WEBVTT

0:00:02.720000 --> 0:00:06.220000
When it comes to security, you of course want to use every tool at your

0:00:06.220000 --> 0:00:12.060000
disposal. One of those key tools is having what you need to be proactive

0:00:12.060000 --> 0:00:14.440000
about security incidents.

0:00:14.440000 --> 0:00:16.600000
That's what we're going to look at in this video.

0:00:16.600000 --> 0:00:20.460000
We're going to take a look at Azure Security and Incidents.

0:00:20.460000 --> 0:00:23.560000
The topics themselves are relatively straightforward.

0:00:23.560000 --> 0:00:27.160000
We'll talk about security alerts, and then we'll talk about Security Center

0:00:27.160000 --> 0:00:30.280000
incidents, what those are, how they differentiate.

0:00:30.280000 --> 0:00:32.900000
And then finally, I'm going to demonstrate security alerts.

0:00:32.900000 --> 0:00:36.760000
Now, I'm not going to demonstrate security incidents because quite honestly,

0:00:36.760000 --> 0:00:39.740000
I say this proudly, I don't have any.

0:00:39.740000 --> 0:00:43.340000
And that's because my environment's a demo environment, and I generally

0:00:43.340000 --> 0:00:48.320000
break things down before there can be any kind of coordinated attack on

0:00:48.320000 --> 0:00:53.160000
my resources. And no, I'm not inviting you to try to, you know, pen test

0:00:53.160000 --> 0:00:56.380000
my system. I'm just saying that just because it's not going to be on mine

0:00:56.380000 --> 0:00:57.440000
doesn't mean it's not anywhere.

0:00:57.440000 --> 0:01:01.040000
I'm going to pull up actually a Microsoft web page that shows you what

0:01:01.040000 --> 0:01:02.900000
the incidents would look like and what you can do.

0:01:02.900000 --> 0:01:06.720000
So it'll be a little bit of using their content.

0:01:06.720000 --> 0:01:08.380000
All right, so what are security alerts?

0:01:08.380000 --> 0:01:10.220000
Let's talk about these for a moment.
0:01:10.220000 --> 0:01:14.860000
First of all, to get security alerts, as is often the case with a lot,

0:01:14.860000 --> 0:01:18.380000
you need Security Center standard edition.

0:01:18.380000 --> 0:01:22.300000
And it comes into three stages.

0:01:22.300000 --> 0:01:25.880000
OK, the first is threat detection.

0:01:25.880000 --> 0:01:28.140000
And what is threat detection going to do?

0:01:28.140000 --> 0:01:30.720000
It's going to monitor traffic.

0:01:30.720000 --> 0:01:34.900000
All right, it's going to collect logs, and it's going to analyze those

0:01:34.900000 --> 0:01:42.500000
logs. Now, this analytics is, of course, from the Microsoft AI.

0:01:42.500000 --> 0:01:44.160000
It's the same things they use.

0:01:44.160000 --> 0:01:49.200000
It's just allowing it to, you know, apply here.

0:01:49.200000 --> 0:01:50.960000
Now, what do we have?

0:01:50.960000 --> 0:01:53.720000
Analytics threat intelligence here being Azure.

0:01:53.720000 --> 0:01:55.700000
That was a really vague statement.

0:01:55.700000 --> 0:01:57.160000
OK, so you've got threat intelligence.

0:01:57.160000 --> 0:02:01.000000
That's that AI, artificial intelligence, it's looking, and we'll talk

0:02:01.000000 --> 0:02:06.040000
about some of the ways that that works in just a minute.

0:02:06.040000 --> 0:02:08.840000
All right, it looks for behavioral analytics.

0:02:08.840000 --> 0:02:12.000000
All right, so are things happening maybe within an admin account that

0:02:12.000000 --> 0:02:13.580000
are a little bit different?

0:02:13.580000 --> 0:02:18.860000
Anomaly detection, so, you know, things like maybe accessing a system

0:02:18.860000 --> 0:02:21.960000
from somewhere that has never been accessed before.

0:02:21.960000 --> 0:02:25.980000
Now, when you get a security alert, a security alert has four different

0:02:25.980000 --> 0:02:27.080000
classifications.

0:02:27.080000 --> 0:02:30.160000
High, medium, low, and informational.
0:02:30.160000 --> 0:02:33.300000
High, what that means is there's a high probability that your resource

0:02:33.300000 --> 0:02:35.940000
is actually compromised.

0:02:35.940000 --> 0:02:41.120000
That is an immediate high value issue.

0:02:41.120000 --> 0:02:47.260000
OK, medium is there is suspicious activity that may indicate that a resource

0:02:47.260000 --> 0:02:52.600000
is compromised. And it just means that the artificial intelligence's

0:02:52.600000 --> 0:02:56.320000
confidence in the analytics is, well, medium.

0:02:56.320000 --> 0:03:02.860000
OK, and then there's low, right, which means it's either probably a benign

0:03:02.860000 --> 0:03:06.740000
positive, something that's really not a big deal, or it's an attack that

0:03:06.740000 --> 0:03:09.120000
was actually blocked, which is useful.

0:03:09.120000 --> 0:03:13.000000
And you want to look at those, right, because, you know, if it's low,

0:03:13.000000 --> 0:03:16.520000
that's great. It means it's not causing you immediate problems.

0:03:16.520000 --> 0:03:21.500000
On the other hand, you know, if it was a blocked attack, probably a good

0:03:21.500000 --> 0:03:23.260000
idea to understand that.

0:03:23.260000 --> 0:03:28.680000
OK, so, you know, we have these multiple options for security alerts.

0:03:28.680000 --> 0:03:33.480000
Now, and I didn't tell you informational, informational just means that

0:03:33.480000 --> 0:03:38.360000
you see that when you go into a security incident that we'll talk about

0:03:38.360000 --> 0:03:39.200000
in just a moment.

0:03:39.200000 --> 0:03:42.620000
OK, now where do our security alerts come from?

0:03:42.620000 --> 0:03:45.240000
Sounds like a kind of an interesting question there.
0:03:45.240000 --> 0:03:49.160000
All right, so the sources, virtual machines, so activity from virtual

0:03:49.160000 --> 0:03:56.300000
machines, app services, data, Azure containers, at the data level, SQL

0:03:56.300000 --> 0:04:01.920000
database and Azure Synapse, which used to be SQL Data Warehouse.

0:04:01.920000 --> 0:04:05.280000
Azure Storage, Cosmos DB, networking.

0:04:05.280000 --> 0:04:10.240000
So we're looking at both infrastructure as a service, as well as platform

0:04:10.240000 --> 0:04:14.740000
as a service. And you'll notice also ARM and Key Vault, right?

0:04:14.740000 --> 0:04:17.720000
Those are currently in preview.

0:04:17.720000 --> 0:04:20.060000
I think Key Vault in particular is something that's going to be very important.

0:04:20.060000 --> 0:04:24.220000
ARM is looking at the management plane, right, and just the management

0:04:24.220000 --> 0:04:25.560000
plane in general.

0:04:25.560000 --> 0:04:27.420000
All right, so those are security alerts.

0:04:27.420000 --> 0:04:32.100000
Now, how are those differentiated from security incidents?

0:04:32.100000 --> 0:04:36.960000
Security incidents are a collection of related alerts.

0:04:36.960000 --> 0:04:41.080000
And it's using what's called Cloud Smart Alert Correlation.

0:04:41.080000 --> 0:04:46.800000
It's looking at what's going on across not only multiple actions, but

0:04:46.800000 --> 0:04:48.620000
even multiple subscriptions.

0:04:48.620000 --> 0:04:52.000000
And the idea of being, and I don't want to try to go too far down InfoSec

0:04:52.000000 --> 0:04:58.420000
because we have a whole InfoSec team that would shake their head at me,

0:04:58.420000 --> 0:04:59.040000
but hopefully not.

0:04:59.040000 --> 0:05:05.000000
But in any case, when you think about an attack, an attack is not one

0:05:05.000000 --> 0:05:11.640000
single action. An attack is typically a very complex set of coordinated

0:05:11.640000 --> 0:05:14.100000
actions that are going to occur.
0:05:14.100000 --> 0:05:19.700000
In fact, the actual attack itself may come sometime weeks or even months

0:05:19.700000 --> 0:05:22.420000
after the initial activity.

0:05:22.420000 --> 0:05:24.440000
And that's what this is looking for.

0:05:24.440000 --> 0:05:27.300000
And it's based on fusion analytics.

0:05:27.300000 --> 0:05:30.960000
And it uses the MITRE ATT&CK majors.

0:05:30.960000 --> 0:05:34.000000
And if you're not familiar with InfoSec, you can look those up.

0:05:34.000000 --> 0:05:40.100000
And it's just basing its assessment of an incident on AI.

0:05:40.100000 --> 0:05:44.260000
And so incidents are things that if you see an incident come up and it's

0:05:44.260000 --> 0:05:47.140000
going to come up in the same interface as your alerts, this is something

0:05:47.140000 --> 0:05:50.800000
that you're probably going to want to end up paying a little more attention

0:05:50.800000 --> 0:05:53.020000
to. You should pay attention to everything.

0:05:53.020000 --> 0:05:56.500000
But it's going to be a little more time critical, because that's going

0:05:56.500000 --> 0:05:57.020000
to be something.

0:05:57.020000 --> 0:06:01.600000
If it rises to that level, it's definitely something that's most likely

0:06:01.600000 --> 0:06:03.300000
not going to be benign.

0:06:03.300000 --> 0:06:05.320000
All right, let's go ahead and take a look.

0:06:05.320000 --> 0:06:08.540000
And all I'm going to do is I'm going to pop into Security Center.

0:06:08.540000 --> 0:06:11.360000
And we're going to take a look at the alerts for Security Center.

0:06:11.360000 --> 0:06:14.360000
And I'm going to drill down into an alert and see what's going on with

0:06:14.360000 --> 0:06:18.980000
it. And then I'm going to take you over to a page from Microsoft where

0:06:18.980000 --> 0:06:23.840000
if nothing else, I can just show you what an incident would look like.
0:06:23.840000 --> 0:06:27.520000
And it's something that to go beyond just what's in the video, you might

0:06:27.520000 --> 0:06:32.640000
want to take a look at the Microsoft incident description.

0:06:32.640000 --> 0:06:36.900000
So let's go ahead and let's pop into this.

0:06:36.900000 --> 0:06:42.320000
OK, I am in Security Center.

0:06:42.320000 --> 0:06:45.700000
And I'm just going to go right to the heart of the matter.

0:06:45.700000 --> 0:06:47.580000
And that is my security alerts.

0:06:47.580000 --> 0:06:53.340000
And of course, security alerts are driven by policy.

0:06:53.340000 --> 0:06:55.360000
Here are my security alerts.

0:06:55.360000 --> 0:07:02.800000
And I currently have seven security alerts, two of which are medium and

0:07:02.800000 --> 0:07:06.460000
five of which are low severity.

0:07:06.460000 --> 0:07:08.300000
OK, and there's my severity.

0:07:08.300000 --> 0:07:10.080000
There's my medium and my low.

0:07:10.080000 --> 0:07:12.000000
So what do we have?

0:07:12.000000 --> 0:07:16.680000
I've got one that happened several days ago, suspicious authentication

0:07:16.680000 --> 0:07:20.560000
activity. Ooh, that looks dangerous.

0:07:20.560000 --> 0:07:24.440000
OK, so I've got a virtual machine here that doesn't exist anymore because

0:07:24.440000 --> 0:07:25.720000
I made it go away.

0:07:25.720000 --> 0:07:34.960000
Demo JIT VM. And if I drill down into that, I can see a little bit of

0:07:34.960000 --> 0:07:39.100000
information. Oh, look at this whole bunch of people.

0:07:39.100000 --> 0:07:40.340000
That's actually pretty cool.

0:07:40.340000 --> 0:07:45.600000
Whole bunch of people tried to log in to that VM.

0:07:45.600000 --> 0:07:47.820000
I had it pretty much wide open for a while.

0:07:47.820000 --> 0:07:49.320000
And these were all the attacks.

0:07:49.320000 --> 0:07:54.020000
Those are actually legitimate attacks trying to get in.
0:07:54.020000 --> 0:07:58.060000
So some of the used accounts were recognized by the host.

0:07:58.060000 --> 0:08:04.340000
That means I don't think what actually, I don't really recognize any of

0:08:04.340000 --> 0:08:06.340000
these. Maybe I used student one.

0:08:06.340000 --> 0:08:07.820000
Most of you student one at some point.

0:08:07.820000 --> 0:08:09.860000
That was probably me.

0:08:09.860000 --> 0:08:11.040000
But there you go.

0:08:11.040000 --> 0:08:12.460000
That's an alert.

0:08:12.460000 --> 0:08:14.300000
And of course, you can set that up.

0:08:14.300000 --> 0:08:15.500000
Oh, one thing is pretty cool.

0:08:15.500000 --> 0:08:19.140000
Security alerts map will show you where your security alerts are coming

0:08:19.140000 --> 0:08:21.140000
from. I have no threats detected right now.

0:08:21.140000 --> 0:08:22.300000
So that's awesome.

0:08:22.300000 --> 0:08:34.740000
Now, incidents that accumulation of alerts, if I go up here, hit the right

0:08:34.740000 --> 0:08:35.700000
combination button.

0:08:35.700000 --> 0:08:37.700000
There we go. OK.

0:08:37.700000 --> 0:08:42.760000
If we look in here, you can see the top three items in here are actually

0:08:42.760000 --> 0:08:44.220000
security incidents.

0:08:44.220000 --> 0:08:47.040000
And they have a slightly different icon, a different icon.

0:08:47.040000 --> 0:08:49.460000
So you can tell what they are.

0:08:49.460000 --> 0:08:52.380000
And not surprisingly, there's going to be high severity.

0:08:52.380000 --> 0:08:55.560000
And then when you click on an incident, what it's going to do is show

0:08:55.560000 --> 0:08:58.020000
you all of the related alerts.

0:08:58.020000 --> 0:09:02.020000
So here are the related alerts to a particular incident that happened

0:09:02.020000 --> 0:09:04.300000
on August 10, 2019.

0:09:04.300000 --> 0:09:08.420000
And that's it. That is alerts and incidents.
0:09:08.420000 --> 0:09:12.320000
Again, just because they are relatively straightforward does not mean

0:09:12.320000 --> 0:09:14.700000
that they are not critically important.

0:09:14.700000 --> 0:09:18.580000
Of course, you want to always keep ahead of what these security incidents

0:09:18.580000 --> 0:09:21.720000
are. You want to monitor your alerts.

0:09:21.720000 --> 0:09:24.140000
You want to set up a learning on your alerts.

0:09:24.140000 --> 0:09:24.940000
And certainly your incidents.