1
00:00:00,000 --> 00:00:06,200
Welcome to the Azure Security Podcast,

2
00:00:06,200 --> 00:00:09,380
where we discuss topics relating to security, privacy,

3
00:00:09,380 --> 00:00:13,400
reliability, and compliance on the Microsoft Cloud Platform.

4
00:00:13,400 --> 00:00:15,800
Hey, everyone. Welcome to Episode 32.

5
00:00:15,800 --> 00:00:17,480
We have the whole gang here this week.

6
00:00:17,480 --> 00:00:20,120
We also have a special guest, Rin Yu.

7
00:00:20,120 --> 00:00:25,240
He's here to talk to us about the SOC Process Framework Workbook.

8
00:00:25,240 --> 00:00:26,480
But before we get to Rin,

9
00:00:26,480 --> 00:00:27,960
let's take a look at the news.

10
00:00:27,960 --> 00:00:29,600
Mike, why don't you kick things off?

11
00:00:29,600 --> 00:00:32,640
I thought I'd keep things bright and cheery,

12
00:00:32,640 --> 00:00:37,720
keeping them up from last time's dark view of the future.

13
00:00:37,720 --> 00:00:41,760
But on a genuinely positive note in the ransomware space,

14
00:00:41,760 --> 00:00:45,160
we did publish since the last podcast,

15
00:00:45,160 --> 00:00:50,000
a new one-two-three step-by-step guidance focused on

16
00:00:50,000 --> 00:00:52,400
human-operated ransomware that takes a lot of

17
00:00:52,400 --> 00:00:54,520
those lessons learned from that deck and

18
00:00:54,520 --> 00:00:56,560
the project plan that we talked about last time,

19
00:00:56,560 --> 00:00:59,440
and actually lays it out step-by-step

20
00:00:59,440 --> 00:01:02,040
what's the first thing to do, second thing, third thing.

21
00:01:02,040 --> 00:01:03,360
So that's out there.

22
00:01:03,360 --> 00:01:04,720
It's mostly the same information,

23
00:01:04,720 --> 00:01:07,240
but it's a little bit more prescriptive and a little bit more order.

24
00:01:07,240 --> 00:01:11,120
So less processing on your part to have to do that.

25
00:01:11,120 --> 00:01:13,400
We're constantly looking to improve that.

26
00:01:13,400 --> 00:01:16,560
We've got some more guidance that we're working on structuring

27
00:01:16,560 --> 00:01:19,640
and writing up so that it's as clear as possible

28
00:01:19,640 --> 00:01:21,840
for all of those steps, end to end.

29
00:01:21,840 --> 00:01:23,280
So that's one of the things that we're

30
00:01:23,280 --> 00:01:25,800
constantly working on continuously improving.

31
00:01:25,800 --> 00:01:28,720
The other thing that will be out very shortly,

32
00:01:28,720 --> 00:01:32,160
it may actually be published by the time this podcast comes out,

33
00:01:32,160 --> 00:01:33,680
is we've recorded videos on

34
00:01:33,680 --> 00:01:35,440
the cyber reference architecture and

35
00:01:35,440 --> 00:01:38,000
the Cloud Adoption Framework Secure methodology,

36
00:01:38,000 --> 00:01:42,760
anywhere between 10 and usually 20 to 20 or 25 minutes,

37
00:01:42,760 --> 00:01:46,320
kind of on each section of it to help folks understand

38
00:01:46,320 --> 00:01:48,200
what that content is about,

39
00:01:48,200 --> 00:01:50,000
what we're thinking, the thought process behind it,

40
00:01:50,000 --> 00:01:51,840
some strategic tips and whatnot.

41
00:01:51,840 --> 00:01:54,240
So that will be out very, very shortly.

42
00:01:54,240 --> 00:01:56,520
We're going to go ahead and post those videos in

43
00:01:56,520 --> 00:01:57,480
a couple of different places,

44
00:01:57,480 --> 00:01:59,600
but the easiest place to look is on

45
00:01:59,600 --> 00:02:02,960
the cyber reference architecture sites as well

46
00:02:02,960 --> 00:02:05,920
as the methodology pages within CAF Secure.

47
00:02:05,920 --> 00:02:08,520
So those are going to be out there.

48
00:02:08,520 --> 00:02:10,600
The last piece I'll share is just like

49
00:02:10,600 --> 00:02:14,520
a kind of an interesting analogy I was trying out on Twitter this morning.

50
00:02:14,520 --> 00:02:19,160
When you think about the way that

51
00:02:19,160 --> 00:02:23,680
organizations are trying to kind of instinctively prevent ransomware first,

52
00:02:23,680 --> 00:02:26,360
as opposed to making sure they have a backup plan,

53
00:02:26,360 --> 00:02:29,800
it's like doing a retirement planning by buying a lottery ticket.

54
00:02:29,800 --> 00:02:32,920
So the odds are definitely not in your favor.

55
00:02:32,920 --> 00:02:38,000
So time for my babies, Azure Sentinel News.

56
00:02:38,000 --> 00:02:40,000
Apparently, I'm now Sentinel Mama,

57
00:02:40,000 --> 00:02:41,160
so let's go with that.

58
00:02:41,160 --> 00:02:43,080
But let's talk about some stuff that's happened in

59
00:02:43,080 --> 00:02:45,320
Sentinel because there's always new things.

60
00:02:45,320 --> 00:02:48,960
The Windows Security Events connector is now based on

61
00:02:48,960 --> 00:02:50,960
the Azure Monitor agent or AMA.

62
00:02:50,960 --> 00:02:55,840
That's going to replace the MMA agent.

63
00:02:55,840 --> 00:02:58,760
So the AMA agent is really cool.

64
00:02:58,760 --> 00:03:02,400
It lets you filter the type of events you want to ingest,

65
00:03:02,400 --> 00:03:05,440
which is good to keep your ingestion rate down.

66
00:03:05,440 --> 00:03:06,920
So go and have a look at that.

67
00:03:06,920 --> 00:03:09,800
The Azure Activity Logs connector is now based on

68
00:03:09,800 --> 00:03:11,600
the diagnostic settings pipeline,

69
00:03:11,600 --> 00:03:17,520
which means there's a better ingestion rate and better performance.

70
00:03:17,520 --> 00:03:19,880
But these upgrades are not automatic.

71
00:03:19,880 --> 00:03:22,000
You need to go in and change things.

72
00:03:22,000 --> 00:03:23,920
So go and have a look at that.

73
00:03:23,920 --> 00:03:26,760
We've now finally got public preview of

74
00:03:26,760 --> 00:03:29,240
export and importing analytics rules.

75
00:03:29,240 --> 00:03:31,960
That is something that I have had

76
00:03:31,960 --> 00:03:35,040
many customers ask me about all the time.

77
00:03:35,040 --> 00:03:37,520
So now you can export them into an ARM template,

78
00:03:37,520 --> 00:03:39,840
and then you can re-import them.

79
00:03:39,840 --> 00:03:42,520
So if you need a copy of your rules,

80
00:03:42,520 --> 00:03:45,000
for whatever reason, you can do that.

81
00:03:45,000 --> 00:03:47,800
Then last but not least,

82
00:03:47,800 --> 00:03:50,400
in fact, not last but not least is a few more.

83
00:03:50,400 --> 00:03:54,320
The alert enrichment has now got alert details,

84
00:03:54,320 --> 00:03:57,440
so you can custom tailor the way alerts are.

85
00:03:57,440 --> 00:04:01,200
We've got some more documentation around playbooks,

86
00:04:01,200 --> 00:04:03,640
and a really cool thing is that

87
00:04:03,640 --> 00:04:07,040
all of the Azure Sentinel documentation has now been reorganized.

88
00:04:07,040 --> 00:04:09,200
We've got some really cool people on board.

89
00:04:09,200 --> 00:04:13,960
Shout out to the Sentinel docs and content folks.

90
00:04:13,960 --> 00:04:16,920
They've reorganized all our documentation,

91
00:04:16,920 --> 00:04:19,320
and they've done it in better categories.

92
00:04:19,320 --> 00:04:21,600
So we've got like collect your data,

93
00:04:21,600 --> 00:04:23,680
threat intelligence, threat hunting.

94
00:04:23,680 --> 00:04:25,320
So depending on what you might be

95
00:04:25,320 --> 00:04:27,160
interested in using Sentinel for,

96
00:04:27,160 --> 00:04:28,960
what your job is, so it should be

97
00:04:28,960 --> 00:04:31,120
much easier to find the documentation.

98
00:04:31,120 --> 00:04:34,680
So that is all my Sentinel news,

99
00:04:34,680 --> 00:04:37,880
because let's face it, that's basically what I talk about.

100
00:04:37,880 --> 00:04:41,160
A bunch of things to my interest over the last week or so.

101
00:04:41,160 --> 00:04:44,680
The first one is that the web application firewall in

102
00:04:44,680 --> 00:04:48,960
Azure front door has an updated set of default rules for things

103
00:04:48,960 --> 00:04:50,480
like detecting cross-site scripting,

104
00:04:50,480 --> 00:04:53,040
SQL injection, and so on.

105
00:04:53,040 --> 00:04:56,920
I have a concern with web application firewalls.

106
00:04:56,920 --> 00:04:59,400
I've seen people put a WAF in place

107
00:04:59,400 --> 00:05:02,040
without really caring about the quality of

108
00:05:02,040 --> 00:05:05,320
the security of the underlying software that they've written.

109
00:05:05,320 --> 00:05:09,000
There really is no replacement for getting the code right.

110
00:05:09,000 --> 00:05:10,760
In my opinion,

111
00:05:10,760 --> 00:05:13,400
I think everyone on the podcast would agree with me here,

112
00:05:13,400 --> 00:05:15,240
that the role of a WAF is not to

113
00:05:15,240 --> 00:05:18,160
compensate for the fact that you wrote lousy code.

114
00:05:18,160 --> 00:05:20,840
It's therefore as an extra layer of defense,

115
00:05:20,840 --> 00:05:23,680
in case you've made a mistake or in case you've missed something.

116
00:05:23,680 --> 00:05:25,960
Remember, it's one more thing to manage.

117
00:05:25,960 --> 00:05:28,680
More things and more complexities can make things a little bit

118
00:05:28,680 --> 00:05:31,320
harder to manage and less secure.

119
00:05:31,320 --> 00:05:33,440
So don't think that a WAF is

120
00:05:33,440 --> 00:05:35,240
a replacement for getting the code right.

121
00:05:35,240 --> 00:05:37,480
You should always be striving to get the code right,

122
00:05:37,480 --> 00:05:40,640
just recognizing that you never will get it 100 percent correct.

123
00:05:40,640 --> 00:05:42,840
So for example, one of the vulnerability classes that it

124
00:05:42,840 --> 00:05:44,640
can detect is SQL injection,

125
00:05:44,640 --> 00:05:50,320
but make sure you write code that uses parameterized queries.

126
00:05:50,320 --> 00:05:52,680
Get the code right. Don't just focus on saying,

127
00:05:52,680 --> 00:05:53,800
yeah, I've got a WAF in front of us,

128
00:05:53,800 --> 00:05:55,880
we're golden, no, you're not.

129
00:05:55,880 --> 00:05:59,600
Next one is Azure Active Directory

130
00:05:59,600 --> 00:06:02,200
only authentication into Azure SQL,

131
00:06:02,200 --> 00:06:03,600
that's now available.

132
00:06:03,600 --> 00:06:07,800
So essentially, that turns off standard authentication,

133
00:06:07,800 --> 00:06:10,720
and SQL Server has been around since

134
00:06:10,720 --> 00:06:13,520
the very earliest days of SQL Server.

135
00:06:13,520 --> 00:06:15,760
I'm showing my age here,

136
00:06:15,760 --> 00:06:18,720
but even back in the days when I first started using SQL Server,

137
00:06:18,720 --> 00:06:22,000
which was SQL Server 4.2 running on OS/2,

138
00:06:22,000 --> 00:06:24,840
that's how far back standard authentication goes.

139
00:06:24,840 --> 00:06:29,120
So now finally, there's an option in Azure SQL to disable that,

140
00:06:29,120 --> 00:06:31,880
and just use Azure AD only authentication.

141
00:06:31,880 --> 00:06:36,800
Azure Sphere OS is now updated to 21.06.

142
00:06:36,800 --> 00:06:38,880
Just some general security vulnerabilities have been

143
00:06:38,880 --> 00:06:41,760
fixed, better integration with wolfSSL.

144
00:06:41,760 --> 00:06:44,800
The last one, one of my favorite topics,

145
00:06:44,800 --> 00:06:49,160
we now have new Azure VMs for confidential compute workloads.

146
00:06:49,160 --> 00:06:51,640
These are significantly larger than

147
00:06:51,640 --> 00:06:56,080
the current set of VMs that are available for confidential compute.

148
00:06:56,080 --> 00:07:02,480
So these are VMs that are based on Intel's third-gen Xeon scalable processor,

149
00:07:02,480 --> 00:07:04,720
and they support SGX,

150
00:07:04,720 --> 00:07:06,160
Software Guard Extensions,

151
00:07:06,160 --> 00:07:10,160
which is used to run code and data in a secure enclave.

152
00:07:10,160 --> 00:07:14,040
So now we have these more scalable versions which have up to

153
00:07:14,040 --> 00:07:17,640
like a thousand times more memory and up to 48 cores.

154
00:07:17,640 --> 00:07:20,640
One of the concerns about the current crop of VMs for

155
00:07:20,640 --> 00:07:23,080
confidential compute is that they're relatively small,

156
00:07:23,080 --> 00:07:24,600
and that's a fair comment,

157
00:07:24,600 --> 00:07:29,040
but we're in limited preview right now for much larger workloads.

158
00:07:29,040 --> 00:07:31,800
The first news that I wanted to share is that

159
00:07:31,800 --> 00:07:37,240
MITRE Threat-Informed Defense Center has released a mapping of

160
00:07:37,240 --> 00:07:44,400
the Azure infrastructure as a service or IaaS controls against the ATT&CK framework.

161
00:07:44,400 --> 00:07:46,960
With that release, they're providing

162
00:07:46,960 --> 00:07:50,680
supporting documentation and resources that can be

163
00:07:50,680 --> 00:07:54,040
used with any project that you may have.

164
00:07:54,040 --> 00:07:56,160
If you take a look at it,

165
00:07:56,160 --> 00:07:58,720
within one of the documentation,

166
00:07:58,720 --> 00:08:03,760
you will see the ATT&CK table which is color coded.

167
00:08:03,760 --> 00:08:08,360
It has different shades of yellow, green,

168
00:08:08,360 --> 00:08:14,160
and what they're trying is to define the areas where

169
00:08:14,160 --> 00:08:20,480
basic minimal partial or significant coverage is provided for

170
00:08:20,480 --> 00:08:25,040
the protect, detect, and respond functions.

171
00:08:25,040 --> 00:08:30,560
Also, they understand that some of these controls may

172
00:08:30,560 --> 00:08:35,960
provide all three, protect, detect, and respond, so they have a color,

173
00:08:35,960 --> 00:08:41,960
I think it's purple for the areas where all three are covered.

174
00:08:41,960 --> 00:08:46,720
I have to research a little bit more on this.

175
00:08:46,720 --> 00:08:51,480
I haven't read all the documentation for this mapping,

176
00:08:51,480 --> 00:08:55,360
but I think that their mapping controls against

177
00:08:55,360 --> 00:08:59,160
capability provided by individual services.

178
00:08:59,160 --> 00:09:00,960
If you are aware,

179
00:09:00,960 --> 00:09:09,400
Microsoft services provide many integrations to many of the services that we have.

180
00:09:09,400 --> 00:09:13,200
When those services are integrated,

181
00:09:13,200 --> 00:09:17,840
there are many capabilities in automation that becomes available.

182
00:09:17,840 --> 00:09:22,680
I'm not sure if they have taken into

183
00:09:22,680 --> 00:09:28,000
consideration the integration as part of the control.

184
00:09:28,000 --> 00:09:30,000
In either case, it's a good start.

185
00:09:30,000 --> 00:09:32,080
Many customers have been asking for it,

186
00:09:32,080 --> 00:09:34,600
so everyone will be happy.

187
00:09:34,600 --> 00:09:38,400
Another news that I wanted to share is that

188
00:09:38,400 --> 00:09:46,600
enhanced audit logs for conditional access policy changes have been made public preview.

189
00:09:46,600 --> 00:09:51,800
An important aspect of managing conditional access is

190
00:09:51,800 --> 00:09:56,520
understanding changes to the policies over time.

191
00:09:56,520 --> 00:10:02,640
Policy changes may cause disruptions for your end users,

192
00:10:02,640 --> 00:10:06,840
so maintaining a log of changes and enabling

193
00:10:06,840 --> 00:10:13,120
admins to revert previous policies versions is really important.

194
00:10:13,120 --> 00:10:19,560
In addition to showing who made a policy change and when,

195
00:10:19,560 --> 00:10:26,160
the audit logs will now also contain a modified property value,

196
00:10:26,160 --> 00:10:28,880
so that the admins have

197
00:10:28,880 --> 00:10:34,320
created visibility into what are segments and conditions,

198
00:10:34,320 --> 00:10:37,440
and even controls have been changed.

199
00:10:37,440 --> 00:10:46,760
Another news is that PIM has added support to the ABAC conditions in Azure Storage roles.

200
00:10:46,760 --> 00:10:53,440
In previous podcasts, I talked about ABAC, attribute-based access control,

201
00:10:53,440 --> 00:10:58,800
and how excited I was for that functionality because

202
00:10:58,800 --> 00:11:05,080
basically by adding more attributes to different resources,

203
00:11:05,080 --> 00:11:10,560
now those attributes could be also used for conditional access.

204
00:11:10,560 --> 00:11:13,560
In this case, with ABAC,

205
00:11:13,560 --> 00:11:18,440
you could grant a security principal access to a resource,

206
00:11:18,440 --> 00:11:26,240
in this case, Azure storage based on the value of an attribute.

207
00:11:26,240 --> 00:11:30,560
Also, Azure Security Podcast Spanish Edition,

208
00:11:30,560 --> 00:11:33,840
the second episode is now available.

209
00:11:33,840 --> 00:11:38,320
For those of you Spanish speakers,

210
00:11:38,320 --> 00:11:41,840
we are interviewing Roberto Rodriguez,

211
00:11:41,840 --> 00:11:44,520
who is talking about SimuLand.

212
00:11:44,520 --> 00:11:49,480
Roberto is going to be talking about SimuLand with us in

213
00:11:49,480 --> 00:11:52,320
the English podcast sometime in September.

214
00:11:52,320 --> 00:11:56,480
If you do not understand Spanish,

215
00:11:56,480 --> 00:12:01,520
don't be worried, we're going to have him soon in our show,

216
00:12:01,520 --> 00:12:07,200
and you could listen to what he had to say about SimuLand and all the work that he's doing.

217
00:12:07,200 --> 00:12:09,200
That's all for me.

218
00:12:09,200 --> 00:12:13,240
With that, let's turn our attention to our guests this week.

219
00:12:13,240 --> 00:12:15,440
This week we have Rin Yu.

220
00:12:15,440 --> 00:12:18,600
He is a Principal Cyber Analytics Specialist

221
00:12:18,600 --> 00:12:21,800
focusing on Sentinel and other SOC technology.

222
00:12:21,800 --> 00:12:23,400
Rin, why don't you take a moment,

223
00:12:23,400 --> 00:12:26,120
explain what you do at Microsoft and how long you've been here.

224
00:12:26,120 --> 00:12:27,520
My name is Rin Yu,

225
00:12:27,520 --> 00:12:31,160
and I've been with Microsoft since 2012,

226
00:12:31,160 --> 00:12:34,840
and I started out on the Xbox security team,

227
00:12:34,840 --> 00:12:40,000
helping to build out our security operations within Xbox and Microsoft Gaming,

228
00:12:40,000 --> 00:12:41,400
what that needed to look like,

229
00:12:41,400 --> 00:12:47,200
and then later on they merged us in with the larger Windows devices organization,

230
00:12:47,200 --> 00:12:50,520
and thinking things through on how to integrate

231
00:12:50,520 --> 00:12:54,960
security operations back into a larger hub and spoke model that we now see today

232
00:12:54,960 --> 00:12:57,600
through our Cyber Defense Operations Center,

233
00:12:57,600 --> 00:12:59,680
also known as our CDOC.

234
00:12:59,680 --> 00:13:05,600
That's some of the things that I've been a part of before taking on this role.

235
00:13:05,600 --> 00:13:11,600
The role that I have now is a Principal Analytics Specialist over Azure Sentinel,

236
00:13:11,600 --> 00:13:18,200
and our threat hunting, tooling, and SOC processes within our security products

237
00:13:18,200 --> 00:13:23,840
has given me the opportunity to really help shape the way Sentinel has taken form,

238
00:13:23,840 --> 00:13:25,320
partnering with our product groups,

239
00:13:25,320 --> 00:13:27,040
partnering with our partners,

240
00:13:27,040 --> 00:13:30,200
and our field sellers, and our customers.

241
00:13:30,200 --> 00:13:32,080
That's what I do today.

242
00:13:32,080 --> 00:13:36,920
Rin, we heard about the SOC process framework that you just released recently.

243
00:13:36,920 --> 00:13:41,040
We've actually already mentioned it on one of our earlier episodes,

244
00:13:41,040 --> 00:13:43,440
but can you tell us more about it?

245
00:13:43,440 --> 00:13:49,720
Absolutely. The SOC process framework, it was a labor of love.

246
00:13:49,720 --> 00:13:55,720
It was something that took shape from multiple customer conversations,

247
00:13:55,720 --> 00:14:01,000
asking about how to operationalize Sentinel,

248
00:14:01,000 --> 00:14:05,760
and our threat hunting tools within Sentinel and our XDR platform,

249
00:14:05,760 --> 00:14:08,120
and what that needed to look like.

250
00:14:08,120 --> 00:14:12,800
We sat down to think through processes and procedures,

251
00:14:12,800 --> 00:14:17,400
and how we could incorporate those and operationalize the toolset.

252
00:14:17,400 --> 00:14:22,200
Who do you envision using it, or who are you seeing using it?

253
00:14:22,200 --> 00:14:27,200
Who should be thinking about reading it and taking a look at this?

254
00:14:27,200 --> 00:14:33,760
Yeah, really honestly, anyone, whether you're small, medium, large,

255
00:14:33,760 --> 00:14:37,440
doesn't really matter, anyone really can leverage this framework.

256
00:14:37,440 --> 00:14:42,360
It's built into the workbook gallery within Sentinel.

257
00:14:42,360 --> 00:14:44,640
You can go into the gallery,

258
00:14:44,640 --> 00:14:46,480
you can pull that down, save it,

259
00:14:46,480 --> 00:14:51,320
and then start to take a look at the content within the workbook.

260
00:14:51,320 --> 00:14:56,480
Some of which, it's all built around processes and procedures

261
00:14:56,480 --> 00:15:01,680
that you can snap your operations, your security operations, to,

262
00:15:01,680 --> 00:15:03,920
to give you things to think about,

263
00:15:03,920 --> 00:15:07,560
questions to consider as you're looking at severity,

264
00:15:07,560 --> 00:15:09,160
as you're looking at criticality,

265
00:15:09,160 --> 00:15:11,840
as you're looking at assets in your line of business,

266
00:15:11,840 --> 00:15:16,440
as you're looking at where those line of business meet revenue generating business,

267
00:15:16,440 --> 00:15:18,840
and how you need to protect assets,

268
00:15:18,840 --> 00:15:21,800
thinking of services, applications,

269
00:15:21,800 --> 00:15:25,320
whether they're, we call them hybrid cloud,

270
00:15:25,320 --> 00:15:28,920
if they're on Azure or AWS or Google,

271
00:15:28,920 --> 00:15:30,680
or even if they're on-prem,

272
00:15:30,680 --> 00:15:32,960
wherever those things may live,

273
00:15:32,960 --> 00:15:38,480
thinking about how to monitor for those activities.

274
00:15:38,480 --> 00:15:40,840
Then as you're monitoring for those,

275
00:15:40,840 --> 00:15:43,760
being able to understand the type of telemetry and

276
00:15:43,760 --> 00:15:47,160
signaling that that monitoring is giving you and then taking action

277
00:15:47,160 --> 00:15:49,960
on the alerts and the monitoring,

278
00:15:49,960 --> 00:15:52,040
as well as thinking through controls,

279
00:15:52,040 --> 00:15:57,160
thinking through ways to be able to protect those assets,

280
00:15:57,160 --> 00:15:59,560
and then bringing those pieces together.

281
00:15:59,560 --> 00:16:06,280
So it really is, it's for any organization that is looking to really build out and

282
00:16:06,280 --> 00:16:11,440
understand how to apply security operations from a process and

283
00:16:11,440 --> 00:16:14,800
procedural perspective to help them

284
00:16:14,800 --> 00:16:18,320
operationalize the tool sets that they already have in play.

285
00:16:18,320 --> 00:16:24,400
Like a security operations lead or manager or director are the primary audiences,

286
00:16:24,400 --> 00:16:26,200
but then everybody would use the process.

287
00:16:26,200 --> 00:16:27,360
Is that accurate?

288
00:16:27,360 --> 00:16:29,480
Yeah, absolutely.

289
00:16:29,480 --> 00:16:36,120
So, Rin, how are you seeing customers using the framework actually in real life?

290
00:16:36,120 --> 00:16:38,360
That's a great question.

291
00:16:38,360 --> 00:16:44,160
So I had an individual reach out to me actually this morning.

292
00:16:44,160 --> 00:16:50,480
It's really interesting as I was talking to him and working through

293
00:16:50,480 --> 00:16:54,520
just a couple of thoughts that he had around it.

294
00:16:54,520 --> 00:16:59,240
It became very apparent that they want to be able to leverage

295
00:16:59,240 --> 00:17:03,360
the framework to be able to adapt it to their business and to their business model.

296
00:17:03,360 --> 00:17:10,880
Now, that means that they may have some processes already in place that can be

297
00:17:10,880 --> 00:17:14,280
kind of morphed or merged into the SOC process framework,

298
00:17:14,280 --> 00:17:16,080
which is exactly what it's meant to be.

299
00:17:16,080 --> 00:17:17,280
It's meant to be malleable.

300
00:17:17,280 --> 00:17:23,440
It's meant to be a form of adaptation to what a business already currently has.

301
00:17:23,440 --> 00:17:28,200
It's not to take away from what a business is already doing to protect their line of

302
00:17:28,200 --> 00:17:33,960
business, but more or less to build upon as a framework that they can really

303
00:17:33,960 --> 00:17:38,280
kind of snap to those things, especially if they're new to the security operation

304
00:17:38,280 --> 00:17:39,280
side of things.

305
00:17:39,280 --> 00:17:43,400
And so in this particular case, he was telling me, hey, this is fantastic.

306
00:17:43,400 --> 00:17:47,080
I've already been trying to implement some of these things.

307
00:17:47,080 --> 00:17:52,080
But one of the things I want to help really try to focus on is on automation.

308
00:17:52,080 --> 00:17:57,760
I want to think through some of the questions and some of the things so that we can really

309
00:17:57,760 --> 00:18:05,640
start applying more of that SOAR capability because of how small we are,

310
00:18:05,640 --> 00:18:11,160
so that we're reducing the amount of load that a human has to take on.

311
00:18:11,160 --> 00:18:15,760
And that's absolutely a great approach to the framework.

312
00:18:15,760 --> 00:18:21,120
Another approach, too, is also making sure that you're not just removing the human aspect

313
00:18:21,120 --> 00:18:26,360
of it, that you still have those checks and balances and that someone is making sure that

314
00:18:26,360 --> 00:18:28,360
they're looking at those alerts.

315
00:18:28,360 --> 00:18:31,080
They're looking at things that are being fired on.

316
00:18:31,080 --> 00:18:33,480
They're looking at the automation processes.

317
00:18:33,480 --> 00:18:42,880
They're doing some type of check around those processes and things so that we call the maturity

318
00:18:42,880 --> 00:18:43,880
model.

319
00:18:43,880 --> 00:18:45,960
You're looking at the maturity overall.

320
00:18:45,960 --> 00:18:47,560
And so you're going to start small.

321
00:18:47,560 --> 00:18:52,080
You're going to start a little by little and you're going to implement a few of these things

322
00:18:52,080 --> 00:18:53,800
here and a few of those things there.

323
00:18:53,800 --> 00:18:58,080
And as you continue to develop and grow, it's going to grow with you.

324
00:18:58,080 --> 00:19:01,760
And that's really what this model or this framework is designed to do.

325
00:19:01,760 --> 00:19:08,520
And so as he and I talked this morning, that really resonated with him because they were

326
00:19:08,520 --> 00:19:12,120
there in the process of implementing that.

327
00:19:12,120 --> 00:19:17,040
And it was exciting to see the light bulb turn on that he doesn't have to take the entire

328
00:19:17,040 --> 00:19:23,600
thing in one big chunk, that he can build upon it and take the pieces that are applicable

329
00:19:23,600 --> 00:19:28,120
now and continue to mature his security operations over time.

330
00:19:28,120 --> 00:19:32,720
Are you able to walk us through like a few of the modules?

331
00:19:32,720 --> 00:19:34,440
I know, I mean, I've had a look at it.

332
00:19:34,440 --> 00:19:35,680
It's a big thing.

333
00:19:35,680 --> 00:19:39,680
So we'd be here all day if we did probably the whole thing.

334
00:19:39,680 --> 00:19:45,480
But maybe talk us through maybe a couple of your favorites or maybe the first few.

335
00:19:45,480 --> 00:19:46,600
Absolutely.

336
00:19:46,600 --> 00:19:52,960
You know, my favorite is the incident response procedure section.

337
00:19:52,960 --> 00:19:58,400
That's before you get into some of the bigger sections, which are the analytical processes

338
00:19:58,400 --> 00:20:03,920
and procedures or the business processes and procedures or the operational or technology

339
00:20:03,920 --> 00:20:05,360
processes and procedures.

340
00:20:05,360 --> 00:20:08,480
So this workbook is pretty large.

341
00:20:08,480 --> 00:20:16,320
I believe we've tracked it to somewhere close to 60 pages worth of content around really

342
00:20:16,320 --> 00:20:18,880
helping to provide the detail to some of those.

343
00:20:18,880 --> 00:20:26,400
So the incident response procedures gives a summary of what an incident is and it then

344
00:20:26,400 --> 00:20:32,880
dives into the purpose of incident response procedures all up.

345
00:20:32,880 --> 00:20:41,480
It includes a decision matrix that helps them map severities and the severities come with

346
00:20:41,480 --> 00:20:49,200
the service level objectives or SLOs that any operational team can snap to.

347
00:20:49,200 --> 00:20:52,920
Again, all of these things are malleable and customizable.

348
00:20:52,920 --> 00:20:58,280
They can certainly edit and change within the workbook because all of our workbooks

349
00:20:58,280 --> 00:21:05,560
within Sentinel are open for customers to be able to take and change and modify and

350
00:21:05,560 --> 00:21:06,920
apply things.

351
00:21:06,920 --> 00:21:12,000
So think of it as kind of a repository of knowledge around SOC operations.

352
00:21:12,000 --> 00:21:17,440
And in this particular procedure, it really is kind of giving out that scope and definitions

353
00:21:17,440 --> 00:21:18,440
in that area.

354
00:21:18,440 --> 00:21:20,960
And then we step into severity definitions.

355
00:21:20,960 --> 00:21:25,840
We talk a little bit about why Sev-1, Sev-2, Sev-3, Sev-4.

356
00:21:25,840 --> 00:21:34,240
We give critical examples around compromise and service disruption or publicly displayed

357
00:21:34,240 --> 00:21:35,240
attacks.

358
00:21:35,240 --> 00:21:40,080
We talk a little bit about commodity versus advanced persistent attacks.

359
00:21:40,080 --> 00:21:46,440
We talk a little bit about examples around services and sensitive systems and different

360
00:21:46,440 --> 00:21:55,000
attacks that may compromise computer systems as well as outbreaks or websites and vulnerabilities,

361
00:21:55,000 --> 00:22:00,760
all of those pieces so that an analyst can come in and look at the card.

362
00:22:00,760 --> 00:22:05,200
The way that it's broken out in this section of the workbook is it's each one of those

363
00:22:05,200 --> 00:22:12,720
has its own card with examples within that so that an analyst isn't left to try and

364
00:22:12,720 --> 00:22:18,000
understand or try to figure out why Sev-1, Sev-2, Sev-3 when they're trying to apply

365
00:22:18,000 --> 00:22:23,440
that type of nomenclature during an incident as they're triaging and they're doing some

366
00:22:23,440 --> 00:22:27,920
type of annotation within the incident blade within Azure Sentinel.

367
00:22:27,920 --> 00:22:31,360
Those are just a couple of the high level pieces.

368
00:22:31,360 --> 00:22:35,920
Then we get into the overall incident response process.

369
00:22:35,920 --> 00:22:40,320
There is a Visio diagram that breaks down each of the sections.

370
00:22:40,320 --> 00:22:42,680
We have watch and monitor.

371
00:22:42,680 --> 00:22:44,360
We have investigate.

372
00:22:44,360 --> 00:22:53,000
There is mobilize, assess and contain, and then last, remediate and recover.

373
00:22:53,000 --> 00:22:55,060
Then postmortem.

374
00:22:55,060 --> 00:23:02,080
We break down all of those sections from a large Visio diagram and we carve out each

375
00:23:02,080 --> 00:23:08,280
of the areas of that diagram and then go into a lot more details around how an analyst would

376
00:23:08,280 --> 00:23:15,560
think about that section if they're making decisions around, okay, can I triage this

377
00:23:15,560 --> 00:23:16,560
on my own?

378
00:23:16,560 --> 00:23:19,960
Can I deliver and do the investigation?

379
00:23:19,960 --> 00:23:24,080
Or do I need to escalate to some type of IR team?

380
00:23:24,080 --> 00:23:32,920
Do I need to pull in another organizational asset to help me triage because they know

381
00:23:32,920 --> 00:23:38,880
that line of business or they know the criticality of the assets or services or things that are

382
00:23:38,880 --> 00:23:47,560
running that have potentially been indicated through this investigation that I'm doing?

383
00:23:47,560 --> 00:23:51,280
We really want them to think about each of those areas.

384
00:23:51,280 --> 00:23:58,320
That's really what we're doing is we're calling out in detail each of those pieces so that

385
00:23:58,320 --> 00:24:02,760
they can really focus on the considerations.

386
00:24:02,760 --> 00:24:07,880
In this particular case, so let's just break down assessment and containment, asking questions

387
00:24:07,880 --> 00:24:10,880
like is the incident currently ongoing?

388
00:24:10,880 --> 00:24:12,600
What's the business impact?

389
00:24:12,600 --> 00:24:18,920
Is there stolen information that is potentially stored on the system?

390
00:24:18,920 --> 00:24:23,720
Is that system being monitored by the attacker?

391
00:24:23,720 --> 00:24:28,440
Are there automated routines to delete evidence?

392
00:24:28,440 --> 00:24:34,440
What type of activities are you noticing through the monitoring side or do you need to go hunt

393
00:24:34,440 --> 00:24:39,760
for some of those type of nefarious activities that may not necessarily have been alerted

394
00:24:39,760 --> 00:24:46,560
on because rules and detections may not have been set up to answer those questions?

395
00:24:46,560 --> 00:24:56,600
What's the production impact to those systems or to the assets or services in question?

396
00:24:56,600 --> 00:25:03,280
What does your containment strategy look like and how do you effectively preserve evidence

397
00:25:03,280 --> 00:25:07,480
during a containment strategy?

398
00:25:07,480 --> 00:25:12,560
Just really getting them to think about all of those things so that if they are in the

399
00:25:12,560 --> 00:25:18,920
middle of a deeper investigation where they're bringing in external resources, that they're

400
00:25:18,920 --> 00:25:25,720
asking those questions and making sure that everyone that is a part of that investigation

401
00:25:25,720 --> 00:25:34,680
all have those things at top of mind so that as they're looking at evidence and they're

402
00:25:34,680 --> 00:25:41,040
cataloging that evidence and they're time-lining that evidence, each of those pieces is coming

403
00:25:41,040 --> 00:25:48,240
to bear through the lens of the type of considerations that they need to be asking during the process

404
00:25:48,240 --> 00:25:49,240
itself.

405
00:25:49,240 --> 00:25:53,400
Yeah, you're definitely not kidding about the labor of love.

406
00:25:53,400 --> 00:26:00,840
That's an amazing set of resources just to hear from you as well as the visual for it.

407
00:26:00,840 --> 00:26:04,520
Tell me a little bit about how this kind of compares to some of the other Microsoft guidance

408
00:26:04,520 --> 00:26:08,600
that we've released, which is a little bit more of how to get started and kind of a simpler

409
00:26:08,600 --> 00:26:14,280
view to get things going. How would you compare, contrast what we've shared from our CDOC,

410
00:26:14,280 --> 00:26:19,200
our Cyber Defense Operations Center and those lessons learned and best practices there with

411
00:26:19,200 --> 00:26:21,360
the SOC process framework?

412
00:26:21,360 --> 00:26:29,320
Well, I think it's very complementary in the fact that I came from that world.

413
00:26:29,320 --> 00:26:35,600
A lot of the things that we've built into the workbook are industry standards, just

414
00:26:35,600 --> 00:26:42,560
things at a high level to consider and look at. Some customers, we may want to go deeper

415
00:26:42,560 --> 00:26:47,200
into some of those areas and focus a little bit heavier depending on what their line of

416
00:26:47,200 --> 00:26:53,600
business may be, or where they may see particular attacks, whether they may be on the advanced

417
00:26:53,600 --> 00:27:00,520
persistent side or on the commodity side. On the comparison of what we've offered, it's

418
00:27:00,520 --> 00:27:06,240
again very complementary. We're looking at a security operations model. We're thinking

419
00:27:06,240 --> 00:27:12,560
through what roles and responsibilities are on the Cyber Defense Operations Center. We

420
00:27:12,560 --> 00:27:19,480
too are looking at automation. We're looking at triage investigation, hunting and incident

421
00:27:19,480 --> 00:27:25,160
management. That's really what we're doing within this workbook is bringing those pieces

422
00:27:25,160 --> 00:27:31,400
but expanding them out into greater detail. I will say that there's a lot of stuff from

423
00:27:31,400 --> 00:27:39,320
some of the things Mark, you and I have worked on. Some of the stuff that you particularly

424
00:27:39,320 --> 00:27:48,680
have built into the SOC compass and some of the just detailed content there that we're

425
00:27:48,680 --> 00:27:53,320
really thinking about for V2. How do we incorporate that in? How do we make this a little bit

426
00:27:53,320 --> 00:28:00,560
more from that perspective so that we're giving a little bit more granularity to some of these

427
00:28:00,560 --> 00:28:07,240
areas? That's some of the things that we're thinking about, which I think I love. I love

428
00:28:07,240 --> 00:28:11,360
that message where we need to merge. We need to bring some of those pieces together. When

429
00:28:11,360 --> 00:28:15,960
I really thought through this, it was more of let's just think of industry standards,

430
00:28:15,960 --> 00:28:23,760
things that at a high level, any customer, no matter where they are in their state of

431
00:28:23,760 --> 00:28:29,760
affairs, they can think through processes and procedures and questions and just things

432
00:28:29,760 --> 00:28:35,840
to consider and apply them operationally. That's really what I was thinking about at

433
00:28:35,840 --> 00:28:41,320
the time of that. As you and I have talked and I think of we've talked with some of our

434
00:28:41,320 --> 00:28:46,240
other teams as we've talked with our product groups, those are some of the ideas that are

435
00:28:46,240 --> 00:28:52,200
now starting to emerge is we want to see a unification across the board there. I'm excited

436
00:28:52,200 --> 00:28:57,240
to say that that's where we're headed with some of the newer versions of the workbook,

437
00:28:57,240 --> 00:29:03,360
which I think will be well received. I love having a framework that we can actually work

438
00:29:03,360 --> 00:29:07,320
within and plug those best practices and so they go to the right folks and they get plugged

439
00:29:07,320 --> 00:29:14,520
into the right things. I think the complementary piece of having that here's your first steps

440
00:29:14,520 --> 00:29:18,480
and then here's what the whole journey looks like. You can pick and choose. Do you want

441
00:29:18,480 --> 00:29:21,960
to use this as a reference model to compare where you're at? Do you want to just run a

442
00:29:21,960 --> 00:29:25,160
couple of key best practices because you want to start on this area because you know this

443
00:29:25,160 --> 00:29:29,160
team really wants to get better? It gives a lot of different options there.

444
00:29:29,160 --> 00:29:35,200
I love that absolutely. I think that's what customers are asking for is one, where do

445
00:29:35,200 --> 00:29:41,960
I start? And two, what are the options that I have? And then how do I apply those options

446
00:29:41,960 --> 00:29:47,360
in a way that is impactful to my business? Well, you've kind of hinted on this, Rin,

447
00:29:47,360 --> 00:29:53,240
but what's next for the framework? You mentioned there that there's some new versions of workbooks

448
00:29:53,240 --> 00:29:59,800
coming, but are you doing a version two? What's next? We are currently working on a version

449
00:29:59,800 --> 00:30:06,520
two and one of the new features that we're playing around with, and so I'll hint to this,

450
00:30:06,520 --> 00:30:11,800
we're playing around with a feature called Flyaway Workbooks where we can link to additional

451
00:30:11,800 --> 00:30:18,880
workbook content within a given workbook, like the main workbook. And so one of the ideas

452
00:30:18,880 --> 00:30:26,720
we're thinking about is if we can carve off very particular, very granular and detailed

453
00:30:26,720 --> 00:30:35,240
content that gives us the ability to put that into a workbook where we can say, hey, how

454
00:30:35,240 --> 00:30:42,160
large are you and ask you questions around what your state of affairs are and then link

455
00:30:42,160 --> 00:30:48,760
to, if you fit any one of these models, here's content that is applicable to your current

456
00:30:48,760 --> 00:30:53,280
state. We're kind of looking along those lines, and that's exciting because then it

457
00:30:53,280 --> 00:30:59,080
allows us to really kind of expand on not only the content that the workbook can offer,

458
00:30:59,080 --> 00:31:05,680
but we can then make it more modular. And we can then start to scope some of the modularity

459
00:31:05,680 --> 00:31:10,840
of the workbook and the content to certain areas that I think customers are now asking

460
00:31:10,840 --> 00:31:17,600
us for, to really kind of help them dive more into where do I get started. Now, while the

461
00:31:17,600 --> 00:31:23,720
workbook is made simple so that you can just load it, you can go in, start to replace the

462
00:31:23,720 --> 00:31:28,160
customer word with your customer name, you can start to think through what processes

463
00:31:28,160 --> 00:31:32,760
and procedures are applicable to your line of business. It really, again, is malleable

464
00:31:32,760 --> 00:31:40,520
in that way. We're also thinking about ease of use, and we've been thinking about how

465
00:31:40,520 --> 00:31:44,840
we can make this a little bit more modular to drive that ease of use. And I think that's

466
00:31:44,840 --> 00:31:49,560
going to be exciting for those using Sentinel going forward. I'm kind of excited about what

467
00:31:49,560 --> 00:31:50,560
this might yield.

468
00:31:50,560 --> 00:31:54,240
So I've been listening to all of this. One of the first things that sort of came to

469
00:31:54,240 --> 00:31:58,920
my mind was, what's the best way to start with this framework? I mean, how would somebody

470
00:31:58,920 --> 00:32:00,320
get started?

471
00:32:00,320 --> 00:32:05,480
Yeah, again, you're going to go load that workbook into the gallery. You're going to

472
00:32:05,480 --> 00:32:10,120
get it started there. And you're going to pick each of those sections, right? You're

473
00:32:10,120 --> 00:32:16,360
going to, the first thing to do is when you go into the editor mode of the workbook, advanced

474
00:32:16,360 --> 00:32:21,600
editor, you can just do a search and replace of the word customer and put in whatever your

475
00:32:21,600 --> 00:32:25,440
line of business is. Boom. That's the very first thing to do to get started. Then the

476
00:32:25,440 --> 00:32:31,000
next thing you want to do is take each of those processes and procedures and really

477
00:32:31,000 --> 00:32:36,040
look at each of those sections on what are you doing today? What is your current state

478
00:32:36,040 --> 00:32:44,640
and how you can apply that to your business and to those that are working within the tool

479
00:32:44,640 --> 00:32:46,280
sets?

480
00:32:46,280 --> 00:32:50,920
And that's really what it is. It's understanding the processes and procedures, understanding

481
00:32:50,920 --> 00:32:57,360
those processes so that you can then apply them operationally to Azure Sentinel and to

482
00:32:57,360 --> 00:33:04,600
other security tools within our product stack. And as you're kind of looking at that, you're

483
00:33:04,600 --> 00:33:09,920
going to start to see a pattern. You're going to see how those processes and procedures

484
00:33:09,920 --> 00:33:15,520
build off of each other where you will have a framework. And so that's why we've also

485
00:33:15,520 --> 00:33:24,760
put in the workbook areas for diagrams. And so at the very, very beginning, when you go

486
00:33:24,760 --> 00:33:31,680
to the SOC main, you'll see the procedural flow. You'll see how the procedural flow interconnects

487
00:33:31,680 --> 00:33:37,880
with each other. You'll see, as it's talking about shift turnover and daily operations

488
00:33:37,880 --> 00:33:43,720
and it's looking at shift scheduling and staffing or training. And then from there,

489
00:33:43,720 --> 00:33:47,800
once you kind of have some of those pieces underway, then that training dovetails into

490
00:33:47,800 --> 00:33:53,120
okay, now I understand how to go monitor and triage. I can now do a crisis response or

491
00:33:53,120 --> 00:33:58,040
call out. I can do incident management and problem change. So really getting to each

492
00:33:58,040 --> 00:34:05,040
of those areas to understand the details of those processes and then how to apply the

493
00:34:05,040 --> 00:34:11,320
procedure of that process back to the tool itself. And that's really where the meat

494
00:34:11,320 --> 00:34:16,840
of this is. It really gives our customers that capability to operationalize the tool

495
00:34:16,840 --> 00:34:23,640
itself. It lowers the bar from Sentinel just being a tier three threat hunting capability

496
00:34:23,640 --> 00:34:30,720
tool. 'Cause that was feedback that we got a lot from our customers was, you know, this

497
00:34:30,720 --> 00:34:37,240
isn't really built for a tier one or tier two, you know, analysts. And that just really

498
00:34:37,240 --> 00:34:43,720
kind of made me disheartened, 'cause for me, you know, this has been my baby as well as Sarah

499
00:34:43,720 --> 00:34:47,420
is, you know, Sentinel mama. I've always thought, you know, I guess you guys have called me

500
00:34:47,420 --> 00:34:52,000
Sentinel papa or whatever, but Sentinel has been kind of in my blood clear back since,

501
00:34:52,000 --> 00:35:00,840
you know, early 2015, 2016, late 2015 when Sentinel was really kind of being conceptualized.

502
00:35:00,840 --> 00:35:04,960
And so we wanted to make sure that we were shaping in the right way. And this type of

503
00:35:04,960 --> 00:35:12,080
operationalization gives a level one level two, a really good understanding of how to

504
00:35:12,080 --> 00:35:20,600
apply, you know, a stage down notations using tagging that's built into the incident model,

505
00:35:20,600 --> 00:35:25,800
understanding how to queue and triage, understanding how to apply an escalation procedure through

506
00:35:25,800 --> 00:35:31,880
tagging, understanding all of those pieces because they can now use the tool the way

507
00:35:31,880 --> 00:35:39,600
it's been developed and designed through this level of understanding. And that's exciting.

508
00:35:39,600 --> 00:35:43,400
So something we ask all our guests is, is there a final thought that you would leave

509
00:35:43,400 --> 00:35:48,440
our listeners? Yeah, I think, you know, based on what the conversation we've had today,

510
00:35:48,440 --> 00:35:53,960
our final thought or my final thought is, you know, it doesn't matter how large, small,

511
00:35:53,960 --> 00:36:00,400
who you are, or what your current security state is, just do something, right? Take action,

512
00:36:00,400 --> 00:36:06,680
take a look at where you're at, apply the workbook, look at what is applicable to you,

513
00:36:06,680 --> 00:36:13,720
to your line of business and to your state of affairs, and use that to help drive further

514
00:36:13,720 --> 00:36:19,960
process, use that to help, you know, move you towards a level of maturity that, you know,

515
00:36:19,960 --> 00:36:25,200
that you hope to achieve. And I think that's what's so great is that it really is designed

516
00:36:25,200 --> 00:36:30,880
for all audiences because it's process based, right, so that you can apply that process no

517
00:36:30,880 --> 00:36:35,240
matter where you are within your state of affairs.

518
00:36:35,240 --> 00:36:39,200
So let's bring this episode to an end. Thanks, Rin, for joining us this week. I really appreciate

519
00:36:39,200 --> 00:36:43,480
you taking the time joining us. I learned a great deal from you. Hopefully our listeners

520
00:36:43,480 --> 00:36:47,560
learned a great deal too. And to our listeners, stay safe out there, take care of yourself,

521
00:36:47,560 --> 00:36:48,560
and we'll see you next time.

522
00:36:48,560 --> 00:36:52,920
Thanks for listening to the Azure Security Podcast. You can find show notes and other

523
00:36:52,920 --> 00:37:00,080
resources at our website azsecuritypodcast.net. If you have any questions, please find us

524
00:37:00,080 --> 00:37:06,640
on Twitter at azuresecpod. Background music is from ccmixter.com and licensed under the

525
00:37:06,640 --> 00:37:13,640
Creative Commons license.

