IAPP CIPT – How Technology can help in achieving GDPR compliance Part 4

7. Security in cloud infrastructure environment demo

Hi guys. In this lesson we’ll discuss about securing our cloud infrastructures. So your client or your company already has virtual machines in a cloud platform. Just for this example I will use again microsoft Asia. So you have your virtual machines in cloud and you want to see some security dashboard, some security analytics, some security reports about your machines over there. And I’ve chosen to show you a subscription called Azure Security Center that can be bought directly from Microsoft, from Microsoft Asia.

It’s something similar also for Amazon and other cloud platforms. But for the sake of this demo, I would use Azure Security Center. So when you come in to this console, to this tenant, you see practically there are some nice dashboards over here and you have seven important tabs antimatter Assessments, update Assessments, network Security, Identity and Access, threat Intelligence, computer Security Events, and some baseline assessments.

What does this mean? So, anti malware assessments, when you click on it, you’ll practically see all the machines, all the computers that have an anti malware installed on it. Either it’s the default Windows Defender or it’s a separate tool installed on the system. And you will be able to see different reports regarding detected threats protection statues which are computers or virtual machines with insufficient protection, which are the computers with detected threats and which are the threats already detected or even remediated.

Types of protections that you can see. It’s Windows Defender, malicious Software Removal tool or System Center, or any other protection that you may have in there. This demo is just focused on some mix of products over here, but they integrate well with other vendors for endpoint security also. And these vendors are also included in the marketplace of Asia. So you can come with your license and add, let’s say, Defender or Kaspersky or Trend Micro endpoint protection for your virtual machine. Good. Coming back, update assessments here.

Well, this is not the update assessments. Let me just come back here 1 second. So I’ll go to security and I go to update assessments. So it’s update management. And right now you will see the status of your infrastructure in terms of Windows Linux updates. So you have all your Linux computers, all your Windows computers that need critical updates or security updates or different other updates, and which of these are already up to date. And let’s click on this. And I have 32 critical updates over here that I need to process. So either I have a patch management system or I have to go manually to patch and apply all the updates to this system.

The tool offers me the report capabilities in order to see and check which machines may have some critical vulnerabilities and may be exposed to some hacking attacks. This is not loading, I don’t know why. Just wait a moment, let me check again. Yeah, now it’s loading. So what gets me here is practically a search database called Log Analytics. Practically a database where I can see all the logs coming in from these machines. So the system will tell me what correlation or what searches and queries did he make in order to get this update result. You see here the query and all the results. It’s not so easy to process that. Then I have network security. So here I will get details about IP addresses that are involved in sort of communications to my environment. Let’s wait a bit.

And I mean distinct IP addresses. See when it is loading. So voila, you can see here malicious communications coming in or out from your environment, which are the computers active in these malicious communications and the IP addresses that we consider to be malicious. And you can see different patterns or different reports regarding inbound and outbound communications, the amount of traffic, the distinct malicious IP address is involved. And you can go here and see the log searches that I’ve shown before. Again, everything clickable here will go for the log sources.

So you can actually see the log that generated this result. Over here, active computers, how many sessions were created per computer and which were the top destinations or the unique destinations for that? Let me just come back if I go to identity and access. Again, this is really important. So as you may see, we have an identity posture and right now 99.

7% of the logons have failed, which is quite a number. And you see failed login reasons, logons over time, what machines, the login attempts number, the account that was involved in a failed login account that already logged on, and practically the accounts that the system enforced, the change or reset password which were locked or not locked. And you see all of these details coming in from Azure Active Directory. So practically getting all the reports and logs from Azure Active Directory, correlating it with your machines and IP addresses and everything that’s happening in there and providing you these sort of reports regarding identity and access coming back over here, then I have potential malicious trafficking.

As you may see here in the threat breakdown, we have 737 botnet activities coming mostly from the United States, Ukraine, China, Netherlands and all the other countries. And you also have the distribution on the map. You can even click here on the map or scroll in, scroll down on the map. And here on the right you may see more details about this coming in.

You see the overview, you see the outgoing, incoming and other things, the country, the confidence and the type of the threat, wherever it may be possible to have a full report. But when it’s not possible, then this is the information that a system will get back to you. If you click over here, then you can also get all these 300 log searches and log reports that generated, that are correlated and generated in this report. And this is again important. Then the last tab over here is a Security baseline assessment.

These are some rules that we consider baseline in terms of security, right? Access to this computer from the network, password complexity, how do you treat locks, remote connections, ports open, SSH audit policy rules, securities, registry keys, different things that we can monitor at the endpoint level and how your computers react to different traffic patterns.

And then we can create this sort of baseline assessment either for the web or either for the different operating system required rules. And we’ll tell you what exactly you need to improve at your environment in order to become security compliant or in order to improve your security assessment maturity level. Coming back to my view over here, practically these are the notable issues, things that are really, really important for you to handle immediately. Some updates for 16 computers, insufficient production for twelve, critical updates for other ten, and some other things over here based on the priority.

The detection environment is something that is going on for security Information Event management maybe. And if you want to find more details about what CME is, security Information Event Management, I encourage you to join into my Curator courses.

There is a fundamental course that will tell you exactly what the CM is and what you can get from that kind of platform. And then there is also more technical, more hands on course and courses regarding Simplatforms from Curator, from IBM Curator that you can get enrolled in and find out more about that. So the detection over here is something similar, but not so advanced. What is doing is getting logs from different sources, getting a correlation between them and being able to say these activities generated this type of attacks. And this workflow of activities is practically this type of attacks.

And we have here failed RDP, brute force attack. And when you click it again, you get all the logs that were generating this rule to happen. Similar to a SIM, not so user friendly, let’s say, in this moment. And you have also remediation steps over here and all the details about IP addresses and vertical level involved the computers. So not so advanced to the team, but really, really good information to have in a cloud platform related your environment over there.

8. Defending and remediating endpoints from cloud demo

Hi guys. In this lesson I want to present you an endpoint management and protection tool that will include soon in the new version also some incident response features. And by incident response I mean an automation framework that will be included in this incident response framework. And this automation will help you immediately remediate or automatically or half automatically remediate everything that was considered an attack or suspicious event at the endpoint level.

So it’s not about what an antivirus will block. It’s not only what you can be alerted on in terms of zero day attacks or behavior analytics, but you also will be able to remediate what will be considered or what can be a zero day attack at the endpoint level. And this is the tool that I want to present. It’s called windows. Advanced Defender ATP. And ATP means Advanced Threat protection. So it’s Windows Defender advanced Threat Protection. It’s a cloud security subscription. It’s the same practically agent. But let’s think is an agent that runs on Windows endpoints either server or personal machines like Windows Seven or Windows Ten and transmits some data.

Some behavior that is able to analyze at the endpoint level is going for a lot, a lot of things. And transmits this data to this central console that you just see over here which is called Windows Defender Security Center. And like I said, the new version that will be available in March 2018. So if you listen this course after this date, then this tool already exists on the market and maybe it has plenty of other nice new features. So this instant response automation will be included starting March 2018. In the new version, what this tool is going to offer you is practically they are analyzing complex malware attacks, things that happen in memory. So the malware is not writing anything to disk, it’s just happening in memory.

There are different PowerShell, commands or scripts that are able to move from one application to another, from one process to another, and to inject some actions that will open communications that will grab information from the system and even hijack identities or accounts. So different things that may happen. So first in these dashboards you have active alerts, have machines that are at risks and users that are at risk. So let me just click on a machine that’s considered to be at risk. What you may see over here is the domain is the lockdown users for this machine and all the alerts in a timeline that happened for this machine. So it started it’s in September 2017 and it went up to February 2018, right? And all these activities happened in this timeline.

And you have here the date, the time when it started to happen and it went up. You have all the details, all the renewal details regarding what happened, the loaded module, the process that were injected, the DLL that were changed, how the Molar went from one process to the other what’s infected. If there are files involved, you will see that there are some files involved and affected or different applications. And here in the alerts you practically have due to severity all the names of the attacks that in behind have plenty of action. So I clicked on Exploit quad block, dynamic code execution. And see here the description, the recommended actions. And you have here the alert process trees, or how this attack went from here to here and what was the infections and how they did it into SVC host.

And we have different details, the hashing. And if you go for actions, you can investigate, you can manage this alert and you can print up and print and go for this alert. If I go back to the machine over here again you will see an action button. The things I told you about the incident response will be practically from here. So from actions right here you will have another feature over here called Remediation. So this will run a playbook or runbook with different actions that will be processed at the endpoint level based on the type of the attack. So it will go there, it will change the registry to the normal version.

It will look and delete a specific DLL file or that was injected, it will go and change privileges for a specific account and so on and so forth, depending on the type of the attack and what we know regarding those types of attacks in terms of collecting investigation packages. If you see and there will be alerts with files involved. You can even detonate that file in a sandbox in Cloud. So you upload the file or the tool uploads automatically the file from the endpoint in the cloud and you will detonate that file in sandbox environment practically you will run it against different operating systems and versions and see the result of running that file and see what is the infection vector. If you go for the action center you see that it was scanned, it was at restriction or not, it was isolated and so on.

Here you’ll also see the remediation of the new feature that I was talking about and how it was remediated. The good thing is that after an endpoint is remediated the administrator and next maybe the chief information security officer will receive a report of what happened, what was remediated, how it was remediated and what’s the status right now. So it’s really really interesting because it can eliminate time that an analyst will spend in doing all this forensics activity. So it will do things in minutes and maybe seconds then an analyst probably is going to do in days. Let me go back right now and over here we have user risks.

So everything that the user was doing, all the machines that it has relationship with, where it was locked in, all the processes related to this user that were suspicious and it has a level of severity between medium high, let’s say, and all the timeline that you may see here. This is a really nice tool that will work in conjunction with your antivirus. Antivirus will just block well known attacks and stuff, but this tool will be more a behavior analytics tool, a zero-day attack malware protection tool that will alert you about what’s happening, what’s suspicious. And with the new features, it will be possible also to remediate think about the servers, which is more relevant, right? So you can immediately remediate, based on a runbook, all the servers that were somehow infected or suspicious to sort of attacks.

So this is what I wanted to present you. And with this video we ended up this section. Take a look at the conclusion and I hope you really enjoyed the training and how the material went through, starting with the GDPR legislation, then with gap assessments, creating some files based on the theory that we learned about, and finding out some tools that exist on the market that can help in achieving GDPR compliance with technology.

• Category: Uncategorized