Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Microsoft Sentinel in Action

You're reading from   Microsoft Sentinel in Action Architect, design, implement, and operate Microsoft Sentinel as the core of your security solutions

Arrow left icon
Product type Paperback
Published in Feb 2022
Publisher Packt
ISBN-13 9781801815536
Length 478 pages
Edition 2nd Edition
Arrow right icon
Authors (2):
Arrow left icon
Richard Diver Richard Diver
Author Profile Icon Richard Diver
Richard Diver
Gary Bushey Gary Bushey
Author Profile Icon Gary Bushey
Gary Bushey
Arrow right icon
View More author details
Toc

Table of Contents (23) Chapters Close

Preface 1. Section 1: Design and Implementation
2. Chapter 1: Getting Started with Microsoft Sentinel FREE CHAPTER 3. Chapter 2: Azure Monitor – Introduction to Log Analytics 4. Section 2: Data Connectors, Management, and Queries
5. Chapter 3: Managing and Collecting Data 6. Chapter 4: Integrating Threat Intelligence with Microsoft Sentinel 7. Chapter 5: Using the Kusto Query Language (KQL) 8. Chapter 6: Microsoft Sentinel Logs and Writing Queries 9. Section 3: Security Threat Hunting
10. Chapter 7: Creating Analytic Rules 11. Chapter 8: Creating and Using Workbooks 12. Chapter 9: Incident Management 13. Chapter 10: Configuring and Using Entity Behavior 14. Chapter 11: Threat Hunting in Microsoft Sentinel 15. Section 4: Integration and Automation
16. Chapter 12: Creating Playbooks and Automation 17. Chapter 13: ServiceNow Integration for Alert and Case Management 18. Section 5: Operational Guidance
19. Chapter 14: Operational Tasks for Microsoft Sentinel 20. Chapter 15: Constant Learning and Community Contribution 21. Assessments 22. Other Books You May Enjoy

The cloud security reference framework

To assist with the discovery and mapping of current security solutions, we developed the cloud security reference framework. The following diagram is a section of this framework that provides the technical mapping components, and you can use this to carry out a mapping of your own environment:

Figure 1.2 – Technical mapping components; the cloud security reference framework

Figure 1.2 – Technical mapping components; the cloud security reference framework

Each of these 12 components is described in the following list, along with some examples of the types of solutions to consider as they relate to integration with Microsoft Sentinel and the rest of your security architecture:

  1. Security Operations Center: At a high level, this includes the following technologies and procedures: log management and Security Incident and Event Monitoring (SIEM), Security Orchestration and Automated Response (SOAR), vulnerability management, threat intelligence, incident response, and intrusion prevention/detection. This component is explored further in the Mapping the SOC architecture section later in this chapter.
  2. Productivity Services: This component covers any solution currently in use to protect the business productivity services that your end users rely on for their day-to-day work. This may include email protection, SharePoint Online, OneDrive for Business, Box, Dropbox, Google apps, and Salesforce. Many more will appear in the future, and most of these should be managed through a Cloud Access Security Broker (CASB) solution.
  3. Identity and Access Management: Identities are among the most important entities to track. Once an attacker gains access to your environment, their main priority is to find the most sensitive accounts and use them to exploit systems further. In fact, identity is usually one of the first footholds in your IT environment, usually through a successful phishing attack. A simple resolution is to implement multi-factor authentication, ensuring that even if a password is stolen (or guessed), the attacker would need multiple attempts to access the system.
  4. Client Endpoint Management: This component covers a wide range of endpoints, from desktops and laptops to mobile devices and kiosk systems, all of which should be protected by specialized solutions such as Endpoint Detection and Response (EDR), Mobile Device Management (MDM), and Mobile Application Management (MAM) solutions to ensure protection from advanced and persistent threats against the operating systems and applications. This component also includes secure printing, managing peripherals, and any other device that an end user may interact with, such as the future of virtual reality/augmentation devices.
  5. Cloud Access Security Broker (CASB): This component has been around for several years and is finally becoming a mainstay of modern cloud security infrastructure due to the increased adoption of cloud services. The CASB is run as a cloud solution that can ingest log data from Software as a Service (SaaS) applications and firewalls and will apply its own threat detection and prevention solutions. Information coming from the CASB will be consumed by the SIEM solution to add to the overall picture of what is happening across your diverse IT environment.
  6. Perimeter Network: One of the most advanced components, when it comes to cybersecurity, must be the perimeter network. This used to be the first line of defense and for some companies still is the only line of defense. That is changing now, and we need to be aware of the multitude of options available; from external-facing advanced firewalls, web proxy servers, and application gateways to virtual private networking solutions and secure DNS, this component will also include protection services such as Distributed Denial of Service (DDoS), Web Application Firewall (WAF), and intrusion protection/detection services.
  7. IoT and Industrial Control Systems: ICS are usually operated and maintained in isolation from the corporate environment, known as the Information Technology/Operational Technology (IT/OT) divide. These are highly bespoke systems that may have existed for decades and are not easily updated or replaced. The networks and devices may be highly sensitive to any latency or attempts to scan; instead, the recommended approach is passive monitoring of network traffic.

    The reference to IoT is different, yet similar; in these systems, there will be a lot of small devices that collect data and control critical business functions without working on the same network. Some of these devices can be smart to enable automation; others are single-use (vibration or temperature sensors). The volume and velocity of data that can be collected from these systems can be very high. If useful information can be gained from the data, then consider filtering the information before ingesting it into Microsoft Sentinel for analysis and short- or long-term retention.

  8. Private Cloud Infrastructure: This may be hosted in local server rooms, a specially designed data center, or hosted with a third-party provider. The technologies involved in this component will include storage, networks, internal firewalls, and physical and virtual servers. The data center has been the mainstay of many companies for the last 2-3 decades, but most are now transforming into hybrid solutions, combining the best of cloud (public) and on-premises (private) solutions. The key consideration here is how much of the log data you can collect and transfer to the cloud for Microsoft Sentinel ingestion. We will cover data connectors more in Chapter 3, Managing and Collecting Data.

    Active Directory is a key solution that should also be included in this component. It will be extended to public cloud infrastructure (component 09) and addressed in the Privileged Access Management section (component 10). The best defense for Azure Active Directory is to deploy the Microsoft Defender for Identity solution, which Microsoft developed to specifically protect Active Directory domain controllers.

  9. Public Cloud Infrastructure: These solutions are now a mainstay of most modern IT environments, beginning either as an expansion of existing on-premises virtualized server workloads, a disaster recovery solution, or an isolated environment created and maintained by the developers. A mature public cloud deployment will have many layers of governance and security embedded into the full life cycle of creation and operations. This component may include Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) services; each public cloud service provider offers its own security protections that can be integrated into Microsoft Sentinel.
  10. Privileged Access Management: This is a critical component, not to be overlooked, especially in terms of gaining access to the SOC platform and associated tools. The Privileged Access Management (PAM) capability ensures all system-level access is highly governed, removing permissions when not required, and making a record of every request for elevated access. Advanced solutions will ensure password rotation for service accounts, management of shared system accounts (including SaaS services such as Twitter and Facebook), and the rotation of passwords for the local administrator accounts on all computers and servers. For the SOC platform, consider implementing password vaults and session recording for evidence gathering.
  11. Cloud Workload Protection Platform: This component may also be known as Cloud Security Posture Management (CSPM), depending on the view of the solution developed. This is a relatively new area for cloud security and is still maturing.

    Whatever they are labeled as, these solutions address the same problems: how do you know that your workloads are configured correctly across a hybrid environment and protect the resources within each of those environments? This component will also include any DevOps tools implemented to orchestrate the deployment and ongoing configuration management of solutions deployed to private and public cloud platforms. This solution should be capable of continuously scanning for, and potentially enforcing, configuration compliance with multiple regulatory and industry-standard frameworks.

  12. Information Security: This component is critical to securing data at rest and in transit, regardless of the storage: endpoint, portable, or cloud storage. This component is important to cover secure collaboration, digital rights management, securing email (in conjunction with component 02, (Productivity Services), scanning for regulated data, and other sensitive information.

The cloud security reference framework is meant to be a guide to what services are needed to secure your cloud implementation. In the next section, we will look at the SOC in more detail.

You have been reading a chapter from
Microsoft Sentinel in Action - Second Edition
Published in: Feb 2022
Publisher: Packt
ISBN-13: 9781801815536
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image