Module 4ab - Security and Network Security - Protect Against Security Threats - Azure Sentinel, Key Vault and Dedicated Hosts Flashcards

1
Q

What is a Security Information and Event Management (SIEM) System?

A

A SIEM system aggregates security data from multiple sources and provides capabilities for threat detection and response. Basically the “reactive” system after a breach.

2
Q

Hint: Think “Batman” as a SIEM system…

What is Azure Sentinel and what’s the difference between it and Azure Security Center?

What are four (4) things that it does?

A

Azure’s SIEM system. This is the system you’d go to for breaches. Unlike Security Center, which is proactive prevention, Sentinel handles reactive actions and prevention.

  • Data Aggregation at scale; across all users, devices, apps, and both on-prem and cloud infrastructure (even multiple clouds)
  • Detects previously undetected threats using Microsoft’s comprehensive analytics and threat intelligence
  • Investigates threats with AI; examines suspicious activities at scale
  • Rapid Incident Response with built-in orchestration and automation of common tasks
3
Q

What data source connections does Azure Sentinel support?

A

Connections to the following sources:

  • Microsoft Solutions (obviously!)
  • Non-MS solutions like AWS CloudTrail, Citrix Analytics, VMware Carbon Black Cloud, etc.
  • Common Event Format (CEF) compliant data sources. These are industry-standard systems that use the CEF messaging standard, such as Syslog or REST APIs
4
Q

Hint: Escalators…

Azure Sentinel’s built-in analytics are based on templates. Who built them and what are they based on?

What are three (3) aspects of those templates?

A

Templates designed by Microsoft security experts based on

  • Escalation Chains for suspicious activity
  • Known threats
  • Attack vectors

Templates are:

  • Customizable
  • Used to search across the environment for any suspicious activity
  • Some use proprietary ML behavioral analytics based on MS algorithms
5
Q

Describe Sentinel’s Custom Analytics for threat detection

A

Rules you create to search your environment for specific criteria.

  • Alert thresholds
  • Result previews based on historical logs (since you’re building this off CUSTOM criteria as opposed to known threats i.e. known criteria…)
  • Query scheduling (i.e. when to kick off your search)
6
Q

What are “Incidents” w.r.t. Azure Sentinel?

A

A group of related Security Alerts

7
Q

What is the Investigation Graph?

A

A tool used by Azure Sentinel to examine:

  • The timeline of the incidents and their occurrences
  • Entities directly connected to and/or affected by the alert
  • Common exploration queries
8
Q

Hint: Obama’s Pandemic Playbook…

What are Azure Monitor Playbooks?

A

Used to automate responses to threats

The playbook can run manually or automatically when a rule triggers on an alert

9
Q

What’s an example workflow for a Playbook?

A
  1. Trigger Alerts to open a ticket
  2. Send a message to Teams or Slack
  3. Send info from the Alert to a security admin via email with option buttons “Block” or “Ignore”

When clicking Block ⇒ the IP address is blocked and the user is disabled in Azure Active Directory

When clicking Ignore ⇒ the Alert is closed in Sentinel and the incident is closed in the trigger system

10
Q

What is Azure Key Vault?

A

A centralized cloud service for storing application secrets in a single, central location. Provides secure access to sensitive info via access control and logging capabilities.

11
Q

What are three (3) things Azure Key Vault manages?

What’s used to ensure security on your stored secrets?

A

Manage Secrets - Store and control access to tokens, passwords, certs, API keys, etc.

Manage Encryption Keys

Manage SSL/TLS Certs - Provision/Manage/Deploy public or private Secure Socket Layer/Transport Layer Security certificates for both Azure Resources and internal resources

Store secrets backed by hardware security modules (HSMs)
  • Keys and secrets protected by software or by FIPS 140-2 Level 2 validated HSMs

12
Q

Hint: What’s great about Azure?

What are four (4) benefits of Azure Key Vault?

A
  • Securely stored secrets and keys!!! - This is the MAIN idea behind KeyVault! Access requires authentication and authorization
  • Centralized AND simplified app secrets administration - reduces the potential for leaks and controls distribution; easier to enroll and renew certificates from public cert authorities, scale up and replicate within Regions, and use standard cert management tools
  • Access Monitoring and Access Control
  • Integration with Azure Services
13
Q

What two (2) places can I see my Secret Values?

Viewing Secrets requires authentication and authorization (T/F)?

A
  1. Azure Portal: Secrets => Select the secret => Select “Current Version” => Click “Show Secret Value”
  2. Through the Cloud Shell (Azure CLI):
    az keyvault secret show --name noelspwd --vault-name my-keyvault-001noel --query value --output tsv

True. These two paths assume you are already authenticated and authorized through (1) the Azure Portal or (2) Cloud Shell’s Azure secure login

14
Q

What is Azure Dedicated Host?

A

Microsoft can provide physical servers to host your Azure VMs (Windows or Linux) should you have requirements to do so (e.g. regulatory compliance)

15
Q

What are Host Groups?

A

A collection of Azure Dedicated Hosts

Host Group => Dedicated Host => VMs

Your VMs sit on a Dedicated Host, and your Dedicated Host can be grouped with other Dedicated Hosts

16
Q

What are the benefits of a Dedicated Host?

A

Complete control over the environment hosting your VMs!

  • Visibility into the environment
  • Helps address compliance requirements by deploying to isolated servers
  • You can choose the number of processors, server capabilities, VM series, VM sizes WITHIN THE SAME HOST
17
Q

Hint: WITH….not FOR

How do you achieve High Availability with Dedicated Hosts?

A

Provision multiple hosts in a Host Group, then deploy your VMs across the whole group…

18
Q

What does Dedicated Host Maintenance Control allow you to do? What is the time window for using it?

A

Lets you control when regular maintenance updates occur (within a 35-DAY ROLLING WINDOW)

19
Q

How are Dedicated Hosts billed?

A
  • Charged per HOST, regardless of how many VMs you deploy to it
  • Price based on VM family, VM size and Region
20
Q

Another advantage of Dedicated Hosts is that software licensing, storage and network usage are billed in aggregate with the VMs running on each Dedicated Host (T/F)?

A

False. The host and the VMs are billed separately from all of that! 😉