and updating their cybersecurity measures, organizations can reduce the risk of cyber threats and protect their business operations, assets, and reputation.
Essentials Eight Implementation Guide using Microsoft Intune.
The technical aspects of implementing a secure managed cloud environment involve the following steps:
Device Management Tool: As per the requirement, Intune will be the device management tool to be used to manage and secure all company-owned devices. Intune provides various features like device management, application management, and conditional access, among others.
Configuration of Devices: The first step in configuring devices is to join them to Azure AD. This will allow for seamless management of devices from Intune. The next step is to configure policies for devices. The following policies will be implemented:
a. Password Policy: A password policy will be implemented that enforces strong passwords and password expiration every 90 days. This policy will help prevent unauthorized access to devices.
b. Device Compliance Policy: A device compliance policy will be implemented that ensures that devices are compliant with security standards. This policy will check if devices have the latest OS updates, anti-virus software installed, and if devices are jailbroken/rooted. Devices that do not meet the compliance requirements will be prevented from accessing company resources. As direct internet connectivity has been stipulated, applications will be set to auto update. Firmware can be update if an executable file is packaged and deployed via Intune.
c. Encryption Policy: An encryption policy will be implemented that requires all devices to be encrypted. This policy will ensure that data stored on devices is protected in case of loss or theft.
d. Application Policy: An application policy will be implemented that ensures that only approved applications are installed on devices. This policy will help prevent the installation of malicious software on devices. Application whitelisting will prevent all non-approved applications (including malicious code) from executing. WDAC provides all the features of AppLocker with additional functionality and simpler management from within Intune. It is also possible to implement the latest recommended block rules from Microsoft. Only signed macros will be enabled via Intune policies. Web advertisements that are java or flash based will be blocked. ‘Other’ web adverts will not be controlled. Web browsers are configured to block or disable support for Flash content for Internet Explorer and Edge. Web browsers are configured to block Java from the Internet for Internet Explorer and Edge. Office 365 applications block flash content by default. Object Linking and Embedding will be disabled by Intune policy.
e. Conditional Access Policy: A conditional access policy will be implemented that ensures that only authorized devices can access company resources. This policy will require devices to be compliant with device compliance policies and have approved applications installed. Stronger user authentication makes it harder for adversaries to access sensitive information and systems. MFA is enabled for all with a soft token. Hard tokens would require an IaaS server in Azure and will not be implemented.
Monitoring and Reporting: Intune provides various monitoring and reporting capabilities that allow administrators to monitor device compliance and security. Reports can be generated to view the compliance status of devices and track any policy violations. This will help administrators to identify and remediate any security issues.
Daily Backups: Configuration settings of Office 365 and Intune are backed up. Documents, Desktops and Pictures are redirected to OneDrive using Windows Known Folders providing a backup of data to the cloud. Office 365 data is replicated by Microsoft to at least two geographically dispersed data centres. Exchange Online has a recover deleted items from server option. Cloud based files have Recycle bin and Restore options in addition to retention policies. Retention policies are created that ensure that data is retained forever for: * Exchange * SharePoint * OneDrive * Office 365 Groups * Skype for Business * Exchange Public Folders * Teams channel messages * Teams chats Workstation configuration is stored in Intune (AutoPilot rebuild) or SCCM task sequence.
Policies The policies to be implemented are as follows:
Acceptable Use Policy: An Acceptable Use Policy will be implemented that outlines the acceptable use of company-owned devices. The policy will include guidelines on the use of company resources, the installation of software, and the handling of confidential information. This policy will help prevent security incidents caused by employees.
Incident Response Policy: An Incident Response Policy will be implemented that outlines the steps to be taken in case of a security incident. The policy will include guidelines on reporting incidents, containing incidents, and recovering from incidents. This policy will ensure that security incidents are handled efficiently and effectively.
Data Classification Policy: A Data Classification Policy will be implemented that classifies data based on its sensitivity. The policy will include guidelines on how data should be handled based on its classification. This policy will ensure that sensitive data is protected appropriately.
Access Control Policy: An Access Control Policy will be implemented that outlines the procedures for granting and revoking access to company resources. The policy will include guidelines on how access should be granted based on roles and responsibilities. This policy will help prevent unauthorized access to company resources. Restriction of administrative privileges for admin accounts will prevent adversaries using these accounts to gain full access to information and systems. WDAC policies are applied to admin users to prevent the ability to run email and web browsers. Admin users will log on with their normal accounts and then authenticate to the Office 365 tenant for management using their privileged account to administer the system.
The process for implementing a secure managed cloud environment involves the following steps:
Assessment: An assessment will be conducted to identify the current security posture of the organization. The assessment will identify any security gaps and risks.
Planning: Based on the assessment, a plan will be developed to implement a secure managed cloud environment. The plan will.
Cyber Security Strategy provides a comprehensive framework for protecting our organization against cyber threats. By implementing the first four security controls of the Essential Eight framework, establishing policies and processes to maintain and update these controls, and adopting a risk management approach, we can reduce the risk of cyber threats and protect our organization’s assets and operations.