Within the cybersecurity industry, we use words like event, alert, notification, and incident. I will clarify these words first before continuing to answer the question.
In an introductory article, I wrote about how you can become a master in vulnerability management. I will use that article as a base and continue to provide you with some guidance on becoming a master in running an effective vulnerability management program.
Every vulnerability management scanning solution will offer loads of options. Often enough these options are extremely valuable, but only if you utilize them at the proper moment.
The first scan you need to configure is a so-called discovery scan. The purpose of this scan is not to detect vulnerabilities but to discover new hosts. It is critical…
Let’s first log onto the Microsoft Azure portal environment. If you are not logged on with a Microsoft account, you will be automatically redirected to the Microsoft Logon page. Once successfully authenticated, you will automatically return to the Microsoft Azure Portal environment.
Once you have clicked on the ‘Azure Sentinel’ button, you will be redirected to the webpage where you will see all configured Azure Sentinel environments. Yes, that’s correct. Within one subscription you can maintain multiple Azure Sentinel environments. This can be effective when you want to have separate environments for Development, Acceptance, and Production.
For both approaches, you can compile a list of pros and cons, but in the end, it doesn’t really matter. What is important are the steps during the development process.
Before you can start developing a use case, you need to run a quality assurance checklist. Do you possess all the information you require to successfully build and implement the use case? Here are some of the items you need to put on this quality assurance checklist:
Even when the network traffic is encrypted, the IDS solution can nevertheless show value, but it is limited and based only on the unencrypted parts of the network traffic (packet headers). These alerts are of limited value for a Security Operations Center.
Firewalls remain the place where you can disrupt traffic. Traditionally, massive firewalls are placed only on the network edges. Once in, the network traffic will most likely not pass a firewall anymore. Great for attackers and bad for security. With the move to Zero Trust Architecture, the firewall will have a more prominent role to play. Functions (applications, services, etc.) are isolated in their own network zone. To enter this network zone, the traffic must be approved by a firewall.
In the article ‘Can you truly master Vulnerability Management?’ I wrote about how you can become a master in Vulnerability Management and shared two techniques to make it more difficult for an attacker.
But these defensive techniques take time to implement, especially when the estate is vast. During the implementation, you might still be vulnerable to unknown, undiscovered, or unpatched vulnerabilities. There is another technique for defending yourself against vulnerability exploitation: firewalling. By implementing both network-based and host-based firewalling, you make it more difficult to successfully exploit a vulnerability.
In another article on use cases, I spoke about the unanswered question. In this article, I will speak about identifying the attack surface and therefore indirectly about identifying possible use cases.
If you ask a business person what they are most worried about in terms of security, you hear terms like phishing, ransomware, Denial of Service attacks, etc. On their own, these represent some pretty serious risks. But take away the marketing buzzwords, and what do you hear then? Silence? A big uhh? Heavy breathing?
Use cases remain a valuable weapon in the ongoing battle against security threats. In most corporate environments I have seen, the use case describes the threat, including to a certain extent the technical details.
If I was lucky, there was a reference to a generic security incident response playbook. In my opinion, a generic incident response playbook is a recipe for disaster.
If no response was described, then the company was at the mercy of the knowledge and skills of the analyst of the day.
And still, we ponder why we have an analyst fatigue issue.
But don’t get…
The National Cybersecurity Center of Excellence (NCCoE, part of NIST) defines Zero Trust Architecture as ‘A zero trust architecture treats all users as potential threats and prevents access to data and resources until the users can be properly authenticated and their access authorized. In essence, a zero trust architecture allows a user full access but only to the bare minimum they need to perform their job. If a device is compromised, zero trust can ensure that the damage is contained.’. One might think that just user authentication and authorization are enough to conform to this standard.
But Zero Trust Architecture…
A passionate security professional who shares his knowledge and experiences while trying to achieve a more secure IT/OT/IIoT world.