Welcome to the Azure Security Podcast, where we discuss topics relating to security, privacy, reliability, and compliance on the Microsoft Cloud Platform. Hey, everyone. Welcome to Episode 32. We have the whole gang here this week. We also have a special guest, Rin Yew. He's here to talk to us about the SOC Process Framework Workbook. But before we get to Rin, let's take a look at the news. Mike, why don't you kick things off?
I thought I'd keep things bright and cheery, keeping them up from last time's dark view of the future. But on a genuinely positive note in the ransomware space, we did publish, since the last podcast, new one-two-three, step-by-step guidance focused on human-operated ransomware that takes a lot of those lessons learned from that deck and the project plan that we talked about last time, and actually lays out step by step what's the first thing to do, second thing, third thing.
So that's out there. It's mostly the same information, but it's a little bit more prescriptive and a little bit more ordered. So less processing on your part to have to do that. We're constantly looking to improve that. We've got some more guidance that we're working on structuring and writing up so that it's as clear as possible for all of those steps, end to end. So that's one of the things that we're constantly working on, continuously improving.
The other thing that will be out very shortly, it may actually be published by the time this podcast comes out, is we've recorded videos on the cyber reference architecture and the Cloud Adoption Framework Secure methodology, anywhere between 10 and 25 minutes, kind of on each section of it, to help folks understand what that content is about, what we're thinking, the thought process behind it, some strategic tips and whatnot. So that will be out very, very shortly.
We're going to go ahead and post those videos in a couple of different places, but the easiest place to look is on the cyber reference architecture site as well as the methodology pages within CAF Secure. So those are going to be out there. The last piece I'll share is just kind of an interesting analogy I was trying out on Twitter this morning.
When you think about the way that organizations are trying to kind of instinctively prevent ransomware first, as opposed to making sure they have a backup plan, it's like doing retirement planning by buying a lottery ticket. So the odds are definitely not in your favor. So, time for my baby, Azure Sentinel news. Apparently, I'm now Sentinel Mama, so let's go with that. But let's talk about some stuff that's happened in Sentinel, because there's always new things.
The Windows Security Events connector is now based on the Azure Monitor agent or AMA. That's going to replace the MMA agent. So the AMA agent is really cool. It lets you filter the type of events you want to ingest, which is good to keep your ingestion rate down. So go and have a look at that. The Azure Activity Logs connector is now based on the diagnostic settings pipeline, which means there's a better ingestion rate and better performance. But these upgrades are not automatic.
You need to go in and change things. So go and have a look at that. We've now finally got public preview of exporting and importing analytics rules. That is something that I have had many customers ask me about all the time. So now you can export them into an ARM template, and then you can re-import them. So if you need a copy of your rules, for whatever reason, you can do that. Then last but not least, in fact, not last, there are a few more.
The alert enrichment has now got alert details, so you can custom-tailor the way alerts are. We've got some more documentation around playbooks, and a really cool thing is that all of the Azure Sentinel documentation has now been reorganized. We've got some really cool people on board. Shout out to the Sentinel docs and content folks. They've reorganized all our documentation, and they've done it in better categories. So we've got, like, collect your data, threat intelligence, threat hunting.
So depending on what you might be interested in using Sentinel for, what your job is, it should be much easier to find the documentation. So that is all my Sentinel news, because let's face it, that's basically what I talk about. A bunch of things of interest to me over the last week or so. The first one is that the web application firewall in Azure Front Door has an updated set of default rules for things like detecting cross-site scripting, SQL injection, and so on.
I have a concern with web application firewalls. I've seen people put a WAF in place without really caring about the quality of the security of the underlying software that they've written. There really is no replacement for getting the code right. In my opinion, I think everyone on the podcast would agree with me here, that the role of a WAF is not to compensate for the fact that you wrote lousy code.
It's there as an extra layer of defense, in case you've made a mistake or in case you've missed something. Remember, it's one more thing to manage. More things and more complexity can make things a little bit harder to manage and less secure. So don't think that a WAF is a replacement for getting the code right. You should always be striving to get the code right, just recognizing that you never will get it 100 percent correct.
So for example, one of the vulnerability classes that it can detect is SQL injection, but make sure you write code that uses parameterized queries. Get the code right. Don't just focus on saying, yeah, I've got a WAF in front of us, we're golden. No, you're not. Next one is Azure Active Directory-only authentication into Azure SQL, that's now available. So essentially, that turns off standard authentication, and standard authentication has been around since the very earliest days of SQL Server.
I'm showing my age here, but even back in the days when I first started using SQL Server, which was SQL Server 4.2 running on OS/2, that's how far back standard authentication goes. So now, finally, there's an option in Azure SQL to disable that and just use Azure AD-only authentication. Azure Sphere OS is now updated to 21.06. Just some general security vulnerabilities have been fixed, better integration with wolfSSL.
The last one, one of my favorite topics, we now have new Azure VMs for confidential compute workloads. These are significantly larger than the current set of VMs that are available for confidential compute. So these are VMs that are based on Intel's third-gen Xeon Scalable processor, and they support SGX, Software Guard Extensions, which is used to run code and data in a secure enclave.
So now we have these more scalable versions which have up to, like, a thousand times more memory and up to 48 cores. One of the concerns about the current crop of VMs for confidential compute is that they're relatively small, and that's a fair comment, but we're in limited preview right now for much larger workloads.
The first news that I wanted to share is that the MITRE Center for Threat-Informed Defense has released a mapping of the Azure infrastructure as a service, or IaaS, controls against the ATT&CK framework. With that release, they're providing supporting documentation and resources that can be used with any project that you may have. If you take a look at it, within one of the documents, you will see the ATT&CK table, which is color coded.
It has different shades of yellow, green, and what they're trying to do is define the areas where basic, minimal, partial, or significant coverage is provided for the protect, detect, and respond functions. Also, they understand that some of these controls may provide all three, protect, detect, and respond, so they have a color, I think it's purple, for the areas where all three are covered. I have to research a little bit more on this.
I haven't read all the documentation for this mapping, but I think that they're mapping controls against capability provided by individual services. If you are aware, Microsoft services provide many integrations to many of the services that we have. When those services are integrated, there are many capabilities in automation that become available. I'm not sure if they have taken into consideration the integration as part of the control. In either case, it's a good start.
Many customers have been asking for it, so everyone will be happy. Another news item that I wanted to share is that enhanced audit logs for conditional access policy changes have been made public preview. An important aspect of managing conditional access is understanding changes to the policies over time. Policy changes may cause disruptions for your end users, so maintaining a log of changes and enabling admins to revert to previous policy versions is really important.
In addition to showing who made a policy change and when, the audit logs will now also contain a modified properties value, so that the admins have greater visibility into what assignments, conditions, and even controls have been changed. Another news item is that PIM has added support for the ABAC conditions in Azure Storage roles.
In previous podcasts, I talked about ABAC, attribute-based access control, and how excited I was for that functionality, because basically by adding more attributes to different resources, now those attributes could also be used for conditional access. In this case, with ABAC, you could grant a security principal access to a resource, in this case Azure Storage, based on the value of an attribute. Also, Azure Security Podcast Spanish Edition, the second episode is now available.
For those of you Spanish speakers, we are interviewing Roberto Rodriguez, who is talking about SimuLand. Roberto is going to be talking about SimuLand with us in the English podcast sometime in September. If you do not understand Spanish, don't be worried, we're going to have him soon on our show, and you could listen to what he had to say about SimuLand and all the work that he's doing. That's all for me. With that, let's turn our attention to our guest this week. This week we have Rin Yu.
He is a Principal Cyber Analytics Specialist focusing on Sentinel and other SOC technology. Rin, why don't you take a moment, explain what you do at Microsoft and how long you've been here.
My name is Rin Yu, and I've been with Microsoft since 2012, and I started out on the Xbox security team, helping to build out our security operations within Xbox and Microsoft Gaming, what that needed to look like, and then later on they merged us in with the larger Windows devices organization, and thinking things through on how to integrate security operations back into a larger hub and spoke model that we now see today through our Cyber Defense Operations Center, also known as our CDOC.
Those are some of the things that I've been a part of before taking on this role. The role that I have now is Principal Analytics Specialist over Azure Sentinel, and our threat hunting, tooling, and SOC processes within our security products. It has given me the opportunity to really help shape the way Sentinel has taken form, partnering with our product groups, partnering with our partners, and our field sellers, and our customers. That's what I do today.
Ryn, we heard about the SOC process framework that you just released recently. We've actually already mentioned it on one of our earlier episodes, but can you tell us more about it? Absolutely. The SOC process framework, it was a labor of love. It was something that took shape from multiple customer conversations, asking about how to operationalize Sentinel, and our threat hunting tools within Sentinel and our XDR platform, and what that needed to look like.
We sat down to think through processes and procedures, and how we could incorporate those and operationalize the toolset. Who do you envision using it, or who are you seeing using it? Who should be thinking about reading it and taking a look at this? Yeah, really honestly, anyone, whether you're small, medium, large, doesn't really matter, anyone really can leverage this framework. It's built into the workbook gallery within Sentinel.
You can go into the gallery, you can pull that down, save it, and then start to take a look at the content within the workbook.
Some of which, it's all built around processes and procedures that you can snap your security operations to, to give you things to think about, questions to consider as you're looking at severity, as you're looking at criticality, as you're looking at assets in your line of business, as you're looking at where those lines of business meet revenue-generating business, and how you need to protect assets, thinking of services, applications, whether they're, we call them hybrid cloud,
if they're on Azure or AWS or Google, or even if they're on-prem, wherever those things may live, thinking about how to monitor for those activities. Then as you're monitoring for those, being able to understand the type of telemetry and signaling that that monitoring is giving you and then taking action on the alerts and the monitoring, as well as thinking through controls, thinking through ways to be able to protect those assets, and then bringing those pieces together.
So it really is, it's for any organization that is looking to really build out and understand how to apply security operations from a process and procedural perspective to help them operationalize the tool sets that they already have in play. Like a security operations lead or manager or director are the primary audiences, but then everybody would use the process. Is that accurate? Yeah, absolutely. So, Ryn, how are you seeing customers using the framework actually in real life?
That's a great question. So I had an individual reach out to me actually this morning. It's really interesting as I was talking to him and working through just a couple of thoughts that he had around it. It became very apparent that they want to be able to leverage the framework to be able to adapt it to their business and to their business model.
Now, that means that they may have some processes already in place that can be kind of morphed or merged into the SOC process framework, which is exactly what it's meant to be. It's meant to be malleable. It's meant to be a form of adaptation to what a business already currently has.
It's not to take away from what a business is already doing to protect their line of business, but more or less to build upon as a framework that they can really kind of snap to those things, especially if they're new to the security operation side of things. And so in this particular case, he was telling me, hey, this is fantastic. I've already been trying to implement some of these things. But one of the things I want to help really try to focus on is on automation.
I want to think through some of the questions and some of the things so that we can really start applying more of that SOAR capability because of how small we are, so that we're reducing the amount of load that a human has to take on. And that's absolutely a great approach to the framework.
Another approach, too, is also making sure that you're not just removing the human aspect of it, that you still have those checks and balances and that someone is making sure that they're looking at those alerts. They're looking at things that are being fired on. They're looking at the automation processes. They're doing some type of check around those processes and things. So that's what we call the maturity model. You're looking at the maturity overall. And so you're going to start small.
You're going to start a little by little and you're going to implement a few of these things here and a few of those things there. And as you continue to develop and grow, it's going to grow with you. And that's really what this model or this framework is designed to do. And so as he and I talked this morning, that really resonated with him because they were there in the process of implementing that.
And it was exciting to see the light bulb turn on that he doesn't have to take the entire thing in one big chunk, that he can build upon it and take the pieces that are applicable now and continue to mature his security operations over time. Are you able to walk us through like a few of the modules? I know, I mean, I've had a look at it. It's a big thing. So we'd be here all day if we did probably the whole thing. But maybe talk us through maybe a couple of your favorites or maybe the first few.
Absolutely. You know, my favorite is the incident response procedure section. That's before you get into some of the bigger sections, which are the analytical processes and procedures or the business processes and procedures or the operational or technology processes and procedures. So this workbook is pretty large. I believe we've tracked it to somewhere close to 60 pages worth of content around really helping to provide the detail to some of those.
So the incident response procedures gives a summary of what an incident is and it then dives into the purpose of incident response procedures all up. It includes a decision matrix that helps them map severities and the severities come with the service level objectives or SLOs that any operational team can snap to. Again, all of these things are malleable and customizable.
They can certainly edit and change within the workbook, because all of our workbooks within Sentinel are open for customers to be able to take and change and modify and apply things. So think of it as kind of a repository of knowledge around SOC operations. And in this particular procedure, it really is kind of giving out that scope and definitions in that area. And then we step into severity definitions. We talk a little bit about why SEV-1, SEV-2, SEV-3, SEV-4.
We give critical examples around compromise and service disruption or publicly displayed attacks. We talk a little bit about commodity versus advanced persistent attacks. We talk a little bit about examples around services and sensitive systems and different attacks that may compromise computer systems, as well as outbreaks or websites and vulnerabilities, all of those pieces, so that an analyst can come in and look at the card.
The way that it's broken out in this section of the workbook is each one of those has its own card with examples within it, so that an analyst isn't left to try and understand or try to figure out why SEV-1, SEV-2, SEV-3 when they're trying to apply that type of nomenclature during an incident as they're triaging and they're doing some type of annotation within the incident blade within Azure Sentinel. Those are just a couple of the high-level pieces.
Then we get into the overall incident response process. There is a Visio diagram that breaks down each of the sections. We have watch and monitor. We have investigate. There is mobilize, assess and contain, and then last, remediate and recover. Then postmortem.
We break down all of those sections from a large Visio diagram and we carve out each of the areas of that diagram and then go into a lot more details around how an analyst would think about that section if they're making decisions around, okay, can I triage this on my own? Can I deliver and do the investigation? Or do I need to escalate to some type of IR team?
Do I need to pull in another organizational asset to help me triage because they know that line of business or they know the criticality of the assets or services or things that are running that have potentially been indicated through this investigation that I'm doing? We really want them to think about each of those areas. That's really what we're doing is we're calling out in detail each of those pieces so that they can really focus on the considerations.
In this particular case, so let's just break down assessment and containment, asking questions like: is the incident currently ongoing? What's the business impact? Is there stolen information that is potentially stored on the system? Is that system being monitored by the attacker? Are there automated routines to delete evidence?
What type of activities are you noticing through the monitoring side or do you need to go hunt for some of those type of nefarious activities that may not necessarily have been alerted on because rules and detections may not have been set up to answer those questions? What's the production impact to those systems or to the assets or services in question? What is your containment strategy look like and how do you effectively preserve evidence during a containment strategy?
Just really getting them to think about all of those things so that if they are in the middle of a deeper investigation where they're bringing in external resources, that they're asking those questions and making sure that everyone that is a part of that investigation all have those things at top of mind so that as they're looking at evidence and they're cataloging that evidence and they're time-lining that evidence, each of those pieces is coming
to bear through the lens of the type of considerations that they need to be asking during the process itself. Yeah, you're definitely not kidding about the labor of love. That's an amazing set of resources just to hear from you as well as the visual for it. Tell me a little bit about how this kind of compares to some of the other Microsoft guidance that we've released, which is a little bit more of how to get started and kind of a simpler
view to get things going. How would you compare and contrast what we've shared from our CDOC, our Cyber Defense Operations Center, and those lessons learned and best practices there, with the SOC process framework? Well, I think it's very complementary, in the fact that I came from that world. A lot of the things that we've built into the workbook are industry standards, just
things at a high level to consider and look at. Some customers, we may want to go deeper into some of those areas and focus a little bit heavier depending on what their line of business may be or where they may see particular attacks, whether they may be on the advanced persistent side or on the commodity side. On the comparison of what we've offered, it's again very complementary. We're looking at a security operations model. We're thinking
through what roles and responsibilities are on the Cyber Defense Operations Center. We too are looking at automation. We're looking at triage investigation, hunting and incident management. That's really what we're doing within this workbook is bringing those pieces but expanding them out into greater detail. I will say that there's a lot of stuff from
some of the things Mark, you and I have worked on. Some of the stuff that you particularly have built into the SOC compass and some of the just detailed content there that we're really thinking about for V2. How do we incorporate that in? How do we make this a little bit more from that perspective so that we're giving a little bit more granularity to some of these areas? That's some of the things that we're thinking about, which I think I love. I love
that message where we need to merge. We need to bring some of those pieces together. When I really thought through this, it was more of let's just think of industry standards, things that at a high level, any customer, no matter where they are in their state of affairs, they can think through processes and procedures and questions and just things to consider and apply them operationally. That's really what I was thinking about at
the time of that. As you and I have talked and I think of we've talked with some of our other teams as we've talked with our product groups, those are some of the ideas that are now starting to emerge is we want to see a unification across the board there. I'm excited to say that that's where we're headed with some of the newer versions of the workbook,
which I think will be well received. I love having a framework that we can actually work within and plug those best practices into, so they go to the right folks and they get plugged into the right things. I think the complementary piece of having that here's your first steps and then here's what the whole journey looks like. You can pick and choose. Do you want
to use this as a reference model to compare where you're at? Do you want to just run a couple of key best practices because you want to start on this area because you know this team really wants to get better? It gives a lot of different options there. I love that absolutely. I think that's what customers are asking for is one, where do I start? And two, what are the options that I have? And then how do I apply those options
in a way that is impactful to my business? Well, you've kind of hinted on this, Ryn, but what's next for the framework? You mentioned there that there's some new versions of workbooks coming, but are you doing a version two? What's next? We are currently working on a version two and one of the new features that we're playing around with, and so I'll hint to this, we're playing around with a feature called Flyaway Workbooks where we can link to additional
workbook content within a given workbook, like the main workbook. And so one of the ideas we're thinking about is if we can carve off very particular, very granular and detailed content that gives us the ability to put that into a workbook where we can say, hey, how large are you and ask you questions around what your state of affairs are and then link to, if you fit any one of these models, here's content that is applicable to your current
state. We're kind of looking along those lines, and that's exciting because then it allows us to really kind of expand on not only the content that the workbook can offer, but we can then make it more modular. And we can then start to scope some of the modularity of the workbook and the content to certain areas that I think customers are now asking
us for, to really kind of help them dive more into where do I get started. Now, while the workbook is made simple so that you can just load it, you can go in, start to replace the customer word with your customer name, you can start to think through what processes and procedures are applicable to your line of business. It really, again, is malleable in that way. We're also thinking about ease of use, and we've been thinking about how
we can make this a little bit more modular to drive that ease of use. And I think that's going to be exciting for those using Sentinel going forward. I'm kind of excited to what this might yield. So I've been listening to all of this. One of the first things that sort of came to my mind was, what's the best way to start with this framework? I mean, how would somebody get started? Yeah, again, you're going to go load that workbook into the gallery. You're going to
get it started there. And you're going to pick each of those sections, right? You're going to, the first thing to do is when you go into the editor mode of the workbook, advanced editor, you can just do a search and replace of the word customer and put in whatever your line of business is. Boom. That's the very first thing to do to get started. Then the next thing you want to do is take each of those processes and procedures and really
look at each of those sections on what are you doing today? What is your current state and how you can apply that to your business and to those that are working within the tool sets? And that's really what it is. It's understanding the processes and procedures, understanding those processes so that you can then apply them operationally to Azure Sentinel and to other security tools within our product stack. And as you're kind of looking at that, you're
going to start to see a pattern. You're going to see how those processes and procedures build off of each other where you will have a framework. And so that's why we've also put in the workbook areas for diagrams. And so at the very, very beginning, when you go to the SOC main, you'll see the procedural flow. You'll see how the procedural flow interconnects with each other. You'll see, as it's talking about shift turnover and daily operations
and it's looking at shift scheduling and staffing or training. And then from there, once you kind of have some of those pieces underway, then that training dovetails into okay, now I understand how to go monitor and triage. I can now do a crisis response or call out. I can do incident management and problem change. So really getting to each of those areas to understand the details of those processes and then how to apply the
procedure of that process back to the tool itself. And that's really where the meat of this is. It really gives our customers that capability to operationalize the tool itself. It lowers the bar from Sentinel just being a tier three threat hunting capability tool. Because that was feedback that we got a lot from our customers was, you know, this
isn't really built for a tier one or tier two, you know, analyst. And that just really kind of made me disheartened, because for me, you know, this has been my baby as well, as Sarah is, you know, Sentinel Mama. I've always thought, you know, I guess you guys have called me Sentinel Papa or whatever, but Sentinel has been kind of in my blood clear back since, you know, early 2015, 2016, late 2015, when Sentinel was really kind of being conceptualized.
And so we wanted to make sure that we were shaping in the right way. And this type of operationalization gives a level one level two, a really good understanding of how to apply, you know, a stage down notations using tagging that's built into the incident model, understanding how to queue and triage understanding how to apply an escalation procedure through tagging understanding all of those pieces because they can now use the tool the way
it's been developed and designed through this level of understanding. And that's exciting. So something we ask all our guests is, is there a final thought that you would leave our listeners? Yeah, I think, you know, based on what the conversation we've had today, our final thought or my final thought is, you know, it doesn't matter how large, small,
who you are, or what your current security state is, just do something, right? Take action, take a look at where you're at, apply the workbook, look at what is applicable to you, to your line of business and to your state of affairs, and use that to help drive further process, use that to help, you know, move you towards a level of maturity that, you know,
that you hope to achieve. And I think that's what's so great is that it really is designed for all audiences because it's process based, right, so that you can apply that process no matter where you are within your state of affairs. So let's bring this episode to an end. Thanks, Rin, for joining us this week. I really appreciate you taking the time joining us. I learned a great deal from you. Hopefully our listeners
learned a great deal too. And to our listeners, stay safe out there, take care of yourself, and we'll see you next time. Thanks for listening to the Azure Security Podcast. You can find show notes and other resources at our website azsecuritypodcast.net. If you have any questions, please find us on Twitter at azuresecpod. Background music is from ccmixter.com and licensed under the Creative Commons license.