Yoav Daniely, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics
Mon, 11 Sep 2023 22:53:17 +0000

Optimize security with Azure Firewall solution for Azure Sentinel
http://approjects.co.za/?big=en-us/security/blog/2021/06/08/optimize-security-with-azure-firewall-solution-for-azure-sentinel/
Tue, 08 Jun 2021 16:00:40 +0000

We’re excited to announce seamless integration between Azure Firewall and Azure Sentinel. Now, you can get both detection and prevention in the form of an easy-to-deploy Azure Firewall solution for Azure Sentinel.

The post Optimize security with Azure Firewall solution for Azure Sentinel appeared first on Microsoft Security Blog.

Security is a constant balance between proactive and reactive defenses. They are both equally important, and neither can be neglected. Effectively protecting your organization means constantly optimizing both prevention and detection.

That’s why we’re excited to announce a seamless integration between Azure Firewall and Azure Sentinel. Now, you can get both detection and prevention in the form of an easy-to-deploy Azure Firewall solution for Azure Sentinel.

Combining prevention and detection allows you to ensure that you both prevent sophisticated threats when you can, while also maintaining an “assume breach mentality” to detect and quickly respond to cyberattacks.

Azure Sentinel and Azure Firewall: Better together

The seamless integration of Azure Firewall and Azure Sentinel enables security operations with three key capabilities:

  1. Monitoring and visualizing Azure Firewall activities.
  2. Detecting threats and leveraging AI-assisted investigation capabilities.
  3. Automating response and correlation to other sources.

The whole experience is packaged as a solution in the Azure Sentinel marketplace, which means it can be deployed in just a few clicks.

How do you deploy and enable the Azure Firewall solution for Azure Sentinel?

Deploying the solution is simple. You can find it in the “Solutions” blade in your Azure Sentinel workspace, called the “Azure Firewall Solution for Azure Sentinel.”

The Azure Firewall solution as displayed in Azure Sentinel portal UI in the solution section.

Figure 1: Azure Sentinel solutions preview.

Once you open the Azure Firewall solution, simply hit the “create” button, follow all the steps in the wizard, pass validation, and create the solution. With just a few clicks, all content—including connectors, detections, workbooks, and playbooks that we’ll cover below—will be deployed in your Azure Sentinel workspace.

Monitoring and visualizing Azure Firewall activities

The Azure Firewall workbook allows you to visualize Azure Firewall events. With this workbook, you can:

  • Learn about your application and network rules.
  • See statistics for firewall activities across URLs, ports, and addresses.
  • Filter by firewall and resource group.
  • Dynamically filter per category with easy-to-read data sets when investigating an issue in the logs.

The workbook provides a single dashboard for ongoing monitoring of your firewall activity. When it comes to threat detection, investigation, and response, the Azure Firewall solution also provides built-in detection and hunting capabilities.

The Azure Firewall workbook overview screen, which is part of the Azure Firewall solution for Azure Sentinel.

Figure 2. Azure Firewall workbook.

Detecting threats and leveraging AI-assisted investigation capabilities

Built-in Threat Detection—analytics

The solution’s detection rules provide Azure Sentinel a powerful method for analyzing Azure Firewall signals to detect traffic representing malicious activity patterns traversing through the network. This allows rapid response and remediation of the threats.

The detections in the firewall solution are grouped by the attack stages an adversary pursues, following the MITRE ATT&CK framework. The framework traces the stages of a cyberattack from the early reconnaissance stages to the exfiltration of data, and it helps defenders understand and combat ransomware, security breaches, and advanced attacks.

The solution includes detections for common scenarios an adversary might use as part of an attack, spanning from the discovery stage (gaining knowledge about the system and internal network) through the command-and-control (C2) stage (communicating with compromised systems to control them) to the exfiltration stage (the adversary trying to steal data from the organization).

The solution’s built-in detection rules:

  • Port scan
    What does it do? Identifies a source IP scanning multiple open ports on the Azure Firewall.
    What does it indicate? Malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.
  • Port sweep
    What does it do? Identifies a source IP scanning the same open ports on the Azure Firewall across different IPs.
    What does it indicate? Malicious scanning of a port by an attacker trying to reveal IPs with specific vulnerable ports open in the organization.
  • Abnormal deny rate for source IP
    What does it do? Identifies an abnormal deny rate for a specific source IP to a destination IP, based on machine learning done during a configured period.
    What does it indicate? Potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by the Azure Firewall rules.
  • Abnormal port to protocol
    What does it do? Identifies communication for a well-known protocol over a non-standard port, based on machine learning done during an activity period.
    What does it indicate? Malicious communication (C2) or exfiltration by attackers trying to communicate over known ports (SSH, HTTP) but not using the known protocol headers that match the port number.
  • Multiple sources affected by the same TI destination
    What does it do? Identifies multiple machines that are trying to reach out to the same destination blocked by threat intelligence (TI) in the Azure Firewall.
    What does it indicate? An attack on the organization by the same attack group trying to exfiltrate data from the organization.

The Azure Firewall solution detections as they appear in the Azure Sentinel detection section after installing the solution.

Figure 3. Azure Firewall threat detections in Sentinel.

Hunting queries

Hunting queries are a tool for the security researcher to look for threats in the network of an organization, either after an incident has occurred or proactively to discover new or unknown attacks. To do this, security researchers will look at several indicators of compromise (IOCs). The built-in Azure Sentinel hunting queries in the Azure Firewall solution give security researchers the tools they need to find high-impact activities from the firewall logs. Several examples include:

Built-in hunting queries:

  • First time a source IP connects to destination port
    What does it do? Helps to identify a common indicator of attack (IOA) when a new host or IP tries to communicate with a destination using a specific port.
    What is it based on? Learning the regular traffic during a specified period.
  • First time source IP connects to a destination
    What does it do? Helps to identify an IOA when malicious communication is done for the first time from machines that never accessed the destination before.
    What is it based on? Learning the regular traffic during a specified period.
  • Source IP abnormally connects to multiple destinations
    What does it do? Identifies a source IP that abnormally connects to multiple destinations.
    What does it indicate? Initial access attempts by attackers trying to jump between different machines in the organization, exploiting a lateral movement path or the same vulnerability on different machines to find vulnerable machines to access.
  • Uncommon port for the organization
    What does it do? Identifies abnormal ports used in the organization network.
    What does it indicate? An attacker can bypass monitored ports and send data through uncommon ports, evading routine detection systems.
  • Uncommon port connection to destination IP
    What does it do? Identifies abnormal ports used by machines to connect to a destination IP.
    What does it indicate? An attacker can bypass monitored ports and send data through uncommon ports. This can also indicate an exfiltration attack from machines in the organization using a port that has never been used on the machine for communication.
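As an added illustration of the detection rules and hunting queries listed above (this is not Microsoft's query logic, which runs as KQL inside Azure Sentinel), the following Python script re-creates the "Port scan" and "Port sweep" analytics and the "First time a source IP connects to destination port" hunting query over constructed log lines. The line format mimics the msg_s text of Azure Firewall network-rule diagnostics; the thresholds, the baseline/recent split, and the sample addresses are assumptions.

```python
"""Toy re-creation of three of the solution's detections over constructed
Azure Firewall network-rule log lines: "Port scan", "Port sweep" and the
hunting query "First time a source IP connects to destination port".
Added example, not Microsoft's query logic; the line format mimics the msg_s
text of AzureFirewallNetworkRule diagnostics, and the thresholds and the
baseline/recent split are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not real traffic). The baseline window is the
# "regular traffic during a specified period" the hunting query learns from.
BASELINE_LOG = [
    "2021-06-01T09:00:00 TCP request from 10.0.0.4:51000 to 10.0.1.5:443. Action: Allow.",
    "2021-06-01T09:05:00 TCP request from 10.0.0.4:51001 to 10.0.1.5:443. Action: Allow.",
    "2021-06-01T09:10:00 TCP request from 10.0.0.7:51002 to 10.0.1.9:22. Action: Allow.",
]
RECENT_LOG = (
    [
        "2021-06-08T10:00:00 TCP request from 10.0.0.4:52000 to 10.0.1.5:443. Action: Allow.",
        # 10.0.0.4 reaches port 3389 for the first time: a first-seen (source, port) pair
        "2021-06-08T10:01:00 TCP request from 10.0.0.4:52001 to 10.0.1.5:3389. Action: Deny.",
    ]
    # Port scan: 10.0.0.50 walks 12 consecutive ports on one host
    + [f"2021-06-08T10:02:{i:02d} TCP request from 10.0.0.50:{53000 + i} "
       f"to 10.0.1.5:{20 + i}. Action: Deny." for i in range(12)]
    # Port sweep: 10.0.0.60 probes port 445 on six different hosts
    + [f"2021-06-08T10:03:{i:02d} TCP request from 10.0.0.60:{54000 + i} "
       f"to 10.0.1.{10 + i}:445. Action: Deny." for i in range(6)]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) request from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)\.$"
)


def parse_line(line):
    """Return a dict for one network-rule line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def parse_log(lines):
    """Parse a list of lines, silently skipping ones that do not match."""
    return [e for e in map(parse_line, lines) if e is not None]


def port_scans(events, min_ports=10):
    """Port scan: one source hitting many distinct ports on one destination."""
    ports = defaultdict(set)  # (src, dst) -> {dport}
    for e in events:
        ports[(e["src"], e["dst"])].add(e["dport"])
    return sorted((s, d, len(p)) for (s, d), p in ports.items() if len(p) >= min_ports)


def port_sweeps(events, min_hosts=5):
    """Port sweep: one source hitting the same port on many distinct destinations."""
    hosts = defaultdict(set)  # (src, dport) -> {dst}
    for e in events:
        hosts[(e["src"], e["dport"])].add(e["dst"])
    return sorted((s, p, len(h)) for (s, p), h in hosts.items() if len(h) >= min_hosts)


def first_seen_pairs(baseline_events, recent_events):
    """(src, dport) pairs in the recent window that never appeared in the baseline."""
    known = {(e["src"], e["dport"]) for e in baseline_events}
    recent = {(e["src"], e["dport"]) for e in recent_events}
    return sorted(recent - known)


def run_detections():
    """Run all three detections over the constructed logs and return the hits."""
    baseline = parse_log(BASELINE_LOG)
    recent = parse_log(RECENT_LOG)
    return {
        "port_scans": port_scans(recent),
        "port_sweeps": port_sweeps(recent),
        "first_seen": first_seen_pairs(baseline, recent),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits)
```

Note that the scanning host also shows up in the first-seen results, which is the noise the real solution suppresses by learning a longer baseline and by pairing the hunting queries with the analytics rules rather than running either alone.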

Automating response and correlation to other sources

Lastly, the Azure Firewall solution also includes Azure Sentinel playbooks, which enable you to automate the response to threats. For example, if the firewall logs an event where a particular device on the network is trying to communicate with the internet via the HTTP protocol over a non-standard TCP port, this action will trigger a detection in Azure Sentinel. The playbook will automate a notification to the security operations team via Microsoft Teams, and the security analysts can block the source IP of the device with a single click, preventing it from accessing the internet until an investigation can be completed. Playbooks make this process much more efficient and streamlined.

An example of the Azure Firewall automation playbook, which is part of the solution, as it would appear once opening the playbook in Sentinel.

Figure 4. Playbook automation configuration.

Seeing the integrated solution in action: Seamless hunting with pre-configured Azure Firewall hunting queries

Let’s look at what the fully integrated solution looks like in a real-world scenario.

The attack and initial prevention by Azure Firewall

A sales representative in the company has accidentally opened a phishing email and opened a PDF file containing malware. The malware immediately tried to connect to a malicious website but was blocked by the Azure Firewall, which detected the domain due to the Microsoft threat intelligence feed it consumes.

The security analyst response based on the Azure Firewall solution for Azure Sentinel

The connection attempt triggered a detection in Azure Sentinel and started the playbook automation process to notify the security operations team via a Teams channel, where, with a click of a button, the analyst was able to block the computer from communicating with the internet. The security operations team then notified the IT department, which removed the malware from the sales representative’s computer. However, taking the proactive approach and looking deeper, the security researcher leveraged the Azure Firewall hunting queries and ran the “Source IP abnormally connects to multiple destinations” query. This revealed that the malware on the infected computer had tried to communicate with several other devices on the broader network and had tried to access several of them. One of those access attempts succeeded, as there was no proper network segmentation to prevent lateral movement in the network, and the new device had a known vulnerability the malware exploited to infect it.

The result

The security researcher removed the malware from that new device, completed mitigating the attack, and discovered a network weakness in the process.

Conclusion

Integrating threat prevention and threat detection is key to properly securing your organization and enabling your security operations team to monitor and respond to threats.

Enabling the Azure Firewall solution on your Azure Sentinel workspace is just a few clicks away. Start now.

Learn more

In addition to the Azure Firewall solution, we announced several new Azure Sentinel innovations at the RSA Conference 2021. Learn more about these announcements, including new integrations, machine learning features, collaboration capabilities, and more on the Azure Sentinel announcement blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Protecting SAP applications with the new Azure Sentinel SAP threat monitoring solution
http://approjects.co.za/?big=en-us/security/blog/2021/05/19/protecting-sap-applications-with-the-new-azure-sentinel-sap-threat-monitoring-solution/
Wed, 19 May 2021 18:00:28 +0000

SAP systems handle massive amounts of critical data. We set out to protect them with the new Azure Sentinel SAP threat monitoring solution.

The post Protecting SAP applications with the new Azure Sentinel SAP threat monitoring solution appeared first on Microsoft Security Blog.

As one of the leading solution providers for applications that manage business processes, SAP is the custodian for massive amounts of sensitive data in many of the biggest organizations in the world.

Since these applications are business-critical, an SAP security breach can be catastrophic. Yet, protecting SAP applications is uniquely challenging. These systems are growing in complexity as organizations expand them beyond base capabilities. They are vulnerable not only to outside attacks, but also insider threats. What’s more, their complex nature means that threats can emerge across multiple modules, making cross-correlation especially important.

It has been traditionally very difficult for security operations (SecOps) teams to effectively monitor them due to the unique nature of the SAP ecosystems and the expertise they require. We set out to meet this challenge with the new SAP threat monitoring solution for Azure Sentinel. Now in public preview, the solution provides continuous threat detection and analytics for SAP systems deployed on Azure, in other clouds, or on-premises. Now, SecOps teams can use Azure Sentinel’s visibility, threat detection, and investigation tools to protect their SAP systems and cross-correlate across their entire organization.

Effective SAP threat monitoring

An effective approach to SAP threat monitoring has several key requirements:

  1. Multi-layered coverage: An SAP threat monitoring solution needs to cover both the infrastructure layer (virtual machine, storage, and network) as well as the business and applicative layers since threats traverse every layer of the SAP system.
  2. Rich insight into SAP applicative and transactional data: SAP systems produce viable security data in the form of change documents, audit logging, job execution, data transformation (table data), and more. For a complete picture of potential threats, you need visibility into all this activity.
  3. Correlation across enterprise data sources: SAP systems are complex, and indicators of compromise often aren’t straightforward. To reduce noise, it’s imperative to cross-correlate across additional data sources such as network, storage, or identity data, as well as across other entities, such as systems and users.
  4. Flexible deployment: SAP NetWeaver systems can be deployed on-premises, in the cloud, or in hybrid deployments. Any effective SAP monitoring solution needs to offer deployment flexibility and provide visibility into any of these deployment configurations, especially since cloud transformation is often a long, multi-stage process, and organizations may find their SAP deployment method changing over time.
  5. Threat detections specific to SAP: SAP systems are unique environments facing unique threats. An effective monitoring approach needs to include threat detections and analytics tailored to SAP-specific use cases and threats.
  6. Customizability: On the flip side, SAP ABAP platforms inclusive of S/4HANA are also highly custom in nature, which means that you can’t rely solely on out-of-the-box detections. The SAP threat monitoring approach needs to be open to modification and include the ability to build or import your own security content, so you can tailor detection to your specific environment.

Our approach: The SAP threat monitoring solution for Azure Sentinel

We kept these requirements top of mind when developing our approach to SAP threat monitoring. The Azure Sentinel SAP threat monitoring solution can be deployed in one simple package that includes all components. The solution includes:

  • A rich NetWeaver data connector: The SAP collector is delivered as a Docker container image that can be deployed anywhere in the network and integrates with NetWeaver-capable systems. The data connector collects over 10 different log files from SAP NetWeaver-enabled systems, which allows monitoring of business and application layer-related risks within SAP systems. You can view the full list of available log sources in the documentation.
  • SAP underlying Infrastructure data connectors: Existing Azure Sentinel data connectors, such as those for virtual machines, networking, and Azure Active Directory, monitor the underlying infrastructure.
  • Built-in security content: Out-of-the-box detections catch important SAP threats like system configuration changes, execution of sensitive function modules, and suspicious activity by privileged users. Plus, a workbook helps SecOps teams visualize the security health of their SAP systems.

Out-of-the-box detections included in the Azure Sentinel SAP threat monitoring solution.

Figure 1: Out-of-the-box detections included in the Azure Sentinel SAP threat monitoring solution.

An SAP workbook in Azure Sentinel.

Figure 2: SAP workbook helps analyze different security audit log events by severity, in order to keep track of the different events on the SAP ABAP system.

Visualizing and tracking authentication events using a built-in workbook.

Figure 3: Visualizing and tracking authentication events using a built-in workbook.

  • A rich set of configurations is also included in the form of watchlists. These watchlists reduce noise by allowing you to describe your specific SAP environment and the risks you’re most concerned about. For example, specify whether a certain system is a production or test system, and identify any specific SAP transactions that should be especially carefully monitored.

Use case: Monitoring for abuse of privileges with Azure Sentinel

What does this look like in action? One of the most common SAP security risks is the potential misuse of privileges. With the right privileges, SAP users can execute functions and even debug ABAP code running on these systems, which—while necessary—also by nature opens the system up to significant risk. For example, an SAP user with developer privileges could exploit those privileges to view sensitive human resources or financial data by executing a function module to gain elevated access privileges.

Azure Sentinel gives you the ability to quickly detect these threats without drowning in noise. You can monitor function modules executed via SE37, while also targeting your detections by defining a granular set of your most sensitive modules. You can also specify that these detections should only apply to your production systems since these behaviors can be common and harmless in developer or sandbox systems.

The pre-configured functions and detections can monitor for these threats from day one, while still providing the flexibility you need to customize your implementation.

Another common scenario is the use of break-glass users such as DDIC/SAP. While those users are frequently enabled for valid reasons, the usage of these privileges still needs to be very carefully monitored due to the high privileges of the default “superman” users. In Azure Sentinel, you can monitor for these users and use automation to help you manage these risks. For example, monitor for system access from these users, and when it is detected, automatically call a playbook that will send a Teams message to confirm that SAP basis permissions were given to perform the operation.

Learn more

Azure Sentinel’s threat monitoring capabilities for SAP enable you to protect critical SAP systems more efficiently and effectively, and extend Azure Sentinel’s cloud-native security analytics and AI capabilities to the world of SAP. Learn more about the SAP threat monitoring solution in the documentation, or join us live on May 26, 2021, at 8 AM Pacific Time for our Azure Sentinel webinar on the solution.

In addition to threat monitoring for SAP, we announced several new Azure Sentinel innovations at the RSA Conference 2021. Learn more about these announcements, including new integrations, ML features, collaboration capabilities, and more, on the Azure Sentinel announcement blog.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

5 steps to enable your corporate SOC to rapidly detect and respond to IoT/OT threats
http://approjects.co.za/?big=en-us/security/blog/2021/03/15/5-steps-to-enable-your-corporate-soc-to-rapidly-detect-and-respond-to-iot-ot-threats/
Mon, 15 Mar 2021 16:00:00 +0000

As organizations connect massive numbers of IoT/OT devices to their networks to optimize operations, boards and management teams are increasingly concerned about the expanding attack surface and corporate liability that they represent.

The post 5 steps to enable your corporate SOC to rapidly detect and respond to IoT/OT threats appeared first on Microsoft Security Blog.

As organizations connect massive numbers of IoT/OT devices to their networks to optimize operations, boards and management teams are increasingly concerned about the expanding attack surface and corporate liability that they represent. These connected devices can be compromised by adversaries to pivot deeper into corporate networks and threaten safety, disrupt operations, steal intellectual property, expose resources for Distributed Denial of Service (DDoS) botnets and cryptojacking, and cause significant financial losses.

For example, in June 2017, a destructive cyber attack known as “NotPetya” infected thousands of computers globally and resulted in dozens of enterprises experiencing significant financial losses. One of NotPetya’s victims, a global shipping and logistics company, lost $300 million as a result of production downtime and cleanup activities.

Why industrial and critical infrastructure OT networks are at risk

According to CyberX’s 2020 Global IoT/ICS Risk Report, which analyzed network traffic from over 1,800 production OT networks:

  • 71 percent of OT sites are running unsupported versions of Windows that no longer receive security patches.
  • 64 percent have cleartext passwords traversing their networks.
  • 54 percent have devices that can be remotely managed using remote desktop protocol (RDP), secure shell (SSH), and virtual network computing (VNC), enabling attackers to pivot undetected.
  • 66 percent are not automatically updating their Windows systems with the latest antivirus definitions.
  • 27 percent of sites have direct connections to the internet.

These vulnerabilities make it significantly easier for adversaries to compromise OT networks, whether their initial entry is via systems exposed to the internet or via lateral movement from the corporate IT network (using compromised remote access credentials, for example).

CISOs are increasingly accountable for both IT and IoT/OT security. However, according to a SANS survey, IT security teams lack visibility into the security and resiliency of their OT networks, with most respondents (59 percent) stating they are only “somewhat confident” in their organization’s ability to secure their industrial IoT devices.

How should organizations secure their IoT/OT environments?

Organizations need to invest in strengthening their IoT/OT security and structure the appropriate policies and procedures so that new IoT/OT monitoring and alerting systems will be successfully operationalized.

A key success factor is to obtain organizational alignment and solid collaboration with teams that will operate the system. In many organizations, these teams have traditionally worked in separate silos. Visibility and well-defined roles and responsibilities between IoT/OT, IT, and security personnel are key for a successful alignment. Although there can be more connectivity between the IT and the IoT/OT networks, they are still separate networks with different characteristics. Personnel operating the IoT/OT network are not always security trained, and the security staff are not familiar with the IoT/OT network infrastructure, devices, protocols, or applications. In particular, the top priority for OT personnel is maintaining the availability and integrity of their control networks—whereas IT security teams have traditionally been focused on maintaining the confidentiality of sensitive data.

To be effective, IT security teams will need to adapt their existing procedures and policies to be inclusive of the IoT/OT security world.

Gaining continuous security operations center (SOC) visibility into IoT/OT risk with Azure Defender for IoT

Azure Defender for IoT is an agentless, network-layer IoT/OT security platform that’s easy to deploy and provides real-time visibility to all IoT/OT devices, vulnerabilities, and threats—within minutes of being connected to the OT network. Based on technology from Microsoft’s acquisition of CyberX, Azure Defender for IoT uses specialized IoT/OT-aware behavioral analytics and threat intelligence to auto-discover unmanaged IoT/OT assets and rapidly detect anomalous or unauthorized activities in your IoT/OT network. Additionally, it enables you to centralize IoT/OT security monitoring and governance via built-in integration with Azure Sentinel and third-party SOC solutions such as Splunk, IBM QRadar, and ServiceNow.

According to SANS, there’s a clear difference between the detection of an attack on corporate companies versus industrial and critical infrastructure organizations with control networks. While 72 percent of organizations without OT environments detected a compromise within seven days, only 45 percent of organizations with OT environments were able to do the same.

Reducing the time between compromise and detection is a key catalyst for enabling your SOC with real-time IoT/OT alerts and detailed contextual information about your IoT/OT assets and vulnerabilities.

Detect and respond to IoT/OT incidents faster

To operationalize security alerts from the IoT/OT network, you must integrate them with your existing SOC workflows and tools. Given the significant investments that organizations have already made in a centralized SOC, it makes sense to bring IoT/OT security into their existing SOC and to expand the SOC responsibilities to be able to manage IoT/OT incidents as well. This next step will create a productive working environment between the teams. Integration of the SOC within the IoT/OT environment can create a competitive advantage for the organization.

Modern SOCs rely heavily on SIEM solutions to operate efficiently. This means that IoT/OT security alerts and investigation processes should be delivered to the SOC team via their preferred SIEM solution. SIEM solutions provide security value by normalizing and correlating data across the enterprise, including data ingested from firewalls, applications, servers, and endpoints.

As of today, most of our customers (78 percent) who have deployed Azure Defender for IoT and have SIEM, have integrated (or are in the process of integrating) IoT/OT security into their SIEM platform and SOC workflows.

Integrating IoT/OT security with your SIEM in five steps:

Step 1: Forward IoT/OT security events to the SIEM

The first step in a successful SOC integration is to integrate IoT/OT alerts with your organizational SIEM. This capability is supported out of the box with Azure Defender for IoT. After integrating Azure Defender for IoT with a SIEM, clients typically spend a short time tuning which alerts are forwarded to the SIEM to reduce alert fatigue.

Azure Defender for IoT drop-down menu showing built-in integrations with broad range of SIEM, ticketing, firewall, and NAC systems

Figure 1: Azure Defender for IoT integrates out-of-the-box with a broad range of SIEM, ticketing, firewall, and NAC systems.

Step 2: Identify and define IoT/OT security threats and SOC incidents

The second step is agreeing on which IoT/OT security threats the organization would like to monitor in the SOC, based on the organizational threat landscape, industry needs, compliance, and more. Once relevant threats are defined, you can define the use cases that constitute an incident within the SOC.

For example, a common use case is an unauthorized change to OT equipment, such as an unauthorized change to Programmable Logic Controller (PLC) code—since this can take down production and potentially cause a safety incident. In the TRITON attack on the safety controllers in a petrochemical facility, for example, the adversary initially compromised a Windows workstation in the OT network and then uploaded a malicious back door to the PLC using a legitimate industrial control system (ICS) command (you may recognize this as an excellent example of an OT-specific living-off-the-land tactic).

This type of activity is immediately detected when Azure Defender for IoT detects a deviation from the OT network baseline, such as a programming command sent from a new device. Azure Defender for IoT incorporates Layer 7 Deep Packet Inspection (DPI) and patented IoT/OT-aware behavioral analytics using Finite-State Machine (FSM) modeling to create a baseline of OT network activity. Compared to generic baselining algorithms developed for IT networks (which are largely non-deterministic), this approach is optimized for the deterministic nature of OT networks—resulting in a faster learning period with fewer false positives and false negatives. Additionally, deeply analyzing high-fidelity network traffic, including at the application layer, enables the platform to identify malicious OT commands and not just deviations in source/destination information.

In this particular use case, an unauthorized change to PLC ladder logic code can indicate new functionality or parameters being programmed into the PLC (which typically happens only on rare occasions), an error on the part of a control engineer, or a misconfigured application. In all these cases, the SOC should investigate with plant personnel to determine whether the activity was malicious or legitimate.

Step 3: Create SIEM detection rules

Once IoT/OT security threat use cases are defined, you can create detection rules and severity levels in the SIEM. Only relevant incidents will be triggered, thus reducing unnecessary noise. For example, you would define PLC code changes performed from unauthorized devices, or outside of work hours, as a high severity incident due to the high fidelity of this specific alert.

Step 4: Define SOC workflows for resolution

The fourth step is to define workflows for resolution. This will also help remove ambiguity between IT security and OT teams about who is responsible for investigating unusual activities (note that unclear roles and responsibilities were also an important factor in the TRITON incident, until a second attack two months later).

The goal is to enable Tier 1 SOC analysts to handle most IoT/OT incidents and only escalate to specialized IoT/OT security experts when needed. This means defining the appropriate workflow for mitigation and creating automated investigation playbooks for each use case.

For example, when the SOC receives an alert that PLC code changes have been initiated, check first if the programming device is an authorized engineering workstation, and then if it occurred during normal work hours, whether it happened during a scheduled change window, etc. If the answer to these questions is no, you should immediately disconnect the rogue workstation from the network (or block it with a firewall rule, if possible).

Here’s an example of a logical workflow for resolution:

Example of a built-in automated SOAR playbook for Azure Sentinel initiated by an OT-specific alert generated by Azure Defender for IoT

Figure 2: Example of a built-in automated SOAR playbook for Azure Sentinel initiated by an OT-specific alert generated by Azure Defender for IoT

Step 5: Training and knowledge transfer

The fifth step is to provide comprehensive training to all stakeholders. For example, teach the SOC team about the unique characteristics of OT environments, so they can have intelligent conversations with IoT/OT personnel when resolving incidents and can implement remediation actions that are relevant (and not harmful) for OT environments.
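To make the Step 3 severity rule and the Step 4 resolution workflow concrete, here is an added Python example (not a Microsoft playbook and not Azure Defender for IoT code) that triages a constructed PLC-programming alert: it checks whether the source is an authorized engineering workstation, whether the change fell in work hours, and whether a scheduled change window covered it, then returns a severity and a recommended action in the order the steps above describe. The device names, work hours, change windows, alert label, and field names are all assumptions.

```python
"""Toy triage routine for the Step 3 / Step 4 workflow: given a constructed
PLC-programming alert, check the source device, work hours and change windows,
then return a severity and recommended action. Added example, not a Microsoft
playbook; device names, hours, windows and field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed reference data the SOC would normally keep in a watchlist or CMDB.
AUTHORIZED_ENGINEERING_WORKSTATIONS = {"ENG-WS-01", "ENG-WS-02"}
WORK_HOURS = (time(7, 0), time(19, 0))  # Monday to Friday, local plant time
CHANGE_WINDOWS = [
    # (start, end) of an approved maintenance window, constructed for the example
    (datetime(2021, 3, 12, 22, 0), datetime(2021, 3, 13, 2, 0)),
]


@dataclass
class OtAlert:
    alert_type: str      # constructed label, e.g. "PLC programming"
    source_device: str   # device that sent the programming command
    target_plc: str      # controller that received it
    timestamp: datetime


def in_work_hours(ts):
    """True on a weekday between the configured start and end times."""
    return ts.weekday() < 5 and WORK_HOURS[0] <= ts.time() < WORK_HOURS[1]


def in_change_window(ts):
    """True if any scheduled change window covers the timestamp."""
    return any(start <= ts < end for start, end in CHANGE_WINDOWS)


def triage_plc_programming(alert):
    """Return (severity, action, reasons) following the Step 4 decision order:
    authorized device first, then work hours, then scheduled change window."""
    if alert.alert_type != "PLC programming":
        return "informational", "route to generic OT alert handling", []

    reasons = []
    authorized = alert.source_device in AUTHORIZED_ENGINEERING_WORKSTATIONS
    if not authorized:
        reasons.append(f"{alert.source_device} is not an authorized engineering workstation")
    scheduled = in_work_hours(alert.timestamp) or in_change_window(alert.timestamp)
    if not scheduled:
        reasons.append("change made outside work hours with no scheduled change window")

    if not authorized:
        # Rogue workstation: contain first (disconnect or firewall block), then escalate.
        return ("high",
                f"disconnect or firewall-block {alert.source_device}; escalate to OT security",
                reasons)
    if not scheduled:
        # Authorized device at an unexpected time: high severity, confirm with the plant.
        return ("high",
                f"confirm with plant personnel whether the change to {alert.target_plc} was planned",
                reasons)
    return ("low",
            f"record the change to {alert.target_plc} and verify it against the change record",
            reasons)


if __name__ == "__main__":
    sample = OtAlert("PLC programming", "HMI-03", "PLC-LINE-3", datetime(2021, 3, 15, 10, 0))
    print(triage_plc_programming(sample))
```

The ordering matters: an unauthorized source is contained before anyone asks about timing, while an authorized workstation outside its window is escalated to people rather than blocked, which is the "relevant and not harmful" remediation Step 5 asks SOC analysts to learn.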

Azure Defender for IoT and Azure Sentinel: Better together

Azure Sentinel is the first cloud-native SIEM/SOAR platform on a major public cloud. It delivers all the advantages of a cloud-based service, including simplicity, scalability, and lower total cost of ownership; provides a bird’s eye view across IT and OT to enable rapid detection and response for multistage attacks that cross IT/OT boundaries (like TRITON); incorporates machine learning combined with continuously-updated threat intelligence from trillions of signals collected daily.

Azure Defender for IoT is deeply integrated with Azure Sentinel, providing rich contextual information to SOC analysts beyond the basic information provided by simple Syslog alerts. For example, it provides detailed information about the IoT/OT assets associated with an alert, including device type, manufacturer, the protocol used, firmware level, and so on.

Azure Sentinel has also been enhanced with IoT/OT-specific SOAR playbooks. The integrated combination of these two solutions helps SOC analysts detect and respond to IoT/OT incidents faster—so you can prevent incidents before they have a material impact on your firm.

In the screenshot below, you can see a built-in Sentinel investigation experience for an IoT/OT security use case:

Interactive investigation graph in Azure Sentinel, produced from real-time OT monitoring data generated by Azure Defender for IoT

Figure 3: Interactive investigation graph in Azure Sentinel, produced from real-time OT monitoring data generated by Azure Defender for IoT. 

Learn more

If you’d like to learn more and see a full demo of how Azure Defender for IoT and Azure Sentinel can be used together to detect and investigate a sophisticated attack, check out our Microsoft Ignite session or read the blog “Go inside the new Azure Defender for IoT including CyberX.”

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
