Module 4ab - Security and Network Security - Protect Against Security Threats - Azure Sentinel, Key Vault and Dedicated Hosts

Question 1

What is a Security Information and Event Management (SIEM) System?

Answer 1

A SIEM system aggregates security data from multiple sources and provides capabilities for threat detection and response. Basically the “reactive” system after a breach.

Question 2

Hint: Think “Batman” as a SIEM system…

What is Azure Sentinel and what’s the difference between it and Azure Security Center?

What are four (4) things that it does?

Answer 2

Azure’s SIEM System. This is the system you’d go to for breaches. Unlike Security Center which is proactive prevention, Sentinel is reactive actions and prevention.

• Data Aggregation at scale; across all users, devices, apps, and both on-prem and cloud infrastructure (even multiple clouds)
• Detects previously undetected threats using Microsoft’s comprehensive analytics and threat intelligence
• Investigates threats with AI; examines suspicious activities at scale
• Rapid Incident Response with built-in orchestration and automation of common tasks

Question 3

What data source connections does Azure Sentinel support?

Answer 3

Connections to the following sources:

• Microsoft Solutions (obviously!)
• Non-MS Solutions like AWS CloudTrail, Citrix Analytics, VMware Carbon Black Cloud, etc
• Common Event Format (CEF) compliant data sources. These are Industry-standard system that use the CEF messaging standard, like Syslog or REST APIs

Question 4

Hint: Escalators…

Azure Sentinel’s Built-In Analytics are based on templates? Who built them and what are they based on?

What are three (3) aspects of those templates?

Answer 4

Templates designed by Microsoft security experts based on

• Escalation Chains for suspicious activity
• Known threats
• Attack vectors

Templates are:

• Customizable
• Used to search across the environment for any suspicious activity
• Some use proprietary ML behavioral analytics based on MS algorithms

Question 5

Describe Sentinel’s Custom Analytics for threat detection

Answer 5

Rules you create to search your environment for specific criteria.

• Alert thresholds
• Result previews based on historical logs (since you’re building this off CUSTOM criteria as opposed to known threats i.e. known criteria…)
• Query scheduling (i.e. when to kick off your search)

Question 6

What are “Incidents” w.r.t. Azure Sentinel?

Answer 6

A group of related Security Alerts

Question 7

What is the Investigation Graph?

Answer 7

A tool used by Azure Sentinel to examine:

• The timeline of the incidents and their occurrences
• Entities directly connected to and/or affected by the alert
• Common exploration queries

Question 8

Hint: Obama’s Pandemic Playbook)

What are Azure Monitor Playbooks?

Answer 8

Used to automate responses to threats

The playbook can run manually or automatically when a rule triggers on alert

Question 9

What’s an example workflow for a Playbook?

Answer 9

1. Trigger Alerts to open a ticket
2. Send a message to Teams or Slack
3. Send info in an Alert to a security admin via email with option buttons “Block” or “Ignore”

When clicking Block ⇒ the IP address is blocked, user is disabled in Azure Active Directory

When clicking Ignore ⇒ Alert is closed in Sentinel and incident is closed in the trigger system

Question 10

What is Azure Key Vault?

Answer 10

A centralized cloud service for storing application secrets in a single, central location. Provides secure access to sensitive info via access control and logging capabilities

Question 11

What are three (3) things Azure Key Vault manages?

What’s used to ensure security on your stored secrets?

Answer 11

Manage Secrets - Store control access tokens, passwords, certs, API Keys, etc.

Manage Encryption Keys

Manage SSL/TLS Certs - Provision/Manage/Deploy public or private Secure Socket Layer/Transport Layer Security certificates for both Azure Resources and internal resources

Store secrets backed by hardware security modules (HSMs)
- keys and secrets protected by software or by FIPS 140-2 Level 2 validated HSMs

Question 12

Hint: What’s great about Azure?

What are four (4) benefits of Azure Key Vault?

Answer 12

• Securely stored secrets and keys!!! - This is the MAIN idea behind KeyVault! Access requires authentication and authorization
• Centralized AND Simplified App Secrets administration - reduces potential for leaks and control distribution, easier to enroll and renew certificates from public cert authorities, scale up and replicate within Regions, and use standard cert management tools
• Access Monitoring and Access Control
• Integration with Azure Services

Question 13

What two (2) places can I see my Secret Values?

Viewing Secrets requires authentication and authorization (T/F)?

Answer 13

1. Secrets => Select the secret => Select “Current Version” => Click “Show Secret Value”
2. Through the Cloud Shell:
   az keyvault secret show –name noelspwd –vault-name my-keyvault-001noel –query value –output tsv

True. These two paths assume you are already authenticated and authorized through 1. Azure Portal or 2. Cloud Shell’s Azure secure login

Question 14

What is Azure Dedicated Host?

Answer 14

Microsoft can provide physical servers to host your Azure VMs (Windows or Linux) should you have requirements to do so (i.e. regulatory compliance)

Question 15

What are Host Groups?

Answer 15

A collection of Azure Dedicated Hosts

Host Group => Dedicated Host => VMs

Your VMs can sit on a Dedicated Host but your Dedicate Host can be grouped with other Dedicated Hosts

Question 16

What are the benefits of a Dedicated Host?

Answer 16

Complete control over the environment hosting your VMs!

• Visibility into the environment
• Helps address compliance requirements by deploying to isolated servers
• You can choose the number of processors, server capabilities, VM series, VM sizes WITHIN THE SAME HOST

Question 17

Hint: WITH….not FOR

How do you achieve High Availability with Dedicated Hosts?

Answer 17

Provision multiple hosts in a Host Group, then deploy your VMs across the whole group…

Question 18

What does Dedicate Host Maintenance Control allow you to do? What the time window for using it?

Answer 18

Lets you control when regular maintenance updates occur (within a 35-DAY ROLLING WINDOW)

Question 19

How are Dedicated Hosts billed?

Answer 19

• Charged per HOST, regardless of how many VMs you deploy to it
• Price based on VM family, VM size and Region

Question 20

Another advantage of Dedicated Hosts are that software licensing, storage and network usage are billed in aggregate with the VMs running on each Dedicated Host (T/F)?

Answer 20

False. Host and VMs are billed separately from all that! 😉