Secure Your Cloud with Confidence Defend against Threats with Microsoft Sentinel

Slide Note
Embed
Share

Explore the powerful combination of Jupyter Notebooks and Microsoft Sentinel for efficient threat hunting and defense against cyber threats. Learn how to set up your Azure ML workspace, assign compute resources, and store investigation artifacts for enhanced response capabilities.

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

rainer
rainer Follow

Uploaded on Mar 13, 2024 | 3 Views

Presentation Transcript

  1. Secure Your Cloud with Confidence Defend against Threats with Microsoft Sentinel David Branscome dabran@microsoft.com

  2. Agenda Using Jupyter Notebooks for Threat Hunting Microsoft Defender for Threat Intelligence (MDTI) Defender External Attack Surface Management (EASM)

  3. Using Jupyter Notebooks for Threat Hunting

  4. What are Jupyter Notebooks? Jupyter Notebooks are NOT a Microsoft product, but they are used in Sentinel (and other products) Open-source web applications based on JUlia, PYThon and R Notebooks are documents that contain live code, equations, visualizations, and narrative text Originally used for data science, stock market predictions, astronomy, etc but have found a niche in cybersecurity

  5. How to leverage Jupyter Notebooks with Sentinel Storage of investigation artifacts Store and collect evidence to improve response time for next event Interactive scripting tool Can be used to process stored scripts and store results inline for investigations Interoperability with multiple programming interfaces Enable deeper programmatic abilities to connect to, use and store external data Use as training or standardization guides Leverage notebooks to guide analysts through steps of a threat hunt or investigation dynamically

  6. Setting up your Azure ML Workspace Requirements: At least Microsoft Sentinel Contributor role to save and launch notebooks Resource-group level Owner or Contributor role to create a new Azure Machine Learning workspace Create a new Azure ML workspace. Use a public endpoint to avoid issues with network communication

  7. Assign a compute resource to the ML workspace Create an Azure ML compute resource that will be used to run the notebook Compute resources have different sizes and can handle different types of ML workloads (e.g., compute vs. memory- intensive)

  8. Using a built-in Jupyter Notebook Cloning a Notebook and making small adjustments can be an easy way to start learning Rename and clone an existing built-in notebook and save it to an ML workspace Once the notebook is cloned, you ll need to assign compute resources to the notebook.

  9. Start/stop the compute resource Stop and start the compute resource to reduce spend Once the compute instance is running and the kernel is connected, you can run the notebook

  10. Default workspace directory structure The working directory for my Azure ML workspace looks like this by default. This will be important when we want to add more Notebooks to our Sentinel instance

  11. Getting New Sentinel Notebooks Sentinel Product Group creates new Notebooks and stores them on their GitHub repo They are not all integrated into your Sentinel instance. How do you get them over?

  12. Download Notebooks to your Sentinel environment You can download all the Microsoft Sentinel team s Jupyter Notebooks and add them to the Notebooks collection in your Sentinel instance Open any Notebook, click on + Code to create a new cell, and run the code shown below. It will download all the Microsoft Sentinel Notebooks from the Sentinel GitHub repository to your ML workspace.

  13. Copy GitHub contents to your ML working directory The notebooks that you downloaded get stored in the azure-sentinel-nb directory of the user folder in your Azure ML workspace You now need to copy the new notebooks out of the azure- sentinel-nb workspace, since these are not yet visible in Sentinel.

  14. Move notebook to your working directory Select a notebook from the folder under the azure-sentinel-nb location (e.g., Guided investigation Anomalous... ) Click on the ellipsis on the right side of the Notebook name and select Move Move the Notebook to the working directory (Megan.Bowen in this image) Automation is a better option, obviously

  15. Check My Notebooks for the new notebook Next, check your My Notebooks tab. The new notebooks should show up there and can be used.

  16. Running Jupyter Notebooks Blocks of code in the notebook can be run one step at a time, or you can run blocks of code in sequence. However, don t run them out of sequence, since code blocks often rely on data from previous blocks as input

  17. DEMO Move Jupyter Notebooks to Sentinel from your ML workspace

  18. Microsoft Defender Threat Intelligence

  19. Microsoft Defender Threat Intelligence Protect your organization from adversaries with a 360-degree view of your threat exposure Identify adversaries and their malicious infrastructure at a global scale. Understand vulnerabilities from endpoint to the internet. Accelerate remediation with internet threat intelligence. Uncover exposures to ensure full removal of attackers and reduce the risk of double extortion. Identify Accelerate Integrate Integrate with existing security infrastructure to enhance prevention and improve your posture.

  20. Security operations Using data collected from a variety of defense tools to analyze events occurring within an environment to mitigate threats Incident response Investigating, analyzing, and responding to cyber incidents within a network or enclave MDTI Common Use Cases Threat hunting Proactively searching for malware or attackers hiding within a network Cyber threat intelligence analysis Identifying and tracking cyber threats to an organization and working with stakeholders to reduce risk Cybersecurity research Developing new concepts or novel approaches to identify and defend against cyber threats

  21. Defender TI Features Key Value Propositions Intelligence Articles. Centralized collection of public OSINT and private expansion of related infrastructure indictors. Original Microsoft research articles from our multiple threat, response, and research teams Advanced Investigations. Expansive modern data sets to connect adjacent and related attacker infrastructure to eliminate missed threats. Datasets include Passive DNS, WHOIS, SSL certificates, cookies, hosts and host pairs, domains, IPs, and services running. Projects. Allow collaboration and reuse of prior investigations history across an individual or team. This aids in reducing response times and discovery of related attack infrastructure as threat actors TTPs shift. Reputation Scoring. Dynamically calculated severity scoring and analyst guidance for internet infrastructure to aid in decision making and response process times.

  22. How does it work graph the internet Threat actors are intelligent and constantly changing their tactics: Web crawlers Scripted and random interactions Active and passive sensors

  23. Observe the internet through the eyes of an attacker In a threat campaign threat actors might Target specific types browsers and/or versions Threat actors can filter traffic from target organizations and security vendors to stay hidden from detection Target specific regions of the world Target specific types of IP space (residential, commercial, mobile) Therefore, we must try to act like the intended victim and avoid detection, just like the threat actor does

  24. How to blend in to map the internet to find bad stuff Interact with internet assets via a multitude of different perspectives Virtual user Browser diversity Different browsers Various versions Mobile and desktop versions Global proxies Thousands of egress points from different geolocations to emulate traffic from different countries IP space Residential Commercial Mobile

  25. Interacting like a user from a browser perspective We also see the internet like a user does. When the page is rendered in the browser the full Response and DOM (Document Object Model) are captured. This allows for understanding of dependent requests, cookies, headers, links, causes, sequences of how the page was actually loaded. We hash the DOM and compare it to all the other DOM we have seen. We can then use the hash signatures to identify website similarity at a global internet scale.

  26. Home page 1 Learn about new security topics in the form of articles or to research intelligence they have found elsewhere. 2 Search is the gateway to the vast amount of data available should you want to dive in with data you want to turn into intelligence. 1 3 2 Featured articles are key research publications that we find relevant based on our intelligence expertise.. 3 Articles ensure every customer has data to hunt with across all verticals and topics.

  27. Articles Feature summary Analytic view of intelligence research Coverage of new techniques observed in the wild, as well as recommendations for pivot and hunting points

  28. Summary view Search results Search results are output into two tabs: Use case: Suspicious Domain Research Summary provides key insights about an artifact that the platform has derived from expansive datasets. 1 2 1 Data is pure investigative content where a customer can extrapolate and start to connect artifacts based on a deep dive analysis. 2

  29. Data view Search results Use case: Suspicious Domain Research

  30. Projects Organizing investigations

  31. Reputation scoring Feature summary Hosts, Domains, and IP Addresses are grouped into categories depending on their numerical reputation score. Characteristics include: First seen Last seen ASN Country Associated infrastructure

  32. Analyst Insights Feature summary Lists any insights that apply to artifacts. Also shows rules that were not triggered, which can help move investigations along faster

  33. Datasets Includes information related to DNS, certificates used, host pairs, subdomains, file hashes and many other data elements. Can help answer questions such as: Is the IP address routable? Where is the IP address geolocated? How old is the domain? What name servers are used? Is this a sinkhole domain? Are there fake names in the WHOIS record? Is it using a self-signed certificate? Etc .

  34. DEMO Microsoft Defender Threat Intelligence

  35. Microsoft Defender External Attack Surface Management

  36. What is your external attack surface? Everything that an attacker can see on the internet with little risk that they ll be detected by defenders.

  37. Overview of Defender EASM Discovers and maps your digital attack surface Provides teams with ability to identify unknowns, prioritize risks, eliminate potential attack vectors, and extend vulnerability management beyond the firewall

  38. Key concepts Assets An external-facing online entity owned and controlled by your organization. Asset types include domains, hosts, pages, IP blocks and addresses, contact emails, ASNs, and SSL certificates. Discovery Process that maps an organization's infrastructure by detecting connections to known assets. Note that this process maps connections based on our pre-existing comprehensive map of the internet. Any discovered assets are already included in this map but will be refreshed and mapped to the customer. Seeds Known assets attributed to your organization, which kickstart the discovery process. Discovery investigates the connections that seeds have to other infrastructure to define your Attack Surface. Attack Surface An organization's infrastructure that is exposed to the open internet. Your attack surface is defined through the discovery process; users can use multiple discovery runs to compile a single Attack Surface. Inventory Your indexed list of known assets, which is regularly monitored to detect any changes. Attack surface insights A series of dashboards that alert users of any risks to their attack surface (e.g., GDPR violations, CVE vulnerabilities).

  39. Dashboards Feature summary MDEASM has four pre-defined dashboards with use-case based information that a customer can use in analyzing their inventory and assessing risk: Attack Surface Summary Security Posture GDPR Compliance OWASP Top 10 These dashboards are comprised of details from the Approved Inventory. Inventory in other states are not included.

  40. Creating an EASM Azure Resource Two steps involved: Create a resource group Create an EASM resource in the resource group Creating the EASM can be done 2 different ways: Select attack surface of one of 25,000 organizations already mapped Create a custom discovery, providing seed information (domains, hosts, IP s, etc ) Building the attack surface will take 24- 48 hours

  41. Understanding inventory assets and billing After onboarding EASM, customers get a 30-day free trial, after which they are charged for billable assets Only approved asset types are considered billable: Approved hosts Approved domains Approved IP addresses

  42. Viewing the attack surface Results are presented by: Asset type Queryable inventory Dashboards to evaluate your Security Posture & Risk

  43. Deleting a resource You can delete the resource within the resource itself or at the subscription level. To delete the resource from the resource:

  44. DEMO Defender for External Attack Surface Management

  45. Thank you

Related


Artificial Intelligence in Cyber Security: Enhancing Threat Detection and Response

Artificial Intelligence in Cyber Security: Enhancing Threat Detection and Response

annabelle
Explore Microsoft Azure Cloud Services

Explore Microsoft Azure Cloud Services

kurtis
Understanding Latency in Sentinel-1A Standard Products

Understanding Latency in Sentinel-1A Standard Products

ines
Comprehensive Digital Risk Assessment Guide for Businesses

Comprehensive Digital Risk Assessment Guide for Businesses

kennedy
Healthcare Executive's Guide to Ransomware Threats

Healthcare Executive's Guide to Ransomware Threats

basil
Understanding Malicious Attacks, Threats, and Vulnerabilities in IT Security

Understanding Malicious Attacks, Threats, and Vulnerabilities in IT Security

ciel
Understanding Cloud Computing Cost Comparison

Understanding Cloud Computing Cost Comparison

thea
TEAM SWOT ANALYSIS

TEAM SWOT ANALYSIS

shyam
Understanding Threats in Distribution Integrity Management Program

Understanding Threats in Distribution Integrity Management Program

brutus
Cloud Migration

Cloud Migration

hiba
Understanding Cloud-Optimized HDF5 Files for Efficient Data Access

Understanding Cloud-Optimized HDF5 Files for Efficient Data Access

elissa
Azure IoT Edge

Azure IoT Edge

harvey
Enhancing Query Optimization in Production: A Microsoft Journey

Enhancing Query Optimization in Production: A Microsoft Journey

nemy
Microsoft Azure Overview

Microsoft Azure Overview

zainab
Benefits of Operator Connect for Microsoft Teams Administration

Benefits of Operator Connect for Microsoft Teams Administration

sophronia
PIN Pad Security Training and Procedures

PIN Pad Security Training and Procedures

elliemae
Collaborative Operational Security

Collaborative Operational Security

millicent
SmartBar for Microsoft Dynamics 365 & Power Apps - Improve Navigation and Personalize Your Forms

SmartBar for Microsoft Dynamics 365 & Power Apps - Improve Navigation and Personalize Your Forms

gibson
How to Identify and Mitigate Cyber Threats

How to Identify and Mitigate Cyber Threats

heloise
Understanding Cybersecurity Threats and Facebook Security

Understanding Cybersecurity Threats and Facebook Security

altalune
Cloud Computing and Virtualization

Cloud Computing and Virtualization

braydon
Understanding Amazon EC2: Elastic Compute Cloud Fundamentals

Understanding Amazon EC2: Elastic Compute Cloud Fundamentals

danae
Leveraging Data Warehouse and Cloud Computing for Informed Decision-Making

Leveraging Data Warehouse and Cloud Computing for Informed Decision-Making

carolyn
Understanding 95% Confidence Intervals in Statistics

Understanding 95% Confidence Intervals in Statistics

machabee

More Related Content

Indiana Requirements to Secure Election Infrastructure
Indiana Requirements to Secure Election Infrastructure
Protection Motivation
Protection Motivation
Responding to Threats in the Washington Presidency
Responding to Threats in the Washington Presidency
Major Threats to Biodiversity Due to Human Activities
Major Threats to Biodiversity Due to Human Activities
Research Methods and Project Management
Research Methods and Project Management
Parsimoni – the European IoT/Edge OS. Secure, efficient, flexible.
Parsimoni – the European IoT/Edge OS. Secure, efficient, flexible.
United States v. Microsoft Corporation
United States v. Microsoft Corporation
Enhancing IT Support Efficiency with Microsoft Copilot
Enhancing IT Support Efficiency with Microsoft Copilot
Standing Up for Equality: Voices and Actions
Standing Up for Equality: Voices and Actions
Debate on Driving Skills: Are Women Better Drivers Than Men?
Debate on Driving Skills: Are Women Better Drivers Than Men?
Guide to Connecting Your Easee Charging Device to Mobiflow
Guide to Connecting Your Easee Charging Device to Mobiflow
“SUGAR - FREE” VS SUGAR - POWERED FUTURE
“SUGAR - FREE” VS SUGAR - POWERED FUTURE
Enhancing Security with Two-Factor Authentication in Funding & Tenders Portal
Enhancing Security with Two-Factor Authentication in Funding & Tenders Portal
Recognizing Online Scams and Seeking Support
Recognizing Online Scams and Seeking Support
Ascon: The Lightweight Cryptography Standard for IoT
Ascon: The Lightweight Cryptography Standard for IoT
DEFEND THE DEFENDERS
DEFEND THE DEFENDERS
Evolution of Legal Aid Regime in Seychelles
Evolution of Legal Aid Regime in Seychelles
Principles of Cyber Security
Principles of Cyber Security
Drone Detection Using mmWave Radar for Effective Surveillance
Drone Detection Using mmWave Radar for Effective Surveillance
PRESENTATION - 2024
PRESENTATION - 2024
Understanding Malignant Melanoma: Types, Signs, and Prognosis
Understanding Malignant Melanoma: Types, Signs, and Prognosis
Exploring Onshape: A Cloud-Based 3D CAD Package for Students
Exploring Onshape: A Cloud-Based 3D CAD Package for Students
Protect Your Community: National Slam the Scam Day
Protect Your Community: National Slam the Scam Day
Cloud Computing Service Application
Cloud Computing Service Application