US National Cybersecurity Strategy

Based on the recent publication of the US National Cybersecurity Strategy, here are some practical suggestions for implementing cybersecurity solutions that loosely map to its guidelines:

  1. Defend Critical Infrastructure by:
  • Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety and harmonizing regulations to reduce the burden of compliance

Recommendation: Perform a gap analysis on your cybersecurity defenses. Start with a master list of all recommended defenses and compare it to the tools your organization already has, then prioritize the implementation of any missing defenses. Consider consolidating security solutions under a single vendor’s license agreement to save on costs. Create good architecture diagrams that describe your infrastructure from a cybersecurity perspective.

  • Enabling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services

Recommendation: Create an inventory of all critical assets. If you’re a small org then a manual inventory is fine, otherwise consider a mature asset collection tool to help with this (google ‘asset inventory cybersecurity’ and you’ll get plenty of hits). Use your asset inventory to categorize critical assets and use this information in your SIEM to help with better correlations.

  • Defending and modernizing Federal networks and updating Federal incident response policy.

Recommendation: Review/create incident response policies and procedures. Consider creating specific response procedures that map to your SIEM incidents to improve clarity and incident response times.

  2. Disrupt and Dismantle Threat Actors by:
  • Using all instruments of national power, making malicious cyber actors incapable of threatening the national security or public safety of the United States
  • Strategically employing all tools of national power to disrupt adversaries
  • Engaging the private sector in disruption activities through scalable mechanisms
  • Addressing the ransomware threat through a comprehensive Federal approach and in lockstep with international partners.

Recommendation: Have a clear understanding of the ‘kill chains’ that may affect your organization. Use MITRE ATT&CK and your favorite security sites to research threat actor groups. Identify the security tools needed to detect/block attackers. Test/validate the effectiveness of those tools using Red/Blue/Purple team events.

  3. Shape Market Forces to Drive Security and Resilience by:
  • Placing responsibility on those within the digital ecosystem that are best positioned to reduce risk and shift the consequences of poor cybersecurity away from the most vulnerable in order to make the digital ecosystem more trustworthy
  • Promoting privacy and the security of personal data

Recommendation: Move data to the cloud and implement a data protection solution that not only tags and categorizes your data but locks out access if it’s stolen.

  • Shifting liability for software products and services to promote secure development practices
  • Ensuring that Federal grant programs promote investments in new infrastructure that are secure and resilient.
  4. Invest in a Resilient Future by:
  • Reducing systemic technical vulnerabilities in the foundation of the Internet and across the digital ecosystem while making it more resilient against transnational digital repression

Recommendation: Implement a robust vulnerability assessment solution. Note that moving all your assets to the cloud can make this far easier to manage and can greatly benefit the effectiveness of your CSPM and SIEM.

  • Prioritizing cybersecurity R&D for next-generation technologies such as postquantum encryption, digital identity solutions, and clean energy infrastructure and developing a diverse and robust national cyber workforce.
  5. Forge International Partnerships to Pursue Shared Goals by:
  • Leveraging international coalitions and partnerships among like-minded nations to counter threats to the digital ecosystem through joint preparedness, response, and cost imposition
  • Increasing the capacity of partners to defend themselves against cyber threats, both in peacetime and in crisis; and working with allies and partners to make secure, reliable, and trustworthy global supply chains for information and communications technology and operational technology products and services.

Recommendation: Although many are reluctant to go back to the IBM days of putting all your security solutions into a single basket, cloud vendors and MSSPs have made great progress in the past 5+ years to provide a long list of services under one roof. When looking for one security product it’s very important to think broader and understand the interconnected values between all of your other security tools (XDR!). Security decision makers will often find that re-shuffling several of their security solutions makes more sense than just adding them one brick at a time.

Do you really need an NIDS anymore?

I had a client the other day asking for my recommendations on a NIDS platform.

Back in the day, NIDS was the ONLY security tool many corporations depended on to detect malicious activity. Many of the top MSSPs would build service contracts around just firewall and NIDS.

It’s worth questioning the value of NIDS today as EDR and XDR get better and better.

For example, Defender for Endpoint provides network threat intel and works with Defender for Cloud Apps to identify and block malicious web traffic.

And if you think of XDR as also including ‘smart’ firewalls like Palo Alto, and with proper network segmentation, you have to consider if NIDS is a worthy expenditure.

And if your DMZ has moved to or integrated with the cloud there are different ways to monitor/protect your sensitive assets than NIDS.

Just a few things to consider when trying to balance security value with your budget.

More references on this topic (Thanks Kevin!!!)

https://www.pratum.com/blog/262-why-intrusion-detection-and-prevention-systems-are-still-important

SIEM Use Case Guide – Part 3

Real World Examples

In this section let’s take the real-world example of BloodHound and discuss defensive measures for that use case.

Bloodhound

Step 1: Know thy Enemy.

Have a good list of threat intelligence sites (e.g. MITRE) that you can use to learn about an attack group or a specific exploit. BloodHound uses ‘ingestors’ like SharpHound to collect information, which it then uses to map out an attack path. So when looking for defenses you may need to look at the ingestors, not BloodHound itself (although SharpHound may run as a sub-command within BloodHound).

Step 2: Plan your defenses and build a Blue Team toolkit.

There are many ways to detect and block an exploit, depending on the conditions. But don’t take too much time thinking about the best way to do it when there are some easy wins that you can do right away, for example:

  • Ensure an EDR (and AntiMalware) is installed on all endpoints, and run reports to ensure their rules/signatures are all kept updated.
  • If the EDR vendor provides advanced features, make sure they’re enabled for optimal defenses, e.g. enable blocking mode and advanced configurations such as Microsoft Defender ASR (Attack Surface Reduction).
  • Configuration Policies – Use tools like Microsoft Endpoint Manager (with Intune) to configure policies on your endpoints and provide a base ‘hardening’ for your devices. Ensure logging is enabled on all servers, including advanced logging for PowerShell. If you’re using one or more cloud platforms you should be managing your infrastructure’s security policies with a CSPM (cloud security posture management) tool like Microsoft Defender for Cloud; this can also add defenses like FIM (File Integrity Monitoring).

Step 3: Build Process For Faster Response

Once you have a list of tools/methods for building defenses, create a checklist and start filling it out. You’ll find that after adding a few rows a common pattern will arise for similar exploits, so your ‘Defender’ job should get a bit easier over time.
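To make Steps 1 to 3 concrete, here is an added example (not code from the original post, and not a SIEM rule shipped by any vendor) of two detections a Blue Team toolkit might start with for the SharpHound use case: a volume heuristic over Windows Security event 4662 (directory object access) that flags an account touching an unusually large number of distinct directory objects in a short window, and a keyword match over PowerShell script block events (4104) for the ingestor names the post mentions. The event records, the host and user names, the five-minute window and the threshold of 50 objects are all constructed assumptions for this example; 4662 only fires for objects with a matching SACL, so a real deployment must be tuned against its own baseline.

```python
"""Toy detections for SharpHound-style directory enumeration over constructed events."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Keywords taken from the ingestor names discussed in the post.
INGESTOR_KEYWORDS = ("sharphound", "bloodhound")


def build_sample_events():
    """Constructed sample telemetry; the shape mimics parsed 4662/4104 events."""
    base = datetime.fromisoformat("2023-03-10T09:00:00")
    events = []
    # WS01/alice: 120 distinct directory objects read within two minutes (enumeration-like).
    for i in range(120):
        events.append({"time": base + timedelta(seconds=i), "event_id": 4662,
                       "host": "WS01", "user": "alice",
                       "object": f"CN=obj{i},DC=corp,DC=example"})
    # WS02/bob: five ordinary lookups spread over an hour (normal activity).
    for i in range(5):
        events.append({"time": base + timedelta(minutes=12 * i), "event_id": 4662,
                       "host": "WS02", "user": "bob",
                       "object": f"CN=obj{i},DC=corp,DC=example"})
    # PowerShell script block logging (event 4104): one ingestor load, one benign script.
    events.append({"time": base, "event_id": 4104, "host": "WS01", "user": "alice",
                   "script": "Import-Module .\\SharpHound.ps1"})
    events.append({"time": base, "event_id": 4104, "host": "WS02", "user": "bob",
                   "script": "Get-Service | Where-Object Status -eq 'Running'"})
    return events


def directory_enumeration_alerts(events, window=timedelta(minutes=5), threshold=50):
    """Alert on (host, user) pairs that touch >= threshold distinct objects in any window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == 4662:
            by_actor[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        in_window = deque()      # events currently inside the sliding window
        seen = Counter()         # distinct objects inside the window
        peak = 0
        for e in evs:
            in_window.append(e)
            seen[e["object"]] += 1
            # Drop events that fell out of the window and release their objects.
            while e["time"] - in_window[0]["time"] > window:
                old = in_window.popleft()
                seen[old["object"]] -= 1
                if seen[old["object"]] == 0:
                    del seen[old["object"]]
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts.append({"host": host, "user": user, "distinct_objects": peak})
    return alerts


def ingestor_keyword_alerts(events, keywords=INGESTOR_KEYWORDS):
    """Alert on script block events whose text mentions a known ingestor name."""
    hits = []
    for e in events:
        if e["event_id"] != 4104:
            continue
        text = e["script"].lower()
        matched = [k for k in keywords if k in text]
        if matched:
            hits.append({"host": e["host"], "user": e["user"], "matched": matched})
    return hits


if __name__ == "__main__":
    sample = build_sample_events()
    print("enumeration:", directory_enumeration_alerts(sample))
    print("ingestor keywords:", ingestor_keyword_alerts(sample))
```

Each alert carries the host and user, which is what a checklist row in Step 3 needs: the data source (Security 4662, PowerShell 4104), the logic, and the tool that must be configured to produce the events (SACL auditing and script block logging).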

Example Defender Framework/Checklist

See also:

Microsoft Ignite 2022 – START HERE

https://news.microsoft.com/ignite-2022-book-of-news/

https://ignite.microsoft.com/en-US/home

The list of Ignite presentation topics is HUGE!!!

Fortunately, Microsoft provides MVPs with a quick reference sheet so we can share our top picks with you.

So here are my top picks for security topics from Microsoft Ignite (and a few other non-security topics):

Rob Lefferts, CVP of PM, Modern Protection and SOC

https://ignite.microsoft.com/en-US/speakers/66804f79-fa68-4762-8f82-45798387e70e?source=/speakers

Shawn Bice, CVP, Cloud Security

https://ignite.microsoft.com/en-US/speakers/0e6b8553-7111-4422-94e0-04a8dddbd678?source=/speakers

What’s new in SIEM and XDR: Attack disruption and SOC empowerment

https://ignite.microsoft.com/en-US/sessions/e1f4b983-55d3-4048-8e90-9c22c4362e6b

Zero Trust as Business Driver: 3 Discrete Scenarios

https://ignite.microsoft.com/en-US/sessions/9974d5a2-b241-4ede-ab2d-c2cd1b7a83be

From Code to Cloud: A new Approach to Integrating Multicloud Security

https://ignite.microsoft.com/en-US/sessions/28f61a40-f1e6-43d8-9fd0-e3c8c6267bac

Secure access and improve efficiency with Microsoft Entra

https://ignite.microsoft.com/en-US/sessions/538bf946-a7bf-46dc-809f-9fbda241f918

Protect Everything, Everywhere With Comprehensive Security

https://ignite.microsoft.com/en-US/sessions/17bbd01d-4e26-4e2e-9eec-3a060b477eda?source=sessions

Azure Arc

https://ignite.microsoft.com/en-US/sessions/50f1092f-6209-4349-b02e-9ad2872ad136?source=sessions

https://azure.microsoft.com/en-us/products/azure-arc/hybrid-data-services/#overview

https://techcommunity.microsoft.com/t5/azure-stack-blog/what-s-new-for-azure-arc-and-azure-stack-hci-at-microsoft-ignite/ba-p/3650949

Azure Monitor

https://techcommunity.microsoft.com/t5/azure-observability-blog/bg-p/AzureObservabilityBlog

Azure – Postman integrations

https://techcommunity.microsoft.com/t5/apps-on-azure-blog/enhanced-api-developer-experience-with-the-microsoft-postman/ba-p/3650304

Supply Chain Management Certification

https://techcommunity.microsoft.com/t5/microsoft-learn-blog/announcing-a-new-dynamics-365-supply-chain-management-functional/ba-p/3250813

Microsoft Cloud for Sustainability

https://cloudblogs.microsoft.com/industry-blog/sustainability/2022/10/12/driving-innovation-for-esg-progress-with-microsoft-cloud-for-sustainability/

Power Automate

https://powerautomate.microsoft.com/en-us/blog/new-ways-to-innovate-with-ai-and-microsoft-power-automate/

Top 5 Cybersecurity Capabilities

5 cybersecurity capabilities announced at Microsoft Ignite 2022

Microsoft Entra

https://ignite.microsoft.com/en-US/sessions/538bf946-a7bf-46dc-809f-9fbda241f918?source=sessions

https://www.microsoft.com/en-us/security/business/microsoft-entra

Microsoft Sentinel

https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-what-s-new-at-microsoft-ignite/ba-p/3649968

Microsoft Purview

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-purview-information-protection-showcase-of-new/ba-p/3647934

Making Security Fun with Microsoft Cloud Games

This is a really fun way to learn some practical skills with Microsoft Cloud security tools.

I would recommend this for anyone who has a Microsoft E5 license or anyone using Microsoft cloud based products who is ready to get serious about securing their cloud and on-prem environment with Microsoft security tools.

This is not for beginners.

It’s expected that you have at least a basic understanding of the security tools shown in this screenshot from the game:

Expect to spend at least a couple of hours playing the game.

Have fun!

Performing a Security Audit on Logic Apps

As DevOps teams move toward no-code apps in the cloud, there is a growing need for security reviews and controls to prevent risky

This is nothing new, but the need for better security reviews is becoming clear as more people try to rush to get their apps done in the easiest way possible.

Here’s a simple approach to identifying security risks in your logic apps:

  1. Create an architecture diagram of your logic app. This can be a simplified version that just shows the high level logic.
  2. Break down the logic app by its components:
  • The individual logic app actions – you likely won’t find too many security problems here.
  • All the parameters – don’t hardcode passwords into parameters!
  • Connectors – often the culprit of weak security in logic apps. Really understand what these connectors are communicating with. Don’t allow public access. Limit the roles/permissions.
  • App registrations – another culprit of weak security. If app registrations are needed for your logic apps, be sure permissions are set to their most restrictive settings; avoid Read.All / ReadWrite.All permissions.
  • Managed identities – if possible, use managed identities instead of user accounts for your connectors. Many connectors don’t yet support managed identities, so those apps will require additional monitoring and possibly frequent password/secret changes.

  3. Use Resource Locks to prevent changes. If someone tries to turn off resource logs, be sure it’s logged and alerted on.
  4. Restrict user/admin access to your logic apps. Some apps can have really powerful permissions/access, so you don’t want users to ever have the ability to change logic apps unless they’ve been given specific short-term permissions to do so.
  5. LOG EVERYTHING – wherever possible, enable logging within logic apps and connectors. Store logs in a Log Analytics Workspace. Use Azure Monitor alerts or Microsoft Sentinel to monitor/report/alert on all activities.
  6. Perform ‘attack simulations’. Run your logic apps through test conditions which will trigger your alerts. Validate that your alerts work as expected.
  7. Build a ‘logic app security audit’ spreadsheet. Use this as a template for repeated audits in future logic app security testing. Use the above ideas as the initial framework for your spreadsheet.
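As an added example (not code from the original post and not an Azure tool), the checks in the list above can be turned into a static review of a Logic App ARM template before it is deployed, which is a natural feeder for the audit spreadsheet in step 7. The script flags secret-looking parameters that are not SecureString or carry a literal default, API connections that do not authenticate with a managed identity, a missing managed identity, a missing resource lock, and missing diagnostic settings pointed at a Log Analytics workspace. The template below is constructed: the app names, the placeholder resource ids and the use of the ARM `scope` field to tie the lock and diagnostic-settings resources to each workflow are assumptions of this example.

```python
"""Static security checks over a Logic App ARM template (constructed example)."""
import json

SECRET_HINTS = ("password", "secret", "key", "token")
MSI = "ManagedServiceIdentity"

# Constructed template with one weak workflow and one hardened workflow.
SAMPLE_TEMPLATE = {"resources": [
    {"type": "Microsoft.Logic/workflows", "name": "orders-sync-dev",
     "properties": {
         "definition": {"parameters": {
             "SqlPassword": {"type": "String", "defaultValue": "PLACEHOLDER-NOT-A-REAL-SECRET"}}},
         "parameters": {"$connections": {"value": {
             "sql": {"connectionId": "/subscriptions/<sub>/.../connections/sql",
                     "connectionName": "sql"}}}}}},
    {"type": "Microsoft.Logic/workflows", "name": "orders-sync-prod",
     "identity": {"type": "SystemAssigned"},
     "properties": {
         "definition": {"parameters": {"SqlPassword": {"type": "SecureString"}}},
         "parameters": {"$connections": {"value": {
             "sql": {"connectionId": "/subscriptions/<sub>/.../connections/sql",
                     "connectionName": "sql",
                     "connectionProperties": {"authentication": {"type": MSI}}}}}}}},
    {"type": "Microsoft.Authorization/locks", "name": "orders-sync-prod-lock",
     "scope": "orders-sync-prod", "properties": {"level": "CanNotDelete"}},
    {"type": "Microsoft.Insights/diagnosticSettings", "name": "orders-sync-prod-diag",
     "scope": "orders-sync-prod",
     "properties": {"workspaceId": "/subscriptions/<sub>/.../workspaces/law-placeholder"}},
]}


def check_parameters(app):
    """Secret-like parameter names must be SecureString and must not carry a literal default."""
    out = []
    for name, spec in app["properties"].get("definition", {}).get("parameters", {}).items():
        secret_like = any(h in name.lower() for h in SECRET_HINTS)
        if secret_like and (spec.get("type", "").lower() != "securestring" or "defaultValue" in spec):
            out.append(f"parameter '{name}' looks like a secret but is not a SecureString "
                       "supplied at deploy time (literal values belong in Key Vault)")
    return out


def check_connections(app):
    """Every API connection should authenticate with the workflow's managed identity."""
    conns = app["properties"].get("parameters", {}).get("$connections", {}).get("value", {})
    return [f"connection '{n}' does not use managed identity authentication"
            for n, c in conns.items()
            if c.get("connectionProperties", {}).get("authentication", {}).get("type") != MSI]


def check_identity(app):
    return [] if app.get("identity", {}).get("type") else ["no managed identity assigned to the logic app"]


def _scoped(template, rtype, app):
    """Extension resources (locks, diagnostics) attached to this workflow via `scope`."""
    return [r for r in template["resources"] if r["type"] == rtype and r.get("scope") == app["name"]]


def check_lock(template, app):
    locks = [r for r in _scoped(template, "Microsoft.Authorization/locks", app)
             if r["properties"].get("level") in ("CanNotDelete", "ReadOnly")]
    return [] if locks else ["no resource lock protects the logic app from changes or deletion"]


def check_diagnostics(template, app):
    diags = [r for r in _scoped(template, "Microsoft.Insights/diagnosticSettings", app)
             if r["properties"].get("workspaceId")]
    return [] if diags else ["no diagnostic settings send logs to a Log Analytics workspace"]


def audit(template):
    """Return {workflow name: [findings]} for every Logic App in the template."""
    report = {}
    for app in template["resources"]:
        if app["type"] != "Microsoft.Logic/workflows":
            continue
        report[app["name"]] = (check_parameters(app) + check_connections(app) + check_identity(app)
                               + check_lock(template, app) + check_diagnostics(template, app))
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_TEMPLATE), indent=2))
```

Each finding maps to one row of the audit spreadsheet (component, check, result), so running the script on every exported template gives a repeatable baseline; the connector and app-registration permission scopes from step 2 still need a manual review because they live outside the workflow definition.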

Zero Trust – A simple Approach for Azure Enterprises

Zero Trust sounds very enticing, but it feels as overwhelming as any other standards-based framework.

However there are some quick wins in the Azure world, and all you need is:

  • A good checklist (The Microsoft Zero Trust Assessment Quiz)
  • A Microsoft Sentinel workbook (see below)

In addition, Microsoft has a ton of direction around Zero Trust like:

If you prefer to save some reading time, I’ve taken Microsoft Zero Trust Assessment Quiz results and compressed it into a clean list of questions here:

Microsoft has also added a Zero Trust workbook to Azure Sentinel, so if you’re using their SIEM, there’s an excellent report that you can export to get a full list of security tool recommendations that you likely already own (depending on whether you have an E3 or E5 license).

If you’re familiar with the resources under ‘Microsoft Offerings’ then you can begin planning your Zero Trust controls around these features. If you’re not familiar, then now is the time to begin learning and proposing a Zero Trust approach around these tools.

Enjoy!

Mapping Cyber Defense Use Cases to Mitre ATT&CK Data Sources

Mitre ATT&CK provides so many ways to quantitatively think about approaches for defending against attackers.

However, it can be challenging to map the ATT&CK matrix to real-world defense methods.

One approach is to look at the ATT&CK data sources and research detections that would map to those data sources.

This still requires some experience and a bit of guessing, since there doesn’t appear to be an easy-button way to map data sources to detection tools.

Endpoint Detection vendors have done a pretty good job mapping detections to ATT&CK techniques but few of them share their mappings in a simple spreadsheet – that would greatly help validate your detection gaps.

SIEM products like Microsoft Sentinel have done a good job mapping detection rules AND log sources to ATT&CK.

The chart below is an example of an easy way to provide a path forward on where to focus efforts for detections. It also provides a gap analysis for any obvious security tools that may be missing in your environment.

And hopefully my short detection method recommendations will give you some ideas or at least stir conversation.

I’m a Microsoft Recognized Community Hero!

I’m very excited to have been recognized by Microsoft as an Azure Community Hero!

Having worked with (not employed by..) Microsoft for several years as a Security Solutions Advisor/Developer, in 2021/22 I began taking on more of a volunteer role finding ways to give back to the community in any ways I could find.

After several months of contributing on the Microsoft Q&A sites I was very surprised to receive this badge(r) of recognition which they title ‘Microsoft Azure Community Hero’.

So I hope you don’t mind me sharing in my happiness for this honor.

Isn’t it cute?

https://jumpnet.enjinx.io/eth/asset/68c0000000000065/183?source=EnjinWallet-1.15.1

Using OpenAI as your personal everyday Oracle

My coding skills are enough to get by, but I’ve found new inspiration in everything from how to write better code to how to make better coffee by using the openai playground.

It’s easy, just go to:

https://beta.openai.com/playground

And start typing your questions.

It helps if you are more descriptive on what you want, eg.

‘generate detailed vbs code for copying files over the network to another server’

Sure, you could just find a code-generating web site, but there’s a convenience in being able to use simple sentences to describe your needs vs the harsh logic of a Google search!

And now you have a new, portable, tool to entertain you during those boring moments in your life…

Enjoy, and welcome to the future..