Yes, I can already hear most people thinking/saying an event becomes an incident at the moment the detection use case has triggered. But is it this black and white? Or do we unnecessarily complicate it with processes, procedures, and responsibilities?

Within the cybersecurity industry, we use words like event, alert, notification, and incident. I will clarify these words first before continuing to answer the question.

  • An event contains information about something that has happened. For example, a user logs into a host via SSH.


Naturally, the simplistic and straightforward answer is you measure. But what is the thing you need to measure? The number of scans? The number of discovered vulnerabilities? Something else? I will provide some tips to you on what you can measure to check if you are running an effective vulnerability management program.

In an introductory article, I wrote on how you can become a master in vulnerability management. I will use that article as a base and continue to provide you some guidance on becoming a master in running an effective vulnerability management program.

Which scans do I need to configure?

Every vulnerability management scanning solution will offer loads of options. And often enough these options are extremely valuable, but only if you utilize them at the proper moment.

The first scan you need to configure is a so-called discovery scan. The purpose of this scan is not to detect vulnerabilities but to discover new hosts. It is critical…


Let’s find out by creating an Azure Sentinel environment, adding some log sources, and creating some (basic) alert rules. I will compare this implementation with some of the other SIEM solutions I have implemented in the past.

Let’s first log onto the Microsoft Azure portal environment. If you are not logged on with a Microsoft account, you will be automatically redirected to the Microsoft Logon page. Once successfully authenticated, you will automatically return to the Microsoft Azure Portal environment.

Installing Microsoft Azure Sentinel

Microsoft Azure Portal website

Once you have clicked on the ‘Azure Sentinel’ button, you will be redirected to the webpage where you will see all configured Azure Sentinel environments. Yes, that’s correct. Within one subscription you can maintain multiple Azure Sentinel environments. This can be useful when you want separate environments for Development, Acceptance, and Production.


In earlier articles, I spoke about identifying the attack surface and about the now-what question. As a result, you should possess by now a list of use cases you want to implement. The subsequent question is, should I follow the agile principles or shall I follow the classic waterfall approach when developing and implementing the list of use cases?

For both approaches, you can compile a list of pros and cons, but in the end, it doesn’t really matter. What is important are the steps during the development process.

Before you can start developing a use case, you need to run a quality assurance checklist. Do you possess all the information you require to successfully build and implement the use case? Here are some of the items you need to put on this quality assurance checklist:

  • Use case name and description


An Intrusion Detection System (IDS for short) analyzes captured network traffic. But as more and more network traffic is becoming encrypted, the IDS solution encounters more and more difficulties demonstrating its genuine value. Which changes in the network architecture need to be made to overcome this issue?

Captured output generated by SNORT (enriched with GeoIP information by Logstash)

Even when the network traffic is encrypted, the IDS solution can nevertheless show value, but it is limited and is based only on the unencrypted parts of the network traffic (packet headers). And these alerts are of limited value for a Security Operations Center.

IDS Decryption options


In an introductory article, I wrote about how you can move from theory to reality. Now let’s be a little bit more hands-on and update the Zero Trust Architecture you have drafted. In this article, I will write about the various components you are planning to introduce and which decisions you still need to take.

Zero Trust Architecture is about users, locations, devices, data, and networks.

Firewall

Firewalls remain the place where you can disrupt traffic. Traditionally, massive firewalls are placed only on the network edges. Once in, the network traffic will most likely not pass a firewall anymore. Great for attackers and bad for security. With the move to Zero Trust Architecture, the firewall will have a more prominent role to play. Functions (applications, services, etc.) are isolated in their own network zone. To enter this network zone, the traffic must be approved by a firewall.


The optimal way to secure yourself against a vulnerability is to install the patch. But sometimes you can’t, because the patch is either unavailable or the company’s policies and procedures prevent you from installing it. And therefore, the vulnerability remains exploitable. Or is there something else you can do?

Hackers are constantly on the lookout for how to exploit known and unknown vulnerabilities.

In the article ‘Can you truly master Vulnerability Management?’ I wrote about how you can become a master in Vulnerability Management and shared two techniques to make it more difficult for an attacker.

But these defensive techniques take time to implement, especially when the estate is vast. And during the implementation, you might still be vulnerable to unknown, undiscovered, or unpatched vulnerabilities. There is another technique for how you can defend yourself against vulnerability exploitation: firewalling. By implementing both network and host-based firewalling, you make it more difficult to successfully exploit a vulnerability.

Showcase

Allow me to explain…


The attack surface represents the initial point where an attacker could strike, but it might be more extensive than we genuinely think it is. Allow me to explain this in more detail.

The attack surface from above.

In another article on use cases, I spoke about the unanswered question. In this article, I will speak about identifying the attack surface and therefore indirectly about identifying possible use cases.

Educate

If you ask a business person what the thing is they are most worried about in terms of security, you hear terms like phishing, ransomware, Denial of Service attacks, etc. On their own, these represent some pretty serious risks. But let’s take away the marketing buzz words, what do you hear then? Silence? A big uhh? Heavy breathing?


Security Use cases are primarily focused on detection. But all too often the question ‘now what’ is forgotten. Let’s deep-dive on this and focus upon what is missing.

Put one’s finger on the sore spot

Use cases remain a valuable weapon in the ongoing battle against security threats. In most corporate environments I have seen, the use case describes the threat, including to a certain extent the technical details.

If I was lucky, there was a reference to a generic security incident response playbook. In my opinion, this is a recipe for disaster: a generic incident response playbook.

If no response was described, then the company was at the mercy of the knowledge and skills of the analyst of the day.

And still, we ponder why we have an analyst fatigue issue.

But don’t get…


How can you successfully implement Zero Trust Architecture?

Network architecture

The National Cybersecurity Center of Excellence (NCCoE, part of NIST) defines Zero Trust Architecture as ‘A zero trust architecture treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized. In essence, a zero trust architecture allows a user full access but only to the bare minimum they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained.’. One might think that just user authentication and authorization are enough to conform to this standard.

But Zero Trust Architecture…

Richard de Vries

A passionate security professional who shares his knowledge and experiences while trying to achieve a more secure IT/OT/IIoT world.
