Module 4ab - Security and Network Security - Protect Against Security Threats - Azure Sentinel, Key Vault and Dedicated Hosts Flashcards
What is a Security Information and Event Management (SIEM) System?
A SIEM system aggregates security data from multiple sources and provides capabilities for threat detection and response. Basically the “reactive” system after a breach.
Hint: Think “Batman” as a SIEM system…
What is Azure Sentinel and what’s the difference between it and Azure Security Center?
What are four (4) things that it does?
Azure’s SIEM System. This is the system you’d go to for breaches. Unlike Security Center, which is proactive prevention, Sentinel is reactive: detecting and responding to threats.
- Data Aggregation at scale; across all users, devices, apps, and both on-prem and cloud infrastructure (even multiple clouds)
- Detects previously undetected threats using Microsoft’s comprehensive analytics and threat intelligence
- Investigates threats with AI; examines suspicious activities at scale
- Rapid Incident Response with built-in orchestration and automation of common tasks
What data source connections does Azure Sentinel support?
Connections to the following sources:
- Microsoft Solutions (obviously!)
- Non-MS Solutions like AWS CloudTrail, Citrix Analytics, VMware Carbon Black Cloud, etc
- Common Event Format (CEF) compliant data sources. These are industry-standard systems that use the CEF messaging standard, like Syslog or REST APIs
Hint: Escalators…
Azure Sentinel’s Built-In Analytics are based on templates. Who built them and what are they based on?
What are three (3) aspects of those templates?
Templates designed by Microsoft security experts based on
- Escalation Chains for suspicious activity
- Known threats
- Attack vectors
Templates are:
- Customizable
- Used to search across the environment for any suspicious activity
- Some use proprietary ML behavioral analytics based on MS algorithms
Describe Sentinel’s Custom Analytics for threat detection
Rules you create to search your environment for specific criteria.
- Alert thresholds
- Result previews based on historical logs (since you’re building this off CUSTOM criteria as opposed to known threats i.e. known criteria…)
- Query scheduling (i.e. when to kick off your search)
What are “Incidents” w.r.t. Azure Sentinel?
A group of related Security Alerts
What is the Investigation Graph?
A tool used by Azure Sentinel to examine:
- The timeline of the incidents and their occurrences
- Entities directly connected to and/or affected by the alert
- Common exploration queries
Hint: Obama’s Pandemic Playbook…
What are Azure Monitor Playbooks?
Used to automate responses to threats
The playbook can run manually or automatically when a rule triggers an alert
What’s an example workflow for a Playbook?
- Trigger Alerts to open a ticket
- Send a message to Teams or Slack
- Send info in an Alert to a security admin via email with option buttons “Block” or “Ignore”
When clicking Block ⇒ the IP address is blocked, user is disabled in Azure Active Directory
When clicking Ignore ⇒ Alert is closed in Sentinel and incident is closed in the trigger system
What is Azure Key Vault?
A centralized cloud service for storing application secrets in a single, central location. Provides secure access to sensitive info via access control and logging capabilities
What are three (3) things Azure Key Vault manages?
What’s used to ensure security on your stored secrets?
Manage Secrets - Store and tightly control access to tokens, passwords, certs, API keys, etc.
Manage Encryption Keys
Manage SSL/TLS Certs - Provision/Manage/Deploy public or private Secure Sockets Layer/Transport Layer Security certificates for both Azure Resources and internal resources
Store secrets backed by hardware security modules (HSMs)
- keys and secrets protected by software or by FIPS 140-2 Level 2 validated HSMs
Hint: What’s great about Azure?
What are four (4) benefits of Azure Key Vault?
- Securely stored secrets and keys!!! - This is the MAIN idea behind KeyVault! Access requires authentication and authorization
- Centralized AND Simplified App Secrets administration - reduces the potential for leaks and controls distribution, makes it easier to enroll and renew certificates from public cert authorities, lets you scale up and replicate within Regions, and works with standard cert management tools
- Access Monitoring and Access Control
- Integration with Azure Services
What two (2) places can I see my Secret Values?
Viewing Secrets requires authentication and authorization (T/F)?
- Secrets => Select the secret => Select “Current Version” => Click “Show Secret Value”
- Through the Cloud Shell:
az keyvault secret show --name noelspwd --vault-name my-keyvault-001noel --query value --output tsv
True. These two paths assume you are already authenticated and authorized through (1) the Azure Portal or (2) Cloud Shell’s Azure secure login
What is Azure Dedicated Host?
Microsoft can provide physical servers to host your Azure VMs (Windows or Linux) should you have requirements to do so (e.g. regulatory compliance)
What are Host Groups?
A collection of Azure Dedicated Hosts
Host Group => Dedicated Host => VMs
Your VMs can sit on a Dedicated Host, and your Dedicated Host can be grouped with other Dedicated Hosts