THREAD: Yesterday I gave a talk at #ITechDays on the #Security approach in a #Cloud with #Azure context.
Here are the key points and the promised links and references.
DISCLAIMER: I'm an MVP and RD, but this isn't based on NDA info. My opinions only.
It might be wrong. You are warned.
John Boyd defined the #OODA loop. It is not the strongest or best equipped who survive.
Rate of adaptation to change matters.
How does it apply to #security?
#cloud and #security got complex. The number of entry points and attack vectors has increased.
Every user's identity is an attack vector now!
Process it!
Question is: How quickly can you detect an incident and react? Reaction doesn't have to be perfect at first.
It is not about how much protection you put in place and how many doors you will lock in your network.
It is about IF and HOW FAST you can respond.
OBSERVE: Collect logs from your endpoints, devices and services.
HINT: #Cloud vendors collect massive amount of signals - think #AZURE #XBOX #Office365
ORIENT: Correlate, report, dashboards, queries and threat hunting analytics
DECIDE: Classify incidents with automated rules and playbooks, triage incidents with automation and collect evidence
ACT: Automated actions to isolate, re-configure or trigger risk-based response to the action
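As an added illustration of the four steps above (not code from the thread or from any Azure service), here is a minimal OODA-style loop in Python run over constructed sign-in log lines: observe parses the raw lines and drops the unparsable ones, orient builds a per-identity profile, decide classifies it with a simple rule, and act returns the automated response. The log records, the thresholds and the action names are assumptions made up for the example.

```python
import json
from dataclasses import dataclass, field

# Constructed sign-in log lines (one JSON object per line). Not real telemetry.
# The last line is deliberately malformed to show the loop keeps running.
SIGNIN_LOGS = """
{"ts": "2020-10-01T08:00:01Z", "user": "alice", "result": "failure", "country": "PL"}
{"ts": "2020-10-01T08:00:09Z", "user": "alice", "result": "failure", "country": "PL"}
{"ts": "2020-10-01T08:00:20Z", "user": "alice", "result": "success", "country": "PL"}
{"ts": "2020-10-01T08:01:00Z", "user": "bob", "result": "failure", "country": "BR"}
{"ts": "2020-10-01T08:01:02Z", "user": "bob", "result": "failure", "country": "BR"}
{"ts": "2020-10-01T08:01:04Z", "user": "bob", "result": "failure", "country": "BR"}
{"ts": "2020-10-01T08:01:06Z", "user": "bob", "result": "failure", "country": "BR"}
{"ts": "2020-10-01T08:01:08Z", "user": "bob", "result": "failure", "country": "BR"}
{"ts": "2020-10-01T08:01:10Z", "user": "bob", "result": "failure", "country": "BR"}
{"ts": "2020-10-01T08:01:12Z", "user": "bob", "result": "success", "country": "BR"}
{"ts": "2020-10-01T08:02:00Z", "user": "carol", "result": "failure", "country": "NL"}
{"ts": "2020-10-01T08:02:01Z", "user": "carol", "result": "failure", "country": "NL"}
{"ts": "2020-10-01T08:02:02Z", "user": "carol", "result": "failure", "country": "NL"}
{"ts": "2020-10-01T08:02:03Z", "user": "carol", "result": "failure", "country": "NL"}
{"ts": "2020-10-01T08:02:04Z", "user": "carol", "result": "failure", "country": "NL"}
{"ts": "2020-10-01T08:03:00Z", "user": "dave", "result": "success", "country": "PL"}
{"ts": "2020-10-01T08:03:30Z", "user": "dave", "result": "success", "country": "US"}
this line is not JSON and must not break the loop
"""


@dataclass
class UserProfile:
    """ORIENT output: what we know about one identity in the window."""
    user: str
    failures: int = 0
    successes_after_failures: int = 0
    countries: set = field(default_factory=set)


def observe(raw: str) -> list:
    """OBSERVE: parse log lines, skipping malformed or incomplete records."""
    events = []
    for line in raw.strip().splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line is dropped, not fatal
        if {"ts", "user", "result", "country"} <= set(ev):
            events.append(ev)
    return events


def orient(events: list) -> dict:
    """ORIENT: correlate events per identity in time order."""
    profiles = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        p = profiles.setdefault(ev["user"], UserProfile(ev["user"]))
        p.countries.add(ev["country"])
        if ev["result"] == "failure":
            p.failures += 1
        elif p.failures > 0:
            p.successes_after_failures += 1  # success following a failure run
    return profiles


def decide(profile: UserProfile, failure_threshold: int = 5):
    """DECIDE: classify the identity with simple rules (thresholds are assumed)."""
    if profile.failures >= failure_threshold and profile.successes_after_failures:
        return "high"      # a failure run ended in a success: treat as likely compromise
    if profile.failures >= failure_threshold or len(profile.countries) > 1:
        return "medium"    # noisy failures, or sign-ins from several countries
    return None


# Assumed action names; a real playbook would map these to platform API calls.
ACTIONS = {
    "high": ["revoke_sessions", "block_signin_pending_review", "open_ticket"],
    "medium": ["require_mfa", "open_ticket"],
}


def act(severity: str) -> list:
    """ACT: return the automated response for a severity."""
    return list(ACTIONS[severity])


def run_loop(raw: str, failure_threshold: int = 5) -> dict:
    """One pass through the loop; returns incidents keyed by user."""
    incidents = {}
    for user, profile in orient(observe(raw)).items():
        severity = decide(profile, failure_threshold)
        if severity:
            incidents[user] = {"severity": severity, "actions": act(severity)}
    return incidents


if __name__ == "__main__":
    for user, incident in run_loop(SIGNIN_LOGS).items():
        print(user, incident)
```

The point of the structure is that each step returns data the next one consumes, so any step can be swapped for a richer one (a real log source, a KQL query, a playbook) without touching the others, and a first imperfect rule set still yields a working loop that can be tuned from what it catches.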
Security operations connected to OODA Loop concept derived from Jurgen Visser (linkedin.com/in/jurgenvisse…)
Link: correlatedsecurity.com/an-ooda-driven…
#Azure Services like #AzureAD @azuread with its signals, conditional access and risk-based identity protection are delivering its own smaller #OODA Loops
Same with other services - #Azure Security Center @AzureTeamSec works on its own OODA Loop (collect, orient, decide, act) to protect specific resources
#Azure delivers platform and tools to execute your own #security loop. Each of those tools runs its internal loop to mitigate threats.
#Cloud providers make a commodity not only of the platform but also of #security consulting.
Not perfect but compliance manager or Secure Score are good enough for most who don't do anything at all now.
ORIENT: Go check your Compliance Manager score for @Microsoft365 #Office365: compliance.microsoft.com/compliancemana…
ORIENT: Go check your Secure Score: security.microsoft.com/securescore.
Both will give you a baseline. You will be surprised how low it typically is.
#Azure Security Center does the same for cloud infrastructure, now also for #AWS and #GCP.
Base security consulting knowledge was turned into commodity tools
What you need besides security knowledge is to learn new skills: KQL, Jupyter Notebooks, Python, #Azure security concepts.
How? Here are links
#Azure security - start with Azure Security Compass and TOP10 Azure Security practices:
aka.ms/azuresecurityc…
@MarkSimos did a great job here.
Defender ATP Ninja - good general training: techcommunity.microsoft.com/t5/microsoft-d…
#Azure Security Ninja - another good curated resource list: techcommunity.microsoft.com/t5/azure-secur…
A big one - #AzureSentinel. Start with ninja training resources: techcommunity.microsoft.com/t5/azure-senti…
#AzureSentinel to go will speed up your lab creation and training - github.com/OTRF/Azure-Sen…
KQL Ninja will help you master queries and analytics in it: security-tzu.com/2020/08/07/bec…
Be Good! Buy @DebugPrivilege a coffee!
#Cloud vendors will become (are) security vendors. It will level a playing field a bit (not totally) on defense side.
And a bonus - a #WardleyMap on the security area in the #azure cloud I did some time ago. Like every map, it isn't perfect.
Challenge it.
/EOT